Re: help
On 8 November 2010 10:46, steve st...@crs.com wrote: help I need somebody.
Re: Enough is enough!
Srsly, if bsdmaster goes, I'm going too. How could OpenBSD survive without him! Quick to www.haiku-os.org ! -- joe.
Re: 4.8 arrival!
On 29 October 2010 04:08, Theo de Raadt dera...@cvs.openbsd.org wrote: Would you please consider uploading an iso image of your OpenBSD 4.8 to some public tracker such as thepiratebay.org? 4.8 is not yet released. If you are unfamiliar with the process of making an iso-image out of a CD, or if you need help with the generation and upload of the torrent file, I may be of some help. Just ask. Gee, thanks. Thanks a lot, this will be of great use for poor folks like me who cannot afford the expensive license fees. Yes, I said it, 50CDN$ is very expensive. Maybe the OpenBSD Company could set up something like MSDNAA, for students to get access to the software for free? Or maybe we could go broke instead? Anyway, I'm getting off topic. PS: please people, stop bottom-posting. It forces me to scroll down to read the latest message, and I don't like that. Show some common sense! Stop thinking of only yourself. The fact that Theo is so reasonable with this reply leads me to conclude that he, in fact, is the TrollMaster. -- joe.
Re: OpenBSD 4.6 + carp + pf + pfsync lockup
2010/9/9 Martin Pelikan martin.peli...@gmail.com: Hello Martin, I thought the same when I played with TCP buffers set to 1M and after some heavy load tests I went out of RAM quite soon :-) The machine had 2G. Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of traffic at peak. It does need to maintain a largeish state table, as it is predominantly web traffic, but I've run much much larger and busier sites behind much smaller hardware with the same configs before. I assume ping doesn't work either. Have you raised the recv/send space? Have you tried entering ddb? (you need to set the sysctl before start) No, both machines don't ping and they completely hardlock. I can only think it is an issue with pfsync, which causes both to lock up at the same time, but that is a guess. I guess I'll just upgrade them to 4.7 speculatively and hope it doesn't happen again. recv/send: net.inet.tcp.recvspace=16384 net.inet.udp.recvspace=41600 j...@f1:/home/joe sysctl -a |grep send net.inet.tcp.sendspace=16384 net.inet.udp.sendspace=9216 Too low? What is a good value for them? Thanks for your assistance. -- joe.
OpenBSD 4.6 + carp + pf + pfsync lockup
Hey guys, I'm running two HPDL360 G5 servers with OpenBSD 4.6+carp+pf+pfsync as an active/passive firewall pair. Both are running: (full dmesg at bottom, along with edited pf.conf, in case it's relevant) j...@f2:/home/joe uname -a OpenBSD f2 4.6 GENERIC.MP#81 amd64 I've had a weird problem happen twice now. It seems after about 4 - 6 weeks of running very happily, both servers lock up completely at the same time. Both consoles show no error messages, but the cursor is blinking away happily. Neither console will take any input and the only remedy is to power cycle them. There is nothing unusual in any of the logfiles. I'm planning on updating them to 4.7 anyway, but is this a problem that people are aware of? Is there a fix? Kind regards
Re: IPSec to Checkpoint
On Wed, Nov 12, 2008 at 07:13:05PM +0100, Hans-Joerg Hoexer wrote: Support for specifying aes key sizes was added February 2008, thus 4.2 does not provide this. Ah, thought so. Well, I got it working by reverting back to using the old isakmpd.conf method. Thanks for your time. -- joe. Fishing doesn't count as a sport.
Re: IPSec to Checkpoint
On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote: Hey there, I don't know if your isakmpd.conf is good or not. The general part seems good. But I'm wondering why you are not using the new configuration file (/etc/ipsec.conf) It's much easier to use and to maintain over time. For your part, you'll have to keep default lifetime in isakmpd.conf as it's not supported in ipsec.conf. Aah, I somehow missed that change. I'll look into that. Thanks -- joe. George Lucas was born a nerd and will die a nerd.
Re: IPSec to Checkpoint
On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote: Hey there, OK, so I've switched to ipsec.conf and it is a lot easier! However, I'm still struggling to use aes 256. I have the following:

ike esp from 195.24.xxx.x/25 to 62.232.yyy.y/27 \
	local 195.24.aaa.aa peer 62.232.bbb.bbb \
	main auth hmac-sha1 enc aes group modp1024 \
	quick auth hmac-sha1 enc aes psk sudomakemeagoat

This uses aes128. Is there any way to get aes256 working? Note: I'm on 4.2, was 256 support added later? If not, is there any way I could enable 256 on 4.2? -- joe. I can't believe Alan Davies would do that. I absolutely love him!
IPSec to Checkpoint
Hey guys, I'm struggling to get isakmpd to talk to a checkpoint firewall. I need the following parameters:

General IKE Properties = AES-256 with SHA1
IKE Phase 1 SA = Group2 (1024 bit)
IKE Phase 1 SA renegotiation = 1440
IKE Phase 2 SA renegotiation = 3600

The network layout looks as follows:

OurNet OurFirewall Internet TheirFW TheirNet
195.24.xxx.xxx/25 - 195.24.xxx.yyy - 62.232.xxx.xxx 62.232.xxx.yyy

I currently have the following in my isakmpd.policy:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true";

And my isakmpd.conf is at the end. Any pointers guys?

[General]
Retransmits=5
Exchange-max-time= 120
Listen-on= 195.24.xxx.yyy
Default-phase-1-lifetime= 1440,60:86400
Default-phase-2-lifetime= 3600,60:86400

[Phase 1]
62.232.xxx.xxx= local-remote

[local-remote]
Phase= 1
Transport= udp
Local-address= 195.24.xxx.yyy
Address=62.232.xxx.xxx
Configuration= Default-main-mode
Authentication= makemeagoatorsomething

[Phase 2]
Connections=VPN-local-remote-62.232.xx.yy/255.255.255.224

[VPN-local-remote-62.232.xx.yy/255.255.255.224]
Phase= 2
ISAKMP-peer=local-remote
Configuration= Default-quick-mode
Local-ID= network-195.24.xxx.xxx/255.255.255.128
Remote-ID= network-62.232.xxx.yyy/255.255.255.224

[network-195.24.xxx.xxx/255.255.255.128]
ID-type=IPV4_ADDR_SUBNET
Network=195.24.xxx.xx
Netmask=255.255.255.128

[network-62.232.xxx.yyy/255.255.255.0]
ID-type=IPV4_ADDR_SUBNET
Network=62.232.xxx.yyy
Netmask=255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Life= ANY
Transforms= AES-256-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-256-SHA-SUITE

[AES-256-SHA]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,256:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_MAIN_MODE

[QM-ESP-AES-256-SHA-SUITE]
Protocols= QM-ESP-AES-256-SHA

-- joe.
Re: ping: sendto: No buffer space available when using bittorrent or another p2p
On Mon, Jul 21, 2008 at 10:53:23AM -0600, Daniel Melameth wrote: On Mon, Jul 21, 2008 at 10:39 AM, Joe Warren-Meeks [EMAIL PROTECTED] wrote: The default limit for number of states is quite low. Try adding the following to pf.conf and running pfctl -vf /etc/pf.conf set limit { states 5000, frags 5000, src-nodes 5000 } You can up the values if they are too low. Use pfctl -s info to view how many entries there are in the state table beforehand and compare it to afterwards. FWIW, the default state and src-nodes limit is twice what you have above. Oops you are right :-) That was meant to be 5, not 5000. I have mine set to 500,000, as we have loads of ram and a load of busy sites. -- joe. It'll cost you many a shilling.
Re: ping: sendto: No buffer space available when using bittorrent or another p2p
On Mon, Jul 21, 2008 at 03:55:41PM +0200, Amaury De Ganseman wrote: Hey there, I run OpenBSD 4.3 on my gateway. But when a machine behind the NAT/gateway uses bittorrent (or gtk-gnutella) I lose packets. For example when I try to do a ping www.google.com I can see ping: sendto: No buffer space available (on my gateway) It's the same if I use gtk-gnutella. I think it's related to the huge number of states (about 1500 for bittorrent) The default limit for number of states is quite low. Try adding the following to pf.conf and running pfctl -vf /etc/pf.conf set limit { states 5000, frags 5000, src-nodes 5000 } You can up the values if they are too low. Use pfctl -s info to view how many entries there are in the state table beforehand and compare it to afterwards. HTH. -- joe. Denim is old news. Who wants to look like a member of B*witched?
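The check suggested in the two replies above (read the state count from pfctl -s info and compare it with the configured limit), as an added example that is not part of the original thread. The sample output is constructed; its layout, the reading of the `memory` counter, and the `warn_ratio` threshold are assumptions of this example.

```python
import re

# Constructed sample text, shaped like the output of `pfctl -s info` and
# `pfctl -s memory`. The numbers are invented for this example.
SAMPLE_INFO = """\
Status: Enabled for 12 days 03:14:07          Debug: Urgent

State Table                          Total             Rate
  current entries                     4871
  searches                        91822334           87.5/s
  inserts                           613020            0.6/s
  removals                          608149            0.6/s
Counters
  match                             702113            0.7/s
  memory                               318            0.0/s
"""

SAMPLE_MEMORY = """\
states        hard limit     5000
src-nodes     hard limit     5000
frags         hard limit     5000
"""


def parse_info(text):
    """Return (current state entries, value of the 'memory' drop counter)."""
    entries = re.search(r"^[ \t]*current entries[ \t]+(\d+)", text, re.M)
    if entries is None:
        raise ValueError("no 'current entries' line; is pf enabled?")
    # Assumption: the 'memory' counter counts packets pf dropped because an
    # allocation failed, which includes hitting the hard limit on states.
    memory = re.search(r"^[ \t]*memory[ \t]+(\d+)", text, re.M)
    return int(entries.group(1)), int(memory.group(1)) if memory else 0


def parse_limits(text):
    """Map each pool name in `pfctl -s memory` output to its hard limit."""
    pattern = r"^(\S+)[ \t]+hard limit[ \t]+(\d+)"
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.M)}


def state_table_report(info_text, memory_text, warn_ratio=0.8):
    """Compare the live state count with the 'states' limit.

    warn_ratio is a hypothetical threshold: at or above this fill level, or
    with any memory drops recorded, the report suggests raising the limit.
    """
    current, dropped = parse_info(info_text)
    limit = parse_limits(memory_text)["states"]
    return {
        "current": current,
        "limit": limit,
        "percent": round(100 * current / limit, 1),
        "memory_drops": dropped,
        "raise_limit": current / limit >= warn_ratio or dropped > 0,
    }


if __name__ == "__main__":
    print(state_table_report(SAMPLE_INFO, SAMPLE_MEMORY))
```

On a live firewall the two strings would come from running the two pfctl commands before and after reloading pf.conf.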
Re: Multiple FTP servers behind firewalls
On Wed, Jun 04, 2008 at 06:06:47PM -0400, Calomel wrote: Joe, We have used a CARP firewall (two machines in failover and not load balancing) in front of a dozen ftp servers. We use 12 different ip addresses in total. One ftp-proxy for each CARP interface and forwarding the traffic to one of the 12 backend ftp server. This works fine. Ftp-Proxy (forward and reverse proxy) https://calomel.org/ftp_proxy.html Thanks, that is exactly what I'm looking for :) Also, I've read through some of the papers on your site and it is extremely useful! Thanks for a wonderful resource. -- joe. Hasn't Shane Richie done well for himself?
Multiple FTP servers behind firewalls
Hey guys, I have a pair of OpenBSD firewalls, using carp+pf protecting all our services. Now, we are going to end up in a situation where we need to have multiple separate ftp servers behind these firewalls (one per project). Currently I'm thinking of creating a new CARP interface on the external interface with a unique IP and a separate ftp-proxy per back-end server My question is basically has anyone done this already and does it work? Are there any problems with having multiple CARP interfaces using the same physical one? Is there a better, easier solution? It's times like these that I wish the ftp protocol included vhosts. Cheers chaps. -- joe. I don't like Annika. She's so pretentious.
NAT Rules
Hello there, We have two separate datacentres, one using 172.16.1.0/24 and the other using 172.16.2.0/24. In front of both are NAT'ing OpenBSD firewalls, using something like: nat on $ext_if from prv_net -> ($ext_if:0) (Where prv_net contains the netblock of that datacentre). Now, I would like that NAT to be conditional on the destination address, such that if a packet from datacentre a (172.16.1.12) was heading to datacentre b (172.16.2.16), then it wouldn't get NAT'ed. Is that possible? How would I do that? Thanks -- joe. Excuse me? Is that your samosa?
Re: NAT Rules
On Thu, May 22, 2008 at 06:18:21PM +0100, Joe Warren-Meeks wrote: Hey there, We have two separate datacentres, one using 172.16.1.0/24 and the other using 172.16.2.0/24. In front of both are NAT'ing OpenBSD firewalls, using something like: nat on $ext_if from prv_net -> ($ext_if:0) Ignore me, I just found no nat. -- joe. I have a lot of time for David Pleat.
PF, CARP and ospfd
hey guys, I have a couple of firewalling routers, running OpenBSD 4.2 + pf + carp + OpenOSPFD. Similar to the below: | | |.2|.3 192.168.1.0/24 | .1(CARP addy) | ------ | fw1 | | fw2 | | | | | | .2 | .3 192.168.2.0/24 | .1 (CARP addy) | | | .111 --- | Host| | | --- Both routers run OSPF, with the following in their config: area 0.0.0.2 { interface em0 interface carp1 interface carp2 } Where em0 is the external interface. FW1 is advskewed to be master. Now, this is all fine and works a treat. I can reach the host fine, and OSPF pays attention to the status of the CARP master / backup interfaces. Now, I want to add a new router, next to the Host. To do that, I enable ospf on the internal interface, by adding interface em1 to the area 0.0.0.2 stanza above. Suddenly, ospfd stops honouring the CARP status, and connectivity to the host becomes sporadic. I.e. Inbound packets go through fw1, master and the host attempts to default router back through the CARP address (.1) OSPF, however, announces fw2 the designated router, so packets bing over to that, where they are blocked as (I guess) state isn't replicated quickly enough. Any ideas where I'm going wrong? -- joe. God, how I wish I didn't exist.
Re: PF, CARP and ospfd
On Mon, May 19, 2008 at 05:03:37PM +0100, Joe Warren-Meeks wrote: hey guys, I have a couple of firewalling routers, running OpenBSD 4.2 + pf + carp + OpenOSPFD. I've realised my problem. Using the internal carp interface assures that routes will only be announced when it is set to master. If I also have ospf working on the real internal interface (to talk to the next router) then the state of the carp interface doesn't matter, the internal routes will still be announced. The fix is, redistribute static and a static route. -- joe.
4.2 and em(4)
Hey guys, I have a pair of firewalls running fully patched OpenBSD 4.2. These are DL140s and I have the optional quad gigabit ethernet card in them. Now, whenever I use the GENERIC kernel, all is well. However, if I switch to the GENERIC.MP kernel I lose connectivity and get em0: watchdog timeout resetting messages. Does anyone know what is causing this and what I can do about it? Thanks in advance
Re: 4.2 and em(4)
On Mon, Apr 14, 2008 at 05:38:21PM +0200, Jordi Espasa Clofent wrote: Hey there, According to several messages I've read from Henning or Daniel in present and @pf list, there are not any benefits in running PF with MP kernels (and multi-processor boxes, of course). You can even get poorer performance than a uni-processor kernel/box. If the box was only doing pf stuff, then that would be correct. If you were to put a bunch of ftp-proxys on there too, then MP would help, no? -- joe. They do free shipping on new futons.
HP DL140
Hey there, Anyone had any truck installing OpenBSD on an HP DL140? I have tried several times and it just hangs after uncompressing the kernel, right before the copyright message from the kernel. Anyone know the magic cockerel wave to get them to boot? (Note, using 4.2 release) Thanks. -- joe. He has this massive ashtray that's like an Aladdin's lamp.
Re: HP DL140
On Wed, Apr 09, 2008 at 11:16:12AM +0200, Raimo Niskanen wrote: Which generation of DL140? I know there were some problems with the G3, but it did boot. I think it is the G3. It is the latest generation. several times and it just hangs after uncompressing the kernel, right before the copyright message from the kernel. I guess it is the install kernel that hangs. Correct. Anyone know the magic cockerel wave to get them to boot? (Note, using 4.2 release) Have you tried both i386 and amd64? Ah, no. It is definitely the intel cpu though. Still worth trying the amd? -- joe. Answer me this... why is it that now I am getting hitched, all these men start flirting with me?
Re: ftp-proxy and carp
On Wed, Mar 12, 2008 at 12:28:00PM +, Joe Warren-Meeks wrote: Hey chaps, I have a pair of OpenBSD firewalls running CARP Thanks for your help guys. -- joe. Daddy, can we play a game of brinkmanship?
ftp-proxy and carp
Hey chaps, I have a pair of OpenBSD firewalls running CARP $ uname -a OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386 They both have internal and external addresses and an internal carp and external carp address shared. Now, they are protecting an FTP server that I want to allow access to. Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work. Is this possible, or do I have to bind it to the real address and let inbound ftp fail in the event of a failover? -- joe. Have you seen the syrup on that bloke? Unreal.
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
On Thu, Feb 21, 2008 at 08:10:16PM +0100, Nick Nauwelaerts wrote: I don't really see how this is related to openbsd, but ilo2 wins hands down to drac, but has a costly advanced license. Installing openbsd through ilo2 virtual cd works just fine btw. I thought you only needed the license if you used higher resolutions than a basic console. If you are just using text mode on the console, then they work excellently. I've used both with OpenBSD firewalls and infinitely prefer the HP ones. -- joe. Jennifer's dad sent her a nice cuddly cat, so that's nice.
Re: FOSDEM 23/24 Feb Brussels
On Fri, Feb 22, 2008 at 12:08:14PM -0500, Douglas A. Tutty wrote: Now, is a Flemish Cap: a. a distinctive head wear b. a shallow area east of the Grand Banks c. What Belch people call the head on the beer d. all of the above e. none of the above. f. A contraceptive shaped like a piece of medieval armour I'll get my coat.. -- joe. He's got an old-school Ipod thing. It's huge. It probably plays tapes.
HP Network cards
Hey guys, Is either HP ProLiant NC364T[0] or the NC360T (one quad gigabit ethernet, the second dual gigabit ethernet) supported under openbsd? I checked http://www.openbsd.org/i386.html#hardware which would indicate not, but I just wanted to double check here. If not, can anyone point me at a good quality dual or quad GigE card that is well supported? Thanks! [0] - http://h18004.www1.hp.com/products/servers/networking/nc364t/index.html -- joe. Rohan Ricketts has been using some new kind of hair oil on his scalp, you can tell.
OpenBGPD
Hey guys, Is there a mailing list for OpenBGPD? I'm about to kick off a project to build a 2nd datacentre and we are going to move to PI space with two separate transit providers and am planning on using OpenBGPD/OpenBSD. Failing a mailing list, can anyone point me at any howtos? The man pages are great, but some examples would be nice. It has been 13 years since I last was involved with GateD/OpenBSD :-) Thanks. -- joe. You can deal with that at home with a cream - you don't need a check up.
Re: 4.1 Hacked? Some interesting hashes
On Mon, Feb 11, 2008 at 04:34:18AM -0800, Manuel Ravasio wrote: Hey there, Ok, I did understand THAT. What I'm still missing is the relationship (if any) between a couple of hashes and a possible breach in OBSD... Well, if the guy genuinely had an exploit and wanted to keep the mechanism secret, whilst being able to prove that he had it back when he made that post, posting the md5 checksum would be a good way of doing it. Then in the future he could release the same .tar file which contained the working exploit and had the same hash as in the email and people would know he had had a working exploit since back then. What is much more likely, however, is that the poster is an idiot who is trying to spread FUD by that mechanism. -- joe. I'm always fond of Larkin and Eliot, but other modern poets...lost on me.
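The publish-a-checksum-now, release-the-file-later mechanism described in the reply above, as an added example that is not part of the original thread. It substitutes SHA-256 for the MD5 mentioned in the post (MD5 collisions are practical, so one committer could prepare two archives with the same MD5); the function names and file contents are hypothetical and constructed for this example.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed placeholder contents standing in for whatever is being committed to.
FILES = {
    "README": b"constructed placeholder text\n",
    "notes.txt": b"more constructed placeholder text\n",
}


def build_archive(files, mtime=0):
    """Build a tar archive in memory from {name: bytes} with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def commit(archive, algorithm="sha256"):
    """Digest to publish today; it reveals nothing useful about the archive."""
    return hashlib.new(algorithm, archive).hexdigest()


def verify(revealed, published, algorithm="sha256"):
    """Check that a later-released archive matches the earlier published digest."""
    return hmac.compare_digest(commit(revealed, algorithm), published.strip().lower())


if __name__ == "__main__":
    original = build_archive(FILES)
    published = commit(original)  # this string is what goes into the dated post

    # Releasing the exact same bytes later proves they existed when the
    # digest was posted, provided the post's date is independently archived.
    print("same bytes:      ", verify(original, published))

    # The digest covers archive bytes, not file contents: re-creating the tar
    # from identical files with a different timestamp no longer matches.
    print("re-tarred later: ", verify(build_archive(FILES, mtime=1), published))

    # Any change to the contents fails too.
    changed = dict(FILES, README=b"edited after the fact\n")
    print("edited contents: ", verify(build_archive(changed), published))
```

The middle case is the practical catch: whoever publishes the digest has to keep the exact archive file, because rebuilding it from the same contents yields different bytes.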
Re: Network Slowness Proliant DL380 G4
On Wed, Feb 06, 2008 at 07:19:03PM +0100, Pete Vickers wrote: Hey there, OpenBSD's bge driver sucks big time, typical symptoms are very slow transfers, and incrementing errors (netstat -i). You can confirm this by booting $other_os_boot_cd and retesting. Ah, I was unaware of this. I've got a pair of OpenBSD firewalls running pf and carp using bge interfaces. What is the best mitigation strategy to deal with this? I've upped the tcp recvspace and sendspace. Any idea if/when the driver will be improved? Thanks. -- joe.
Re: Inexpensive networking.
On Thu, Feb 07, 2008 at 12:32:20PM -0500, Douglas A. Tutty wrote: Hey there What speed is normal house-hold high-speed internet anyway? This would be the best that most students would have experienced. Remote directory: /pub/OpenBSD/4.2 ftp get xenocara.tar.gz local: xenocara.tar.gz remote: xenocara.tar.gz 229 Entering Extended Passive Mode (|||46940|) 150 Opening BINARY mode data connection for xenocara.tar.gz (102270558 bytes). 100% |*| 99873 KB1.53 MB/s00:00 ETA 226 File send OK. 102270558 bytes received in 01:03 (1.53 MB/s) for me, 16Mbit/s adsl2+. Quite normal in the UK. It's great. -- joe. This burger is a bit sweaty.
Re: Network Slowness Proliant DL380 G4
On Thu, Feb 07, 2008 at 03:04:13PM +, Stuart Henderson wrote: Hey there, recvspace and sendspace do *nothing* to packet-forwarding performance. they affect only locally sourced/sinked traffic. Ah yes, of course. So, is there anything I can do, or need to do, to ensure good throughput? Or is the bge driver ok for that? -- joe. You live in the London? You are so lucky to live here. I am from Greece, you see.
Re: ftp.openbsd.org?
On Mon, Feb 04, 2008 at 03:40:50PM +0100, xavier brinon wrote: man pages too www.openbsd.org too. That'd explain spamd-setup ftp connect timeouts all over the place :-) -- joe. Every single day we have to wait at Edgware Road.