obsd as domU?
Can I run obsd as a xen guest?
Re: obsd as domU?
On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com wrote:
> Can I run obsd as a xen guest?

http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

The internet: you're doing it wrong.
Re: obsd as domU?
On Tue, Jan 12, 2010 at 10:10 AM, Bret Lambert bret.lamb...@gmail.com wrote:
> On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com wrote:
> > Can I run obsd as a xen guest?
>
> http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest
>
> The internet: you're doing it wrong.

Hello all!

(I'm a very new OpenBSD user (tested only on Qemu, but would like to put OpenBSD in production).)

And I just want to say that I had the same question a couple of days ago: Is it really possible (as in tried in a quasi-production environment) to run OpenBSD as a Xen domU? And if so, are there some guidelines, documentation, etc.? If not, is there any willingness to implement such a feature?

I've searched a little on the net and I've arrived at the following two possibilities:
* Yes, but under Xen with HVM support, with the drawback of (greater) CPU overhead and with some networking problems;
* And also yes, as a direct DomU, but based on the work of Christoph Egger, which is not available on the net anymore;
* any other options??? (anyone???)

So I bet that the initial poster expected an (authoritative) answer that should have come in the form of advice based on experience or at least something useful... (Not lmgtfy, which I'm sure he already did, but did not find a good enough answer (as in authoritative)...)

Sorry,
Ciprian.
Re: obsd as domU?
On Tue, Jan 12, 2010 at 9:41 AM, Ciprian Dorin, Craciun ciprian.crac...@gmail.com wrote:
[snipz0rz]
> So I bet that the initial poster expected an (authoritative) answer that should have come in the form of advice based on experience or at least something useful... (Not lmgtfy, which I'm sure he already did, but did not find a good enough answer (as in authoritative)...)

When both of his questions were, verbatim:

OpenBSD as Dom0: Is it possible?

and

Can I run obsd as a xen guest?

it's unclear to me, since he's unwilling to document what he's found in order to help others to help him, whether or not he's willing to do the work required in finding those answers to begin with.
Re: can't get binat working
On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:
> I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I assume that should make 192.168.0.253 visible in the 192.168.0.0/24 subnet, but it is not. I can't reach it from the 192.168.0.0/24 subnet. I am just testing with this lab config and later I want to use binat to assign real IPs to DMZ machines.

Hi,

What are you *really* trying to achieve? Mapping public IPs to private ones?
Re: obsd as domU?
On 08:59, Tue 12 Jan 10, Vadkan Jozsef wrote:
> Can I run obsd as a xen guest?

Under 'full' virtualisation, yes. Under para-virtualisation, no.

--
Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?
Re: Mini PCI Wireless Card
Benjamin Adams wrote:
> Thanks will order one. Anyone have an img file for soekris net5501? Or where I can download one. Easier install.

Would you trust any image presented to you?

It cannot get much easier than using the current installer anyway, since you would still have to tweak it for your setup (network interfaces, hostnames etc). Plenty of info in the archives about that.

/Alexander
Re: scrotwm: anyone with a non-US keyboard ?
On Mon, Jan 11, 2010 at 07:13:37PM -0600, Marco Peereboom wrote:
> So what is the verdict? No good? Need something else?

It seems to need to handle the ``Map'' and ``Unmap'' events, so that when the user switches between keyboard layouts XKeycodeToKeysym still works. I'm cooking a diff for this too.

--
Alexandre
Re: can't get binat working
On Tue, Jan 12, 2010 at 2:25 PM, Laurent CARON lca...@unix-scripts.info wrote:
> On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:
> > I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I assume that should make 192.168.0.253 visible in the 192.168.0.0/24 subnet, but it is not. I can't reach it from the 192.168.0.0/24 subnet. I am just testing with this lab config and later I want to use binat to assign real IPs to DMZ machines.
>
> Hi,
>
> What are you *really* trying to achieve? Mapping public IPs to private ones?

Yes
mute CARP with i386/4.6 on HP ProLiant DL380 G5
Hi,

Whilst setting up a H/A service on a pair of RELEASE 4.6/i386 (+ bind/ssl patches) machines, I observe that both become carp master concurrently. Debugging shows that the carp master does not appear to transmit carp announcements:

r...@gins0 ~> tcpdump -i bnx0 -n proto carp
tcpdump: listening on bnx0, link-type EN10MB
^C [after 30 seconds]
16 packets received by filter
0 packets dropped by kernel
r...@gins0 ~>

Anyone any ideas? (all other comms work fine over the link e.g. SSH, DNS, ping etc.)

relevant config & dmesg follows: s/123.456/my.correct.prefix/

r...@gins0 ~> cat /etc/hostname.bnx0
inet 123.456.250.16 255.255.255.128

r...@gins0 ~> cat /etc/hostname.carp0
inet 123.456.250.18 255.255.255.128 vhid 1 advskew 100 carpdev bnx0 description *** Gi NS H/A ***

r...@gins0 ~> ifconfig bnx0
bnx0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1e:0b:bd:fa:12
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 123.456.250.16 netmask 0xffffff80 broadcast 123.456.250.127
        inet6 fe80::21e:bff:febd:fa12%bnx0 prefixlen 64 scopeid 0x3

r...@gins0 ~> ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: *** Gi NS H/A ***
        priority: 0
        carp: MASTER carpdev bnx0 vhid 1 advbase 1 advskew 100
        groups: carp
        inet 123.456.250.18 netmask 0xffffff80 broadcast 123.456.250.127
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5

dmesg:

r...@gins0 ~> cat /var/run/dmesg.boot
OpenBSD 4.6 (GENERIC) #0: Thu Jan 24 03:03:58 CET 2008
    r...@gins0:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class) 2.84 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 3487485952 (3325MB)
avail mem = 3382898688 (3226MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev.
0 @ 0xf, SMBIOS rev. 2.4 @ 0xee000 (71 entries)
bios0: vendor HP version P56 date 01/24/2008
bios0: HP ProLiant DL380 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC BERT HEST
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 333MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimadt0: unknown apic structure type ff
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (IPTA)
acpiprt2 at acpi0: bus 4 (IPTB)
acpiprt3 at acpi0: bus 11 (IPE1)
acpiprt4 at acpi0: bus 14 (IPE2)
acpiprt5 at acpi0: bus 17 (IPE3)
acpiprt6 at acpi0: bus 10 (IPE4)
acpiprt7 at acpi0: bus 9 (PT02)
acpiprt8 at acpi0: bus 6 (PT03)
acpiprt9 at acpi0: bus 19 (PT04)
acpiprt10 at acpi0: bus 23 (PT06)
acpiprt11 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0xb000 0xcc400/0x4000! 0xd0400/0x1800 0xe6000/0x2000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 5000P Host" rev 0xb1
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 14
ppb4 at pci2 dev 2 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 17
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 18
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0xb1
pci7 at ppb6 bus 6
ciss0 at pci7 dev 0 function 0 "Hewlett-Packard Smart Array" rev 0x03: apic 8 int 18 (irq 10)
ciss0: 1 LD, HW rev 3, FW 4.12/4.12, 64bit fifo
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: <HP, LOGICAL VOLUME, 4.12> SCSI3 0/direct fixed
sd0: 139979MB, 512 bytes/sec, 286677120 sec total
ppb7 at pci0 dev 4 function 0 "Intel 5000 PCIE x8" rev 0xb1
pci8 at ppb7 bus 19
ppb8 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0xb1
pci9 at ppb8 bus 22
ppb9 at pci0 dev 6 function 0 "Intel 5000 PCIE x8" rev 0xb1
pci10 at ppb9 bus 23
ppb10 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0xb1
pci11 at ppb10 bus 26
pchb1 at pci0 dev 16 function 0 "Intel 5000 Error Reporting" rev 0xb1
pchb2 at pci0 dev 16 function 1 "Intel 5000 Error Reporting" rev 0xb1
pchb3 at pci0 dev 16 function 2 "Intel 5000 Error Reporting" rev 0xb1
pchb4 at pci0 dev 17 function 0 "Intel 5000 Reserved" rev 0xb1
pchb5 at pci0 dev 19 function 0 "Intel 5000 Reserved" rev 0xb1
pchb6 at pci0 dev 21 function 0 "Intel 5000 FBD" rev 0xb1
pchb7 at pci0
Lanner FW-8760 1U firewall platform.
Howdy folks, I thought some on the list might find this embedded bare bones 1U firewall product interesting. They claim it supports OpenBSD, has 8x Intel 82574L GbE (expandable to 16), a CF socket, 2x SATA and support for Intel Core i3, i5, and i7 processors up to 3.33GHz. Looks like it might have a serial console too... http://www.lannerinc.com/expansion/FW-8760 Cheers, Shane
Using OpenBSD with Amazon's Virtual Private Cloud, IPsec issue
Hi,

I'm trying to evaluate using OpenBSD with Amazon's Virtual Private Cloud as a "Customer Gateway" in their EC2-speak. What you need to do is create a tunnel to each of Amazon's two routers, use BGP to exchange routes across the tunnels and protect all the traffic with IPsec. I've got it mostly working, but I've hit an issue with the IPsec and I'm hoping someone might know what's going on.

I've made the various API calls as per the getting started guide [1] and have the configuration in the generic format, which you can see an example of in the network admin guide [2].

Assume my uplink address is 1.2.3.4 and I have a BGP ASN of 65023, my network is 192.168.23.0/24 and the remote network where my EC2 instances will appear is 10.0.0.0/24.

Here's what I've done. First create two gif(4) tunnels:

# ifconfig gif1 create
# ifconfig gif1 tunnel 1.2.3.4 72.21.209.225
# ifconfig gif1 169.254.255.2 169.254.255.1 prefixlen 32
# ifconfig gif2 create
# ifconfig gif2 tunnel 1.2.3.4 72.21.209.193
# ifconfig gif2 169.254.255.6 169.254.255.5 prefixlen 32

Add the following to /etc/ipsec.conf:

ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
        local 1.2.3.4 peer 72.21.209.225 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk XXX

ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
        local 1.2.3.4 peer 72.21.209.193 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk YYY

Run isakmpd and load those two tunnels:

# isakmpd -4 -K
# ipsecctl -f /etc/ipsec.conf

ipsecctl -s all confirms those are loaded and I can ping the two tunnel endpoints successfully. I've added pf rules to allow ESP and UDP 500 on the external interface and for now I'm skipping gif1, gif2 and enc0 to hopefully exclude pf as a potential source of any trouble.
Now I've created /etc/bgpd.conf:

AS 65023
router-id 1.2.3.4
listen on 127.0.0.1
listen on 169.254.255.2
listen on 169.254.255.6

group "amazon" {
        remote-as 7224
        holdtime 30
        holdtime min 30
        announce default-route
        announce IPv6 none
        announce IPv4 unicast
        neighbor 169.254.255.1 {
                local-address 169.254.255.2
        }
        neighbor 169.254.255.5 {
                local-address 169.254.255.6
        }
}

Fire up bgpd and confirm it's working:

# bgpctl show nexthop
Nexthop          State
169.254.255.5    valid    gif2  UP
169.254.255.1    valid    gif1  UP
# route -n get 10.0.0.0
   route to: 10.0.0.0
destination: 10.0.0.0
       mask: 255.255.255.0
    gateway: 169.254.255.6
  interface: gif2
 if address: 169.254.255.6
   priority: 48 (bgp)
      flags: <UP,GATEWAY,DONE>
     use       mtu    expire
      24         0         0

Now here's where I've got stuck. If I try and ping an EC2 instance from my network, I see the plain gif traffic leaving the external interface, and it gets dropped by the remote router as it's not protected with IPsec. This makes sense as there's no flow defined that will match that traffic, so I add two further tunnels to /etc/ipsec.conf:

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
        local 1.2.3.4 peer 72.21.209.225 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk XXX

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
        local 1.2.3.4 peer 72.21.209.193 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk YYY

Now, only the latter tunnel gets configured. I'm guessing this is because the from+to tuple is identical, so I'm configuring the same tunnel twice, just with a different peer and key. As long as the routing decides to use the tunnel that is configured between the second peer, everything works: I can ping and SSH to my EC2 instance. But if it switches to the tunnel configured between the first peer then it breaks. Is it possible to have both configured somehow?
Thanks
Matt

[1] http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
[2] http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
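An added check for the collision Matt describes (example code written for this page, not from the thread and not part of OpenBSD): the two rules for 192.168.23.0/24 to 10.0.0.0/24 differ only in `peer` and `psk`, so they describe the same flow twice and, as he observed, only the last one ends up loaded. The script below joins the backslash-continued rules of an ipsec.conf(5) file and reports every from/to selector that appears more than once, together with the peers involved, so the problem is visible before `ipsecctl -f` quietly keeps one of them. The embedded configuration is constructed from the rules in the post; the regex only understands the `ike`/`flow ... from ... to ... peer ...` keyword order used there.

```python
"""Report ipsec.conf(5) rules whose from/to selector is defined more than once.

Added example for the misc@ thread above; it is not OpenBSD code.  The
observation it builds on is the poster's: two ike rules with identical
from/to but different peers leave only the last one configured.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the rules in the post: one tunnel-endpoint
# rule plus the two colliding rules for the customer and VPC networks.
SAMPLE_IPSEC_CONF = r"""
# /etc/ipsec.conf (constructed sample, not a real configuration)
ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
        local 1.2.3.4 peer 72.21.209.225 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        srcid 1.2.3.4 \
        psk XXX

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
        local 1.2.3.4 peer 72.21.209.225 \
        srcid 1.2.3.4 \
        psk XXX

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
        local 1.2.3.4 peer 72.21.209.193 \
        srcid 1.2.3.4 \
        psk YYY
"""

# Matches the keyword order used in the post: kind ... from SRC to DST ... [peer PEER]
RULE_RE = re.compile(
    r"^(?P<kind>ike|flow)\s.*?\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:.*?\bpeer\s+(?P<peer>\S+))?"
)


def logical_lines(text):
    """Join backslash-newline continuations; drop blank lines and # comments."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        joined = " ".join(p for p in buf if p)
        buf = []
        if joined and not joined.startswith("#"):
            out.append(joined)
    if buf:  # file ended inside a continuation
        joined = " ".join(p for p in buf if p)
        if joined and not joined.startswith("#"):
            out.append(joined)
    return out


def parse_rules(text):
    """Return (kind, src, dst, peer) for each ike/flow rule; peer is None if absent."""
    rules = []
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("kind"), m.group("src"), m.group("dst"), m.group("peer")))
    return rules


def find_collisions(text):
    """Map (src, dst) -> [peer, ...] for every selector that is defined more than once."""
    peers = defaultdict(list)
    for _kind, src, dst, peer in parse_rules(text):
        peers[(src, dst)].append(peer)
    return {sel: p for sel, p in peers.items() if len(p) > 1}


def report(text):
    """One human-readable line per colliding selector."""
    lines = []
    for (src, dst), peers in sorted(find_collisions(text).items()):
        lines.append(
            f"flow {src} -> {dst} defined {len(peers)} times "
            f"(peers: {', '.join(str(p) for p in peers)}); "
            "only the last definition will be loaded"
        )
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPSEC_CONF
    for line in report(text):
        print(line)
```

Run it as `python3 ipsec_collisions.py /etc/ipsec.conf` before loading a changed configuration; with no argument it checks the embedded sample and reports the one collision from the post.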
Re: mute CARP with i386/4.6 on HP ProLiant DL380 G5
Hi,

r...@gins0 ~> grep pf /etc/rc.conf.local
pf=NO # Packet filter / NAT

switches are fine, and couldn't affect outgoing packets anyway.

/Pete

On 12. jan. 2010, at 12.55, Rogier Krieger wrote:
> On Tue, Jan 12, 2010 at 12:14, Pete Vickers p...@systemnet.no wrote:
> > Debugging shows that the carp master does not appear to transmit carp announcements:
>
> Neither does it seem to receive any announcements. A silly question: are you blocking CARP advertisements on the interfaces? Since a pf.conf output appears to be missing, that may be the issue.
>
> Another cause may be present in switches; on some of our older Cisco equipment a configuration with port security (if memory serves) caused us trouble. Try if a direct cable or dumb switch/hub lets packets flow if PF is not the source of the problem.
>
> All that is assuming that the basics were set up properly.
>
> Hope that helps,
> Rogier
>
> --
> If you don't know where you're going, any road will get you there.
Re: 4.6 reboots x336 ibm server(s)
I just joined this thread today, but had a similar issue with an IBM 305 machine.

On 4.5, it would randomly just shut down. No reason. Nothing in any logs; it was as if the power was pulled. I have 2 identical IBM 305 machines and it was happening on both, so that technically ruled out any specific hardware failure.

What I did notice (in the BIOS events) was that the IBM reported fan #1,2,3 loss. Something seemed to disrupt the fan speed to BIOS reporting and I suspect the machine powered down since it thought it was overheating? - I could go a day or 2 weeks. Very random.

4.6 hasn't done this (yet) and uptime has been over a month.

However, even though both IBMs are the same in every way, 4.6-REL will boot on machine #2 but I have no networking. If I use a 4.6-CUR snapshot, it comes up fine. That makes NO sense, yet another user reported the same exact thing.

--
J.D. Bronson
thinkpad x200 wireless 5100 old issue
Running 4.6 release.

Some time in summer I'd opened a thread about the Thinkpad x200 5100 wi-fi nic, of which here is the line from dmesg:

iwn0 at pci2 dev 0 function 0 "Intel WiFi Link 5100" rev 0x00: apic 1 int 17 (irq 11), MIMO 1T2R, MoW, address (omitted)

It turned out that the firmware is not perfect and the nic hangs very often and restarts working only by doing an 'ifconfig iwn0 down' and a subsequent 'up' (and it seems it has not been fixed in 4.6).

I used to restart the nic automatically with this script started in rc.local:

while true; do
        ping -v -c 1 -w 1 www.google.com | grep -q "100.0% packet loss"
        if [ ${?} -eq 0 ]
        then
                ifconfig iwn0 down
                ifconfig iwn0 up
        fi
        sleep 3
done

Everything was fine until yesterday, when, without any change from my part on the system, the 'ping' often does not give the 'packet loss' error and just hangs there, so the script (expecting the '100% packet loss') does not work.

Why is ping not giving me the expected error and just hanging there like this?:

~ $ ping -v -c 1 -w 1 www.google.com
(here is a blinking cursor)

Of course, if at this point I do a manual

ifconfig iwn0 down
ifconfig iwn0 up

it then works again.

tks
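An added variant of the watchdog above, written as an example for this page and not the poster's script: the loop in the post can only reset iwn0 if ping(8) exits, so a ping that blocks (the blinking cursor described) stalls the whole watchdog. The version below runs the probe under a hard deadline and treats a probe that times out the same as one that reports loss: both bounce the interface. The probe command, interface name and deadline are assumptions taken from the post; the reset action is a parameter so the decision logic can be exercised without root and without a network.

```python
"""Link watchdog whose probe cannot hang.

Added example for the misc@ thread above; not the poster's script and not
part of OpenBSD.  A probe that blocks past the deadline is killed and
treated as a dead link, so the reset still happens.
"""
import subprocess
import time

# Assumptions taken from the post, not facts about any particular system.
PROBE_CMD = ["ping", "-c", "1", "-w", "1", "www.google.com"]
IFACE = "iwn0"
DEADLINE = 5.0   # seconds the probe may take before we call it hung
INTERVAL = 3.0   # seconds between probes, as in the original loop


def probe(cmd=PROBE_CMD, deadline=DEADLINE):
    """Run the probe command under a hard deadline.

    Returns "up" when it exits 0, "down" on any non-zero exit (ping reports
    loss this way) and "hung" when it is still running at the deadline, in
    which case subprocess.run has already killed it.
    """
    try:
        completed = subprocess.run(
            cmd,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=deadline,
        )
    except subprocess.TimeoutExpired:
        return "hung"
    return "up" if completed.returncode == 0 else "down"


def reset_interface(iface):
    """Bounce the interface the same way the original script does (needs root)."""
    subprocess.run(["ifconfig", iface, "down"], check=False)
    subprocess.run(["ifconfig", iface, "up"], check=False)


def watchdog_step(cmd=PROBE_CMD, deadline=DEADLINE, iface=IFACE, reset=reset_interface):
    """One watchdog iteration. Returns (probe_state, interface_was_reset)."""
    state = probe(cmd, deadline)
    if state == "up":
        return state, False
    reset(iface)   # "down" and "hung" are both treated as a dead link
    return state, True


def run_forever(interval=INTERVAL):
    """Loop like the rc.local script, sleeping between probes."""
    while True:
        watchdog_step()
        time.sleep(interval)


if __name__ == "__main__":
    run_forever()
```

Started from rc.local as the original was, it behaves identically while ping exits normally; the difference is that a probe which neither answers nor exits is killed after DEADLINE seconds and counted as a failure, so the interface is still reset.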
Re: sasyncd syncs only newly created sad's
Hi again,

there is no feedback.. could someone who runs sasyncd check this for me? Please, just restart sasyncd on the slave (or master), and see if it syncs the SADs? This behaviour renders my redundant routers non-redundant. If I reboot the master, when it comes back and becomes master again, all VPN tunnels are down because no SADs are synced.

Thank you very much.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Mihajlo Manojlov
Sent: Wednesday, January 06, 2010 11:10 PM
To: misc@openbsd.org
Subject: sasyncd syncs only newly created sad's

Hi to all,

I have two carped boxes and I want to use sasyncd for vpn redundancy, but only newly created SADs get synced. For example, I reboot the slave box, and when it comes up again, sasyncd only sets flows, not the SADs. Maybe this is normal behaviour?

log from master:

Jan 6 21:59:23 openbsd1 sasyncd[25895]: net: peer 10.23.6.2 connected
Jan 6 21:59:23 openbsd1 sasyncd[25895]: net_ctl: peer 10.23.6.2 state change to SLAVE
Jan 6 21:59:25 openbsd1 sasyncd[25895]: monitor_get_pfkey_snap: got 2016 bytes SADB, 1392 bytes SPD
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_send_flush: sending FLUSH to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SADB data 020a00023f000200010088f180d710010303040004000200 15f7444b04000400 380404000300 b00403000500100259d44c6d 03000600100259d45bb205000a00 010038392e3231322e37362e3130392f3332 05000b00010038392e3231322e39312e3137382f3332 04000800a0009884229af8684722ecf09bfe79c0d8eef96b3cfb 04000900c000e73eb8f1c43d90bdfaf40fb3abfe879d28e74cf8e870dd0b01001400 0101010013000300150010020a00 030011001002ff00030016001002 0a070800030012001002ff00 0200210008007465737476706e00
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca800 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca9f8 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccabf0 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccade8 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SPD data 02121d0003000600100259d44c6d 010014000101010013000300150010020a00 030011001002ff0003001600 10020a070800030012001002ff00 05000a00010038392e3231322e39312e3137 382f333205000b00010038392e3231322e37 362e3130392f333202121d0003000600 100259d44c6d01001400030201001300 0300150010020a070800030011001002 ff000300160010020a00 030012001002ff0005000a000100 38392e3231322e39312e3137382f333205000b000100 38392e3231322e37362e3130392f33320212
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca1d0 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca2b8 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca3a0 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca488 len 232 to peer 10.23.6.2

It looks to me like everything is ok?

log from slave:

Jan 6 22:52:09 openbsd2 sasyncd[3384]: config: add peer 10.23.6.3
Jan 6 22:52:09 openbsd2 sasyncd[3384]: config: interface carp3
Jan 6 22:52:09 openbsd2 sasyncd[3384]: config: group carp
Jan 6 22:52:09 openbsd2 sasyncd[3384]: config: 32 byte shared hex key
Jan 6 22:52:09 openbsd2 sasyncd[3384]: config: shared key set
Jan 6 22:52:09 openbsd2 sasyncd[3384]: carp_init: initializing runstate to SLAVE
Jan 6 22:52:09 openbsd2 sasyncd[3384]: listening on 0.0.0.0 port 500 fd 6
Jan 6 22:52:09 openbsd2 sasyncd[3384]: net_connect: peer 10.23.6.3 connected, fd 7
Jan 6 22:52:09 openbsd2 sasyncd[26685]: net_ctl: peer 10.23.6.3 state change to MASTER
Re: Lanner FW-8760 1U firewall platform.
On Tue, 12 Jan 2010, SJP Lists wrote:
SNIP
> Looks like it might have a serial console too...

Just a heads-up: probably redirection of video to serial. Better than a sharp stick in the eye, but not a ROM monitor.
Re: Mini PCI Wireless Card
Hi,

what would you like to do with wifi? Do you want to build an access point, or do you just want to connect to a wifi network? On this link you can see which cards support Host AP mode:

http://zythmer.acyclic.org/articles/OpenBSD_4.3_wifi.html

For the Soekris image, I would recommend you install it yourself. All you have to do is boot the soekris with the card you wish to install to, check the C/H/S settings and write them down, then put the card in your PC, boot the OpenBSD cd, in disklabel set C/H/S to the values you read before, and then install like normal. I have done that on the pc-engines wrap box, but I think the same applies to soekris too.

bye

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Benjamin Adams
Sent: Tuesday, January 12, 2010 4:27 AM
To: Luis Useche
Cc: misc
Subject: Re: Mini PCI Wireless Card

Thanks will order one. Anyone have an img file for soekris net5501? Or where I can download one. Easier install.

Thanks
Ben

On Mon, Jan 11, 2010 at 9:45 PM, Luis Useche use...@gmail.com wrote:
> I'm using an Intel PRO/Wireless 3945ABG successfully.
>
> Luis
>
> On Mon, Jan 11, 2010 at 9:25 PM, Benjamin Adams freebsdwo...@gmail.com wrote:
> > Anyone know a good card with 4.6 support?
> >
> > Thanks
> > Ben
Re: can't get binat working
On 1/12/2010 7:02 PM, Wade, Daniel wrote:
> Do you have net.inet.ip.forwarding=1 set?

Yes. The machine actually acts as a router for some other networks. It has more interfaces in fact. I just showed the ones involved in binat.
Re: 4.6 reboots x336 ibm server(s)
I would try a -current but the 4.6-STABLE I have in use on Machine #1 has been running fine and I am not seeing reboots or unexpected shutdowns as the OP has been experiencing. The Machine #2 will only run -current and I can't figure that out when they are identical. I suspect 4.7 will run fine on both machines.. -- J.D. Bronson
Re: 4.6 reboots x336 ibm server(s)
On Tue, Jan 12, 2010 at 05:44:57AM -0600, J.D. Bronson wrote:
> I just joined this thread today, but had a similar issue with an IBM 305 machine. [...]
>
> However, even though both IBMs are the same in every way, 4.6-REL will boot on machine #2 but I have no networking. If I use a 4.6-CUR snapshot, it comes up fine. That makes NO sense, yet another user reported the same exact thing.
>
> --
> J.D. Bronson

Please try -current as of today (Jan 13, 2010 Melbourne time); there were a number of significant fixes committed in the last couple of days.

Ken
Yerevan, Armenia and OpenBSD Users
Hi, Are there any OpenBSD users in Yerevan, Armenia? For work reasons, I'm moving there in a few days for probably the best part of six months. I know absolutely no-one there so it would be good to go for a beer with someone (do they have beer in Armenia?) If there is anyone interested in meeting up, then feel free to get in touch via this email address. -mark P.S. I don't speak Armenian or Russian. And my dialect of C is hard to understand, even for me.
Happy new year and wish
Dear Good Lord, Santa Claus and all of you ;)

first, I wish you a happy new year ... 2010
second, thanks for openbsd ;)
third ... my wish list for next Christmas ... a good looking ... Puffy Droid :))) with blinking red eyes when fishing bad packets ... lol

Best regards
radioramax

ps: addon wish list: proof of program for core kernel ;)
Re: can't get binat working
On 1/12/2010 4:01 PM, Shohrukh Shoyoqubov wrote:
> On Tue, Jan 12, 2010 at 2:25 PM, Laurent CARON lca...@unix-scripts.info wrote:
> > On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote:
> > > I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. [...] I am just testing with this lab config and later I want to use binat to assign real IPs to DMZ machines.
> >
> > Hi,
> >
> > What are you *really* trying to achieve? Mapping public IPs to private ones?
>
> Yes

Do I need to set an alias IP (the mapped IP) for binat to work?
Re: can't get binat working
On 1/12/2010 9:03 PM, Jim Razmus wrote:
> * Shohrukh Shoyoqubov shohrukh.shoyoku...@gmail.com [100112 01:35]:
> > Hello,
> >
> > I am new to pf and I am trying to do binat but it is not working for some reason.
> >
> > fxp1 is the interface on subnet 192.168.0.0/24
> > vr0 is the interface on subnet 192.168.2.0/24
> >
> > Here is my pf.conf
> >
> > #left from the original pf.conf
> > set skip on lo
> > pass            # to establish keep-state
> > block in on ! lo0 proto tcp to port 6000:6010
> > #added by me
> > binat on fxp1 inet from 192.168.2.2 to any -> 192.168.0.253
> >
> > I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I assume that should make 192.168.0.253 visible in the 192.168.0.0/24 subnet, but it is not. I can't reach it from the 192.168.0.0/24 subnet. I am just testing with this lab config and later I want to use binat to assign real IPs to DMZ machines.
> >
> > I believe I am missing something obvious. Any ideas?
> >
> > Thank you,
> > Shohrukh
>
> If you're tracking -current, read this:
> http://www.openbsd.org/faq/current.html#20090901
>
> jim

Thanks. Good to know ahead :)

I am using 4.6 release. It uses the 'old-style' nat. The match based rules are only in -current and gonna be in 4.7, right?

shohrukh
Re: problems with emails through pf
Thanks Robert and Peter.

Robert wrote:
> You probably are using an uplink with a MTU lower than 1500.

Peter wrote:
> match in all scrub (no-df max-mss 1440)
> the problem went away.
> tcpdump output of successful and failing connections would be instructive, along with the actual error messages, if any.

Setting the maximum segment size to a smaller number seems to have helped noticeably on my ADSL connection. What should one look for in the tcpdump output? Here is the tail end of a timed out connection to a web server.

Regards,
/Lars

17:40:58.051513 upload.esams.wikimedia.org.www > foo.54960: F 1474:1474(0) ack 530 win 14 <nop,nop,timestamp 1674149461 2201021415> (DF)
17:40:58.051988 foo.50486 > upload.esams.wikimedia.org.www: . ack 12226 win 16384 <nop,nop,timestamp 3093236957 1674149461>
17:40:58.052006 foo.54960 > upload.esams.wikimedia.org.www: . ack 1475 win 16384 <nop,nop,timestamp 2201021534 1674149461>
17:41:09.729879 foo.63952 > upload.esams.wikimedia.org.www: F 542:542(0) ack 851 win 16384 <nop,nop,timestamp 507798705 1674149461>
17:41:09.729897 foo.50486 > upload.esams.wikimedia.org.www: F 487:487(0) ack 12226 win 16384 <nop,nop,timestamp 3093236980 1674149461>
17:41:09.729955 foo.54960 > upload.esams.wikimedia.org.www: F 530:530(0) ack 1475 win 16384 <nop,nop,timestamp 2201021557 1674149461>
17:41:09.781579 upload.esams.wikimedia.org.www > foo.63952: . ack 543 win 14 <nop,nop,timestamp 1674150634 507798705> (DF)
17:41:09.783580 upload.esams.wikimedia.org.www > foo.50486: . ack 488 win 14 <nop,nop,timestamp 1674150634 3093236980> (DF)
17:41:09.783596 upload.esams.wikimedia.org.www > foo.54960: . ack 531 win 14 <nop,nop,timestamp 1674150635 2201021557> (DF)
Re: 4.6 reboots x336 ibm server(s)
2010/1/12 Kenneth R Westerback kwesterb...@rogers.com:
> Please try -current as of today (Jan 13, 2010 Melbourne time); there were a number of significant fixes committed in the last couple of days.

Hi,

I tried current - the good news is the problem with the freeze at startup is gone - the kernel boots immediately. However, it hangs later on, just after printing out the following lines:

pci0 at mainbus0 bus 0: configuration mode 1 (bios)
mem address conflict 0xff00/0x1000
pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
"Intel E7520 Error Reporting" rev 0x0c at pci0 dev 0 function 1 not configured
ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c

Thanks,
Marcin
Re: mute CARP with i386/4.6 on HP ProLiant DL380 G5
pete - pls send /etc/hostname.carp0 from the other machine.

On Jan 12, 2010, at 3:14 AM, Pete Vickers wrote:
> Hi,
>
> Whilst setting up a H/A service on a pair of RELEASE 4.6/i386 (+ bind/ssl patches) machines, I observe that both become carp master concurrently. Debugging shows that the carp master does not appear to transmit carp announcements:
>
> [config and dmesg quoted in full in the original message above]
Re: problems with emails through pf
Hi everyone.

I tried with max-mss 1440 and this really solved my problem. Thanks everyone.

I didn't find tcpdump in the packages repo, and when I use ntop, somehow my net.inet.ip.forwarding is set to 0! Is it available via ports, I guess?

Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarne...@veltrac.com.br
http://www.veltrac.com.br/
Fone Com.: (43)2105-5601
R. Para 162 - CENTRO
Londrina - PR
Cep: 86010-450

Lars Nooden wrote:

Thanks Robert and Peter.

Robert wrote: You probably are using an uplink with a MTU lower than 1500.

Peter wrote: match in all scrub (no-df max-mss 1440) the problem went away. tcpdump output of successful and failing connections would be instructive, along with the actual error messages, if any.

Setting the maximum segment size to a smaller number seems to have helped noticeably on my ADSL connection. What should one look for in the tcpdump output? Here is the tail end of a timed out connection to a web server.

Regards,
/Lars

17:40:58.051513 upload.esams.wikimedia.org.www > foo.54960: F 1474:1474(0) ack 530 win 14 <nop,nop,timestamp 1674149461 2201021415> (DF)
17:40:58.051988 foo.50486 > upload.esams.wikimedia.org.www: . ack 12226 win 16384 <nop,nop,timestamp 3093236957 1674149461>
17:40:58.052006 foo.54960 > upload.esams.wikimedia.org.www: . ack 1475 win 16384 <nop,nop,timestamp 2201021534 1674149461>
17:41:09.729879 foo.63952 > upload.esams.wikimedia.org.www: F 542:542(0) ack 851 win 16384 <nop,nop,timestamp 507798705 1674149461>
17:41:09.729897 foo.50486 > upload.esams.wikimedia.org.www: F 487:487(0) ack 12226 win 16384 <nop,nop,timestamp 3093236980 1674149461>
17:41:09.729955 foo.54960 > upload.esams.wikimedia.org.www: F 530:530(0) ack 1475 win 16384 <nop,nop,timestamp 2201021557 1674149461>
17:41:09.781579 upload.esams.wikimedia.org.www > foo.63952: . ack 543 win 14 <nop,nop,timestamp 1674150634 507798705> (DF)
17:41:09.783580 upload.esams.wikimedia.org.www > foo.50486: . ack 488 win 14 <nop,nop,timestamp 1674150634 3093236980> (DF)
17:41:09.783596 upload.esams.wikimedia.org.www > foo.54960: . ack 531 win 14 <nop,nop,timestamp 1674150635 2201021557> (DF)
Re: mute CARP with i368/4.6 on HP ProLiant DL380 G5
this is with the other machine powered off, so its config is irrelevant.

On 12 Jan 2010 at 17:08, Ben Calvert b...@flyingwalrus.net wrote:

pete - pls send /etc/hostname.carp0 from the other machine.
Re: problems with emails through pf
Ignore. I just found that tcpdump comes with the system.

Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarne...@veltrac.com.br
OpenBGPD AS Filtering
Hello,

Are there any plans afoot to enable more flexibility when specifying ASN filters in bgpd.conf? Unless I've missed something important in the man page, there's no way to turn:

deny from any AS {64512,64513,64514,64515,64516, /** BIG SNIP **/ 65528,65529,65530,65531,65532,65533,65534}

into

deny from any AS {64512-65534}

The unwieldy nature of the present syntax only gets worse with 32-bit ASNs, which suddenly takes us from a 1022 ASN list (or more if you are pedantic and include RFC5398 64496-64511 and 65535) to many more if you include presently unallocated ranges (e.g. 394240-4294967294).

Surely I cannot be the only one facing this issue?

Other than that, keep up the good work!

Ben
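Until the filter syntax grows a range form, the list has to be generated rather than typed. The Python script below is an added example, not from the post or from OpenBGPD: it expands ASN ranges into the deny from any AS {...} form exactly as the post writes it, one rule per chunk so no single line becomes absurd, and refuses ranges outside the 32-bit ASN space or so large that spelling them out is pointless (the 394240-4294967294 range mentioned above is the obvious case). The comma-separated list inside the braces copies the post's own example and is not checked against bgpd.conf(5) here.

```python
"""Expand ASN ranges into the spelled-out list form the bgpd.conf filter
in the post uses.

Added example; not code from the post or from OpenBGPD. The rule text
mirrors the post's "deny from any AS {a,b,c}" syntax and one rule is
emitted per chunk of ASNs; nonsense ranges are refused.
"""

MAX_ASN = 4294967295        # last value in the 32-bit ASN space
DEFAULT_LIMIT = 100000      # refuse to spell out more ASNs than this


def expand_ranges(ranges, limit=DEFAULT_LIMIT):
    """Return the sorted, de-duplicated ASNs covered by [(lo, hi), ...]."""
    asns = set()
    for lo, hi in ranges:
        if not (0 <= lo <= hi <= MAX_ASN):
            raise ValueError("bad ASN range %d-%d" % (lo, hi))
        # Size check before expanding, so a huge range fails fast
        # instead of eating memory (overlaps make this conservative).
        if len(asns) + (hi - lo + 1) > limit:
            raise ValueError("range %d-%d would expand past %d entries; "
                             "list syntax cannot express it" % (lo, hi, limit))
        asns.update(range(lo, hi + 1))
    return sorted(asns)


def deny_rules(ranges, per_rule=50):
    """One 'deny from any AS {...}' rule per chunk of per_rule ASNs."""
    asns = expand_ranges(ranges)
    return ["deny from any AS {%s}" % ",".join(str(a) for a in asns[i:i + per_rule])
            for i in range(0, len(asns), per_rule)]


if __name__ == "__main__":
    # RFC 5398 documentation ASNs, the 16-bit private range and 65535,
    # the three ranges named in the post.
    for rule in deny_rules([(64496, 64511), (64512, 65534), (65535, 65535)]):
        print(rule)
```

Run as is, it prints 21 rules covering 64496 through 65535; feed the output into bgpd.conf and reload, and adjust per_rule if you prefer fewer, longer lines.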
Re: sasyncd syncs only newly created sad's
Hi Mihajlo

Yes, this feature (re-synchronization after master failure) has been missing from the day sasyncd came out (http://archives.neohapsis.com/archives/openbsd/2005-09/0818.html). When I gave that speech in Switzerland (the one you found the PDF of), I was confident that it would be implemented within a couple of months or so ... the whole thing being a sponsored development, I figured that the sponsor would want this program to be usable. But, alas, it wasn't. Pity, really.

With a little more time at my hands and a little more wit in my brains I would love to pick this up. It would be SUCH a killer application. Hakan Olsson, the original developer, did once say he would look into it, but I haven't heard of him since.

krgds sorrynohelphere
/markus

Mihajlo Manojlov wrote:

Hi again, there is no feedback.. could someone who runs sasyncd check this for me? Please, just restart sasyncd on slave (or master), and see if it syncs the SADs? This behaviour renders my redundant routers non redundant. If I reboot master, when it comes back and becomes master again, all VPN tunnels are down because no SADs are synced.

Thank you very much.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Mihajlo Manojlov
Sent: Wednesday, January 06, 2010 11:10 PM
To: misc@openbsd.org
Subject: sasyncd syncs only newly created sad's

Hi to all,

I have two carped boxes and I want to use sasyncd for vpn redundancy, but only newly created SADs get synced. For example, I reboot the slave box, and when it comes up again, sasyncd only sets flows, not the SADs. Maybe this is normal behaviour?

log from master:

Jan 6 21:59:23 openbsd1 sasyncd[25895]: net: peer 10.23.6.2 connected
Jan 6 21:59:23 openbsd1 sasyncd[25895]: net_ctl: peer 10.23.6.2 state change to SLAVE
Jan 6 21:59:25 openbsd1 sasyncd[25895]: monitor_get_pfkey_snap: got 2016 bytes SADB, 1392 bytes SPD
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_send_flush: sending FLUSH to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SADB data 020a00023f000200010088f180d710010303040004000200 15f7444b04000400 380404000300 b00403000500100259d44c6d 03000600100259d45bb205000a00 010038392e3231322e37362e3130392f3332 05000b00010038392e3231322e39312e3137382f3332 04000800a0009884229af8684722ecf09bfe79c0d8eef96b3cfb 04000900c000e73eb8f1c43d90bdfaf40fb3abfe879d28e74cf8e870dd0b01001400 0101010013000300150010020a00 030011001002ff00030016001002 0a070800030012001002ff00 0200210008007465737476706e00
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca800 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca9f8 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccabf0 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccade8 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: SPD data 02121d0003000600100259d44c6d 010014000101010013000300150010020a00 030011001002ff0003001600 10020a070800030012001002ff00 05000a00010038392e3231322e39312e3137 382f333205000b00010038392e3231322e37 362e3130392f333202121d0003000600 100259d44c6d01001400030201001300 0300150010020a070800030011001002 ff000300160010020a00 030012001002ff0005000a000100 38392e3231322e39312e3137382f333205000b000100 38392e3231322e37362e3130392f33320212
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca1d0 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca2b8 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]:
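One way to see, from the master's log alone, whether a reconnecting peer actually received SAs and not just flows. The Python script below is an added example, not code from the thread or from OpenBSD: it recognises only the message shapes visible in Mihajlo's log above (peer connected, state change, pfkey_snapshot sync SA/FLOW) and counts what was pushed to each peer. The log embedded in it is Mihajlo's, plus an invented second peer 10.23.6.3 that was sent flows only, to show how the symptom he describes would look in this summary.

```python
"""Summarize, per peer, what sasyncd reported pushing in its syslog lines.

Added example for this thread; not code from the thread or from OpenBSD.
Only the message shapes seen in the log above are recognised; anything
else is ignored. A peer with flows but zero SAs after a failover is the
symptom described in the post.
"""
import re
from collections import defaultdict

_SYNC = re.compile(r"pfkey_snapshot: sync (SA|FLOW) 0x[0-9a-f]+ len (\d+) to peer (\S+)")
_STATE = re.compile(r"peer (\S+) state change to (\w+)")
_CONNECTED = re.compile(r"net: peer (\S+) connected")

# Constructed sample: the master's lines from the post (peer 10.23.6.2),
# followed by an invented snapshot to peer 10.23.6.3 that carried flows only.
SAMPLE_LOG = """\
Jan 6 21:59:23 openbsd1 sasyncd[25895]: net: peer 10.23.6.2 connected
Jan 6 21:59:23 openbsd1 sasyncd[25895]: net_ctl: peer 10.23.6.2 state change to SLAVE
Jan 6 21:59:25 openbsd1 sasyncd[25895]: monitor_get_pfkey_snap: got 2016 bytes SADB, 1392 bytes SPD
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_send_flush: sending FLUSH to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca800 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88cca9f8 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccabf0 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync SA 0x88ccade8 len 504 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca1d0 len 232 to peer 10.23.6.2
Jan 6 21:59:25 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca2b8 len 232 to peer 10.23.6.2
Jan 6 22:10:02 openbsd1 sasyncd[25895]: net: peer 10.23.6.3 connected
Jan 6 22:10:02 openbsd1 sasyncd[25895]: net_ctl: peer 10.23.6.3 state change to SLAVE
Jan 6 22:10:04 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca000 len 232 to peer 10.23.6.3
Jan 6 22:10:04 openbsd1 sasyncd[25895]: pfkey_snapshot: sync FLOW 0x88cca0e8 len 232 to peer 10.23.6.3
"""


def _new_peer():
    return {"state": None, "sa": 0, "flow": 0, "sa_bytes": 0}


def summarize_sasyncd_log(lines):
    """Map peer address -> {state, sa, flow, sa_bytes} from sasyncd log lines."""
    peers = defaultdict(_new_peer)
    for line in lines:
        if "sasyncd[" not in line:
            continue                      # some other daemon's line
        m = _SYNC.search(line)
        if m:
            kind, length, peer = m.groups()
            peers[peer][kind.lower()] += 1
            if kind == "SA":
                peers[peer]["sa_bytes"] += int(length)
            continue
        m = _STATE.search(line)
        if m:
            peers[m.group(1)]["state"] = m.group(2)
            continue
        m = _CONNECTED.search(line)
        if m:
            _ = peers[m.group(1)]         # record the peer even if nothing was synced
    return dict(peers)


def peers_missing_sas(summary):
    """Peers that were sent flows (SPD) but not a single SA: the post's symptom."""
    return sorted(p for p, s in summary.items() if s["flow"] and not s["sa"])


if __name__ == "__main__":
    summary = summarize_sasyncd_log(SAMPLE_LOG.splitlines())
    for peer, s in summary.items():
        print("%s state=%s SAs=%d (%d bytes) flows=%d" % (peer, s["state"], s["sa"], s["sa_bytes"], s["flow"]))
    print("peers with flows but no SAs:", peers_missing_sas(summary))
```

For the peer in the post the four SA pushes add up to 2016 bytes, the same figure monitor_get_pfkey_snap reports for the SADB, which is a useful cross-check that nothing was dropped between the snapshot and the send; run the script over /var/log/daemon after a failover and compare the counts on both boxes.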
Re: 4.6 reboots x336 ibm server(s)
On Tue, Jan 12, 2010 at 6:05 PM, Marcin mig...@gmail.com wrote:

I tried current - the good news is the problem with freeze at startup is gone - kernel boots immediately. However, it hangs later on just after printing out following lines:

pci0 at mainbus0 bus 0: configuration mode 1 (bios)
mem address conflict 0xff00/0x1000
pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
"Intel E7520 Error Reporting" rev 0x0c at pci0 dev 0 function 1 not configured
ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c

Yup, same error here, precisely at that line. Just to confirm that we have the same issue, can you try disabling ppb* on boot -c then see if it goes to the login prompt?

Cheers,
Steph
Any good/bad experiences on OpenBSD4.6-release Dell R(2|4|6)10 or HP DL320 G6
Hello (again),

I'm planning to buy a couple of lower end servers for a PF VPN termination of a small network. Does anyone have any comments on OpenBSD 4.6-release on Dell R210/410/610 or HP DL320 G6?

Looking back through the archives, it seems people's experiences when using OpenBSD-release on lower end servers was a bit patchy, although some seemed to resolve it by using -current instead. However there has not been much talk recently (unless I've missed it!) of 4.6 experiences and/or more recent servers.

Looking forward to your feedback.
Re: can't get binat working
On 2010-01-12, Shohrukh Shoyoqubov shohrukh.shoyoku...@gmail.com wrote:

On 1/12/2010 4:01 PM, Shohrukh Shoyoqubov wrote:

On Tue, Jan 12, 2010 at 2:25 PM, Laurent CARON lca...@unix-scripts.info wrote:

On 12/01/2010 07:19, Shohrukh Shoyoqubov wrote: I want all traffic to 192.168.0.253 to be forwarded to 192.168.2.2. I assume that should make 192.168.0.253 visible in 192.168.0.0/24 subnet, but it is not. I can't reach it from 192.168.0.0/24 subnet. I am just testing with this lab config and later, I want to use binat to assign real IPs to DMZ machines.

Hi, What are you *really* trying to achieve? Mapping public IPs to private ones?

Yes

Do I need to set an alias IP (the mapped IP) for binat to work?

Technically not, you just need 'some way' to get other hosts to send you traffic for that address. Could be proxy arp, could be route table entries (static or routing protocols), but in practice adding an alias IP is usually what you want.
Re: Using OpenBSD with Amazon's Virtual Private Cloud, IPsec issue
Their examples are using route-based VPNs (http://kb.juniper.net/KB4124, RFC3884), I'm not sure whether this is entirely possible here with our ipsec (policy-based), but you could try setting up tunnels between the gif tunnel endpoints i.e. 1.2.3.4 and 72.21.209.225, and a second between 1.2.3.4 and 72.21.209.193. These would take the place of the tunnels between 192.168.23/24 and 10/24 (traffic between these networks would be routed in the usual way, taking the gif interfaces as point-to-point links).

On 2010-01-12, Matt Dainty m...@bodgit-n-scarper.com wrote:

Hi,

I'm trying to evaluate using OpenBSD with Amazon's Virtual Private Cloud as a Customer Gateway in their EC2-speak. What you need to do is create a tunnel to each of Amazon's two routers, use BGP to exchange routes across the tunnels and protect all the traffic with IPsec. I've got it mostly working, but I've hit an issue with the IPsec and I'm hoping someone might know what's going on.

I've made the various API calls as per the getting started guide [1] and have the configuration in the generic format which you can see an example of in the network admin guide [2]. Assume my uplink address is 1.2.3.4 and I have a BGP ASN of 65023, my network is 192.168.23.0/24 and the remote network where my EC2 instances will appear is 10.0.0.0/24.

Here's what I've done, first create two gif(4) tunnels:

# ifconfig gif1 create
# ifconfig gif1 tunnel 1.2.3.4 72.21.209.225
# ifconfig gif1 169.254.255.2 169.254.255.1 prefixlen 32
# ifconfig gif2 create
# ifconfig gif2 tunnel 1.2.3.4 72.21.209.193
# ifconfig gif2 169.254.255.6 169.254.255.5 prefixlen 32

Add the following to /etc/ipsec.conf:

ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
    local 1.2.3.4 peer 72.21.209.225 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk XXX

ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
    local 1.2.3.4 peer 72.21.209.193 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk YYY

Run isakmpd and load those two tunnels:

# isakmpd -4 -K
# ipsecctl -f /etc/ipsec.conf

ipsecctl -s all confirms those are loaded and I can ping the two tunnel endpoints successfully. I've added pf rules to allow ESP and UDP 500 on the external interface and for now I'm skipping gif1, gif2 and enc0 to hopefully exclude pf as a potential source of any trouble.

Now I've created /etc/bgpd.conf

AS 65023
router-id 1.2.3.4
listen on 127.0.0.1
listen on 169.254.255.2
listen on 169.254.255.6

group amazon {
	remote-as 7224
	holdtime 30
	holdtime min 30
	announce default-route
	announce IPv6 none
	announce IPv4 unicast
	neighbor 169.254.255.1 {
		local-address 169.254.255.2
	}
	neighbor 169.254.255.5 {
		local-address 169.254.255.6
	}
}

Fire up bgpd and confirm it's working:

# bgpctl show nexthop
Nexthop          State
169.254.255.5    valid  gif2  UP
169.254.255.1    valid  gif1  UP

# route -n get 10.0.0.0
   route to: 10.0.0.0
destination: 10.0.0.0
       mask: 255.255.255.0
    gateway: 169.254.255.6
  interface: gif2
 if address: 169.254.255.6
   priority: 48 (bgp)
      flags: <UP,GATEWAY,DONE>
     use       mtu    expire
      24         0         0

Now here's where I've got stuck.

If I try and ping an EC2 instance from my network, I see the plain gif traffic leaving the external interface and it gets dropped by the remote router as it's not protected with IPsec. This makes sense as there's no flow defined that will match that traffic, so I add two further tunnels to /etc/ipsec.conf:

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
    local 1.2.3.4 peer 72.21.209.225 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk XXX

ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
    local 1.2.3.4 peer 72.21.209.193 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk YYY

Now, only the latter tunnel gets configured, I'm guessing this is because the from+to tuple is identical so I'm configuring the same tunnel twice just with a different peer and key. As long as the routing decides to use the tunnel that is configured between the second peer, everything works, I can ping and SSH to my EC2 instance, but if it switches to the tunnel configured between the first peer then it breaks.

Is it possible to have both configured somehow?

Thanks
Matt

[1] http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
[2] http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
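What Matt ran into with the second pair of rules is a collision on the flow selector: both say from 192.168.23.0/24 to 10.0.0.0/24, flows are keyed on that pair, and so the later rule replaces the earlier one instead of sitting beside it. The Python script below is an added example, not code from the post or from OpenBSD: it parses the subset of ipsec.conf(5) syntax used above (one ike rule per logical line, backslash continuations, # comments, no brace-grouped selectors) and reports every from/to pair that is configured for more than one peer. The rules emb
edded in it are the post's own four, with placeholder PSKs.

```python
"""Report ipsec.conf 'ike' rules whose from/to selectors collide.

Added example; not code from the post or from OpenBSD. Handles only the
syntax subset used in the post: 'ike ... from X to Y ... peer Z' rules,
backslash line continuations and '#' comments. Brace-grouped selectors
({ a b }) are not parsed.
"""
import re
from collections import defaultdict

# Constructed sample: the four rules from the post, with placeholder PSKs.
SAMPLE_IPSEC_CONF = r"""
ike dynamic esp from 169.254.255.2 to 169.254.255.1 \
    local 1.2.3.4 peer 72.21.209.225 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk XXX
ike dynamic esp from 169.254.255.6 to 169.254.255.5 \
    local 1.2.3.4 peer 72.21.209.193 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 1.2.3.4 \
    psk YYY
# the two rules that collide on the selector
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
    local 1.2.3.4 peer 72.21.209.225 \
    psk XXX
ike dynamic esp from 192.168.23.0/24 to 10.0.0.0/24 \
    local 1.2.3.4 peer 72.21.209.193 \
    psk YYY
"""

# 'from', 'to' or 'peer' followed by whitespace and one token.
_KEYS = re.compile(r"\b(from|to|peer)\s+(\S+)")


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():                      # file ended on a continuation line
        out.append(" ".join(buf.split()))
    return out


def parse_ike_rules(text):
    """One dict {from, to, peer, line} per 'ike' rule in the text."""
    rules = []
    for line in logical_lines(text):
        if not line.startswith("ike "):
            continue
        fields = dict(_KEYS.findall(line))
        rules.append({"from": fields.get("from"), "to": fields.get("to"),
                      "peer": fields.get("peer"), "line": line})
    return rules


def find_selector_collisions(text):
    """(from, to) pairs configured for more than one peer, with their peers."""
    groups = defaultdict(list)
    for rule in parse_ike_rules(text):
        groups[(rule["from"], rule["to"])].append(rule["peer"])
    return {sel: peers for sel, peers in groups.items() if len(peers) > 1}


if __name__ == "__main__":
    for (src, dst), peers in find_selector_collisions(SAMPLE_IPSEC_CONF).items():
        print("from %s to %s is configured for %d peers: %s"
              % (src, dst, len(peers), ", ".join(peers)))
```

Run against the real file (python3 check.py < /etc/ipsec.conf after replacing the embedded sample) before ipsecctl -f; a hit means the last rule wins and the others silently never load, which is exactly the half-working state described above.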
Re: problems with emails through pf
Peter N. M. Hansteen wrote:

lscarne...@veltrac.com.br writes:

My script is very simple (as you will see below), but by some reason, my machines behind the firewall can't send large emails, or emails with attached files.

You don't offer any details of the other parts of the mail handling setup, but my first suspect would be content filtering of some kind that kicks in noticeably only when there are attachments to be deciphered.

My other suspect is that "match in all scrub (no-df)" somehow tickles the receiving end the wrong way. Others have reported to me privately that going from 4.4 and "scrub in all" to 4.6 and "match in all scrub (reassemble tcp)" worked OK on most traffic, but slowed down some https traffic horribly. Then some apparently random experimentation led to trying different max-mss values and with "match in all scrub (no-df max-mss 1440)" the problem went away.

tcpdump output of successful and failing connections would be instructive, along with the actual error messages, if any.

- P

I too have this feeling that things somehow got really slow since scrub went away and match in scrub came. I'm using "match in all scrub (no-df max-mss 1440)" but some pages get weird TCP DUP ACKs, OUT-OF-ORDER packets and "Previous Segment Lost" (Wireshark slang). Wikipedia is such a page for example - takes about 10 seconds to load sometimes. I don't think I had this with 4.5. I'm running an Alix 2c3 board, with pppoe to DSL.

OpenBSD 4.6-current (GENERIC) #452: Thu Dec 10 15:52:44 MST 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80<clock_battery>
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 268009472 (255MB)
avail mem = 251064320 (239MB)
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/27/08, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:12:6b:04
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:12:6b:05
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:12:6b:06
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
ath0 at pci0 dev 12 function 0 "Atheros AR2413" rev 0x01: irq 9
ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:1d:0f:af:98:88
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 0, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFX3-2048>
wd0: 4-sector PIO, LBA, 1953MB, 4001760 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported
Re: problems with emails through pf
Dirk Mast wrote:

Peter N. M. Hansteen wrote: the problem went away. tcpdump output of successful and failing connections would be instructive, along with the actual error messages, if any.

Request to wiki (see those long timestamps), hope this helps.

Jan 12 23:22:06.181513 PPPoE code Session, version 1, type 1, id 0x0580, length 114 IP: 195.50.140.178.53 > x.x.x.x.18336: 26867 2/0/1 CNAME rr.esams.wikimedia.org., A 91.198.174.2 (84)
Jan 12 23:22:06.184287 PPPoE code Session, version 1, type 1, id 0x0580, length 62 IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) win 5840 <mss 1460,sackOK,timestamp 6393340 0,nop,wscale 7> (DF)
Jan 12 23:22:09.182870 PPPoE code Session, version 1, type 1, id 0x0580, length 62 IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) win 5840 <mss 1460,sackOK,timestamp 6394090 0,nop,wscale 7> (DF)
Jan 12 23:22:15.182651 PPPoE code Session, version 1, type 1, id 0x0580, length 62 IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) win 5840 <mss 1460,sackOK,timestamp 6395590 0,nop,wscale 7> (DF)
Jan 12 23:22:15.700298 PPPoE code Session, version 1, type 1, id 0x0580, length 62 IP: 91.198.174.2.80 > x.x.x.x.51519: S 4264277910:4264277910(0) ack 126511393 win 5792 <mss 1460,sackOK,timestamp 1676557187 6393340,nop,wscale 9> (DF)
Jan 12 23:22:15.700652 PPPoE code Session, version 1, type 1, id 0x0580, length 54 IP: x.x.x.x.51519 > 91.198.174.2.80: . ack 1 win 46 <nop,nop,timestamp 6395719 1676557187> (DF)
Jan 12 23:22:15.700784 PPPoE code Session, version 1, type 1, id 0x0580, length 507 IP: x.x.x.x.51519 > 91.198.174.2.80: P 1:454(453) ack 1 win 46 <nop,nop,timestamp 6395719 1676557187> (DF)
Jan 12 23:22:16.387740 PPPoE code Session, version 1, type 1, id 0x0580, length 449 IP: 91.198.174.2.80 > x.x.x.x.51519: P 1:396(395) ack 454 win 14 <nop,nop,timestamp 1676557256 6395719> (DF)
Jan 12 23:22:16.388127 PPPoE code Session, version 1, type 1, id 0x0580, length 54 IP: x.x.x.x.51519 > 91.198.174.2.80: . ack 396 win 54 <nop,nop,timestamp 6395891 1676557256> (DF)
Jan 12 23:22:16.399542 PPPoE code Session, version 1, type 1, id 0x0580, length 77 IP: x.x.x.x.38781 > 195.50.140.178.53: 14313+% [1au] A? bits.wikimedia.org. (47)
Jan 12 23:22:16.421172 PPPoE code Session, version 1, type 1, id 0x0580, length 141 IP: 195.50.140.178.53 > x.x.x.x.38781: 14313 3/0/1 CNAME bits-geo.wikimedia.org., CNAME[|domain]
Jan 12 23:22:16.422460 PPPoE code Session, version 1, type 1, id 0x0580, length 83 IP: x.x.x.x.24926 > 195.50.140.178.53: 2994+% [1au] A? bits.esams.wikimedia.org. (53)
Jan 12 23:22:16.444376 PPPoE code Session, version 1, type 1, id 0x0580, length 99
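Lars asked earlier in this thread what to look for in the tcpdump output, and Dirk's trace shows it in the SYN exchange: both ends advertise mss 1460, the value for a 1500-byte Ethernet MTU, while a PPPoE uplink carries only 1492 bytes. The Python script below is an added example, not code from the thread or from OpenBSD; it pulls the advertised MSS out of SYN and SYN-ACK lines in the tcpdump format shown above and flags connections whose MSS is larger than a given path MTU can carry, which is where a DF-marked full-size segment silently disappears. The sample lines embedded in it reproduce Dirk's SYN, SYN-ACK and first ACK with tcpdump's usual > and <...> markers; the 8-byte PPPoE overhead and the 40-byte IPv4+TCP header size are the only assumptions.

```python
"""Pull advertised TCP MSS values out of tcpdump SYN lines and compare
them with what an uplink's path MTU can carry.

Added example for this thread; not code from the thread or from OpenBSD.
Assumes IPv4 with 20-byte IP and 20-byte TCP headers, and a PPPoE uplink
that takes 8 bytes out of a 1500-byte Ethernet MTU.
"""
import re

IPV4_TCP_HEADERS = 40              # 20 bytes IPv4 + 20 bytes TCP, no options
PPPOE_OVERHEAD = 8                 # 6 bytes PPPoE header + 2 bytes PPP protocol id
PPPOE_MTU = 1500 - PPPOE_OVERHEAD  # 1492

# Constructed sample: Dirk's SYN, SYN-ACK and first ACK from the trace
# above, with tcpdump's '>' and '<...>' markers restored.
SAMPLE_TRACE = [
    "Jan 12 23:22:06.184287 PPPoE code Session, version 1, type 1, id 0x0580, "
    "length 62 IP: x.x.x.x.51519 > 91.198.174.2.80: S 126511392:126511392(0) "
    "win 5840 <mss 1460,sackOK,timestamp 6393340 0,nop,wscale 7> (DF)",
    "Jan 12 23:22:15.700298 PPPoE code Session, version 1, type 1, id 0x0580, "
    "length 62 IP: 91.198.174.2.80 > x.x.x.x.51519: S 4264277910:4264277910(0) "
    "ack 126511393 win 5792 <mss 1460,sackOK,timestamp 1676557187 6393340,nop,wscale 9> (DF)",
    "Jan 12 23:22:15.700652 PPPoE code Session, version 1, type 1, id 0x0580, "
    "length 54 IP: x.x.x.x.51519 > 91.198.174.2.80: . ack 1 win 46 "
    "<nop,nop,timestamp 6395719 1676557187> (DF)",
]

# src, optional '>', dst ending in ':', the S flag, then the mss option.
# The '>' is optional so the archived copy above (markers stripped) parses too.
_SYN = re.compile(
    r"(?P<src>[\w.\-]+)\s+(?:>\s+)?(?P<dst>[\w.\-]+):\s+S\b.*?\bmss\s+(?P<mss>\d+)"
)


def mss_for_mtu(mtu):
    """Largest TCP payload an IPv4 path with this MTU carries unfragmented."""
    return mtu - IPV4_TCP_HEADERS


def parse_syn_mss(line):
    """Return (src, dst, mss) for a SYN or SYN-ACK line, else None."""
    m = _SYN.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("mss"))


def oversized_syns(lines, path_mtu):
    """Connections whose advertised MSS exceeds what path_mtu can carry.

    Each hit is (src, dst, advertised_mss, largest_safe_mss). The advertising
    side will send segments that, with DF set, cannot pass the uplink: the
    stall this thread is about.
    """
    limit = mss_for_mtu(path_mtu)
    hits = []
    for line in lines:
        parsed = parse_syn_mss(line)
        if parsed is not None and parsed[2] > limit:
            hits.append(parsed + (limit,))
    return hits


if __name__ == "__main__":
    print("largest safe MSS for a %d-byte PPPoE MTU: %d" % (PPPOE_MTU, mss_for_mtu(PPPOE_MTU)))
    for src, dst, mss, limit in oversized_syns(SAMPLE_TRACE, PPPOE_MTU):
        print("%s -> %s advertises mss %d, path allows %d" % (src, dst, mss, limit))
```

For a 1492-byte PPPoE MTU the exact figure is 1452, so the thread's max-mss 1440 is simply a conservative value a little below it; what matters is that the clamp applied by match in all scrub is at or under the figure the script prints for your uplink, and that tcpdump on the external interface then shows the clamped value in the SYNs.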
IPSec head check question.
I have isakmpd running quite well with certificates. I'm now trying to do something that may or may not be simple. I wish to establish two tunnels between my ipsec central server on a static IP and two dynamic points on the internet. The first case is an openbsd box which wants to connect a remote lan. The second case is an openbsd laptop which just needs remote access for itself.

I've done this in my ipsec.conf:

## ---
my_fqdn=ipsec-hub.example.com
my_network=10.0.0.0/24

## Allow the remote box access
remote_fqdn=myremote.dyndns.org
remote_network=10.0.1.0/24
ike passive esp \
    from { $my_fqdn $my_network } \
    to { $remote_fqdn $remote_network } \
    local $my_fqdn peer any \
    srcid $my_fqdn dstid $remote_fqdn

## Allow the laptop access
laptop_fqdn=mylaptop.dyndns.org
ike passive esp \
    from { $my_fqdn $my_network } \
    to any \
    local $my_fqdn peer any \
    srcid $my_fqdn dstid $laptop_fqdn
## ---

I think that I've over-specified things because either configuration works if they are alone in the file but putting them both together results in an error?

There's more. If you choose to call me an idiot over this please do so in private :-)...

This file works:

my_fqdn=ipsec-hub.example.com
my_network=10.0.0.1/24
ike passive esp from { $my_fqdn $my_network } to any \
    local $my_fqdn peer any \
    srcid $my_fqdn

I would like to believe that the reason it works is because my peers both have signed certificates which verify as okay using the ca.crt that I've configured in /etc/isakmpd/ca. However if I'm wrong then I've just opened up my LAN to attack from the entire internet.

Which -D options do I need to set in isakmpd, e.g.

# isakmpd -Kd -D 3=10 -D 8=10

to see the identity of the peers and get confirmation that the reason that negotiation was successful is because A the peer provided a certificate and B the certificate verified with my CA?

-- 
Chris

There will be an answer, Let it be.
ch...@vindaloo.com
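The worry in the last paragraphs can be narrowed down offline, before reading isakmpd debug output: for each peer certificate, confirm that it chains to the CA file kept in /etc/isakmpd/ca and that its subjectAltName carries the FQDN used as dstid, which is the shape of isakmpd's own rule (the peer's ID is matched against the certificate's subjectAltName). The Python script below is an added example, not code from the post or from OpenBSD. It drives the openssl command line, which is assumed to be installed, and when run directly builds a throw-away CA plus one CA-signed and one self-signed peer certificate in a temporary directory so both outcomes can be seen; the hostnames are the post's own example names.

```python
"""Offline check of a peer certificate the way a passive isakmpd hub with
certificate authentication would judge it: does it chain to the CA kept in
/etc/isakmpd/ca, and does its subjectAltName carry the FQDN used as dstid?

Added example for this thread; not code from the post or from OpenBSD.
Drives the openssl command line (assumed installed). make_demo_pki()
builds a throw-away CA, a peer certificate it signed for REMOTE_FQDN,
and a self-signed certificate claiming the same name.
"""
import os
import subprocess
import tempfile

REMOTE_FQDN = "myremote.dyndns.org"   # dstid of the remote box in the post
LAPTOP_FQDN = "mylaptop.dyndns.org"   # dstid of the laptop in the post


def _openssl(*args, **kwargs):
    """Run one openssl command and return the CompletedProcess."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True, **kwargs)


def cert_chains_to_ca(ca_file, cert_file):
    """True if cert_file verifies against ca_file alone (a CA in /etc/isakmpd/ca)."""
    return _openssl("verify", "-CAfile", ca_file, cert_file).returncode == 0


def cert_san_dns_names(cert_file):
    """DNS names from the certificate's subjectAltName, parsed from -text output."""
    text = _openssl("x509", "-in", cert_file, "-noout", "-text").stdout
    names = []
    for line in text.splitlines():
        if line.strip().startswith("DNS:"):
            names.extend(p.strip()[4:] for p in line.split(",") if p.strip().startswith("DNS:"))
    return names


def peer_acceptable(ca_file, cert_file, expected_id):
    """Both conditions the hub relies on: a valid chain and the ID in the SAN."""
    return cert_chains_to_ca(ca_file, cert_file) and expected_id in cert_san_dns_names(cert_file)


def make_demo_pki(directory):
    """Throw-away CA, a peer cert it signed for REMOTE_FQDN, and a self-signed rogue."""
    def p(name):
        return os.path.join(directory, name)

    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Demo IPsec CA", "-keyout", p("ca.key"), "-out", p("ca.crt"),
             check=True)
    with open(p("san.cnf"), "w") as f:      # extension file for the signed peer cert
        f.write("subjectAltName=DNS:%s\n" % REMOTE_FQDN)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=%s" % REMOTE_FQDN,
             "-keyout", p("peer.key"), "-out", p("peer.csr"), check=True)
    _openssl("x509", "-req", "-in", p("peer.csr"), "-CA", p("ca.crt"), "-CAkey", p("ca.key"),
             "-CAcreateserial", "-days", "1", "-extfile", p("san.cnf"), "-out", p("peer.crt"),
             check=True)
    # The rogue claims the same name but is signed by nobody the hub trusts.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=%s" % REMOTE_FQDN, "-keyout", p("rogue.key"), "-out", p("rogue.crt"),
             check=True)
    return p("ca.crt"), p("peer.crt"), p("rogue.crt")


def run_demo():
    """Build the demo PKI in a temporary directory and return the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        ca, peer, rogue = make_demo_pki(d)
        return {
            "signed_peer_as_remote": peer_acceptable(ca, peer, REMOTE_FQDN),
            "signed_peer_as_laptop": peer_acceptable(ca, peer, LAPTOP_FQDN),
            "rogue_as_remote": peer_acceptable(ca, rogue, REMOTE_FQDN),
            "peer_san": cert_san_dns_names(peer),
        }


if __name__ == "__main__":
    for check, verdict in run_demo().items():
        print("%-24s %s" % (check, verdict))
```

This tells you what the CA file will and will not accept, not what the running isakmpd decided; for that, the stronger test is to attempt a negotiation with a certificate the CA did not sign and confirm it is refused, while watching isakmpd's debug output for the identity and certificate messages of a peer that does succeed.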
Re: thinkpad x200 wireless 5100 old issue
Thank you for replying. As you can see from the first line of my post, I'm running -release, and not -current, and I don't plan to run -current since I'm very happy with an upgrade twice a year for the moment. Actually, since the link you provided was from end october, I tried installing it but the nic does not come up at all. On my machine I had previously installed iwn-firmware-5.1, now I have iwn-firmware-5.1p0, but the situation is exactly as per my first post. So, why does 'ping' hang there and does not give 'packet loss' error, as it did until two days ago?
Re: Any good/bad experiences on OpenBSD4.6-release Dell R(2|4|6)10 or HP DL320 G6
The dell stuff needs -current. No idea about the HP stuff.

On Tue, Jan 12, 2010 at 08:31:51PM +, a b wrote:

Does anyone have any comments on OpenBSD 4.6-release on Dell R210/410/610 or HP DL320 G6?
Re: thinkpad x200 wireless 5100 old issue
On Wed, Jan 13, 2010 at 11:23 AM, shweg...@gmail.com wrote:
> Thank you for replying. As you can see from the first line of my post, I'm running -release, and not -current, and I don't plan to run -current since I'm very happy with an upgrade twice a year for the moment. Actually, since the link you provided was from the end of October, I tried installing it, but the nic does not come up at all. On my machine I had previously installed iwn-firmware-5.1; now I have iwn-firmware-5.1p0, but the situation is exactly as per my first post. So, why does 'ping' hang there and not give a 'packet loss' error, as it did until two days ago?

If this machine isn't production, then no harm could come from trying a snapshot. It would give the developers a much better idea as to where your system's at. Use a USB thumb drive if you're that worried about trashing your data.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: thinkpad x200 wireless 5100 old issue
On Wed, 13 Jan 2010, Aaron Mason wrote:
> On Wed, Jan 13, 2010 at 11:23 AM, shweg...@gmail.com wrote:
>> Thank you for replying. As you can see from the first line of my post, I'm running -release, and not -current, and I don't plan to run -current since I'm very happy with an upgrade twice a year for the moment. Actually, since the link you provided was from the end of October, I tried installing it, but the nic does not come up at all. On my machine I had previously installed iwn-firmware-5.1; now I have iwn-firmware-5.1p0, but the situation is exactly as per my first post. So, why does 'ping' hang there and not give a 'packet loss' error, as it did until two days ago?
>
> If this machine isn't production, then no harm could come from trying a snapshot. It would give the developers a much better idea as to where your system's at. Use a USB thumb drive if you're that worried about trashing your data.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

ok, you've convinced me, I'll give it a try on a usb thumb for a start.

tks
Re: thinkpad x200 wireless 5100 old issue
>> If this machine isn't production, then no harm could come from trying a snapshot. It would give the developers a much better idea as to where your system's at. Use a USB thumb drive if you're that worried about trashing your data.
>>
>> --
>> Aaron Mason - Programmer, open source addict
>> I've taken my software vows - for beta or for worse
>
> ok, you've convinced me, I'll give it a try on a usb thumb for a start.
>
> tks

It's the easiest bootable OS on a USB stick install you'll ever do. Just install like you normally would, except rather than using the internal hard drive, select the USB drive.

Brad
Re: thinkpad x200 wireless 5100 old issue
On Tue, 12 Jan 2010, Brad Tilley wrote:
>>> If this machine isn't production, then no harm could come from trying a snapshot. It would give the developers a much better idea as to where your system's at. Use a USB thumb drive if you're that worried about trashing your data.
>>>
>>> --
>>> Aaron Mason - Programmer, open source addict
>>> I've taken my software vows - for beta or for worse
>>
>> ok, you've convinced me, I'll give it a try on a usb thumb for a start.
>>
>> tks
>
> It's the easiest bootable OS on a USB stick install you'll ever do. Just install like you normally would, except rather than using the internal hard drive, select the USB drive.
>
> Brad

tks

In fact I already have a rescue openbsd on a 1 gig partition on my usb thumb, just in case the hard disk should not boot, so I'll put a 'snapshot' in instead and try using it for a while. If 'iwn' hangs it does it every few minutes, so I can check it quickly.
Re: Lanner FW-8760 1U firewall platform.
2010/1/12 Diana Eichert deich...@wrench.com:
> On Tue, 12 Jan 2010, SJP Lists wrote:
>> SNIP
>> Looks like it might have a serial console too... just a headsup
>
> probably redirection of video to serial, better than a sharp stick in the eye, but not a ROM monitor.

Bummer. Hope not. I've been spoiled by Soekris and ALIX machines.

Shane
Re: thinkpad x200 wireless 5100 old issue
I just installed a snapshot and ran it from a usb thumb. The 'iwn' has exactly the same issues (that is, hanging after a minute or so of usage and working again after doing 'up down') as with -release, including the 'ping' hanging there and not giving the 'packet loss' error, which I cannot really understand since it worked just fine until a couple of days ago. Any ideas?
Removing pf_pool
I just caught the following from openbsd-cvs: http://marc.info/?l=openbsd-cvs&m=126326657232193&w=2

If my understanding is correct, this means that it will become impossible to emulate weighted round robin with constructs like the one below, since duplicate IPs will be flattened once converted to a standard PF table?

rdr on em0 inet proto tcp \
        from any to 192.168.100.100 port = www -> { 10.0.0.1, 10.0.0.1, 10.0.0.1, \
                                                    10.0.0.2, 10.0.0.2, \
                                                    10.0.0.3 \
                                                  } round-robin

Is this right?

--
Pascal
Re: Removing pf_pool
On Tue, Jan 12, 2010 at 11:11:54PM -0500, Pascal Lalonde wrote:
> I just caught the following from openbsd-cvs: http://marc.info/?l=openbsd-cvs&m=126326657232193&w=2
>
> If my understanding is correct, this means that it will become impossible to emulate weighted round robin with constructs like the one below, since duplicate IPs will be flattened once converted to a standard PF table?
>
> rdr on em0 inet proto tcp \
>         from any to 192.168.100.100 port = www -> { 10.0.0.1, 10.0.0.1, 10.0.0.1, \
>                                                     10.0.0.2, 10.0.0.2, \
>                                                     10.0.0.3 \
>                                                   } round-robin
>
> Is this right?

Well, that rule above will not parse anymore on -current; you need to use match or pass with rdr-to now. But yes, the above construct will stop working.

My first thought is to wonder why you're not running with a symmetrical cluster. But I realise that we are not always in control of such things, and one of PF's functions is to help people work around bad network design. There are a few things you can do here to get a similar effect.

1) Assign multiple IP addresses to the servers you'd like to hit more heavily.

match on em0 inet proto tcp \
        from any to 192.168.100.100 port = www \
        rdr-to { 10.0.0.1, 10.0.0.2, 10.0.0.3, \
                 10.0.0.11, 10.0.0.12, \
                 10.0.0.21 \
               } round-robin

2) Use the 'probability' keyword

pass quick on em0 inet proto tcp from any to 192.168.100.100 \
        probability 50% rdr-to 10.0.0.1
pass quick on em0 inet proto tcp from any to 192.168.100.100 \
        probability 70% rdr-to 10.0.0.2
pass quick on em0 inet proto tcp from any to 192.168.100.100 \
        rdr-to 10.0.0.3

The changes just committed are actually cleanup that needs to happen if you want to see some more intelligent weighted load balancing in PF than these hacks. But that is still a far ways off, definitely after 4.7.

-Ryan
Re: can't get binat working
>> Do I need to set an alias IP (the mapped IP) for binat to work?
>
> Technically not, you just need 'some way' to get other hosts to send you traffic for that address. Could be proxy arp, could be route table entries (static or routing protocols), but in practice adding an alias IP is usually what you want.

Thanks. Alias did the job. Thanks everyone!

shohrukh
Re: obsd as domU?
On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun ciprian.crac...@gmail.com wrote:
> So I bet that the initial poster expected an (authoritative) answer that should have come in the form of an advice based on experience or at least something useful... (Not lmgtfy, which I'm sure he already did, but did not find a good enough answer (as in authoritative)...)

You are missing the point. Virtualization has been discussed to death for *YEARS* and all of it is in the misc@ list archives.

Here's the short version of those years of discussion:

1.) Since you can't trust the skill of most developers to write a perfectly secure operating system, trusting them to write a perfectly secure software emulation of hardware is insane.

2.) If systems and application software runs fine on real hardware, but fails to run on emulated/virtualized hardware, then the problem is in the virtualization software. --In other words, take questions and complaints to the vendor of your virtualization software.

3.) Many of the benefits you gain by running a stable and secure operating system like OpenBSD are lost when you run it as a guest on top of some other insecure host operating system.

4.) Most Virtualization Software fails to emulate hardware perfectly.

5.) Most Virtualization Software expects the host operating system to have specific features, and hence, it's not easily portable, or it is not portable at all.

6.) Most Virtualization Software wants to use fancy hardware features and/or have direct access to hardware. If your virtualization software is by-passing the restrictions enforced by the host operating system, then the host operating system is not able to do its job.

Virtualization can be very useful in certain situations, yet you not only need to fully understand and accept the implications and risks of virtualization, but *you* also need to test it in *your* environment to determine if it meets *your* requirements. Anything less is irrelevant!

If you're too lazy to do the weeks or months of research work on your own, then you really should not use virtualization. Unfortunately, most people just believe the constant bullshit from the virtualization vendors, or ask irrelevant questions on various mailing lists.

Lastly, Bret Lambert is one of the OpenBSD developers, so you can consider his lmgtfy reply as authoritative --He's humorously telling you to do your own work. There is no other way.

--
J.C. Roberts
/bsd: acpitz1: Critical temperature, shutting down
My X60 overheated and did a clean shutdown while building devel/jdk/1.6. This is the first time there has been a heat related issue on this laptop. It's running the latest BIOS (version 2.18) and an i386 snapshot from January 5th.

/var/log/messages:

Jan 12 19:40:27 x60 /bsd: acpithinkpad0: unknown event 0x6022
Jan 12 19:40:42 x60 last message repeated 16 times
Jan 12 19:40:45 x60 /bsd: acpitz1: Critical temperature, shutting down
Jan 12 19:40:45 x60 /bsd: acpithinkpad0: unknown event 0x6022

sysctl hw:

hw.machine=i386
hw.model=Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class)
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0,sd1
hw.diskcount=2
hw.sensors.acpitz0.temp0=70.00 degC (zone temperature)
hw.sensors.acpitz1.temp0=73.00 degC (zone temperature)
hw.sensors.acpibat0.volt0=14.40 VDC (voltage)
hw.sensors.acpibat0.volt1=16.40 VDC (current voltage)
hw.sensors.acpibat0.watthour0=40.59 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=2.03 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=40.59 Wh (remaining capacity), OK
hw.sensors.acpibat0.raw0=0 (battery full), OK
hw.sensors.acpibat0.raw1=0 (rate)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpithinkpad0.temp0=70.00 degC
hw.sensors.acpithinkpad0.temp1=55.00 degC
hw.sensors.acpithinkpad0.temp3=66.00 degC
hw.sensors.acpithinkpad0.temp4=38.00 degC
hw.sensors.acpithinkpad0.temp6=33.00 degC
hw.sensors.acpithinkpad0.fan0=2817 RPM
hw.sensors.acpidock0.indicator0=Off (not docked)
hw.sensors.cpu0.temp0=75.00 degC
hw.sensors.aps0.temp0=55.00 degC
hw.sensors.aps0.temp1=55.00 degC
hw.sensors.aps0.indicator0=Off (Keyboard Active)
hw.sensors.aps0.indicator1=Off (Mouse Active)
hw.sensors.aps0.indicator2=On (Lid Open)
hw.sensors.aps0.raw0=415 (X_ACCEL)
hw.sensors.aps0.raw1=522 (Y_ACCEL)
hw.sensors.aps0.raw2=415 (X_VAR)
hw.sensors.aps0.raw3=522 (Y_VAR)
hw.cpuspeed=2000
hw.setperf=100
hw.vendor=LENOVO
hw.product=1709G3U
hw.version=ThinkPad X60
hw.serialno=LVD6250
hw.uuid=2a4afc60-77b1-11db-8510-e4b0a9ddd65f
hw.physmem=3211161600
hw.usermem=3211083776
hw.ncpufound=2

Although the fan appears to be running fine, I may replace it anyway since it is over 3 years old. Maybe it's possible to apply some fresh thermal compound as well.

I don't think this is openbsd related, but thought it would be interesting to post anyway (especially since acpi development is in progress). Dmesg to follow. Comments and questions are welcome and appreciated.

Thanks,
Don

OpenBSD 4.6-current (GENERIC.MP) #381: Tue Jan 5 13:43:29 MST 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 3211161600 (3062MB)
avail mem = 3119341568 (2974MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/20/08, BIOS32 rev. 0 @ 0xfd690, SMBIOS rev. 2.4 @ 0xe0010 (67 entries)
bios0: vendor LENOVO version 7BETD7WW (2.18 ) date 11/20/2008
bios0: LENOVO 1709G3U
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET BOOT SSDT SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) DURT(S3) EXP0(S4) EXP1(S4) EXP2(S4) EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 12 (EXP3)
acpiprt6 at acpi0: bus 21 (PCI1)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpipwrres0 at acpi0: PUBS
acpitz0 at acpi0: critical temperature 127 degC
acpitz1 at acpi0: critical temperature 97 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 93P5029 serial 437 type LION oem SANYO
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
acpidock0 at acpi0: GDCK not docked (0)
bios0: ROM list: 0xc/0xea00! 0xdc000/0x4000! 0xe/0x1!
cpu0: Enhanced SpeedStep 1996 MHz: speeds: 2000, 1667, 1333, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev
Re: Any good/bad experiences on OpenBSD4.6-release Dell R(2|4|6)10 or HP DL320 G6
On Tue, 12 Jan 2010 20:31:51 + (GMT) a b rclo...@yahoo.co.uk wrote:
> Hello (again),
>
> I'm planning to buy a couple of lower end servers for a PF VPN termination of a small network. Does anyone have any comments on OpenBSD 4.6-release on Dell R210/410/610 or HP DL320 G6 ?
>
> Looking back through the archives, it seems people's experiences when using OpenBSD-release on lower end servers was a bit patchy, although some seemed to resolve it by using -current instead. However there has not been much talk recently (unless I've missed it !) of 4.6 experiences and/or more recent servers.
>
> Looking forward to your feedback.

In September (i.e. 4.6-current *after* the roll-up for the release), I had OpenBSD running on a new Dell T610 at work for a couple of days before the machine was re-purposed. Unfortunately, I didn't have the opportunity to really test much of anything, and worse, I think I lost the dmesg before sending it in (a dev will have to check the dmesg archive).

--
J.C. Roberts
Re: obsd as domU?
On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts list-...@designtools.org wrote:
> On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun ciprian.crac...@gmail.com wrote:
>> So I bet that the initial poster expected an (authoritative) answer that should have come in the form of an advice based on experience or at least something useful... (Not lmgtfy, which I'm sure he already did, but did not find a good enough answer (as in authoritative)...)
>
> You are missing the point. Virtualization has been discussed to death for *YEARS* and all of it is in the misc@ list archives.

Sorry, didn't know... (I should have checked the mailing list...)

> Here's the short version of those years of discussion:
>
> 1.) Since you can't trust the skill of most developers to write a perfectly secure operating system, trusting them to write a perfectly secure software emulation of hardware is insane.

Sorry, but you guys from OpenBSD have proved that you can trust the skills of **some** developers to write a __supposed__ perfectly secure operating system, so why not trust other developers to write a __supposed__ secure software emulation with the help of hardware. (Let me say it more simply: we have trust in you, but why don't you have the disposition to trust in others?)

> 2.) If systems and application software runs fine on real hardware, but fails to run on emulated/virtualized hardware, then the problem is in the virtualization software. --In other words, take questions and complaints to the vendor of your virtualization software.

Agree. This is the same as with software: if software runs perfectly on one version of OpenBSD, but not on another, it does not mean that it's the fault of the new version. (But Xen is not all about emulation, it cooperates with the guest kernel, so in this case the blame could be on both sides.)

> 3.) Many of the benefits you gain by running a stable and secure operating system like OpenBSD are lost when you run it as a guest on top of some other insecure host operating system.

This is only true if either:
* there is a security bug in the virtualization software (highly improbable, and maybe easily fixed);
* you let the host operating system front the Internet; (but you could just filter out all the traffic from the exterior to the host, and use one of the guests (OpenBSD) as a gateway);

> 4.) Most Virtualization Software fails to emulate hardware perfectly.

(Again we are not speaking of emulation, we are speaking of cooperation between the hypervisor and the guest kernel.)

> 5.) Most Virtualization Software expects the host operating system to have specific features, and hence, it's not easily portable, or it is not portable at all.
>
> 6.) Most Virtualization Software wants to use fancy hardware features and/or have direct access to hardware. If your virtualization software is by-passing the restrictions enforced by the host operating system, then the host operating system is not able to do its job.

No, (in general) the requirement of virtualization is not to bypass the restrictions imposed by the OS on hardware.

> Virtualization can be very useful in certain situations, yet you not only need to fully understand and accept the implications and risks of virtualization, but *you* also need to test it in *your* environment to determine if it meets *your* requirements. Anything less is irrelevant!

One important use of virtualization software (like Xen for example) is to allow experimentation. For example I don't have 4 pieces of hardware to be able to also host a Linux server (for personal stuff), experiment with OpenBSD or Plan9, and also give one of my friends a small VPN and download host. So I use Xen and turn one computer into many. (As you see it's not the security aspect I'm interested in but the consolidation aspect...) (Yes very lame I know, but sometimes money does beat security...)

> If you're too lazy to do the weeks or months of research work on your own, then you really should not use virtualization. Unfortunately, most people just believe the constant bullshit from the virtualization vendors, or ask irrelevant questions on various mailing lists.

(I hope I've touched this subject above.)

> Lastly, Bret Lambert is one of the OpenBSD developers, so you can consider his lmgtfy reply as authoritative --He's humorously telling you to do your own work. There is no other way.
>
> --
> J.C. Roberts

Thanks for the time and the responses,
Ciprian.
Dear misc: The great discovery of antioxidant reduced water: new book grandly launched, plus a grand prize draw!
For enquiry, please send email to i...@sanwahk.net. Please link with our home page: http://www.lea.org.hk

HI, misc

Important Notice: Based on the Unsolicited Electronic Messages Ordinance, if you DO NOT want to receive any promotional email messages from us in the future, please kindly reply to this e-mail for DELETION. If you would like to continue to receive our promotional email messages, you do not need to reply to us.
Re: obsd as domU?
How did "lazy internet denizen gets told he's lazy" turn into anything worth spending this much time on?
Re: obsd as domU?
On Wed, Jan 13, 2010 at 8:43 AM, Bret S. Lambert bret.lamb...@gmail.com wrote:
> How did "lazy internet denizen gets told he's lazy" turn into anything worth spending this much time on?

I would like to personally apologize for criticizing you, Bret, for lmgtfy-ing the other guy (I didn't know he had also posted another question about OpenBSD and dom0, and he was also responded to).

But I wouldn't say that the discussion has turned into something not worth discussing. I myself have learned a lot about the position of the OpenBSD developers regarding the possibility of ever using OpenBSD on top of virtualization (not emulation) platforms (like Xen). (I had my hopes, but not any more... :) )

Thanks again for all the time and effort spent,
Ciprian.

P.S.: Maybe an entry in the FAQ about this topic will cut down all these questions about virtualization?
Re: obsd as domU?
* Ciprian Dorin, Craciun ciprian.crac...@gmail.com [2010-01-13 07:37]:
> This is only true if either:
> * there is a security bug in the virtualization software (highly improbable, and maybe easily fixed);

i would pee my pants (or maybe bob's instead) laughing if it wasn't so sad. it is this mindset that gets this industry in shit every other day.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: obsd as domU?
On Wed, 13 Jan 2010 08:31 +0200, Ciprian Dorin, Craciun ciprian.crac...@gmail.com wrote:
> On Wed, Jan 13, 2010 at 7:43 AM, J.C. Roberts list-...@designtools.org wrote:
>> On Tue, 12 Jan 2010 10:41:15 +0200 Ciprian Dorin, Craciun ciprian.crac...@gmail.com wrote:
>>> So I bet that the initial poster expected an (authoritative) answer that should have come in the form of an advice based on experience or at least something useful... (Not lmgtfy, which I'm sure he already did, but did not find a good enough answer (as in authoritative)...)
>>
>> You are missing the point. Virtualization has been discussed to death for *YEARS* and all of it is in the misc@ list archives.
>
> Sorry, didn't know... (I should have checked the mailing list...)
>
>> Here's the short version of those years of discussion:
>>
>> 1.) Since you can't trust the skill of most developers to write a perfectly secure operating system, trusting them to write a perfectly secure software emulation of hardware is insane.
>
> Sorry, but you guys from OpenBSD have proved that you can trust the skills of **some** developers to write a __supposed__ perfectly secure operating system, so why not trust other developers to write a __supposed__ secure software emulation with the help of hardware. (Let me say it more simply: we have trust in you, but why don't you have the disposition to trust in others?)

Very few have demonstrated that they can be trusted. BTW, *any* virtualization software written for i386 is always going to have the potential for compromise because of the inherent flaws in that architecture. It was *not* designed with virtualization in mind.

>> 2.) If systems and application software runs fine on real hardware, but fails to run on emulated/virtualized hardware, then the problem is in the virtualization software. --In other words, take questions and complaints to the vendor of your virtualization software.
>
> Agree. This is the same as with software: if software runs perfectly on one version of OpenBSD, but not on another, it does not mean that it's the fault of the new version. (But Xen is not all about emulation, it cooperates with the guest kernel, so in this case the blame could be on both sides.)

Wrong. If it works on real hardware and fails in virtualization, the virtualization software is *always* to blame.

>> 3.) Many of the benefits you gain by running a stable and secure operating system like OpenBSD are lost when you run it as a guest on top of some other insecure host operating system.
>
> This is only true if either:
> * there is a security bug in the virtualization software (highly improbable, and maybe easily fixed);

BWHAHHAHAHAHAHH. Have you ever actually worked with any virtualization software? There have been many documented security bugs in every virtualization software. Try Securityfocus or your favorite search engine.

> * you let the host operating system front the Internet; (but you could just filter out all the traffic from the exterior to the host, and use one of the guests (OpenBSD) as a gateway);
>
>> 4.) Most Virtualization Software fails to emulate hardware perfectly.
>
> (Again we are not speaking of emulation, we are speaking of cooperation between the hypervisor and the guest kernel.)
>
>> 5.) Most Virtualization Software expects the host operating system to have specific features, and hence, it's not easily portable, or it is not portable at all.
>>
>> 6.) Most Virtualization Software wants to use fancy hardware features and/or have direct access to hardware. If your virtualization software is by-passing the restrictions enforced by the host operating system, then the host operating system is not able to do its job.
>
> No, (in general) the requirement of virtualization is not to bypass the restrictions imposed by the OS on hardware.

BWAAAHAHAHAHAHAH! It *should* be a requirement, but rarely *is*.

>> Virtualization can be very useful in certain situations, yet you not only need to fully understand and accept the implications and risks of virtualization, but *you* also need to test it in *your* environment to determine if it meets *your* requirements. Anything less is irrelevant!
>
> One important use of virtualization software (like Xen for example) is to allow experimentation. For example I don't have 4 pieces of hardware to be able to also host a Linux server (for personal stuff), experiment with OpenBSD or Plan9, and also give one of my friends a small VPN and download host. So I use Xen and turn one computer into many. (As you see it's not the security aspect I'm interested in but the consolidation aspect...) (Yes very lame I know, but sometimes money does beat security...)

This is actually very true. But you need to be very aware of where it does and where it doesn't.