Re: How many IPs can I block before taking a performance hit?

2020-08-14 Thread Alan McKay
So here is a related question - I want to implement something like
what some of you folks seem to have in place with dynamically updated
blacklists and reloading pf on the fly.

With a redundant pair of firewalls should I be doing this on the MASTER only?
I'm just wondering about reloading pf on the BACKUP and because state
tables are synced is there going to be any kind of negative effect on
MASTER in terms of performance or even the fact that MASTER will be
doing the reload at the same time.

It is relatively easy to detect whether or not I am MASTER and then
only do that if so.

Should I be doing that or will it matter?
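The MASTER-only reload described above, as an added example (this is not code from the thread): a sh script that reads the CARP state out of ifconfig(8) output and replaces the pf table only on the MASTER node. The carp0 interface, the blacklist table name, the /etc/blacklist path and the sample ifconfig output are assumptions I constructed for the example.

```shell
#!/bin/sh
# Added example: reload a pf blocklist table only when this node is the
# CARP MASTER. Interface, table and file names below are assumptions.

CARP_IF="${CARP_IF:-carp0}"
TABLE="${TABLE:-blacklist}"
BLOCKFILE="${BLOCKFILE:-/etc/blacklist}"

# Constructed sample of "ifconfig carp0" output on a MASTER node, used for
# the stand-alone demonstration and the test; not captured from a real host.
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        index 7 priority 15 llprio 3
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 10.1.1.3 netmask 0xffffff00 broadcast 10.1.1.255'

# carp_state: reads ifconfig(8) output on stdin and prints the CARP state
# word (MASTER, BACKUP, INIT ...) from the "carp:" line, or UNKNOWN when
# the interface has no carp: line at all (wrong interface, not a carp dev).
carp_state() {
    awk '/^[[:space:]]*carp:/ { print $2; found = 1; exit }
         END { if (!found) print "UNKNOWN" }'
}

# carp_is_master: succeeds only if the ifconfig text in $1 shows MASTER.
carp_is_master() {
    [ "$(printf '%s\n' "$1" | carp_state)" = "MASTER" ]
}

# reload_blocklist: atomically replaces the table contents from BLOCKFILE,
# but only on the MASTER; on BACKUP it returns 1 and leaves the table alone.
# Unknown state (no carp: line) returns 2 so a cron job can alert on it.
reload_blocklist() {
    out=$(ifconfig "$CARP_IF" 2>/dev/null) || { echo "cannot read $CARP_IF" >&2; return 2; }
    state=$(printf '%s\n' "$out" | carp_state)
    case "$state" in
        MASTER)
            pfctl -t "$TABLE" -T replace -f "$BLOCKFILE"
            ;;
        UNKNOWN)
            echo "$CARP_IF has no CARP state; not touching table $TABLE" >&2
            return 2
            ;;
        *)
            echo "$CARP_IF is $state, not MASTER; skipping reload of $TABLE" >&2
            return 1
            ;;
    esac
}

# Stand-alone demonstration on the constructed sample (no pfctl call).
demo() {
    if carp_is_master "$SAMPLE_IFCONFIG"; then
        echo "sample node is MASTER: would run pfctl -t $TABLE -T replace -f $BLOCKFILE"
    else
        echo "sample node is not MASTER: would skip the reload"
    fi
}
```

Call reload_blocklist from the same job that fetches the list on both nodes. Note that pfsync(4) carries states only, not table contents, so a BACKUP that skips the reload keeps whatever list it loaded last until it becomes MASTER and reloads.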



Re: How many IPs can I block before taking a performance hit?

2020-08-12 Thread Alan McKay
Wow over 160 MILLION (yes I screamed that) IPs!

How much RAM is in your system?

On Wed, Aug 12, 2020 at 10:26 AM infoomatic  wrote:
>
> We have ~30,000 entries in our table  blocking networks and
> single ip addresses, all in all at the moment exactly 169,471,974 hosts
> being blocked. No idea what your criteria is for "performance impact",
> but we have no issues.
>
>
> On 12.08.20 14:11, Alan McKay wrote:
> > Hey folks,
> >
> > This is one that is difficult to test in a test environment.
> >
> > I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
> >
> > With some scripting I'm looking at feeding block IPs to the firewalls
> > to block bad-guys in near real time, but in theory if we got attacked
> > by a bot net or something like that, it could result in a few thousand
> > IPs being blocked.  Possibly even 10s of thousands.
> >
> > Are there any real-world data out there on how big of a block list we
> > can handle without impacting performance?
> >
> > We're doing the standard /etc/blacklist to load a table and then have
> > a block on the table right at the top of the ruleset.
> >
> > thanks,
> > -Alan
> >
>


-- 
"You should sit in nature for 20 minutes a day.
 Unless you are busy, then you should sit for an hour"
 - Zen Proverb



How many IPs can I block before taking a performance hit?

2020-08-12 Thread Alan McKay
Hey folks,

This is one that is difficult to test in a test environment.

I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.

With some scripting I'm looking at feeding block IPs to the firewalls
to block bad-guys in near real time, but in theory if we got attacked
by a bot net or something like that, it could result in a few thousand
IPs being blocked.  Possibly even 10s of thousands.

Are there any real-world data out there on how big of a block list we
can handle without impacting performance?

We're doing the standard /etc/blacklist to load a table and then have
a block on the table right at the top of the ruleset.

thanks,
-Alan




Way to find most active IPs for rate limiting with pf

2020-08-06 Thread Alan McKay
So I want to implement rate limiting, and to determine a reasonable
rate based on current traffic patterns I'd like to be able to figure
out which source IPs are generating the most connections and at what
rate.

Is there a way to do that?


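One way to get the per-source connection counts asked about above, as an added example rather than anything from the thread: a sh function that reads pfctl -ss output and ranks the initiating addresses by how many states they hold; taking snapshots a minute apart and diffing the counts gives the rate. The sample state lines are constructed, not captured.

```shell
#!/bin/sh
# Added example: rank source addresses by the number of pf states they hold,
# as a first cut at finding the busiest IPs before picking rate limits.
# Input is "pfctl -ss" output, or the constructed sample below.

# Constructed sample in pfctl -ss layout. "<left> -> <right>" is a state made
# by traffic going out (initiator on the left); "<left> <- <right>" is made by
# traffic coming in (initiator on the right). NAT states carry an extra
# "(addr:port)" field before the arrow. IPv6 is printed as addr[port].
SAMPLE_STATES='all tcp 10.0.0.5:443 <- 203.0.113.7:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:443 <- 203.0.113.7:51235       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:443 <- 203.0.113.7:51236       SYN_SENT:CLOSED
all tcp 10.0.0.5:22 <- 198.51.100.9:40000       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 198.51.100.9:40001       MULTIPLE:SINGLE
all tcp 192.0.2.1:61000 (10.0.0.8:61000) -> 198.51.100.2:80       ESTABLISHED:ESTABLISHED
all tcp 2001:db8::5[443] <- 2001:db8:1::9[50000]       ESTABLISHED:ESTABLISHED'

# top_sources [N]: reads state lines on stdin and prints "<count> <address>"
# for the N busiest initiators, highest count first (default N=10).
top_sources() {
    n="${1:-10}"
    awk '
        {
            # find the direction arrow; its position varies for NAT states
            for (i = 3; i <= NF; i++)
                if ($i == "->" || $i == "<-") break
            if (i > NF) next                 # not a state line, skip it
            a = ($i == "->") ? $3 : $(i + 1) # initiator address:port
            if (a ~ /\]$/) sub(/\[[0-9]+\]$/, "", a)   # IPv6 addr[port]
            else sub(/:[0-9]+$/, "", a)                 # IPv4 addr:port
            count[a]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -rn -k1,1 | head -n "$n"
}

# Stand-alone demonstration on the constructed sample; on a firewall use
# "pfctl -ss | top_sources 20" instead.
demo() {
    printf '%s\n' "$SAMPLE_STATES" | top_sources 3
}
```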



/usr/bin/false issue (was: relayd flapping)

2016-09-15 Thread Alan McKay
OK this is interesting, and the only thing I can think of is that it
is a hardware issue that is starting to manifest itself in this odd
way.

This relates to my email earlier today about relayd.

Because of the odd way we use relayd with "/usr/bin/false" as the
"check", we decided to just run some tests with /usr/bin/false.   We
ran it in a loop timing the execution each time.

As it turns out, normally it is instantaneous (time of 0) but every
once in a while it takes 700ms or up to 2000ms.   We tried the same
with /usr/bin/true and see the same behavior.

The only thing I can think of at this point is that it must be a HW
issue starting to manifest itself.  Any other ideas?




Re: 5.5 odd issue with relayd flapping

2016-09-15 Thread Alan McKay
Yes, upgrading is on our to-do list.
But it will be a few months before we can do that.



5.5 odd issue with relayd flapping

2016-09-15 Thread Alan McKay
Hi folks,

I have googled this and found something similar back here :

https://www.mail-archive.com/misc@openbsd.org/msg77218.html

There are a couple of threads but everything seems to say it was a known
issue that was fixed post 5.2.   But I have an extra oddity to add to it as
you will see from my relayd config.

These systems have been running fine for almost 2 years now (653 day
uptime!) with no issues, then last week one of my environments started
throwing these sorts of errors about every hour:

relayd[PID]: host , check script (Xms), state up -> down,
availability x.y%
relayd[PID]: host , check script (Xms), state down -> up,
availability x.y%

The check is against an LDAP server, but here is the funny business we have
going because it is not really checking the LDAP

We have primary and backup LDAPs defined like this :

table  { 10.x.y.1 retry 1 }
table   disable { 10.x.y.2 retry 1 }

[...]


redirect ourldap {
listen on $ldap_addr port $ldap_port interface $relayd_int
tag relayd
session timeout 86400
forward to  check script "/usr/bin/false"
forward to   check script "/usr/bin/false"
}

I know this seems odd but basically as far as relayd is concerned there is
never an issue whatsoever with its check.  We do this because we have another
script which runs that will cut over between the LDAPs if there is an issue.
We basically use relayd to handle the firewall rules for us.  (Earlier versions
of this check found that relayd was not able to properly cut over the LDAPs
on its own - it took several minutes to do so )

We checked the local NICs for errors (netstat -I) and there was nothing.
We checked the switch for errors, and again nothing.

Oh one more thing - this is a redundant pair of firewalls and we only see
this on the backup firewall, not the master.  And it is in our DR facility which
really does not see any traffic.  We have the exact same configuration
in production which is extremely active, and we do not see the issue there.

thanks,
-Alan






Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Alan McKay
On Fri, Mar 11, 2016 at 4:36 PM, Josh Grosse  wrote:
> 100Mbit?  You could go even smaller, such as the PCEngines Alix
> platform.  They are 32-bit (i386) only, however.
>
> Each NIC is able to sustain 70-80 Mbps, in my experience.

Do those have 4 NICs?

Ideally I'd like to get a redundant pair of FWs in 1U.
But I need 4 NICs on each as a bare min.





Re: Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Alan McKay
On Fri, Mar 11, 2016 at 4:09 PM, Brandon Vincent
 wrote:
> If you have a pair setup for redundancy, it really comes down to the
> expected network utilization. What sort of network are we talking
> about?

Well I guess I'd place them according to their capability.
Could I put them on a 100Mbit link to the world?
Would they handle that?





Small FW boxes for CORP use (was: T40E APU?)

2016-03-11 Thread Alan McKay
On Mon, Mar 7, 2016 at 3:37 PM, Chris Cappuccio  wrote:
>
> Nope. You might want a Supermicro X11SBA-LN4F or maybe Netgate's
> RCC-VE 2440 if you need 4 ports.

Opinions on using either of those as a redundant pair for corporate use?





Re: OpenBSD on AMD Embedded G-Series T40E APU?

2016-03-07 Thread Alan McKay
Next question ... do they make them with 4 or more NIC ports?

I only see them with 3 ports on that site.



OpenBSD on AMD Embedded G-Series T40E APU?

2016-03-06 Thread Alan McKay
Hey folks,

The website does not seem to have a lot of info on what CPUs are
supported.  I'm looking at this box for a home firewall with OpenBSD

http://www.corpshadow.biz/bizstore/apu1d-red-combo-kit-p-345.html?cPath=51

thanks,
-Alan




implementing circular queue for tcpdump logging

2016-01-28 Thread Alan McKay
Hi folks,

Something I've done on other platforms e.g on a firewall is have
tcpdump running and logging to disk.  You know ahead of time how much
disk space to allocate to this task, and there are command line
options on tcpdump that you can adjust to accomplish this.  So it will
always occupy that known amount of space, and you know that you have
the last X hours of traffic logged.  Basically use the option to
change to a new log file as soon as it hits size X, combined with the
option to limit the number of log files to Y.

Has anyone done something like this with OpenBSD?  I don't see
anything obvious and was wondering what others might have done to
accomplish this.   Perhaps some kind of wrapper script ...

thanks,
-Alan




Re: implementing circular queue for tcpdump logging

2016-01-28 Thread Alan McKay
On Thu, Jan 28, 2016 at 10:31 AM, sven falempin  wrote:
> syslog has memory buffer that rotates. (:name:size)
> pflogd can log, tcpump | logger is you want something else
>
> problem solved.

Thanks.  I should have thought of pflogd!
Looks like a modification of the standard OpenBSD technique to
shoot that into syslog will work.





Re: Munich BSD meetup

2015-02-07 Thread Alan McKay
So?   How was the beer?  That's what we want to know!

Did you finish off something dark?



ntpd.conf - add ability to read servers from an include file?

2015-01-29 Thread Alan McKay
Hey folks,

Would anyone else see value in this?
Basically for the sake of automated deployments it would be nice / clean
to be able to do :

includeservers /path/to/file

And then read them all from the file.  And the same file would be used
as a table in pf.conf for NTP FW rules.  One server per line.

This would make initial deployments easier to automate (no need to
programmatically alter the config file), and then if you need to change
your NTP servers post-deployment it is cleaner as well with less chance
of human error. i.e. changing pf.conf is riskier than changing ntpd.conf

Thoughts?

-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Mapping pf syslog rule numbers to lines in pf.conf

2015-01-26 Thread Alan McKay
On Mon, Jan 26, 2015 at 3:47 PM, James Shupe jsh...@hermetek.com wrote:
> pfctl -sr -R rulenum
>
> Further details can be found in the man page.

Oh man that was way too easy!

Anyone in Ottawa is welcome to come by and give me 10 lashes ... (
hangs head in shame )

Thanks.  I was trying to search through the man page but the word
rule occurs quite a few times ;-)





Mapping pf syslog rule numbers to lines in pf.conf

2015-01-26 Thread Alan McKay
Hey folks,

This one seems to be difficult to google - not coming up with much.

I have some firewall blocks I want to investigate and of course they
are reported as matching a specific rule number - but I am not sure
how to map that back to a line in my pf.conf

Could someone enlighten me?

thanks,
-Alan




Re: Hannover BSD meetup

2015-01-23 Thread Alan McKay
Time it with CeBit and everyone will have a reason to come from afar :-)



1U / 2 Computers? For redundant FW pair

2015-01-21 Thread Alan McKay
I know that Supermicro has some interesting side-by-sides starting at
2U, but I'm not aware of anything in 1U.  Basically I'd like to have
my redundant FW pairs take up less rack space.   I guess another
option would be half-width 1U if anything like that exists, and
install a rack shelf.





Re: 1U / 2 Computers? For redundant FW pair

2015-01-21 Thread Alan McKay
On Wed, Jan 21, 2015 at 8:05 AM, Ganguin Michel
michel.gang...@nagra.com wrote:
> in 1U (another one goes up to 8 systems in 2U, twin3):
> http://www.supermicro.nl/products/nfo/1UTwin.cfm

Oh they do have them ...  I checked a while back and could have sworn
the Twins only started at 2U

> However they share some stuff:

OK maybe that's why I discounted them back then.






building ntop from ports with -w enabled

2015-01-20 Thread Alan McKay
Hey folks,

I install ntop from ports and try to run it with -w and it tells me it
is disabled due to security reasons.  (1) I'd like to read more on
those reasons, and (2) I'd like to enable that feature anyway at very
least in my test setup to evaluate while also reading up on (1).

Is there any way to do that from ports or will I need to build from scratch?

thanks,
-Alan




Re: Crash cart console adapters compatible with OpenBSD?

2015-01-16 Thread Alan McKay
On Fri, Jan 16, 2015 at 1:38 PM, Devin Reade g...@gno.org wrote:
> Well, in an attempt to dig myself out of the hole, the OP *did* say, or in a
> pinch, Linux ...

That I did :-)





Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Alan McKay
Hey folks,

I'm looking for something like this that I can plug into a network
debugging laptop to get console access to servers in a rack.  Ideally
the laptop would run OpenBSD or in a pinch Linux.  The comments
section of this page says there is required software and that it
stopped working when upgrading from Ubuntu 12.04 to 14.04.  That
suggests to me this would not work with OpenBSD

http://ca.startech.com/Server-Management/KVM-Switches/Portable-USB-PS-2-KVM-Console-Adapter-for-Notebook-PCs~NOTECONS01

Can anyone suggest something similar that would?

thanks,
-Alan




Re: Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Alan McKay
On Thu, Jan 15, 2015 at 1:22 PM, Jon Simola jsim...@gmail.com wrote:
> To explain better, this would be in a private /30 network just so you can
> VNC from laptop to the KVM.

OK that might work





Re: Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Alan McKay
This one seems reasonable so I will get one in to try out.

http://www.newegg.ca/Product/Product.aspx?Item=9SIA5SC1VA2702cm_re=lantronix_spider-_-9SIA5SC1VA2702-_-Product

The only downside I see is that a laptop will have only 1 NIC and so I
won't have both a console and network connection at the same time.
I guess I could also get a USB NIC adapter for a 2nd NIC.



Re: mouse spontaneously detaches in console

2014-12-19 Thread Alan McKay
We've been having a similar issue with keyboards on 5.1 with no X, and
when we upgraded to 5.5 recently we seem to still have it.  All HP
hardware about 3 years old.  You have to unplug the keyboard and plug
it into a different port, then return it back to the original to get
it back.  Sometimes you have to walk around to the other side of the
rack to do it.

Very frustrating ...

After the holidays I'll get a dmesg with more details



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-04 Thread Alan McKay
On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod vi...@icanconnect.com wrote:
> We have been using Mikrotik routerboards since 7 years

Huh?  With OpenBSD on them?





OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
This is very interesting - I've been looking at various small boxes
like this to use as a home firewall.
The only problem is that not many of them have 2 NICs, and the ones
that do are very expensive (higher end Zotac)

Does anyone know of a similar device with 2 NICs that might be
suitable as a home firewall?

What about one of the Open Firmware firewalls like ASUS?  Is there an
OpenBSD load for those?  Instead of Tomato or the likes ...



Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
On Wed, Dec 3, 2014 at 4:54 PM, Mikkel C. Simonsen m...@post5.tele.dk wrote:
> As I have written many times - used thin clients are available in huge
> numbers as scrap. Many of them have a PCI or PCIe slot, so adding a second
> NIC is easy. I often use thin clients with a Compaq 2- or 4-port NIC. Total
> cost about 15-20 euros.

That's interesting - what sort of brand name or product name would I search for?
I'm not really familiar with any thin clients





Re: OpenBSD embedded? (was: OpenBSD 5.6-current on ASUS Chromebox)

2014-12-03 Thread Alan McKay
I see one of  these on my local kijiji but can't tell whether or not
it has a PCI slot.  It is not on the hardware list of that parkytowers
site

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/12454-12454-321959-338927-5112717-5295294.html?dnr=2



Re: ifstated intermittent flapping after 5.1 to 5.5 upgrade

2014-11-21 Thread Alan McKay
We believe we've found it - the internet-facing NIC had a minor
configuration change as well, as part of the upgrade.  It was no
longer explicitly being set in full duplex mode, and as it turns out
it was coming up in half-duplex.

Now we play the waiting game to see whether we are right :-)



ifstated intermittent flapping after 5.1 to 5.5 upgrade

2014-11-20 Thread Alan McKay
Hi folks,

After a 5.1 to 5.5 upgrade on a redundant firewall pair, every once in
a while my FW2 (backup) promotes itself and then immediately demotes
itself again.  Which I find very odd because it is doing so based on
pinging its peer every 10 seconds, and so the value of that boolean
should only change after 10 seconds, no?

I cannot find anything else going on in other log files around the
same time that would help explain this.

From my /var/log/daemon :

Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to promoted
Nov 15 17:55:25 my-hostname ifstated[28981]: changing state to backup
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to promoted
Nov 16 21:43:07 my-hostname ifstated[28981]: changing state to backup
Nov 18 11:44:38 my-hostname ifstated[28981]: changing state to promoted
Nov 18 11:44:38 my-hostname ifstated[28981]: changing state to backup
Nov 19 07:44:27 my-hostname ifstated[28981]: changing state to promoted
Nov 19 07:44:27 my-hostname ifstated[28981]: changing state to backup

Ifstated.conf has changed very little since before the upgrade - a few
minor tweaks and that is it.  And what is triggering the flap is this
piece of code :

These are the internal and external interfaces.  The first IP is the
front door.  The second one is an internal IP - the stuff I am
protecting.  This is happening in 3 different environments all with
carbon-copy configs

peer = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 && \
          "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'

snip---

if ! $peer {
    if $carp_ready {
        if $local {
            if $relayd {
                set-state promoted
            }
        }
    }
}


And here is the whole ifstated.conf - with some added debug statements
to try to help me get to the bottom of this.


init-state backup

carp_ready = "( (! carp0.link.unknown) && (! carp1.link.unknown) && (! carp5.link.unknown) && (! carp20.link.unknown) && (! carp25.link.unknown) && (! carp30.link.unknown) )"

local = '( "ping -q -c 1 -w 1 10.1.1.2 > /dev/null 2>&1" every 10 && \
           "ping -q -c 1 -w 1 10.20.1.2 > /dev/null 2>&1" every 10)'

# changed this to determine which one was not pinging
# peer = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10 && \
#           "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'
peer1 = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10)'
peer2 = '( "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'

# If relayd fails, we will not be promoted.
relayd = '( "pgrep relayd | wc -l | grep 8" every 10 )'

state backup {
    init {
        # %m is the month; %M (minutes) was a typo in the original debug line
        run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") starting up\" >> /var/log/ifstated"
        run "ifconfig carp0 advskew 100"
        run "ifconfig carp1 advskew 100"
        run "ifconfig carp5 advskew 100"
        run "ifconfig carp20 advskew 100"
        run "ifconfig carp25 advskew 100"
        run "ifconfig carp30 advskew 100"
        run "sleep 60"
    }

    # these debugging statements are new to help get to the bottom of it
    if ! $peer1 {
        run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") peer1 no good\" >> /var/log/ifstated"
    }
    if ! $peer2 {
        run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") peer2 no good\" >> /var/log/ifstated"
    }
    if ! $carp_ready {
        run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") carp_ready no good\" >> /var/log/ifstated"
    }
    if ! $local {
        run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") local no good\" >> /var/log/ifstated"
    }
    if ! $relayd {
        run "echo \"$(date +\"%Y-%m-%d %H:%M:%S\") relayd no good\" >> /var/log/ifstated"
    }

    if ( ! $peer1 ) || ( ! $peer2 ) {
        if $carp_ready {
            if $local {
                if $relayd {
                    set-state promoted
                }
            }
        }
    }
}

state promoted {
    init {
        run "ifconfig carp0 advskew 10"
        run "ifconfig carp1 advskew 10"
        run "ifconfig carp5 advskew 10"
        run "ifconfig carp20 advskew 10"
        run "ifconfig carp25 advskew 10"
        run "ifconfig carp30 advskew 10"
    }

    if ( $peer1 ) && ( $peer2 ) {
        set-state backup
    }

}





Re: ifstated intermittent flapping after 5.1 to 5.5 upgrade

2014-11-20 Thread Alan McKay
On Thu, Nov 20, 2014 at 3:57 PM, Alan McKay alan.mc...@gmail.com wrote:
> peer1 = '( "ping -q -c 1 -w 1 10.1.1.1 > /dev/null 2>&1" every 10)'
> peer2 = '( "ping -q -c 1 -w 1 10.20.1.1 > /dev/null 2>&1" every 10)'

At present I am thinking that my problem would go away if I changed my
pings to -c 3 -w 3 instead of 1s, but it was never a problem before
the upgrade so I'm a bit baffled.

I would hate to fix that and thereby mask some other issue.




Input from upgrade script overwrites files in site55-hostname.tgz

2014-11-13 Thread Alan McKay
Hi folks,

Maybe this is by design but it seems odd to me.

I have a site55-hostname.tgz file with all of my local customizations,
and it installs great over http.
However, /etc/mygate ends up being based on the input I provided
during the upgrade script.
And /etc/hostname.bnx3 as well (install took place through bnx3, I did
not configure any other interface during the install).  Both of these
files are in site55-hostname.tgz and those files are what I want used
in my final system.

I would expect site55-hostname.tgz to be untarred last and would
expect the mygate and hostname.bnx3 found therein to be what I end up
with after booting, but that is not the case.

I work around the issue with some fancy footwork in a post-install
script I've provided, but it seems to me to be something that should
not have to be worked around.

Is there a rationale for this?

thanks,
-Alan




Re: Logging Password change attempts

2014-10-30 Thread Alan McKay
Take the original passwd command and rename it to passwd.orig and
rename your script into its place (without the .sh ending) and have
your script call passwd.orig.  Still not perfect since someone who
knows the difference can still call the orig directly.

The alternative would be to dig into the source code of passwd itself,
and submit a patch to do what you want to do.  That would be the
cleanest solution.



Re: relayd question - from the man page

2014-10-21 Thread Alan McKay
Anyone?
Anyone?
Buehler?

On Fri, Oct 17, 2014 at 9:41 AM, Alan McKay alan.mc...@gmail.com wrote:
> Hi folks,
>
> The manpage for relayd.conf has this basic construct in it a couple of times :
>
>    table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
>    table <fallback> disable { 10.1.5.1 retry 2 }
>
>    redirect www {
>        listen on www.example.com port 80
>        forward to <service> check http "/" code 200
>        forward to <fallback> check http "/" code 200
>    }
>
> And also has this to say about the disable attribute.
>
>   disable
>   The redirection is initially disabled.  It can be later enabled
>   through relayctl(8).
>
> What I don't understand from the given examples is how <fallback>
> above is getting re-enabled.  It starts out with the table disabled -
> I get that.  But then within the redirect we are basically saying
> (correct me if I am wrong) always use <service> unless it is not
> available, in which case use <fallback>
>
> But I don't see anywhere that <fallback> was re-enabled so how can it
> be used?  And I search through the manpage and don't see any mention
> of this.  Does it automatically get re-enabled within the redirect -
> forward?  And if that is the case, what was the point of starting it
> disabled in the first place?
>
> thanks,
> -Alan







Re: relayd question - from the man page

2014-10-21 Thread Alan McKay
On Tue, Oct 21, 2014 at 1:25 PM, System Administrator ad...@bitwise.net wrote:
> The answer to your question is right there in the very manpage
> paragraph you quoted below.

Yes, I should have clarified that I did see that. (That is why I quoted it)

It just does not seem to make a lot of sense that one would have to
manually intervene
in order to cut over to the fallback.  So I guess that is my question
behind my question.

Why start the fallback table as disabled?

Would it not make a lot more sense to start it enabled so if service
was down it
would automatically cut over to fallback without manual intervention?

Or is there somehow a danger that it will go to fallback when
service is not down?
Is that why fallback is started disabled?





relayd question - from the man page

2014-10-17 Thread Alan McKay
Hi folks,

The manpage for relayd.conf has this basic construct in it a couple of times :

   table <service> { 192.168.1.1, 192.168.1.2, 192.168.2.3 }
   table <fallback> disable { 10.1.5.1 retry 2 }

   redirect www {
       listen on www.example.com port 80
       forward to <service> check http "/" code 200
       forward to <fallback> check http "/" code 200
   }

And also has this to say about the disable attribute.

 disable
 The redirection is initially disabled.  It can be later enabled
 through relayctl(8).

What I don't understand from the given examples is how <fallback>
above is getting re-enabled.  It starts out with the table disabled -
I get that.  But then within the redirect we are basically saying
(correct me if I am wrong) always use <service> unless it is not
available, in which case use <fallback>

But I don't see anywhere that <fallback> was re-enabled so how can it
be used?  And I search through the manpage and don't see any mention
of this.  Does it automatically get re-enabled within the redirect -
forward?  And if that is the case, what was the point of starting it
disabled in the first place?

thanks,
-Alan




Re: carp not reverting to master

2014-10-15 Thread Alan McKay
On Wed, Oct 15, 2014 at 2:13 PM, Marko Cupać marko.cu...@mimar.rs wrote:
> Oct 14 15:21:19 bgp1 /bsd: carp2: state transition: MASTER -> BACKUP
> Oct 14 15:21:19 bgp1 /bsd: carp1: state transition: MASTER -> BACKUP
> Oct 14 15:21:22 bgp1 /bsd: carp1: state transition: BACKUP -> MASTER
> Oct 14 15:21:22 bgp1 /bsd: carp2: state transition: BACKUP -> MASTER
> Oct 14 15:22:52 bgp1 /bsd: carp2: state transition: MASTER -> BACKUP
> Oct 14 15:22:52 bgp1 /bsd: carp1: state transition: MASTER -> BACKUP
> Oct 14 15:22:53 bgp1 /bsd: carp3: state transition: MASTER -> BACKUP
> Oct 14 15:23:02 bgp1 /bsd: carp3: state transition: BACKUP -> MASTER
> Oct 14 15:23:03 bgp1 /bsd: carp1: state transition: BACKUP -> MASTER
> Oct 14 15:23:03 bgp1 /bsd: carp2: state transition: BACKUP -> MASTER

This looks to me like you have flapping taking place because of your
ifstated configuration.

Something is wrong with /etc/ifstated.conf on one end or the other.




Where is the 'tar' source code?

2014-10-10 Thread Alan McKay
Hey folks,

I'm experiencing some really bizarre behavior with tar when trying to
pass it a list of files with the -I option, and I want to look at the
source code but alas it is not in the tree that I can find.

Yet the machine having the issue was built on this very same build machine.

I'd expect it to be here :

root@openbsd-build32
/usr/src # which tar
/bin/tar

root@openbsd-build32
/usr/src/bin # ls
CVS           chio          date          echo          kill          md5           pax           rm            stty
Makefile      chmod         dd            ed            ksh           mkdir         ps            rmail         sync
Makefile.inc  cp            df            expr          ln            mt            pwd           rmdir         systrace
cat           csh           domainname    hostname      ls            mv            rcp           sleep         test

root@openbsd-build32
/usr/src # find . -name tar

thanks,
-Alan




Re: Where is the 'tar' source code?

2014-10-10 Thread Alan McKay
Aha, should have figured to look for a link!

Anyway, I solved my problem without looking at source code.
There was a blank line in the file I was using with -I, and that
caused tar/pax to barf.



Re: rc.conf issue on upgrade from 5.5 to 5.6

2014-10-10 Thread Alan McKay
On Fri, Oct 10, 2014 at 5:35 PM, Stuart Henderson s...@spacehopper.org wrote:
> Yep. You *have* to run sysmerge for this upgrade or you will have broken rc
> scripts.

Note to self ...




Re: Securing communications with OpenBSD

2014-10-06 Thread Alan McKay
On Mon, Oct 6, 2014 at 2:00 AM, C. L. Martinez carlopm...@gmail.com wrote:
> Is my approach correct? Any other better solution? Is it stupid this
> approach?

You did not really state what your goal was.   Or what the problem is.

Securing communications between front and back end via SSH/SSL is
not a goal or problem.  It is a solution to a problem.

To me it seems a bit strange that you'd want to do this if they are all in the
same rack, for example, connected to switches that you control.

Is the goal just to make your infrastructure as secure as possible?




Re: Securing communications with OpenBSD

2014-10-06 Thread Alan McKay
On Mon, Oct 6, 2014 at 4:17 PM, Giancarlo Razzolini
grazzol...@gmail.com wrote:
> Traffic in the clear, even on a switch controlled by you, doesn't mean
> that anyone with physical access couldn't tap into your switch and see
> the traffic.

Which is why you need to lock down the switch as well.
Password protected.  Disable all unused ports.
Have some kind of MAC detection to detect and alert unknown MACs
(e.g. infoblox or something home rolled - not that difficult)

Good security is also a matter of the policies and procedures you
have in place.  Who has root access?  How do they access root?
(sudo is best - and log it all).  Is there a change management
policy and procedure?


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-03 Thread Alan McKay
On Fri, Oct 3, 2014 at 10:25 AM, Bryan Steele bry...@gmail.com wrote:
> So, you visit an order page likely content on providing your billing
> information and shipping address, but it's the use of Javascript that
> sways your final decision to order?

I thought it was the ellipsis that did it :-)


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: carp not reverting to master

2014-10-02 Thread Alan McKay
You have not yet shown the output of ifconfig

Check the advskew values on the interfaces.

When carpdemote values are equal, advskew determines who is MASTER.



Re: carp not reverting to master

2014-10-02 Thread Alan McKay
On Thu, Oct 2, 2014 at 11:03 AM, Marko Cupać marko.cu...@mimar.rs wrote:
> I have posted advskew values in initial mail (0 on masters, 100 on
> backups).

That shows me what they are supposed to be.

That does not show me what they actually are.

ifconfig output will show what they actually are.


-- 
“Don't eat anything you've ever seen advertised on TV”
 - Michael Pollan, author of In Defense of Food



Re: How to follow -stable and verify it with signify?

2014-10-01 Thread Alan McKay
On Tue, Sep 30, 2014 at 4:56 PM, Josh Grosse j...@jggimi.homeip.net wrote:
> They happen whenever a fix is backported but not deemed critical enough
> or in wide enough use for errata.  Here's the first two I found in 5.5-stable,
> there may be others but I stopped looking, since you just wanted a couple
> of examples.


Thanks.  How do I go about finding those myself?



-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Build is hard-coded to /usr/src and /usr/obj?

2014-10-01 Thread Alan McKay
Hi folks,

This seems to be the case but wondering whether there is a way to override this.
In particular I want to be able to build 5.5 -stable and then 5.5
-release + patches
and keep the two source trees separate.

thanks,
-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Build is hard-coded to /usr/src and /usr/obj?

2014-10-01 Thread Alan McKay
On Wed, Oct 1, 2014 at 11:20 AM, Josh Grosse j...@jggimi.homeip.net wrote:
> Guidance for environment variable setting can be found in the top level
> src/Makefile,
> and also in the /usr/share/mk/bsd.README -- and you may find the bsd.own.mk
> Makefile helpful.

Dang, should have thought to look there.

I was looking at the release manpage which gives the details on how
to build from source.

There is mention there of env vars for building the final release, but
not for alternate source code locations.


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Change routing tables when ISP goes down

2014-10-01 Thread Alan McKay
ifstated could do it ...



No SSH fingerprints for Alberta Anon CVS Server?

2014-10-01 Thread Alan McKay
Hi again folks,

This is yet another email relating to my search for a secure way to download
-stable source.  When I first started building -stable a couple of weeks ago I
chose the Alberta CVS server because I considered it Home Base
(or maybe I should say Center Ice?  :-))

Now that I have the building down pat I am looking at ways to ensure I
have the correct source code.  So I'm looking at what someone mentioned in
my other thread I started - verify SSH fingerprints.

However, it seems that all the servers except the Alberta one have this
information published at http://www.openbsd.org/anoncvs.html

Is there a reason this one does not have its fingerprints listed?

thanks,
-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: No SSH fingerprints for Alberta Anon CVS Server?

2014-10-01 Thread Alan McKay
On Wed, Oct 1, 2014 at 12:32 PM, trondd tro...@gmail.com wrote:
> Note: If your server is listed on here with inaccurate or unknown
> information, please contact b...@openbsd.org

Yeah, damned if you do, damned if you don't.

I saw that and was not 100% sure whether this fell into that category
and did not want to bug him and/or get chewed out for bugging him.

So I figured I'd ask the list first.

Thanks, I'll just check with beck@


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Change routing tables when ISP goes down

2014-10-01 Thread Alan McKay
On Wed, Oct 1, 2014 at 2:10 PM, Gerald Chudyk gchu...@gmail.com wrote:
> I have been casually working on this for some time now.

Hey, nice work!


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
Hi folks,

I've been googling for a couple of hours now and not coming up with much here.
I see how to download the -release source and then verify it, but I
cannot find any way to grab -stable from CVS and do the same.   I
guess the only way I do see is to start out with the -release code,
verify it, and then download each patch and apply it after verifying.
That looks to me like it would be a lot of jumping through hoops.

Am I missing something somewhere?
Or is there really no way to do this (directly)?

thanks,
-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
On Tue, Sep 30, 2014 at 10:27 AM, Stefan Olsson
stefan.karl.ols...@gmail.com wrote:
> I don't do this myself, but stable=patch branch, i.e. release + patches.
> All info you need is really in these two pages:

Yes, I have it working great already.  But at no point during that
process does it have me verify that the source code I have downloaded
is safe and came from the place I was expecting to get it from.

That's the part I'm asking about.

thanks,
-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
Sounds like I'll need to go with the signed tarballs for the -release
and then apply the signed patches to get -stable.

Dangit, I already had my process down (building from CVS) and now I
have to change it ...



Re: How to follow -stable and verify it with signify?

2014-09-30 Thread Alan McKay
On Tue, Sep 30, 2014 at 4:21 PM, Stuart Henderson s...@spacehopper.org wrote:
> binpatchng can help you with this process.

I will have to look into that

> But note that -stable sometimes has extra commits that don't have errata;
> release+patches is not quite the same thing as -stable.

Can you give 1 or 2 examples?

I've been digging into this and it actually looks like release+patches
will be easier for me to build than -stable


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: OT: Goldman Sachs rescued(?) by Google

2014-09-23 Thread Alan McKay
On Tue, Sep 23, 2014 at 3:43 AM, Maurice McCarthy
m...@mythic-beasts.com wrote:
> OK I surrender! I get the message lol

Hey at least I marked it OT:

:-)


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



OT: Goldman Sachs rescued(?) by Google

2014-09-22 Thread Alan McKay
Wow!  I can't believe they could email something like that in the first
place without encrypting it first.

Holy moly!


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: OT? - people going to EuroBSDcon in Sofia

2014-09-04 Thread Alan McKay
Personally I would not consider this off-topic in the least ...

Sadly, I will not be going.  But I may see you at the next one in Ottawa :-)



Re: Automated PXE install auto_install issue (was: Serva)

2014-09-02 Thread Alan McKay
On Sat, Aug 30, 2014 at 12:54 PM, Jiri B ji...@devio.us wrote:
> And you probably didn't mention problem with auto_install as 'filename' :)
> See http://devio.us/~jirib/pxelinux-openbsd.html

Quote : The caveat is how pxelinux reacts when filename is set to
auto_install, as stated in autoinstall(8). pxelinux would use the
value and it would split it on underscore character and use the
beginning part as prefix for every path it is supposed to load.

Awesome!  Thanks for that tip!   I had set up an auto-installer about
a month ago to do Linux and BSD installs and hit upon this fairly
major stumbling block.  I ended up doing things a bit differently that
requires some manual steps but this should let me get it back going
the way I want.

There were some other issues I'd found with the OpenBSD auto install -
I should summarize them to the list.  Room for improvement.   As a
first release of an auto installer it is pretty good though.

One nice addition would be if there is no answer in the automated
answer file, then prompt for that question.  I was surprised to find
out that OpenBSD requires you to have all questions answered or else
it bombs out.  I'll check my notes to see whether there was anything
else.

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Problems with older nc without -N option ... also how to detect nc version

2014-08-27 Thread Alan McKay
Hi folks,

I'm writing some scripts to clone over the network, and since I have
mostly boxes that do not have the -N option on nc, this is proving to
be an issue.

I have a bunch of dump files - one for each filesystem - that were
created from a live system.  When I want to send them back over the
network to another system, it seems that the sender never really sees
the end of the file.

On the sender I do

nc DEST IP DEST PORT < dump.file

On the receiver I do simply

nc -l DEST PORT | restore -rf -

That send/receive pair will just hang there forever.  But if I add the
-N option to the sender, it works as expected.

However I've also implemented some rudimentary handshaking - when the
recipient is done with the file I do :

echo OK | nc SENDER IP DEST PORT

Note no -N option - and it works great.  The other end is just doing
nc -l DEST PORT

The difference seems to be the pipe.

So I'm thinking maybe introduce a superfluous dd on the original
sender, perhaps :

dd if=dump.file | nc DEST IP DEST PORT

But I try that and get the same results - they will just stay in that
state forever.

Any ideas on how to solve this problem?  Is there some way I can tell
dd to do something differently?  Looking at the man page did not turn
up much obvious.

Also, I'd like for my script to use the -N option if it is available,
but I don't see any easy way to detect that.  I can do a man nc and
grep for -N, which seems clumsy.   nc does not seem to have a command
line option to get it to tell you what version it is.  I tried just
doing a pseudo-call with -N and checking the return code, but it seems
to always return 1 no matter what I do.  I even went into the source
code to see what was up with that.

Anyone have any ideas here?

The only thing I can think of is to write a little subroutine on the
sender which backgrounds itself and monitors the mounted disk.   When
the disk usage does not change for X seconds, kill the running 'nc'.
It should work but oh man is that hacky!

thanks,
-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Problems with older nc without -N option ... also how to detect nc version

2014-08-27 Thread Alan McKay
On Wed, Aug 27, 2014 at 12:56 PM, Alan McKay alan.mc...@gmail.com wrote:
> Anyone have any ideas here?

Well I'd been through the nc man page close to a dozen times ... and
just this one last time noticed the -w option for timeout

Works a charm!



-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-23 Thread Alan McKay
On Sat, Aug 23, 2014 at 6:21 AM, Stuart Henderson s...@spacehopper.org wrote:
> It may be easier to installboot(8) after copying.

Yeah I used installboot


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
Hi folks,

I've done this a (n exaggerated) million times on Linux but I'm new at
OpenBSD.   Google found me a few options and I just want to see
whether there are any more that I missed.

FAQ 4.15 addresses this matter and says : Unfortunately, there are no
known disk imaging packages which are FFS-aware

However my googling turned up http://clonezilla.org/, and their FAQ
claims that they understand UFS.  More googling tells me that UFS
and FFS are the same thing.   However I have not yet tried Clonezilla.

I have also found this : http://www.ualberta.ca/~antoine/clone/openbsd.html
Also looks promising.

I like the looks of the latter since it seems to allow me to run the
first part on a live system, to make a copy of that system (can anyone
confirm that?).   I'd much rather not have to take it down to make the
image since I don't have to do that when I clone Linux.   And my
production systems will be happier that way :-)

Clonezilla looks to be all-singing-all-dancing, but seems to require
me to boot from their CD or USB in order to make a copy of my original
system (can anyone confirm or refute?).  Not a massive issue in my DEV
rack but not ideal in production.

In Linux the way I do systems is to boot the target system in Live
Linux (Ubuntu), and then partition the HD(s) the way I want, and mount
them up under /mnt/target/ with that being my root.  Then run rsync
locally to copy the master live system into /mnt/target.  Use a couple
of options to tell it what not to copy.   Works awesome.   The above
perl scripts from U Alberta seem to be at least a bit similar to this
procedure.

Are there any options I am missing that I should look at?
Has anyone used the above methods and can comment on how well they
work or whether or not I should just avoid one or the other?

thanks,
-Alan


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
Wow, thanks for the responses so far!

An ancillary question : am I going to have any issues bringing it up in a VM?
I know that for example NIC names will change so I'll have to rename
hostname.bnx0 to hostname.em0

Any other gotchas?



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 10:22 AM, Jiri B ji...@devio.us wrote:
> What about automated installation and configuration management
> to do the rest?

What is this?


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 10:37 AM, sven falempin sven.falem...@gmail.com wrote:

> Openbsd is simple, you may easily script an install or use the
> automated install feature.IE  a file containing the answer to the
> install process.
>
> And finally siteXX.tgz to push your own file.

Oh OK I missed that.  Yes, we do this actually.  But I need to
clone/move a system that was created outside of that infrastructure.

I'm actually working towards pulling it into the automated installs
and cloning/moving it is part of that.

We've got a pretty slick system with svn and maven for doing this.
Just one outlier that needs to be brought in.

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 10:28 AM, Christopher Zimmermann
chr...@openbsd.org wrote:
> I usually do dump -0auf 140822var.dump0 /var for dumping /var in a
> file or
> dump -0auf - /var |nc -l 1 on source and
> restore -rf - |nc source 1

OK I want to try this so that I have better control of things and
understand it all better

On the restore side I guess I have to have the new /var mounted in the
cwd where I run this command?
e.g.
mkdir /mnt/var
chmod 0777 /mnt/var
mount /dev/foo /mnt/var
cd /mnt/var

and shouldn't the restore/nc be the other way around?  So now :

nc source 1 | restore -rf -

Also, I have the OpenBSD install CD booted and I exited to shell, but
there does not seem to be an nc there.

What are you booting on the restore side?

And do you have the -l option on the correct end up there?

I'm relatively new to nc as well but man page says that is listen
for incoming connection


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
On Fri, Aug 22, 2014 at 11:07 AM, Alan McKay alan.mc...@gmail.com wrote:
> Also, I have the OpenBSD install CD booted and I exited to shell, but
> there does not seem to be an nc there.
>
> What are you booting on the restore side?

Looks like this problem is easily solved thus :
http://livecd-openbsd.sourceforge.net/

Is that a trustworthy product?

And the intricacies of dump/restore/nc I can work out on my own ...


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: Cloning an OpenBSD system (and potential FAQ (4.15) error?)

2014-08-22 Thread Alan McKay
Clone worked great with the LiveCD booted in the destination, and
dump/restore/nc

I will be happy to document it for the FAQ if anyone wants it there.
Not sure what the process is for that.

And I will also be happy to update the FAQ regarding the aforementioned error.

Now, I do have one problem with the cloned system, but I'll start a
new thread for it.



CARP interfaces stay in BACKUP on cloned system

2014-08-22 Thread Alan McKay
Hey folks,

I got my system cloned and it runs fine in a VM.  I had to make a few
obvious changes like changing bnx to em in all the places where I
define things with interfaces.  So /etc/hostname.* /etc/pf.conf,
/etc/relayd.conf.  And I grepped for bnx in /etc/* and /etc/*/* to
make sure I did not miss anything.

But darnit those CARP interfaces do not want to leave BACKUP state.
Even when I used ifconfig and state master to force it to master -
nope.

And there is currently no firewall partner for the pair.  There was
not for the original and it was working fine.  It is configured as one
of a pair with pfsync and so on, but its partner has been missing for
some time.

But - if I copy a hostname.carpX to a new file, give it a new vhid,
and then sh /etc/netstart carpY the new interface comes up in
MASTER.  Just all of the existing ones before the clone want to stay
in BACKUP

I've destroyed them and brought them back up.  I've put state master
into the hostname.carpX.

I'm really stumped here - any thoughts on the matter?

Any thoughts?  Do MAC addresses get cached somewhere maybe?
Something like that?

thanks,
-Alan

-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: troubleshooting carp [solved]

2014-08-20 Thread Alan McKay
This is very interesting.   I have the faulty config in 5.5 but it
seems to work.  But we have it all on 1 line if that matters and we
also specify carpdev


---snip---

This doesn't work so well:
# cat /etc/hostname.carp0
inet 192.168.16.1/24
vhid 100 pass blahblah advbase 5 advskew 0


This works however:
# cat /etc/hostname.carp0
vhid 100 pass blahblah advbase 5 advskew 0
inet 192.168.16.1/24



Re: named does not start?

2014-08-20 Thread Alan McKay
On Wed, Aug 20, 2014 at 3:08 PM, Christer Solskogen
christer.solsko...@gmail.com wrote:
> named_flags=

Try

named_flags=""

I had the same issue with httpd in 5.5.

It seems that ntpd lets you have blank after =, but not httpd

Not running named on this system so dunno :

ntpd_flags= # enabled during install
httpd_flags=  # for normal use: 



-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food
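Two small lint checks, added here as an example and not taken from the thread or from OpenBSD itself, for the two configuration pitfalls above: a hostname.carp* file whose inet line precedes its vhid line (the "doesn't work so well" layout quoted in the troubleshooting carp thread), and an rc.conf *_flags variable left bare after the = (the named/httpd case). It assumes POSIX sh and awk; the file paths are supplied by the caller and the sample files shown in the trailing comment are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenBSD): two lint
# checks for the two configuration pitfalls discussed above.
# Assumes POSIX sh and awk; paths are supplied by the caller.

# check_carp_order FILE
# Prints "bad" if an "inet ..." line appears in FILE before any line
# carrying "vhid" (the layout the thread reports as not working), and
# "ok" otherwise. A single line holding both inet and vhid, as in the
# working 5.5 example, is accepted because the vhid rule runs first.
check_carp_order() {
    awk '
        /(^|[ \t])vhid[ \t]/            { seen_vhid = 1 }
        /^[ \t]*inet6?[ \t]/            { if (!seen_vhid) bad = 1 }
        END { print (bad ? "bad" : "ok") }
    ' "$1"
}

# check_rc_flags FILE
# Prints the name of every *_flags variable in FILE whose value is bare
# (nothing, or only a comment, after the "="), one per line. Values such
# as "" or NO are not reported.
check_rc_flags() {
    awk -F= '
        /^[A-Za-z0-9_]+_flags=/ {
            v = $2
            sub(/^[ \t]*#.*/, "", v)    # value that is only a comment
            sub(/[ \t]+$/, "", v)       # trailing whitespace
            if (v == "") print $1
        }
    ' "$1"
}

# Typical use on a live system (not run here):
#   for f in /etc/hostname.carp*; do
#       printf '%s: %s\n' "$f" "$(check_carp_order "$f")"
#   done
#   check_rc_flags /etc/rc.conf.local
```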



Re: troubleshooting carp

2014-08-14 Thread Alan McKay
On Thu, Aug 14, 2014 at 2:36 PM, Stefan Olsson stur...@hotmail.com wrote:
> That begs the question though -

http://begthequestion.info/

:-) (former philosophy major ...)


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food



Re: [Bulk] Re: Donations to OpenBSD

2014-08-14 Thread Alan McKay
On Thu, Aug 14, 2014 at 4:40 PM, Daniel Villarreal
yclwebmas...@gmail.com wrote:
> It means Producer, or maker

also manufacturer ...


-- 
Don't eat anything you've ever seen advertised on TV
 - Michael Pollan, author of In Defense of Food