Re: PF/Carp/Pfsync
Hello

The rules look identical to me at the moment, but I will double-check them. One thing though: I don't have the same interface names on both boxes, though the rules/queues are identical (they are built out of a script for both boxes); the only exception is that interface names are macros rather than static values and change by the box. Also, I'm using the HFSC queue algorithm, could any of that make any difference?

On E, 2009-06-01 at 22:47 +0200, Henning Brauer wrote:

* Georg Kahest ge...@viatel.ee [2009-06-01 15:21]:

Yes the rulesets are identical, strange thing is from pftop it seems that it hits default queue (25mbit queue) but somehow the client gets 10~MB/s what seems more of interface root queue value rather than that default queue. Though the real queue it should use is at 8mbit.

that is expected with states without reference back to a rule. this clearly proves your rulesets are not identical, because otherwise that ref would have been there. and in any case - current behaves differently, queueing info now lives on the state.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

-- Georg Kahest ge...@viatel.ee ProGroup Holding
syntax error in xenocara stable code
Hi, I was updating my OpenBSD 4.5 release to 4.5 stable. While building xenocara I got this error.

/usr/X11R6/include/pixman-1/pixman.h:102: error: syntax error before pixman_fixed_32_32_t
/usr/X11R6/include/pixman-1/pixman.h:102: warning: type defaults to `int' in declaration of `pixman_fixed_32_32_t'
/usr/X11R6/include/pixman-1/pixman.h:102: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:103: error: syntax error before pixman_fixed_48_16_t
/usr/X11R6/include/pixman-1/pixman.h:103: warning: type defaults to `int' in declaration of `pixman_fixed_48_16_t'
/usr/X11R6/include/pixman-1/pixman.h:103: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:104: error: syntax error before pixman_fixed_1_31_t
/usr/X11R6/include/pixman-1/pixman.h:104: warning: type defaults to `int' in declaration of `pixman_fixed_1_31_t'
/usr/X11R6/include/pixman-1/pixman.h:104: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:105: error: syntax error before pixman_fixed_1_16_t
/usr/X11R6/include/pixman-1/pixman.h:105: warning: type defaults to `int' in declaration of `pixman_fixed_1_16_t'
/usr/X11R6/include/pixman-1/pixman.h:105: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:106: error: syntax error before pixman_fixed_16_16_t
/usr/X11R6/include/pixman-1/pixman.h:106: warning: type defaults to `int' in declaration of `pixman_fixed_16_16_t'
/usr/X11R6/include/pixman-1/pixman.h:106: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:107: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:107: warning: type defaults to `int' in declaration of `pixman_fixed_t'
/usr/X11R6/include/pixman-1/pixman.h:107: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:135: error: syntax error before uint16_t
/usr/X11R6/include/pixman-1/pixman.h:143: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:154: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:159: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:243: error: syntax error before int16_t
/usr/X11R6/include/pixman-1/pixman.h:249: error: syntax error before int16_t
/usr/X11R6/include/pixman-1/pixman.h:345: error: syntax error before int32_t
/usr/X11R6/include/pixman-1/pixman.h:351: error: syntax error before int32_t
/usr/X11R6/include/pixman-1/pixman.h:418: error: syntax error before '*' token
/usr/X11R6/include/pixman-1/pixman.h:429: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:430: error: syntax error before '*' token
/usr/X11R6/include/pixman-1/pixman.h:437: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:452: error: syntax error before '*' token
/usr/X11R6/include/pixman-1/pixman.h:453: error: syntax error before uint32_t
/usr/X11R6/include/pixman-1/pixman.h:453: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:456: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:463: error: syntax error before pixman_index_type
/usr/X11R6/include/pixman-1/pixman.h:463: warning: type defaults to `int' in declaration of `pixman_index_type'
/usr/X11R6/include/pixman-1/pixman.h:463: warning: data definition has no type or storage class
/usr/X11R6/include/pixman-1/pixman.h:469: error: syntax error before uint32_t
/usr/X11R6/include/pixman-1/pixman.h:582: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:585: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:587: error: syntax error before pixman_fixed_t
/usr/X11R6/include/pixman-1/pixman.h:589: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:593: error: syntax error before uint32_t
/usr/X11R6/include/pixman-1/pixman.h:594: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:614: error: syntax error before '*' token
/usr/X11R6/include/pixman-1/pixman.h:615: warning: type defaults to `int' in declaration of `pixman_image_set_filter'
/usr/X11R6/include/pixman-1/pixman.h:615: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:620: error: syntax error before int16_t
/usr/X11R6/include/pixman-1/pixman.h:621: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:625: error: syntax error before pixman_read_memory_func_t
/usr/X11R6/include/pixman-1/pixman.h:626: warning: function declaration isn't a prototype
/usr/X11R6/include/pixman-1/pixman.h:629: error: syntax error before '*' token
/usr/X11R6/include/pixman-1/pixman.h:629: warning: type defaults to `int' in declaration of `pixman_image_get_data'
/usr/X11R6/include/pixman-1/pixman.h:629:
Re: PF/Carp/Pfsync
A little update: the filter rules are these. Except for the interface name they are identical, and the queue names are identical as well; the only difference is on what interface the queues are present.

Node1

pass in log on vlan0 inet from zzz.xxx.yyy./30 to any flags S/SA keep state queue(zzz.xxx.yyy._stdi, zzz.xxx.yyy._acki)
pass out log on em0 inet from zzz.xxx.yyy./30 to any flags S/SA keep state queue(zzz.xxx.yyy._stdo, zzz.xxx.yyy._acko)
pass in log on em0 inet from any to zzz.xxx.yyy./30 flags S/SA keep state queue(zzz.xxx.yyy._stdi, zzz.xxx.yyy._acki)

Node2

pass in log on vlan1 inet from zzz.xxx.yyy./30 to any flags S/SA keep state queue(zzz.xxx.yyy._stdi, zzz.xxx.yyy._acki)
pass out log on vlan0 inet from zzz.xxx.yyy./30 to any flags S/SA keep state queue(zzz.xxx.yyy._stdo, zzz.xxx.yyy._acko)
pass in log on vlan0 inet from any to zzz.xxx.yyy./30 flags S/SA keep state queue(zzz.xxx.yyy._stdi, zzz.xxx.yyy._acki)

While testing I noticed that if a connection was initiated (a big ftp download session), for example on node1, and then failovered to node2, traffic did not hit the right queue, but when I failovered again to node2 the traffic hit the right queue again. I think the problem is that pf cannot sync correctly if different interface names are used on the nodes; could anyone confirm that?

On E, 2009-06-01 at 22:47 +0200, Henning Brauer wrote:

* Georg Kahest ge...@viatel.ee [2009-06-01 15:21]:

Yes the rulesets are identical, strange thing is from pftop it seems that it hits default queue (25mbit queue) but somehow the client gets 10~MB/s what seems more of interface root queue value rather than that default queue. Though the real queue it should use is at 8mbit.

that is expected with states without reference back to a rule. this clearly proves your rulesets are not identical, because otherwise that ref would have been there. and in any case - current behaves differently, queueing info now lives on the state.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

-- Georg Kahest ge...@viatel.ee ProGroup Holding
Re: Wireless help, please
Anybody else have any suggestions? Nick? Cheers, b On 2009 May 30, at 5:21 PM, Ben Goren wrote: On 2009 May 30, at 7:03 AM, Jason Dixon wrote: On Sat, May 30, 2009 at 06:48:59AM -0700, Ben Goren wrote: I'm trying to set up my first wireless network, with less than stellar success. You need to narrow your spectrum of diagnosis. Start ruling out those things which are known to work. Rule out those things which are known to work and you'll be left with the thing(s) that don't. Examples: - OpenBSD wireless connectivity (as a client) - OpenBSD wired connectivity - Mac wired connectivity - Mac wireless connectivity (to a different WAP) - etc... I've done as much of that as I can -- or, at least, as much as I can think of. The two computers have no trouble talking to each other over wired ethernet. Indeed, for several seconds, they communicate just fine over wireless -- my problem is that it only lasts for several seconds, after which the entire wireless connection is dropped and the iMac is no longer associated with any network. I don't have any other hardware to test with. I've thought of and tried a couple other things since this morning. There's one of those infamous ``linksys'' networks somewhere in the vicinity, but apparently not nearby. I was able to connect to it from the iMac a while ago and do a bit of (very slow) surfing, and even open an ssh session back to the laptop. I can't seem to re-connect to it now, and I haven't been able to connect to it from the laptop. There are a couple other networks in the area that aren't using any form of wireless security, but they have official-sounding names like ``ASUEMPLOYEE.'' I can connect to them from either computer -- and the connection doesn't go away -- but no DHCP servers will talk to me. I've also tried setting up the laptop in both ibss and ibss-master mode. 
With ibss-master, ifconfig always reports ``no network.'' However, if I set the iMac up as an ibss-master, I can connect to it from the OpenBSD laptop, get a DHCP lease from it, and ping the iMac. So, it seems that everything works except for sustaining a link from the iMac to the OpenBSD laptop as a hostap for more than several seconds. Surely I must be missing something obvious? Cheers, b
A couple of Lenovo workstation oddities
As I've mentioned in a previous thread, among the machines on which I'm running OpenBSD 4.5 is a Lenovo Thinkstation S10. 4 cores, 4 Gb memory, 2 146 Gb SAS disks on an LSI raid controller, arranged as a raid 0. Two questions: 1. In the past, running Linux, I've backed this machine up (to a sata drive in a usb shoebox) by booting a live- or install-cd, the idea being to have the system completely quiescent during the backup. I've been absolutely stymied in trying to do the same thing with OpenBSD. The install45 cd does not have enough sd* devices (the sd0 series only), so I can't mount both the raid 0 and the backup drive. The two live cds I tried (bsdanywhere and jggimi) both fail during booting, complaining they can't find their root filesystem. In order to get any flavor of OpenBSD to boot on this machine, I have to get into ukc and disable uhci. Thinking that might be causing this problem, I tried the jggimi livecd on my Thinkpad X61 (2 64-bit cores) both just letting it boot and doing the ukc-disable uhci sequence. In both cases, the system booted successfully (no problem finding the root file system on the ramdisk). Hopefully temporarily, I've worked around this problem on the workstation by booting the installed system and backing it up while it's running, shutting down some key things (e.g., postgresql). But I would like to solve this problem one way or another and be able to boot enough of a system from a cd to be able to run my backup script. 2. If I boot the install45 cd (bsd.rd) on the workstation (after disabling uhci in ukc) and run reboot from the shell, the system reboots normally. If I boot the installed kernel (bsd.mp) and run reboot from the shell, the system powers down briefly and then comes back up and reboots. OpenBSD does not behave this way on the two Thinkpads on which I have it installed. Nor have I seen this behavior with Linux or FreeBSD that I had run previously on the workstation. 
I did get into the bios setup at one point, to see if there was some sort of option/setting that might relate to this, found nothing, escaped back to the top-level and exited without saving. To my surprise, the machine did the same thing -- powered down briefly and then came back up. While this is not a huge problem, the extra power cycling probably does the machine no good (though in the steady-state, once I've got OpenBSD completely sorted out, I won't be doing nearly as much rebooting as I've been doing while getting things together; the machine is normally powered off, I boot it every few days to do some work for a few hours, and then shut it down). While the behavior I saw when exiting the bios setup prompts me to ask Lenovo about this. But since this behavior began with the installation of OpenBSD, it also seems appropriate to query this list. Any good ideas about either of these will be appreciated. /Don Allen
Re: A couple of Lenovo workstation oddities
On Tuesday 02 June 2009 17:16:26 Donald Allen wrote:

As I've mentioned in a previous thread, among the machines on which I'm running OpenBSD 4.5 is a Lenovo Thinkstation S10. 4 cores, 4 Gb memory, 2 146 Gb SAS disks on an LSI raid controller, arranged as a raid 0. Two questions: 1. In the past, running Linux, I've backed this machine up (to a sata drive in a usb shoebox) by booting a live- or install-cd, the idea being to have the system completely quiescent during the backup. I've been absolutely stymied in trying to do the same thing with OpenBSD. The install45 cd does not have enough sd* devices (the sd0 series only), so I can't mount both the raid 0 and the backup drive.

You can freely create additional devices:

# cd /dev && sh MAKEDEV sd1

For the rest of your mail - it's not clear, did you try -CURRENT? I remember there were some commits related to X38...

-- Best wishes, Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: A couple of Lenovo workstation oddities
On Tue, 2 Jun 2009, Donald Allen wrote: As I've mentioned in a previous thread, among the machines on which I'm running OpenBSD 4.5 is a Lenovo Thinkstation S10. 4 cores, 4 Gb memory, 2 146 Gb SAS disks on an LSI raid controller, arranged as a raid 0. Two questions: 1. In the past, running Linux, I've backed this machine up (to a sata drive in a usb shoebox) by booting a live- or install-cd, the idea being to have the system completely quiescent during the backup. I've been absolutely stymied in trying to do the same thing with OpenBSD. The install45 cd does not have enough sd* devices (the sd0 series only), so I can't mount both the raid 0 and the backup drive. The two live cds I tried (bsdanywhere and jggimi) both fail during booting, complaining they can't find their root filesystem. In order to get any flavor of OpenBSD to boot on this machine, I have to get into ukc and disable uhci. Thinking that might be causing this problem, I tried the jggimi livecd on my Thinkpad X61 (2 64-bit cores) both just letting it boot and doing the ukc-disable uhci sequence. In both cases, the system booted successfully (no problem finding the root file system on the ramdisk). Hopefully temporarily, I've worked around this problem on the workstation by booting the installed system and backing it up while it's running, shutting down some key things (e.g., postgresql). But I would like to solve this problem one way or another and be able to boot enough of a system from a cd to be able to run my backup script. Why not use a single-user mode ( -s from boot prompt) for this? Even Linux and FreeBSD should have it, though not as pure. 2. If I boot the install45 cd (bsd.rd) on the workstation (after disabling uhci in ukc) and run reboot from the shell, the system reboots normally. If I boot the installed kernel (bsd.mp) and run reboot from the shell, the system powers down briefly and then comes back up and reboots. 
OpenBSD does not behave this way on the two Thinkpads on which I have it installed. Nor have I seen this behavior with Linux or FreeBSD that I had run previously on the workstation. I did get into the bios setup at one point, to see if there was some sort of option/setting that might relate to this, found nothing, escaped back to the top-level and exited without saving. To my surprise, the machine did the same thing -- powered down briefly and then came back up. While this is not a huge problem, the extra power cycling probably does the machine no good (though in the steady-state, once I've got OpenBSD completely sorted out, I won't be doing nearly as much rebooting as I've been doing while getting things together; the machine is normally powered off, I boot it every few days to do some work for a few hours, and then shut it down). While the behavior I saw when exiting the bios setup prompts me to ask Lenovo about this. But since this behavior began with the installation of OpenBSD, it also seems appropriate to query this list. Any good ideas about either of these will be appreciated. I am not the one able to help with this, but the dmesg output (/var/run/dmesg.boot) is almost always needed. Look at the section 'Reporting Bugs' in the FAQ first. Also, check with Lenovo if there are any bios updates available. Btw, do you experience the uhci troubles under OpenBSD/i386 (you forgot to mention here that you are running amd64)? Booting i386 bsd.rd should be enough to test. Maybe this comparison could be helpful. Regards, David
Re: relayctl host disable doesn't loop through all hosts
Original Message
Subject: Re: relayctl host disable doesn't loop through all hosts
From: Reyk Floeter r...@openbsd.org
To: Pierre-Yves Ritschard p...@spootnik.org
CC: Pascal Lalonde plalo...@overnet.qc.ca, misc@openbsd.org
Date: Wed Apr 01 2009 09:57:24 GMT-0400 (Eastern Daylight Time)

On Wed, Apr 01, 2009 at 09:22:44AM +0200, Pierre-Yves Ritschard wrote:

* Pascal Lalonde (plalo...@overnet.qc.ca) wrote:

Hello, I've been playing with relayd lately. There is a behavior which seems unintuitive and I was wondering if that was a bug or the intended behavior.

It's the intended behavior but I have been meaning to fix that at some point.

no, it shouldn't be fixed. one host can have different services with different states at the same time. if you want to reuse a single host check, use the parent keyword to inherit the host state from a previous entry, eg. 10.0.1.101 parent 1 to use the state of host 1 for host 4 and so on. this also allows you to disable host 1 and all of its children at the same time.

I still don't understand what is the intended behaviour of host disable command, since it only disables the check for the first service being listed in the show summary command. It seems to me that this might be a bug since in the man page it says:

host disable [name | id]
Disable a host. Treat it as though it were always down.

If the host is down, it implies that the services will be down as well.

When I try to disable a host (e.g.: relayctl host disable 10.0.1.101), and that host is part of more than one table, only the first occurrence gets disabled. I'm testing with relayd from Feb 28th snapshot. I would suppose it should disable all occurrences, since disabling by ID already lets you choose specific instances of that host.

# relayctl show summary
Id  Type      Name        Avlblty  Status
1   redirect  test                 active
1   table     test:8080            active (3 hosts)
1   host      10.0.1.101  100.00%  up
2   host      10.0.1.102  100.00%  up
3   host      10.0.1.103  100.00%  up
2   redirect  test2                active
2   table     test2:3              active (6 hosts)
4   host      10.0.1.101  100.00%  up
5   host      10.0.1.102  100.00%  up
6   host      10.0.1.103  100.00%  up
7   host      10.0.1.104  100.00%  up
8   host      10.0.1.105  100.00%  up
9   host      10.0.1.106  100.00%  up
# relayctl host disable 10.0.1.101
command succeeded
# relayctl show summary
Id  Type      Name        Avlblty  Status
1   redirect  test                 active
1   table     test:8080            active (2 hosts)
1   host      10.0.1.101           disabled
2   host      10.0.1.102  100.00%  up
3   host      10.0.1.103  100.00%  up
2   redirect  test2                active
2   table     test2:3              active (6 hosts)
4   host      10.0.1.101  100.00%  up
5   host      10.0.1.102  100.00%  up
6   host      10.0.1.103  100.00%  up
7   host      10.0.1.104  100.00%  up
8   host      10.0.1.105  100.00%  up
9   host      10.0.1.106  100.00%  up

Thanks in advance!

-- Emery Guivremont Administrateur Réseau / Network Administrator Gameloft - Global Network Service
Re: List of old forked or frozen code like apache that needs cleanup?
On Mon, Jun 1, 2009 at 11:12 PM, Евгений Юнак e.yu...@gmail.com wrote:

Yes, but the tracker is about bugs, there is no such category as enhancement proposal. Maybe, just include such class? And i feel there still is a need for a list of what needs to be done, and who is responsible (think most active developers) for what subsystem. That will bring more openness to the development process, and it actually helps. OpenBSD was the first one to have public anon cvs. Having such tools is a normal way of communication in a big open source project, isn't it?

This comes up from time to time and the more I think about it, the more I believe that if you don't know what you want to do but somebody tells you, you won't be very good at it. Partially because you lack motivation, but also because if the problem you're solving has never affected you, then you probably won't understand it. Anyway, if you still feel like doing something, practically every day somebody requests some feature on the mailing list.
Re: PF/Carp/Pfsync
Hello again

I made identical configurations on both boxes pf-wise; the only difference was the physical interface under the vlan interfaces on top of which carp was built, and I could not get carp/pfsync to work correctly: ongoing traffic at failover did not hit the right queue, only new traffic did.

Note: One box has a nic with the EM driver, the other BNX.

I got the failover queue sync working correctly (ongoing traffic at the failover moment hits the right queue, rather than the default queue) by adding no state to all queue rules. That, though, produces a lot more spam (@pflog)/resource usage. Are there any other workarounds for this issue, and how's the situation with it in OpenBSD 4.5?

example:

pass in log on vlan0 from zzz.xxx.yyy.ddd/30 queue (zzz.xxx.yyy.ddd_stdi, zzz.xxx.yyy.ddd_acki) no state

On E, 2009-06-01 at 22:47 +0200, Henning Brauer wrote:

* Georg Kahest ge...@viatel.ee [2009-06-01 15:21]:

Yes the rulesets are identical, strange thing is from pftop it seems that it hits default queue (25mbit queue) but somehow the client gets 10~MB/s what seems more of interface root queue value rather than that default queue. Though the real queue it should use is at 8mbit.

that is expected with states without reference back to a rule. this clearly proves your rulesets are not identical, because otherwise that ref would have been there. and in any case - current behaves differently, queueing info now lives on the state.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

-- Georg Kahest ge...@viatel.ee ProGroup Holding
Re: Wireless help, please
On Tue, Jun 2, 2009 at 7:32 AM, Ben Goren b...@trumpetpower.com wrote:

Anybody else have any suggestions? Nick?

I have similar problems with a 'rum' USB stick in AP mode using WPA. See the man page for specific known issues with using this chipset in Host AP mode. Can anybody suggest a readily available USB2 Wireless-G adapter which works well as an AP?
Re: Wireless help, please
On 2009-06-02, K K kka...@gmail.com wrote:

On Tue, Jun 2, 2009 at 7:32 AM, Ben Goren b...@trumpetpower.com wrote:

Anybody else have any suggestions? Nick?

I have similar problems with a 'rum' USB stick in AP mode using WPA. See the man page for specific known issues with using this chipset in Host AP mode. Can anybody suggest a readily available USB2 Wireless-G adapter which works well as an AP?

USB wireless adapters do not work well as APs. The only ones where we support this at all are ural and rum, and though they can be useful in a sticky situation where it's all you have available, they don't make good access points.
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
Attempting to boot my Thinkstation S10 with a cd made from amd64/install45.iso results in uhci3: host system error uhci3: host controller process error uhci3: host controller halted The machine has a quad-core Intel processor, 4 Gb memory, 2 146 Gb SAS drives on an LSI raid controller set up as a raid 0. It's plugged into a Raritan Switchman KVM. I had no trouble installing Linux and later FreeBSD on this machine. From what I've seen thus far of OpenBSD, I prefer it to anything else. But this is obviously a showstopper if I can't boot the install cd. Anyone have any ideas? Thanks -- /Don Allen Why are you using the AMD installation with an Intel cpu? -- Ed Ahlsen-Girard Ft. Walton Beach FL
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture.
Re: Wireless help, please
On 2009 Jun 2, at 10:00 AM, Stuart Henderson wrote:

On 2009-06-02, K K kka...@gmail.com wrote:

On Tue, Jun 2, 2009 at 7:32 AM, Ben Goren b...@trumpetpower.com wrote:

Anybody else have any suggestions? Nick?

I have similar problems with a 'rum' USB stick in AP mode using WPA. See the man page for specific known issues with using this chipset in Host AP mode. Can anybody suggest a readily available USB2 Wireless-G adapter which works well as an AP?

USB wireless adapters do not work well as APs. The only ones where we support this at all are ural and rum, and though they can be useful in a sticky situation where it's all you have available, they don't make good access points.

With that in mind...are any of these ``wireless bridge'' devices worth considering? I have a spare PC Ethernet card for this laptop. This is one of Amazon's top hits for the sort of thing I'm thinking of. If anybody has any suggestions on the matter, I'd appreciate it.

http://www.amazon.com/Linksys-WET610N-Wireless-N-Ethernet-Dual-Band/dp/B001QVQ7JU/ref=sr_1_2?ie=UTF8&s=electronics&qid=1243962805&sr=1-2

or:

http://tinyurl.com/oe3nsg

Cheers, b
Bochs on OpenBSD/Sparc64
Hi, I just found out that the bochs-package: http://www.openbsd.org/4.4_packages/sparc64/bochs-2.3.7.tgz-long.html is available for OpenBSD/Sparc64.

I therefore wonder if:
-Linux/x86 would run on a OBSD netra server and if
-isdn4linux with usb-modem would run smoothly
-a fonera (www.fon.com) linux-x86 binary for offering hotspots using a usb-wifi-stick could be run as well.

Does anybody have experience regarding
-performance
-security
-stability
?

Thanks, Chris
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 02, 2009 at 01:29:45PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture. If such decisions could be made without taking into account reality, surely sparc64 would be a better choice. But the S10 has an N270 Atom processor, so it is i386 only. http://ark.intel.com/Product.aspx?id=36331
Re: PF/Carp/Pfsync
* Georg Kahest ge...@viatel.ee [2009-06-02 10:01]:

The rules look identical to me at the moment, but I will double-check them. One thing though: I don't have the same interface names on both boxes,

that is your problem. checksum in pfctl -vsi must be identical.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
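The check named in the reply above, as an added example that is not part of the original thread: it reads the `Checksum:` line that `pfctl -vsi` prints on each pfsync peer and reports whether the two rulesets match. The file names, host IDs and checksum values are constructed samples; on real firewalls the two files would be saved from `pfctl -vsi` on each node.

```shell
#!/bin/sh
# Added example (not from the thread): compare the ruleset checksum that
# `pfctl -vsi` reports on two pfsync peers. All sample output is constructed.

# Print the value of the "Checksum:" line from saved `pfctl -vsi` output.
# Exits non-zero when the line is absent (e.g. pfctl was run without -v).
pf_checksum() {
    awk '$1 == "Checksum:" { print $2; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# Return 0 if both peers report the same checksum, 1 if they differ,
# 2 if either file carries no checksum at all.
compare_pf_checksums() {
    a=$(pf_checksum "$1") || return 2
    b=$(pf_checksum "$2") || return 2
    [ "$a" = "$b" ]
}

# Echo a one-word verdict for a pair of saved outputs.
sync_status() {
    rc=0
    compare_pf_checksums "$1" "$2" || rc=$?
    case $rc in
        0) echo match ;;      # states can keep their reference to a rule
        1) echo mismatch ;;   # synced states lose the rule, and its queue
        *) echo unknown ;;
    esac
}

# --- constructed sample data -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Node 1 (constructed).
cat > "$SAMPLE_DIR/node1.txt" <<'EOF'
Status: Enabled for 3 days 04:12:55           Debug: Urgent

Hostid:   0x0a000001
Checksum: 0x5f1c0b7a9e3d4c2b8a6f0e1d2c3b4a59

State Table                          Total             Rate
  current entries                      142
EOF

# Node 2 with different interface names in its rules (constructed).
cat > "$SAMPLE_DIR/node2.txt" <<'EOF'
Status: Enabled for 3 days 04:10:02           Debug: Urgent

Hostid:   0x0a000002
Checksum: 0xc47e91d02ab35f6688d1e0f3a9b7c215

State Table                          Total             Rate
  current entries                      140
EOF

# Node 2 after loading the same ruleset as node 1 (constructed).
cat > "$SAMPLE_DIR/node2-fixed.txt" <<'EOF'
Status: Enabled for 0 days 00:05:41           Debug: Urgent

Hostid:   0x0a000002
Checksum: 0x5f1c0b7a9e3d4c2b8a6f0e1d2c3b4a59

State Table                          Total             Rate
  current entries                      139
EOF

# Output captured without -v: no Hostid or Checksum lines (constructed).
cat > "$SAMPLE_DIR/node2-noverbose.txt" <<'EOF'
Status: Enabled for 3 days 04:10:02           Debug: Urgent

State Table                          Total             Rate
  current entries                      140
EOF

for peer in node2.txt node2-fixed.txt node2-noverbose.txt; do
    printf 'node1.txt vs %s: %s\n' "$peer" \
        "$(sync_status "$SAMPLE_DIR/node1.txt" "$SAMPLE_DIR/$peer")"
done
```

The Hostid is expected to differ between peers; only the checksum has to be equal.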
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 2, 2009 at 1:48 PM, Jonathan Gray j...@goblin.cx wrote: On Tue, Jun 02, 2009 at 01:29:45PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture. If such decisions could be made without taking into account reality, surely sparc64 would be a better choice. But the S10 has an N270 Atom processor, so it is i386 only. http://ark.intel.com/Product.aspx?id=36331 If it makes it far enough to display usb device attachment it can definitely run 64-bit code, as evidenced by the fact that it is.
Re: Bochs on OpenBSD/Sparc64
On Tue, Jun 2, 2009 at 1:42 PM, Christopher Intemann intem...@gmail.com wrote: I therefore wonder if: -Linux/x86 would run on a OBSD netra server and if -isdn4linux with usb-modem would run smoothly Since isdn4linux doesn't support usb-modems, no.
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 02, 2009 at 02:00:02PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:48 PM, Jonathan Gray j...@goblin.cx wrote: On Tue, Jun 02, 2009 at 01:29:45PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture. If such decisions could be made without taking into account reality, surely sparc64 would be a better choice. But the S10 has an N270 Atom processor, so it is i386 only. http://ark.intel.com/Product.aspx?id=36331 If it makes it far enough to display usb device attachment it can definitely run 64-bit code, as evidenced by the fact that it is. So lenovo sell two different products called S10, ugh.
Re: Wireless help, please
Stuart Henderson, 06/02/09 20:00:

On 2009-06-02, K K kka...@gmail.com wrote:

On Tue, Jun 2, 2009 at 7:32 AM, Ben Goren b...@trumpetpower.com wrote:

Anybody else have any suggestions? Nick?

I have similar problems with a 'rum' USB stick in AP mode using WPA. See the man page for specific known issues with using this chipset in Host AP mode. Can anybody suggest a readily available USB2 Wireless-G adapter which works well as an AP?

USB wireless adapters do not work well as APs. The only ones where we support this at all are ural and rum, and though they can be useful in a sticky situation where it's all you have available, they don't make good access points.

I have a rum0 based cnet pro usb dongle, and it even supports wpa/psk.

Regards, Cem
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 2, 2009 at 1:48 PM, Jonathan Gray j...@goblin.cx wrote: On Tue, Jun 02, 2009 at 01:29:45PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture. If such decisions could be made without taking into account reality, surely sparc64 would be a better choice. But the S10 has an N270 Atom processor, so it is i386 only. That's not correct. See my previous message. You are confusing my machine (a Thinkstation S10 workstation) with a Lenovo netbook of the same name. /Don http://ark.intel.com/Product.aspx?id=36331
Re: Wireless help, please
Cem Kayali, 06/02/09 21:23: Stuart Henderson, 06/02/09 20:00: On 2009-06-02, K K kka...@gmail.com wrote: On Tue, Jun 2, 2009 at 7:32 AM, Ben Goren b...@trumpetpower.com wrote: Anybody else have any suggestions? Nick? I have similar problems with a 'rum' USB stick in AP mode using WPA. See the man page for specific know issues with using this chipset in Host AP mode. Can anybody suggest a readily available USB2 Wireless-G adapter which works well as an AP? USB wireless adapters do not work well as APs. The only ones where we support this at all are ural and rum, and though they can be useful in a sticky situation where it's all you have available, they don't make good access points. I have a rum0 based cnet pro usb dongle, and it even supports wpa/psk. Regards, Cem This one: http://www.cnet.com.tw/product/cwd-854d.htm Cem
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Attempting to boot my Thinkstation S10 with a cd made from amd64/install45.iso results in uhci3: host system error uhci3: host controller process error uhci3: host controller halted The machine has a quad-core Intel processor, 4 Gb memory, 2 146 Gb SAS drives on an LSI raid controller set up as a raid 0. It's plugged into a Raritan Switchman KVM. I had no trouble installing Linux and later FreeBSD on this machine. From what I've seen thus far of OpenBSD, I prefer it to anything else. But this is obviously a showstopper if I can't boot the install cd. Anyone have any ideas? Thanks -- /Don Allen Why are you using the AMD installation with an Intel cpu? From http://www.openbsd.org/amd64.html: OpenBSD/amd64 runs on AMD's Athlon-64 family of processors in 64-bit mode. It also runs on processors made by other manufacturers which have cloned the AMD64 extensions. (Some Intel processors lack support for important PAE NX bit, which means those machines will run without any W^X support -- it is thus safer to run those machines in i386 mode). This machine has the Intel Q6600 quad-core processor, which supports PAE NX. /Don Allen -- Ed Ahlsen-Girard Ft. Walton Beach FL
Re: A couple of Lenovo workstation oddities
On Tue, Jun 2, 2009 at 10:18 AM, Vadim Zhukov persg...@gmail.com wrote: On Tuesday 02 June 2009 17:16:26 Donald Allen wrote: As I've mentioned in a previous thread, among the machines on which I'm running OpenBSD 4.5 is a Lenovo Thinkstation S10. 4 cores, 4 Gb memory, 2 146 Gb SAS disks on an LSI raid controller, arranged as a raid 0. Two questions: 1. In the past, running Linux, I've backed this machine up (to a sata drive in a usb shoebox) by booting a live- or install-cd, the idea being to have the system completely quiescent during the backup. I've been absolutely stymied in trying to do the same thing with OpenBSD. The install45 cd does not have enough sd* devices (the sd0 series only), so I can't mount both the raid 0 and the backup drive. You can freely create additional devices: # cd /etc sh MAKEDEV sd1 Thanks -- I'll try it. For the rest of your mail - it's not clear, did you tried -CURRENT? I remember there were some commits related to X38... I have not tried -CURRENT. I'll check the cvs logs to see if I can find anything that seems relevant. /Don -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: A couple of Lenovo workstation oddities
On Tue, Jun 2, 2009 at 10:23 AM, David Vasek va...@fido.cz wrote: On Tue, 2 Jun 2009, Donald Allen wrote: As I've mentioned in a previous thread, among the machines on which I'm running OpenBSD 4.5 is a Lenovo Thinkstation S10. 4 cores, 4 Gb memory, 2 146 Gb SAS disks on an LSI raid controller, arranged as a raid 0. Two questions: 1. In the past, running Linux, I've backed this machine up (to a sata drive in a usb shoebox) by booting a live- or install-cd, the idea being to have the system completely quiescent during the backup. I've been absolutely stymied in trying to do the same thing with OpenBSD. The install45 cd does not have enough sd* devices (the sd0 series only), so I can't mount both the raid 0 and the backup drive. The two live cds I tried (bsdanywhere and jggimi) both fail during booting, complaining they can't find their root filesystem. In order to get any flavor of OpenBSD to boot on this machine, I have to get into ukc and disable uhci. Thinking that might be causing this problem, I tried the jggimi livecd on my Thinkpad X61 (2 64-bit cores) both just letting it boot and doing the ukc-disable uhci sequence. In both cases, the system booted successfully (no problem finding the root file system on the ramdisk). Hopefully temporarily, I've worked around this problem on the workstation by booting the installed system and backing it up while it's running, shutting down some key things (e.g., postgresql). But I would like to solve this problem one way or another and be able to boot enough of a system from a cd to be able to run my backup script. Why not use a single-user mode ( -s from boot prompt) for this? Even Linux and FreeBSD should have it, though not as pure. 2. If I boot the install45 cd (bsd.rd) on the workstation (after disabling uhci in ukc) and run reboot from the shell, the system reboots normally. If I boot the installed kernel (bsd.mp) and run reboot from the shell, the system powers down briefly and then comes back up and reboots. 
OpenBSD does not behave this way on the two Thinkpads on which I have it installed. Nor have I seen this behavior with Linux or FreeBSD that I had run previously on the workstation. I did get into the bios setup at one point, to see if there was some sort of option/setting that might relate to this, found nothing, escaped back to the top-level and exited without saving. To my surprise, the machine did the same thing -- powered down briefly and then came back up. While this is not a huge problem, the extra power cycling probably does the machine no good (though in the steady-state, once I've got OpenBSD completely sorted out, I won't be doing nearly as much rebooting as I've been doing while getting things together; the machine is normally powered off, I boot it every few days to do some work for a few hours, and then shut it down). While the behavior I saw when exiting the bios setup prompts me to ask Lenovo about this. But since this behavior began with the installation of OpenBSD, it also seems appropriate to query this list. Any good ideas about either of these will be appreciated. I am not the one able to help with this, but the dmesg output (/var/run/dmesg.boot) is almost always needed. Look at the section 'Reporting Bugs' in the FAQ first. Also, check with Lenovo if there are any bios updates available. Already did -- there aren't. Btw, do you experience the uhci troubles under OpenBSD/i386 (you forgot to mention here that you are running amd64)? Booting i386 bsd.rd should be enough to test. Maybe this comparison could be helpful. Good idea -- I'll try it. /Don Regards, David
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tue, Jun 02, 2009 at 02:36:07PM -0400, Donald Allen wrote: On Tue, Jun 2, 2009 at 1:48 PM, Jonathan Gray j...@goblin.cx wrote: On Tue, Jun 02, 2009 at 01:29:45PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture. If such decisions could be made without taking into account reality, surely sparc64 would be a better choice. But the S10 has an N270 Atom processor, so it is i386 only. That's not correct. See my previous message. You are confusing my machine (a Thinkstation S10 workstation) with a Lenovo netbook of the same name. Either way, I believe the Atom supports amd64 architecture as well as i386. -- - Graham Allan School of Physics and Astronomy - University of Minnesota -
Re: A couple of Lenovo workstation oddities
On Tuesday 02 June 2009 22:49:39 Donald Allen wrote: On Tue, Jun 2, 2009 at 10:18 AM, Vadim Zhukov persg...@gmail.com wrote: For the rest of your mail - it's not clear, did you tried -CURRENT? I remember there were some commits related to X38... I have not tried -CURRENT. I'll check the cvs logs to see if I can find anything that seems relevant. I'll recommend you to try it anyway. If it'll help then you can find a fix in CVS; if it will not then developers may pay attention to your problem; they do not care much about something already fixed, unless it is considered critical. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Wireless help, please
On 2009/06/02 21:23, Cem Kayali wrote: Stuart Henderson, 06/02/09 20:00: On 2009-06-02, K K kka...@gmail.com wrote: On Tue, Jun 2, 2009 at 7:32 AM, Ben Goren b...@trumpetpower.com wrote: Anybody else have any suggestions? Nick? I have similar problems with a 'rum' USB stick in AP mode using WPA. See the man page for specific know issues with using this chipset in Host AP mode. Can anybody suggest a readily available USB2 Wireless-G adapter which works well as an AP? USB wireless adapters do not work well as APs. The only ones where we support this at all are ural and rum, and though they can be useful in a sticky situation where it's all you have available, they don't make good access points. I have a rum0 based cnet pro usb dongle, and it even supports wpa/psk. Sure it works, but not *well*. rum CAVEATS The rum driver supports automatic control of the transmit speed in BSS mode only. Therefore the use of a rum adapter in Host AP mode is dis- couraged. ural CAVEATS The ural driver supports automatic control of the transmit speed in BSS mode only. Therefore the use of an ural adapter in Host AP mode is dis- couraged. everything else USB, no hostap.
Flapping VPN under load on Soekris
Hi, Soekris is a VPN gateway for 11 clients. All those 12 machines are running OpenBSD. 10 of the client machines are connected to the VPN via wireless and all of those 10 machines are behind NAT (they share the same external ip). 1 host is at a remote location connected via wire. After all machines have set up IPsec VPN tunnels I can ssh to them with their internal IPs and everything works okay. There are no delays on ssh, all ssh sessions are pretty stable. Unfortunately the VPN starts to flap when I increase bandwidthd load on one of the servers. If I start env PKG_PATH=scp://.../ pkg_add -ui the IPsec connection will drop after a while. If I connect to samba and try to download any file larger than 300MB the VPN will drop. Another scenario. When all VPNs are up and stable (traffic is low) and one of the clients is rebooted, at boot time when ipsecctl -f /etc/ipsec.conf is executed its tunnel is set up and _all_ other tunnels are immediately dropped. I would really appreciate some help to explain the root of the problem. Below some config files, isakmpd log, and soekris dmesg attached. Not all clients have the same ipsec.conf(5) though. 
Soekris: OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC Example client: OpenBSD 4.5-current (GENERIC) #16: Sun May 31 10:28:18 MDT 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC # Soekris ipsec.conf(5): ike passive esp tunnel \ from { \ 172.16.0.0/16 192.168.1.0/24 \ 192.168.2.0/24 192.168.3.0/24 \ 10.0.0.0/8 any \ } to any \ main auth hmac-sha1 enc aes-128 group modp1024 \ quick auth hmac-sha1 enc aes-128 group modp1024 \ srcid net4511.ath.cx # Example client ipsec.conf(5): ike dynamic esp tunnel \ from egress to any peer net4511.ath.cx \ main auth hmac-sha1 enc aes-128 group modp1024 \ quick auth hmac-sha1 enc aes-128 group modp1024 \ dstid net4511.ath.cx # Logs from Soekris: Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.65 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.52 Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type Unknown 29 in payload of type 8 Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3 Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message 
from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56 Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.226 Jun 2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7 -- best regards q# OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 (AuthenticAMD 486-class) cpu0: FPU real mem = 66678784 (63MB) avail mem = 55160832 (52MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 20/50/27, BIOS32 rev. 0 @ 0xf7840 pcibios0 at bios0: rev 2.0 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc8000/0x9000 cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (no bios) elansc0 at pci0 dev 0 function 0 AMD ElanSC520 PCI rev 0x00: product 0 stepping 1.1, CPU clock 100MHz, reset 0 gpio0 at elansc0: 32 pins cbb0 at pci0 dev 9 function 0 TI PCI1410 CardBus rev 0x02: irq 10 hifn0 at pci0 dev 16 function 0 Hifn 7955/7954 rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 11 sis0 at pci0 dev 18 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 5, address 00:00:24:c5:23:58 nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1 sis1 at pci0 dev 19 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 9, address 00:00:24:c5:23:59 nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1 cardslot0 at cbb0
Re: Is Jesus God
On Mon, 11 May 2009 16:40:56 -0500 Marco Peereboom sl...@peereboom.us wrote: no Well, yes, but only in the Hindu sense, if you want to maintain consistency ;-) Dhu On Mon, May 11, 2009 at 03:24:15PM -0500, James wrote: Here is your Topic of the Month. Please log in at www.jesus4athiest.org Topic: Is Jesus God peace-james
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On 2009-06-02, Graham Allan al...@physics.umn.edu wrote: On Tue, Jun 02, 2009 at 02:36:07PM -0400, Donald Allen wrote: On Tue, Jun 2, 2009 at 1:48 PM, Jonathan Gray j...@goblin.cx wrote: On Tue, Jun 02, 2009 at 01:29:45PM -0400, Ted Unangst wrote: On Tue, Jun 2, 2009 at 1:09 PM, eagir...@cox.net wrote: Why are you using the AMD installation with an Intel cpu? Probably because it's a better architecture. If such decisions could be made without taking into account reality, surely sparc64 would be a better choice. But the S10 has an N270 Atom processor, so it is i386 only. That's not correct. See my previous message. You are confusing my machine (a Thinkstation S10 workstation) with a Lenovo netbook of the same name. Either way, I believe the Atom supports amd64 architecture as well as i386. Only some.
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
Are you guys still all excited about the stinkstation?
Re: Flapping VPN under load on Soekris
you're probably overloading the CPU. try -current, sis(4) has MCLGETI now which should mitigate things a bit. still, that's a lot of load you're putting on a little 486 which will almost certainly be restricting your throughput. On 2009-06-02, Mikolaj Kucharski miko...@kucharski.name wrote: Hi, Soekris is a VPN gateway for 11 clients. All those 12 machines are running OpenBSD. 10 of client machines are connected to the VPN via wireless and all of those 10 machines are behind NAT (they share the same external ip). 1 host is at remote location connected via wire. Afer all machine are setup IPsec VPN tunnels I can ssh to them with their internal IPs and everything works okay. There are no delays on ssh, all ssh sessions are pretty stable. Unforunately VPN is starting to flap when I increast bandwidthd load on one of the servers. If I start env PKG_PATH=scp://.../ pkg_add -ui IPsec connection will drop after a while. If I connect to samba and try to download any file larger than 300MB VPN will drop. Another scenario. When all VPNs are up and stable (traffic is low) and one of the clients is rebooted at boot time when ipsecctl -f /etc/ipsec.conf is executed it's tunell is setup and _all_ other tunnels are immediately dropped. I would really appreciate some help to explain root of the problem. Below some config files, isakmpd log, and soekris dmesg attached. Not all clients have the same ipec.conf(5) though. 
Soekris: OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC Example client: OpenBSD 4.5-current (GENERIC) #16: Sun May 31 10:28:18 MDT 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC # Soekris ipsec.conf(5): ike passive esp tunnel \ from { \ 172.16.0.0/16 192.168.1.0/24 \ 192.168.2.0/24 192.168.3.0/24 \ 10.0.0.0/8 any \ } to any \ main auth hmac-sha1 enc aes-128 group modp1024 \ quick auth hmac-sha1 enc aes-128 group modp1024 \ srcid net4511.ath.cx # Example client ipsec.conf(5): ike dynamic esp tunnel \ from egress to any peer net4511.ath.cx \ main auth hmac-sha1 enc aes-128 group modp1024 \ quick auth hmac-sha1 enc aes-128 group modp1024 \ dstid net4511.ath.cx # Logs from Soekris: Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.65 Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.52 Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type Unknown 29 in payload of type 8 Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3 Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message 
from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56 Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.226 Jun 2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7
Re: Flapping VPN under load on Soekris
Can anyone give me example of embedded system (Soekris-like) which is known to handle PF traffic + VPN traffic at MBit/s throughput, and packets per second level, generated by home users browsing web, skyping, playing games on-line (low latency), at the same time. *Fanless* and which can run OpenBSD of course. I hope I'm not too demanding, is there anything like that? On Tue, Jun 02, 2009 at 11:10:14PM +, Stuart Henderson wrote: you're probably overloading the CPU. try -current, sis(4) has MCLGETI now which should mitigate things a bit. still, that's a lot of load you're putting on a little 486 which will almost certainly be restricting your throughput. Thanks Stuart. -- best regards q#
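For triaging a log like the one posted in this thread, the added example below (not part of the original messages and not isakmpd's own tooling) pairs each "dropped message" line with the message_parse_payloads complaint logged just before it and lists the peers whose drop follows a completed quick mode within a few seconds. The function names, the 5-second window and the year supplied for the year-less syslog timestamps are assumptions; the sample lines are copied from the log quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the isakmpd log quoted in the thread (gateway "net4511").
SAMPLE_LOG = """\
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.53
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.66
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.50
Jun 2 21:43:44 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.59
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: invalid next payload type Unknown 29 in payload of type 8
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.66 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: b3
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.50 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:44 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: 9e
Jun 2 21:43:44 net4511 isakmpd[16015]: dropped message from 172.16.0.53 port 500 due to notification type PAYLOAD_MALFORMED
Jun 2 21:43:45 net4511 isakmpd[16015]: isakmpd: quick mode done: src: 79.97.195.245 dst: 172.16.0.56
Jun 2 21:43:45 net4511 isakmpd[16015]: message_parse_payloads: reserved field non-zero: c7
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+isakmpd\[(\d+)\]:\s+(.*)$")
QUICK = re.compile(r"quick mode done: src: (\S+) dst: (\S+)")
PARSE = re.compile(r"message_parse_payloads: (.+)")
DROP = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\S+)")


def summarize(log_text, year=2009):
    """Group isakmpd events per peer.

    Syslog timestamps carry no year, so one is supplied (assumption: 2009,
    the date of the thread); it only matters for computing time deltas.
    """
    peers = defaultdict(lambda: {"quick_mode_done": 0, "drops": []})
    last_quick = {}    # peer -> time of its most recent "quick mode done"
    pending = {}       # pid -> parse complaint still waiting for its drop line
    unattributed = []  # parse complaints never followed by a drop line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        when = datetime.strptime("%d %s" % (year, " ".join(stamp.split())),
                                 "%Y %b %d %H:%M:%S")
        quick = QUICK.search(msg)
        parse = PARSE.match(msg)
        drop = DROP.match(msg)
        if quick:
            peer = quick.group(2)
            peers[peer]["quick_mode_done"] += 1
            last_quick[peer] = when
        elif parse:
            if pid in pending:  # previous complaint had no matching drop line
                unattributed.append(pending[pid])
            pending[pid] = parse.group(1)
        elif drop:
            peer, ntype = drop.groups()
            delta = None
            if peer in last_quick:
                delta = (when - last_quick[peer]).total_seconds()
            peers[peer]["drops"].append({
                "type": ntype,
                "reason": pending.pop(pid, None),
                "secs_after_quick_mode": delta,
            })
    unattributed.extend(pending.values())
    return {"peers": dict(peers), "unattributed": unattributed}


def peers_dropping_after_quick_mode(summary, window=5):
    """Peers with a dropped message within `window` seconds of quick mode done."""
    hits = []
    for peer, stats in summary["peers"].items():
        for d in stats["drops"]:
            secs = d["secs_after_quick_mode"]
            if secs is not None and secs <= window:
                hits.append(peer)
                break
    return sorted(hits)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for peer in peers_dropping_after_quick_mode(result):
        for d in result["peers"][peer]["drops"]:
            print(peer, d["type"], "-", d["reason"])
    print("parse errors without a drop line:", result["unattributed"])
```

The last sample line has no matching "dropped message" entry because the posted log ends there, so it is reported separately rather than attributed to a peer.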
Re: bsd.rd doesn't boot on a Lenovo Thinkstation S10
On Tuesday 02 June 2009 19:14:12 Marco Peereboom wrote: Are you guys still all excited about the stinkstation? I haven't tried putting a spare disk in the s10 someone has at work and put OpenBSD on it, but I can say that it's built a LOT better than many of the netbooks I've seen. --STeve Andre'
Can't get tls on smtpd to work right, just can't connect to server using tls.
Hi, I am having a problem testing this and maybe I am missing something simple, so any pointers would be appreciated. To test this I created the cert as described in man 8 starttls as follows, and below are all the steps I did without success so far: Create the missing directory and change to it. # mkdir /etc/mail/certs # cd /etc/mail/certs Generate the key and certificate based on my interface name dc0 in this case as follows: # openssl dsaparam 1024 -out dsa1024.pem # openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \ -out /etc/mail/certs/dc0.crt -keyout /etc/mail/certs/dc0.key I answer the various questions about the country, state, city, etc. Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: Common Name (eg, fully qualified host name) []: Email Address []: Then all looks good after that. I move my certificate and key to be root readable only as recommended in man 8 starttls as follows: # chmod -R go-rwx /etc/mail/certs And I finally removed the not needed dsa1024.pem file as well, as suggested in man 8 starttls # rm dsa1024.pem Now it looks like this: # ls -al total 16 drwx-- 2 root wheel 512 Jun 2 20:50 . drwxr-xr-x 3 root wheel 1024 Jun 2 20:44 .. -rw--- 1 root wheel 1241 Jun 2 20:47 dc0.crt -rw--- 1 root wheel 668 Jun 2 20:47 dc0.key I also created a link for the lo0 interface, which I am not sure why we should use tls there as it's local, but anyway, for completeness I did nevertheless. Here I used the same key, but I could create a second key too. Unless I am missing something, I guess for lo0 shouldn't tls be ignored anyway? Just a thought as you are already on the system at that point so why use it, or even smtps? Anyway, I do: # ln -s dc0.crt lo0.crt # ln -s dc0.key lo0.key and I have the final needed files as this: # ls -al total 16 drwx-- 2 root wheel 512 Jun 2 20:53 . drwxr-xr-x 3 root wheel 1024 Jun 2 20:44 .. 
-rw--- 1 root wheel 1241 Jun 2 20:47 dc0.crt -rw--- 1 root wheel 668 Jun 2 20:47 dc0.key lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.crt - dc0.crt lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.key - dc0.key Then I put the configuration in the /etc/mail/smtpd.conf file to use them: listen on lo0 tls certificate /etc/mail/certs/lo0.crt enable auth listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth and I get errors: # pkill smtpd # smtpd /etc/mail/smtpd.conf:12: syntax error /etc/mail/smtpd.conf:13: syntax error Even on dc0 only I get the same thing: # cat /etc/mail/smtpd.conf | grep listen listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth # pkill smtpd # smtpd /etc/mail/smtpd.conf:6: syntax error Any variation of it gives me the same errors except this one: listen on dc0 tls If I try to specify the certificate name, location, full path, etc I get errors, even if I add or not the end options enable auth. I can't connect to the smtpd using clients with only tls enabled. I test this using thunderbird and set up the sending mail server to use tls ONLY. I keep getting errors trying to connect to it. It refuses connection to it. I tried everything I can think of so far and I am still not successful doing it. The only part that works very well for weeks so far is without any tls like this: # cat /etc/mail/smtpd.conf | grep listen listen on dc0 # pkill smtpd # smtpd But with tls configuration, I can see the starttls in the offering: # telnet no-spam1.realconnect.com 25 Trying ::1... Connected to no-spam1.realconnect.com. Escape character is '^]'. 220 no-spam1.realconnect.com ESMTP OpenSMTPD EHLO testing 250-no-spam1.realconnect.com Hello testing [IPv6:::1], pleased to meet you 250-8BITMIME 250-STARTTLS 250 HELP quit 221 no-spam1.realconnect.com Closing connection Connection closed by foreign host. Anything I am forgetting that is obvious, or is it not ready to be used yet? Thanks for the feedback. Best, Daniel
Re: Can't get tls on smtpd to work right, just can't connect to server using tls.
Daniel Ouellet wrote: Hi, I am having problem testing this and my be I am missing something simple, so any pointers would be appreciates. To test this I created the cert as describe in man 8 starttls as follow and below are all the steps I did without success so far: Create the missing directory and change to it. # mkdir /etc/mail/certs # cd /etc/mail/certs Generate the key and certificate based on my interface name dc0 in this case as follow: # openssl dsaparam 1024 -out dsa1024.pem # openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \ -out /etc/mail/certs/dc0.crt -keyout /etc/mail/certs/dc0.key I answer the various question about the country, start, city, etc. Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: Common Name (eg, fully qualified host name) []: Email Address []: Then all look good after that. I move my certificate and key to be root readable only as recommended in man 8 starttls as follow: # chmod -R go-rwx /etc/mail/certs And I finally removed the not needed dsa1024.pem file as well as suggested in man 8 starttls # rm dsa1024.pem Now it look like this: # ls -al total 16 drwx-- 2 root wheel 512 Jun 2 20:50 . drwxr-xr-x 3 root wheel 1024 Jun 2 20:44 .. -rw--- 1 root wheel 1241 Jun 2 20:47 dc0.crt -rw--- 1 root wheel 668 Jun 2 20:47 dc0.key I also created a link for the lo0 interface, witch I am not sure why we should use tls there as it's local, but anyway, for completeness I did never the less. Here I used the same key, but I could created a second key too. Unless I am missing something, I guess for lo0 shou;dn't tls be ignore anyway? Just a thought as you are already on the system at that point so why use it, or even smtps? Anyway, I do: # ln -s dc0.crt lo0.crt # ln -s dc0.key lo0.key and I have the final needed files as this: # ls -al total 16 drwx-- 2 root wheel 512 Jun 2 20:53 . 
drwxr-xr-x 3 root wheel 1024 Jun 2 20:44 .. -rw--- 1 root wheel 1241 Jun 2 20:47 dc0.crt -rw--- 1 root wheel 668 Jun 2 20:47 dc0.key lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.crt - dc0.crt lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.key - dc0.key Then I put the configuration in the /etc/mail/smtpd.conf file to use them: listen on lo0 tls certificate /etc/mail/certs/lo0.crt enable auth listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth and I get errors: # pkill smtpd # smtpd /etc/mail/smtpd.conf:12: syntax error /etc/mail/smtpd.conf:13: syntax error Even only on dc0 only I get the same things: # cat /etc/mail/smtpd.conf | grep listen listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth # pkill smtpd # smtpd /etc/mail/smtpd.conf:6: syntax error Any variation of it give me the same errors except this one: listen on dc0 tls If I try to specify the certificate name, location, full path, etc I get errors, even if I add or not the end options enable auth. I can't connect to the smtpd using clients with only tls enable. I test this using thunderbird and setup the sending mail server to use tls ONLY. I keep getting errors trying to connect to it. It refuse connection to it. I try everything I can think of some far and I am still not successful doing it. The only part that works very well for weeks so far is without any tls like this: # cat /etc/mail/smtpd.conf | grep listen listen on dc0 # pkill smtpd # smtpd But with tls configuration, I can see the starttls in the offering: # telnet no-spam1.realconnect.com 25 Trying ::1... Connected to no-spam1.realconnect.com. Escape character is '^]'. 220 no-spam1.realconnect.com ESMTP OpenSMTPD EHLO testing 250-no-spam1.realconnect.com Hello testing [IPv6:::1], pleased to meet you 250-8BITMIME 250-STARTTLS 250 HELP quit 221 no-spam1.realconnect.com Closing connection Connection closed by foreign host. Anything I am forgetting that is obvious, or is it not ready to be use yet? Thanks for the feedback. 
Best, Daniel I didn't see you mention a certificate authority, is this self-signed? starttls says: If you don't intend to use TLS for authentication (and if you are using self-signed certificates you probably don't) you can simply link your new certificate to CAcert.pem. # ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem If, on the other hand, you intend to use TLS for authentication you should install your certificate authority bundle as /etc/mail/certs/CAcert.pem. You didn't mention this file. Chris Bennett -- A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a
Re: Can't get tls on smtpd to work right, just can't connect to server using tls.
I didn't see you mention a certificate authority, is this self-signed? Yes it is self signed. starttls says: If you don't intend to use TLS for authentication (and if you are using self-signed certificates you probably don't) you can simply link your new certificate to CAcert.pem. # ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem If, on the other hand, you intend to use TLS for authentication you should install your certificate authority bundle as /etc/mail/certs/CAcert.pem. You didn't mention this file. Because it doesn't apply at all for smtpd and nowhere in the code does it look for that anyway. So, no I didn't do anything about it. I did look at the code first and I did find the answer to one of my questions (the part for the name), but still the smtpd refuses connections for tls exchange. Just for the archive, the man smtpd on the configuration has: listen on interface [port port] [tls | smtps] [certificate name] [enable auth] where I was failing for the name part ONLY on the [certificate name] was that I used the full file name as dc0.crt instead of dc0 only, as the code does add the .crt part to the name. But that addresses only the name part of the configuration I had errors with. It doesn't fix the issue I can't get the system to work with tls. Most likely it is something stupid, but I can't see it nevertheless. Best, Daniel
Re: Can't get tls on smtpd to work right, just can't connect to server using tls.
If you don't intend to use TLS for authentication (and if you are using self-signed certificates you probably don't) you can simply link your new certificate to CAcert.pem. # ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem If, on the other hand, you intend to use TLS for authentication you should install your certificate authority bundle as /etc/mail/certs/CAcert.pem. You didn't mention this file. So, just in case something else in the system might look for this, I did the following: ln -s dc0.crt CAcert.pem I didn't think it would make any difference, but just for testing I did anyway and I now have: # ls -al total 16 drwx-- 2 root wheel 512 Jun 2 22:05 . drwxr-xr-x 3 root wheel 1024 Jun 2 20:56 .. lrwxr-xr-x 1 root wheel 7 Jun 2 22:05 CAcert.pem - dc0.crt -rw--- 1 root wheel 1241 Jun 2 20:47 dc0.crt -rw--- 1 root wheel 668 Jun 2 20:47 dc0.key lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.crt - dc0.crt lrwxr-xr-x 1 root wheel 7 Jun 2 20:53 lo0.key - dc0.key And still no go. Obviously here the dc0.crt is what the mycert.pem would have been anyway. smtpd.conf is looking for name.crt where the .crt is burned in the code, so it's not optional to have it. # cat /usr/src/usr.sbin/smtpd/ssl.c | grep .crt /etc/mail/certs/%s.crt, name)) { So, that's for the clue, but that's not it yet anyway. Best, Daniel
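The naming rule worked out in this thread (the listen directive takes a bare certificate name and the code builds /etc/mail/certs/%s.crt from it) can be checked before restarting smtpd. The following is an added example, not code from the thread or from smtpd: it parses directives laid out as in the synopsis quoted above and checks the files they resolve to. Assumptions: the certificate name defaults to the interface name, the key sits beside the certificate as name.key, tokens appear in the synopsis order, and the fxp0 and em0 listeners and the file contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

CERT_DIR = "/etc/mail/certs"  # directory used in the thread


def parse_listen(line):
    """Parse one directive laid out as the synopsis quoted in the thread:
    listen on interface [port port] [tls | smtps] [certificate name] [enable auth]
    """
    tok = line.split()
    if len(tok) < 3 or tok[:2] != ["listen", "on"]:
        raise ValueError("not a listen directive: %r" % line)
    rule = {"interface": tok[2], "port": None, "mode": None,
            "certificate": None, "auth": False}
    i = 3
    if tok[i:i + 1] == ["port"] and i + 1 < len(tok):
        rule["port"] = tok[i + 1]
        i += 2
    if tok[i:i + 1] in (["tls"], ["smtps"]):
        rule["mode"] = tok[i]
        i += 1
    if tok[i:i + 1] == ["certificate"] and i + 1 < len(tok):
        rule["certificate"] = tok[i + 1]
        i += 2
    if tok[i:i + 2] == ["enable", "auth"]:
        rule["auth"] = True
        i += 2
    if i != len(tok):
        raise ValueError("unexpected token %r in %r" % (tok[i], line))
    return rule


def lint_listen(line, cert_dir=CERT_DIR):
    """Return (code, detail) findings for one listen directive."""
    rule = parse_listen(line)
    findings = []
    if rule["mode"] is None:
        return findings  # plain SMTP listener: no certificate is loaded
    # Assumption: without "certificate", the interface name is the cert name.
    name = rule["certificate"] or rule["interface"]
    if "/" in name or name.endswith(".crt"):
        bare = os.path.basename(name)
        if bare.endswith(".crt"):
            bare = bare[:-len(".crt")]
        findings.append(("bare-name", "use 'certificate %s'; the directory "
                         "and '.crt' are added by smtpd" % bare))
        name = bare
    crt = os.path.join(cert_dir, name + ".crt")
    key = os.path.join(cert_dir, name + ".key")  # assumption: key beside cert
    for path in (crt, key):
        if not os.path.exists(path):
            findings.append(("missing", path))
    if os.path.exists(key):
        # os.stat follows symlinks, so lo0.key -> dc0.key checks the real key.
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:
            findings.append(("key-perms", "%s is mode %04o, expected no "
                             "group/other access" % (key, mode)))
    return findings


def demo():
    """Lint sample directives against a constructed copy of the cert directory."""
    lines = [
        "listen on dc0 tls certificate /etc/mail/certs/dc0.crt enable auth",  # from the thread
        "listen on dc0 tls certificate dc0 enable auth",
        "listen on lo0 tls",
        "listen on fxp0 smtps certificate fxp0",  # constructed: key left world-readable
        "listen on dc0",
        "listen on em0 tls",                      # constructed: no files at all
    ]
    with tempfile.TemporaryDirectory() as d:
        def put(name, mode):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real certificate or key\n")
            os.chmod(path, mode)
        put("dc0.crt", 0o600)
        put("dc0.key", 0o600)
        os.symlink("dc0.crt", os.path.join(d, "lo0.crt"))
        os.symlink("dc0.key", os.path.join(d, "lo0.key"))
        put("fxp0.crt", 0o644)
        put("fxp0.key", 0o644)
        return {ln: [code for code, _ in lint_listen(ln, d)] for ln in lines}


if __name__ == "__main__":
    for directive, codes in demo().items():
        print("%-70s %s" % (directive, codes or "ok"))
```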