Re: TTL for backup hosts (relayd)

2012-08-12 Thread Bernd

On 2012-08-01 14:07, Sebastian Benoit wrote:

Bernd(be...@kroenchenstadt.de) on 2012.08.01 12:07:10 +0200:

Hi,

I got some redirects configured in relayd(8) which use backup
('fallback') hosts for the case all hosts in the 'main' table are
down, e.g. due to maintenance.

So, in this case, backup hosts get enabled and show a page like
"sorry, we're down for maintenance".

This works fine; however, after the main table hosts (at least one)
are back up and running (due to checks being successful again, or
re-enabling them) sessions that went to the backup hosts don't go
away.

My primary thought was that sessions to fallback hosts would be
flushed or time out as soon as the main table is active again, or at
least after $timeout (default: 600s).

Best,

Bernd


Hi Bernd,

you might indeed have found a bug. I'll look into it.

/Benno


Hi,

I found out that this problem does *not* persist when not using
stickiness. I'll update the machines soon (not easy because under heavy
load), and check if it still happens running 5.1.


Thanks,

Bernd



Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Matthew Weigel
On 08/12/2012 08:16 PM, Kevin Chadwick wrote:

> It is faster with softdep and safer without. My mail client has similar
> choices in its options. Which do you think my mail client enables by
> default... The safe option of course. So does OpenBSD which isn't like
> Linux userspace.

Is 'safer' really the right word here?  As I understand it, with or
without softdeps, the filesystem on disk will be consistent and
recoverable (excepting, of course, that when a disk confirms a write is
completed isn't necessarily when the write is completed).

The difference is that with softdeps, you don't have the guarantee that
metadata writes have been completed (insofar as the kernel can know)
when the syscall to change it returns.

On the other hand, because predicting the state of your filesystem after
a crash is a bit harder with softdep enabled, leaving it turned off by
default seems like a sensible choice.

The really unsafe choice, though, is mounting async, which can lead to
unrecoverable filesystems in the event of a crash.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Kevin Chadwick
> > Why softdep not enabled by default?
> >   
> Because, unlike some OS's, OpenBSD doesn't want to think for you.
> I've noticed that whenever an OS or an application tries to think
> for me it is wrong 99% of the time.

It is faster with softdep and safer without. My mail client has similar
choices in its options. Which do you think my mail client enables by
default... The safe option of course. So does OpenBSD which isn't like
Linux userspace.

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
___



Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Paul Pruett
> But in the past couple of years, I see hangers on trying to show off
> by bullying newcomers, and that's really distasteful


Possibly what you are experiencing in part is "bikeshedding"
http://en.wiktionary.org/wiki/bikeshedding
http://en.wikipedia.org/wiki/Parkinson%27s_Law_of_Triviality

I was guilty myself when I popped off an answer mentioning the FAQ,
and guessing it would generate a lot of trivial responses...

On a question like the one that started this thread,
most any OpenBSD user knew enough to quickly point to the FAQ
answer...  And for a bully, well it was an easy one to pounce on.



Re: azalia audio: Sound distorted

2012-08-12 Thread web.de
Hello,

> Christian Weisgerber  mips.inka.de> writes:
> 
> > 
> > Mark Kettenis:
> > 
> > > Does the diff below fix the problem?
> > 
> > Yes, it does.

The diff works for me too. Many thanks to you all for your help.

Alexander 



Re: DisplayLink CONV-USB2DVI : wsudl(0): We are not attached to the udl driver

2012-08-12 Thread Alexis de BRUYN
On 11.08.2012 23:33, Alexis de BRUYN wrote:
> # wsconsctl -f /dev/ttyC0 display.type
> display.type=vga-pci
> # wsconsctl -f /dev/ttyD0 display.type
> display.type=displaylink
> # wsconsctl -f /dev/ttyE0 display.type
> display.type=displaylink

I still have my previous issue, but I have another one: while the
in-board display device is activated through my xorg.conf, the udl devices
are not working either.

