

nsd name server generates high load during zone update on slave

2012-05-28 Thread Imre Oolberg

Hi!

I am having trouble on OpenBSD v. 5.1 using NSD nameserver.

When the slave NSD name server receives a zone update and reloads it into its 
database, a high and sustained user load (about 1-2) is generated on the CPU, 
depending on hardware, for 3 to 10 minutes. This kind of load is also 
observed when doing nsdc patch. It seems to happen only when the 
zone has many RRs, say 100k NS lines; using NSD with OpenBSD v. 4.8 from 
packages does not have this issue, nor does 5.1-current, but 5.1 does; I 
have tried and got similar results on amd64 and i386, it happens on 
both. Normally this kind of reload and patch takes several seconds only.

My nsd conf is as following on the slave

   server:
   hide-version: yes
   ip-address: 10.193.0.53
   ip-address: 192.168.1.211
   ip-address: 127.0.0.1
   chroot: /var/nsd
   logfile: /var/log/nsd.log

   zone:
   name: bar
   zonefile: bar.zone

   allow-notify: 127.0.0.1 NOKEY
   allow-notify: 192.80.102.35 NOKEY
   request-xfr: AXFR 192.80.109.158 NOKEY
   provide-xfr: 10.193.0.53 NOKEY
   provide-xfr: 192.168.10.10 NOKEY
   allow-axfr-fallback: yes

and master zone for bar. is like

   $TTL 86400
   @ IN  SOA ns.foo.bar. hostmaster.foo.bar. (
2012052308 14400 7200 360 10800 )
   IN  NS  ns.foo.bar.

   aa000 IN NS aa000.bar.foo.
   aa001 IN NS aa001.bar.foo.

   ...
   lc994 IN NS lc994.bar.foo.

I would be very thankful if somebody could have a look at it and confirm 
this behaviour. And if nsd on 5.1 really is to blame, may I add that a 
patch would be very much welcome! :)



Best regards,

Imre

PS I used the sendbug utility for the first time to ask for help on this, but I 
am not sure I got it all right; at least I can say I succeeded in sending out 
an email


May 23 13:16:21 post-relay postfix/smtp[11753]: A1E707E5F7: 
to=gn...@openbsd.org, 
relay=shear.ucar.edu[192.43.244.163]:25, delay=3.8, 
delays=0.01/0.06/2.3/1.4, dsn=2.0.0, status=sent (250 2.0.0 
q4NAGI62032168 Message accepted for delivery)




General question about default route in OSPF

2012-05-28 Thread Ivo Chutkin

Hello,
I have a general question about redistributing a default route to ospf peers.
I have R1 which is connected to upstream ISPs via BGPd.
R1 should redistribute (it used to with openbsd 4.4, and after upgrading 
to 5.1 it stopped) the default route to C1 via OSPFd.
I have read that in order to redistribute a default route R1 should have one 
itself, but in this case I get dynamic routes via BGPd and don't have a 
default there.


I solved the problem by adding a default route on C1 pointing to R1 manually.

If I add loopback as default on B1, will it be better solution?

Thanks for the help,
Ivo



Re: spamd greylisting: false positives

2012-05-28 Thread Stuart Henderson
On 2012-05-28, David Diggles da...@elven.com.au wrote:
 So there you have it.  Don't use spamd with greytrapping if your
 secondary MX is going to deliver a bounce.  It will confuse SMTP
 servers into giving up.

well, that doesn't just apply to spamd.. you are better off not listing
a secondary MX unless it's A) working and B) has equally strong or better
spam controls than the primary MX



Re: spamd greylisting: false positives

2012-05-28 Thread Stuart Henderson
On 2012-05-27, David Diggles da...@elven.com.au wrote:
From:   Stuart Henderson stu () spacehopper ! org
Date:   2012-05-27 22:29:50

On 2012-05-27, David Diggles da...@elven.com.au wrote:
 Bummer, I have forgotten to pflog the spamd connections to lo0

So this breaks spamlogd which means servers will expire from the
greylist even if they mail you regularly..

 Do you mean this pf rule

 pass in log on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state

 breaks spamlogd?

 Would you mind explaining why, and how I can un-break it?



Ah sorry I misread, I thought you had written that you weren't logging the
SMTP connections, not the spamd connections..



Re: Problem understanding portupgrade error message

2012-05-28 Thread Stuart Henderson
On 2012-05-27, Geir Svalland g.svall...@bredband.net wrote:
 Can't install p5-DBD-SQLite-1.35p0v0 because of libraries
|library sqlite3.18.2 not found
| /usr/lib/libsqlite3.so.18.0 (system): minor is too small
| /usr/lib/libsqlite3.so.19.0 (system): bad major

The sqlite library in the base OS had the version number changed a couple of
times in quick succession, it will take a short while for packages to catch up
because they were built against the first version number. Wait a day or two and
try again.

 Full dependency tree is p5-Clone-0.31p1 p5-MLDBM-2.04 p5-PlRPC-0.2018p1
 p5-SQL-Statement-1.33 p5-Params-Util-1.00p2 p5-Net-Daemon-0.43p0
 p5-DBI-1.616 p5-FreezeThaw-0.43p2

 Collision in p5-Geography-Countries-2009041301p0: the following files
 already exist

 /usr/local/libdata/perl5/site_perl/Geography/Countries.pm from
 p5-Geography-Countries-2009041301p0 (same checksum)

 Can't install p5-IP-Country-2.27p0: can't resolve
 p5-Geography-Countries-2009041301p0

I don't understand that, output from pkg_add -vv -ui might help.



ntpd not adjusting system clock

2012-05-28 Thread Zé Loff
I have a mail server which syncs its clock to a local ntp server.  This
time server in turn syncs itself with a number of public servers and is
working correctly, as far as I can tell (ntpd -dv shows offsets under
1ms).

However, the mail server (an _old_ Pentium III @ 500Mhz) started
drifting furiously, and the ntpd (client) doesn't appear to be actually
adjusting the local clock, although it sets it correctly (if ntpd -s).

The time server is a Soekris net4801, the mail server is an _old_
x86 box (Pentium III 500Mhz). Both boxes run 5.0.

$ sudo ntpd -svd 
ntp engine ready
reply from 10.17.16.2: offset -5.781745 delay 0.001901, next query 8s
set local clock to Mon May 28 12:22:39 WEST 2012 (offset -5.781745s)
reply from 10.17.16.2: offset -0.249842 delay 0.001821, next query 7s
reply from 10.17.16.2: offset -0.471290 delay 0.001870, next query 8s
peer 10.17.16.2 now valid
reply from 10.17.16.2: offset -0.724371 delay 0.001822, next query 8s
reply from 10.17.16.2: offset -0.977404 delay 0.001875, next query 9s
reply from 10.17.16.2: offset -1.262066 delay 0.001814, next query 5s
reply from 10.17.16.2: offset -1.420363 delay 0.001776, next query 31s
reply from 10.17.16.2: offset -2.400023 delay 0.001832, next query 33s
adjusting local clock by -1.420363s
reply from 10.17.16.2: offset -2.057283 delay 0.001924, next query 34s
reply from 10.17.16.2: offset -3.131575 delay 0.001821, next query 34s
reply from 10.17.16.2: offset -4.201259 delay 0.001737, next query 34s
reply from 10.17.16.2: offset -5.275638 delay 0.001835, next query 31s
reply from 10.17.16.2: offset -6.255265 delay 0.001849, next query 31s
reply from 10.17.16.2: offset -7.234918 delay 0.001811, next query 31s
reply from 10.17.16.2: offset -8.214601 delay 0.001750, next query 31s
adjusting local clock by -4.481622s
reply from 10.17.16.2: offset -5.024796 delay 0.001837, next query 31s
reply from 10.17.16.2: offset -6.004269 delay 0.001842, next query 30s
reply from 10.17.16.2: offset -6.947157 delay 0.002090, next query 32s
reply from 10.17.16.2: offset -7.958516 delay 0.001831, next query 32s
...

As you can notice, the drift is about 2s/min, which is huge and quickly
amounts to a few hours, and the next thing I know I'm getting mails which
were sent tomorrow...

Is this drift too large to be adjusted smoothly by ntpd? And if so, any
idea as to what might be causing this?

Many thanks
Zé Loff

-- 



Re: ntpd not adjusting system clock

2012-05-28 Thread Zé Loff
On Mon, May 28, 2012 at 12:46:45PM +0100, Zé Loff wrote:
 I have a mail server which syncs its clock to a local ntp server.  This
 time server in turn syncs itself with a number of public servers and is
 working correctly, as far as I can tell (ntpd -dv shows offsets under
 1ms).
 
 However, the mail server (an _old_ Pentium III @ 500Mhz) started
 drifting furiously, and the ntpd (client) doesn't appear to be actually
 adjusting the local clock, although it sets it correctly (if ntpd -s).
 
 The time server is a Soekris net4801, the mail server is an _old_
 x86 box (Pentium III 500Mhz). Both boxes run 5.0.
 
 $ sudo ntpd -svd 
 ntp engine ready
 reply from 10.17.16.2: offset -5.781745 delay 0.001901, next query 8s
 set local clock to Mon May 28 12:22:39 WEST 2012 (offset -5.781745s)
 reply from 10.17.16.2: offset -0.249842 delay 0.001821, next query 7s
 reply from 10.17.16.2: offset -0.471290 delay 0.001870, next query 8s
 peer 10.17.16.2 now valid
 reply from 10.17.16.2: offset -0.724371 delay 0.001822, next query 8s
 reply from 10.17.16.2: offset -0.977404 delay 0.001875, next query 9s
 reply from 10.17.16.2: offset -1.262066 delay 0.001814, next query 5s
 reply from 10.17.16.2: offset -1.420363 delay 0.001776, next query 31s
 reply from 10.17.16.2: offset -2.400023 delay 0.001832, next query 33s
 adjusting local clock by -1.420363s
 reply from 10.17.16.2: offset -2.057283 delay 0.001924, next query 34s
 reply from 10.17.16.2: offset -3.131575 delay 0.001821, next query 34s
 reply from 10.17.16.2: offset -4.201259 delay 0.001737, next query 34s
 reply from 10.17.16.2: offset -5.275638 delay 0.001835, next query 31s
 reply from 10.17.16.2: offset -6.255265 delay 0.001849, next query 31s
 reply from 10.17.16.2: offset -7.234918 delay 0.001811, next query 31s
 reply from 10.17.16.2: offset -8.214601 delay 0.001750, next query 31s
 adjusting local clock by -4.481622s
 reply from 10.17.16.2: offset -5.024796 delay 0.001837, next query 31s
 reply from 10.17.16.2: offset -6.004269 delay 0.001842, next query 30s
 reply from 10.17.16.2: offset -6.947157 delay 0.002090, next query 32s
 reply from 10.17.16.2: offset -7.958516 delay 0.001831, next query 32s
 ...
 
 As you can notice, the drift is about 2s/min, which is huge and quickly
 amounts to a few hours, and the next thing I know I'm getting mails which
 were sent tomorrow...
 
 Is this drift too large to be adjusted smoothly by ntpd? And if so, any
 idea as to what might be causing this?
 
 Many thanks
 Zé Loff
 
 -- 
 

Correction: I realize it is adjusting the clock (the offset diminishes after
adjustment). The output above does not show the behaviour I referred to.
I'm looking further into this, and I'll post some more info later. Sorry
about the noise.

(that is a big drift, though...)

-- 



Re: spamd greylisting: false positives

2012-05-28 Thread Peter N. M. Hansteen
David Diggles da...@elven.com.au writes:

 So there you have it.  Don't use spamd with greytrapping if your
 secondary MX is going to deliver a bounce.  It will confuse SMTP
 servers into giving up.

Secondary MXes that are not set up to actually receive mail for your
domain are one thing (annoying, but just a simple misconfiguration);
another thing you need to do is make sure the secondaries have the same
or equivalent level of spam and malware protection.  That's where things
like spamd's synchronization options come in handy. 

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-28 Thread David Diggles
I have got it to do 10Mbps now, by ditching the 85Mbps ethernet over
power adaptors, in favor of a cable.

I get 12Mbps if I run it to the 2.4GHz Pentium 4 xl0 100Mbps port.

No idea what is slowing it down here yet.  It should be getting 30Mbps,
like it does on the Mac.

Maybe I should try some of the kernel tuning suggested on calomel.

On Mon, May 21, 2012 at 11:00:22AM -0600, Daniel Melameth wrote:
 On Mon, May 21, 2012 at 9:35 AM, David Diggles da...@elven.com.au wrote:
  I am still getting 300 kilobytes/second download speed with OpenBSD pppoe, 
  however when
  I plug directly into a Mac and run pppoe on it, 3 megabytes/second.
 
  What should I look at for tuning this to get 3MB/s through OpenBSD?
 
  Connection: pppoe, over fibre, 30M downlink, 1M uplink
 
  The OpenBSD gateway is using the kernel pppoe driver.
  ...
  OpenBSD 5.1 (GENERIC) #160: Sun Feb 12 09:46:33 MST 2012
  ? ?dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
  cpu0: Geode(TM) Integrated Processor by National Semi (CyrixInstead 
  586-class) 301 MHz
  cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
  real mem ?= 132182016 (126MB)
  avail mem = 119992320 (114MB)
 ...
  rl0 at pci0 dev 14 function 0 Realtek 8139 rev 0x10: irq 12, address 
  00:90:0b:04:bb:f1
  rlphy0 at rl0 phy 0: RTL internal PHY
  rl1 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: irq 10, address 
  00:90:0b:04:bb:f2
  rlphy1 at rl1 phy 0: RTL internal PHY
  rl2 at pci0 dev 16 function 0 Realtek 8139 rev 0x10: irq 11, address 
  00:90:0b:04:bb:f3
  rlphy2 at rl2 phy 0: RTL internal PHY
 
 FWIW, I have 20M/5M VDSL service at home and have zero issue doing
 20Mbps with OpenBSD as my pppoe-based firewall.  That said, while I
 wouldn't expect a 300MHz machine to limit you to 2.4Mbps, it is a bit
 weak--and rl NICs are some of the worst out there.  Curiously, when
 doing 2.4Mbps, what does top show for interrupts?  For comparison,
 when I'm doing 20Mbps, my interrupts are at 5-6% using em and fxp
 NICs.



pfctl -P

2012-05-28 Thread Jan Stary
The manpage says
-P Print ports using their names in /etc/services if available.

This works with pfctl -P -sr, but not with pfctl -P -ss
- is that intended?

Jan



pflogd -x

2012-05-28 Thread Jan Stary
By the pflogd(8) manpage, the '-x' option can be used
to check the integrity of an existing logfile.

Is there a way to tell whether pflogd did find
the file to be OK or not? For example:

# pflogd -x -f /var/log/pflog 
# echo $?  
0

# echo foo > /tmp/bar
# pflogd -x -f /tmp/bar
# echo $?   
0

Am I missing something?



Re: pfctl -P

2012-05-28 Thread Lawrence Teo
On Mon, May 28, 2012 at 03:34:04PM +0200, Jan Stary wrote:
 The manpage says
 -P Print ports using their names in /etc/services if available.
 
 This works with pfctl -P -sr, but not with pfctl -P -ss
 - is that intended?

Good catch. :)  I originally created -P for use with -sr, and did not
consider that it might be useful for -ss too.  Let me see if I can hack
something up...

Thanks,
Lawrence



Re: pflogd -x

2012-05-28 Thread Jan Stary
On May 28 15:53:03, Jan Stary wrote:
 By the pflogd(8) manpage, the '-x' option can be used
 to check the integrity of an existing logfile.
 
 Is there a way to tell whether pflogd did find
 the file to be OK or not? For example:
 
   # pflogd -x -f /var/log/pflog 
   # echo $?  
   0
 
   # echo foo > /tmp/bar
   # pflogd -x -f /tmp/bar
   # echo $?   
   0
 
 Am I missing something?

Ah, it's in /var/log/daemon. Duh.

Anyway, would there be a benefit in returning 0
if the file is not consistent?

Also, is this tcpdump's job, really?
What would be a typical use of 'pflogd -x' in real life?

Thanks

Jan



Re: spamd greylisting: false positives

2012-05-28 Thread Henning Brauer
* David Diggles da...@elven.com.au [2012-05-28 02:44]:
 Why shouldn't I?
 
 These guys do in their example.
 https://calomel.org/spamd_config.html

that alone is a reason to not do it.

really, everything on calomel.org is garbage. you are best off to
ignore it.

i wish somebody would track this guy down, explain to him how his garbage
hurts the community, and make him remove it.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-28 Thread Andre Keller
On 28.05.2012 15:26, David Diggles wrote:
 Maybe I should try some of the kernel tuning suggested on calomel.

I would not even visit that site... It's mostly a waste of time as most
of the tunings are not up-to-date or just plain wrong. OpenBSD ships
with pretty sane defaults that normally do not need any tweaking unless
you run some unorthodox configuration. If you need to tweak something,
look into the FAQ and the sysctl(3) man page, not calomel.org


Could you please be a bit more specific about your setup?

Are you using pppoe(4) or pppoe(8)?

Do you see maxed out mbufs (netstat -m), a very high interrupt load (top
/ vmstat -i), ifq drops (sysctl net.inet.ip.ifq.drops), interface errors
(netstat -i)?

I'm running pppoe(4) on a lot of Geode 500MHz powered boxes and have no
problem getting 30Mbit/s throughput of unencrypted traffic...



g
André



Re: Problem understanding portupgrade error message

2012-05-28 Thread Stuart Henderson
On 2012/05/28 18:19, obsd wrote:
 
  /usr/local/libdata/perl5/site_perl/Geography/Countries.pm from
  p5-Geography-Countries-2009041301p0 (same checksum)
 
  Can't install p5-IP-Country-2.27p0: can't resolve
  p5-Geography-Countries-2009041301p0
 
 I don't understand that, output from pkg_add -vv -ui might help.
 
 Excellent.
 That did the trick. Thank you very much.
 It really got verbose, and even offered to repair my missing packet
 registrations.

Ah - it would have offered to repair even without the -vv then

I initially thought it may have been a missing package registration
due to a previous crash or something, but figured that it wouldn't
have been able to say which package the file came from if that was
the case..

 Problems gone. Only The sqlite library left and will follow your advice on
 that one too.

good stuff :)



Re: Problem understanding portupgrade error message

2012-05-28 Thread obsd
-Original message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Stuart
Henderson
Sent: 28 May 2012 13:42
To: misc@openbsd.org
Subject: Re: Problem understanding portupgrade error message

On 2012-05-27, Geir Svalland g.svall...@bredband.net wrote:
 Can't install p5-DBD-SQLite-1.35p0v0 because of libraries
|library sqlite3.18.2 not found
| /usr/lib/libsqlite3.so.18.0 (system): minor is too small
| /usr/lib/libsqlite3.so.19.0 (system): bad major

The sqlite library in the base OS had the version number changed a couple of
times in quick succession, it will take a short while for packages to catch
up because they were built against the first version number. Wait a day or
two and try again.

 Full dependency tree is p5-Clone-0.31p1 p5-MLDBM-2.04
 p5-PlRPC-0.2018p1
 p5-SQL-Statement-1.33 p5-Params-Util-1.00p2 p5-Net-Daemon-0.43p0
 p5-DBI-1.616 p5-FreezeThaw-0.43p2

 Collision in p5-Geography-Countries-2009041301p0: the following files
 already exist

 /usr/local/libdata/perl5/site_perl/Geography/Countries.pm from
 p5-Geography-Countries-2009041301p0 (same checksum)

 Can't install p5-IP-Country-2.27p0: can't resolve
 p5-Geography-Countries-2009041301p0

I don't understand that, output from pkg_add -vv -ui might help.

Excellent.
That did the trick. Thank you very much.
It really got verbose, and even offered to repair my missing packet
registrations.
Problems gone. Only The sqlite library left and will follow your advice on
that one too.

/Hasse



Re: carp mixed states

2012-05-28 Thread shadrock

hi, thanks to everyone who responded,
the problem was due to connectivity on the em0 interface between both 
firewalls being blocked by pf.conf



Hi

On Fri, 18 May 2012 at 02:38 CEST
shadrock shadr...@ntlworld.com wrote:

  still looking for an answer to the following question
hi all
have configured two firewalls with carp
i have connectivity to the internet and the firewalls failover properly.
when i check the carp states of each firewall the slave reports that its
wan connection is in the master state the same as the master firewall
while the slave carp lan connection is in the backup state.
is this normal or should both carps be in backup for the slave ?
shadrock
  
  
master firewall
/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1
  
/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass pass2
  
/etc/hostname.em0
inet 192.168.5.2 255.255.255.0
  
/etc/hostname.em1
inet 10.5.5.2 255.255.255.0 NONE
  
/etc/hostname.bge0
inet 172.16.0.2 255.255.255.0 NONE
  
/etc/hostname.pfsync0
up syncdev bge0
  
  
ifconfig -a
  
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
  priority: 0
  groups: lo
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
  inet 127.0.0.1 netmask 0xff00
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:18:8b:60:7b:06
  priority: 0
  media: Ethernet autoselect (1000baseT
full-duplex,master,rxpause,txpause)
  status: active
  inet 172.16.0.2 netmask 0xff00 broadcast 172.16.0.255
  inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:04:23:df:6b:a4
  priority: 0
  groups: egress
  media: Ethernet autoselect (100baseTX 
full-duplex,rxpause,txpause)
  status: active
  inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
  inet6 fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:04:23:df:6b:a5
  priority: 0
  media: Ethernet autoselect (1000baseT 
full-duplex,rxpause,txpause)
  status: active
  inet 10.5.5.2 netmask 0xff00 broadcast 10.5.5.255
  inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3
enc0: flags=41<UP,RUNNING>
  priority: 0
  groups: enc
  status: active
pfsync0: flags=41<UP,RUNNING> mtu 1500
  priority: 0
  pfsync: syncdev: bge0 maxupd: 128 defer: off
  groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
  priority: 0
  groups: pflog
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:00:5e:00:01:01
  priority: 0
  carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
  groups: carp
  status: master
  inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
  inet 10.5.5.1 netmask 0xff00 broadcast 10.5.5.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:00:5e:00:01:02
  priority: 0
  carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0
  groups: carp
  status: master
  inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
  inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255
  
  
slave firewall
  
/etc/hostname.carp1
inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100
pass pass1
  
/etc/hostname.carp2
inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew
100 pass pass2
  
/etc/hostname.em0
inet 192.168.5.3 255.255.255.0
  
/etc/hostname.em1
inet 10.5.5.3 255.255.255.0 NONE
  
/etc/hostname.bge0
inet 172.16.0.3 255.255.255.0 NONE
  
/etc/hostname.pfsync0
up syncdev bge0
  
  
ifconfig -a
  
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
  priority: 0
  groups: lo
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
  inet 127.0.0.1 netmask 0xff00
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:18:8b:6c:4e:85
  priority: 0
  media: Ethernet autoselect (1000baseT 
full-duplex,rxpause,txpause)
  status: active
  inet 172.16.0.3 netmask 0xff00 broadcast 172.16.0.255
  

spamd -v

2012-05-28 Thread Jan Stary
According to the spamd(8) manpage, the '-v' option makes
message detail including subject and recipient information
logged with LOG_INFO; but the subject doesn't seem to be logged
(not that I miss it):

May 28 20:05:23 www spamd[13382]: 91.121.238.116: connected (1/0)
May 28 20:05:34 www spamd[13382]: (GREY) 91.121.238.116: 
starj...@lists.ff.cuni.cz - h...@stare.cz
May 28 20:05:34 www spamd[13382]: 91.121.238.116: disconnected after 11 seconds.

Neither does the message body and the SMTP dialogue get logged
even if I bump syslog to daemon.debug

Am I missing something obvious?

Jan



Re: nsd name server generates high load during zone update on slave

2012-05-28 Thread Stuart Henderson
On 2012-05-28, Imre Oolberg i...@auul.pri.ee wrote:
 Hi!

 I am having trouble on OpenBSD v. 5.1 using NSD nameserver.

 When the slave NSD name server receives a zone update and reloads it into its 
 database, a high and sustained user load (about 1-2) is generated on the CPU, 
 depending on hardware, for 3 to 10 minutes. This kind of load is also 
 observed when doing nsdc patch. It seems to happen only when the 
 zone has many RRs, say 100k NS lines; using NSD with OpenBSD v. 4.8 from 
 packages does not have this issue, nor does 5.1-current, but 5.1 does; I 
 have tried and got similar results on amd64 and i386, it happens on
 both. Normally this kind of reload and patch takes several seconds only.

 I would be very thankful if somebody could have a look at it and confirm 
 this behaviour. And if nsd on 5.1 really is to blame, may I add that a 
 patch would be very much welcome! :)

This is due to a bug introduced with NSD 3.2.9 and fixed shortly afterwards.
The _untested_ diff against -stable below may fix it.

Index: difffile.c
===
RCS file: /cvs/src/usr.sbin/nsd/difffile.c,v
retrieving revision 1.1.1.5
diff -u -p -r1.1.1.5 difffile.c
--- difffile.c  29 Jan 2012 11:15:31 -  1.1.1.5
+++ difffile.c  28 May 2012 20:10:31 -
@@ -261,14 +261,43 @@ has_data_below(domain_type* top)
/* in the canonical ordering subdomains are after this name */
d = domain_next(d);
while(d != NULL  dname_is_subdomain(domain_dname(d), 
domain_dname(top))) {
-   if(d-is_existing)
+   if(d-is_existing) {
return 1;
+   }
d = domain_next(d);
}
return 0;
 }
 
-static void
+
+/* this routine makes empty terminals non-existent.
+ * @domain the lowest empty terminal
+ * @ce the closest encloser
+ */
+static domain_type*
+rrset_delete_empty_terminals(domain_type* domain, domain_type* ce)
+{
+   assert(domain);
+   if (domain-rrsets == 0) {
+   /* if there is no data below it, it becomes non existing.
+  also empty nonterminals above it become nonexisting */
+   /* check for data below this node. */
+   if(!has_data_below(domain)) {
+   /* nonexist this domain and all parent empty 
nonterminals */
+   domain_type* p = domain;
+   while(p != NULL  p-rrsets == 0) {
+   if(p == ce || has_data_below(p))
+   return p;
+   p-is_existing = 0;
+   p = p-parent;
+   }
+   }
+   }
+   return NULL;
+}
+
+
+static domain_type*
 rrset_delete(namedb_type* db, domain_type* domain, rrset_type* rrset)
 {
int i;
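Review bot: the comment on the new rrset_delete_empty_terminals should say what its return value means, because the visible loop is ambiguous to a caller: it returns p when p == ce or when has_data_below(p), but returns NULL both when the walk runs off the top of the tree (p == NULL) and when it stops at an ancestor that still holds rrsets, so "NULL" covers two different situations. Suggest documenting the contract (for instance "returns the first ancestor that must stay existing, or NULL when the whole chain up to the root was cleared") and, if the caller needs the stopping node in the rrsets != 0 case, returning p there as well. Two smaller points in the same hunk: assert(domain) relies on <assert.h> already being included by difffile.c, and the brace-only change to the if(d->is_existing) early return in has_data_below adds review noise without changing behaviour.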
@@ -279,7 +308,7 @@ rrset_delete(namedb_type* db, domain_typ
}
if(!*pp) {
/* rrset does not exist for domain */
-   return;
+   return NULL;
}
*pp = rrset-next;
 
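Review bot: with rrset_delete now returning domain_type*, this return; to return NULL; change is the only early exit shown; any other bare return; left in the function between this hunk and the next would no longer compile cleanly, and the diff is marked untested, so please confirm none remain.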
@@ -320,23 +349,13 @@ rrset_delete(namedb_type* db, domain_typ
sizeof(rr_type) * rrset-rr_count);
region_recycle(db-region, rrset, sizeof(rrset_type));
 
+   rrset-rr_count = 0;
+
/* is the node now an empty node (completely deleted) */
-   if(domain-rrsets == 0) {
-   /* if there is no data below it, it becomes non existing.
-  also empty nonterminals above it become nonexisting */
-   /* check for data below this node. */
-   if(!has_data_below(domain)) {
-   /* nonexist this domain and all parent empty 
nonterminals */
-   domain_type* p = domain;
-   while(p != NULL  p-rrsets == 0) {
-   if(has_data_below(p))
-   break;
-   p-is_existing = 0;
-   p = p-parent;
-   }
-   }
+   if (domain-rrsets == 0) {
+   return domain;
}
-   rrset-rr_count = 0;
+   return NULL;
 }
 
 static int
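Review bot: the moved rrset->rr_count = 0; now sits directly after the context line region_recycle(db->region, rrset, sizeof(rrset_type));, so it writes into a block that has already been handed back to the region allocator. The removed line at the end of the hunk had the same ordering, but moving the assignment is the moment to fix it: place it before the region_recycle call, or drop it, since nothing may read rrset after it is recycled. The rest of the hunk is fine: replacing the inline empty-terminal walk with return domain; and leaving the walk to rrset_delete_empty_terminals preserves the old loop's behaviour, with the old break on has_data_below(p) now expressed as return p in the new function.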
@@ -384,6 +403,7 @@ find_rr_num(rrset_type* rrset,
 static int
 delete_RR(namedb_type* db, const dname_type* dname,
uint16_t type, uint16_t klass,
+   domain_type* prevdomain,
buffer_type* packet, size_t rdatalen, zone_type *zone,
region_type* temp_region, int is_axfr)
 {
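Review bot: the new domain_type* prevdomain parameter on delete_RR is not referenced in any visible hunk and its purpose is undocumented; the name suggests the previously processed domain for diff chaining, but the diff does not show that. Either add a comment stating what the caller passes and include the updated call sites, or drop the parameter until it is used. A changed signature without the matching caller change would not compile, which matters for a diff posted as untested.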
@@ -442,7 +462,11 @@ delete_RR(namedb_type* db, const dname_t
 
if(rrset-rr_count == 1) {
/* delete entire rrset */
-   rrset_delete(db, domain, rrset);
+   domain = rrset_delete(db, domain, rrset);
+   if (domain  !domain-nextdiff) {
+   /* this domain is not yet in the diff chain */
+   
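Review bot: the hunk is cut off after the comment "this domain is not yet in the diff chain", so the chaining logic cannot be reviewed; please repost the complete diff. What is visible already changes semantics: domain = rrset_delete(db, domain, rrset); overwrites the caller's domain with NULL whenever the node still has other rrsets, so every later use of domain in delete_RR must be checked against that. Also, no visible hunk calls rrset_delete_empty_terminals, which now holds the is_existing clearing that the previous hunk removed from rrset_delete; if the truncated part does not call it, deleted empty terminals stay marked as existing.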

Re: ntpd not adjusting system clock

2012-05-28 Thread Zé Loff
OK, let me try this again:

Old x86 desktop box (Pentium III @ 500MHz) running 5.0. Machine has been
on 24/7 for the past few years (minus the occasional PSU replacement),
serving mail and http under very light loads.

Its local clock is drifting. A lot.


Without ntpd running:

# date; rdate -nv ntp.phistat.com; sleep 1200; date; rdate -nv \
ntp.phistat.com 
Mon May 28 17:12:07 WEST 2012
Mon May 28 17:11:36 WEST 2012
rdate: adjust local clock by -30.124462 seconds
Mon May 28 17:31:37 WEST 2012
Mon May 28 17:30:59 WEST 2012
rdate: adjust local clock by -37.912744 seconds

So that's about a 38s offset in 20 minutes.


When running ntpd:

# ntpd -sdv  
ntp engine ready
reply from 10.17.16.2: offset -293.664414 delay 0.001944, next query 8s
set local clock to Mon May 28 20:01:01 WEST 2012 (offset -293.664414s)
reply from 10.17.16.2: offset -0.253115 delay 0.001728, next query 6s
reply from 10.17.16.2: offset -0.442993 delay 0.001704, next query 5s
peer 10.17.16.2 now valid
reply from 10.17.16.2: offset -0.601451 delay 0.001323, next query 5s
reply from 10.17.16.2: offset -0.759521 delay 0.001758, next query 7s
reply from 10.17.16.2: offset -0.980987 delay 0.001775, next query 6s
reply from 10.17.16.2: offset -1.170839 delay 0.001795, next query 33s
reply from 10.17.16.2: offset -2.213734 delay 0.001826, next query 32s
adjusting local clock by -0.601451s
reply from 10.17.16.2: offset -2.626567 delay 0.002090, next query 34s
reply from 10.17.16.2: offset -3.732722 delay 0.001811, next query 34s
reply from 10.17.16.2: offset -4.802128 delay 0.001883, next query 32s
reply from 10.17.16.2: offset -5.812614 delay 0.001804, next query 32s
adjusting local clock by -0.158070s
clock is now synced
reply from 10.17.16.2: offset -6.666142 delay 0.001363, next query 30s
adjusting local clock by -6.666142s
reply from 10.17.16.2: offset -0.948669 delay 0.001233, next query 30s
reply from 10.17.16.2: offset -1.896441 delay 0.001815, next query 31s
reply from 10.17.16.2: offset -2.876058 delay 0.001887, next query 31s
reply from 10.17.16.2: offset -3.887582 delay 0.001791, next query 34s
reply from 10.17.16.2: offset -4.956985 delay 0.001778, next query 30s
reply from 10.17.16.2: offset -5.904974 delay 0.001913, next query 31s
reply from 10.17.16.2: offset -6.884482 delay 0.002125, next query 34s
reply from 10.17.16.2: offset -7.959015 delay 0.001858, next query 34s
adjusting local clock by -6.359810s
clock is now unsynced
reply from 10.17.16.2: offset -8.084752 delay 0.001801, next query 31s
adjusting local clock by -10.198126s
reply from 10.17.16.2: offset -5.056171 delay 0.001622, next query 34s
reply from 10.17.16.2: offset -6.162315 delay 0.001810, next query 30s
reply from 10.17.16.2: offset -7.105366 delay 0.001770, next query 32s
reply from 10.17.16.2: offset -8.116619 delay 0.001682, next query 30s
adjusting local clock by -14.619296s
...


While the ntpd client was running, 

$ while true; do date; sleep 1; done 

showed a steady sequence of seconds, despite the 'adjustments' claimed by
the ntpd client, although I'm not sure if this is normal or not.

Nevertheless, the offset seems to shrink after each 'adjusting local
clock', judging from the ntpd output, but it just keeps growing in a
kind of sawtooth pattern.

Is the clock drift just too large for ntpd/adjtime/adjfreq to handle
properly? If so, is there any 'cure' on the software side?

And for extra points:
Any clues on why this is happening? Ageing hardware? Faulty PSU?

Many thanks
Ze' Loff

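The drift rate the post estimates by eye can be measured from the ntpd output itself. This is an added example, not code from the thread: a Python script that parses the "reply from ... offset ... next query" lines quoted above, fits a straight line to the offsets between two "adjusting local clock" events, and compares the slope with the rdate measurement (about 38 s in 20 minutes); the regexes, the time axis reconstructed from the "next query" intervals, and the function names are my assumptions.

```python
"""Estimate local oscillator drift from OpenBSD ntpd -dv output.

Added example, not code from the mailing-list thread.  The slope of
offset versus time between two clock adjustments is the frequency error
of the local clock in seconds per second; 1e-6 s/s is one ppm.
"""
import re

# Constructed sample: the run of replies between two "adjusting local
# clock" lines, copied from the first ntpd -svd transcript in the thread.
SAMPLE_LOG = """\
adjusting local clock by -1.420363s
reply from 10.17.16.2: offset -2.057283 delay 0.001924, next query 34s
reply from 10.17.16.2: offset -3.131575 delay 0.001821, next query 34s
reply from 10.17.16.2: offset -4.201259 delay 0.001737, next query 34s
reply from 10.17.16.2: offset -5.275638 delay 0.001835, next query 31s
reply from 10.17.16.2: offset -6.255265 delay 0.001849, next query 31s
reply from 10.17.16.2: offset -7.234918 delay 0.001811, next query 31s
reply from 10.17.16.2: offset -8.214601 delay 0.001750, next query 31s
adjusting local clock by -4.481622s
"""

# Assumed line formats, taken from the transcript above.
REPLY_RE = re.compile(
    r"reply from (?P<peer>\S+): offset (?P<offset>-?\d+\.\d+) "
    r"delay (?P<delay>\d+\.\d+), next query (?P<next>\d+)s"
)
ADJUST_RE = re.compile(r"adjusting local clock by (?P<adj>-?\d+\.\d+)s")


def parse_segments(log):
    """Split the log into runs of replies separated by clock adjustments.

    Each segment is a list of (t, offset) pairs, where t is seconds since
    the segment's first reply, reconstructed by summing the "next query"
    intervals.  This ignores round-trip and scheduling jitter, which are
    milliseconds against a drift of tens of milliseconds per second.
    """
    segments, current, t = [], [], 0.0
    for line in log.splitlines():
        if ADJUST_RE.search(line):
            if current:
                segments.append(current)
            current, t = [], 0.0
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        current.append((t, float(m.group("offset"))))
        t += float(m.group("next"))
    if current:
        segments.append(current)
    return segments


def fit_slope(points):
    """Least-squares slope of offset versus time, in seconds per second."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two samples to estimate drift")
    mean_t = sum(t for t, _ in points) / n
    mean_o = sum(o for _, o in points) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in points)
    sxy = sum((t - mean_t) * (o - mean_o) for t, o in points)
    return sxy / sxx


def drift_report(log):
    """Return (slope in s/s, ppm, s/min) for the longest reply segment."""
    segment = max(parse_segments(log), key=len)
    slope = fit_slope(segment)
    return slope, slope * 1e6, slope * 60.0


def rdate_drift(offset_seconds, interval_seconds):
    """Drift implied by an rdate offset measured interval_seconds after
    the clock was last set (the second rdate run in the thread)."""
    return offset_seconds / interval_seconds


if __name__ == "__main__":
    slope, ppm, per_min = drift_report(SAMPLE_LOG)
    print(f"ntpd log: {slope:+.4f} s/s = {ppm:+.0f} ppm = {per_min:+.2f} s/min")
    r = rdate_drift(-37.912744, 1200)
    print(f"rdate:    {r:+.4f} s/s = {r * 1e6:+.0f} ppm")
```

Both estimates come out near -0.0316 s/s (roughly -31,600 ppm, or -1.9 s/min), so the ntpd transcript and the rdate pair agree on the size of the drift.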


Re: ntpd not adjusting system clock

2012-05-28 Thread Martin Schröder
2012/5/28 Zé Loff zel...@zeloff.org:
 Is the clock drift just too large for ntpd/adjtime/adjfreq to handle
 properly? If so, is there any 'cure' on the software side?

Yes.
Not with ntpd; you could run ntpdate from cron, but then your clock would
jump.

 And for extra points:
 Any clues on why this is happening? Ageing hardware? Faulty PSU?

Ageing hardware. Get a new one. :-)

Best
   Martin



Re: spamd greylisting: false positives

2012-05-28 Thread Peter N. M. Hansteen
In response to various tidbits that popped up in this thread, I put
together some notes on setting up a sane email system, in a "works for
me" article:

http://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




Re: ntpd not adjusting system clock

2012-05-28 Thread Christian Weisgerber
Zé Loff zel...@zeloff.org wrote:

 Is the clock drift just too large for ntpd/adjtime/adjfreq to handle
 properly?

I forgot what the maximum is that ntpd can handle, but yes, it looks
like the drift is just too large.

 If so, is there any 'cure' on the software side?

You could try a different kern.timecounter.hardware setting, but
on such an old machine there is probably little choice.
$ sysctl kern.timecounter.{hardware,choice}

Another idea that comes to mind--I've never tried this--is to preload
an adjfreq(2) value into /var/db/ntpd.drift.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
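As an added illustration (my own Python, not code from the thread), this parses the "ntpd -sdv" reply lines quoted in the question, fits the offset ramp between two "adjusting local clock" events to get a drift rate, and compares it with the rate implied by the rdate figures and with the 500 ppm oscillator tolerance RFC 5905 assumes. The reconstructed timeline (from the "next query Ns" fields) and the 500 ppm bound are assumptions; OpenBSD ntpd's own frequency cap is not given in the thread.

```python
import re

# Constructed excerpt in the format of the "ntpd -sdv" output quoted above
# (offsets and intervals copied from the post). ntpd prints no timestamps,
# so elapsed time is rebuilt from the "next query Ns" field of each reply.
NTPD_LOG = """\
reply from 10.17.16.2: offset -0.948669 delay 0.001233, next query 30s
reply from 10.17.16.2: offset -1.896441 delay 0.001815, next query 31s
reply from 10.17.16.2: offset -2.876058 delay 0.001887, next query 31s
reply from 10.17.16.2: offset -3.887582 delay 0.001791, next query 34s
reply from 10.17.16.2: offset -4.956985 delay 0.001778, next query 30s
reply from 10.17.16.2: offset -5.904974 delay 0.001913, next query 31s
reply from 10.17.16.2: offset -6.884482 delay 0.002125, next query 34s
reply from 10.17.16.2: offset -7.959015 delay 0.001858, next query 34s
adjusting local clock by -6.359810s
"""

REPLY_RE = re.compile(r"offset (-?[\d.]+) delay [\d.]+, next query (\d+)s")

# RFC 5905 assumes oscillators within +/-500 ppm; OpenBSD ntpd's own
# frequency cap is not stated in the thread, so 500 ppm is the assumed bound.
MAX_FREQ_PPM = 500

def drift_ppm(log):
    """Least-squares slope of offset against elapsed time (ppm) over one
    leg of the sawtooth, i.e. up to the first 'adjusting local clock' line."""
    t, pts = 0.0, []
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            break          # clock was corrected; the ramp restarts here
        pts.append((t, float(m.group(1))))
        t += int(m.group(2))
    n = len(pts)
    mean_t = sum(p[0] for p in pts) / n
    mean_o = sum(p[1] for p in pts) / n
    num = sum((a - mean_t) * (b - mean_o) for a, b in pts)
    den = sum((a - mean_t) ** 2 for a, _ in pts)
    return num / den * 1e6

def rdate_ppm(offset_s, interval_s):
    """Drift rate implied by an rdate correction measured interval_s after
    the clock was last set (the post: -37.9 s after a 1200 s sleep)."""
    return offset_s / interval_s * 1e6

def ntpd_can_compensate(ppm):
    return abs(ppm) <= MAX_FREQ_PPM
```

Both measurements put the drift near 3% (tens of thousands of ppm), two orders of magnitude beyond what a frequency correction is designed to absorb, which is why each slew only resets the sawtooth.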



Unexpected carp failovers when using crossover cable as pfsync syncdev in 5.1

2012-05-28 Thread Alex Moore
Hello all,

I'm seeing unexpected CARP failovers upon rebooting what's expected to
be the backup firewall in a pair, which seems to have been introduced in
OpenBSD 5.1. A description of my setup follows...

enrhfw1 and enrhfw2 are a pair of OpenBSD 5.1-RELEASE systems (eg:
OpenBSD enrhfw2.datcon.co.uk 5.1 GENERIC.MP#207 amd64) using CARP and
PFSync, with preemption enabled, and the pfsync syncdev being a
dedicated crossover cable between the two (recommended by the FAQ as
being best-practice, and therefore presumably a common setup). All CARP
interfaces on enrhfw1 have a configured advskew of 0, and on enrhfw2
they have an advskew of 100 (so under normal conditions, enrhfw1 will be
master and enrhfw2 will be backup).

Here's what happens when I reboot enrhfw2, since upgrading them both to
OpenBSD 5.1. These are the relevant logs from both, with
net.inet.carp.log=3:

[Looks like the syncdev interface status on enrhfw1 cycles 3 times while
the server being rebooted has its BIOS splash screen up. The first of
these triggers enrhfw1 to request a pfsync bulk update from its
currently-rebooting peer]:

May 28 14:02:48 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 1 (pfsyncdev)
May 28 14:02:48 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 1 (pfsyncdev)
May 28 14:02:50 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 2 (pfsync bulk start)
May 28 14:02:50 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 2 (pfsync bulk start)
May 28 14:02:50 enrhfw1 /bsd: carp: pfsync0 demoted group carp by -1 to 1 (pfsyncdev)
May 28 14:02:50 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by -1 to 1 (pfsyncdev)
May 28 14:02:54 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 2 (pfsyncdev)
May 28 14:02:54 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 2 (pfsyncdev)
May 28 14:02:57 enrhfw1 /bsd: carp: pfsync0 demoted group carp by -1 to 1 (pfsyncdev)
May 28 14:02:57 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by -1 to 1 (pfsyncdev)
May 28 14:03:03 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 2 (pfsyncdev)
May 28 14:03:03 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 2 (pfsyncdev)
May 28 14:03:05 enrhfw1 /bsd: carp: pfsync0 demoted group carp by -1 to 1 (pfsyncdev)
May 28 14:03:05 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by -1 to 1 (pfsyncdev)

[This last cycle appears to be when the OpenBSD kernel loads and the
syncdev on enrhfw2 is then initialized by netstart.sh]:

May 28 14:03:40 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 2 (pfsyncdev)
May 28 14:03:40 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by 1 to 2 (pfsyncdev)
May 28 14:03:45 enrhfw1 /bsd: carp: pfsync0 demoted group carp by -1 to 1 (pfsyncdev)
May 28 14:03:45 enrhfw1 /bsd: carp: pfsync0 demoted group pfsync by -1 to 1 (pfsyncdev)

[Here the rc scripts on enrhfw2 initialize all its interfaces, and
request a pfsync bulk update from enrhfw1 (although note that at this
stage enrhfw1 is still in the process of attempting a bulk update in the
reverse direction!). The rc script's carp interlock is in place at
this stage]:

May 28 14:03:45 enrhfw2 /bsd: carp: carp0 demoted group carp by 1 to 129 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp1 demoted group carp by 1 to 130 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp2 demoted group carp by 1 to 131 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp3 demoted group carp by 1 to 132 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp4 demoted group carp by 1 to 133 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp5 demoted group carp by 1 to 134 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: pfsync0 demoted group carp by 1 to 135 (pfsync bulk start)
May 28 14:03:45 enrhfw2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
May 28 14:03:45 enrhfw2 /bsd: carp: carp5 demoted group carp by -1 to 134 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp5 demoted group smartph by -1 to 0 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp0 demoted group carp by -1 to 133 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp0 demoted group int by -1 to 0 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp1 demoted group carp by -1 to 132 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp1 demoted group pubdmz by -1 to 0 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp3 demoted group carp by -1 to 131 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp3 demoted group extmgmt by -1 to 0 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp4 demoted group carp by -1 to 130 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp4 demoted group trext by -1 to 0 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp2 demoted group carp by -1 to 129 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp2 demoted group ext by -1 to 0 (carpdev)
May 28 14:03:55 enrhfw2 /bsd: carp: pfsync0 demoted group carp by -1 to 128 (pfsync bulk done)
May 28 14:03:55 enrhfw2 /bsd: carp: pfsync0 demoted group pfsync by 
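Added example (my own Python, not from the post): a replay of the net.inet.carp.log=3 lines above that keeps the per-host, per-group demotion counters and checks each line's "to" value against the running total, so gaps in a capture show up immediately. The carp group on enrhfw2 is seeded at 128 because the rc carp interlock demoted it before the excerpt begins, and the effective-advskew rule (configured advskew plus demotion count, capped at 254) is OpenBSD carp's behaviour as I understand it, not something the post states.

```python
import re
from collections import defaultdict

# Constructed excerpt in the net.inet.carp.log=3 format quoted above
# (hosts, groups and counter values copied from the post's logs).
CARP_LOG = """\
May 28 14:02:48 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 1 (pfsyncdev)
May 28 14:02:50 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 2 (pfsync bulk start)
May 28 14:02:50 enrhfw1 /bsd: carp: pfsync0 demoted group carp by -1 to 1 (pfsyncdev)
May 28 14:03:40 enrhfw1 /bsd: carp: pfsync0 demoted group carp by 1 to 2 (pfsyncdev)
May 28 14:03:45 enrhfw1 /bsd: carp: pfsync0 demoted group carp by -1 to 1 (pfsyncdev)
May 28 14:03:45 enrhfw2 /bsd: carp: carp0 demoted group carp by 1 to 129 (carpdev)
May 28 14:03:45 enrhfw2 /bsd: carp: pfsync0 demoted group carp by 1 to 130 (pfsync bulk start)
May 28 14:03:45 enrhfw2 /bsd: carp: carp0 demoted group carp by -1 to 129 (carpdev)
May 28 14:03:55 enrhfw2 /bsd: carp: pfsync0 demoted group carp by -1 to 128 (pfsync bulk done)
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) /bsd: carp: (?P<ifc>\S+) demoted group "
    r"(?P<grp>\S+) by (?P<by>-?\d+) to (?P<to>\d+) \((?P<why>[^)]*)\)$")

def replay_demotions(log, initial=None):
    """Replay 'demoted group' lines and return {(host, group): counter}.
    'initial' seeds counters that were non-zero before the capture began
    (enrhfw2's carp group sits at 128 from the rc carp interlock). A 'to'
    value that disagrees with the running total means lines are missing."""
    counters = defaultdict(int, initial or {})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["grp"])
        counters[key] += int(m["by"])
        if counters[key] != int(m["to"]):
            raise ValueError(f"counter mismatch at: {line}")
    return dict(counters)

def still_demoted(counters):
    """Groups whose demotion never returned to zero within the capture,
    e.g. a pfsync bulk update that was started but never completed."""
    return sorted(k for k, v in counters.items() if v > 0)

def effective_advskew(advskew, demote):
    """Skew a carp interface advertises: configured advskew plus the demotion
    count of its groups, capped at 254 (OpenBSD carp behaviour as assumed here)."""
    return min(advskew + demote, 254)
```

On the excerpt, enrhfw1's carp group is left demoted by 1 at the end: the bulk update it requested from the rebooting peer never reached "bulk done" within the capture.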

Re: ntpd not adjusting system clock

2012-05-28 Thread Ralph Ellis

On 05/28/12 15:25, Zé Loff wrote:


Going way back to my i386 and i486 days, clock drift was sometimes the 
result of the battery that backed up the bios losing its charge. Some 
early clocks were like old pre quartz electrical watches. If the battery 
ran down, the watch ran slowly. You seem to mention that your problem is 
that the clock is running too fast. I would suspect that this is a 
hardware issue that you do not want to spend any money on. If you can 
fix it via a software setting change such as an incredibly frequent cron 
job, wonderful.
If the machine is at all critical, you may want to spend a minimal 
amount of money to replace it with a new machine.

Ralph Ellis



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-28 Thread David Diggles
 Could you please be a bit more specific about your setup?

Sure.

 Are you using pppoe(4) or pppoe(8)?

pppoe(4)

 Do you see maxed out mbufs (netstat -m), a very high interrupt load (top
 / vmstat -i), ifq drops (sysctl net.inet.ip.ifq.drops), interface errors
 (netstat -i)?

None of the above were maxed out on the P4.  It was only a quick test,
as this is the production spamd server.

 I'm running pppoe(4) on a lot of Geode 500MHz powered boxes and have no
 problem getting 30Mbit/s throughput of unencrypted traffic...

I plugged it back into the gw, Geode 300MHz with 100MBit Realtek.

I made the pf.conf as default as possible (to look like the
example pf.conf provided in /etc), I removed all the modulate and
synproxy state options that calomel suggested putting in pf.conf.

The performance improved from 1MB/s to 1.8MB/s.

I would love to get 3MB/s, but maybe 1.8MB/s is the limit of the
realtek NIC.

I have just ordered an Atom 1.8GHz with Gigabit Intel NICs, should
be more than good enough as an upgrade?  I may upgrade my link from
30Mbit to 100Mbit in future, I would expect the Atom to handle this.

.d.d.