Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again
On Tue, Mar 10, 2009 at 02:46:56PM +0100, Arnoud Vermeer wrote:
> Hi,
>
> Elisa and I were looking at the production-pilot logs last night and noticed the following:

I finally found some time to look into this and your dumps. The problem is actually with withdraws that are still totally fucked up. So the following diff should fix this issue -- beforehand we just never managed to correctly withdraw IPv6 prefixes.

This diff fixes two bugs and makes bgpd do the same paranoid checking as juniper and bails out if there is crap after an empty update. With this I can correctly withdraw IPv6 prefixes.

-- 
:wq Claudio

Index: rde.c === RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.235 diff -u -p -r1.235 rde.c --- rde.c 13 Jan 2009 21:35:16 - 1.235 +++ rde.c 11 Mar 2009 02:28:44 - @@ -856,8 +856,16 @@ rde_update_dispatch(struct imsg *imsg) prefix_remove(peer, prefix, prefixlen, F_ORIGINAL); } - if (attrpath_len == 0) /* 0 = no NLRI information in this message */ + if (attrpath_len == 0) { + /* 0 = no NLRI information in this message */ + if (nlri_len != 0) { + /* crap at end of update which should not be there */ + rde_update_err(peer, ERR_UPDATE, + ERR_UPD_ATTRLIST, NULL, 0); + return (-1); + } return (0); + } /* withdraw MP_UNREACH_NLRI if available */ if (mpa.unreach_len != 0) { Index: rde_update.c === RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v retrieving revision 1.64 diff -u -p -r1.64 rde_update.c --- rde_update.c13 Jan 2009 21:35:16 - 1.64 +++ rde_update.c11 Mar 2009 01:56:54 - @@ -917,13 +917,7 @@ up_dump_mp_unreach(u_char *buf, u_int16_ return (NULL); datalen += 3; /* afi + safi */ - if (datalen 255) { - attrlen += 2 + datalen; - flags |= ATTR_EXTLEN; - } else { - attrlen += 1 + datalen; - buf++; - } + /* prepend header, need to do it reverse */ /* safi afi */ buf[--wpos] = SAFI_UNICAST; 
@@ -933,11 +927,15 @@ up_dump_mp_unreach(u_char *buf, u_int16_ /* attribute length */ if (datalen 255) { + attrlen += 2 + datalen; + flags |= ATTR_EXTLEN; wpos -= sizeof(u_int16_t); tmp = htons(datalen); memcpy(buf + wpos, tmp, sizeof(u_int16_t)); - } else + } else { + attrlen += 1 + datalen; buf[--wpos] = (u_char)datalen; + } /* mp attribute */ buf[--wpos] = (u_char)ATTR_MP_UNREACH_NLRI; @@ -958,7 +956,7 @@ up_dump_mp_unreach(u_char *buf, u_int16_ /* total length includes the two 2-bytes length fields. */ *len = attrlen + 2 * sizeof(u_int16_t); - return (buf); + return (buf + wpos); } u_char *
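Review bot: the new `if (nlri_len != 0)` branch in rde_update_dispatch() turns a message that was previously accepted with `return (0)` into an ERR_UPDATE/ERR_UPD_ATTRLIST notification plus `return (-1)`, that is, a session reset. The subcode is the right one (RFC 4271 section 6.3 prescribes Malformed Attribute List when the two length fields do not account for the whole message), but the comment `/* crap at end of update which should not be there */` should say that the peer session is torn down, since that is the operationally visible effect. Also confirm that `nlri_len` is already computed on this path: inside the hunk it is only read, never assigned, so its value has to come from code above the hunk that is not shown.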
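Review bot: in up_dump_mp_unreach(), the removed block did `buf++` in the short-length case and the new code no longer does, so the finished attribute now starts at `buf + wpos` rather than at `buf`; the `return (buf + wpos)` in the last hunk is what restores consistency, which means the two rde_update.c hunks only work together and every caller of up_dump_mp_unreach() must use the returned pointer instead of the buffer it passed in. That deserves a sentence in the commit message and a check of the callers. Moving `attrlen += 2 + datalen` / `flags |= ATTR_EXTLEN` and `attrlen += 1 + datalen` into the branch that actually writes the length byte(s) also removes the duplicated length test, which reads better.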
Re: halt -p does not powerdown ThinkPad X200 under 4.5beta
Linux and Windows halt successfully on HP Pavilion dv6312, while FreeBSD sometimes fails the same as OpenBSD. OpenSolaris rarely fails.

On Tue, Mar 10, 2009 at 7:09 PM, Thomas Pfaff tpf...@tp76.info wrote:
> On Tue, 10 Mar 2009 17:49:52 +0100 Thomas Pfaff tpf...@tp76.info wrote:
>> On Tue, 10 Mar 2009 11:04:46 -0500 Marco Peereboom sl...@peereboom.us wrote:
>>> On Tue, Mar 10, 2009 at 04:30:39PM +0100, Thomas Pfaff wrote:
>>>> Ubuntu 8.04 (Linux 2.6.24-19) powers down my system just fine with halt -p (see previous post for details).
>>>
>>> Alrighty I'll look at that code (ugh!).
>>
>> While we're at it, I just brought up another system and halt -p does not work here either. Stuck at "Attempting to power down...". Disabling apm made the system power off and then it attempted to start up again, but the screen was blank and nothing was happening. The lights were on, but there was nobody home, so to speak. I can try installing NetBSD and see if it works there. Might be less painful to look through their code than Linux ;-)
>
> NetBSD 4.0/i386 shuts down just fine with halt -p on this machine.
>
> OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Athlon(tm) XP 1800+ ("AuthenticAMD" 686-class, 256KB L2 cache) 1.53 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
> real mem = 267939840 (255MB)
> avail mem = 250789888 (239MB)
> [...]
Nginx: filedescriptors, users and login.conf confusion
Hello,

I've been running Nginx with php-fastcgi and am sometimes experiencing the 'too many files open' error messages. Investigating the solution I am confused about which user (or user class in login.conf) I should give more file descriptors.

Setup (single machine):
- Nginx daemon running as 'www'
- Apache running as 'www' also (overlapping doc root)
- Several php-fastcgi processes (Nginx w. lighttpd's spawn-fcgi) running as actual users. These actual users have a nologin class and can only use chrooted SFTP.

I'm kinda lost on which user / which (new) login.conf class I should give more file descriptors. Or how to find out which particular users/daemon needs them.

Any advice is appreciated. Thanks!
Re: OpenBSD 4.4 amd64 bsd.mp can't detect 16GB memory
Prakshep Dineshchandra Patel wrote:
> Hi everyone,
>
> I have installed OpenBSD 4.4 amd64 on a Dell PowerEdge 1950 which contains 16GB of RAM. As in that kernel 'BigMem' is already set to 1. But during boot time I can see 4GB instead of 16GB RAM. When I use the 'top' command it shows around 8GB RAM. Any suggestions from anyone how to solve this problem?

I'm afraid I can't solve your problem but the following information might be useful:

- the actual data of things you see
  You make some claims on things you see, but you don't show the actual data.

- output of the boot loader's 'probing' line
  The boot loader prints something like:
    Loading...
    probing: pc0 com0 ... mem[... a20=on]
  If I'm not mistaken the mem[... a20=on] part shows the sizes of the memory blocks detected by querying the BIOS. Adding up these sizes should give an idea of how much memory is reported to the OS by the BIOS.

- output of 'dmesg | grep mem'
  Something like:
    real mem = ??? (???MB)
    avail mem = ??? (???MB)
    spdmem0 at iic0 addr 0x50: ???
  This should give an idea of how much memory the OS is actually using. It may also print spdmem entries giving an idea of what memory is physically installed/detected.
mismatch output net-snmp -current
I found mismatched output from snmpwalk in -current net-snmp, sample below:

r...@cadangan[patches]# snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.4.20.1.2
IP-MIB::ipAdEntIfIndex.10.100.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.10.100.66.1 = INTEGER: 5
IP-MIB::ipAdEntIfIndex.10.100.67.1 = INTEGER: 6
IP-MIB::ipAdEntIfIndex.10.100.68.1 = INTEGER: 7
IP-MIB::ipAdEntIfIndex.10.100.69.1 = INTEGER: 8
IP-MIB::ipAdEntIfIndex.58.145.172.241 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 4

r...@cadangan[patches]# snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.2.2.1.3
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.4 = INTEGER: 244
IF-MIB::ifType.5 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.6 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.7 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.8 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.9 = INTEGER: 245

Interface indexes 5, 6, 7 and 8 have the right IP, but there's a mismatch at index 1, 2 and 4 of IP-MIB. Do any of you have the same problem?

regards,
-Agung
Re: x11 problems with lenovo w500
> pcidump -xx output for both cases. normally the more interesting result anyway.
>
> oh, and the data you're passing on not to be MIME attached, the list strips those.

Ok, here we are:

http://www.wiroth.net/error/x11/pcidump-xx.working
http://www.wiroth.net/error/x11/pcidump-xx.NOT.working

Thanks for helping!

Didier
OpenSSH release CDS
I've repeatedly been in a position where we weren't making direct use of OpenBSD, but were using OpenSSH, and if there were a recurring cost associated with it (like purchasing a semi-annual CD) it would have been relatively painless to get a rubber stamp approval of such a cost, whereas purchasing an OS we weren't using would've been a much more difficult sell.

Since there is already regular ssh art (that could be used for the next several releases), how much further effort/money would it take to release OpenSSH on CD?

Also, of the people on misc@, how many would think they'd have an easier time convincing bosses/clients/others to buy a single CD for, say, $25 than they would getting an OS purchased?

Just a thought, for these trying economic times and whatnot.

-- 
 /\  ASCII Ribbon Campaign
 \ / Respect for low technology.
  X  Keep e-mail messages readable by any computer system.
 / \ Keep it ASCII.
Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again
Hi,

The patch is working. I have patched both the local testing setup and the production pilot. I tcpdumped the interface and got a nice IPv6 withdraw packet:

No.  Time       Source                    Destination               Protocol  Info
101  27.955719  2001:db8:1::a500:6777:1   2001:db8:1::a506:5506:1   BGP       UPDATE Message

Frame 101 (112 bytes on wire, 112 bytes captured)
Ethernet II, Src: DellComp_8d:1a:c2 (00:06:5b:8d:1a:c2), Dst: FoundryN_9f:c5:ae (00:12:f2:9f:c5:ae)
Internet Protocol Version 6
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 8172 (8172), Seq: 227, Ack: 155, Len: 38
Border Gateway Protocol
    UPDATE Message
        Marker: 16 bytes
        Length: 38 bytes
        Type: UPDATE Message (2)
        Unfeasible routes length: 0 bytes
        Total path attribute length: 15 bytes
        Path attributes
            MP_UNREACH_NLRI (15 bytes)
                Flags: 0x80 (Optional, Non-transitive, Complete)
                Type code: MP_UNREACH_NLRI (15)
                Length: 12 bytes
                Address family: IPv6 (2)
                Subsequent address family identifier: Unicast (1)
                Withdrawn routes (9 bytes)
                    2001:db8:97::/64

0000  00 12 f2 9f c5 ae 00 06 5b 8d 1a c2 86 dd 60 09
0010  97 b5 00 3a 06 01 20 01 0d b8 00 01 00 00 00 00
0020  a5 00 67 77 00 01 20 01 0d b8 00 01 00 00 00 00
0030  a5 06 55 06 00 01 00 b3 1f ec ad 53 e5 05 42 31
0040  1a e0 50 18 43 80 a9 dd 00 00 ff ff ff ff ff ff
0050  ff ff ff ff ff ff ff ff ff ff 00 26 02 00 00 00
0060  0f 80 0f 0c 00 02 01 40 20 01 0d b8 00 97 00 00

Thanks for the patch!

Arnoud Vermeer

On 3/11/09 10:11 AM, Claudio Jeker wrote:
> On Tue, Mar 10, 2009 at 02:46:56PM +0100, Arnoud Vermeer wrote:
>> Hi,
>>
>> Elisa and I were looking at the production-pilot logs last night and noticed the following:
>
> I finally found some time to look into this and your dumps. The problem is actually with withdraws that are still totally fucked up. So the following diff should fix this issue -- beforehand we just never managed to correctly withdraw IPv6 prefixes.
>
> This diff fixes two bugs and makes bgpd do the same paranoid checking as juniper and bails out if there is crap after an empty update. With this I can correctly withdraw IPv6 prefixes.
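Read by hand, the UPDATE in the capture above is the 38 bytes starting at frame offset 0x4a: the 16-byte marker, length 0x0026, type 2, a zero withdrawn-routes length, a path attribute length of 15, and a single MP_UNREACH_NLRI attribute (flags 0x80, type 15, length 12) carrying AFI 2 / SAFI 1 and the prefix 2001:db8:97::/64. The program below is an added example, not OpenBGPD code and not something from this thread: it decodes that message, and it applies the same check that Claudio's rde.c hunk adds, rejecting a constructed variant in which the attribute length is zero but the withdraw bytes are still present. The error subcodes are the RFC 4271 values; the function and struct names, and the skipping of IPv4 withdrawn routes and trailing NLRI (the capture carries neither), are this example's own choices.

```c
/*
 * Added example, not OpenBGPD code: decodes the UPDATE from the capture
 * above, pulling the IPv6 withdraw out of its MP_UNREACH_NLRI attribute
 * (type 15, RFC 4760), and applies the check the patch adds to
 * rde_update_dispatch(): bytes left over after an empty attribute list are
 * a Malformed Attribute List (RFC 4271 section 6.3, UPDATE subcode 1).
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_MP_UNREACH  15
#define ATTR_EXTLEN      0x10
#define ERR_UPD_ATTRLIST 1	/* Malformed Attribute List */
#define ERR_UPD_ATTRLEN  5	/* Attribute Length Error */

struct withdraw {
	char	prefix[INET6_ADDRSTRLEN];
	int	plen;		/* -1 if no IPv6 unicast withdraw was found */
};

static size_t be16(const uint8_t *p) { return (size_t)p[0] << 8 | p[1]; }

/* Returns 0 on success, else the UPDATE error subcode for a NOTIFICATION. */
int
parse_update(const uint8_t *msg, size_t len, struct withdraw *w)
{
	size_t off, end, alen, nbytes, attrpath_len;
	uint8_t addr[16], flags, type;
	const uint8_t *p;

	w->plen = -1;
	w->prefix[0] = '\0';
	/* 16-byte marker, 2-byte length, type 2 = UPDATE, then two lengths */
	if (len < 23 || be16(msg + 16) != len || msg[18] != 2)
		return ERR_UPD_ATTRLIST;
	off = 21 + be16(msg + 19);		/* skip IPv4 withdrawn routes */
	if (off + 2 > len)
		return ERR_UPD_ATTRLIST;
	attrpath_len = be16(msg + off);
	off += 2;
	if (off + attrpath_len > len)
		return ERR_UPD_ATTRLIST;
	/* The patch's check: with no attributes, nothing may follow. */
	if (attrpath_len == 0)
		return off == len ? 0 : ERR_UPD_ATTRLIST;
	for (end = off + attrpath_len; off < end; off += alen) {
		if (off + 3 > end)
			return ERR_UPD_ATTRLEN;
		flags = msg[off++];
		type = msg[off++];
		if (flags & ATTR_EXTLEN) {
			if (off + 2 > end)
				return ERR_UPD_ATTRLEN;
			alen = be16(msg + off), off += 2;
		} else
			alen = msg[off++];
		if (off + alen > end)
			return ERR_UPD_ATTRLEN;
		if (type != ATTR_MP_UNREACH)
			continue;
		p = msg + off;			/* AFI(2) SAFI(1) prefixes... */
		if (alen < 3)
			return ERR_UPD_ATTRLEN;
		if (be16(p) != 2 || p[2] != 1 || alen == 3)
			continue;		/* not IPv6 unicast, or empty */
		nbytes = (p[3] + 7) / 8;	/* prefix packed to whole bytes */
		if (p[3] > 128 || 4 + nbytes > alen)
			return ERR_UPD_ATTRLEN;
		memset(addr, 0, sizeof addr);
		memcpy(addr, p + 4, nbytes);
		inet_ntop(AF_INET6, addr, w->prefix, sizeof w->prefix);
		w->plen = p[3];
	}
	return 0;
}

#define MARKER 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff

/* The 38-byte UPDATE from the capture above (frame offsets 0x4a..0x6f). */
const uint8_t update_from_capture[] = {
	MARKER, 0x00, 0x26, 0x02, 0x00, 0x00, 0x00, 0x0f,
	0x80, 0x0f, 0x0c, 0x00, 0x02, 0x01,
	0x40, 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x97, 0x00, 0x00
};
/* Constructed for this example: the same bytes with the attribute length
 * zeroed, so the withdraw dangles after an empty attribute list. */
const uint8_t update_with_trailing_junk[] = {
	MARKER, 0x00, 0x20, 0x02, 0x00, 0x00, 0x00, 0x00,
	0x40, 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x97, 0x00, 0x00
};

int
main(void)
{
	struct withdraw w;

	if (parse_update(update_from_capture, sizeof update_from_capture, &w) == 0)
		printf("withdraw %s/%d\n", w.prefix, w.plen);
	printf("trailing junk -> subcode %d\n", parse_update(
	    update_with_trailing_junk, sizeof update_with_trailing_junk, &w));
	return 0;
}
```

Built with cc and run, it prints the withdrawn prefix for the captured message and subcode 1 for the constructed one, which is what the patched bgpd would send in its NOTIFICATION before dropping the session.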
might be slightly OT: `probability in PF'
i say this might be slightly OT because i am asking more of a philosophical question, not a technical one. the excellent documentation has given me all i need to know about the probability directive. thanks, devs, for that.

quick story: i have a couple dozen websites spread across two OpenBSD/base apache machines. one of my clients runs a web-based forum that's experienced a bit of trouble recently with previously banned users registering multiple accounts through open proxies and causing problems (just open proxies, not tor exit nodes). the mods have quelled the activity for now, but i'm thinking of ways to help them in the future.

i use sensible max-src-conn and max-src-conn-rate to be sure that DoS attacks won't cause httpd to knock down my server, but this is a solution to a different problem in my eyes---this is just trying to be a good sysadmin.

i have grepped through the logs of other clients, and i don't see any evidence of any traffic from the lists of open proxies i've compiled, so i don't think this would have unintended effects on them.

the only reason i guess that i'm cautious about just getting a list of known open proxies, creating a pf table and running with something like:

block in log quick on $ext_if from <openproxies> to any probability 90%

is because it seems a little bofh-ly to me. and i guess it borders on security-through-obscurity, which of course is not really security at all. but it seems a bit more sinister than just outright blocking, which kinda makes me snicker a bit. make the experience painful enough that they just go away. and i suppose i've just been dying to find a use for the probability directive.

so anyway, how are _you_ using probability? does this seem in line with what it was designed for? how, if at all, do you deal with open proxies?

you can respond off-list if this is really too OT for m...@. and i'm not afraid to be told this is the stupidest. idea. ever. if that's what you think. i'm also open to other ideas.

thanks and cheers!
Re: OpenSSH release CDS
2009/3/11 patric conant mirage.comput...@gmail.com:
> I've repeatedly been in a position where we weren't making direct use of OpenBSD, but were using OpenSSH, and if there were a recurring cost associated with it (like purchasing a semi-annual CD) it would have been relatively painless to get a rubber stamp approval of such a cost, whereas purchasing an OS we weren't using would've been a much more difficult sell.
>
> Since there is already regular ssh art (that could be used for the next several releases), how much further effort/money would it take to release OpenSSH on CD?
>
> Also, of the people on misc@, how many would think they'd have an easier time convincing bosses/clients/others to buy a single CD for, say, $25 than they would getting an OS purchased?
>
> Just a thought, for these trying economic times and whatnot.

I can't speak for the devs, Theo, misc@ or anyone except myself and my personal experiences with having a custom CD created, but I'd bet my experiences aren't too different from what Theo and the core team have to deal with.

When we looked into it for something else, we had to order a set number before anyone would even agree to print/press/package. All of that gets paid out of pocket with the hope that you can move the product. If it doesn't sell in a reasonable time then it has suddenly become outdated and an unnecessary waste if your sales do not cover at least the physical costs and the man-hours of effort put into it.

Colour me skeptical or pessimistic but I'd wager it's Just Not Worth It to package/print/sell OpenSSH discs.

You can always donate to the project, though. Methods of payment are available at

http://www.openssh.org/donations.html
http://openbsd.org/donations.html

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even if chequered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the grey twilight that knows not victory or defeat.
Re: Quick question about an PF user's guide example
On Tue, Mar 10, 2009 at 9:16 PM, Leonardo Rodrigues leonardov...@gmail.com wrote:
> Hi everyone,
>
> I'm trying to build a PF / ALTQ ruleset that handles traffic between 3 internal interfaces and 1 external, so that the internal interfaces can have different priorities on the available bandwidth they can get from the external interface. I don't know if that's possible with only ALTQ rules, or if I'll have to use tagging, so I'm trying to understand some simple setups first.
>
> While reading example #2 in the PF user's guide (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across the following ruleset:
>
> boss = "192.168.0.200"
> ...
> altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
> ...
> queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
> ...
> # filter rules for fxp0 outbound
> pass out on fxp0 from $boss to any keep state queue boss_ext
>
> Where fxp0 is the external interface (internet).
>
> My question is about that last rule above. Assuming that NAT is working so that the boss is able to surf the web, and since NAT translations happen before the filtering rules, then the rule above shouldn't work... right? The fxp0 interface would be able to filter only on already translated addresses (its own address), and not on untranslated addresses, like 192.168.200, which is the boss IP, on a different subnet. Would a rule like that work?

No. Without looking at the actual example, I can say that your understanding of NAT/filter interaction is correct and this will not work.

> If that setup works, I might be able to implement my original idea, by doing something like:
>
> pass out on fxp0 from 192.168.0.5 to any keep state queue traffic1_ext
> pass out on fxp0 from 192.168.2.5 to any keep state queue traffic2_ext
> pass out on fxp0 from 192.168.5.5 to any keep state queue traffic3_ext
>
> Thanks for any ideas =)
>
> Leonardo Rodrigues

Bear in mind that while a queue is applied to the egress interface, the classification of that traffic may take place on another interface. So you could do something more like this:

pass from 192.168.0.5 to ! <mynet> keep state queue traff1_ext

Or use tagging to avoid maintaining a table of your own networks.

-HKS
Re: might be slightly OT: `probability in PF'
On Wed, Mar 11, 2009 at 10:01 PM, jmc j...@cosmicnetworks.net wrote:
> i say this might be slightly OT because i am asking more of a philosophical question, not a technical one. the excellent documentation has given me all i need to know about the probability directive. thanks, devs, for that.

(just as a hint to the rest who are considering whether to read through) doesn't sound philosophical to me!

> quick story: i have a couple dozen websites spread across two OpenBSD/base apache machines. one of my clients runs a web-based forum that's experienced a bit of trouble recently with previously banned users registering multiple accounts through open proxies and causing problems (just open proxies, not tor exit nodes). the mods have quelled the activity for now, but i'm thinking of ways to help them in the future.
>
> i use sensible max-src-conn and max-src-conn-rate to be sure that DoS attacks won't cause httpd to knock down my server, but this is a solution to a different problem in my eyes---this is just trying to be a good sysadmin.
>
> i have grepped through the logs of other clients, and i don't see any evidence of any traffic from the lists of open proxies i've compiled, so i don't think this would have unintended effects on them.

don't see any evidence of *legit* traffic from the list of open proxies you've compiled, you mean.

> the only reason i guess that i'm cautious about just getting a list of known open proxies, creating a pf table and running with something like:
>
> block in log quick on $ext_if from <openproxies> to any probability 90%
>
> is because it seems a little bofh-ly to me. and i guess it borders on security-through-obscurity, which of course is not really security at all.

obscurity may not be true security, - but combined with security, it helps!

> but it seems a bit more sinister than just outright blocking, which kinda makes me snicker a bit. make the experience painful enough that they just go away.

which is good, don't you think? ;)

> and i suppose i've just been dying to find a use for the probability directive.
>
> so anyway, how are _you_ using probability? does this seem in line with what it was designed for? how, if at all, do you deal with open proxies?
>
> you can respond off-list if this is really too OT for m...@. and i'm not afraid to be told this is the stupidest. idea. ever. if that's what you think. i'm also open to other ideas.

no, it's not (the stupidest idea ever). I think it's good, in fact. Frustrates, confuses, and throws a wrench in the works of the low life and low intelligence scum.

-jf

-- 
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
    -- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
Re: might be slightly OT: `probability in PF'
--- Jeffrey 'jf' Lim [Wed, Mar 11, 2009 at 10:09:19PM +0800]: ---
> On Wed, Mar 11, 2009 at 10:01 PM, jmc j...@cosmicnetworks.net wrote:
>> i say this might be slightly OT because i am asking more of a philosophical question, not a technical one. the excellent documentation has given me all i need to know about the probability directive. thanks, devs, for that.
>
> (just as a hint to the rest who are considering whether to read through) doesn't sound philosophical to me!

OK, cool. i framed it that way because i didn't want to come across as someone who was asking the list to do my thinking for me.

as i suspect lots of misc@ readers do, i come from the ``be liberal in what you accept, conservative in what you send'' school. true, the Big Bad Internet has changed and continues to change rapidly, but i personally still see value in that axiom. outside of the gift from ghod that is spamd(8), this will be the biggest divergence from that axiom that i think i have done in my years as a sys admin.

>> i have grepped through the logs of other clients, and i don't see any evidence of any traffic from the lists of open proxies i've compiled, so i don't think this would have unintended effects on them.
>
> don't see any evidence of *legit* traffic from the list of open proxies you've compiled, you mean.

yes, that is what i mean. i also haven't figured out if it's even feasible to keep up with what i'm sure is a rapidly-changing list of open proxies on a daily basis. but that's a sys admin problem, and i'll ask for help on that separately if/when i need it. the lists that i've compiled thus far are from disparate sources, and will require a bit of work to get everything in order.

thanks again!
Re: Nginx: filedescriptors, users and login.conf confusion
Matt,

On Wed, Mar 11, 2009 at 11:42:54AM +0100, Matt wrote:
> I've been running Nginx with php-fastcgi and am sometimes experiencing the 'too many files open' error messages. Investigating the solution I am confused about which user (or user class in login.conf) I should give more file descriptors.
>
> Setup (single machine):
> - Nginx daemon running as 'www'

If nginx is running as 'www' then you're building your own nginx rather than using the package? If so, then nginx is starting however you tell it, and without details it's impossible to say.

> - Apache running as 'www' also (overlapping doc root)
> - Several php-fastcgi processes (Nginx w. lighttpd's spawn-fcgi) running as actual users. These actual users have a nologin class and can only use chrooted SFTP.
>
> I'm kinda lost on which user / which (new) login.conf class I should give more file descriptors. Or how to find out which particular users/daemon needs them.

You can specify the login class you desire when starting a daemon. See su(1), specifically the '-c login-class' option. A common practice is to copy the 'daemon' class to a new login.conf entry named whatever you like, start your daemon using that class, then tweak as desired. For lots of details about doing that, search the archives for 'mysql' and 'login.conf'...

-- 
Darrin Chandler            | Phoenix BSD User Group  | MetaBUG
dwchand...@stilyagin.com   | http://phxbug.org/      | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert   | Global BUG Federation
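As an added illustration, not from the thread and not nginx or spawn-fcgi code: the limit behind "too many open files" is the per-process RLIMIT_NOFILE soft limit, which a process inherits from whatever started it. On OpenBSD that value comes from the openfiles / openfiles-cur capability of the login class in effect when the process was started (login.conf(5), and the su(1) -c option mentioned above), which is why the class of the account used to launch nginx or spawn-fcgi matters and the owner of the document root does not. The program below reports the limit the calling process inherited and provokes EMFILE under a deliberately lowered limit; MAXTRY, the /dev/null target and the function names are this example's choices.

```c
/*
 * Added example, not from the thread: what "too many open files" is.
 * report_limit() shows the RLIMIT_NOFILE soft limit this process got from
 * its parent (on OpenBSD: from the login class, see login.conf(5)).
 * open_until_emfile() lowers that soft limit, opens /dev/null until
 * open(2) fails with EMFILE, reports how many descriptors it got, and
 * restores the original limit before returning.
 */
#include <sys/resource.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define MAXTRY 1024		/* upper bound on the experiment */

/* Soft limit on open descriptors for the calling process, or -1. */
long long
report_limit(void)
{
	struct rlimit rl;

	if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
		return -1;
	return (long long)rl.rlim_cur;
}

/*
 * Temporarily set the soft limit to `limit` (1..MAXTRY), open /dev/null
 * until open(2) fails, and return how many descriptors were obtained.
 * Returns -1 if a limit call failed or the failure was not EMFILE.
 */
int
open_until_emfile(int limit)
{
	struct rlimit old, tmp;
	int fds[MAXTRY], n, got, err = 0;

	if (limit < 1 || limit > MAXTRY || getrlimit(RLIMIT_NOFILE, &old) == -1)
		return -1;
	tmp = old;
	tmp.rlim_cur = (rlim_t)limit;
	if (setrlimit(RLIMIT_NOFILE, &tmp) == -1)
		return -1;
	for (n = 0; n < MAXTRY; n++) {
		fds[n] = open("/dev/null", O_RDONLY);
		if (fds[n] == -1) {
			err = errno;
			break;
		}
	}
	got = n;
	while (n-- > 0)
		close(fds[n]);
	setrlimit(RLIMIT_NOFILE, &old);		/* put the limit back */
	return err == EMFILE ? got : -1;
}

int
main(void)
{
	printf("inherited RLIMIT_NOFILE soft limit: %lld\n", report_limit());
	printf("under a soft limit of 64, %d more descriptors could be opened "
	    "(stdin, stdout and stderr already count)\n", open_until_emfile(64));
	return 0;
}
```

Run it as the account and login class you intend to start the daemon with (for instance via su -c class) and the first line tells you what that daemon will actually get; if the number is the 128 or so that the default class gives, raising openfiles-cur in that class, not in the class of the SFTP users, is what fixes the error.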
Ramifications of blocking SYN+FIN TCP packets
I understand that this might annoy a few of you; if it does please accept my apologies.

The place I work is required to have an external security scan from time to time and the latest scan says that we have failed because the firewall responded to a TCP packet that has the SYN and FIN flags set. I know that OpenBSD isn't vulnerable to the exploits that use this:

http://www.kb.cert.org/vuls/id/IAFY-5F8RWP

However, I don't see any reason to respond to a packet with SYN and FIN set, AND a firewall rule that drops said TCP packets would fix the fact that we are now non-compliant as far as the security scan goes. I think a pf rule such as:

block drop in quick proto tcp all flags SF/SF

would do it. Does anyone see a way that this would come back to bite me on the ass later?

Stuart van Zee
stua...@datalinesys.com

Sage advice requested... fire retardant underwear in place...
Re: How to break the httpd's 4G file size limit?
On 2009-03-10 at 14:34:30, you wrote:
> I want to set up the web server to share files, but I know apache-1.3.x (which is the OpenBSD default httpd) has the 4G file size limit. Can I break this limit?

I don't know the correct answer to this question, but I thought of a possible work-around in the event the answer is no. Could you write a CGI program that serves the file? I don't know where Apache's 4 GB limit is. But if the limitation is in how Apache accesses the filesystem and not in how it manages network connections, then maybe a program that is capable of reading large files could get around the limit. This would most likely require mangling the URLs to the large files to really point to the program, unless you can do some mod_rewrite magic.

Dan Ramaley                     Dial Center 118, Drake University
Network Programmer/Analyst      2407 Carpenter Ave
+1 515 271-4540                 Des Moines IA 50311 USA
Re: Ramifications of blocking SYN+FIN TCP packets
On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
> I understand that this might annoy a few of you; if it does please accept my apologies.
>
> The place I work is required to have an external security scan from time to time and the latest scan says that we have failed because the firewall responded to a TCP packet that has the SYN and FIN flags set. I know that OpenBSD isn't vulnerable to the exploits that use this:
>
> http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
>
> However, I don't see any reason to respond to a packet with SYN and FIN set, AND a firewall rule that drops said TCP packets would fix the fact that we are now non-compliant as far as the security scan goes. I think a pf rule such as:
>
> block drop in quick proto tcp all flags SF/SF
>
> would do it. Does anyone see a way that this would come back to bite me on the ass later?

S/SAFR

I just had to deal with this on our customer's PCI scan. Don't argue with the logic, just do it. :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Ramifications of blocking SYN+FIN TCP packets
On Wed, Mar 11, 2009 at 10:54:18AM -0400, Jason Dixon wrote:
> On Wed, Mar 11, 2009 at 10:42:38AM -0400, Stuart VanZee wrote:
>> I understand that this might annoy a few of you; if it does please accept my apologies.
>>
>> The place I work is required to have an external security scan from time to time and the latest scan says that we have failed because the firewall responded to a TCP packet that has the SYN and FIN flags set. I know that OpenBSD isn't vulnerable to the exploits that use this:
>>
>> http://www.kb.cert.org/vuls/id/IAFY-5F8RWP
>>
>> However, I don't see any reason to respond to a packet with SYN and FIN set, AND a firewall rule that drops said TCP packets would fix the fact that we are now non-compliant as far as the security scan goes. I think a pf rule such as:
>>
>> block drop in quick proto tcp all flags SF/SF
>>
>> would do it. Does anyone see a way that this would come back to bite me on the ass later?
>
> S/SAFR
>
> I just had to deal with this on our customer's PCI scan. Don't argue with the logic, just do it. :)

I should clarify, you want to use the above flags on your pass rule. Don't bother with a block rule matching on flags.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
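The difference between the two rules discussed above, as an added example that models pf's flag test rather than quoting pf's source: pf.conf(5)'s `flags <set>/<mask>` matches when, of the TCP flag bits named in <mask>, exactly the ones named in <set> are on. With `flags S/SA` the FIN bit is not in the mask, so a SYN+FIN segment matches a pass rule and creates state; with `flags S/SAFR` it does not, and `block ... flags SF/SF` matches it regardless of the other bits. The parser, the function names and the rule that every flag in <set> must also appear in <mask> are this example's own; `flags any` is treated as checking nothing.

```c
/*
 * Added example, not pf's code: a model of how pf(4) evaluates the
 * "flags <set>/<mask>" syntax of pf.conf(5). A packet matches when, of the
 * TCP flags named in <mask>, exactly those named in <set> are on. This
 * model insists that <set> be a subset of <mask> and treats "any" as
 * "check nothing"; both are this example's rules, not a quote of pf.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, as in <netinet/tcp.h> */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* pf.conf(5) letters in bit order: (F)IN (S)YN (R)ST (P)USH (A)CK (U)RG (E)CE (W)CWR */
static const char letters[] = "FSRPAUEW";

/* Letter -> bit, or -1 for an unknown letter. */
static int
flagbit(char c)
{
	const char *p = c == '\0' ? NULL : strchr(letters, c);
	return p == NULL ? -1 : 1 << (p - letters);
}

/* Parse n letters into a bitmask; -1 on an unknown letter. */
static int
parse_letters(const char *s, size_t n, uint8_t *out)
{
	int b;

	*out = 0;
	while (n-- > 0) {
		if ((b = flagbit(*s++)) < 0)
			return -1;
		*out |= (uint8_t)b;
	}
	return 0;
}

/* Parse "S/SAFR", "/SFRA" or "any" into (set, mask); -1 on bad syntax. */
int
pf_parse_flags(const char *spec, uint8_t *set, uint8_t *mask)
{
	const char *slash = strchr(spec, '/');

	if (strcmp(spec, "any") == 0) {
		*set = *mask = 0;
		return 0;
	}
	if (slash == NULL)
		return -1;
	if (parse_letters(spec, (size_t)(slash - spec), set) < 0 ||
	    parse_letters(slash + 1, strlen(slash + 1), mask) < 0)
		return -1;
	return (*set & ~*mask) ? -1 : 0;	/* set must be within mask */
}

/* The test itself: of the checked bits, exactly the set bits are on. */
int
pf_flags_match(uint8_t th_flags, uint8_t set, uint8_t mask)
{
	return (th_flags & mask) == set;
}

/* 1 if a segment carrying th_flags matches a rule written with spec,
 * 0 if not, -1 if spec does not parse. */
int
pf_rule_matches(const char *spec, uint8_t th_flags)
{
	uint8_t set, mask;

	if (pf_parse_flags(spec, &set, &mask) < 0)
		return -1;
	return pf_flags_match(th_flags, set, mask);
}

int
main(void)
{
	const char *specs[] = { "S/SA", "S/SAFR", "SF/SF" };
	const char *names[] = { "SYN", "SYN+FIN", "SYN+ACK" };
	const uint8_t pkts[] = { TH_SYN, TH_SYN | TH_FIN, TH_SYN | TH_ACK };
	size_t i, j;

	for (i = 0; i < 3; i++)
		for (j = 0; j < 3; j++)
			printf("flags %-7s vs %-8s -> %s\n", specs[i], names[j],
			    pf_rule_matches(specs[i], pkts[j]) ? "match" : "no match");
	return 0;
}
```

The table it prints is the whole argument: a SYN+FIN segment matches `S/SA` (and so would be allowed to create state by a pass rule written that way) but not `S/SAFR`, which is why the flags belong on the pass rule rather than on an extra block rule.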
Re: How to break the httpd's 4G file size limit?
Daniel A. Ramaley wrote:
> On 2009-03-10 at 14:34:30, you wrote:
>> I want to set up the web server to share files, but I know apache-1.3.x (which is the OpenBSD default httpd) has the 4G file size limit. Can I break this limit?
>
> I don't know the correct answer to this question, but I thought of a possible work-around in the event the answer is no. Could you write a CGI program that serves the file? I don't know where Apache's 4 GB limit is. But if the limitation is in how Apache accesses the filesystem and not in how it manages network connections, then maybe a program that is capable of reading large files could get around the limit. This would most likely require mangling the URLs to the large files to really point to the program, unless you can do some

The limitation is 2Gb on 32-bit platforms because of off_t (man lseek). Stock ftpd also has the mentioned limitation (try to REST a file beyond a 2Gb offset). Using any 64-bit platform will solve the problem due to the bigger off_t, but if that's not the case, one can use Apache 2.2.x from ports.

Alexey
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 05:37:14PM +0200, Alexey Suslikov wrote:
> The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

huh?

[gra...@nohead tmp]$ cat x.c
#include <sys/types.h>
#include <stdio.h>

int main(void)
{
	printf("size of off_t is %u bits\n", 8 * sizeof(off_t));
}
[gra...@nohead tmp]$ cc x.c
[gra...@nohead tmp]$ ./a.out
size of off_t is 64 bits
[gra...@nohead tmp]$ arch -s
i386

> Stock ftpd also has the mentioned limitation (try to REST a file beyond a 2Gb offset). Using any 64-bit platform will solve the problem due to the bigger off_t, but if that's not the case, one can use Apache 2.2.x from ports.
>
> Alexey

-- 
Alexander Yurchenko
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 05:37:14PM +0200, Alexey Suslikov wrote:
> Daniel A. Ramaley wrote:
>> On 2009-03-10 at 14:34:30, you wrote:
>>> I want to set up the web server to share files, but I know apache-1.3.x (which is the OpenBSD default httpd) has the 4G file size limit. Can I break this limit?
>>
>> I don't know the correct answer to this question, but I thought of a possible work-around in the event the answer is no. Could you write a CGI program that serves the file? I don't know where Apache's 4 GB limit is. But if the limitation is in how Apache accesses the filesystem and not in how it manages network connections, then maybe a program that is capable of reading large files could get around the limit. This would most likely require mangling the URLs to the large files to really point to the program, unless you can do some
>
> The limitation is 2Gb on 32-bit platforms because of off_t (man lseek). Stock ftpd also has the mentioned limitation (try to REST a file beyond a 2Gb offset). Using any 64-bit platform will solve the problem due to the bigger off_t, but if that's not the case, one can use Apache 2.2.x from ports.
>
> Alexey

This is not correct. off_t is 64-bit on all platforms.

-Otto
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 11:37 AM, Alexey Suslikov alexey.susli...@gmail.com wrote:
> The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

off_t is always 64-bit.

> Stock ftpd also has the mentioned limitation (try to REST a file beyond a 2Gb offset). Using any 64-bit platform will solve the problem due to the bigger off_t, but if that's not the case, one can use Apache 2.2.x from ports.

If using a 64-bit machine fixes it, then the type in question is not off_t.
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 17:56, Ted Unangst ted.unan...@gmail.com wrote:
> On Wed, Mar 11, 2009 at 11:37 AM, Alexey Suslikov alexey.susli...@gmail.com wrote:
>> The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).
>
> off_t is always 64-bit.
>
>> Stock ftpd also has the mentioned limitation (try to REST a file beyond a 2Gb offset). Using any 64-bit platform will solve the problem due to the bigger off_t, but if that's not the case, one can use Apache 2.2.x from ports.
>
> If using a 64-bit machine fixes it, then the type in question is not off_t.

Maybe you should try to transfer (using stock httpd) at least a 3Gb file on i386?

Also, I have the following in my archives:

-- Forwarded message --
From: Marc Balmer m...@msys.ch
Date: Fri, Jun 20, 2008 at 11:09
Subject: Re: Apache doesn't handle files > 2Gb properly
To: Alexey Suslikov alexey.susli...@gmail.com
Cc: Marc Balmer mbal...@openbsd.org, Jason McIntyre j...@openbsd.org

* Alexey Suslikov wrote:
> Hello Marc, Jason.
>
> Can you comment on this issue?
>
> http://marc.info/?t=121379382200010&r=1&w=2
>
> Maybe it is a good idea to add a warning note about large files on 32-bit platforms to the httpd man page or/and FAQ?

no. fix the problem, diffs are welcome ;) maybe, if I find time, I look into this myself.

- Marc
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 06:48:49PM +0300, Alexander Yurchenko wrote:
> On Wed, Mar 11, 2009 at 05:37:14PM +0200, Alexey Suslikov wrote:
>> The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).
>
> huh?
>
> [gra...@nohead tmp]$ cat x.c
> #include <sys/types.h>
> #include <stdio.h>
>
> int main(void)
> {
> 	printf("size of off_t is %u bits\n", 8 * sizeof(off_t));
> }
> [gra...@nohead tmp]$ cc x.c
> [gra...@nohead tmp]$ ./a.out
> size of off_t is 64 bits
> [gra...@nohead tmp]$ arch -s
> i386

This code is not portable. sizeof returns a size_t, which is 64 bits on 64-bit platforms. Better use %zu.

-Otto
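To put both points in this thread to a test (an added example, not OpenBSD source and not the x.c posted above): sizeof(off_t) printed with %zu, the conversion that matches size_t on every platform, and an lseek(2) to an offset beyond 4 GiB, which can only succeed with a 64-bit off_t. The two defines at the top are for glibc on 32-bit Linux, where the default off_t is 32 bits and mkstemp(3) needs a feature macro under strict C; on OpenBSD they change nothing. The function names and the /tmp path are this example's assumptions.

```c
/*
 * Added example, not OpenBSD source: off_t_bits() reports sizeof(off_t)
 * with %zu (sizeof yields a size_t, so %u is wrong wherever size_t is
 * 64-bit and int is 32-bit), and seek_past_4g() seeks a scratch file to
 * 5 GiB, which only works if off_t is 64 bits wide. The two defines are
 * for glibc on 32-bit Linux; OpenBSD's off_t is 64-bit regardless.
 */
#define _FILE_OFFSET_BITS 64	/* must precede every include */
#define _XOPEN_SOURCE 700	/* mkstemp(3) on strict-C builds */
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

size_t
off_t_bits(void)
{
	return 8 * sizeof(off_t);
}

/*
 * Seek an unlinked temporary file to 5 GiB and return the offset lseek(2)
 * reports, or -1 on failure. Seeking past EOF writes nothing, so no disk
 * space is used and the test is filesystem-independent.
 */
long long
seek_past_4g(void)
{
	char path[] = "/tmp/offt.XXXXXX";	/* assumed writable scratch dir */
	off_t target = (off_t)5 << 30, pos;
	int fd;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	unlink(path);			/* gone once the descriptor closes */
	pos = lseek(fd, target, SEEK_SET);
	close(fd);
	return (long long)pos;
}

int
main(void)
{
	printf("size of off_t is %zu bits\n", off_t_bits());
	printf("lseek to 5 GiB returned %lld\n", seek_past_4g());
	return 0;
}
```

Built with cc on OpenBSD/i386 it prints 64 and 5368709120, which is the point Otto and Ted make: a 2 GB ceiling in httpd or ftpd has to come from some other type (a long or an int used for an offset or byte count), not from off_t.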
Re: How long it should take for a fsck to check a 300GB hdd?
dmesg as promised:

OpenBSD 4.4-stable (SQUID_DISKD) #9: Sat Jan 10 19:27:35 CET 2009
    r...@pegasus.plan9.homeunix.net:/usr/src/sys/arch/i386/compile/SQUID_DISKD
cpu0: AMD Sempron(tm) Processor LE-1150 ("AuthenticAMD" 686-class, 256KB L2 cache) 2.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16
real mem = 1003974656 (957MB)
avail mem = 962015232 (917MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/01/08, BIOS32 rev. 0 @ 0xfb7c0, SMBIOS rev. 2.4 @ 0xf0100 (46 entries)
bios0: vendor Award Software International, Inc. version "F1" date 02/01/2008
bios0: Gigabyte Technology Co., Ltd. GA-MA74GM-S2H
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT HPET MCFG APIC
acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE8(S4) PS2K(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
ioapic0: misconfigured as apic 4, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P2P_)
acpiprt2 at acpi0: bus -1 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus -1 (PCE4)
acpiprt5 at acpi0: bus -1 (PCE5)
acpiprt6 at acpi0: bus 2 (PCE6)
acpiprt7 at acpi0: bus -1 (PCE7)
acpiprt8 at acpi0: bus -1 (PCE8)
acpiprt9 at acpi0: bus 1 (AGP_)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xd600 0xd/0x1a00
cpu0: PowerNow! K8 2010 MHz: speeds: 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ATI RS740 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "ATI RS690 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon 2100" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
ppb1 at pci0 dev 6 function 0 "ATI RS690 PCIE" rev 0x00
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C (0x3c00), apic 2 int 18 (irq 10), address 00:1f:d0:5a:41:fa
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ahci0 at pci0 dev 17 function 0 "ATI IXPx00 SATA" rev 0x00: apic 2 int 22 (irq 11), AHCI 1.1
scsibus0 at ahci0: 32 targets, initiator 32
sd0 at scsibus0 targ 0 lun 0: <ATA, HITACHI HUA7210S, GKAO> SCSI3 0/direct fixed
sd0: 953868MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953523055 sec total
sd1 at scsibus0 targ 1 lun 0: <ATA, HITACHI HUA7210S, GKAO> SCSI3 0/direct fixed
sd1: 953869MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953525168 sec total
sd2 at scsibus0 targ 2 lun 0: <ATA, HDS725050KLA360, K2AO> SCSI3 0/direct fixed
sd2: 476938MB, 60801 cyl, 255 head, 63 sec, 512 bytes/sec, 976771055 sec total
sd3 at scsibus0 targ 3 lun 0: <ATA, Hitachi HDT72505, V56O> SCSI3 0/direct fixed
sd3: 476938MB, 60801 cyl, 255 head, 63 sec, 512 bytes/sec, 976771055 sec total
sd4 at scsibus0 targ 4 lun 0: <ATA, WDC WD10EACS-00D, 01.0> SCSI3 0/direct fixed
sd4: 953869MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953525168 sec total
ohci0 at pci0 dev 18 function 0 "ATI IXP700 USB" rev 0x00: apic 2 int 16 (irq 3), version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 "ATI IXP700 USB" rev 0x00: apic 2 int 16 (irq 3), version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI IXP700 USB2" rev 0x00: apic 2 int 17 (irq 7)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
ohci2 at pci0 dev 19 function 0 "ATI IXP700 USB" rev 0x00: apic 2 int 18 (irq 10), version 1.0, legacy support
ohci3 at pci0 dev 19 function 1 "ATI IXP700 USB" rev 0x00: apic 2 int 18 (irq 10), version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "ATI IXP700 USB2" rev 0x00: apic 2 int 19 (irq 5)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI IXPx00 SMBus" rev 0x3a: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
pciide0 at pci0 dev 20 function 1 "ATI IXP700 IDE" rev 0x00: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pcib0 at pci0 dev 20 function 3 "ATI IXP700 ISA" rev 0x00
ppb2 at pci0 dev 20 function 4 "ATI IXP600 PCI" rev 0x00
pci3 at ppb2 bus 3
ohci4 at pci0 dev 20 function 5 "ATI IXP700 USB" rev 0x00: apic 2 int 18 (irq 10), version 1.0, legacy support
pchb1 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
pchb2 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00: core rev DH-G1
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb3
Re: mouse cursor is gone after running xorgconfig with nv driver
On Tue, 10 Mar 2009, microlaser wrote:
> Hi,
>
> I am running openbsd 4.4 on an amd64 with the nv driver, with an nvidia gforce 6200. I used xorgconfig to reconfigure x and now the mouse cursor is gone. anyone have any idea how to get it back?
>
> Thanks

I don't know how your mouse went away. As you said, you reconfigured Xorg, and the problem must be there. Also, you just told your problem, but gave no more information to help people help you, like (at least) /var/log/Xorg.0.log.

I have a problem with my mouse too: the pointer often goes away. But it has nothing to do with configuration. The pointer simply disappears, and even restarting Xorg gets it back.

--
Daniel Bolgheroni
m...@dbolgheroni.eng.br
FEI - Faculdade de Engenharia Industrial
http://www.dbolgheroni.eng.br/mykey

ASCII ribbon campaign ( )
 against HTML e-mail  X
                     / \
Re: Nginx: filedescriptors, users and login.conf confusion
> If nginx is running as 'www' then you're building your own nginx rather than using the package? If so, then nginx is starting however you tell it, and without details it's impossible to say.

It's installed through the package and I use a startup as advised in /etc/rc.local. However the 'user' in the nginx.conf is set to 'www'.

Thanks for the pointers - I will add a daemon class to login.conf.

Like with the MySQL examples [1], should I restart nginx through a shell script as well? (Per documentation it is advised to restart nginx with 'kill -HUP pid')

Thanks,
Matt

[1] http://openbsdsupport.org/mysql.htm#/etc/rc.local
Re: Ramifications of blocking SYN+FIN TCP packets
On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jason Dixon wrote:
>
> S/SAFR
>
> I just had to deal with this on our customer's PCI scan. Don't argue with the logic, just do it. :)
>
> Let me guess -- TrustKeeper? We just had to deal with this as well. Submit an appeal and they should accept it.
>
> Yup.
>
> The flags S/SAFR will work unless you are being a good little pf admin and also scrubbing all the traffic. The problem is pf considers SYN-RST packets to be illegal and drops them (good) but only considers SYN-FIN packets to be ambiguous and so it normalizes them and clears the FIN bit (in this case for the PCI scan - bad). Then your server behind the firewall receives what it thinks is a nice clean SYN packet and it sends back SYN-ACK.
>
> Yes, we have our own reasons not to scrub there.

Well, *someone* has their reasons. I have to deal with those reasons. ;)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
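As an added example (not pf source, not code from anyone in the thread), here is a small C model of the ordering David and Jason describe: the scrub step runs before the rule with flags S/SAFR is evaluated, so a scanner's SYN+FIN reaches the rule as a plain SYN and is passed, while SYN+RST is dropped outright. The TH_* values are the standard TCP flag bits; the scrub behaviour is modelled from the thread's description only, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard TCP header flag bits. */
#define TH_FIN	0x01
#define TH_SYN	0x02
#define TH_RST	0x04
#define TH_ACK	0x10

/*
 * pf "flags S/SAFR": of the bits named in the mask (SYN, ACK, FIN, RST)
 * exactly SYN must be set.  A bare SYN matches; SYN+FIN, SYN+ACK and
 * SYN+RST do not, which is why the rule alone keeps the scanner happy.
 */
int
flags_match_s_safr(uint8_t th_flags)
{
	const uint8_t mask = TH_SYN | TH_ACK | TH_FIN | TH_RST;
	const uint8_t set = TH_SYN;

	return (th_flags & mask) == set;
}

/*
 * Model of the scrub behaviour as described in the thread (not pf's
 * normalisation code): SYN+RST is illegal and the packet is dropped
 * (returns 0); SYN+FIN is only ambiguous, so the FIN bit is cleared and
 * the packet continues (returns 1 with *th_flags rewritten).
 */
int
scrub_normalize(uint8_t *th_flags)
{
	if ((*th_flags & (TH_SYN | TH_RST)) == (TH_SYN | TH_RST))
		return 0;
	if ((*th_flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN))
		*th_flags &= (uint8_t)~TH_FIN;
	return 1;
}

/*
 * One packet through the pipeline: optional scrub first, then the
 * S/SAFR rule.  Returns 1 if the packet reaches the host behind pf.
 */
int
packet_passes(uint8_t th_flags, int scrub_enabled)
{
	if (scrub_enabled && !scrub_normalize(&th_flags))
		return 0;
	return flags_match_s_safr(th_flags);
}

int
main(void)
{
	uint8_t synfin = TH_SYN | TH_FIN;	/* constructed: what the scan sends */

	printf("SYN+FIN, no scrub: %s\n",
	    packet_passes(synfin, 0) ? "passes" : "blocked");
	printf("SYN+FIN, scrub:    %s\n",
	    packet_passes(synfin, 1) ? "passes" : "blocked");
	return 0;
}
```

The second line is the scan finding: with scrub on, the SYN+FIN is rewritten to a SYN before the flags rule sees it, so the host answers SYN-ACK. Without scrub, the S/SAFR rule alone blocks it.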
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 12:01 PM, Alexey Suslikov alexey.susli...@gmail.com wrote:
> On Wed, Mar 11, 2009 at 17:56, Ted Unangst ted.unan...@gmail.com wrote:
>> If using a 64-bit machine fixes it, then the type in question is not off_t.
>
> Maybe you should try to transfer (using stock httpd) at least a 3Gb file on i386?

I didn't say it wasn't a problem, I said your diagnosis was incorrect.

> Also, I have the following in my archives:
> http://marc.info/?t=121379382200010r=1w=2

from that very thread, the problem is using long *instead* of off_t. Using off_t would fix the problem.

http://marc.info/?l=openbsd-bugsm=121379609212212w=2
Re: Nginx: filedescriptors, users and login.conf confusion
On Wed, Mar 11, 2009 at 06:01:31PM +0100, Matt wrote:
>> If nginx is running as 'www' then you're building your own nginx rather than using the package? If so, then nginx is starting however you tell it, and without details it's impossible to say.
>
> It's installed through the package and I use a startup as advised in /etc/rc.local. However the 'user' in the nginx.conf is set to 'www'.

Ah, ok.

> Thanks for the pointers - I will add a daemon class to login.conf.

There's already a daemon class in the stock login.conf. You can play with that or copy it to a new one for www, nginx, or whatever you like. Then change your rc.local to use su -c class.

> Like with the MySQL examples [1], should I restart nginx through a shell script as well? (Per documentation it is advised to restart nginx with 'kill -HUP pid')

'kill -HUP pid' will not work for this. You will need to 'kill pid' to terminate it completely, then start it fresh. Otherwise the new login class will not be applied. Whether you do that with a script or by hand is up to you.

--
Darrin Chandler            | Phoenix BSD User Group  | MetaBUG
dwchand...@stilyagin.com   | http://phxbug.org/      | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert   | Global BUG Federation
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 19:11, Ted Unangst ted.unan...@gmail.com wrote:
> On Wed, Mar 11, 2009 at 12:01 PM, Alexey Suslikov alexey.susli...@gmail.com wrote:
>> On Wed, Mar 11, 2009 at 17:56, Ted Unangst ted.unan...@gmail.com wrote:
>>> If using a 64-bit machine fixes it, then the type in question is not off_t.
>>
>> Maybe you should try to transfer (using stock httpd) at least a 3Gb file on i386?
>
> I didn't say it wasn't a problem, I said your diagnosis was incorrect.
>
>> Also, I have the following in my archives:
>> http://marc.info/?t=121379382200010r=1w=2
>
> from that very thread, the problem is using long *instead* of off_t. Using off_t would fix the problem.
>
> http://marc.info/?l=openbsd-bugsm=121379609212212w=2

I can't recall the exact code from httpd, but how about libexec/ftpd:

...
extern off_t restart_point;
...
	if (restart_point) {
		if (type == TYPE_A) {
			off_t i, n;
			int c;

			n = restart_point;
			i = 0;
			while (i++ < n) {
				if ((c = getc(fin)) == EOF) {
					if (ferror(fin)) {
						perror_reply(550, name);
						goto done;
					} else
						break;
				}
				if (c == '\n')
					i++;
			}
		} else if (lseek(fileno(fin), restart_point, SEEK_SET) < 0) {
			perror_reply(550, name);
			goto done;
		}
	}
...

The above code effectively results in an inability to REST beyond 2Gb on i386; however, a sequential read from position 0 will be ok.

Alexey
openbsd - microsoft vpn interoperability
Hi everyone. A web search only picked up antiquated information on this one. I'm talking about setting up a network to network VPN between Microsoft and OpenBSD gateways. I'm here asking for comments on what people are actually doing and hopefully with pros and cons included. So which solution? OpenVPN or native IPSEC (isakmpd)? The OpenBSD side will be running 4.5. At this time I'm not sure what will be on the other end but I know it is currently managing tunnels with other MS-based products. Thanks in advance to any responders. -- jm
Re: How to break the httpd's 4G file size limit?
On Wed, Mar 11, 2009 at 1:21 PM, Alexey Suslikov alexey.susli...@gmail.com wrote:
> I can't recall the exact code from httpd, but how about libexec/ftpd:
>
> ...
> extern off_t restart_point;
> ...

you're looking at the wrong code.

ftpcmd.y:
	restart_point = $4;	/* XXX $4 is only int */
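To make the truncation Ted points at concrete, here is an added example in C (not code from ftpd, httpd or OpenBSD). legacy_parse_offset() mirrors the "$4 is only int" path: the offset is held in an int before it is widened into the 64-bit restart_point, so the damage is done before off_t is ever involved. safe_parse_offset() parses straight into a 64-bit value with range and junk checks, and offset_fits() answers the i386 question for any register width without depending on the host. The 3 GiB input is constructed for the demo; the function names are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not ftpd/httpd code.  Mirrors "restart_point = $4;" with
 * $4 an int: the value is narrowed to int first and only then widened to
 * 64 bits, so anything above INT_MAX (2 GiB - 1) is already gone.  The
 * narrowing conversion is implementation-defined in C; on the usual
 * two's-complement compilers it wraps to a different, often negative, value.
 */
long long
legacy_parse_offset(const char *s)
{
	int narrow = (int)strtoll(s, NULL, 10);	/* truncation happens here */
	long long restart_point = narrow;	/* widening is too late */

	return restart_point;
}

/*
 * Parse directly into a 64-bit value and reject what an offset can never
 * be: empty input, trailing junk, negative numbers, and values strtoll
 * cannot represent.  Returns -1 on any error so a caller cannot mistake
 * garbage for a file position.
 */
long long
safe_parse_offset(const char *s)
{
	char *end;
	long long v;

	if (s == NULL || *s == '\0')
		return -1;
	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno == ERANGE || end == s || *end != '\0')
		return -1;
	if (v < 0)
		return -1;
	return v;
}

/*
 * Can a non-negative offset v be carried by a signed integer of 'bits'
 * bits?  A 32-bit int or long (i386) stops at 2 GiB - 1; a 64-bit off_t
 * does not, which is the whole of the diagnosis in this thread.
 */
int
offset_fits(long long v, unsigned bits)
{
	long long max;

	if (v < 0 || bits == 0)
		return 0;
	if (bits >= 64)
		return 1;
	max = ((long long)1 << (bits - 1)) - 1;
	return v <= max;
}

int
main(void)
{
	const char *three_gib = "3221225472";	/* constructed input: 3 GiB */

	printf("legacy int path: %lld\n", legacy_parse_offset(three_gib));
	printf("64-bit path:     %lld\n", safe_parse_offset(three_gib));
	printf("fits in 32 bits: %d, in 64 bits: %d\n",
	    offset_fits(3221225472LL, 32), offset_fits(3221225472LL, 64));
	return 0;
}
```

The point of the pair is Ted's: switching the destination to off_t is not enough if the value passes through an int or a long on the way, which is exactly what a yacc rule assigning an int token does.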
Re: vic(4) on amd64
> I see that the vic(4) driver is still not in amd64/conf/GENERIC. Has anyone any recent experience with this driver+platform, or know whether its absence reflects a known problem or just lack of testing? For the record, it works fine for me on an i386 guest on ESXi 3.5 U3, with adaptor type "flexible".

I'm fairly confident that using anything other than the default e1000 network device with 64-bit guests is discouraged by VMWare. At the very least, e1000 is what new 64-bit guests default to, and I've personally had plenty of success using the em driver with all sorts of 64-bit *BSD guests in this configuration.

-J
Re: openbsd - microsoft vpn interoperability
Juan Miscaro wrote:
> ...
> I'm here asking for comments on what people are actually doing and hopefully with pros and cons included. So which solution? OpenVPN or native IPSEC (isakmpd)?
> ...

MS products are not really designed for interoperability, rather the opposite. So you may wish to reconsider parts of the design to avoid 'native' components of that platform.

The choices appear to be SSL or IPSEC,

	http://www.vpnc.org/vpn-standards.html

-Lars
4.4 on ESXi 3.5 (was: vic(4) on amd64)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Josh Archambault wrote:
> I'm fairly confident that using anything other than the default e1000 network device with 64-bit guests is discouraged by VMWare.

It would appear that you're correct. Though the documentation does not make that clear, I do find this point made in their forums.

> At the very least, e1000 is what new 64-bit guests default to, and I've personally had plenty of success using the em driver with all sorts of 64-bit *BSD guests in this configuration.

Likewise, I'm using the e1000 with em, and it's fine. There is known to be a non-trivial difference in measured (though not necessarily real-world) performance between vmxnet and e1000 on 32 bit guests, so all else being equal, one would naturally prefer vmxnet. I didn't realize that this did not necessarily generalize to 64 bit guests. Thanks for bringing that to my attention.

In other news, for the benefit of anyone else using this combination of OS and hypervisor: I discovered a severe performance problem, wherein an OpenBSD guest would run fine for some period of hours, and then become horribly bogged down during disk operations, to the point of unusability. This was true even when the guest was nearly idle and the VM host had abundant uncommitted resources, and was equally true on 32 bit and 64 bit OpenBSD guests. This was a showstopper, but the problem appears to have been resolved by lying to the hypervisor. Since I told it that the guest was "Red Hat Enterprise Linux 64 bit", instead of "Other 64 bit", the problem has so far not recurred.

Cheers
-d

- --
David Talkington
dt...@drizzle.com
- --
PGP key: http://www.flyingjoke.org/keys/801E3976.asc
-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJJuAquAAoJEO7jL1CAHjl2WTAH/R4SndPEO7Rsn3PhbTm+GsWo
vGMo45ZKgxOhuz4eLQVBQvqC46ON7aISshXTly8zGzumEbi2rFbHdFT91A+02Et7
NvURrLv0mMgt38jwsE68NX/dfOfI7ycoNylI9Yi52+dh6d7ldidlV7LCWN6TxLB9
iMouIlUTHu+I/3rtlWYGIQHa0Myvgtb7yKED6npvwEAU70UwQ3xIEP+aRRD2rzVp
BfHRWjuJGj/2RKmvy31sgh6VNRckM5NWaXByJNsNdtE2bEqNI2/Fy1dOzvkYUs9Z
k5sjUAZXWJ9r66kMWiSs7k8bqtRICcyiVsnNPQAt50gB8sQBdGlHlU0tiXt0YZg=
=QiyD
-----END PGP SIGNATURE-----
Re: openbsd - microsoft vpn interoperability
2009/3/11 Lars Noodén l...@umich.edu:
> Juan Miscaro wrote:
>> ...
>> I'm here asking for comments on what people are actually doing and hopefully with pros and cons included. So which solution? OpenVPN or native IPSEC (isakmpd)?
>> ...
>
> MS products are not really designed for interoperability, rather the opposite. So you may wish to reconsider parts of the design to avoid 'native' components of that platform.
>
> The choices appear to be SSL or IPSEC,
>
> 	http://www.vpnc.org/vpn-standards.html
>
> -Lars

Thanks. Yeah, I am going to push to have an OpenBSD portal installed on the remote end. Thing is, how am I going to get it installed?

--
jm
Re: openbsd - microsoft vpn interoperability
Juan Miscaro wrote:
> Thanks. Yeah, I am going to push to have an OpenBSD portal installed on the remote end. Thing is, how am I going to get it installed?

http://openvpn.net/index.php/downloads.html
http://openvpn.net/howto.html#startup
http://www.openbsd.org/4.4_packages/i386/openvpn-2.1rc7.tgz-long.html

Or is it a question of physical access?

-Lars
Re: NFS or SAMBA ?
2009/3/9 Henning Brauer lists-open...@bsws.de:
> * Guillermo Bernaldo de Quiros Maraver debug...@gmail.com [2009-02-13 21:06]:
>> if you have a shared network between WINDOWS and OpenBSD i recommend Samba if not, NFS
>>
>> NFS = Insecure
>> SAMBA = Have a problems, but, it's more secure.
>
> that is the most ridiculous bullshit I have ever read here in some time.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

that is the most entertaining flame I have ever read here in some time. LOL! I'm loving your aggression man. ^_^
How to mount samba shares in OpenBSD?
'running 4.4-RELEASE here. I've got SAMBA running on my Chuck Norris/kick-ass OpenWrt file server but I want to mount those shares onto my OpenBSD laptop. I've read the smbclient man page and I've googled. Is sharity-light the only (client) option?
Re: Nginx: filedescriptors, users and login.conf confusion
Matt wrote:
>> If nginx is running as 'www' then you're building your own nginx rather than using the package? If so, then nginx is starting however you tell it, and without details it's impossible to say.
>
> It's installed through the package and I use a startup as advised in /etc/rc.local. However the 'user' in the nginx.conf is set to 'www'.
>
> Thanks for the pointers - I will add a daemon class to login.conf.
>
> Like with the MySQL examples [1], should I restart nginx through a shell script as well? (Per documentation it is advised to restart nginx with 'kill -HUP pid')

The kill -HUP will just read the configuration again. I could be wrong here, but as I stated on the faq as well, "Remember, if you don't do this, it will use the default class! Same if you restart MySQL manually!" Classes are read and used on login; the class is processed only at login, so you will need to totally kill the daemon and restart it with the class as you saw in the example, and adjust it for your needs obviously.

su -c _mysql root -c '/usr/local/bin/mysqld_safe &' >/dev/null && echo -n ' mysql'

> Thanks,
> Matt
>
> [1] http://openbsdsupport.org/mysql.htm#/etc/rc.local

That reminds me that I should update it for 4.5 as well.

Daniel
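A login.conf stanza for the approach Darrin and Daniel describe, added here as an example (it is not from the thread, the openbsdsupport.org FAQ or the nginx package). It derives a dedicated class from the stock daemon class and overrides only the descriptor limits; the class name and the limit values are assumptions to be tuned to the expected connection count.

```conf
# /etc/login.conf (added example; the values are assumptions, tune to your load)
# A class for nginx that inherits everything from the stock "daemon" class
# via tc= and raises only the per-process open-file limits.
nginx:\
	:openfiles-cur=4096:\
	:openfiles-max=8192:\
	:tc=daemon:
```

After editing, run cap_mkdb /etc/login.conf so the database matches the text file. Then, as the replies say, stop the running nginx completely (a plain kill of the master process, not kill -HUP, which only rereads nginx.conf) and start it under the class from rc.local with the same pattern as the MySQL line, e.g. su -c nginx root -c '/usr/local/sbin/nginx' (the binary path is assumed). To confirm the class took effect before touching the daemon, su -c nginx root -c 'ulimit -n' should print 4096, while a plain ulimit -n in a root shell prints the default class's value.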
Re: openbsd - microsoft vpn interoperability
2009/3/11 Lars Noodén l...@umich.edu:
> Juan Miscaro wrote:
>> Thanks. Yeah, I am going to push to have an OpenBSD portal installed on the remote end. Thing is, how am I going to get it installed?
>
> http://openvpn.net/index.php/downloads.html
> http://openvpn.net/howto.html#startup
> http://www.openbsd.org/4.4_packages/i386/openvpn-2.1rc7.tgz-long.html
>
> Or is it a question of physical access?
>
> -Lars

Right, physically install the machine.

--
jm
Re: How to mount samba shares in OpenBSD?
On Wed, 11 Mar 2009, Shagbag OpenBSD wrote:
> 'running 4.4-RELEASE here. I've got SAMBA running on my Chuck Norris/kick-ass OpenWrt file server but I want to mount those shares onto my OpenBSD laptop. I've read the smbclient man page and I've googled. Is sharity-light the only (client) option?

Since your itsy bitty OpenWrt server is so kick-ass I recommend you run NFS. Or is it not kick-ass enough to run NFS?

Oh, yeah, sharity-light is it for SMB shares.

diana
Re: IP aliases: how many in one server with OpenBSD 4.4? Is it possible to change the limit?
* Alvaro Mantilla Gimenez alv...@dydnetworks.com [2009-02-19 02:52]:
> Anyways, the question is still valid: how many IP aliases can we reach in an OpenBSD system? Which is the limit?

in theory, there is none but memory. in practice, it is a simple linked list, so things get slower at some point.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
strange load values
Hey there!

I have a Compaq DL580 G1 with 4x700Mhz PIII, 2GB RAM, 2x36GB U320 SCSI on a HP SmartArray 5300 with 64MB BBU. It's a general purpose 'hobby' server. The average concurrent connections are 20-30, mostly resolver queries for bind. The load is always around 1.0 and frequently jumps up to 2. Is this normal for OpenBSD 4.4 on a machine like this?

OpenBSD 4.4 (GENERIC.MP) #0: Sat Dec 6 13:06:44 CET 2008
    /usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III Xeon ("GenuineIntel" 686-class) 702 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 2147037184 (2047MB)
avail mem = 2067615744 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xe6000 (57 entries)
bios0: vendor Compaq version "P20" date 12/17/2002
bios0: Compaq ProLiant DL580
acpi0 at bios0: rev 0, can't enable ACPI
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1800 0xcd800/0x4000 0xe8000/0x6000 0xee000/0x2000!
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 3 (boot processor)
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium III Xeon ("GenuineIntel" 686-class) 702 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel Pentium III Xeon ("GenuineIntel" 686-class) 702 MHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu3 at mainbus0: apid 2 (application processor)
cpu3: Intel Pentium III Xeon ("GenuineIntel" 686-class) 702 MHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
mainbus0: bus 0 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 7 is type PCI
mainbus0: bus 15 is type ISA
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 35 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20HE Host" rev 0x23
pci1 at pchb0 bus 2
"Compaq PCI Hotplug" rev 0x12 at pci1 dev 5 function 0 not configured
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20HE Host" rev 0x01
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20HE Host" rev 0x01
pchb3 at pci0 dev 0 function 3 "ServerWorks CNB20HE Host" rev 0x01
pci2 at pchb3 bus 7
"Compaq PCI Hotplug" rev 0x12 at pci2 dev 5 function 0 not configured
ciss0 at pci2 dev 7 function 0 "Compaq Smart Array 5300 rev.2" rev 0x02: apic 8 int 11 (irq 11)
ciss0: 1 LD, HW rev 0, FW 3.40/3.40
scsibus0 at ciss0: 1 targets, initiator 1
sd0 at scsibus0 targ 0 lun 0: <COMPAQ, LOGICAL VOLUME, 3.40> SCSI0 0/direct fixed
sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
"Compaq Netelligent ASMC" rev 0x00 at pci0 dev 3 function 0 not configured
cac0 at pci0 dev 4 function 0 "Symbios Logic 53c1510" rev 0x02: apic 8 int 5 (irq 5), Integrated Array
cac0: no volumes defined
vga1 at pci0 dev 5 function 0 "ATI Mach64 GV" rev 0x7a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
fxp0 at pci0 dev 7 function 0 "Intel 8255x" rev 0x08, i82559: apic 8 int 3 (irq 3), address 00:02:a5:3f:e0:ea
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
piixpm0 at pci0 dev 15 function 0 "ServerWorks OSB4" rev 0x51: SMBus disabled
pciide0 at pci0 dev 15 function 1 "ServerWorks OSB4 IDE" rev 0x00: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus1 targ 0 lun 0: <COMPAQ, CD-224E, 9.0C> ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b

--
Gabri Mate
Re: 4.4 on ESXi 3.5 (was: vic(4) on amd64)
On Wed, Mar 11, 2009 at 4:02 PM, dt...@drizzle.com wrote:
> Josh Archambault wrote:
>> I'm fairly confident that using anything other than the default e1000 network device with 64-bit guests is discouraged by VMWare.
>
> It would appear that you're correct. Though the documentation does not make that clear, I do find this point made in their forums.
>
>> At the very least, e1000 is what new 64-bit guests default to, and I've personally had plenty of success using the em driver with all sorts of 64-bit *BSD guests in this configuration.
>
> Likewise, I'm using the e1000 with em, and it's fine. There is known to be a non-trivial difference in measured (though not necessarily real-world) performance between vmxnet and e1000 on 32 bit guests, so all else being equal, one would naturally prefer vmxnet. I didn't realize that this did not necessarily generalize to 64 bit guests. Thanks for bringing that to my attention.
>
> In other news, for the benefit of anyone else using this combination of OS and hypervisor: I discovered a severe performance problem, wherein an OpenBSD guest would run fine for some period of hours, and then become horribly bogged down during disk operations, to the point of unusability. This was true even when the guest was nearly idle and the VM host had abundant uncommitted resources, and was equally true on 32 bit and 64 bit OpenBSD guests. This was a showstopper, but the problem appears to have been resolved by lying to the hypervisor. Since I told it that the guest was "Red Hat Enterprise Linux 64 bit", instead of "Other 64 bit", the problem has so far not recurred.
>
> Cheers
> -d
>
> --
> David Talkington
> dt...@drizzle.com

Hi. Just to share my experience, I have been running OpenBSD 4.3/i386 and now 4.4/i386 for a while in VMware ESX 3.5 and it runs fine. I didn't have any stability problem with it, but the disk I/O operations are just too slow. To unpack ports.tar.gz, for example, it took about 8 minutes. But, as the machine doesn't do much disk I/O, it's fine. The network performance I didn't measure either, but for normal usage it's ok and I didn't get any timeout from the card. I'm using softdep and noatime to increase the I/O performance a little bit:

/dev/sd0a on / type ffs (local, noatime, softdep)
/dev/sd0d on /var type ffs (local, noatime, nodev, nosuid, softdep)

Here's a dmesg:

OpenBSD 4.4 (GENERIC.MP) #2: Mon Nov 10 16:19:31 BRST 2008
    r...@kyubi.openbsd-sp.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
real mem = 2146988032 (2047MB)
avail mem = 2067566592 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/30/08, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 01/30/2008
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC BOOT
acpi0: wakeup devices USB_(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5335 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
bios0: ROM list: 0xc/0x8000 0xc8000/0x1e00! 0xca000/0x1000 0xdc000/0x4000! 0xe/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
Re: gem0 on Sun V120 goes dead in a few minutes with gem0: device timeout error on bsd 4.5, but works without issue on bsd.mp 4.5.
Daniel Ouellet wrote:
> Hi,
>
> With the 4.5 kernel on Sun V120, the Ethernet interface will go dead after a few minutes. Maybe 5 to 15 minutes. No consistency yet that I can see. When this happens, all access to the server is gone and there is no ping reply as well. The only way is to log in via the console and simply do:
>
> ifconfig gem0 down
> ifconfig gem0 up
>
> And then you are good for a few more minutes. The only thing I see in the logs is a message like this:
>
> gem0: device timeout
>
> However, these were present in 4.4 as well; never was the connection totally lost, meaning maybe there was a dead time and it came back, I can't say for sure, but nevertheless the same server ran for months without issue whatsoever in doing its thing. Installing 4.5 now gives this loss of connectivity.
>
> I also tried bsd.mp to see if that was different. So far no issue whatsoever, nor is there any timeout warning in the logs, and it's now been operating for 3 hours.

Small update on this. The same thing happens on the mp kernel, but just way later. Same error in the logs, and instead of being a few minutes, it lasted 19 hours.

gem0: device timeout

# uptime
 4:26PM  up 19:22, 1 user, load averages: 0.17, 0.12, 0.22
label rule on pf
Hello,

Is it possible to 'label' the matched rule in the pf log? I'm having this:

Mar 11 20:50:57.307005 rule 0/(match) rdr in on fxp1: 209.85.220.166.57173 > 127.0.0.1.25: [|tcp] (DF)
Mar 11 20:54:13.568475 rule 0/(match) rdr in on fxp1: 81.92.222.103.52011 > 127.0.0.1.25: [|tcp] (DF)

I need (if it exists) something more 'readable'. Does someone know if it is possible?

tks a lot
Re: Quick question about an PF user's guide example
2009/3/11 Leonardo Rodrigues leonardov...@gmail.com:
> Hi everyone,
>
> I'm trying to build a PF / ALTQ ruleset that handles traffic between 3 internal interfaces and 1 external, so that the internal interfaces can have different priorities on the available bandwidth they can get from the external interface. I don't know if that's possible with only ALTQ rules, or if I'll have to use tagging, so I'm trying to understand some simple setups before.
>
> While reading the example #2 on the PF user's guide (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across the following ruleset:
>
> boss = 192.168.0.200
> ...
> altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
> ...
> queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
> ...
> # filter rules for fxp0 outbound
> pass out on fxp0 from $boss to any keep state queue boss_ext    <---
>
> Where fxp0 is the external interface (internet).
>
> My question is about that last rule above. Assuming that NAT is working so that the boss is able to surf the web, and since NAT translations happen before the filtering rules, then the rule above shouldn't work... right? The fxp0 interface would be able to filter only on already translated addresses (its own address), and not on untranslated addresses, like 192.168.0.200, which is the boss IP, on a different subnet. Would a rule like that work?

Well, the FAQ there also says:

> Note that only the pf.conf directives that apply directly to the above policy are present; nat, rdr, options, etc., are not shown.

Without that crucial bit of info --whether NAT is actually being done in this scenario-- it's not quite right to characterize this rule as incorrect (not that you'd said that either). Correct me if I'm wrong, but I'd imagine the rule would work if no NAT was being done.

I'm thus not sure if or how this part of the FAQ could be improved (but, at the peril of coming across as snarky, I'm sure Nick would welcome your diffs ;).

No offense, and kind regards, :)
--ropers
Re: OpenBGP 4.3/4.4 Gotchas
* Dan Carley dan.car...@gmail.com [2009-02-20 14:47]: This behaviour was thankfully not replicated with 4.4 in the lab, so we'll be upgrading promptly. But we were having issues with our 4.4 peers keeping sessions open to each other. This was resolved with r1.13 of bgpd/timer.c. I'm curious though whether this will make it into the 4.4 errata as a reliability fix? it is in 4.4-stable -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
A website for your property, for misc at openbsd.org
Hello, Selling or renting a property is not easy and can quickly become very expensive in classified ads that stay visible for only one or two weeks before you have to pay again. But how do you stand out from the mass of ads of 4 or 5 lines and one or two small photos? How can your buyer or tenant know that you are offering a property if they did not read the paper at the moment you placed your ad? The answer to all these questions is simple: practically everyone looking to buy or rent a property consults the internet. And all of them necessarily go through google, yahoo or msn. But for that, you need a website, with a real web address, to get listed on the search engines. That is why ymmoo offers you automatic website creation software specially designed for real estate, for only 49 euro. With ymmoo you can create your site, fully describe your property, adding all the photos you want, room by room, without limit. It is very easy, no specific computer knowledge is required, the entire technical part is done automatically, you just click the "+ create your site" button and your site is online at the internet address you chose. Then you can list your real website on the search engines. Listing on the internet is free, has no time limit and is the only real guarantee of effectiveness. With the software we provide you with the 400 most important search engines and directories in France on which you can submit the link to your site for free: including, of course, google, yahoo and msn. Find the full description of our software at www.ymmoo.com .
Pierre Mensat PS: to stop receiving information from us, click on http://www.emailing-box.info/scripts/desincrire.php?client =misc*openbsd.orgsourcemail=abfdkjhf2585
Re: IP aliases: how many in one server with OpenBSD 4.4? Is it possible to change the limit?
On Wed, Mar 11, 2009 at 08:54:42PM +0100, Henning Brauer wrote: * Alvaro Mantilla Gimenez alv...@dydnetworks.com [2009-02-19 02:52]: Anyways, the question is still valid: how many IP aliases we can reach in an OpenBSD system? which is the limit? in theory, there is none but memory. in practice, it is a simple linked list, so things get slower at some point. Also check the lo(4) link1 flag for mass IP aliases. Note: currently works only with IPv4 (but I have a diff somewhere for the v6 case). -- :wq Claudio
Re: Cardbus stops working after repeated card insertions
As a note, this is running on a Thinkpad X31.
compaq sun drive caddies / sleds / trays for developers
Hello developers... I have several SCSI drive carriers/trays/caddys/caddies/sleds (whatever else you'd like to call 'em) I'd like to offer up for any developer who wants 'em for the bargain price of free if anyone has a need for such creatures. There are: 6 x 104663-001 80-pin SCSI Compaq sleds/trays 9 x Sun 80-pin SCSI sleds/trays for the SPARCstation 5 (and similar) If anyone is interested, please let me know, and I'll get them out the door to you (postage paid) asap. Kevin
Setting up a bidirectional (1:1) firewall
In my small company, we already have a SonicWALL firewall that handles all the workstation traffic to the Internet. We have a block of public IP addresses, but the SonicWALL only allows us to make use of two of them. I am trying to set up an OpenBSD machine as a firewall for the rest of the IP addresses. I have the machine set up so that it has two NICs. The external NIC has all the IP addresses we want to use right now aliased to it. The only question now is how to set up the firewall for the 1:1 mapping. I tried to put something together but it simply does not work, and I am clueless as to why. Any suggestions are very helpful. Here is what I have tried:

#$OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=dc0
int_if=xl0
tcp_services={22, 113}
icmp_types=echoreq
ccdemo_ext = xxx.xxx.xxx.214
ccdemo_int = 172.16.2.10

###set skip on lo
scrub in all

#nat on $ext_if from !($ext_if) -> ($ext_if:0)
binat on $ext_if from $ccdemo_int to any -> $ccdemo_ext

block in
pass out keep state

antispoof quick for { lo $int_if }

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
#pass in quick on $ext_if proto tcp from any to $ccdemo_int port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $ccdemo_int
pass in quick on $int_if
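The 1:1 mapping asked about above, written out as an added example (this is not the poster's ruleset and not from the PF FAQ). It keeps the poster's interface names and the internal address 172.16.2.10; the public address 203.0.113.214, the port list and the internal network are placeholders chosen for the example. The point it makes is the one the poster's other question thread circles around: translation runs before filtering, so the inbound rule on the external interface must match the internal address that the binat has already substituted, and it should only open the services the host actually serves.

```pf
# Added example: a minimal 1:1 (binat) mapping for one internal host.
# Assumed names: dc0 external, xl0 internal, 203.0.113.214 is a placeholder
# public address (the real one must be aliased on dc0 or routed to this box
# so that ARP for it is answered). net.inet.ip.forwarding=1 is required.
ext_if = "dc0"
int_if = "xl0"
ccdemo_ext = "203.0.113.214"
ccdemo_int = "172.16.2.10"
ccdemo_ports = "{ 80, 443 }"

scrub in all

# binat is bidirectional: inbound packets for $ccdemo_ext are rewritten to
# $ccdemo_int before any filter rule sees them, and outbound packets from
# $ccdemo_int leave with $ccdemo_ext as their source.
binat on $ext_if from $ccdemo_int to any -> $ccdemo_ext

# Default deny inbound, allow and track outbound.
block in log
pass out keep state

antispoof quick for { lo $int_if }

# Translation already happened, so match the internal (translated) address.
# Only the services this host is meant to expose are opened.
pass in on $ext_if inet proto tcp from any to $ccdemo_int \
    port $ccdemo_ports flags S/SA keep state

# The internal network (the mapped host included) may initiate outbound.
pass in on $int_if from $int_if:network to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; after `pfctl -f /etc/pf.conf`, `pfctl -sn` shows the loaded binat rule and `pfctl -ss` shows the states created by an inbound connection, which should list the internal address as the destination.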
Re: Quick question about a PF user's guide example
Note that only the pf.conf directives that apply directly to the above policy are present; nat, rdr, options, etc., are not shown.

Yeah, I noticed that too =) But I don't know if that setup would work without NAT enabled. But then, I'm no network expert...

Bear in mind that while a queue is applied to the egress interface, the classification of that traffic may take place on another interface. So you could do something more like this: pass from 192.168.0.5 to ! mynet keep state queue traffic1_ext

I considered trying that, but I think that queueing only the egress interface wouldn't solve my problem. Since my link to the internet is an ADSL line, 1Mb downstream and 512Kb upstream, I think that the only sane way to queue both up and down bandwidth would be to set up altq on the egress interface (for queueing uploads) and another altq on the internal interface (for queueing downloads). The big problem here is that I have _three_ internal interfaces that must share the internet link. I considered setting a hard limit on each internal interface (33% each), but that can't be, since I need them to borrow available bandwidth and have different priorities on downloading via the external interface. Does anyone have any ideas on how to accomplish such a setup? Leonardo Rodrigues
Re: 4.4 on ESXi 3.5 (was: vic(4) on amd64)
2009/3/12 dt...@drizzle.com: I discovered a severe performance problem, wherein an OpenBSD guest would run fine for some period of hours, and then become horribly bogged down during disk operations, to the point of unusability. This was true even when the guest was nearly idle and the VM host had abundant uncommitted resources, and was equally true on 32 bit and 64 bit OpenBSD guests. This was a showstopper, but the problem appears to have been resolved by lying to the hypervisor. Since I told it that the guest was Red Hat Enterprise Linux 64 bit, instead of Other 64 bit, the problem has so far not recurred. Thanks David, I came across this problem a few days ago and have yet to get back looking at it. So I'm glad for this tip! Shane
Re: PF Seems To Reload Its Default Rules Unexpectedly
It happened again... 2009/3/9 J.C. Roberts list-...@designtools.org: As for whether or not the assigned IP address you get from your ISP via DHCP will become a problem really depends on the netmask and default route they give you along with the IP. If your internal network is 192.168.151.* And your ISP gives you 192.168.1.* with a netmask of 255.255.0.0 then you're officially hosed. The provided netmask means your internal network is *within* the range of your external network. bad juju! That netmask would give you the range 192.168.0.0 - 192.168.255.255 on your external interface, and hence, overlapping your internal network.

The netmask is 192.168.1.255 so I should be okay there.

When using Point to Point Protocol (PPP, PPPoE, and similar), it can get far more confusing. Take a look at the following:

No PPP or PPPoE, just simple DHCP.

None the less, the safest thing you can do is use an obtuse private network range for your internal LAN.

I guess it would be a good idea to do that then anyway.

If I was able to 'keep state' every time I 'pass out' drinking would be far more enjoyable. Though I can't do it, pf can, and does it by default, but it seems I've digressed. Additionally, you need to be very careful when using the quick keyword since it intentionally short circuits your rule evaluation.

ext_if = sk0
int_if = sk1
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in log
pass out
antispoof quick for { lo $int_if }
pass quick on $int_if no state

On the last line, you do not necessarily need the 'no state' (but it eliminates collecting pointless state entries) and you don't need the 'quick' since it's the last rule evaluated (but you might follow this with other rules).

I'll see if simplifying the rules helps.
If during a DHCP (re)assignment the DHCP server sends an ICMP Echo Request packet (Type 8), and you're blocking the packet but due to your block-policy replying with ICMP Destination Unreachable packet (Type 3), strange things might occur. The problem is definitely with DHCP assigning a new IP address. I checked and (as everybody here was already expecting) pf is still using the same rules as before. So apparently using ($ext_if) isn't working properly. I need to reload pf.conf for the firewall to work again. I'll see if changing the return policy makes any difference. Cheers, Hilco
Re: OpenSSH release CDS
Well, I think it is not a bad idea; purchasing superb remote administration software on a CD for 25 USD or whatever sounds easy to sell, though I think it's true, it will be a lot of work and trouble to get those CDs and packaging artwork and everything in low enough quantities, and then turn it over fast enough. Maybe, though, a custom-built, cheap enough USB stick which gets loaded with the newest stable version could be sent out together with some stickers or so. Who knows, just a thought to get more money to the project. On Wed, Mar 11, 2009 at 10:07:21AM -0400, Kevin Wilcox wrote: 2009/3/11 patric conant mirage.comput...@gmail.com: I've repeatedly been in a position where we weren't making direct use of OpenBSD, but were using OpenSSH, and if there were a recurring cost associated with it (like purchasing a semi-annual CD) it would have been relatively painless to get a rubber stamp approval of such a cost, whereas purchasing an OS we weren't using would've been a much more difficult sell. Since there is already regular ssh art, (that could be used for the next several releases), how much further effort/money would it take to release OpenSSH on CD? Also, of the people on misc@, how many would think they'd have an easier time convincing bosses/clients/others to buy a single CD for say $25 than they would getting an OS purchased. Just a thought, for these trying economic times and whatnot. I can't speak for the devs, Theo, @misc or anyone except myself and my personal experiences with having a custom CD created but I'd bet my experiences aren't too different from what Theo and the core team have to deal with. When we looked into it for something else, we had to order a set number before anyone would even agree to print/press/package. All of that gets paid out of pocket with the hopes that you can move the product.
If it doesn't sell in a reasonable time then it has suddenly become outdated and an unnecessary waste if your sales do not cover at least the physical costs and the man-hours of effort put into it. Colour me skeptical or pessimistic but I'd wager it's Just Not Worth It to package/print/sell OpenSSH discs. You can always donate to the project, though. Methods of payment are available at http://www.openssh.org/donations.html http://openbsd.org/donations.html kmw -- Far better is it to dare mighty things, to win glorious triumphs, even if chequered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the grey twilight that knows not victory or defeat.