Re: pfsync nic problem.

2010-12-24 Thread Alessandro Baggi

On 12/23/2010 10:48 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:

   

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.


   

I still need your pf.conf.

   

ext=egress
int=rl0
dmz=rl1
hostweb=172.16.2.3
carpl=10.1.1.5
carpw=192.168.1.84
carpd=172.16.2.4
pfsyncpeer=10.1.1.5
pfsyncdev=rl0

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints /etc/pf.os
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 9
set limit frags 6000
set limit src-nodes 1
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021



# FILTERING RULES
# Block the http - https - sshd blacklists
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any


# ANTISPOOFING RULES

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)


# DEFAULT DENY
block in log all
pass out all

anchor ftp-proxy/*


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DO NOT EXIST

Thanks in advance



Re: Freeze with Western Digital Caviar Green HDD

2010-12-24 Thread Henning Brauer
* roberth rob...@openbsd.pap.st [2010-12-11 01:29]:
 On Fri, 10 Dec 2010 23:25:56 +0100
 Paolo Aglialoro paol...@gmail.com wrote:
  ok, what manufacturers are left??? :)) just toshiba???
 i am happy with samsung, because in that area i am a cheapskate.
 hardware dies, deal with it, don't buy the new kid on the block and be
 happy. :)
 sata disk got really crappy since they hit 2TB. (or 1.5TB in Seagates
 case.)

I have hundreds of disks in use, about half ide/sata and half scsi,
and the vast majority of them seagate. i lose about 2 disks a year.
this year it was an 18G SCA (quantum btw) and a 14G IDE - IBM.

for new machines i insist on seagate disks wherever possible, when i
order disks separately i order seagate or SSDs. i have not lost a
single seagate sata drive yet.

in short, i disagree with your seagate judgement.
but then i also skip the cheap ones.

oh, samsung: 9, not a single one in use, 2 suspect defective.
WD: just 6, only 3 in use, one of them defective.

and for comedy: there are just two vendors (according to the vendor
strings, there might be relabeling) i only have a single disk
from. and they are alive. these babies:
  CONNER CFP2105E 2.14GB 1524
  DEC RZ26N (C) DEC 0466

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



wd0 read timeouts - how to proceed?

2010-12-24 Thread Webcharge
Must be the holiday season *sigh* my OpenBSD server is suddenly
giving the occasional read-timeout on the /var slice of the main harddisk:


---
wd0(pciide0:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
wd0g: device timeout reading fsbn 17002464 of 17002464-17002591 (wd0 bn 
67334928; cn 66800 tn 8 sn 24), retrying

wd0: soft error (corrected)
---

Is this the actual disk or the controller/other hardware? Either way it 
needs a fix.


My problem is this is a live system that is not close by. I would very 
much prefer to 'fix' this remotely to buy some time to replace the 
machine completely.
I do have offsite backups of essential data but not a spare system in 
the rack at this very moment.

Not to mention I would like to avoid spending X-mas alone in the datacenter.

There is a second harddisk installed, with OpenBSD formatted slices, but
of different proportions. This (larger) disk is unused, so data / layout
may be wiped,
so it seems like a smart idea to copy the data at least (I do have offsite
backups of essential data but not a spare system in the rack at this
very moment)


Can I just copy /var (wd0g)  to /var2 (wd1i) and remount or should I 
proceed otherwise or would copy/remounting /var simply not work on a 
live system?


Or, possibly, I could 'clone' the whole wd0 disk to wd1 and use that 
instead of wd1?
I understood you will need to boot in single user mode for this [1] and 
or have identical disks [2],  or is there another (remote-safe) way?


Any advice is highly appreciated!

Thanks, and happy holidays,

Matt

[1] http://unixsadm.blogspot.com/2007/08/cloning-disk-in-openbsd.html
[2] http://monkey.org/openbsd/archive/tech/0112/msg00079.html
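To make the "disk or controller?" question answerable from the logs rather than by guesswork, here is an added example (not from the thread) that tallies the wd(4) messages in the format shown above, per disk and per pciide channel. The log lines embedded in the block are constructed to match that format; the wd1 entries are invented for illustration. Timeouts confined to one disk point at that disk; several disks timing out on the same channel point at the channel, cable or controller.

```shell
#!/bin/sh
# Added example, not from the thread. Tally wd(4) timeouts and soft errors
# from dmesg/syslog output. The sample lines below are constructed in the
# format of the poster's log (the wd1 lines are invented).

SAMPLE_LOG='wd0(pciide0:0:0): timeout
type: ata
c_bcount: 65536
c_skip: 0
wd0g: device timeout reading fsbn 17002464 of 17002464-17002591 (wd0 bn 67334928; cn 66800 tn 8 sn 24), retrying
wd0: soft error (corrected)
wd0(pciide0:0:0): timeout
wd0: soft error (corrected)
wd1(pciide0:0:1): timeout
wd1: soft error (corrected)'

# disk_error_summary: read log lines on stdin and print one line per disk,
#   DEV channel=CONTROLLER:CHANNEL timeouts=N soft_errors=M
# followed by one line per channel with the number of disks that timed out.
disk_error_summary() {
    awk '
    # "wd0(pciide0:0:0): timeout" -> a controller-level timeout for wd0
    match($0, /wd[0-9]+\([^)]*\): timeout/) {
        s = substr($0, RSTART, RLENGTH)
        dev = substr(s, 1, index(s, "(") - 1)
        ctl = substr(s, index(s, "(") + 1, index(s, ")") - index(s, "(") - 1)
        sub(/:[0-9]+$/, "", ctl)      # drop the drive number, keep controller:channel
        timeouts[dev]++; chan[dev] = ctl; seen[dev] = 1
        next
    }
    # "wd0: soft error (corrected)" -> the retry succeeded this time
    match($0, /wd[0-9]+: soft error/) {
        s = substr($0, RSTART, RLENGTH)
        dev = substr(s, 1, index(s, ":") - 1)
        soft[dev]++; seen[dev] = 1
        next
    }
    END {
        for (d in seen) {
            c = (d in chan) ? chan[d] : "unknown"
            printf "%s channel=%s timeouts=%d soft_errors=%d\n", d, c, timeouts[d] + 0, soft[d] + 0
            if (d in chan) disks_on[chan[d]]++
        }
        for (c in disks_on)
            printf "channel %s: %d disk(s) with timeouts\n", c, disks_on[c]
    }'
}
```

Usage on a real box is `dmesg | disk_error_summary` or `disk_error_summary < /var/log/messages`; run it again after an hour to see whether the counts are growing. A "soft error (corrected)" means the retry worked, so data was still read, but a rising timeout count on a single disk is the disk telling you to replace it.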



Re: wd0 read timeouts - how to proceed?

2010-12-24 Thread Joachim Schipper
On Fri, Dec 24, 2010 at 11:00:48AM +0100, Webcharge wrote:
 Must be the holiday season *sigh* my OpenBSD server is suddenly
 giving the occasional read-timeout on the /var slice of the main
 harddisk:

 There is a second harddisk installed, with OpenBSD formatted slices,
 but of different proportions. This (larger) disk is unused, so data
 / layout may be wiped,
 so it seems like a smart idea to copy the data at least (I do have
 offsite backups of essential data but not a spare system in the rack
 at this very moment)
 
 Can I just copy /var (wd0g)  to /var2 (wd1i) and remount or should
 I proceed otherwise or would copy/remounting /var simply not work on
 a live system?

If the system is quiet, you can try 'sync; sync; dd ...; fsck', but
something like 'tar cpf - | tar xpf -' is more likely to get you a
somewhat consistent view. Change /etc/fstab and reboot (you *can* try
mounting the new /var over the old one, but you'll want to play with
fstat -n to see which processes are still accessing the old /var.)

Of course, this isn't guaranteed to work. In particular, if something is
actually writing to /var, your view won't be consistent. Even more in
particular, don't try this with running databases.

Joachim



Hello, my dear

2010-12-24 Thread heinekein resultat (via Multiply)
This is a MIME-encoded message that info246 sent through Multiply.  To read
it, you need a HTML-capable mail client.



Re: pfsync nic problem [SOLVED]

2010-12-24 Thread Alessandro Baggi

On 12/24/2010 10:25 AM, Alessandro Baggi wrote:

On 12/23/2010 10:48 PM, Johan Beisser wrote:

On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
alessandro.ba...@gmail.com  wrote:


Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.



I still need your pf.conf.


ext=egress
int=rl0
dmz=rl1
hostweb=172.16.2.3
carpl=10.1.1.5
carpw=192.168.1.84
carpd=172.16.2.4
pfsyncpeer=10.1.1.5
pfsyncdev=rl0

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints /etc/pf.os
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 9
set limit frags 6000
set limit src-nodes 1
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021



# FILTERING RULES
# Block the http - https - sshd blacklists
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any


# ANTISPOOFING RULES

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)


# DEFAULT DENY
block in log all
pass out all

anchor ftp-proxy/*


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DO NOT EXIST

Thanks in advance


Hi list. I've tried another nic same as xl0, and the problem was the 
same. The only thing to see was the pf ruleset. All carp rules was 
wrong. Then I've tried with xl0 - rl2 and all works fine.


I've changed the rules:

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)


in:

pass in quick on { $int, $ext, $dmz } proto carp keep state (no-sync)

Best regards and thanks for the time.
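As an added illustration (not part of the thread and not the poster's configuration), the block below spells out why the original CARP rules never matched and wraps the corrected rules in the write-then-check routine a practitioner uses before touching a live firewall. CARP advertisements are addressed to the multicast group 224.0.0.18, never to the interface's own address, so a rule ending in "to $int:0" silently matches nothing; pfsync updates go to multicast 224.0.0.240, or unicast to the peer when pfsync0 has a syncpeer, and in both cases the source is the peer. The macro values are the thread's; the output file path is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Writes a CARP/pfsync rule
# fragment and syntax-checks it with pfctl -n. Interface macros and the
# peer address come from the thread; the file path is an assumption.

# write_carp_pfsync_rules FILE: emit the rule fragment into FILE.
# The quoted heredoc keeps the $macros literal for pf to expand.
write_carp_pfsync_rules() {
    cat > "$1" <<'EOF'
int=rl0
ext=egress
dmz=rl1
pfsyncdev=rl0
pfsyncpeer=10.1.1.5

# CARP advertisements go to multicast 224.0.0.18, never to the
# interface's own address, so "to $int:0" matched nothing.
pass in quick on { $int, $ext, $dmz } proto carp to 224.0.0.18 keep state (no-sync)
pass out quick on { $int, $ext, $dmz } proto carp keep state (no-sync)

# pfsync: unicast when pfsync0 has a syncpeer, otherwise multicast
# 224.0.0.240 on the syncdev; either way the source is the peer, so
# accept only what the peer sends on that interface.
pass in quick on $pfsyncdev proto pfsync from $pfsyncpeer keep state (no-sync)
pass out quick on $pfsyncdev proto pfsync keep state (no-sync)
EOF
}

# check_rules FILE: parse without loading; returns pfctl's exit status.
# Only after a clean parse should the fragment be merged into /etc/pf.conf
# and the full ruleset loaded with "pfctl -f /etc/pf.conf".
check_rules() {
    pfctl -nf "$1"
}
```

The rules assume pfsync0 is configured with the thread's values, i.e. `ifconfig pfsync0 syncdev rl0 syncpeer 10.1.1.5` (or the same words in /etc/hostname.pfsync0). pfsync carries no authentication, which is why the rule is pinned to one interface and one peer address and why the syncdev should be a dedicated link rather than the LAN.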



Re: wd0 read timeouts - how to proceed?

2010-12-24 Thread Vadim Zhukov
2010/12/24 Joachim Schipper joac...@joachimschipper.nl:
 something like 'tar cpf - | tar xpf -' is more likely to get you a
 somewhat consistent view.

POSIX pax(1) with -rw options should work slightly faster (and it's
already faster to type ;) ).

--
  WBR,
  Vadim Zhukov
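A worked version of the copy-then-verify step suggested in the two replies above (added example, not code from either poster): copy_tree replicates a directory tree with pax -rw (Vadim's suggestion) where pax is present and with a tar pipe (Joachim's) otherwise, and verify_tree compares a checksum manifest of both trees so you can tell whether something wrote to the source underneath you during the copy. Directory names are placeholders; on the poster's box they would be /var and the mount point of wd1i.

```shell
#!/bin/sh
# Added example, not from the thread. Copy a directory tree and verify the
# copy with a checksum manifest. Source and destination paths are assumptions.

# copy_tree SRC DST: replicate SRC into DST. Uses pax -rw when available,
# otherwise a tar pipe. Returns non-zero if a directory is missing or the
# copy fails. Run it on a quiet system: writers to SRC during the copy
# leave DST inconsistent, and running databases must be stopped first.
copy_tree() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 2
    if command -v pax >/dev/null 2>&1; then
        # -p e preserves ownership too, which only root may set; as an
        # unprivileged user -p p keeps the mode bits and pax stays happy
        if [ "$(id -u)" -eq 0 ]; then pres=e; else pres=p; fi
        (cd "$src" && pax -rw -p "$pres" . "$dst")
    else
        (cd "$src" && tar cpf - .) | (cd "$dst" && tar xpf -)
    fi
}

# tree_manifest DIR: one "crc size ./path" line per regular file, sorted,
# with paths relative to DIR so two trees can be compared directly.
tree_manifest() {
    (cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        cksum "$f"
    done)
}

# verify_tree SRC DST: 0 if both manifests match; otherwise print the
# differing lines and return 1. A mismatch means the copy failed or
# something changed SRC during it: redo the copy on a quiet system.
verify_tree() {
    a=$(tree_manifest "$1")
    b=$(tree_manifest "$2")
    if [ "$a" = "$b" ]; then
        return 0
    fi
    printf '%s\n' "$a" > "/tmp/manifest.src.$$"
    printf '%s\n' "$b" > "/tmp/manifest.dst.$$"
    diff "/tmp/manifest.src.$$" "/tmp/manifest.dst.$$"
    rm -f "/tmp/manifest.src.$$" "/tmp/manifest.dst.$$"
    return 1
}
```

After `copy_tree /var /var2 && verify_tree /var /var2` comes back clean, point the /var line in /etc/fstab at the new slice and reboot, as Joachim says; if you try mounting the new slice over the live /var instead, `fstat -n` shows which processes still hold files on the old one.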



friendly greetings

2010-12-24 Thread love bb (via Multiply)
This is a MIME-encoded message that lovebb2000 sent through Multiply.  To read
it, you need a HTML-capable mail client.



The story of tea with me

2010-12-24 Thread ffgiq
I grew up in my hometown, GuangXi, China, where the four seasons are delightful,
precipitation is abundant, sunshine is moderate and the soil is rich, so the tea
here has a unique flavor. My family has a strong interest in tea: oolong tea,
which can improve health, is Dad's favourite; black tea, rich in flavour, is the
beverage Mother drinks daily; green tea, with its bitter and slightly sweet
aftertaste, is my older brother's hobby; as for me, various scented teas are my
beauty from nature. So five years ago, when I went to Japan to study abroad,
Mother did not forget to prepare enough scented tea for me to drink for a year;
after that I was afraid to trouble Mother to mail more, so I purchased locally,
but always felt it lacked the flavor of home.

After graduating, a number of companies invited me to work there, but I resolutely
decided to go back to tea's hometown, worked as a tea image spokesperson, and
opened a personal website www.newpastoral.com to share with friends.

Because of my family's long habit of tea, my parents are healthier, my older
brother more handsome, and me? Even more slim, more beautiful, for which I
sincerely say: Good tea comes from my hometown.



DELIGHTED TO MEET YOU!!!

2010-12-24 Thread kareen margaret (via Multiply)
This is a MIME-encoded message that xsdcfvgb sent through Multiply.  To read
it, you need a HTML-capable mail client.



Re: wd0 read timeouts - how to proceed?

2010-12-24 Thread Chris Smith
On Fri, Dec 24, 2010 at 5:00 AM, Webcharge webcha...@gmx.net wrote:
 Is this the actual disk or the controller/other hardware?

If the hardware is SMART-aware, installing smartmontools and running
smartctl may give you a clue.



Re: wd0 read timeouts - how to proceed?

2010-12-24 Thread Gabriel Linder

On 12/24/10 17:09, Chris Smith wrote:

On Fri, Dec 24, 2010 at 5:00 AM, Webchargewebcha...@gmx.net  wrote:

Is this the actual disk or the controller/other hardware?

If the hardware is SMART-aware, installing smartmontools and running
smartctl may give you a clue.


atactl(8) works just fine.



IPSEC leak channel issue

2010-12-24 Thread Jean-Francois
Hi,

Regarding the recent issue, I would like to understand what could
potentially be the threat, because to me it's only likely that an encrypted channel
could leak information if, however, the story reveals it to have impacted OpenBSD.

Thanks for some kind of understanding from those who have that knowledge.

Regards



iso to usb installer script

2010-12-24 Thread Luis Useche
Hi Guys,

I have heard a couple of times on this list about the problem of how to
convert from iso to usb installer. I made one small script to do this
conversion that I use myself and perhaps it is useful to others. Assuming your
usb key was attached as sd1, you should call the script as:

./iso2usb /full/path/to/install.iso sd1

WARNING: This script makes modifications to the partition tables, so make sure
the argument you are passing as USB is the correct one. Otherwise you can
wipe your root disk.

This script is not bullet-proof either; I do not do any error checking. It
was intended just as a proof of concept and works very well for me.

I highly recommend understanding the script before using it.

Luis.

#!/bin/sh
# iso2usb: write an OpenBSD install ISO to a USB disk and make it bootable.
# Usage: ./iso2usb /full/path/to/install.iso sd1
# Everything on the target disk is destroyed; double-check the device name.
set -e

ISO=$1
USB=$2

if [ $# -ne 2 ] || [ ! -f "$ISO" ]; then
    echo "usage: $0 /full/path/to/install.iso sdN" >&2
    exit 1
fi

ISO_MNT=/tmp/iso
USB_MNT=/tmp/usb

# make temporary mount dirs
mkdir -p "$ISO_MNT" "$USB_MNT"

# mount the iso through a vnode disk (explicit type: the image is ISO 9660)
vnconfig svnd0 "$ISO"
mount -t cd9660 /dev/svnd0c "$ISO_MNT"

# prepare and mount the usb disk: wipe the old partition table, write a
# fresh MBR with one OpenBSD partition, then an 'a' partition filling it.
# printf with a quoted format is used because an unquoted echo "a\nb"
# loses its backslashes in the shell and never reaches the editors as lines.
dd if=/dev/zero of=/dev/${USB}c count=1 bs=1m
printf 'reinit\nwrite\nquit\n' | fdisk -e "$USB"
printf 'a\n\n\n\n\nw\nq\n' | disklabel -E "$USB"
newfs /dev/r${USB}a
mount /dev/${USB}a "$USB_MNT"

# copy data from iso to usb
cp -r "$ISO_MNT"/* "$USB_MNT"

# make usb bootable: second-stage loader plus the MBR boot block
cp /usr/mdec/boot "$USB_MNT/boot"
/usr/mdec/installboot -v "$USB_MNT/boot" /usr/mdec/biosboot "$USB"

# unmount and clean up everything
umount "$USB_MNT" "$ISO_MNT"
vnconfig -u svnd0



Problem with your last invoice.

2010-12-24 Thread Client Orange
Hello,

This email was sent to inform you that we could not process your
recent invoice payment.

This could be due to one of the following reasons:

1. A recent change to your personal information (for example:
billing address, telephone).

2. Submission of incorrect information during the invoice payment
process.

3. An inability to correctly verify your chosen payment option due to
an internal error in our processors.

For this reason, to make sure your service is not interrupted, we
invite you to confirm and update your billing information today:

Click Here For A Resolution.

Thank you for your trust,
Fabrice Andri
Customer Relations Director

© 2010 ORANGE. All rights reserved.



Re: remove users from group

2010-12-24 Thread Henning Brauer
* Bret Lambert bret.lamb...@gmail.com [2010-12-13 10:32]:
 You're all wrong. We obviously need XML user databases.

go play with phk, only JSON is web scale.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Hello

2010-12-24 Thread Valerie Trembley (via Multiply)
This is a MIME-encoded message that valeriev15 sent through Multiply.  To read
it, you need a HTML-capable mail client.



HAPPY END-OF-YEAR HOLIDAYS

2010-12-24 Thread atlantique finance (via Multiply)
This is a MIME-encoded message that altnatiqufinzzie sent through Multiply.
To read it, you need a HTML-capable mail client.



Fw: Budget Report.

2010-12-24 Thread Fernanda Medeiros
1 attachment

Relatorio-orcamento.pdf (142,1 kb)

Attached is the report for the budget.
Have a good day.



mplayer tip

2010-12-24 Thread Ted Unangst
Contrary to the mplayer documentation, the gl video output driver may
work better than xv, at least for some systems, in at least two ways.

Playing a large video (1080p), xv can't keep up, and the video falls
behind audio.  With gl, it works great.  Even with xv, CPU is
considerably less than 100%, so the problem is elsewhere.

Playing any video, it looks like xv attempts to sync to 60 fps, but my
internal display is 50 Hz.  Video looks fine on an external display
(60 Hz), but there's a lot of tearing on the LCD.  Video is smooth on
either display using gl output.

This is a laptop with intel video, other systems may be different, but
if you're having any trouble with mplayer video, the gl driver is
worth trying.



Re: mplayer tip

2010-12-24 Thread Dan Harnett
On Fri, Dec 24, 2010 at 10:46:36PM -0500, Ted Unangst wrote:
 This is a laptop with intel video, other systems may be different, but
 if you're having any trouble with mplayer video, the gl driver is
 worth trying.

I used to notice a lot of tearing on Intel X3100 chipsets (GM965).  I
don't see any issues anymore, but maybe someone will find this useful
anyway.

Another tip is to check the output of xvinfo.  For example, on a
ThinkPad X61s, xvinfo gives the following results.

  X-Video Extension version 2.2
  screen #0
Adaptor #0: Intel(R) Textured Video
  number of ports: 16
  port base: 86
  operations supported: PutImage 
  supported visuals:
depth 24, visualID 0x21
  number of attributes: 3
XV_BRIGHTNESS (range -128 to 127)
client settable attribute
client gettable attribute (current value is 0)
XV_CONTRAST (range 0 to 255)
client settable attribute
client gettable attribute (current value is 0)
XV_SYNC_TO_VBLANK (range -1 to 1)
client settable attribute
client gettable attribute (current value is 1)
  maximum XvImage size: 2048 x 2048
  Number of image formats: 5
id: 0x32595559 (YUY2)
  guid: 59555932--0010-8000-00aa00389b71
  bits per pixel: 16
  number of planes: 1
  type: YUV (packed)
id: 0x32315659 (YV12)
  guid: 59563132--0010-8000-00aa00389b71
  bits per pixel: 12
  number of planes: 3
  type: YUV (planar)
id: 0x30323449 (I420)
  guid: 49343230--0010-8000-00aa00389b71
  bits per pixel: 12
  number of planes: 3
  type: YUV (planar)
id: 0x59565955 (UYVY)
  guid: 55595659--0010-8000-00aa00389b71
  bits per pixel: 16
  number of planes: 1
  type: YUV (packed)
id: 0x434d5658 (XVMC)
  guid: 58564d43--0010-8000-00aa00389b71
  bits per pixel: 12
  number of planes: 3
  type: YUV (planar)
Adaptor #1: Intel(R) Video Overlay
  number of ports: 1
  port base: 102
  operations supported: PutImage 
  supported visuals:
depth 24, visualID 0x21
  number of attributes: 11
XV_COLORKEY (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 66046)
XV_BRIGHTNESS (range -128 to 127)
client settable attribute
client gettable attribute (current value is -19)
XV_CONTRAST (range 0 to 255)
client settable attribute
client gettable attribute (current value is 75)
XV_SATURATION (range 0 to 1023)
client settable attribute
client gettable attribute (current value is 146)
XV_PIPE (range -1 to 1)
client settable attribute
client gettable attribute (current value is -1)
XV_GAMMA0 (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 526344)
XV_GAMMA1 (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 1052688)
XV_GAMMA2 (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 2105376)
XV_GAMMA3 (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 4210752)
XV_GAMMA4 (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 8421504)
XV_GAMMA5 (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 12632256)
  maximum XvImage size: 2048 x 2048
  Number of image formats: 4
id: 0x32595559 (YUY2)
  guid: 59555932--0010-8000-00aa00389b71
  bits per pixel: 16
  number of planes: 1
  type: YUV (packed)
id: 0x32315659 (YV12)
  guid: 59563132--0010-8000-00aa00389b71
  bits per pixel: 12
  number of planes: 3
  type: YUV (planar)
id: 0x30323449 (I420)
  guid: 49343230--0010-8000-00aa00389b71
  bits per pixel: 12
  number of planes: 3
  type: YUV (planar)
id: 0x59565955 (UYVY)
  guid: 55595659--0010-8000-00aa00389b71
  bits per pixel: 16
  number of planes: 1
  type: YUV (packed)


The Intel(R) Textured Video adaptor was absolutely awful and it is
with that I would see all of the tearing and sync issues.  AFAIK,
mplayer uses the first adaptor it comes across if not explicitly
specified.  Switching to the Intel(R) Video Overlay, all of my issues
just went away (mplayer 
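Since mplayer takes the first Xv adaptor unless told otherwise, the practical step is to read the port base of the adaptor you want out of xvinfo and hand it to mplayer as `-vo xv:port=N`. The block below is an added example, not code from the thread: xv_port_base parses xvinfo output for a named adaptor, and mplayer_vo_for turns the result into the -vo value. The sample listing is trimmed from the output quoted above; the port numbers are the ones it shows.

```shell
#!/bin/sh
# Added example, not from the thread. Pick an Xv adaptor by name from
# xvinfo output and build the matching mplayer -vo argument. The sample
# listing is trimmed from the poster's xvinfo output.

SAMPLE_XVINFO='X-Video Extension version 2.2
screen #0
  Adaptor #0: Intel(R) Textured Video
    number of ports: 16
    port base: 86
    operations supported: PutImage
  Adaptor #1: Intel(R) Video Overlay
    number of ports: 1
    port base: 102
    operations supported: PutImage'

# xv_port_base NAME: read xvinfo output on stdin and print the port base of
# the adaptor called NAME; prints nothing and returns 1 if it is not listed.
xv_port_base() {
    awk -v want="$1" '
        # an "Adaptor #N: name" line starts a new adaptor section
        /^[ \t]*Adaptor #[0-9]+:/ {
            sub(/^[ \t]*Adaptor #[0-9]+:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            current = $0
            next
        }
        # the first "port base:" line inside the wanted section is the answer
        current == want && /port base:/ { print $NF; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# mplayer_vo_for NAME: print the -vo value that selects that adaptor,
# e.g. "xv:port=102", instead of whatever adaptor mplayer finds first.
mplayer_vo_for() {
    port=$(xv_port_base "$1") || return 1
    printf 'xv:port=%s\n' "$port"
}
```

On a real machine: `mplayer -vo "$(xvinfo | mplayer_vo_for 'Intel(R) Video Overlay')" file.mkv`; when no overlay adaptor helps, `-vo gl` from Ted's tip is the other switch to try.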

merry xmas

2010-12-24 Thread Traian Ciobanu
Merry Xmas to all OpenBSD developers, supporters and fans. May this holiday
bring you a lot of health, joy and may all your dreams come true.

Merry Christmas friends, and a Happy New Year!