Re: Tape drive DLT VS160
On Mon, 24 Apr 2006, Planck wrote:
> Hello. I have tape drive Quantum DLT VS160 (part of dmesg below) connected to Adaptec AHA-2940. Everything works fine, but I don't know how to enable hardware compression on that drive. There aren't any jumpers on enclosure, and mt(1) or st(4) don't say anything about that.

Yea it would normally be mt comp on or mt compress on

~BAS
Re: 3.7: weird IP address problem
On Mon, 24 Apr 2006, Toni Mueller wrote:
> Hello, I have a box that once had two IP addresses on one interface. I deconfigured one of them using ifconfig -alias. Now, when I want to use any (?) program on that box to go over this interface, it wants to use the addresses which is no longer present. I double-checked to ensure that there is no NAT in the way, and also used

Also, is it still ARP'ing for the old address (tcpdump(8) will show).

~BAS
Alter root FS device after boot?
All: Would it be hypothetically possible to change the device mounted as (/) after the system has booted (possibly during the bootstrapping phase)? This of course overriding the checks in src/sys/kern/sys_vfs* ~BAS
Re: OPENBSD_3_9 won't build
--- [EMAIL PROTECTED] wrote:
> Hello everybody. I installed box booting from PXE and then with latest snapshot. After that I used:
> # export [EMAIL PROTECTED]:/cvs
> # cd /usr; cvs checkout -P -rOPENBSD_3_9 src

This is stable, not current. You upgrade a snapshot with current; you don't go backwards to stable. The FAQ link I give below shows the progression; it's in 5.3.2. 5.3.3 goes into a lot more depth, but below is a simple update of the source tree. This does not update X or ports though.

# cd /usr/src
# cvs -q up -Pd

-- to update your cvs to -current (after you have an initial /usr/src tree)

It's better to download from the ftp sites the gzipped tree instead of cvs'ing the whole thing. The FAQ goes into detail about this.

> and then successfully installed new kernel with;
> # cd /usr/src/sys/arch/i386/conf
> # config GENERIC
> # cd ../compile/GENERIC
> # make depend
> # make
> # make install

To be safe, you want to:

# make clean && make depend && make

It's a good habit to make clean every time.

> And then rebooted PC. After that I tried to compile userland
> # rm -rf /usr/obj/
> # cd /usr/src
> # make obj
> # make build

You skipped a step:

# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs

Please read this FAQ for details: http://www.openbsd.org/faq/faq5.html#Bld

> But it won't compile.

Of course it won't.
Override errno EBUSY on rd(4) device after boot in mount(2)?
Is there any way to override the flag on a device that permits it from being mounted twice? MNT_FORCE isn't it. I've got an embedded environment I'm setting up where I want to transfer the root (/) file system from an rd(4) to an MFS. To do this, I have to add some customizations to copy() in sbin/newfs/newfs.c. This is because as soon as I call mount_mfs(8) from my RD's /etc/rc, all of / goes away, so I have to accomplish things in C functions until I can get the previous (/) re-mounted as /rescue. I can call mount(2) manually from newfs::copy(), but /dev/rd0a refuses to unmount from its previous ubiquitous root_device. Even if I explicitly mount /dev/rd0a as /, it refuses to dis-mount after I mount a new memfs at /, even with MNT_FORCE to unmount(2). Is it possible that rd(4)'s simply can't be unmounted? I'm assuming they can be, and that unlike their MFS counter-part, their contents do not reset (well, they would reset to whatever the contents of the RD image in the kernel is, assuming changes had been made). This is truly a chicken-and-egg scenario. Any thoughts would be appreciated. ~BAS
Re: Microsoft SP1 RPC traffic (Active Directory issues)
On Thu, 20 Apr 2006, James Mackinnon wrote:
> Good day everyone. Recently, I installed SP1 on some domain controllers and ran into an issue where Microsoft changed RPC data with SP1 and firewalls such as Microsoft's own ISA server as well as checkpoint have started to randomly block this data.

...look at the pflog(4), correlate hits with the source address of servers having problems with the blocks, generate a pf.conf(5) rule to match, and move on.

~BAS
Re: Panic: biodone already
On Thu, 20 Apr 2006, Pedro Martelletto wrote: The raid(4) codebase is old, unmaintained, and known to have issues. That's one of the reasons it's not in the stock kernel. Oh I thought the OpenBSD team was silently discouraging people from the practice of using software RAID. :} That sounds like the service of a friend. Focusing efforts on better universal hardware RAID mgmnt interface support. ~BAS
inet6(4)
I am working on some IPv4 IPv6 Interoperability stuff, and I hit a brick wall trying to get an IPv6 UDP server to receive IPv4 packets. It looks like that piece was taken out per inet6(4):

    OpenBSD does not route IPv4 traffic to an AF_INET6 socket. The particular behavior in RFC 2553 is intentionally omitted for security reasons presented above. If both IPv4 and IPv6 traffic need to be accepted, listen to two sockets.

So if I want to add IPv6 functionality to an existing app, I would convert the current IPv4 stuff to use getaddrinfo, and I would just open two sockets by walking the link list provided by getaddrinfo, right? I wouldn't try to receive IPv4 traffic on an IPv6 socket for openBSD.

Now, I have done a cursory review of docs via google for converting IPv4 apps to IPv6, but I haven't looked at the security issues with coding for both. Besides searching securityfocus, is there another site I should be reading for IPv6? Is KAME still relevant to the openBSD implementation?

Cheers, Brian
FYI: sch5017
It's looking good. Thanks Roman for letting me help out. Only two problems persist:

1) we get the list twice due to the nviic detecting two iic's
2) register 0x20 is +5 VTR, which differs from the adt chip

Here are the results as of pulling down the CVS this weekend:

hw.sensors.0=adt0, +2.5Vin, 1.32 V DC
hw.sensors.1=adt0, Vccp, 1.43 V DC
hw.sensors.2=adt0, Vcc, 3.35 V DC
hw.sensors.3=adt0, +5V, 5.13 V DC
hw.sensors.4=adt0, +12V, 12.00 V DC
hw.sensors.5=adt0, Remote1 Temp, 31.00 degC
hw.sensors.6=adt0, Internal Temp, 38.00 degC
hw.sensors.7=adt0, Remote2 Temp, 33.00 degC
hw.sensors.8=adt0, TACH1, 3832 RPM
hw.sensors.9=adt0, TACH2, 2204 RPM
hw.sensors.12=adt1, +2.5Vin, 1.32 V DC
hw.sensors.13=adt1, Vccp, 1.43 V DC
hw.sensors.14=adt1, Vcc, 3.35 V DC
hw.sensors.15=adt1, +5V, 5.10 V DC
hw.sensors.16=adt1, +12V, 12.06 V DC
hw.sensors.17=adt1, Remote1 Temp, 31.00 degC
hw.sensors.18=adt1, Internal Temp, 38.00 degC
hw.sensors.19=adt1, Remote2 Temp, 33.00 degC
hw.sensors.20=adt1, TACH1, 3829 RPM
hw.sensors.21=adt1, TACH2, 2204 RPM

here's the dmesg:
Re: When would you NOT use OpenBSD?
--- Daniel Ouellet [EMAIL PROTECTED] wrote:
> So, the argument of Vendor support is a sometimes criteria. really doesn't mean ANYTHING to me anymore and real life example proved it many times over!

Paid vendor support is a feel good thing like insurance. When it comes time for them to help you out, you get screwed.

Brian
Re: odd dmesg
--- Theo de Raadt [EMAIL PROTECTED] wrote:
> On iic bus 0, you have a sch5017 chip at address 0x2e for which we do not have a driver yet:
> http://ftp.smsc.com/main/datasheets/5017.pdf
> start at page 230
> Your other iic bus appears has the same chip, or maybe it is two iic busses wired together.

Thanks. I started to dig in /usr/src/sys/dev/i2c, and, I think, I found the function that is resulting in my dmesg dump for iic. The result seems to be coming from /usr/src/sys/dev/i2c/i2c_scan.c (function icc_dump).

If I am following the source code correctly, it looks like the setup for iic is: pci-iic-individual iic drivers. Looks like the drivers have a parent/child relationship. Each driver writes to the following structures: cfattach (which contains the malloc size of struct xx_softc) cfdriver which are a part of cfdata and the drivers also write to struct sensor. The drivers also contain the registers per their docs. It looks like reads are performed on the register using iic_exec() at the address of the device, which is passed down from the parent as a parameter (void *aux). In this case, I guess the driver for all iic devices. The drivers look to contain match, attach, and refresh functions.

Where I seem to be lost is how the driver data coming from the calls to iic_exec ends up in sysctl. And if I were to write a driver based on the previous drivers already in /usr/src/sys/dev/i2c, how would I debug it? And I still am not sure how I would add it to the kernel since I have always used GENERIC. I guess I can dig through the config man pages. I have never written a driver, so I am clueless. I guess I'll keep digging, but thanks for the help.

Cheers, Brian
Re: Moving a file mount point
--- Karl Kopp [EMAIL PROTECTED] wrote:
> Hi All, I've setup a Cisco replacement using OpenBSD and OpenBGPd and man, this thing FLIES :) I paid almost $3k AUD recently for another 64MB of RAM for our Cisco 2610 and it was still struggling under the load of 6 - 8mb/sec! The new OpenBSD box is running at less than 2% CPU pushing 20mb/sec - and cost less than the RAM alone :)
> One thing I need to do urgently tho is move my /var mount - I'm not 100% how to do this on a running box with the least amount of down time. Any hints / advice would be greatly appreciated!
> Thanks Karl

Does this help: http://www.openbsd.org/faq/faq14.html#NewDisk

I am not sure what you mean by move. Move where? I assume you meant to a new drive, so the FAQ above should help.

Brian
odd dmesg
I just did a fresh install of 3.9-current. And part of the dmesg is coming across oddly. I am not sure what else to say about it. It's the iic0 and iic1. Check it out:
Re: Sendmail security problem
On Fri, 24 Mar 2006, Joachim Schipper wrote: On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote: On 2006/03/24 14:12, Alexander Bochmann wrote: ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote: P gnu/usr.sbin/sendmail/libsm/refill.c P gnu/usr.sbin/sendmail/sendmail/collect.c P gnu/usr.sbin/sendmail/sendmail/conf.c P gnu/usr.sbin/sendmail/sendmail/deliver.c P gnu/usr.sbin/sendmail/sendmail/headers.c P gnu/usr.sbin/sendmail/sendmail/mime.c P gnu/usr.sbin/sendmail/sendmail/parseaddr.c P gnu/usr.sbin/sendmail/sendmail/savemail.c P gnu/usr.sbin/sendmail/sendmail/sendmail.h P gnu/usr.sbin/sendmail/sendmail/sfsasl.c P gnu/usr.sbin/sendmail/sendmail/sfsasl.h P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c P gnu/usr.sbin/sendmail/sendmail/usersmtp.c P gnu/usr.sbin/sendmail/sendmail/util.c I am pretty certain a fix was imported for 3.7-stable, too. Yep. Why was there no Security Advisory or entry in the Daily Changelog for this? There's an errata entry, but no announcement =/ ~BAS Joachim
Is list quiet?
Hello everyone, I recently switched to a new mail server (about 3 weeks ago) and at first I was receiving email from the list but it seems to be about 2 weeks since the last one. Is the list real quiet or do I have a local mail issue? Thanks, Brian.
Re: openbsd and the money -solutions
--- Deanna Phillips [EMAIL PROTECTED] wrote:
> That said, I think a wall of shame page on the OpenSSH site might be a good idea: one listing all those big companies mentioned that have never donated a dime. Negative PR might result in more donations than managers receiving the minor annoyance message forwarded to them, which they'll simply delete and forget about.

Too bad openSSH couldn't just require a license fee for openSSH to be included in OS's besides openBSD that are sold for money. This would include corporate use as well. So if IBM wanted to include openSSH in one of its products sold to someone, they would have to pay openSSH to include it in their product or kick back to the openSSH team some percentage of the revenue generated by that product. Of course, the license would have to be written so the openSSH team is not obligated to do support. If IBM wanted their employees to use openSSH, they would have to pay a site license fee. Of course, home users (non-business) and universities would be excluded.
Re: openbsd and the money -solutions
--- Spruell, Darren-Perot [EMAIL PROTECTED] wrote:
> Better approach. How about said companies belly up and support the group that enables them (in part) to enjoy the financial success they have?

Because there is no reason for them to. Here's what would happen:

1) license change comes out
2) IT looks for alternative program
3) IT provides figures to finance for either the alternative program, the new license, or in house development
4) finance runs some cash flow analysis and sits down with the CIO and CFO based on the results
5) suggestion is provided to management

I work in finance. There is no reason to provide funding from a business standpoint. What does the business gain? Corporations basically have a free development team. Sure they cannot dictate requests, but the code quality is high and the product works well.

Honestly, unless the openSSH team mandates funding, no one will cough up cash. And the license price has to be the sweet spot, where it isn't too high that no funding is received and not too low that it doesn't accomplish anything. And Theo from his messages doesn't want the direction of the program dictated to him by folks that donate. No corporation is gonna provide funding unless they get something out of it. I think Theo needs to put his foot down on this issue.

I would think of openSSH as separate from openBSD. I would not advocate changing licenses on the rest of openBSD. Of course, the downside is that some of the corporations might withhold documentation needed for driver development unless the license is lifted.

Cheers, Brian
QUESTION ABOUT PPP.LINKUP AND PF
Hello - I am currently at the end of my understanding. We have PF working between two Ethernet cards perfectly - we have absolutely no problems with it coming up properly and running as needed. What I am having a problem with is when we use PPP to establish a connection to an ISP via a dialup modem. In some cases we do need to do that as the locations do not have high speed access. We have a line for the dialup config in our ppp.conf file called elinkod: This connects up to earthlink manually, with the -ddial or the -auto modes no problem and we can get around on the internet with no problems. We have /etc/ppp/ppp.linkup and in that is a section like this: elinkod: ! sh -c pfctl -e -f /etc/pf.conf Now from what I understand this should allow the connection to establish and then enable pf with the ruleset contained in pf.conf. It doesn't seem to ever work. We even tried putting the commands to kick off in a separate script file and kick that file off like so: elinkod: !bg /etc/ppp/ppp.linkup.elinkod Again that also did not work. We have the set log options set in the ppp.conf file under the elinkod section and the relevant sections setup in syslog.conf to allow for logging of ppp information to /var/log/ppp.log - but nothing is appearing in the log files either. Just wondering if anyone has any suggestions as to what to do next? I am sure it is something I am missing, but I read and re-read the man pages and really couldn't find what I was doing wrong - of course information starts to run together late at night and I might have misread or confused something else. Any help is greatly appreciated. Thanks!
IPMI / SNMP / MRTG (WAS: RE: ipmi(4) (IPMI MIB?))
On Thu, 26 Jan 2006, Bruce Shaw wrote: We've actually got several different problems here. Specifically, the OpenBSD implementation we're seeing here seems to provide sysctl style access to Sensor data, watchdog info, etc., but what about other IPMI functions? I've been working on better sensor information for openBSD but lack reliable access to a platform to develop on (a friend has been doing what he can). On any number of occasions, I've offered personally to donate VMWare licenses to Net-SNMP developers to help bring *BSD support back into the mainstream :} ... That's a standing offer and I'm sure there are plenty of corporations that wouldn't mind contributing either. I will say this, though. It takes about 35 seconds to do an ipmitool sdr list full. Thus, for every two values you would like to graph in MRTG, you can add 35 seconds to the job's run time. The time it takes to do an ipmi sensor get 'blah' is marginally different than a list.

$ time ipmitool -U netadmin -E -H sys-lom.priv -c sdr list full
Temp,43,degrees C,ok
Temp,40,degrees C,ok
[...]
real    0m34.618s
user    0m0.017s
sys     0m0.017s

Thus...a in-kernel IPMI--SNMP gateway interface would be optimal (Such as OpenBSD's) to relying on the Hardware/LOM/BMC Functionality, at least for the sensor related data. The hardware interface on the BMC/NIC is infinitely useful. You can VLAN it off into a management/out of band subnet and do hard-power resets, etc, from there.

Regarding MRTG, there are 8 sets of values to graph out from the sensor results on Dell PE 1850s/2850s that I have access to:

Set 1: CPU0 Temp, CPU1 Temp
Set 2: MB Ambient, MB Planar Temp
Set 3: Riser Temp [Riser Temp]
Set 4: PS#0 Temp, PS#1 Temp
Set 5: CMOS Battery Volt [CMOS Battery Volts]
Set 6: Fan 1A, Fan 1B
Set 7: Fan 2A, Fan 2B
Set 8: Fan 3A, Fan 3B
Set 9: Fan 4A, Fan 4B

A modified version of Chris Wilson's NAGIOS IPMI plugin can be used to poll the data into MRTG in a very ...VERY suboptimal, but functional, manner.
http://digitalfreaks.org/~lavalamp/ipmi_mrtg.pl (this script lacks any kind of sanity checking)

MRTG Configs might look something like:

Target[SYSNAME.fan3]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com f3`
PageTop[SYSNAME.fan3]: <H1>Fan Set 3 RPMs</H1>
Title[SYSNAME.fan3]: Fan Set 3 RPMs
Options[SYSNAME.fan3]: nopercent,gauge,growright
#Legend3[SYSNAME.fan3]: Fan Set 3, Fan A RPMs
#Legend2[SYSNAME.fan3]: Fan Set 3, Fan b RPMs
YLegend[SYSNAME.fan3]: RPMs
ShortLegend[SYSNAME.fan3]: RPMs&nbsp;
LegendI[SYSNAME.fan3]: &nbsp;Fan Set 3, Fan A RPMs:&nbsp;
LegendO[SYSNAME.fan3]: &nbsp;Fan Set 3, Fan A RPMs:&nbsp;
MaxBytes[SYSNAME.fan3]: 1

Target[SYSNAME.risertemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com ri`
PageTop[SYSNAME.risertemp]: <H1>Motherboard Riser(s)</H1>
Title[SYSNAME.risertemp]: Motherboard Riser(s)
Options[SYSNAME.risertemp]: nopercent,gauge,growright
#Legend1[SYSNAME.risertemp]: Motherboard Riser
#Legend2[SYSNAME.risertemp]: Motherboard Riser
YLegend[SYSNAME.risertemp]: Degrees Celcius
ShortLegend[SYSNAME.risertemp]: Degrees C&nbsp;
LegendI[SYSNAME.risertemp]: &nbsp;Degrees C Motherboard Riser:&nbsp;
#LegendO[SYSNAME.risertemp]: &nbsp;Degrees C Motherboard Riser:&nbsp;
MaxBytes[SYSNAME.risertemp]: 100

Target[SYSNAME.pstemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com ps`
PageTop[SYSNAME.pstemp]: <H1>Power Supply Temperature(s)</H1>
Title[SYSNAME.pstemp]: Power Supply Temperature(s)
Options[SYSNAME.pstemp]: nopercent,gauge,growright
#Legend1[SYSNAME.pstemp]: Temperature Power Supply #0
#Legend2[SYSNAME.pstemp]: Temperature Power Supply #1
YLegend[SYSNAME.pstemp]: Degrees Celcius
ShortLegend[SYSNAME.pstemp]: Degrees C&nbsp;
LegendI[SYSNAME.pstemp]: &nbsp;Degrees C PS#0:&nbsp;
LegendO[SYSNAME.pstemp]: &nbsp;Degrees C PS#1:&nbsp;
MaxBytes[SYSNAME.pstemp]: 100

Target[SYSNAME.batvolt]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com cb`
PageTop[SYSNAME.batvolt]: <H1>CMOS Battery Voltage</H1>
Title[SYSNAME.batvolt]: CMOS Battery Voltage
Options[SYSNAME.batvolt]: nopercent,gauge,growright
#Legend1[SYSNAME.batvolt]: Temperature CPU#0
#Legend2[SYSNAME.batvolt]: Temperature CPU#1
YLegend[SYSNAME.batvolt]: Volts DC
ShortLegend[SYSNAME.batvolt]: Volts C&nbsp;
LegendI[SYSNAME.batvolt]: &nbsp;Volts CMOS Battery:&nbsp;
#LegendO[SYSNAME.batvolt]: &nbsp;Degrees C CPU#1:&nbsp;
MaxBytes[SYSNAME.batvolt]: 6

Target[SYSNAME.cputemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com cpu`
PageTop[SYSNAME.cputemp]: <H1>CPU Temperature(s)</H1>
Title[SYSNAME.cputemp]: CPU Temperature(s)
Options[SYSNAME.cputemp]: nopercent,gauge,growright
#Legend1[SYSNAME.cputemp]: Temperature CPU#0
#Legend2[SYSNAME.cputemp]: Temperature CPU#1
YLegend[SYSNAME.cputemp]: Degrees Celcius
ShortLegend[SYSNAME.cputemp]: Degrees C&nbsp;
LegendI[SYSNAME.cputemp]: &nbsp;Degrees C CPU#0:&nbsp;
LegendO[SYSNAME.cputemp]: &nbsp;Degrees C CPU#1:&nbsp;
Re: ipmi(4) (IPMI MIB?)
All: Regarding the future of IPMI and SNMP, where do they intersect in the evolution of enterprise free software (aka, BSD) ?

Specifically, the OpenBSD implementation we're seeing here seems to provide sysctl style access to Sensor data, watchdog info, etc., but what about other IPMI functions? For those, you still need the ipmitool(8) from Sourceforge. A kernel interface is nice, but ipmitool -H 1.2.3.4 chassis reset or off are obviously beyond the scope of this implementation.

The problem is that the data is useless unless you can collect using something like SNMP. From there you can feed to MRTG for simple graphing, SNMP Traps for from the agent for events (case intrusion detection, etc.) Perl modules for data archiving, etc.

What about more practical examples of IPMI - Net-SNMP integration. Two come to mind: Platform independent environmental sensor data and chassis information. The latter isn't available via the kernel on any OS that I know of, and the former isn't unified (various ways of talking to W83781D, W83782D, W83783S, LM78, LM79 and the AS99127F) chips. But IPMI, could standardize that.

For example, the ipmitool(8) values of chassis status or sensor:

$ ipmitool -E sensor
[temperature, fans, voltages omitted]

Then 4 or 5 values that you simply cannot get from ISA based environmental ICs are available:

OS Watchdog|0x0|discrete|0x0080|na|na|na|na|na|na
SEL
Intrusion
PSRedundancy
FanRedundancy

Also, these aren't showing up in my hardware, but:

Error reading sensor PCI Parity Err (#04)
Error reading sensor PCI System Err (#05)
Error reading sensor SCSI Connector A (#02)
Error reading sensor Drive (#01)
Error reading sensor ECC Corr Err (#01)
Error reading sensor ECC Uncorr Err (#02
Error reading sensor Memory Mirrored (#12)
Error reading sensor Memory RAID (#13)
Error reading sensor Memory Added (#14)
Error reading sensor Memory Removed (#15)

If that information was populated, that would be very exciting (For example, Drive failure notification via IPMI? Perhaps in RAID?)

Also:

$ ipmitool -E chassis status
System Power : on
Power Overload : false
Power Interlock : inactive
Main Power Fault : false
Power Control Fault : false
Power Restore Policy : always-off
Last Power Event :
Chassis Intrusion: inactive
Front-Panel Lockout : inactive
Drive Fault : false
Cooling/Fan Fault: false
Sleep Button Disable : allowed
Diag Button Disable : allowed
Reset Button Disable : allowed
Power Button Disable : allowed
Sleep Button Disabled: true
Diag Button Disabled : true
Reset Button Disabled: true
Power Button Disabled: true

It would be extremely useful to be able to map these values directly into a Net-SNMP MIB's values as booleans then use defaultMonitor / DISMAN-EVENT-MIB for the event-style bits and other integers for the traditional sensor data (fan RPMs, thermometer).

In the mean time, it may be possible to use Net-SNMP's built in Perl support to read sysctl(2) data from OpenBSD and parse the output of ipmitool(8) (ipmitool(8) has a -c flag to CSV output, but it doesn't seem to work in combination with the 'sensor' command -- suks) on other BSD's, but I'm not sure how that process would begin (an OID tree would need to be assigned to IPMI?)

~BAS
Re: Annoying echoes in console DRAC III/XT on DELL Poweredge
On Fri, 13 Jan 2006, Xavier Milliès-Lacroix wrote:

> Sorry for the delay. In the BIOS I have found 'USB Controller' with 3 options:
>
> Sets the USB controller to On with BIOS Support, On Without BIOS Support, or Off. If you have a PS/2 keyboard attached, On Without BIOS Support disables BIOS USB support. If you do not have a PS/2 keyboard attached and select On Without BIOS Support, USB mouse and keyboard devices function only during the boot process. When set to On With BIOS Support, USB mouse and keyboard devices are controlled by the BIOS until an operating system driver is loaded.
>
> But none are working. Any other ideas?

Wscons may not be available during the initial install if that's what you're trying to do; otherwise all new USB keyboards connected while the system is running should get MUX'd in. Compile a kernel w/o wscons or wskbd? I dunno. I'd really have to play with it. All that I can personally attest to is: It works fine with Drac/4 on FreeBSD 5.x =/

~BAS

> -----Original Message-----
> From: Brian A. Seklecki [mailto:[EMAIL PROTECTED]
> Sent: Monday, 5 December 2005 02:11
> To: Xavier Milliès-Lacroix
> Cc: misc@openbsd.org
> Subject: Re: Annoying echoes in console DRAC III/XT on DELL Poweredge
>
> The thing emulates a USB keyboard. Try toggling legacy emulation mode in the BIOS.
>
> ~BAS
>
> On Thu, 2005-12-01 at 03:55, Xavier Milliès-Lacroix wrote:
> > Hello, I'm trying to install OBSD 3.8 on a Dell Poweredge 750 server using the Card DRAC III/XT (provides remote console/screen). But each time a key is pushed I have the letter repeated on the console. I have put the last firmware for the DRAC Card. I have searched but didn't find any answer. I can't install OBSD remotely! Have you already met this issue? Is it a java problem (the remote access is done via http and a java virtual machine)?
> >
> > Xavier.

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: isakmpd + gre crashing on OpenBSD 3.8
But as soon as I start an scp from Perspex to Soekris, Perspex reboots after a few hundred kb. Unfortunately, Perspex is in a datacenter and I do not have console access to it to see what the heck is happening at that exact moment.

I don't recall. But for the record (IPSEC inside GRE): If the Transport IPSEC connection is negotiated between two hosts inside the GRE tunnel private subnet and the IPSEC connection goes down, the data flows in cleartext. *bad*

The opposite would be (GRE-inside-IPSEC-Transport): If the Transport IPSEC tunnel is built between the two hosts' public interfaces and the GRE tunnel is built normally and thus encrypted, things should work. Of course, we run into the crash.

The trick was I tried it on OpenBSD/Sparc where there is no-such-thing as Flash back to the BIOS and it turns out a Sun watchdog timer is getting hit. Watchdog timers on i386 must cause the BIOS to reset. So the problem is in-kernel and the config is probably too obscure for developers to spend time on.

My solution was to re-IP my network properly, and use IP Supernets/summarization/subnet aggregation thus consolidating the need for so many spokes on a hub-and-spoke VPN config.

~~BAS

I noticed that there were no responses to your thread, but I was wondering if you had worked out your problem or if you decided to go the ipsec encapsulated in gre.

Cheers, /Jason

-- Jason Taylor e: [EMAIL PROTECTED] m: 514-815-8204
Re: OpenBSD beep
PC speaker beep (something action on the console?) Or possibly hardware alarm?

~BAS

On Sat, 2005-12-17 at 09:12, dimaz wrote:

> I've installed OpenBSD on my small server, before on server was linux, and 2-3 times a day my server beeps (3 times)... What does it mean? And how can I control these beeps?
Re: UltraSparc documentation
> There is the (expensive) Real Weasel for x86 kit, Dell's crappy lights

DRAC/4 isn't that bad :} You can always use serial console redirection on the 1850s/2850s; it works well until OS boot (BIOS menus works, RAID, IPMI menus), when you have to setup serial console redirection on the boot loader/kernel, and then start a getty on the com. Plus you have hardware level IPMI (cold boots, etc.) which you can tag with a VLAN. It's not Sun, though.

~BAS

> out card isn't a reliable option. Any thoughts welcome.
Re: RAIDframe issues on 3.8
> started filing PR's for RAIDframe stuff in OpenBSD -- there have been a lot of changes/fixes to RAIDframe in the last 5 years that aren't

I have $100 via Paypal for the person who commits RAID enabled boot blocks for Sparc[64] and i386/amd64 on OpenBSD. I have an additional $100 via Paypal for the person who makes an initial effort to re-sync the RAIDFrame codebase.

~BAS

> reflected in the code in OpenBSD, and I wouldn't know where to begin :)
>
> Later... Greg Oster
Re: *STUPID* IPSEC Routing Bug - No Default Gateway?!
> no, you just need a route to the destination, this is a known

a route to the destination of the tunnel...(that overlaps with the encap route...)...

> but and there's no simple fix. however, just create a network route for the peer that points back to the sender. this way

...or a route to the isakmpd peer? because technically one gets added to the route table by ARP:

    192.168.1.50 0:11:43:e8:2b:c6 UHLc 0 679672 - vlan30

...this of course would differ if there were multiple hops between the isakmpd peers.

~BAS

> you avoid sending out unencrypted traffic if the ipsec tunnels are down.
>
> -m
PF NAT Address Pool Source Interface
All:

It may seem rudimentary, but nowhere in the FAQ or man pages is it explicitly stated that the source address or address pool of a NAT translation must be assigned to an interface. Obviously it can either be a primary address (such as 99.9% of the PAT configurations on the Internet) or a series of IP Aliases assigned.

Furthermore, it doesn't actually state or recommend which interface the translated addresses should be assigned. Technically, it's irrelevant. In practice, it depends greatly on the overall network configuration (specifically, routing). As long as other hosts in the network know a discrete route to the subnet of the translated hosts via any interface on the device doing the translation.

The translation occurs to the packet's source address as it leaves the outbound interface (the one explicitly defined to the right of the -> in the pf.conf(5) rule), so one might casually assume to assign the pool/address there; however in my tests, I've found that it can be assigned to the same interface as the subnet being translated.

However, if a translation rule in pf.conf(5) exists but the destination address/pool (the address to be translated to, not the optional destination CIDR mask), OpenBSD will still happily transmit a translated packet out an interface with a source address foreign to that segment / whatever media.

Even if other hosts receive a packet and reply to it, they won't be able to ARP for it, and if they could, the original OpenBSD box will drop the reply with destination host/network unreachable (obviously).

Wouldn't a better behavior be to prevent the transmission of the packet in the same way that a socket cannot bind to a source port/ip if it is not assigned to an interface?

Thoughts?

TIA, BAS
Re: OpenBSD 3.8 and Dell 1850 with PERC4/DC controller
I've only had the priv. to run OpenBSD on the 750 and 850 1Us from Dell. However I have a number of FreeBSD 5.3x hosts on single and dual-proc 1850 models, some with RAID and some with standard SCSI.

The standard SCSI config (on which I run software RAID) probes as:

    NAME mpt(4) -- LSI Fusion-MPT SCSI/Fibre Channel driver

    mpt0: LSILogic 1030 Ultra4 Adapter port 0xec00-0xecff mem 0xdfde-0xdfde,0xdfdf-0xdfdf irq 34 at device 5.0 on pci2
    mpt0: [GIANT-LOCKED]
    ses0 at mpt0 bus 0 target 6 lun 0
    da0 at mpt0 bus 0 target 0 lun 0
    da1 at mpt0 bus 0 target 1 lun 0

The hardware RAID (with cache and battery and all) probes as:

    NAME amr(4) -- AMI MegaRAID PCI-SCSI RAID driver

    amr0: LSILogic MegaRAID mem 0xdfde-0xdfdf,0xd80f-0xd80f irq 46 at device 14.0 on pci2
    amr0: [GIANT-LOCKED]
    amr0: LSILogic PERC 4e/Si Firmware 521S, BIOS H430, 256MB RAM
    amrd0: LSILogic MegaRAID logical drive on amr0
    amrd0: 69880MB (143114240 sectors) RAID 1 (optimal)

Maybe check your invoice?

~BAS

On Mon, 5 Dec 2005, shane mullins wrote:

> We have a Dell 1850 with a PERC4/DC controller. When I try installing OpenBSD 3.8, I am having some troubles. 3.8 sees the card with the mpt0 driver, which will not recognize my RAID1 config. The hardware compatibility guide tells me the mpt0 is support for a standard scsi card. According to the hardware guide, the correct driver for RAID support is ami. When I boot with boot -cs and add the ami driver support, I get a no disk drive support. To check the drive config I installed and booted another OS. Any help/comments would be greatly appreciated.
>
> Thanks
> Shane
*STUPID* IPSEC Routing Bug - No Default Gateway?!
All:

I'm CC'ing everyone who has previously posted the destination host unreachable behavior when setting up a generic 4-host IPSec VPN tunnel config per the template in vpn(8) / isakmpd.conf(5).

NOTE: This is not the "I can't ping the other side of the tunnel from the remote gateway because I forgot to specify the source IP flag to ping(8)" bug.

In the template, gateway A and B share a WAN circuit, normally an ethernet segment (a /30 for example). Each has a CIDR of RFC1918 Space on a second interface (a /24 for example).

The tunnel(s) comes up, netstat -rn -f encap shows the ipsec routes, ipsecadm(8) shows the flows.

However: If gateway A sends an ICMP packet using ping(8)'s -I with a source address of the private subnet on its second interface to the IP on the private/second interface on gateway B, the packet gets properly encapsulated and transmitted per pflog0.

However, if the destination of the ICMP ping is an IP in the subnet assigned to the Ethernet segment on Gateway B's private/second interface, the packet:

- crosses the tunnel
- leaves the private interface, hits host X
- host X returns the packet to Gateway B
- Gateway B drops the packet, and returns Host X an ICMP host unreachable for Gateway A

As crazy as that sounds, it happens? And after hours of troubleshooting, the problem turns out to be??!?! [*drumroll*]

OpenBSD requires that gateway A and gateway B have a default route declared *EVEN THOUGH ONE IS NOT REQUIRED IN THE LAB CONFIGURATION*

1) If gateway A and gateway B have WAN interfaces on an ethernet segment such as a /30, they know the route to their respective WAN networks via directly connected route.
2) isakmpd/ipsec traffic can flow across that WAN network with no additional routing assistance.
3) Once the phase 2 negotiation is complete, both boxes know a new special ipsec route for a /24 via the ipsec peer.
4) TRAFFIC EGRESSING THE TUNNEL MUST HAVE A SOURCE ADDRESS THAT MATCHES THE ACL.

So why in the world would a default gateway be required? A default gateway is only required to reach subnets for which routes do not exist.

Try it. :} This is the second time I've been bitten by these pseudo routes. See PR 4314/system.

~BAS
Re: Annoying echoes in console DRAC III/XT on DELL Poweredge
The thing emulates a USB keyboard. Try toggling legacy emulation mode in the BIOS.

~BAS

On Thu, 2005-12-01 at 03:55, Xavier Milliès-Lacroix wrote:

> Hello, I'm trying to install OBSD 3.8 on a Dell Poweredge 750 server using the Card DRAC III/XT (provides remote console/screen). But each time a key is pushed I have the letter repeated on the console. I have put the last firmware for the DRAC Card. I have searched but didn't find any answer. I can't install OBSD remotely! Have you already met this issue? Is it a java problem (the remote access is done via http and a java virtual machine)?
>
> Xavier.
Re: multiple Local-IDs for isakmpd
I opened a PR on this earlier this year. Search my last name in query-pr. The Cisco 3000 supports SA Proposals with multiple discontiguous subnets.

~BAS

On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:

> hi,
>
> i have a situation where a branch office with multiple, non-overlapping, non-aggregatable local networks need to connect to the head office, via an ipsec tunnel. of course, the security gateway is also acting as a gateway to the internet (nat and the usual collateral stuff), and, as a matter of fact, some of the local networks are connected to it via openvpn (that is, it itself is a vpn concentrator of sorts, for openvpn tunnels).
>
> rough sketch:
>
>          -- branch office --            |             |   -- head office --
>                                         |             |
>     172.16.187.0/24  -                  |             |
>     172.19.47.0/24    \  +-----------+  |             |  +-----------+
>                        +-|security gw| - (ipsec tun) - |security gw| - ...
>     192.168.114.0/24  /  +-+---------+  |             |  +-----------+
>     192.168.2.0/24   -     |
>                             \ (internet etc..)
>
> it may also be the case that at the head office end, there will be more than one hosts/networks to be accessed, this is not clarified yet. i am not in control of the head office's concentrator, but i know that they are using a cisco 3060.
>
> how is this realized within isakmpd's configuration? i already have tried putting more than one ipv4_addr_subnets into the ipsec-id section, and even more than one ipsec-id section, but isakmpd throw them out (not surprise).
>
> if this cannot be realized within isakmpd, what other options do i have? pf route-tos/reply-tos are about the only thing i can think of... anything else?
>
> tia,
Re: OpenBSD 3.8 X.org on Sun Blade 100
I had a U5 270? 330? Mhz for a year or two; the only way to get into 1280x1024 (the max res of the monitor that it shipped with) was to drop into 8bpp. At 16/24 bpp, with the 8mb integrated ATI Rage 64 something something garbage, you had to use m64config(8) and put the framebuffer in ...1152x1024? 1152x768? Something like that. Your X.log shows those available...try them. I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp

Also, does the log really stop at:

    (EE) xf86OpenSerial: Cannot open device /dev/mouse Operation not permitted.
    (EE) Mouse0: cannot open input device
    (EE) PreInit failed for input device Mouse0

...is it possible X is crashing/core'ing at this state? Normally it will passively fail to open the mouse device, but who knows. Try:

    -allowNonLocalModInDev allow changes to keyboard and mouse settings
    -allowMouseOpenFail start server even if the mouse can't be initialized

Also 2:

    (--) Using wscons driver
    _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
    _XSERVTransSocketUNIXCreateListener: mkdir(/tmp/.X11-unix) failed, errno = 2
    _XSERVTransMakeAllCOTSServerListeners: failed to create listener for local

Is /tmp mounted MFS or so? Is it mode 777?

~BAS

On Thu, 17 Nov 2005, Simon Morgan wrote:

> On 17/11/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:
> > Wait...1280x1024 or 1600x1200 w/ 8MB of RAM? Is that right? Onboard video only occupies 8MB?
>
> Sorry, yes. AFAIK the onboard video is 8MB.
Re: OpenBSD 3.8 X.org on Sun Blade 100
On Thu, 17 Nov 2005, Simon Morgan wrote:

> On 17/11/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:
> > I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp
>
> I've now managed to get a display up. Many thanks to you and everyone else who offered advice. Unfortunately the mouse is still completely

Errr jumped the gun...was it the resolution at 1152 something...or was it something else?
Re: OpenBSD 3.8 X.org on Sun Blade 100
On Thu, 17 Nov 2005, Simon Morgan wrote:

> On 17/11/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:
> > I had a U5 270? 330? Mhz for a year or two; the only way to get into 1280x1024 (the max res of the monitor that it shipped with) was to drop into 8bpp. At 16/24 bpp, with the 8mb integrated ATI Rage 64 something something garbage, you had to use m64config(8) and put the framebuffer in ...1152x1024? 1152x768? Something like that. Your X.log shows those available...try them. I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp
Re: OpenBSD 3.8 X.org on Sun Blade 100
Wait...1280x1024 or 1600x1200 w/ 8MB of RAM? Is that right? Onboard video only occupies 8MB?

    (II) ATI(0): Using Block 1 MMIO aperture at 0x00426000.
    (II) ATI(0): MMIO write caching enabled.
    (--) ATI(0): 8192 kB of SDRAM (1:1) detected (using 8191 kB).
    (WW) ATI(0): Cannot shadow an accelerated frame buffer.
    (II) ATI(0): Engine XCLK 115.000 MHz; Refresh rate code 10.
    (--) ATI(0): Internal programmable clock generator detected.
    (--) ATI(0): Reference clock 29.500 MHz.

Try adding DefaultDepth 24 to your Screen section? It doesn't seem to automatically be picking a modeline. Xorg/XFree don't shine.

~BAS

On Wed, 2005-11-16 at 18:35, Simon Morgan wrote:

> Hi,
>
> I have a Sun Blade 100 and have just installed OpenBSD 3.8 on it and so far I'm very impressed. NetBSD, the supposed king of multi-platform, doesn't even support the keyboard! This is 5 year old hardware!
>
> Anyway, the problem I'm having is with X.org. Whenever I try and run it my monitor spits out an out of sync error and the only way (AFAIK) to regain a usable console is to shutdown the machine and boot it up again. Depending on the settings I use I'll either get a sub-error bitching about the frequencies or about the resolution (it complains that it's 1280x1024, which it isn't).
>
> I've trawled the mailing list archives and tried all the suggestions (mainly setting reference_clock) to no avail and was hoping that somebody here who knows more about X and/or Sun hardware could offer some insight.
>
> I've uploaded my xorg.conf and Xorg.0.log to http://16hz.net/~simon/SunBlade100/ in the hope that it will be of some use. If I've neglected to mention any pertinent information then please do say and I'll be happy to give it.
>
> Many thanks.
>
> Simon
Re: Tyan Thunder LE SMP issues
Why were they given to you? Something wrong with them perhaps. Try booting Memtest86+ ISO and let it ride for a while? Try another kernel from another OS? Try a non MP kernel?

~BAS

On Wed, 2005-11-16 at 22:01, Lokkju wrote:

> Hey all, hoping someone might be able to point me in some sort of direction...
>
> I recently was given two BOXX brand 1u servers, both of which are the exact same - Tyan Thunder LE 2510 dual proc motherboards, with two 867Mhz chips per board, and 4 256MB ram sticks per board. The rest you can get from the dmesg.
>
> Anyway, I have been trying to get OpenBSD to run on them, and I continuously have problems on processor 1 - and no, it does not matter WHICH processor is in slot 1. I usually get an apm error, but sometimes I get tcp related, or copyout related, or other errors - all ending up with me dumped into ddb. These are usually stopped errors, not panics. In this case, the error is an apm_cpu_idle stopped error.
>
> So, here it goes - the dmesg, the trace on each processor, and the ps - as a side note, I can almost always instigate this crash by trying to untar something big - especially if I use verbose mode.
>
> PANIC #
> Stopped at apm_cpu_idle+0x4a: leal 0xfff4(%ebp),%esp
> ddb{0} show panic
> the kernel did not panic
>
> DMESG *
> OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel Pentium III (GenuineIntel 686-class) 864 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
> real mem = 1073324032 (1048168K)
> avail mem = 972730368 (949932K)
> using 4278 buffers containing 53768192 bytes (52508K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(00) BIOS, date 10/31/00, BIOS32 rev. 0 @ 0xfdba0
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown, estimated 0:00 hours
> apm0: APM get event: interface not connected (3)
> apm0: APM get event: interface not connected (3)
> apm0: disconnected
> apm0: flags 30102 dobusy 0 doidle 0
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5200/192 (10 entries)
> pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks ROSB4 SouthBridge rev 0x00)
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc/0x8000 0xc8000/0x1000
> mainbus0: Intel MP Specification (Version 1.4) (AMI CNB30LE )
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 132 MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel Pentium III (GenuineIntel 686-class) 864 MHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
> mainbus0: bus 0 is type PCI
> mainbus0: bus 1 is type PCI
> mainbus0: bus 2 is type ISA
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 16 pins
> ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 11, 16 pins
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 ServerWorks CNB20LE Host rev 0x06
> pchb1 at pci0 dev 0 function 1 ServerWorks CNB20LE Host rev 0x06
> pci1 at pchb1 bus 1
> vga1 at pci0 dev 1 function 0 ATI Rage XL rev 0x27
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> fxp0 at pci0 dev 4 function 0 Intel 82557 rev 0x08, i82559: apic 5 int 4 (irq 11), address 00:e0:81:01:cb:ca
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> pcib0 at pci0 dev 15 function 0 ServerWorks ROSB4 SouthBridge rev 0x50
> pciide0 at pci0 dev 15 function 1 ServerWorks OSB4 IDE rev 0x00: DMA
> wd0 at pciide0 channel 0 drive 0: Maxtor 6Y060L0
> wd0: 16-sector PIO, LBA, 58644MB, 120103200 sectors
> wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
> ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x04: apic 4 int 10 (irq 10), version 1.0, legacy support
> usb0 at ohci0: USB revision 1.0
> uhub0 at usb0
> uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 4 ports with 4 removable, self powered
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pmsi0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pmsi0 mux 0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: PC speaker
> spkr0 at pcppi0
> sysbeep0 at pcppi0
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom0: console
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> biomask 0 netmask 0 ttymask 0
> pctr: 686-class user-level performance counters enabled
> mtrr: Pentium Pro MTRR support
> dkcsum: wd0 matches BIOS drive 0x80
> root on wd0a
> rootdev=0x0 rrootdev=0x300 rawdev=0x302
> WARNING: / was not properly unmounted
> Stopped at
Re: RAIDFrame, failed component
> I'm not sure what to make of 'component1'. It's not an explicit

For some reason, RAIDFrame refers to a missing drive component1 whenever the RAID device is initialized and the drive is absent.

~BAS

> device, did you use that string your raid0.conf? The first slot in these commands should refer to an explicit device.
Re: Problem with ISAKMPD
Are you expiring lifetime on bandwidth or time? Probably the defaults of whatever transforms suite you're using. Try manually defining it?

If you expire on time, say...10 minutes, you can tcpdump for udp 500 on either side at the expected time and watch the renegotiation. Maybe UDP packets are getting lost at renegotiation time. I had that problem once with pf where I was exhausting the max default states at 10,000 and new states were being refused with ICMP.

~BAS

On Sun, 2005-11-13 at 20:45, James Mackinnon wrote:

> Hey everyone
>
> I am hoping I am posting this to the correct list
>
> I am running an AMD 2200+ w/ 512mb of ram and all intel pro cards in my main location. I have 14 other locations connecting back to this 1 location and each location creates 3 tunnels to this system as I have 3 internal network segments I want available via VPN
>
> Platforms are:
> Main system: OpenBSD 3.7 Stable
> Remote locations: OpenBSD 3.5 and some OpenBSD 3.7
>
> At first, all locations come up fine, but then in approx 1 hour, 3 units stop communicating to the main firewall. They all have the same config (minor changes based on location and assigned ips of course). I was planning to finally get rid of my main checkpoint box and complete my migration to BSD but I had to revert back due to lack of time I had left to go back in case of an issue.
>
> My Main location is on Fiber
> All branches on DSL (pretty much same provider)
>
> My main location has approx 50 VPN Connection entries in it. My Branches connect to 3 VPN's.
>
> Example branch isakmpd.conf file
>
> [Phase 1]
> 12.12.12.12= peer-loc1
> 13.13.13.13= peer-loc2
> 14.14.14.14= peer-loc3
>
> [Phase 2]
> Connections=LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1
>
> [peer-loc1]
> Phase= 1
> Transport= udp
> Address=12.12.12.12
> Configuration= Default-main-mode
> Authentication= MYSUPERPASS
>
> [peer-loc2]
> Phase= 1
> Transport= udp
> Address=13.13.13.13
> Configuration= Default-main-mode
> Authentication= MYSUPERPASS
>
> [peer-loc3]
> Phase= 1
> Transport= udp
> Address=14.14.14.14
> Configuration= Default-main-mode
> Authentication= MYSUPERPASS
>
> [LOC1-SEG1]
> Phase= 2
> ISAKMP-peer=peer-loc1
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc1-seg1-Network
>
> [LOC1-SEG2]
> Phase= 2
> ISAKMP-peer=peer-loc1
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc1-seg2-Network
>
> [LOC1-SEG3]
> Phase= 2
> ISAKMP-peer=peer-loc1
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc1-seg3-Network
>
> [LOC2-SEG1]
> Phase= 2
> ISAKMP-peer=peer-loc2
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc2-seg1-Network
>
> [LOC3-SEG1]
> Phase= 2
> ISAKMP-peer=peer-loc3
> configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc3-seg1-Network
>
> [loc1-seg1-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.22.0
> Netmask=255.255.255.0
>
> [loc1-seg2-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.23.0
> Netmask=255.255.255.0
>
> [loc1-seg3-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.24.0
> Netmask=255.255.255.0
>
> [loc2-seg1-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.21.0
> Netmask=255.255.255.0
>
> [loc3-seg1-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.20.0
> Netmask=255.255.255.0
>
> [Loc-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.25.0
> Netmask=255.255.255.0
>
> [Default-main-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
> My isakmpd.policy file
>
> Keynote-version: 2
> Authorizer: POLICY
> Conditions: app_domain == IPsec policy esp_present == yes esp_enc_alg != null - true;
>
> I have run isakmpd -L, which I am still reviewing but most errors are below
>
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the responsemessage did not reach us back
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
> Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
> Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
> Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
> Nov 13 21:11:41 fw2
Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address
This is confirmed to work? I suppose that would resolve part of my problem with 4314/system

~BAS

On Thu, 2005-10-27 at 05:02, Runo Forrisdahl wrote:

> On Wed, Oct 26, 2005 at 02:40:52PM -0400, Roy Morris wrote:
> | I have been reading through the archives but have not found a reliable answer
> | yet. I have recently been converting vpns from manual to isakmpd, with one
> | of the other endpoints being a Cisco box. I can bring up a single subnet/IP
> | no problem but if I try to add another phase2 connection it fails.
> |
> | Does anyone have a config showing this setup?
>
> This config works for me after posting a similar question just a few days ago.
>
> [Phase 1]
> 192.168.15.1= cisco
>
> [Phase 2]
> Connections=tunnel-opengw-cisco,tunnel-opengw-cisco2
>
> [peer-opengw]
> ID-type=IPV4_ADDR
> Address=192.168.20.13
>
> [peer-cisco]
> ID-type=IPV4_ADDR
> Address=192.168.15.1
>
> [net-opengw]
> ID-type=IPV4_ADDR_SUBNET
> Network=172.16.15.0
> Netmask=255.255.255.0
>
> [net-cisco]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.0.0.0
> Netmask=255.255.254.0
>
> [net-cisco2]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.0.2.0
> Netmask=255.255.254.0
>
> [cisco]
> Phase= 1
> Transport= udp
> Local-address= 192.168.20.13
> Address=192.168.15.1
> Configuration= main-mode
> Authentication= Hemmelig
>
> [opengw-net]
> Phase= 1
> Network=172.16.15.0
> Netmask=255.255.255.0
> Configuration= main-mode
>
> [cisco-net]
> Phase= 1
> Network=10.0.0.0
> Netmask=255.255.254.0
> Configuration= main-mode
>
> [cisco2-net]
> Phase= 1
> Network=10.0.2.0
> Netmask=255.255.254.0
> Configuration= main-mode
>
> [tunnel-opengw-cisco]
> Phase= 2
> ISAKMP-peer=cisco
> Configuration= quick-mode
> Local-ID= net-opengw
> Remote-ID= net-cisco
>
> [tunnel-opengw-cisco2]
> Phase= 2
> ISAKMP-peer=cisco
> Configuration= quick-mode
> Local-ID= net-opengw
> Remote-ID= net-cisco2
>
> [rsa-main-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA-RSA_SIG
>
> [main-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [quick-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
Notes on RAID1 Root Tutorial Adaption
...a while back, i wrote a tutorial for RAIDFrame RAID1 as a root FS on NetBSD. I used the bootstrap method. Sometime not soon after, NetBSD added RAIDFrame to the INSTALL* kernels and presumably menus to sysinst, mitigating the need for this approach.

the bootstrap process is:

*) do a basic install on component0
*) use the base install to create a RAID set composed of a single member: component1
*) copy the system over
*) boot component1 in degraded mode
*) destroy the original install on component0 and import it into RAID
*) sync component1 back to component0

...however, this is still the applicable process for OpenBSD, as OpenBSD INSTALL and GENERIC kernels lack RAIDFrame. moreover, the boot blocks lack support for booting RAID volumes, so there are some caveats.

here are some notes for adapting the process:

Firstly, per: http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=4567

    pseudo-device raid4 # RAIDframe disk driver
    option RAID_AUTOCONFIG

...must be added to GENERIC. They are not present. Update your src and re-roll your kernel.

16.3.3. Initial Install on Disk0/wd0

for simplicity in the original tutorial, i recommend one big slash plus swap. it's important to note that although only a basic system is required on wd0/component0, you simplify the system bootstrap process by laying out the file system slices/mountpoints the way you plan on the eventual RAID volume (*even though* the sizes of slices will be different.) see below

16.3.3. Initial Install on Disk0/wd0

apparently /dev/{r,}wd[0-9] behave differently in obsd. instead of:

    # dd if=/dev/zero of=/dev/rwd1d bs=8k count=1

one would use

    # dd if=/dev/zero of=/dev/wd1c bs=8k count=1

note: use the character device instead of the raw device

...or disklabel -E wd1 and then D + w, but this method won't blow away the MBR label.

Next, instead of:

    # fdisk -0ua /dev/rwd1d

do:

    # fdisk -i wd1

and y at the prompt.

next instead of:

    # disklabel -r -e -I wd1

do:

    # disklabel -E wd1

or -e if you prefer $EDITOR style. create your file systems as you prefer.

this is where the process differs greatly. in the netbsd tutorial, i suggest disklabel'ing each RAID1 component member disk entirely a RAID slice. for a number of reasons, this must differ on openbsd.

i recommend that each member's a: slice be a 128mb 4.2BSD FFS slice.
i recommend b: be a RAID type slice the size of which the SWAP partition will be.
i recommend that d: be the remainder of the disk, type RAID

this will be explained later

    a d
    offset: [1310400]
    size: [25389630]
    FS type: [4.2BSD] RAID
    w
    p m
    device: /dev/rwd1c
    type: ESDI
    disk: ESDI/IDE disk
    label: IBM-DPTA-371360
    bytes/sector: 512
    sectors/track: 63
    tracks/cylinder: 16
    sectors/cylinder: 1008
    cylinders: 16383
    total bytes: 13043.0M
    free bytes: 0.0M
    rpm: 3600

    16 partitions:
    #        size    offset  fstype [fsize bsize cpg]
      a:   127.9M      0.0M  4.2BSD   2048 16384  16 # Cyl 0*- 259
      b:   511.9M    128.0M  RAID                    # Cyl 260 - 1299
      c: 13043.0M      0.0M  unused      0     0     # Cyl 0 - 26499
      d: 12397.3M    639.8M  RAID                    # Cyl 1300 - 26488*

16.3.5. Initializing the RAID Device

this step unchanged, except the magic absent keyword trick does not exist in raid.conf

of course, raidctl -C [.conf] and raidctl -I will need to be run for raid0 and raid1. -I should have different serials for each, so 2005101801 for raid0 and 2005101801 for raid1.

16.3.6. Setting up Filesystems

unchanged.

when disklabel(8)'ing raid0, a: can be offset 0, size of the entire meta-disk, type swap

when disklabel(8)'ing raid1, a:, b:, d: - m: can be your optimal slice configuration. use the disklabel on wd0 as your reference. however there's an offset because b: on wd0 was your original swap partition on your initial system, therefore map as so:

    wd0:  raid1:
    a:    a:
    d:    b:
    e:    d:
    f:    e:
    ...

When newfs(8)'ing, raw devices must be used. the following would need to be newfs(8)'d, -0 flag does not apply.

    /dev/rwd1a
    /dev/rraid1a
    /dev/rraid1b
    /dev/rraid1d
    /dev/rraid1e

/dev/rraid0a will be swap and does not need to be newfs(8)'d

16.3.8. Migrating System to RAID

two changes: instead of using pax(1) to recursively copy / from the wd0 base install to the FFS/UFS/4.2BSD slices on /dev/raid1, i recommend using dump(1)/restore(8) instead (because they work on the file system level)

if the base install looked something like:

    # df
    Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
    /dev/wd0a     1035440    38460   945208     4%    /
    /dev/wd0g     2812608       12  2671966     0%    /home
    /dev/wd0d     4125138  1285796  2633086    33%    /usr
    /dev/wd0e     2062928     8086  1951696     0%    /var
    /dev/wd0f     2062928       88  1959694     0%    /var/log

then the steps would be:

    # mkdir
Re: keep state and PF Queues
I was just curious if any of the developers (or experts) would care to articulate officially :}

~BAS

On Wed, 19 Oct 2005, William Bloom wrote:

The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-).

Bill

Brian A. Seklecki wrote:

Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues?

One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule...

There should be some remarks on this in pf.conf(5)

TIA,
~BAS

--
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: Carp / VLAN and net.inet.carp.preempt=1
On Fri, 21 Oct 2005, Xavier Beaudouin wrote:

Hello there,

I have 2 openbsd box (that does as well openbgpd but this is not the aim of this mail).

Question is that any problems to do

    sysctl net.inet.carp.preempt=1

and

    ifconfig em0 up
    ifconfig vlan0 vlan 11 vlandev em0

Each machine must have a trunk link from the single switch (or if you have redundant switch fabric, two switches that are themselves trunked). Effectively in the same ethernet segment.

Each OpenBSD machine will have a Vlan11 interface presented to it. Each must have an IP within the subnet. Then, the CARP interface will share another (3rd) IP in the same subnet.

So if you've got a /24, the CARP VIP could be .1 and each Box's vlan11 could be .2 and .3.

~BAS

I don't know how you plan to sync the BGP table between the two. I know PF tables and ISAKMPd states are syncable.

Peace,
~BAS

    ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0

In each routers / carp border machines to have full redundancy ?

Thanks :)
/Xavier

--
If you keep trying, you end up succeeding. So the more it fails, the better the chance that it works... (Shadok proverb)

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: passwd: /sbin/nologin --- not working for me
You said you entered into those files. Did you vi(1) them manually? Did you rebuild the database afterward? When you finger the user, what does the shell show up as?

Use either vipw(8) as root, to do this, or use chfn(1) as the user.

~BAS

On Fri, 21 Oct 2005, morla wrote:

hello all,

i just made up a second account on my box and wanted to prevent the old one from logging into it, due i want to keep it for email retrieval.

when i enter something like

    morla:*:1000:1000:morla:/home/morla:/sbin/nologin

into /etc/passwd and a similar entry into /etc/master.passwd shouldn't this keep me out???

please be careful with me, i am relatively new to bsd...

thanks all
morla

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: Statefull VPN failover a fork from Re: iptables vs pf
More to the point, how to find this info.

1: Go to http://www.openbsd.org/cgi-bin/man.cgi
2: click apropos
3: make sure current is selected
4: query sync
5: click on sasyncd(8) and sasyncd.conf(5)

http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncdsektion=8apropos=0manpath=OpenBSD+Currentarch=i386
http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncdsektion=8apropos=0manpath=OpenBSD+Currentarch=i386

6: Once intimately familiar with the process, write some Docs and submit them for translation.

Also, someone at NYC BSDcon 05 gave a presentation and had slides. Try to find those too.

Best of luck.

~BAS

On Thu, 20 Oct 2005, [EMAIL PROTECTED] wrote:

I have been moving a single Linux FW to a pair of OBSD machines, lured by carp and pfsync. This has been working well in my test environment. This also lead me to vpns running with ISAKMPD, replacing a Freeswan box, and forestalling purchasing proprietary products for site to site partner vpns.

THE POINT: Where will I find docs that explains how this is done

Oh, and when your 3.8 VPNs failover statefully, too. :)

?

-Original Message-
From: Jason Dixon [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 20, 2005 02:07 AM
To: 'Edy Purnomo'
Cc: misc@openbsd.org
Subject: Re: iptables vs pf

On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote:

i suggested to my friend to replace his linux box to openbsd. he uses mainly for internet gateway : pf + squid proxy

after 2 weeks later he switched it back linux and said : linux much faster to respond the http requests (he had a same configuration on openbsd, pf + squid proxy).

is there any program that can proof what he says ?

thanks.

Three points:

1) No way in hell is iptables faster than PF.
2) His box _may_ pass traffic faster, but this is almost certainly due to the support level of the hardware. Without real information, it's hard to qualify this.
3) Who cares? Why are you worried about what your friend uses? If it works for him, so be it.

Rather than trying to bring him over cuz PF is l33t, just make sure you mention how cool it is when your stateful firewalls run 24x7. Oh, and when your 3.8 VPNs failover statefully, too. :)

http://www.openbsd.org/goals.html

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: keep state and PF Queues
If a TCP flow is egressing an interface at 2000k/s (17-18mbps), it might be causing as much as 300kbps of ACK traffic. That traffic really doesn't get queued on return at the same interface it's egressing.

However, I have noticed that, if a traffic flow is passing through a router (say, the same flow as before, egressing an upstream interface at 2000k/s) and a rule set exists on the interface the flow is ingressing from (on its way through to the previously mentioned egress interface), the ACK traffic will get queued leaving that sender facing interface, on its way back to the sender.

So really, keep state has no impact?

~BAS

On Fri, 21 Oct 2005, Henning Brauer wrote:

well, I did numerous times in the past.

the misunderstanding most of you have is that queue assignment and the actual queueing are separate things. you assign a queue with the name X somewhere, be it by a rule in the inbound path or the outbound, or a state in either direction, and when we hit the enqueuing on the outbound interface we check whether the packet in question is tagged to be put in a specific queue. if so, and a queue by the desired name exists on the given interface, we do so, otherwise it goes to the default queue.

* Brian A. Seklecki [EMAIL PROTECTED] [2005-10-21 17:59]:

I was just curious if any of the developers (or experts) would care to articulate officially :}

~BAS

On Wed, 19 Oct 2005, William Bloom wrote:

The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-).

Bill

Brian A. Seklecki wrote:

Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues?

One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule...

There should be some remarks on this in pf.conf(5)

TIA,
~BAS

--
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Dell PowerEdge SC1420 w/ CERC SATA 2S RAID
For the record, these systems run 3.7/i386 rock solid. Just forget entirely about using the Software Assist RAID support on the motherboard and use RAIDFrame instead.

In the BIOS, you can toggle it between RAID and NON-RAID mode, but it makes no difference. The kernel probes it just the same. Even if you go into the CERC SATA 2S RAID BIOS v2.1, which is actually an Adaptec menu. It actually probes as Intel 82801ER SATA on all the BSDs.

It should be noted that the RAID Mode does indeed only show one low-level DOS disk signature at 0x80 if you go into the menu and build an array. However, the kernel doesn't probe a meta-disk in either mode. Just the individual components on each SATA channel

l8r,
~lava

Below as follows:

- Entire OpenBSD dmesg(8), NetBSD-current relevant info on the controller, then FreeBSD.
keep state and PF Queues
Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS
Re: em(4) problems with -current
I'll double check this today and verify. Will the IPMI on the motherboard only work with the onboard ethernet controllers, or will it get its grubby little hands on any/all controllers it finds? If it only

The IPMI configuration screen gives you the option of configuring which Interface to bind to, at least on some models, and on others it defaults to the first onboard.

Like I said, you can use tcpdump(8) with an address or host syntax of the IPv4 of the IPMI address. Try enabling it and pinging it, watch for the ICMP to/from the IPMI host, which will strangely and bizarrely appear to be on the same ethernet segment as the interface visible to the OS.

It's like having an IP Alias configured that you can't see :}}}

I like to VLAN tag my IPMI stuff. God hates the BOFH.

~BAS

works with the onboard, then maybe switching to the PCI card ports will be a sufficient workaround.
Re: em(4) problems with -current
On Wed, 19 Oct 2005, Theo de Raadt wrote:

Someone with one of these problematic cards should put it in the

It isn't so much a bug; more so a caveat of Dell's implementation. Maybe you can order PowerEdge 1850s w/o a hardware IPMI implementation, but I don't think it's an issue that warrants chewing up precious cycles in a developer's schedule.

~BAS

mail to Brad in Toronto. That is your best bet.
Shared Queues / Queuing on Multiple Interfaces
I think I fumbled last week when I posted this original message in reply to one several months old (causing it to not be seen by MUA threading)

The question remains: Can traffic travelling ingress on one-of-a-three-interface router be queued as it egresses the other two possible interfaces, enforcing a Frame-Relay CIR style sharing policy, but allowing either queue to borrow up to the maximum possible Downstream bandwidth on the original interface?

See URL and msg below:

http://digitalfreaks.org/~lavalamp/Queues.png

~BAS

-- Forwarded message --
Date: Mon, 3 Oct 2005 11:28:24 -0400 (EDT)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: Henning Brauer [EMAIL PROTECTED]
Cc: misc@openbsd.org, Tony Sarendal [EMAIL PROTECTED], jared r r spiegel [EMAIL PROTECTED], Seamus Wassman [EMAIL PROTECTED]
Subject: Queing on Multiple Interfaces Revisited (WAS: Re: matching queues in both directions with stateful rulesets)

On Mon, October 25, 2004 12:50 pm, Henning Brauer said:

* Tony Sarendal [EMAIL PROTECTED] [2004-10-25 16:48]:

Is there a way to assign which queues stateful traffic will use in both directions ?

yes, you can have queues with the same names on multiple interfaces. i. e. you create the queue customer1 on both your external (dc0) and his interface (vlan1). outbound will go to the one on dc0, inbound to the one on vlan1.

A better topic would be perhaps upstream bandwidth distribution...downstream

All, the PF FAQ states several fundamentals about queuing:

1) queuing is only useful for packets in the outbound direction

..then later:

2) Note that queue designation can happen on an interface other than the one defined in the altq on directive: [...example rule set..] Queueing is enabled on fxp0 but the designation takes place on dc0. If packets matching the pass rule exit from interface fxp0, they will be queued in the ftp queue. This type of queueing can be very useful on routers.

-

I think a lot of confusion on this topic of multiple interfaces originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic inbound on one interface (of which the destination traffic matched will travel outbound on an interface on which queuing is enabled) and applying it to the outbound queue of the designated interface (point #2 above) differs in behavior from simply matching traffic outbound on said queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as direction, inbound, outbound, upstream, downstream, ingress, egress, etc., this is especially important with regards to the naming conventions on queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue:

Let's look at an example like a Frame Relay network might: say that your objective is an SLA for your customers worded as so:

Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps bi-directional CIR. Both may borrow from the total available.

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream external interface is broadband/narrowband delivered via Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is synchronous/symmetric
*) Customer handoff is 100mbs Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a perimeter router with a pass all style ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce upstream or outbound queues on xl0.

    altq on xl0 cbq queue { std-up cust1-up cust2-up }
    queue std-up cbq(default ecn)
    queue cust1-up bandwidth 10Mb cbq(ecn)
    queue cust2-up bandwidth 10Mb cbq(ecn)

    pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
    pass out on xl0 from $vlan20_subnet to any keep state queue cust2-up
    # these filters will match customer FTP uploads and HTTP GETs from customer-hosted web servers, etc.
    # this rule is redundant because the traffic would be forwarded anyway, it exists simply to match traffic into a queue and create a state table entry while we're at it.

...

But then let's say you want to invert those rules.

**NOTE**, if customer1 and customer2 were visible via the same interface, then you could easily create a queue on that shared customer-facing interface with a bandwidth statement that matches the max hypothetical downstream speed of the broadband connection. Then divvy it up using sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as pass in on $ext_if
2) You could create non-stateful matching rules as pass out on $cust1 ..., pass out on $cust2...,

But the question remains: Into what queue? What type of queue would be used to designate a policy for downstream traffic flows that are traveling
Queing on Multiple Interfaces Revisited (WAS: Re: matching queues in both directions with stateful rulesets)
On Mon, October 25, 2004 12:50 pm, Henning Brauer said:

* Tony Sarendal [EMAIL PROTECTED] [2004-10-25 16:48]:

Is there a way to assign which queues stateful traffic will use in both directions ?

yes, you can have queues with the same names on multiple interfaces. i. e. you create the queue customer1 on both your external (dc0) and his interface (vlan1). outbound will go to the one on dc0, inbound to the one on vlan1.

A better topic would be perhaps upstream bandwidth distribution...downstream

All, the PF FAQ states several fundamentals about queuing:

1) queuing is only useful for packets in the outbound direction

..then later:

2) Note that queue designation can happen on an interface other than the one defined in the altq on directive: [...example rule set..] Queueing is enabled on fxp0 but the designation takes place on dc0. If packets matching the pass rule exit from interface fxp0, they will be queued in the ftp queue. This type of queueing can be very useful on routers.

-

I think a lot of confusion on this topic of multiple interfaces originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic inbound on one interface (of which the destination traffic matched will travel outbound on an interface on which queuing is enabled) and applying it to the outbound queue of the designated interface (point #2 above) differs in behavior from simply matching traffic outbound on said queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as direction, inbound, outbound, upstream, downstream, ingress, egress, etc., this is especially important with regards to the naming conventions on queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue:

Let's look at an example like a Frame Relay network might: say that your objective is an SLA for your customers worded as so:

Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps bi-directional CIR. Both may borrow from the total available.

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream external interface is broadband/narrowband delivered via Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is synchronous/symmetric
*) Customer handoff is 100mbs Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a perimeter router with a pass all style ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce upstream or outbound queues on xl0.

    altq on xl0 cbq queue { std-up cust1-up cust2-up }
    queue std-up cbq(default ecn)
    queue cust1-up bandwidth 10Mb cbq(ecn)
    queue cust2-up bandwidth 10Mb cbq(ecn)

    pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
    pass out on xl0 from $vlan20_subnet to any keep state queue cust2-up
    # these filters will match customer FTP uploads and HTTP GETs from customer-hosted web servers, etc.
    # this rule is redundant because the traffic would be forwarded anyway, it exists simply to match traffic into a queue and create a state table entry while we're at it.

...

But then let's say you want to invert those rules.

**NOTE**, if customer1 and customer2 were visible via the same interface, then you could easily create a queue on that shared customer-facing interface with a bandwidth statement that matches the max hypothetical downstream speed of the broadband connection. Then divvy it up using sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as pass in on $ext_if
2) You could create non-stateful matching rules as pass out on $cust1 ..., pass out on $cust2...,

But the question remains: Into what queue? What type of queue would be used to designate a policy for downstream traffic flows that are traveling inbound via an upstream interface, processed by the router, and forwarded outbound via two downstream interfaces, ***while SHARING the available downstream bandwidth available via the inbound interface***

It's as if there needs to almost be a separate type of queue not affiliated with an Interface, i.e., the ingress/egress queue for matching traffic switched from interface-to-interface.

We keep saying, you can't queue inbound, which makes sense. But you need a technique for queuing a shared ingress

~BAS

--
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)

--
l8r*
--
~ Brian A. Seklecki

From back in the heady days when 'Help Desk' meant nothing, 'Disk Quota' meant everything, and lives could be bought and sold for a couple of pages of laser printout...and frequently were.
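The split Henning Brauer describes in the "keep state and PF Queues" thread (a queue name is assigned by a rule or a state, and enqueueing happens later on the outbound interface, with a fall back to the default queue) and his 2004 reply quoted above about same-named queues on dc0 and vlan1 can be traced with a small model. This is an added example, not PF source code and not code from any poster; dc0, vlan1 and customer1 come from the 2004 reply, while vlan2, customer2, the addresses and the simplified rule and state matching are assumptions.

```python
"""Toy model (not PF source) of ALTQ queue assignment versus enqueueing."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str    # interface the packet arrived on
    out_if: str   # interface routing picked for it to leave by


@dataclass(frozen=True)
class Rule:
    direction: str           # "in" or "out"
    iface: str
    src_net: str
    queue: str
    keep_state: bool = True


class Router:
    def __init__(self, altq, rules):
        # altq maps interface -> {"default": name, "queues": {names}}
        self.altq = altq
        self.rules = rules
        self.states = {}     # flow key -> queue name stored with the state

    @staticmethod
    def flow_key(pkt):
        # Assumption: a flow is just its two addresses; real states also
        # carry protocol and ports. One entry covers both directions.
        return frozenset((pkt.src, pkt.dst))

    def assign(self, pkt):
        """Step 1, assignment: return the queue name tagged on the packet."""
        key = self.flow_key(pkt)
        if key in self.states:
            return self.states[key]          # state hit, ruleset not consulted
        matched = None
        for rule in self.rules:              # last matching rule wins
            iface = pkt.in_if if rule.direction == "in" else pkt.out_if
            net = ipaddress.ip_network(rule.src_net)
            if rule.iface == iface and ipaddress.ip_address(pkt.src) in net:
                matched = rule
        if matched is None:
            return None
        if matched.keep_state:
            self.states[key] = matched.queue
        return matched.queue

    def enqueue(self, pkt):
        """Step 2, enqueueing: always on the interface the packet leaves by."""
        tag = self.assign(pkt)
        cfg = self.altq.get(pkt.out_if)
        if cfg is None:
            return None                      # no ALTQ on that interface
        name = tag if tag in cfg["queues"] else cfg["default"]
        return (pkt.out_if, name)


def build_demo_router():
    # Constructed configuration: customer1 exists on both dc0 and vlan1,
    # customer2 exists on dc0 only (hypothetical second customer).
    altq = {
        "dc0": {"default": "std", "queues": {"std", "customer1", "customer2"}},
        "vlan1": {"default": "std", "queues": {"std", "customer1"}},
        "vlan2": {"default": "std", "queues": {"std"}},
    }
    rules = [
        Rule("in", "vlan1", "10.0.1.0/24", "customer1"),
        Rule("in", "vlan2", "10.0.2.0/24", "customer2"),
    ]
    return Router(altq, rules)


if __name__ == "__main__":
    router = build_demo_router()
    flows = [  # constructed sample traffic
        Packet("10.0.1.5", "198.51.100.7", "vlan1", "dc0"),
        Packet("198.51.100.7", "10.0.1.5", "dc0", "vlan1"),
        Packet("10.0.2.9", "198.51.100.7", "vlan2", "dc0"),
        Packet("198.51.100.7", "10.0.2.9", "dc0", "vlan2"),
    ]
    for pkt in flows:
        print(pkt.src, "->", pkt.dst, "queued as", router.enqueue(pkt))
```

In this model the reply for customer 2 lands in the default queue on vlan2 because no queue named customer2 exists there, which is the fall-back behaviour described in the thread.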
Netgear WG311 and ath driver on amd64.
with IntelliEye(TM), rev 1.10/3.00, addr 2, iclass 3/1
ums0 at uhidev0: 3 buttons and Z dir.
wsmouse0 at ums0 mux 0

The only thing that looks remotely like a netgear wg311 is the;

    Texas Instruments ACX111 rev 0x00 at pci0 dev 12 function 0 not configured

when I try any ifconfig commands related to ath0 they fail, which seems obvious as the kernel has not picked up any ath devices. So, what's up with the WG311 or any ath based cards for the amd64 port ? In fact, according to the hardware support page there appears to be *no* ath support for amd64. Is this correct.

Brian.
Re: Load Balancing
So have him send the message pre-formatted to the list? HTML?

How about just draw the diagram using ports/graphics/dia/* and export to PNG, post the URL?

~BAS

On Fri, 2005-09-30 at 10:01, J.C. Roberts wrote:

On Fri, 30 Sep 2005 18:35:16 +0530, Manpreet Singh Nehra [EMAIL PROTECTED] wrote:

[ASCII network diagram; layout lost. Labels, in order: DHCP 172.31.1.1 rl0, OpenBSD, DHCP 172.31.2.1 rl1, 192.168.1.0/24, 192.168.1.3 rl4, DHCP 172.31.3.1 rl2, Firewall, DHCP 172.31.4.1 rl3]

I suggest you learn to use a fixed pitch font for email, particularly for ascii-drawings, rather than forcing everyone to play a pointless game of guess the magic font so they can read your post.

JCR
Re: ntop
What platform are you on? Are you compiling it from source? It works just fine in 3.7/i386. Just:

    bash-3.00# cd /usr/ports/net/ntop && make install clean

If you insist on source, try looking at /usr/ports/net/ntop/patches/*

Try reading about Ports in the FAQ.

~BAS

On Thu, 2005-09-29 at 12:43, B4nsh33 wrote:

Hi, im trying to install ntop 3.1 on openbsd 3.7, it doesn't compile, reading the archives i learned its an unsupported application. Is there any workaround o should i look for another package?, i really like the ntop's full feature set and i would prefer use it.

---
thanks
ath hostap and carp ?
Hello all, can anyone tell me if running 'ath' based cards in hostap mode is reliable and stable ? I'm deciding whether to get a linksys wrt54g or to throw an ath based card in my firewall and run it as the AP. Also, does anyone know if I can run carp on wireless cards ? Specifically, I currently have a carp based firewall setup and I was wondering if running both of these as AP could give me AP failover ? Thanks, Brian.
Re: CARP/PFSYNC over USB is possible?
On Mon, 29 Aug 2005, Vinicius Pavanelli Vianna wrote:

I'm currently using an OpenBSD 3.7 as a firewall for my network, since this machines is a 1U rack I can't add an extra ethernet card to it, so I was looking for an alternative solution to use redundancy, since there are plenty of usb ports free can i use an usb-to-usb link over two

No one ever answered you, but I'm assuming that you discovered:

    $ apropos usb|grep -i ether
    aue (4) - ADMtek AN986 / ADM8511 Pegasus family USB Ethernet driver
    axe (4) - ASIX Electronics AX88172 USB Ethernet driver
    cdce (4) - USB Communication Device Class Ethernet driver
    cue (4) - CATC USB-EL1201A USB Ethernet driver
    kue (4) - Kawasaki LSI KL5KUSB101B USB Ethernet driver
    udav (4) - Davicom DM9601 USB Ethernet driver
    url (4) - Realtek RTL8150L USB Ethernet driver

~BAS
Re: 3.8 beta requests
I am not sure if this is related. But when I code assembly to pass a double precision floating point value (%xmm0) to printf, my program will crash without a stack frame. I am fine for passing strings and integers. Here's the simple code:

    .section .data
    str:
        .string "%f\n"
    test:
        .float 2.5

    .section .text
    .extern printf
    .global main
    main:
        push %rbp               # set-up stack frame
        movq %rsp, %rbp         # will fault without this
        movl $str, %edi
        movl $test, %eax
        cvtss2sd (%rax), %xmm0
        movq $1, %rax
        call printf
        movq $1, %rax
        xorq %rdi, %rdi
        syscall

If I remove the stack frame, this code will fault every time. Now, according to the amd64 ABI, I shouldn't need a stack frame. Now, gcc compiles with stack frames, but this does appear to be a memory bug. I'm just not sure where to go next to research this further.

Here's my dmesg:
Re: Text editor
If you install the port vim, it comes with vimtutor. You just type: $ /usr/local/bin/vimtutor And the tutor is pretty good. It helped me out. Brian Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs
Re: IPSec Routing / Multiple Subnets / GRE Revisited
On Sat, 23 Jul 2005, Hans-Joerg Hoexer wrote:

Hi,

On Fri, Jul 22, 2005 at 06:43:34PM -0400, Brian A. Seklecki wrote:

The URL: http://digitalfreaks.org/~lavalamp/openbsd_ipsec_generic.png Outlines the generic cookie-cutter configuration from vpn(8) with addressing changes. A couple of comments on that document: [...]

yes, please.

For the record, before I submit this PR, here is the generic isakmpd.conf from my lab:

---
[General]
Listen-on= 192.168.100.2
Default-Phase-1-Lifetime= 600,60:900
Default-Phase-2-Lifetime= 300,60:900

[Phase 1]
192.168.100.1= ISAKMP-peer-Concentrator

[Phase 2]
Connections=IPsec-PghToConcentrator

[ISAKMP-peer-Concentrator]
Phase= 1
Transport= udp
Address=192.168.100.1
Configuration= Default-main-mode
Authentication= lies

[IPsec-PghToConcentrator]
Phase= 2
ISAKMP-peer=ISAKMP-peer-Concentrator
Configuration= Default-quick-mode
Local-ID= Net-Pgh
Remote-ID= Net-Concentrator

[Net-Pgh]
ID-type=IPV4_ADDR
Address=192.168.100.2
Protocol= 47

[Net-Concentrator]
ID-type=IPV4_ADDR
Address=192.168.100.1
Protocol= 47

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-TRP-3DES-MD5-SUITE
--

The other side is understandably opposite in respective places.
I create my tunnels:

# ifconfig gre0 create
# ifconfig gre0 192.168.200.2 192.168.200.1 netmask 0x link0 up
# ifconfig gre0 tunnel 192.168.100.2 192.168.100.1

---
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.100.1/32   0     192.168.100.2/32   0     47     192.168.100.1/50/use/in
192.168.100.2/32   0     192.168.100.1/32   0     47     192.168.100.1/50/require/out

When I start isakmpd(8), I can use tcpdump(8) to see that the only traffic between 192.168.100.2 and 192.168.100.1 that is encrypted (seen via enc0) is GRE encapsulated traffic: At that point in time
Re: ntpq -p equiv with openNTP?
stan wrote:

Is there a way to do something like ntpq -p with OpenBSD's OpenNTPD? I really just want a quick way to assure myself that a given machine is in synch.

No, but you can send us some code

Only joking ;-) I'd like that option also.
Re: Speed isn't everything, luckily for OpenBSD.
--- MikeM [EMAIL PROTECTED] wrote: On 7/22/2005 at 9:10 PM Nick Holland wrote: | There is just *no* way to explain just how wacked Linux looks to | someone who is having to go from OpenBSD to Linux for some stuff | at work. Wow. | You'd swear it was written by an unorganized mob with no central | control or plan at all. Oh, wait... = Software tends to take on the architecture of the organization that created it. Fortunately, the group here stands fast and creates good stuff. You have to respect a group that will tell you straight out that you are making mistakes. I actually solved my little assembly problem thanks to the approach the developers take here. Brian
IPSec Routing / Multiple Subnets / GRE Revisited
The URL:

http://digitalfreaks.org/~lavalamp/openbsd_ipsec_generic.png

Outlines the generic cookie-cutter configuration from vpn(8) with addressing changes. A couple of comments on that document:

*) The output of 'netstat -rn -f encap' should probably be included at the end.

*) ...possibly in combination with mentioning enc(4) and some example output of 'tcpdump -n -i enc0' watching ping(8) traffic. I can submit patches if needed.

*) One thing that is not obvious is the nature of the routing behavior. Similar to Cisco ACLs, the isakmpd(8) Remote-ID and Local-ID definitions designate traffic to encrypt, but they're also used as one of many factors in choosing a proposal.

*) Hosts on 192.168.0.0/24 can reach hosts in 192.168.10.0/24 vice-versa, Hosts on 192.168.1.0/24 can reach hosts in 192.168.10.0/24 vice-versa.

*) Neither router/vpn termination point can communicate with the remote subnet via the tunnel unless the application specifically binds to the Inet address on the Lan0 side of the host. For example:

# ping -I [Lan0] [Remote Lan0]
# traceroute -s [Lan0] [Remote Lan0]

... thereby creating traffic with an IP Source Address that matches the ACL. This caveat is not at all obvious and probably should be explicitly pointed out in vpn(8) or elsewhere.

Another Hypothetical Situation (Routing/Subnets/GRE)

http://digitalfreaks.org/~lavalamp/openbsd_ipsec_sit1.png
http://digitalfreaks.org/~lavalamp/openbsd_ipsec_sit2.png

Let's say Facility 2 as depicted assumes the role of a VPN Concentrator, i.e.:

*) A second subnet is added to Facility 1's Lan1 Interface

*) A 2nd remote facility's VPN, Facility 3, becomes terminated here.

*) A tunnel between Facilities 1 and 3 is not available.

*) Because of the poor addressing scheme used in such a network, the two /24s located at Location 1 cannot both be visible via the Tunnel between Location 2 and Location 1 because *only one subnet* per Phase1/Phase2 connection, can be specified in the Remote-ID/Local-ID.

*) Of course, if 192.168.0.0/24 and 192.168.0.1/24 were located at Site 1 and 192.168.2.0/24 was located at Site 3, an IPV4_ADDR_SUBNET with a Subnet=255.255.254.0 could simply be used to specify the aggregate of two /24s (a /23)

*) Per Andre Ruppert [EMAIL PROTECTED]:

http://www.monkey.org/openbsd/archive/misc/0302/msg01895.html

...a work-around to this would be a separate Phase 1 and Phase 2 connection must be built between Location 1 and Location 2 for every Discontinuous subnet, which does not scale well.

*) Although the remote networks of each tunnel are known via 'netstat -rn -f encap' on each machine, authentic routes do not exist in route(8) print output; -- possibly because instead of a route being associated with an Interface or a Next-Hop gateway, they are known via an SA?

*) Therefore, it is not possible to add static routes that reference the tunnel. Example, if Location 2 were to try to add a route to 192.168.2.0/24 via 192.168.0.1 (a Lan0 interface in Location 1, which is reachable via the Tunnel / SA, and would be happy to forward traffic to 192.168.2.0/24), the route add would fail:

# route add -net 192.168.2.0 192.168.0.1 255.255.255.0
route: writing to routing socket: Network is unreachable
add net 192.168.2.0: gateway 192.168.0.1: Network is unreachable

...which makes sense because the routing process would traditionally need to know a directly connected interface with an address in a subnet to forward to, in this case, no interface exists. Additionally, even if there was a static route, the source-address of packets from subnet 192.168.2.0/24 would not match the SA's ACL and would be dropped anyway.

*) This presents a dilemma. Location 2 cannot act in the capacity of a VPN Concentrator if it cannot advertise routes into a larger network environment because any number of subnets could exist at any location which may want to access resources at any other location. The source and destination addresses vary greatly, but if my understanding is correct, only one subnet can be specified per tunnel using ISAKMPD in OpenBSD

*) One cheap hack would be to use NAT to change up the source addresses, but then pf(4) ACLs become harder to control access.

*) In a Cisco IOS environment, IP extended ACLs are used to designate crypto maps of interesting traffic. The syntax is comparable in flexibility to pf.conf(5) and any number of source/destinations can be included flagged per tunnel.

*) Another option would be to change from TUNNEL mode to TRANSPORT mode in Quick mode transforms/suites and then create GRE tunnels between all of the routers. The Remote/Local-ID Definition could specifically designate IP Protocol 47 (GRE) for encryption:

[machineB-to-machineA]
ID-type=IPV4_ADDR
Address=10.0.99.0
Protocol= 47

This configuration works well under
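The selector behaviour described in this post and in the "Re: IPSec Routing / Multiple Subnets / GRE Revisited" reply above, as an added example that is not part of either original message: a simplified model of how a flow entry (source network, destination network, protocol), like those listed by 'netstat -rn -f encap', decides whether a packet is handed to IPsec. The function names and the WAN address 203.0.113.1 are hypothetical; the LAN subnets and the GRE endpoints are the ones used in the posts.

```python
import ipaddress
from dataclasses import dataclass

ANY = 0     # protocol 0 in a flow entry means "any protocol"
ICMP = 1
GRE = 47


@dataclass(frozen=True)
class Flow:
    """One encap flow: what Local-ID/Remote-ID (plus Protocol=) turn into."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int = ANY

    def matches(self, src, dst, proto):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (ANY, proto))


def flow(src, dst, proto=ANY):
    return Flow(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto)


def is_protected(flows, src, dst, proto):
    """True if any flow selects the packet, i.e. it would go through the SA."""
    return any(f.matches(src, dst, proto) for f in flows)


def aggregate(subnets):
    """Return the one prefix covering exactly these subnets, or None.

    A single Local-ID/Remote-ID can describe several subnets only when they
    collapse into one prefix (two adjacent /24s into a /23, for instance).
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed[0] if len(collapsed) == 1 else None


# Tunnel mode, LAN to LAN (subnets from the post).
TUNNEL_FLOWS = [flow("192.168.0.0/24", "192.168.10.0/24")]

# Transport mode, GRE only, between the two gateways (from the lab reply).
GRE_FLOWS = [flow("192.168.100.2/32", "192.168.100.1/32", GRE)]

if __name__ == "__main__":
    cases = [
        ("LAN host to remote LAN", TUNNEL_FLOWS, "192.168.0.25", "192.168.10.7", ICMP),
        # Hypothetical WAN address: what the gateway uses as source by default.
        ("gateway, default source", TUNNEL_FLOWS, "203.0.113.1", "192.168.10.7", ICMP),
        ("gateway, ping -I Lan0", TUNNEL_FLOWS, "192.168.0.1", "192.168.10.7", ICMP),
        ("third subnet behind site 1", TUNNEL_FLOWS, "192.168.2.9", "192.168.10.7", ICMP),
        ("GRE between gateways", GRE_FLOWS, "192.168.100.2", "192.168.100.1", GRE),
        ("ICMP between gateways", GRE_FLOWS, "192.168.100.2", "192.168.100.1", ICMP),
    ]
    for label, flows, src, dst, proto in cases:
        verdict = "encrypted" if is_protected(flows, src, dst, proto) else "not selected"
        print(f"{label:28} {src} -> {dst} proto {proto}: {verdict}")
    print("0.0/24 + 1.0/24 ->", aggregate(["192.168.0.0/24", "192.168.1.0/24"]))
    print("0.0/24 + 2.0/24 ->", aggregate(["192.168.0.0/24", "192.168.2.0/24"]))
```

With the GRE flow, everything routed into gre0 is selected regardless of its inner addresses, which is why the transport-mode variant sidesteps the one-subnet-per-connection limit.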
Re: Still stuck with this assembly stuff (amd64)
Thanks. I just wasn't sure if my problem was an openBSD problem or an assembly problem. It's definitely the latter. And I just found the amd64 ABI, which is making the problems clear for me. Pushing those args on the stack is definitely wrong.

Anyway, I appreciate the feedback. And thanks Art for pointing out that the assembly was wrong. That put me on the right track to finding a solution. The recent threads about the notes section just confused me and put me down the wrong track.

Thanks, Brian

--- STeve Andre' [EMAIL PROTECTED] wrote:

Brian, it's always a good idea to learn stuff, but this isn't the right place to talk about assembly problems. One of the newsgroups devoted to programming would be a far better source, or one of the many web forums out there.

As someone said, compiling programs and looking at the code is a great way of seeing how things are done. That's one of the ways I learned, quite some time ago with Digital Research C, an awful compiler that gave me lots of pain...

The other thing you might want to think about is getting experience on a simpler cpu, perhaps the z80. There are tons and tons of documents on it, and I'm pretty sure that you could write stuff and then run it on an emulator, faster than the hardware I had, back when I used them.

At any rate, misc@ isn't the best place for your questions. I'm sure there are some assembler freaks out there who would just love to talk with you and help out.

--STeve Andre'
(g)as on amd64
Is there anything special I need to do for assembly on amd64? I am having trouble with the following code:

        .data
msg:    .ascii "Hello\n"
len = . - msg

        .text
        .global _start
_syscall:
        int $0x80
        ret
_start:
        xor %rax, %rax
        cdq
        push $len
        push $msg
        push $1
        movb $4,%al
        call _syscall
        push $0
        movb $1,%al
        call _syscall

Here is how I am attempting to assemble the above:

as -o test1.o test1.s
ld -e _start -o test1 test1.o

I tried elf2olf -o openbsd test1, but I receive this error: elf2olf: test1: Exec format error.

Is there something that I am missing that I need to do on amd64?

Thanks, Brian

Note: NASM is not an option since it's not available on amd64; there isn't a port of YASM available yet. And I ran into problems trying to compile the YASM's source.
Still stuck with this assembly stuff (amd64)
links or man pages to read would be helpful? I have all ready info as, and it's pretty old, but it's still useful. When I type in test1, the program appears to just exit, but nothing is printed to STDOUT. Thanks, Brian
Re: sniffer
Hannah Schroeter wrote:

Hello!

On Tue, Jul 19, 2005 at 05:20:43PM +0300, [EMAIL PROTECTED] wrote:

I need to sniff a network segment and I need to sniff both headers and data. Because tcpdump captures only headers it's unsuitable for the task.

No. Read the manpage, look for the option -s. [...]

Kind regards, Hannah.

Yep -s0 is definitely the tool to see data.

Brian
Re: OpenBSD 3.7 + Bridge Wireless (Orinoco)
Roberto Gonzalez Azevedo wrote:

Hello everybody... I have a little problem to solve here and I hope that you can help me. I wanna do a 'wireless bridge' : rl0 -- wi0 But it's not working. I'm trying to use PPPoE in this bridge, but the PADI is not passing over wi0 ...

Thanks ...
Roberto Gonzalez Azevedo
Brazil

Can you show the current pf.conf (pf settings) you have so far?
RAID-1 Root + boot(8) on i386/amd64
Please confirm that the following are applicable:

* boot(8), biosboot(8), installboot(8), boot_i386(8) lack any support for booting off RAIDFrame volumes (a 13 line patch 22 months ago fixed this on the "other side of the isle"(r)).

* No support is planned

* raid(4) is no longer aggressively maintained and has been relegated to some reduced status based on the lack of commits to src/sys/dev/raidframe or possibly general lack of interest

I ask because RAIDFrame software RAID is still a very attractive option to "workgroup" and "entry level" class servers; especially RAID-1 Root.

However, the requirement of having a ~15 megabyte UFS partition (say, /antiraid) on both mirror components is cumbersome.

Firstly, the partition exists only to contain two files: /boot and /bsd. Secondly, that creates administrative overhead and the possibility that each partition could become desynchronized during an upgrade.

Another potential problem occurs in fstab(5). /antiraid *has* to be mounted in order to provide a sym/hard link from /antiraid/bsd to /bsd (yet another very bad idea, but less of a bad idea then having a 3rd copy of bsd laying around).

In a generic RAID-1 mirror between two wd(4) disks, since /antiraid resides on either /dev/{r,}wd0a or /dev/{r,}wd1a, the admin must arbitrarily choose which to reference in the shared /etc/fstab.

In the event of a component failure (reboot incurred here, possibly failing to probe at the next boot, possibly not, but let's be pessimistic), you have a 50% chance that rc(8) could fail to ever reach multi-user mode because fsck can't access /antiraid, which effectively defeats the purpose of raid(4) adding redundancy to the system.

TIA,
~BAS
Re: HP ProLiant DL140 serial consola installation
The same behavior happens on Dell's serial console redirection. It happens when you boot FreeBSD too. As soon as the kernel starts outputting ANSI characters it goes dead. Dell lets you toggle between VT100/220 mode and ANSI mode, but it's unaffected. The kernel output just kills it.

Dell has an option "Continue after OS Load". The trick is disable that boolean and make a custom boot/install CD with an etc/boot.conf that redirects.

You'd think that between the collective minds at HP and Dell, they'd have licensed Real Weasel / PC Weasel technology.

Till the list archives for details.

~BAS

On Thu, 2005-06-30 at 20:49, Michael Favinsky wrote:

I have some DL140's running OpenBSD. The BIOS redirection stops working when OpenBSD starts booting. Kinda sucks since you can't see the boot sequence or go into the BIOS setup from a serial console. Disable the BIOS console redirection and set OpenBSD to redirect the console to com0.

-Original Message-
From: Martin Bruns [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 29, 2005 8:55 AM
To: [EMAIL PROTECTED]; misc@openbsd.org
Subject: Re: HP ProLiant DL140 serial consola installation

[EMAIL PROTECTED] wrote:

Martin Bruns wrote:

Hi Marc, that was what I have done initially but then I fall back to 9600 but also there I did not get anything on the console after 'set tty com0'. To make it clear I can not use the serial nor the keyboard/monitor after that command.

Maybe your serial link is not in order. Set the baudrate to 9600, so you are sure what parameters to set.

I already check that :-(

For a first try, disable the serial console feature in the BIOS (not in OpenBSD). Some times the serial BIOS console and the serial OpenBSD console interfere. In that case you would have the BIOS console on com0 and the OpenBSD console on com1.

Good point. I just cross checked it. I disabled the serial BIOS and also tried with enabled serial BIOS but with different redirection during/after POST and BOOTLOADER. But none is working.
This server has only one serial port so there is no com1 :-( Keep trying Martin
[Fwd: Re: spamd and comcast]
In response to the how would it increase cost question, anytime a provider has to deal with more spam it costs more money, additional manpower to process abuse complaints, additional bandwidth, server space etc. Brian
Snapshot from 03/June : spamd working ?
Hello all,

Not sure if I'm missing something here with spamd so I thought I'd ask the experts. I have it setup with the default config file (snipped) ;

[fw1]# cat /etc/spamd.conf
all:\
        :spamhaus:china:korea:

# Mirrored from http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2
spamhaus:\
        :black:\
        :msg="SPAM. Your address %A is in the Spamhaus Block List\n\
        See http://www.spamhaus.org/sbl and\
        http://www.abuse.net/sbl.phtml?IP=%A for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/SBL.cidr.gz:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
        :black:\
        :msg="SPAM. Your address %A is in the spews level 1 database\n\
        See http://www.spews.org/ask.cgi?x=%A for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
        :black:\
        :msg="SPAM. Your address %A is in the spews level 2 database\n\
        See http://www.spews.org/ask.cgi?x=%A for more details":\
        :method=http:\
        :file=www.openbsd.org/spamd/spews_list_level2.txt.gz:

and the relevant processes are running;

[firewall]# ps wax
  PID TT   STAT   TIME    COMMAND
26310 ??   Is     0:00.01 ntpd: [priv] (ntpd)
26951 ??   Is     0:00.01 inetd
19580 ??   Is     0:00.18 /usr/sbin/sshd
26828 ??   Is     0:00.08 /usr/libexec/spamd
16673 ??   Is     0:00.20 sendmail: accepting connections (sendmail)

I have the cron job enabled for root;

[fw1]# crontab -l | grep spam
0 * * * * /usr/libexec/spamd-setup

I also have the relevant pf rule in place;

[firewall]# pfctl -vsn
rdr inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 104628  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 25445 ]

and as you can see not one hit from a known spammer !
I run Mailscanner on my mailserver behind the openbsd box and he is still constantly rejecting mail from known spammers - this is part of my sendmail.mc file;

FEATURE(`dnsbl',`relays.ordb.org', `Rejected - see http://ordb.org/')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
FEATURE(`dnsbl',`list.dsbl.org',`554 Rejected - see http://dsbl.org/')dnl
FEATURE(`dnsbl',`smtp.dnsbl.sorbs.net',`554 Rejected ${client_addr} found in smtp.dnsbl.sorbs.net')dnl
FEATURE(`dnsbl',`opm.blitzed.org',`554 Rejected ${client_addr} found in opm.blitzed.org')dnl
FEATURE(`dnsbl',`dul.dnsbl.sorbs.net',`554 Rejected ${client_addr} found in dul.dnsbl.sorbs.net')dnl
FEATURE(`dnsbl',`cbl.abuseat.org',`554 Rejected ${client_addr} found in cbl.abuseat.org')dnl

and, finally, some log entries;

Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, arg1=[210.213.176.247], arg2=127.0.0.4, relay=210.213.176.247.pldt.net [210.213.176.247] (may be forged), reject= 553 5.3.0 Rejected - see http://spamhaus.org/
Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], reject=553 5.3.0 Rejected - see http://spamhaus.org/

So given that both spamd and sendmail are configured to talk to spamhaus, why is openbsd 3.7 spamd not blocking connections from these guys ?

Thanks for reading this

Oh, here's my dmesg..
Re: Snapshot from 03/June : spamd working ?
Otto Moerbeek wrote:

On Fri, 17 Jun 2005, Brian McKerr wrote:

I also have the relevant pf rule in place;

[firewall]# pfctl -vsn
rdr inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 104628  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 25445 ]

i'm missing a pass here.

-Otto

You mean a basic SMTP pass in ? This has been allowing mail to the mailserver for years, it's only this week that I tried the Spamd thingo

pfctl -sr | grep -i smtp
pass in log quick on fxp0 proto tcp from any to any port = smtp flags S/SA modulate state queue(q_def, q_pri)

cheers, Brian.
Re: Snapshot from 03/June : spamd working ?
Otto Moerbeek wrote: On Fri, 17 Jun 2005, Brian McKerr wrote: You mean a basic SMTP pass in ? This has been allowing mail to the mailserver for years, its only this week that I tried the Spamd thingo pfctl -sr | grep -i smtp pass in log quick on fxp0 proto tcp from any to any port = smtp flags S/SA modulate state queue(q_def, q_pri) that seems to be OK. What does pfctl -t spamd -T show show? -Otto Here is the tail of it;
Re: Snapshot from 03/June : spamd working ?
Steve Tornio wrote:

FEATURE(`dnsbl',`relays.ordb.org', `Rejected - see http://ordb.org/')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl

Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, arg1=[210.213.176.247], arg2=127.0.0.4, relay=210.213.176.247.pldt.net [210.213.176.247] (may be forged), reject= 553 5.3.0 Rejected - see http://spamhaus.org/
Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], reject=553 5.3.0 Rejected - see http://spamhaus.org/

So given that both spamd and sendmail are configured to talk to spamhaus, why is openbsd 3.7 spamd not blocking connections from these guys ?

Because those addresses are in the XBL, not the SBL. The XBL is populated by entries from the CBL, which are added when virus-like or worm-like behavior is detected, and entries are removed at the first request. Doesn't really make a whole lot of sense to try to create a static list for it, when the SBL list is only updated twice a day anyway. Of course, you could just go to www.spamhaus.org and read up on how it works.

Steve

Thanks for the tip Steve, I've just read up on it.. and it seems to suggest that using sbl+xbl is a good thing. What exactly is spamd going to catch then ?
Re: Snapshot from 03/June : spamd working ?
Steve Tornio wrote:

Because those addresses are in the XBL, not the SBL. The XBL is populated by entries from the CBL, which are added when virus-like or worm-like behavior is detected, and entries are removed at the first request. Doesn't really make a whole lot of sense to try to create a static list for it, when the SBL list is only updated twice a day anyway. Of course, you could just go to www.spamhaus.org and read up on how it works.

Steve

Thanks for the tip Steve, I've just read up on it.. and it seems to suggest that using sbl+xbl is a good thing. What exactly is spamd going to catch then ?

spamd will tarpit entries in the SBL, which are (supposed to be) actual spamming operations. The idea behind spamd is to waste the time and resources of spam operations, not simply to reject their mail. If you're only looking to reject mail, then don't use spamd.

I do understand what spamd is trying to achieve. I want both .. to waste their time and resources and block their email as I'm sure everyone does !. Which is what should happen according to my interpretation of spamd and its standard implementation. To my knowledge, there does not appear to be anywhere in the spamd documentation that says something like (sarcastic voice) after delaying the spammer and using up their time and resources, allow their connection through to your mailserver so they can deliver their spam !

Thanks for your help Steve, I think Otto is looking at the *real* problem.

Brian.
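The SBL/XBL distinction from this thread, as an added example that is not part of the original messages: it reads sendmail check_relay rejections, maps the DNSBL answer in arg2 to a list, and checks whether the client address is covered by a static spamd table such as the output of 'pfctl -t spamd -T show'. The two XBL log lines are the ones posted in the thread; the third log line, the table entries and all function names are constructed, and the return-code mapping (127.0.0.2 for SBL, 127.0.0.4 to 127.0.0.7 for XBL) is taken from Spamhaus's published codes, not from the page.

```python
import ipaddress
import re

# DNSBL answers of the combined sbl-xbl zone (assumption: Spamhaus's
# published return codes; the thread itself does not list them).
RETURN_CODES = {"127.0.0.2": "SBL"}
RETURN_CODES.update({f"127.0.0.{n}": "XBL" for n in range(4, 8)})

CHECK_RELAY = re.compile(
    r"ruleset=check_relay, arg1=\[?([0-9.]+)\]?, arg2=(127\.0\.0\.\d+)")

# Constructed stand-in for a static blacklist table loaded by spamd-setup.
SAMPLE_TABLE = """\
198.51.100.0/24
203.0.113.7
"""

SAMPLE_LOG = [
    # The two rejections posted in the thread.
    "Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, "
    "arg1=[210.213.176.247], arg2=127.0.0.4, "
    "relay=210.213.176.247.pldt.net [210.213.176.247] (may be forged), "
    "reject= 553 5.3.0 Rejected - see http://spamhaus.org/",
    "Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, "
    "arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], "
    "reject=553 5.3.0 Rejected - see http://spamhaus.org/",
    # Constructed line: an address that is SBL-listed and in the table.
    "Jun 17 21:02:10 inetmail sendmail[13402]: ruleset=check_relay, "
    "arg1=[198.51.100.23], arg2=127.0.0.2, relay=[198.51.100.23], "
    "reject=553 5.3.0 Rejected - see http://spamhaus.org/",
]


def parse_table(text):
    """Parse one address or CIDR block per line into network objects."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def classify(log_lines, table):
    """Return (client_ip, list_name, in_static_table) per rejection."""
    results = []
    for line in log_lines:
        m = CHECK_RELAY.search(line)
        if not m:
            continue  # not a DNSBL rejection
        ip, code = m.groups()
        listed_in = RETURN_CODES.get(code, "unknown")
        in_table = any(ipaddress.ip_address(ip) in net for net in table)
        results.append((ip, listed_in, in_table))
    return results


def missed_by_static_list(results):
    """Addresses the DNSBL rejected that the static table does not cover."""
    return [ip for ip, _, in_table in results if not in_table]


if __name__ == "__main__":
    for ip, listed_in, in_table in classify(SAMPLE_LOG, parse_table(SAMPLE_TABLE)):
        where = "in static table" if in_table else "NOT in static table"
        print(f"{ip:16} {listed_in:4} {where}")
```

Both addresses from the thread come back with 127.0.0.4 and are absent from an SBL-derived table, so the rdr rule for the spamd table never matches them and they reach sendmail, where the live DNSBL lookup rejects them.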
Re: Theo gave an interview to Forbes Mag. about Linux
I thought the interview was good. It just didn't read like an interview like the one linked to from undeadly. I used linux a year before moving over to openBSD, and the two are night and day. openBSD is well organized with very good code. linux is a disaster to navigate (horrible man pages and docs), install (it's pretty looking, but you have no clue what is going on behind the scenes), too many distros (which one is good?), and work with (do you YUM, RPMs, etc to upgrade?). And I like the fact that Theo will tell you straight out if you are doing something stupid. The developers here are honest and will tell you when something isn't worth your time. Anyway, cheers for being honest and straight forward. Brian --- J. Lievisse Adriaanse [EMAIL PROTECTED] wrote: Theo gave an interview to Forbes Magazine, in which he stated: It's terrible, De Raadt says. Everyone is using it, and they don't realize how bad it is. And the Linux people will just stick with it and add to it rather than stepping back and saying, 'This is garbage and we should fix it.' Nice to read though as an ex-Linsux'er :) Jasper -- checking whether you're still watching...probaly not :-) /usr/ports/x11/wmx configure script.
Re: speed of mac mini
I haven't set X up yet, but I finally got 3.7 installed on the Mac mini without issue. I was using MBR for the disk instead of HFS, and there's an issue with the disklabel initial setup. The fix is outlined in this message: http://www.monkey.org/openbsd/archive/misc/0309/msg01319.html and I'll submit a more thorough bug report when I get a chance to write it. So far the mini seems quite fast to me, I doubt you'll have any issues. - brian Hello list, I will only do normal things: - some coding -- emacs/terminals/ddd - read www.openbsd.org -- firefox/dillo - read mails of misc@openbsd.org -- thunderbird - write some letters, do some calculations -- abiword/gnumeric - some statistics -- gnuplot - audio/video playing -- xmms/mplayer all with gnome or windowmaker. That's all. Bye Thorsten LiteStar numnums wrote: G'day, A friend of mine uses the mini for all of his foto processing with Photoshop and the like, whilst Illustrator and Safari are running. It seems fast enough. I've no idea what you want to really do with it (if it has a hard time with gnome/kde, that would be really bad, eh?), but for his needs it's fine. Cheers! On 6/16/05, Thorsten Johannvorderbrueggen [EMAIL PROTECTED] wrote: Hello list, I think of buying a mac mini, but I don't know if a mac mini is fast enough. So I ask you: does anyone use a mac mini with gnome/kde or so? At the moment I have a dual-P3 and it's fast enough. Any comments, suggestions? Bye Thorsten
3.7 mac install problem
I'm trying to install 3.7 on my Mac Mini, and I'm having an issue with the MSDOS boot partition that the ofwboot file is supposed to be copied to. I'm using MBR for my disk, and the official CD release. Specifically, when I go through the install process, I get the message that the i partition is created and that I must leave it available for OpenBSD. All seems good, I create my partitions, not creating an i partition and also not using any offset before 3024. However, at the end of the install, when the installer calls mount_msdos to try and copy the ofwboot file over, I get this message: Copying 'ofwboot' to the boot partition (wd0i)...mount_msdos: /dev/wd0i on /mnt2: Device not configured FAILED. I am then unable to boot from wd0. I've Googled, read the INSTALL.macppc doc, and still have been unable to get this to work. All help is much appreciated, - brian
pf and rdr pass nat
The man page says; If the pass modifier is given, packets matching the translation rule are passed without inspecting the filter rules: I like this as it will reduce the size of my rules file, however, how can I rdr pass and have it honour (for want of a better word) altq ? Cheers, Brian.
Sun Netra T1 105
I am thinking of getting one (or two) of these for my new firewall, just curious if anyone has any opinions on its suitability in such a role. Spec as follows: 64bit 360mhz CPU (IIi), 128mb RAM, 1 x 18gb 10krpm, 2 x integrated NIC, 1x PCI (which I intend to put a dual port compaq/intel NIC in). Basically, I have a low traffic mail and web server behind this firewall; it also is my OpenVPN server for one VPN. I have around 90 pf rules. I may even chuck a squid cache on it given it's got heaps of free disk. Lastly, does anyone know if these have a 40 pin IDE connector for the optional CDROM and if so do you reckon it would be able to boot from a compact flash ? Cheers in advance. Brian.
ifnet (frequency of updates)
I am stuck trying to find a piece of kernel code. I am trying to find the kernel function(s) that update the ifnet structure post the initial boot sequence. I found the initial setup in /usr/src/sys/kern/init_main.c, and I have been reviewing /usr/src/sys/net/if.c. At this point, I am not concerned with userland apps that update ifnet. I am probably overlooking something. Any man page read suggestions or other source files to look in? What I am trying to do is figure out a way to capture the ifnet structure members atomically (I'm experimenting.) In if.c, the network hardware devices are blocked (with splnet()) when ifnet is updated or member is deleted from the list. I do not know if it makes sense to block the device while walking the list and copying it in userland. Any suggestions are appreciated. I am new to this, so it's taking a long time. Thanks, Brian
Re: 3.7 is released!
On Fri, 20 May 2005, Steve Loranz wrote: I'm confused. The site says 3.7 was released yesterday just like Theo's mail says. So, what is the CD claiming to be 3.7 that arrived at my door at the end of April? -steve I heard that was a benefit given to folks who actually PAID for the OS. Brian The path to a desirable destination is often more difficult than the path to stay where you are.
dns
I see now there's a patch, apologies for not checking errata first. Brian The path to a desirable destination is often more difficult than the path to stay where you are.
Re: 3.6 caching resolver
Rod.. Whitworth wrote: On Thu, 5 May 2005 10:31:56 -0700 (PDT), Brian W. wrote: Anyone else notice this performing slowly. I did a tcpdump and it appears localhost gets queried 2-3 times before a packet goes out. I see quite a few delays and some failures to resolve that work with one or two retries. I am using the default config file. It is a bit annoying for me but I know to retry. The windows only users on the LAN get a bit testy about server not responding messages (or whatever it says) from their browsers From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server. I did the 3.6 patch, that helped a little but it's still pokey. It's a p2-350 with 128 megs. I'll have to do some comparison testing, either Freebsd on this hardware, or openbsd on a 1.2G p3. Brian