obsd as domU?

2010-01-12 Thread Vadkan Jozsef
Can I run obsd as a xen guest?



Re: obsd as domU?

2010-01-12 Thread Bret Lambert
On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com wrote:
 Can I run obsd as a xen guest?



http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

The internet: you're doing it wrong.



Re: obsd as domU?

2010-01-12 Thread Ciprian Dorin, Craciun
On Tue, Jan 12, 2010 at 10:10 AM, Bret Lambert bret.lamb...@gmail.com wrote:
 On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com 
 wrote:
 Can I run obsd as a xen guest?



 http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

 The internet: you're doing it wrong.


Hello all! (I'm a very new OpenBSD user (tested only on Qemu, but
would like to put OpenBSD in production).)

And I just want to say that I had the same question a couple of
days ago: Is it really possible (as in tried in a quasi-production
environment) to run OpenBSD as a Xen domU? And if so, are there some
guidelines, documentation, etc.? If not, is there any willingness to
implement such a feature?

I've searched a little on the net and I've reached the
following two possibilities:
* Yes, but under Xen with HVM support, with the drawback of
(greater) CPU overhead and with some networking problems;
* And also yes as direct DomU, but based on the work of
Christoph Egger, which is not available on the net anymore;
* any other options??? (anyone???)

So I bet that the initial poster expected an (authoritative) answer
that should have come in the form of advice based on experience or
at least something useful... (Not lmgtfy, which I'm sure he already
did, but did not find a good enough answer (as in authoritative)...)

Sorry,
Ciprian.



Re: obsd as domU?

2010-01-12 Thread Bret Lambert
On Tue, Jan 12, 2010 at 9:41 AM, Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:

[snipz0rz]

 So I bet that the initial poster expected an (authoritative) answer
 that should have come in the form of advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not find a good enough answer (as in authoritative)...)

When both of his questions were, verbatim:

OpenBSD as Dom0: Is it possible?

and

Can I run obsd as a xen guest?

it's unclear to me, since he's unwilling to document what he's
found in order to help others to help him, whether or not he's willing
to do the work required in finding those answers to begin with.



Re: can't get binat working

2010-01-12 Thread Laurent CARON

On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:

I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I
assume that should make 192.168.0.253 visible in 192.168.0.0/24
subnet, but it is not. I can't reach it from 192.168.0.0/24 subnet.
I am just testing with this lab config and later, I want to use binat
to assign real IPs to DMZ machines.


Hi,

What are you *really* trying to achieve ?

Mapping public IPs to private ones ?



Re: obsd as domU?

2010-01-12 Thread Michiel van Baak
On 08:59, Tue 12 Jan 10, Vadkan Jozsef wrote:
 Can I run obsd as a xen guest?

under 'full' virtualisation, yes.
under para-virtualisation, no.

-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?



Re: Mini PCI Wireless Card

2010-01-12 Thread Alexander Hall
Benjamin Adams wrote:
 Thanks will order one.
 Anyone have an img file for soekris net5501?
 Or where I can download one.
 Easier install.

Would you trust any image presented to you?

It cannot get much easier than using the current installer anyway since
you would still have to tweak it for your setup (network interfaces,
hostnames etc). Plenty of info in the archives about that.

/Alexander



Re: scrotwm: anyone with a non-US keyboard ?

2010-01-12 Thread Alexandre Ratchov
On Mon, Jan 11, 2010 at 07:13:37PM -0600, Marco Peereboom wrote:
 So what is the verdict?  No good?  Need something else?
 

It seems to need to handle the ``Map'' and ``Unmap'' events;
so when the user switches between keyboard layouts
XKeycodeToKeysym still works.

I'm cooking a diff for this too.

-- Alexandre



Re: can't get binat working

2010-01-12 Thread Shohrukh Shoyoqubov
On Tue, Jan 12, 2010 at 2:25 PM, Laurent CARON lca...@unix-scripts.info wrote:
 On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:

 I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I
 assume that should make 192.168.0.253 visible in 192.168.0.0/24
 subnet, but it is not. I can't reach it from 192.168.0.0/24 subnet.
 I am just testing with this lab config and later, I want to use binat
 to assign real IPs to DMZ machines.

 Hi,

 What are you *really* trying to achieve ?

 Mapping public IPs to private ones ?



Yes



mute CARP with i386/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Pete Vickers
Hi,

Whilst setting up a H/A service on a pair of RELEASE4.6/i386 (+ bind/ssl
patches) machines, I observe that both become carp master concurrently.
Debugging shows that the carp master does not appear to transmit carp
announcements:


r...@gins0 ~tcpdump -i bnx0 -n proto carp
tcpdump: listening on bnx0, link-type EN10MB
^C [after 30 seconds]
16 packets received by filter
0 packets dropped by kernel
r...@gins0 ~


anyone any ideas ? (all other comms work fine over the link e.g. SSH, DNS,
ping etc.)



relevant config & dmesg follows:

s/123.456/my.correct.prefix/

r...@gins0 ~cat /etc/hostname.bnx0
inet 123.456.250.16 255.255.255.128

r...@gins0 ~cat /etc/hostname.carp0
inet 123.456.250.18 255.255.255.128
vhid 1 advskew 100 carpdev bnx0
description *** Gi NS H/A ***

r...@gins0 ~ifconfig bnx0
bnx0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1e:0b:bd:fa:12
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 123.456.250.16 netmask 0xff80 broadcast 123.456.250.127
inet6 fe80::21e:bff:febd:fa12%bnx0 prefixlen 64 scopeid 0x3

r...@gins0 ~ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
description: *** Gi NS H/A ***
priority: 0
carp: MASTER carpdev bnx0 vhid 1 advbase 1 advskew 100
groups: carp
inet 123.456.250.18 netmask 0xff80 broadcast 123.456.250.127
inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5



dmesg:



r...@gins0 ~cat /var/run/dmesg.boot
OpenBSD 4.6 (GENERIC) #0: Thu Jan 24 03:03:58 CET 2008
r...@gins0:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class) 2.84
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 3487485952 (3325MB)
avail mem = 3382898688 (3226MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf,
SMBIOS rev. 2.4 @ 0xee000 (71 entries)
bios0: vendor HP version P56 date 01/24/2008
bios0: HP ProLiant DL380 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC  BERT HEST
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 333MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimadt0: unknown apic structure type ff
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (IPTA)
acpiprt2 at acpi0: bus 4 (IPTB)
acpiprt3 at acpi0: bus 11 (IPE1)
acpiprt4 at acpi0: bus 14 (IPE2)
acpiprt5 at acpi0: bus 17 (IPE3)
acpiprt6 at acpi0: bus 10 (IPE4)
acpiprt7 at acpi0: bus 9 (PT02)
acpiprt8 at acpi0: bus 6 (PT03)
acpiprt9 at acpi0: bus 19 (PT04)
acpiprt10 at acpi0: bus 23 (PT06)
acpiprt11 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0xb000 0xcc400/0x4000! 0xd0400/0x1800
0xe6000/0x2000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci4 at ppb3 bus 14
ppb4 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01
pci5 at ppb4 bus 17
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 18
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1
pci7 at ppb6 bus 6
ciss0 at pci7 dev 0 function 0 Hewlett-Packard Smart Array rev 0x03: apic 8
int 18 (irq 10)
ciss0: 1 LD, HW rev 3, FW 4.12/4.12, 64bit fifo
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct fixed
sd0: 139979MB, 512 bytes/sec, 286677120 sec total
ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1
pci8 at ppb7 bus 19
ppb8 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0xb1
pci9 at ppb8 bus 22
ppb9 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0xb1
pci10 at ppb9 bus 23
ppb10 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0xb1
pci11 at ppb10 bus 26
pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0xb1
pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0xb1
pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0xb1
pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0xb1
pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0xb1
pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0xb1
pchb7 at pci0 

Lanner FW-8760 1U firewall platform.

2010-01-12 Thread SJP Lists
Howdy folks,

I thought some on the list might find this embedded bare bones 1U
firewall product interesting.

They claim it supports OpenBSD, has 8x Intel 82574L GbE (expandable to
16), a CF socket, 2x SATA and support for Intel Core i3, i5, and i7
processors up to 3.33GHz.

Looks like it might have a serial console too...

http://www.lannerinc.com/expansion/FW-8760

Cheers,


Shane



Using OpenBSD with Amazon's Virtual Private Cloud, IPsec issue

2010-01-12 Thread Matt Dainty
Hi,

I'm trying to evaluate using OpenBSD with Amazon's Virtual Private Cloud as a
Customer Gateway in their EC2-speak. What you need to do is create a tunnel
to each of Amazon's two routers, use BGP to exchange routes across the tunnels
and protect all the traffic with IPsec.

I've got it mostly working, but I've hit an issue with the IPsec and I'm
hoping someone might know what's going on.

I've made the various API calls as per the getting started guide [1] and
have the configuration in the generic format which you can see an example of
in the network admin guide [2]. Assume my uplink address is 1.2.3.4 and I
have a BGP ASN of 65023, my network is 192.168.23.0/24 and the remote
network where my EC2 instances will appear is 10.0.0.0/24.

Here's what I've done, first create two gif(4) tunnels:

# ifconfig gif1 create
# ifconfig gif1 tunnel 1.2.3.4 72.21.209.225
# ifconfig gif1 169.254.255.2 169.254.255.1 prefixlen 32
# ifconfig gif2 create
# ifconfig gif2 tunnel 1.2.3.4 72.21.209.193
# ifconfig gif2 169.254.255.6 169.254.255.5 prefixlen 32

Add the following to /etc/ipsec.conf:

ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
local 1.2.3.4 peer 72.21.209.225 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
srcid 1.2.3.4 \
psk XXX
ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
local 1.2.3.4 peer 72.21.209.193 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
srcid 1.2.3.4 \
psk YYY

Run isakmpd and load those two tunnels:

# isakmpd -4 -K
# ipsecctl -f /etc/ipsec.conf

ipsecctl -s all confirms those are loaded and I can ping the two tunnel
endpoints successfully. I've added pf rules to allow ESP and UDP 500 on the
external interface and for now I'm skipping gif1, gif2 and enc0 to hopefully
exclude pf as a potential source of any trouble.

Now I've created /etc/bgpd.conf

AS 65023
router-id 1.2.3.4
listen on 127.0.0.1
listen on 169.254.255.2
listen on 169.254.255.6

group amazon {
remote-as 7224
holdtime 30
holdtime min 30
announce default-route
announce IPv6 none
announce IPv4 unicast

neighbor 169.254.255.1 {
local-address 169.254.255.2
}

neighbor 169.254.255.5 {
local-address 169.254.255.6
}
}

Fire up bgpd and confirm it's working:

# bgpctl show nexthop
Nexthop          State
169.254.255.5    valid gif2 UP
169.254.255.1    valid gif1 UP
# route -n get 10.0.0.0
   route to: 10.0.0.0
destination: 10.0.0.0
       mask: 255.255.255.0
    gateway: 169.254.255.6
  interface: gif2
 if address: 169.254.255.6
   priority: 48 (bgp)
      flags: <UP,GATEWAY,DONE>
     use       mtu    expire
      24         0         0

Now here's where I've got stuck. If I try and ping an EC2 instance from my
network, I see the plain gif traffic leaving the external interface, and it
gets dropped by the remote router as it's not protected with IPsec. This makes
sense as there's no flow defined that will match that traffic, so I add two
further tunnels to /etc/ipsec.conf:

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
local 1.2.3.4 peer 72.21.209.225 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
srcid 1.2.3.4 \
psk XXX
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
local 1.2.3.4 peer 72.21.209.193 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
srcid 1.2.3.4 \
psk YYY

Now, only the latter tunnel gets configured; I'm guessing this is because the
from+to tuple is identical, so I'm configuring the same tunnel twice, just with
a different peer and key. As long as the routing decides to use the tunnel
that is configured with the second peer, everything works: I can ping and
SSH to my EC2 instance, but if it switches to the tunnel configured with
the first peer then it breaks.

Is it possible to have both configured somehow?

Thanks

Matt

[1] http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
[2] http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
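An added check, not from Matt's post and not an OpenBSD tool: a small sh/awk lint that flags the situation he describes, two `ike` rules with the same from/to selector but different peers. It assumes the rule syntax shown in the post (backslash-continued lines, `from A to B ... peer P`); the sample rules are constructed after his four, with the PSKs elided.

```shell
#!/bin/sh
# Added example (not from the post, not an OpenBSD tool): find ike rules in
# an ipsec.conf(5) that share one from/to selector but name different peers.
# Assumption: rule syntax as in the post (ike ... from A to B ... peer P,
# with backslash-continued lines); comments and non-ike lines are skipped.

# dup_selectors [FILE]: read FILE (or stdin) and print one line per from/to
# pair used by more than one ike rule, with the competing peers. Prints
# nothing when every selector is unique.
dup_selectors() {
    awk '
        {
            line = $0
            # Join backslash-continued lines into one logical rule.
            if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
            rule = buf line; buf = ""
            sub(/^[ \t]+/, "", rule)
            n = split(rule, t, /[ \t]+/)
            if (t[1] != "ike") next
            from = to = peer = ""
            for (i = 1; i <= n; i++) {
                if (t[i] == "from") from = t[i + 1]
                else if (t[i] == "to") to = t[i + 1]
                else if (t[i] == "peer") peer = t[i + 1]
            }
            if (from == "" || to == "") next
            key = from " -> " to
            count[key]++
            peers[key] = peers[key] " " peer
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    printf "%s: %d rules, peers%s\n", key, count[key], peers[key]
        }
    ' ${1:+"$1"}
}

# Constructed sample modelled on the four rules in the post (PSKs elided);
# the last two share a selector and differ only in peer and key.
SAMPLE_RULES='ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
    local 1.2.3.4 peer 72.21.209.225 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 psk XXX
ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
    local 1.2.3.4 peer 72.21.209.193 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 psk YYY
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
    local 1.2.3.4 peer 72.21.209.225 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 psk XXX
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
    local 1.2.3.4 peer 72.21.209.193 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 psk YYY'

# check_rules RULES: run the lint over RULES text; 0 = clean, 1 = conflicts.
check_rules() {
    dups=$(printf '%s\n' "$1" | dup_selectors)
    [ -z "$dups" ] && return 0
    printf 'conflicting ike selectors:\n%s\n' "$dups" >&2
    return 1
}

if check_rules "$SAMPLE_RULES"; then
    echo "no conflicting ike selectors"
fi
```

On the sample above it reports the shared `192.168.23.0/24 -> 10.0.0.0/24` selector with both peers.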



Re: mute CARP with i386/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Pete Vickers
Hi,

r...@gins0 ~grep pf /etc/rc.conf.local
pf=NO   # Packet filter / NAT


switches are fine, and couldn't affect outgoing packets anyway.

/Pete


On 12. jan. 2010, at 12.55, Rogier Krieger wrote:

 On Tue, Jan 12, 2010 at 12:14, Pete Vickers p...@systemnet.no wrote:
 Debugging shows that the carp master does not appear to transmit carp
 announcements:

 Neither does it seem to receive any announcements. A silly question,
 are you blocking CARP advertisements on the interfaces? Since a
 pf.conf output appears to be missing, that may be the issue.

 Another cause may be present in switches; on some of our older Cisco
 equipment a configuration with port security (if memory serves) caused
 us trouble. Try if a direct cable or dumb switch/hub lets packets flow
 if PF is not the source of the problem.

 All that is assuming that the basics were set up properly.

 Hope that helps,

 Rogier

 --
 If you don't know where you're going, any road will get you there.



Re: 4.6 reboots x336 ibm server(s)

2010-01-12 Thread J.D. Bronson
I just joined this thread today, but had a similar issue with an IBM 305 
machine.


On 4.5, it would randomly just shut down. No reason. Nothing in any 
logs, it was as if the power was pulled.


I have 2 identical IBM 305 machines and it was happening on both, so 
that technically ruled out any specific hardware failure.
What I did notice (in the BIOS events) was that the IBM reported fan 
#1,2,3 loss. Something seemed to disrupt the fan speed to bios reporting 
and I suspect the machine powered down since it thought it was 
overheating? - I could go a day or 2 weeks. Very random.


4.6 hasn't done this (yet) and uptime has been over a month.
However, even though both IBMs are the same in every way, 4.6-REL will 
boot on machine #2 but I have no networking. If I use a 4.6-CUR 
snapshot, it comes up fine. That makes NO sense, yet another user 
reported the same exact thing.


--
J.D. Bronson



thinkpad x200 wireless 5100 old issue

2010-01-12 Thread shwegime

Running 4.6 release.

Some time in summer I'd opened a thread about the Thinkpad x200 5100 wi-fi 
nic, of which here is the line from dmesg:
iwn0 at pci2 dev 0 function 0 Intel WiFi Link 5100 rev 0x00: apic 1 int 
17 (irq 11), MIMO 1T2R, MoW, address omissis
It turned out that the firmware is not perfect and the nic hangs very 
often and only starts working again after doing an 'ifconfig iwn0 down' and 
a subsequent 'up' (and it seems it has not been fixed in 4.6).
I used to restart the nic automatically with this script started in 
rc.local:


while true; do
	# one probe; grep succeeds only when ping reports total loss
	ping -v -c 1 -w 1 www.google.com | grep -q '100.0% packet loss'
	if [ ${?} -eq 0 ]
	then
		ifconfig iwn0 down && ifconfig iwn0 up
		sleep 3
	fi
done

Everything was fine until yesterday, when, without any change on my 
part to the system, 'ping' often does not give the 'packet loss' error 
and just hangs there, so the script (expecting the '100% packet loss') 
does not work.

Why is ping not giving me the expected error and just hanging there like this?:

~ $ ping -v -c 1 -w 1 www.google.com
(here is a blinking cursor)


Of course, if I at this point do a manual

ifconfig iwn0 down && ifconfig iwn0 up

it then works again.

tks
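As an added example, not the poster's script: the same watchdog idea, but with every probe run under a hard timeout, so a ping that hangs (the symptom above) counts as a failed probe instead of stalling the loop forever. Interface name, probe host and the reset command are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not the poster's script: the same watchdog idea, but every
# probe runs under a hard timeout so a hung ping(8) cannot stall the loop.
# Placeholders (not from the post): IFACE, PROBE_HOST and reset_iface.

IFACE=${IFACE:-iwn0}
PROBE_HOST=${PROBE_HOST:-www.google.com}
PROBE_TIMEOUT=5          # seconds before a hung ping is killed
PING_DEADLINE=1          # ping -w, as in the poster's script

# run_with_timeout SECS CMD...: run CMD, SIGTERM it if it outlives SECS.
# Returns CMD's exit status, or 128+signal (143) when it had to be killed.
run_with_timeout() {
    secs=$1; shift
    "$@" &
    cmd=$!
    # The timer must not inherit our stdout: a caller using $(...) would
    # otherwise block until the sleep ends even when CMD returned early.
    ( sleep "$secs"; kill -TERM "$cmd" 2>/dev/null ) >/dev/null 2>&1 &
    timer=$!
    rc=0
    wait "$cmd" || rc=$?
    kill "$timer" 2>/dev/null
    return "$rc"
}

# link_is_down STATUS OUTPUT: interpret one probe. The link counts as down
# when ping was killed or exited non-zero, or when its summary reports the
# total loss the poster's script grepped for.
link_is_down() {
    [ "$1" -ne 0 ] && return 0
    case $2 in
        *"100.0% packet loss"*) return 0 ;;
    esac
    return 1
}

# probe_link: one probe; returns 0 when the interface should be reset.
probe_link() {
    out=$(run_with_timeout "$PROBE_TIMEOUT" \
          ping -c 1 -w "$PING_DEADLINE" "$PROBE_HOST" 2>&1)
    link_is_down "$?" "$out"
}

# reset_iface: what the poster did by hand; placeholder to adapt.
reset_iface() {
    ifconfig "$IFACE" down && ifconfig "$IFACE" up
}

watchdog() {
    while :; do
        if probe_link; then
            logger -t linkwatch "probe to $PROBE_HOST failed, resetting $IFACE"
            reset_iface
            sleep 3
        fi
        sleep 10
    done
}

# Only loop when started as "linkwatch.sh watch"; otherwise the functions
# can be sourced and exercised without touching the network.
if [ "${1:-}" = watch ]; then
    watchdog
fi
```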



Re: sasyncd syncs only newly created sad's

2010-01-12 Thread Mihajlo Manojlov
Hi again,

there is no feedback.. could someone who runs sasyncd check this for me?
Please, just restart sasyncd on the slave (or master), and see if it syncs the
SAD's?

This behaviour renders my redundant routers non-redundant. If I reboot the
master, when it comes back and becomes master again, all VPN tunnels are down
because no SAD's are synced.

Thank you very much.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Mihajlo Manojlov
Sent: Wednesday, January 06, 2010 11:10 PM
To: misc@openbsd.org
Subject: sasyncd syncs only newly created sad's

Hi to all,

I have two carped boxes and I want to use sasyncd for vpn redundancy, but
only
newly created sad's get synced. For example, I reboot the slave box, and when
it comes up again, sasyncd only sets flows, not the sad's. Maybe this is
normal behaviour?

log from master:
Jan  6 21:59:23 openbsd1 sasyncd[25895]: net: peer 10.23.6.2 connected
Jan  6 21:59:23 openbsd1 sasyncd[25895]: net_ctl: peer 10.23.6.2 state
change to SLAVE
Jan  6 21:59:25 openbsd1 sasyncd[25895]: monitor_get_pfkey_snap: got 2016
bytes SADB, 1392 bytes SPD
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_send_flush: sending FLUSH to
peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SADB data
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca800
len 504 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca9f8
len 504 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccabf0
len 504 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccade8
len 504 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SPD data
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000
len 232 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8
len 232 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca1d0
len 232 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca2b8
len 232 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca3a0
len 232 to peer 10.23.6.2
Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca488
len 232 to peer 10.23.6.2

It looks to me like everything is ok?

log from slave:
Jan  6 22:52:09 openbsd2 sasyncd[3384]: config: add peer 10.23.6.3
Jan  6 22:52:09 openbsd2 sasyncd[3384]: config: interface carp3
Jan  6 22:52:09 openbsd2 sasyncd[3384]: config: group carp
Jan  6 22:52:09 openbsd2 sasyncd[3384]: config: 32 byte shared hex key
Jan  6 22:52:09 openbsd2 sasyncd[3384]: config: shared key set
Jan  6 22:52:09 openbsd2 sasyncd[3384]: carp_init: initializing runstate to
SLAVE
Jan  6 22:52:09 openbsd2 sasyncd[3384]: listening on 0.0.0.0 port 500 fd 6
Jan  6 22:52:09 openbsd2 sasyncd[3384]: net_connect: peer 10.23.6.3
connected, fd 7
Jan  6 22:52:09 openbsd2 sasyncd[26685]: net_ctl: peer 10.23.6.3 state
change to MASTER

Re: Lanner FW-8760 1U firewall platform.

2010-01-12 Thread Diana Eichert

On Tue, 12 Jan 2010, SJP Lists wrote:

SNIP

Looks like it might have a serial console too...


just a heads-up

probably redirection of video to serial, better than a sharp
stick in the eye, but not a ROM monitor.



Re: Mini PCI Wireless Card

2010-01-12 Thread Mihajlo Manojlov
Hi,

what would you like to do with wifi? do you want to build an access point, or
do you just want to connect to wifi network?

on this link, you can see which cards support Host AP mode:
http://zythmer.acyclic.org/articles/OpenBSD_4.3_wifi.html

For Soekris image, I would recommend you to install it yourself. All you have
to do is to boot soekris with the card you wish to install to, check C/H/S
settings and write them down, then put the card in your PC, boot OpenBSD cd,
in disklabel set C/H/S to the values you read before, and then install like
normal.
I have done that on the pc-engines wrap box, but I think the same applies to
soekris too.

bye

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Benjamin Adams
Sent: Tuesday, January 12, 2010 4:27 AM
To: Luis Useche
Cc: misc
Subject: Re: Mini PCI Wireless Card

Thanks will order one.
Anyone have an img file for soekris net5501?
Or where I can download one.
Easier install.
Thanks

Ben
On Mon, Jan 11, 2010 at 9:45 PM, Luis Useche use...@gmail.com wrote:
 I'm using an Intel PRO/Wireless 3945ABG successfully.

 Luis



 On Mon, Jan 11, 2010 at 9:25 PM, Benjamin Adams freebsdwo...@gmail.com
wrote:
 Anyone know a good card with 4.6 support?
 Thanks

 Ben



Re: can't get binat working

2010-01-12 Thread Shohrukh Shoyoqubov

On 1/12/2010 7:02 PM, Wade, Daniel wrote:

Do you have net.inet.ip.forwarding=1 set?
   
Yes. The machine actually acts as a router for some other networks. It 
has more interfaces in fact. I just showed the ones involved in binat.




Re: 4.6 reboots x336 ibm server(s)

2010-01-12 Thread J.D. Bronson

I would try a -current but the 4.6-STABLE I have in use on Machine #1
has been running fine and I am not seeing reboots or unexpected 
shutdowns as the OP has been experiencing.


The Machine #2 will only run -current and I can't figure that out when 
they are identical. I suspect 4.7 will run fine on both machines..


--
J.D. Bronson



Re: 4.6 reboots x336 ibm server(s)

2010-01-12 Thread Kenneth R Westerback
On Tue, Jan 12, 2010 at 05:44:57AM -0600, J.D. Bronson wrote:
 I just joined this thread today, but had a similar issue with an IBM
 305 machine.
 
 On 4.5, it would randomly just shut down. No reason. Nothing in any
 logs, it was as if the power was pulled.
 
 I have 2 identical IBM 305 machines and it was happening on both, so
 that technically ruled out any specific hardware failure.
 What I did notice (in the BIOS events) was that the IBM reported fan
 #1,2,3 loss. Something seemed to disrupt the fan speed to bios
 reporting and I suspect the machine powered down since it thought it
 was overheating? - I could go a day or 2 weeks. Very random.
 
 4.6 hasn't done this (yet) and uptime has been over a month.
 However, even though both IBMs are the same in every way, 4.6-REL
 will boot on machine #2 but I have no networking. If I use a 4.6-CUR
 snapshot, it comes up fine. That makes NO sense, yet another user
 reported the same exact thing.
 
 -- 
 J.D. Bronson
 

Please try -current as of today (Jan 13, 2010 Melbourne time), there were a
number of significant fixes committed in the last couple of days.

 Ken



Yerevan, Armenia and OpenBSD Users

2010-01-12 Thread Mark Lumsden
Hi,

Are there any OpenBSD users in Yerevan, Armenia? For work reasons, I'm
moving there in a few days for probably the best part of six months. I
know absolutely no-one there so it would be good to go for a beer with
someone (do they have beer in Armenia?)

If there is anyone interested in meeting up, then feel free to get in
touch via this email address.

-mark
P.S. I don't speak Armenian or Russian. And my dialect of C is hard to
understand, even for me.



Happy new year and wish

2010-01-12 Thread iki tornsen
Dear Good Lord, Santa Claus and all of you ;)

First, I wish you a happy new year ... 2010
second, thanks for openbsd ;)
third ... my wish list for next Christmas ... a good looking ... Puffy Droid
:)))
with blinking red eyes when fishing bad packets ... lol


Best regards
radioramax

ps  :
addon wish list
proof of program for core kernel ;)



Re: can't get binat working

2010-01-12 Thread Shohrukh Shoyoqubov

On 1/12/2010 4:01 PM, Shohrukh Shoyoqubov wrote:

On Tue, Jan 12, 2010 at 2:25 PM, Laurent CARON lca...@unix-scripts.info wrote:
   

On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:
 

I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I
assume that should make 192.168.0.253 visible in 192.168.0.0/24
subnet, but it is not. I can't reach it from 192.168.0.0/24 subnet.
I am just testing with this lab config and later, I want to use binat
to assign real IPs to DMZ machines.
   

Hi,

What are you *really* trying to achieve ?

Mapping public IPs to private ones ?


 

Yes
   

Do I need to set an alias IP (the mapped IP) for binat to work?



Re: can't get binat working

2010-01-12 Thread Shohrukh Shoyoqubov

On 1/12/2010 9:03 PM, Jim Razmus wrote:

* Shohrukh Shoyoqubov shohrukh.shoyoku...@gmail.com [100112 01:35]:
   

Hello,

I am new to pf and I am trying to do binat but it is not working for
some reason.

fxp1 is the interface on subnet 192.168.0.0/24
vr0 is the interface on subnet 192.168.2.0/24

Here is my pf.conf

#left from the original pf.conf
set skip on lo
pass            # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010

#added by me
binat on fxp1 inet from 192.168.2.2 to any -> 192.168.0.253


I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I
assume that should make 192.168.0.253 visible in 192.168.0.0/24
subnet, but it is not. I can't reach it from 192.168.0.0/24 subnet.
I am just testing with this lab config and later, I want to use binat
to assign real IPs to DMZ machines.

I believe I am missing something obvious. Any ideas?

Thank you,
Shohrukh

 

If you're tracking -current, read this:

http://www.openbsd.org/faq/current.html#20090901

jim
   

Thanks. Good to know ahead :)

I am using 4.6 release. It uses the 'old-style' nat. The match based 
rules are only in -current and gonna be in 4.7, right?


shohrukh



Re: problems with emails through pf

2010-01-12 Thread Lars Nooden
Thanks Robert and Peter.

Robert wrote:
 You probably are using an uplink with a MTU lower than 1500.

Peter wrote:
   match in all scrub (no-df max-mss 1440)

 the problem went away.  tcpdump output of successful and failing
 connections would be instructive, along with the actual error
 messages, if any.

Setting the maximum segment size to a smaller number seems to have
helped noticeably on my ADSL connection.

What should one look for in the tcpdump output?  Here is the tail end of
a timed out connection to a web server.

Regards,
/Lars

 17:40:58.051513 upload.esams.wikimedia.org.www > foo.54960: F 1474:1474(0) ack 530 win 14 <nop,nop,timestamp 1674149461 2201021415> (DF)
 17:40:58.051988 foo.50486 > upload.esams.wikimedia.org.www: . ack 12226 win 16384 <nop,nop,timestamp 3093236957 1674149461>
 17:40:58.052006 foo.54960 > upload.esams.wikimedia.org.www: . ack 1475 win 16384 <nop,nop,timestamp 2201021534 1674149461>
 17:41:09.729879 foo.63952 > upload.esams.wikimedia.org.www: F 542:542(0) ack 851 win 16384 <nop,nop,timestamp 507798705 1674149461>
 17:41:09.729897 foo.50486 > upload.esams.wikimedia.org.www: F 487:487(0) ack 12226 win 16384 <nop,nop,timestamp 3093236980 1674149461>
 17:41:09.729955 foo.54960 > upload.esams.wikimedia.org.www: F 530:530(0) ack 1475 win 16384 <nop,nop,timestamp 2201021557 1674149461>
 17:41:09.781579 upload.esams.wikimedia.org.www > foo.63952: . ack 543 win 14 <nop,nop,timestamp 1674150634 507798705> (DF)
 17:41:09.783580 upload.esams.wikimedia.org.www > foo.50486: . ack 488 win 14 <nop,nop,timestamp 1674150634 3093236980> (DF)
 17:41:09.783596 upload.esams.wikimedia.org.www > foo.54960: . ack 531 win 14 <nop,nop,timestamp 1674150635 2201021557> (DF)



Re: 4.6 reboots x336 ibm server(s)

2010-01-12 Thread Marcin
2010/1/12 Kenneth R Westerback kwesterb...@rogers.com:
 Please try -current as of today (Jan 13, 2010 Melbourne time), there were a
 number of significant fixes committed in the last couple of days.

Hi,

I tried current - the good news is the problem with freeze at startup is gone
 - kernel boots immediately.

However, it hangs later on just after printing out following lines:

pci0 at mainbus0 bus 0: configuration mode 1 (bios)
mem address conflict 0xff00/0x1000
pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x0c
Intel E7520 Error Reporting rev 0x0c at pci0 dev 0 function 1 not configured
ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x0c


Thanks,
Marcin



Re: mute CARP with i386/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Ben Calvert
pete -

pls send /etc/hostname.carp0 from the other machine.

On Jan 12, 2010, at 3:14 AM, Pete Vickers wrote:

 Hi,

 Whilst setting up a H/A service on a pair of RELEASE4.6/i386 (+ bind/ssl
 patches) machines, I observe that both become carp master concurrently.
 Debugging shows that the carp master does not appear to transmit carp
 announcements:


 r...@gins0 ~tcpdump -i bnx0 -n proto carp
 tcpdump: listening on bnx0, link-type EN10MB
 ^C [after 30 seconds]
 16 packets received by filter
 0 packets dropped by kernel
 r...@gins0 ~


 anyone any ideas ? (all other comms work fine over the link e.g. SSH, DNS,
 ping etc.)



 relevant config  dmesg follows:

 s/123.456/my.correct.prefix/

 r...@gins0 ~> cat /etc/hostname.bnx0
 inet 123.456.250.16 255.255.255.128

 r...@gins0 ~> cat /etc/hostname.carp0
 inet 123.456.250.18 255.255.255.128
 vhid 1 advskew 100 carpdev bnx0
 description "*** Gi NS H/A ***"

 r...@gins0 ~> ifconfig bnx0
 bnx0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
         lladdr 00:1e:0b:bd:fa:12
         priority: 0
         groups: egress
         media: Ethernet autoselect (1000baseT full-duplex)
         status: active
         inet 123.456.250.16 netmask 0xffffff80 broadcast 123.456.250.127
         inet6 fe80::21e:bff:febd:fa12%bnx0 prefixlen 64 scopeid 0x3

 r...@gins0 ~> ifconfig carp0
 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         lladdr 00:00:5e:00:01:01
         description: *** Gi NS H/A ***
         priority: 0
         carp: MASTER carpdev bnx0 vhid 1 advbase 1 advskew 100
         groups: carp
         inet 123.456.250.18 netmask 0xffffff80 broadcast 123.456.250.127
         inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5



 dmesg:



 r...@gins0 ~> cat /var/run/dmesg.boot
 OpenBSD 4.6 (GENERIC) #0: Thu Jan 24 03:03:58 CET 2008
     r...@gins0:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class) 2.84 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
 real mem  = 3487485952 (3325MB)
 avail mem = 3382898688 (3226MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf0000, SMBIOS rev. 2.4 @ 0xee000 (71 entries)
 bios0: vendor HP version P56 date 01/24/2008
 bios0: HP ProLiant DL380 G5
 acpi0 at bios0: rev 2
 acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC BERT HEST
 acpi0: wakeup devices
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpihpet0 at acpi0: 14318179 Hz
 acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 333MHz
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 ioapic0 at mainbus0: apid 8 pa 0xfec00000, version 20, 24 pins
 acpimadt0: unknown apic structure type ff
 acpiprt0 at acpi0: bus 1 (IP2P)
 acpiprt1 at acpi0: bus 2 (IPTA)
 acpiprt2 at acpi0: bus 4 (IPTB)
 acpiprt3 at acpi0: bus 11 (IPE1)
 acpiprt4 at acpi0: bus 14 (IPE2)
 acpiprt5 at acpi0: bus 17 (IPE3)
 acpiprt6 at acpi0: bus 10 (IPE4)
 acpiprt7 at acpi0: bus 9 (PT02)
 acpiprt8 at acpi0: bus 6 (PT03)
 acpiprt9 at acpi0: bus 19 (PT04)
 acpiprt10 at acpi0: bus 23 (PT06)
 acpiprt11 at acpi0: bus 0 (PCI0)
 acpicpu0 at acpi0
 acpitz0 at acpi0: critical temperature 31 degC
 bios0: ROM list: 0xc0000/0xb000 0xcc400/0x4000! 0xd0400/0x1800 0xe6000/0x2000!
 ipmi at mainbus0 not configured
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1
 ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1
 pci1 at ppb0 bus 9
 ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
 pci2 at ppb1 bus 10
 ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
 pci3 at ppb2 bus 11
 ppb3 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
 pci4 at ppb3 bus 14
 ppb4 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01
 pci5 at ppb4 bus 17
 ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
 pci6 at ppb5 bus 18
 ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1
 pci7 at ppb6 bus 6
 ciss0 at pci7 dev 0 function 0 Hewlett-Packard Smart Array rev 0x03: apic 8 int 18 (irq 10)
 ciss0: 1 LD, HW rev 3, FW 4.12/4.12, 64bit fifo
 scsibus0 at ciss0: 1 targets
 sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct fixed
 sd0: 139979MB, 512 bytes/sec, 286677120 sec total
 ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1
 pci8 at ppb7 bus 19
 ppb8 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0xb1
 pci9 at ppb8 bus 22
 ppb9 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0xb1
 pci10 at ppb9 bus 23
 ppb10 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0xb1
 pci11 at ppb10 bus 26
 pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0xb1
 pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0xb1
 pchb3 at pci0 dev 16 function 2 Intel 5000 

Re: problems with emails through pf

2010-01-12 Thread Leonardo Carneiro

Hi everyone.

I tried with max-mss 1440 and this really solved my problem. Thanks, everyone.

I didn't find tcpdump in the packages repo, and when I use ntop,
somehow my net.inet.ip.forwarding is set to 0!

Is it available via ports, I guess?

*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarne...@veltrac.com.br
http://www.veltrac.com.br
/Work phone: (43)2105-5601/
/R. Para 162 - CENTRO/
/Londrina- PR/
/Cep: 86010-450/



Lars Nooden wrote:

Thanks Robert and Peter.

Robert wrote:
  

You probably are using an uplink with a MTU lower than 1500.



Peter wrote:
  

match in all scrub (no-df max-mss 1440)

the problem went away.  tcpdump output of successful and failing
connections would be instructive, along with the actual error
messages, if any.



Setting the maximum segment size to a smaller number seems to have
helped noticeably on my ADSL connection.

What should one look for in the tcpdump output?  Here is the tail end of
a timed out connection to a web server.

Regards,
/Lars

17:40:58.051513 upload.esams.wikimedia.org.www > foo.54960: F 1474:1474(0) ack 530 win 14 <nop,nop,timestamp 1674149461 2201021415> (DF)
17:40:58.051988 foo.50486 > upload.esams.wikimedia.org.www: . ack 12226 win 16384 <nop,nop,timestamp 3093236957 1674149461>
17:40:58.052006 foo.54960 > upload.esams.wikimedia.org.www: . ack 1475 win 16384 <nop,nop,timestamp 2201021534 1674149461>
17:41:09.729879 foo.63952 > upload.esams.wikimedia.org.www: F 542:542(0) ack 851 win 16384 <nop,nop,timestamp 507798705 1674149461>
17:41:09.729897 foo.50486 > upload.esams.wikimedia.org.www: F 487:487(0) ack 12226 win 16384 <nop,nop,timestamp 3093236980 1674149461>
17:41:09.729955 foo.54960 > upload.esams.wikimedia.org.www: F 530:530(0) ack 1475 win 16384 <nop,nop,timestamp 2201021557 1674149461>
17:41:09.781579 upload.esams.wikimedia.org.www > foo.63952: . ack 543 win 14 <nop,nop,timestamp 1674150634 507798705> (DF)
17:41:09.783580 upload.esams.wikimedia.org.www > foo.50486: . ack 488 win 14 <nop,nop,timestamp 1674150634 3093236980> (DF)
17:41:09.783596 upload.esams.wikimedia.org.www > foo.54960: . ack 531 win 14 <nop,nop,timestamp 1674150635 2201021557> (DF)




Re: mute CARP with i368/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Pete Vickers
This is with the other machine powered off, so its config is irrelevant.






On 12 Jan 2010, at 17:08, Ben Calvert b...@flyingwalrus.net wrote:


pete -

pls send /etc/hostname.carp0 from the other machine.


Re: problems with emails through pf

2010-01-12 Thread Leonardo Carneiro

Ignore. I just found that tcpdump comes with the system.



OpenBGPD AS Filtering

2010-01-12 Thread a b
Hello,

Are there any plans afoot to enable more flexibility when specifying
ASN filters in bgpd.conf ?

Unless I've missed something important in the man
page, there's no way to turn :

deny from any AS {64512,64513,64514,64515,64516,  /** BIG SNIP **/
65528,65529,65530,65531,65532,65533,65534}

into

deny from any AS {64512-65534}

The unwieldy nature of the present syntax only gets worse with 32-bit ASNs,
which suddenly takes us from a 1022 ASN list (or more if you are pedantic and
include RFC5398 64496-64511 and 65535) to many more if you include presently
unallocated ranges (e.g. 394240-4294967294).

Surely I cannot be the only one facing this issue?

Other than that, keep up the good work!

Ben



Re: sasyncd syncs only newly created sad's

2010-01-12 Thread Markus Wernig
Hi Mihajlo

Yes, this feature (re-synchronization after master failure) has been
missing from the day sasyncd came out
(http://archives.neohapsis.com/archives/openbsd/2005-09/0818.html). When
I gave that speech in Switzerland (the one you found the PDF of), I was
confident that it would be implemented within a couple of months or so
... the whole thing being a sponsored development, I figured that the
sponsor would want this program to be usable. But, alas, it wasn't.
Pity, really. With a little more time on my hands and a little more wit
in my brains I would love to pick this up. It would be SUCH a killer
application. Hakan Olsson, the original developer, did once say he
would look into it, but I haven't heard from him since.

krgds & sorrynohelphere

/markus

Mihajlo Manojlov wrote:
 Hi again,
 
 there is no feedback.. could someone who runs sasyncd check this for me?
 Please, just restart sasyncd on slave(or master), and see if it syncs the
 SAD's?
 
 This behaviour renders my redundant routers non-redundant. If I reboot the
 master, when it comes back and becomes master again, all VPN tunnels are down
 because no SAD's are synced.
 
 Thank you very much.
 
 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
 Mihajlo Manojlov
 Sent: Wednesday, January 06, 2010 11:10 PM
 To: misc@openbsd.org
 Subject: sasyncd syncs only newly created sad's
 
 Hi to all,
 
 I have two carped boxes and I want to use sasyncd for VPN redundancy, but only
 newly created SAD's get synced. For example, I reboot the slave box, and when
 it comes up again, sasyncd only sets flows, not the SAD's. Maybe this is
 normal behaviour?
 
 log from master:
 Jan  6 21:59:23 openbsd1 sasyncd[25895]: net: peer 10.23.6.2 connected
 Jan  6 21:59:23 openbsd1 sasyncd[25895]: net_ctl: peer 10.23.6.2 state
 change to SLAVE
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: monitor_get_pfkey_snap: got 2016
 bytes SADB, 1392 bytes SPD
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_send_flush: sending FLUSH to
 peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SADB data
 020a00023f000200010088f180d710010303040004000200
 15f7444b04000400
 380404000300
 b00403000500100259d44c6d
 03000600100259d45bb205000a00
 010038392e3231322e37362e3130392f3332
 05000b00010038392e3231322e39312e3137382f3332
 04000800a0009884229af8684722ecf09bfe79c0d8eef96b3cfb
 04000900c000e73eb8f1c43d90bdfaf40fb3abfe879d28e74cf8e870dd0b01001400
 0101010013000300150010020a00
 030011001002ff00030016001002
 0a070800030012001002ff00
 0200210008007465737476706e00
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca800
 len 504 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca9f8
 len 504 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccabf0
 len 504 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccade8
 len 504 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SPD data
 02121d0003000600100259d44c6d
 010014000101010013000300150010020a00
 030011001002ff0003001600
 10020a070800030012001002ff00
 05000a00010038392e3231322e39312e3137
 382f333205000b00010038392e3231322e37
 362e3130392f333202121d0003000600
 100259d44c6d01001400030201001300
 0300150010020a070800030011001002
 ff000300160010020a00
 030012001002ff0005000a000100
 38392e3231322e39312e3137382f333205000b000100
 38392e3231322e37362e3130392f33320212
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000
 len 232 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8
 len 232 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca1d0
 len 232 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca2b8
 len 232 to peer 10.23.6.2
 Jan  6 21:59:25 openbsd1 sasyncd[25895]: 

Re: 4.6 reboots x336 ibm server(s)

2010-01-12 Thread FRLinux
On Tue, Jan 12, 2010 at 6:05 PM, Marcin mig...@gmail.com wrote:
 I tried -current - the good news is the problem with the freeze at startup is
 gone - the kernel boots immediately.

 However, it hangs later on just after printing out following lines:

 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 mem address conflict 0xff000000/0x1000
 pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x0c
 Intel E7520 Error Reporting rev 0x0c at pci0 dev 0 function 1 not configured
 ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x0c

Yup, same error here, precisely at that line.

Just to confirm that we have the same issue, can you try disabling
ppb* on boot -c then see if it goes to the login prompt?

Cheers,
Steph



Any good/bad experiences on OpenBSD4.6-release Dell R(2|4|6)10 or HP DL320 G6

2010-01-12 Thread a b
Hello (again),

I'm planning to buy a couple of lower end servers for a PF & VPN termination
of a small network.

Does anyone have any comments on OpenBSD 4.6-release on Dell R210/410/610 or
HP DL320 G6?

Looking back through the archives, it seems people's experiences when using
OpenBSD-release on lower end servers was a bit patchy, although some seemed
to resolve it by using -current instead. However there has not been much talk
recently (unless I've missed it!) of 4.6 experiences and/or more recent
servers.

Looking forward to your feedback.



Re: can't get binat working

2010-01-12 Thread Stuart Henderson
On 2010-01-12, Shohrukh Shoyoqubov shohrukh.shoyoku...@gmail.com wrote:
 On 1/12/2010 4:01 PM, Shohrukh Shoyoqubov wrote:
  On Tue, Jan 12, 2010 at 2:25 PM, Laurent CARON lca...@unix-scripts.info wrote:

 On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:
  
 I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I
 assume that should make 192.168.0.253 visible in 192.168.0.0/24
 subnet, but it is not. I can't reach it from 192.168.0.0/24 subnet.
 I am just testing with this lab config and later, I want to use binat
 to assign real IPs to DMZ machines.

 Hi,

 What are you *really* trying to achieve ?

 Mapping public IPs to private ones ?


  
 Yes

 Do I need to set an alias IP (the mapped IP) for binat to work?



Technically not, you just need 'some way' to get other hosts to send
you traffic for that address. Could be proxy arp, could be route table
entries (static or routing protocols), but in practice adding an
alias IP is usually what you want.
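As an added illustration of the alias approach (this is neither Shohrukh's nor Stuart's configuration), assuming the firewall's interface on 192.168.0.0/24 is em0, its DMZ interface is em1, and the translation syntax of the 4.6 release:

```conf
# /etc/hostname.em0 (assumed interface name). The alias makes the kernel answer
# ARP for 192.168.0.253, so hosts on 192.168.0.0/24 deliver frames for it here.
inet 192.168.0.1 255.255.255.0 NONE
inet alias 192.168.0.253 255.255.255.255

# /etc/pf.conf, 4.6-release syntax (4.7 moved translation onto match/pass rules).
# binat is bidirectional: 192.168.2.2 appears as 192.168.0.253 on em0, and
# packets for 192.168.0.253 arriving on em0 are rewritten to 192.168.2.2.
int_if = "em0"
dmz_if = "em1"
binat on $int_if from 192.168.2.2 to any -> 192.168.0.253

# Filter rules see the translated addresses, so match on the real DMZ address.
pass in  on $int_if from 192.168.0.0/24 to 192.168.2.2
pass out on $dmz_if from 192.168.0.0/24 to 192.168.2.2
```

Without the alias (or proxy ARP, or a route on the other hosts) nobody on 192.168.0.0/24 ever sends a frame for .253 to the firewall, so the binat rule never sees a packet to translate; `arp -an` on a client and `pfctl -s state` on the firewall make the difference visible.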



Re: Using OpenBSD with Amazon's Virtual Private Cloud, IPsec issue

2010-01-12 Thread Stuart Henderson
Their examples are using route-based VPNs (http://kb.juniper.net/KB4124,
RFC3884), I'm not sure whether this is entirely possible here with our
ipsec (policy-based), but you could try setting up tunnels between the
gif tunnel endpoints i.e. 1.2.3.4 and 72.21.209.225, and a second between
1.2.3.4 and 72.21.209.193. These would take place of the tunnels between
192.168.23/24 and 10/24 (traffic between these networks would be routed
in the usual way, taking the gif interfaces as point-to-point links).


On 2010-01-12, Matt Dainty m...@bodgit-n-scarper.com wrote:
 Hi,

 I'm trying to evaluate using OpenBSD with Amazon's Virtual Private Cloud as a
 Customer Gateway in their EC2-speak. What you need to do is create a tunnel
 to each of Amazon's two routers, use BGP to exchange routes across the tunnels
 and protect all the traffic with IPsec.

 I've got it mostly working, but I've hit an issue with the IPsec and I'm
 hoping someone might know what's going on.

 I've made the various API calls as per the getting started guide [1] and
 have the configuration in the generic format which you can see an example of
 in the network admin guide [2]. Assume my uplink address is 1.2.3.4 and I
 have a BGP ASN of 65023, my network is 192.168.23.0/24 and the remote
 network where my EC2 instances will appear is 10.0.0.0/24.

 Here's what I've done, first create two gif(4) tunnels:

 # ifconfig gif1 create
 # ifconfig gif1 tunnel 1.2.3.4 72.21.209.225
 # ifconfig gif1 169.254.255.2 169.254.255.1 prefixlen 32
 # ifconfig gif2 create
 # ifconfig gif2 tunnel 1.2.3.4 72.21.209.193
 # ifconfig gif2 169.254.255.6 169.254.255.5 prefixlen 32

 Add the following to /etc/ipsec.conf:

 ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
   local 1.2.3.4 peer 72.21.209.225 \
   main auth hmac-sha1 enc aes group modp1024 \
   quick auth hmac-sha1 enc aes group modp1024 \
   srcid 1.2.3.4 \
   psk XXX
 ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
   local 1.2.3.4 peer 72.21.209.193 \
   main auth hmac-sha1 enc aes group modp1024 \
   quick auth hmac-sha1 enc aes group modp1024 \
   srcid 1.2.3.4 \
   psk YYY

 Run isakmpd and load those two tunnels:

 # isakmpd -4 -K
 # ipsecctl -f /etc/ipsec.conf

 ipsecctl -s all confirms those are loaded and I can ping the two tunnel
 endpoints successfully. I've added pf rules to allow ESP and UDP 500 on the
 external interface and for now I'm skipping gif1, gif2 and enc0 to hopefully
 exclude pf as a potential source of any trouble.

 Now I've created /etc/bgpd.conf

 AS 65023
 router-id 1.2.3.4
 listen on 127.0.0.1
 listen on 169.254.255.2
 listen on 169.254.255.6

 group amazon {
   remote-as 7224
   holdtime 30
   holdtime min 30
   announce default-route
   announce IPv6 none
   announce IPv4 unicast

   neighbor 169.254.255.1 {
   local-address 169.254.255.2
   }

   neighbor 169.254.255.5 {
   local-address 169.254.255.6
   }
 }

 Fire up bgpd and confirm it's working:

 # bgpctl show nexthop
 Nexthop          State
 169.254.255.5    valid    gif2   UP
 169.254.255.1    valid    gif1   UP
 # route -n get 10.0.0.0
    route to: 10.0.0.0
 destination: 10.0.0.0
        mask: 255.255.255.0
     gateway: 169.254.255.6
   interface: gif2
  if address: 169.254.255.6
    priority: 48 (bgp)
       flags: <UP,GATEWAY,DONE>
      use       mtu    expire
       24         0         0

 Now here's where I've got stuck. If I try and ping an EC2 instance from my
 network, I see the plain gif traffic leaving the external interface and gets
 dropped by the remote router as it's not protected with IPsec. This makes
 sense as there's no flow defined that will match that traffic, so I add two
 further tunnels to /etc/ipsec.conf:

 ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
   local 1.2.3.4 peer 72.21.209.225 \
   main auth hmac-sha1 enc aes group modp1024 \
   quick auth hmac-sha1 enc aes group modp1024 \
   srcid 1.2.3.4 \
   psk XXX
 ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
   local 1.2.3.4 peer 72.21.209.193 \
   main auth hmac-sha1 enc aes group modp1024 \
   quick auth hmac-sha1 enc aes group modp1024 \
   srcid 1.2.3.4 \
   psk YYY

 Now, only the latter tunnel gets configured, I'm guessing this is because the
 from+to tuple is identical so I'm configuring the same tunnel twice just with
 a different peer and key. As long as the routing decides to use the tunnel
 that is configured between the second peer, everything works, I can ping and
 SSH to my EC2 instance, but if it switches to the tunnel configured between
 the first peer then it breaks.

 Is it possible to have both configured somehow?

 Thanks

 Matt

 [1] http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
 [2] http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
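One way to write what Stuart suggests, as an added example that is neither Matt's configuration nor anything from the VPC guides: key the IPsec flows on the distinct outer addresses of the two gif(4) tunnels instead of on the 192.168.23.0/24 to 10.0.0.0/24 pair, which the kernel can only hold once (a flow is identified by source, destination and protocol, which is why Matt's second pair of rules overwrote each other). Restricting the flow to `proto ipencap` (IP-in-IP, protocol 4, the encapsulation gif uses for IPv4 over IPv4) keeps IKE on UDP 500 and the ESP packets themselves outside the policy. Whether Amazon's gateway accepts these narrower proxy IDs is an assumption that has to be tested against the real peer; Stuart himself is not sure it works.

```conf
# /etc/ipsec.conf: two dynamic-mode IKE rules, one per Amazon router, covering
# all gif traffic between the outer addresses. Addresses, PSK placeholders and
# the cipher suite are Matt's; the outer-address flows and the "proto ipencap"
# selector are the added part. These replace the 169.254.255.x rules, which
# would otherwise match the inner packet before gif encapsulates it.
ike dynamic esp proto ipencap from 1.2.3.4 to 72.21.209.225 \
        local 1.2.3.4 peer 72.21.209.225 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk "XXX"
ike dynamic esp proto ipencap from 1.2.3.4 to 72.21.209.193 \
        local 1.2.3.4 peer 72.21.209.193 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk "YYY"
```

After `ipsecctl -f /etc/ipsec.conf`, `ipsecctl -s flow` should list one proto 4 flow per peer; the 192.168.23.0/24 and 10.0.0.0/24 traffic is then carried by the gif interfaces and the BGP-learned routes, and the IPsec layer no longer needs to know those networks at all. The pf skip on gif1, gif2 and enc0 stays as in Matt's setup, and `tcpdump -ni enc0` shows the ipencap packets passing through the SAs.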



Re: problems with emails through pf

2010-01-12 Thread Dirk Mast
Peter N. M. Hansteen wrote:

 lscarne...@veltrac.com.br writes:
 
 My script is very simple (as you will see below), but by some reason,
 my machines behind the firewall can't send large emails, or emails
 with attached files.
 
 You don't offer any details of the other parts of the mail handling
  setup, but my first suspect would be content filtering of some kind that
  kicks in noticeably only when there's attachments to be deciphered.
 
 My other suspect is that
 
 match in all scrub (no-df)
 
 somehow tickles the receiving end the wrong way.  Others have reported
 to me privately that going from 4.4 and
 
 scrub in all
 
 to 4.6 and
 
 match in all scrub (reassemble tcp)
 
 worked OK on most traffic, but slowed down some https traffic
  horribly.  Then some apparently random experimentation led to trying
 different max-mss values and with
 
 match in all scrub (no-df max-mss 1440)
 
 the problem went away.  tcpdump output of successful and failing
  connections would be instructive, along with the actual error messages,
 if any.
 
 - P

I too have this feeling, that things somehow got really slow,
since scrub went away and match in scrub came.
I'm using match in all scrub (no-df max-mss 1440)
but some pages get weird TCP DUP ACKS, OUT-OF-ORDER Packets and
Previous Segment Lost (Wireshark slang).

Wikipedia is such a page for example - takes about 10 seconds to load 
sometimes.

I don't think I had this with 4.5.

I'm running an Alix 2c3 board, with pppoe to DSL.


OpenBSD 4.6-current (GENERIC) #452: Thu Dec 10 15:52:44 MST 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80<clock_battery>
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 268009472 (255MB)
avail mem = 251064320 (239MB)
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/27/08, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x31
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address 00:0d:b9:12:6b:04
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:0d:b9:12:6b:05
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 12, address 00:0d:b9:12:6b:06
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
ath0 at pci0 dev 12 function 0 Atheros AR2413 rev 0x01: irq 9
ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:1d:0f:af:98:88
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFX3-2048
wd0: 4-sector PIO, LBA, 1953MB, 4001760 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported 

Re: problems with emails through pf

2010-01-12 Thread Dirk Mast
Dirk Mast wrote:

 Peter N. M. Hansteen wrote:

 the problem went away.  tcpdump output of successful and failing
 connetions would be instructive, along with the actual error messages,
 if any.

Request to the wiki (see those long timestamps), hope this helps.

Jan 12 23:22:06.181513 PPPoE
code Session, version 1, type 1, id 0x0580, length 114
IP: 195.50.140.178.53 > x.x.x.x.18336: 26867 2/0/1 CNAME rr.esams.wikimedia.org., A 91.198.174.2 (84)
Jan 12 23:22:06.184287 PPPoE
code Session, version 1, type 1, id 0x0580, length 62
IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) win 5840 <mss 1460,sackOK,timestamp 6393340 0,nop,wscale 7> (DF)
Jan 12 23:22:09.182870 PPPoE
code Session, version 1, type 1, id 0x0580, length 62
IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) win 5840 <mss 1460,sackOK,timestamp 6394090 0,nop,wscale 7> (DF)
Jan 12 23:22:15.182651 PPPoE
code Session, version 1, type 1, id 0x0580, length 62
IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) win 5840 <mss 1460,sackOK,timestamp 6395590 0,nop,wscale 7> (DF)
Jan 12 23:22:15.700298 PPPoE
code Session, version 1, type 1, id 0x0580, length 62
IP: 91.198.174.2.80 > x.x.x.x.51519: S 4264277910:4264277910(0) ack 126511393 win 5792 <mss 1460,sackOK,timestamp 1676557187 6393340,nop,wscale 9> (DF)
Jan 12 23:22:15.700652 PPPoE
code Session, version 1, type 1, id 0x0580, length 54
IP: x.x.x.x.51519 > 91.198.174.2.80: . ack 1 win 46 <nop,nop,timestamp 6395719 1676557187> (DF)
Jan 12 23:22:15.700784 PPPoE
code Session, version 1, type 1, id 0x0580, length 507
IP: x.x.x.x.51519 > 91.198.174.2.80: P 1:454(453) ack 1 win 46 <nop,nop,timestamp 6395719 1676557187> (DF)
Jan 12 23:22:16.387740 PPPoE
code Session, version 1, type 1, id 0x0580, length 449
IP: 91.198.174.2.80 > x.x.x.x.51519: P 1:396(395) ack 454 win 14 <nop,nop,timestamp 1676557256 6395719> (DF)
Jan 12 23:22:16.388127 PPPoE
code Session, version 1, type 1, id 0x0580, length 54
IP: x.x.x.x.51519 > 91.198.174.2.80: . ack 396 win 54 <nop,nop,timestamp 6395891 1676557256> (DF)
Jan 12 23:22:16.399542 PPPoE
code Session, version 1, type 1, id 0x0580, length 77
IP: x.x.x.x.38781 > 195.50.140.178.53: 14313+% [1au] A? bits.wikimedia.org. (47)
Jan 12 23:22:16.421172 PPPoE
code Session, version 1, type 1, id 0x0580, length 141
IP: 195.50.140.178.53 > x.x.x.x.38781: 14313 3/0/1 CNAME bits-geo.wikimedia.org., CNAME[|domain]
Jan 12 23:22:16.422460 PPPoE
code Session, version 1, type 1, id 0x0580, length 83
IP: x.x.x.x.24926 > 195.50.140.178.53: 2994+% [1au] A? bits.esams.wikimedia.org. (53)
Jan 12 23:22:16.444376 PPPoE
code Session, version 1, type 1, id 0x0580, length 99
   
  

IPSec head check question.

2010-01-12 Thread Christopher Sean Hilton
I have isakmpd running quite well with certificates. I'm now trying to do
something that may or may not be simple.

I wish to establish two tunnels between my ipsec central server on a static IP
and two dynamic points on the internet. The first case is an openbsd box which
wants to connect a remote lan. The second case is an openbsd laptop which just
needs remote access for itself.

I've done this in my ipsec.conf:

##
---

my_fqdn=ipsec-hub.example.com
my_network=10.0.0.0/24

## Allow the remote box access

remote_fqdn=myremote.dyndns.org
remote_network=10.0.1.0/24

ike passive esp \
from { $my_fqdn $my_network } \
to { $remote_fqdn $remote_network } \
local $my_fqdn peer any \
srcid $my_fqdn dstid $remote_fqdn

## Allow the laptop access

laptop_fqdn=mylaptop.dyndns.org

ike passive esp \
from { $my_fqdn $my_network } \
to any \
local $my_fqdn peer any \
srcid $my_fqdn dstid $laptop_fqdn

##
---

I think that I've over-specified things because either configuration works if
they are alone in the file but putting them both together results in an
error?

There's more. If you choose to call me an idiot over this please do so in
private :-)...

This file works:

my_fqdn=ipsec-hub.example.com
my_network=10.0.0.1/24

ike passive esp \
from { $my_fqdn $my_network } to any \
local $my_fqdn peer any \
srcid $my_fqdn

I would like to believe that the reason it works is because my peers both have
signed certificates which verify as okay using the ca.crt that I've configured
in /etc/isakmpd/ca. However if I'm wrong then I've just opened up my LAN to
attack from the entire internet. Which -D options do I need to set in isakmpd,
e.g.

 # isakmpd -Kd -D 3=10 -D 8=10

to see the identity of the peers and get confirmation that the reason that
negotiation was successful is because (A) the peer provided a certificate and (B)
the certificate verified with my CA?

-- Chris




   There will be an answer, Let it be.
  ch...@vindaloo.com



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread shwegime

Thank you for replying.
As you can see from the first line of my post, I'm running -release, and 
not -current, and I don't plan to run -current since I'm very happy with 
an upgrade twice a year for the moment.
Actually, since the link you provided was from the end of October, I tried 
installing it but the nic does not come up at all.
On my machine I had previously installed iwn-firmware-5.1, now I have 
iwn-firmware-5.1p0, but the situation is exactly as per my first post.


So, why does 'ping' hang there and not give the 'packet loss' error, as 
it did until two days ago?




Re: Any good/bad experiences on OpenBSD4.6-release Dell R(2|4|6)10 or HP DL320 G6

2010-01-12 Thread Marco Peereboom
The dell stuff needs -current.  No idea about the HP stuff.

On Tue, Jan 12, 2010 at 08:31:51PM +, a b wrote:
 Hello (again),
 
 I'm planning to buy a couple of lower end servers for a PF 
 VPN termination of a small network.
 
 Does anyone have any comments on OpenBSD
 4.6-release on Dell R210/410/610 or HP DL320 G6 ?
 
 Looking back through the
 archives, it seems people's experiences when using OpenBSD-release on lower
 end servers was a bit patchy, although some seemed to resolve it by using
 -current instead. However there has not been much talk recently (unless
 I've missed it !) of 4.6 experiences and/or more recent servers.
 
 Looking
 forward to your feedback.



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread Aaron Mason
On Wed, Jan 13, 2010 at 11:23 AM,  shweg...@gmail.com wrote:
 Thank you for replying.
 As you can see from the first line of my post, I'm running -release, and not
 -current, and I don't plan to run -current since I'm very happy with an
 upgrade twice a year for the moment.
 Actually, since the link you provided was from the end of October, I tried
 installing it but the nic does not come up at all.
 On my machine I had previously installed iwn-firmware-5.1, now I have
 iwn-firmware-5.1p0, but the situation is exactly as per my first post.

 So, why does 'ping' hang there and not give the 'packet loss' error, as it
 did until two days ago?



If this machine isn't production, then no harm could come from trying
a snapshot.  It would give the developers a much better idea as to
where your system's at.  Use a USB thumb drive if you're that worried
about trashing your data.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread shwegime

On Wed, 13 Jan 2010, Aaron Mason wrote:


On Wed, Jan 13, 2010 at 11:23 AM,  shweg...@gmail.com wrote:

Thank you for replying.
As you can see from the first line of my post, I'm running -release, and not
-current, and I don't plan to run -current since I'm very happy with an
upgrade twice a year for the moment.
Actually, since the link you provided was from the end of October, I tried
installing it but the nic does not come up at all.
On my machine I had previously installed iwn-firmware-5.1, now I have
iwn-firmware-5.1p0, but the situation is exactly as per my first post.

So, why does 'ping' hang there and not give the 'packet loss' error, as it
did until two days ago?




If this machine isn't production, then no harm could come from trying
a snapshot.  It would give the developers a much better idea as to
where your system's at.  Use a USB thumb drive if you're that worried
about trashing your data.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



ok, you've convinced me, I'll give it a try on a usb thumb for a start.
tks



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread Brad Tilley
  If this machine isn't production, then no harm could come from trying
  a snapshot.  It would give the developers a much better idea as to
  where your system's at.  Use a USB thumb drive if you're that worried
  about trashing your data.
 
  -- 
  Aaron Mason - Programmer, open source addict
  I've taken my software vows - for beta or for worse
 
 
 ok, you've convinced me, I'll give it a try on a usb thumb for a start.
 tks

It's the easiest bootable OS on a USB stick install you'll ever do. Just 
install like you normally would except rather than using the internal hard 
drive, select the USB drive.

Brad 



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread shwegime

On Tue, 12 Jan 2010, Brad Tilley wrote:


If this machine isn't production, then no harm could come from trying
a snapshot.  It would give the developers a much better idea as to
where your system's at.  Use a USB thumb drive if you're that worried
about trashing your data.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



ok, you've convinced me, I'll give it a try on a usb thumb for a start.
tks


It's the easiest bootable OS on a USB stick install you'll ever do. Just 
install like you normally would except rather than using the internal hard drive, select 
the USB drive.

Brad




tks
In fact I already have a rescue openbsd on a 1 gig partition on my usb 
thumb, just in case hard disk should not boot, so I'll put a 'snapshot' 
in instead and try using it for a while. If 'iwn' hangs it does it every 
few minutes, so I can check it quickly.




Re: Lanner FW-8760 1U firewall platform.

2010-01-12 Thread SJP Lists
2010/1/12 Diana Eichert deich...@wrench.com:
 On Tue, 12 Jan 2010, SJP Lists wrote:

 SNIP

 Looks like it might have a serial console too...

 just a headsup

 probably redirection of video to serial, better than a sharp
 stick in the eye, but not a ROM monitor.

Bummer.  Hope not.  I've been spoiled by Soekris and ALIX machines.


Shane



Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread shwegime

I just installed a snapshot and ran it from a usb thumb.
The 'iwn' has exactly the same issues (that is, hanging after a minute 
or so of usage and working again after doing 'up down') as with -release, 
including the 'ping' 
hanging there and not giving the 'packet loss' error, which I cannot 
really understand since it worked just fine until a couple of days ago.


any ideas?



Removing pf_pool

2010-01-12 Thread Pascal Lalonde
I just caught the following from openbsd-cvs:

http://marc.info/?l=openbsd-cvsm=126326657232193w=2

If my understanding is correct, this means that it will become
impossible to emulate weighted round robin with constructs like the one
below, since duplicate IPs will be flattened once converted to a
standard PF table?

rdr on em0 inet proto tcp \
    from any to 192.168.100.100 port = www -> {
        10.0.0.1, 10.0.0.1, 10.0.0.1, \
        10.0.0.2, 10.0.0.2, \
        10.0.0.3 \
    } round-robin

Is this right?

-- 
Pascal



Re: Removing pf_pool

2010-01-12 Thread Ryan McBride
On Tue, Jan 12, 2010 at 11:11:54PM -0500, Pascal Lalonde wrote:
 I just caught the following from openbsd-cvs:
 
 http://marc.info/?l=openbsd-cvsm=126326657232193w=2
 
 If my understanding is correct, this means that it will become
 impossible to emulate weighted round robin with constructs like the one
 below, since duplicate IPs will be flattened once converted to a
 standard PF table?
 
 rdr on em0 inet proto tcp \
     from any to 192.168.100.100 port = www -> {
         10.0.0.1, 10.0.0.1, 10.0.0.1, \
         10.0.0.2, 10.0.0.2, \
         10.0.0.3 \
     } round-robin
 
 Is this right?

Well, that rule above will not parse anymore on -current, you need to
use match or pass with rdr-to now. But yes, the above construct will
stop working.

My first thought is to wonder why you're not running with a symmetrical
cluster. But I realise that we are not always in control of such things,
and one of PF's functions is to help people work around bad network
design.


There are a few things you can do here to get a similar effect.

1) Assign multiple IP addresses to the servers you'd like to hit more
heavily.

match on em0 inet proto tcp \
    from any to 192.168.100.100 port = www \
    rdr-to {
        10.0.0.1, 10.0.0.2, 10.0.0.3, \
        10.0.0.11, 10.0.0.12, \
        10.0.0.21 \
    } round-robin

2) Use the 'probability' keyword 

pass quick on em0 inet proto tcp from any to 192.168.100.100 \
probability 50% rdr-to 10.0.0.1
pass quick on em0 inet proto tcp from any to 192.168.100.100 \
probability 70% rdr-to 10.0.0.2
pass quick on em0 inet proto tcp from any to 192.168.100.100 \
rdr-to 10.0.0.3

The changes just committed are actually cleanup that needs to happen if
you want to see some more intelligent weighted load balancing in PF than
these hacks. But that is still a far ways off, definitely after 4.7.

-Ryan
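
Pascal's duplicated-address list and Ryan's two replacements, modelled in Python as an added example (not code from the thread, and not pf's own code): it collapses the brace list the way a table would, computes exactly what share of connections an ordered chain of `probability` rules yields (including the 50%/70% values Ryan picks), derives the percentage each rule needs for a requested ratio, and prints the matching pf.conf lines in the post-4.6 `pass ... rdr-to` syntax. Addresses, interface and VIP are the ones from Pascal's rule and the 3:2:1 weights are read off his duplicate counts; everything else is illustrative.

```python
"""Weighted backend selection in pf once brace lists become tables.

Added example for the thread above; not code from the thread or from pf.
It models three things: (1) a brace list of duplicated addresses collapsing
into a table, (2) a chain of 'probability' rules evaluated exactly, and
(3) the probability each rule needs to hit a requested weight ratio.
Addresses and weights (3:2:1) are Pascal's; em0 and the VIP are assumed
from the same rule.
"""
import random
from collections import Counter
from fractions import Fraction


def table_round_robin(targets):
    """A pf table is a set: duplicates in the address list are dropped, so
    round-robin over the table gives every distinct host the same share.
    Returns the distinct hosts in first-seen order and their share."""
    hosts = []
    for t in targets:
        if t not in hosts:
            hosts.append(t)
    return hosts, {h: Fraction(1, len(hosts)) for h in hosts}


def probability_chain(weights):
    """Probability each 'pass quick ... probability N% rdr-to <host>' rule
    needs so the chain as a whole splits traffic in the ratio `weights`.

    A rule whose probability check fails does not match, and evaluation
    falls through to the next rule, so rule i must take w_i out of the
    weight that is still unassigned: p_i = w_i / sum(w_i .. w_n).  The
    last rule ends up at 100% and needs no probability keyword at all."""
    remaining = sum(weights.values())
    rules = []
    for host, w in weights.items():
        rules.append((host, Fraction(w, remaining)))
        remaining -= w
    return rules


def chain_distribution(rules):
    """Exact share of connections each host gets from an ordered chain of
    (host, match probability) rules, the last rule matching unconditionally."""
    shares = {}
    not_yet_matched = Fraction(1)
    for host, p in rules:
        shares[host] = not_yet_matched * p
        not_yet_matched *= 1 - p
    return shares


def render_pf(rules, iface="em0", vip="192.168.100.100"):
    """pf.conf text for the chain.  Percentages are rounded to whole
    numbers, so the real split drifts a little from the exact one
    (3:2:1 renders as 50% / 67%, not 66.666...%)."""
    out = []
    for i, (host, p) in enumerate(rules):
        prob = "" if i == len(rules) - 1 else f"probability {round(p * 100)}% "
        out.append(f"pass quick on {iface} inet proto tcp from any to {vip} port www \\")
        out.append(f"    {prob}rdr-to {host}")
    return "\n".join(out)


def simulate(rules, connections, seed=1):
    """Monte Carlo check of chain_distribution: count where each of
    `connections` new connections lands under the ordered rule chain."""
    rng = random.Random(seed)
    hits = Counter()
    for _ in range(connections):
        for host, p in rules:
            if rng.random() < p:
                hits[host] += 1
                break
    return hits


if __name__ == "__main__":
    wanted = {"10.0.0.1": 3, "10.0.0.2": 2, "10.0.0.3": 1}
    # Pascal's original list, as -current sees it after the table conversion.
    old_list = ["10.0.0.1"] * 3 + ["10.0.0.2"] * 2 + ["10.0.0.3"]
    print("table round-robin:", table_round_robin(old_list)[1])
    rules = probability_chain(wanted)
    print("exact chain:      ", chain_distribution(rules))
    # Ryan's hand-picked 50% / 70% values, for comparison.
    ryan = [("10.0.0.1", Fraction(1, 2)), ("10.0.0.2", Fraction(7, 10)), ("10.0.0.3", Fraction(1))]
    print("50%/70% chain:    ", chain_distribution(ryan))
    print("simulated:        ", simulate(rules, 6000))
    print(render_pf(rules))
```

The derivation shows why Ryan's 70% is a rounded two thirds: once the first rule takes 50%, the second rule only ever sees the half that fell through, so it must claim 2/3 of that to leave 1/6 for the last backend. With 70% the split is 50/35/15 instead of 50/33/17, which is close enough for a hand-written rule set but worth knowing when the weights are less forgiving.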



Re: can't get binat working

2010-01-12 Thread Shohrukh Shoyoqubov
 Do I need to set an alias IP (the mapped IP) for binat to work?



 Technically not, you just need 'some way' to get other hosts to send
 you traffic for that address. Could be proxy arp, could be route table
 entries (static or routing protocols), but in practice adding an
 alias IP is usually what you want.


Thanks. Alias did the job. Thanks everyone!

shohrukh



Re: obsd as domU?

2010-01-12 Thread J.C. Roberts
On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:

So I bet that the initial poster expected an (authoritative) answer
 that should have came in the form of an advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not found a good enough answer (as in authoritative)...)

You are missing the point. Virtualization has been discussed to death
for *YEARS* and all of it is in the misc@ list archives.

Here's the short version of those years of discussion:

1.) Since you can't trust the skill of most developers to write a
perfectly secure operating system, trusting them to write a perfectly
secure software emulation of hardware is insane.

2.) If systems and application software runs fine on real hardware, but
fails to run on emulated/virtualized hardware, then the problem is in
the virtualization software. --In other words, take questions and
complaints to the vendor of your virtualization software.

3.) Many of the benefits you gain by running a stable and secure
operating system like OpenBSD are lost when you run it as a guest on
top of some other insecure host operating system.

4.) Most Virtualization Software fails to emulate hardware perfectly.

5.) Most Virtualization Software expects the host operating system to
have specific features, and hence, it's not easily portable, or it is
not portable at all.

6.) Most Virtualization Software wants to use fancy hardware features
and/or have direct access to hardware. If your virtualization software
is by-passing the restrictions enforced by the host operating system,
then the host operating system is not able to do its job.


Virtualization can be very useful in certain situations, yet you not
only need to fully understand and accept the implications and risks of
virtualization, but *you* also need to test it in *your* environment to
determine if it meets *your* requirements. Anything less is irrelevant!

If you're too lazy to do the weeks or months of research work on your
own, then you really should not use virtualization. Unfortunately, most
people just believe the constant bullshit from the virtualization
vendors, or ask irrelevant questions on various mailing lists.


Lastly, Bret Lambert is one of the OpenBSD developers, so you can
consider his lmgtfy reply as authoritative --He's humorously telling
you to do your own work. There is no other way.


-- 
J.C. Roberts



/bsd: acpitz1: Critical temperature, shutting down

2010-01-12 Thread Don Scott
My X60 overheated and did a clean shutdown while building devel/jdk/1.6.
This is the first time there has been a heat related issue on this laptop.
It's running the latest BIOS (version 2.18) and an i386 snapshot from
January 5th.

/var/log/messages:
Jan 12 19:40:27 x60 /bsd: acpithinkpad0: unknown event 0x6022
Jan 12 19:40:42 x60 last message repeated 16 times
Jan 12 19:40:45 x60 /bsd: acpitz1: Critical temperature, shutting down
Jan 12 19:40:45 x60 /bsd: acpithinkpad0: unknown event 0x6022

sysctl hw:
hw.machine=i386
hw.model=Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class)
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0,sd1
hw.diskcount=2
hw.sensors.acpitz0.temp0=70.00 degC (zone temperature)
hw.sensors.acpitz1.temp0=73.00 degC (zone temperature)
hw.sensors.acpibat0.volt0=14.40 VDC (voltage)
hw.sensors.acpibat0.volt1=16.40 VDC (current voltage)
hw.sensors.acpibat0.watthour0=40.59 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=2.03 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=40.59 Wh (remaining capacity), OK
hw.sensors.acpibat0.raw0=0 (battery full), OK
hw.sensors.acpibat0.raw1=0 (rate)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpithinkpad0.temp0=70.00 degC
hw.sensors.acpithinkpad0.temp1=55.00 degC
hw.sensors.acpithinkpad0.temp3=66.00 degC
hw.sensors.acpithinkpad0.temp4=38.00 degC
hw.sensors.acpithinkpad0.temp6=33.00 degC
hw.sensors.acpithinkpad0.fan0=2817 RPM
hw.sensors.acpidock0.indicator0=Off (not docked)
hw.sensors.cpu0.temp0=75.00 degC
hw.sensors.aps0.temp0=55.00 degC
hw.sensors.aps0.temp1=55.00 degC
hw.sensors.aps0.indicator0=Off (Keyboard Active)
hw.sensors.aps0.indicator1=Off (Mouse Active)
hw.sensors.aps0.indicator2=On (Lid Open)
hw.sensors.aps0.raw0=415 (X_ACCEL)
hw.sensors.aps0.raw1=522 (Y_ACCEL)
hw.sensors.aps0.raw2=415 (X_VAR)
hw.sensors.aps0.raw3=522 (Y_VAR)
hw.cpuspeed=2000
hw.setperf=100
hw.vendor=LENOVO
hw.product=1709G3U
hw.version=ThinkPad X60
hw.serialno=LVD6250
hw.uuid=2a4afc60-77b1-11db-8510-e4b0a9ddd65f
hw.physmem=3211161600
hw.usermem=3211083776
hw.ncpufound=2

Although the fan appears to be running fine, I may replace it anyway since
it is over 3 years old. Maybe it's possible to apply some fresh thermal
compound as well.

I don't think this is openbsd related, but thought it would be interesting
to post anyway (especially since acpi development is in progress).

Dmesg to follow. Comments and questions are welcome and appreciated.

Thanks,
Don

OpenBSD 4.6-current (GENERIC.MP) #381: Tue Jan  5 13:43:29 MST 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class) 2
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 3211161600 (3062MB)
avail mem = 3119341568 (2974MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/20/08, BIOS32 rev. 0 @ 0xfd690,
SMBIOS rev. 2.4 @ 0xe0010 (67 entries)
bios0: vendor LENOVO version 7BETD7WW (2.18 ) date 11/20/2008
bios0: LENOVO 1709G3U
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET BOOT SSDT SSDT SSDT
SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) DURT(S3) EXP0(S4) EXP1(S4) EXP2(S4)
EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class) 2
GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 12 (EXP3)
acpiprt6 at acpi0: bus 21 (PCI1)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpipwrres0 at acpi0: PUBS
acpitz0 at acpi0: critical temperature 127 degC
acpitz1 at acpi0: critical temperature 97 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 93P5029 serial   437 type LION oem SANYO
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
acpidock0 at acpi0: GDCK not docked (0)
bios0: ROM list: 0xc/0xea00! 0xdc000/0x4000! 0xe/0x1!
cpu0: Enhanced SpeedStep 1996 MHz: speeds: 2000, 1667, 1333, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 

Re: Any good/bad experiences on OpenBSD4.6-release Dell R(2|4|6)10 or HP DL320 G6

2010-01-12 Thread J.C. Roberts
On Tue, 12 Jan 2010 20:31:51 + (GMT) a b rclo...@yahoo.co.uk
wrote:

 Hello (again),
 
 I'm planning to buy a couple of lower end servers for a PF 
 VPN termination of a small network.
 
 Does anyone have any comments on OpenBSD
 4.6-release on Dell R210/410/610 or HP DL320 G6 ?
 
 Looking back through the
 archives, it seems people's experiences when using OpenBSD-release on
 lower end servers was a bit patchy, although some seemed to resolve
 it by using -current instead. However there has not been much
 talk recently (unless I've missed it !) of 4.6 experiences and/or
 more recent servers.
 
 Looking
 forward to your feedback.
 

In September (i.e. 4.6-current *after* the roll-up for the release), I
had OpenBSD running on a new Dell T610 at work for a couple of days
before the machine was re-purposed. Unfortunately, I didn't have the
opportunity to really test much of anything, and worse, I think I lost
the dmesg before sending it in (a dev will have to check the dmesg
archive).


-- 
J.C. Roberts



Re: obsd as domU?

2010-01-12 Thread Ciprian Dorin, Craciun
On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts list-...@designtools.org
wrote:
 On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun
 ciprian.crac...@gmail.com wrote:

  So I bet that the initial poster expected an (authoritative) answer
 that should have came in the form of an advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not found a good enough answer (as in authoritative)...)

 You are missing the point. Virtualization has been discussed to death
 for *YEARS* and all of it is in the misc@ list archives.

Sorry, I didn't know... (I should have checked the mailing list...)


 Here's the short version of those years of discussion:

 1.) Since you can't trust the skill of most developers to write a
 perfectly secure operating system, trusting them to write a perfectly
 secure software emulation of hardware is insane.

Sorry, but you guys from OpenBSD have proved that you can trust
the skills of **some** developers to write a __supposed__ perfectly
secure operating system, so why not trust other developers to write
a __supposed__ secure software emulation with the help of hardware?
(Let me say it more simply: we have trust in you, but why don't you
have the disposition to trust in others?)


 2.) If systems and application software runs fine on real hardware, but
 fails to run on emulated/virtualized hardware, then the problem is in
 the virtualization software. --In other words, take questions and
 complaints to the vendor of your virtualization software.

Agree. This is the same as with software: if software runs
perfectly on one version of OpenBSD, but not on another it does not
mean that its the fault of the new version. (But Xen is not all about
emulation, it cooperates with the guest kernel, so in this case the
blame could be on both sides.)


 3.) Many of the benefits you gain by running a stable and secure
 operating system like OpenBSD are lost when you run it as a guest on
 top of some other insecure host operating system.

This is only true if either:
* there is a security bug in the virtualization software (highly
improbable, and maybe easily fixed);
* you let the host operating system front the Internet; (but you
could just filter out all the traffic from the exterior to the host,
and use one of the guests (OpenBSD) as a gateway);


 4.) Most Virtualization Software fails to emulate hardware perfectly.

(Again we are not speaking of emulation, we are speaking of
cooperation between the hypervisor and the guest kernel.)


 5.) Most Virtualization Software expects the host operating system to
 have specific features, and hence, it's not easily portable, or it is
 not portable at all.

 6.) Most Virtualization Software wants to use fancy hardware features
 and/or have direct access to hardware. If your virtualization software
 is by-passing the restrictions enforced by the host operating system,
 then the host operating system is not able to do its job.

No, (in general) the requirement of virtualization is not to
bypass the restrictions imposed by OS to hardware.


 Virtualization can be very useful in certain situations, yet you not
 only need to fully understand and accept the implications and risks of
 virtualization, but *you* also need to test it in *your* environment to
 determine if it meets *your* requirements. Anything less is irrelevant!

One important use of virtualization software (like Xen for
example), is to allow experimentation. For example I don't have 4
pieces of hardware to be able to also host a Linux server (for
personal stuff), experiment with OpenBSD or Plan9, and also give one
of my friends a small VPN and download host. So I use Xen and turn one
computer into many. (As you see it's not the security aspect I'm
interested but the consolidation aspect...) (Yes very lame I know, but
sometimes money does beat security...)


 If you're too lazy to do the weeks or months of research work on your
 own, then you really should not use virtualization. Unfortunately, most
 people just believe the constant bullshit from the virtualization
 vendors, or ask irrelevant questions on various mailing lists.

(I hope I've touched this subject above.)


 Lastly, Bret Lambert is one of the OpenBSD developers, so you can
 consider his lmgtfy reply as authoritative --He's humorously telling
 you to do your own work. There is no other way.
 --
 J.C. Roberts


Thanks for the time and the responses,
Ciprian.



Dear:misc: Antioxidant reduced water, a great discovery: new book launched, plus a grand prize draw!

2010-01-12 Thread HYLA Limited
Having problems viewing this email? Please click here. For enquiry, please send 
email to i...@sanwahk.net

please link with our home page: http://www.lea.org.hk

HI,misc

Important Notice: Based on the Unsolicited Electronic Messages Ordinance, if you 
DO NOT want to receive any promotional email messages from us in the future, 
please kindly reply to this e-mail for DELETION. If you would like to continue to 
receive our promotional email messages, you do not need to reply to us.



Re: obsd as domU?

2010-01-12 Thread Bret S. Lambert
How did "lazy internet denizen gets told he's lazy" turn into
anything worth spending this much time on?



Re: obsd as domU?

2010-01-12 Thread Ciprian Dorin, Craciun
On Wed, Jan 13, 2010 at 8:43 AM, Bret S. Lambert bret.lamb...@gmail.com wrote:
 How did lazy internet denizen gets told he's lazy turn into
 anything worth spending this much time on?

I would like to personally apologize for criticizing you, Bret, for
lmgtfy-ing the other guy (who, I didn't know, had also posted another
question about OpenBSD and dom0, and was also answered).

But I wouldn't say that the discussion has turned into something
not-worth discussing. I myself have learned a lot about the position
of the OpenBSD developers regarding the possibility of ever using
OpenBSD ontop of virtualization (not emulation) platforms (like Xen).
(I had my hopes, but not any more... :) )

Thanks again for all the time and effort spent,
Ciprian.

P.S.: Maybe an entry in the FAQ about this topic will cut down all
these questions about virtualization?



Re: obsd as domU?

2010-01-12 Thread Henning Brauer
* Ciprian Dorin, Craciun ciprian.crac...@gmail.com [2010-01-13 07:37]:
 This is only true if either:
 * there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

i would pee my pants (or maybe bob's instead) laughing if it wasn't so
sad. it is this mindset that gets this industry in shit every other
day.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: obsd as domU?

2010-01-12 Thread Eric Furman
On Wed, 13 Jan 2010 08:31 +0200, Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:
 On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts list-...@designtools.org
 wrote:
  On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun
  ciprian.crac...@gmail.com wrote:
 
   So I bet that the initial poster expected an (authoritative) answer
  that should have came in the form of an advice based on experience or
  at least something useful... (Not lmgtfy, which I'm sure he already
  did, but did not found a good enough answer (as in authoritative)...)
 
  You are missing the point. Virtualization has been discussed to death
  for *YEARS* and all of it is in the misc@ list archives.
 
 Sorry, I didn't know... (I should have checked the mailing list...)
 
 
  Here's the short version of those years of discussion:
 
  1.) Since you can't trust the skill of most developers to write a
  perfectly secure operating system, trusting them to write a perfectly
  secure software emulation of hardware is insane.
 
 Sorry, but you guys from OpenBSD have proved that you can trust
 the skills of **some** developers to write a __supposed__ perfectly
 secure operating system, so why not trust other developers to write
 a __supposed__ secure software emulation with the help of hardware?
 (Let me say it more simply: we have trust in you, but why don't you
 have the disposition to trust in others?)

Very few have demonstrated that they can be trusted.
BTW, *any* virtualization software written for i386 is always going
to have the potential for compromise because of the inherent flaws
in that architecture. It was *not* designed with virtualization in mind.

 
 
  2.) If systems and application software runs fine on real hardware, but
  fails to run on emulated/virtualized hardware, then the problem is in
  the virtualization software. --In other words, take questions and
  complaints to the vendor of your virtualization software.
 
 Agree. This is the same as with software: if software runs
 perfectly on one version of OpenBSD, but not on another it does not
 mean that it's the fault of the new version. (But Xen is not all about
 emulation, it cooperates with the guest kernel, so in this case the
 blame could be on both sides.)

Wrong. If it works on real hardware and fails in virtualization
the virtualization software is *always* to blame.

 
 
  3.) Many of the benefits you gain by running a stable and secure
  operating system like OpenBSD are lost when you run it as a guest on
  top of some other insecure host operating system.
 
 This is only true if either:
 * there is a security bug in the virtualization software (highly
 improbable, and maybe easily fixed);

BWHAHHAHAHAHAHH. Have you ever actually worked with any
virtualization software?
There have been many documented security bugs in every virtualization
software.
Try Securityfocus or your favorite search engine.

 * you let the host operating system front the Internet; (but you
 could just filter out all the traffic from the exterior to the host,
 and use one of the guests (OpenBSD) as a gateway);
 
 
  4.) Most Virtualization Software fails to emulate hardware perfectly.
 
 (Again we are not speaking of emulation, we are speaking of
 cooperation between the hypervisor and the guest kernel.)
 
 
  5.) Most Virtualization Software expects the host operating system to
  have specific features, and hence, it's not easily portable, or it is
  not portable at all.
 
  6.) Most Virtualization Software wants to use fancy hardware features
  and/or have direct access to hardware. If your virtualization software
  is by-passing the restrictions enforced by the host operating system,
  then the host operating system is not able to do its job.
 
 No, (in general) the requirement of virtualization is not to
 bypass the restrictions imposed by OS to hardware.

BWAAAHAHAHAHAHAH! It *should* be a requirement, but rarely *is*.

 
 
  Virtualization can be very useful in certain situations, yet you not
  only need to fully understand and accept the implications and risks of
  virtualization, but *you* also need to test it in *your* environment to
  determine if it meets *your* requirements. Anything less is irrelevant!
 
 One important use of virtualization software (like Xen for
 example), is to allow experimentation. For example I don't have 4
 pieces of hardware to be able to also host a Linux server (for
 personal stuff), experiment with OpenBSD or Plan9, and also give one
 of my friends a small VPN and download host. So I use Xen and turn one
 computer into many. (As you see it's not the security aspect I'm
 interested but the consolidation aspect...) (Yes very lame I know, but
 sometimes money does beat security...)

This is actually very true. But you need to be very aware of where
it does and where it doesn't.