Re: Tape drive DLT VS160

2006-04-24 Thread Brian A. Seklecki

On Mon, 24 Apr 2006, Planck wrote:


Hello.
I have a tape drive, a Quantum DLT VS160 (part of dmesg below), connected to
an Adaptec AHA-2940. Everything works fine, but I don't know how to enable
hardware compression on that drive. There aren't any jumpers on the
enclosure, and mt(1) or st(4) don't say anything about that.



Yeah, it would normally be mt comp on or mt compress on.

~BAS



Re: 3.7: weird IP address problem

2006-04-24 Thread Brian A. Seklecki

On Mon, 24 Apr 2006, Toni Mueller wrote:


Hello,

I have a box that once had two IP addresses on one interface. I
deconfigured one of them using ifconfig -alias.

Now, when I want to use any (?) program on that box to go over this
interface, it wants to use the address which is no longer present. I
double-checked to ensure that there is no NAT in the way, and also used


Also, is it still ARPing for the old address? (tcpdump(8) will show.)

~BAS



Alter root FS device after boot?

2006-04-24 Thread Brian A. Seklecki

All:

Would it be hypothetically possible to change the device mounted as (/)
after the system has booted (possibly during the bootstrapping phase)?


This would of course override the checks in src/sys/kern/sys_vfs*.

~BAS



Re: OPENBSD_3_9 won't build

2006-04-22 Thread Brian
--- [EMAIL PROTECTED] wrote:

 Hello everybody.
 
 I installed the box booting from PXE and then with the latest snapshot. 
 After that I used:
 
 # export [EMAIL PROTECTED]:/cvs
 # cd /usr; cvs checkout -P -rOPENBSD_3_9 src
  

This is stable, not current.  You upgrade a snapshot with current; you don't
go backwards to stable.  The FAQ link I give below shows the progression; it's
in 5.3.2.  5.3.3 goes into a lot more depth, but below is a simple update of
the source tree.  This does not update X or ports though.

# cd /usr/src
# cvs -q up -Pd  -- to update your cvs to -current (after you have an initial 
 /usr/src tree)

It's better to download from the ftp sites the gzipped tree instead of cvs'ing
the whole thing.  The FAQ goes into detail about this.


 
 and then successfully installed new kernel with;
 
 # cd /usr/src/sys/arch/i386/conf
 # config GENERIC
 # cd ../compile/GENERIC
 # make depend
 # make
 # make install


To be safe, you want to:

# make clean && make depend && make

It's a good habit to make clean every time.
 
 And then rebooted PC. After that I tried to compile userland
 
 # rm -rf /usr/obj/
 # cd /usr/src
 # make obj
 # make build 
 

You skipped a step:

# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs

Please read this FAQ for details:

http://www.openbsd.org/faq/faq5.html#Bld

 But it won't compile. 

Of course it won't.
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Override errno EBUSY on rd(4) device after boot in mount(2)?

2006-04-21 Thread Brian A. Seklecki
Is there any way to override the flag on a device that prevents it from
being mounted twice?  MNT_FORCE isn't it.

I've got an embedded environment I'm setting up where I want to transfer
the root (/) file system from an rd(4) to an MFS.

To do this, I have to add some customizations to copy() in
sbin/newfs/newfs.c.  This is because as soon as I call mount_mfs(8)
from my RD's /etc/rc, all of / goes away, so I have to accomplish things
in C functions until I can get the previous (/) re-mounted as /rescue.

I can call mount(2) manually from newfs::copy(), but /dev/rd0a refuses
to unmount from its previous ubiquitous root_device.

Even if I explicitly mount /dev/rd0a as /, it refuses to dis-mount after
I mount a new memfs at /, even with MNT_FORCE to unmount(2).

Is it possible that rd(4)s simply can't be unmounted?  I'm assuming
they can be, and that unlike their MFS counterpart, their contents do
not reset (well, they would reset to whatever the contents of the RD
image in the kernel is, assuming changes had been made).

This is truly a chicken-and-egg scenario.  Any thoughts would be
appreciated.

~BAS



Re: Microsoft SP1 RPC traffic (Active Directory issues)

2006-04-20 Thread Brian A. Seklecki

On Thu, 20 Apr 2006, James Mackinnon wrote:


Good day everyone

Recently, I installed SP1 on some domain controllers and ran into an issue
where Microsoft changed RPC data with SP1, and firewalls such as Microsoft's own
ISA Server as well as Checkpoint have started to randomly block this data.



...look at the pflog(4), correlate hits with the source address of servers 
having problems with the blocks, generate a pf.conf(5) rule to match, and 
move on.


~BAS



Re: Panic: biodone already

2006-04-20 Thread Brian A. Seklecki

On Thu, 20 Apr 2006, Pedro Martelletto wrote:


The raid(4) codebase is old, unmaintained, and known to have issues.

That's one of the reasons it's not in the stock kernel.


Oh I thought the OpenBSD team was silently discouraging people from the 
practice of using software RAID. :}


That sounds like the service of a friend.

Focusing efforts on better universal hardware RAID management interface 
support.


~BAS



inet6(4)

2006-04-19 Thread Brian
I am working on some IPv4 & IPv6 interoperability stuff, and I hit a brick wall
trying to get an IPv6 UDP server to receive IPv4 packets.  It looks like that
piece was taken out per inet6(4):

OpenBSD does not route IPv4 traffic to an AF_INET6 socket.  The particular
behavior in RFC 2553 is intentionally omitted for security reasons
presented above.  If both IPv4 and IPv6 traffic need to be accepted, listen
to two sockets.

So if I want to add IPv6 functionality to an existing app, I would convert the
current IPv4 stuff to use getaddrinfo, and I would just open two sockets by
walking the linked list provided by getaddrinfo, right?  I wouldn't try to
receive IPv4 traffic on an IPv6 socket for OpenBSD.

Now, I have done a cursory review of docs via google for converting IPv4 apps
to IPv6, but I haven't looked at the security issues with coding for both. 
Besides searching securityfocus, is there another site I should be reading for
IPv6?  Is KAME still relevant to the OpenBSD implementation?

Cheers,

Brian
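Added example (my code, not from the post or from OpenBSD's source tree): a UDP echo service written the way the inet6(4) text above prescribes, walking the getaddrinfo(3) list, binding one socket per address family and polling both. The default port 7777 is an assumption; the rest is the standard sockets API.

```c
/* dualstack_udp.c: added example, not from the post or OpenBSD. One UDP
 * service on IPv4 and IPv6 via one socket per family, as inet6(4) requires. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_LISTENERS 8

/* Walk the getaddrinfo(3) list and bind one SOCK_DGRAM socket per address.
 * Returns how many sockets were bound (stored in fds), or -1 on lookup error. */
int open_listeners(const char *port, int *fds, int maxfds)
{
	struct addrinfo hints, *res, *ai;
	int n = 0, on = 1;
	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC;	/* both IPv4 and IPv6 entries */
	hints.ai_socktype = SOCK_DGRAM;
	hints.ai_flags = AI_PASSIVE;	/* wildcard addresses for a server */
	if (getaddrinfo(NULL, port, &hints, &res) != 0)
		return -1;
	for (ai = res; ai != NULL && n < maxfds; ai = ai->ai_next) {
		int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (fd < 0)
			continue;	/* e.g. EAFNOSUPPORT: this host has no IPv6 */
		/* OpenBSD never hands IPv4 datagrams to an AF_INET6 socket; IPV6_V6ONLY
		 * makes this code behave the same on systems that default to v4-mapped
		 * addresses, so address-based ACLs on each socket stay unambiguous. */
		if (ai->ai_family == AF_INET6)
			setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
		if (bind(fd, ai->ai_addr, ai->ai_addrlen) != 0) {
			close(fd);
			continue;
		}
		fds[n++] = fd;
	}
	freeaddrinfo(res);
	return n;
}

/* Bitmask of families actually bound on this host for `port`: 1 = IPv4,
 * 2 = IPv6, 0 if nothing could be bound. Port "0" takes an ephemeral port. */
int listener_family_mask(const char *port)
{
	int fds[MAX_LISTENERS], n, i, mask = 0;
	n = open_listeners(port, fds, MAX_LISTENERS);
	for (i = 0; i < n; i++) {
		struct sockaddr_storage ss;
		socklen_t len = sizeof ss;
		if (getsockname(fds[i], (struct sockaddr *)&ss, &len) == 0)
			mask |= ss.ss_family == AF_INET6 ? 2 : 1;
		close(fds[i]);
	}
	return mask;
}

/* Wait for one datagram on any listener, log its numeric source and echo it.
 * Returns 1 if a datagram was handled, 0 on timeout or error. */
int echo_once(int *fds, int n, int timeout_ms)
{
	struct pollfd pfd[MAX_LISTENERS];
	struct sockaddr_storage from;
	socklen_t flen = sizeof from;
	char buf[1500], host[INET6_ADDRSTRLEN], serv[8];
	ssize_t len;
	int i;
	for (i = 0; i < n; i++) {
		pfd[i].fd = fds[i];
		pfd[i].events = POLLIN;
	}
	if (poll(pfd, n, timeout_ms) <= 0)
		return 0;
	for (i = 0; i < n && !(pfd[i].revents & POLLIN); i++)
		;
	if (i == n)
		return 0;
	len = recvfrom(fds[i], buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
	if (len < 0)
		return 0;
	/* NI_NUMERICHOST: never trigger reverse DNS on a peer-chosen address */
	if (getnameinfo((struct sockaddr *)&from, flen, host, sizeof host,
	    serv, sizeof serv, NI_NUMERICHOST | NI_NUMERICSERV) == 0)
		printf("%zd bytes from [%s]:%s on the %s socket\n", len, host, serv,
		    from.ss_family == AF_INET6 ? "IPv6" : "IPv4");
	sendto(fds[i], buf, (size_t)len, 0, (struct sockaddr *)&from, flen);
	return 1;
}

int main(int argc, char **argv)
{
	int fds[MAX_LISTENERS];
	/* port 7777 is an assumption for the demo; pass another as argv[1] */
	int n = open_listeners(argc > 1 ? argv[1] : "7777", fds, MAX_LISTENERS);
	if (n <= 0)
		return 1;
	for (;;)
		echo_once(fds, n, -1);
}
```

Send a datagram with nc -u to the IPv4 and the IPv6 address in turn and the log line shows which of the two sockets received it.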



FYI: sch5017

2006-04-16 Thread Brian
It's looking good.  Thanks Roman for letting me help out.  Only two problems
persist:

1) we get the list twice due to the nviic detecting two iic's
2) register 0x20 is +5 VTR, which differs from the adt chip

Here are the results as of pulling down the CVS this weekend:

hw.sensors.0=adt0, +2.5Vin, 1.32 V DC
hw.sensors.1=adt0, Vccp, 1.43 V DC
hw.sensors.2=adt0, Vcc, 3.35 V DC
hw.sensors.3=adt0, +5V, 5.13 V DC
hw.sensors.4=adt0, +12V, 12.00 V DC
hw.sensors.5=adt0, Remote1 Temp, 31.00 degC
hw.sensors.6=adt0, Internal Temp, 38.00 degC
hw.sensors.7=adt0, Remote2 Temp, 33.00 degC
hw.sensors.8=adt0, TACH1, 3832 RPM
hw.sensors.9=adt0, TACH2, 2204 RPM
hw.sensors.12=adt1, +2.5Vin, 1.32 V DC
hw.sensors.13=adt1, Vccp, 1.43 V DC
hw.sensors.14=adt1, Vcc, 3.35 V DC
hw.sensors.15=adt1, +5V, 5.10 V DC
hw.sensors.16=adt1, +12V, 12.06 V DC
hw.sensors.17=adt1, Remote1 Temp, 31.00 degC
hw.sensors.18=adt1, Internal Temp, 38.00 degC
hw.sensors.19=adt1, Remote2 Temp, 33.00 degC
hw.sensors.20=adt1, TACH1, 3829 RPM
hw.sensors.21=adt1, TACH2, 2204 RPM

here's the dmesg:
OpenBSD 3.9-current (GENERIC) #26: Fri Apr 14 16:10:03 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2
cache) 1.81 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 1073246208 (1048092K)
avail mem = 972591104 (949796K)
using 4278 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ad) BIOS, date 02/17/05, BIOS32 rev. 0 @ 0xfa780
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xcc54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfcb20/288 (16 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 17 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0xf000 0xd/0x1800 0xd2000/0x1600
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0
adt0 at iic0 addr 0x2e: sch5017 rev 0x89
iic1 at nviic0
adt1 at iic1 addr 0x2e: sch5017 rev 0x89
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: irq 5, version
1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: irq 10
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4 function 0 NVIDIA nForce4 AC97 rev 0xa2: irq 5, nForce4
AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auich0
pciide0 at pci0 dev 6 function 0 NVIDIA nForce4 IDE rev 0xa2: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4163B, A103 SCSI0 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 7 function 0 NVIDIA nForce4 SATA rev 0xa3: DMA
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD360GD-00FLA2
wd0: 16-sector PIO, LBA48, 35304MB, 72303840 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: WDC WD3200KS-00PFB0
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide2 at pci0 dev 8 function 0 NVIDIA nForce4 SATA rev 0xa3: DMA
pciide2: using irq 11 for native-PCI interrupt
ppb0 at pci0 dev 9 function 0 NVIDIA nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
ATI Rage XL rev 0x27 at pci1 dev 5 function 0 not configured
VIA VT6306 FireWire rev 0x80 at pci1 dev 6 function 0 not configured
skc0 at pci1 dev 10 function 0 D-Link Systems DGE-530T rev 0x11, Marvell
Yukon Lite (0x9): irq 5
sk0 at skc0 port A, address 00:15:e9:2e:28:e6
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
nfe0 at pci0 dev 10 function 0 NVIDIA CK804 LAN rev 0xa3: irq 11, address
00:e0:81:56:8f:67
eephy1 at nfe0 phy 1: Marvell 88E Gigabit PHY, rev. 1
ppb1 at pci0 dev 11 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 12 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 13 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101):
irq 11, address 00:e0:81:56:8f:66
brgphy0 at 

Re: When would you NOT use OpenBSD?

2006-04-05 Thread Brian
--- Daniel Ouellet [EMAIL PROTECTED] wrote:


 So, the argument of Vendor support is a sometimes criteria. really 
 doesn't mean ANYTHING to me anymore and real life example proved it many 
 times over!

Paid vendor support is a feel good thing like insurance.  When it comes time
for them to help you out, you get screwed.

Brian



Re: odd dmesg

2006-04-04 Thread Brian
--- Theo de Raadt [EMAIL PROTECTED] wrote:

 
 On iic bus 0, you have a sch5017 chip at address 0x2e for which we do
 not have a driver yet:
 
   http://ftp.smsc.com/main/datasheets/5017.pdf
   start at page 230
 
 Your other iic bus appears to have the same chip, or maybe it is two iic
 busses wired together.
 

Thanks.  I started to dig in /usr/src/sys/dev/i2c, and, I think, I found the
function that is resulting in my dmesg dump for iic.  The result seems to be
coming from /usr/src/sys/dev/i2c/i2c_scan.c (function icc_dump).

If I am following the source code correctly, it looks like the setup for iic
is: pci -> iic -> individual iic drivers.  Looks like the drivers have a
parent/child relationship.  Each driver writes to the following structures:

cfattach (which contains the malloc size of struct xx_softc)
cfdriver

which are a part of cfdata

and the drivers also write to struct sensor.

The drivers also contain the registers per their docs.  It looks like reads are
performed on the register using iic_exec() at the address of the device, which
is passed down from the parent as a parameter (void *aux).  In this case, I
guess the driver for all iic devices.

The drivers look to contain match, attach, and refresh functions.  Where I seem
to be lost is how the driver data coming from the calls to iic_exec ends up in
sysctl.  

And if I were to write a driver based on the previous drivers already in
/usr/src/sys/dev/i2c, how would I debug it?  And I still am not sure how I
would add it to the kernel since I have always used GENERIC.  I guess I can
dig through the config man pages.  I have never written a driver, so I am
clueless.  I guess I'll keep digging, but thanks for the help.

Cheers,

Brian



Re: Moving a file mount point

2006-04-04 Thread Brian
--- Karl Kopp [EMAIL PROTECTED] wrote:

 Hi All,
 
 I've set up a Cisco replacement using OpenBSD and OpenBGPd and man, this
 thing FLIES :) I paid almost $3k AUD recently for another 64MB of RAM for
 our Cisco 2610 and it was still struggling under the load of 6 - 8mb/sec!
 The new OpenBSD box is running at less than 2% CPU pushing 20mb/sec - and
 cost less than the RAM alone :)
 
 One thing I need to do urgently though is move my /var mount - I'm not 100%
 sure how to do this on a running box with the least amount of down time. Any
 hints / advice would be greatly appreciated!
 
 Thanks
 Karl

Does this help:

http://www.openbsd.org/faq/faq14.html#NewDisk

I am not sure what you mean by move.  Move where?  I assume you meant to a new
drive, so the FAQ above should help.

Brian



odd dmesg

2006-04-03 Thread Brian
I just did a fresh install of 3.9-current.  And part of the dmesg is coming
across oddly.  I am not sure what else to say about it.  It's the iic0 and
iic1.

Check it out:

OpenBSD 3.9-current (GENERIC) #670: Sat Apr  1 23:34:55 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2
cache) 1.81 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 1073246208 (1048092K)
avail mem = 972591104 (949796K)
using 4278 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ad) BIOS, date 02/17/05, BIOS32 rev. 0 @ 0xfa780
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xcc54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfcb20/288 (16 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 17 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0xf000 0xd/0x1800 0xd2000/0x1600
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0
sch5017 at iic0 addr 0x2e not configured
iic1 at nviic0
sch5017 at iic1 addr 0x2e not configured
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: irq 5, version
1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: irq 10
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4 function 0 NVIDIA nForce4 AC97 rev 0xa2: irq 5, nForce4
AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auich0
pciide0 at pci0 dev 6 function 0 

Re: Sendmail security problem

2006-03-28 Thread Brian A. Seklecki

On Fri, 24 Mar 2006, Joachim Schipper wrote:


On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:

On 2006/03/24 14:12, Alexander Bochmann wrote:

...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:


P gnu/usr.sbin/sendmail/libsm/refill.c
P gnu/usr.sbin/sendmail/sendmail/collect.c
P gnu/usr.sbin/sendmail/sendmail/conf.c
P gnu/usr.sbin/sendmail/sendmail/deliver.c
P gnu/usr.sbin/sendmail/sendmail/headers.c
P gnu/usr.sbin/sendmail/sendmail/mime.c
P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
P gnu/usr.sbin/sendmail/sendmail/savemail.c
P gnu/usr.sbin/sendmail/sendmail/sendmail.h
P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
P gnu/usr.sbin/sendmail/sendmail/util.c



I am pretty certain a fix was imported for 3.7-stable, too.



Yep.

Why was there no Security Advisory or entry in the Daily Changelog for 
this?


There's an errata entry, but no announcement =/

~BAS


Joachim




Is list quiet?

2006-03-27 Thread Brian Street
Hello everyone,

I recently switched to a new mail server (about 3 weeks ago) and at first
I was receiving email from the list but it seems to be about 2 weeks since
the last one.

Is the list real quiet or do I have a local mail issue?

Thanks,
Brian.



Re: openbsd and the money -solutions

2006-03-24 Thread Brian
--- Deanna Phillips [EMAIL PROTECTED] wrote:


 That said, I think a wall of shame page on the OpenSSH site
 might be a good idea: one listing all those big companies
 mentioned that have never donated a dime.  Negative PR might
 result in more donations than managers receiving the minor
 annoyance message forwarded to them, which they'll simply delete
 and forget about.

Too bad OpenSSH couldn't just require a license fee for OpenSSH to
be included in OSes besides OpenBSD that are sold for money.  This would
include corporate use as well.  So if IBM wanted to include OpenSSH
in one of its products sold to someone, they would have to pay OpenSSH
to include it in their product or kick back to the OpenSSH team some percentage
of the revenue generated by that product.  

Of course, the license would have to be written so the OpenSSH team is not
obligated to do support.  If IBM wanted their employees to use OpenSSH, they
would have to pay a site license fee.  Of course, home users (non-business) and
universities would be excluded.



Re: openbsd and the money -solutions

2006-03-24 Thread Brian
--- Spruell, Darren-Perot [EMAIL PROTECTED] wrote:

 Better approach. How about said companies belly up and support the group
 that enables them (in part) to enjoy the financial success they have? 

Because there is no reason for them to.  Here's what would happen:

1) license change comes out
2) IT looks for alternative program
3) IT provides figures to finance for either the alternative program,
   the new license, or in house development 
4) finance runs some cash flow analysis and sits down with the CIO and CFO
   based on the results
5) suggestion is provided to management

I work in finance.  There is no reason to provide funding from a business
standpoint.  What does the business gain?  Corporations basically have a free
development team.  Sure they cannot dictate requests, but the code quality is
high and the product works well.

Honestly, unless the OpenSSH team mandates funding, no one will cough up cash. 
And the license price has to be the sweet spot, where it isn't too high that no
funding is received and not too low that it doesn't accomplish anything.  

And Theo from his messages doesn't want the direction of the program dictated
to him by folks that donate.  No corporation is gonna provide funding unless
they get something out of it.

I think Theo needs to put his foot down on this issue.  I would think of
OpenSSH as separate from OpenBSD.  I would not advocate changing licenses on
the rest of OpenBSD.  Of course, the downside is that some of the corporations
might withhold documentation needed for driver development unless the license
is lifted.

Cheers,

Brian



QUESTION ABOUT PPP.LINKUP AND PF

2006-02-09 Thread Brian Shackelford
Hello -

I am currently at the end of my understanding.  We have PF working
between two Ethernet cards perfectly - we have absolutely no problems
with it coming up properly and running as needed.  What I am having a
problem with is when we use PPP to establish a connection to an ISP via
a dialup modem.  In some cases we do need to do that as the locations do
not have high speed access.

We have a line for the dialup config in our ppp.conf file called
elinkod:  This connects up to earthlink manually, with the -ddial or the
-auto modes no problem and we can get around on the internet with no
problems.

We have /etc/ppp/ppp.linkup and in that is a section like this:

elinkod:
! sh -c pfctl -e -f /etc/pf.conf

Now from what I understand this should allow the connection to establish
and then enable pf with the ruleset contained in pf.conf.  It doesn't
seem to ever work.  We even tried putting the commands to kick off in a
separate script file and kick that file off like so:

elinkod:
!bg /etc/ppp/ppp.linkup.elinkod

Again that also did not work.  We have the set log options set in the
ppp.conf file under the elinkod section and the relevant sections setup
in syslog.conf to allow for logging of ppp information to
/var/log/ppp.log - but nothing is appearing in the log files either.

Just wondering if anyone has any suggestions as to what to do next?  I
am sure it is something I am missing, but I read and re-read the man
pages and really couldn't find what I was doing wrong - of course
information starts to run together late at night and I might have
misread or confused something else.

Any help is greatly appreciated.

Thanks!



IPMI / SNMP / MRTG (WAS: RE: ipmi(4) (IPMI MIB?))

2006-02-03 Thread Brian A. Seklecki

On Thu, 26 Jan 2006, Bruce Shaw wrote:


We've actually got several different problems here.


Specifically, the OpenBSD implementation we're seeing here seems to
provide sysctl style access to Sensor data, watchdog info, etc., but what
about other IPMI functions?


I've been working on better sensor information for openBSD but lack reliable
access to a platform to develop on (a friend has been doing what he can).


On any number of occasions, I've offered personally to donate VMWare 
licenses to Net-SNMP developers to help bring *BSD support back into the 
mainstream :} ... That's a standing offer and I'm sure there are plenty 
of corporations that wouldn't mind contributing either.


I will say this, though.  It takes about 35 seconds to do an ipmitool sdr 
list full.  Thus, for every two values you would like to graph in MRTG,
you can add 35 seconds to the job's run time.  The time it takes to do an 
ipmi sensor get 'blah' is marginally different than a list.


$ time ipmitool -U netadmin -E -H sys-lom.priv -c sdr list full
Temp,43,degrees C,ok
Temp,40,degrees C,ok
[...]
real    0m34.618s
user    0m0.017s
sys     0m0.017s

Thus... an in-kernel IPMI <-> SNMP gateway interface (such as OpenBSD's) 
would be optimal compared to relying on the hardware/LOM/BMC functionality, 
at least for the sensor-related data.


The hardware interface on the BMC/NIC is infinitely useful.  You can VLAN 
it off into a management/out of band subnet and do hard-power resets, etc, 
from there.


Regarding MRTG, there are 8 sets of values to graph out from the sensor 
results on Dell PE 1850s/2850s that I have access to:


Set 1: CPU0 Temp, CPU1 Temp
Set 2: MB Ambient, MB Planar Temp
Set 3: Riser Temp  [Riser Temp]
Set 4: PS#0 Temp, PS#1 Temp
Set 5: CMOS Battery Volt  [CMOS Battery Volts]
Set 6: Fan 1A, Fan 1B
Set 7: Fan 2A, Fan 2B
Set 8: Fan 3A, Fan 3B
Set 9: Fan 4A, Fan 4B

A modified version of Chris Wilson's NAGIOS IPMI plugin can be used to 
poll the data into MRTG in a very ...VERY suboptimal, but functional, 
manner.


http://digitalfreaks.org/~lavalamp/ipmi_mrtg.pl

(this script lacks any kind of sanity checking)

MRTG Configs might look something like:


Target[SYSNAME.fan3]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com f3`
PageTop[SYSNAME.fan3]: <H1>Fan Set 3 RPMs</H1>
Title[SYSNAME.fan3]: Fan Set 3 RPMs
Options[SYSNAME.fan3]: nopercent,gauge,growright
#Legend3[SYSNAME.fan3]: Fan Set 3, Fan A RPMs
#Legend2[SYSNAME.fan3]: Fan Set 3, Fan B RPMs
YLegend[SYSNAME.fan3]: RPMs
ShortLegend[SYSNAME.fan3]: RPMs&nbsp;
LegendI[SYSNAME.fan3]: &nbsp;Fan Set 3, Fan A RPMs:&nbsp;
LegendO[SYSNAME.fan3]: &nbsp;Fan Set 3, Fan B RPMs:&nbsp;
MaxBytes[SYSNAME.fan3]: 1

Target[SYSNAME.risertemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com ri`
PageTop[SYSNAME.risertemp]: <H1>Motherboard Riser(s)</H1>
Title[SYSNAME.risertemp]: Motherboard Riser(s)
Options[SYSNAME.risertemp]: nopercent,gauge,growright
#Legend1[SYSNAME.risertemp]: Motherboard Riser
#Legend2[SYSNAME.risertemp]: Motherboard Riser
YLegend[SYSNAME.risertemp]: Degrees Celsius
ShortLegend[SYSNAME.risertemp]: Degrees C&nbsp;
LegendI[SYSNAME.risertemp]: &nbsp;Degrees C Motherboard Riser:&nbsp;
#LegendO[SYSNAME.risertemp]: &nbsp;Degrees C Motherboard Riser:&nbsp;
MaxBytes[SYSNAME.risertemp]: 100

Target[SYSNAME.pstemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com ps`
PageTop[SYSNAME.pstemp]: <H1>Power Supply Temperature(s)</H1>
Title[SYSNAME.pstemp]: Power Supply Temperature(s)
Options[SYSNAME.pstemp]: nopercent,gauge,growright
#Legend1[SYSNAME.pstemp]: Temperature Power Supply #0
#Legend2[SYSNAME.pstemp]: Temperature Power Supply #1
YLegend[SYSNAME.pstemp]: Degrees Celsius
ShortLegend[SYSNAME.pstemp]: Degrees C&nbsp;
LegendI[SYSNAME.pstemp]: &nbsp;Degrees C PS#0:&nbsp;
LegendO[SYSNAME.pstemp]: &nbsp;Degrees C PS#1:&nbsp;
MaxBytes[SYSNAME.pstemp]: 100

Target[SYSNAME.batvolt]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com cb`
PageTop[SYSNAME.batvolt]: <H1>CMOS Battery Voltage</H1>
Title[SYSNAME.batvolt]: CMOS Battery Voltage
Options[SYSNAME.batvolt]: nopercent,gauge,growright
#Legend1[SYSNAME.batvolt]: Temperature CPU#0
#Legend2[SYSNAME.batvolt]: Temperature CPU#1
YLegend[SYSNAME.batvolt]: Volts DC
ShortLegend[SYSNAME.batvolt]: Volts&nbsp;
LegendI[SYSNAME.batvolt]: &nbsp;Volts CMOS Battery:&nbsp;
#LegendO[SYSNAME.batvolt]: &nbsp;Degrees C CPU#1:&nbsp;
MaxBytes[SYSNAME.batvolt]: 6

Target[SYSNAME.cputemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com cpu`
PageTop[SYSNAME.cputemp]: <H1>CPU Temperature(s)</H1>
Title[SYSNAME.cputemp]: CPU Temperature(s)
Options[SYSNAME.cputemp]: nopercent,gauge,growright
#Legend1[SYSNAME.cputemp]: Temperature CPU#0
#Legend2[SYSNAME.cputemp]: Temperature CPU#1
YLegend[SYSNAME.cputemp]: Degrees Celsius
ShortLegend[SYSNAME.cputemp]: Degrees C&nbsp;
LegendI[SYSNAME.cputemp]: &nbsp;Degrees C CPU#0:&nbsp;
LegendO[SYSNAME.cputemp]: &nbsp;Degrees C CPU#1:&nbsp;

Re: ipmi(4) (IPMI MIB?)

2006-01-26 Thread Brian A. Seklecki

All:

Regarding the future of IPMI and SNMP, where do they intersect in the 
evolution of enterprise free software (aka, BSD) ?


Specifically, the OpenBSD implementation we're seeing here seems to 
provide sysctl style access to Sensor data, watchdog info, etc., but what 
about other IPMI functions?


For those, you still need the ipmitool(8) from Sourceforge.  A kernel 
interface is nice, but ipmitool -H 1.2.3.4 chassis reset or off are 
obviously beyond the scope of this implementation.


The problem is that the data is useless unless you can collect using 
something like SNMP.  From there you can feed to MRTG for simple graphing, 
SNMP Traps for from the agent for events (case intrusion detection, etc.) 
Perl modules for data archiving, etc.


What about more practical examples of IPMI <-> Net-SNMP integration?  Two 
come to mind: platform-independent environmental sensor data and chassis 
information.  The latter isn't available via the kernel on any OS that I 
know of, and the former isn't unified (various ways of talking to W83781D, 
W83782D, W83783S, LM78, LM79 and the AS99127F chips).  But IPMI could 
standardize that.


For example, the ipmitool(8) values of chassis status or sensor:

$ ipmitool -E sensor
[temperature, fans, voltages omitted]

Then 4 or 5 values that you simply cannot get from ISA based environmental
ICs are available:
OS Watchdog|0x0|discrete|0x0080|na|na|na|na|na|na
SEL
Intrusion
PSRedundancy
FanRedundancy

Also, these aren't showing up in my hardware, but:

Error reading sensor PCI Parity Err (#04)
Error reading sensor PCI System Err (#05)
Error reading sensor SCSI Connector A (#02)
Error reading sensor Drive (#01)
Error reading sensor ECC Corr Err (#01)
Error reading sensor ECC Uncorr Err (#02
Error reading sensor Memory Mirrored (#12)
Error reading sensor Memory RAID (#13)
Error reading sensor Memory Added (#14)
Error reading sensor Memory Removed (#15)

If that information was populated, that would be very exciting (For
example, Drive failure notification via IPMI? Perhaps in RAID?)

Also:

$ ipmitool -E chassis status
System Power : on
Power Overload   : false
Power Interlock  : inactive
Main Power Fault : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event :
Chassis Intrusion: inactive
Front-Panel Lockout  : inactive
Drive Fault  : false
Cooling/Fan Fault: false
Sleep Button Disable : allowed
Diag Button Disable  : allowed
Reset Button Disable : allowed
Power Button Disable : allowed
Sleep Button Disabled: true
Diag Button Disabled : true
Reset Button Disabled: true
Power Button Disabled: true

It would be extremely useful to be able to map these values directly into
a Net-SNMP MIB's values as booleans then use defaultMonitor /
DISMAN-EVENT-MIB for the event-style bits and other integers for the
traditional sensor data (fan RPMs, thermometer).

In the meantime, it may be possible to use Net-SNMP's built in Perl 
support to read sysctl(2) data from OpenBSD and parse the output of 
ipmitool(8) (ipmitool(8) has a -c flag for CSV output, but it doesn't 
seem to work in combination with the 'sensor' command -- suks) on other 
BSDs, but I'm not sure how that process would begin (an OID tree would 
need to be assigned to IPMI?)


~BAS
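The post wants the text ipmitool(8) prints for `sensor` and `chassis status` turned into integers and booleans that an SNMP agent (or an MRTG target script like the one above) could serve. The following is an added example, mine rather than Brian's code or anything from ipmitool or Net-SNMP: it parses the two layouts shown in the post on constructed sample output. The sensor names and readings in the samples, and the fault mapping in `faults()`, are assumptions for illustration.

```python
"""Turn ipmitool(8) text into the kinds of values an SNMP agent can expose.

Added example; it is not part of the original post, nor of ipmitool or
Net-SNMP. It assumes the two output layouts shown in the post: 'ipmitool
sensor' prints pipe-delimited rows (name|reading|unit|status|thresholds...)
and 'ipmitool chassis status' prints 'Key : value' lines. Both samples below
are constructed, with realistic values, from those layouts.
"""

# Constructed 'ipmitool sensor' output: discrete sensors carry a state mask in
# the status column, analog sensors carry a reading and a unit. One
# "Error reading sensor" line is included because ipmitool prints those inline.
SAMPLE_SENSOR = """\
CPU Temp 1   | 38.000   | degrees C | ok     | na | na | na       | 85.000 | 90.000 | na
Fan 1        | 4200.000 | RPM       | ok     | na | na | 1000.000 | na     | na     | na
OS Watchdog  | 0x0      | discrete  | 0x0080 | na | na | na       | na     | na     | na
Intrusion    | 0x0      | discrete  | 0x0080 | na | na | na       | na     | na     | na
Error reading sensor Drive (#01)
"""

# Constructed 'ipmitool chassis status' output.
SAMPLE_CHASSIS = """\
System Power : on
Power Overload : false
Main Power Fault : false
Chassis Intrusion : inactive
Drive Fault : false
Cooling/Fan Fault : false
Reset Button Disabled : true
"""

# Same chassis with the intrusion switch asserted, to exercise the fault check.
SAMPLE_CHASSIS_ALERT = SAMPLE_CHASSIS.replace(
    "Chassis Intrusion : inactive", "Chassis Intrusion : active")

_BOOL_WORDS = {"true": True, "false": False, "on": True, "off": False,
               "active": True, "inactive": False}


def parse_sensor(text):
    """Return {name: {'unit', 'status', 'discrete', 'value', 'state'}} per row."""
    sensors = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4:
            continue  # blank lines and 'Error reading sensor ...' messages
        name, reading, unit, status = fields[:4]
        entry = {"unit": unit, "status": status, "discrete": unit == "discrete",
                 "value": None, "state": None}
        if entry["discrete"]:
            try:
                entry["state"] = int(status, 16)  # assertion bitmask, e.g. 0x0080
            except ValueError:
                pass
        else:
            try:
                entry["value"] = float(reading)
            except ValueError:
                pass  # 'na' readings stay None
        sensors[name] = entry
    return sensors


def parse_chassis(text):
    """Return {key: value}; true/false, on/off and active/inactive become booleans."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        out[key.strip()] = _BOOL_WORDS.get(val.lower(), val)
    return out


def to_gauge(entry, scale=1000):
    """Integer for a Gauge32/MRTG value: analog readings scaled (38.0 -> 38000),
    discrete sensors return their state mask, unknown readings return -1."""
    if entry["discrete"]:
        return entry["state"] if entry["state"] is not None else -1
    if entry["value"] is None:
        return -1
    return int(round(entry["value"] * scale))


def faults(chassis):
    """Chassis flags worth a trap: a Fault/Overload that is true or an Intrusion
    that is active (this mapping is an assumption, not something ipmitool defines)."""
    return [key for key, val in chassis.items()
            if val is True and any(w in key for w in ("Fault", "Overload", "Intrusion"))]


if __name__ == "__main__":
    for name, entry in parse_sensor(SAMPLE_SENSOR).items():
        print(f"{name:<14} gauge={to_gauge(entry)}")
    print("faults:", faults(parse_chassis(SAMPLE_CHASSIS_ALERT)))
```

Scaling analog readings by 1000 keeps them integers without losing the decimals ipmitool prints; the discrete state mask is passed through unchanged so a DISMAN-EVENT-MIB style monitor can compare it against the bit it cares about.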



Re: Annoying echoes in console DRAC III/XT on DELL Poweredge

2006-01-13 Thread Brian A. Seklecki
On Fri, 13 Jan 2006, Xavier Milliès-Lacroix wrote:

 Sorry for the delay.

 In the BIOS I have found, 'USB Controller' with 3 options :
    Sets the USB controller to On with BIOS Support, On Without BIOS
 Support, or Off. If you have a PS/2 keyboard attached, On Without BIOS
 Support disables BIOS USB support. If you do not have a PS/2 keyboard
 attached and select On Without BIOS Support, USB mouse and keyboard devices
 function only during the boot process. When set to On With BIOS Support, USB
 mouse and keyboard devices are controlled by the BIOS until an operating
 system driver is loaded.

 But none are working.

 Any other ideas ?

Wscons may not be available during the initial install if that's what 
you're trying to do; otherwise all new USB keyboards connected while
the system is running should get MUX'd in.

Compile a kernel w/o wscons or wskbd? I dunno.  I'd really have to play 
with it.  All that I can personally attest to is: It works fine with 
Drac/4 on FreeBSD 5.x =/

~BAS


 -----Original Message-----
 From: Brian A. Seklecki [mailto:[EMAIL PROTECTED]
 Sent: Monday 5 December 2005 02:11
 To: Xavier Milliès-Lacroix
 Cc: misc@openbsd.org
 Subject: Re: Annoying echoes in console DRAC III/XT on DELL Poweredge

 The thing emulates a USB keyboard.  Try toggling legacy emulation mode in
 the BIOS.

 ~BAS

 On Thu, 2005-12-01 at 03:55, Xavier Milliès-Lacroix wrote:
 Hello,

 I'm trying to install OBSD 3.8 on a Dell Poweredge 750 server using
 the Card DRAC III/XT (provides remote console/screen).
 But each time a key is pushed I have the letter repeated on the console.
 I have put the last firmware for the DRAC Card.

 I have searched but didn't find any answer.

 I can't install OBSD remotely!

 Have you already met this issue?

 Is it a java problem (the remote access is done via http and a java
 virtual
 machine) ?

 Xavier.






l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: isakmpd + gre crashing on OpenBSD 3.8

2006-01-09 Thread Brian A. Seklecki

But as soon as I start an scp from Perspex to Soekris, Perspex reboots
after a few hundred kb.  Unfortunately, Perspex is in a datacenter and I
do not have console access to it to see what the heck is happening at that
exact moment.


I don't recall.  But for the record (IPSEC inside GRE):

If the Transport IPSEC connection is negotiated between two hosts inside the 
GRE tunnel private subnet and the IPSEC connection goes down, the data flows in 
cleartext.  *bad*


The opposite would be (GRE-inside-IPSEC-Transport):

If the Transport IPSEC tunnel is built between the two hosts' public interfaces 
and the GRE tunnel is built normally and thus encrypted, things should work. 
Of course, we run into the crash.


The trick was I tried it on OpenBSD/Sparc where there is no-such-thing as 
Flash back to the BIOS and it turns out a Sun watchdog timer is getting 
hit.  Watchdog timers on i386 must cause the BIOS to reset. So the problem is 
in-kernel and the config is probably too obscure for developers to spend time 
on.


My solution was to re-IP my network properly, and use IP Supernets/ 
summarization/ subnet aggregation thus consolidating the need for so many 
spokes on a hub-and-spoke VPN config.


~~BAS



I noticed that there were no responses to your thread, but I was wondering
if you had worked out your problem or if you decided to go with ipsec
encapsulated in gre.

Cheers,

/Jason
--
Jason Taylor
e: [EMAIL PROTECTED]
m: 514-815-8204







Re: OpenBSD beep

2005-12-17 Thread Brian A. Seklecki
PC speaker beep (something action on the console?)

Or possibly hardware alarm?

~BAS

On Sat, 2005-12-17 at 09:12, dimaz wrote:
 I've installed OpenBSD on my small server; before, the server was running Linux, 
 and 2-3 times a day my server beeps (3 times)...
 What does it mean? And how can I control these beeps?



Re: UltraSparc documentation

2005-12-07 Thread Brian A. Seklecki
 There is the (expensive) Real Weasel for x86 kit, Dell's crappy lights

DRAC/4 isn't that bad :}

You can always use serial console redirection on the 1850s/2850s; it
works well until OS boot (BIOS menus works, RAID, IPMI menus), when you
have to setup serial console redirection on the boot loader/kernel, and
then start a getty on the com.

Plus you have hardware level IPMI (cold boots, etc.) which you can tag
with a VLAN.

It's not Sun, though.

~BAS

 out card isn't a reliable option. 
 
 Any thoughts welcome.



Re: RAIDframe issues on 3.8

2005-12-07 Thread Brian A. Seklecki
 started filing PR's for RAIDframe stuff in OpenBSD -- there have been 
 a lot of changes/fixes to RAIDframe in the last 5 years that aren't 

I have $100 via Paypal for the person who commits RAID enabled boot
blocks for Sparc[64] and i386/amd64 on OpenBSD.

I have an additional $100 via Paypal for the person who makes an initial
effort to re-sync the RAIDFrame codebase.

~BAS

 reflected in the code in OpenBSD, and I wouldn't know where to begin 
 :)
 
 Later...
 
 Greg Oster



Re: *STUPID* IPSEC Routing Bug - No Default Gateway?!

2005-12-06 Thread Brian A. Seklecki
 no, you just need a route to the destination, this is a known

a route to the destination of the tunnel...(that overlaps with the encap
route...)...

 but and there's no simple fix.  however, just create a network
 route for the peer that points back to the sender. this way

...or a route to the isakmpd peer?  because technically one gets added
to the route table by ARP:

192.168.1.50  0:11:43:e8:2b:c6   UHLc 0   679672  -   vlan30

...this of course would differ if there were multiple hops between the
isakmpd peers.

~BAS

 you avoid sending out unencrypted traffic if the ipsec tunnels
 are down.
 
 -m



PF NAT Address Pool Source Interface

2005-12-05 Thread Brian A. Seklecki

All:

It may seem rudimentary, but nowhere in the FAQ or man pages is it 
explicitly stated that the source address or address pool of a NAT 
translation must be assigned to an interface.


Obviously it can either be a primary address (such as 99.9% of the PAT 
configurations on the Internet) or a series of IP aliases assigned.


Furthermore, it doesn't actually state or recommend which interface the 
translated addresses should be assigned to.  Technically, it's irrelevant. 
In practice, it depends greatly on the overall network configuration 
(specifically, routing), as long as other hosts in the network know a 
discrete route to the subnet of the translated hosts via any interface on 
the device doing the translation.


The translation occurs to the packet's source address as it leaves the 
outbound interface (the one explicitly defined to the right of the -> in 
the pf.conf(5) rule), so one might casually assume to assign the 
pool/address there; however in my tests, I've found that it can be 
assigned to the same interface as the subnet being translated.


However, if a translation rule in pf.conf(5) exists but the destination 
address/pool (the address to be translated to, not the optional 
destination CIDR mask), OpenBSD will still happily transmit a translated 
packet out an interface with a source address foreign to that segment / 
whatever media.


Even if other hosts receive a packet and reply to it, they won't be able 
to ARP for it, and if they could, the original OpenBSD box will drop the 
reply with destination host/network unreachable (obviously).


Wouldn't a better behavior be to prevent the transmission of the packet in 
the same way a socket cannot bind to a source port/IP if it is not 
assigned to an interface?


Thoughts?

TIA,
BAS
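The check the post wishes pf did at load time can be done outside pf before the ruleset is loaded. The following is an added example, mine rather than anything from the post or from OpenBSD's pf: a Python script that reads a pf.conf(5) fragment in the 3.x-era `nat on IF from SRC to DST -> ADDR` syntax together with a table of which addresses each interface carries (in practice built from ifconfig(8) output), and reports every pool address that no interface owns, the case the post shows pf silently accepting. It also reports pool addresses that exist but on a different interface than the rule's, which the post says works when routing allows, so that is informational only. It goes slightly beyond the post in accepting CIDR blocks as pool entries. The interface table, the macro handling and both inputs are constructed assumptions using RFC 5737 addresses.

```python
"""Pre-flight check: is every NAT pool address in a pf.conf(5) fragment
actually assigned to some interface on this box?

Added example; it is not part of the original post nor of OpenBSD's pf. It
assumes the 3.x-era syntax 'nat on IF from SRC to DST -> ADDR' (with '{ a, b }'
pools and simple macro lines) and takes the interface address table as a dict
that in practice you would build from ifconfig(8) output. Both inputs below are
constructed with RFC 5737 addresses.
"""
import ipaddress
import re

# Constructed: addresses each interface carries (primary plus aliases).
IFACES = {
    "fxp0": ["203.0.113.1/30"],
    "fxp1": ["192.168.10.1/24", "203.0.113.9/32"],  # alias on the inside interface
}

# Constructed pf.conf fragment; the last two rules reference addresses nobody owns.
PF_CONF = """\
ext_if = "fxp0"
nat on $ext_if from 192.168.10.0/24 to any -> 203.0.113.1
nat on $ext_if from 192.168.10.0/24 to any -> 203.0.113.9
nat on $ext_if from 192.168.20.0/24 to any -> 203.0.113.77
nat on $ext_if from 192.168.30.0/24 to any -> { 203.0.113.1, 203.0.113.78 }
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]+?)"?\s*$')
NAT_RE = re.compile(r"^\s*nat\s+on\s+(\S+)\s+.*?->\s*(\{[^}]*\}|\S+)")


def expand_macros(conf):
    """Drop 'name = value' lines and substitute $name in the rules that follow."""
    macros, lines = {}, []
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, val in macros.items():
            line = line.replace("$" + name, val)
        lines.append(line)
    return lines


def nat_rules(conf):
    """Return [(interface, [pool entries])] for each nat rule in the fragment."""
    rules = []
    for line in expand_macros(conf):
        m = NAT_RE.match(line)
        if m:
            iface, target = m.group(1), m.group(2)
            pool = [a.strip() for a in target.strip("{}").split(",") if a.strip()]
            rules.append((iface, pool))
    return rules


def interface_addresses(ifaces):
    """Map each configured address to the interface that owns it."""
    return {str(ipaddress.ip_interface(cidr).ip): name
            for name, cidrs in ifaces.items() for cidr in cidrs}


def pool_hosts(entry):
    """Expand a pool entry (single host or CIDR block) to the addresses pf may pick."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]


def check_nat_pools(conf, ifaces):
    """Return (missing, elsewhere): missing holds (addr, nat_iface) for pool
    addresses no interface owns, the case the post shows pf does not reject;
    elsewhere holds (addr, nat_iface, owner) for addresses that exist but on
    a different interface than the rule's, which the post reports works."""
    owner = interface_addresses(ifaces)
    missing, elsewhere = [], []
    for iface, pool in nat_rules(conf):
        for entry in pool:
            for addr in pool_hosts(entry):
                if addr not in owner:
                    missing.append((addr, iface))
                elif owner[addr] != iface:
                    elsewhere.append((addr, iface, owner[addr]))
    return missing, elsewhere


if __name__ == "__main__":
    missing, elsewhere = check_nat_pools(PF_CONF, IFACES)
    for addr, iface in missing:
        print(f"nat on {iface} -> {addr}: address not assigned to any interface")
    for addr, iface, owner in elsewhere:
        print(f"nat on {iface} -> {addr}: assigned to {owner}, not {iface} (ok if routed)")
```

Run it against the real ruleset before `pfctl -f`; a non-empty `missing` list is exactly the configuration that produces packets with a source address nobody can ARP for.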



Re: OpenBSD 3.8 and Dell 1850 with PERC4/DC controller

2005-12-05 Thread Brian A. Seklecki

I've only had the priv. to run OpenBSD on the 750 and 850 1Us from Dell.

However I have a number of FreeBSD 5.3x hosts on single and dual-proc 1850 
models, some with RAID and some with standard SCSI.


The standard SCSI config (on which I run software RAID) probes as:


NAME
 mpt(4) -- LSI Fusion-MPT SCSI/Fibre Channel driver

mpt0: LSILogic 1030 Ultra4 Adapter port 0xec00-0xecff mem 
0xdfde-0xdfde,0xdfdf-0xdfdf irq 34 at device 5.0 on pci2

mpt0: [GIANT-LOCKED]
ses0 at mpt0 bus 0 target 6 lun 0
da0 at mpt0 bus 0 target 0 lun 0
da1 at mpt0 bus 0 target 1 lun 0


The hardware RAID (with cache and battery and all) probes as:

NAME
 amr(4) -- AMI MegaRAID PCI-SCSI RAID driver

amr0: LSILogic MegaRAID mem 0xdfde-0xdfdf,0xd80f-0xd80f 
irq 46 at device 14.0 on pci2

amr0: [GIANT-LOCKED]
amr0: LSILogic PERC 4e/Si Firmware 521S, BIOS H430, 256MB RAM
amrd0: LSILogic MegaRAID logical drive on amr0
amrd0: 69880MB (143114240 sectors) RAID 1 (optimal)

Maybe check your invoice?


~BAS

On Mon, 5 Dec 2005, shane mullins wrote:


We have a Dell 1850 with a PERC4/DC controller.  When I try installing OpenBSD
3.8, I am having some troubles.  3.8 sees the card with the mpt0
driver, which will not recognize my RAID1 config.  The hardware compatibility
guide tells me mpt0 is support for a standard SCSI card.  According to the
hardware guide, the correct driver for RAID support is ami.  When I boot with
boot -cs and add the ami driver support, I get no disk drive support.
To check the drive config I installed and booted another OS.  Any
help/comments would be greatly appreciated.

Thanks
Shane







*STUPID* IPSEC Routing Bug - No Default Gateway?!

2005-12-05 Thread Brian A. Seklecki

All:

I'm CC'ing everyone who has previously posted the destination host 
unreachable behavior when setting up a generic 4-host IPSec VPN tunnel 
config per the template in vpn(8) / isakmpd.conf(5).


NOTE: This is not the I can't ping the other side of the tunnel from the 
remote gateway because I forgot to specify the source IP flag to ping(8) 
bug.


In the template, gateway A and B share a WAN circuit, normally an 
ethernet segment (a /30 for example).  Each has a CIDR of RFC1918 Space on 
a second interface (a /24 for example)


The tunnel(s) comes up, netstat -rn -f encap shows the ipsec routes, 
ipsecadm(8) shows the flows.


However:

If gateway A sends an ICMP packet using ping(8)'s -I with a source 
address of the private subnet on its second interface to the IP on the 
private/second interface on gateway B, the packet gets properly 
encapsulated and transmitted per pflog0.


However, if the destination of the ICMP ping is an IP in the subnet 
assigned to the Ethernet segment on Gateway B's private/second interface, 
the packet:

- crosses the tunnel
- leaves the private interface, hits host X
- host X returns the packet to Gateway B
- Gateway B drops the packet, and returns Host X an ICMP host 
unreachable for Gateway A 


As crazy as that sounds, it happens?

And after hours of troubleshooting, the problem turns out to be??!?!

[*drumroll*]

OpenBSD requires that gateway A and gateway B have a default route 
declared


*EVEN THOUGH ONE IS NOT REQUIRED IN THE LAB CONFIGURATION*

1) If gateway A and gateway B have WAN interfaces on an ethernet segment 
such as a /30, they know the route to their respective WAN networks via 
directly connected route.


2) isakmpd/ipsec traffic can flow across that WAN network with no 
additional routing assistance.


3) Once the phase 2 negotiation is complete, both boxes know a new special 
ipsec route for a /24 via the ipsec peer.


4) TRAFFIC EGRESSING THE TUNNEL MUST HAVE A SOURCE ADDRESS THAT MATCHES 
THE ACL.


So why in the world would a default gateway be required?  A default 
gateway is only required to reach subnets for which routes do not exist.


Try it.  :}

This is the second time I've been bitten by these pseudo routes.

See PR 4314/system.

~BAS



Re: Annoying echoes in console DRAC III/XT on DELL Poweredge

2005-12-04 Thread Brian A. Seklecki
The thing emulates a USB keyboard.  Try toggling legacy emulation
mode in the BIOS.

~BAS

On Thu, 2005-12-01 at 03:55, Xavier Milliès-Lacroix wrote:
 Hello,
 
 I'm trying to install OBSD 3.8 on a Dell Poweredge 750 server using the Card
 DRAC III/XT (provides remote console/screen).
 But each time a key is pushed I have the letter repeated on the console.
 I have put the last firmware for the DRAC Card.
 
 I have searched but didn't find any answer.
 
 I can't install OBSD remotely!
 
 Have you already met this issue?
 
 Is it a java problem (the remote access is done via http and a java virtual
 machine) ?
 
 Xavier.



Re: multiple Local-IDs for isakmpd

2005-12-04 Thread Brian A. Seklecki
I opened a PR on this earlier this year.  Search my last name in
query-pr.

The Cisco 3000 supports SA Proposals with multiple discontiguous
subnets.

~BAS

On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:
 hi,
 
 i have a situation where a branch office with multiple,
 non-overlapping, non-aggregatable local networks need to connect to
 the head office, via an ipsec tunnel. of course, the security
 gateway is also acting as a gateway to the internet (nat and the usual
 collateral stuff), and, as a matter of fact, some of the local
 networks are connected to it via openvpn (that is, it itself is a vpn
 concentrator of sorts, for openvpn tunnels).
 
 rough sketch:
 
   -- branch office --  | | -- head office --
| |
 172.16.187.0/24 -  | |
 172.19.47.0/24   \   +---+ | | +---+
   +- |security gw| - (ipsec tun) - |security gw| - ...
 192.168.114.0/24 /   ++--+ | | +---+
 192.168.2.0/24  - |
   \
 (internet etc..)
 
 it may also be the case that at the head office end, there will be
 more than one host/network to be accessed; this is not clarified
 yet. i am not in control of the head office's concentrator, but i know
 that they are using a cisco 3060.
 
 how is this realized within isakmpd's configuration? i already have
 tried putting more than one ipv4_addr_subnets into the ipsec-id
 section, and even more than one ipsec-id section, but isakmpd throws
 them out (no surprise).
 
 if this cannot be realized within isakmpd, what other options do i
 have? pf route-tos/reply-tos are about the only thing i can think
 of... anything else?
 
 tia,



Re: OpenBSD 3.8 X.org on Sun Blade 100

2005-11-17 Thread Brian A. Seklecki
I had a U5 270? 330? Mhz for a year or two; the only way to get into 
1280x1024 (the max res of the monitor that it shipped with) was to drop 
into 8bpp.  At 16/24 bpp, with the 8mb integrated ATI Rage 64 something 
something garbage, you had to use m64config(8) and put the framebuffer in 
...1152x1024?  1152x768? Something like that.  Your X.log shows those 
available...try them.


I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp

Also, does the log really stop at:

(EE) xf86OpenSerial: Cannot open device /dev/mouse
Operation not permitted.
(EE) Mouse0: cannot open input device
(EE) PreInit failed for input device Mouse0

...is it possible X is crashing/core'ing at this state?  Normally it will 
passively fail to open the mouse device, but who knows.


Try:

-allowNonLocalModInDev  allow changes to keyboard and mouse settings
-allowMouseOpenFail     start server even if the mouse can't be initialized

Also 2:

(--) Using wscons driver
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be 
created.
_XSERVTransSocketUNIXCreateListener: mkdir(/tmp/.X11-unix) failed, errno = 
2

_XSERVTransMakeAllCOTSServerListeners: failed to create listener for local

Is /tmp mounted MFS or so?  Is it mode 777?

~BAS

On Thu, 17 Nov 2005, Simon Morgan wrote:


On 17/11/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:

Wait...1280x1024 or 1600x1200 w/ 8MB of RAM?  Is that right? Onboard
video only occupies 8MB?


Sorry, yes. AFAIK the onboard video is 8MB.






Re: OpenBSD 3.8 X.org on Sun Blade 100

2005-11-17 Thread Brian A. Seklecki

On Thu, 17 Nov 2005, Simon Morgan wrote:


On 17/11/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:






I just dont see 8mb video cards making it to 1280x1024 at 24/16bpp


I've now managed to get a display up. Many thanks to you and everyone
else who offered advice. Unfortunately the mouse is still completely



Errr jumped the gun...was it the resolution at 1152 something...or was it 
something else?




Re: OpenBSD 3.8 X.org on Sun Blade 100

2005-11-17 Thread Brian A. Seklecki

On Thu, 17 Nov 2005, Simon Morgan wrote:


On 17/11/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:


I had a U5 270? 330? Mhz for a year or two; the only way to get into
1280x1024 (the max res of the monitor that it shipped with) was to drop
into 8bpp.  At 16/24 bpp, with the 8mb integrated ATI Rage 64 something
something garbag, you had to use m64config(8) and put the frambuffer in
...1152x1024?  1152x768? Something like that.  Your X.log shows those
available...try them.

I just dont see 8mb video cards making it to 1280x1024 at 24/16bpp




Re: OpenBSD 3.8 X.org on Sun Blade 100

2005-11-16 Thread Brian A. Seklecki
Wait...1280x1024 or 1600x1200 w/ 8MB of RAM?  Is that right? Onboard
video only occupies 8MB?

(II) ATI(0): Using Block 1 MMIO aperture at 0x00426000.
(II) ATI(0): MMIO write caching enabled.
(--) ATI(0): 8192 kB of SDRAM (1:1) detected (using 8191 kB).
(WW) ATI(0): Cannot shadow an accelerated frame buffer.
(II) ATI(0): Engine XCLK 115.000 MHz;  Refresh rate code 10.
(--) ATI(0): Internal programmable clock generator detected.
(--) ATI(0): Reference clock 29.500 MHz.

Try adding DefaultDepth 24 to your Screen section?

It doesn't seem to automatically be picking a modeline.

Xorg/XFree don't shine.

~BAS

On Wed, 2005-11-16 at 18:35, Simon Morgan wrote:
 Hi,
 
 I have a Sun Blade 100 and have just installed OpenBSD 3.8 on it and so far 
 I'm
 very impressed. NetBSD, the supposed king of multi-platform, doesn't
 even support the keyboard! This is 5 year old hardware!
 
 Anyway, the problem I'm having is with X.org. Whenever I try and run it my
 monitor spits out an out of sync error and the only way (AFAIK to regain a
 usable console is to shutdown the machine and boot it up again. Depending
 on the settings I use I'll either get a sub-error bitching about the 
 frequencies
 or about the resolution (it complains that it's > 1280x1024, which it 
 isn't).
 
 I've trawled the mailing list archives and tried all the suggestions (mainly
 setting reference_clock) to no avail and was hoping that somebody here who
 knows more about X and/or Sun hardware could offer some insight.
 
 I've uploaded my xorg.conf and Xorg.0.log to
 http://16hz.net/~simon/SunBlade100/ in the hope that it will be of some use.
 If I've neglected to mention any pertinent information then please do say
 and I'll be happy to give it.
 
 Many thanks.
 
 Simon



Re: Tyan Thunder LE SMP issues

2005-11-16 Thread Brian A. Seklecki
Why were they given to you? Something wrong with them perhaps.  Try
booting Memtest86+ ISO and let it ride for a while?

Try another kernel from another OS?  Try a non MP kernel?

~BAS

On Wed, 2005-11-16 at 22:01, Lokkju wrote:
 Hey all, hoping someone might be able to point me in some sort of direction...
 
 I recently was given two BOXX brand 1u servers, both of which are the
 exact same - Tyan Thunder LE 2510 dual proc motherboards, with two
 867Mhz chips per board, and 4 256MB ram sticks per board.  The rest
 you can get from the dmesg.
 
 Anyway, I have been trying to get OpenBSD to run on them, and I
 continuously have problems on processor 1 - and no, it does not matter
 WHICH processor is in slot 1.  I usually get an apm error, but
 sometimes I get tcp related, or copyout related, or other errors - all
 ending up with me dumped into ddb.  These are usually stopped
 errors, not panics.  In this case, the error is a apm_cpu_idle stopped
 error.
 
 So, here it goes - the dmesg, the trace on each processor, and the ps
 - as a side note, I can almost always instigate this crash by trying
 to untar something big - especially if I use verbose mode.
 
 PANIC
 
 # Stopped at  apm_cpu_idle+0x4a:  leal0xfff4(%ebp),%esp
 ddb{0} show panic
 the kernel did not panic
 
 DMESG
 *
 OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel Pentium III (GenuineIntel 686-class) 864 MHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,S
 ER,MMX,FXSR,SSE
 real mem  = 1073324032 (1048168K)
 avail mem = 972730368 (949932K)
 using 4278 buffers containing 53768192 bytes (52508K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(00) BIOS, date 10/31/00, BIOS32 rev. 0 @ 0xfdba0
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown, estimated 0:00 hours
 apm0: APM get event: interface not connected (3)
 apm0: APM get event: interface not connected (3)
 apm0: disconnected
 apm0: flags 30102 dobusy 0 doidle 0
 pcibios0 at bios0: rev 2.1 @ 0xf/0x1
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5200/192 (10 entries)
 pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks ROSB4 SouthBridge 
 rev
  0x00)
 pcibios0: PCI bus #0 is the last bus
 bios0: ROM list: 0xc/0x8000 0xc8000/0x1000
 ainbus0: Intel MP Specification (Version 1.4) (AMI  CNB30LE )
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 132 MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel Pentium III (GenuineIntel 686-class) 864 MHz
 cpu1: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,S
 ER,MMX,FXSR,SSE
 mainbus0: bus 0 is type PCI
 mainbus0: bus 1 is type PCI
 mainbus0: bus 2 is type ISA
 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 16 pins
 ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 11, 16 pins
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 ServerWorks CNB20LE Host rev 0x06
 pchb1 at pci0 dev 0 function 1 ServerWorks CNB20LE Host rev 0x06
 pci1 at pchb1 bus 1
 vga1 at pci0 dev 1 function 0 ATI Rage XL rev 0x27
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 fxp0 at pci0 dev 4 function 0 Intel 82557 rev 0x08, i82559: apic 5 int 4 
 (irq
   11), address 00:e0:81:01:cb:ca
 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
 pcib0 at pci0 dev 15 function 0 ServerWorks ROSB4 SouthBridge rev 0x50
 pciide0 at pci0 dev 15 function 1 ServerWorks OSB4 IDE rev 0x00: DMA
 wd0 at pciide0 channel 0 drive 0: Maxtor 6Y060L0
 wd0: 16-sector PIO, LBA, 58644MB, 120103200 sectors
 wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
 ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x04: apic 4 
 in
 t 10 (irq 10), version 1.0, legacy support
 usb0 at ohci0: USB revision 1.0
 uhub0 at usb0
 uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 4 ports with 4 removable, self powered
 isa0 at pcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pmsi0 at pckbc0 (aux slot)
 pckbc0: using irq 12 for aux slot
 wsmouse0 at pmsi0 mux 0
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 spkr0 at pcppi0
 sysbeep0 at pcppi0
 npx0 at isa0 port 0xf0/16: using exception 16
 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
 pccom0: console
 pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
 biomask 0 netmask 0 ttymask 0
 pctr: 686-class user-level performance counters enabled
 mtrr: Pentium Pro MTRR support
 dkcsum: wd0 matches BIOS drive 0x80
 root on wd0a
 rootdev=0x0 rrootdev=0x300 rawdev=0x302
 WARNING: / was not properly unmounted
 Stopped at  

Re: RAIDFrame, failed component

2005-11-16 Thread Brian A. Seklecki
 I'm not sure what to make of 'component1'.  It's not an explicit

For some reason, RAIDFrame refers to a missing drive component1
whenever the RAID device is initialized and the drive is absent. 

~BAS

 device, did you use that string your raid0.conf?  The first slot in
 these commands should refer to an explicit device.



Re: Problem with ISAKMPD

2005-11-16 Thread Brian A. Seklecki
Are you expiring lifetime on bandwidth or time?  Probably the defaults
of whatever transforms suite you're using.

Try manually defining it?  If you expire on time, say...10 minutes, you
can tcpdump for udp 500 on either side at the expected time and watch
the renegotiation.

Maybe UDP packets are getting lost at renegotiation time.  I had that
 problem once with pf where i was exhausting the max default states at
10,000 and new states were being refused with ICMP.

~BAS

On Sun, 2005-11-13 at 20:45, James Mackinnon wrote:
 Hey everyone
 
 I am hoping I am posting this to the correct list
 
 I am running an AMD 2200+ w/ 512mb of ram and all intel pro cards in my main
 location.
 
 I have 14 other locations connecting back to this 1 location and each location
 creates 3 tunnels to this system as I have
 3 internal network segments I want available via VPN
 
 Platforms are:
 
 Main system: OpenBSD 3.7 Stable
 Remote locations: OpenBSD 3.5 and some OpenBSD 3.7
 
 at first, all locations come up fine, but then in approx 1 hour, 3 units stop
 communicating to the main firewall.
 
 They all have the same config (minor changes based on location and assigned
 ips of course).
 
 I was planning to finally get rid of my main checkpoint box and complete my
 migration to BSD but I had to revert back due to lack of time i had left to go
 back in case of an issue.
 
 
 My Main location is on Fiber
 All branches on DSL (pretty much same provider)
 
 My main location has approx 50VPN Connection entries in it.
 My Branches connect to 3 VPN's.
 
 Example branch isakmpd.conf file
 
 [Phase 1]
 12.12.12.12= peer-loc1
 13.13.13.13= peer-loc2
 14.14.14.14= peer-loc3
 
 
 [Phase 2]
 Connections=LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1
 
 [peer-loc1]
 Phase=  1
 Transport=  udp
 Address=12.12.12.12
 Configuration=  Default-main-mode
 Authentication= MYSUPERPASS
 
 [peer-loc2]
 Phase=  1
 Transport=  udp
 Address=13.13.13.13
 Configuration=  Default-main-mode
 Authentication= MYSUPERPASS
 
 [peer-loc3]
 Phase=  1
 Transport=  udp
 Address=14.14.14.14
 Configuration=  Default-main-mode
 Authentication= MYSUPERPASS
 
 [LOC1-SEG1]
 Phase=  2
 ISAKMP-peer=peer-loc1
 Configuration=  Default-quick-mode
 Local-ID=   Loc-Network
 Remote-ID=  loc1-seg1-Network
 
 [LOC1-SEG2]
 Phase=  2
 ISAKMP-peer=peer-loc1
 Configuration=  Default-quick-mode
 Local-ID=   Loc-Network
 Remote-ID=  loc1-seg2-Network
 
 [LOC1-SEG3]
 Phase=  2
 ISAKMP-peer=peer-loc1
 Configuration=  Default-quick-mode
 Local-ID=   Loc-Network
 Remote-ID=  loc1-seg3-Network
 
 [LOC2-SEG1]
 Phase=  2
 ISAKMP-peer=peer-loc2
 Configuration=  Default-quick-mode
 Local-ID=   Loc-Network
 Remote-ID=  loc2-seg1-Network
 
 [LOC3-SEG1]
 Phase=  2
 ISAKMP-peer=peer-loc3
 configuration=  Default-quick-mode
 Local-ID=   Loc-Network
 Remote-ID=  loc3-seg1-Network
 
 [loc1-seg1-Network]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.20.22.0
 Netmask=255.255.255.0
 
 [loc1-seg2-Network]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.20.23.0
 Netmask=255.255.255.0
 
 [loc1-seg3-Network]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.20.24.0
 Netmask=255.255.255.0
 
 [loc2-seg1-Network]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.20.21.0
 Netmask=255.255.255.0
 
 [loc3-seg1-Network]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.20.20.0
 Netmask=255.255.255.0
 
 
 [Loc-Network]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.20.25.0
 Netmask=255.255.255.0
 
 [Default-main-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  ID_PROT
 Transforms= 3DES-SHA
 
 [Default-quick-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  QUICK_MODE
 Suites= QM-ESP-3DES-SHA-SUITE
 
 
 My isakmpd.policy file
 
 Keynote-version: 2
 Authorizer: "POLICY"
 Conditions: app_domain == "IPsec policy" &&
 esp_present == "yes" &&
 esp_enc_alg != "null" -> "true";
 
 
 
 
 I have run isakmpd -L , which I am still reviewing but most errors are below
 
 Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on
 message 0x3c066800, exchange fw01
 Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this
 message did not reach the other peer
 Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the
 responsemessage did not reach us back
 
 Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to
 notification type PAYLOAD_MALFORMED
 Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field
 non-zero: ca
 Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to
 notification type PAYLOAD_MALFORMED
 Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s)
 8710be0bf45687ff 482bbdaf5287d3db
 Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to
 notification type INVALID_COOKIE
 Nov 13 21:11:41 fw2 
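Brian's reply above suggests watching the renegotiation and looking for lost UDP 500 packets. A first step is to make the isakmpd log quoted in the post countable per peer. The following is an added example, mine and not part of this thread or of isakmpd: a Python triage script that summarises the quoted log lines (re-joined onto single lines, since the mailer wrapped them) by peer, counting exchanges abandoned after retransmissions, messages dropped with a notification type, daemon restarts (a change of pid) and peer ports other than 500/4500. The message formats it matches are only those visible in the post; anything else is counted as ignored rather than guessed at.

```python
"""Summarise isakmpd(8) syslog lines by peer: retransmission give-ups, messages
dropped with a notification type, daemon restarts (pid changes) and traffic
from a peer port other than 500/4500.

Added example; it is not part of the original thread or of isakmpd. It assumes
the message formats visible in the quoted log. SAMPLE_LOG is constructed from
those quoted lines with the mailer's line wrapping undone.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the responsemessage did not reach us back
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+isakmpd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
GIVEUP_RE = re.compile(r"giving up on message \S+, exchange (?P<peer>\S+)")
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) due to notification type (?P<type>\S+)")
IKE_PORTS = {500, 4500}  # IKE and NAT-T; anything else is worth a look


def parse_line(line):
    """Split one syslog line into its fields, or return None for foreign lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate the events a responder would want to alert on."""
    report = {"giveups": Counter(), "drops": Counter(),
              "restarts": [], "odd_ports": [], "ignored": 0}
    last_pid = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["ignored"] += 1
            continue
        if last_pid is not None and rec["pid"] != last_pid:
            report["restarts"].append((last_pid, rec["pid"]))  # new pid: daemon restarted
        last_pid = rec["pid"]
        m = GIVEUP_RE.search(rec["msg"])
        if m:
            report["giveups"][m["peer"]] += 1
            continue
        m = DROP_RE.search(rec["msg"])
        if m:
            report["drops"][(m["peer"], m["type"])] += 1
            if int(m["port"]) not in IKE_PORTS:
                report["odd_ports"].append((m["peer"], int(m["port"])))
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG.splitlines())
    for peer, n in r["giveups"].items():
        print(f"{peer}: {n} exchange(s) abandoned after retransmissions")
    for (peer, ntype), n in r["drops"].items():
        print(f"{peer}: {n} message(s) dropped as {ntype}")
    for old, new in r["restarts"]:
        print(f"isakmpd restarted: pid {old} -> {new}")
    for peer, port in r["odd_ports"]:
        print(f"{peer}: message arrived from port {port}, not 500/4500")
```

Give-ups clustered at the same offset after each tunnel comes up point at the lifetime expiry Brian describes; a burst of drops around a pid change points at the restart itself, and a peer port outside 500/4500 is something to correlate with NAT or pf state on the path.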

Re: isakmpd - Single Phase 1 - Multiple Phase 2 Address

2005-10-27 Thread Brian A. Seklecki
This is confirmed to work?  I suppose that would resolve part of my
problem with 4314/system 

~BAS

On Thu, 2005-10-27 at 05:02, Runo Forrisdahl wrote:
 On Wed, Oct 26, 2005 at 02:40:52PM -0400, Roy Morris wrote:
 | I have been reading through the archives but have not found a reliable 
 answer
 | yet. I have recently been converting vpns from manual to isakmpd, with one
 | of the other endpoints being a Cisco box. I can bring up a single subnet/IP 
 | no problem but if I try to add another phase2 connection it fails. 
 | 
 | Does anyone have a config showing this setup? 
 
 This config works for me after posting a similar question just a few days ago.
 
 [Phase 1]
 192.168.15.1= cisco
 
 [Phase 2]
 Connections=tunnel-opengw-cisco,tunnel-opengw-cisco2
 
 [peer-opengw]
 ID-type=IPV4_ADDR
 Address=192.168.20.13
 
 [peer-cisco]
 ID-type=IPV4_ADDR
 Address=192.168.15.1
 
 [net-opengw]
 ID-type=IPV4_ADDR_SUBNET
 Network=172.16.15.0
 Netmask=255.255.255.0
 
 [net-cisco]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.0.0.0
 Netmask=255.255.254.0
 
 [net-cisco2]
 ID-type=IPV4_ADDR_SUBNET
 Network=10.0.2.0
 Netmask=255.255.254.0
 
 [cisco]
 Phase=  1
 Transport=  udp
 Local-address=  192.168.20.13
 Address=192.168.15.1
 Configuration=  main-mode
 Authentication= Hemmelig
 
 [opengw-net]
 Phase=  1
 Network=172.16.15.0
 Netmask=255.255.255.0
 Configuration=  main-mode
 
 [cisco-net]
 Phase=  1
 Network=10.0.0.0
 Netmask=255.255.254.0
 Configuration=  main-mode
 
 [cisco2-net]
 Phase=  1
 Network=10.0.2.0
 Netmask=255.255.254.0
 Configuration=  main-mode
 
 [tunnel-opengw-cisco]
 Phase=  2
 ISAKMP-peer=cisco
 Configuration=  quick-mode
 Local-ID=   net-opengw
 Remote-ID=  net-cisco
 
 [tunnel-opengw-cisco2]
 Phase=  2
 ISAKMP-peer=cisco
 Configuration=  quick-mode
 Local-ID=   net-opengw
 Remote-ID=  net-cisco2
 
 [rsa-main-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  ID_PROT
 Transforms= 3DES-SHA-RSA_SIG
 
 [main-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  ID_PROT
 Transforms= 3DES-SHA
 
 [quick-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  QUICK_MODE
 Suites= QM-ESP-3DES-SHA-SUITE
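As an added example (mine, not from Runo's post and not part of isakmpd), the Python below lints the single-Phase-1/multiple-Phase-2 wiring of a configuration like the one above. It checks that every connection named in [Phase 2] Connections= has a section, that each one points at a defined Phase 1 peer section whose Address is registered under [Phase 1], that its Local-ID, Remote-ID and Configuration sections exist, and it lists sections nothing references, which is where a misspelt or stale section name usually hides when a second Phase 2 connection refuses to come up. The sample is the posted configuration trimmed for length (the three Phase=1 *-net sections, peer-opengw and rsa-main-mode are left out; peer-cisco is kept as an example of an unreferenced section). The linter knows nothing about isakmpd's built-in transform and suite names, so values such as 3DES-SHA that do not name a section are treated as opaque.

```python
# Sample input: the posted isakmpd.conf, trimmed (see lead-in), values re-aligned.
SAMPLE_CONF = """\
[Phase 1]
192.168.15.1=   cisco
[Phase 2]
Connections=    tunnel-opengw-cisco,tunnel-opengw-cisco2
[peer-cisco]
ID-type=        IPV4_ADDR
Address=        192.168.15.1
[net-opengw]
Network=        172.16.15.0
Netmask=        255.255.255.0
[net-cisco]
Network=        10.0.0.0
Netmask=        255.255.254.0
[net-cisco2]
Network=        10.0.2.0
Netmask=        255.255.254.0
[cisco]
Phase=          1
Local-address=  192.168.20.13
Address=        192.168.15.1
Configuration=  main-mode
Authentication= Hemmelig
[tunnel-opengw-cisco]
Phase=          2
ISAKMP-peer=    cisco
Configuration=  quick-mode
Local-ID=       net-opengw
Remote-ID=      net-cisco
[tunnel-opengw-cisco2]
Phase=          2
ISAKMP-peer=    cisco
Configuration=  quick-mode
Local-ID=       net-opengw
Remote-ID=      net-cisco2
[main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA
[quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-SUITE
"""


def parse_conf(text):
    """Minimal isakmpd.conf(5) reader: {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def lint(sections):
    """Check the [Phase 2] connections; return (problems, phase1_peers, unreferenced)."""
    problems, peers = [], set()
    phase1 = sections.get("Phase 1", {})
    conns = [c.strip() for c in sections.get("Phase 2", {}).get("Connections", "").split(",") if c.strip()]
    if not conns:
        problems.append("[Phase 2] lists no Connections")
    for conn in conns:
        sec = sections.get(conn)
        if sec is None:
            problems.append(f"{conn}: no such section")
            continue
        if sec.get("Phase") != "2":
            problems.append(f"{conn}: Phase must be 2")
        peer = sec.get("ISAKMP-peer", "")
        peer_sec = sections.get(peer)
        if peer_sec is None:
            problems.append(f"{conn}: ISAKMP-peer {peer!r} undefined")
        else:
            peers.add(peer)
            if peer_sec.get("Phase") != "1":
                problems.append(f"{peer}: Phase must be 1")
            # [Phase 1] maps each remote address to the name of its peer section
            if phase1.get(peer_sec.get("Address", "")) != peer:
                problems.append(f"{peer}: Address not registered under [Phase 1]")
        for key in ("Local-ID", "Remote-ID", "Configuration"):
            if sec.get(key) not in sections:
                problems.append(f"{conn}: {key} {sec.get(key)!r} undefined")
    return problems, peers, unreferenced(sections)


def unreferenced(sections):
    """Sections not reachable from [Phase 1]/[Phase 2] by following values that name a section."""
    seen, todo = set(), ["Phase 1", "Phase 2"]
    while todo:
        name = todo.pop()
        if name in seen or name not in sections:
            continue
        seen.add(name)
        for value in sections[name].values():
            todo.extend(v.strip() for v in value.split(",") if v.strip() in sections)
    return sorted(set(sections) - seen)
```

With the posted wiring both tunnels resolve to the one Phase 1 peer section, so `lint()` returns no problems and a single peer; renaming one of the net-* sections reproduces the "second connection fails" symptom as a reported undefined Remote-ID.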



Notes on RAID1 Root Tutorial Adaption

2005-10-26 Thread Brian A. Seklecki
...a while back, i wrote a tutorial for RAIDFrame RAID1 as a root FS on 
NetBSD.  I used the bootstrap method.  Sometime not soon after, NetBSD 
added RAIDFrame to the INSTALL* kernels and presumably menus to sysinst, 
mitigating the need for this approach.


the bootstrap process is:

*) do a basic install on component0
*) use the base install to create a RAID set composed of a single member:
   component1
*) copy the system over
*) boot component1 in degraded mode
*) destroy the original install on component0 and import it into RAID
*) sync component1 back to component0

...however, this is still the applicable process for OpenBSD, as OpenBSD 
INSTALL and GENERIC kernels lack RAIDFrame.   moreover, the boot blocks 
lack support for booting RAID volumes, so there are some caveats


here are some notes for adapting the process:


Firstly, per:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4567

  pseudo-device   raid4   # RAIDframe disk driver
  option RAID_AUTOCONFIG

...must be added to GENERIC.  They are not present.  Update your src and 
re-roll your kernel.



16.3.3. Initial Install on Disk0/wd0

  for simplicity in the original tutorial, i recommend one big slash
  plus swap

  its important to note that although only a basic system is required on
  wd0/component0, you simplify the system bootstrap process by laying out
  the file system slices/mountpoints the way you plan on the eventual RAID
  volume (*even though* the sizes of slices will be different.)  see below


16.3.3. Initial Install on Disk0/wd0

  apparently /dev/{r,}wd[0-9] behave differently in obsd.  instead of:

# dd if=/dev/zero of=/dev/rwd1d bs=8k count=1

   one would use

# dd if=/dev/zero of=/dev/wd1c bs=8k count=1

   note: use the character device instead of the raw device

   ...or disklabel -E wd1 and then D + w, but this method won't blow
   away the MBR label.


Next, instead of:

# fdisk -0ua /dev/rwd1d

do:

# fdisk -i wd1

   and y at the prompt.

   next  instead of:

# disklabel -r -e -I wd1

do:

# disklabel -E wd1

   or -e if you prefer $EDITOR style.  create your file systems as
   as you prefer.

   this is where the process differs greatly.  in the netbsd tutorial,
   i suggest disklabel'ing each RAID1 component member disk entirely as
   a RAID slice.

   for a number of reasons, this must differ on openbsd.  i recommend that
   each member's a: slice be a 128mb 4.2BSD FFS slice.  i recommend b:
   be a RAID type slice the size of which the SWAP partition will be.  i
   recommend that d: be the remainder of the disk, type RAID

   this will be explained later



a d

offset: [1310400]
size: [25389630]
FS type: [4.2BSD] RAID

w
p m

device: /dev/rwd1c
type: ESDI
disk: ESDI/IDE disk
label: IBM-DPTA-371360
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total bytes: 13043.0M
free bytes: 0.0M
rpm: 3600

16 partitions:
#          size    offset  fstype  [fsize bsize  cpg]
  a:     127.9M      0.0M  4.2BSD    2048 16384   16 # Cyl     0*-   259
  b:     511.9M    128.0M    RAID                    # Cyl   260 -  1299
  c:   13043.0M      0.0M  unused       0     0      # Cyl     0 - 26499
  d:   12397.3M    639.8M    RAID                    # Cyl  1300 - 26488*


16.3.5. Initializing the RAID Device

this step unchanged, except the magic absent keyword trick does not
exist in raid.conf

of course, raidctl -C [.conf] and raidctl -I will need to be run for
raid0 and raid1.  -I should have different serials for each, so
2005101801 for raid0 and 2005101801 for raid1.


16.3.6. Setting up Filesystems

   unchanged.  when disklabel(8)'ing raid0, a: can be offset 0, size of
   the entire meta-disk, type swap

   when disklabel(8)'ing raid1, a:, b:, d: - m: can be your
   optimal slice configuration.  use the disklabel on wd0 as your
   reference.  however there's an offset because b: on wd0 was your
   original swap partition on your initial system, therefore map as so:

   wd0:  raid1:
   a:a:
   d:b:
   e:d:
   f:e:
   ...


   When newfs(8)'ing, raw devices must be used.  the following would need
   to be newfs(8)'d,  -0 flag does not apply.

   /dev/rwd1a
   /dev/rraid1a
   /dev/rraid1b
   /dev/rraid1d
   /dev/rraid1e
   

   /dev/rraid0a will be swap and does not need to be newfs(8)'d


16.3.8. Migrating System to RAID

   two changes:

   instead of using pax(1) to recursively copy / from the wd0 base
   install to the FFS/UFS/4.2BSD slices on /dev/raid1, i recommend using
   dump(1)/restore(8) instead (because they work at the file system level)


if the base install looked something like:

# df
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a     1035440    38460   945208     4%    /
/dev/wd0g     2812608       12  2671966     0%    /home
/dev/wd0d     4125138  1285796  2633086    33%    /usr
/dev/wd0e     2062928     8086  1951696     0%    /var
/dev/wd0f     2062928       88  1959694     0%    /var/log

then the steps would be:

# mkdir 
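The post breaks off at the mkdir step. As an added example (mine, not the author's and not OpenBSD tooling), the Python below encodes the two pieces of bookkeeping the notes describe: the wd0 to raid1 slice mapping (wd0's b: was swap and moves to raid0, so raid1's letters close up in order; c: is the whole disk on both and is never touched) and the list of raw devices to newfs(8). From the df output above, embedded as the sample input, it emits a dry-run migration plan ordered by mount point so parent directories exist before their children are restored. The dump(8)/restore(8) pipeline form is my assumption of standard usage in place of the author's pax(1) step, and /mnt is a placeholder mount point; the plan is a list of strings and nothing is executed.

```python
import string

LETTERS = string.ascii_lowercase[:16]                      # a..p: 16 partitions per disklabel
WD0_ORDER = [l for l in LETTERS if l not in ("b", "c")]    # wd0 b: is swap, c: the whole disk
RAID1_ORDER = [l for l in LETTERS if l != "c"]             # raid1 carries no swap, so b: is usable

# Constructed sample: the df(1) output from the post, columns re-aligned.
SAMPLE_DF = """\
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a     1035440    38460   945208     4%    /
/dev/wd0g     2812608       12  2671966     0%    /home
/dev/wd0d     4125138  1285796  2633086    33%    /usr
/dev/wd0e     2062928     8086  1951696     0%    /var
/dev/wd0f     2062928       88  1959694     0%    /var/log
"""


def parse_df(text):
    """Return [(device, mountpoint)] for the /dev/ lines of df output."""
    out = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("/dev/"):
            out.append((fields[0], fields[5]))
    return out


def slice_map(wd0_letters):
    """Map wd0 partition letters to raid1 letters: both sides in letter order,
    wd0 skipping b:/c: and raid1 skipping c:, as the notes' a:a d:b e:d f:e table."""
    letters = sorted(wd0_letters)
    bad = [l for l in letters if l not in WD0_ORDER]
    if bad:
        raise ValueError(f"wd0{bad[0]} is swap or the whole disk, not a file system")
    return dict(zip(letters, RAID1_ORDER))


def mount_depth(mount):
    """0 for /, 1 for /var, 2 for /var/log: parents must be restored first."""
    return 0 if mount == "/" else len(mount.strip("/").split("/"))


def migration_plan(df_text, mnt="/mnt"):
    """Dry-run command list: newfs every raid1 slice, then dump|restore each file system."""
    fs = parse_df(df_text)
    mapping = slice_map([dev[-1] for dev, _ in fs])
    # raw (r-prefixed) device nodes for newfs(8), as the notes say
    plan = [f"newfs /dev/rraid1{mapping[dev[-1]]}" for dev, _ in sorted(fs)]
    for dev, mount in sorted(fs, key=lambda x: (mount_depth(x[1]), x[1])):
        target = mnt if mount == "/" else mnt + mount
        raw_src = dev.replace("/dev/", "/dev/r")
        if mount != "/":
            plan.append(f"mkdir -p {target}")
        plan.append(f"mount /dev/raid1{mapping[dev[-1]]} {target}")
        # assumption: level-0 dump to stdout, full restore from stdin (standard usage)
        plan.append(f"dump -0af - {raw_src} | (cd {target} && restore -rf -)")
    return plan


if __name__ == "__main__":
    print("\n".join(migration_plan(SAMPLE_DF)))
```

Review the printed plan against your own disklabel before typing any of it; in particular the mapping puts /usr on raid1b, which is exactly the offset the notes warn about.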

Re: keep state and PF Queues

2005-10-21 Thread Brian A. Seklecki
I was just curious if any of the developers (or experts) would care to 
articulate officially :}

~BAS


On Wed, 19 Oct 2005, William Bloom wrote:

 The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that
 seems to nicely clarify the pf.conf man page.  I recall that the FAQ contains an
 example much as you describe (as I recall, specifying a queue for -incoming-
 traffic will indeed cause that traffic to be processed through the named queue
 as it is -outgoing-).


 Bill

 Brian A. Seklecki wrote:
 Would anyone like to elaborate on the impacts of using keep state on
 conjunction with pass rules that assign traffic to queues?

 One might assume that inverted traffic flows would also be queued,
 however that would break the traffic can only be queued egress an
 interface rule...

 There should be some remarks on this in pf.conf(5)

 TIA,

 ~BAS


 -- 
 William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | 
 Eldorado
 Computing
 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: 
 +11-602-604-3100 |
 Fax: +11-602-604-3115| http://www.eldocomp.com

 -- CONFIDENTIALITY NOTICE --

 Information transmitted by this e-mail is proprietary to MphasiS and/or its 
 Customers and is intended for use only by the individual or entity to which 
 it is addressed, and may contain information that is privileged, confidential 
 or exempt from disclosure under applicable law. If you are not the intended 
 recipient or it appears that this mail has been forwarded to you without 
 proper authority, you are notified that any use or dissemination of this 
 information in any manner is strictly prohibited. In such cases, please 
 notify us immediately at [EMAIL PROTECTED] and delete this mail from your 
 records.


l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: Carp / VLAN and net.inet.carp.preempt=1

2005-10-21 Thread Brian A. Seklecki

On Fri, 21 Oct 2005, Xavier Beaudouin wrote:


Hello there,

I have 2 openbsd box (that does as well openbgpd but this is not the aim
of this mail).

Question is that any problems to do

sysctl net.inet.carp.preempt=1

and

ifconfig em0 up
ifconfig vlan0 vlan 11 vlandev em0


Each machine must have a trunk link from the single switch (or if you 
have redundant switch fabric, two switches that are themselves trunked). 
Effectively in the same ethernet segment.


Each OpenBSD machine will have a Vlan11 interface presented to it.  Each 
must have an IP with in the subnet.  Then, the CARP interface will share 
an other (3rd) IP in the same subnet.


So if you've got a /24, the CARP VIP could be .1 and each Box's vlan11 
could be .2 and .3.


~BAS

I don't know how you plan to sync the BGP table between the two.   I know 
PF tables and ISAKMPd states are syncable.


Peace,
~BAS


ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0

In each routers / carp border machines to have full redundancy ?

Thanks :)
/Xavier


--
If you keep on trying, you get there in the end. So the more it
fails, the better the chance that it works...
(Shadok proverb)




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: passwd: /sbin/nologin --- not working for me

2005-10-21 Thread Brian A. Seklecki
You said you entered into those files.  Did you vi(1) them manually? 
Did you rebuild the database afterward?  When you finger the user, what 
does the shell show up as?  Use either vipw(8) as root, to do this, or 
use chfn(1) as the user.


~BAS

On Fri, 21 Oct 2005, morla wrote:


hello all,

i just made up a second account on my box and wanted to prevent the old one 
from logging into it, due i want to keep it for email retrieval.


when i enter something like

morla:*:1000:1000:morla:/home/morla:/sbin/nologin

into /etc/passwd and a similar entry into /etc/master.passwd shouldn't this 
keep me out???


please be careful with me, i am really new to bsd...


thanks all morla




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: Statefull VPN failover a fork from Re: iptables vs pf

2005-10-21 Thread Brian A. Seklecki

More to the point, how to find this info.

1: Go to http://www.openbsd.org/cgi-bin/man.cgi
2: click apropos
3: make sure current is selected
4: query sync
5: click on sasyncd(8) and sasyncd.conf(5)

http://www.openbsd.org/cgi-bin/man.cgi?query=sasyncd&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386

6: Once intimately familiar with the process, write some Docs and submit 
them for translation.


Also, someone at NYC BSDcon 05 gave a presentation and had slides.  Try to 
find those too.


Best of luck.

~BAS

On Thu, 20 Oct 2005, [EMAIL PROTECTED] wrote:


I have been moving a single Linux FW to a pair of OBSD machines, lured by carp 
and pfsync. This has been working well in my test environment.  This also lead 
me to vpns running with ISAKMPD, replacing a Freeswan box, and forestalling 
purchasing proprietary products for site to site partner vpns.





THE POINT: Where will I find docs that explains how this is done Oh, and when your 
3.8 VPNs failover   statefully, too.  :) ?





-Original Message-
From: Jason Dixon [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 20, 2005 02:07 AM
To: 'Edy Purnomo'
Cc: misc@openbsd.org
Subject: Re: iptables vs pf

On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote:


i suggested to my friend to replace his linux box to openbsd.
he uses mainly for internet gateway : pf + squid proxy
after 2 weeks later he switched it back linux and said : linux much
faster to respond the http requests (he had a same configuration on
openbsd, pf + squid proxy).

is there any program that can proof what he says ?
thanks.


Three points:

1) No way in hell is iptables faster than PF.

2) His box _may_ pass traffic faster, but this is almost certainly
due to the support level of the hardware.  Without real information,
it's hard to qualify this.

3) Who cares?  Why are you worried about what your friend uses?  If
it works for him, so be it.  Rather than trying to bring him over
cuz PF is l33t, just make sure you mention how cool it is when your
stateful firewalls run 24x7.  Oh, and when your 3.8 VPNs failover
statefully, too.  :)

http://www.openbsd.org/goals.html


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net





l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: keep state and PF Queues

2005-10-21 Thread Brian A. Seklecki
If a TCP flow is egressing an interface at 2000k/s (17-18mbps), it might 
be causing as much as 300kbps of ACK traffic.  That traffic really 
doesn't get queued on return at the same interface it's egressing.


However, I have noticed that, if a traffic flow is passing through a 
router (say, the same flow as before, egressing an upstream interface at 
2000k/s) and a rule set exists on the interface the flow is ingressing from 
(on its way through to the previously mentioned egress interface), the 
ACK traffic will get queued leaving that sender facing interface, on its 
way back to the sender.


So really, keep state has no impact?

~BAS

On Fri, 21 Oct 2005, Henning Brauer wrote:


well, I did numerous times in the past.

the misunderstanding most of you have is that queue assignment and the
actual queueing are separate things.
you assign a queue with the name X somewhere, be it by a rule in the
inbound path or the outbound, or a state in either direction, and when
we hit the enqueuing on the outbound interface we check whether the
packet in question is tagged to be put in a specific queue. if so, and
a queue by the desired name exists on the given interface, we do so,
otherwise it goes to the default queue.

* Brian A. Seklecki [EMAIL PROTECTED] [2005-10-21 17:59]:

I was just curious if any of the developers (or experts) would care to
articulate officially :}

~BAS


On Wed, 19 Oct 2005, William Bloom wrote:


The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that
seems to nicely clarify the pf.conf man page.  I recall that the FAQ contains an
example much as you describe (as I recall, specifying a queue for -incoming-
traffic will indeed cause that traffic to be processed through the named queue
as it is -outgoing-).


Bill

Brian A. Seklecki wrote:

Would anyone like to elaborate on the impacts of using keep state on
conjunction with pass rules that assign traffic to queues?

One might assume that inverted traffic flows would also be queued,
however that would break the traffic can only be queued egress an
interface rule...

There should be some remarks on this in pf.conf(5)

TIA,

~BAS



--
William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado
Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 |
Fax: +11-602-604-3115| http://www.eldocomp.com

-- CONFIDENTIALITY NOTICE --

Information transmitted by this e-mail is proprietary to MphasiS and/or its 
Customers and is intended for use only by the individual or entity to which it 
is addressed, and may contain information that is privileged, confidential or 
exempt from disclosure under applicable law. If you are not the intended 
recipient or it appears that this mail has been forwarded to you without proper 
authority, you are notified that any use or dissemination of this information 
in any manner is strictly prohibited. In such cases, please notify us 
immediately at [EMAIL PROTECTED] and delete this mail from your records.



l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Dell PowerEdge SC1420 w/ CERC SATA 2S RAID

2005-10-20 Thread Brian A. Seklecki
For the record, these systems run 3.7/i386 rock solid.  Just forget 
entirely about using the Software Assist RAID support on the motherboard 
and use RAIDFrame instead.

In the BIOS, you can toggle it between RAID and NON-RAID mode, but it 
makes no difference.  The kernel probes it just the same.  Even if you go 
into the CERC SATA 2S RAID BIOS v2.1, which is actually an Adaptec menu.

It actually probes as Intel 82801ER SATA on all the BSDs.

It should be noted that the RAID Mode does indeed only show one 
low-level DOS disk signature at 0x80 if you go into the menu and build an 
array.  However, the kernel doesn't probe a meta-disk in either mode.  Just 
the individual components on each SATA channel

l8r,
~lava


Below as follows:

- Entire OpenBSD dmesg(8), NetBSD-current relevant info on the controller, 
then FreeBSD.

>> OpenBSD/i386 BOOT 2.06
boot>
booting fd0a:/bsd: 4302596+825452=0x4e40b8
entry point at 0x100120*
Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved. 
http://www.OpenBSD.org

OpenBSD 3.7 (RAMDISK_CD) #573: Sun Mar 20 00:27:05 MST 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,PNI,MWAIT,CNXT-ID
real mem  = 534933504 (522396K)
avail mem = 482287616 (470984K)
using 4278 buffers containing 26849280 bytes (26220K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/18/05, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfeb00/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #6 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800! 0xc9800/0x4800 0xce000/0x2000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7710 SMCH rev 0x09
Intel E7710 MCH ERR rev 0x09 at pci0 dev 0 function 1 not configured
ppb0 at pci0 dev 2 function 0 Intel E7710 MCH PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x00
pci2 at ppb1 bus 2
vga1 at pci2 dev 12 function 0 ATI Mach64 GO rev 0x27
wsdisplay0 at vga1: console (80x25, vt100 emulation)
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x00
pci3 at ppb2 bus 3
em0 at pci3 dev 14 function 0 Intel PRO/1000MT (82545GM) rev 0x04: irq 11, address: 00:12:3f:61:7a:75
ppb3 at pci0 dev 3 function 0 Intel E7710 MCH PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 4 function 0 Intel E7710 MCH PCIE rev 0x09
pci5 at ppb4 bus 5
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB rev 0x02: irq 5
ehci0: EHCI version 1.0
ehci0: companion controllers, 2 ports each: uhci0 uhci1 uhci2 uhci3
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub4: single transaction translator
uhub4: 8 ports with 8 removable, self powered
ppb5 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci6 at ppb5 bus 6
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 ignored (disabled)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITE-ON, CD-ROM LTN-489S, 8DS2 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 31 function 2 Intel 82801ER SATA rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 9 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD800JD-75LSA0
wd0: 16-sector PIO, LBA48, 76293MB, 15625 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: WDC 

keep state and PF Queues

2005-10-19 Thread Brian A. Seklecki
Would anyone like to elaborate on the impacts of using keep state on 
conjunction with pass rules that assign traffic to queues?


One might assume that inverted traffic flows would also be queued, however 
that would break the traffic can only be queued egress an interface 
rule...


There should be some remarks on this in pf.conf(5)

TIA,

~BAS



Re: em(4) problems with -current

2005-10-19 Thread Brian A. Seklecki

I'll double check this today and verify.  Will the IPMI on the
motherboard only work with the onboard ethernet controllers, or will it
get its grubby little hands on any/all controllers it finds?  If it only


The IPMI configuration screen gives you the option of configuring which 
Interface to bind to, at least on some models, and on others it defaults 
to the first onboard.


Like I said, you can use tcpdump(8) with an address or host syntax of 
the IPv4 of the IPMI address.  Try enabling it and pinging it, watch 
for the ICMP to/from the IPMI host, which will strangely and bizarrely 
appear to be on the same ethernet segment as the interface visible to the 
OS.


It's like having an IP alias configured that you can't see :}}}

I like to VLAN tag my IPMI stuff.  God hates the BOFH.

~BAS


works with the onboard, then maybe switching to the PCI card ports will
be a sufficient workaround.




Re: em(4) problems with -current

2005-10-19 Thread Brian A. Seklecki

On Wed, 19 Oct 2005, Theo de Raadt wrote:


Someone with one of these problematic cards should put it in the


It isn't so much a bug; more so a caveat of Dell's implementation.

Maybe you can order PowerEdge 1850s w/o a hardware IPMI implementation, 
but I don't think it's an issue that warrants chewing up precious cycles 
in a developer's schedule.


~BAS


mail to Brad in Toronto.  That is your best bet.




Shared Queues / Queuing on Multiple Interfaces

2005-10-06 Thread Brian A. Seklecki
I think I fumbled last week when I posted this original message in reply 
to one several months old (causing it to not be seen by MUA threading)


The question remains:

Can traffic travelling ingress on one-of-a-three-interface router be 
queued as it egresses the other two possible interfaces, enforcing a 
Frame-Relay CIR style sharing policy, but allowing either queue to 
borrow up to the maximum possible Downstream bandwidth on the original 
interface?


See URL and msg below:

http://digitalfreaks.org/~lavalamp/Queues.png

~BAS

-- Forwarded message --
Date: Mon, 3 Oct 2005 11:28:24 -0400 (EDT)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: Henning Brauer [EMAIL PROTECTED]
Cc: misc@openbsd.org, Tony Sarendal [EMAIL PROTECTED],
jared r r spiegel [EMAIL PROTECTED], Seamus Wassman [EMAIL PROTECTED]
Subject: Queing on Multiple Interfaces Revisited (WAS: Re: matching queues
in both directions with stateful rulesets)


On Mon, October 25, 2004 12:50 pm, Henning Brauer said:

* Tony Sarendal [EMAIL PROTECTED] [2004-10-25 16:48]:

Is there a way to assign which queues stateful traffic
will use in both directions ?


yes, you can have queues with the same names on multiple interfaces.

i. e. you create the queue customer1 on both your external (dc0) and
his interface (vlan1). outbound will go to the one on dc0, inbound to
the one on vlan1.


A better topic would be perhaps upstream bandwidth
distribution...downstream

All, the PF FAQ states several fundamentals about queuing:

1) queuing is only useful for packets in the outbound direction

..then later:

2) Note that queue designation can happen on an interface other than the
one defined in the altq on directive:
  [...example rule set..]

 Queueing is enabled on fxp0 but the designation takes place on dc0. If
packets matching the pass rule exit from interface fxp0, they will be
queued in the ftp queue. This type of queueing can be very useful on
routers.

-

I think a lot of confusion on this topic of multiple interfaces
originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect
behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic
inbound on one interface (of which the destination traffic matched will
travel outbound on an interface on which queuing is enabled) and applying
it to the outbound queue of the designated interface (point #2 above)
differs in behavior from simply matching traffic outbound on said
queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as
direction, inbound, outbound, upstream, downstream, ingress,
egress, etc.,
this is especially important with regards to the naming conventions on
queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue:

Let's look at an example like a Frame Relay network might...say that
your objective is an SLA for your customers worded as so:

Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps
bi-directional CIR.  Both may borrow from the total available.

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream external interface is broadband/narrowband delivered via
Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is
synchronous/symmetric
*) Customer handoff is 100Mbps Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a perimeter router with a pass all style
ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce upstream or
outbound queues on xl0.

altq on xl0 cbq queue { std-up cust1-up cust2-up }
queue std-up cbq(default ecn)
queue cust1-up bandwidth 10Mb cbq(ecn)
queue cust2-up bandwidth 10Mb cbq(ecn)

pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
pass out on xl0 from $vlan20_subnet to any keep state queue cust1-up
# these filters will match customer FTP uploads and HTTP GETs from
customer-hosted web servers, etc.
# this rule is redundant because the traffic would be forwarded anyway, it
exists simply to match traffic into a queue and create a state table entry
while we're at it.

...

But then let's say you want to invert those rules.

**NOTE**, if customer1 and customer2 were visible via the same interface,
then you could easily create a queue on that shared customer-facing
interface with a bandwidth statement that matches the max hypothetical
downstream speed of the broadband connection.  Then divvy it up using
sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as pass in on $ext_if
2) You could create non-stateful matching rules as pass out on $cust1
..., pass out on $cust2...,

But the question remains: Into what queue?  What type of queue would be
used to designate a policy for downstream traffic flows that are
traveling

Queing on Multiple Interfaces Revisited (WAS: Re: matching queues in both directions with stateful rulesets)

2005-10-03 Thread Brian A. Seklecki
On Mon, October 25, 2004 12:50 pm, Henning Brauer said:
 * Tony Sarendal [EMAIL PROTECTED] [2004-10-25 16:48]:
 Is there a way to assign which queues stateful traffic
 will use in both directions ?

 yes, you can have queues with the same names on multiple interfaces.

 i. e. you create the queue customer1 on both your external (dc0) and
 his interface (vlan1). outbound will go to the one on dc0, inbound to
 the one on vlan1.

A better topic would be perhaps upstream bandwidth
distribution...downstream

All, the PF FAQ states several fundamentals about queuing:

1) queuing is only useful for packets in the outbound direction

..then later:

2) Note that queue designation can happen on an interface other than the
one defined in the altq on directive:
  [...example rule set..]

 Queueing is enabled on fxp0 but the designation takes place on dc0. If
packets matching the pass rule exit from interface fxp0, they will be
queued in the ftp queue. This type of queueing can be very useful on
routers.

-

I think a lot of confusion on this topic of multiple interfaces
originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect
behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic
inbound on one interface (of which the destination traffic matched will
travel outbound on an interface on which queuing is enabled) and applying
it to the outbound queue of the designated interface (point #2 above)
differs in behavior from simply matching traffic outbound on said
queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as
direction, inbound, outbound, upstream, downstream, ingress,
egress, etc.,
this is especially important with regards to the naming conventions on
queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue:

Let's look at an example like a Frame Relay network might...say that
your objective is an SLA for your customers worded as so:

Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps
bi-directional CIR.  Both may borrow from the total available.

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream external interface is broadband/narrowband delivered via
Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is
synchronous/symmetric
*) Customer handoff is 100Mbps Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a perimeter router with a pass all style
ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce upstream or
outbound queues on xl0.

altq on xl0 cbq queue { std-up cust1-up cust2-up }
queue std-up cbq(default ecn)
queue cust1-up bandwidth 10Mb cbq(ecn)
queue cust2-up bandwidth 10Mb cbq(ecn)

pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
pass out on xl0 from $vlan20_subnet to any keep state queue cust1-up
# these filters will match customer FTP uploads and HTTP GETs from
customer-hosted web servers, etc.
# this rule is redundant because the traffic would be forwarded anyway, it
exists simply to match traffic into a queue and create a state table entry
while we're at it.

...

But then let's say you want to invert those rules.

**NOTE**, if customer1 and customer2 were visible via the same interface,
then you could easily create a queue on that shared customer-facing
interface with a bandwidth statement that matches the max hypothetical
downstream speed of the broadband connection.  Then divvy it up using
sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as pass in on $ext_if
2) You could create non-stateful matching rules as pass out on $cust1
..., pass out on $cust2...,

But the question remains: Into what queue?  What type of queue would be
used to designate a policy for downstream traffic flows that are
traveling inbound via an upstream interface, processed by the router,
and forwarded outbound via two downstream interfaces, ***while SHARING
the available downstream bandwidth available via the inbound
interface***

It's as if there almost needs to be a separate type of queue not affiliated
with an interface, i.e., the ingress/egress queue for matching traffic
switched from interface-to-interface.

We keep saying you can't queue inbound, which makes sense.

But you need a technique for queuing a shared ingress

~BAS


 --
 http://2suck.net/hhwl.html - http://www.bsws.de/
 Unix is very simple, but it takes a genius to understand the simplicity.
 (Dennis Ritchie)




-- 
l8r* --
~ Brian A. Seklecki

From back in the heady days when 'Help Desk' meant nothing, 'Disk Quota'
meant everything, and lives could be bought and sold for a couple of pages
of laser printout...and frequently were.



Netgear WG311 and ath driver on amd64.

2005-10-01 Thread Brian McKerr
 with IntelliEye(TM), rev 
1.10/3.00, addr 2, iclass 3/1

ums0 at uhidev0: 3 buttons and Z dir.
wsmouse0 at ums0 mux 0


The only thing that looks remotely like a netgear wg311 is the;

Texas Instruments ACX111 rev 0x00 at pci0 dev 12 function 0 not configured

when I try any ifconfig commands related to ath0 they fail, which seems 
obvious as the kernel has not picked up any ath devices.



So, what's up with the WG311 or any ath based cards for the amd64 port?
In fact, according to the hardware support page there appears to be
*no* ath support for amd64.


Is this correct?


Brian.



Re: Load Balancing

2005-10-01 Thread Brian A. Seklecki
So have him send the message pre-formatted to the list? HTML?

How about just draw the diagram using ports/graphics/dia/* and export to
PNG, post the URL?

~BAS

On Fri, 2005-09-30 at 10:01, J.C. Roberts wrote:
 On Fri, 30 Sep 2005 18:35:16 +0530, Manpreet Singh Nehra
 [EMAIL PROTECTED] wrote:
 
 

 [ASCII network diagram, garbled in the archive. Recoverable content: a
 box labelled OpenBSD / Firewall with four DHCP-facing interfaces, rl0
 172.31.1.1, rl1 172.31.2.1, rl2 172.31.3.1 and rl3 172.31.4.1, and rl4
 on 192.168.1.0/24 (192.168.1.3 shown next to it).]
 
 
 I suggest you learn to use a fixed pitch font for email,
 particularly for ascii-drawings, rather than forcing everyone to play
 a pointless game of guess the magic font so they can read your post.
 
 JCR



Re: ntop

2005-10-01 Thread Brian A. Seklecki
What platform are you on? Are you compiling it from source?  

It works just fine in 3.7/i386.

Just:

bash-3.00# cd /usr/ports/net/ntop && make install clean


If you insist on source, try looking at /usr/ports/net/ntop/patches/*

Try reading about Ports in the FAQ.

~BAS

On Thu, 2005-09-29 at 12:43, B4nsh33 wrote:
 Hi, I'm trying to install ntop 3.1 on OpenBSD 3.7, it doesn't compile;
 reading the archives I learned it's an unsupported application.
 Is there any workaround or should I look for another package? I really
 like ntop's full feature set and I would prefer to use it.
 
 ---
 thanks



ath hostap and carp ?

2005-09-29 Thread Brian McKerr

Hello all,

can anyone tell me if running 'ath' based cards in hostap mode is 
reliable and stable ? I'm deciding whether to get a linksys wrt54g or to 
throw an ath based card in my firewall and run it as the AP.


Also, does anyone know if I can run carp on wireless cards ? 
Specifically, I currently have a carp based firewall setup and I was 
wondering if running both of these as AP could give me AP failover ?


Thanks,

Brian.



Re: CARP/PFSYNC over USB is possible?

2005-09-22 Thread Brian A. Seklecki

On Mon, 29 Aug 2005, Vinicius Pavanelli Vianna wrote:


I'm currently using an OpenBSD 3.7 as a firewall for my network; since
this machine is a 1U rack I can't add an extra ethernet card to it, so
I was looking for an alternative solution to use redundancy. Since there
are plenty of USB ports free, can I use a USB-to-USB link over two


No one ever answered you, but I'm assuming that you discovered:

$ apropos usb|grep -i ether
aue (4) - ADMtek AN986 / ADM8511 Pegasus family USB Ethernet driver
axe (4) - ASIX Electronics AX88172 USB Ethernet driver
cdce (4) - USB Communication Device Class Ethernet driver
cue (4) - CATC USB-EL1201A USB Ethernet driver
kue (4) - Kawasaki LSI KL5KUSB101B USB Ethernet driver
udav (4) - Davicom DM9601 USB Ethernet driver
url (4) - Realtek RTL8150L USB Ethernet driver


~BAS



Re: 3.8 beta requests

2005-08-23 Thread Brian
I am not sure if this is related.  But when I code assembly to pass 
a double precision floating point value (%xmm0) to printf, my program will
crash
without a stack frame.  I am fine for passing strings and integers.

Here's the simple code:

.section .data

str:
	.string "%f\n"
test:
	.float 2.5

.section .text
.extern printf

.global main

main:

	push %rbp		# set-up stack frame
	movq %rsp, %rbp		# will fault without this

	movl $str, %edi
	movl $test, %eax
	cvtss2sd (%rax), %xmm0
	movq $1, %rax
	call printf

	movq $1, %rax
	xorq %rdi, %rdi
	syscall

 
If I remove the stack frame, this code will fault every time.  Now, according
to the amd64 ABI, I shouldn't need a stack frame.  Now, gcc compiles with stack
frames, but this does appear to be a memory bug.  I'm just not sure where to go
next to research this further.

Here's my dmesg:

OpenBSD 3.8-beta (GENERIC) #210: Sat Aug 13 20:20:15 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1073278976 (1048124K)
avail mem = 909148160 (887840K)
using 22937 buffers containing 107536384 bytes (105016K) of memory
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3000+, 1808.55 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
Nvidia nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
Nvidia nForce4 ISA rev 0xa3 at pci0 dev 1 function 0 not configured
Nvidia nForce4 SMBus rev 0xa2 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 Nvidia nForce4 USB rev 0xa2: irq 10, version
1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 Nvidia nForce4 USB rev 0xa3: irq 11
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: Nvidia EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4 function 0 Nvidia nForce4 AC97 rev 0xa2: irq 11, nForce4
AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auich0
pciide0 at pci0 dev 6 function 0 Nvidia nForce4 IDE rev 0xa2: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4163B, A103 SCSI0 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 7 function 0 Nvidia nForce4 SATA 1 rev 0xa3: DMA
(unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD360GD-00FLA2
wd0: 16-sector PIO, LBA48, 35304MB, 72303840 sectors
pciide1: channel 1 ignored (not responding; disabled or no drives?)
pciide2 at pci0 dev 8 function 0 Nvidia nForce4 SATA 2 rev 0xa3: DMA
(unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide2: using irq 11 for native-PCI interrupt
pciide2: channel 0 ignored (not responding; disabled or no drives?)
pciide2: channel 1 ignored (not responding; disabled or no drives?)
ppb0 at pci0 dev 9 function 0 Nvidia nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
VIA VT6306 FireWire rev 0x80 at pci1 dev 6 function 0 not configured
Nvidia CK804 LAN rev 0xa3 at pci0 dev 10 function 0 not configured
ppb1 at pci0 dev 11 function 0 Nvidia nForce4 PCIE rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 12 function 0 Nvidia nForce4 PCIE rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 13 function 0 Nvidia nForce4 PCIE rev 0xa3
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101):
irq 5 address 00:e0:81:56:8f:66
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 14 function 0 Nvidia nForce4 PCIE rev 0xa3
pci5 at ppb4 bus 5
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
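A variant of the program above, added here as an editor's example and not taken from the post: it calls printf with a double on amd64 without any frame pointer. The frame-less original faults because the SysV amd64 ABI requires %rsp to be 16-byte aligned at the call instruction (on entry to main it is 8 bytes past alignment) and %al must hold the number of vector registers used; a bare subq $8, %rsp satisfies the alignment. Assumed: built with cc on an amd64 system so that libc and the C runtime are linked in.

```asm
	# Build and run (assumption: an amd64 host with a C toolchain):
	#   cc -o fmt fmt.s && ./fmt        # prints 2.500000
	.section .data
fmt:
	.string "%f\n"                  # NUL-terminated format string for printf
val:
	.float 2.5                      # single-precision constant, widened below

	.section .text
	.extern printf
	.global main

main:
	# On entry %rsp is 8 mod 16 (the caller's call pushed a return address).
	# The ABI requires %rsp to be 0 mod 16 at our own call, so reserve
	# 8 bytes.  No frame pointer is needed; only the alignment matters.
	subq	$8, %rsp

	leaq	fmt(%rip), %rdi         # arg 1: format string (RIP-relative, PIE-safe)
	cvtss2sd val(%rip), %xmm0       # arg 2: %f takes a double, so widen the float
	movl	$1, %eax                # %al = number of vector registers in use (1)
	call	printf@PLT

	addq	$8, %rsp                # drop the alignment padding
	xorl	%eax, %eax              # return 0 from main
	ret
```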

Re: Text editor

2005-08-07 Thread Brian
If you install the port vim, it comes with vimtutor.  You just type:

$ /usr/local/bin/vimtutor

And the tutor is pretty good.  It helped me out.

Brian








Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 



Re: IPSec Routing / Multiple Subnets / GRE Revisited

2005-07-25 Thread Brian A. Seklecki

On Sat, 23 Jul 2005, Hans-Joerg Hoexer wrote:


Hi,

On Fri, Jul 22, 2005 at 06:43:34PM -0400, Brian A. Seklecki wrote:

The URL:

http://digitalfreaks.org/~lavalamp/openbsd_ipsec_generic.png


Outlines the generic cookie-cutter configuration from vpn(8) with
addressing changes.  A couple of comments on that document:


[...]


yes, please.


For the record, before I submit this PR, here is the generic isakmpd.conf 
from my lab:


---

[General]
Listen-on=  192.168.100.2

Default-Phase-1-Lifetime= 600,60:900
Default-Phase-2-Lifetime= 300,60:900

[Phase 1]
192.168.100.1=  ISAKMP-peer-Concentrator

[Phase 2]
Connections=IPsec-PghToConcentrator

[ISAKMP-peer-Concentrator]
Phase=  1
Transport=  udp
Address=192.168.100.1
Configuration=  Default-main-mode
Authentication= lies

[IPsec-PghToConcentrator]
Phase=  2
ISAKMP-peer=ISAKMP-peer-Concentrator
Configuration=  Default-quick-mode
Local-ID=   Net-Pgh
Remote-ID=  Net-Concentrator

[Net-Pgh]
ID-type=IPV4_ADDR
Address=192.168.100.2
Protocol=   47

[Net-Concentrator]
ID-type=IPV4_ADDR
Address=192.168.100.1
Protocol=   47

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-TRP-3DES-MD5-SUITE

--

The other side is understandably opposite in respective places.


I create my tunnels:

# ifconfig gre0 create
# ifconfig gre0 192.168.200.2 192.168.200.1 netmask 0x link0 up
# ifconfig gre0 tunnel 192.168.100.2 192.168.100.1

---

Routing tables

Encap: Source Port Destination Port Proto SA(Address/Proto/Type/Direction) 
192.168.100.1/32 0 192.168.100.2/32 0 47 192.168.100.1/50/use/in 
192.168.100.2/32 0 192.168.100.1/32 0 47 192.168.100.1/50/require/out



sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0x2f88fffb auth hmac-md5 enc 3des-cbc
state larval replay 16 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327771 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.2
address_dst: 192.168.100.1
identity_src: type prefix id 0: 192.168.100.2/32
identity_dst: type prefix id 0: 192.168.100.1/32
key_auth: bits 128: 0a4e518fdb7dfdf5d3a32b1e486490a7
	key_encrypt: bits 192: 
d11e3b020f96c8160fdd8bee9778e2acee2790cd5be31e86

sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0xf75988c3 auth hmac-md5 enc 3des-cbc
state larval replay 0 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327768 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.1
address_dst: 192.168.100.2
identity_src: type prefix id 0: 192.168.100.1/32
identity_dst: type prefix id 0: 192.168.100.2/32
key_auth: bits 128: 6d4096f6a3971b31b2a1642fb6563cc8
	key_encrypt: bits 192: 
4e833ca770b3c9409c7308522fa2ed8ad73a05911beaacab

sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0x0e22792c auth hmac-md5 enc 3des-cbc
state larval replay 16 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327771 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.1
address_dst: 192.168.100.2
identity_src: type prefix id 0: 192.168.100.1/32
identity_dst: type prefix id 0: 192.168.100.2/32
key_auth: bits 128: aaab5a489fe9c6fe7f950ecd7e8665c6
	key_encrypt: bits 192: 
aabf088d4bb7928dd5d3515359fdc0a0c7bbd1bc11a705ab

sadb_dump: satype esp vers 2 len 39 seq 0 pid 0
errno 89: Unknown error: 89
sa: spi 0x61def2ad auth hmac-md5 enc 3des-cbc
state larval replay 0 flags 0
lifetime_cur: alloc 0 bytes 0 add 1122327768 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
address_src: 192.168.100.2
address_dst: 192.168.100.1
identity_src: type prefix id 0: 192.168.100.2/32
identity_dst: type prefix id 0: 192.168.100.1/32
key_auth: bits 128: 96bcaad8da66a92d67247f1bcc8ab0e1
	key_encrypt: bits 192: 
1fe5ada905338811fa97ad1af009e11f2237c434a225fc00





When I start isakmpd(8), I can use tcpdump(8) to see that the only traffic
between 192.168.100.2 and 192.168.100.1 that is encrypted (seen via enc0)
is GRE encapsulated traffic:


At that point in time

Re: ntpq -p equiv with openNTP?

2005-07-24 Thread Brian McKerr

stan wrote:


Is there a way to do something like ntpq -p with OpenBSD's OpenNTPD? I
really just want a quick way to assure myself that a given machine is in
synch.

 


No, but you can send us some code 

Only joking ;-)

I'd like that option also.



Re: Speed isn't everything, luckily for OpenBSD.

2005-07-23 Thread Brian
--- MikeM [EMAIL PROTECTED] wrote:

 On 7/22/2005 at 9:10 PM Nick Holland wrote:
 
 | There is just *no* way to explain just how wacked Linux looks to 
 | someone who is having to go from OpenBSD to Linux for some stuff 
 | at work.  Wow.
 | You'd swear it was written by an unorganized mob with no central
 | control or plan at all.  Oh, wait...
  =
 
 Software tends to take on the architecture of the organization that
 created it.
 

Fortunately, the group here stands fast and creates good stuff.  You have to
respect a group that will tell you straight out that you are making mistakes. 
I actually solved my little assembly problem thanks to the approach the
developers take here.

Brian
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



IPSec Routing / Multiple Subnets / GRE Revisited

2005-07-22 Thread Brian A. Seklecki

The URL:

http://digitalfreaks.org/~lavalamp/openbsd_ipsec_generic.png


Outlines the generic cookie-cutter configuration from vpn(8) with 
addressing changes.  A couple of comments on that document:


*) The output of 'netstat -rn -f encap' should probably be included at the 
end.


*) ...possibly in combination with mentioning enc(4) and some example 
output of 'tcpdump -n -i enc0' watching ping(8) traffic.  I can submit 
patches if needed.


*) One thing that is not obvious is the nature of the routing behavior. 
Similar to Cisco ACLs, the isakmpd(8) Remote-ID and Local-ID definitions 
designate traffic to encrypt, but they're also used as one of many factors 
in choosing a proposal.


*) Hosts on 192.168.0.0/24 can reach hosts in 192.168.10.0/24 and vice
versa; hosts on 192.168.1.0/24 can reach hosts in 192.168.10.0/24 and
vice versa.


*) Neither router/vpn termination point can communicate with the remote 
subnet via the tunnel unless the application specifically binds to the 
Inet address on the Lan0 side of the host. For example:

# ping -I [Lan0] [Remote Lan0]
# traceroute -s [Lan0] [Remote Lan0]

... thereby creating traffic with an IP source address that matches the
ACL.


This caveat is not at all obvious and probably should be explicitly 
pointed out in vpn(8) or elsewhere.


Another Hypothetical Situation (Routing/Subnets/GRE)

http://digitalfreaks.org/~lavalamp/openbsd_ipsec_sit1.png
http://digitalfreaks.org/~lavalamp/openbsd_ipsec_sit2.png

Let's say Facility 2 as depicted assumes the role of a VPN Concentrator,
i.e.:


*) A second subnet is added to Facility 1's Lan1 Interface
*) A 2nd remote facility's VPN, Facility 3, becomes terminated here.
*) A tunnel between Facilities 1 and 3 is not available.


*) Because of the poor addressing scheme used in such a network, the two
/24s located at Location 1 cannot both be visible via the Tunnel between
Location 2 and Location 1 because *only one subnet* per Phase1/Phase2
connection can be specified in the Remote-ID/Local-ID.


*) Of course, if 192.168.0.0/24 and 192.168.0.1/24 were located at Site 1
and 192.168.2.0/24 was located at Site 3, an IPV4_ADDR_SUBNET with a
Subnet=255.255.254.0 could simply be used to specify the aggregate of two
/24s (a /23).


*) Per Andre Ruppert [EMAIL PROTECTED]:
http://www.monkey.org/openbsd/archive/misc/0302/msg01895.html

...a work-around to this would be a separate Phase 1 and Phase 2 
connection must be built between Location 1 and Location 2 for every 
Discontinuous subnet, which does not scale well.


*) Although the remote networks of each tunnel are known via 'netstat -rn
-f encap' on each machine, authentic routes do not exist in route(8)
print output, possibly because instead of a route being associated
with an Interface or a Next-Hop gateway, they are known via an SA?


*) Therefore, it is not possible to add static routes that reference the 
tunnel.


Example, if Location 2 were to try to add a route to 192.168.2.0/24 via 
192.168.0.1 (a Lan0 interface in Location 1, which is reachable via the 
Tunnel / SA, and would be happy to forward traffic to 192.168.2.0/24), the 
route add would fail:


# route add -net 192.168.2.0 192.168.0.1 255.255.255.0
route: writing to routing socket: Network is unreachable
add net 192.168.2.0: gateway 192.168.0.1: Network is unreachable

...which makes sense because the routing process would traditionally need
to know a directly connected interface with an address in a subnet to
forward to; in this case, no interface exists.


Additionally, even if there was a static route, the source-address of 
packets from subnet 192.168.2.0/24 would not match the SA's ACL and would 
be dropped anyway.


*) This presents a dilemma.  Location 2 cannot act in the capacity of a 
VPN Concentrator if it cannot advertise routes into a larger network 
environment because any number of subnets could exist at any location 
which may want to access resources at any other location.  The source and 
destination addresses vary greatly, but if my understanding is correct, 
only one subnet can be specified per tunnel using ISAKMPD in OpenBSD


*) One cheap hack would be to use NAT to change up the source addresses,
but then access becomes harder to control with pf(4) ACLs.


*) In a Cisco IOS environment, IP extended ACLs are used to designate 
crypto maps of interesting traffic.  The syntax is comparable in 
flexibility to pf.conf(5) and any number of source/destinations can be 
included flagged per tunnel.


*) Another option would be to change from TUNNEL mode to TRANSPORT mode in 
Quick mode transforms/suites and then create GRE tunnels between all of 
the routers.  The Remote/Local-ID Definition could specifically designate 
IP Protocol 47 (GRE) for encryption:


  [machineB-to-machineA]
  ID-type=IPV4_ADDR
  Address=10.0.99.0
  Protocol= 47

This configuration works well under 

Re: Still stuck with this assembly stuff (amd64)

2005-07-21 Thread Brian
Thanks.  I just wasn't sure if my problem was an openBSD problem or an assembly
problem.  It's definitely the latter.  And I just found the amd64 ABI, which is
making the problems clear for me.  Pushing those args on the stack is
definitely wrong.

Anyway, I appreciate the feedback.  And thanks Art for pointing out that the
assembly was wrong.  That put me on the right track to finding a solution.  The
recent threads about the notes section just confused me and put me down the
wrong track.

Thanks,

Brian

--- STeve Andre' [EMAIL PROTECTED] wrote:

 
 Brian, its always good idea to learn stuff, but this isn't the right
 place to talk about assembly problems.  One of the newsgroups
 devoted to programming would be a far better source, or one of
 the many web forums out there.
 
 As someone said, compiling programs and looking at the code 
 is a great way of seeing how things are done.  Thats one of the
 ways I learned, quite some time ago with Digital Research C, an
 awful compiler that gave me lots of pain...
 
 The other thing you might want to think about is getting experience
 on a simpler cpu, perhaps the z80.  There are tons and tons of 
 documents on it, and I'm pretty sure that you could write stuff and
 then run it on an emulator, faster than the hardware I had, back
 when I used them.
 
 At any rate, misc@ isn't the best place for your questions.  I'm sure
 there are some assembler freaks out there who would just love to
 talk with you and help out.
 
 --STeve Andre'
 
 








(g)as on amd64

2005-07-20 Thread Brian
Is there anything special I need to do for assembly on amd64?

I am having trouble with the following code:

.data

msg:
	.ascii "Hello\n"
len = . - msg

.text

.global _start

_syscall:
	int $0x80
	ret

_start:
	xor %rax, %rax
	cdq
	push $len
	push $msg
	push $1
	movb $4, %al
	call _syscall

	push $0
	movb $1, %al
	call _syscall

Here is how I am attempting to assemble the above:

as -o test1.o test1.s
ld -e _start -o test1 test1.o

I tried elf2olf -o openbsd test1, but I receive this error:

elf2olf: test1: Exec format error.

Is there something that I am missing that I need to do on amd64?

Thanks,

Brian

Note: NASM is not an option since it's not available on amd64; there isn't a 
  port of YASM available yet.  And I ran into problems trying to compile 
  the YASM's source.




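A corrected version of the program above, added as an editor's example and not the poster's code: int $0x80 with arguments pushed on the stack is the i386 convention, whereas on OpenBSD/amd64 the syscall number goes in %rax, the arguments in %rdi, %rsi and %rdx, and the kernel is entered with the syscall instruction, as the later post in this thread does for exit. Assumed: the OpenBSD syscall numbers the thread already uses (write = 4, exit = 1) and the .note.openbsd.ident section, the "notes section" the thread refers to, which marks the binary as a native OpenBSD executable.

```asm
	# Build as in the post:  as -o test1.o test1.s && ld -e _start -o test1 test1.o
	# Assumption: OpenBSD/amd64 syscall numbers and the OpenBSD ELF note.
	.section ".note.openbsd.ident", "a"
	.p2align 2
	.long	8                       # namesz: strlen("OpenBSD") + 1
	.long	4                       # descsz: one 32-bit word
	.long	1                       # type: ELF_NOTE_TYPE_OSVERSION
	.ascii	"OpenBSD\0"
	.long	0                       # desc: OS version, 0 is accepted
	.p2align 2

	.section .data
msg:
	.ascii	"Hello\n"
len = . - msg

	.section .text
	.global _start

_start:
	# write(1, msg, len): number in %rax, arguments in %rdi, %rsi, %rdx
	movq	$4, %rax                # SYS_write on OpenBSD
	movq	$1, %rdi                # fd 1, stdout
	leaq	msg(%rip), %rsi         # buffer address
	movq	$len, %rdx              # byte count
	syscall                         # amd64 kernel entry, not int $0x80

	# exit(0)
	movq	$1, %rax                # SYS_exit on OpenBSD
	xorq	%rdi, %rdi              # exit status 0
	syscall
```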



Still stuck with this assembly stuff (amd64)

2005-07-20 Thread Brian
 links or man pages to read would be helpful?  I have already read info as, and
it's pretty old, but it's still useful.

When I type in test1, the program appears to just exit, but nothing is printed
to STDOUT.

Thanks,

Brian







Re: sniffer

2005-07-19 Thread Brian

Hannah Schroeter wrote:


Hello!

On Tue, Jul 19, 2005 at 05:20:43PM +0300, [EMAIL PROTECTED] wrote:
 


I need to sniff a network segment and I need to sniff both headers and
data. Because tcpdump captures only headers it's unsuitable for the task.
   



No. Read the manpage, look for the option -s.

 


[...]
   



Kind regards,

Hannah.
 


Yep -s0 is definitely the tool to see data.

Brian



Re: OpenBSD 3.7 + Bridge Wireless (Orinoco)

2005-07-04 Thread Brian J. Woods

Roberto Gonzalez Azevedo wrote:


Hello everybody...

I have a little problem to solve here and i hope that you can help me.

I wanna do a 'wireless bridge' :

rl0 -- wi0

But it's not working. I'm trying to use PPPoE in this bridge, but the 
PADI is not passing over wi0 ...


Thanks ...

Roberto Gonzalez Azevedo
Brazil



Can you show the current pf.conf (pf settings) you have so far?



RAID-1 Root + boot(8) on i386/amd64

2005-06-30 Thread Brian A. Seklecki
Please confirm that the following are applicable:

  * boot(8), biosboot(8), installboot(8), boot_i386(8) lack any
support for booting off RAIDFrame volumes (a 13 line patch 22
months ago fixed this on the "other side of the isle"(r)).

  * No support is planned

  * raid(4) is no longer aggressively maintained and has been
relegated to some reduced status based on the lack of commits to
src/sys/dev/raidframe or possibly general lack of interest


I ask because RAIDFrame software RAID is still a very attractive option
to "workgroup" and "entry level" class servers; especially RAID-1 Root.

However, the requirement of having a ~15 megabyte UFS partition (say,
/antiraid) on both mirror components is cumbersome. Firstly, the
partition exists only to contain two files: /boot and /bsd. Secondly,
that creates administrative overhead and the possibility that each
partition could become desynchronized during an upgrade.

Another potential problem occurs in fstab(5). /antiraid *has* to be
mounted in order to provide a sym/hard link from /antiraid/bsd to /bsd
(yet another very bad idea, but less of a bad idea than having a 3rd
copy of bsd laying around). In a generic RAID-1 mirror between two wd(4)
disks, since /antiraid resides on either /dev/{r,}wd0a or /dev/{r,}wd1a,
the admin must arbitrarily choose which to reference in the shared
/etc/fstab.

In the event of a component failure (reboot incurred here, possibly
failing to probe at the next boot, possibly not, but let's be
pessimistic), you have a 50% chance that rc(8) could fail to ever reach
multi-user mode because fsck can't access /antiraid, which effectively
defeats the purpose of raid(4) adding redundancy to the system.

TIA,
~BAS



Re: HP ProLiant DL140 serial consola installation

2005-06-30 Thread Brian A. Seklecki
The same behavior happens on Dell's serial console redirection.  It
happens when you boot FreeBSD too.  As soon as the kernel starts outputting
ANSI characters it goes dead.

Dell lets you toggle between VT100/220 mode and ANSI mode, but it's
unaffected.  The kernel output just kills it.

Dell has an option Continue after OS Load

The trick is to disable that boolean and make a custom boot/install CD
with an etc/boot.conf that redirects.

You'd think that between the collective minds at HP and Dell, they'd
have licensed Real Weasel / PC Weasel technology. 

Till the list archives for details.

~BAS

On Thu, 2005-06-30 at 20:49, Michael Favinsky wrote:
 I have some DL140's running OpenBSD. The BIOS redirection stops working when
 OpenBSD starts booting. Kinda sucks since you can't see the boot sequence or
 go into the BIOS setup from a serial console. Disable the BIOS console
 redirection and set OpenBSD to redirect the console to com0. 
 
 -Original Message-
 From: Martin Bruns [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, June 29, 2005 8:55 AM
 To: [EMAIL PROTECTED]; misc@openbsd.org
 Subject: Re: HP ProLiant DL140 serial consola installation
 
 [EMAIL PROTECTED] schrieb:
 
  Martin Bruns wrote:
 
  Hi Marc,
 
  that was what I have done initially but then I fall back to 9600 but 
  also there I did not get anything on the console after 'set tty 
  com0'. To make it clear I can not use the serial nor the 
  keyboard/monitor after that command.
 
 
  Maybe your serial link is not in order.  Set the baudrate to 9600, so 
  you are sure what parameters to set.
 
 I already checked that :-(
 
 
  For a first try, disable the serial console feature in the BIOS (not 
  in OpenBSD).
  Some times the serial BIOS console and the serial OpenBSD console 
  interfere.
  In that case you would have the BIOS console on com0 and the OpenBSD 
  console on com1.
 
 
 Good point. I just cross checked it. I disabled the serial BIOS and also
 tried with enabled serial BIOS but with different redirection during/after
 POST and BOOTLOADER. But none is working. This server has only one serial
 port so there is no com1 :-(
 
 Keep trying
 Martin
 
 
 
 This message may contain information that is privileged, confidential and
 exempt from disclosure under applicable law. If you are not the intended
 recipient of this message you may not store, disclose, copy, forward,
 distribute or use this message or its contents for any purpose. If you have
 received this communication in error, please notify us immediately by return
 e-mail and delete the original message and any attachments from your e-mail
 system. Thank you.



[Fwd: Re: spamd and comcast]

2005-06-29 Thread Brian
In response to the how would it increase cost question, anytime a 
provider has to deal with more spam it costs more money, additional 
manpower to process abuse complaints, additional bandwidth, server space 
etc.


Brian



Snapshot from 03/June : spamd working ?

2005-06-17 Thread Brian McKerr

Hello all,

Not sure if I'm missing something here with spamd so I thought I'd ask 
the experts. I have it setup with the default config file (snipped) ;


[fw1]# cat /etc/spamd.conf

all:\
   :spamhaus:china:korea:

# Mirrored from http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2
spamhaus:\
   :black:\
   :msg="SPAM. Your address %A is in the Spamhaus Block List\n\
   See http://www.spamhaus.org/sbl and\
   http://www.abuse.net/sbl.phtml?IP=%A for more details":\
   :method=http:\
   :file=www.openbsd.org/spamd/SBL.cidr.gz:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
   :black:\
   :msg="SPAM. Your address %A is in the spews level 1 database\n\
   See http://www.spews.org/ask.cgi?x=%A for more details":\
   :method=http:\
   :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
   :black:\
   :msg="SPAM. Your address %A is in the spews level 2 database\n\
   See http://www.spews.org/ask.cgi?x=%A for more details":\
   :method=http:\
   :file=www.openbsd.org/spamd/spews_list_level2.txt.gz:


and the relevant processes are running;
[firewall]# ps wax
 PID TT   STAT  TIME COMMAND
26310 ??  Is  0:00.01 ntpd: [priv] (ntpd)
26951 ??  Is  0:00.01 inetd
19580 ??  Is  0:00.18 /usr/sbin/sshd
26828 ??  Is  0:00.08 /usr/libexec/spamd
16673 ??  Is  0:00.20 sendmail: accepting connections (sendmail)


I have the cron job enabled for root;

[fw1]# crontab -l | grep spam

0   *   *   *   *   /usr/libexec/spamd-setup


I also have the relevant pf rule in place;

[firewall]# pfctl -vsn
rdr inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 104628    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 25445 ]



and as you can see not one hit from a known spammer !

I run Mailscanner on my mailserver behind the openbsd box and he is 
still constantly rejecting mail from known spammers - this is part of my 
sendmail.mc file;


FEATURE(`dnsbl',`relays.ordb.org', `Rejected - see http://ordb.org/')dnl
FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`Rejected - see 
http://spamhaus.org/')dnl

FEATURE(`dnsbl',`list.dsbl.org',`554 Rejected - see http://dsbl.org/')dnl
FEATURE(`dnsbl',`smtp.dnsbl.sorbs.net',`554 Rejected  ${client_addr} 
 found in smtp.dnsbl.sorbs.net')dnl
FEATURE(`dnsbl',`opm.blitzed.org',`554 Rejected  ${client_addr}  
found in opm.blitzed.org')dnl
FEATURE(`dnsbl',`dul.dnsbl.sorbs.net',`554 Rejected  ${client_addr}  
found in dul.dnsbl.sorbs.net')dnl
FEATURE(`dnsbl',`cbl.abuseat.org',`554 Rejected  ${client_addr}  
found in cbl.abuseat.org')dnl


and, finally, some log entries;

Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, 
arg1=[210.213.176.247], arg2=127.0.0.4, relay=210.213.176.247.pldt.net 
[210.213.176.247] (may be forged), reject=

553 5.3.0 Rejected - see http://spamhaus.org/
Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, 
arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], reject=553 
5.3.0 Rejected - see http://spamhaus.org/



So given that both spamd and sendmail are configured to talk to 
spamhaus, why is openbsd 3.7 spamd not blocking connections from these 
guys ?


Thanks for reading this


Oh, here's my dmesg..

OpenBSD 3.7-current (GENERIC) #175: Fri Jun  3 18:00:08 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 702 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 65576960 (64040K)
avail mem = 38232064 (37336K)
using 4130 buffers containing 16916480 bytes (16520K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(01) BIOS, date 04/07/00, BIOS32 rev. 0 @ 0xfb0c0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb540
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/96 (4 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 4 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 11 12
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810 rev 0x03: rng active, 9Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810 Graphics rev 0x03: aperture at 0xd800, size 0x400

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 DEC 21154 PCI-PCI rev 0x05
pci2 at ppb1 bus 2
fxp0 at pci2 dev 4 function 0 Intel 82557 rev 0x05, i82558: irq 5, 
address 

Re: Snapshot from 03/June : spamd working ?

2005-06-17 Thread Brian McKerr
Otto Moerbeek wrote:

On Fri, 17 Jun 2005, Brian McKerr wrote:

  

I also have the relevant pf rule in place;

[firewall]# pfctl -vsn
rdr inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 104628    Packets: 0    Bytes: 0    States: 0 ]
  [ Inserted: uid 0 pid 25445 ]



i'm missing a pass here.

   -Otto
  


You mean a basic SMTP pass in ?

This has been allowing mail to the mailserver for years, it's only this
week that I tried the Spamd thingo.

pfctl -sr | grep -i smtp

pass in log quick on fxp0 proto tcp from any to any port = smtp flags S/SA modulate state queue(q_def, q_pri)



cheers,


Brian.



Re: Snapshot from 03/June : spamd working ?

2005-06-17 Thread Brian McKerr
Otto Moerbeek wrote:

On Fri, 17 Jun 2005, Brian McKerr wrote:

  

You mean a basic SMTP pass in ?

This has been allowing mail to the mailserver for years, it's only this
week that I tried the Spamd thingo.

pfctl -sr | grep -i smtp

pass in log quick on fxp0 proto tcp from any to any port = smtp flags S/SA modulate state queue(q_def, q_pri)



that seems to be OK. What does

   pfctl -t spamd -T show 

show?

   -Otto
  


Here is the tail of it;


Re: Snapshot from 03/June : spamd working ?

2005-06-17 Thread Brian McKerr
Steve Tornio wrote:


 FEATURE(`dnsbl',`relays.ordb.org', `Rejected - see http://ordb.org/')dnl
 FEATURE(`dnsbl',`sbl-xbl.spamhaus.org',`Rejected - see
 http://spamhaus.org/')dnl

 Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay,
 arg1=[210.213.176.247], arg2=127.0.0.4,
 relay=210.213.176.247.pldt.net [210.213.176.247] (may be forged),
 reject=
 553 5.3.0 Rejected - see http://spamhaus.org/
 Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay,
 arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], reject=553
 5.3.0 Rejected - see http://spamhaus.org/


 So given that both spamd and sendmail are configured to talk to
 spamhaus, why is openbsd 3.7 spamd not blocking connections from
 these guys ?


 Because those addresses are in the XBL, not the SBL.  The XBL is
 populated by entries from the CBL, which are added when virus-like or
 worm-like behavior is detected, and entries are removed at the first
 request. Doesn't really make a whole lot of sense to try to create a
 static list for it, when the SBL list is only updated twice a day anyway.

 Of course, you could just go to www.spamhaus.org and read up on how it
 works.

 Steve

Thanks for the tip Steve,

I've just read up on it, and it seems to suggest that using sbl+xbl is a good thing.

What exactly is spamd going to catch then ?



Re: Snapshot from 03/June : spamd working ?

2005-06-17 Thread Brian McKerr

Steve Tornio wrote:



Because those addresses are in the XBL, not the SBL.  The XBL is
populated by entries from the CBL, which are added when virus-like or
worm-like behavior is detected, and entries are removed at the first
request. Doesn't really make a whole lot of sense to try to create a
static list for it, when the SBL list is only updated twice a day 
anyway.


Of course, you could just go to www.spamhaus.org and read up on how it
works.

Steve



Thanks for the tip Steve,

I've just read up on it, and it seems to suggest that using sbl+xbl is a good thing.

What exactly is spamd going to catch then ?


spamd will tarpit entries in the SBL, which are (supposed to be) 
actual spamming operations.  The idea behind spamd is to waste the 
time and resources of spam operations, not simply to reject their 
mail.  If you're only looking to reject mail, then don't use spamd.


I do understand what spamd is trying to achieve.

I want both: to waste their time and resources and to block their email,
as I'm sure everyone does!


Which is what should happen according to my interpretation of spamd and 
its standard implementation. To my knowledge, there does not appear to 
be anywhere in the spamd documentation that says something like 
(sarcastic voice) after delaying the spammer and using up their time 
and resources, allow their connection through to your mailserver so they 
can deliver their spam !


Thanks for your help Steve, I think Otto is looking at the *real* problem.


Brian.
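Steve's point is visible in the log lines themselves: sendmail's arg2 is the DNSBL answer, 127.0.0.4 is an XBL return code (127.0.0.2 is the SBL), and spamd-setup only pulls the static SBL file. The following is an added example, not code from the thread or from OpenBSD, that parses those check_relay lines, names the list from the return code, and checks whether the client would have been in the spamd table; the three-entry table is a constructed fragment standing in for the real `pfctl -t spamd -T show` output.

```python
import re
import ipaddress

# Spamhaus return codes for the combined sbl-xbl zone, as documented by Spamhaus:
# 127.0.0.2 is the SBL (static spam sources, the text file spamd-setup fetches);
# 127.0.0.4 to 127.0.0.7 are the XBL (CBL-fed, dynamic, no static list to fetch).
DNSBL_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
}

# Matches the check_relay rejection format sendmail writes to the maillog.
LOG_RE = re.compile(
    r"ruleset=check_relay, arg1=\[(?P<ip>[\d.]+)\], arg2=(?P<code>[\d.]+)"
)


def parse_check_relay(line):
    """Return (client_ip, list_name) for a check_relay rejection, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), DNSBL_CODES.get(m.group("code"), "unknown")


def in_spamd_table(ip, table_entries):
    """True if ip falls inside any host or CIDR entry of a spamd table dump."""
    addr = ipaddress.ip_address(ip)
    for entry in table_entries:
        # Bare hosts in the dump become /32 networks; CIDRs are used as-is.
        if addr in ipaddress.ip_network(entry.strip(), strict=False):
            return True
    return False


def explain(line, table_entries):
    """Tie one rejection to the list it came from and to the spamd table."""
    parsed = parse_check_relay(line)
    if parsed is None:
        return None
    ip, listed_in = parsed
    return {"ip": ip, "listed_in": listed_in,
            "in_spamd_table": in_spamd_table(ip, table_entries)}


# The two log lines from the thread, plus a constructed three-entry table.
SAMPLE_LOG = [
    "Jun 17 19:49:29 inetmail sendmail[13126]: ruleset=check_relay, "
    "arg1=[210.213.176.247], arg2=127.0.0.4, relay=210.213.176.247.pldt.net "
    "[210.213.176.247] (may be forged), reject=553 5.3.0 Rejected - see http://spamhaus.org/",
    "Jun 17 20:41:26 inetmail sendmail[13390]: ruleset=check_relay, "
    "arg1=[61.96.162.88], arg2=127.0.0.4, relay=[61.96.162.88], reject=553 "
    "5.3.0 Rejected - see http://spamhaus.org/",
]
SAMPLE_TABLE = ["219.149.64.0/24", "220.64.0.0/11", "222.249.240.0"]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(explain(line, SAMPLE_TABLE))
```

A rejection whose listed_in is XBL and in_spamd_table is False is exactly the situation in the thread: the SBL-only table never held that client, so the rdr rule had nothing to match.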



Re: Theo gave an interview to Forbes Mag. about Linux

2005-06-17 Thread Brian
I thought the interview was good.  It just didn't read like an interview like
the one linked to from undeadly.

I used linux a year before moving over to openBSD, and the two are night and
day.  openBSD is well organized with very good code.  linux is a disaster to
navigate (horrible man pages and docs), install (it's pretty looking, but you
have no clue what is going on behind the scenes), too many distros (which one
is good?), and work with (do you YUM, RPMs, etc to upgrade?).  

And I like the fact that Theo will tell you straight out if you are doing
something stupid.  The developers here are honest and will tell you when
something isn't worth your time.

Anyway, cheers for being honest and straight forward.

Brian

--- J. Lievisse Adriaanse [EMAIL PROTECTED] wrote:

 Theo gave an interview to Forbes Magazine, in which he stated: "It's
 terrible," De Raadt says. "Everyone is using it, and they don't realize how
 bad it is. And the Linux people will just stick with it and add to it rather
 than stepping back and saying, 'This is garbage and we should fix it.'"
 
 Nice to read though as an ex-Linsux'er :)
 
 Jasper
 
 -- 
 checking whether you're still watching...probaly not :-)
 /usr/ports/x11/wmx configure script.



Re: speed of mac mini

2005-06-17 Thread brian pink
I haven't set X up yet, but I finally got 3.7 installed on the Mac mini
without issue. I was using MBR for the disk instead of HFS, and there's
an issue with the disklabel initial setup. The fix is outlined in this
message:

http://www.monkey.org/openbsd/archive/misc/0309/msg01319.html

and I'll submit a more thorough bug report when I get a chance to write
it. So far the mini seems quite fast to me, I doubt you'll have any
issues.

- brian



 Hello list,
 
 i will only do normal things:
 - some coding --> emacs/terminals/ddd
 - read www.openbsd.org --> firefox/dillo
 - read mails of misc@openbsd.org --> thunderbird
 - write some letters, do some calculations --> abiword/gnumeric
 - some statistics --> gnuplot
 - audio/video playing --> xmms/mplayer
 all with gnome or windowmaker.
 That's all.
 
 Bye Thorsten
 
 LiteStar numnums wrote:
 
 G'day,
  A friend of mine uses the mini for all of his foto processing with
 Photoshop and the like, whilst Illustrator and Safari are running.
 It seems fast enough. I've no idea what you want to really do with
 it (if it has a hard time with gnome/kde, that would be really bad,
 eh?), but for his needs it's fine. Cheers!
 
 On 6/16/05, Thorsten Johannvorderbrueggen
 [EMAIL PROTECTED] wrote:
  
 
 Hello list,
 
 i think of buying a mac mini, but i don't know if a mac mini is
 fast enough. So i ask you: does anyone use a mac mini with
 gnome/kde or so? At the moment i have a dual-P3 and it's fast
 enough.
 
 Any comments, suggestions?
 
 Bye
  Thorsten



3.7 mac install problem

2005-06-12 Thread brian pink
I'm trying to install 3.7 on my Mac Mini, and I'm having an issue with
the MSDOS boot partition that the ofwboot file is supposed to be copied
to. I'm using MBR for my disk, and the official CD release. 

Specifically, when I go through the install process, I get the message
that the i partition is created and that I must leave it available for
OpenBSD. All seems good, I create my partitions, not creating an i
partition and also not using any offset before 3024. However, at the end
of the install, when the installer calls mount_msdos to try and copy
the ofwboot file over, I get this message:

Copying 'ofwboot' to the boot partition (wd0i)...mount_msdos: /dev/wd0i
on /mnt2: Device not configured FAILED.

I am then unable to boot from wd0. I've Googled, read the
INSTALL.macppc doc, and still have been unable to get this to work. All
help is much appreciated,

- brian



pf and rdr pass nat

2005-06-08 Thread Brian McKerr

The man page says;

If the pass modifier is given, packets matching the translation rule 
are passed without inspecting the filter rules:


I like this as it will reduce the size of my rules file, however,  how 
can I rdr pass and have it honour (for want of a better word) altq ?


Cheers,


Brian.



Sun Netra T1 105

2005-06-02 Thread Brian McKerr
I am thinking of getting one (or two) of these for my new firewall, just
curious if anyone has any opinions on its suitability in such a role.
Spec as follows;


64bit 360mhz CPU (IIi)
128mb RAM
1 x 18gb 10krpm
2 x integrated NIC
1x PCI (which I intend to put a dual port compaq/intel NIC in)

Basically, I have a low traffic mail and web server behind this firewall 
it also is my OpenVPN server for one VPN. I have around 90 pf rules.


I may even chuck a squid cache on it given it's got heaps of free disk.

Lastly, does anyone know if these have a 40 pin IDE connector for the 
optional CDROM and if so do you reckon it would be able to boot from a 
compact flash ?


Cheers in advance.


Brian.



ifnet (frequency of updates)

2005-06-02 Thread Brian
I am stuck trying to find a piece of kernel code.

I am trying to find the kernel function(s) that update the ifnet structure post
the initial boot sequence.  I found the initial setup in
/usr/src/sys/kern/init_main.c, and I have been reviewing /usr/src/sys/net/if.c.
 At this point, I am not concerned with userland apps that update ifnet.

I am probably overlooking something.

Any man page read suggestions or other source files to look in?

What I am trying to do is figure out a way to capture the ifnet structure
members atomically (I'm experimenting.)  In if.c, the network hardware devices
are blocked (with splnet()) when ifnet is updated or member is deleted from the
list.  I do not know if it makes sense to block the device while walking the
list and copying it in userland.

Any suggestions are appreciated.  I am new to this, so it's taking a long time.

Thanks,

Brian



Re: 3.7 is released!

2005-05-20 Thread Brian W.
On Fri, 20 May 2005, Steve Loranz wrote:
 I'm confused.  The site says 3.7 was released yesterday just like
 Theo's mail says.  So, what is the CD claiming to be 3.7 that arrived
 at my door at the end of April?
 -steve

I heard that was a benefit given to folks who actually PAID for the OS.

Brian
The path to a desirable destination
is often more difficult than the path to stay where you are.


dns

2005-05-05 Thread Brian W.
I see now there's a patch, apologies for not checking errata first.
Brian
The path to a desirable destination
is often more difficult than the path to stay where you are.



Re: 3.6 caching resolver

2005-05-05 Thread Brian
Rod.. Whitworth wrote:
On Thu, 5 May 2005 10:31:56 -0700 (PDT), Brian W. wrote:
 

Anyone else notice this performing slowly.  I did a tcpdump and it appears 
localhost gets queried 2-3 times before a packet goes out.

   

I see quite a few delays and some failures to resolve that work with
one or two retries. I am using the default config file.
It is a bit annoying for me but I know to retry. The windows only users
on the LAN get a bit testy about server not responding messages (or
whatever it says) from their browsers
From the land down under: Australia.
Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
 

I did the 3.6 patch, that helped a little but it's still pokey.   It's a
p2-350 with 128 megs.  I'll have to do some comparison testing, either
FreeBSD on this hardware, or OpenBSD on a 1.2G p3.

Brian

