Re: dhclient implementation

2011-08-27 Thread Iñigo Ortiz de Urbina
On Sat, Aug 27, 2011 at 1:01 AM, Jona Joachim j...@hcl-club.lu wrote:
 On 2011-08-26, Iñigo Ortiz de Urbina inigoortizdeurb...@gmail.com wrote:
 Supersede gives me what I want. It just felt weird those entries
 ended up on resolv.conf when I had not requested them.

 Thanks and sorry for the noise.

 This is expected behaviour for the prepend option, it does just that:
 request the name servers and prepend the one(s) you supplied. That way
 by default the system will use the name server you supplied in the
 configuration file but will fall back to the ones given by your router
 in case the first name server is not reachable.

As I said to Jona off-list, yes, I understand that behavior. My line is
prepended and then anything else goes after it.

Still, what I do not understand is why two nameserver entries appear
on my resolv.conf, if I have never requested them.

 Best regards,
 Jona





--
Iñigo Ortiz de Urbina Cazenave
http://www.twitter.com/ioc32



dhclient implementation

2011-08-26 Thread Iñigo Ortiz de Urbina
Hi all users and developers

I simply noticed what I would call a weird behaviour on my 32 bit 4.9
GENERIC#671 box's dhclient, which I hope is not the expected behavior.
While reading RFC2131, I didn't find any sentence stating or implying
that is the desired behavior, as in a server MUST

Say I run a local instance of named on my machine. I don't want dhcp to
overwrite my resolv.conf, so I add the classical prepend
dns-name-servers to my dhclient.conf.

I capture the traffic while asking for an IP address (no prior leases)
and I can see how DHCP packets do not request DNS servers. However,
which I am afraid happens more often than not, my crappy Comtrend
domestic router ignores the request and simply decides to always
answer including my ISP's DNS servers. I could check this with
Wireshark also. The result is resolv.conf has 3 nameserver entries,
instead of the only one I want to prepend.

I also tried not prepending my localhost named entry, just in case
that would trigger something weird in the code and eventually
nameservers got appended. No luck.

dhclient.conf(5) states the following:

The protocol also allows the client to reject offers
 from servers if they don't contain information the client needs, or if
 the information provided is not satisfactory.

So, shouldn't dhclients just keep track of what they requested and just
accept that specific set of properties, instead of all that was sent by
the router? I am not talking about whether RFCs or the implementation
is correct or not. I am no authority of course. It simply seems
reasonable to me to implement it as I just mentioned. I understand
clients can ask for parameters that would lead to an invalid network
configuration. Still, Unix doesn't let you shoot yourself in the foot
for a good reason? Am I missing the obvious?

Any comment would be highly appreciated.

Thanks for your time and have a nice day



Re: dhclient implementation

2011-08-26 Thread Iñigo Ortiz de Urbina
Supersede gives me what I want. It just felt weird those entries
ended up on resolv.conf when I had not requested them.

Thanks and sorry for the noise.

2011/8/27 Iñigo Ortiz de Urbina tarom...@gmail.com:
 Hi all users and developers

 I simply noticed what I would call a weird behaviour on my 32 bit 4.9
 GENERIC#671 box's dhclient, which I hope is not the expected behavior.
 While reading RFC2131, I didn't find any sentence stating or implying
 that is the desired behavior, as in a server MUST

 Say I run a local instance of named on my machine. I don't want dhcp to
 overwrite my resolv.conf, so I add the classical prepend
 dns-name-servers to my dhclient.conf.

 I capture the traffic while asking for an IP address (no prior leases)
 and I can see how DHCP packets do not request DNS servers. However,
 which I am afraid happens more often than not, my crappy Comtrend
 domestic router ignores the request and simply decides to always
 answer including my ISP's DNS servers. I could check this with
 Wireshark also. The result is resolv.conf has 3 nameserver entries,
 instead of the only one I want to prepend.

 I also tried not prepending my localhost named entry, just in case
 that would trigger something weird in the code and eventually
 nameservers got appended. No luck.

 dhclient.conf(5) states the following:

 The protocol also allows the client to reject offers
  from servers if they don't contain information the client needs, or if
  the information provided is not satisfactory.

 So, shouldn't dhclients just keep track of what they requested and just
 accept that specific set of properties, instead of all that was sent by
 the router? I am not talking about whether RFCs or the implementation
 is correct or not. I am no authority of course. It simply seems
 reasonable to me to implement it as I just mentioned. I understand
 clients can ask for parameters that would lead to an invalid network
 configuration. Still, Unix doesn't let you shoot yourself in the foot
 for a good reason? Am I missing the obvious?

 Any comment would be highly appreciated.

 Thanks for your time and have a nice day





--
Iñigo Ortiz de Urbina Cazenave
http://www.twitter.com/ioc32
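
The check below is an added example, not part of the original thread: it audits a resolv.conf against the resolvers you expect, which is how you would confirm that `supersede` rather than `prepend` keeps lease-supplied name servers out. The 127.0.0.1 address for the local named, the 192.0.2.x ISP addresses and the function names are constructed or hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The dhclient.conf line the thread
# settles on, assuming the local named listens on 127.0.0.1:
#     supersede domain-name-servers 127.0.0.1;
# With "prepend", servers offered in the lease still follow your own entry.

# unexpected_nameservers FILE ALLOWED...
# Prints each nameserver address in FILE that is not in the allowlist.
unexpected_nameservers() {
    file=$1; shift
    allowed=" $* "
    # resolv.conf syntax: "nameserver ADDR"; '#' and ';' start comment lines.
    awk -v allowed="$allowed" '
        /^[ \t]*[#;]/ { next }
        $1 == "nameserver" && NF >= 2 {
            if (index(allowed, " " $2 " ") == 0) print $2
        }' "$file"
}

# audit_resolv FILE ALLOWED...
# Returns 0 when only allowed resolvers are present, 1 otherwise.
audit_resolv() {
    extra=$(unexpected_nameservers "$@")
    [ -z "$extra" ] && return 0
    echo "unexpected resolver(s) in $1:" $extra >&2
    return 1
}

# Constructed samples: the three-entry file described in the thread
# (prepend) and the single-entry file obtained with supersede.
sample_prepend() {
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n'
}
sample_supersede() {
    printf '# constructed sample\nlookup file bind\nnameserver 127.0.0.1\n'
}

# Demo run against the samples; point audit_resolv at /etc/resolv.conf
# to check a live system.
demo_dir=$(mktemp -d)
sample_prepend   > "$demo_dir/resolv.prepend"
sample_supersede > "$demo_dir/resolv.supersede"
for f in "$demo_dir/resolv.prepend" "$demo_dir/resolv.supersede"; do
    if audit_resolv "$f" 127.0.0.1; then
        echo "ok: $f"
    fi
done
rm -rf "$demo_dir"
```
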



Re: high Ierrs in netstat -ni

2010-10-17 Thread Iñigo Ortiz de Urbina
Maybe you can set debug on iwn using ifconfig. That would help troubleshooting.

Also, show output of ifconfig

On 10/17/10, frantisek holop min...@obiit.org wrote:
 hi there,

 i am running -current with iwn and i notice a high
 number of Ierr's in netstat -ni.
 0 would be ideal, right?


 i am using the latest firmware from iwn(4)

 $ netstat -ni
 Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
 lo0     33200 Link                             15262     0    15262     0     0
 lo0     33200 127/8       127.0.0.1            15262     0    15262     0     0
 lo0     33200 ::1/128     ::1                  15262     0    15262     0     0
 lo0     33200 fe80::%lo0/ fe80::1%lo0          15262     0    15262     0     0
 lii0*   1500  Link        fe:e1:ba:d0:6b:b3        0     0        0     0     0
 iwn0    1500  Link        00:21:5c:04:9e:19     7670   429     6903     0     0
 iwn0    1500  fe80::%iwn0 fe80::221:5cff:fe     7670   429     6903     0     0
 iwn0    1500  10.13.37/24 10.13.37.30           7670   429     6903     0     0
 enc0*   0     Link                                 0     0        0     0     0
 pflog0  33200 Link                                 0     0        0     0     0

 this is just 20m after reboot. with heavy traffic,
 it increases by the second..


 OpenBSD 4.8-current (GENERIC) #435: Thu Oct 14 13:37:41 MDT 2010
 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Celeron(R) M processor 900MHz (GenuineIntel 686-class) 631
 MHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF
 real mem  = 527527936 (503MB)
 avail mem = 508899328 (485MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 03/11/09, BIOS32 rev. 0 @ 0xf0010,
 SMBIOS rev. 2.5 @ 0xf06e0 (37 entries)
 bios0: vendor American Megatrends Inc. version 1302 date 03/11/2009
 bios0: ASUSTeK Computer INC. 701
 acpi0 at bios0: rev 0
 acpi0: sleep states S0 S3 S4 S5
 acpi0: tables DSDT FACP APIC OEMB MCFG
 acpi0: wakeup devices P0P3(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) MC97(S4)
 USB1(S3) USB2(S3) USB3(S3) USB4(S3) EUSB(S3)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 70MHz
 ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 5 (P0P3)
 acpiprt2 at acpi0: bus 3 (P0P5)
 acpiprt3 at acpi0: bus 1 (P0P6)
 acpiec0 at acpi0
 acpicpu0 at acpi0: C3, C2
 acpitz0 at acpi0: critical temperature 90 degC
 acpibat0 at acpi0: BAT0 model 701 serial   type LION oem ASUS
 acpiac0 at acpi0: AC unit offline
 acpiasus0 at acpi0
 acpibtn0 at acpi0: LID_
 acpibtn1 at acpi0: SLPB
 acpibtn2 at acpi0: PWRB
 acpivideo0 at acpi0: VGA_
 acpivout0 at acpivideo0: CRTD
 acpivout1 at acpivideo0: TVOD
 acpivout2 at acpivideo0: LCDD
 bios0: ROM list: 0xc/0xf800!
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82915GM Host rev 0x04
 vga1 at pci0 dev 2 function 0 Intel 82915GM Video rev 0x04
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 intagp0 at vga1
 agp0 at intagp0: aperture at 0xd000, size 0x1000
 inteldrm0 at vga1: apic 1 int 16 (irq 5)
 drm0 at inteldrm0
 Intel 82915GM Video rev 0x04 at pci0 dev 2 function 1 not configured
 azalia0 at pci0 dev 27 function 0 Intel 82801FB HD Audio rev 0x04: apic 1
 int 16 (irq 5)
 azalia0: codecs: Realtek ALC662
 audio0 at azalia0
 ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x04: apic 1 int 16
 (irq 5)
 pci1 at ppb0 bus 4
 ppb1 at pci0 dev 28 function 1 Intel 82801FB PCIE rev 0x04: apic 1 int 17
 (irq 11)
 pci2 at ppb1 bus 3
 lii0 at pci2 dev 0 function 0 Attansic Technology L2 rev 0xa0: apic 1 int
 17 (irq 11), address 71:ec:da:32:72:24
 ukphy0 at lii0 phy 1: Generic IEEE 802.3u media interface, rev. 2: OUI
 0x001374, model 0x0002
 ppb2 at pci0 dev 28 function 2 Intel 82801FB PCIE rev 0x04: apic 1 int 18
 (irq 10)
 pci3 at ppb2 bus 1
 iwn0 at pci3 dev 0 function 0 Intel Wireless WiFi Link 4965 rev 0x61: apic
 1 int 18 (irq 10), MIMO 2T3R, MoW2, address 00:21:5c:04:9e:19
 uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x04: apic 1 int 23
 (irq 3)
 uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x04: apic 1 int 19
 (irq 7)
 uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x04: apic 1 int 18
 (irq 10)
 uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x04: apic 1 int 16
 (irq 5)
 ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x04: apic 1 int 23
 (irq 3)
 usb0 at ehci0: USB revision 2.0
 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
 ppb3 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xd4
 pci4 at ppb3 bus 5
 ichpcib0 at pci0 dev 31 function 0 Intel 82801FBM LPC rev 0x04: PM
 disabled
 pciide0 at pci0 dev 31 function 2 Intel 82801FBM SATA rev 0x04: DMA,
 

Re: which monitoring do you use (on OpenBSD)

2010-08-10 Thread Iñigo Ortiz de Urbina
Mainstream open source monitoring is pretty much about munin, cacti,
nagios, zabbix. You can make any of these run on openbsd, AFAIK.

Even though they serve different purposes, my favourite (if no custom,
tailored solution is crafted) between these is cacti.

However, it's pretty disappointing the lack of support for alternative
(see psql) backends :( /rant

On 8/10/10, Eugene Yunak e.yu...@gmail.com wrote:
 On 10 August 2010 02:28, Jiri B. ji...@live.com wrote:
 Hello,

 I'm thinking to choose a monitoring tool which would run on OpenBSD
 of course.

 I have been working with Tivoli and Netview for couple of years so my
 idea is:

 * clients

 - heartbeats of course
 - simple interface to give a client some input as alert
 - text configuration on client node (can be pushed from central repo)
 - light

 * infrastructure nodes

 - proxy feature for far networks or dmz
 - filtering rules (thresholds, time filters ...)
 - text configuration
 - light

 * main server(s)

 - good filtering
 - surveillance console for monitoring center
 - be able to change status of an alert (acknowledge, closed, solved...)
 - be able to have some categories of clients based on roles

 I'm watching zabbix... not sure...

 If I wouldn't want event console I would probably check snmp - sec -
 snmptt.

 jirib



 Definitely nagios/cacti pair or zabbix. Having used nagios for a year
 or so, i would never want to get back to Tivoli. It also gives you
 lots of flexibility in how you setup your monitoring, and can neatly
 work with snmp as well.

 Eugene

 --
 The best the little guy can do is what
 the little guy does right



Re: developing openbsd?

2010-08-08 Thread Iñigo Ortiz de Urbina
I'd love to see such a document available. Depending on the scope of
this documentation effort, it could even be bundled as a package.

On 8/8/10, Tomas Vavrys vav...@cleancode.cz wrote:
 It would be great if anybody could share whole .vim/ & .vimrc. I
 could write OpenBSD Vim C Programming manual once and for all.

 2010/8/8 Darrin Chandler dwchand...@stilyagin.com:
 On Sun, Aug 08, 2010 at 04:39:56PM +0200, Tomas Vavrys wrote:
 Does any developer use c.vim plugin? I can't get it working properly
 according to STYLE(9). I would appreciate your settings. What other
 Vim plugins do you use?

 I have this in ~/.vim/after/ftplugin/c.vim:

 set cinoptions=t0,+4,(4,u4,w1
 set shiftwidth=8
 set softtabstop=8
 let c_space_errors=1

 That gets me somewhat close. Anyone want to share other ways or
 refinements?

 --
 Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
 dwchand...@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/
 http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: portrange with tcpdump

2010-05-25 Thread Iñigo Ortiz de Urbina
On Tue, May 25, 2010 at 7:26 PM, Daniel Bareiro daniel-lis...@gmx.net wrote:

 Hi all!

 I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
 following:

 # tcpdump -vvv udp and port 5060 or portrange 1-2000 -s0 \
  -i eht0 -w eavesdropping_ulaw.dump

 In this case, the interface is em0, but I see that with this tcpdump
 version there is no parameter 'portrange'. I'm using a version compiled
 with the source code obtained by anoncvs, because I wanted to install
 with pkg_add but was not available. I tried as follows, but without
 success:


No pkg_add needed, it's part of the base install:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/tcpdump/


 # tcpdump -vv udp and port 5060 or port = 1 and port = 2 -s0 \
  -i em0 -w eavesdropping_ulaw.dump
 tcpdump: syntax error


 Thanks in advance for your reply.

 Regards,
 Daniel


Also, does -s0 work on OpenBSD? I thought it was a GNU/Linux and
FreeBSDish hack. On OpenBSD, shouldn't it manually be set to whatever
your MTU is?



Re: time based rules on pf

2010-05-17 Thread Iñigo Ortiz de Urbina
On Mon, May 17, 2010 at 5:03 PM, Leonardo Carneiro - Veltrac lscarne...@veltrac.com.br wrote:

 There is a way to do time-based rules on pf? Something like this packet
 will /pass/ from 10h to 13h or this packet will /pass/ until 22h, 13
 june. I mean, there is a built-in mechanic to do this in pf or i'll
 need to write a script in cron to add and remove rules?

 Tks in advance
 --


As nobody jumps in here to -kind of- state the obvious, I don't think there's
such a thing already *built-in*.

For the archive and newcomers, you achieve this kind of thing, though, with
anchors and some duct tape scripting.
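
One way to do the "anchors and some duct tape scripting" mentioned above, as an added example that is not from the thread: a cron-driven script that keeps rules loaded in a pf anchor only between 10:00 and 13:00, the window from the question. The anchor name `timed`, the rules file `/etc/pf.timed` and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the main pf.conf contains
#     anchor "timed"
# and that the rules for the time window live in /etc/pf.timed
# (both names are hypothetical).

ANCHOR="timed"
RULES="/etc/pf.timed"

# to_minutes HH:MM -> minutes since midnight. Leading zeros are stripped
# so that 08 and 09 are not rejected as invalid octal by the shell.
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# in_window NOW START END -> exit 0 when START <= NOW < END.
# A window that wraps past midnight (22:00 to 06:00) is handled too.
in_window() {
    now=$(to_minutes "$1"); start=$(to_minutes "$2"); end=$(to_minutes "$3")
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# pf_command NOW START END -> prints the pfctl command for that moment:
# load the anchor's rules inside the window, flush them outside it.
pf_command() {
    if in_window "$1" "$2" "$3"; then
        echo "pfctl -a $ANCHOR -f $RULES"
    else
        echo "pfctl -a $ANCHOR -F rules"
    fi
}

# Crontab entry (script path assumed), re-evaluated every five minutes:
#   */5 * * * * PF_APPLY=1 /usr/local/sbin/pf-window.sh 10:00 13:00
# Without PF_APPLY=1 the command is only printed (dry run).
if [ "$#" -eq 2 ]; then
    cmd=$(pf_command "$(date +%H:%M)" "$1" "$2")
    if [ "${PF_APPLY:-0}" = 1 ]; then
        $cmd
    else
        echo "$cmd"
    fi
fi
```

Flushing the anchor only removes its rules; connections that already created state keep passing until those states expire or are killed.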



Re: OpenBSD virtualization

2010-04-01 Thread Iñigo Ortiz de Urbina
Err... do the homework first.

On Thu, Apr 1, 2010 at 2:45 PM, Digital Edge reachta...@hotmail.com wrote:

 Dear List,

 I am very much new to OpenBSD. I have two Sun UltraSparcT2 (Niagara2)
 servers. I have installed OpenBSD4.6 on that. But my intention is to
 install KVM/XEN on those boxes.

 Can anyone help me to do so


 Thanks,
 dE




Re: OpenSMTPd actual development and integration

2010-01-14 Thread Iñigo Ortiz de Urbina
On Thu, Jan 14, 2010 at 6:50 PM, Jean-Francois jfsimon1...@gmail.com wrote:
 Hi All,

 Could you please inform about the actual state of OpenSMTPd and when it
 shall be fully integrated into OpenBSD ?

 Thanks.

You can keep an eye on its development by tracking commits on the CVS
repository.

I can't tell as I am not using it currently but I would say it's already
integrated and pretty usable for common scenarios, not yet fully, if
at all, ready for production.

calomel.org has an article that can give you an idea of its actual
state. gilles@ or jacek@ can add more insight into this anyway.

Have a nice day

Iñigo



Re: Maximizing File/Network I/O

2010-01-05 Thread Iñigo Ortiz de Urbina
On Tue, Jan 5, 2010 at 9:13 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:

 There is much more to do. You can find some ideas eg. here
 http://www.openbsd.org/papers/tuning-openbsd.ps . It's good idea to
 follow outputs of systat, vmstat and top for some time to find
 bottlenecks.


I recall a message in misc (which I am not able to find on the archives)
about someone posting here the results of his research on optimizing and
improving OpenBSD overall performance (fs, network, etc).

Among the links he posted on his comprehensive compilation, he sent
tuning-openbsd.ps.

I remember one reply of a developer stating that some of those tuning
measures are not needed anymore as OpenBSD has grown quite a bit since that
time. Which are the recommended -always working- directions, then, to tune a
system for its particular needs?

My point is we all have to be careful and not follow guides or try values on
sysctls blindly (although experimenting is welcome and healthy) as we can
harm more than benefit we can get. Still, some environments will need
adjustment to push much more traffic than GENERIC can, and this is a really
hard task to accomplish unless you are a @henning or @claudio :)


 On Tue, Jan 5, 2010 at 9:04 AM, nixlists nixmli...@gmail.com wrote:
  On Tue, Jan 5, 2010 at 1:45 AM, Bret S. Lambert blamb...@openbsd.org wrote:
  Start with mount_nfs options, specifically -r and -w; I assume that
  you would have mentioned tweaking those if you had already done so.
 
  Setting -r and -w to 16384, and jumbo frames to 9000 yields just a
  couple of MB/s more. Far from 10 MB/s more the network can do ;(
 
 



 --
 http://www.openbsd.org/lyrics.html



Re: allow dhcp in pf

2009-11-24 Thread Iñigo Ortiz de Urbina
On Tue, Nov 24, 2009 at 3:45 PM, Otto Moerbeek o...@drijf.net wrote:

 On Tue, Nov 24, 2009 at 03:37:58PM +0100, Andreas Mueller wrote:

  open...@e-solutions.re wrote:
   Hello
  
   i added these lines :
   pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 67
   pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 68
  Clients most certainly don't send dhcp request packets to your gateway
  but to multicast, so set destination to 255.255.255.255.
 
  
   my dhcpd.conf is a standard config...
   my hostname.bge0 :
   inet 192.168.0.1 255.255.255.0 NONE
  
   if i configure a machine with static ip address, all works fine.
   Using DHCP is not possible, pf block it, and i don't understand why...
   Can you help me please ?
 
  Andreas

 No no no, listen to what claudio wrote. dhcp packets are grabbed by
 dhclient or dhcpd before pf sees them.

-Otto


Otto is right, don't keep suggesting things and listen to Claudio's words.

I came across this issue some time ago, I was quite confused on why pf
and dhcpd or dhclient are both on top of bpf device, however after
some thinking everything made sense.

http://onlamp.com/lpt/a/4839 can help in spite of being an interview from
2004. Design hasn't changed that much, as far as I know.



Re: 4.6 arriving

2009-10-20 Thread Iñigo Ortiz de Urbina
On Tue, Oct 20, 2009 at 1:08 PM, Dennis Davis d.h.da...@bath.ac.uk wrote:

 On Fri, 9 Oct 2009, Martin Schröder wrote:

  From: Martin Schröder mar...@oneiros.de
  To: OpenBSD general usage list misc@openbsd.org
  Date: Fri, 9 Oct 2009 13:07:01
  Subject: Re: 4.6 arriving
  X-Spam-Score: 0.0 (/)
 
  2009/10/9 Bret S. Lambert bret.lamb...@gmail.com:
   On Fri, Oct 09, 2009 at 09:30:07AM +0200, Lukas Ratajski wrote:
   Oh man, I'd LOVE to give the 2.1 version a boot opportunity on
   i386.  Just for the sake of curiosity. Anyone offering a copy?
  
   Yes, but it's a collectible at this point:
   https://https.openbsd.org/cgi-bin/order
 
  Indeed. But 2.4 is the real collectible. :-)

 I'm rich!  I'm rich!!  I'm rich!!!

 I'm rich because OpenBSD4.6 arrived last week.

 I'm also rich because I found all my early OpenBSD releases,
 that's release 2.1 to 3.1.  Which includes the pricey OpenBSD2.1,
 OpenBSD2.2, OpenBSD2.3 & OpenBSD2.4 CDs.

 Now this is a problem.  The cardboard-box-under-the-bed bank is
 possibly a little too insecure for such great treasures.  I'll have
 to place them in a hermetically-sealed, lead-lined box and bury them
 in the garden.  Sigh, and then forget where they are.  Leaving some
 future fortunate to find this treasure trove long after I'm gone.
 Damn, I'll be worrying about this for some time.

 ...with great wealth comes great responsibility...


Discs arrived to Donostia-San Sebastian, Basque Country, Spain, just some
minutes ago.

Thanks a lot to Theo and assorted developers and OpenBSD Europe for their
impeccable work on delivering this wonderful OS just on time. Muchisimas
gracias!



Re: Supporting OpenBSD

2009-09-09 Thread Iñigo Ortiz de Urbina
On Wed, Sep 9, 2009 at 11:54 AM, Jordi Espasa Clofent jordi.esp...@opengea.org wrote:

 People, it is time to get your browsers over to
  http://www.openbsd.org/orders.html
 and start running some money into the project.


 Done.
 +1

 ;)

 --
 Thanks,
 Jordi Espasa Clofent


+2 from Euskadi and Catalunya, Spain, so to speak :)



Re: Accessing lan from internet

2009-09-03 Thread Iñigo Ortiz de Urbina
On Thu, Sep 3, 2009 at 8:08 AM, Dorian Büttner dorian.buett...@gmx.de wrote:

 halcon wrote:

  On Wed, 02-09-2009 at 18:48 +, Daniel Bolgheroni wrote:


 On Wed, 2 Sep 2009, halcon wrote:



 Hello

 I am administering a small linux/windows lan from my laptop/OpenBSD-4.5
 base, without any problem, using # ssh u...@192.168.0.xxx; how could i
 access the lan from internet?

 u...@hostname? u...@external ip?

 I have read many docs without success, thanks in advance.

 francisco

 Are you using these cheap routers available everywhere?

 Port forwarding, forwarding, virtual server, etc.



 Yes, i am, my gateway is 192.168.0.1 it is a cheap D-Link, behind, there
 are 2 Linux boxes (Ubuntu and Slackware), and 2 windows boxes (Windows
 Pro 2000 and Windows XP Home).

 If i understood well; it could be:



 ssh [hostname|IP] -- log into hostname as current username



 ssh Slackware|192.168.0.1



 ssh au...@[hostname|IP] --log into hostname as auser



 or ssh j...@slackware|192.168.0.1



 where IP is the current gateway to your lan.



 Is it correct, Dhu?


 I use ssh -l username host ip or fqdn

 Me too, I find it faster to type.
@halcon: if you still plan to access the LAN from the Internet without DMZ
be sure to at least read any of the ssh best practices thread or articles
out there, AND man sshd and the like.



Re: strange (?) ssh user

2009-08-21 Thread Iñigo Ortiz de Urbina
On Fri, Aug 21, 2009 at 7:19 AM, Uwe Dippel udip...@uniten.edu.my wrote:

 Recently, I noticed an ssh user on one of my machines, who never logged on,
 is not visible with 'last', seems to have no terminal active, and is back
 immediately after a reboot.
 Hmm.
 root 13415  0.0  0.9  3280  2420 ??  Ss12:04PM0:00.08 sshd:
 isuser
 isuser   702  0.0  0.7  3280  1824 ??  S 12:04PM0:00.00 sshd:
 isuser
 Whatever I do with finger, w, last, no trace of any activity; not even a
 login.
 I tried to kill the processes, and they are gone, but the next second
 another pair is up.

 Could anyone help me to explain what is going on here?

 Uwe


As it's not clear to me if isuser is a user you trust, created or needed for
your services, I would say your machine might have been compromised. What
kind of traffic is isuser generating? Is it just a reverse ssh shell? Can
you shutdown his account or set his/her/its shell to nologin(8)?

Next install you might consider following the advice of mtree(8) as the
output of previous and current `mtree -cK sha1digest` would be really
useful here.



Re: Use memory as disk

2009-08-21 Thread Iñigo Ortiz de Urbina
On Fri, Aug 21, 2009 at 2:03 PM, obvvbooo obvvbooo obvvb...@googlemail.com wrote:

 Hi,

 Is there a way to use memory as a disk/partition? Such as mount it to
 /mnt/mem or such things. I can't find information of this in the man pages
 and after googled,


Haven't tried this before but you should be able to create your own ramdisks
with rdconfig(8).


 I found rd for OpenBSD, which seems similar with md
 in FreeBSD. But still not useful. Anybody help?

 Thanks


Just wondering, how come it is not useful? Is it because your fresh ramdisk
is not immediately usable right after creating it?



Re: pf, altq, packet rate

2009-05-25 Thread Iñigo Ortiz de Urbina
On Mon, May 25, 2009 at 10:35 PM, Philip Guenther guent...@gmail.com wrote:
 2009/5/25 irix i...@ukr.net:
 And it will be added to the main tree?

 Let's see, no code, no mention of license, and no demonstration that
 it actually solves a/your problem.  How can your question possibly be
 answered?


 Philip Guenther


Probably you are right but I'd recommend him style(9), in spite of not
being a developer at all.

Just in case (s)he feels in the mood.



Re: OpenBSD and VPN 1411 Cryptographic Card

2009-05-20 Thread Iñigo Ortiz de Urbina
On Wed, May 20, 2009 at 10:15 PM, Stuart Henderson s...@spacehopper.org wrote:
 On 2009-05-20, João Salvatti salva...@gmail.com wrote:
 Hi misc,

 I bought a Soekris Net5501 with a cryptographic card VPN1411
 (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
 Hardware random number generator) and I would like to know if any
 configuration is needed in OpenBSD kernel to use this card when
 cryptography is necessary.

 eg. When a VPN IPSec is done.

 You might want to check that it's not actually slower when you use the card.



Some basic benchmarking would be appreciated, for the sake of the
list. As a newcomer I am really interested in understanding the
cryptohardware framework.

I would have never said accelerated hardware could perform any worse.
Interesting point Stuart.



Re: old and new pf tandem test ---help

2009-05-19 Thread Iñigo Ortiz de Urbina
Mehma,

You can find more info on the performance boost, and how developers
achieved it, in this article. You can go through all of it as it's
really interesting IMHO:

http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html

Hope it helps you feel the need of trying pf _at home_ :)


On Tue, May 19, 2009 at 7:20 AM, mehma sarja mehmasa...@gmail.com wrote:

 Otto, Henning and Stuart to-the-point answers. Thanks guys. I have taken
 the post over to FreeBSD list. However, Henning, I am curious why you call
 pf on anything but OpenBSD a starter drug? Is the performance difference
 that huge? pf on FreeBSD 7.2 is version 4.1.

 You have piqued my interest and may convince me to switch to OpenBSD. Keep
 the posts coming.

 Yudhvir



Re: old and new pf tandem test ---help

2009-05-19 Thread Iñigo Ortiz de Urbina
On Tue, May 19, 2009 at 2:37 PM, Stuart Henderson s...@spacehopper.org wrote:
 On 2009-05-19, Iñigo Ortiz de Urbina tarom...@gmail.com wrote:
 Mehma,

 You can find more info on the performance boost, and how developers
 achieved it, in this article. You can go through all of it as it's
 really interesting IMHO:

 http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html

 Hope it helps you feel the need of trying pf _at home_ :)

 That is a good start, but there have been other changes since.
 Not only pf, but also pfsync, nic drivers, and more.

 -current has some nice extras (added after 4.5) for ruleset sanity
 too. For example, match rules, which are absolutely great when
 combined with tags.



Indeed, and the active-active setup.

For those interested, here's more info on the subject:

Lecture: http://www.youtube.com/watch?v=cBxDgevQpCg
Paper, part 1: http://undeadly.org/cgi?action=article&sid=20090220014805



Re: Why so cool OS doesn't have vuln database?

2009-05-16 Thread Iñigo Ortiz de Urbina
I wonder if he is after something similar to portaudit[1] on OpenBSD?


[1]: http://www.freebsd.org/doc/en/books/handbook/security-portaudit.html


2009/5/16 Tomáš Bodžár tomas.bod...@gmail.com

 I think that you are looking for tool which isn't available under
 OpenBSD. Here you must know what you are doing. Do you read FAQ part of
 pages?

 2009/5/16 Yuriy Grishin grishin-mailing-li...@minselhoz.samara.ru:
  J Sisson wrote:
 
  Sorry, I meant your_last_post.[your configuration].
 
  In other words, it'd help people make recommendations if we knew the
  hardware you were running and what changes you'd made to the base system.
 
  Here you are the output of dmesg
 

-
 ---
  # dmesg
  OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009
      dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
  cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 361 MHz
  cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
  real mem  = 267939840 (255MB)
  avail mem = 250789888 (239MB)
  mainbus0 at root
  bios0 at mainbus0: AT/286+ BIOS, date 07/21/99, BIOS32 rev. 0 @ 0xfb3c0,
  SMBIOS rev. 2.2 @ 0xf0800 (32 entries)
  bios0: vendor Award Software International, Inc. version 4.51 PG date
  07/21/99
  apm0 at bios0: Power Management spec V1.2 (slowidle)
  apm0: AC on, battery charge unknown
  acpi at bios0 function 0x0 not configured
  pcibios0 at bios0: rev 2.1 @ 0xf/0xb848
  pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfddc0/128 (6 entries)
  pcibios0: PCI Exclusive IRQs: 10 11 12
  pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00)
  pcibios0: PCI bus #0 is the last bus
  bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xc9000/0x800
  cpu0 at mainbus0: (uniprocessor)
  pci0 at mainbus0 bus 0: configuration mode 1 (bios)
  pchb0 at pci0 dev 0 function 0 Intel 82439TX System rev 0x01
  piixpcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x01
  pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel
  0 wired to compatibility, channel 1 wired to compatibility
  wd0 at pciide0 channel 0 drive 0: Conner Technology CT204
  wd0: 16-sector PIO, LBA, 4100MB, 8397686 sectors
  wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
  wd1 at pciide0 channel 1 drive 0: ST320410A
  wd1: 16-sector PIO, LBA, 19092MB, 39102336 sectors
  wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
  uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: irq 10
  piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x01: SMBus
  disabled
  xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 11,
  address 00:04:79:67:c3:ec
  bmtphy0 at xl0 phy 24: 3C905C internal PHY, rev. 6
  xl1 at pci0 dev 11 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10,
  address 00:01:02:0a:60:2f
  bmtphy1 at xl1 phy 24: 3C905C internal PHY, rev. 7
  vga1 at pci0 dev 12 function 0 S3 ViRGE rev 0x06
  wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
  wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
  isa0 at piixpcib0
  isadma0 at isa0
  com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
  com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
  pckbc0 at isa0 port 0x60/5
  pckbd0 at pckbc0 (kbd slot)
  pckbc0: using irq 1 for kbd slot
  wskbd0 at pckbd0: console keyboard, using wsdisplay0
  pcppi0 at isa0 port 0x61
  midi0 at pcppi0: PC speaker
  spkr0 at pcppi0
  lpt0 at isa0 port 0x378/4 irq 7
  npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
  fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
  usb0 at uhci0: USB revision 1.0
  uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
  biomask f765 netmask ff65 ttymask 
  mtrr: K6-family MTRR support (2 registers)
  softraid0 at root
  root on wd0a swap on wd0b dump on wd0b
  WARNING: / was not properly unmounted
 

-
 ---
 
  ...and what the custom_options?
  Where can I find them?
 
  --
  Code cheap ($3 for an application)
 
 



 --
 http://www.openbsd.org/lyrics.html



Re: sendmail vs. other MTAs

2009-05-12 Thread Iñigo Ortiz de Urbina
On Tue, May 12, 2009 at 12:54 AM, Dan d...@ourbrains.org wrote:
 Daniel Ouellet(dan...@presscom.net)@2009.05.11 18:08:02 -0400:
 This new smtpd better be at least as good as qmail, otherwise - what's
 the point?

 For fun and learning dammit. It's been explained on undeadly before and in
 the list. And because it's smaller, easier to maintain, clean and works!


Apart from fun and learning, as Daniel says, the point is pretty much
the same to assigning developer resources to opencvs or openntpd for
example: having things done how they think have to be done, and trust
me Dan, I learnt long ago (and you should) that in most scenarios,
they are on the right track and we have nothing to do but learn from
their skills and ideas, and THANK them (at least showing a thankful
attitude).

Have a nice day



Re: sendmail vs. other MTAs

2009-05-10 Thread Iñigo Ortiz de Urbina
On Sun, May 10, 2009 at 2:48 PM, FRLinux frli...@gmail.com wrote:
 On Sun, May 10, 2009 at 1:34 PM, Felipe Alfaro Solana
 felipe.alf...@gmail.com wrote:
 Why isn't Postfix included?
 The license is not free, and thus can not be considered.

 And anyways, I found that switching from sendmail to postfix is
 extremely easy in OpenBSD.

 Yay, another 20k long thread for nothing...

 Consider reading Gilles' implementation of smtpd :
 http://undeadly.org/cgi?action=article&sid=20081112084647

 Steph

I am really excited towards seeing Gilles' implementation stable
enough to make its way to base. One of the things I like most about
OpenBSD is that it always gets better with each release, and his smtpd
would bring us an even more compact, feature rich and easy to
configure OS (with sane defaults ;)

Keep up the great work!