# cat /etc/X11/xorg.conf


Section "ServerLayout"
Identifier  "Server Layout"
Screen  0   "Screen0" 0 0
Screen  1   "Screen1" LeftOf "Screen0"
Screen  2   "Screen2" RightOf "Screen0"
Option  "Xinerama" "On"
EndSection

Section "Screen"
Identifier  "Screen0"
Device  "Card0"
EndSection

Section "Screen"
Identifier  "Screen1"
Device  "Card1"
EndSection

Section "Screen"
Identifier  "Screen2"
Device  "Card2"
EndSection

Section "Device"
Identifier  "Card0"
Driver  "intel"
Option  "Device" "/dev/ttyC0"
EndSection

Section "Device"
Identifier  "Card1"
Driver  "wsudl"
Option  "Device" "/dev/ttyD0"
EndSection

Section "Device"
Identifier  "Card2"
Driver  "wsudl"
Option  "Device" "/dev/ttyE0"
EndSection

Here is the Xorg.log file :

# cat /var/log/Xorg.0.log
[473998.075] (--) checkDevMem: using aperture driver /dev/xf86
[473998.089] (--) Using wscons driver on /dev/ttyC4 in pcvt
compatibility mode (version 3.32)
[473998.144]
X.Org X Server 1.11.4
Release Date: 2012-01-27
[473998.144] X Protocol Version 11, Revision 0
[473998.144] Build Operating System: OpenBSD 5.1 amd64
[473998.144] Current Operating System: OpenBSD test.lan.mrs.de-bruyn.fr
5.1 GENERIC#0 amd64
[473998.144] Build Date: 11 February 2012  09:52:29PM
[473998.144]
[473998.144] Current version of pixman: 0.22.2
[473998.144]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
[473998.144] Markers: (--) probed, (**) from config file, (==) default
setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[473998.144] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Aug 12
21:12:41 2012
[473998.197] (==) Using config file: "/etc/X11/xorg.conf"
[473998.197] (==) Using system config directory
"/usr/X11R6/share/X11/xorg.conf.d"
[473998.239] (==) ServerLayout "Server Layout"
[473998.239] (**) |-->Screen "Screen0" (0)
[473998.239] (**) |   |-->Monitor ""
[473998.272] (**) |   |-->Device "Card0"
[473998.272] (==) No monitor specified for screen "Screen0".
Using a default monitor configuration.
[473998.272] (**) |-->Screen "Screen1" (1)
[473998.272] (**) |   |-->Monitor ""
[473998.272] (**) |   |-->Device "Card1"
[473998.272] (==) No monitor specified for screen "Screen1".
Using a default monitor configuration.
[473998.272] (**) |-->Screen "Screen2" (2)
[473998.272] (**) |   |-->Monitor ""
[473998.273] (**) |   |-->Device "Card2"
[473998.273] (==) No monitor specified for screen "Screen2".
Using a default monitor configuration.
[473998.273] (**) Option "Xinerama" "On"
[473998.273] (==) Disabling SIGIO handlers for input devices
[473998.273] (==) Automatically adding devices
[473998.273] (==) Automatically enabling devices
[473998.280] (**) Xinerama: enabled
[473998.395] (==) FontPath set to:
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/OTF/,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/X11R6/lib/X11/fonts/75dpi/
[473998.395] (==) ModulePath set to "/usr/X11R6/lib/modules"
[473998.395] (II) The server relies on wscons to provide the list of
input devices.
If no devices become available, reconfigure wscons or disable
AutoAddDevices.
[473998.405] (II) Loader magic: 0x79e220
[473998.405] (II) Module ABI versions:
[473998.405]X.Org ANSI C Emulation: 0.4
[473998.405]X.Org Video Driver: 11.0
[473998.405]X.Org XInput driver : 13.0
[473998.406]X.Org Server Extension : 6.0
[473998.409] (--) PCI:*(0:0:2:0) 8086:0116:106b:00e7 rev 9, Mem @
0xa000/4194304, 0x9000/268435456, I/O @ 0x2000/64
[473998.409] (II) LoadModule: "extmod"
[473998.431] (II) Loading /usr/X11R6/lib/modules/extensions/libextmod.so
[473998.439] (II) Module extmod: vendor="X.Org Foundation"
[473998.439]compiled for 1.11.4, module version = 1.0.0
[473998.439]Module class: X.Org Server Extension
[473998.439]ABI class: X.Org Server Extension, version 6.0
[473998.439] (II) Loading extension MIT-SCREEN-SAVER
[473998.439] (II) Loading extension XFree86-VidModeExtension
[473998.439] (II) Loading extension XFree86-DGA
[473998.439] (II) Loading extension DPMS
[473998.439] (II) Loading extension XVideo
[473998.439] (II) Loading extension XVideo-MotionCompensation
[473

