Calomel.org
There was mention of calomel.org recently. This is a great resource, however, it needs to be a bit more updated. For example the following page advises *not* to use the GENERIC.MP kernel, however, considering how much work has gone into the MP work and the fact that MP will become default I think it should be updated. ;)

https://calomel.org/network_performance.html

---
James A. Peltier
james_a_pelt...@yahoo.ca
Re: OT: 10GbE Physical Network Taps
On 09-05-07 05.00, J.C. Roberts wrote:
> If anyone here mistakenly thinks they can actually run *ANALYSIS* at these speeds with off the shelf components... BAWAHAHAHAHAHAHAHA!

Well, depends on what you mean by off the shelf. Procera Networks is doing layer 7 analysis at 40Gbps FD with their PacketLogic PL10k. The hardware used for this is sourced from companies that anyone can buy hardware from as far as I know. Of course it's not x86 stuff, but it's off the shelf. :)

/Johan
Re: XTerm resizing and 4.5
On Thu, May 7, 2009 at 12:31 AM, Hugo Villeneuve harpa...@jwales.eintr.net wrote:
> Somehow, while upgrading from 4.4 to 4.5 on i386, I lost the ability to resize an XTerm via the command resize -s rows cols. It's not the end of the world and for now I just changed XTerm default geometry to 132x48. I'm not sure where I should look to bring that behavior back.

See the allowWindowOps resource in the xterm(1) manual page. It is now disabled by default on OpenBSD.

--
Matthieu Herrb
Re: ypldap and ldaps
On Wed, 6 May 2009 18:51:45 +0300 Vasiliy Kiryanov vasiliy.kirya...@gmail.com wrote:
> Hello community.
> I would want to use ypldap with our ldap server that works over ssl. The problem is how to change ypldap.conf to work with ldaps. I will appreciate any ideas. thanks.

Hi,

There is no ldaps support in ypldap so far; the only viable way of doing it is replicating with slurp and binding to a local ldap server without SSL. We will make ldaps support available at some point.
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
You should try GAG, I use it to dual-boot a windows/openbsd box. It will allow for installation of several OSes...

http://gag.sourceforge.net/

On Wed, May 6, 2009 at 19:37, Nick Holland n...@holland-consulting.net wrote:
> Feifei (7I7I) wrote:
>> Hi, guys,
>> I just installed OpenBSD 4.5, but my grub configuration can't boot it. Before that, I used OpenBSD 4.2. It is a new installation, not an upgrade.
>> ...
>> It works well with OpenBSD 4.2, but if I use it to boot 4.5, I only get an error:
>>
>>   Starting up ... Loading ... ERR M
>
> man biosboot will tell you what the error means.
> http://www.openbsd.org/faq/faq14.html will show you how the boot process works. I'm going to assume you read that before I expect you to understand this:
>
> short version: the PBR read something, but it wasn't /boot.
>
> I'm not a grub expert, but obviously the PBR you are running isn't the one that OpenBSD put into place. Some boot loaders do silly things like store a copy of the real PBR somewhere they think is cool, and when you reinstall the OS, the stored PBR doesn't get replaced when the real one is. So now you have the old PBR reading ...something other than /boot
>
> If you replace your grub boot loader with a normal MBR and flag the OpenBSD partition as active, I bet the system will boot just fine. Alternatively, do whatever voodoo you need to do to tell grub there is a new PBR for it to use.
>
> Nick.
Re: OT: 10GbE Physical Network Taps
On Thu, 07 May 2009 06:10:30 +0200 Johan Fredin jo...@spelaroll.se wrote:
> On 09-05-07 05.00, J.C. Roberts wrote:
>> If anyone here mistakenly thinks they can actually run *ANALYSIS* at these speeds with off the shelf components... BAWAHAHAHAHAHAHAHA!
>
> Well, depends on what you mean by off the shelf. Procera Networks is doing layer 7 analysis at 40Gbps FD with their PacketLogic PL10k. [...] Of course it's not x86 stuff, but it's off the shelf. :)

It always comes down to how high up on the wall is the shelf that you can afford. ;-)

--
J.C. Roberts
Problem with pf/nat (bug?) and aliases in internal interface
Scenario:
int_if with two ip addresses in two different lans (192.168.20.254, 192.168.21.254).
more aliases in the external interfaces.
nat rules: every 10 internal ips use an external address for the nat.

everything works fine, except for the second internal ip address.
ips from 192.168.21.0/24 are natted with the rules of net 192.168.20.0/24.
machines from the internal lan use .20.254 or .21.254 as a gateway.

p.s. both of them work, but the second ones use the wrong nat.

# uname -mprs
OpenBSD 4.4 amd64 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz

# pfctl -vsr
pass in log quick on bnx1 inet from 192.168.20.0/24 to any flags S/SA keep state
  [ Evaluations: 61921     Packets: 370618    Bytes: 216808002   States: 4230  ]
  [ Inserted: uid 0 pid 12418 State Creations: 23774 ]
pass in log quick on bnx1 inet from 192.168.21.0/24 to any flags S/SA keep state
  [ Evaluations: 628       Packets: 13136     Bytes: 10432453    States: 117   ]
  [ Inserted: uid 0 pid 12418 State Creations: 202   ]

# pfctl -vvsn | grep -A2 -e '@0' -e '@24' -e '@25'
@0 nat on bnx0 inet from 192.168.20.1 - 192.168.20.10 to any -> xxx.xxx.xxx.1
  [ Evaluations: 34016     Packets: 57999     Bytes: 23576755    States: 803   ]
  [ Inserted: uid 0 pid 12418 State Creations: 5402  ]
@24 nat on bnx0 inet from 192.168.20.241 - 192.168.20.254 to any -> xxx.xxx.xxx.25
  [ Evaluations: 1079      Packets: 3353      Bytes: 1489982     States: 79    ]
  [ Inserted: uid 0 pid 12418 State Creations: 179   ]
@25 nat on bnx0 inet from 192.168.21.1 - 192.168.21.10 to any -> xxx.xxx.xxx.26
  [ Evaluations: 793       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12418 State Creations: 0     ]

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
Re: internal vs. external microphone: very different signal levels
On May 05 22:30:26, Jacob Meuser wrote:
> On Tue, May 05, 2009 at 09:17:52PM +0200, Jan Stary wrote:
>> On Apr 25 22:23:21, Jacob Meuser wrote:
>>> On Sat, Apr 25, 2009 at 01:15:33PM +0200, Jan Stary wrote:
>>>> Hi all,
>>>> I am doing some trivial sound-recording on my Compaq Armada 110 laptop (dmesg and mixerctl below). The sound device is
>>>>
>>>>   auvia0 at pci0 dev 7 function 5 VIA VT82C686 AC97 rev 0x20: irq 9
>>>>   audio0 at auvia0
>>>
>>> for ac97 devices, the codec is also very important. although the AD1881A looks pretty standard. no jack sense or anything.
>>>
>>>> and it works without problems.
>>>>
>>>> Now, the laptop has an internal microphone - that tiny little hole you have seen on some laptops. It records fine, set up as
>>>>
>>>>   inputs.mic=255
>>>>   inputs.mic.mute=off
>>>>   inputs.mic.preamp=on
>>>>   inputs.mic.source=mic0
>>>>   record.source=mic
>>>>
>>>> The laptop also has an input for an external mike (the usual small jack, just next to the headphones output). When you plug in an external mike, the audio chip is smart enough to record from that one, and no longer record from the internal mike. (I use a Shure SM57 as the external mike, which I believe is irrelevant.)
>>>>
>>>> Recording with the external mike plugged in works fine too, EXCEPT the signal level from the external mike is much weaker, and I wonder why.
>>>
>>> maybe there is a separate preamp on the internal mic pin?
>>
>> Well, both mikes do respond to setting inputs.mic.preamp=off/on so I suppose either each has its own preamp, or there is just one mic preamp, pre-amping the one mike (int/ext) that is currently in use.
>
> yes, there is one preamp on the mic pin in the codec. but, there could be *external to the codec* preamp circuitry between the built-in mic and the codec. the codec's datasheet explains how to do this.
>
>>> does changing inputs.mic.source have any effect?
>>
>> inputs.mic.source=mic0 is set by default and behaves as described.
>> inputs.mic.source=mic1 is accepted and results in silence being recorded.
>
> then there is probably jack sense circuitry (again, external to the codec), that switches which mic is connected to the mic pin on the codec.

That explains it to me, thanks. Recording works, I just wanted to understand this difference.

	Jan
Re: RES: Migration from IPTABLES to PF
Tomáš, thanks for the tip

Bill
-
William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259 Australia
CRICOS Provider Number: 00109J
phone: +61 2 4349 4473
fax: +61 2 4349 4565
email: william.chiv...@newcastle.edu.au

----- Tomáš BodEC!r tomas.bod...@gmail.com 05/06/09 3:41 PM -----
> I think that in the case of pf a good starting point is this site http://home.nuug.no/~peter/pf/ and then the FAQ parts
>
> 2009/5/5 William Chivers william.chiv...@newcastle.edu.au:
>> Hello Ricardo,
>>
>> This is not a beginners' mailing list, people here expect questions to 1. be very specific, and 2. demonstrate that you have spent a lot of time trying to solve the problem yourself, reading the documentation etc.
>>
>> Start with http://www.openbsd.org/faq/pf/index.html
>>
>> If you still need help, there are several books on pf, for example The Book of PF (http://nostarch.com/pf.htm). Look back through the misc mailing list to see how specific questions about pf are. When you have a specific question, the best help available is right here.
>>
>> Bill
>>
>> ----- Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/06/09 5:08 AM -----
>>> Thanks for this 'polite' reply.
>>> As I said, I spent some years away from the Unix/Linux world; I worked with business intelligence these years. Now I am back to network administration and I got this project to do. I used openbsd before version 3. I do like it.
>>>
>>> This is my current scenario.
>>>
>>> - 2 firewalls with 2 carp+pfsync that will handle 2 internet connections, 1 mpls connection, 1 lan to handle around 60 bus companies that transport 2 million users per day; each user has their own myfair card. Each bus has a system that stores this data in a file. These files will be imported to Oracle later. After this import, there are a lot of specific applications that use this information.
>>> - behind these 2 firewalls we have around 30 servers (most Windows): iis, file transfer servers, ws, and some other servers like some red hat enterprise running Oracle 10g.
>>> - at the beginning the firewalls will do nat + filter + gateway + mpd5 + squid (the fucking operators who need access to the Windows servers were surfing on the web from there.)
>>> - our applications have around 5,000 users per day, but we have a lot of web services and some etl processes (I don't have statistics about volume yet)
>>>
>>> So that is it.
>>>
>>> -----Original Message-----
>>> From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
>>> Sent: Monday, 4 May 2009 22:46
>>> To: Ricardo Augusto de Souza; misc@openbsd.org
>>> Subject: Re: Migration from IPTABLES to PF
>>>
>>> This is a great advertisement for OpenBSD, PF, and keeping things simple in general, mind if I use it Ricardo?
>>>
>>> As for your original question, I wouldn't even try to convert your iptables, especially using some magic tool to do it. Decide what you want your firewall to do and start from scratch with PF. That way you will know it is working and you will be able to maintain it reliably.
>>>
>>> Cheers,
>>> Bill
>>>
>>> ----- Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17 AM -----
>>>> Hi,
>>>> I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy who installed it left our company some months ago.
>>>> I spent some years far from iptables, now I have to migrate this firewall to PF. There are some 'special' features on this firewall, I need some documentation or help about implementing these features at the new firewall (PF).
>>>>
>>>> This is the iptables script:
>>>>
>>>> #!/bin/bash
>>>> FW=/sbin/iptables
>>>> LOAD=/sbin/modprobe
>>>> #__________________________________
>>>> # Loading the IPTABLES modules
>>>> . /etc/rc.d/init.d/prodata/fw_modulos
>>>> # Loading variables
>>>> . /etc/rc.d/init.d/prodata/fw_variaveis
>>>> if [ "$KERNEL" = sim ]
>>>> then
>>>>     . /etc/rc.d/init.d/prodata/fw_kernel
>>>> fi
>>>> #___________________________________
>>>> # Create LOG policies
>>>> #___________________________________
>>>> if [ "$LOGS" = sim ]
>>>> then
>>>>     .
X won't work
It's an old Intel video on an Inspiron from 2003. I already uncommented machdep.allowaperture=2, and when I type startx I get

xauth:  creating new authority file /root/.serverauth.24871

X.Org X Server 1.5.3
Release Date: 5 November 2008
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 4.5 i386
Current Operating System: OpenBSD lengsel.vc.shawcable.net 4.5 GENERIC#0 i386
Build Date: 05 May 2009  03:10:16PM

	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: /var/log/Xorg.0.log, Time: Tue May  5 18:00:43 2009
(EE) Unable to locate/open config file
New driver is intel
(==) Using default built-in configuration (30 lines)
(EE) Failed to load module fbdev (module does not exist, 0)
Error in I830WaitLpRing(), timeout for 2 seconds
pgetbl_ctl: 0x1ffe0001 getbl_err: 0x0021
ipeir: 0x iphdr: 0x54f6
LP ring tail: 0x9fe0 head: 0xa000 len: 0x0001f001 start 0x
eir: 0x esr: 0x0010 emr: 0xff7b
instdone: 0xff41 instpm: 0x
memmode: 0x instps: 0x0820
hwstam: 0xeffe ier: 0x0042 imr: 0xffbf iir: 0x
Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count 32760
Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count 32760
[...]
Ring end space: 24 wanted 32

Fatal server error:
lockup

giving up.
xinit:  Connection refused (errno 61):  unable to connect to X server
xinit:  No such process (errno 3):  Server error.
Re: No OpenBSD for Lenovo Thinkpad w500 4058CTO
Hi Nick,

On Tue, 2009-05-05 at 09:48 -0400, Nick Guenther wrote:
> Your disks aren't showing up in dmesg. Try tweaking your BIOS settings--I know that I had to change from IDE emulation to AHCI when I upgraded to 4.5.

That did the trick. Thanks. I'm hoping to replace my current GNOME desktop with an OpenBSD-based one, so I can keep more in touch with this excellent little system ;).

Bill

> On 05/05/2009, Bill Maas b...@stsx.org wrote:
>> Hi,
>>
>> First, and just for the record: while trying to set up an FTP server on OpenBSD 4.2 I got this error message while trying to connect by any other address than 'localhost':
>>
>>   421 Service not available, remote server has closed connection.
>>
>> Reason, it turned out: a missing entry in /etc/hosts.allow. I had a hard time finding anything relevant out there, so now at least the relation between the error message and the missing entry is documented.
>>
>> The reason I needed an FTP server is that I'm trying to install OpenBSD 4.5 on a Lenovo Thinkpad W500 model 4058-CTO, with no success. With obsd 4.4 it never got past hardware initialization, with 4.5 at least I get the installer menu, but not for long:
>>
>>   [...]
>>   Proceed with install? [n] y
>>   [...]
>>   No disks found
>>   #
>>
>> And no, I don't expect developers to _scramble to their laptops_ just because I as an OpenBSD user am _entitled to have this fixed ASAP_ and stuff like that. I was at least happy to see that the Fathers of OpenBSD in their infinite wisdom decided to use plain ftp for downloading packages, and not some custom-built single-purpose binary-installer-builtin, so I could at least get a dmesg off the box (I didn't manage to get a screen capture over USB). The output from the 'dmesg' command run from the shell commandline is listed below. I'm only an index list member, but feel free to contact me offlist if you need more info. I'll be happy to help testing any updates. And I'll be following any replies through the archives of course.
>>
>> An otherwise very happy OpenBSD user,
>> Bill
>>
>> dmesg:
>> --
>> OpenBSD 4.5 (RAMDISK_CD) #1112: Sat Feb 28 15:06:26 MST 2009
>>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
>> cpu0: Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz (GenuineIntel 686-class) 2.53 GHz
>> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
>> real mem  = 3214176256 (3065MB)
>> avail mem = 3115958272 (2971MB)
>> mainbus0 at root
>> bios0 at mainbus0: AT/286+ BIOS, date 09/24/08, BIOS32 rev. 0 @ 0xfdc80, SMBIOS rev. 2.4 @ 0xe0010 (74 entries)
>> bios0: vendor LENOVO version 6FET46WW (1.16 ) date 09/24/2008
>> bios0: LENOVO 4058CTO
>> acpi0 at bios0: rev 2
>> acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET SLIC BOOT ASF! SSDT SSDT SSDT SSDT SSDT
>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: apic clock running at 265MHz
>> cpu at mainbus0: not configured
>> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
>> ioapic0: misconfigured as apic 2, remapped to apid 1
>> acpiprt0 at acpi0: bus 0 (PCI0)
>> acpiprt1 at acpi0: bus 1 (AGP_)
>> acpiprt2 at acpi0: bus 2 (EXP0)
>> acpiprt3 at acpi0: bus 3 (EXP1)
>> acpiprt4 at acpi0: bus -1 (EXP2)
>> acpiprt5 at acpi0: bus 5 (EXP3)
>> acpiprt6 at acpi0: bus 13 (EXP4)
>> acpiprt7 at acpi0: bus 21 (PCI1)
>> bios0: ROM list: 0xc/0xfc00 0xd/0x1000 0xd1000/0x1000 0xd2000/0x1000 0xde000/0x1800 0xe/0x1
>> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
>> pchb0 at pci0 dev 0 function 0 Intel GM45 Host rev 0x07
>> ppb0 at pci0 dev 1 function 0 Intel GM45 PCIE rev 0x07: apic 1 int 16 (irq 11)
>> pci1 at ppb0 bus 1
>> vga1 at pci1 dev 0 function 0 ATI Mobility Radeon HD 3650 rev 0x00
>> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>> Intel GM45 HECI rev 0x07 at pci0 dev 3 function 0 not configured
>> em0 at pci0 dev 25 function 0 Intel ICH9 IGP M AMT rev 0x03: apic 1 int 20 (irq 11), address 00:1c:25:97:34:61
>> uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x03: apic 1 int 20 (irq 11)
>> uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x03: apic 1 int 21 (irq 11)
>> uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x03: apic 1 int 22 (irq 11)
>> ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x03: apic 1 int 23 (irq 11)
>> usb0 at ehci0: USB revision 2.0
>> uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
>> Intel 82801I HD Audio rev 0x03 at pci0 dev 27 function 0 not configured
>> ppb1 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x03: apic 1 int 20 (irq 11)
>> pci2 at ppb1 bus 2
>> ppb2 at pci0 dev 28 function 1 Intel 82801I PCIE rev 0x03: apic 1 int 21 (irq 11)
>> pci3 at ppb2 bus 3
>> iwn0 at pci3 dev 0 function 0 Intel WiFi Link 5300AGN rev 0x00: apic 1 int 17 (irq 11), MIMO 3T3R, MoW,
Re: 4.5 - strange performance issue
> Try to enable EXA and play with Option MigrationHeuristic greedy

I can confirm this solved my X problem. And it was really really a slow X. I added

  Option "AccelMethod" "EXA"
  Option "MigrationHeuristic" "greedy"

in Section "Device".
Re: 4.5 - strange performance issue
I can confirm the problem, but it was not an X problem only... everything was slow. The problem was that my interrupts were up to 82.9%. Disabled acpiprt and acpimadt in the kernel and it all works ok.

On Wed, May 6, 2009 at 11:35 AM, Andrei GUDIU andr...@openbsd-box.org wrote:
>> Try to enable EXA and play with Option MigrationHeuristic greedy
>
> I can confirm this solved my X problem. And it was really really a slow X. I added
>
>   Option "AccelMethod" "EXA"
>   Option "MigrationHeuristic" "greedy"
>
> in Section "Device".
Re: A new toy for programmers who uses VIM on OpenBSD
(cc/reply-to set to ports@).

useful :-) would you be interested in adding some kind of license (we like /usr/share/misc/license.template, but it's your choice)? then it could go into ports/packages.

On 2009/05/06 09:01, Dasn wrote:
> Hi guys,
> I wrote a toy which builds communications between VIM and debuggers. The tool's main function is tracing the instruction pointer in VIM while we are debugging the program. That should be similar to Emacs's Gud, I suppose. :)
>
> Here it is: http://lrc.sf.net/bride-0.1.1.tar.gz
> And some screen shots:
>   http://lrc.sf.net/shot1.jpg
>   http://lrc.sf.net/shot2.jpg
>
>   make
>   make install
>
> will do all the jobs for you. For more info, see :h Bride in VIM.
>
> As the development has just begun, it currently only supports two debuggers: 'gdb' and 'pdb' (python's debugger), and was only tested on OpenBSD. Any comments are appreciated. I'm not on misc@, please Cc me, thanks.
>
> --
> Dasn
Re: route(8) delete - need a little help
On Tuesday 05 May 2009 20.23.06 Claudio Jeker wrote:
> On Tue, May 05, 2009 at 01:27:21PM +0200, LEVAI Daniel wrote:
>> Hi!
>>
>> I have this in my route table:
>>
>>   10/8    link#1    UC     50      -    4    em0
>>   10/8    gw_ip     UGS     0   1072    -    8    tun1
>>
>> How can I delete only the first line, the route with the em0 device? So far I can only execute this:
>>
>>   # route delete 10/8
>>
>> But this is too ambiguous. I thought of something like this:
>>
>>   # route delete 10/8 -dev em0
>>
>> but of course this is not gonna happen.
>
> You've assigned an address on 10/8 to em0. Delete that address from the interface if you don't want to have that route. (If you're trying to have 10/8 on both ends of a tunnel then you need to back up and rethink what you're trying to do.)

[...]
> ifconfig em0 delete
> because this is an interface route and not deletable by route(8) unless you know the magic and the consequences.

Thanks Claudio and Philip. Now I see.

Daniel
--
LÉVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: HD 'Analysis'
On 5/5/2009 12:50 PM, Josi Quinteiro wrote:
> First thing I do with a new hard drive is run a long self-test using smartctl. If it passes it gets added to the system. I have smartd set to do a daily short self-test and a weekly long self-test on every drive. Replace any drives that start to show errors.

The self-tests take the drive offline while they run, right? Do you unmount them first, or is the system okay just waiting until the drive responds?
Re: HD 'Analysis'
On 5/5/2009 11:49 AM, L. V. Lammert wrote:
> Some good options, .. seems like all are DOS, however <g>!! I guess that's no big deal if you're rebooting for the analysis, but it does not seem 'right'!

No, they have a Windows version of Victoria! <g>

Personally, I use these kinds of utilities to see if a drive is worth saving, when I can do destructive tests. For example I recovered a 250gb disk from an XServe RAID that I use as a second drive in my work desktop. SMART reports 300 reallocation events, but no matter what I do that doesn't increase. I use it for temporary storage for easy-to-replace data.
Re: X won't work
Maybe this is not the case but it might be possible to have many instances of the server ending with the same error. Try killing all instances, and then try again. If there are many instances, trying to start another one merely fails because there already exists /tmp/.X0-lock

From the bottom of the error message it seems it is a lock problem. And then again maybe this is not the case.

--- On Wed, 5/6/09, x x tonino-pa...@lycos.com wrote:
> From: x x tonino-pa...@lycos.com
> Subject: X won't work
> To: misc@openbsd.org
> Date: Wednesday, May 6, 2009, 1:06 AM
>
> it's an old Intel video on Inspiron from 2003. I already uncommented machdep.allowaperture=2, and when I type startx I get
>
> xauth:  creating new authority file /root/.serverauth.24871
>
> X.Org X Server 1.5.3
> [...]
> Error in I830WaitLpRing(), timeout for 2 seconds
> [...]
> Ring end space: 24 wanted 32
>
> Fatal server error:
> lockup
>
> giving up.
> xinit:  Connection refused (errno 61):  unable to connect to X server
> xinit:  No such process (errno 3):  Server error.
OT: 10GbE Physical Network Taps
I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment.

I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a Bad Idea (R)(TM).

I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

--
J.C. Roberts
Re: X won't work
On Wed, 06 May 2009 04:06:42 -0400 (EDT) x x tonino-pa...@lycos.com wrote:
> it's an old Intel video on Inspiron from 2003. I already uncommented machdep.allowaperture=2, and when I type startx I get

easy answer: Search the archives

easier answer: xorg.conf DEVICE section
  Option "AccelMethod" "XXA"
  Option "DDC2" "false"

--
J.C. Roberts
Re: no init scripts, what is the best way to start dnsmasq
Mark Shroyer wrote:
> On Tue, May 05, 2009 at 02:11:57PM +0200, Coert Waagmeester wrote:
>> I have installed dnsmasq on OpenBSD. What is the best way to start it? Should I start it from /etc/rc.securelevel, or rc.local?
>
> It's best not to think of this in terms of SysV-style init scripts. In OpenBSD, shell commands in /etc/rc.local get run at boot time, so all you have to do is put some command in there to launch dnsmasq in any fashion that you see fit. So it would suffice to simply add a line with /usr/local/sbin/dnsmasq; however, for consistency with the way things are launched in /etc/rc, I generally do something like the following:
>
> ,--- /etc/rc.local ---
> if [ X${dnsmasq_flags-NO} != XNO -a -x /usr/local/sbin/dnsmasq ]; then
  ^^^

Ooh how lovely to see someone else doin this! :-)

For the archives - if used consequently, this way makes it amazingly easy to start only certain services via /etc/rc.local; e.g.

  $ sudo dnsmasq_flags= sh /etc/rc.local

while

  $ sudo sh /etc/rc.local

would not start anything (well, unless you have stupid names for the variables in your /etc/rc that match exported variables from the shell and sudo is set up to pass these on. That should not be the case very often)

/Alexander

>         echo -n ' dnsmasq'; /usr/local/sbin/dnsmasq ${dnsmasq_flags}
> fi
> `---
>
> ,--- /etc/rc.conf.local ---
> dnsmasq_flags=
> `---
>
> This way, if you want to temporarily disable dnsmasq, you can simply remove the line in rc.conf.local or change it to dnsmasq_flags=NO.
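As an added example (not code from the thread or from OpenBSD's /etc/rc), here is the start test from Mark's rc.local fragment factored into a function that takes the service name as a parameter, so the three cases Alexander's sudo trick depends on can be checked side by side: variable unset (defaults to NO, nothing starts), set to the empty string (start with no flags), and set to NO. The service name fakesvc and the use of /bin/sh as a stand-in daemon binary are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: the /etc/rc-style start test
#   [ X${dnsmasq_flags-NO} != XNO -a -x /usr/local/sbin/dnsmasq ]
# generalised to any service name, so the unset / empty / NO cases can be
# exercised without editing rc.conf.local.

# rc_should_start NAME BINARY
# Reads the variable NAME_flags exactly as the rc.local fragment does:
# ${var-NO} yields "NO" only when the variable is *unset*; a variable that
# is set but empty (dnsmasq_flags=) means "start, with no extra flags".
# Returns 0 when the service should be started, 1 otherwise.
rc_should_start() {
    _name=$1
    _bin=$2
    # Indirect expansion with the same "-NO" default as the original test.
    eval "_flags=\${${_name}_flags-NO}"
    [ "X${_flags}" != "XNO" ] && [ -x "${_bin}" ]
}

# rc_start NAME BINARY
# Prints the service name the way /etc/rc does and launches the binary with
# its flags; returns the daemon's exit status, or 1 if it was not started.
rc_start() {
    if rc_should_start "$1" "$2"; then
        printf ' %s' "$1"
        eval "_flags=\${$1_flags}"
        # Word-splitting of ${_flags} is intended: the flags are a list.
        "$2" ${_flags}
    else
        return 1
    fi
}

# Demonstration with the constructed service name "fakesvc" and /bin/sh
# standing in for the daemon, so this runs on any system without dnsmasq.
demo() {
    unset fakesvc_flags
    rc_should_start fakesvc /bin/sh && echo "unset: start" || echo "unset: skip"
    fakesvc_flags=
    rc_should_start fakesvc /bin/sh && echo "empty: start" || echo "empty: skip"
    fakesvc_flags=NO
    rc_should_start fakesvc /bin/sh && echo "NO:    start" || echo "NO:    skip"
}
demo
```

Running the block prints "unset: skip", "empty: start" and "NO:    skip", which is why `sudo dnsmasq_flags= sh /etc/rc.local` starts only dnsmasq while a plain `sudo sh /etc/rc.local` starts nothing.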
Mplayer problem with new dualhead setup
I just installed a Radeon 9700 in dualhead. That is working fine as far as I can tell.

I am getting what looks like flashes of diagonal text when playing a video in youtube. Goes away if I leave the video screen. Sound is unaffected.

Using scrotwm. i386, recent -current

Chris Bennett
OpenBGPD transparent-as issue
Hi all,

At the moment we are running some tests to use OpenBGPD as a route-server instead of using Quagga. The first tests are very positive, but we are facing one major problem. We tried our solution on OpenBSD 4.4 as well as under 4.5.

We made one route-server, which means that we remove the private AS to all the neighbors, and this is not working under OpenBGPD. The route-server can easily make a connection to a lot of quagga/cisco routers, but when an OpenBGPD client wants to join we are facing the following error on the server side:

May 6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4): received notification: error in UPDATE message, AS-Path unacceptable

At the client side we see a fatal error:

Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state change Established -> Idle, reason: Fatal error

When we use quagga as client the session is doing fine on both sides, even with community filters. When we are using OpenBGPD we keep facing this message until we remove the following line: transparent-as yes.

Is this a common problem, or is this a bad configuration on our part?
Configuration route-server:

# macros
ASN=64512
peer1=192.168.113.2
AS1=64513
peer2=192.168.113.3
AS2=64514
peer3=192.168.113.4
AS3=64515
peer4=192.168.113.100
AS4=64516
peer5=192.168.113.101
AS5=65534

# global configuration
router-id 192.168.113.1
AS $ASN
log updates
transparent-as yes
# network 10.0.1.0/24

neighbor $peer1 {
	remote-as $AS1
	descr "test.1"
	announce all
	max-prefix 100 restart 300
	softreconfig in yes
	# tcp md5sig key deadbeef
}

neighbor $peer2 {
	remote-as $AS2
	descr "test.2"
	announce all
	softreconfig in yes
	max-prefix 100 restart 1
}

neighbor $peer3 {
	remote-as $AS3
	descr "test.3"
	announce all
	softreconfig in yes
	max-prefix 100 restart 300
}

neighbor $peer4 {
	remote-as $AS4
	descr "test.4"
	local-address 192.168.113.1
	holdtime 180
	holdtime min 3
	announce all
	softreconfig in yes
	#max-prefix 100 restart 300
}

neighbor $peer5 {
	remote-as $AS5
	descr "test.5"
	announce all
	softreconfig in yes
	max-prefix 100 restart 300
}

# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24

# Filter the general prefixes
# deny to any community *:*
# allow to any community 64512:64512

# Filter the per-peer prefixes
allow to $peer1 community $ASN:neighbor-as
deny to $peer1 community 0:neighbor-as
allow to $peer2 community $ASN:neighbor-as
deny to $peer2 community 0:neighbor-as
allow to $peer3 community $ASN:neighbor-as
deny to $peer3 community 0:neighbor-as
allow to $peer4 community $ASN:neighbor-as
deny to $peer4 community 0:neighbor-as

Easy configuration of a client:

AS 64516
router-id 192.168.113.100
# log updates
network 3.3.3.0/24

neighbor 192.168.113.1 {
	remote-as 64512
	descr "test"
	local-address 192.168.113.100
	holdtime 180
	holdtime min 3
	announce all
	max-prefix 100 restart 300
	softreconfig in yes
}

Thanks in advance!

Tom Martin
Re: OT: 10GbE Physical Network Taps
Hello jcr,

Not quite sure if this would meet your needs, but you could look at Anue Systems: http://www.anuesystems.com

Cheers,
Simon.

On Wed May 6 13:33 , J.C. Roberts sent:

I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a Bad Idea (R)(TM). I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- J.C. Roberts
Re: OpenBGPD transparent-as issue
* Tom Martin openb...@lekl.nl [2009-05-06 15:41]:

May 6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4): received notification: error in UPDATE message, AS-Path unacceptable

At the client side we see a fatal error:

Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state change Established -> Idle, reason: Fatal error

When we use quagga as client the session is doing fine on both sides, even with community filters. When we are using OpenBGPD we keep facing this message until we remove the following line: transparent-as yes. Is this a common problem, or is this a bad configuration on our part?

bad config on the client side - must use

enforce neighbor-as no

OpenBGPD enforces that AS paths from a neighbor begin with his AS by default. If the neighbor is a transparent route-server, that is - of course - not the case.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
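The failure Henning describes, worked through as an added example (this is not code from the thread or from OpenBGPD): a small Python model of the leftmost-AS check that `enforce neighbor-as` performs on the receiving side, the effect of the route server's `transparent-as yes` on the AS_PATH it relays, and what that does to the client's session, followed by a parser that pulls the neighbor address out of bgpd log lines carrying the "AS-Path unacceptable" notification so the condition can be alerted on from syslog. The AS numbers and the 3.3.3.0/24 prefix come from Tom's posted configs; the `Update` and `Neighbor` classes, the function names and the second sample log line are constructed for this illustration and are not OpenBGPD internals.

```python
"""Model of OpenBGPD's 'enforce neighbor-as' check against a transparent route server.

Added example; the classes and functions here are illustrative, not bgpd's own code.
"""
import re
from dataclasses import dataclass

# AS numbers taken from the macros in the posted route-server bgpd.conf
RS_AS = 64512      # the route server ($ASN)
PEER1_AS = 64513   # $AS1, a peer originating a prefix
CLIENT_AS = 64516  # $AS4, the OpenBGPD client whose session failed


@dataclass
class Update:
    prefix: str
    as_path: list          # leftmost element is the AS that most recently announced the route


@dataclass
class Neighbor:
    remote_as: int
    enforce_neighbor_as: bool = True   # models bgpd.conf 'enforce neighbor-as'; 'yes' is the default


def route_server_forward(update, rs_as, transparent_as):
    """Re-announce a path the way the route server does: with 'transparent-as yes'
    the path is passed through untouched, otherwise the server prepends its own AS."""
    if transparent_as:
        return Update(update.prefix, list(update.as_path))
    return Update(update.prefix, [rs_as] + list(update.as_path))


def check_update(neighbor, update):
    """The receiver's sanity check: with enforce neighbor-as, the leftmost AS of an
    eBGP path must equal the neighbor's remote-as. Returns (accepted, reason)."""
    if neighbor.enforce_neighbor_as:
        if not update.as_path or update.as_path[0] != neighbor.remote_as:
            # the text the thread's log line shows; RFC 4271 calls this UPDATE error
            # subcode 11, Malformed AS_PATH, and the receiver answers with a NOTIFICATION
            return False, "error in UPDATE message, AS-Path unacceptable"
    return True, "accepted"


def simulate(transparent_as, client_enforces):
    """peer1 announces a prefix to the route server, which relays it to the client.
    Returns the path the client saw, the verdict, and the resulting session state."""
    origin = Update("3.3.3.0/24", [PEER1_AS])   # constructed; prefix borrowed from the posted client config
    relayed = route_server_forward(origin, RS_AS, transparent_as)
    client_view_of_rs = Neighbor(remote_as=RS_AS, enforce_neighbor_as=client_enforces)
    accepted, reason = check_update(client_view_of_rs, relayed)
    # a rejected UPDATE means the client sends a NOTIFICATION and the session drops to Idle,
    # which is the "Established -> Idle, reason: Fatal error" line on the client side
    return {"as_path": relayed.as_path, "accepted": accepted, "reason": reason,
            "session": "Established" if accepted else "Idle"}


# Detection side: match the server-side log line and extract the peer it came from.
LOG_RE = re.compile(r"neighbor (?P<ip>\S+) \((?P<descr>[^)]*)\): received notification: "
                    r"error in UPDATE message, AS-Path unacceptable")


def aspath_rejections(lines):
    """Return (neighbor address, descr) for every 'AS-Path unacceptable' notification in the log."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("descr")))
    return found


SAMPLE_LOG = [  # constructed sample; the first line is the one quoted in the thread
    "May 6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4): "
    "received notification: error in UPDATE message, AS-Path unacceptable",
    "May 6 17:00:05 openBSD4-5 bgpd[5747]: neighbor 192.168.113.2 (test.1): "
    "state change OpenConfirm -> Established",
]

if __name__ == "__main__":
    for tr, enf in [(True, True), (True, False), (False, True)]:
        print(f"transparent-as={'yes' if tr else 'no'} "
              f"enforce neighbor-as={'yes' if enf else 'no'}: {simulate(tr, enf)}")
    print(aspath_rejections(SAMPLE_LOG))
```

Running it shows the three combinations: with the server transparent and the client left at the default, the relayed path begins with 64513 rather than 64512, the UPDATE is refused and the session goes to Idle, which is the pair of log lines in the thread; either `enforce neighbor-as no` on the client, as Henning says, or turning transparent-as off on the server (at the cost of the server's AS appearing in every path) makes the check pass. The log matcher is the piece to wire into monitoring, since a peer that keeps tripping this check will flap rather than fail loudly once.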
Re: OpenBGPD transparent-as issue
Thanks for your fast reply. It works very well and saved us a lot of configuration time! By the way, do you know why this isn't necessary when using Quagga? (A little bit off topic, but I am just wondering.)

Henning Brauer wrote:

bad config on the client side - must use

enforce neighbor-as no

OpenBGPD enforces that AS paths from a neighbor begin with his AS by default. If the neighbor is a transparent route-server, that is - of course - not the case.
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/

I'll make a bulk check of the mirrors that haven't got 4.5 yet sometime soon and remind them to update their rsync inclusion lists. I'll give it a bit longer because some are probably still trying to fetch the release.

And there is a big difference between a mirror that is behind, and a mirror that is providing you with something that is not what it purports to be.
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009, J.C. Roberts wrote:

I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a Bad Idea (R)(TM). I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- J.C. Roberts

JC

We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck.

diana
Re: Mplayer problem with new dualhead setup
I seem to have this fixed now. I changed my .xinitrc to specify modes AND positions explicitly, getting rid of --left-of stuff. Now the problem is gone.

Chris Bennett wrote:

I just installed a Radeon 9700 in dualhead. That is working fine as far as I can tell. I am getting what looks like flashes of diagonal text when playing a video in youtube. Goes away if I leave video screen. Sound is unaffected. Using scrotwm. i386, recent -current

Chris Bennett
Re: OT: 10GbE Physical Network Taps
On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:

On Wed, 6 May 2009, J.C. Roberts wrote:

I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a Bad Idea (R)(TM). I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- J.C. Roberts

JC

We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck.

diana

NSA, MI(x)/GCHQ, ASIO and their vendor friends would beg to differ. I can't see any black helicopters and my tin foil hat fits fine, thanks for asking.
Re: OpenBGPD transparent-as issue
On Wed, May 06, 2009 at 07:20:58AM -0700, Tom Martin wrote:

Thanks for your fast reply. It works very well and saved us a lot of configuration time! By the way, do you know why this isn't necessary when using Quagga? (A little bit off topic, but I am just wondering.)

They don't know sane defaults. We try to help people get a good -- a bit paranoid -- default config while other projects and vendors believe that every system must behave like a Cizzzcoee so that CCIEs are not lost.

-- :wq Claudio
how to configure Grub 0.97 for booting my OpenBSD 4.5
Hi, guys,

I just installed OpenBSD 4.5, but my grub configuration can't boot it. Before that, I used OpenBSD 4.2; this is a new installation, not an upgrade. The OpenBSD slice is in (hd0,2). When I used OpenBSD 4.2, I used chainloader to boot it:

root (hd0,a)
makeactive
chainloader +1

It works well with OpenBSD 4.2, but if I use it to boot 4.5, I only get an error:

Starting up ...
Loading ...
ERR M

If I use this configuration to boot it:

root (hd0,a)
kernel --type=openbsd /bsd
boot

the screen shows me the following:

, 0x200120:0x5c299c:0x102bc8, shtab=0x8c6140Strating up ...
panic: /boot too old: upgrade!
Stopped at 0xd0499848: leave
(null) (0,d071a8df, d078c44, d08c7f74, 8c6000) at 0xd0499848
(null) (d0717582,d08c7f74,d08c7f9c,d049d101,0) at 0xd0363085
(null) (8cd000) at 0xd049d415
Run at least 'trace' and 'ps' and include output when reporting this panic!
don't even bother reporting this without including that inforamtion!
ddb

After running trace, I get the same result:

(null) (0,d071a8df, d078c44, d08c7f74, 8c6000) at 0xd0499848
(null) (d0717582,d08c7f74,d08c7f9c,d049d101,0) at 0xd0363085
(null) (8cd000) at 0xd049d415

After running ps, the result is null.

The Grub version is the one distributed with Ubuntu 8.04, which is installed in (hd0,6). How do I resolve it?

Thanks.
Re: Installboot to usb drive?
At 08:28 PM 5/5/2009 -0400, you wrote:

You are (probably) changing from sd0 to wd0, but that only messes up your /etc/fstab file.

Good point!

Usual error is to forget that boot specified on the installboot command line is not the one in the installboot directory or your current root partition, but rather the /boot that exists on the root partition of the target drive (i.e., the boot you WILL use, not the one that you already used).

Confirmed. Here is what worked. First problem, I missed the '/mnt' for boot:

/usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0

I used both sd0 and wd0 to make sure it would work; both indicated 'cross-device install'? Am I correct that the boot *device* specified should be wd0, when the drive will be physically used as bootable?

Thanks!
Lee
Re: RES: Migration from IPTABLES to PF
On Wed, May 6, 2009 02:41, TomC!E! BodEC!r wrote:

I think that in the case of pf a good starting point is this site http://home.nuug.no/~peter/pf/ and then the FAQ parts.

It always helps me to read https://calomel.org/ when in doubt. :) (the new photo looks cool also =] )

matheus

2009/5/5 William Chivers william.chiv...@newcastle.edu.au:

Hello Ricardo,

This is not a beginners' mailing list; people here expect questions to 1. be very specific, and 2. demonstrate that you have spent a lot of time trying to solve the problem yourself, reading the documentation etc. Start with http://www.openbsd.org/faq/pf/index.html If you still need help, there are several books on pf, for example The Book of PF (http://nostarch.com/pf.htm). Look back through the misc mailing list to see how specific questions about pf are. When you have a specific question, the best help available is right here.

Bill

William J. Chivers
Lecturer in Information Technology
School of DCIT
Faculty of Science and Information Technology
University of Newcastle---Ourimbah Campus
PO Box 127, Ourimbah, NSW 2259 Australia
CRICOS Provider Number: 00109J
phone: +61 2 4349 4473
fax: +61 2 4349 4565
email: william.chiv...@newcastle.edu.au

Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/06/09 5:08 AM

Thanks for this 'polite' reply. As I said, I spent some years away from the Unix/Linux world; I worked with business intelligence in those years. Now I am back to network administration and I got this project to do. I used openbsd before version 3. I do like it.

This is my current scenario:

- 2 firewalls with 2 carp+pfsync that will handle 2 internet connections, 1 mpls connection, 1 lan to handle around 60 bus companies that transport 2 million users per day; each user has their own myfair card. Each bus has a system that stores this data in a file. These files will be imported to Oracle later. After this import, there are a lot of specific applications that use this information.

- behind these 2 firewalls we have around 30 servers (most Windows): iis, file transfer servers, ws, and some other servers like some red hat enterprise running Oracle 10g.

- at the beginning the firewalls will do Nat + filter + gateway + mpd5 + squid (the fucking operators who need access to the Windows servers were surfing the web from there.)

- our applications have around 5,000 users per day, but we have a lot of web services and some etl processes (I don't have statistics about volume yet).

So that is it.

-----Original Message-----
From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
Sent: Monday, 4 May 2009 22:46
To: Ricardo Augusto de Souza; misc@openbsd.org
Subject: Re: Migration from IPTABLES to PF

This is a great advertisement for OpenBSD, PF, and keeping things simple in general; mind if I use it Ricardo? As for your original question, I wouldn't even try to convert your iptables, especially using some magic tool to do it. Decide what you want your firewall to do and start from scratch with PF. That way you will know it is working and you will be able to maintain it reliably.

Cheers,
Bill

Ricardo Augusto de Souza ricardo.so...@cmtsp.com.br 05/05/09 3:17 AM

Hi,

I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy who installed it left our company some months ago. I spent some years far from iptables; now I have to migrate this firewall to PF. There are some 'special' features on this firewall; I need some documentation or help about implementing these features at the new firewall (PF).
This is the iptables script:

#!/bin/bash
FW=/sbin/iptables
LOAD=/sbin/modprobe

#__
# Loading IPTABLES modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Loading variables
. /etc/rc.d/init.d/prodata/fw_variaveis

if [ "$KERNEL" = sim ]
then
	. /etc/rc.d/init.d/prodata/fw_kernel
fi

#___
# Create LOG policies
#___
if [ "$LOGS" = sim ]
then
	. /etc/rc.d/init.d/prodata/fw_politicas
fi

Normal rules here

EOF

/etc/rc.d/init.d/prodata/fw_modulos

#$LOAD nfnetlink
$LOAD ip_conntrack
$LOAD
OpenVPN destroys tun
So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
help with getting kernel/userland back in sync
Hi Folks,

I recently upgraded a 4.4 system to 4.5. I followed the Upgrade Guide, not using sysmerge. The upgrade went more-or-less ok. After that, I wanted to install the five patches on the 4.5 errata page. I copied src.tar.gz and sys.tar.gz (for v4.5) from a mirror, unpacked them in /usr/src, applied the first patch (libssl) and my make failed at some point with errors. I removed the /usr/src tree, and created it again from scratch. I tried the make again (without applying the patch) and it failed again, so I concluded I needed to sync with CVS. This seems weird. I would have thought the src/sys tars would be clean...

I updated the tree from CVS using:

cd /usr/src
cvs up -r OPENBSD_4_5_BASE -Pd

as documented in release(8). I repeated my attempt to make libssl, which was successful. I applied the rest of the patches (aucat and 3 kernel patches), built a new kernel (GENERIC.MP), installed it, and rebooted. First I had to figure out that /sbin/ifconfig was hosed and rebuild it. (It got hosed/installed when I did the make install for /usr/src/sbin after building libssl. I'm not sure why.)

Now I get the following messages at boot (10 repetitions):

sysctl: fourth level name dad_pending in net.inet6.ip6.dad_pending is invalid

which is in the v4.5 /etc/netstart script. According to a mail from Stuart Henderson, this means my kernel and userland are out of sync. It's not clear to me how this could be, as /etc/netstart is v4.5 and so are the src/sys sources I used.

Can someone shed some light on this problem?

thanks,
Rob Urban
Re: HD 'Analysis'
2009/5/6, Steve Shockley steve.shock...@shockley.net:

The self-tests take the drive offline while they run, right? Do you

No.

man smartctl

Best
Martin
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
On 5/6/09 5:07 PM, Feifei (??) wrote:

The Grub version is distributed with the Ubuntu 8.04 which is installed in (hd0,6) How to resolve it?

Use the chainloader to call the OpenBSD bootloader. Something like:

title OpenBSD
root (hd0,a)
makeactive
chainloader +1

ciao
Luca
Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
subj
ypldap and ldaps
Hello community. I would want to use ypldap with our ldap server that work over ssl. The problem is how to change ypldap.conf to work with ldaps. I will appreciate any ideas. thanks.
Re: help with getting kernel/userland back in sync
I'll answer my own question. It seems it's not a problem of the kernel and userland being out of sync, but rather /sbin/sysctl was hosed too. Rebuilt it and the problem disappeared. I'm guessing that either I had some junk in /usr/obj/sbin or the patch instructions for libssl need to mention doing a make clean after cd ../../sbin.

Rob Urban

Robert Urban wrote:

Hi Folks,

I recently upgraded a 4.4 system to 4.5. I followed the Upgrade Guide, not using sysmerge. The upgrade went more-or-less ok. After that, I wanted to install the five patches on the 4.5 errata page. I copied src.tar.gz and sys.tar.gz (for v4.5) from a mirror, unpacked them in /usr/src, applied the first patch (libssl) and my make failed at some point with errors. I removed the /usr/src tree, and created it again from scratch. I tried the make again (without applying the patch) and it failed again, so I concluded I needed to sync with CVS. This seems weird. I would have thought the src/sys tars would be clean...

I updated the tree from CVS using:

cd /usr/src
cvs up -r OPENBSD_4_5_BASE -Pd

as documented in release(8). I repeated my attempt to make libssl, which was successful. I applied the rest of the patches (aucat and 3 kernel patches), built a new kernel (GENERIC.MP), installed it, and rebooted. First I had to figure out that /sbin/ifconfig was hosed and rebuild it. (It got hosed/installed when I did the make install for /usr/src/sbin after building libssl. I'm not sure why.)

Now I get the following messages at boot (10 repetitions):

sysctl: fourth level name dad_pending in net.inet6.ip6.dad_pending is invalid

which is in the v4.5 /etc/netstart script. According to a mail from Stuart Henderson, this means my kernel and userland are out of sync. It's not clear to me how this could be, as /etc/netstart is v4.5 and so are the src/sys sources I used.

Can someone shed some light on this problem?

thanks,
Rob Urban
Re: X won't work
On Wed, May 06, 2009 at 04:06:42AM -0400, x x wrote:

it's an old Intel video on Inspiron from 2003. I already uncommented machdep.allowaperture=2, and when I type startx I get

xauth: creating new authority file /root/.serverauth.24871

without even looking past the ring stall, that's an 845. force XAA mode and you'll be ok. it's an intel driver bug.

-- All I ask is a chance to prove that money can't make me happy.
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009, openbsd misc wrote:

On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:

We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck.

diana

NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. I can't see any black helicopters and my Tin Foil hat fits fine thanks for asking.

Yeah, and I'm sure JC has equivalent resources of the acronym laden institutions you mention. Do you have any idea how they capture packets at line rate? I strongly doubt they are using off the shelf hardware, but hey what would I know, I'm just a girl. I'm sure you can piss a further stream than I can so I leave the pissing match to you.

diana
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
It's a website.

On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru wrote:

subj
Re: OT: 10GbE Physical Network Taps
We use NetOptics taps. diana
Re: ypldap and ldaps
On Wed, May 6, 2009 at 4:51 PM, Vasiliy Kiryanov vasiliy.kirya...@gmail.com wrote:

I would want to use ypldap with our ldap server that works over ssl. The problem is how to change ypldap.conf to work with ldaps.

Hello,

I took this as a base: http://kerneltrap.org/index.php?q=mailarchive/openbsd-misc/2008/10/11/3589614/thread

I remember successfully linking to my ldap server over SSL but cannot check it now (test server and currently off). Maybe some other people can expand on that. The only remaining problem as far as I can see is that a user cannot log in using that system if he is not in the passwd file (which makes it slightly redundant then). If I am mistaken about that point, I'd happily be corrected and shown the way.

Cheers,
Steph
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:

So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Thanks,

See persist-tun option.

-- Best wishes, Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?
Re: OT: 10GbE Physical Network Taps
openbsd misc wrote:

On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:

On Wed, 6 May 2009, J.C. Roberts wrote:

I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a Bad Idea (R)(TM). I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- J.C. Roberts

JC

We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck.

note that he wants to collect raw throughput statistics and doesn't explicitly say dump all the traffic to disk. if he wanted to dump the entire pipe to disk it would require 10 COTS machines and load balancing.

diana

NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ.

i'd be more worried about the NBA, those dudes are huge and are known to roll with guns in sweatpants. jc is just trying to find a way to get traffic statistics, likely in relation to his earlier 'remotely connected disk' discussion. move along, nothing to see here.

I can't see any black helicopters and my Tin Foil hat fits fine thanks for asking.
Re: OT: 10GbE Physical Network Taps
Diana Eichert wrote: On Wed, 6 May 2009, openbsd misc wrote: On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote: We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck. Pretty hard, but doable with special hardware according to some people (eg not me, not my toys, just forwarding what I read about/know) DAG cards come to mind: http://www.endace.com/dag-network-monitoring-cards.html which you can stick into most hosts, they sell various 10GE adapters and claim it can do 10GE too. Linux/Windows/FreeBSD drivers available, thus should not be too hard I guess to make an OpenBSD driver (that is depending on documentation available etc...) They claim to be able to even do 40Gbps: http://www.endace.com/guaranteed-packet-capture.html 8< This foundation is totally agnostic, supporting Ethernet and Packet-Over-SONET (PoS), IP and InfiniBand, guaranteeing packet capture, regardless of packet rate and size, at interface speeds up to 40Gbps. 8< And I know for a fact that IBM ISS has a DPI thing which can do 40Gbps++, that is including up to Level 7 analysis... it just depends on what kind of hardware one throws at it ;) Greets, Jeroen (long live IPSEC :)
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru wrote: subj Nah, it's a URL. -Otto
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009, Jeroen Massar wrote: SNIP it just depends on what kind of hardware one throws at it ;) Greets, Jeroen (long live IPSEC :) AKA what kind of money you have to throw at it. We had a 10G box that filtered on SNORT rules in hardware. We purchased it from MetaNetworks, who were bought out by Force10. The product page is here, http://www.force10networks.com/products/pseries.asp . Ours was the 2nd or third built, you could still get to the FPGA with Xilinx development tools. A grad student, Jonathon Donaldson, working in our organization used it in the work he did for his thesis. If you are interested it is available here, https://ritdml.rit.edu/dspace/bitstream/1850/4769/1/JDonaldsonThesis05-2007.pdf diana
Re: DHCP versus PPPoE for ADSL.
From: Stuart Henderson I just added the address assigned to me into hostname.pppoe0:

inet6 2001:4b10:1002:ff::1 64
!/sbin/route add -inet6 default 2001:4b10:1002:ff::1

Hi Stuart. Thanks for all the help. I am curious, in pppoe(4) this example is given:

inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev ne0 authproto pap \
    authname 'testcaller' authkey 'donttell' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

So the destination wildcard is used as the route entry. You have used the IP6 address assigned to your interface rather than the remote IP6 address. I must be missing something. Can you shine a light on that for me? Also, considering my ISP is very reticent (for whatever reason) to provide support for IPv6 do you have any idea of the wildcards for inet6? Getting IP addresses out of them is proving problematic. I suspect they are ready but haven't got to the point for large scale implementation. I would rather suck it and see than get support mail referring me to Wikipedia. Best wishes.
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? See persist-tun option. This only affects restarts, not the initial startup. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OT: 10GbE Physical Network Taps
openbsd misc open...@6wells.com wrote: NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. That would be DSD rather than ASIO, I think. (Since we are already wildly off-topic.) -- Christian naddy Weisgerber na...@mips.inka.de
Re: DHCP versus PPPoE for ADSL.
Ignore my question re inet6 wildcards. Asked and answered. From: Stuart Henderson I think you're supposed to do rtsol, but we don't support that on a device configured as a router. There is afaik no IPv6 address discovery mechanism done by PPP. Best wishes.
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
it's ABSOLUTE URL :) On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek o...@drijf.net wrote: On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru wrote: subj Nah, it's a URL. -Otto
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote: On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? See persist-tun option. This only affects restarts, not the initial startup. The idea is that you pre-create tun device (possibly in startup script, or in /etc/rc.local) and then OpenVPN uses it. -- Best wishes, Vadim Zhukov A: Because it messes up the way people read text. Q: Why is a top-posting such a bad thing?
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Weird. I ran an OpenVPN server on my OpenBSD gateway until just recently, and I'm 98% sure that it never did this to me. Are you specifying both dev-type and dev in the VPN configuration? Actually, that's one thought... are you sure that the dev-type setting in your OpenVPN configuration file and the configuration of your tun(4) device are either both as tun or both as tap? One of the things that caught me off-guard about setting up OpenVPN on OpenBSD is that OpenBSD's tap interfaces are actually called tunX, they just have the link0 flag set. (So you could properly end up with, e.g., dev-type tap and dev tun0 in your OpenVPN configuration.) Could be that if OpenVPN expects one type of device but gets the other, it automatically destroys and replaces it... If that doesn't work, maybe you could try replacing the dev line in your configuration with an equivalent dev-node line, just for the heck of it. Just a couple random shots in the dark, anyway. -- Mark Shroyer http://markshroyer.com/contact/
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote: On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? See persist-tun option. This only affects restarts, not the initial startup. The idea is that you pre-create tun device (possibly in startup script, or in /etc/rc.local) and then OpenVPN uses it. You're missing the point. I create the necessary tun devices at boot with hostname.tun* so that we get no pf/altq load errors. But as soon as OpenVPN runs from rc.local, it destroys the tun device and recreates it. This breaks altq because the file descriptor (/dev/tun*) changes. Having OpenVPN create the tun device does me no good. I'd still have to re-load pf/altq after the file descriptor is created. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
Why are all of you dwelling on the subject of this message? Clearly, the body of the message refers to the important part: subj I don't have an answer to subj, but one of the bad ass developers MUST know! Chris Bennett looptigger wrote: it's ABSOLUTE URL :) On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek o...@drijf.net wrote: On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru wrote: subj Nah, it's a URL. -Otto -- A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. -- Robert Heinlein
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote: On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Weird. I ran an OpenVPN server on my OpenBSD gateway until just recently, and I'm 98% sure that it never did this to me. Are you specifying both dev-type and dev in the VPN configuration? I'm specifying dev tun0. Per the openvpn(8) man page, dev-type should only be used if the TUN/TAP device used with --dev does not begin with tun or tap. Were you actually using altq on your tun device? Actually, that's one thought... are you sure that the dev-type setting in your OpenVPN configuration file and the configuration of your tun(4) device are either both as tun or both as tap? One of the things that caught me off-guard about setting up OpenVPN on OpenBSD is that OpenBSD's tap interfaces are actually called tunX, they just have the link0 flag set. (So you could properly end up with, e.g., dev-type tap and dev tun0 in your OpenVPN configuration.) Could be that if OpenVPN expects one type of device but gets the other, it automatically destroys and replaces it... As mentioned, dev-type is unnecessary. We have no problems with this configuration other than OpenVPN destroying the device at runtime which causes the file-descriptor to change, confusing pf/altq. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon escreveu: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Thanks, Well, you don't necessarily need to enable altq on the tun interface to get your packets queued. I did overcome this by making the queue on another interface, a physical one, and then making packets coming or leaving the tun interface to get queued on that interface. This works, and you won't have to deal with the tun interface being destroyed across openvpn starts/stops. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote: Jason Dixon escreveu: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Well, you don't necessarily need to enable altq on the tun interface to get your packets queued. I did overcome this by making the queue on another interface, a physical one, and then making packets coming or leaving the tun interface to get queued on that interface. This works, and you won't have to deal with the tun interface being destroyed across openvpn starts/stops. You don't understand the usage. We have a remote office with a fixed pipe and *all* of their traffic crossing the VPN tunnel to our office. It's necessary to queue a fraction of the traffic crossing the physical interface for this purpose. We also perform queueing on the physical interface that has a completely different usage model than the VPN tunnel. Please, let's not get off-topic. It's a simple question... can you start OpenVPN without having it destroy/recreate the tun interface. If you haven't used this, please refrain from commenting. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote: On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote: On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? See persist-tun option. This only affects restarts, not the initial startup. The idea is that you pre-create tun device (possibly in startup script, or in /etc/rc.local) and then OpenVPN uses it. You're missing the point. I create the necessary tun devices at boot with hostname.tun* so that we get no pf/altq load errors. But as soon as OpenVPN runs from rc.local, it destroys the tun device and recreates it. This breaks altq because the file descriptor (/dev/tun*) changes. Having OpenVPN create the tun device does me no good. I'd still have to re-load pf/altq after the file descriptor is created. Strange, I do not have such a problem. But I'm not using altq there, just some block/allow and NAT... Could you post your OpenVPN config? Mine looks like this:

remote vpn.some.net 1194
proto tcp-client
resolv-retry infinite
persist-tun
dev tun2
dev-type tap
pull
ifconfig-noexec
up /etc/openvpn/some.up

(parameters related to authentication are excluded). Up script just runs ifconfig for configuring (not [re-]creating) tun device. -- Best wishes, Vadim Zhukov A: Because it messes up the way people read text. Q: Why is a top-posting such a bad thing?
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:43:15PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote: Having OpenVPN create the tun device does me no good. I'd still have to re-load pf/altq after the file descriptor is created. Strange, I do not have such problem. But I'm not using altq there, just some block/allow and NAT... Could you post your OpenVPN config? Right, this only really manifests with altq on tun(4). There's no point to pasting my config, but I'll include most of it here so you don't think I'm jerking your chain. ;)

#
local x.x.x.9
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd
server 192.168.210.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt 86400
push "route 10.0.116.0 255.255.254.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
management 127.0.0.1 7505
#

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote: On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote: On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Weird. I ran an OpenVPN server on my OpenBSD gateway until just recently, and I'm 98% sure that it never did this to me. Are you specifying both dev-type and dev in the VPN configuration? I'm specifying dev tun0. Per the openvpn(8) man page, dev-type should only be used if the TUN/TAP device used with --dev does not begin with tun or tap. Were you actually using altq on your tun device? Actually, that's one thought... are you sure that the dev-type setting in your OpenVPN configuration file and the configuration of your tun(4) device are either both as tun or both as tap? One of the things that caught me off-guard about setting up OpenVPN on OpenBSD is that OpenBSD's tap interfaces are actually called tunX, they just have the link0 flag set. (So you could properly end up with, e.g., dev-type tap and dev tun0 in your OpenVPN configuration.) Could be that if OpenVPN expects one type of device but gets the other, it automatically destroys and replaces it... As mentioned, dev-type is unnecessary. We have no problems with this configuration other than OpenVPN destroying the device at runtime which causes the file-descriptor to change, confusing pf/altq. 1. Did you try specifying the tunnel type? 2. tap devices exist on Windows and on Linux, but NOT on OpenBSD. So OpenVPN cannot determine the device type via its name.
-- Best wishes, Vadim Zhukov A: Because it messes up the way people read text. Q: Why is a top-posting such a bad thing?
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:51:19PM +0400, Vadim Zhukov wrote: On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote: I'm specifying dev tun0. Per the openvpn(8) man page, dev-type should only be used if the TUN/TAP device used with --dev does not begin with tun or tap. [ ... ] 1. Did you tried specifing tunnel type? 2. tap devices exists on Windows and on Linux, but NOT on OpenBSD. So OpenVPN cannot determine device type via its name. Both of your questions were answered by my last reply (see above). Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon escreveu: On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote: Jason Dixon escreveu: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Well, you don't necessarily need to enable altq on the tun interface to get your packets queued. I did overcome this by making the queue on another interface, a physical one, and then making packets coming or leaving the tun interface to get queued on that interface. This works, and you won't have to deal with the tun interface being destroyed across openvpn starts/stops. You don't understand the usage. We have a remote office with a fixed pipe and *all* of their traffic crossing the VPN tunnel to our office. It's necessary to queue a fraction of the traffic crossing the physical interface for this purpose. We also perform queueing on the physical interface that has a completely different usage model than the VPN tunnel. Please, let's not get off-topic. It's a simple question... can you start OpenVPN without having it destroy/recreate the tun interface. If you haven't used this, please refrain from commenting. Thanks, Well, I wasn't OT with my reply. And I have used openvpn from the beginning of the project, even made a plugin for it. So I know a little of it. My suggestion was to avoid what you might already be suspecting: you will have to mess with the openvpn code and recompile it to do what you want. The solution I suggested is a viable one, even if you already have queueing policies on that interface. It'll only require a little adaptation of your altq rules.
I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote: Well, i wasn't OT with my reply. And i use openvpn from the beginning of the project, even made a plugin for it. So i know i little of it. My suggestion was to avoid what you might be already suspecting. You will have to mess with openvpn code and recompile it to do what you want. The solution i suggested is a viable one, even if already have queueing policies on that interface. It'll only require a little adaptation on your altq rules. I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files. Regardless of how much you claim to know about it, the fact remains that there's no way to have OpenVPN bind to an existing tun device. Thanks for the roundabout answer. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides use the up/down scripts)... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? How does openvpn destroy the interfaces? IIRC they just close the fd and that is causing the interface to be destroyed if it was auto created. Did you try to ifconfig tunX up before starting openvpn? These interfaces will not be auto destroyed on close and remain available. -- :wq Claudio
Re: A new toy for programmers who use VIM on OpenBSD
On 06/05/09 10:43 +0100, Stuart Henderson wrote: (cc/reply-to set to ports@). useful :-) would you be interested in adding some kind of license (we like /usr/share/misc/license.template, but it's your choice)? then it could go into ports/packages. No problem, I'd love to add this license. -- Dasn
swap(encrypt) vs. vnd
Hello misc@, any one can answer the following question: why codebase used to encrypt/decrypt swap is not used to replace/ complement vnd? Complement, means skip the creation of encrypted image part and work directly with block device. //maxim
Re: OpenVPN destroys tun
Jason Dixon escreveu: On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote: Well, i wasn't OT with my reply. And i use openvpn from the beginning of the project, even made a plugin for it. So i know i little of it. My suggestion was to avoid what you might be already suspecting. You will have to mess with openvpn code and recompile it to do what you want. The solution i suggested is a viable one, even if already have queueing policies on that interface. It'll only require a little adaptation on your altq rules. I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files. Regardless of how much you claim to know about it, the fact remains that there's no way to have OpenVPN bind to an existing tun device. Thanks for the roundabout answer. Well, my rude friend, I guess you'll have to accept my suggestion because you're simply stuck with it. I shouldn't, but I took a little time and dove into the openvpn source code. This is the piece of code that does exactly what you're saying:

#elif defined(TARGET_OPENBSD)
      /*
       * OpenBSD tun devices appear to be persistent by default.  It seems in order
       * to make this work correctly, we need to delete the previous instance
       * (if it exists), and re-ifconfig.  Let me know if you know a better way.
       */
      argv_printf (&argv, "%s %s destroy", IFCONFIG_PATH, actual);
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, 0, NULL);
      argv_printf (&argv, "%s %s create", IFCONFIG_PATH, actual);
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, 0, NULL);
      msg (M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure");

      /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
      if (tun)
        argv_printf (&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up",
                     IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu);
      else
        argv_printf (&argv, "%s %s %s netmask %s mtu %d broadcast %s link0",
                     IFCONFIG_PATH, actual, ifconfig_local, ifconfig_remote_netmask, tun_mtu,
                     ifconfig_broadcast);
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
      tt->did_ifconfig = true;

Attend to the comment of the developer. If you change this code, it'll probably break openvpn and it won't work. Either you accept my suggestion, which was a good and viable one, or you change this piece of code. By the way, don't forget to contact James (main openvpn developer), and tell him that you have a better way, as he asks in his comment. Bet that wasn't roundabout. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote: Jason Dixon escreveu: Well, my rude friend, i guess you'll have to accept my suggestion because you're simply stuck with it. I shouldn't but, i took a little time and dove in openvpn source code. This is the piece of code that does what exactly what you're saying: Or I can continue to reload pf in /etc/rc.local like we currently do. No harm no foul. It's just not elegant. Sorry if you find my demeanor rude. I don't have a lot of patience for tangents when I'm asking a straightforward question and getting horizontal advice instead. New workarounds aren't necessarily better than existing workarounds. I appreciate your digging into the code. That was above and beyond, even if it doesn't really do me any good. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
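The workaround Jason settles on (start OpenVPN from /etc/rc.local, then reload pf so the rules and altq queues bind to the tun interface OpenVPN has just recreated), written out as an added example for this thread. It is not code from the original posts nor from OpenVPN; the paths /etc/openvpn/server.conf, /usr/local/sbin/openvpn and /etc/pf.conf, the 15 second timeout and the readiness test (an "inet " line on the interface, which a tunN pre-created from /etc/hostname.tunN as Claudio suggests does not yet have) are assumptions:

```shell
#!/bin/sh
# Added example (not code from OpenVPN or from any poster in this thread).
# OpenVPN's OpenBSD tun code runs "ifconfig tunN destroy" followed by
# "ifconfig tunN create" before configuring the interface, so a tunN that
# was pre-created at boot is replaced and whatever pf/altq attached to the
# old instance goes with it. Assumed paths: /etc/openvpn/server.conf,
# /usr/local/sbin/openvpn, /etc/pf.conf.

# Print the interface named by the first "dev" directive of an OpenVPN
# configuration read on stdin ("dev tun0" -> "tun0"); prints nothing if absent.
openvpn_dev() {
    awk '$1 == "dev" { print $2; exit }'
}

# Readiness test (assumption): the interface exists and OpenVPN's ifconfig
# has put an IPv4 address on it. A pre-created tunN that is merely "up" has
# no "inet " line, so this tells the recreated interface from the stale one.
iface_has_inet() {
    /sbin/ifconfig "$1" 2>/dev/null | grep -q 'inet '
}

# Poll "$3 $1" once per second for up to $2 seconds. $3 defaults to
# iface_has_inet and is a parameter only so the loop can be exercised
# without a real interface. Returns 0 when the check succeeds, 1 on timeout.
wait_for_iface() {
    iface=$1
    timeout=${2:-15}
    check=${3:-iface_has_inet}
    n=0
    while [ "$n" -lt "$timeout" ]; do
        if "$check" "$iface"; then
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# Start OpenVPN as a daemon, wait until it has recreated and configured its
# tun interface, then reload pf so rules and altq queues that name that
# interface attach to the live instance rather than the destroyed one.
start_openvpn_and_reload_pf() {
    conf=${1:-/etc/openvpn/server.conf}
    dev=$(openvpn_dev < "$conf")
    if [ -z "$dev" ]; then
        logger -t rc.local "openvpn: no dev directive in $conf"
        return 1
    fi
    /usr/local/sbin/openvpn --daemon --config "$conf"
    if wait_for_iface "$dev" 15; then
        /sbin/pfctl -f /etc/pf.conf
    else
        logger -t rc.local "openvpn: $dev not configured after 15s, pf not reloaded"
        return 1
    fi
}

# Only act when invoked with "start", so the functions can be sourced harmlessly.
case "${1:-}" in
    start) start_openvpn_and_reload_pf "${2:-}" ;;
esac
```

Invoked from /etc/rc.local as `sh /etc/openvpn-start.sh start` (file name assumed), it replaces an unconditional `pfctl -f` that can race OpenVPN and reload pf while the old tunN is still in place. If the timeout is hit, pf is deliberately left as it was and the failure is logged rather than loading queues against an interface that is not there.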
Re: OpenVPN destroys tun
On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini linux-...@onda.com.brwrote: Well, i wasn't OT with my reply. And i use openvpn from the beginning of the project, even made a plugin for it. So i know i little of it. My suggestion was to avoid what you might be already suspecting. You will have to mess with openvpn code and recompile it to do what you want. The solution i suggested is a viable one, even if already have queueing policies on that interface. It'll only require a little adaptation on your altq rules. I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files. I'm with Giancarlo here,... I use OpenVPN extensively (not on OpenBSD admittedly - my own embedded BSD variant). And the man knows what he's talking about when it comes to OpenVPN. Really man IF you want help don't douche on the guys trying to help you. An attitude like that deserves a response akin to Use the source Luke and no more. -- Opportunity is most often missed by people because it is dressed in overalls and looks like work. Thomas Alva Edison Inventor of 1093 patents, including: The light bulb, phonogram and motion pictures.
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
It's a bird? No, it's a UFO! No, it's gone! It wasn't linked from the main page for a very long time, waiting on the author's updates, but as they never came, it is now deleted! Maybe a wiki page will show up soon instead, but we'll see how I feel about it. Don't complain on misc@ about anything wrong there, just send updates. Best, Daniel looptigger wrote: it's ABSOLUTE URL :) On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek o...@drijf.net wrote: On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev a.knya...@timeweb.ru wrote: subj Nah, it's a URL. -Otto
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:25:20PM +0200, Ross Cameron wrote: On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini linux-...@onda.com.brwrote: Well, i wasn't OT with my reply. And i use openvpn from the beginning of the project, even made a plugin for it. So i know i little of it. My suggestion was to avoid what you might be already suspecting. You will have to mess with openvpn code and recompile it to do what you want. The solution i suggested is a viable one, even if already have queueing policies on that interface. It'll only require a little adaptation on your altq rules. I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files. I'm with Giancarlo here,... I use OpenVPN extensively (not on OpenBSD admittedly - my own embedded BSD variant). And the man knows what he's talking about when it comes to OpenVPN. Really man IF you want help don't douche on the guys trying to help you. I just wanted a simple question to a simple answer. Not the same old jeez, you should try this instead. An attitude like that deserves a response akin to Use the source Luke and no more. We all have good and bad days. I've been offering free (hopefully good) advice to these lists for almost 10 years now. I keep my questions brief and my answers concise. Detours piss me off. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon wrote:
> On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote:
> > Jason Dixon wrote:
> > Well, my rude friend, i guess you'll have to accept my suggestion because you're simply stuck with it. I shouldn't, but i took a little time and dove into the openvpn source code. This is the piece of code that does exactly what you're saying:
>
> Or I can continue to reload pf in /etc/rc.local like we currently do. No harm, no foul. It's just not elegant.
>
> Sorry if you find my demeanor rude. I don't have a lot of patience for tangents when I'm asking a straightforward question and getting horizontal advice instead. New workarounds aren't necessarily better than existing workarounds.
>
> I appreciate your digging into the code. That was above and beyond, even if it doesn't really do me any good.
>
> Thanks,

Well, it can't always be elegant. IT isn't elegant, as you saw in the code yourself. You only forgot to mention that you already had a workaround for your problem. If i had known it, it would have saved a lot of time, by not suggesting another one.

My regards,

-- Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify: https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD 4.5
Ubuntu 9.04 Jaunty Jackalope
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 06:26:30PM -0300, Giancarlo Razzolini wrote:
> Jason Dixon wrote:
> > I appreciate your digging into the code. That was above and beyond, even if it doesn't really do me any good.
>
> Well, it can't always be elegant. IT isn't elegant, as you saw in the code yourself. You only forgot to mention that you already had a workaround for your problem. If i had known it, it would have saved a lot of time, by not suggesting another one.

I mentioned it in a reply to Vadim. Sorry for not making it more obvious and that it caused you any wasted time.

Thanks,

-- Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Installboot to usb drive?
L. V. Lammert wrote:
> At 08:28 PM 5/5/2009 -0400, you wrote:
> > ... Usual error is to forget that the boot specified on the installboot command line is not the one in the installboot directory or your current root partition, but rather the /boot that exists on the root partition of the target drive (i.e., the boot you WILL use, not the one that you already used).
>
> Confirmed. Here is what worked. First problem, I missed the '/mnt' for boot:
>
>     /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0
>
> I used both sd0 and wd0 to make sure it would work, .. both indicated 'cross-device install'? Am I correct that the boot *device* specified should be wd0, when the drive will be physically used as bootable?

No, all installboot does is install a tiny little program (biosboot) in the PBR, and point it to the inode used by the file /boot. So, it needs to know which file will end up being /boot. It needs to know where to put it; it really doesn't care what driver will hook to the device after boot. As the name implies, biosboot uses the BIOS, not the kernel driver. Biosboot is finished with its job long before the kernel is even loaded (is five seconds long? :). See faq14 for more info on how this all works.

You want something like:

    /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot sd0

assuming sd0a is mounted on /mnt and is your new disk. (Alternately: just boot install media, point it at sd0, and it will do the rest for you...)

Nick.
EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009
EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT - Ralf-Philipp Weinmann, University of Luxembourg
A year in the life of an Adobe Flash security researcher - Peleus Uhley, Adobe
Pwning your grandmother's iPhone - Charley Miller, Independent Security Evaluators
Post exploitation techniques on OSX and iPhone and other TBA matters - Vincent Iozzo, Zynamics
STOP!! Objective-C Run-TIME. - nemo
Exploiting Delphi/Pascal - Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections - Christophe Devine, Guillaume Vissian, Thales
Thoughts about Trusted Computing - Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon? - Arrigo Trulzi
Evolving Microsoft Exploit Mitigations - Tim Burrell, Peter Beck, Microsoft
Malware Case Study: the ZeuS evolution - Vicente Diaz, S21Sec
Writing better XSS payloads - Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions - Roberto Suggi Liverani, Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited - Adrian Pastor, Gnucitizen, Corsaire
Advanced SQL Injection to operating system control - Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic - Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded - Petr Matousek, Coseinc

PacSec 2009 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information security in Japan, the best known figures in the international security industry will get together with leading Japanese researchers to share best practices and technology. The most significant new discoveries about computer network hack attacks will be presented and discussed at the seventh annual PacSec conference. The PacSec meeting provides an opportunity for foreign specialists to be exposed to Japanese innovation and markets and to collaborate on practical solutions to computer security issues. In an informal setting, with a mixture of material bilingually translated in both English and Japanese, the eminent technologists can socialize and attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2009 network security training conference. The conference will be held November 4/5th in Tokyo. The conference focuses on emerging information security tutorials - it is a bridge between the international and Japanese information security technology communities.

Please make your paper proposal submissions before June 1st, 2009. Slides for the papers must be submitted for translation by October 1, 2009 (which, oh so rarely, happens, so we are going to start asking for them earlier :-P --dr).

Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to . Tutorials are one hour in length, but with simultaneous translation should be approximately 45 minutes in English or Japanese. Only slides will be needed for the October paper deadline; full text does not have to be submitted.

The PacSec conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and education for a technical audience. The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques.

The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text
XTerm resizing and 4.5
Somehow, while upgrading from 4.4 to 4.5 on i386, I lost the ability to resize an XTerm via the command resize -s rows cols. It's not the end of the world and for now I just changed XTerm default geometry to 132x48. I'm not sure where I should look to bring that behavior back. -- Hugo Villeneuve h...@eintr.net
Re: HD 'Analysis'
> On Monday 04 May 2009 17:56:43 L. V. Lammert wrote:
> > What is the best way to do a surface analysis on a disk?

2009/5/5 Tony Abernethy t...@servacorp.com:
> There is, in the e2fsprogs package, something called badblocks. I have used it (on Linux) to rescue bad disks. (Windows laptops -- kinda redundant?) If you care about your data, follow Steve's advice. The reality seems to be that this does exercise a disk's ability to relocate bad sectors so that a bad disk suddenly goes good. This is using a destructive surface test (badblocks -sw ...). Realistically, it seems like the most reliable test is that the disk is slower than it should be. Me, if I want to rely on a disk drive, I will run badblocks on it, the long-winded destructive test. And I will time it, at least sporadically. (New disks are not immune from having problems ;-) The exercise maybe loses out to watching grass grow.

I also would recommend badblocks(8), but I would recommend badblocks -svn instead of badblocks -sw. badblocks -svn also (s)hows its progress as it goes along, but does a (v)erbose (n)on-destructive read/write test (as opposed to either the default read-only test or the destructive read/write test).

You can check an entire device with badblocks, or a partition, or a file. The great thing about using badblocks to check a partition is that it's filesystem-agnostic. It will dutifully check every bit of its target partition regardless of what's actually on it. And if you give badblocks -svn an entire storage device to test, it will not even care about the actual partition scheme used. Because this read/write test can trigger the disk's own built-in bad sector relocation, this means you can even have a disk that you can't read the partition table from, and running badblocks -svn over it may at least temporarily fix things. And I've used badblocks -svn e.g. to check old Macintosh floppies. Who cares that OpenBSD doesn't know much about the filesystem on those? badblocks does the job anyway.

(Because of this agnosticism, it's actually questionable whether badblocks(8) ought to be part of a filesystem-specific package, but hey, that's what it comes in. Yea, one *could* also argue whether to include it elsewhere by default because it's so useful, but I'm not the one making those decisions and I guess the folks who do will do what makes the most sense to them, so I don't feel like starting to be a back seat driver... ;-)

Oh, and of course it would probably be prudent to do a backup before read/write tests, even though badblocks is well-established and (with -n) supposed to be non-destructive. Supposed to... ;-) I've never been disappointed but YMMV.

regards,
--ropers
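The thread's point that a read/write test can make bad sectors "suddenly go good" (the drive silently remaps them) is easiest to see by comparing two runs. The script below is an added example, not code from the thread or from e2fsprogs: it parses the block list badblocks writes to stdout (one block number per line; the verbose chatter is ignored in case stderr was merged in), collapses it into ranges with byte offsets, and diffs two runs so that remapped ("vanished") and freshly failing ("new") blocks are called out. Both sample runs are constructed.

```python
"""Summarise badblocks(8) output and compare two runs of the same device.

Added example for the badblocks discussion above; not code from the thread
or from e2fsprogs.  badblocks prints one bad block number per line on
stdout, so the two captures below are constructed stdout of `badblocks -svn`
on the same partition, a few days apart (with stderr merged in via 2>&1).
"""
from __future__ import annotations

BLOCK_SIZE = 1024  # badblocks' default block size; pass whatever you gave to -b

# Constructed sample output: run 1 and run 2 on the same partition.
RUN_1 = """\
Checking for bad blocks in non-destructive read-write mode
40960
40961
40962
81920
131072
131073
Pass completed, 6 bad blocks found.
"""
RUN_2 = """\
Checking for bad blocks in non-destructive read-write mode
40960
40961
40962
262144
Pass completed, 4 bad blocks found.
"""


def parse_badblocks(output: str) -> list[int]:
    """Return the sorted, de-duplicated bad block numbers; non-numeric lines are skipped."""
    blocks = set()
    for line in output.splitlines():
        token = line.strip()
        if token.isdigit():
            blocks.add(int(token))
    return sorted(blocks)


def to_ranges(blocks: list[int]) -> list[tuple[int, int]]:
    """Collapse consecutive block numbers into inclusive (first, last) ranges."""
    ranges: list[tuple[int, int]] = []
    for b in blocks:
        if ranges and b == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], b)
        else:
            ranges.append((b, b))
    return ranges


def byte_span(first: int, last: int, block_size: int = BLOCK_SIZE) -> tuple[int, int]:
    """Inclusive byte offsets covered by a block range (to map onto a partition or file)."""
    return first * block_size, (last + 1) * block_size - 1


def compare_runs(old: list[int], new: list[int]) -> dict[str, list[int]]:
    """Classify blocks across two runs.  Blocks that 'vanished' were most likely
    remapped by the drive's own sector relocation during the read/write test,
    which hides the fault rather than curing the disk."""
    o, n = set(old), set(new)
    return {"persistent": sorted(o & n), "new": sorted(n - o), "vanished": sorted(o - n)}


def report(old_output: str, new_output: str, block_size: int = BLOCK_SIZE) -> str:
    """Human-readable summary of the second run plus the diff against the first."""
    old, new = parse_badblocks(old_output), parse_badblocks(new_output)
    diff = compare_runs(old, new)
    lines = [f"run 1: {len(old)} bad blocks, run 2: {len(new)} bad blocks (block size {block_size})"]
    for first, last in to_ranges(new):
        lo, hi = byte_span(first, last, block_size)
        lines.append(f"  blocks {first}-{last}  bytes {lo}-{hi}")
    for key in ("persistent", "new", "vanished"):
        lines.append(f"{key}: {diff[key] or 'none'}")
    if diff["vanished"]:
        lines.append("note: vanished blocks were probably remapped by the drive; treat it as still suspect")
    if diff["new"]:
        lines.append("note: new bad blocks since the last run means the media is still degrading")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RUN_1, RUN_2))
```

In practice, save each run with badblocks' own -o option (`badblocks -svn -o run2.txt <device>`), keep the files, and feed the pairs to `report()`; a shrinking list is not good news on its own, only a list that stays empty across runs is.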
Re: OpenLDAP w/o bdb okay?
Henning Brauer (lists-open...@bsws.de) @ 2009.01.06 14:42:09 +0100:
> * Toni Mueller openbsd-m...@oeko.net [2009-01-06 12:25]:
> > > openldap is still a piece of shit, but the ldbm backend is probably the sanest one.
> >
> > This pattern comes up often, but almost no one suggests an alternative LDAP server package.
>
> I am not aware of any. Lack of options doesn't make openldap better.

How about OpenDS? Fedora Directory Server? Both are pukable on the keyboard? Apache DS? Yeah, I know OpenDS is Java and so is ApacheDS...
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
Yes, it works well with OpenBSD 4.2, but it failed in OpenBSD 4.5; I only get an error:

    Starting up ... Loading ... ERR M

2009/5/6 Luca Corti l...@fantacast.it
> On 5/6/09 5:07 PM, Feifei (??) wrote:
> > The Grub version is distributed with the Ubuntu 8.04 which is installed in (hd0,6). How to resolve it?
>
> Use the chainloader to call the OpenBSD bootloader. Something like:
>
>     title OpenBSD
>     root (hd0,a)
>     makeactive
>     chainloader +1
>
> ciao
> Luca
Re: HD 'Analysis'
On 5/6/2009 11:24 AM, Martin Schröder wrote:
> 2009/5/6, Steve Shockley steve.shock...@shockley.net:
> > The self-tests take the drive offline while they run, right? Do you
>
> No. man smartctl

Huh. That kind of contradicts the name "offline self test", but I guess they call that "captive".
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
Feifei (7I7I) wrote:
> Hi, guys, I just installed OpenBSD 4.5, but my grub configuration can't boot it. Before that, I used OpenBSD 4.2; it is a new installation, not an upgrade.
> ...
> It works well with OpenBSD 4.2, but if I use it to boot 4.5, I only get an error:
>
>     Starting up ... Loading ... ERR M

man biosboot will tell you what the error means. http://www.openbsd.org/faq/faq14.html will show you how the boot process works. I'm going to assume you read that before I expect you to understand this.

Short version: the PBR read something, but it wasn't /boot.

I'm not a grub expert, but obviously the PBR you are running isn't the one that OpenBSD put into place. Some boot loaders do silly things like store a copy of the real PBR somewhere they think is cool, and when you reinstall the OS, the stored PBR doesn't get replaced when the real one is. So now you have the old PBR reading ...something other than /boot.

If you replace your grub boot loader with a normal MBR and flag the OpenBSD partition as active, I bet the system will boot just fine. Alternatively, do whatever voodoo you need to do to tell grub there is a new PBR for it to use.

Nick.
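Nick's fix relies on the standard MBR chain: the MBR code hands off to the PBR of the one partition flagged active, and that PBR must be OpenBSD's biosboot. The script below is an added example, not code from the thread or from OpenBSD's fdisk(8): it decodes a 512-byte MBR sector, lists the primary partitions, and reports whether a stock MBR would actually chain to the OpenBSD (type 0xA6) partition, flagging the two failure modes (no or several active entries, or the active entry being a different OS). The sample disk layout is constructed so it runs offline.

```python
"""Check an MBR partition table for a bootable OpenBSD partition.

Added example for the grub/PBR discussion above; not code from the thread
or from OpenBSD's fdisk(8).  The disk layout below is constructed (Linux on
the first slice, OpenBSD on the second, the usual dual-boot arrangement).
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446                      # 446 bytes of boot code, then 4 x 16-byte entries
ENTRY = struct.Struct("<B3sB3sII")      # status, CHS start, type, CHS end, LBA start, LBA size
BOOT_SIG = b"\x55\xaa"                  # last two bytes of a valid MBR
ACTIVE = 0x80
OPENBSD = 0xA6
TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/HPFS", 0x0C: "FAT32 LBA",
              0x82: "Linux swap", 0x83: "Linux", OPENBSD: "OpenBSD"}


@dataclass
class Partition:
    index: int
    active: bool
    type_code: int
    lba_start: int
    sectors: int

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_code, f"type 0x{self.type_code:02x}")


def parse_mbr(sector: bytes) -> list[Partition]:
    """Decode the four primary entries; empty (type 0) slots are skipped."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, size = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == ACTIVE, ptype, start, size))
    return parts


def active_partition(parts: list[Partition]) -> Partition | None:
    """Stock MBR code chains to the single active entry; none or several is a misconfiguration."""
    flagged = [p for p in parts if p.active]
    return flagged[0] if len(flagged) == 1 else None


def openbsd_boot_check(sector: bytes) -> tuple[bool, str]:
    """True when a plain MBR would hand control to the OpenBSD PBR (biosboot)."""
    act = active_partition(parse_mbr(sector))
    if act is None:
        return False, "no single active partition; a standard MBR has nothing to chain to"
    if act.type_code != OPENBSD:
        return False, f"active partition {act.index} is {act.type_name}, not OpenBSD (0xa6)"
    return True, f"active partition {act.index} is OpenBSD at LBA {act.lba_start} ({act.sectors} sectors)"


def build_sample_mbr(active_index: int | None) -> bytes:
    """Constructed MBR: Linux (0x83) first, OpenBSD (0xa6) second; active_index picks the flagged slot."""
    layout = [(0x83, 63, 20_000_000), (OPENBSD, 20_000_063, 30_000_000)]
    table = b""
    for i, (ptype, start, size) in enumerate(layout):
        status = ACTIVE if i == active_index else 0x00
        table += ENTRY.pack(status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, size)
    table += b"\x00" * 32                # two unused entries
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIG


if __name__ == "__main__":
    for idx in (1, 0, None):
        ok, msg = openbsd_boot_check(build_sample_mbr(idx))
        print("OK " if ok else "BAD", msg)
```

To run it against a real disk on OpenBSD, dump the first sector with `dd if=/dev/rsd0c bs=512 count=1 of=mbr.bin` and pass the file's bytes to `openbsd_boot_check()`. The repair Nick describes maps onto fdisk(8): `fdisk -u sd0` rewrites the stock MBR code while keeping the partition table, and the `flag` command in `fdisk -e sd0` marks the OpenBSD partition active; rerun the check afterwards to confirm exactly one 0xA6 entry is flagged.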
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009 10:17:06 -0600 (MDT) Diana Eichert deich...@wrench.com wrote:
> On Wed, 6 May 2009, openbsd misc wrote:
> > On Wed, May 6, 2009 at 3:42 PM, Diana Eichert deich...@wrench.com wrote:
> > > We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck. diana
> >
> > NSA, MI(x)/GCHQ, ASIO and their vendor friends would beg to differ. I can't see any black helicopters and my Tin Foil hat fits fine, thanks for asking.
>
> Yeah, and I'm sure JC has equivalent resources to the acronym laden institutions you mention. Do you have any idea how they capture packets at line rate? I strongly doubt they are using off the shelf hardware,

Well, a good number of the 10-Gbit/s Ethernet cards on the market actually have dual 10GbE interfaces in one configuration or another. The most typical configuration that *I* have seen is the two bonded (20-Gbit/s) as a single logical interface with fail-over between the two physical connections. In short, to capture a single card, you basically need to be able to store 2-GByte/s *somewhere*. Yes, I'm intentionally skipping the overhead calculations and keeping things overly generalized... --this is misc@ after all (;

On the more modern Intel chipset systems (X58), your memory bandwidth is about 64-Gbyte/s from RAM to proc, so if you stuff the box with 128-GByte of RAM, you can collect about an hour's worth of capture in a sizable RAM disk. Of course, 128-GByte of 1333-MHz RAM will set you back about $15-20 thousand USD.

If you need more permanent storage (i.e. saved to disk), you only have two options:

1.) A large stripe set of Intel X25-{M,E} devices. Both the X25-M and X25-E SATA II (3.0 Gbit/s) can do about 250-Mbyte/s read/write, so a RAID0 stripe set of 16 of them will get you to about 4-Gbyte/s. Unfortunately, as far as *I* know, no SATA/RAID controller manufacturer has a product that can support 16 SATA II drives *AND* has a 16-Lane PCIe Gen-1.0 interface (4-GByte/s), or 8-Lane PCIe Gen-2.0 interface (also 4-GByte/s), or a 4-Lane PCIe Gen-3.0 interface (again 4-GByte/s), so you'd be forced to use multiple controller cards and suffer a performance hit. It would cost you about $12-16 thousand USD to build such a beast, mainly due to the cost of the drives, but it's doable. For your money, you'd get about 2500-GByte (16 * 160-GByte) of rather volatile storage due to the RAID0, or about 21 hours of capture.

2.) Due to the absolutely insane prices of the hardware, your other option for non-custom hardware doesn't really qualify as off the shelf. The other option is to use a stripe set of Fusion-IO.com solid state disks which can read/write at either 800-MByte/s (for the 320-GByte and below) or 1.5-GByte/s (for the 640-GByte and above double disks) depending on the model you buy. The present capacity limit is 640-GByte for their high end double disk, but that will hit 1.2-TByte by the end of the year (supposedly). Doing a stripe set across a bunch of these is, ummm, an interesting endeavor due to the fact they require very custom, closed source drivers and a system with 8-GByte of RAM per device. Oh, and according to what I've been told, if you have a power fault, you're totally screwed due to the way the mystery driver works. Though you can buy these things off the shelf, it's a very high shelf. The 320-GByte capacity 800-MByte/s drives are about $14,000 each retail, and you'd need at least four of them striped together to surpass the 2-GByte/s rate of a single 10-GBit/s card (two interfaces, 20-Gbit/s).

Other than the three options above, I do not know of any other way to capture 10 and/or 20 GBit/s Ethernet at line speed with off the shelf components. Also, I'll be the first to say the above is a bit dodgy, but it would more or less work if one can afford it. And yep, you're very much correct; attempting capture at these speeds is good for a chuckle, and even the three cheap off-the-shelf methods above are not really affordable for home use. (;

If anyone here mistakenly thinks they can actually run *ANALYSIS* at these speeds with off the shelf components... BAWAHAHAHAHAHAHAHA!

Diana, thanks for the link to the FPGA analysis stuff later in the thread. I'll try to read it tomorrow, but the thought of someone doing the *REQUIRED* over-clocking of a FPGA to get the needed throughput sounds dangerously dodgy at best. Off the top of my head, other than over-clocking a half-baked FPGA, I can't think of any other way they could have done it without a serious performance impact on the link.

> but hey what would I know, I'm just a girl.

CORRECTION: ... just a girl with technical super powers, and a lab that makes everyone very, very jealous.

-- J.C. Roberts