Re: NFS high availability

2006-08-16 Thread Barry, Christopher
snip...
  throwing stale nfs file handle errors. My assumption is that these are the
  result of ESTALE being returned by the server and that the system doesn't
  understand how to handle this gracefully and reopen the files.
 

What you need to do is mount the nfs state directory from shared storage. 

nfs1:~# ls -la /var/lib/nfs
lrwxrwxrwx 1 root root 14 2006-07-24 08:22 /var/lib/nfs -> /mnt/state/nfs
nfs1:~#

You'll also want to use the -n option to statd, putting the virtual hostname as 
a parameter. This way the state will work from either host.

When the failover nfs server comes online, it uses this state data and common 
hostname, and it will pick up the task without so much as a hiccup. I'm doing 
this currently on Debian GNU/Linux, but the concept is exactly the same and 
should be very similar on OBSD.


-C
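A pre-flight check for the layout described above, added here as an example (it is not code from the original post): it confirms that the NFS state directory is a symlink into the shared mount, that statd's sm/ and sm.bak/ directories exist there, and that the statd command line carries -n with the virtual hostname, so lock-recovery state and notifications really come from the shared identity both nodes use. The paths, the VIP name and the statd layout (sm/ and sm.bak/ under the state directory, as rpc.statd uses on Linux) are assumptions; the directory tree built at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original message: verify that the NFS
# lock/state directory lives on shared storage and that statd is told
# the shared hostname, as the post recommends.
# Assumptions: statd keeps its state under sm/ and sm.bak/ inside the
# state directory; all paths and hostnames below are placeholders.

# nfs_state_check STATEDIR SHAREDMOUNT
# Returns 0 when STATEDIR is a symlink into SHAREDMOUNT that holds
# statd's directories, 1 otherwise, printing the first problem found.
nfs_state_check() {
    statedir=$1
    shared=$2

    if [ ! -L "$statedir" ]; then
        echo "FAIL: $statedir is not a symlink (state is node-local)"
        return 1
    fi

    target=$(readlink "$statedir")
    case "$target" in
        "$shared"/*) ;;
        *)
            echo "FAIL: $statedir -> $target is outside $shared"
            return 1
            ;;
    esac

    for d in sm sm.bak; do
        if [ ! -d "$target/$d" ]; then
            echo "FAIL: missing $target/$d (statd never ran here?)"
            return 1
        fi
    done

    echo "OK: $statedir -> $target"
    return 0
}

# statd_uses_vip CMDLINE VIPNAME
# True when the statd command line carries "-n VIPNAME": without it the
# surviving node notifies clients under its own name and they will not
# reclaim locks after failover.
statd_uses_vip() {
    printf '%s\n' "$1" | awk -v vip="$2" '{
        for (i = 1; i < NF; i++)
            if ($i == "-n" && $(i + 1) == vip) found = 1
    } END { exit found ? 0 : 1 }'
}

# Constructed demo layout in a temporary directory (stands in for
# /var/lib/nfs and /mnt/state on a real node).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/mnt/state/nfs/sm" "$demo_root/mnt/state/nfs/sm.bak"
mkdir -p "$demo_root/var/lib"
ln -s "$demo_root/mnt/state/nfs" "$demo_root/var/lib/nfs"

nfs_state_check "$demo_root/var/lib/nfs" "$demo_root/mnt/state"
if statd_uses_vip "rpc.statd -n nfs-vip" "nfs-vip"; then
    echo "OK: statd announces as nfs-vip"
fi
rm -rf "$demo_root"
```

On a live node you would call nfs_state_check /var/lib/nfs /mnt/state and feed statd_uses_vip the statd line from ps; the demo tree only exists so the checks can be exercised without root.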



Re: Code to execute a command on another tty

2006-07-25 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of STeve Andre'
 Sent: Tuesday, July 25, 2006 9:35 AM
 To: misc@openbsd.org
 Subject: Re: Code to execute a command on another tty
 
 That echoes data to another tty; I want to send *input* to that
 tty as if someone were there.  
 
 --STeve Andre'
 
 On Tuesday 25 July 2006 07:11, Lawrence Horvath wrote:
  As long as the permissions are correct you can just redirect, you just
  need to know what tty you're piping to. I used who to check, and you
  have to be an equal or higher user; my example was done as the same
  user on both sides, like so:
 
  ttyp1:
  $ echo hello world > /dev/ttyp0
  $
 
  ttyp0:
  $ hello world
 
  On 7/24/06, STeve Andre' [EMAIL PROTECTED] wrote:
  I'm looking for a way to execute commands on other tty's.
   On SunOS there was force.  Is there an equivalent here or do
   I need to make my own?
  
   Thanks, STeve Andre'
 
 


Would www.conserver.com work for you?

-C



Re: News From HiFn

2006-07-12 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Travers Buda
 Sent: Wednesday, July 12, 2006 10:46 AM
 To: OpenBSD Misc
 Subject: Re: News From HiFn
 
  On Tue, 11 Jul 2006 11:03:02 -0400, Dan Farrell 
 [EMAIL PROTECTED]
  said:
   I had respect for Theo before the American comment. It was
   unnecessary, out of line, and damaging to the OBSD effort as a
   whole. You couldn't make your point without getting ugly, eh?
 
 Oh shut up. You're of the mentality that you should never have to be
 offended. Too bad, it happens. 
 
 What I have respect for is a person who speaks their mind, makes their
 position clear, and has no regard for politics.
 
 Oh noes! Theo made an anti-American comment! Well we need all the anti-
 bull comments we can get about stupid policy, stupid wars, stupid
 everything! In fact, Theo has got that original American spirit--freedom
 from tyranny, freedom of speech, freedom to do as he pleases. That's
 what being American is all about, freedom. 
 
 Wars, wartime policy, domestic surveillance, asinine export laws, (crypto
 is a munition? pass the spoon!) skewing the system of checks and
 balances, loading the courts with fundamentalists, etc, is as un-
 American as you can get.
 
 Travers
 


Don't forget about flag burning! Burning the flag IS the symbol of the
freedom that the flag ostensibly represents. People fought and died in
political wars to be ABLE to burn a flag if they goddamn want to
(assuming it's theirs, of course ;). Like this is the MOST important
thing these spineless-never-been-in-the-military-anyway-chickenhawk
f**ks should be arguing about? *cough*Katrina*cough*Campaign Finance
Reform*cough*impeach the criminals*cough*. Sheesh.

And don't forget 'Support Our Troops!'. Like we don't, if we don't want
them to die meaninglessly? Tap...Tap...Hell? (more 'look at the
shiny object!' - not at the truth, Rovian political double-speak
hogwash). These douchebags would be just plain embarrassing - if they
weren't so waron-terra-fying.

'Better the pride that resides, in a citizen of the World, than the
pride that divides, when a colorful rag is unfurled' --Rush (the Band,
not the rabid limpdick druggie)

-C



FW: Ntop, Nw. Board Mfg, and CARP

2006-06-25 Thread Barry, Christopher
 -Original Message-
 From: Barry, Christopher 
 Sent: Saturday, June 24, 2006 4:09 PM
 To: misc@openbsd.org
 Subject: Ntop, Nw. Board Mfg, and CARP
 
 Hey,
 
   I'm running CARP on a 3.7 GENERIC router.
 
 I'm playing w/ ntop, and pressing 'n' repeatedly changes the 
 display format of the host. One selection is network board 
 manufacturer, based on MAC allocation I'm guessing. My CARP 
 interface says the mfg is U.S. Department of Defense.
 
 Is this normal?
 
 Thanks,
 -C

Ironically - this never made it to the list...

Reposting.

-C 



Ntop, Nw. Board Mfg, and CARP

2006-06-24 Thread Barry, Christopher
Hey,

I'm running CARP on a 3.7 GENERIC router.

I'm playing w/ ntop, and pressing 'n' repeatedly changes the display
format of the host. One selection is network board manufacturer, based
on MAC allocation I'm guessing. My CARP interface says the mfg is U.S.
Department of Defense.

Is this normal?

Thanks,
-C
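What ntop is reporting is the OUI of the CARP interface's virtual MAC, not of the board: carp(4) announces addresses from the IANA-reserved block 00:00:5e:00:01:XX (shared with VRRP), where XX is the vhid, so a vendor lookup shows the registrant of 00:00:5e rather than the NIC manufacturer. The script below is an added example, not code from the original message or from ntop, that tells such virtual MACs apart from burned-in ones and recovers the vhid; the sample addresses at the end are constructed. From a monitoring point of view the same check is handy in reverse: a 00:00:5e:00:01 address on a segment that does not correspond to one of your configured vhids deserves a look.

```shell
#!/bin/sh
# Added example (not from the original message): tell a CARP/VRRP virtual
# MAC apart from a NIC's burned-in address. CARP uses the IANA block
# 00:00:5e:00:01:XX, where XX is the vhid, so an OUI lookup shows the
# registrant of 00:00:5e rather than the board's manufacturer.

# carp_vhid MAC
# Prints the vhid (decimal) and returns 0 if MAC is a CARP/VRRP virtual
# MAC; returns 1 for any other address. Case-insensitive.
carp_vhid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        00:00:5e:00:01:[0-9a-f][0-9a-f])
            # last octet is the vhid, in hex
            vhid=$((0x${mac##*:}))
            echo "$vhid"
            return 0
            ;;
    esac
    return 1
}

# classify_mac MAC
# One line per address: either "carp-virtual vhid=N" or "physical oui=..".
classify_mac() {
    if vhid=$(carp_vhid "$1"); then
        echo "$1 carp-virtual vhid=$vhid"
    else
        echo "$1 physical oui=$(printf '%s' "$1" | cut -d: -f1-3)"
    fi
}

# Constructed sample: the kind of addresses an ARP table on the
# segment might list (two CARP vhids and one ordinary NIC).
for m in 00:00:5e:00:01:01 00:00:5E:00:01:0A 00:00:1a:19:d3:13; do
    classify_mac "$m"
done
```

To run it over a real table, pipe the MAC column of arp -an through classify_mac one address at a time.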



Re: NFS Slow writes

2006-06-15 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Bob Bostwick (Lists)
 Sent: Thursday, June 15, 2006 6:05 PM
 To: misc@openbsd.org
 Subject: NFS Slow writes
 
 I'm trying to setup an NFS share, and am getting horrible write
 performance.  Reads are fast as can be expected.  I've searched the
 archives and found several threads on the subject, but no resolutions.
 I've tried all possible fstab options (that I know of) but none really
 help with write.  I'm currently using
 
 ip.addr:/nfs /test/dir nfs rw,nodev,nosuid,tcp,intr,-r=32768,-w=32768 0 0
 
 From a Nov. 2004 thread (Subject: Re: nfs write speed performance... still):
 
 ...it seems that the problem is known but no fixes are known 
 or planned
 for now since there're other priorities...
 
 Does anyone still know if this is the case, or have I missed an
 important thread?
 
 Thanks.
 


Newer versions of nfs are set to 'sync' by default. Change to 'async'
and check performance.

-C 



Re: Hifn policy on documentation

2006-06-13 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Hank Cohen
 Sent: Tuesday, June 13, 2006 12:10 AM
 To: misc@openbsd.org
 Subject: Hifn policy on documentation
 
 Folks,
 There has been some discussion of late on this list about 
 Hifn's policy
 with respect to releasing documentation to the general public.  That
 discussion led to a great deal of uninformed speculation and
 unflattering statements about Hifn's unfriendliness towards the open
 source community.  I would like to set the record straight.  
 
 The simple fact is that anyone who wants access to Hifn's 
 documentation
 need only log on to our extranet site (http://extranet.hifn.com/home/)
 to download as much as they like.  This is true of the 795x Algorithm
 accelerator chips and the 7855 and 8155 HIPP chips.  Some more
 restrictions may apply to our NP and flow through part documents.  
 
 Specifically the documentation for 7954, 7955 and 7956 is available.
 The other chips that are supported by the Open BSD Crypto drivers
 hifn(4), lofn(4) and nofn(4)  (7751, 7811,7951, 9751, 6500, 7814, 7851
 and 7854) are legacy parts that are not recommended for new designs.
 The driver will also work for 7954 even though that is not listed.  
 
 This does represent some liberalization of access in recent months.
 Hifn is always monitoring its policy with respect to the 
 confidentiality
 of documentation and other business information.  Some 
 information will
 probably always require a non-disclosure agreement.  Information that
 falls into that category is generally of a sensitive 
 competitive nature,
 contains trade secrets or is related to unannounced or unreleased
 products.
 
 Software licenses are generally restricted in the disclosure or source
 code reproduction rights.  Hifn reserves the right to keep our source
 code proprietary.   This should not affect the hifn(4) driver 
 since that
 driver is programmed directly to the hardware and does not use Hifn's
 enablement software library.   
 
 Registration at our extranet is required along with an email address
 that can be confirmed.  We cannot support anonymous FTP or http
 downloads.  The reason for this is that we are required by the
 conditions of our US export licenses to know who and where 
 our customers
 are.  If anyone objects to registration then we could not sell them
 chips anyway so it does not seem an unreasonable restriction to us.
 
 I hope that this clears the air.
 
 Best regards,
 Hank Cohen
 Product Line Manager
 Hifn Inc.
 750 University Ave
 Los Gatos Ca. 95032
 408-399-3593
 
 

Actually, it's just ignorance on Hifn Marketing's part. It's really that
simple. Ignorance and stubborn misunderstanding, and it's incredibly
frustrating. It's not stupidity - there's a difference. Ya don't know
what ya don't know... They simply do not understand.

Hank, certainly you can see the relationship between driver support on
more platforms and increased product sales. It's just logical. More
chips sold, and you get a bigger bonus! You can also understand the need
for security and privacy - hence your product. Security is one of the
main reasons people gravitate toward OpenBSD. You really have a lot in
common. Check it out - OpenBSD people are writing code to support your
products, and not only is it not costing your company a penny, but it is
actively increasing the sale of your product. It's a total Win-Win. Do
the numbers.

When you look at the security minded bent of the OpenBSD community, what
I would say is a fierce loyalty to those vendors that 'get it', and the
fact that this thread will be available for all the World to see when
they Google 'hifn openbsd', and you should start seeing that by
stubbornly adhering to your policy, you are really just shooting
yourself in the foot.

What you *could* be doing is running as fast and hard as you can in the
*other* direction - by actively helping Open Source developers as much
as possible - and that means support with docs, dev kits, test hardware,
and maybe even a little financial support. That's the savvy, New World
MBA thing to do.

I see this all the time, most big vendors are clueless, and frankly my
company is guilty of it. What your company - and mine - need is to
employ the perspective and wisdom of those deeply into open source to
help them leverage the energy of those committed to providing quality,
free software. For hardware vendors, there is no better way. But doing
that correctly requires a real understanding of the culture, respect for
why these developers do what they do, and a cultivation of trust in the
community.

I hope that decrypts the air a bit more.

Regards,
-C



Re: Good GigE 8-port switch?

2006-05-09 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Karel Gardas
 Sent: Tuesday, May 09, 2006 8:19 AM
 To: misc@openbsd.org
 Subject: OT: Good GigE 8-port switch?
 
 Hello,
 
 I'm looking to replace my old 100Mbit Edimax desktop switch 
 with something 
 able to manage Gbit ethernet. The purpose is office usage, 
 but since I'm 
 software developer and like playing with network technologies I would 
 prefer to have something with VLAN/QoS/jumbo frames support on board. 
 Since this means more software written on the switch, I'm 
 more aware of 
 the fact that it might be buggy and so I'm searching for any 
 advice with 
 regarding to reliable switch manufacturer. So far I've just 
 found some 
 OvisLink, D-Link, Edimax, 3Com, Linksys, LevelOne, SMC which 
 do support at 
 least part of the wanted features, but none of the companies 
 tell anything 
 about their products reliability of course.
 
 Thanks,
 Karel
 --
 Karel Gardas  [EMAIL PROTECTED]
 ObjectSecurity Ltd.   http://www.objectsecurity.com
 


I've had very good experiences with SMC, as a brand, ok experiences with
3Com as a brand, and very poor experiences with the D-Link and Linksys
brands.

HTH,
-C



Re: Good GigE 8-port switch?

2006-05-09 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Timo Schoeler
 Sent: Tuesday, May 09, 2006 8:55 AM
 To: misc@openbsd.org
 Cc: Barry, Christopher
 Subject: Re: Good GigE 8-port switch?
 
 thus Barry, Christopher spake:
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Karel Gardas
  Sent: Tuesday, May 09, 2006 8:19 AM
  To: misc@openbsd.org
  Subject: OT: Good GigE 8-port switch?
 
  Hello,
 
  I'm looking to replace my old 100Mbit Edimax desktop switch 
  with something 
  able to manage Gbit ethernet. The purpose is office usage, 
  but since I'm 
  software developer and like playing with network 
 technologies I would 
  prefer to have something with VLAN/QoS/jumbo frames 
 support on board. 
  Since this means more software written on the switch, I'm 
  more aware of 
  the fact that it might be buggy and so I'm searching for any 
  advice with 
  regarding to reliable switch manufacturer. So far I've just 
  found some 
  OvisLink, D-Link, Edimax, 3Com, Linksys, LevelOne, SMC which 
  do support at 
  least part of the wanted features, but none of the companies 
  tell anything 
  about their products reliability of course.
 
  Thanks,
  Karel
  --
  Karel Gardas  [EMAIL PROTECTED]
  ObjectSecurity Ltd.   http://www.objectsecurity.com
 
 
  
  I've had very good experiences with SMC, as a brand, ok 
 experiences with
  3Com as a brand, and very poor experiences with the D-Link 
 and Linksys
  brands.
  
  HTH,
  -C
 
 same here. SMC is very good and the products can be bought at 
 a decent 
 price. for enterprise networking, we use nortel switches 
 after years of 
 poor and not so good experiences with other brands.
 
 as a rule of thumb: beware consumer level products. you may save 50% 
 when buying them, but you'll pay for it later. and you'll pay much more 
 than you saved!
 
 timo
 
 

We also use Nortel (and Bay Networking) for our primary switches
(8610,450-24T). If you can afford them, they are absolutely rock solid,
and have an excellent management software tool.

But hey, why not just get one of these:
shameless plug:
http://www.silverstorm.com/pdf/silverstorm_5000_data_sheet.pdf

;)



Re: IO fencing question

2006-04-10 Thread Barry, Christopher
 -Original Message-
 From: francisco [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, April 09, 2006 4:07 PM
 To: Barry, Christopher
 Subject: Re: IO fencing question
 
  Thanks everyone for your ideas on this. As it turns out, 
 the issue is
  indeed the switch's redundant fiber port not releasing. As 
 soon as power
  hits the server's motherboard, a link is present on the 
 switch - even
  though all of my fiber NICs are in PCI slots. The only way I can
  reliably failover the switch port is to remove power 
 completely from the
  router.
 
 Are these managed switches, and if so, can you login and flush the 
 switch's arp cache?  A script to do this upon carp event might be the 
 better solution.
 
 -f
 http://www.blackant.net/
 

heh, it's a conundrum wrapped in an enigma, tied with a paradox.

...or maybe just a catch-22?

Because the routers attach to each of three switches directly into their
redundant MDAs, the master router is the only guy that can talk to them.
The backup router is 'fenced out' by the MDA itself. If the master craps
out, but the switch is still hanging onto him, who will be able to
access the switch's arp table to flush it? Short answer: nobody.

The only way to do this is to have another host out on that network that
can detect if the router is down, and then do this, maybe via snmp. The
problem with that is I do not control the hosts out on that net
typically, and it becomes another point of failure, and spreads the
system of redundancy a bit too thin in my view.

Another *interesting* problem with this topology choice I've made is
what happens when the redundant fiber on the switch that is connected to
the master goes down? Until this happens, I guess I just cannot know.


Thanks,
Chris 



Re: IO fencing question

2006-04-10 Thread Barry, Christopher
 If you can manage it, it might be best to cut fiber access instead of
 power.
   Joachim


True - but to place a fiber switch I can kill in the middle is a tad
beyond my budget! I guess I could have a servo-actuated guillotine over
the fibers themselves... ;)


-C



Re: IO fencing question

2006-04-08 Thread Barry, Christopher
 -Original Message-
 From: Jon Hart [mailto:[EMAIL PROTECTED] 
 Sent: Friday, April 07, 2006 1:25 PM
 To: Barry, Christopher
 Cc: misc@openbsd.org
 Subject: Re: IO fencing question
 
 On Fri, Apr 07, 2006 at 12:26:45PM -0400, Barry, Christopher wrote:
  Thanks much for your answers. By 'soft', I mean a controlled
  reboot/shutdown where the power remains on even though the OS has
  obviously stopped running. I have not experienced any 
 actual failures of
  anything, so I do not know the outcome of that. Induced 'Hard' 
 failure (e.g.
  pulling the plug) works perfectly.
  
  The more I look at it, and think about it, I'm guessing the
  problem is more related to the redundant fibre ports on the 350-24T
  switch, actually holding onto information about the directly connected
  interface, and stubbornly sticking to it if it detects any kind of
  signal whatsoever.
 
 I experienced this same sort of weirdness when setting up a pair of
 redundant routers.  The two upstreams, which I had no control 
 over, ran
 OSPF.  If I powered off the machine, all was well.  If I simply halted
 the machine, or there was power to it at all, their OSPF daemon would
 detect a link and continue to route in the direction of our downed
 router.
 
 The problem, in the end, was that the Dell 1850s primary onboard
 ethernet controller will exhibit link when there is power to 
 the board.
 The secondary, and any PCI/PCI-X cards that we added on afterward, did
 not exhibit this behavior.
 
 -jon
 


Thanks everyone for your ideas on this. As it turns out, the issue is
indeed the switch's redundant fiber port not releasing. As soon as power
hits the server's motherboard, a link is present on the switch - even
though all of my fiber NICs are in PCI slots. The only way I can
reliably failover the switch port is to remove power completely from the
router.

To do this, I'm thinking a combination of:
http://freshmeat.net/projects/powerswitch/
and:
http://www.servertech.com/products/product.aspx?GroupID=1ProductID=12#


Of course the powerswitch script will need a bit of hacking, and I'll
need to wrap the whole deal in a looping testing script, looking for
when stge0 on the backup becomes master. Then I'm thinking of attempting
a 'ssh master -c halt -p', waiting a certain amount of seconds, and
then switching off the power to the plug.

Does that sound like a reasonable approach? Anyone already done this and
have some lessons for me?


Thanks,
-C
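The watcher loop sketched above, written out as an added example (not code from the original post or from the powerswitch project): it polls the backup's CARP interface and, only on the BACKUP -> MASTER edge, fences the former master with a clean halt over ssh followed, after a grace period, by cutting its outlet. The ordering is the point: ssh alone is not a fence, because a hung or half-rebooted host will not honour the halt, while the power strip works regardless of the peer's state. The peer hostname, the grace period and the outlet command are assumptions (the outlet command is a placeholder for whatever the strip's tool expects); the ifconfig output used for the demo is constructed in the form OpenBSD prints for a carp(4) interface.

```shell
#!/bin/sh
# Added example (not from the original post): fence the former master
# when this node's CARP interface becomes MASTER. Placeholders: PEER,
# GRACE and POWER_OFF_CMD must be set for the real environment.

CARP_IF=${CARP_IF:-carp0}
PEER=${PEER:-core-master}   # assumed hostname of the other node
GRACE=${GRACE:-30}          # seconds to let a clean halt finish
POWER_OFF_CMD=${POWER_OFF_CMD:-"echo '(placeholder) power off outlet for $PEER'"}

# carp_state IFCONFIG_OUTPUT
# Extracts MASTER/BACKUP/INIT from "ifconfig carpN" text; prints UNKNOWN
# when no carp status line is present (wrong interface, no carp).
carp_state() {
    printf '%s\n' "$1" | awk '
        $1 == "carp:" { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }'
}

# should_fence PREV CUR
# True only on the edge that matters: we just became MASTER. Staying
# MASTER, or dropping back to BACKUP, must not trigger another fence.
should_fence() {
    [ "$1" != "MASTER" ] && [ "$2" = "MASTER" ]
}

# fence_peer: ask for a clean halt, wait, then cut power regardless of
# whether the halt was acknowledged.
fence_peer() {
    ssh -o ConnectTimeout=5 -o BatchMode=yes "$PEER" 'halt -p' 2>/dev/null || true
    sleep "$GRACE"
    sh -c "$POWER_OFF_CMD"
}

# watch_loop: run on the backup node; never returns.
watch_loop() {
    prev=$(carp_state "$(ifconfig "$CARP_IF")")
    while sleep 1; do
        cur=$(carp_state "$(ifconfig "$CARP_IF")")
        if should_fence "$prev" "$cur"; then
            logger -t fence "$CARP_IF went $prev -> $cur, fencing $PEER"
            fence_peer
        fi
        prev=$cur
    done
}

# Constructed ifconfig output so the parser can be exercised without a
# real router.
SAMPLE='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev stge0 vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255'
echo "parsed state: $(carp_state "$SAMPLE")"

# Start the watcher with: ./fence.sh watch
if [ "${1:-}" = "watch" ]; then
    watch_loop
fi
```

A second safeguard worth keeping in mind with this design: the fencing node must be sure it is the one that became MASTER, which is why the loop keys off its own interface rather than off a failed ping to the peer.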



Re: IO fencing question

2006-04-07 Thread Barry, Christopher
No one has responded to this yet. 
Wondering: Is this the wrong list for this question? Is this a
completely non-standard use? Can anyone please shed some light on this
for me?

Thanks,
-C

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Barry, Christopher
 Sent: Tuesday, April 04, 2006 5:26 PM
 To: misc@openbsd.org
 Subject: IO fencing question
 
 Greetings,
 
   I've built a pair of 6-interface OBSD 3.7 routers for use at
 work. These routers have 4 Fibre GigE interfaces each, and 2 
 copper GigE
 interfaces ea as follows:
 carp{0,1,2,3,4} production,integration,staging,systest,dmz_1
 respectively
 stge{0,1,2,3} production,integration,staging,systest respectively
 em0 sync device
 rl0 dmz_1
 
 the machines are core-master and core-backup, the vip is core-rtr.
 
 stge1 on core-master has a fibre running to the left fiber 
 MDA port on a
 Nortel (BayStack) 350-24T switch, while stge1 on core-backup 
 runs to the
 right MDA port (they both are 'port 25' in the switch). 
 stge{2,3} behave
 similarly on 2 other identical switches. stge0 on both routers go to 2
 separate fibre ports on a larger Nortel 8600.
 
 Example:
 If I'm out on the production net (stge0) and start an ssh session to a
 host out on the development net (stge1), and start a ping in 
 the session
  back to a host on the production network, and then pull the plug on
 core-master (I know, ouch) it might drop a ping, but otherwise works
 flawlessly! Really sweet. The problems occur during a 'soft' failure,
 e.g. a reboot or a halt without power off.
 
 To be fair, I do not think it's carp that's causing the problem, the
 backup instantly becomes the master. It appears to be something with
 either the MDAs not failing over or an issue with the stge0 interfaces
 on two separate fibre ports on the big switch.
 
 It's only a problem if the failing host does not get powered off.
 
 My thoughts have been:
 
 * put both hosts on a serial power strip - on a failure, 
 surviving node
 powers off the failed node.
 
 * have a scripted way to simulate that all of the interfaces 
 are powered
 off. (or heck, maybe even just being automatically downed might do it)
 
 
 Question: Can someone recommend a solution to this problem, 
 or point me
 at a doc or software that can help me with this?
 
 
 Thanks,
 Chris



Re: IO fencing question

2006-04-07 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Joachim Schipper
 Sent: Friday, April 07, 2006 11:48 AM
 To: misc@openbsd.org
 Subject: Re: IO fencing question
 
 On Fri, Apr 07, 2006 at 09:45:15AM -0400, Barry, Christopher wrote:
  No one has responded to this yet. 
  Wondering: Is this the wrong list for this question? Is this a
  completely non-standard use? Can anyone please shed some 
 light on this
  for me?
 
 AFAICT, this is a proper question, properly asked, on the proper list.
 I, personally, have not responded because I didn't really have a clue
 what could be wrong.
 
 From your own description, the real problem seems to be 
 elsewhere. Since
 I don't know much of anything about this particular elsewhere, I'm
 afraid I won't be much help there.
 
 I do not understand entirely what you mean by 'soft' failure - do you
 mean an OS crash/panic, in which the hardware is working ok but the OS
 isn't? Or are you talking about a non-clean shutdown, where 
 the hardware
 is down too? Or are we talking a controlled, clean shutdown/reboot?
 (Testing the above cases might give some hints.)
 
 Finally, a tcpdump, including ARP activity, might allow someone more
 well-versed in CARP than myself to discover if CARP is to blame, and
 maybe even what else is.
 
 If you go for the scripted solution, maybe ifstated(8) could 
 be of some
 use here?
 
   Joachim


Joachim,

Thanks much for your answers. By 'soft', I mean a controlled
reboot/shutdown where the power remains on even though the OS has
obviously stopped running. I have not experienced any actual failures of
anything, so I do not know the outcome of that. Induced 'Hard' failure (e.g.
pulling the plug) works perfectly.

The more I look at it, and think about it, I'm guessing the
problem is more related to the redundant fibre ports on the 350-24T
switch, actually holding onto information about the directly connected
interface, and stubbornly sticking to it if it detects any kind of
signal whatsoever.


I'll examine ifstated, experiment, and report back.


Thanks Again,
Chris

   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
   On Behalf Of Barry, Christopher
   Sent: Tuesday, April 04, 2006 5:26 PM
   To: misc@openbsd.org
   Subject: IO fencing question
   
   Greetings,
   
 I've built a pair of 6-interface OBSD 3.7 routers for use at
   work. These routers have 4 Fibre GigE interfaces each, and 2 
   copper GigE
   interfaces ea as follows:
   carp{0,1,2,3,4} production,integration,staging,systest,dmz_1
   respectively
   stge{0,1,2,3} production,integration,staging,systest respectively
   em0 sync device
   rl0 dmz_1
   
   the machines are core-master and core-backup, the vip is core-rtr.
   
   stge1 on core-master has a fibre running to the left fiber 
   MDA port on a
   Nortel (BayStack) 350-24T switch, while stge1 on core-backup 
   runs to the
   right MDA port (they both are 'port 25' in the switch). 
   stge{2,3} behave
   similarly on 2 other identical switches. stge0 on both 
 routers go to 2
   separate fibre ports on a larger Nortel 8600.
   
   Example:
   If I'm out on the production net (stge0) and start an ssh 
 session to a
   host out on the development net (stge1), and start a ping in 
   the session
   back to a host on the production network, and then pull the plug on
   core-master (I know, ouch) it might drop a ping, but 
 otherwise works
   flawlessly! Really sweet. The problems occur during a 
 'soft' failure,
   e.g. a reboot or a halt without power off.
   
   To be fair, I do not think it's carp that's causing the 
 problem, the
   backup instantly becomes the master. It appears to be 
 something with
   either the MDAs not failing over or an issue with the 
 stge0 interfaces
   on two separate fibre ports on the big switch.
   
   It's only a problem if the failing host does not get powered off.
   
   My thoughts have been:
   
   * put both hosts on a serial power strip - on a failure, 
   surviving node
   powers off the failed node.
   
   * have a scripted way to simulate that all of the interfaces 
   are powered
   off. (or heck, maybe even just being automatically downed 
 might do it)
   
   
   Question: Can someone recommend a solution to this problem, 
   or point me
   at a doc or software that can help me with this?
   
   
   Thanks,
   Chris



IO fencing question

2006-04-04 Thread Barry, Christopher
Greetings,

I've built a pair of 6-interface OBSD 3.7 routers for use at
work. These routers have 4 Fibre GigE interfaces each, and 2 copper GigE
interfaces ea as follows:
carp{0,1,2,3,4} production,integration,staging,systest,dmz_1
respectively
stge{0,1,2,3} production,integration,staging,systest respectively
em0 sync device
rl0 dmz_1

the machines are core-master and core-backup, the vip is core-rtr.

stge1 on core-master has a fibre running to the left fiber MDA port on a
Nortel (BayStack) 350-24T switch, while stge1 on core-backup runs to the
right MDA port (they both are 'port 25' in the switch). stge{2,3} behave
similarly on 2 other identical switches. stge0 on both routers go to 2
separate fibre ports on a larger Nortel 8600.

Example:
If I'm out on the production net (stge0) and start an ssh session to a
host out on the development net (stge1), and start a ping in the session
back to a host on the production network, and then pull the plug on
core-master (I know, ouch) it might drop a ping, but otherwise works
flawlessly! Really sweet. The problems occur during a 'soft' failure,
e.g. a reboot or a halt without power off.

To be fair, I do not think it's carp that's causing the problem, the
backup instantly becomes the master. It appears to be something with
either the MDAs not failing over or an issue with the stge0 interfaces
on two separate fibre ports on the big switch.

It's only a problem if the failing host does not get powered off.

My thoughts have been:

* put both hosts on a serial power strip - on a failure, surviving node
powers off the failed node.

* have a scripted way to simulate that all of the interfaces are powered
off. (or heck, maybe even just being automatically downed might do it)


Question: Can someone recommend a solution to this problem, or point me
at a doc or software that can help me with this?


Thanks,
Chris



Re: Music made with OpenBSD

2006-04-01 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Alexandre Ratchov
 Sent: Saturday, April 01, 2006 11:49 AM
 To: misc@openbsd.org
 Subject: Music made with OpenBSD
 
 hello,
 
 there's a small music piece that i'd like to share; it's composed and
 recorded on openbsd, mostly with MIDI software developped on openbsd
 (audio/midish from ports). Even if openbsd has the reputation 
 of server
 operating system i've enjoyed using it for playing music: 
 it's simple and
 reliable
 
 http://caoua.org/alex/obsd/reg-disto.ogg
 
 enjoy
 
 -- 
 Alexandre
 
 


Wow! Really well done! Got any more? Post a link.

I'd be interested in how you actually made that too.

-C



Arp question

2006-03-21 Thread Barry, Christopher
Greetings,

I've googled and went to MARC, but can't find anything very helpful
about this, so I am here asking for your assistance.

I'm getting the following error:

/bsd: arp: attempt to overwrite entry for 172.26.0.68 on stge3 by
00:00:1a:19:d3:13 on stge2

repeating multiple times to the console. 

I have a four interface router, running 3.7 Generic. These two
interfaces are going out to our lab. My gut reaction was that someone in
the lab might have cabled between two switches on each subnet. Does that
seem probable? It's a damn spaghetti mess out there, and before I go
spend half a day digging, thought I'd float this out there. Any pointers
would be very appreciated.


Thanks,
Chris



SOLVED: RE: Arp question

2006-03-21 Thread Barry, Christopher
Nevermind - somebody moved a box to the other network and fired it up
with the old network configured.

Thanks

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Barry, Christopher
 Sent: Tuesday, March 21, 2006 4:24 PM
 To: misc@openbsd.org
 Subject: Arp question
 
 Greetings,
   
 I've googled and went to MARC, but can't find anything very helpful
 about this, so I am here asking for your assistance.
 
 I'm getting the following error:
 
 /bsd: arp: attempt to overwrite entry for 172.26.0.68 on stge3 by
 00:00:1a:19:d3:13 on stge2
 
 repeating multiple times to the console. 
 
 I have a four interface router, running 3.7 Generic. These two
 interfaces are going out to our lab. My gut reaction was that 
 someone in
 the lab might have cabled between two switches on each 
 subnet. Does that
 seem probable? It's a damn spaghetti mess out there, and before I go
 spend half a day digging, thought I'd float this out there. 
 Any pointers
 would be very appreciated.
 
 
 Thanks,
 Chris
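The message in the two posts above is exactly the kind of line worth summarising rather than reading one at a time: the kernel logs it whenever a reply for an address it already has on one interface arrives from a different MAC or interface. The script below is an added example (not from the original messages) that collapses a log into one line per IP/MAC/interface-pair with a count, so a host that moved segments with its old address (the cause found here), a cross-patched pair of switches, or a machine answering for an address that is not its own all show up as a sustained repeat. The sample log lines are constructed in the format the poster saw.

```shell
#!/bin/sh
# Added example (not from the original messages): summarise the kernel's
# "arp: attempt to overwrite entry" messages so a flapping
# IP/MAC/interface combination stands out from one-off noise.

# arp_overwrite_report < LOGFILE
# Emits "IP MAC old_if new_if count" per distinct combination, sorted.
# old_if is the interface that already holds the entry; new_if is the
# one the conflicting claim arrived on.
arp_overwrite_report() {
    awk '/arp: attempt to overwrite entry for/ {
        n = 0; ip = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")      ip = $(i + 1)
            else if ($i == "by")  mac = $(i + 1)
            else if ($i == "on")  { n++; ifc[n] = $(i + 1) }
        }
        # only count well-formed lines (both interfaces present)
        if (ip != "" && mac != "" && n == 2)
            count[ip " " mac " " ifc[1] " " ifc[2]]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# flag_repeats THRESHOLD < report
# Keeps only combinations seen THRESHOLD times or more.
flag_repeats() {
    awk -v t="$1" '$5 >= t'
}

# Constructed sample: console/syslog lines of the form the poster saw,
# plus an unrelated line that must be ignored.
SAMPLE_LOG='Mar 21 16:10:01 core-rtr /bsd: arp: attempt to overwrite entry for 172.26.0.68 on stge3 by 00:00:1a:19:d3:13 on stge2
Mar 21 16:10:03 core-rtr /bsd: arp: attempt to overwrite entry for 172.26.0.68 on stge3 by 00:00:1a:19:d3:13 on stge2
Mar 21 16:10:05 core-rtr /bsd: arp: attempt to overwrite entry for 172.26.0.68 on stge3 by 00:00:1a:19:d3:13 on stge2
Mar 21 16:11:40 core-rtr /bsd: arp: attempt to overwrite entry for 172.26.0.70 on stge2 by 00:00:1a:19:d3:14 on stge3
Mar 21 16:11:41 core-rtr sshd[1234]: Accepted publickey for chris from 172.26.0.5'

printf '%s\n' "$SAMPLE_LOG" | arp_overwrite_report
echo "--- repeated 3 or more times:"
printf '%s\n' "$SAMPLE_LOG" | arp_overwrite_report | flag_repeats 3
```

On a real box, arp_overwrite_report < /var/log/messages gives the table; the old_if/new_if pair tells you which segment the stray host is really plugged into.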



Re: skype on openbsd?

2006-03-05 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of [EMAIL PROTECTED]
 Sent: Sunday, March 05, 2006 6:22 PM
 To: misc@openbsd.org
 Subject: skype on openbsd?
 
 i saw a post just recently on bsdforums.org about getting the 
 linux version of
 skype running on freebsd, 
 http://www.bsdforums.org/forums/showthread.php?t=39145
 . i'm trying to get this working on openbsd, but when i run 
 the static binary
 with Qt compiled in, it tells me:
 
 skype: error while loading shared libraries: libGL.so.1: 
 cannot open shared
 object file: No such file or directory
 
 this isn't so surprising since  doesn't exist on 
 the 3.9 snapshot from
 3/4 i'm running. however, other versions of the libGL.so 
 library exist on the
 system. i tried to follow the instructions in the post, but i 
 couldn't find
 libGL.so.1 since, AFAICT, it isn't generated by the 
 redhat_base port like it is
 for the SUSE linux emulator on freebsd.
 
 any suggestions on how to get an acceptable libGL.so.1 with 
 which to run skype?
 
 cheers,
 jake
 



Have you tried making a symlink named 'libGL.so.1' pointing at your
version of the same library file? This often corrects version issues in
Linux.


-C 



Re: Stupid Carp question

2005-08-04 Thread Barry, Christopher
 -Original Message-
 From: Monah Baki [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, August 04, 2005 8:29 AM
 To: misc@openbsd.org
 Subject: Stupid Carp question
 
 Hi all,
 
 Implementing carp, I have 2 net4801's that seem to be 
 synchronizing, when I do
 a ifconfig -a on the secondary I see carp0 on the slave 
 becomes Master when
 the primary goes down.
 The internal machines are working fine accessing the internet and all.
 
 The pf.conf rule has the 2 rules:
 
 pass quick on { sis2 } proto pfsync
 pass on { sis0 sis1 } proto carp keep state
 
 
 However, when I physically remove the ethernet cable from sis0 
 on the master,
 the internal machine cannot access the net anymore.
 Do I need to copy the pf.conf from the master to the secondary 
 unit, and have them
 both identical?
 
 
 Thank you
 


 Do I need to copy the pf.conf from the master to the secondary 
 unit, and have them
 both identical?

yes. 



fw(s) w/ NAT, pf and carp - failover during large download

2005-08-04 Thread Barry, Christopher
Hi. 

I researched this on MARC, and while I did find posts relating
to it, I found no definitive answer as to how to solve the problem.

I setup two firewalls, each with in/dmz/out/sync interfaces - 4
interfaces each. preempt=1,forward=1,allow=1

I have basic failover working great, but if I start pulling down an .iso
image for instance, and then shutdown the master, the download hangs.

I tried setting NAT to use carp0, thinking the remote host got confused
when the real IP went down. This did not work at all. Is this
interrupted session behavior normal for this configuration, or do I
obviously have something mis-configured? 

What info is needed to best help troubleshoot this?


Thanks,
Chris
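One check worth running before the next failover test is whether the backup actually holds the same state table as the master: a NATed download whose state never reached the backup cannot survive failover no matter which address the nat rule translates to. The script below is an added example (not from the original post and not an OpenBSD tool) that reduces two `pfctl -ss` dumps, one taken on each firewall, to their flow keys and lists the flows the backup is missing. It ignores the interface column and the trailing connection-state column, which legitimately differ between the two boxes, but keeps any translation shown in parentheses, because pfsync has to carry that too. The sample dumps, addresses and ports are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: compare pf state tables
# captured with `pfctl -ss` on the CARP master and on the backup.
# Usage:
#   master# pfctl -ss > /tmp/master.ss     backup# pfctl -ss > /tmp/backup.ss
#   (copy both to one host)  ./pfss-diff.sh /tmp/master.ss /tmp/backup.ss

# Reduce a pfctl -ss dump to one sorted flow key per line: everything between
# the interface column and the state column, e.g.
#   tcp 203.0.113.5:60001 (192.168.1.10:49152) -> 198.51.100.7:80
state_keys() {
    awk '
        { arrow = 0
          for (i = 1; i <= NF; i++) if ($i == "->") arrow = i
          if (arrow == 0 || NF < 5) next        # not a state line
          key = $2
          for (i = 3; i < NF; i++) key = key " " $i
          print key }' "$1" | sort -u
}

# Flow keys present in the master dump ($1) but absent from the backup dump ($2).
missing_on_backup() {
    m=$(mktemp /tmp/pfss.XXXXXX) || return 1
    b=$(mktemp /tmp/pfss.XXXXXX) || return 1
    state_keys "$1" > "$m"
    state_keys "$2" > "$b"
    comm -23 "$m" "$b"
    rm -f "$m" "$b"
}

# Exit 0 when the backup covers every master flow, 1 (with a listing) otherwise.
check_sync() {
    missing=$(missing_on_backup "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'states on master but not on backup:\n%s\n' "$missing"
        return 1
    fi
    echo "backup state table covers all master flows"
    return 0
}

# Constructed sample dumps (not captured from the poster's firewalls): the
# master has a NATed download in flight that the backup never learned about.
write_sample_dumps() {
    cat > "$1" <<'EOF'
all tcp 203.0.113.5:60001 (192.168.1.10:49152) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:49153 -> 192.168.1.1:22       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:5353 -> 192.168.1.1:53       MULTIPLE:MULTIPLE
EOF
    cat > "$2" <<'EOF'
all tcp 192.168.1.10:49153 -> 192.168.1.1:22       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:5353 -> 192.168.1.1:53       SINGLE:MULTIPLE
EOF
}

if [ $# -eq 2 ]; then
    check_sync "$1" "$2"
fi
```

If the listing is non-empty while the download is running, the problem is upstream of the nat rule: states are not reaching the backup at all, so look at the sync interface and the pfsync pass rule before touching the translation address. An empty listing with a download that still hangs points at the translation itself.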



Re: authpf-like functionality via a web interface?

2005-08-03 Thread Barry, Christopher
 -Original Message-
 From: Lars Hansson [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, August 03, 2005 12:20 AM
 To: misc@openbsd.org
 Subject: Re: authpf-like functionality via a web interface?
 
 On Tue, 2 Aug 2005 18:43:56 -0400
 Barry, Christopher [EMAIL PROTECTED] wrote:
 
  Authpf seems to do this via ssh, but I'll need to service non-ssh
  equipped sales folk, etc. Is there a project around that 
 provides this
  functionality, or will I need to create it?
 
 Clicking an icon on their Windows desktop that launches Putty 
 and connects to
 the firewall is something even the most inept technical 
 person is able to do.
 I've done exactly this for some of our top-level managers and 
 even though they
 know virtually NOTHING about computers they had no problem 
 with it and even
 thought it was neat.
 
 ---
 Lars Hansson
 
 


Thanks everyone. I really had no idea a web interface for this would be
so incredibly stupid and insecure. Sorry for my sub-optimal clue-level
on this. Also, sorry for bringing this whole mess up again. It's
apparently a bit of a sore spot.

From the number of replies, I'm thinking the batch-file/plink combo,
downloadable from a redirected web page, could work well for windows
folk. Linux users can of course simply ssh in, but I'm not a Mac guy,
and while I know that they can probably ssh in now too, many Mac users
will not really understand that. Is there a 'batch file/plink'-like
automated way for Mac folk that anyone knows about?

Any script/redirect examples for your implementations you may be willing
to share would be great for any of this stuff. I'll bet others could use
it too.


Thanks again.
Chris



Re: VPN behind a router

2005-08-02 Thread Barry, Christopher
 -Original Message-
 From: Helio Santana [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, August 02, 2005 8:59 AM
 To: misc@openbsd.org
 Subject: VPN behind a router
 
 Hi,
 first excuse my english, please.
 
 I'm trying to make a VPN between 2 computers with OpenBSD behind a
 router that is connected to the internet (see schema):
 
 Private LAN4 -- OBSD_4 -- Router_4 -- Internet -- Router_5 -- OBSD_5 -- Private LAN5
 
 Every OBSD has 2 net cards, 1 connected to the router and the other to the
 hub in the private LAN.
 
 I have done all the steps explained in man vpn.
 My private LANs are 192.168.4.0/24 and 192.168.5.0/24. The LANs
 between the OBSDs and the routers are 192.168.41.0/24 and 192.168.51.0/24.
 
 The routers redirect all incoming traffic to their respective OBSD and have
 their firewalls disabled.
 
 The external IP of Router_4 is A.B.C.D, the external IP of Router_5 is W.X.Y.Z
 
 All computers in LAN4 have access to the internet and can 
 ping W.X.Y.Z...
 
 I can make an ssh connection from OBSD_4 to OBSD_5... even from a
 connection from the Internet I can ping, etc.
 
 The only way I have managed to get the VPN to connect is by configuring the
 routers as modems (I don't know what the name of this is in English; in
 Spanish, 'monopuesto').
 
 But I need to do it with both routers configured as routers (in 
 Spanish, 'multipuesto').
 
 Thanks in advance,
 Helio.
 
 

 routers as modems (I don't know what the name of this is in English; in
 Spanish, 'monopuesto').
I think you mean 'bridge'

Q: how can 'rdr' function with pf disabled?



Re: VPN behind a router

2005-08-02 Thread Barry, Christopher
I misunderstood your implementation. NAT on router_{4,5} is likely the
culprit - if it is doing NAT. If you can pull the NAT functionality into
the OBSD boxen, and make router_{4,5} simply route, then this would
work. Ideally you will need 3 'real' IPs on the Internet for each site
to do this, although you could probably get away with 2.

router = 1 IP
OBSD   = 2 IPs (a main fw external IP, and an external alias for the
IPSEC interface.)


-C

 -Original Message-
 From: Helio Santana [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, August 02, 2005 10:21 AM
 To: Barry, Christopher
 Subject: Re: VPN behind a router
 
  I think you mean 'bridge'
 I don't know if bridge is the same as 'monopuesto'... 'monopuesto' is
 the way to make OBSD get, by DHCP, the external IP of my router, as a
 modem connected to a computer... does this mean 'bridge'? I don't know...
 
  Q: how can 'rdr' function with pf disabled?
 
 PF is enabled and I sent a sample in my last mail. But I see a little
 light at the bottom of my tunnel... what 'rdr' line do I need in every
 OBSD?... Oops, sorry... but the sample doesn't say anything about 'rdr'...
 ohhh no, I must be a 'RTFM man'... hahaha. What should the rdr be?
 Thanks, Helio.