Re: OpenSSL handling intermediate certificates

2012-08-12 Thread Nico Kadel-Garcia
On Thu, Aug 9, 2012 at 3:22 PM, Justin N. Lindberg
 wrote:
> On Thu, 09 Aug 2012 09:18:00 +0200
> Moritz Grimm  wrote:
>
>> You always put trust into the whole chain (that's why you need
>> intermediate certs in the first place), starting with your trusted
>> root. If that trust turns out to be misplaced in any one of the
>> components (root, intermediate, server), you lose.
>
> For a server certificate you can generally only lose inasmuch as that
> server or domain name is concerned.  But for misplaced trust in an
> intermediate cert with certificate-signing capability, you lose
> big-time, because that cert can be used to sign a server cert for any
> domain whatsoever.

Such certificates have already been stolen. They're dependent on the
security of the intermediate key owners, and they are demonstrably
unsecure: Check this URL for more details on the release of rogue SSL
signing certificates through a Dutch firm:


http://www.computerworld.com/s/article/9219606/Hackers_stole_Google_SSL_certificate_Dutch_firm_admits

This is precisely why revocation of certificates is such a key aspect
of SSL, and why the longstanding lack of such revocation or even
revocation of SSH host or user keys remains a significant security
concern. Very few infrastructures are really secure once someone is
inside the network or has access to backups, and it's why the most
secure OS in the world is, in many ways, an expensive waste of time if
the basic security policies aren't in place.



Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Nick Holland
On 08/12/12 06:32, Ed Ahlsen-Girard wrote:
> On 2012-08-11 18:43:56, Miod Vallat  wrote:
> 
>>> You will find idiots on @misc. It's one of the few things not in the
>>> FAQ.
> 
>>We'd rather not have idiots in the FAQ (-:
> 
>>Miod
> 
> Alfred E. Neumann was in FAQ until May; the precedent is set.
> 

hardly -- the person who plays the fool is often not the idiot.

(though, I've seen some pretty convincing performances)

Nick.



pf / gif / ipv6

2012-08-12 Thread Michael Mercier

Hello,

I am seeing a behavior in pf that I don't understand.

# uname -mrvp
5.0 GENERIC#36 sparc64 SUNW,UltraSPARC-IIIi (rev 2.4) @ 1062 MHz

When I have the following configured:

(not complete configuration)

ext_if = "hme0"
int_if = "bge0"

ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"

block log all

# permit proto 41 to/from ipv6 gws
#pass log quick on $ext_if inet proto 41 from any to any
pass in log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
pass out log quick  on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

pfctl -s rules produces:
pass in log quick on hme0 inet proto ipv6 from a.b.c..192 to (hme0)
pass in log quick on hme0 inet proto ipv6 from a.b.c..193 to (hme0)
pass in log quick on hme0 inet proto ipv6 from a.b.c..194 to (hme0)
pass in log quick on hme0 inet proto ipv6 from a.b.c..195 to (hme0)
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..192
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..193
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..194
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..195

gif interface:
ifconfig gif5 create
ifconfig gif5 tunnel a.b.c.195 x.y.z.38
ifconfig gif5 up
route -n add -inet6 default ::1 -ifp gif5

but this traffic is blocked by pf ($ext_if - hme0 is x.y.z.38):

20:31:03.536279 rule 11/(match) [uid 0, pid 28111] block in on hme0:  
a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13:111:512f:f07a:8193: [|tcp]  
(len 28, hlim 57) (ttl 251, id 37052, len 88)


rule 11 is "block log all" from above

but if I uncomment the rule:
pass log quick on $ext_if inet proto 41 from any to any
traffic passes.

NOTE:  I have also tried modifying the rules to have $ext_if instead  
of ($ext_if) with the same results.


My question is, what is being blocked by the rule?

Thanks,
Mike



Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Ed Ahlsen-Girard
On 2012-08-11 18:43:56, Miod Vallat  wrote:

>> You will find idiots on @misc. It's one of the few things not in the
>> FAQ.

>We'd rather not have idiots in the FAQ (-:

>Miod

Alfred E. Neumann was in FAQ until May; the precedent is set.

-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL


