Re: Predictable network interface numbering

2011-02-04 Thread Gregory Edigarov
On Wed, 2 Feb 2011 09:00:10 -0500
Jean H. Theoret <ve...@rac.ca> wrote:

> This one's got me stumped for a few days now...
>
> How is it possible to control the network interface numbering
> assignment order?
>
> Here's my specific case: the box has 2 on-board Ethernet interfaces
> and a 3rd one on a PCI-Express card. They come up as:
>
> re0: PCI-Express card
> re1: on-board interface #1
> re2: on-board interface #2
>
> A recent event had disabled the PCI card, and the remaining network
> interfaces ended up being reassigned (upon the next reboot, of
> course) as:
>
> re0: on-board interface #1
> re1: on-board interface #2
>
> Could this have been prevented by forcing network interface assignment
> to on-board interface _first_, then the PCI card? Or is there a way to
> bind network interface assignment to the adapter's MAC address as
> numbering hint?

I think you should be fine using the tricks like bringing the real
interface to vether(4), or even doing trunk(4) with only one running
interface. YMMV, though. 

-- 
With best regards,
Gregory Edigarov



Re: Predictable network interface numbering

2011-02-04 Thread frantisek holop
hmm, on Fri, Feb 04, 2011 at 01:28:31PM +1100, Rod Whitworth said that
> So it's easy to remember 0 is for 0utside, 1 is for 1nside and 2 is for
> 2ervers.

that is really nice actually.  now i appreciate the blanket numbering more.

-f
-- 
has a room temperature iq.



make keep state (no-sync) the default?

2011-02-04 Thread Harald Dunkel
Hi folks,

from a previous thread on this list I learned that
keep state (no-sync) should be added to all rules
concerning either a local service or local client
running on the gateway itself.

Esp. when you do nat this becomes pretty error-prone.
It's easy to forget.

AFAICS something like

match out from self to any keep state (no-sync)
match out on $ext_if inet nat-to ($ext_if:0)

is not allowed (keep state is great, but only for pass
rules). Is there some other way to avoid a lot of
keep state (no-sync) statements?

Any helpful comment would be highly appreciated.


Regards

Harri



Re: antispoof quick for self

2011-02-04 Thread Stuart Henderson
** moving from misc@ to tech@, reply-to is set to tech@ **

Harald Dunkel <harald.dun...@aixigo.de> wrote:
> If I add antispoof quick for self to my pf.conf to enable
> antispoofing on all interfaces, then I get these additional
> rules:
>
> block drop in quick on ! self inet from <__automatic_3df3184e_0> to any
> block drop in quick on ! self inet6 from ::1 to any
> block drop in quick inet6 from ::1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick on em0 inet6 from fe80::260:e0ff:fe4b:d2ec to any
> block drop in quick on em1 inet6 from fe80::260:e0ff:fe4b:d2ed to any
> block drop in quick on em5 inet6 from fe80::260:e0ff:fe4b:d2f1 to any
> block drop in quick on em6 inet6 from fe80::260:e0ff:fe4b:d2f2 to any
> block drop in quick on carp0 inet6 from fe80::200:5eff:fe00:10a to any
> block drop in quick on carp1 inet6 from fe80::200:5eff:fe00:107 to any
> block drop in quick on carp5 inet6 from fe80::200:5eff:fe00:111 to any
> block drop in quick inet from <__automatic_3df3184e_1> to any
>
> The automatic tables contain the local networks and the local
> IP addresses, including carp interfaces.
>
> I am not sure about the on ! self. Ain't this a contradiction
> in terms?
>
> Sorry for asking, but self is just very briefly described on
> pf.conf(5). Any helpful comment would be highly appreciated.

Using self to represent all addresses on the system is only
valid in a context where an IP address would be used (refer to
the BNF at the bottom of pf.conf(5) which is probably the best
guide to the file format; self is used in hosts and tableaddr).

The antispoof keyword accepts the name of an interface or an
interface group, so in this case it is being interpreted as
an interface group. However (unless you have created it)
there is no actual group named self.

And actually, even if a group of that name exists, antispoof doesn't
behave correctly unless the group only contains a single interface.
I think it would have to expand groups at config-load time to the set
of interfaces in that group e.g. treat 'antispoof for somegroup' as
if you wrote 'antispoof for em0', 'antispoof for em1', etc. for each
member of the group.

As a discussion point this diff (not intended to commit as-is)
prevents groups/self from being used in antispoof, but it's a bit
unpleasant for anyone who uses antispoof for egress with a single
interface in the egress group, which is treated sanely without this
diff.

Index: parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.597
diff -u -p -r1.597 parse.y
--- parse.y 31 Dec 2010 12:15:31 -  1.597
+++ parse.y 4 Feb 2011 11:59:09 -
@@ -1083,7 +1083,7 @@ antispoof : ANTISPOOF logquick antispoof
h-addr.iflags = PFI_AFLAG_NETWORK;
} else {
h = ifa_lookup(j-ifname,
-   PFI_AFLAG_NETWORK);
+   PFI_AFLAG_NETWORK, 0);
hh = NULL;
}
 
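
Review bot: In the else branch, the call ifa_lookup(j-ifname, PFI_AFLAG_NETWORK, 0) hard-codes the new argument to 0, so a group name is refused even when the group holds exactly one interface, which is the "antispoof for egress" case the message says was handled sanely before. Consider resolving the group first and refusing only when it expands to more than one interface, so the single-interface case keeps working.
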
@@ -1107,7 +1107,7 @@ antispoof : ANTISPOOF logquick antispoof
if (hh != NULL)
h = hh;
else
-   h = ifa_lookup(i-ifname, 0);
+   h = ifa_lookup(i-ifname, 0, 0);
if (h != NULL)
expand_rule(r, 0, NULL, NULL,
NULL, NULL, NULL, NULL, h,
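
Review bot: With h = ifa_lookup(i-ifname, 0, 0), a name that no longer resolves leaves h NULL, and the "if (h != NULL)" guard then skips expand_rule without any message, so the ruleset can load with no antispoof block for that name. Add an else branch that reports the unresolved name through yyerror and fails the parse, so a missing spoofing rule is caught at load time rather than discovered later.
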
Index: pfctl_parser.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.273
diff -u -p -r1.273 pfctl_parser.c
--- pfctl_parser.c  23 Jan 2011 11:19:55 -  1.273
+++ pfctl_parser.c  4 Feb 2011 11:59:09 -
@@ -1318,7 +1318,7 @@ ifa_grouplookup(const char *ifa_name, in
for (ifg = ifgr.ifgr_groups; ifg  len = sizeof(struct ifg_req);
ifg++) {
len -= sizeof(struct ifg_req);
-   if ((n = ifa_lookup(ifg-ifgrq_member, flags)) == NULL)
+   if ((n = ifa_lookup(ifg-ifgrq_member, flags, 1)) == NULL)
continue;
if (h == NULL)
h = n;
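
Review bot: In the loop over ifgr_groups, ifa_lookup(ifg-ifgrq_member, flags, 1) passes 1 for a name that is already a group member, so every member goes back through ifa_grouplookup before the plain interface lookup. If members are always interface names, pass 0 here; if a nested group lookup is intended, a one-line comment saying so would help the next reader.
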
@@ -1334,16 +1334,16 @@ ifa_grouplookup(const char *ifa_name, in
 }
 
 struct node_host *
-ifa_lookup(const char *ifa_name, int flags)
+ifa_lookup(const char *ifa_name, int flags, int allow_group)
 {
struct node_host*p = NULL, *h = NULL, *n = NULL;
int  got4 = 0, got6 = 0;
const char   *last_if = NULL;
 
-   if ((h = ifa_grouplookup(ifa_name, flags)) != NULL)
+   if (allow_group  (h = ifa_grouplookup(ifa_name, flags)) != 
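
Review bot: The new "int allow_group" parameter of ifa_lookup has no comment, and the call sites in parse.y pass a bare 0 or 1, which does not say what is being switched off. A comment above the function stating what is returned for a group name when allow_group is 0, plus named constants for the two values, would make the antispoof call sites self-explanatory; also check that the prototype in the header is changed in the same commit.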

Re: Predictable disk device numbering

2011-02-04 Thread Christopher Zimmermann
Hi,

I have a similar problem since I am using softraid to encrypt /var and
/home. The softraid device is usually on sd0. But when I have a usb
mass storage device plugged in during boot up it gets assigned to sd0
and softraid gets sd1. Still, my fstab tries to mount from /dev/sd0X.
This can be annoying.
Is there no way to reserve sd0 or tell bioctl to use a higher number for
the softraid sdX? With vnd(3) this is not so much of a problem, because
vnd(3) devices won't conflict with unpredictable things like usb-sticks,
which share the sd(4) namespace.


Christopher



Re: nat static-port option

2011-02-04 Thread Pete Vickers
On 3. feb. 2011, at 17.37, Bret S. Lambert wrote:

> On Thu, Feb 03, 2011 at 07:31:01AM -0800, Johan Beisser wrote:
>> On Feb 3, 2011, at 5:17, Martin Schröder <mar...@oneiros.de> wrote:
>>
>>> 2011/2/3 Bret Lambert <bret.lamb...@gmail.com>:
>>>> Counting my toaster?
>>>
>>> Your toaster has an IP?
>>
>> Yours doesn't?
>
> He's got IPv6! His *cockroaches' toasters* have IPs!


He don't appear to 'have' IPv6...

http://www.ris.ripe.net/dashboard/24640


/Pete



Re: Predictable disk device numbering

2011-02-04 Thread Matthias Guedemann
On Fri, 4 Feb 2011 14:32:15 +0100, Christopher Zimmermann <madro...@zakweb.de>
wrote:
> I have a similar problem since I am using softraid to encrypt /var and
> /home. The softraid device is usually on sd0. But when I have a usb
> mass storage device plugged in during boot up it gets assigned to sd0
> and softraid gets sd1. Still, my fstab tries to mount from /dev/sd0X.
> This can be annoying.

it is, but an easy way to avoid this is to use the UID to mount. If your
sd0X has no UID, simply open it with disklabel and save without other
changes - this generates one. You can then change /dev/sd0X to UID.X in
your fstab.

Matthias
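
Added example (not part of Matthias's message and not OpenBSD code): a small sh helper that makes the fstab change described above for every partition of one disk. The function names, the sample disklabel output and the sample fstab are constructed, and treating an all-zero DUID as "not set yet" is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Print the DUID found in `disklabel <disk>` output read on stdin.
duid_from_disklabel() {
    awk '$1 == "duid:" { print $2; exit }'
}

# Rewrite an fstab read on stdin so that every /dev/<disk><partition>
# entry becomes <duid>.<partition>. All other lines pass through unchanged.
# Usage: fstab_use_duid sd0 3f2a9c41d07be685 < /etc/fstab
fstab_use_duid() {
    disk=$1
    duid=$2
    # A DUID is 16 hex digits. All zeroes is treated here as "not set yet"
    # (assumption): the case where the label has to be saved once first.
    if ! printf '%s\n' "$duid" | grep -Eq '^[0-9a-f]{16}$' ||
       [ "$duid" = 0000000000000000 ]; then
        echo "fstab_use_duid: no usable DUID for $disk" >&2
        return 1
    fi
    awk -v dev="/dev/$disk" -v duid="$duid" '
        /^[ \t]*#/ { print; next }      # keep comment lines as they are
        {
            n = length(dev)
            part = substr($1, n + 1)
            # Match <dev> followed by exactly one partition letter, so
            # that sd1 does not also capture an entry such as sd10a.
            if (substr($1, 1, n) == dev && part ~ /^[a-p]$/)
                sub(/[^ \t]+/, duid "." part)
            print
        }'
}

# Constructed disklabel output for the softraid volume.
sample_disklabel() {
    cat <<'EOF'
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: SR CRYPTO
duid: 3f2a9c41d07be685
flags:
bytes/sector: 512
EOF
}

# Constructed fstab that still names the softraid volume by unit number.
sample_fstab() {
    cat <<'EOF'
/dev/wd0a / ffs rw 1 1
# encrypted softraid volume
/dev/sd0d /var ffs rw,nodev,nosuid 1 2
/dev/sd0e /home ffs rw,nodev,nosuid 1 2
/dev/sd1i /mnt/usb msdos rw,noauto 0 0
EOF
}

# On a live system the first step would be: disklabel sd0 | duid_from_disklabel
id=$(sample_disklabel | duid_from_disklabel)
sample_fstab | fstab_use_duid sd0 "$id"
```

Once the entries name the DUID, a USB stick that takes sd0 at boot no longer changes which volume is mounted on /var and /home.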



Re: Predictable disk device numbering

2011-02-04 Thread Nick Holland

On 02/04/2011 08:32 AM, Christopher Zimmermann wrote:

> Hi,
>
> I have a similar problem since I am using softraid to encrypt /var and
> /home. The softraid device is usually on sd0. But when I have a usb
> mass storage device plugged in during boot up it gets assigned to sd0
> and softraid gets sd1. Still, my fstab tries to mount from /dev/sd0X.
> This can be annoying.
> Is there no way to reserve sd0 or tell bioctl to use a higher number for
> the softraid sdX? With vnd(3) this is not so much of a problem, because
> vnd(3) devices won't conflict with unpredictable things like usb-sticks,
> which share the sd(4) namespace.
>
>
> Christopher

man diskmap
man mount  (search for UID)

Nick.



Re: Predictable disk device numbering

2011-02-04 Thread Christopher Zimmermann
On 02/04/11 15:10, Matthias Guedemann wrote:
> On Fri, 4 Feb 2011 14:32:15 +0100, Christopher Zimmermann
> <madro...@zakweb.de> wrote:
>> I have a similar problem since I am using softraid to encrypt /var and
>> /home. The softraid device is usually on sd0. But when I have a usb
>> mass storage device plugged in during boot up it gets assigned to sd0
>> and softraid gets sd1. Still, my fstab tries to mount from /dev/sd0X.
>> This can be annoying.
>
> it is, but an easy way to avoid this is to use the UID to mount. If your
> sd0X has no UID, simply open it with disklabel and save without other
> changes - this generates one. You can then change /dev/sd0X to UID.X in
> your fstab.
>
> Matthias


Thanks! Just what I needed :)



Re: nat static-port option

2011-02-04 Thread Martin Schröder
2011/2/4 Pete Vickers <p...@systemnet.no>:
> He don't appear to 'have' IPv6...

DTAG will offer v6 to all its customers later this year.
It's only the largest telco in Germany. :-)

Best
   Martin



Re: nat static-port option

2011-02-04 Thread Joakim Aronius
* Ted Unangst (ted.unan...@gmail.com) wrote:
> On Wed, Feb 2, 2011 at 11:23 AM, Martin Schröder <mar...@oneiros.de> wrote:
>> 2011/2/2 Henning Brauer <lists-open...@bsws.de>:
>>> who sez that your made up isp has to hand out network-wide unique IPs
>>> to his customers?
>>
>> AFAIK Comcast already has 2^24 customers.
>
> And they seem to be doing just fine.  What's the problem again?

..don't want to fuel a flame war here but i heard stuff like ATT is using 40
instances of 10/8 indicates that big operators need to bend themselves
backwards to get their stuff together.

And T-Mobile US is about to launch an IPv6 only + NAT64 mobile service, will be 
interesting to see how that plays out..

Cheers,
/Joakim



Re: nat static-port option

2011-02-04 Thread Bret Lambert
On Fri, Feb 4, 2011 at 2:45 PM, Martin Schröder <mar...@oneiros.de> wrote:
> 2011/2/4 Pete Vickers <p...@systemnet.no>:
>> He don't appear to 'have' IPv6...
>
> DTAG will offer v6 to all its customers later this year.
> It's only the largest telco in Germany. :-)

The US has been offering freedom to the world for a while now.
It's only the largest republic in the world :-)



Re: nat static-port option

2011-02-04 Thread Martin Schröder
2011/2/4 Bret Lambert <bret.lamb...@gmail.com>:
> The US has been offering freedom to the world for a while now.
> It's only the largest republic in the world :-)

No, that's India (people). Or Russia (size).

Best
   Martin



Re: nat static-port option

2011-02-04 Thread Daniel Gracia

On 04/02/2011 16:15, Martin Schröder wrote:
> 2011/2/4 Bret Lambert <bret.lamb...@gmail.com>:
>> The US has been offering freedom to the world for a while now.
>> It's only the largest republic in the world :-)
>
> No, that's India (people). Or Russia (size).
>
> Best
> Martin



Still US (money). Take your pick.



Re: nat static-port option

2011-02-04 Thread Martin Schröder
2011/2/4 Joakim Aronius <joa...@aronius.com>:
> ..don't want to fuel a flame war here but i heard stuff like ATT is using 40
> instances of 10/8 indicates that big operators need to bend themselves
> backwards to get their stuff together.

Carrier grade NAT is less bullshit than ipv6. :-)



Re: nat static-port option

2011-02-04 Thread Joakim Aronius
* Joakim Aronius (joa...@aronius.com) wrote:
> ..don't want to fuel a flame war here but i heard stuff like ATT is using 40
> instances of 10/8 indicates that big operators need to bend themselves
> backwards to get their stuff together.

Need to correct myself there, should be Verizon Wireless, not ATT.
https://sites.google.com/site/ipv6implementors/2010/agenda/14_Parker_VerizonWireless.pdf?attredirects=0
https://sites.google.com/site/ipv6implementors/2010/agenda

Cheers,
/Joakim



Re: make keep state (no-sync) the default?

2011-02-04 Thread Henning Brauer
* Harald Dunkel <harald.dun...@aixigo.de> [2011-02-04 14:31]:
> Is there some other way to avoid a lot of keep state (no-sync)
> statements?

is there some other way to make people READ the fucking manpages we
put so much effort in?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: make keep state (no-sync) the default?

2011-02-04 Thread Daniel Gracia

On 04/02/2011 18:56, Henning Brauer wrote:
> * Harald Dunkel <harald.dun...@aixigo.de> [2011-02-04 14:31]:
>> Is there some other way to avoid a lot of keep state (no-sync)
>> statements?
>
> is there some other way to make people READ the fucking manpages we
> put so much effort in?



You're talking nonsense; of course no!

PS: Some of us don't forget that udp mode, non-forking, non-blocking
mods for tcpbench... I must stop slacking! xDDD




Re: nat static-port option

2011-02-04 Thread Joakim Aronius
* Martin Schröder (mar...@oneiros.de) wrote:
> Carrier grade NAT is less bullshit than ipv6. :-)

Arbor networks just released their new 'Worldwide Infrastructure Report' which
was interesting. In particular the rising threat of DDOS and the use of
stateful network gear in mobile networks, such as DPI and NAT...

The complexities of IPv6, as eloquently expressed by Henning, will surely
result in some interesting security issues..

http://www.arbornetworks.com/en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html

Now I think we shall let this thread come to rest as this is a bit out of
topic. (and before someone refrains to name calling, I was almost called 'IPv6
fanboy' at one point).

Have a nice weekend :)
/Joakim



IPv6 router with static addresses assignment not works

2011-02-04 Thread Evgeniy Sudyr
Hi all:

I have problem with my ipv6 router (two NICs) running on 4.8. I have
external IP address /64 and routed by ISP /48 network through that IP.
I want to use static addressing in my internal network, so I've chosen
one /64 subnet in my /48 network and assigned xx::1 to my internal
router and assigned xx::2 IP and xx::1 to client host in my internal
network.

1) I'm able to ping client host from router and vice versa.
2) Firewall permitting icmp6 and not blocks packets (I'm logging
blocked packets and checked with tcpdump on pflog0).
3) I'm able to reach external IPv6 hosts from router and I'm able to
ping router from remote ipv6 hosts. problem is that
4) I can't reach external hosts from my client host xx::2 (or any
other IP).  I don't see requests on router's internal interface, but
see it with tcpdump on client host.
5) When I'm trying to ping client host from external host I see on
client host that packets reach client host and sends response but that
responses not reach xx::1. Ipv6 forwarding is enabled 100%.

Does anybody have a clue why it doesn't work?

Magic happens when I'm starting rtadvd re0 -c /etc/rtadvd.conf (where
I have same network specified) - then it works :).

My NIC is re0 at pci1 dev 0 function 0 D-Link DGE-528T rev 0x10:
RTL8169/8110SB (0x1000), apic 2 int 20 (irq 12), address
00:1e:58:2b:f3:d8
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3

# sysctl -a | grep inet6
net.inet6.ip6.forwarding=1
net.inet6.ip6.redirect=1
net.inet6.ip6.hlim=64
net.inet6.ip6.mrtproto=103
net.inet6.ip6.maxfragpackets=200
net.inet6.ip6.accept_rtadv=0
net.inet6.ip6.keepfaith=1
net.inet6.ip6.log_interval=5
net.inet6.ip6.hdrnestlimit=10
net.inet6.ip6.dad_count=1
net.inet6.ip6.auto_flowlabel=1
net.inet6.ip6.defmcasthlim=1
net.inet6.ip6.kame_version=OpenBSD-current
net.inet6.ip6.use_deprecated=1
net.inet6.ip6.rr_prune=5
net.inet6.ip6.v6only=1
net.inet6.ip6.maxfrags=200
net.inet6.ip6.mforwarding=0
net.inet6.ip6.multipath=0
net.inet6.ip6.multicast_mtudisc=0
net.inet6.ip6.neighborgcthresh=2048
net.inet6.ip6.maxifprefixes=16
net.inet6.ip6.maxifdefrouters=16
net.inet6.ip6.maxdynroutes=4096
net.inet6.ip6.dad_pending=0
net.inet6.icmp6.rediraccept=1
net.inet6.icmp6.redirtimeout=600
net.inet6.icmp6.nd6_prune=1
net.inet6.icmp6.nd6_delay=5
net.inet6.icmp6.nd6_umaxtries=3
net.inet6.icmp6.nd6_mmaxtries=3
net.inet6.icmp6.nd6_useloopback=1
net.inet6.icmp6.nodeinfo=1
net.inet6.icmp6.errppslimit=100
net.inet6.icmp6.nd6_maxnudhint=0
net.inet6.icmp6.mtudisc_hiwat=1280
net.inet6.icmp6.mtudisc_lowat=256
net.inet6.icmp6.nd6_debug=0
net.inet6.divert.recvspace=65636
net.inet6.divert.sendspace=65636

# uname -a
OpenBSD gateway 4.8 GENERIC.MP#335 amd64



-- 
--
With regards,
Eugene Sudyr



Re: make keep state (no-sync) the default?

2011-02-04 Thread Kevin Chadwick
On Fri, 4 Feb 2011 18:56:28 +0100
Henning Brauer <lists-open...@bsws.de> wrote:

> is there some other way to make people READ the fucking manpages we
> put so much effort in?

laser etcher + contact lens and super glue



Re: make keep state (no-sync) the default?

2011-02-04 Thread Kurt Mosiejczuk

Kevin Chadwick wrote:

> On Fri, 4 Feb 2011 18:56:28 +0100
> Henning Brauer <lists-open...@bsws.de> wrote:
>
>> is there some other way to make people READ the fucking manpages we
>> put so much effort in?
>
> laser etcher + contact lens and super glue


I'm positive that that still won't work for some folks.

--Kurt



Re: make keep state (no-sync) the default?

2011-02-04 Thread Kurt Mosiejczuk

Henning Brauer wrote:

> * Harald Dunkel <harald.dun...@aixigo.de> [2011-02-04 14:31]:
>> Is there some other way to avoid a lot of keep state (no-sync)
>> statements?
>
> is there some other way to make people READ the fucking manpages we
> put so much effort in?


If you figure that out, I think you'll be a very rich man.

--Kurt



By default, should `lynx your external IP` work?

2011-02-04 Thread Ezequiel Garzón
Hello! By chance I tried this from my fresh OpenBSD VPS, which I
assume has had a default installation. Basically by chance (it didn't
make much sense) I tried lynx <external IP> *from my VPS*, and it
didn't work, even though it did work from my desktop PC:

--
Looking up <external IP> first
Looking up <external IP>
Making HTTP connection to <external IP>
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://<external IP>/
--

But there's more. A similar situation happens with ping (which, again,
works when called from another computer):

--
PING <external IP> (<external IP>): 56 data bytes
--- <external IP> ping statistics ---
219 packets transmitted, 0 packets received, 100.0% packet loss
--

Is this normal behavior by default? I know both things work from other
OSes, so I'm wondering if this has something to do with OpenBSD's
added security measures.

Thank you in advance for your help.

Cheers,

Ezequiel



Re: By default, should `lynx your external IP` work?

2011-02-04 Thread Benny Lofgren
On 2011-02-04 21.12, Ezequiel Garzón wrote:
> Hello! By chance I tried this from my fresh OpenBSD VPS, which I
> assume has had a default installation. Basically by chance (it didn't
> make much sense) I tried lynx <external IP> *from my VPS*, and it
> didn't work, even though it did work from my desktop PC:
> --
> Looking up <external IP> first
> Looking up <external IP>
> Making HTTP connection to <external IP>
> Alert!: Unable to connect to remote host.
> lynx: Can't access startfile http://<external IP>/
> --
> But there's more. A similar situation happens with ping (which, again,
> works when called from another computer):
> --
> PING <external IP> (<external IP>): 56 data bytes
> --- <external IP> ping statistics ---
> 219 packets transmitted, 0 packets received, 100.0% packet loss
> --
> Is this normal behavior by default? I know both things work from other
> OSes, so I'm wondering if this has something to do with OpenBSD's
> added security measures.

No, this is not normal behaviour. Your VPS provider has some explaining
to do.

(And by the way, making things not work is hardly ever an added
security measure - it's just a plain inconvenience. And inconvenienced
people tend to be more prone to do something stupid while trying to work
around their inconvenience than people whose stuff just works as expected...)


Regards,
/Benny

-- 
internetlabbet.se / work:   +46 8 551 124 80  / Words must
Benny Löfgren/  mobile: +46 70 718 11 90 /   be weighed,
/   fax:+46 8 551 124 89/not counted.
   /email:  benny -at- internetlabbet.se



dell latitude d430 + port replicator -- is okay?

2011-02-04 Thread Sviatoslav Chagaev
Hi,

I want to buy a DELL Latitude D430 + a port replicator (for the DVI and
LPT ports).

Does this laptop work okay with OBSD?

How about the port replicator? Does it need any kind of support from
the OS (e.g. drivers) or is it just an electromechanical contraption?

Thanks.



Re: dell latitude d430 + port replicator -- is okay?

2011-02-04 Thread Ron McDowell

Sviatoslav Chagaev wrote:

> Hi,
>
> I want to buy a DELL Latitude D430 + a port replicator (for the DVI and
> LPT ports).
>
> Does this laptop work okay with OBSD?
>
> How about the port replicator? Does it need any kind of support from
> the OS (e.g. drivers) or is it just an electromechanical contraption?
>
> Thanks.


I have loaded 4.6 or .7 on a D430 and don't remember any problems. 
Printer and serial worked, as did the optical drive I installed from.  
Ethernet and wifi worked on mine but wifi might depend on what adapter 
is in it.  I never tried X or the DVI plug but X on other BSDs and UXes 
has worked fine in the past.


--
Ron McDowell
San Antonio TX



Re: dell latitude d430 + port replicator -- is okay?

2011-02-04 Thread Martin Schröder
2011/2/5 Sviatoslav Chagaev <0x1...@gmail.com>:
> How about the port replicator? Does it need any kind of support from
> the OS (e.g. drivers) or is it just an electromechanical contraption?

If you mean a PR01X: The latter. It just works.

Best
   Martin



Re: IPv6 router with static addresses assignment not works

2011-02-04 Thread Evgeniy Sudyr
Joakim,

I set default gateway and it's present in routes list :). I've sorted
out and solved problem!!!

Unfortunately all of my office clients are Windows OSes which are too
USER FRIENDLY and it added Site-local route automatically :)

I was wondered to see this:

C:\Users\Evgeniy.Sudyr>netsh int ipv6 show route

Publish  Type    Met  Prefix  Idx  Gateway/Interface Name
-------  ------  ---  ------  ---  ------------------------
No       Manual  256  ::/0    11   fe80::218:e7ff:fefc:4a20
No       Manual  256  ::/0    11   2aaa::::1b:1::1

 Where 2aaa::::1b:1::1 is statically set IPv6 default
gateway and fe80::218:e7ff:fefc:4a20 as automatically assigned IP
address with the same metric (I've used defaults and don't played with
it before).

With tcpdump I figured that it uses fe80::218:e7ff:fefc:4a20 as
default gateway all the time.

Obviously solution was to change metric value to something lower which
will be used instead fe80 router which is local address :).

To change route metric just simply use netsh or GUI :)

netsh int ipv6 set route ::/0 11 2aaa::::1b:1::1 0 100 no


Hope this will be useful for somebody else.

OpenBSD rocks!




On Sat, Feb 5, 2011 at 12:15 AM, Joakim Aronius <joa...@aronius.com> wrote:
> * Evgeniy Sudyr (eject.in...@gmail.com) wrote:
>> Magic happens when I'm starting rtadvd re0 -c /etc/rtadvd.conf (where
>> I have same network specified) - then it works :).
>
>
> Hi there Evgeniy,
>
> Problem is that when you statically configure the IP parameters you do not
> set the default gateway so the client does not know where to send packets
> outside the v6 LAN.
>
> In my machines I have a line like this in my hostname.if
> !/sbin/route add -inet6 default 2001:db8:cc17:5::1
>
> ..but now when I have a look it seems like since 4.8 it is supported to add a
> default gateway address to /etc/mygate in the same way as for IPv4. So if you
> only have a default GW that's what you should do.
>
> /Joakim




-- 
--
With regards,
Eugene Sudyr



Re: By default, should `lynx your external IP` work?

2011-02-04 Thread Ezequiel Garzón
Thank you, Benny. I thought so, but wasn't sure.

On Fri, Feb 4, 2011 at 10:35 PM, Benny Lofgren <bl-li...@lofgren.biz> wrote:
> On 2011-02-04 21.12, Ezequiel Garzón wrote:
>> Hello! By chance I tried this from my fresh OpenBSD VPS, which I
>> assume has had a default installation. Basically by chance (it didn't
>> make much sense) I tried lynx <external IP> *from my VPS*, and it
>> didn't work, even though it did work from my desktop PC:
>> --
>> Looking up <external IP> first
>> Looking up <external IP>
>> Making HTTP connection to <external IP>
>> Alert!: Unable to connect to remote host.
>> lynx: Can't access startfile http://<external IP>/
>> --
>> But there's more. A similar situation happens with ping (which, again,
>> works when called from another computer):
>> --
>> PING <external IP> (<external IP>): 56 data bytes
>> --- <external IP> ping statistics ---
>> 219 packets transmitted, 0 packets received, 100.0% packet loss
>> --
>> Is this normal behavior by default? I know both things work from other
>> OSes, so I'm wondering if this has something to do with OpenBSD's
>> added security measures.
>
> No, this is not normal behaviour. Your VPS provider has some explaining
> to do.
>
> (And by the way, making things not work is hardly ever an added
> security measure - it's just a plain inconvenience. And inconvenienced
> people tend to be more prone to do something stupid while trying to work
> around their inconvenience than people whose stuff just works as expected...)
>
>
> Regards,
> /Benny
>
> --
> internetlabbet.se / work:   +46 8 551 124 80  / Words must
> Benny Löfgren/  mobile: +46 70 718 11 90 /   be weighed,
> /   fax:+46 8 551 124 89/not counted.
>    /email:  benny -at- internetlabbet.se



Re: Relayd -- FQDN length limit?

2011-02-04 Thread Ted Unangst
On Fri, Feb 4, 2011 at 7:04 PM, Andrew Klettke <aklet...@opticfusion.net>
wrote:
> If we define a relay with a hostname that is longer than 32 characters, we
> get the following:
> Feb  1 22:14:00 fw02 relayd[22062]: fatal: relay_init: failed to create SSL
> context: No buffer space available

That error may be misleading.  I can't find any references to ENOBUFS
in relayd or openssl, and I don't think openssl uses errno much
anyway.  I think you should turn on debugging, it will provide better
messages.



Re: dell latitude d430 + port replicator -- is okay?

2011-02-04 Thread Marco Peereboom
if i recall it correctly that is a fine machine.  make sure you don't get
an nvidia one though (not sure they made them but got to avoid them)

On Sat, Feb 05, 2011 at 01:16:04AM +0200, Sviatoslav Chagaev wrote:
> Hi,
>
> I want to buy a DELL Latitude D430 + a port replicator (for the DVI and
> LPT ports).
>
> Does this laptop work okay with OBSD?
>
> How about the port replicator? Does it need any kind of support from
> the OS (e.g. drivers) or is it just an electromechanical contraption?
>
> Thanks.