Calomel.org

2009-05-06 Thread James Peltier
There was mention of calomel.org recently.  This is a great resource, however,
it needs to be a bit more updated.  For example the following page advises
*not* to use the GENERIC.MP kernel, however, considering how much work has
gone into the MP work and fact that MP will become default I think it should
be updated. ;)

https://calomel.org/network_performance.html

---
James A.
Peltier james_a_pelt...@yahoo.ca



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Johan Fredin

On 09-05-07 05.00, J.C. Roberts wrote:

If anyone here mistakenly thinks they can actually run *ANALYSIS* at
these speeds with off the shelf components...

BAWAHAHAHAHAHAHAHA!


Well, depends on what you mean by off the shelf. Procera Networks is 
doing layer 7 analysis at 40Gbps FD with their PacketLogic PL10k. The 
hardware used for this is sourced from companies that anyone can buy 
hardware from, as far as I know.


Of course it's not x86 stuff, but it's off the shelf. :)

/Johan



Re: XTerm resizing and 4.5

2009-05-06 Thread Matthieu Herrb
On Thu, May 7, 2009 at 12:31 AM, Hugo Villeneuve
harpa...@jwales.eintr.net wrote:
 Somehow, while upgrading from 4.4 to 4.5 on i386, I lost the ability
 to resize an XTerm via the command resize -s rows cols.

 It's not the end of the world and for now I just changed XTerm
 default geometry to 132x48.

 I'm not sure where I should look to bring that behavior back.

see the allowWindowOps resource in the xterm(1) manual page.
It is now disabled by default on OpenBSD.

-- 
Matthieu Herrb



Re: ypldap and ldaps

2009-05-06 Thread Pierre-Yves Ritschard
On Wed, 6 May 2009 18:51:45 +0300
Vasiliy Kiryanov vasiliy.kirya...@gmail.com wrote:

 Hello community.
 
 I would want to use ypldap with our ldap server that work over ssl.
 The problem is how to change ypldap.conf to work with ldaps.
 
 I will appreciate any ideas.
 
 thanks.
 
Hi,

There is no ldaps support in ypldap so far, the only viable way of
doing it is replicating with slurp and binding to a local ldap server
without SSL, we will make ldaps support available at some point.



Re: how to configure Grub 0.97 for booting my OpenBSD 4.5

2009-05-06 Thread Bryan
You should try GAG, I use it to dual-boot a windows/openbsd box. It
will allow for installation of several OSes...

http://gag.sourceforge.net/

On Wed, May 6, 2009 at 19:37, Nick Holland n...@holland-consulting.net
wrote:
 Feifei (7I7I) wrote:
 Hi, guys,

 I just installed OpenBSD 4.5, but my grub configuration can't boot it.
 Before that, I used OpenBSD 4.2; this is a new installation, not an upgrade.
 ...
 It works well with OpenBSD 4.2,

 But, if I use it to boot 4.5, I only get an error:
 Starting up ...
 Loading ...
 ERR M

 man biosboot
 will tell you what the error means.
 http://www.openbsd.org/faq/faq14.html will show you how
 the boot process works. I'm going to assume you read that
 before I expect you to understand this:

 short version: the PBR read something, but it wasn't /boot.

 I'm not a grub expert, but obviously the PBR you are running
 isn't the one that OpenBSD put into place. Some boot loaders
 do silly things like store a copy of the real PBR somewhere
 they think is cool, and when you reinstall the OS, the stored
 PBR doesn't get replaced when the real one is. So now you have
 the old PBR reading ...something other than /boot

 If you replace your grub boot loader with a normal MBR and flag
 the OpenBSD partition as active, I bet the system will boot just
 fine.

 Alternatively, do whatever voodoo you need to do to tell grub
 there is a new PBR for it to use.

 Nick.



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread J.C. Roberts
On Thu, 07 May 2009 06:10:30 +0200 Johan Fredin jo...@spelaroll.se
wrote:

 On 09-05-07 05.00, J.C. Roberts wrote:
  If anyone here mistakenly thinks they can actually run *ANALYSIS* at
  these speeds with off the shelf components...
  
  BAWAHAHAHAHAHAHAHA!
 
 Well, depends on what you mean by off the shelf. Procera Networks
 is doing layer 7 analysis at 40Gbps FD with their PacketLogic PL10k.
 The hardware used for this is sourced from companies that anyone can
 buy hardware from, as far as I know.
 
 Of course it's not x86 stuff, but it's off the shelf. :)
 
 /Johan

It always comes down to how high up on the wall is the shelf that you
can afford. ;-)

-- 
J.C. Roberts



Problem with pf/nat (bug?) and aliases in internal interface

2009-05-06 Thread Cristiano Deana

Scenario:

int_if with two ip addresses in two different LANs (192.168.20.254,
192.168.21.254).
more aliases on the external interface

nat rules: every 10 internal IPs use one external address for the NAT.

everything works fine, except for the second internal ip address. IPs
from 192.168.21.0/24 are natted with the rules of net 192.168.20.0/24

machines from the internal LAN use .20.254 or .21.254 as a gateway.
p.s.
both of them work, but the second one uses the wrong NAT.

# uname -mprs
OpenBSD 4.4 amd64 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz

# pfctl -vsr
pass in log quick on bnx1 inet from 192.168.20.0/24 to any flags S/SA keep state
  [ Evaluations: 61921     Packets: 370618    Bytes: 216808002   States: 4230  ]
  [ Inserted: uid 0 pid 12418 State Creations: 23774 ]
pass in log quick on bnx1 inet from 192.168.21.0/24 to any flags S/SA keep state
  [ Evaluations: 628       Packets: 13136     Bytes: 10432453    States: 117   ]
  [ Inserted: uid 0 pid 12418 State Creations: 202   ]

# pfctl -vvsn | grep -A2 -e '@0' -e '@24' -e '@25'
@0 nat on bnx0 inet from 192.168.20.1 - 192.168.20.10 to any -> xxx.xxx.xxx.1
  [ Evaluations: 34016     Packets: 57999     Bytes: 23576755    States: 803   ]
  [ Inserted: uid 0 pid 12418 State Creations: 5402  ]
@24 nat on bnx0 inet from 192.168.20.241 - 192.168.20.254 to any -> xxx.xxx.xxx.25
  [ Evaluations: 1079      Packets: 3353      Bytes: 1489982     States: 79    ]
  [ Inserted: uid 0 pid 12418 State Creations: 179   ]
@25 nat on bnx0 inet from 192.168.21.1 - 192.168.21.10 to any -> xxx.xxx.xxx.26
  [ Evaluations: 793       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12418 State Creations: 0     ]



--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



Re: internal vs. external microphone: very different signal levels

2009-05-06 Thread Jan Stary
On May 05 22:30:26, Jacob Meuser wrote:
 On Tue, May 05, 2009 at 09:17:52PM +0200, Jan Stary wrote:
  On Apr 25 22:23:21, Jacob Meuser wrote:
   On Sat, Apr 25, 2009 at 01:15:33PM +0200, Jan Stary wrote:
Hi all,

I am doing some trivial sound-recording on my Compaq Armada 110 laptop
(dmesg and mixerctl below). The sound device is

auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x20: irq 9
audio0 at auvia0
   
   for ac97 devices, the codec is also very important.  although the
   AD1881A looks pretty standard.  no jack sense or anything.
   
and it works without problems.

Now, the laptop has an internal microphone - that tiny little hole
you have seen on some laptops. It records fine, set up as

inputs.mic=255
inputs.mic.mute=off
inputs.mic.preamp=on
inputs.mic.source=mic0
record.source=mic

The laptop also has an input for an external mike (the usual small jack,
just next to the headphones output). When you plug in an external mike,
the audio chip is smart enough to record from that one, and no longer
record from the internal mike. (I use Shure SM57 as the external mike,
which I believe is irrelevant.) Recording with the external mike plugged
in works fine too, EXCEPT the signal level from the external mike is
much weaker, and I wonder why.
   
   maybe there is a separate preamp on the internal mic pin?
  
  Well, both mikes do respond to setting
  
  inputs.mic.preamp=off/on
  
  so I suppose either each has its own preamp,
  or there is just one mic preamp, pre-amping
  the one mike (int/ext) that is currently in use.
 
 yes, there is one preamp on the mic pin in the codec.
 
 but, there could be *external to the codec* preamp circuitry between
 the built-in mic and the codec.  the codec's datasheet explains how
 to do this.

   does changing inputs.mic.source have any effect?
  
  inputs.mic.source=mic0 is set by default and behaves as described.
  inputs.mic.source=mic1 is accepted and results in silence being recorded.
 
 then there is probably jack sense circuitry (again, external to the
 codec), that switches which mic is connected to the mic pin on the
 codec.

That explains it to me, thanks.
Recording works, I just wanted to understand this difference.

Jan



Re: RES: Migration from IPTABLES to PF

2009-05-06 Thread William Chivers
Tomáš,

thanks for the tip
Bill

-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259
Australia
CRICOS Provider Number: 00109J 

phone:   +61 2 4349 4473
fax: +61 2 4349 4565
email:  william.chiv...@newcastle.edu.au
-
 Tomáš Bodňár tomas.bod...@gmail.com 05/06/09 3:41 PM 
I think that in the case of pf a good starting point is this site
http://home.nuug.no/~peter/pf/ and then the FAQ parts

2009/5/5 William Chivers william.chiv...@newcastle.edu.au:
 Hello Ricardo,

 This is not a beginners' mailing list, people here expect questions to
 1. be very specific, and
 2. demonstrate that you have spent a lot of time trying to solve the
problem yourself, reading the documentation etc.

 Start with http://www.openbsd.org/faq/pf/index.html
 If you still need help, there are several books on pf, for example
The Book of PF (http://nostarch.com/pf.htm).

 Look back through the misc mailing list to see how specific questions
about pf are. When you have a specific question, the best help available
is right here.

 Bill

 -
 William J. Chivers
 Lecturer in Information Technology
 School of DCIT
 Faculty of Science and Information Technology
 University of Newcastle---Ourimbah Campus
 PO Box 127, Ourimbah, NSW 2259
 Australia
 CRICOS Provider Number: 00109J

 phone:   +61 2 4349 4473
 fax: +61 2 4349 4565
 email:  william.chiv...@newcastle.edu.au
 -
 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/06/09 5:08 AM 
 Thanks for this 'polite' reply.
 As I said, I spent some years away from the Unix/Linux world;
 I worked with business intelligence in those years.
 Now I am back to network administration and I got this project to do.
 I used OpenBSD before version 3. I do like it.

 This is my current scenario:
 - 2 firewalls with 2 carp+pfsync that will handle 2 internet connections, 1
 mpls connection, 1 LAN to handle around 60 bus companies that transport 2
 million users per day; each user has their own myfair card. Each bus has a
 system that stores this data in a file. These files will be imported to Oracle
 later. After this import, there are a lot of specific applications that use
 this information.
 - behind these 2 firewalls we have around 30 servers (most Windows): iis,
 file transfer servers, ws, and some other servers like some Red Hat Enterprise
 running Oracle 10g.
 - at the beginning the firewalls will do NAT + filter + gateway + mpd5+squid
 (the fucking operators who need access to the Windows servers were surfing the
 web from there.)
 - our applications have around 5,000 users per day, but we have a lot of web
 services and some ETL processes (I don't have statistics about volume yet)

 So that is it.


 -----Original Message-----
 From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
 Sent: Monday, May 4, 2009 22:46
 To: Ricardo Augusto de Souza; misc@openbsd.org
 Subject: Re: Migration from IPTABLES to PF

 This is a great advertisement for OpenBSD, PF, and keeping things simple in
 general, mind if I use it Ricardo?

 As for your original question, I wouldn't even try to convert your iptables,
 especially using some magic tool to do it. Decide what you want your firewall
 to do and start from scratch with PF. That way you will know it is working and
 you will be able to maintain it reliably.

 Cheers, Bill


 -
 William J. Chivers
 Lecturer in Information Technology
 School of DCIT
 Faculty of Science and Information Technology
 University of Newcastle---Ourimbah Campus
 PO Box 127, Ourimbah, NSW 2259
 Australia
 CRICO email:  william.chiv...@newcastle.edu.au
 -
 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17 AM

 Hi,

 I have a firewall running on Fedora Core 4 (Stentz) with iptables. The guy
 who installed it left our company some months ago.
 I spent some years far from iptables; now I have to migrate this firewall to
 PF.
 There are some 'special' features on this firewall; I need some documentation
 or help about implementing these features on the new firewall (PF).

 This is the iptables script:

 #!/bin/bash
 FW=/sbin/iptables
 LOAD=/sbin/modprobe

#__

 # Load the IPTABLES modules
 . /etc/rc.d/init.d/prodata/fw_modulos

 # Load the variables
 . /etc/rc.d/init.d/prodata/fw_variaveis

 if [ "$KERNEL" = sim ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
 fi


#___
 # Create the LOG policies

#___

 if [ "$LOGS" = sim ]
   then . 

X won't work

2009-05-06 Thread x x
it's an old Intel video on Inspiron from 2003. I already uncommented
machdep.allowaperture=2, and when I type startx I get

xauth: creating new authority file /root/.serverauth.24871

X.Org X Server 1.5.3
Release Date: 5 November 2008
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 4.5 i386
Current Operating System: OpenBSD lengsel.vc.shawcable.net 4.5 GENERIC#0
i386
Build Date: 05 May 2009 03:10:16PM

Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: /var/log/Xorg.0.log, Time: Tue May 5 18:00:43 2009
(EE) Unable to locate/open config file
New driver is intel
(==) Using default built-in configuration (30 lines)
(EE) Failed to load module fbdev (module does not exist, 0)
Error in I830WaitLpRing(), timeout for 2 seconds
pgetbl_ctl: 0x1ffe0001 getbl_err: 0x0021
ipeir: 0x iphdr: 0x54f6
LP ring tail: 0x9fe0 head: 0xa000 len: 0x0001f001 start
0x
eir: 0x esr: 0x0010 emr: 0xff7b
instdone: 0xff41 instpm: 0x
memmode: 0x instps: 0x0820
hwstam: 0xeffe ier: 0x0042 imr: 0xffbf iir: 0x
Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count 32760
Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count 32760
Ring end
space: 24 wanted 32

Fatal server error:
lockup

giving up.
xinit: Connection refused (errno 61): unable to connect to X server
xinit: No such process (errno 3): Server error.



Re: No OpenBSD for Lenovo Thinkpad w500 4058CTO

2009-05-06 Thread Bill Maas
Hi Nick,

On Tue, 2009-05-05 at 09:48 -0400, Nick Guenther wrote:
 Your disks aren't showing up in dmesg. Try tweaking your BIOS
 settings--I know that I had to change from IDE emulation to AHCI when
 I upgraded to 4.5.

That did the trick. Thanks. I'm hoping to replace my current GNOME
desktop with an OpenBSD-based one, so I can keep more in touch with this
excellent little system;).

Bill

 On 05/05/2009, Bill Maas b...@stsx.org wrote:
  Hi,
 
  First, and just for the record: while trying to set up an FTP server on
  OpenBSD 4.2 I got this error message while trying to connect by any
  other address than 'localhost':
 
  421 Service not available, remote server has closed connection.
 
  Reason, it turned out: a missing entry in /etc/hosts.allow. I had a hard
  time finding anything relevant out there, so now at least the relation
  between the error message and the missing entry is documented.
 
 
  The reason I needed an FTP server is that I'm trying to install OpenBSD
  4.5 on a Lenovo Thinkpad W500 model 4058-CTO, with no success. With obsd
  4.4 it never got past hardware initialization, with 4.5 at least I get
   the installer menu, but not for long:
 
  [...]
  Proceed with install? [n] y
  [...]
 
  No disks found
  #
 
  And no, I don't expect developers to _scramble to their laptops_ just
  because I as an OpenBSD user am _entitled to have this fixed ASAP_ and
  stuff like that. I was at least happy to see that the Fathers of OpenBSD
  in their infinite wisdom decided to use plain ftp for downloading
  packages, and not some custom-built single-purpose
  binary-installer-builtin, so I could at least get a dmesg off the box (I
  didn't manage to get a screen capture over USB).
 
  The output from the 'dmesg' command run from the shell commandline is
  listed below. I'm only an index list member, but feel free to contact
  me offlist if you need more info. I'll be happy to help testing any
  updates. And I'll be following any replies through the archives of
  course.
 
  An otherwise very happy OpenBSD user,
 
 
  Bill
 
 
  dmesg:
  --

Re: 4.5 - strange performance issue

2009-05-06 Thread Andrei GUDIU
 Try to enable EXA and play with Option MigrationHeuristic greedy


I can confirm this solved my X problem. And it was really really a slow X.
I added

Option AccelMethod EXA
Option MigrationHeuristic greedy

in Section Device.



Re: 4.5 - strange performance issue

2009-05-06 Thread The Wraith
I can confirm the problem, but it was not an X problem only...everything was
slow.
The problem was that my interrupts were up to 82.9%. Disabled acpiprt and
acpimadt in the kernel and it all works ok.

On Wed, May 6, 2009 at 11:35 AM, Andrei GUDIU andr...@openbsd-box.orgwrote:

  Try to enable EXA and play with Option MigrationHeuristic greedy
 

 I can confirm this solved my X problem. And it was really really a slow X.
 I added

Option AccelMethod EXA
Option MigrationHeuristic greedy

 in Section Device.



Re: A new toy for programmers who uses VIM on OpenBSD

2009-05-06 Thread Stuart Henderson
(cc/reply-to set to ports@).

useful :-) would you be interested in adding some kind of license
(we like /usr/share/misc/license.template, but it's your choice)?
then it could go into ports/packages.



On 2009/05/06 09:01, Dasn wrote:
 Hi guys, I wrote a toy which builds communications between VIM and
 debuggers. The tool's main function is tracing the instruction pointer
 in VIM while we are debugging the program. That should be similar to Emacs's
 Gud, I suppose. :)
 
 Here it is:
 http://lrc.sf.net/bride-0.1.1.tar.gz
 
 And some screen shots:
 http://lrc.sf.net/shot1.jpg
 http://lrc.sf.net/shot2.jpg
 
 make && make install will do all the jobs for you.
 For more info, see :h Bride in VIM.
 
 As the development just begins, it currently only supports two
 debuggers: 'gdb' and 'pdb' (python's debugger), and was only tested on
 OpenBSD.
 
 Any comments are appreciated.
 
 I'm not on misc@, please Cc me, thanks.
 
 -- 
 Dasn



Re: route(8) delete - need a little help

2009-05-06 Thread LEVAI Daniel
On Tuesday 05 May 2009 20.23.06 Claudio Jeker wrote:
 On Tue, May 05, 2009 at 01:27:21PM +0200, LEVAI Daniel wrote:
  Hi!
 
  I have this in my route table:
   10/8               link#1             UC          5        0     -     4 em0
   10/8               gw_ip              UGS         0     1072     -     8 tun1
 
  How can I delete only the first line, the route with the em0 device?
  So far I can only execute this:
  # route delete 10/8
 
   But this is too ambiguous.
 
  I thought of something like this:
  # route delete 10/8 -dev em0
   but of course this is not going to happen.
 You've assigned an address on 10/8 to em0.  Delete that address from
 the interface if you don't want to have that route.  (If you're trying
 to have 10/8 on both ends of a tunnel then you need to back up and
 rethink what you're trying to do.)

[...]

 ifconfig em0 delete

  because this is an interface route and not deletable by route(8)
 unless you know the magic and the consequences.

Thanks Claudio and Philip. Now I see.

Daniel

--
LÉVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: HD 'Analysis'

2009-05-06 Thread Steve Shockley

On 5/5/2009 12:50 PM, Josi Quinteiro wrote:

First thing I do with a new hard drive is run a long self-test using
smartctl. If it passes it gets added to the system. I have smartd set to
do a daily short self-test and a weekly long self-test on every drive.
Replace any drives that start to show errors.


The self-tests take the drive offline while they run, right?  Do you 
unmount them first, or is the system okay just waiting until the drive 
responds?




Re: HD 'Analysis'

2009-05-06 Thread Steve Shockley

On 5/5/2009 11:49 AM, L. V. Lammert wrote:

Some good options, .. seems like all are DOS, however <g>!! I guess
that's no big deal if you're rebooting for the analysis, but it does not
seem 'right'!


No, they have a Windows version of Victoria! <g>  Personally, I use 
these kinds of utilities to see if a drive is worth saving, when I can 
do destructive tests.  For example I recovered a 250GB disk from an 
XServe RAID that I use as a second drive in my work desktop.  SMART 
reports 300 reallocation events, but no matter what I do that doesn't 
increase.  I use it for temporary storage for easy-to-replace data.




Re: X won't work

2009-05-06 Thread BOG BOG
Maybe this is not the case but it might be possible to have many instances of the 
server ending with the same error.

Try killing all instances, and then try again.

If there are many instances, trying to start another one merely fails because 
there already exists /tmp/.X0-lock

From the bottom of the error message it seems it is a lock problem.

And then again maybe this is not the case.

--- On Wed, 5/6/09, x x tonino-pa...@lycos.com wrote:

 From: x x tonino-pa...@lycos.com
 Subject: X won't work
 To: misc@openbsd.org
 Date: Wednesday, May 6, 2009, 1:06 AM
 it's an old Intel video on Inspiron from 2003. I already
 uncommented
 machdep.allowaperture=2, and when I type startx I get
 
 xauth: creating new authority file /root/.serverauth.24871
 
 X.Org X Server 1.5.3
 Release Date: 5 November 2008
 X Protocol Version 11, Revision 0
 Build Operating System: OpenBSD 4.5 i386
 Current Operating System: OpenBSD lengsel.vc.shawcable.net
 4.5 GENERIC#0
 i386
 Build Date: 05 May 2009 03:10:16PM
 
 Before reporting problems, check http://wiki.x.org
 to make sure that you have the latest version.
 Markers: (--) probed, (**) from config file, (==) default
 setting,
 (++) from command line, (!!) notice, (II) informational,
 (WW) warning, (EE) error, (NI) not implemented, (??)
 unknown.
 (==) Log file: /var/log/Xorg.0.log, Time: Tue
 May 5 18:00:43 2009
 (EE) Unable to locate/open config file
 New driver is intel
 (==) Using default built-in configuration (30 lines)
 (EE) Failed to load module fbdev (module does
 not exist, 0)
 Error in I830WaitLpRing(), timeout for 2 seconds
 pgetbl_ctl: 0x1ffe0001 getbl_err: 0x0021
 ipeir: 0x iphdr: 0x54f6
 LP ring tail: 0x9fe0 head: 0xa000 len: 0x0001f001
 start
 0x
 eir: 0x esr: 0x0010 emr: 0xff7b
 instdone: 0xff41 instpm: 0x
 memmode: 0x instps: 0x0820
 hwstam: 0xeffe ier: 0x0042 imr: 0xffbf iir: 0x
 Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count
 32760
 Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count
 32760
 Ring end
 space: 24 wanted 32
 
 Fatal server error:
 lockup
 
 giving up.
 xinit: Connection refused (errno 61): unable to connect to
 X server
 xinit: No such process (errno 3): Server error.



OT: 10GbE Physical Network Taps

2009-05-06 Thread J.C. Roberts
I need to collect raw throughput statistics without increasing latency
or reducing bandwidth on 10GbE fiber links, so most of the typical
methods are out of the question (i.e. like bridging, SPAN sessions on a
switch, ...). As far as my understanding allows, I believe the best way
to do this is with a physical network tap connected to monitoring
equipment. I figure folks running/maintaining OpenBSD firewalls might
be familiar with using physical network taps for deploying IDS/IPS since
using bridges on such systems is a Bad Idea (R)(TM).

I've found one company [1] which offers what I need, but I was wondering
if anyone can recommend a vendor of physical network taps?

Thanks,
jcr


[1] http://www.networktaps.com/products/index.html

-- 
J.C. Roberts



Re: X won't work

2009-05-06 Thread J.C. Roberts
On Wed, 06 May 2009 04:06:42 -0400 (EDT) x x tonino-pa...@lycos.com
wrote:

 it's an old Intel video on Inspiron from 2003. I already uncommented
 machdep.allowaperture=2, and when I type startx I get

easy answer: Search the archives


easier answer:

xorg.conf DEVICE section

Option AccelMethod XAA
Option  DDC2 false



-- 
J.C. Roberts



Re: no init scripts, what is the best way to start dnsmasq

2009-05-06 Thread Alexander Hall
Mark Shroyer wrote:
 On Tue, May 05, 2009 at 02:11:57PM +0200, Coert Waagmeester wrote:
 I have installed dnsmasq on OpenBSD.

 What is the best way to start it? Should I start it
 from /etc/rc.securelevel, or rc.local?

 It's best not to think of this in terms of SysV-style init scripts.  In
 OpenBSD, shell commands in /etc/rc.local get run at boot time, so all
 you have to do is put some command in there to launch dnsmasq in any
 fashion that you see fit.  So it would suffice to simply add a line with
 /usr/local/sbin/dnsmasq; however, for consistency with the way things
 are launched in /etc/rc, I generally do something like the following:
 
 ,--- /etc/rc.local ---
 if [ X${dnsmasq_flags-NO} != XNO -a -x /usr/local/sbin/dnsmasq ]; then
^^^

Ooh, how lovely to see someone else doing this! :-)

For the archives - if used consistently, this way makes it amazingly
easy to start only certain services via /etc/rc.local; e.g.

$ sudo dnsmasq_flags= sh /etc/rc.local

while

$ sudo sh /etc/rc.local

would not start anything

(well, unless you have stupid names for the variables in your /etc/rc
that match exported variables from the shell and sudo is set up to pass
these on. That should not be the case very often)

/Alexander

 echo -n ' dnsmasq'; /usr/local/sbin/dnsmasq ${dnsmasq_flags}
 fi
 `-
 
 ,--- /etc/rc.conf.local --
 dnsmasq_flags=
 `-
 
 This way, if you want to temporarily disable dnsmasq, you can simply
 remove the line in rc.conf.local or change it to dnsmasq_flags=NO.
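An added example (mine, not code from the thread or from OpenBSD's /etc/rc) that turns the rc.local stanza above into shell functions so the "unset means NO, empty means start" rule can be exercised; the service names and the fake daemon path in the test are assumed, and it adds the one check the eval needs, that NAME is a plain identifier.

```shell
#!/bin/sh
# Added example, not code from the thread: the rc.conf.local / rc.local
# idiom discussed above, factored into functions so it can be exercised.
#
# Convention borrowed from /etc/rc: a service NAME is started only when
# NAME_flags is set to something other than "NO". An unset variable counts
# as NO, which is why "sudo sh /etc/rc.local" starts nothing while
# "sudo dnsmasq_flags= sh /etc/rc.local" starts just dnsmasq.

# valid_name NAME
# True when NAME is a plain shell identifier. The functions below build a
# variable name from NAME and feed it to eval, so anything else is refused.
valid_name() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# should_start NAME
# True (exit 0) when ${NAME}_flags is set and is not "NO".
should_start() {
    _name=$1
    valid_name "$_name" || { echo "bad service name: $_name" >&2; return 1; }
    # Indirect expansion of ${NAME}_flags, defaulting to NO when unset.
    # The leading X keeps an empty or dash-prefixed value from confusing
    # test(1), exactly as the rc.local stanza above does.
    eval "_flags=\${${_name}_flags-NO}"
    [ "X${_flags}" != "XNO" ]
}

# start_service NAME PATH
# Mirrors the rc.local stanza: if the service is enabled and PATH is
# executable, print " NAME" and launch PATH with its flags.
# Returns 0 when the daemon was launched, 1 when it was skipped.
start_service() {
    _name=$1
    _path=$2
    if should_start "$_name" && [ -x "$_path" ]; then
        eval "_flags=\${${_name}_flags}"
        printf ' %s' "$_name"
        # Flags are deliberately unquoted so "-C /etc/foo.conf" splits
        # into separate arguments, as in the original stanza.
        "$_path" $_flags
        return 0
    fi
    return 1
}

# Demo with constructed values (no daemon is launched here): only the
# service whose _flags variable is set gets past the check.
unset dnsmasq_flags
example_flags=
if should_start dnsmasq; then echo "dnsmasq: would start"; else echo "dnsmasq: skipped"; fi
if should_start example; then echo "example: would start"; else echo "example: skipped"; fi
```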



Mplayer problem with new dualhead setup

2009-05-06 Thread Chris Bennett
I just installed a Radeon 9700 in dualhead. That is working fine as far 
as I can tell.
I am getting what looks like flashes of diagonal text when playing a 
video in youtube.
Goes away if I leave video screen. Sound is unaffected. Using scrotwm. 
i386, recent -current


Chris Bennett

0xa400 - 0xa40f
0xb000 - 0x
extent `ppb2 pcimem' (0x0 - 0x), flags=0
0x0 - 0xe5ff
0xe700 - 0xe70f
0xe7001000 - 0xe700100f
0xe800 - 0x
tl0 at pci3 dev 0 function 0 Compaq DP Netelligent 10/100TX rev 0x10: 
irq 11 address 00:08:c7:5d:a2:8f

nsphy0 at tl0 phy 1: DP83840 10/100 PHY, rev. 1
ukphy0 at tl0 phy 31: Generic IEEE 802.3u media interface, rev. 5: OUI 
0x100014, model 0x0001
tl1 at pci3 dev 1 function 0 Compaq DP Netelligent 10/100TX rev 0x10: 
irq 12 address 00:08:c7:5d:a2:0f

nsphy1 at tl1 phy 1: DP83840 10/100 PHY, rev. 1
ukphy1 at tl1 phy 31: Generic IEEE 802.3u media interface, rev. 5: OUI 
0x100014, model 0x0001
emu0 at pci2 dev 14 function 0 Creative Labs SoundBlaster Audigy rev 
0x04: irq 9

ac97: codec id 0x83847650 (SigmaTel STAC9750/51)
ac97: codec features headphone, 20 bit DAC, 20 bit ADC, SigmaTel 3D
audio0 at emu0
Creative Labs SoundBlaster Audigy Digital rev 0x04 at pci2 dev 14 
function 1 not configured

Creative Labs Firewire rev 0x04 at pci2 dev 14 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05: 24-bit 
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: ST3200822A
wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
wd1 at pciide0 channel 0 drive 1: Maxtor 90430D3
wd1: 16-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: BENQ, DVD DD DW1640, BSRB ATAPI 5/cdrom 
removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801BA USB rev 0x05: irq 11
uhci1 at pci0 dev 31 function 4 Intel 82801BA USB rev 0x05: irq 11
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 

OpenBGPD transparent-as issue

2009-05-06 Thread Tom Martin
Hi all,

At the moment we are running some tests to use OpenBGPD as a route-server
instead of Quagga. The first tests are very positive, but we are facing one
major problem. We tried our solution on OpenBSD 4.4 as well as under 4.5.
We made one route-server, which means that we remove the private AS to all
the neighbors, and this is not working under OpenBGPD. The route-server can
easily make a connection to a lot of quagga/cisco routers, but when an
OpenBGPD client wants to join we are facing the following error on the
server side:


May  6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4):
received notification: error in UPDATE message, AS-Path unacceptable

At the client side we see a fatal error:

Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state change
Established - Idle, reason: Fatal error

When we use quagga as client the session is doing fine on both sides, even
with community filters. When we are using OpenBGPD we keep facing this
message until we remove the following line: transparent-as yes. Is this a
common problem, or is this a bad configuration of ours?

Configuration route-server:
#macros
ASN=64512
peer1=192.168.113.2
AS1=64513
peer2=192.168.113.3
AS2=64514
peer3=192.168.113.4
AS3=64515
peer4=192.168.113.100
AS4=64516
peer5=192.168.113.101
AS5=65534

# global configuration
router-id 192.168.113.1
AS $ASN
log updates
transparent-as yes

# network 10.0.1.0/24

neighbor $peer1 {
remote-as   $AS1
descr   test.1
announceall
max-prefix  100 restart 300
softreconfigin yes
#   tcp md5sig key  deadbeef
}

neighbor $peer2 {
remote-as   $AS2
descr   test.2
announceall
softreconfigin yes
max-prefix  100 restart 1
}

neighbor $peer3 {
remote-as   $AS3
descr   test.3
announceall
softreconfigin yes
max-prefix  100 restart 300
}

neighbor $peer4 {
remote-as  $AS4
descr   test.4
local-address   192.168.113.1
holdtime180
holdtime min3
announceall
softreconfigin yes
#max-prefix  100 restart 300
}

neighbor $peer5 {
remote-as   $AS5
descr   test.5
announceall
softreconfigin yes
max-prefix  100 restart 300
}



# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24

# Filter the general prefixes
# deny to any community *:*
# allow to any community 64512:64512

# Filter the per-peer prefixes
allow to $peer1 community $ASN:neighbor-as
deny  to $peer1 community 0:neighbor-as
allow to $peer2 community $ASN:neighbor-as
deny  to $peer2 community 0:neighbor-as
allow to $peer3 community $ASN:neighbor-as
deny  to $peer3 community 0:neighbor-as
allow to $peer4 community $ASN:neighbor-as
deny  to $peer4 community 0:neighbor-as

Easy configuration of a client:

AS 64516
router-id 192.168.113.100
# log updates
network 3.3.3.0/24

neighbor 192.168.113.1 {
remote-as   64512
descr   test
local-address   192.168.113.100
holdtime180
holdtime min3
announceall
max-prefix  100 restart 300
softreconfigin yes
}


Thanks in advance!

Tom Martin

-- 
View this message in context: 
http://n2.nabble.com/OpenBGPD-transparent-as-issue-tp2815387p2815387.html
Sent from the OpenBSD Misc mailing list archive at Nabble.com.



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Simen Stavdal
Hello jcr,

Not quite sure if this would meet your needs, but you could look at anue
systems :

http://www.anuesystems.com

Cheers,
Simon.

On Wed May 6 13:33 , J.C. Roberts sent:

  I need to collect raw throughput statistics without increasing latency
  or reducing bandwidth on 10GbE fiber links, so most of the typical
  methods are out of the question (i.e. like bridging, SPAN sessions on a
  switch, ...). As far as my understanding allows, I believe the best way
  to do this is with a physical network tap connected to monitoring
  equipment. I figure folks running/maintaining OpenBSD firewalls might
  be familiar with using physical network taps for deploying IDS/IPS since
  using bridges on such systems is a Bad Idea (R)(TM).

  I've found one company [1] which offers what I need, but I was wondering
  if anyone can recommend a vendor of physical network taps?

  Thanks,
  jcr

  [1] http://www.networktaps.com/products/index.html

  --
  J.C. Roberts




Re: OpenBGPD transparent-as issue

2009-05-06 Thread Henning Brauer
* Tom Martin openb...@lekl.nl [2009-05-06 15:41]:
 May  6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4):
 received notification: error in UPDATE message, AS-Path unacceptable
 
 At the client side we see a fatal error:
 
 Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state change
 Established - Idle, reason: Fatal error
 
 When we use quagga as client the session is doing fine on both sides, even
 with community filters. When we are using OpenBGPD we keep facing this
 message until we are removing the following line: transparent-as yes. Is
 this a comment problem, or is this a bad configuration of us?

bad config on the client side - must use
  enforce neighbor-as no

OpenBGPD enforces that AS paths from a neighbor begin with his AS by
default. If the neighbor is a transparent route-server, that is - of
course - not the case.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam
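As an added example that is not part of the thread, the following Python model shows why the session in Tom's logs failed and why `enforce neighbor-as no` fixes it. The AS numbers are the ones from the posted configuration; the functions are illustrative stand-ins for bgpd's behaviour, not bgpd code.

```python
"""Added example (not from the thread): model of the check behind the
NOTIFICATION 'error in UPDATE message, AS-Path unacceptable'.

bgpd's default 'enforce neighbor-as yes' requires the first AS in a received
AS_PATH to be the neighbor's own AS.  A route-server configured with
'transparent-as yes' relays its clients' paths without prepending its own
AS, so the leading AS the client sees is the originating peer's, not the
route-server's, and the client tears the session down."""

ROUTE_SERVER_AS = 64512   # ASN macro in the route-server config
CLIENT_AS = 64516         # peer4 / test.4, the OpenBGPD client
PEER1_AS = 64513          # AS1, the peer whose route is being relayed


def as_path_from_route_server(origin_path, transparent_as):
    """AS_PATH the route-server sends on.  Transparent mode leaves the
    path untouched; the normal eBGP behaviour prepends the sender's AS."""
    if transparent_as:
        return list(origin_path)
    return [ROUTE_SERVER_AS] + list(origin_path)


def as_path_acceptable(path, neighbor_as, enforce_neighbor_as=True):
    """Receiving side.  With enforcement on (bgpd's default) an UPDATE whose
    AS_PATH does not start with the neighbor's AS is rejected; with
    'enforce neighbor-as no' the leading-AS check is skipped."""
    if not enforce_neighbor_as:
        return True
    return bool(path) and path[0] == neighbor_as


def session_outcome(transparent_as, enforce_neighbor_as):
    """What the OpenBGPD client (AS 64516) does with peer1's route as relayed
    by the route-server (AS 64512), for one combination of the two knobs."""
    path = as_path_from_route_server([PEER1_AS], transparent_as)
    ok = as_path_acceptable(path, ROUTE_SERVER_AS, enforce_neighbor_as)
    return "accepted" if ok else "AS-Path unacceptable"


if __name__ == "__main__":
    print("route-server transparent-as | client enforce neighbor-as | result")
    for transparent in (True, False):
        for enforce in (True, False):
            print(f"{str(transparent):27} | {str(enforce):26} | "
                  f"{session_outcome(transparent, enforce)}")
```

The failing combination in the thread is the first row: transparent-as on the server, enforcement left at its default on the client.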



Re: OpenBGPD transparent-as issue

2009-05-06 Thread Tom Martin
Thnx for your fast reply.
It works very well and saved us a lot of configuration time! By the way, do
you know why this isn't necessary when using Quagga? (A little bit off topic,
but I am just wondering.)




Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-06 Thread Bob Beck
  e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/
 
 I'll make a bulk check of the mirrors that haven't got 4.5 yet
 sometime soon and remind them to update their rsync inclusion
 lists. I'll give it a bit longer because some are probably
 still trying to fetch the release.
 

And there is a big difference between a mirror that is behind, and a
mirror that is providing you with something that is not what it
purports to be.



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Diana Eichert

On Wed, 6 May 2009, J.C. Roberts wrote:


I need to collect raw throughput statistics without increasing latency
or reducing bandwidth on 10GbE fiber links, so most of the typical
methods are out of the question (i.e. like bridging, SPAN sessions on a
switch, ...). As far as my understanding allows, I believe the best way
to do this is with a physical network tap connected to monitoring
equipment. I figure folks running/maintaining OpenBSD firewalls might
be familiar with using physical network taps for deploying IDS/IPS since
using bridges on such systems is a Bad Idea (R)(TM).

I've found one company [1] which offers what I need, but I was wondering
if anyone can recommend a vendor of physical network taps?

Thanks,
jcr


[1] http://www.networktaps.com/products/index.html

--
J.C. Roberts


JC

We use physical taps at work, when I get the chance I'll take a look at
the vendor.

Also, you really think you can capture 10GE? Chuckle, good luck.

diana



Re: Mplayer problem with new dualhead setup

2009-05-06 Thread Chris Bennett

I seem to have this fixed now.
I changed my .xinitrc to specify modes AND positions explicitly, getting 
rid of --left-of stuff.

Now the problem is gone.

Chris Bennett wrote:
I just installed a Radeon 9700 in dualhead. That is working fine as 
far as I can tell.
I am getting what looks like flashes of diagonal text when playing a 
video in youtube.
Goes away if I leave video screen. Sound is unaffected. Using scrotwm. 
i386, recent -current


Chris Bennett


Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread openbsd misc
On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:
 On Wed, 6 May 2009, J.C. Roberts wrote:

 I need to collect raw throughput statistics without increasing latency
 or reducing bandwidth on 10GbE fiber links, so most of the typical
 methods are out of the question (i.e. like bridging, SPAN sessions on a
 switch, ...). As far as my understanding allows, I believe the best way
 to do this is with a physical network tap connected to monitoring
 equipment. I figure folks running/maintaining OpenBSD firewalls might
 be familiar with using physical network taps for deploying IDS/IPS since
 using bridges on such systems is a Bad Idea (R)(TM).

 I've found one company [1] which offers what I need, but I was wondering
 if anyone can recommend a vendor of physical network taps?

 Thanks,
 jcr


 [1] http://www.networktaps.com/products/index.html

 --
 J.C. Roberts

 JC

 We use physical taps at work, when I get the chance I'll take a look at
 the vendor.

 Also, you really think you can capture 10GE? Chuckle, good luck.

 diana




NSA, MI(x)/GCHQ, ASIO and their vendor friends would beg to differ.

I can't see any black helicopters and my Tin Foil hat fits fine,
thanks for asking.



Re: OpenBGPD transparent-as issue

2009-05-06 Thread Claudio Jeker
On Wed, May 06, 2009 at 07:20:58AM -0700, Tom Martin wrote:
 Thnx for your fast reply.
 It works very well and saved us a lot of configuration time! By the way do
 you know why this isn't nescesary by using Quagga? (A little bit off topic,
 but I am just wondering).
 

They don't know sane defaults. We try to help people get good -- a bit
paranoid -- default config while other projects and vendors believe in
that every system must behave like a Cizzzcoee so that CCIE are not lost.

-- 
:wq Claudio



how to configure Grub 0.97 for booting my OpenBSD 4.5

2009-05-06 Thread 飞飞
Hi, guys,

I just installed OpenBSD 4.5, but my grub configuration can't boot it.
Before that, I used OpenBSD 4.2; this is a new installation, not an upgrade.

The OpenBSD slice is in (hd0,2); when I used OpenBSD 4.2, I used
chainloader to boot it:
root (hd0,a)
makeactive
chainloader +1
-
It worked well with OpenBSD 4.2.

But if I use it to boot 4.5, I only get an error:
Starting up ...
Loading ...
ERR M


If I use this configuration to boot it:
root (hd0,a)
kernel --type=openbsd /bsd
boot

The screen shows me the following:
, 0x200120:0x5c299c:0x102bc8, shtab=0x8c6140Strating up ...
panic: /boot too old: upgrade!
Stopped at 0xd0499848: leave
(null) (0,d071a8df, d078c44, d08c7f74, 8c6000) at 0xd0499848
(null) (d0717582,d08c7f74,d08c7f9c,d049d101,0) at 0xd0363085
(null) (8cd000) at 0xd049d415
Run at least 'trace' and 'ps' and include output when reporting this panic!
don't even bother reporting this without including that inforamtion!
ddb


After running trace, I get the same result:
(null) (0,d071a8df, d078c44, d08c7f74, 8c6000) at 0xd0499848
(null) (d0717582,d08c7f74,d08c7f9c,d049d101,0) at 0xd0363085
(null) (8cd000) at 0xd049d415

After running ps, the result is null.

The Grub version is the one distributed with Ubuntu 8.04, which is installed
in (hd0,6).

How do I resolve it?

Thanks.



Re: Installboot to usb drive?

2009-05-06 Thread L. V. Lammert

At 08:28 PM 5/5/2009 -0400, you wrote:


You are (probably) changing from sd0 to wd0, but that only messes up
your /etc/fstab file.


Good point!


Usual error is to forget that boot specified on the installboot command
line is not the one in the installboot directory or your current root
partition, but rather the /boot that exists on the root partition of the
target drive (i.e., the boot you WILL use, not the one that you already
used).


Confirmed. Here is what worked: First problem, I missed the '/mnt' for boot:

/usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0

I used both sd0 and wd0 to make sure it would work, .. both indicated 
'cross-device install'? Am I correct that the boot *device* specified 
should be wd0, when the drive will be physically used as bootable?


Thanks!

Lee



Re: RES: Migration from IPTABLES to PF

2009-05-06 Thread Nenhum_de_Nos
On Wed, May 6, 2009 02:41, Tomáš Bodňár wrote:
 I think,that in case of pf is good start point this site
 http://home.nuug.no/~peter/pf/ and then FAQ parts

it always helps me to read https://calomel.org/ when in doubt. :)

(the new photo looks cool also =] )

matheus

 2009/5/5 William Chivers william.chiv...@newcastle.edu.au:
 Hello Ricardo,

 This is not a beginners' mailing list, people here expect questions to
 1. be very specific, and
 2. demonstrate that you have spent a lot of time trying to solve the
 problem yourself, reading the documentation etc.

 Start with http://www.openbsd.org/faq/pf/index.html
 If you still need help, there are several books on pf, for example The
 Book of PF (http://nostarch.com/pf.htm).

 Look back through the misc mailing list to see how specific questions
 about pf are. When you have a specific question, the best help available
 is right here.

 Bill

 -
 William J. Chivers
 Lecturer in Information Technology
 School of DCIT
 Faculty of Science and Information Technology
 University of Newcastle---Ourimbah Campus
 PO Box 127, Ourimbah, NSW 2259
 Australia
 CRICOS Provider Number: 00109J

 phone: +61 2 4349 4473
 fax:   +61 2 4349 4565
 email: william.chiv...@newcastle.edu.au
 -
 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/06/09 5:08
 AM

 Thanks for this 'polite' reply.
 As I said, I spent some years away from the Unix/Linux world;
 I worked with business intelligence in those years.
 Now I am back to network administration and I got this project to do.
 I used OpenBSD before version 3. I do like it.

 This is my current scenario.
 - 2 firewalls with 2 carp+pfsync that will handle 2 internet connections,
 1 mpls connection, 1 lan to handle around 60 bus company that transport
 2 million users per day; each user has their own myfair card. Each bus has
 a system that stores this data in a file. These files will be imported to
 Oracle later. After this import, there are a lot of specific applications
 that use this information.
 - behind these 2 firewalls we have around 30 servers (most Windows): iis,
 file transfer servers, ws, and some other servers like some red hat
 enterprise running Oracle 10g.
 - at the beginning the firewalls will do Nat + filter + gateway +
 mpd5+squid (the fucking operators who need access to the Windows servers
 were surfing the web from there.)
 - our applications have around 5,000 users per day, but we have a lot of
 web services and some etl processes (I don't have statistics about volume
 yet).

 So that is it.


 -Mensagem original-
 De: William Chivers [mailto:william.chiv...@newcastle.edu.au]
 Enviada em: segunda-feira, 4 de maio de 2009 22:46
 Para: Ricardo Augusto de Souza; misc@openbsd.org
 Assunto: Re: Migration from IPTABLES to PF

 This is a great advertisement for OpenBSD, PF, and keeping things simple
 in general, mind if I use it Ricardo?

 As for your original question, I wouldn't even try to convert your
 iptables, especially using some magic tool to do it. Decide what you want
 your firewall to do and start from scratch with PF. That way you will know
 it is working and you will be able to maintain it reliably.

 Cheers, Bill


 -
 William J. Chivers
 Lecturer in Information Technology
 School of DCIT
 Faculty of Science and Information Technology
 University of Newcastle---Ourimbah Campus
 PO Box 127, Ourimbah, NSW 2259
 Australia
 CRICOS Provider Number: 00109J

 phone: +61 2 4349 4473
 fax:   +61 2 4349 4565
 email: william.chiv...@newcastle.edu.au
 -
 Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17
 AM

 Hi,

 I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The
 guy who installed it left our company some months ago.
 I spent some years far from iptables, now I have to migrate this firewall
 to PF.
 There are some 'special' features on this firewall, I need some
 documentation or help about implementing these features at the new
 firewall (PF).

 This is the iptables scripts:

 #!/bin/bash
 FW=/sbin/iptables
 LOAD=/sbin/modprobe
 #__

 # Carregando Modulo do IPTABLES
 . /etc/rc.d/init.d/prodata/fw_modulos

 # Carregando Variaveis
 . /etc/rc.d/init.d/prodata/fw_variaveis

 if [ $KERNEL = sim ]
    then . /etc/rc.d/init.d/prodata/fw_kernel
 fi


 #___
 # Cria politicas de LOGs

 #___

 if [ $LOGS = sim ]
    then . /etc/rc.d/init.d/prodata/fw_politicas
 fi

 Normal rules here
  EOF



 /etc/rc.d/init.d/prodata/fw_modulos
 #$LOAD nfnetlink

 $LOAD ip_conntrack
 $LOAD 

OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
So apparently OpenVPN is a douche of an application by
destroying/recreating any tun devices you ask it to bind to.  This
causes havoc with pf/altq if you queue on those tun interfaces.

I've asked on the openvpn-users mailing list if there's any way to have
OpenVPN avoid teardown of an existing tun(4) interface but nobody had
any useful answers (besides use the up/down scripts)... yeah, thanks.
Has anyone here used OpenVPN in server mode and overcome this?

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



help with getting kernel/userland back in sync

2009-05-06 Thread Robert Urban
Hi Folks,

I recently upgraded a 4.4 system to 4.5. I followed the Upgrade Guide, not using
sysmerge.  The upgrade went more-or-less ok.  After that, I wanted to install
the five patches on the 4.5 errata page.

I copied src.tar.gz and sys.tar.gz (for v4.5) from a mirror, unpacked them in
/usr/src, applied the first patch (libssl) and my make failed at some point with
errors.  I removed the /usr/src tree, and created it again from scratch.

I tried the make again (without applying patch) and it failed again, so I
concluded I need to sync with CVS.  This seems weird.  I would have thought the
src/sys tars would be clean...

I updated the tree from CVS using:

cd /usr/src && cvs up -r OPENBSD_4_5_BASE -Pd

as documented in release(8).

I repeated my attempt to make libssl, which was successful.  I applied the rest
of the patches, (aucat and 3 kernel patches), built a new kernel (GENERIC.MP),
installed it, and rebooted.

First I had to figure out that /sbin/ifconfig was hosed and rebuilt it. (it got
hosed/installed when I did the make install for /usr/src/sbin after building
libssl. I'm not sure why.)

Now I get the following messages at boot (10 repetitions):

 sysctl: fourth level name dad_pending in net.inet6.ip6.dad_pending is invalid

which is in the v4.5 /etc/netstart script.  According to a mail from Stuart
Henderson, this means my kernel and userland are out of sync.  It's not clear to
me how this could be, as /etc/netstart is v4.5 and so are the src/sys sources I
used.

Can someone shed some light on this problem?

thanks,

Rob Urban



Re: HD 'Analysis'

2009-05-06 Thread Martin Schröder
2009/5/6, Steve Shockley steve.shock...@shockley.net:
  The self-tests take the drive offline while they run, right?  Do you

No. man smartctl

Best
   Martin



Re: how to configure Grub 0.97 for booting my OpenBSD 4.5

2009-05-06 Thread Luca Corti
On 5/6/09 5:07 PM, Feifei (飞飞) wrote:
 The Grub version is distributed with the Ubuntu 8.04 which is installed in
 (hd0,6)

 How to resolve it?

Use the chainloader to call the OpenBSD bootloader. Something like:

title OpenBSD
root (hd0,a)
makeactive
chainloader +1

ciao

Luca



Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html

2009-05-06 Thread Alexandr Knyazev

subj



ypldap and ldaps

2009-05-06 Thread Vasiliy Kiryanov
Hello community.

I would want to use ypldap with our ldap server that work over ssl.
The problem is how to change ypldap.conf to work with ldaps.

I will appreciate any ideas.

thanks.



Re: help with getting kernel/userland back in sync

2009-05-06 Thread Robert Urban
I'll answer my own question.

It seems it's not a problem of the kernel and userland being out of sync, but
rather /sbin/sysctl was hosed too.  I rebuilt it and the problem disappeared.
I'm guessing that either I had some junk in /usr/obj/sbin or the patch
instructions for libssl need to mention doing a make clean after cd ../../sbin.

Rob Urban




Re: X won't work

2009-05-06 Thread Owain Ainsworth
On Wed, May 06, 2009 at 04:06:42AM -0400, x x wrote:
 it's an old Intel video on Inspiron from 2003. I already uncommented
 machdep.allowaperture=2, and when I type startx I get
 
 xauth: creating new authority file /root/.serverauth.24871

without even looking past the ring stall, that's an 845.

force XAA mode and you'll be ok. it's an intel driver bug.

-- 
All I ask is a chance to prove that money can't make me happy.



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Diana Eichert

On Wed, 6 May 2009, openbsd misc wrote:


On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:


We use physical taps at work, when I get the chance I'll take a look at
the vendor.

Also, you really think you can capture 10GE? Chuckle, good luck.

diana



  NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ.

I can't see any  black helicopters and my Tin Foil hat fits fine
thanks for asking.


Yeah, and I'm sure JC has equivalent resources of the acronym laden
institutions you mention.  Do you have any idea how they capture
packets at line rate?  I strongly doubt they are using off the shelf
hardware, but hey what would I know, I'm just a girl.

I'm sure you can piss a further stream than I can so I leave the 
pissing match to you.


diana



Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html

2009-05-06 Thread Ted Unangst
It's a website.

On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru wrote:
 subj



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Diana Eichert

We use NetOptics taps.

diana



Re: ypldap and ldaps

2009-05-06 Thread FRLinux
On Wed, May 6, 2009 at 4:51 PM, Vasiliy Kiryanov
vasiliy.kirya...@gmail.com wrote:
 I would want to use ypldap with our ldap server that work over ssl.
 The problem is how to change ypldap.conf to work with ldaps.

Hello,

I took this as a base :
http://kerneltrap.org/index.php?q=mailarchive/openbsd-misc/2008/10/11/3589614/thread

I remember successfully linking to my ldap server over SSL but cannot
check it now (test server and currently off). Maybe some other people
can expand on that.

The only remaining problem as far as i can see is that one user cannot
login using that system if he is not in the passwd file (which makes
it slightly redundant then). If I am mistaken about that point, I'd
happily like to be corrected and shown the way.

Cheers,
Steph



Re: OpenVPN destroys tun

2009-05-06 Thread Vadim Zhukov
On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
 So apparently OpenVPN is a douche of an application by
 destroying/recreating any tun devices you ask it to bind to.  This
 causes havoc with pf/altq if you queue on those tun interfaces.

 I've asked on the openvpn-users mailing list if there's any way to
 have OpenVPN avoid teardown of an existing tun(4) interface but nobody
 had any useful answers (besides use the up/down scripts)... yeah,
 thanks. Has anyone here used OpenVPN in server mode and overcome this?

 Thanks,

See persist-tun option.

-- 
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Jacob Yocom-Piatt

openbsd misc wrote:

On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:
  

On Wed, 6 May 2009, J.C. Roberts wrote:



I need to collect raw throughput statistics without increasing latency
or reducing bandwidth on 10GbE fiber links, so most of the typical
methods are out of the question (i.e. like bridging, SPAN sessions on a
switch, ...). As far as my understanding allows, I believe the best way
to do this is with a physical network tap connected to monitoring
equipment. I figure folks running/maintaining OpenBSD firewalls might
be familiar with using physical network taps for deploying IDS/IPS since
using bridges on such systems is a Bad Idea (R)(TM).

I've found one company [1] which offers what I need, but I was wondering
if anyone can recommend a vendor of physical network taps?

Thanks,
jcr


[1] http://www.networktaps.com/products/index.html

--
J.C. Roberts
  

JC

We use physical taps at work, when I get the chance I'll take a look at
the vendor.

Also, you really think you can capture 10GE? Chuckle, good luck.





note that he wants to collect raw throughput statistics and doesn't 
explicitly say dump all the traffic to disk. if he wanted to dump the 
entire pipe to disk it would require > 10 COTS machines and load balancing.




diana






   NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ.

  



i'd be more worried about the NBA, those dudes are huge and are known to 
roll with guns in sweatpants.


jc is just trying to find a way to get traffic statistics, likely in 
relation to his earlier 'remotely connected disk' discussion. move 
along, nothing to see here.




 I can't see any  black helicopters and my Tin Foil hat fits fine
thanks for asking.




Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Jeroen Massar
Diana Eichert wrote:
 On Wed, 6 May 2009, openbsd misc wrote:

 On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com
 wrote:

 We use physical taps at work, when I get the chance I'll take a look at
 the vendor.

 Also, you really think you can capture 10GE? Chuckle, good luck.

Pretty hard, but doable with special hardware according to some people
(eg not me, not my toys, just forwarding what I read about/know)

DAG cards come to mind:
http://www.endace.com/dag-network-monitoring-cards.html
which you can stick into most hosts, they sell various 10GE adapters and
claim it can do 10GE too. Linux/Windows/FreeBSD drivers available, thus
should not be too hard I guess to make an OpenBSD driver (that is
depending on documentation available etc...)

They claim to be able to even do 40Gbps:
http://www.endace.com/guaranteed-packet-capture.html
8<
This foundation is totally agnostic, supporting Ethernet and
Packet-Over-SONET (PoS), IP and InfiniBand, guaranteeing packet capture,
regardless of packet rate and size, at interface speeds up to 40Gbps.
8<

And I know for a fact that IBM ISS has a DPI thing which can do
40Gbps++, that is including up to Level 7 analysis... it just depends on
what kind of hardware one throws at it ;)

Greets,
 Jeroen
  (long live IPSEC :)




Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html

2009-05-06 Thread Otto Moerbeek
On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote:

 It's a website.
 
 On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru 
 wrote:
  subj

Nah, it's a URL.

-Otto



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Diana Eichert

On Wed, 6 May 2009, Jeroen Massar wrote:
SNIP

it just depends on
what kind of hardware one throws at it ;)

Greets,
Jeroen
 (long live IPSEC :)


AKA what kind of money you have to throw at it.  We had
a 10G box that filtered on SNORT rules in hardware.  We
purchased it from MetaNetworks, who were bought out by
Force10.  The product page is here,
http://www.force10networks.com/products/pseries.asp .

Ours was the 2nd or third built, you could still get to
the FPGA with Xilinx development tools.  A grad student,
Jonathon Donaldson, working in our organization used it
in the work he did for his thesis.  If you are
interested it is available here,
https://ritdml.rit.edu/dspace/bitstream/1850/4769/1/JDonaldsonThesis05-2007.pdf

diana



Re: DHCP versus PPPoE for ADSL.

2009-05-06 Thread David Walker
From:  Stuart Henderson
 I just added the address assigned to me into hostname.pppoe0:

 inet6 2001:4b10:1002:ff::1 64
 !/sbin/route add -inet6 default 2001:4b10:1002:ff::1

Hi Stuart.
Thanks for all the help.

I am curious, in pppoe(4) this example is given:
   inet 0.0.0.0 255.255.255.255 NONE \
   pppoedev ne0 authproto pap \
   authname 'testcaller' authkey 'donttell' up
   dest 0.0.0.1
   !/sbin/route add default -ifp pppoe0 0.0.0.1
So the destination wildcard is used as the route entry.
You have used the IP6 address assigned to your interface rather than
the remote IP6 address.
I must be missing something. Can you shine a light on that for me?

Also, considering my ISP is very reticent (for whatever reason) to
provide support for IPv6 do you have any idea of the wildcards for
inet6?
Getting IP addresses out of them is proving problematic. I suspect
they are ready but haven't got to the point for large scale
implementation. I would rather suck it and see than get support mail
referring me to Wikipedia.

Best wishes.



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
 On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
  So apparently OpenVPN is a douche of an application by
  destroying/recreating any tun devices you ask it to bind to.  This
  causes havoc with pf/altq if you queue on those tun interfaces.
 
  I've asked on the openvpn-users mailing list if there's any way to
  have OpenVPN avoid teardown of an existing tun(4) interface but nobody
  had any useful answers (besides use the up/down scripts)... yeah,
  thanks. Has anyone here used OpenVPN in server mode and overcome this?
 
 See persist-tun option.

This only affects restarts, not the initial startup.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread Christian Weisgerber
openbsd misc open...@6wells.com wrote:

NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ.

That would be DSD rather than ASIO, I think.
(Since we are already wildly off-topic.)

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: DHCP versus PPPoE for ADSL.

2009-05-06 Thread David Walker
Ignore my question re inet6 wildcards.
Asked and answered.

From:  Stuart Henderson
 I think you're supposed to do rtsol, but we don't support that on a
 device configured as a router. There is afaik no IPv6 address discovery
 mechanism done by PPP.

Best wishes.



Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html

2009-05-06 Thread looptigger
it's ABSOLUTE URL :)

On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek o...@drijf.net wrote:

  On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote:

  It's a website.
 
  On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru
 wrote:
   subj

 Nah, it's a URL.

-Otto



Re: OpenVPN destroys tun

2009-05-06 Thread Vadim Zhukov
On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote:
 On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
  On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
   So apparently OpenVPN is a douche of an application by
   destroying/recreating any tun devices you ask it to bind to.  This
   causes havoc with pf/altq if you queue on those tun interfaces.
  
   I've asked on the openvpn-users mailing list if there's any way to
   have OpenVPN avoid teardown of an existing tun(4) interface but
   nobody had any useful answers (besides use the up/down
   scripts)... yeah, thanks. Has anyone here used OpenVPN in server
   mode and overcome this?
 
  See persist-tun option.

 This only affects restarts, not the initial startup.

The idea is that you pre-create tun device (possibly in startup script, 
or in /etc/rc.local) and then OpenVPN uses it.

-- 
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: OpenVPN destroys tun

2009-05-06 Thread Mark Shroyer
On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote:
 So apparently OpenVPN is a douche of an application by
 destroying/recreating any tun devices you ask it to bind to.  This
 causes havoc with pf/altq if you queue on those tun interfaces.
 
 I've asked on the openvpn-users mailing list if there's any way to have
 OpenVPN avoid teardown of an existing tun(4) interface but nobody had
 any useful answers (besides use the up/down scripts)... yeah, thanks.
 Has anyone here used OpenVPN in server mode and overcome this?

Weird.  I ran an OpenVPN server on my OpenBSD gateway until just
recently, and I'm 98% sure that it never did this to me.  Are you
specifying both dev-type and dev in the VPN configuration?

Actually, that's one thought...  are you sure that the dev-type
setting in your OpenVPN configuration file and the configuration of your
tun(4) device are either both as tun or both as tap?  One of the things
that caught me off-guard about setting up OpenVPN on OpenBSD is that
OpenBSD's tap interfaces are actually called tunX, they just have the
link0 flag set.  (So you could properly end up with, e.g., dev-type
tap and dev tun0 in your OpenVPN configuration.)  Could be that if
OpenVPN expects one type of device but gets the other, it automatically
destroys and replaces it...

If that doesn't work, maybe you could try replacing the dev line in
your configuration with an equivalent dev-node line, just for the heck
of it.

Just a couple random shots in the dark, anyway.

-- 
Mark Shroyer
http://markshroyer.com/contact/



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote:
 On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote:
  On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
   On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
So apparently OpenVPN is a douche of an application by
destroying/recreating any tun devices you ask it to bind to.  This
causes havoc with pf/altq if you queue on those tun interfaces.
   
I've asked on the openvpn-users mailing list if there's any way to
have OpenVPN avoid teardown of an existing tun(4) interface but
nobody had any useful answers (besides use the up/down
scripts)... yeah, thanks. Has anyone here used OpenVPN in server
mode and overcome this?
  
   See persist-tun option.
 
  This only affects restarts, not the initial startup.
 
 The idea is that you pre-create tun device (possibly in startup script, 
 or in /etc/rc.local) and then OpenVPN uses it.

You're missing the point.  I create the necessary tun devices at boot
with hostname.tun* so that we get no pf/altq load errors.  But as soon
as OpenVPN runs from rc.local, it destroys the tun device and recreates
it.  This breaks altq because the file descriptor (/dev/tun*) changes.

Having OpenVPN create the tun device does me no good.  I'd still have to
re-load pf/altq after the file descriptor is created.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html

2009-05-06 Thread Chris Bennett

Why are all of you dwelling on the subject of this message?
Clearly, the body of the message refers to the important part:

subj

I don't have an answer to subj, but one of the bad ass developers MUST know!
Chris Bennett

looptigger wrote:

it's ABSOLUTE URL :)

On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek o...@drijf.net wrote:

  

 On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote:



It's a website.

On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru
  

wrote:


subj


Nah, it's a URL.

   -Otto




  


--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
  -- Robert Heinlein



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote:
 On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote:
  So apparently OpenVPN is a douche of an application by
  destroying/recreating any tun devices you ask it to bind to.  This
  causes havoc with pf/altq if you queue on those tun interfaces.
  
  I've asked on the openvpn-users mailing list if there's any way to have
  OpenVPN avoid teardown of an existing tun(4) interface but nobody had
  any useful answers (besides use the up/down scripts)... yeah, thanks.
  Has anyone here used OpenVPN in server mode and overcome this?
 
 Weird.  I ran an OpenVPN server on my OpenBSD gateway until just
 recently, and I'm 98% sure that it never did this to me.  Are you
 specifying both dev-type and dev in the VPN configuration?

I'm specifying dev tun0.  Per the openvpn(8) man page, dev-type should
only be used if the TUN/TAP device used with --dev does not begin with
tun or tap.

Were you actually using altq on your tun device?
 
 Actually, that's one thought...  are you sure that the dev-type
 setting in your OpenVPN configuration file and the configuration of your
 tun(4) device are either both as tun or both as tap?  One of the things
 that caught me off-guard about setting up OpenVPN on OpenBSD is that
 OpenBSD's tap interfaces are actually called tunX, they just have the
 link0 flag set.  (So you could properly end up with, e.g., dev-type
 tap and dev tun0 in your OpenVPN configuration.)  Could be that if
 OpenVPN expects one type of device but gets the other, it automatically
 destroys and replaces it...

As mentioned, dev-type is unnecessary.  We have no problems with this
configuration other than OpenVPN destroying the device at runtime which
causes the file-descriptor to change, confusing pf/altq.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Giancarlo Razzolini

Jason Dixon escreveu:

So apparently OpenVPN is a douche of an application by
destroying/recreating any tun devices you ask it to bind to.  This
causes havoc with pf/altq if you queue on those tun interfaces.

I've asked on the openvpn-users mailing list if there's any way to have
OpenVPN avoid teardown of an existing tun(4) interface but nobody had
any useful answers (besides use the up/down scripts)... yeah, thanks.
Has anyone here used OpenVPN in server mode and overcome this?

Thanks,

  
Well, you don't necessarily need to enable altq on the tun interface to 
get your packets queued. I did overcome this by making the queue on 
another interface, a physical one, and then making packets coming or 
leaving the tun interface to get queued on that interface. This works, 
and you won't have to deal with the tun interface being destroyed across 
openvpn starts/stops.


My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD 4.5
Ubuntu 9.04 Jaunty Jackalope
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote:
 Jason Dixon escreveu:
 So apparently OpenVPN is a douche of an application by
 destroying/recreating any tun devices you ask it to bind to.  This
 causes havoc with pf/altq if you queue on those tun interfaces.

 I've asked on the openvpn-users mailing list if there's any way to have
 OpenVPN avoid teardown of an existing tun(4) interface but nobody had
 any useful answers (besides use the up/down scripts)... yeah, thanks.
 Has anyone here used OpenVPN in server mode and overcome this?
   
 Well, you don't necessarily need to enable altq on the tun interface to  
 get your packets queued. I did overcome this by making the queue on  
 another interface, a physical one, and then making packets coming or  
 leaving the tun interface to get queued on that interface. This works,  
 and you won't have to deal with the tun interface being destroyed across  
 openvpn starts/stops.

You don't understand the usage.  We have a remote office with a fixed
pipe and *all* of their traffic crossing the VPN tunnel to our office.
It's necessary to queue a fraction of the traffic crossing the physical
interface for this purpose.  We also perform queueing on the physical
interface that has a completely different usage model than the VPN
tunnel.

Please, let's not get off-topic.  It's a simple question... can you
start OpenVPN without having it destroy/recreate the tun interface.  If
you haven't used this, please refrain from commenting.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Vadim Zhukov
On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote:
 On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote:
  On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote:
   On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
 So apparently OpenVPN is a douche of an application by
 destroying/recreating any tun devices you ask it to bind to. 
 This causes havoc with pf/altq if you queue on those tun
 interfaces.

 I've asked on the openvpn-users mailing list if there's any
 way to have OpenVPN avoid teardown of an existing tun(4)
 interface but nobody had any useful answers (besides use the
 up/down scripts)... yeah, thanks. Has anyone here used
 OpenVPN in server mode and overcome this?
   
See persist-tun option.
  
   This only affects restarts, not the initial startup.
 
  The idea is that you pre-create tun device (possibly in startup
  script, or in /etc/rc.local) and then OpenVPN uses it.

 You're missing the point.  I create the necessary tun devices at boot
 with hostname.tun* so that we get no pf/altq load errors.  But as soon
 as OpenVPN runs from rc.local, it destroys the tun device and
 recreates it.  This breaks altq because the file descriptor
 (/dev/tun*) changes.

 Having OpenVPN create the tun device does me no good.  I'd still have
 to re-load pf/altq after the file descriptor is created.

Strange, I do not have such problem. But I'm not using altq there,
just some block/allow and NAT... Could you post your OpenVPN config?

Mine looks like this:

remote vpn.some.net 1194
proto tcp-client
resolv-retry infinite
persist-tun
dev tun2
dev-type tap
pull
ifconfig-noexec
up /etc/openvpn/some.up

(parameters related to authentication are excluded).

Up script just runs ifconfig for configuring (not [re-]creating) tun
device.

-- 
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:43:15PM +0400, Vadim Zhukov wrote:
 On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote:
 
  Having OpenVPN create the tun device does me no good.  I'd still have
  to re-load pf/altq after the file descriptor is created.
 
 Strange, I do not have such problem. But I'm not using altq there,
 just some block/allow and NAT... Could you post your OpenVPN config?

Right, this only really manifests with altq on tun(4).  There's no point
to pasting my config, but I'll include most of it here so you don't think
I'm jerking your chain.  ;)


#
local x.x.x.9
port 1194
proto udp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd

server 192.168.210.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt 86400
push "route 10.0.116.0 255.255.254.0"

keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun

status /etc/openvpn/openvpn-status.log

verb 3
management 127.0.0.1 7505
#


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Vadim Zhukov
On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote:
 On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote:
  On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote:
   So apparently OpenVPN is a douche of an application by
   destroying/recreating any tun devices you ask it to bind to.  This
   causes havoc with pf/altq if you queue on those tun interfaces.
  
   I've asked on the openvpn-users mailing list if there's any way to
   have OpenVPN avoid teardown of an existing tun(4) interface but
   nobody had any useful answers (besides use the up/down
   scripts)... yeah, thanks. Has anyone here used OpenVPN in server
   mode and overcome this?
 
  Weird.  I ran an OpenVPN server on my OpenBSD gateway until just
  recently, and I'm 98% sure that it never did this to me.  Are you
  specifying both dev-type and dev in the VPN configuration?

 I'm specifying dev tun0.  Per the openvpn(8) man page, dev-type
 should only be used if the TUN/TAP device used with --dev does not
 begin with tun or tap.

 Were you actually using altq on your tun device?

  Actually, that's one thought...  are you sure that the dev-type
  setting in your OpenVPN configuration file and the configuration of
  your tun(4) device are either both as tun or both as tap?  One of
  the things that caught me off-guard about setting up OpenVPN on
  OpenBSD is that OpenBSD's tap interfaces are actually called tunX,
  they just have the link0 flag set.  (So you could properly end up
  with, e.g., dev-type tap and dev tun0 in your OpenVPN
  configuration.)  Could be that if OpenVPN expects one type of device
  but gets the other, it automatically destroys and replaces it...

 As mentioned, dev-type is unnecessary.  We have no problems with
 this configuration other than OpenVPN destroying the device at runtime
 which causes the file-descriptor to change, confusing pf/altq.

1. Did you try specifying the tunnel type?

2. tap devices exist on Windows and on Linux, but NOT on OpenBSD. So 
OpenVPN cannot determine device type via its name.

-- 
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:51:19PM +0400, Vadim Zhukov wrote:
 On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote:
 
  I'm specifying dev tun0.  Per the openvpn(8) man page, dev-type
  should only be used if the TUN/TAP device used with --dev does not
  begin with tun or tap.

[ ... ]

 1. Did you tried specifing tunnel type?
 
 2. tap devices exists on Windows and on Linux, but NOT on OpenBSD. So 
 OpenVPN cannot determine device type via its name.

Both of your questions were answered by my last reply (see above).

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Giancarlo Razzolini

Jason Dixon escreveu:

On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote:
  

Jason Dixon escreveu:


So apparently OpenVPN is a douche of an application by
destroying/recreating any tun devices you ask it to bind to.  This
causes havoc with pf/altq if you queue on those tun interfaces.

I've asked on the openvpn-users mailing list if there's any way to have
OpenVPN avoid teardown of an existing tun(4) interface but nobody had
any useful answers (besides use the up/down scripts)... yeah, thanks.
Has anyone here used OpenVPN in server mode and overcome this?
  
  
Well, you don't necessarily need to enable altq on the tun interface to  
get your packets queued. I did overcome this by making the queue on  
another interface, a physical one, and then making packets coming or  
leaving the tun interface to get queued on that interface. This works,  
and you won't have to deal with the tun interface being destroyed across  
openvpn starts/stops.



You don't understand the usage.  We have a remote office with a fixed
pipe and *all* of their traffic crossing the VPN tunnel to our office.
It's necessary to queue a fraction of the traffic crossing the physical
interface for this purpose.  We also perform queueing on the physical
interface that has a completely different usage model than the VPN
tunnel.

Please, let's not get off-topic.  It's a simple question... can you
start OpenVPN without having it destroy/recreate the tun interface.  If
you haven't used this, please refrain from commenting.

Thanks,

  
Well, I wasn't OT with my reply. And I have used openvpn since the beginning of 
the project, even made a plugin for it. So I know a little of it. My 
suggestion was to avoid what you might be already suspecting. You will 
have to mess with openvpn code and recompile it to do what you want. The 
solution I suggested is a viable one, even if you already have queueing 
policies on that interface. It'll only require a little adaptation on 
your altq rules. I guess you won't get far with an attitude like that, 
being rude with people that are trying to help you. That said, you might 
want to take a look at openvpn source code, mainly tun.c and tun.h files.


My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD 4.5
Ubuntu 9.04 Jaunty Jackalope
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote:

 Well, I wasn't OT with my reply. And I have used openvpn since the beginning of  
 the project, even made a plugin for it. So I know a little of it. My  
 suggestion was to avoid what you might be already suspecting. You will  
 have to mess with openvpn code and recompile it to do what you want. The  
 solution I suggested is a viable one, even if you already have queueing  
 policies on that interface. It'll only require a little adaptation on  
 your altq rules. I guess you won't get far with an attitude like that,  
 being rude with people that are trying to help you. That said, you might  
 want to take a look at openvpn source code, mainly tun.c and tun.h files.

Regardless of how much you claim to know about it, the fact remains that
there's no way to have OpenVPN bind to an existing tun device.  Thanks
for the roundabout answer.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Claudio Jeker
On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote:
 So apparently OpenVPN is a douche of an application by
 destroying/recreating any tun devices you ask it to bind to.  This
 causes havoc with pf/altq if you queue on those tun interfaces.
 
 I've asked on the openvpn-users mailing list if there's any way to have
 OpenVPN avoid teardown of an existing tun(4) interface but nobody had
 any useful answers (besides use the up/down scripts)... yeah, thanks.
 Has anyone here used OpenVPN in server mode and overcome this?
 

How does openvpn destroy the interfaces? IIRC they just close the fd and
that is causing the interface to be destroyed if it was auto created.

Did you try to ifconfig tunX up before starting openvpn? These
interfaces will not be auto destroyed on close and remain available.

-- 
:wq Claudio
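The tun.c excerpt posted further down in this thread shows why a pre-created or pre-upped tun0 does not survive an OpenVPN start on OpenBSD: do_ifconfig() runs "ifconfig tunX destroy" and then "ifconfig tunX create" unconditionally before configuring the addresses. What is left, inside OpenVPN's own mechanisms, is the up script Jason mentioned. OpenVPN runs it as root after the device has been created and configured and before it drops to "user nobody", so the script can reload pf and let altq attach to the new interface instance. The script below is an added example, not code from this thread or from the OpenVPN project. It assumes the ruleset is /etc/pf.conf, that pfctl lives in /sbin, that "pfctl -s queue" prints one "queue NAME on IFACE ..." line per queue and omits queues whose interface has vanished (the 4.5 format), and that it is wired in with "up /etc/openvpn/up.sh" plus "script-security 2" on OpenVPN 2.1.

```shell
#!/bin/sh
# OpenVPN "up" hook for OpenBSD: re-attach pf/altq to a tun(4) interface that
# OpenVPN has just destroyed and re-created.  Added example, not from the thread.
#
# OpenVPN invokes the up script with these positional arguments:
#   $1 tun_dev  $2 tun_mtu  $3 link_mtu  $4 ifconfig_local_ip
#   $5 ifconfig_remote_ip  $6 init|restart
# It runs as root, after the device exists and before OpenVPN drops to
# "user nobody", so pfctl still works here.

PFCTL=${PFCTL:-/sbin/pfctl}        # assumed path; overridable for testing
PF_CONF=${PF_CONF:-/etc/pf.conf}   # assumption: ruleset at the usual place
LOGGER=${LOGGER:-logger}           # messages go to syslog, not to OpenVPN's log

log() { "$LOGGER" -t openvpn-up -- "$*"; }

# Accept only a tun(4) name: a typo in the "dev" line must not make the hook
# reload pf for some unrelated interface.
is_tun_dev() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Does the loaded ruleset have at least one altq queue attached to $1?
# Assumed output format: "queue NAME on IFACE bandwidth ..."; queues whose
# interface was destroyed are not listed, which is exactly the symptom here.
queue_present() {
    "$PFCTL" -s queue 2>/dev/null | grep -q " on $1 "
}

# Main hook.  Returns 0 on success, 1 for a non-tun device name, 2 if pf
# refused the ruleset, 3 if it loaded but no queue landed on the new tunX.
openvpn_up() {
    dev=$1; mtu=$2; local_ip=$4; remote_ip=$5; reason=${6:-init}   # $3 link_mtu unused

    if ! is_tun_dev "$dev"; then
        log "refusing to act on non-tun device '$dev'"
        return 1
    fi

    # OpenVPN has already run "ifconfig $dev create" and configured
    # $local_ip -> $remote_ip with mtu $mtu.  The fresh interface instance has
    # no altq state, so reload the whole ruleset: "altq on $dev" definitions
    # are re-attached and rules naming $dev are re-resolved.  States survive a
    # ruleset reload, so existing connections are not cut.
    if ! "$PFCTL" -f "$PF_CONF"; then
        log "pfctl -f $PF_CONF failed after $reason of $dev ($local_ip -> $remote_ip)"
        return 2
    fi

    if ! queue_present "$dev"; then
        log "ruleset loaded but no altq queue is attached to $dev"
        return 3
    fi

    log "$dev $reason: pf ruleset reloaded, altq queue attached (mtu $mtu)"
    return 0
}

# Act as a hook only when called with OpenVPN's arguments; running the file
# bare just defines the functions.
if [ $# -ge 5 ]; then
    openvpn_up "$@"
    exit $?
fi
```

The exit codes are deliberate: with "up" OpenVPN treats a non-zero exit as fatal, so a VPN that comes up without its queues fails loudly instead of silently running unshaped. If reloading the ruleset on every VPN start is unacceptable, Giancarlo's alternative sidesteps the whole issue: define the queues on the physical interfaces and assign VPN traffic to them from rules on tun0 (decrypted traffic) and on the WAN interface (OpenVPN's UDP flow), since pf queues a packet by the queue name its state carries when it leaves the interface that owns the queue.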



Re: A new toy for programmers who use VIM on OpenBSD

2009-05-06 Thread Dasn
On 06/05/09 10:43 +0100, Stuart Henderson wrote:
 (cc/reply-to set to ports@).
 
 useful :-) would you be interested in adding some kind of license
 (we like /usr/share/misc/license.template, but it's your choice)?
 then it could go into ports/packages.
 
No problem, I'd love to add this license.

-- 
Dasn



swap(encrypt) vs. vnd

2009-05-06 Thread Maxim Bourmistrov

Hello misc@,
any one can answer the following question:

why is the codebase used to encrypt/decrypt swap not used to replace or
complement vnd?
Complement means: skip the creation of the encrypted image part and work
directly with the block device.


//maxim



Re: OpenVPN destroys tun

2009-05-06 Thread Giancarlo Razzolini

Jason Dixon escreveu:

On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote:
  
Well, I wasn't OT with my reply. And I have used openvpn since the beginning of  
the project, even made a plugin for it. So I know a little of it. My  
suggestion was to avoid what you might be already suspecting. You will  
have to mess with openvpn code and recompile it to do what you want. The  
solution I suggested is a viable one, even if you already have queueing  
policies on that interface. It'll only require a little adaptation on  
your altq rules. I guess you won't get far with an attitude like that,  
being rude with people that are trying to help you. That said, you might  
want to take a look at openvpn source code, mainly tun.c and tun.h files.



Regardless of how much you claim to know about it, the fact remains that
there's no way to have OpenVPN bind to an existing tun device.  Thanks
for the roundabout answer.

  
Well, my rude friend, I guess you'll have to accept my suggestion
because you're simply stuck with it. I shouldn't, but I took a little
time and dove into the openvpn source code. This is the piece of code that
does exactly what you're saying:


#elif defined(TARGET_OPENBSD)

  /*
   * OpenBSD tun devices appear to be persistent by default.  It seems in order
   * to make this work correctly, we need to delete the previous instance
   * (if it exists), and re-ifconfig.  Let me know if you know a better way.
   */

  argv_printf (&argv,
               "%s %s destroy",
               IFCONFIG_PATH,
               actual);
  argv_msg (M_INFO, &argv);
  openvpn_execve_check (&argv, es, 0, NULL);
  argv_printf (&argv,
               "%s %s create",
               IFCONFIG_PATH,
               actual);
  argv_msg (M_INFO, &argv);
  openvpn_execve_check (&argv, es, 0, NULL);
  msg (M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure");

  /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */

  if (tun)
    argv_printf (&argv,
                 "%s %s %s %s mtu %d netmask 255.255.255.255 up",
                 IFCONFIG_PATH,
                 actual,
                 ifconfig_local,
                 ifconfig_remote_netmask,
                 tun_mtu
                 );
  else
    argv_printf (&argv,
                 "%s %s %s netmask %s mtu %d broadcast %s link0",
                 IFCONFIG_PATH,
                 actual,
                 ifconfig_local,
                 ifconfig_remote_netmask,
                 tun_mtu,
                 ifconfig_broadcast
                 );
  argv_msg (M_INFO, &argv);
  openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
  tt->did_ifconfig = true;

Attend to the comment of the developer. If you change this code,
it'll probably break openvpn and it won't work. Either you accept my
suggestion, which was a good and viable one, or you change this piece of
code. By the way, don't forget to contact James (the main openvpn
developer) and tell him that you have a better way, as he asks in his
comment. Bet that wasn't roundabout.


My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD 4.5
Ubuntu 9.04 Jaunty Jackalope
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote:
 Jason Dixon escreveu:
   
 Well, my rude friend, I guess you'll have to accept my suggestion
 because you're simply stuck with it. I shouldn't, but I took a little
 time and dove into the openvpn source code. This is the piece of code that
 does exactly what you're saying:

Or I can continue to reload pf in /etc/rc.local like we currently do.
No harm no foul.  It's just not elegant.

Sorry if you find my demeanor rude.  I don't have a lot of patience for
tangents when I'm asking a straightforward question and getting
horizontal advice instead.  New workarounds aren't necessarily better
than existing workarounds.

I appreciate your digging into the code.  That was above and beyond,
even if it doesn't really do me any good.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Ross Cameron
On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini
linux-...@onda.com.brwrote:

  Well, I wasn't OT with my reply. And I have used openvpn from the beginning of
 the project, even made a plugin for it. So I know a little of it. My
 suggestion was to avoid what you might already be suspecting. You will have
 to mess with the openvpn code and recompile it to do what you want. The solution
 I suggested is a viable one, even if you already have queueing policies on that
 interface. It'll only require a little adaptation of your altq rules. I
 guess you won't get far with an attitude like that, being rude with people
 that are trying to help you. That said, you might want to take a look at the
 openvpn source code, mainly the tun.c and tun.h files.


I'm with Giancarlo here... I use OpenVPN extensively (not on OpenBSD
admittedly - my own embedded BSD variant).
And the man knows what he's talking about when it comes to OpenVPN.

Really man, IF you want help, don't douche on the guys trying to help you.

An attitude like that deserves a response akin to "Use the source, Luke" and
no more.

-- 
Opportunity is most often missed by people because it is dressed in
overalls and looks like work.
   Thomas Alva Edison
   Inventor of 1093 patents, including:
   The light bulb, phonogram and motion pictures.



Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html

2009-05-06 Thread Daniel Ouellet

It's a bird?

No, it's a UFO!

No, It's gone!

It wasn't linked from the main page for a very long time, waiting on the
author's updates, but as they never came, it is now deleted!


Maybe a wiki page will show up soon instead, but we'll see how I feel
about it.


Don't complain on misc@ for anything wrong there, just send updates.

Best,

Daniel

looptigger wrote:

it's ABSOLUTE URL :)

On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek o...@drijf.net wrote:


 On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote:


It's a website.

On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru

wrote:

subj

Nah, it's a URL.

   -Otto




Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 11:25:20PM +0200, Ross Cameron wrote:
 On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini
 linux-...@onda.com.brwrote:
 
   Well, I wasn't OT with my reply. And I have used openvpn from the beginning of
  the project, even made a plugin for it. So I know a little of it. My
  suggestion was to avoid what you might already be suspecting. You will have
  to mess with the openvpn code and recompile it to do what you want. The solution
  I suggested is a viable one, even if you already have queueing policies on that
  interface. It'll only require a little adaptation of your altq rules. I
  guess you won't get far with an attitude like that, being rude with people
  that are trying to help you. That said, you might want to take a look at the
  openvpn source code, mainly the tun.c and tun.h files.
 
 I'm with Giancarlo here,... I use OpenVPN extensively (not on OpenBSD
 admittedly - my own embedded BSD variant).
 And the man knows what he's talking about when it comes to OpenVPN.
 
 Really man IF you want help don't douche on the guys trying to help you.

I just wanted a simple answer to a simple question.  Not the same old
"jeez, you should try this instead".
 
 An attitude like that deserves a response akin to "Use the source, Luke" and
 no more.

We all have good and bad days.  I've been offering free (hopefully good)
advice to these lists for almost 10 years now.  I keep my questions
brief and my answers concise.  Detours piss me off.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: OpenVPN destroys tun

2009-05-06 Thread Giancarlo Razzolini

Jason Dixon escreveu:

On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote:
  

Jason Dixon escreveu:

  
  
Well, my rude friend, I guess you'll have to accept my suggestion
because you're simply stuck with it. I shouldn't, but I took a little
time and dove into the openvpn source code. This is the piece of code that
does exactly what you're saying:



Or I can continue to reload pf in /etc/rc.local like we currently do.
No harm no foul.  It's just not elegant.

Sorry if you find my demeanor rude.  I don't have a lot of patience for
tangents when I'm asking a straightforward question and getting
horizontal advice instead.  New workarounds aren't necessarily better
than existing workarounds.

I appreciate your digging into the code.  That was above and beyond,
even if it doesn't really do me any good.

Thanks,

  
Well, it can't always be elegant. IT isn't elegant, as you saw in the
code yourself. You only forgot to mention that you already had a
workaround for your problem. If I had known it, it would have saved a lot of
time, by not suggesting another one.


My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD 4.5
Ubuntu 9.04 Jaunty Jackalope
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: OpenVPN destroys tun

2009-05-06 Thread Jason Dixon
On Wed, May 06, 2009 at 06:26:30PM -0300, Giancarlo Razzolini wrote:
 Jason Dixon escreveu:

 I appreciate your digging into the code.  That was above and beyond,
 even if it doesn't really do me any good.
   
 Well, it can't always be elegant. IT isn't elegant, as you saw in the
 code yourself. You only forgot to mention that you already had a
 workaround for your problem. If I had known it, it would have saved a lot of
 time, by not suggesting another one.

I mentioned it in a reply to Vadim.  Sorry for not making it more
obvious and that it caused you any wasted time.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
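
The "use the up/down scripts" route that the thread waves off is, in practice, the hook where a pf reload belongs. As an added example (not from any message above, and not part of OpenVPN or OpenBSD), this is an OpenVPN up hook that waits for the tun device OpenVPN passes as its first argument and then reloads the pf ruleset, so queues defined on that interface are rebuilt after the destroy/create that tun.c performs. The script path /etc/openvpn/up.sh, the pf.conf path and the tun0..tun99 name check are this example's assumptions; "up" and "script-security 2" (needed on OpenVPN 2.1 and later before external scripts run) are the OpenVPN directives that wire it in.

```shell
#!/bin/sh
# Added example (not from the thread, not part of OpenVPN or OpenBSD):
# an OpenVPN "up" hook that re-applies the pf ruleset once OpenVPN has
# finished its ifconfig on the tun device, so altq queues attached to that
# interface are rebuilt after the destroy/create shown in tun.c.
#
# Assumed wiring in the OpenVPN config (paths are this example's choice):
#   up /etc/openvpn/up.sh
#   script-security 2
# OpenVPN calls the hook as:
#   up.sh tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]

PF_CONF=${PF_CONF:-/etc/pf.conf}     # ruleset to reload (assumption)
PFCTL=${PFCTL:-/sbin/pfctl}          # overridable so the hook can be dry-run
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
UP_WAIT_TRIES=${UP_WAIT_TRIES:-10}   # seconds to wait for the interface

# Accept only names OpenVPN would actually hand us (tun0 .. tun99); anything
# else means the hook is being run by something other than OpenVPN.
valid_tun_name() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll until ifconfig can see the interface.  OpenVPN runs the hook after its
# own ifconfig, but a ruleset loaded before the interface exists has nothing
# to attach the queue to, so be defensive.
wait_for_iface() {
    _tries=0
    until "$IFCONFIG" "$1" >/dev/null 2>&1; do
        _tries=$((_tries + 1))
        [ "$_tries" -ge "$UP_WAIT_TRIES" ] && return 1
        sleep 1
    done
    return 0
}

# Reload the full ruleset.  pfctl -f loads rules and queue definitions
# without flushing the state table, so established connections survive;
# what it rebuilds is the queue tree that vanished with the old interface.
reload_pf() {
    "$PFCTL" -f "$PF_CONF"
}

openvpn_up() {
    _dev=$1
    valid_tun_name "$_dev" || { echo "up.sh: unexpected device name '$_dev'" >&2; return 2; }
    wait_for_iface "$_dev" || { echo "up.sh: $_dev did not appear" >&2; return 3; }
    reload_pf || { echo "up.sh: reload of $PF_CONF failed" >&2; return 4; }
    return 0
}

# Only act when invoked by OpenVPN with a device argument; sourcing the file
# just defines the functions.
if [ -n "${1:-}" ]; then
    openvpn_up "$1"
fi
```

The name check is there because whatever OpenVPN passes ends up as an argument to a root-run ifconfig; with the reload done from the hook rather than from /etc/rc.local, the queues also come back after an OpenVPN restart, not only at boot.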



Re: Installboot to usb drive?

2009-05-06 Thread Nick Holland

L. V. Lammert wrote:

At 08:28 PM 5/5/2009 -0400, you wrote:

...

Usual error is to forget that boot specified on the installboot command
line is not the one in the installboot directory or your current root
partition, but rather the /boot that exists on the root partition of the
target drive (i.e., the boot you WILL use, not the one that you already
used).


Confirmed. Here is what worked: First problem, I missed the '/mnt' for
boot:


/usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0

I used both sd0 and wd0 to make sure it would work... both indicated
'cross-device install'? Am I correct that the boot *device* specified
should be wd0, when the drive will be physically used as bootable?


no, all installboot does is install a tiny little program (biosboot)
in the PBR, and point it at the inode used by the file /boot.  So, it
needs to know which file will end up being /boot.


It needs to know where to put it; it really doesn't care what driver
will hook to the device after boot.  As the name implies, biosboot uses
the BIOS, not the kernel driver.  Biosboot is finished with its job long
before the kernel is even loaded (is five seconds long? :).


See faq14 for more info on how this all works.

You want something like:
/usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot sd0

assuming sd0a is mounted on /mnt and is your new disk.

(alternately: just boot install media, point it at sd0, and it will do 
the rest for you...)


Nick.



EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009

2009-05-06 Thread Dragos Ruiu
EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT
- Ralf-Philipp Weinmann,  University of Luxembourg
A year in the life of an Adobe Flash security researcher
- Peleus  Uhley, Adobe
Pwning your grandmother's iPhone
- Charley Miller, Independent Security Evaluators
Post exploitation techniques on OSX and Iphone and other TBA matters.
- Vincent Iozzo,Zynamics
STOP!! Objective-C Run-TIME.
- nemo
Exploiting Delphi/Pascal
- Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections
- Christophe Devine & Guillaume Vissian, Thales
Thoughts about Trusted Computing
- Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon?
- Arrigo Trulzi
Evolving Microsoft Exploit Mitigations
- Tim Burrell & Peter Beck, Microsoft
Malware Case Study: the ZeuS evolution
- Vicente Diaz, S21Sec
Writing better XSS payloads
- Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions
- Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited
- Adrian Pastor,  Gnucitizen, Corsaire
Advanced SQL Injection to operating system control
- Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic
- Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded
- Petr Matousek, Coseinc


PacSec 2009  CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information
security in Japan, the best known figures in the international
security industry will get together with leading Japanese researchers
to share best practices and technology. The most significant new
discoveries about computer network hack attacks will be presented and
discussed at the seventh annual PacSec conference.

The PacSec meeting provides an opportunity for foreign specialists to
be exposed to Japanese innovation and markets and collaborate on
practical solutions to computer security issues. In an informal
setting with a mixture of material bilingually translated in both
English and Japanese the eminent technologists can socialize and
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2009
network security training conference. The conference will be held
November 4/5th in Tokyo. The conference focuses on emerging
information security tutorials - it is a bridge between the
international and Japanese information security technology communities.

Please make your paper proposal submissions before June 1st, 2009.
Slides for the papers must be submitted for translation by October 1,
2009 (Which, oh so rarely, happens we are going to start asking for
them earlier :-P --dr).

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible for
travel and accommodations for the speakers. If you have a proposal for
a tutorial session then please email a synopsis of the material and
your biography, papers and speaking background to  . Tutorials are
one hour in length, but with simultaneous translation should be
approximately 45 minutes in English or Japanese. Only slides will be
needed for the October paper deadline; full text does not have to be
submitted.

The PacSec conference consists of tutorials on technical details about
current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security work: security
product vendors, programmers, security officers, and network
administrators. We give preference to technical details and education
for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products and
techniques. The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content is tolerated, but
it needs to be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)
and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph
description.
6) Reason why this material is innovative or significant or an
important tutorial.
7) Optionally, any samples of prepared material or outlines ready.
8) Will you have full text 

XTerm resizing and 4.5

2009-05-06 Thread Hugo Villeneuve
Somehow, while upgrading from 4.4 to 4.5 on i386, I lost the ability
to resize an XTerm via the command resize -s rows cols.

It's not the end of the world and for now I just changed XTerm
default geometry to 132x48.

I'm not sure where I should look to bring that behavior back.


-- 
Hugo Villeneuve h...@eintr.net



Re: HD 'Analysis'

2009-05-06 Thread ropers
 On Monday 04 May 2009 17:56:43 L. V. Lammert wrote:
  What is the best way to do a surface analysis on a disk?


2009/5/5 Tony Abernethy t...@servacorp.com:
 There is, in the e2fsprogs package, something called badblocks.
 I have used it (on Linux) to rescue bad disks.
 (Windows laptops  -- kinda redundant?)

 If you care about your data, follow Steve's advice.

 The reality seems to be that this does exercise a disk's ability
 to relocate bad sectors so that a bad disk suddenly goes good.
 This is using a destructive surface test  (badblocks -sw ...)
 Realistically, seems like the most reliable test is that disk is slower
 than it should be.

 Me, if I want to rely on a disk drive, I will run badblocks on it.
 The long-winded destructive test
 And I will time it, at least sporadically.
 (New disks are not immune from having problems ;-)
 The exercise maybe loses out to watching grass grow.

I also would recommend badblocks(8), but I would recommend
  badblocks -svn
instead of badblocks -sw.

badblocks -svn also (s)hows its progress as it goes along, but does a
(v)erbose (n)on-destructive read/write test (as opposed to either the
default read-only test or the destructive read/write test). You can
check an entire device with badblocks, or a partition, or a file. The
great thing about using badblocks to check a partition is that it's
filesystem-agnostic. It will dutifully check every bit of its target
partition regardless of what's actually on it. And if you give
badblocks -svn an entire storage device to test, it will not even care
about the actual partition scheme used. Because this read/write test
can trigger the disk's own built-in bad sector relocation, this means
you can even have a disk that you can't read the partition table from,
and running badblocks -svn over it may at least temporarily fix
things. And I've used badblocks -svn e.g. to check old Macintosh
floppies. Who cares that OpenBSD doesn't know much about the
filesystem on those? badblocks does the job anyway.

(Because of this agnosticism, it's actually questionable whether
badblocks(8) ought to be part of a filesystem-specific package, but
hey, that's what it comes in. Yea, one *could* also argue whether to
include it elsewhere by default because it's so useful, but I'm not
the one making those decisions and I guess the folks who do will do
what makes the most sense to them, so I don't feel like starting to be
a back seat driver... ;-)

Oh, and of course it would probably be prudent to do a backup before
read/write tests, even though badblocks is well-established and (with
-n) supposed to be non-destructive. Supposed to... ;-) I've never been
disappointed but YMMV.

regards,
--ropers
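
To make concrete what "-n" buys over the default read-only pass and the destructive "-w" pass, here is an added example (not from the message above, and not the badblocks code from e2fsprogs): a POSIX sh re-implementation of the non-destructive read/write test, done block by block with dd(1). For each block it saves the original contents, writes a test pattern, reads the block back and compares, then restores the original, and it reports bad block numbers one per line as badblocks does. The 4096-byte block size and the four patterns (0xaa, 0x55, 0xff, 0x00, the ones badblocks -w is documented to use) are this example's choices, as are all the function and variable names; cksum(1) stands in for cmp(1) so only base utilities are needed.

```shell
#!/bin/sh
# Added example, not from the thread and not the e2fsprogs code: a small
# re-implementation of the non-destructive read/write pass that
# "badblocks -n" makes, written with dd(1) so the algorithm is visible.
# For every block: keep a copy of the original contents, write a test
# pattern over it, read the block back and compare, then restore the
# original.  Bad block numbers are printed one per line, as badblocks does.
#
# Assumptions: BLOCK_SIZE-byte blocks; the target is a regular file or a
# block device opened read/write; nothing else writes to it during the scan
# (same rule as badblocks: unmount first).  For a device, pass the block
# count as the second argument since wc(1) cannot size it.

BLOCK_SIZE=${BLOCK_SIZE:-4096}

# Write one block filled with byte $1 (octal, e.g. 252 = 0xaa) to file $2.
make_pattern_block() {
    dd if=/dev/zero bs="$BLOCK_SIZE" count=1 2>/dev/null | tr '\000' "\\$1" > "$2"
}

# Test block $2 of target $1 against pattern file $3.  Returns 0 if the
# block held the pattern, 1 otherwise.  The original data is restored
# even when an earlier step failed.
test_block() {
    _target=$1; _blk=$2; _pat=$3; _rc=0
    _save=$(mktemp) || return 1
    _back=$(mktemp) || return 1
    # 1. save the original block
    dd if="$_target" of="$_save" bs="$BLOCK_SIZE" skip="$_blk" count=1 2>/dev/null || _rc=1
    # 2. overwrite it with the pattern (conv=notrunc keeps the target's size)
    if [ "$_rc" -eq 0 ]; then
        dd if="$_pat" of="$_target" bs="$BLOCK_SIZE" seek="$_blk" count=1 conv=notrunc 2>/dev/null || _rc=1
    fi
    # 3. read it back and compare with what was written
    if [ "$_rc" -eq 0 ]; then
        dd if="$_target" of="$_back" bs="$BLOCK_SIZE" skip="$_blk" count=1 2>/dev/null || _rc=1
        [ "$(cksum < "$_pat")" = "$(cksum < "$_back")" ] || _rc=1
    fi
    # 4. put the original data back, whatever happened above
    dd if="$_save" of="$_target" bs="$BLOCK_SIZE" seek="$_blk" count=1 conv=notrunc 2>/dev/null || _rc=1
    rm -f "$_save" "$_back"
    return "$_rc"
}

# Scan every block of $1 (or the first $2 blocks) with the four patterns
# 0xaa, 0x55, 0xff, 0x00.  Prints bad block numbers; returns 1 if any.
nondestructive_scan() {
    _target=$1
    _nblocks=${2:-$(( $(wc -c < "$_target") / BLOCK_SIZE ))}
    _bad=0
    for _oct in 252 125 377 000; do
        _pat=$(mktemp) || return 2
        make_pattern_block "$_oct" "$_pat"
        _i=0
        while [ "$_i" -lt "$_nblocks" ]; do
            test_block "$_target" "$_i" "$_pat" || { echo "$_i"; _bad=1; }
            _i=$((_i + 1))
        done
        rm -f "$_pat"
    done
    return "$_bad"
}

# Usage: scan.sh TARGET [NBLOCKS]; with no arguments only the functions are defined.
if [ -n "${1:-}" ]; then
    nondestructive_scan "$1" "${2:-}"
fi
```

Between step 1 and step 4 the original contents of a block exist only in the temp file, so a crash or power loss in that window loses that block; that window is why a backup before any read/write test is prudent even when the test is "supposed to" be non-destructive, and it is the same trade badblocks -n makes. Run it against an unmounted partition (passing its block count) or a plain file; four full write passes over a large disk take as long as ropers warns.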



Re: OpenLDAP w/o bdb okay?

2009-05-06 Thread Dan
Henning Brauer(lists-open...@bsws.de)@2009.01.06 14:42:09 +0100:
 * Toni Mueller openbsd-m...@oeko.net [2009-01-06 12:25]:
   openldap is still a piece of shit, but the ldbm backend is probably the
   sanest one.
  
  This pattern comes up often, but almost noone suggests an alternative
  LDAP server package.
 
 I am not aware of any. Lack of options doesn't make openldap better.

How about OpenDS? Fedora Directory Server? Both are pukable on the
keyboard? Apache DS?

Yeah, I know OpenDS is Java and so is ApacheDS...



Re: how to configure Grub 0.97 for booting my OpenBSD 4.5

2009-05-06 Thread 飞飞
Yes, it works well with OpenBSD 4.2,

but it failed in OpenBSD 4.5;
I only get an error:
Starting up ...
Loading ...
ERR M



2009/5/6 Luca Corti l...@fantacast.it

 On 5/6/09 5:07 PM, Feifei (飞飞) wrote:
  The Grub version is distributed with the Ubuntu 8.04 which is installed
 in
  (hd0,6)
 
  How to resolve it?
 
 Use the chainloader to call the OpenBSD bootloader. Something like:

 title OpenBSD
 root (hd0,a)
 makeactive
 chainloader +1

 ciao

 Luca



Re: HD 'Analysis'

2009-05-06 Thread Steve Shockley

On 5/6/2009 11:24 AM, Martin Schröder wrote:

2009/5/6, Steve Shockleysteve.shock...@shockley.net:

  The self-tests take the drive offline while they run, right?  Do you


No. man smartctl


Huh.  That kind of contradicts the name "offline self test", but I guess 
they call that "captive".




Re: how to configure Grub 0.97 for booting my OpenBSD 4.5

2009-05-06 Thread Nick Holland
Feifei (飞飞) wrote:
 Hi, guys,
 
 I just installed OpenBSD 4.5, but my grub configuration can't boot it.
 Before that, I used OpenBSD 4.2; this is a new installation, not an upgrade.
...
 It works well with OpenBSD 4.2,
 
 But, if I use it to boot 4.5, I only get an error:
 Starting up ...
 Loading ...
 ERR M

man biosboot
will tell you what the error means.
http://www.openbsd.org/faq/faq14.html will show you how
the boot process works.  I'm going to assume you read that
before I expect you to understand this:

short version: the PBR read something, but it wasn't /boot.

I'm not a grub expert, but obviously the PBR you are running
isn't the one that OpenBSD put into place.  Some boot loaders
do silly things like store a copy of the real PBR somewhere
they think is cool, and when you reinstall the OS, the stored
PBR doesn't get replaced when the real one is.  So now you have
the old PBR reading ...something other than /boot

If you replace your grub boot loader with a normal MBR and flag
the OpenBSD partition as active, I bet the system will boot just
fine.

Alternatively, do whatever voodoo you need to do to tell grub
there is a new PBR for it to use.

Nick.



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread J.C. Roberts
On Wed, 6 May 2009 10:17:06 -0600 (MDT) Diana Eichert
deich...@wrench.com wrote:

 On Wed, 6 May 2009, openbsd misc wrote:
 
  On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com
  wrote:
 
  We use physical taps at work, when I get the chance I'll take a
  look at the vendor.
 
  Also, you really think you can capture 10GE? Chuckle, good luck.
 
  diana
 
 
NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ.
 
  I can't see any  black helicopters and my Tin Foil hat fits fine
  thanks for asking.
 
 Yeah, and I'm sure JC has equivalent resources of the acronym laden
 institutions you mention.  Do you have any idea how they capture
 packets at line rate?  I strongly doubt they are using off the shelf
 hardware, 

Well, a good number of the 10-Gbit/s Ethernet cards on the market
actually have dual 10GbE interfaces in one configuration or another.
The most typical configuration that *I* have seen is the two bonded
(20-Gbit/s) as a single logical interface with fail-over between the two
physical connections. In short, to capture a single card, you basically
need to be able to store 2-GByte/s *somewhere*.

Yes, I'm intentionally skipping the overhead calculations and keeping
things overly generalized... --this is misc@ after all (;

On the more modern Intel chipset systems (X58), your memory bandwidth
is about 64-Gbyte/s from RAM to proc, so if you stuff the box with
128-GByte of RAM, you can collect about an hour's worth of capture in a
sizable RAM disk. Of course, 128-GByte of 1333-MHz RAM will set you
back about $15-20 thousand USD.

If you need more permanent storage (i.e. saved to disk), you only
have two options:

1.) A large stripe set of Intel X25-{M,E} devices. Both the X25-M and
X25-E SATA II (3.0 Gbit/s) can do about 250-Mbyte/s read/write, so a
RAID0 stripe set of 16 of them will get you to about 4-Gbyte/s.
Unfortunately, as far as *I* know, no SATA/RAID controller manufacturer
has a product that can support 16 SATA II drives, *AND* has a 16-Lane
PCIe Gen-1.0 interface (4-GByte/s), or 8-Lane PCIe Gen-2.0 interface
(also 4-GByte/s), or a 4-Lane PCIe Gen-3.0 interface (again 4-GByte/s),
so you'd be forced to use multiple controller cards and suffer a
performance hit. It would cost you about $12-16 Thousand USD to build
such a beast mainly due to the cost of the drives, but it's doable. For
your money, you'd get about 2500-GByte (16 * 160-GByte) of rather
volatile storage due to the RAID0, or about 21 hours of capture.

2.) Due to the absolutely insane prices of the hardware, your other
option for non-custom hardware doesn't really qualify as off the
shelf. The other option is to use a stripe set of Fusion-IO.com solid
state disks which can read/write at either 800-MByte/s (for the
320-GByte and below) or 1.5-GByte/s (for the 640-GByte and above
double disks) depending on the model you buy. The present capacity
limit is 640-GByte for their high end, double disk but that will hit
1.2-TByte by the end of the year (supposedly). Doing a stripe set
across a bunch of these is, ummm, an interesting endeavor due to the
fact they require very custom, closed source drivers and a system with
8-GByte of RAM per device. Oh, and according to what I've been told, if
you have a power fault, you're totally screwed due to the way the
mystery driver works. Though you can buy these things off the shelf,
it's a very high shelf. The 320-GByte capacity 800-MByte/s drives are
about $14,000 each retail, and you'd need at least four of them striped
together to surpass the 2-GByte/s rate of a single 10-GBit/s card (two
interfaces, 20-Gbit/s).

Other than the three options above, I do not know of any other way to
capture 10 and/or 20 GBit/s Ethernet at line speed with off the shelf
components. Also, I'll be the first to say the above is a bit dodgy,
but it would more or less work if one can afford it. And yep, you're
very much correct; attempting capture at these speeds is good for a
chuckle and even the three cheap off-the-shelf methods above are not
really affordable for home use. (;

If anyone here mistakenly thinks they can actually run *ANALYSIS* at
these speeds with off the shelf components...

BAWAHAHAHAHAHAHAHA!

Diana, thanks for the link to the FPGA analysis stuff later in the
thread. I'll try to read it tomorrow, but the thought of someone doing
the *REQUIRED* over-clocking of a FPGA to get the needed throughput
sounds dangerously dodgy at best. Off the top of my head, other than
over-clocking a half-baked FPGA, I can't think of any other way they
could have done it without a serious performance impact on the link.

 but hey what would I know, I'm just a girl.
 

CORRECTION: ... just a girl with technical super powers, and a lab that
makes everyone very, very jealous.

-- 
J.C. Roberts