Re: Unable to reach server in dmz. Whats wrong?

2006-01-10 Thread Abraham Al-Saleh
On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
 Hello,

 We are using OpenBSD 3.8 as a firewall/router. We have two internal
 nets; one with workstations (NAT) and one DMZ with a single server.
 And thus we have three network interfaces installed in the router: one
 for the NAT, one for the DMZ and one for the external net.

 Our ISP has given us a range of IP addresses (the ones below are
 obfuscated ;)):

 Segment:            38.87.5.112 /28
 net address:        38.87.5.112
 gateway address:    38.87.5.113
 firewall:           38.87.5.114
 free static IPs:    38.87.5.115-126
 broadcast address:  38.87.5.127
 netmask:            255.255.255.240

 I have set up the DMZ with
 net address: 38.87.5.120
 Gateway:     38.87.5.121
 Server:      38.87.5.122

 netmask:  255.255.255.252

 To ensure that routing worked properly I just entered pass (and nat of 
 course) in the /etc/pf.conf file.

 I have no trouble connecting to the server at 38.87.5.122 from the
 internal net where NAT addresses are used, but for some reason
 I can't connect to the server from the outside. I thought it was a
 routing problem, but when I entered a port redirect from the gateway
 (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached the
 server. I haven't got a clue what's wrong. Can anybody help to explain
 this or have an idea of a workaround (I don't want the port redirect)?
 Thanks in advance.

 /Jonas


It would help if you attached your pf.conf, and relevant configuration
files (hostname.if, for example).



Re: dhcpd and static entries

2005-12-12 Thread Abraham Al-Saleh
On 12/12/05, Peter Hessler [EMAIL PROTECTED] wrote:

 This is with -current dhcpd within the last month.

 On Mon, 12 Dec 2005 12:15:37 -0800
 Peter Hessler [EMAIL PROTECTED] wrote:

 : I have a dhcp'd network, with static entries for a ton of machines.
 : The problem is that the range is for .10 - .254, and the static
 : entries are scattered throughout.  When a random client requests an
 : address, dhcpd will give out a statically defined entry.  So when the
 : static entry machine comes back, the two machines fight each other
 : for the address.
 :
 : Moving the static entries to outside the range is unfeasible right
 : now.  And it doesn't address the issue of 'machine was on a different
 : dhcp network with an address that happens to be statically defined on
 : ours'.
 :
 : Why does dhcpd give out addresses that are currently in use, and why
 : does it give out statically defined addresses?  Shouldn't it remove the
 : static entries from the dynamic pool?


Because your static IPs are within your dynamic pool, just set up the
static addresses so they're outside the dynamic range. Your server is
misconfigured otherwise.

:
 : Sanitized portions of config:
 :
 : shared-network LOCAL-NET {
 : option  domain-name example.com;
 : option  domain-name-servers 10.0.0.1;
 :
 : option  nis-domain example.nis;
 : option  nis-servers nis.example.com;
 : option  ntp-servers ntp.example.com;
 : option  time-offset -28800; # PST
 :
 : subnet 10.0.0.0 netmask 255.255.255.0 {
 : option routers 10.0.0.1;
 :
 : range 10.0.0.10 10.0.0.254;
 : }
 :
 : group {
 :   use-host-decl-names on;
 :  # host1.example.com 10.0.0.15
 :host host1.example.com { hardware ethernet \
 :  00:0f:1f:f7:7d:64; fixed-address host1.example.com; }
 :  # host2.example.com 10.0.0.20
 :   host host2.example.com { hardware ethernet \
 :  02:A0:98:01:F5:B4; fixed-address host2.example.com; }
 :  # host3.example.com 10.0.0.29
 :   host host3.example.com { hardware ethernet \
 :  00:0F:1F:F7:78:B6; fixed-address host3.example.com; }
 :}
 : }
 :
 :
 :
 : --
 : Workers of the world, arise!  You have nothing to lose but your
 : chairs.
 :


 --
 Sex without love is an empty experience, but, as empty experiences go,
 it's one of the best.
 -- Woody Allen




--
Abe Al-Saleh

I love deadlines. I like the whooshing
sound they make as they fly by.
--Douglas Adams



Re: dhcpd and static entries

2005-12-12 Thread Abraham Al-Saleh
On 12/12/05, Peter Hessler [EMAIL PROTECTED] wrote:

 On Mon, 12 Dec 2005 13:59:23 -0700
 Abraham Al-Saleh [EMAIL PROTECTED] wrote:

 : On 12/12/05, Peter Hessler [EMAIL PROTECTED] wrote:
 :  :
 :  : Moving the static entries to outside the range is unfeasible right
 :  : now.  And it doesn't address the issue of 'machine was on a
 :  : different dhcp network with an address that happens to be
 :  : statically defined on ours'.
 :  :
 :  : Why does dhcpd give out addresses that are currently in use, and
 :  : why does it give out statically defined addresses?  Shouldn't it
 :  : remove the static entries from the dynamic pool?
 :
 :
 : Because your static IPs are within your dynamic pool, just set up
 : the static addresses so they're outside the dynamic range. Your
 : server is misconfigured otherwise.


 So it's a feature, not a bug?  Note the paragraph before the one you
 addressed, it says can't happen.

 Would adding such a feature (maybe off by default, but configurable in
 command line/conf file) be accepted?


I don't know, but it sounds pretty useless to me, your issue is a
misconfiguration. If you can't fix the misconfiguration, then it's a policy
problem, and you get to hold the pieces.



Re: dhcp overwriting resolv.conf

2005-10-25 Thread Abraham Al-Saleh
On 10/25/05, Chris Smith [EMAIL PROTECTED] wrote:
 Hello,

 Running 3.8, 2 nics, 1 statically assigned, and the other using dhcp.
 Problem is that resolv.conf is always overwritten. Using
 resolv.conf.tail doesn't help as the information is just tacked on at
 the end of the dhcp supplied information.

 How can I prevent the overwriting of resolv.conf?

 Thanks.

 Chris



man dhclient.conf



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Abraham Al-Saleh
On 10/7/05, Olivier Mehani [EMAIL PROTECTED] wrote:

 On Fri, 7 Oct 2005 14:29:08 +0200
 Johan M:son Lindman [EMAIL PROTECTED] wrote:


   One of my clients has got an Internet connection with a not very
   reliable provider. He reports continual disconnections and so on. I
   would like to set up a second connection with another provider to
   obtain a sort of redundancy, a fault tolerance. What do I have to do
   to obtain the automatic connection with both of the providers and
   to shift to the one that is connected when the other is in trouble
   (without problems for the client)?
  Border Gateway Protocol.

 Doesn't it imply that said client has its own IP address range and
 is not NATing behind one single ISP-provided address?


yes.

Alternatively, look at route-to in pf.conf

--
 Olivier Mehani [EMAIL PROTECTED]
 PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1




--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbecues
all around.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
You could use connection throttling, it won't eliminate them, but it will
make it take longer. If you don't need ssh on that host (although, you
probably do, I'd be lost without it) disable it. You could bind sshd to a
different port, and disable port 22 (most of these attacks are automated
bots). The best thing you can do is to disable root access, use difficult
passwords (or better yet, use keys and disable passwords), go out of your
way to make sure you don't use common names for usernames (if you can), and
enforce a good password policy. Then you can do what I do when I get the
output of my logs, laugh.


On 9/23/05, John Marten [EMAIL PROTECTED] wrote:

 You know what I mean? Every day I get some script kiddie, or adult,
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: ivalid user somename
 Failed password for invalid user somename
 Recieved disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.


 John F. Marten III

 Information Technology Specialist




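An added example, not from this thread and not Abe's or the OpenBSD project's own ruleset, of the connection throttling suggested above, written in the pf.conf syntax of the OpenBSD 3.7/3.8 era. The interface name, the table name and the limits are assumptions chosen for illustration:

```conf
# Added example, not from the thread. Assumes $ext_if is the Internet-facing
# interface; the table name and the thresholds are illustrative choices.
ext_if = "fxp0"

# Sources that exceed the limits below are put in this table, which
# survives ruleset reloads (persist). Age entries out with:
#   pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# Drop everything from hosts already identified as password guessers.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but hold each source to 5 open connections and 3 new
# connections per 30 seconds. A source that exceeds either limit is added
# to <bruteforce> and all of its existing states are torn down
# (flush global), so the guessing session ends immediately.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and watch the table with `pfctl -t bruteforce -T show`. This only slows the guessing down, as the post says; the rest of the advice (no root logins, keys instead of passwords) is `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config.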



Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
just to add my $0.02. The best they could hope for would be disallowing your
default gateway from connecting to your ssh server... whoop-de-doo.

On 9/23/05, Wolfgang S. Rupprecht 
[EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] writes:
  My only question is what if I traceroute to you, find out the IP number
 of your upstream router? Then I make a bunch of connection attempts to your
 IP but forge the packets to make them look like they came from your
 upstream. Don't *you* end up blacklisting your default route and you become
 'so long suckah'd?

 This isn't a problem for 2 reasons.

 1) The upstream router isn't likely to be the destination of any
 packet in a consumer-isp situation. Only if you are running some
 routing protocol that uses that upstream router as an endpoint
 (eg. rip, ospf, etc) will a block against that router's IP matter
 to you.

 I've heard of cases where folks intentionally add an IP-level block
 against their ISP's whole infrastructure. (Some ISP's don't allow
 any servers. If they find an sshd hanging on port 22 are they
 going to hassle you? Just block 'em.)

 2) Forging the source IP in a TCP packet and succeeding in negotiating
 the 3-way handshake isn't all that simple any more. I wouldn't
 worry about it. If someone could forge that reliably, there is
 much better game to go after (like breaking into machines that
 still use IP addresses for authorization.) Someone spoofing an IP
 so that you mistakenly block an innocent party is pretty much
 wasting a good trick.

 -wolfgang



Re: OpenBSD website Design.

2005-09-08 Thread Abraham Al-Saleh
The current one is great. Functional and easy to use, much like the OS
itself. No reason to fix it if it's not broken.

On 9/7/05, Siju George [EMAIL PROTECTED] wrote:
 Hi,
 
 One of my friends sent me this new OpenBSD website design he created.
 Please have a look at it :-D
 
 http://mayuresh.freeshell.org/openbsd/
 
 Thank you so much
 
 Kind Regards
 
 Siju
 
 





Re: Lifecycle question

2005-09-06 Thread Abraham Al-Saleh
On 9/5/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 Ramiro Aceves wrote:
  I like and use both systems. But if you are concerned about easy
  upgrading, I would recommend Debian GNU/Linux (no flamewars please ;-)
  ). It is a very stable system that is upgraded slowly, about every 2 years
  (they want to speed it up in the future to an 18-month cycle). You will not
 
 We have FreeBSD, Debian Sarge and SuSE 9.0, 9.1 and 9.3 as production
 systems running. Technically, we're kind of aware of the differences.
 
  system. If you want a desktop with hundreds of packages installed, I
  find Debian more practical to upgrade. Both systems allow you to tweak
  the internals as you want. Both come with the base system and the
  remaining applications.
 
 We use SuSE on ~50 desktops in our Institute and are quite happy (well,
 we had to tune it a bit to make it use apt-get). Debian is my first
 choice for non-BSD servers, but I would not use it for desktop purposes
 yet. Well, don't want flame wars here either ;)
 
  Anyway, I am falling in love with OpenBSD because of its security,
  simplicity, stability, clarity, superb documentation and coherency.
  If I had to build a server connected to the dangerous Internet, I
  would undoubtedly use OpenBSD.
 
 I am already in love with it, since I plan to use it as an HA firewall
 using carp and pfsync. The problem here is just that it looks as if I had to
 reinstall it all year ...

If that's the case, then you just take one down, upgrade it, bring it
back online, take the other down, upgrade it, bring it back online. I
fail to see the issue here. 'nuff said.

 
 Thanks,
 
 --
 
   Stephan A. Rickauer
 
   
   Institut für Neuroinformatik
   Universität / ETH Zürich
   Winterthurerstrasse 190
   CH-8057 Zürich
 
   Tel: +41 44 635 30 50
   Sek: +41 44 635 30 52
   Fax: +41 44 635 30 53
 
   http://www.ini.ethz.ch
   
 
 





Re: via S3 Unichrome, anyone ? ;)

2005-09-01 Thread Abraham Al-Saleh
The problem with the Unichrome is that stock Xorg identifies it (correctly)
as a VIA, but it does not support its specific chipset. The
unichrome.sf.net project has patches for XF86 and Xorg that fix this, but
you will have to recompile Xorg for it to work. It should work, but you
won't have any hardware acceleration, as that relies on a DRM Linux kernel
module. However, I haven't tried it with obsd, YMMV. You may have a tough
time getting support from the Unichrome guys, or the obsd X maintainer, but
I do not speak for them. I'd attempt it on my laptop (Averatec 3200), but
due to other hardware problems, it's currently out of condition.

Never hurts to try though. ;)

On 9/1/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 hi

 my laptop died in the most horrible way (it fell off the desk ...) and I
 had to replace it so I bought a low price workstation. It came with an
 integrated (*ugh*) VIA S3 Unichrome chipset that is recognized by OpenBSD at
 boot time. I tried starting an X session but it just hangs until I log into
 another tty and kill the process, no error in Xorg's logfile ...

 I've done some googling and found out that:

 - some people reported that they have a working VIA S3 Unichrome under
 OpenBSD on their laptop/desktop station, but none explained whether it was
 only recognized or if it was also usable with X.

 - there seems to be a Unichrome project that adds support for the chipset,
 but it seems like it's for Linux only (I'll investigate this when I get
 some sleep).

 Please tell me that someone has X working with it and that I don't have to
 code in console for the months to come ...

 thanks ;)

 --
 strlcat,strlcpy:
 This is horribly inefficient BSD crap. [...] This is why you use:
 *((char *) memcpy (dst, src, n)) = '\0';
 -- Ulrich Drepper, Linux style efficiency ;)







Re: Help!

2005-08-29 Thread Abraham Al-Saleh
You've not indicated which kernel you used (it should be bsd.mp), nor
have you included a dmesg so that the more experienced users can help
you with your problem, if indeed there is one. Also, I understand that
English is probably not your native language, but I'm having a little
trouble understanding some of your post. Is there someone who can help
you clarify?

On 8/29/05, MySHOP [EMAIL PROTECTED] wrote:
 Hi
 
 I am OpenBSD user. last week I sale a Xern 2 CPU server. and intel CPU P4 D.
 
 But I checked sysctl hw and cannot find 2 CPUs.
 
 OpenBSD cannot support 2-CPU Intel CPUs, P4-HT and P4-D.
 
 I typed the command on a P4-HT CPU, but the Xern 2 CPU and Intel P4-D are the same.
 
 I cannot find 2 CPUs.
 
 sysctl hw
 hw.machine=i386
 hw.model=Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class)
 hw.ncpu=1
 hw.byteorder=1234
 hw.physmem=804880384
 hw.usermem=804069376
 hw.pagesize=4096
 hw.disknames=wd0,cd0,wd1,fd0
 hw.diskcount=4
 hw.sensors.0=nsclpcsio0, TSENS1, temp, -128.00 degC / -198.40 degF
 hw.sensors.1=nsclpcsio0, TSENS2, temp, -128.00 degC / -198.40 degF
 hw.sensors.2=nsclpcsio0, TNSC, temp, 40.00 degC / 104.00 degF
 hw.sensors.3=nsclpcsio0, VSENS0, volts_dc, 1.61 V
 hw.sensors.4=nsclpcsio0, VSENS1, volts_dc, 2.59 V
 hw.sensors.5=nsclpcsio0, VSENS2, volts_dc, 1.51 V
 hw.sensors.6=nsclpcsio0, VSENS3, volts_dc, 1.54 V
 hw.sensors.7=nsclpcsio0, VSENS4, volts_dc, 1.83 V
 hw.sensors.8=nsclpcsio0, VSENS5, volts_dc, 2.29 V
 hw.sensors.9=nsclpcsio0, VSENS6, volts_dc, 2.56 V
 hw.sensors.10=nsclpcsio0, VSB, volts_dc, 3.35 V
 hw.sensors.11=nsclpcsio0, VDD, volts_dc, 3.35 V
 hw.sensors.12=nsclpcsio0, VBAT, volts_dc, 3.01 V
 hw.sensors.13=nsclpcsio0, AVDD, volts_dc, 3.35 V
 hw.sensors.14=nsclpcsio0, TS1, volts_dc, 1.62 V
 hw.sensors.15=nsclpcsio0, TS2, volts_dc, 1.61 V
 hw.sensors.16=nsclpcsio0, TS3, volts_dc, 1.62 V
 hw.cpuspeed=2400
 hw.setperf=100
 
 
 Best Regards
 Suen Siu Man
 
 





Re: Help!

2005-08-29 Thread Abraham Al-Saleh
On 8/29/05, MySHOP [EMAIL PROTECTED] wrote:
  Hi Abraham Al-Saleh ,
  
  I am using OpenBSD 3.7 on a test computer.
  
  My computer with a P4-HT CPU looks like 2 CPUs. It shows up with 2 CPUs in
  some Linux or Windows.
  
  and my home computer P4 Not HT = 1 CPU only
  
  How can I make OpenBSD support 2 CPUs?
  
  Suen Siu Man
 
  
  

Please read the archives, here's a starting point:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=110370077903290&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=109622763808474&w=2

(also, to the rest of the list, sorry for top posting previously, I
realize it's annoying, just a little bit of sleep. ;))



Re: NAT doesn't appear to work for some websites

2005-08-14 Thread Abraham Al-Saleh
On 8/14/05, Matt Garman [EMAIL PROTECTED] wrote:
 I have a number of websites that I cannot load from machines
 connected to the 'net through my OpenBSD firewall/NAT box.
 
 One such site is directron.com.  Using Mozilla Firefox, it will
 just say Waiting for directron.com... but the page never loads.
 There are several other pages I've tried to load with the same
 result.
 
 On the other hand, some pages load fine (such as openbsd.org).
 
 However, if I log in to the firewall (the openbsd box), I can use
 links to connect to these sites without any problem.
 
 I'm guessing that this has something to do with redirects on the
 target website.  I'm pretty sure that directron.com is actually an
 alias for some other URL.  I'm thinking that the pf ruleset on the
 OBSD box is not allowing this.
 
 I'm using the pf example from the OpenBSD FAQ:
 
 http://openbsd.org/faq/pf/example1.html
 
 Has anyone else seen this before?
 
 Thanks for any suggestions,
 Matt
 
 --
 Matt Garman
 email at: http://raw-sewage.net/index.php?file=email
 
 
Highly unlikely, a nat is just a nat. Unless you have any special
rules beyond the default from the example, then you need to look at
your client, or your internal network.



Re: syslogd udp port

2005-08-05 Thread Abraham Al-Saleh
On 8/5/05, poncenby [EMAIL PROTECTED] wrote:
 Firstly, I never mentioned the word security, so I don't know where
 Tobias got that from.
 
 I apologise once again for not searching the archives and reading the
 man pages.
 
 May I suggest some tolerance (doesn't have to be sincere) for people who
 are simply either too busy or too lazy to read man pages in their
 entirety, or just simply ignore the email. Surely certain people on this
 list (theo - that's you!) don't actually enjoy patronising their loyal
 userbase?

snip

In the long run, it's usually faster to do research than to send a
question to a mailing list and hope someone is going to hold your
hand. You waste your time and everyone else's. If you want to be lazy,
pay someone to do your administration, don't expect everyone else to
do it for free.



Re: Soekris OBSD as servers

2005-08-05 Thread Abraham Al-Saleh
On 8/4/05, Gustavo Rios [EMAIL PROTECTED] wrote:
 On 8/5/05, Scott Francis [EMAIL PROTECTED] wrote:
  On 8/4/05, Gustavo Rios [EMAIL PROTECTED] wrote:
   I would like to set up an obsd and soekris box as a server for about 100
   users.
   This box is supposed to handle NIS + Kerberos.
  
   Can such a configuration handle the task? I mean on a performance
   matter.
   Does anybody have such a configuration?
 
 I am not asking just on OpenBSD, but on a combination of OBSD and
 Soekris. I am considering using OpenBSD+soekris for this task (NIS
 and Kerberos) because I believe this type of service to be light for
 the amount of users I have to handle.
 
 Any other services will be handled by other hardware, like the NFS, web
 and the like. For now, let's just consider NIS and Kerberos on OBSD
 3.7 and soekris.
 
 My concern is whether I could use OBSD with soekris. I could for
 instance use QNX with an embedded NIS and Kerberos to achieve paramount
 performance even on such modest hardware, which no other OS I know
 could beat. But, again, I would like to stay with OBSD.
 
 

snip

Soekris are small x86 machines. There is no reason it shouldn't work;
OpenBSD doesn't need graphics or sound. If you look on the Soekris
site, they list OpenBSD as one of the OSes that their hardware is
designed for. You'll need a null modem cable, tip (or minicom,
hyperterminal, whatever your flavor is), bootp, etc. But I can confirm
it works fine, I have a couple of them.



Re: Load Balance net connections w/ redirect

2005-07-18 Thread Abraham Al-Saleh
On 7/18/05, James Harless [EMAIL PROTECTED] wrote:

 Well, my objective is to have fail-over on the outbound connections,
 primarily. The load-balancing comes about because of that.
 Load-balancing is definitely not a requirement for this site and I
 probably should have worded my email a bit differently. One
 connection is a cable modem and the other ADSL.

 I really want the connections to fail-over when the other isn't
 available. I achieved this through the current configuration but,
 maybe not in an optimal fashion. I don't need to balance the incoming
 connections (and don't want to) but, I'm having issues getting the
 gateway to reply w/o balancing issues.

 I've attached my newest pf.conf in the hopes that you might be able to
 see my error. This is (obviously) the first time I've worked with
 this type of setup so, I'm uncertain where the issue lies. It seems
 like I need to get rdr and reply-to to work together but, maybe there
 is a different method.

 Thanks,

 James

 snip


You'll probably save a lot of lines in your pf.conf if you just do this:

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) from any to \
$ext_if1 keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) from any to \
$ext_if2 keep state



Re: Theo gave an interview to Forbes Mag. about Linux

2005-06-17 Thread Abraham Al-Saleh
I'm actually curious as to the apparent change of stance between interviews.
In the last two interviews I've read, you've made it clear that you've never
used it, and had no comment. Am I missing something? Just curious.

On 6/17/05, Theo de Raadt [EMAIL PROTECTED] wrote:

  On Fri, Jun 17, 2005 at 04:48:31PM +0200, J. Lievisse Adriaanse wrote:
   Theo gave an interview to Forbes Magazine, in which he stated: It's
   terrible, De Raadt says. Everyone is using it, and they don't
   realize how bad it is. And the Linux people will just stick with it
   and add to it rather than stepping back and saying, 'This is garbage
   and we should fix it.'
 
  Heh. Theo never did pull his punches. I suppose there's now a war going
  on in /. ? :)

 If the Linux people actually cared about Quality, as we do, they would
 not have had as many localhost kernel security holes in the last year.

 How many is it... 20 so far?







Re: interface groups and pf

2005-06-16 Thread Abraham Al-Saleh
Marvelous work. Thank you. :)



Re: subversion port 3.7 problem

2005-05-25 Thread Abraham Al-Saleh
Use the package; I was able to successfully install it on my openbsd
workstation.

On 5/25/05, Price, Joe [EMAIL PROTECTED] wrote:

 Hi, when I try to build subversion on 3.7 i386 I get:


 []

 main.o -c /usr/ports/devel/subversion/w-subversion-1.1.3p0/subversion-1.1.3/subversion/svnadmin/main.c
 cd subversion/svnadmin && /bin/sh /usr/ports/devel/subversion/w-subversion-1.1.3p0/build-i386/libtool --silent --mode=link cc -O2 -pipe -DNEON_ZLIB -DNEON_SSL -L/usr/local/lib/db4 -L/usr/local/lib -rpath /usr/local/lib -o svnadmin main.o ../../subversion/libsvn_repos/libsvn_repos-1.la ../../subversion/libsvn_fs/libsvn_fs-1.la ../../subversion/libsvn_delta/libsvn_delta-1.la ../../subversion/libsvn_subr/libsvn_subr-1.la /usr/local/lib/libaprutil-1.la -ldb -lexpat -liconv /usr/local/lib/libapr-1.la -lintl -liconv -lz
 /usr/local/lib/libsvn_subr-1.so.0.0: warning: sprintf() is often misused,
 please use snprintf()
 main.o(.text+0x90b): In function `subcommand_recover':
 : undefined reference to `svn_repos_recover2'
 main.o(.text+0x9c1): In function `subcommand_recover':
 : undefined reference to `svn_repos_recover2'
 main.o(.text+0xe27): In function `subcommand_setlog':
 : undefined reference to `svn_repos_fs_change_rev_prop2'
 collect2: ld returned 1 exit status
 *** Error code 1

 Stop in /usr/ports/devel/subversion/w-subversion-1.1.3p0/build-i386 (line
 355 of /usr/ports/devel/subversion/w-subversion-1.1.3p0/subversion-1.1.3/build-outputs.mk).
 *** Error code 1

 Stop in /usr/ports/devel/subversion (line 1769 of
 /usr/ports/infrastructure/mk/bsd.port.mk).



 I have YET to build subversion for OpenBSD, I thought I'd let the port do
 it for me =(

 Any ideas?

 Thanks!







Re: Bandwidth loss

2005-05-14 Thread Abraham Al-Saleh
I had a similar problem a month or so back, I have a 4 Mb/s cable
connection, and I could only get about 200 Kb/s. I switched my nics out,
changed the tcp receive window size, etc, but nothing worked. I was running
3.6, so I installed a fresh 3.7 snapshot, and haven't had a problem since.
So, if 3.6 doesn't work, wait until 3.7-release hits the mirrors, or grab a
snapshot (which is technically the next release) and see if it improves.

On 5/14/05, N. Raghavendra [EMAIL PROTECTED] wrote:

 At 2005-05-13T11:00:34+01:00, Stuart Henderson wrote:

  1. The OpenBSD version is nearly two years old. Update to recent
  software, and see if the problem still exists. ...
 
 
  2. You provide no information about the hardware.

 I will upgrade to OpenBSD 3.6, and will get back to the list with full
 details if the problem persists.

 Thank you.

 Raghavendra.

 --
 N. Raghavendra [EMAIL PROTECTED] | See mail headers for contact
 Harish-Chandra Research Institute | and OpenPGP details.







Re: beginner, intermediate, and advanced scripting

2005-05-14 Thread Abraham Al-Saleh
It's a good scripting language because of how well regular expressions are
integrated into the language. It's also easy to pick up and use, because
it's pretty lenient in specific syntax. I can't recommend a book though, as
most of what I know of perl has been from reading other people's scripts and
asking some of my programmer friends "how would I accomplish X?"

On 5/14/05, Eugene Hercun [EMAIL PROTECTED] wrote:

 Hello everyone,

 I was reading the UNIX System Administration Handbook the other day,
 and I really liked the idea of programming your own scheduled
 automated tasks. Mr. Holland made a very good point regarding this
 issue
 Ok, your computer is doing some inefficient work, but that's what
 computers are
 good for -- working. Save the thinking for people. - Mr. Nick Holland

 Anyway, I was curious, the UNIX System book mentioned that Perl is a
 good programming language to use for scripting, but it does not
 explain why.
 What are some good books for beginner through advanced scripting? I
 poked around amazon.com and the user reviews are
 generally useless.

 Eugene







Re: exposing an internal server to the Internet

2005-05-14 Thread Abraham Al-Saleh
Do you need every port on the mail server to be exposed to the Internet?
That's how I originally interpreted your question. If you only need mail
server ports, then use the rdr statement, which you can again read about in
the pf.conf man page. Otherwise, you will need to alias another IP to your
obsd box and binat traffic destined to that address to your mail server.

On 5/14/05, GV [EMAIL PROTECTED] wrote:

 thanks for your prompt reply.

 I do agree with you but when reading the manual concerning binat it says:

 
 ..Connections from the Internet to the external address will be translated
 to
 the internal address..
 

 which means that ANY connection from the Internet will be
 translated/redirected to this specific server which actually discharges my
 whole LAN?

 To be more specific, I first tried the following configuration:

 --
 binat on $ext_if from $cam1 to any -> $ext_if
 nat on $ext_if from $int_if:network to any -> $ext_if
 --

 and couldn't ssh my server any more cause my connection was automatically
 redirected to port 22 of the internal machine where no sshd was
 running!!!

 I think that I misunderstood binat but couldn't find any detailed docs or
 examples how to use it. If you have time to provide me some directions to
 this?

 Thanks for your support

 George

 On Saturday 14 May 2005 23:46, Abraham Al-Saleh wrote:
  Use binat.
 
  From man (5) pf.conf:
 
  binat
  A binat rule specifies a bidirectional mapping between an external
  IP netblock and an internal IP netblock.
 
  read the pf.conf manual page for more information.
 
  On 5/14/05, GV [EMAIL PROTECTED] wrote:
   Hi,
  
   I have a situation where an internal server (located in a LAN and behind an
   OpenBSD firewall/NAT) has to be fully exposed to the Internet! What's the best
   way to achieve that?
  
   Thanks
  
   George




--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbecues
all around.
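As an added example (not code from the thread), here is how the two approaches Abe describes look in a pf.conf of that era, next to the mistake George ran into. The interface names, the server address, the alias address and the port list are assumptions; the rdr/binat/nat directives are the pre-OpenBSD 4.7 syntax the thread is discussing (4.7 moved translation into match/pass rules with rdr-to, binat-to and nat-to, but the logic is the same).

```conf
# Added example, not from the original thread.
# Assumed names: fxp0/fxp1, $mail_srv, $alias_ip, the port list.
ext_if   = "fxp0"
int_if   = "fxp1"
mail_srv = "192.168.1.25"     # constructed RFC 1918 address of the mail host
alias_ip = "203.0.113.10"     # constructed second public address, routed to us
                              # by the ISP and configured as an alias on $ext_if

# --- Translation rules (must come before filter rules in 3.x) ---

# Option 1: expose only the mail ports. Everything else addressed to $ext_if
# still reaches the firewall itself, so sshd on the firewall keeps working.
rdr on $ext_if proto tcp from any to $ext_if port { 25, 143, 993 } -> $mail_srv

# Option 2: fully expose the host, but on its own public address.
# Writing "-> $ext_if" here instead of "-> $alias_ip" maps the firewall's
# whole external address onto $mail_srv: every inbound connection, port 22
# included, is handed to the internal machine. That is what George saw.
binat on $ext_if from $mail_srv to any -> $alias_ip

# Ordinary outbound NAT for the rest of the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# --- Filter rules ---
# Translation does not grant access. Filtering happens after rdr/binat, so
# the pass rules name the post-translation (internal) address, and the
# default stays deny.
block in log all
pass out keep state

pass in on $ext_if proto tcp from any to $mail_srv port { 25, 143, 993 } \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
```

Pick one of the two translation rules, not both. For the binat variant the firewall must own $alias_ip, e.g. an `inet alias 203.0.113.10 255.255.255.255` line in /etc/hostname.fxp0, otherwise it never answers ARP for it and the mapping is never hit. `pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -s nat` and `pfctl -s rules` show what is actually installed.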



Openbgpd routing for redundancy.

2005-05-06 Thread Abraham Al-Saleh
Alright, before I go too far, I'm going to present what I know, what I 
need, and what I've read so far. We had a recent scare at my company, we 
lost connectivity with our ISP for about ten minutes because of a glitch. 
Due to the nature of our company, we have to have 100% uptime, and our 
SLA only guarantees us 99.999%. So, I'm currently talking with several 
companies to have another T1 brought in, and I'm planning on using 
OpenBGPD to provide fault tolerance. The only problem? I've never done 
anything like this before. I'm already comfortable with openbsd, as 
we've been using it on all of OUR routers (not the managed router from 
our T1 provider... but that's going to be going away if we do this) and 
we've been very happy with it due to the likes of carp and pf. I've read 
the bgpd, bgpd.conf, and bgpctl man pages, I've skimmed RFC 1771, I've 
read the slides presented by Henning Brauer to the Chaos Communication 
Congress, and I've been googling like mad. What I'm looking for is a 
thorough overview of implementing openbgpd in a situation like mine, 
good resources on bgp in particular (books, websites, anything anyone 
else has found useful), or just general tips that anyone would be 
willing to give me. I'll be the first to admit that I haven't spent a 
lot of time in the down deeps of routing, but I'm not against reading 
large technical manuals.

Any help would be hot, thank you everyone.


Re: Openbgpd routing for redundancy.

2005-05-06 Thread Abraham Al-Saleh
eric wrote:
On Fri, 2005-05-06 at 14:35:09 -0600, Abraham Al-Saleh proclaimed...

Alright, before I go too far, I'm going to present what I know, what I 
need, and what I've read so far. We had a recent scare at my company, we 
lost connectivity with our ISP for about ten minutes because of a glitch. 
Due to the nature of our company, we have to have 100% uptime, and our 
SLA only guarantees us 99.999%. 

At best you'll get 5 9's. Why don't you look at multiple locations? After
all, if your business is that critical, a power outage due to a bad circuit
in the street outside where there is *supposed* to be redundancy but there
isn't will cause pain.
I'd also be curious to know what kind of location you're at if you need 100%
uptime with T1 links.
- Eric

We have a backup generator that will run for five days and can be 
refilled while in operation, as well as dual matrix 5000 UPS'. We're 
working on an online medical prescribing and patient management 
solution, but we're currently small, we don't have the staff or the 
money to support two locations (yet).

--
Cordially,
Abraham Al-Saleh
Systems Administrator
CaduRx


Re: Openbgpd routing for redundancy.

2005-05-06 Thread Abraham Al-Saleh
eric wrote:
On Fri, 2005-05-06 at 14:54:31 -0600, Abraham Al-Saleh proclaimed...

We have a backup generator that will run for five days and can be 
refilled while in operation, as well as dual matrix 5000 UPS'. We're 
working on an online medical prescribing and patient management 
solution, but we're currently small, we don't have the staff or the 
money to support two locations (yet).

Cool, it's good to see what kind of markets obsd can get into.
Hopefully you find two ISP's that don't have simultaneous failures!

Yes, there's only so much I can do to keep everything redundant at 
present, something that will change later when we have sufficient money, 
a big concern is that someone might dig out our local loop with a 
backhoe, nothing I can do about that at present. I'm just trying to minimize 
as many risks as possible.



Re: Openbgpd routing for redundancy.

2005-05-06 Thread Abraham Al-Saleh
Stuart Henderson wrote:
--On 06 May 2005 14:35 -0600, Abraham Al-Saleh wrote:
uptime, and our SLA only guarantees us 99.999%. So, I'm currently

You sometimes find that SLA means something like we'll charge you more 
so that when things break, we can pay some of it back...

talking with several companies to have another T1 brought in, and I'm
planning on using OpenBGPD to provide fault tolerance. The only
problem? I've never done anything like this before. I'm already

While BGP can be used to improve reliability, it also gives you 
interesting and varied ways to break your network. What's more, it's 
quite possible to break your connectivity for extended periods of time 
(through flap dampening), and there's nothing that can be done to fix 
it, you just have to sit it out. So it must be done with thought and care.

good resources on bgp in particular (books, websites,

See http://www.bgp4.as/books - maybe look at Stewart "BGP4", van 
Beijnum "BGP", Halabi "Internet Routing Architectures". Typically, 
config examples are given for IOS, but many concepts are portable. van 
Beijnum is probably the easier read, Stewart has good information about 
the protocol (probably will help you to understand the RFC better), 
Halabi is published by Cisco Press so understandably IOS-centric, quite 
a lot of good material.

A test network is pretty much essential to help you get to grips with 
things...


Thanks for the tips, the funny thing is I just sent a request to my boss 
to purchase the books by Stewart and Beijnum. And thanks for the advice 
about testing, I was pretty sure that my weekends and evenings were shot 
for awhile anyway...
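As an added example, not from the thread: a minimal bgpd.conf for the two-upstream case Abraham describes, written for current OpenBGPD (the grammar has changed in places since the 3.7-era man pages he read, so check it against bgpd.conf(5) on your release). The AS numbers, neighbor addresses and the prefix are placeholders. It assumes you already hold your own AS number and a prefix of at least a /24 that both providers have agreed to accept, and that each provider sends you a default route; without an ASN and a prefix both ISPs will announce, BGP multihoming is not possible no matter which daemon you run.

```conf
# Added example, not from the original thread. Placeholders: our AS 65001
# and prefix 192.0.2.0/24 (private ASN / documentation range), ISP A is
# AS 65100 at 198.51.100.1, ISP B is AS 65200 at 203.0.113.1.
AS 65001
router-id 192.0.2.1
fib-update yes                 # install best paths into the kernel table
network 192.0.2.0/24           # the prefix we originate to both providers

group "upstreams" {
	announce IPv4 unicast
	neighbor 198.51.100.1 {
		remote-as 65100
		descr "ISP-A"
	}
	neighbor 203.0.113.1 {
		remote-as 65200
		descr "ISP-B"
	}
}

# Filters: the last matching rule wins, so start from deny in both
# directions and open only what the design needs.
deny from any
deny to any

# Inbound: accept only a default route from each upstream. For pure failover
# a full table buys nothing and costs memory and convergence time.
allow from group "upstreams" prefix 0.0.0.0/0 prefixlen = 0

# Outbound: announce only our own prefix. A looser rule here could leak
# ISP A's routes to ISP B and turn the company into free transit.
allow to group "upstreams" prefix 192.0.2.0/24
```

`bgpd -n -f /etc/bgpd.conf` parses the file without starting the daemon; once it runs, `bgpctl show summary` shows whether both sessions are Established, `bgpctl show rib` what was accepted after filtering and `bgpctl show fib` what actually reached the kernel. Test failover by taking one provider's link down and watching the default move, and do it on the lab network Stuart recommends first: bouncing a production session repeatedly is exactly the behaviour that gets your prefix flap-dampened upstream, and then you sit it out.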



Re: Openbgpd routing for redundancy.

2005-05-06 Thread Abraham Al-Saleh
L. V. Lammert wrote:
On Fri, 6 May 2005, Abraham Al-Saleh wrote:

Yes, there's only so much I can do to keep everything redundant at
present, something that will change later when we have sufficient money,
a big concern is that someone might dig out our local loop with a
backhoe, nothing I can do about that at present. I'm just trying to minimize
as many risks as possible.
Why haven't you CoLo'd a set of backup servers? Doesn't cost much to have
a rack on a backbone, .. you can even shop for one in a different part of
the country/world.
Lee

Leland V. Lammert              [EMAIL PROTECTED]
Chief Scientist                Omnitec Corporation
Network/Internet Consultants   www.omnitec.net


Because, with the type of colocation we require, it DOES cost much. We 
can't stick our servers on a simple rack, we have to have cage space, 
and that costs more than a little. We store medical data, and HIPAA 
compliance (if you've ever heard of that?) is a bitch, to put it simply. 
What's worse is that many medical organizations misunderstand it, and 
put even more stringent practices that must be adhered to.

--
Cordially,
Abraham Al-Saleh
Systems Administrator
CaduRx


Re: Will different CPU and RAM matter?

2005-05-05 Thread Abraham Al-Saleh
STeve Andre' wrote:
On Thursday 05 May 2005 14:15, Gary Clemans-Gibbon wrote:
Hi All,
I have a co-located 3.4 web/mail box at a remote location with a P3
1.2Ghz and
1Gb RAM (on-board LAN and video). At home I have another copy of the exact
same motherboard but with a Celeron 1.1Ghz and 512 Gb RAM.
The question is, can I install 3.7 on the box at home and then simply
take out the HDD
and swap it into the co-lo server? Will it care that it was installed on
a different CPU with less
RAM?
TIA.

Um, if one motherboard is a p3 and the other is a celeron, they aren't 
the same.  Close maybe, but not the same.  Remember that when at 
some point in the future two similar motherboards do slightly different
things to you.

Anyway, unless there are odd disk geometry problems, you ought to be
able to move the disk over to the new box.  Keep in mind that if the
network card differs you'll have to change /etc/hostname.?.  You should
be able to do this easily.  Have a backup plan in case it doesn't go well.
--STeve Andre'

Unless he's using a Celeron based on a Pentium 3 core such as 
Coppermine, in which case, it's very feasible that he could have the 
same motherboard in each system. But it doesn't matter, because they're 
both i386.

--
Cordially,
Abraham Al-Saleh
Systems Administrator
CaduRx