Re: 'bgpctl show rib in neighbor $peer' no longer shows unfiltered received routes
Thanks for the rapid response and proposal. I'd wanted to test yesterday but had to postpone.

On Mon, May 8, 2023 at 12:18 PM Claudio Jeker wrote:
> Here is a possible solution where a perfect match aborts the detection
> loop. Now this only works if the labels are in the right order ("in"
> before "invalid").

This is similar to what I had in mind, but shorter than what I'd thought of. I'll test on -current first and report back. Afterwards, I'll adapt for -release (i.e. the equivalent of r1.124 for parser.c [1]).

> I wonder if changing "invalid" to "notvalid" or "noteligible" would be a
> better fix for now...

Personally, I like the flexibility of keyword freedom, given the small one-time price to pay of sorting. Sorting may make maintenance a little easier too; at least I've seen several recent commits elsewhere to that end.

Best regards,
Rogier
'bgpctl show rib in neighbor $peer' no longer shows unfiltered received routes
While diagnosing an unrelated matter, I find that 'bgpctl show rib' has difficulty with the 'in' keyword. The 'out' counterpart works as expected.

Looking at bgpctl(8), the following should work (but doesn't):

$ bgpctl show rib in neighbor $peer
ambiguous argument: in
valid commands/args:
  invalid
  leaked
  in
  out

Note: tested this on a 7.3 (w/ bgpd erratum) release system. On a 7.2 release system, I don't see this regression (unsurprising, as bgpctl(8) there doesn't list 'invalid' as a valid 'show rib' option).

I suspect this involves the logic in match_token() from src/usr.sbin/bgpctl/parser.c. I'll take a stab at providing a patch. Meanwhile, I'd appreciate any hints and/or a workaround for the meantime.

Thanks in advance,
Rogier
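The ambiguity discussed in this thread, as an added example (not code from bgpctl's parser.c or from either poster): a prefix-matching keyword lookup over the four keywords listed in the error output, run in three modes. `lookup()`, the mode names and both table orderings are hypothetical; the third mode goes beyond the thread by letting an exact match win regardless of table order.

```c
#include <stdio.h>
#include <string.h>

#define NO_MATCH	(-1)
#define AMBIGUOUS	(-2)

enum mode {
	PREFIX_ONLY,		/* every prefix hit counts, exact or not */
	EXACT_ABORTS_LOOP,	/* an exact hit stops the scan, earlier hits still count */
	EXACT_ALWAYS_WINS	/* an exact hit overrides any earlier prefix hit */
};

/* Constructed tables: same keywords, two orderings. */
static const char *const table_unsorted[] = { "invalid", "leaked", "in", "out" };
static const char *const table_sorted[] = { "in", "invalid", "leaked", "out" };

/*
 * Return the index of the keyword selected by `word`, NO_MATCH if nothing
 * starts with it, or AMBIGUOUS if more than one candidate remains.
 */
static int
lookup(const char *const *table, size_t n, const char *word, enum mode mode)
{
	size_t i, wordlen = strlen(word);
	int found = NO_MATCH, matches = 0;

	if (wordlen == 0)
		return NO_MATCH;

	for (i = 0; i < n; i++) {
		if (strncmp(word, table[i], wordlen) != 0)
			continue;	/* not even a prefix */

		/* strncmp matched wordlen bytes, so table[i][wordlen] is valid */
		if (table[i][wordlen] == '\0') {
			if (mode == EXACT_ALWAYS_WINS)
				return (int)i;
			if (mode == EXACT_ABORTS_LOOP) {
				matches++;
				found = (int)i;
				break;	/* later, longer keywords are never seen */
			}
		}
		matches++;
		found = (int)i;
	}
	return matches > 1 ? AMBIGUOUS : found;
}

static const char *
describe(const char *const *table, int r)
{
	if (r == NO_MATCH)
		return "unknown argument";
	if (r == AMBIGUOUS)
		return "ambiguous argument";
	return table[r];
}

int
main(void)
{
	static const char *const names[] = {
		"prefix only", "exact aborts loop", "exact always wins"
	};
	int m;

	for (m = PREFIX_ONLY; m <= EXACT_ALWAYS_WINS; m++) {
		printf("%-18s unsorted: %-18s sorted: %s\n", names[m],
		    describe(table_unsorted,
			lookup(table_unsorted, 4, "in", (enum mode)m)),
		    describe(table_sorted,
			lookup(table_sorted, 4, "in", (enum mode)m)));
	}
	return 0;
}
```

With the early abort, "in" resolves only when it precedes "invalid" in the table, which is the ordering constraint mentioned in the reply.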
Re: Multiple, simultaneous interfaces using dhclient
On Sun, Jul 13, 2014 at 10:11 AM, Björn Ketelaars bjorn.ketela...@hydroxide.nl wrote:
> It sounds like that your default inet route is overwritten after dhclient
> on vlan1 is issued.

That's not something I'd expect, given that the dhclient instances should be in separate routing domains.

> Did you have a look at the route table before and after each call of
> dhclient?

That was my initial suspicion and one of my reasons for trying to separate things into rdomain 1. I logged routing tables every second or so while manually running dhclient for vlan1 (instead of via hostname.if).

Before:

# netstat -T0 -nrfinet
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default84.245.29.1UGS7 1871091 - 8 vlan0
84.245.29/24 link#5 UC 10 - 4 vlan0
84.245.29.100:30:88:16:ac:fd UHLc 10 - 4 vlan0
127/8 127.0.0.1 UGRS 00 33144 8 lo0
127.0.0.1 127.0.0.1 UH 229313 33144 4 lo0
192.168.1.200:25:90:33:12:65 UHLc 0 16 - 4 lo0
224/4 127.0.0.1 URS00 33144 8 lo0

# netstat -T1 -nrfinet
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
10.0.52/24 link#15UC 00 - 4 vlan52

# route -T1 exec /sbin/dhclient vlan1

Gives me an IP on vlan1 and routes in rdomain 1, but kills connectivity on vlan0 after the first DHCPREQUEST goes out on vlan1.

# ps ax | grep dhclient | grep -v grep
23596 ?? Is 0:00.02 dhclient: vlan0 [priv] (dhclient)
27697 ?? Is 0:00.48 dhclient: vlan0 (dhclient)
12813 ?? Ss 0:00.00 dhclient: vlan1 [priv] (dhclient)
10342 p7 Z+ 0:00.00 (dhclient)
7017 p7 S+ 0:00.01 dhclient: vlan1 (dhclient)

Note the zombie dhclient in between. I don't know why it's there. A few seconds later, vlan1 appears to have its address and - I assume - the zombie is reaped.

# ps ax | grep dhclient | grep -v grep
23596 ?? Is 0:00.02 dhclient: vlan0 [priv] (dhclient)
27697 ?? Is 0:00.48 dhclient: vlan0 (dhclient)
12813 ?? Ss 0:00.01 dhclient: vlan1 [priv] (dhclient)
19415 ?? Ss 0:00.00 dhclient: vlan1 (dhclient)

# netstat -T0 -nrfinet
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default84.245.29.1UGS7 1871093 - 8 vlan0
84.245.29/24 link#5 UC 10 - 4 vlan0
84.245.29.100:30:88:16:ac:fd UHLc 10 - 4 vlan0
127/8 127.0.0.1 UGRS 00 33144 8 lo0
127.0.0.1 127.0.0.1 UH 229313 33144 4 lo0
192.168.1/24 link#2 UC 10 - 4 em1
192.168.1.200:25:90:33:12:65 UHLc 0 16 - 4 lo0
224/4 127.0.0.1 URS00 33144 8 lo0

# netstat -T1 -nrfinet
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default10.10.12.1 UGS00 - 8 vlan1
10.0.52/24 link#15UC 00 - 4 vlan52
10.10.12/22link#16UC 10 - 4 vlan1
10.10.12.1 link#16UHLc 10 - 4 vlan1

Forgive me for removing the Routing tables line from the netstat output.

Only after killing all dhclients and re-running dhclient vlan0, I get my internet connectivity back.

Regards,
Rogier
Multiple, simultaneous interfaces using dhclient
Dear list,

as my ISP is migrating to a new network setup, I'm forced to tinker with my local setup. Unfortunately, I'm struggling to get two interfaces (vlan0, vlan1) working simultaneously with DHCP.

Separately, they work fine. Together, vlan1 drops my internet connection (vlan0); the latter won't return until I manually re-issue dhclient vlan0. Upon lease renewal, the same occurs, lest I kill the dhclient instance for vlan1.

I wonder if I'm doing something silly. Is having two simultaneous dhclient instances a supported setup? The second instance is for an IPTV set-top-box (STB) that I'd like to keep away from my regular LAN, hence the routing domains. I've disabled PF while trying to get this working, so as to minimise the amount of things I can do wrong.

Does anyone have a cluebat for me? Insight greatly appreciated.

Regards,

Background:
It's a FttH link that provides two tagged networks (vlan 34 for IP; vlan 4 for IPTV). The latter provides a private range address (in 10.10.12.0/22) for a set-top-box.

For the STB:
- IPTV Traffic is to be NATed to vlan4 (towards the 10.10.12.0/22 and 185.6.48.0/26 ranges)
- Other/Internet traffic (e.g. program guides) needs to travel via the regular IP uplink (vlan 34) and should be NATed there

# cat /etc/dhclient.conf
supersede host-name fluor;
prepend domain-name-servers 27.0.0.1;
interface vlan1 {
	#ignore routers;	# vlan1 is in rdomain 1; default route won't hurt us
}

# cat /etc/hostname.em0
description internal -inet6 up

# cat /etc/hostname.em1
description uplink -inet6 up

# cat /etc/hostname.vlan0
description ip (uplink) vlan 34 vlandev em1 dhcp -inet6

# cat /etc/hostname.vlan1
description tv (uplink) rdomain 1 group tv vlan 4 vlandev em1 dhcp -inet6

# cat /etc/hostname.vlan52
description tv (downlink) rdomain 1 group tv vlan 52 vlandev em0 inet 10.0.52.1/24 -inet6

--
If you don't know where you're going, any road will get you there.
Re: Documentation on rc.conf.local lacks important warning
Though I looked on a 5.3 system, rc.conf(8) suggests the following:

    It is advisable to leave rc.conf untouched, and instead create and
    edit a new rc.conf.local file.

That's rather different from creating a copy. From a brief look at CVS, it's the same for -current.

Regards,
Rogier

On Sun, Feb 9, 2014 at 7:28 PM, VaZub vasyl.zu...@gmail.com wrote:
> Hi all,
>
> There is a small nuisance I've stumbled upon during my first experiments
> with OpenBSD. Both the man page for rc.conf(8) as well as the official
> OpenBSD FAQ (10.3) suggest to avoid editing /etc/rc.conf directly and
> instead copy it to /etc/rc.conf.local and edit afterwards. Yet it seems
> both fail to mention, that in order to prevent your system from going
> ballistic after doing this, you should also comment out or delete a
> particular line of code in /etc/rc.conf.local, namely this one:
>
>     [ -f /etc/rc.conf.local ] && . /etc/rc.conf.local
>
> Not good, especially for those who do follow official instructions and
> still suddenly find themselves with a broken system on their hands for no
> apparent reason.
>
> This might seem like a trivial issue for old-timers, and one is sure to
> find the appropriate solution with a little bit of deeper googling, but
> having short relevant notices in the aforementioned manuals could save
> newcomers some introductory frustration.
>
> What do you think? Is there anyone among those looking after the official
> documentation up to consider such a suggestion?
>
> Regards,
> Vasyl Zubko

--
If you don't know where you're going, any road will get you there.
Re: Trouble getting ipsec.conf 'tag' working in 5.3
A kind soul (thank you) suggested I add the following to my ruleset:

    pass quick on enc0 proto ipencap

Unfortunately, that does still not allow the inner outbound traffic to pass. From what I can tell, the original ruleset already let ipencap traffic pass on enc0. I verified with tcpdump and by separately logging the pass rules. Had ipencap been the problem, tcpdump on pflog1 would show a match on rule #11 (instead of the 'tagged PBX' rule #12).

Pinging or UDP traffic to the 172.24.8.0/24 subnet fails, whereas incoming traffic from the other side is matched to the 'tagged PBX' rule (#12). I've made sure the tagging in #14 does not occur for traffic to the PBX (I added its net to the internal table).

I expected ipsec to automagically add the 'PBX' tag to traffic it gets handed (in this case, from $if_int) when that traffic fits its SAs. I further expected pf to need no more than a simple 'pass on enc0 tagged PBX' after that.

If I was too optimistic or misunderstood ipsec.conf(5), a cluebat is more than welcome. If this is something that should work, I'll try with -current as well.

Regards,
Rogier

# tcpdump -ni pflog0 -s1600 -eee -ttt -v
Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id 40730, len 621, bad cksum 5a08!)
Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl 127, id 23969, len 60, bad cksum 5dc2!)

# tcpdump -ni pflog1 -s1600 -eee -ttt
Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
Jun 11 13:39:29.149843 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:29.149865 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
Jun 11 13:39:30.159693 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:30.159715 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request

# pfctl -sr -vv | grep -e '^@'
@0 block return log all
@1 match out on egress inet all tagged OUT nat-to (egress:0:1) round-robin
@2 pass out on egress from (egress:3) to any flags S/SA
@3 pass out on egress proto udp from (egress:3) to any port = 3740
@4 pass out on egress inet6 from (vlan801:network:1) to any flags S/SA
@5 pass on egress proto udp from any to any port = 500
@6 pass on egress proto udp from any to any port = 4500
@7 pass on egress proto ipv6 all
@8 pass on egress inet proto icmp all
@9 pass on egress inet6 proto ipv6-icmp all
@10 pass on egress proto esp all
@11 pass log (all, to pflog1) on enc0 proto ipencap all
@12 pass log (all, to pflog1) on enc0 all flags S/SA keep state (if-bound) tagged PBX
@13 pass in on vlan801 proto tcp from (vlan801:network:5) to (vlan801:9) port = 22 flags S/SA
@14 match in on vlan801 from (vlan801:network:5) to ! <internal:7> tag OUT
@15 pass on vlan801 all flags S/SA
Re: Trouble getting ipsec.conf 'tag' working in 5.3
On Tue, Jun 11, 2013 at 3:26 PM, mxb m...@alumni.chalmers.se wrote:
> Tried to tag pkts on $int_if ?
> Eg
> match in on $if_int from ($if_int:network) to $pbx_net tag PBX

Yes and that works. But shouldn't it already be covered by the 'PBX' tag in ipsec.conf? That's what I expected and what I'm trying to figure out.

Thanks for the suggestion, though.

Regards,
Rogier
Trouble getting ipsec.conf 'tag' working in 5.3
Dear list,

after re-installing a machine with 5.3 (i386), I wanted to tighten up the filtering rules. To that end, I added a 'block log' rule near the top of my rules. This appears to be unexpectedly effective.

I'm having trouble with my IPsec VPN to a VoIP PBX. Although my SAs come up as expected, outbound traffic appears to be blocked on enc0. What bugs me is that the 'tag' and 'tagged' keywords do not seem to work as I'd expect from ipsec.conf(5). I created the SAs with the 'PBX' tag and would like to be so lazy as to just use:

    pass on enc keep state (if-bound) tagged PBX

Surprisingly, I can receive incoming pings from the PBX (172.24.8.0/24) with this setup, but am unable to ping the address from my own net (192.128.10.0/24). I get this with the fairly minimal ruleset added below.

Of course, I could add rules listing the address ranges in question, but I had hoped to use the 'PBX' tag for that instead. Did I misread or misunderstand ipsec.conf(5) or am I missing something else entirely?

Insight greatly appreciated,

Regards,
Rogier

# tcpdump -eee -ttt -ni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Jun 10 22:42:39.513643 rule 0/(match) block out on enc0: 192.168.10.102 > 172.24.8.1: icmp: echo request

# cat /etc/pf.conf
if_int=vlan801
pbx_net=172.24.8.0/24
noc_net=172.24.10.0/24

table <internal> persist { $if_int:network, $pbx_net, $noc_net }

set block-policy return
block log
set skip on { lo sk0 }

# Outbound traffic
match out on egress inet nat-to (egress:0) tagged OUT
pass out on egress from (egress)

# IPv6 tunnel
pass out on egress proto tcp from (egress) to any port 3874 # TIC
pass out on egress proto udp from (egress) to any port 3740 # heartbeat
pass on egress proto ipv6
pass on egress inet proto icmp
pass on egress inet6 proto icmp6

# IPsec tunnel
pass on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass on egress proto esp
pass on enc0 keep state (if-bound) tagged PBX

# SSH
pass in on $if_int proto tcp from ($if_int:network) to ($if_int) \
    port ssh

# Internal traffic
match in on $if_int from ($if_int:network) to !<internal> tag OUT
pass on $if_int

# cat /etc/ipsec.conf
id = b2
gw = fxp0
gw6 = gif6
net = 192.168.10.0/24

# PBX access
pbx_id = weber
pbx_gw = [removed]
pbx_net = 172.24.8.0/24

ike esp from $net to $pbx_net peer $pbx_gw srcid $id dstid $pbx_id tag PBX

# cat /var/run/dmesg.boot
OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:35:23 MDT 2013
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,CNXT-ID,xTPR,PERF
real mem = 1071374336 (1021MB)
avail mem = 1042882560 (994MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/22/04, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xfbe60 (76 entries)
bios0: vendor Intel Corp.
Re: em(4) fails to initialize for Intel i350-F2 dual-port fibre NIC
Apologies for the delayed follow-up; I was unable to test over the weekend. I plugged in both fibres this afternoon. With the diff, the hardware appears to be correctly initialized. Both ports properly find their link. Light testing today shows no surprises. Any particular things I should test additionally? Regards, Rogier
em(4) fails to initialize for Intel i350-F2 dual-port fibre NIC
Dear list,

after installing a dual-port fibre NIC, it seems the card is recognized, but fails to initialize. The card in question is an i350-F2. I've upgraded to the latest snapshot to see if there's any improvement, but alas.

<snip>
em0 at pci8 dev 0 function 0 Intel I350 Fiber rev 0x01: msi
em0: Hardware Initialization Failed
em0: Unable to initialize the hardware
em1 at pci8 dev 0 function 1 Intel I350 Fiber rev 0x01: msi
em1: Hardware Initialization Failed
em1: Unable to initialize the hardware
</snip>

From commits, I gather the i350 is relatively new. Would anyone have advice/hints on what steps of the initialisation I should look or how I can generate more debugging output? I tried a verbose boot (boot -c), but that didn't show more details for these em(4) cards.

The box is currently hooked up for testing, so few things to break. Any insight appreciated. I've added dmesg and pcidump below.

Regards,
Rogier

$ dmesg
OpenBSD 5.3-current (GENERIC.MP) #103: Wed Apr 24 09:33:02 MDT 2013
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8568242176 (8171MB)
avail mem = 8332447744 (7946MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcfb9c000 (67 entries)
bios0: vendor Dell Inc. version 2.7.0 date 10/30/2010
bios0: Dell Inc.
Re: em(4) fails to initialize for Intel i350-F2 dual-port fibre NIC
Hi Jonathan,

thanks for the diff. Currently building a kernel with it and will report back.

Regards,
Rogier

On Sat, Apr 27, 2013 at 3:24 AM, Jonathan Gray j...@jsg.id.au wrote:
> On Fri, Apr 26, 2013 at 10:51:45PM +0200, Rogier Krieger wrote:
> > Dear list,
> >
> > after installing a dual-port fibre NIC, it seems the card is recognized,
> > but fails to initialize. The card in question is an i350-F2. I've
> > upgraded to the latest snapshot to see if there's any improvement, but
> > alas.
> >
> > <snip>
> > em0 at pci8 dev 0 function 0 Intel I350 Fiber rev 0x01: msi
> > em0: Hardware Initialization Failed
> > em0: Unable to initialize the hardware
> > em1 at pci8 dev 0 function 1 Intel I350 Fiber rev 0x01: msi
> > em1: Hardware Initialization Failed
> > em1: Unable to initialize the hardware
> > </snip>
> >
> > From commits, I gather the i350 is relatively new. Would anyone have
> > advice/hints on what steps of the initialisation I should look or how I
> > can generate more debugging output? I tried a verbose boot (boot -c),
> > but that didn't show more details for these em(4) cards.
> >
> > The box is currently hooked up for testing, so few things to break. Any
> > insight appreciated. I've added dmesg and pcidump below.
>
> It was tested with copper not fibre, perhaps the following diff helps.

Index: if_em_hw.c === RCS file: /cvs/src/sys/dev/pci/if_em_hw.c,v retrieving revision 1.71 diff -u -p -r1.71 if_em_hw.c --- if_em_hw.c 5 Dec 2012 23:20:20 - 1.71 +++ if_em_hw.c 27 Apr 2013 01:21:06 - @@ -1446,7 +1446,7 @@ em_adjust_serdes_amplitude(struct em_hw DEBUGFUNC(em_adjust_serdes_amplitude); if (hw-media_type != em_media_type_internal_serdes || - hw-mac_type == em_82575) + (hw-mac_type = em_82575)) return E1000_SUCCESS; switch (hw-mac_type) { 
@@ -1700,10 +1700,10 @@ em_setup_fiber_serdes_link(struct em_hw * initialization. */ if (hw-mac_type == em_82571 || hw-mac_type == em_82572 || - hw-mac_type == em_82575) + hw-mac_type = em_82575) E1000_WRITE_REG(hw, SCTL, E1000_DISABLE_SERDES_LOOPBACK); - if (hw-mac_type == em_82575) + if (hw-mac_type = em_82575) em_power_up_serdes_link_82575(hw); /* @@ -1724,7 +1724,7 @@ em_setup_fiber_serdes_link(struct em_hw /* Take the link out of reset */ ctrl = ~(E1000_CTRL_LRST); - if (hw-mac_type == em_82575) { + if (hw-mac_type = em_82575) { /* set both sw defined pins on 82575/82576*/ ctrl |= E1000_CTRL_SWDPIN0 | E1000_CTRL_SWDPIN1; @@ -3611,7 +3611,7 @@ em_check_for_link(struct em_hw *hw) DEBUGFUNC(em_check_for_link); uint16_t speed, duplex; - if (hw-mac_type == em_82575 + if ((hw-mac_type = em_82575) hw-media_type != em_media_type_copper) { ret_val = em_get_pcs_speed_and_duplex_82575(hw, speed, duplex); @@ -3951,7 +3951,8 @@ em_get_speed_and_duplex(struct em_hw *hw uint16_t phy_data; DEBUGFUNC(em_get_speed_and_duplex); - if (hw-mac_type == em_82575 hw-media_type != em_media_type_copper) + if ((hw-mac_type = em_82575) + hw-media_type != em_media_type_copper) return em_get_pcs_speed_and_duplex_82575(hw, speed, duplex); if (hw-mac_type = em_82543) { @@ -5284,7 +5285,7 @@ em_detect_gig_phy(struct em_hw *hw) if ((hw-media_type == em_media_type_internal_serdes || hw-media_type == em_media_type_fiber) - hw-mac_type == em_82575) { + (hw-mac_type = em_82575)) { hw-phy_type = em_phy_undefined; return E1000_SUCCESS; } -- If you don't know where you're going, any road will get you there.
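Review bot: the widened mac_type tests in em_setup_fiber_serdes_link depend on the declaration order of the mac_type enum, and nothing in the hunks documents that. Assuming the bare `=` shown in this copy is a `>=` range test replacing `== em_82575`, every MAC type declared after em_82575 will now write SCTL with E1000_DISABLE_SERDES_LOOPBACK, call em_power_up_serdes_link_82575() and set both SWDPIN bits. A one-line comment at the first test saying that all later MAC types share the 82575 serdes handling, or a single helper macro used at each site, would make that assumption explicit and keep a future enum addition from silently taking this path.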
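Review bot: parenthesisation of the new mac_type test is inconsistent across the patch: em_adjust_serdes_amplitude, em_check_for_link, em_get_speed_and_duplex and em_detect_gig_phy wrap the comparison in its own parentheses, while the three tests in em_setup_fiber_serdes_link do not. Since the same condition is repeated seven times, pick one form for all of them so the sites are easy to grep for and compare.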
Re: Advice on adding com2 to (amd64) GENERIC; enabling easier IPMI SOL with SuperMicro boards
On Sat, Apr 6, 2013 at 1:35 AM, Ted Unangst t...@tedunangst.com wrote:
> I guess you missed the subsequent put back yesterday. :)

Guilty as charged.

> [...] com2 renumbers any other pci attached com ports from the likes of
> puc.

I suppose for those running tools such as conserver, this would mean changing the config lines that carry the 'baseport' values.

In case it's helpful, I've added the following snippet for faq/current.html to warn unsuspecting serial users.

Regards,
Rogier

Index: current.html === RCS file: /cvs/www/faq/current.html,v retrieving revision 1.373 diff -u -r1.373 current.html --- current.html 28 Mar 2013 21:49:08 - 1.373 +++ current.html 6 Apr 2013 09:01:26 - @@ -54,6 +54,7 @@ lia href=#201303102013/03/10 - fontconfig update/a lia href=#201303112013/03/11 - pf translation counter added/a lia href=#201303252013/03/25 - Perl update/a +lia href=#201304052013/04/05 - amd64 adds com2 and com3 to GENERIC/a !-- New additions go on the bottom, please -- /ul @@ -562,6 +563,15 @@ of this being committed and rely on such packages, you might like to wait for updated packages to become available to save the trouble of building them yourself. + +p +a name=20130405/a +h32013/04/05 - amd64 adds com2 and com3 to GENERIC/h3 +OpenBSD/amd64 GENERIC and GENERIC.MP kernels now include the com2 (COM3) +and com3 (disabled by default) devices that were commented out before. This +may cause the renumbering of serial ports on other devices such as puc(4). +Users of the conserver port may want to use the 'portbase' and 'devicesubst' +settings to easily adjust their configuration. hr a href= index.htmlimg height= 24 width= 24 src= ../images/back.gif border= 0 alt=[back]/a
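Review bot: the added paragraph in the second hunk names the conserver setting 'portbase', while the covering message calls it 'baseport'; the two should agree with the keyword conserver actually uses before this goes in. The heading also says the change "adds com2 and com3" while the body says com3 is disabled by default, so a heading along the lines of "amd64 enables com2 in GENERIC" would keep readers from expecting a working com3.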
Re: Advice on adding com2 to (amd64) GENERIC; enabling easier IPMI SOL with SuperMicro boards
Out of curiosity, after seeing the commit and subsequent backing out of this change, what'd be the expected issues with enabling com2 that require more thought?

Regards,
Rogier

On Sat, Mar 30, 2013 at 8:01 AM, Ted Unangst t...@tedunangst.com wrote:
> On Sat, Mar 30, 2013 at 02:06, Rogier Krieger wrote:
> > The GENERIC kernel config has commented out com2 (at isa0, addr 0x3e8,
> > irq 5) and I assume this is not without reason. I've been unable to
> > find that reason in source changes, but perhaps someone here knows. On
> > i386, it is present.
>
> I am guessing this is an oversight. i386 runs on the same machines, so if
> com2 were causing trouble it would be disabled there too.

--
If you don't know where you're going, any road will get you there.
Advice on adding com2 to (amd64) GENERIC; enabling easier IPMI SOL with SuperMicro boards
Dear list,

in an attempt to save on serial cabling for our machines, I'm trying to see if IPMI Serial over Lan (SOL) works as advertised. For our Dell boxes, things seem to work, but our SuperMicro boards (X7SPA-HF and X8ST3-F) require extra work.

The latter seem to insist on using com2 (i.e. COM3 in BIOS), which isn't present by default in GENERIC[.MP]. Obviously, adding this creates a bit of hassle and the risk of the com2 device being unavailable should I ever forget to add it back after upgrades.

The GENERIC kernel config has commented out com2 (at isa0, addr 0x3e8, irq 5) and I assume this is not without reason. I've been unable to find that reason in source changes, but perhaps someone here knows. On i386, it is present.

In summary, would the following be acceptable?

Regards,
Rogier

Index: GENERIC === RCS file: /cvs/src/sys/arch/amd64/conf/GENERIC,v retrieving revision 1.338 diff -u -r1.338 GENERIC --- GENERIC 15 Mar 2013 09:10:52 - 1.338 +++ GENERIC 30 Mar 2013 01:04:54 - @@ -315,7 +315,7 @@ com0 at isa? port 0x3f8 irq 4# standard PC serial ports com1 at isa? port 0x2f8 irq 3 -#com2 at isa? port 0x3e8 irq 5 +com2 at isa? port 0x3e8 irq 5 #com3 at isa? port 0x2e8 irq 9# (conflicts with some video cards) com* at pcmcia? # PCMCIA modems/serial ports
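Review bot: nothing in the hunk records why com2 was commented out or why enabling it is now safe, and the com3 line directly below it carries a conflict warning. The message itself says the reason for disabling could not be found and only cites i386 having the device, so the commit message should state what was checked, and a trailing comment on the new `com2 at isa? port 0x3e8 irq 5` line (for example noting its use for IPMI Serial over LAN on some boards) would tell the next reader why it is on.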
Re: smtpd relay
On Tue, Feb 26, 2013 at 4:39 PM, Zoran Kolic zko...@sbb.rs wrote:
> accept for any relay via my.isp.smtpserver

iirc, smtpd.conf(5) mentions the host being in URL form, e.g. smtp://my.isp.smtpserver

At least, it does for my Feb 17th snapshot.

Regards,
Rogier
Re: OpenSMTPd error after upgrading to -current
On Sun, Feb 3, 2013 at 10:19 PM, Frank Brodbeck f...@gmx.biz wrote:
> /etc/mail/smtpd.conf:12: error: invalid url: smtps+auth://mail.split-brain.de

The description of the relay parameter in smtpd.conf(5) is accurate. It seems the examples section in smtpd.conf(5) is slightly outdated, however.

The format for the relay URL changed to include a label for looking up the credentials. This allows you to select different credentials for the same host should you need that. This is one of the recent goodies [1] mentioned in another thread.

Instead of using a hostname in the secrets file, use a label and list that label in the relay URL. After running makemap, smtpd liked my configuration again. I've added a sanitised version as an example.

# cat /etc/mail/smtpd.conf
listen on lo0
table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db
accept for local alias aliases deliver to mbox
accept for any relay via ssl+auth://[label]@[host] auth secrets

# cat /etc/mail/secrets
[label] [user]:[password]

Hope that helps,
Rogier

References:
1. Undeadly - OpenSMTPD: more features, more cleanup, more more
   http://undeadly.org/cgi?action=article&sid=20130130081741

--
If you don't know where you're going, any road will get you there.
Re: ext2fs read errors
On Sun, Dec 30, 2012 at 12:54 PM, Martijn van Duren m.vandu...@jonker.nl wrote:
> Jan Stary wrote on Sun 30-12-2012 at 12:24 [+0100]:
> > On Dec 30 10:43:00, m.vandu...@jonker.nl wrote:
> > > I'm migrating my data from an ext3 partition [...]

<snip>

> That is correct. And I mounted it mount_ext2fs /dev/wd0i /mnt.

Why would you expect an ext3fs partition to be working properly using ext2fs tools? The man pages for the tools involved do not mention ext3fs support or its journal features.

Can you reproduce the issue with an ext2fs filesystem as well?

Regards,
Rogier
Re: ftp/www.openbsd.org downtime today. don't panic
On Fri, Oct 12, 2012 at 4:08 PM, Bob Beck b...@openbsd.org wrote:
> Please don't panic.

Naturally, this happens on a day one forgets to bring a towel.

Cheers,
Rogier
Re: IPv6, OpenBSD and .. Mac OS X Lion
Here, it took a few iterations of properly reading the rtadvd.conf(5) manual, but the various Mac devices over here (OS X v10.6+, iOS v5+) properly get addresses and DNS servers assigned. My setup: Addresses here are assigned over rtadvd(8); DNS information over DHCPv6. With the recent patch to rtadvd, the latter component could actually be phased out. I suppose that's easier. One thing I ran into: correctly set raflags to accurately reflect your network's situation. For mine, a value of 64 was needed (address: rtadvd; DNS: DHCPv6). Until I properly set this, my systems (Win7 and Mac alike) discarded the DHCPv6 info they received. See rtadvd.conf(5) for the correct values to use. If you use rtadvd exclusively, you'll need another value for raflags, of course. See the manual. Regards, Rogier
Re: AUTHENTICATION_METHOD = 65001 (unknown)
On Sun, Jun 10, 2012 at 8:12 PM, Ray Zorthin rayzort...@yahoo.com wrote: 2) Do we need to use iked(8) instead of isakmpd(8)? Instead, you may want to look at npppd and using the L2TP variant natively available on your iPad. At least, that's how I have an iOS device connect (v5.1.1 currently, but worked for several earlier versions as well). The description in the source tree provides useful hints and required steps to getting this working. The L2TP traffic is secured through IPsec. I have not yet needed to provision iOS devices with this configuration, but I suspect it can be done similarly to how one would provision the (Cisco) IPsec VPN client on iOS. Regards, Rogier
Re: Recent DELL hardware support
On Thu, Apr 5, 2012 at 21:02, Kostas Zorbadelos kzo...@otenet.gr wrote: The only remaining question is PERC H200 support. mpii(4) should cover the Dell PERC H200.
Re: how to find dependencies when building a new kernel
On Tue, Nov 29, 2011 at 11:38, T. Valent tmp...@4ss.de wrote: [dmassage] It's not part of the official OpenBSD or the ports tree. Are you sure it's not in sysutils/dmassage? It would seem you're trying to build your own stripped-down kernel. Doing that sort of thing is typically a you break it, you get to keep the pieces activity. While I do not know the reasons [1] you have for doing so, you may have better luck solving issues using config(8). If you take that route, be sure to note down the changes needed so you can repeat the process at subsequent upgrades. Regards, Rogier 1. OpenBSD FAQ #5 http://openbsd.org/faq/faq5.html#Why
Re: DNS Google ?
Lest I'm mistaken, both serve DNS data, but in different roles. nsd is for serving authoritative zones, not for resolver work. unbound is a resolver. Regards, Rogier
Re: dhclient, resolv.conf
On Thu, Oct 20, 2011 at 20:11, sophia.ort...@googlemail.com wrote: But again, I insist in my first question: how I get that dhclient respect my resolv.conf and do not touch it? If you insist on dhclient not touching resolv.conf and do not want to edit the in-base dhclient-script, you can use the 'script' parameter described in dhclient.conf(5). As a bonus, you get to maintain your changes from then on. I do not see why you prefer editing resolv.conf over dhclient.conf, though, but I trust you have your reasons. Regards, Rogier -- If you don't know where you're going, any road will get you there.
Re: bsd.rd and (automated) upgrading
On Sat, Apr 30, 2011 at 11:54, David Steiner davidsteiner2...@gmail.com wrote: can the upgrade process via bsd.rd be automated? Yes, see e.g. Yaifo. The link came by earlier this week on the list. http://sourceforge.net/projects/yaifo/files/yaifo/4.8/yaifo-4.8.tgz/download Regards, Rogier
Trying to find mfi(4) cards, am I looking for the LSISAS2108 chip?
In short: if I'd like to get a RAID5/6 supporting mfi(4) card, what current LSI/other models would I be looking for? Would that be models with the LSISAS2108 chip?

The mfi(4) manual states the Dell PERC H700 to be a supported mfi(4) card. From the Dell documentation, it seems that card holds an LSISAS2108 chip. Is this the generic LSI chip for this particular line? If so, what generic LSI cards would I be looking for? It would be nice to have more options than just Dell.

Can anyone confirm the following would be mfi(4):
+ MegaRAID SAS 9260-8i [1]
+ MegaRAID SAS 9280-16i4e [2]
+ SuperMicro AOC-USAS2LP-H8iR [3]

Each of these has product pages listing the 2108 chipset, but I'd prefer some confirmation before going the 'try by buying' way. Any insight would be greatly appreciated (including a reality check on my liking mfi(4) over e.g. mpi(4)).

Regards,
Rogier

References:
1. LSI - MegaRAID SAS 9260-8i http://www.lsi.com/channel/products/raid_controllers/megaraid_9260-8i/index.html
2. LSI - MegaRAID SAS 9280-16i4e http://www.lsi.com/channel/products/raid_controllers/megaraid_9280-16i4e/index.html
3. SuperMicro - AOC-USAS2LP-H8iR http://www.supermicro.com/products/accessories/addon/AOC-USAS2LP-H8iR.cfm
Re: ipfm+openbsd 4.6
On Mon, Jan 24, 2011 at 01:10, emigrant emig...@gmail.com wrote:
> ipfm dont work well in openbsd 4.6/4.7/4.8, too much changes in pf?(yes, i use pfaltq+hfsc), any ideas what can i do? go back to 4.5? :)

People here are unlikely to recommend going back in OpenBSD versions. From the first Google hit on IPFM [1], I get the impression you best move away from IPFM as it has not been actively developed for years.

If you're after a simple list of traffic for individual hosts, you may be able to leverage the 'label' keyword in pf.conf(5), especially if it's only a few hosts you're trying to get data for. Such as:

# /etc/pf.conf
hostlist = "{ 127.0.0.1, 192.168.100.15, 192.168.100.30 }"
pass from $hostlist label "traffic-$srcaddr"

# sudo pfctl -vvs labels

Alternatively, look at pflow(4) and a Netflow collector on the other end to see if that's more to your liking.

Regards,
Rogier

References:
1. Google - 'IPFM' http://www.google.nl/search?q=ipfm
Re: network configuration problems
2010/6/19 Jean-François SIMON jfsimon1...@gmail.com: # bash /etc/netstart As others have pointed out, you'll want /bin/sh instead for this case. When in doubt what to use, review the top line in the script you're about to execute and use the shell listed there. WARNING: /etc/hostname.re0 is insecure, fixing permissions It fixes the permissions, so seeing correct permissions afterward means the fix succeeded. See the relevant lines in /etc/netstart if you want to know more how it does that. Regards, Rogier
Re: anyone use these for firewall?
On Tue, Jun 15, 2010 at 17:58, Chris Smith obsd_m...@chrissmith.org wrote: Ran across these Supermicro boxes: http://www.supermicro.com/products/system/1U/5015/SYS-5015A-PHF.cfm If I'm not mistaken it's a system that turned up on the list earlier, including 4.7 dmesg. http://marc.info/?l=openbsd-miscm=127078571618143w=2 http://marc.info/?l=openbsd-miscm=127050936423288w=2 Regards, Rogier -- If you don't know where you're going, any road will get you there.
Re: Stopped at pf_test_rule+0xa87 [again]
On Tue, Mar 9, 2010 at 22:25, Price, Joe jpr...@ceccontrols.com wrote: In summary, it sounds like Henning may have fixed it from this post: http://marc.info/?l=openbsd-cvsm=124955744915786w=2 From the message you quoted and seeing r1.655.4.1, it seems the fixes you refer to made it into 4.6-stable. You may want to run 4.6-stable to fix your problem; see release(8) on how to build that. Also, why didn't this make it to an errata reliability fix? I don't know, but the following could be an explanation. To quote the FAQ [1]: Note, however, that patches aren't made for new additions to OpenBSD, and are only done for important reliability fixes or security problems that should be addressed right away on impacted systems (which is often NOT all systems, depending on their purpose). Regards, Rogier References 1. OpenBSD FAQ 10 http://www.openbsd.org/faq/faq10.html#Patches
Re: any known working configuration of OpenBGPd and CARP ?
On Sun, Mar 7, 2010 at 06:00, PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote: from the network point of view, packets will come from the same MAC an IP address (because of CARP), so ... if BACKUP will just continue to maintain a session, established by MASTER, nobody will even know, 1 sec is nothing in terms of BGP Your just continue sounds a bit optimistic. It could also be called hijacking a session, though you picked a better purpose and much nicer words for it. It's of course possible, since stuff such as MD5 signatures and IPsec exist to thwart that sort of thing. Sounds like a cool idea, though. Regards, Rogier
Re: nmbd does not listen
On Sun, Mar 7, 2010 at 14:31, jean-francois jfsimon1...@gmail.com wrote: Is there some basic configuration I missed to do ? As a quick check, did you start both smbd and nmbd components (ps ax is your friend here) and did you place the necessary lines in /etc/rc.local as per the message you received upon install? If you missed that, see pkg_info(1) and its -M option. Alternatively, review the log files for samba to see what's (not) happening. Regards, Rogier
Re: any known working configuration of OpenBGPd and CARP ?
On Sat, Mar 6, 2010 at 17:26, PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote: no, I want routes exactly to carp. That sounds odd. Routes are something different than what particular host responds to frames directed to a specific hardware address. If I understand the rest of your description correctly, you want only the master bgpd to have sessions and to somehow distribute its routes to the backup(s), with the backups starting with that 'state' and initiate connections to your BGP peers whenever a master goes down. I doubt that'll work. In your scenario, if your master goes down, there are no longer any BGP sessions up with any of your peers. If I'm not mistaken, that will cause them to withdraw the prefixes you previously advertised from their tables and no longer forward traffic to you. When your new master is promoted, it will set up a new session with your peers. This is probably not the sort of failover you want to see happening in production. I suspect that's just one reason why Henning and Claudio made their suggestions. The N sessions for N CARP members allows for your remote peers to maintain a path back towards you and for you to have a working path out. It is very likely the path of least pain and anguish with smooth failover. Unless of course static routing were an option. While not sexy, it's simple (fewer moving parts) and still allows you to use CARP. Regards, Rogier
Re: pf: blocklists
On Thu, Mar 4, 2010 at 14:34, nixlists nixmli...@gmail.com wrote: spamd is great, but I need to filter other traffic. I still wonder how people manage to download and convert blocklists for loading into pf If I understand your question and read the spamd-setup(8) man page correctly, you may want to try your luck with its '-b' option. Or did I misunderstand your question? Besides that, if spamd and spamd-setup work for you, you can use the spamd table in PF to block access to other targets than SMTP. If you want to use the spamd-setup mechanic but not want the data to end up in spamd (and the spamd table), look at its sources and rework it a bit. Often there are syntax errors in the lists, sometimes transfers fail. IOW it's unreliable, and I have to do it manually. If you want to increase reliability of a (vanilla or reworked) spamd-setup succeeding, you can scrape and parse the lists yourself and distribute them locally. You mentioned that sucks too, though I do not directly see why, other than perhaps the work involved or stale list contents (which can be periodically expired as well). I suspect it's easier to treat the latter reliability concerns as a separate issue rather than work it into spamd-setup, but that's just a personal preference, I suppose. Regards, Rogier -- If you don't know where you're going, any road will get you there.
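Added example, not part of the original post and not spamd-setup code: one way to do the "parse the lists yourself" step, covering the two problems raised in the thread (syntax errors in a list, failed transfers). The feed contents, thresholds, table name and file name are all assumptions made for the illustration.

```python
"""Validate a downloaded IP blocklist before it is loaded into a pf table."""
import ipaddress
import os
import tempfile

# Constructed sample input: a feed with comments, a typo, a hostname,
# host bits set in a prefix, an overlapping entry and a far too broad prefix.
SAMPLE_FEED = """\
# constructed sample blocklist
192.0.2.15
198.51.100.0/24   ; trailing comment
198.51.100.77
203.0.113.300
203.0.113.9/29
2001:db8:bad::/48
evil.example.net
0.0.0.0/0
"""

# Hypothetical policy knobs, not taken from any existing tool.
MIN_PREFIX = {4: 8, 6: 16}   # refuse anything broader than a /8 (v4) or /16 (v6)
MAX_REJECT_RATIO = 0.5       # more junk than this: treat the transfer as bad
MAX_SHRINK_RATIO = 0.5       # new list under half the old size: suspicious


def parse_blocklist(text):
    """Return (networks, rejects); rejects are (line_number, entry, reason)."""
    networks, rejects = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip '#' and ';' comments, then surrounding whitespace.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False masks off host bits: 203.0.113.9/29 -> 203.0.113.8/29
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejects.append((lineno, entry, "not an address or prefix"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejects.append((lineno, entry, "prefix too broad"))
            continue
        networks.append(net)
    return networks, rejects


def collapse(networks):
    """Merge duplicates and overlapping prefixes, IPv4 first, then IPv6."""
    merged = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


def build_table(text, previous_count=0):
    """Return (ok, lines, report); lines are ready for a pf table file."""
    networks, rejects = parse_blocklist(text)
    total = len(networks) + len(rejects)
    if total == 0:
        return False, [], "empty download, keeping previous table"
    if len(rejects) / total > MAX_REJECT_RATIO:
        return False, [], "%d of %d entries invalid, keeping previous table" % (
            len(rejects), total)
    merged = collapse(networks)
    if previous_count and len(merged) < previous_count * MAX_SHRINK_RATIO:
        return False, [], "list shrank from %d to %d, keeping previous table" % (
            previous_count, len(merged))
    # Single hosts are written without a /32 or /128 suffix.
    lines = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in merged]
    return True, lines, "%d entries, %d rejected" % (len(merged), len(rejects))


def write_table(lines, path):
    """Write the table file atomically so a reader never sees a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".blocklist.")
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    os.replace(tmp, path)


if __name__ == "__main__":
    ok, lines, report = build_table(SAMPLE_FEED)
    print(report)
    if ok:
        write_table(lines, "blocklist.table")  # hypothetical file name
        # Load it as root, with a hypothetical table called "blocklist":
        #   pfctl -t blocklist -T replace -f blocklist.table
```

A rejected download leaves the previous table file untouched, so a failed or garbled transfer never empties the table on the firewall.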
Re: Core dumps from daemon processes?
Would the following be an improvement for the documentation? Feel free to flame my mdoc(7) skills or lack thereof. Regards, Rogier ### Eclipse Workspace Patch 1.0 #P man5 Index: core.5 === RCS file: /cvs/src/share/man/man5/core.5,v retrieving revision 1.12 diff -u -r1.12 core.5 --- core.5 31 May 2007 19:19:58 - 1.12 +++ core.5 24 Feb 2010 18:57:21 - @@ -158,7 +158,16 @@ .Xr gdb 1 , .Xr pmdb 1 , .Xr setrlimit 2 , -.Xr sigaction 2 +.Xr sigaction 2 , +.Xr sysctl 3 +.Sh CAVEATS +Programs with their set-user-ID bit set will not dump core as a security +precaution. This prevents sensitive information from ending up on disk. +For debugging programs affected by this, refer to +.Xr sysctl 3 +for the +.Li kern.nosuidcoredump +option for how to deal with this. .Sh HISTORY A .Nm
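Review bot: the new CAVEATS section is inserted ahead of ".Sh HISTORY", but mdoc(7) orders the standard sections with CAVEATS after HISTORY and AUTHORS, so the added block should move below the existing HISTORY text. Inside the block, the second sentence starts mid-line after "precaution."; mdoc source conventionally begins each sentence on its own line so the formatter handles sentence spacing. Consider ".Va kern.nosuidcoredump" rather than ".Li", since the text names a variable, and tighten the closing sentence, which currently reads "for the kern.nosuidcoredump option for how to deal with this"; pointing the reader at the variable in sysctl(3) in one clause would be clearer. The comma added after ".Xr sigaction 2" is needed for the extended SEE ALSO list and looks right.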
Re: RAID1 : offline - online (how to?)
On Sun, Feb 21, 2010 at 17:51, Jean-Francois jfsimon1...@gmail.com wrote: Sorry for the so many questions but still manual may not always answer to them. Did you read bioctl(8) and did you try the -R option that man page mentions? It would seem appropriate for your question. How do we make the device become online again ? From a (brief) look at the manual and bioctl.c, I get the impression that providing bioctl -R with the failed chunk (sd0, in your case) should set off a rebuild of your softraid volume (sd2, in your case). I haven't had time to explore softraid in practice yet, so take my advice with a grain of salt. BTW does the same apply for physical drives instead of usb pens ? I would expect 'yes', given that your USB pen attaches as an sd(4). Ripping out a USB pen is not that different from ripping out a regular drive, only easier. Regards, Rogier -- If you don't know where you're going, any road will get you there.
Re: RAID1 : offline - online (how to?)
On Sun, Feb 21, 2010 at 19:47, Jean-Francois jfsimon1...@gmail.com wrote: Seems appropriate in the latest man, but did not appear in my man page. The -R is'nt available in version 4.4 ? any way to proceed ? As far as I know, softraid didn't support rebuilds in 4.4; it was added later. Judging from the man page differences between releases, I'd say it was between 4.4 and 4.5. If you're in for potentially dangerous advice: perhaps rebuilding the array with a later release is possible. You probably want to check with a developer first. Assuming you care for the data on the pens, make a backup before trying anything. Regards, Rogier -- If you don't know where you're going, any road will get you there.
Re: RAID1 : offline - online (how to?)
On Mon, Feb 22, 2010 at 00:03, Jean-Francois jfsimon1...@gmail.com wrote: Making again the test on 4.6 Now I have bioctl: BIOCCREATERAID: Invalid argument however on a another machine. Am I wrong in any point ? The kernel complains about invalid metadata, so that may well stop you from rebuilding your 4.4-softraid array on 4.6. If memory serves me, the format did change in the past. You could try checking old revisions of current.html to see if that's the case (or have someone more knowledgeable confirm it). Is there any need to compile raid into the kernel as I saw here ? http://www.argon18.com/raid_openbsd.html Unlikely, it describes RAIDframe. It describes OpenBSD, reality of about 5 to 6 years ago. That document mentions raidctl(8), for instance. Following example (same method as I first used) I presume your example is a copy-paste without editing and you're still using the USB pens. Given the metadata complaints in dmesg, zeroing out the underlying drive chunks may help. That said, it's just guesswork on my part. Regards, Rogier
Re: multiple qemu hosts, typo
On Tue, Feb 2, 2010 at 15:27, Matthias Pfeifer m...@finance-circle.de wrote: [...] Then the second: snip this gives me a cannot create /dev/tun0: Device busy If I'm not mistaken, you need separate tun(4) devices per qemu instance. The reason for that lies in the device being ready for simultaneous use only by a single process. To quote tun(4): Each device has the exclusive open property; it cannot be opened if it is already open and in use by another process. If I misunderstood, feel free to correct me. Regards, Rogier
Re: Jan 28 snapshot - em0 disappeared
On Mon, Feb 1, 2010 at 07:32, Steve Williams st...@williamsitconsulting.com wrote: I have downloaded the current cvs code and compiled it. It exhibits the same problem, missing em0. It seems to nicely detect the hardware, just not liking its EEPROM contents and stopping initialisation there. While you should take a developer's word over mine, I suppose it's not surprising that ifconfig(8) does not show the hardware. Seeing a few Google searches seems to indicate it's not necessarily an OS problem. While some posts mention an Intel utility (IBAUTIL.EXE) to configure/manage the built-in boot agent, you will probably want to search for the correct NIC model and see which specific version/tool you need. I included a link [1] to the utility a 5 minute cursory search yielded me. Use at your own risk, since I can't really be sure it's the correct one. Regards, Rogier References: 1. Intel Boot Agent BIOS http://downloadcenter.intel.com/Detail_Desc.aspx?agr=YDwnldID=12344ProdId=2775lang=eng
Re: Doubt about updating the ports
On Sat, Dec 26, 2009 at 20:11, Daniel Bareiro daniel-lis...@gmx.net wrote: I'm updating OBSD 4.5-stable to OBSD to 4.6-stable and have a doubt when updating ports using this [1] procedure. The instructions you linked describe how to go from 4.6-release to 4.6-stable, not what you are trying to accomplish (unless you've made a typo). If indeed you are at 4.5 and want to go to 4.6, save yourself considerable trouble and some bashing on misc@ (see the archives for why) and either: - upgrade via the FAQ instructions [1] - wipe/reinstall If you want to go straight to 4.6-stable, get a hold of the -stable file sets through someone you trust. You can use those to upgrade or install a 4.6-stable system. If that's not viable, get the -release sets and follow release(8) to build your own -stable. Good luck, Rogier References: 1. OpenBSD FAQ - Upgrade Guide 4.6 http://www.openbsd.org/faq/upgrade46.html -- If you don't know where you're going, any road will get you there.
Re: Dell Latitude E6400 'sluggish' keyboard response with ACPI enabled
On Sun, Oct 4, 2009 at 00:14, Marco Peereboom sl...@peereboom.us wrote: This fixes it. I need to come up with a way to get this in the tree without breaking IBM T21. Indeed it does. Where I originally noticed the problem very quickly after system startup, it now seems to have disappeared. I still see acpidump segfaulting (but I can't tell whether that's a related issue or not). Tested on GENERIC.MP built this morning. dmesg 4.6-current (Oct. 4, amd64) http://pastebin.com/f605fda4d acpidump 4.6-current (Oct. 4, amd64) http://pastebin.com/f45f19d9d (acpidump still segfaults when run; if desired, I have the core file saved) If I can be of help testing further, please let me know. Thanks for the quick response. Regards, Rogier
Dell Latitude E6400 'sluggish' keyboard response with ACPI enabled
While trying out a Dell Latitude E6400, I notice sluggish keyboard behaviour. This occurs both in 4.5 as well as the Oct. 2 snapshot (-current). In each case, I use the amd64 snapshots. The issues disappear when disabling ACPI via UKC. What I see is the following: some keypresses being 'missed', occasional repeats of keys pressed (though only once). Additionally, I sometimes see a briefly non-responsive mousepad in X. Trying acpidump(8) results in a segfault (and accompanying coredump). Are others seeing this as well? I included dmesg and acpidump output at the links below. Other than that, this laptop seems to work fine (but I wouldn't be surprised if Dell does some undocumented dark magic in its ACPI somewhere). Are others seeing this sort of issue as well or does anyone have a suggestion as to what to try? dmesg 4.6-current (Oct. 2 snapshot, amd64) http://pastebin.com/f40be7a33 acpidump 4.6-current (Oct. 2 snapshot, amd64) http://pastebin.com/f10da9f0c (acpidump segfaults when run; if desired, I have the core file saved) Any insight appreciated, Rogier
Re: mod_mp3 bug or wtf
On Tue, Sep 22, 2009 at 01:56, Andrej Elizarov vigilan...@gmail.com wrote: I found this example: mkdir /var/www/music mkdir -p /var/www/var/www cd /var/www/var/www ln -s /var/www/music music But in this case all mp3s must be inside ServerRoot. Not good. You're essentially offering web content. Arguably, /var/www is a good place for that sort of information to be confined to. If you feel you must plug holes into an essentially sane default, you can try mounting an NFS export containing the desired files somewhere within /var/www. See exports(5), mount_nfs(8) and others for more information. I'm not fully sure whether re-mounting exported data from 'localhost' is a good thing. I have it running at a few places (mainly due to earlier poor planning for /var/www/logs). Hope this helps, Rogier -- If you don't know where you're going, any road will get you there.
Re: Updates to several OpenBSD hosts
On Tue, Jun 23, 2009 at 22:27, Urban Hillebrand m...@urban-online.at wrote: My apologies for being unclear. Those hosts are all on different locations and nets, even belong to different companies. You could try using tools such as cfengine and/or puppet (both are in ports) to have them pull in their configuration from a master host. Preparing the configuration, scripts, install tools and keeping them under version control might work for your purposes. Whether it's worth your effort is up to you. I'd recommend to start simple, to see if you like it. If so, it should free your hands a bit to improve on the system. Perhaps a look at infrastructures.org [1] proves helpful; it was for me. How you want to deploy such a thing with multiple companies etc. may take some thought/checking their policies. Hope this helps, Rogier References: 1. Infrastructures.org - Best practices in automated systems administration [...] http://www.infrastructures.org/
mod_fastcgi and chroot (4.4/amd64)
While trying to get a test Catalyst rig running on my 4.4 machine, I am getting bitten by the chroot(2) feature. Running the following configuration snippet works fine with httpd_flags=-u but yields the following httpd error while using chroot. The machine is a vanilla 4.4-release amd64 box, running the fcgi, mod_fastcgi and p5-Catalyst-* packages. Dmesg included at the end of this message (in the hope that it won't be munged too much).

Essentially, I'm looking for a cluebat. I have a feeling a /var/www/ may be stripped off once too often.

Insight greatly appreciated,
Rogier

r...@monitor:/var/www# tail -fn 10 logs/cat-test/error_log
snip
[Sun Apr 5 14:05:59 2009] [error] [client 172.25.1.150] File does not exist: /cat-test/cat-test.fcgi/

Using the following configuration (included in otherwise unchanged httpd.conf) snippet:

r...@monitor:/var/www# cat conf/cat-test.conf
# FastCGI settings
<IfModule mod_fastcgi.c>
    FastCgiIpcDir /var/www/run
    FastCgiExternalServer /var/www/cat-test/cat-test.fcgi -socket cat-test.sock
</IfModule>

# VirtualHost settings
Listen 172.25.1.150:80
NameVirtualHost 172.25.1.150:80
<VirtualHost 172.25.1.150:80>
    #ServerAdmin webmaster@
    ServerName cat-test.ht-solutions.lan
    #ServerAlias cat-test.ht-network.lan
    DocumentRoot /var/www/cat-test
    Alias / /var/www/cat-test/cat-test.fcgi/
    Alias /cat-test/ /var/www/cat-test/cat-test.fcgi/

    # Rewrite URLs without trailing slash
    #RewriteRule ^/cat-test$ cat-test/ [R]

    # Do not expose CVS directories
    <LocationMatch /CVS/>
        AllowOverride None
        Order deny,allow
        Deny from all
    </LocationMatch>

    # Basic logging
    ErrorLog /var/www/logs/cat-test/error_log
    CustomLog /var/www/logs/cat-test/access_log combined
</VirtualHost>

r...@monitor:/var/www# ls -al /var/www/run
total 12
drwxrwx--- 3 www www 512 Apr 5 13:59 .
drwxr-xr-x 13 root daemon 512 Apr 5 13:52 ..
srwxrwxrwx 1 cat www 0 Apr 5 13:59 cat-test.sock
drwx-- 2 www www 512 Apr 5 10:36 dynamic
Re: mod_fastcgi and chroot (4.4/amd64) [resolved]
On Sun, Apr 5, 2009 at 16:35, Rogier Krieger rkrie...@gmail.com wrote:
> While trying to get a test Catalyst rig running on my 4.4 machine, I am getting bitten by the chroot(2) feature.

While chroot(2) seems to be the issue, the following two things seem to make it work as desired.

Make /var/www/var/www a symlink to /var/www [1]

# cd /var/www
# mkdir var
# cd var
# ln -s .. www

Alter the location for the FastCgiExternalServer directive to read:

FastCgiExternalServer /cat-test/cat-test.fcgi -socket cat-test.sock

All of a sudden I now get my expected starting page. Ironic and humbling to see that the thread contains a post of my own as well ;)

Still, insight and comments appreciated.

Rogier

1. MARC - OpenBSD-misc - Joachim Schipper - Re: ruby on rails derailed [...] http://marc.info/?l=openbsd-miscm=113492193517773w=2

--
If you don't know where you're going, any road will get you there.
Re: 4.4 sshd didn't start
On Mon, Nov 3, 2008 at 21:08, Bryan Irvine [EMAIL PROTECTED] wrote: Should be in rc.conf.local? If I'm not mistaken [1], you will only see a change in /etc/rc.conf.local if you select 'no' for starting sshd by default. To the OP: On Mon, Nov 3, 2008 at 11:28 AM, elflord woods [EMAIL PROTECTED] wrote: and then i add enable_sshd=YES in /etc/rc.local The flag name should probably be sshd_flags and not enable_sshd. When in doubt: look at /etc/rc.conf, but be sure to save changes to /etc/rc.conf.local to survive upgrades, etc. If you do not see sshd(8) starting upon reboot yet have selected 'yes', you would do best to check your logs and see where the problem is. Did you change any files relating to sshd? but then it complains that it could not load host key What message are you getting w.r.t. the host keys? Report what errors you see instead of letting others guess. If e.g. you are trying to write to a read-only location, the (logs of the) boot up sequence may give useful clues. Regards, Rogier References: 1. OpenBSD CVSweb - src/distrib/miniroot/install.sub - r1.436 http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?rev=1.436 -- If you don't know where you're going, any road will get you there.
Re: OpenLDAP
On Mon, Sep 8, 2008 at 09:58, my mail [EMAIL PROTECTED] wrote: so i can use ldap with bdb backends in OpenBSD 4.4 eh? Take a look at the port's Makefile [1] which apparently will be in 4.4-release. Excerpt below to save you the searching. If you intended your remark as sarcasm, it's more likely to pollute the archives rather than help. .if ${FLAVOR:L:Mbdb} BROKEN= OpenLDAP 2.3 is incompatible with Berkeley DB 4.6 If you want to use bdb as a backend, you'll likely have to compile OpenLDAP manually (see Philip Guenther's earlier post [2] in this thread, for instance). For extra credit: provide diffs to update the port to deal with 2.4 :) Cheers, Rogier References: 1. OpenBSD CVSweb - ports/databases/openldap/Makefile (r1.85) http://www.openbsd.org/cgi-bin/cvsweb/ports/databases/openldap/Makefile?rev=1.85content-type=text/x-cvsweb-markup 2. MARC.info - OpenBSD-misc, 'Re: OpenLDAP' by Philip Guenther (2008/09/03) http://marc.info/?l=openbsd-miscm=122046507630763w=2 -- If you don't know where you're going, any road will get you there.
Re: FAQ License?
If I'm not mistaken, there has already been a thread [1] on this, including an explanation [2] of the various considerations involved. 1. MARC.info - OpenBSD-misc - Thread 'BSD Documentation License?' http://marc.info/?t=12061249355r=1w=2 2. MARC.info - OpenBSD-misc - Nick Holland - 'Re: BSD Documentation License?' http://marc.info/?l=openbsd-miscm=120618838928361w=2 -- If you don't know where you're going, any road will get you there.
Re: RAID/Intel Installation Problem
On Wed, Jun 18, 2008 at 12:39 PM, Kenneth R Westerback [EMAIL PROTECTED] wrote: If this is the device you expect to provide disks, the only obvious candidate I see, it is not currently supported in the RAMDISK_CD kernel if at all. From a quick glance at pciide(4), I suppose it should work. That is, it would work *without* the in-BIOS RAID. To the OP: for proper RAID support, best refer to mfi(4), ami(4) or arc(4) if you want bioctl(8) niceness. Maybe softraid(4) will suit your needs too (but see the caveats listed in the man page; trying it out is still on my to do list). Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Got Cerfiticate how to use it. WAS: Re: OpenSSL On Openbsd help
On Sun, Jun 15, 2008 at 9:37 AM, Khalid Schofield [EMAIL PROTECTED] wrote:
> Running openbsd 4.0 and apache 1.3 . I've loads of virtual hosts on apache and I'm now running apache from rc.conf.local with: httpd_flads -u -DSSL .

That probably is a typo and in your rc.conf.local it would read httpd_flags? Besides that, you would probably serve yourself with an upgrade to the latest and greatest (4.3) and do so before you upgrade your web apps.

> Now what? I only want server.crt to be used for one of my virtual hosts.

That will cost you a bunch of IP addresses, one for each distinct SSL virtual host. You could start by not using the _default_:443 virtual host. If you want to make sure none of your other virtual hosts accidentally get served via the https port, place each individual SSL'd virtual host on a separate IP address.

There is not really a way around that. Virtual hosts work by the information from the Host: $virtual_host header being available. For SSL connections, the crypto work needs to be done before you get that information (which requires you to choose your virtual host already to select keys, certificates, etc.).

> I've tried all sorts but it doesn't seem to work when I try to connect to 443.

Have you tried the usual batch of:
+ properly connected cables
+ apache error log upon startup
+ ps output listing the httpd processes
+ netstat output listing you have a listener to the https port
+ firewall rules (tcpdump and pflog0 can come in very handy)

> Also apachectl restart doesn't ask for the certificate password. But a reboot does. apachectl startssl doesn't ask either.

If you're switching to chrooted operation soon, you should probably use stop/start and not restart just to get into the right habit. If httpd does surprising things, you will want to read its error log.

> I've decided to comment out the certificates for the time being.

You don't really want to do that, given that the server will not automagically load the certificates out of thin air. You'll want to make sure that the server can open the files, etc. Again, such is usually listed in your httpd's error log. If you see error numbers that do not directly make sense to you, check with errno(2).

Hopefully this helps tracking down the problem,
Rogier

--
If you don't know where you're going, any road will get you there.
Re: How to HIDE OpenBSD as user-agent?
In hopes of preventing your ending up singed and blackened around the edges...

On Tue, Apr 29, 2008 at 2:18 PM, macintoshzoom [EMAIL PROTECTED] wrote:
> How to HIDE OpenBSD as user-agent? For security reasons it is sometimes interesting to hide GLOBALLY the O.S. you are running on [...]

It is not. As pointed out on these lists countless times now, attackers will throw everything they have and see what (if anything) makes it through. They don't care how they break in, all they want is to use your systems to their ends. Do everyone a favour and stop believing in security through obscurity.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
mpi(4) supporting bio(4)/bioctl(8)?
Dear list,

From the differences in the man pages for ami(4) and mfi(4) vs mpi(4), I get the impression that the niceties of bio(4) are not available to mpi devices. Am I correct in thinking that?

I'm somewhat confused on the matter, given that the NYCBsdCon 2006 slides [1] from Marco Peereboom's talk on Bio and sensors would suggest basic support (p. 28, Supported Hardware) for mpi devices, but browsing around the CVS, I do not find bio.h included for /sys/dev/ic/mpi.c [2] (whereas ami.c and mfi.c do include it [3,4]).

If correct, are there plans or ongoing efforts to make the mpi driver also support bioctl? If not, I know what sort of equipment to avoid on a bunch of new servers.

Thanks in advance,

Rogier Krieger

References:
1. NYCBSDCon 2006 - Marco Peereboom - Bio and Sensors in OpenBSD
   http://www.openbsd.org/papers/bio.pdf
2. OpenBSD CVSweb - /src/sys/dev/ic/mpi.c (rev. 1.92)
   http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/mpi.c?rev=1.92content-type=text/x-cvsweb-markup
3. OpenBSD CVSweb - /src/sys/dev/ic/ami.c (rev. 1.186)
   http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/ami.c?rev=1.186content-type=text/x-cvsweb-markup
4. OpenBSD CVSweb - /src/sys/dev/ic/mfi.c (rev. 1.80)
   http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/mfi.c?rev=1.80content-type=text/x-cvsweb-markup

--
If you don't know where you're going, any road will get you there.
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough).

While your suggestion would work, it would also entail more work without adding benefit. Upon install, you get the question of whether you want to use ntpd. Starting with 4.2, it even asks for a specific NTP server. Using ntpd gets you better synchronisation without the need of setting something up with cron.

Rdate will work, but the work developers put into (further integrating) ntpd makes rdate appear rather ... outdated.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Chris Kuethe [EMAIL PROTECTED] wrote:
> Rdate provides a single valuable service: the ability to poll a device to see what time it thinks it is (ie. probing the health of my time servers).

Good point; I should probably add that to my monitoring setup.

Thanks for the suggestion,

Rogier.

--
If you don't know where you're going, any road will get you there.
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> It's always better to don't run a demon if you don't have to. :)

That sort of remark has often started endless debates. :)

For me, trusting rdate to provide time or using ntpd for it is pretty much the same, but feel free to disagree. There are no risk-free activities. In my book, ntpd gets the job done with less administrative work and it's made by the same people I trust to provide me with a sensible and secure system.

> Talking about a more work If using site.tgz this sort of thing is rather a moot point. Anyway, for the last five years no version of OBSD (including 4.2) worked for me without tuning a kernel, so an extra line in a crontab is nothing. :)

If you haven't already, it might be wise to track the issue and report it. Most of my things requiring post-install kernel config got fixed over the next release, so I'm a happy camper.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens
On 7/10/07, Rogier Krieger [EMAIL PROTECTED] wrote:
> If my clients (MIT KfW, SecureCRT) attempt GSSAPI authentication, [...] OpenSSH does not obtain any AFS token, forcing me to run afslog manually.

Or put such a command in /etc/ssh/sshrc, as hinted at in sshd(8). This seems to work in that it provides me with tickets/tokens for both the Kerberos and GSSAPI cases.

The above seems a bit of a workaround, but I can live with that. I'll see if I can reproduce this on my 4.1 boxes. If so, I'll report back to the OpenSSH list, since it strikes me as odd that a session would do different things (whether or not to obtain an AFS token) based on how the Krb5 TGT was obtained (password verification or transferred by GSSAPI).

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens
Dear list,

While fiddling around to move my home directories onto AFS, I notice a bit of interesting behaviour. At a first glance, everything seems just fine. When logging in through the Krb5 mechanism (as defined in login.conf), OpenSSH nicely obtains an AFS token for me. Use case: Windows SSH client entering a username/password upon connecting.

The following scenario, however, does not get me AFS tickets in my shell: obtaining Krb5 credentials on the client and logging into OpenSSH through GSSAPI. Although logging in seems to have nicely transferred my Krb5 ticket, OpenSSH does not obtain an AFS token for me. Running afslog manually fixes this, but I would greatly prefer to have afslog run automatically.

Browsing the archives, I gather GSSAPI and Kerberos are treated differently, but I cannot distill a solution from the results. Is there any?

I'm presently thinking of ways to get 'afslog' to run after the GSSAPI login is completed. Would the 'approve' stanza in login.conf and a small work for this purpose? Reading the manual, I do get the feeling approve wasn't meant for this sort of thing, but I figured to best ask here for some good advice. Insight or a good cluebat are most appreciated.

I'm thinking along the lines of:

(in /etc/login.conf)
    :approve=/usr/local/bin/auto-afslog:\
    :approve-ftp=/usr/local/bin/auto-afslog:\

(for the script)
    #!/bin/sh
    AFSLOG=/usr/bin/afslog
    ${AFSLOG} -p ${HOME}

For a ${HOME} based in AFS filespace. If ${HOME} were to be outside AFS file space, I wouldn't mind the login to fail, since that would be a worthwhile incident to investigate.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens
As someone kind made me realise in an off-list reply, I should have included my sshd_config on the machine in question. I should further note that it is a 3.9-stable machine (although I did not spot changes relating to the OpenSSH behaviour regarding GSSAPI for the versions included with 4.0/4.1).

The following parameters differ from the stock sshd_config (the complete file is at the bottom of this message):

    KerberosAuthentication yes
    KerberosGetAFSToken yes
    GSSAPIAuthentication yes
    X11Forwarding yes

The above lines allow me to enter a username/password combination to login (after which OpenSSH properly obtains the AFS tokens for me). As I said, this bit works nicely.

If my clients (MIT KfW, SecureCRT) attempt GSSAPI authentication, OpenSSH properly obtains the Krb5 TGT (with the same end time as the one listed in my MIT KfW) and lets me login. In the GSSAPI case, however, OpenSSH does not obtain any AFS token, forcing me to run afslog manually.

Hence my original question: can/should I use login.conf(5)'s 'approve' stanza and a special script to run the afslog for me to get my AFS tokens in order for the GSSAPI case?

Cheers,

Rogier

# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
KerberosAuthentication yes
#KerberosOrLocalPasswd no
KerberosGetAFSToken yes

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

--
If you don't know where you're going, any road will get you there.
Re: spamd
On 6/4/07, Edgars Makra [EMAIL PROTECTED] wrote:
> With one such non passable smtp server admin we tested it via phone. He said that prompt is very slow (as it should be), then he got 451 Temp error. After 5, 15, 30 and 60 minutes he retried, nothing :(

If you tried connecting by manually performing an SMTP conversation, be sure to connect from a constant IP address and be especially careful to send exactly the same information for the MAIL FROM and RCPT TO commands. A simple typo can mess up your test and explain your problem.

To prevent typing mistakes, you may want to consider scripting a test, e.g. by using nc(1) and a constant SMTP conversation. Be sure to make it a proper SMTP conversation, too, given Bob Beck's remark earlier in this thread.

Hope this helps,

Rogier

--
If you don't know where you're going, any road will get you there.
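
A scripted form of the test suggested above, as an added example that is not part of the original post: it replays one fixed HELO / MAIL FROM / RCPT TO / DATA sequence so every retry presents identical values, and reports where the server first defers. It is written in Python rather than nc(1); the host names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import socket
import sys

# Constructed placeholder values: keep them constant across retries.
HELO = "mx.example.org"
MAIL_FROM = "sender@example.org"
RCPT_TO = "rcpt@example.net"


def read_reply(rfile):
    """Read one SMTP reply; continuation lines use 'NNN-'. Return (code, text)."""
    text = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        text.append(line[4:])
        if line[3:4] != "-":  # 'NNN ' (or a bare 'NNN') ends the reply
            return int(line[:3]), " ".join(text)


def probe(sock, helo=HELO, mail_from=MAIL_FROM, rcpt_to=RCPT_TO):
    """Run the fixed conversation on a connected socket.

    Returns a list of (command, reply code) pairs and stops at the first
    4xx/5xx reply. No message body is ever sent: if DATA is accepted (354)
    the caller simply closes the connection.
    """
    rfile = sock.makefile("rb")
    results = [("<banner>", read_reply(rfile)[0])]
    commands = [f"HELO {helo}", f"MAIL FROM:<{mail_from}>",
                f"RCPT TO:<{rcpt_to}>", "DATA"]
    if results[0][1] < 400:
        for cmd in commands:
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            code, _ = read_reply(rfile)
            results.append((cmd, code))
            if code >= 400:
                break
    if results[-1][1] != 354:
        sock.sendall(b"QUIT\r\n")
    return results


def first_deferral(results):
    """Return the first (command, code) with a 4xx code, or None."""
    for cmd, code in results:
        if 400 <= code < 500:
            return cmd, code
    return None


if __name__ == "__main__":
    # Usage: script.py <mail-server> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    with socket.create_connection((host, port), timeout=300) as s:
        outcome = probe(s)
    for cmd, code in outcome:
        print(code, cmd)
    print("deferred at:", first_deferral(outcome))
```

Run it from the same source address for each retry; the generous timeout leaves room for a deliberately slow server.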
Re: pf.conf settings
On 5/28/07, Woodchuck [EMAIL PROTECTED] wrote:
> I wonder if this setup will allow you to do dhcp. Probably during boot, (before it takes effect, when the rules in /etc/rc are active), but afterwards, not.

Typically, dhclient(8) uses the bpf(4) devices and is not troubled by PF's ruleset. If I'm not mistaken, this behaviour is hinted at in the man page.

> This might be an issue. I dunno how dhcp communicates, don't use it myself.

If you're interested, you may want to see RFC 2131 and RFC 2132. In short: DHCP uses UDP datagrams to/from ports 67 and 68. Typically, conversations start with a discovery (broadcast by the client). An active DHCP server may then provide a lease offer. Normally, the client requests the address listed in the offer. If all goes well, the server acknowledges the request.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
FFS panic on 4.0-release and fsck_ffs troubles (SATA drive on SiI3112)
On an older piece of hardware (PII-300) running 4.0-release running local storage at my parents', I experience FFS-related panics when writing files to the secondary HDD [wd1] (connected to a separate SATA controller [pciide1]). Since I lacked a console cable, I copied the trace and ps information by hand.

I see the following panic:

start = 0, len = 7547, fs = /storage
panic: ffs_alloccg: map corrupted
Stopped at Debugger+0x4: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!

ddb> trace
Debugger(d0716864,1,daf72ae0,1d7b,0) at Debugger+0x4
panic(d06737d6,0,1d7b,d0bc48d4,40) at panic+0x63
ffs_freefile(d0bc4800,d74ea000,ebd0,8,0) at ffs_freefile+0x5b6
ffs1_blkpref(d3cdf4a8,d3de2f2c,0,4000,d3cdf4fc) at ffs1_blkpref+0x843
ffs1_blkpref(d3cdf4a8,17b,0,4000) at ffs1_blkpref+0x7e4
ffs1_blkpref(d3cdf4a8,13a,18c06c8,4000,d03fcba0,20,d3dbd500,0) at ffs1_blkpref+0x1ec
ffs_alloc(d3cdf4a8,0,18c06c8,4000,d3dbd500,daf72ca4,d0b203c0,d3c79198) at ffs_alloc+0x116
ffs1_balloc(d3cdf4a8,0,0,4000,d3dbd500,0,daf72ddc,4000) at ffs1_balloc+0x4a4
ffs_write(daf72e08,d3ce0924,30042,d3c73448,d07173c0) at ffs_write+0x240
VOP_WRITE(d3ce0924,daf72e98,1,d3dbd500,d3ce0924,20002,d3c73448,2) at VOP_WRITE+0x34
vn_write(d3da09a0,d3da09bc,daf72e98,d3dbd500) at vn_write+0x89
dofilewrite(d3c73448,4,d3da09a0,86e3d000,4) at dofilewrite+0x71
sys_write(d3c73448,daf72f68,daf72f58,4,b0) at sys_write+0x47
syscall() at syscall+0x2ea
--- syscall (number 4) ---
0x1c1ba69:

ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
*26380 17275 17275 070x6rsync
172757353 17275 03 0x408eselect rsync
735324867353 03 0x4086pause ksh
2486 204262486 10013 0x4086pause ksh
20246 10313 10313 10013 0x185select sshd
10313 14793 10313 03 0x4084netio sshd
2831 12831 030x40184select sendmail
10501 1 1 03 0x4084ttyopn getty
25497 1 25497 03 0x4086ttyin getty
16601 1 16601 03 0x4086ttyin getty
13493 1 13493 03 0x4086ttyin getty
1360 11360 03 0x4086ttyin getty
32381 1 32381 03 0x4086ttyin getty
30314 1 30314 03 0x84select cron
8100 18100 03 0x85select nmbd
30863 22543 22543 03 0x185pause smbd
22543 1 22543 03 0x185select smbd
14793 1 14793 03 0x84select sshd
7408 17408 03 0x184select inetd
20959 1 20959 713 0x184kqread ftp-proxy
7102 17102 773 0x184polldhcpd
28523 1 28523 03 0x84pollntpd
16441 1 16441 833 0x184pollntpd
972636793679 683 0x184select isakmpd
3679 13679 03 0x84netio isakmpd
148613171317 703 0x184select named
1317 11317 03 0x184netio named
17875 30083 30083 743 0x184bpf pflogd
30083 1 30083 03 0x84netio pflogd
8979 28885 28885 732 0x184syslogd
28885 1 28885 03 0x8cnetio syslogd
18547 1 18547 773 0x184polldhclient
3186 1 11906 03 0x86polldhclient
13 0 0 03 0x100204crypto_wa crypto
12 0 0 03 0x100204aiodonedaiodoned
11 0 0 03 0x100204syncer update
10 0 0 03 0x100204cleaner cleaner
9 0 0 03 0x100204reaper reaper
8 0 0 03 0x100204pgdaemon pagedaemon
7 0 0 03 0x100204pftmpfpurge
6 0 0 03 0x100204wait wskbd_hotkey
5 0 0 03 0x100204usbtsk usbtask
4 0 0 03
Re: Problem: Raid mounting root as read-only, and not from the partition desired...
On 4/7/07, Merp.com Volunteer [EMAIL PROTECTED] wrote:
> I used the directions from eclectica here: http://www.eclectica.ca/howto/openbsd-software-raid-howto.php

To be blunt: you are using old (3.7) instructions that are not from the OpenBSD project, that involve compiling your own kernel (see the FAQ on that [1]), that you do not fully follow either. Why do you expect help on misc@ (instead of contacting the author of your instructions)?

> My partitioning scheme is a little different, and maybe that's part of the problem. I'm trying to have it setup as:
> /raid0a = /boot
> /raid0d = /

Why do you want a separate /boot? If the answer to that question is: It works that way on my Linux system alarm bells should go off, prompting you to read the documentation. If I misinterpreted things here, please say so.

The 'a' partition is for your root. Using it for /boot (which is a single file on OpenBSD, not a directory) is bound to get you strange results. The raidctl(8) manual, for instance, is quite clear on that (see the -A root option).

Your easiest option would be to acquire a decent RAID card (the ami(4), mfi(4) or mpi(4) cards come to mind) and perform a regular install. Granted, doing so costs money and I do not know your budget. Given your sender address, the choice probably depends on the scarcer of the two: volunteers or money. If others will need to maintain the system after you're involved, spending money to save them time later may be well worth it.

If you want to continue on RAIDframe (which is a fine product, but requires more skills from you), I suggest you rethink your partition scheme and make raid0a the root partition. In fact, I would recommend starting from scratch and with the documentation to figure out a proper procedure. You're likely to come out with a better understanding of the system.

Please document your entire setup (and recovery) procedure for posterity and fellow volunteers to come. They *will* need it at some point in time. If you are not planning to do documentation, better rethink the whole effort.

Cheers,

Rogier

References:
1. OpenBSD FAQ - Why do I need a custom kernel?
   http://www.openbsd.org/faq/faq5.html#Why
Re: bcw(4) is gone
On 4/6/07, Andris Delfino [EMAIL PROTECTED] wrote:
> What's wrong? They protect their license. Period.

No one seems to dispute the right of copyright holders to protect their licence. That said, there are more ways than one to protect one's licence. It hardly seems unreasonable to privately contact the developer in question before going public, as seems to be the custom in many other suspected licence issues.

Choosing to first send a private message would likely have remedied any issues, both quickly and with a lot less fallout. Too bad that that didn't happen.

Rogier
Re: Problems with X11 traffic over ssh in pf.conf
On 3/23/07, carlopmart [EMAIL PROTECTED] wrote:
> Do I need to open additional ports or protocols??

Not so much additional ports or protocols, but are you sure you enabled X11 forwarding? A few suggestions for things to check:
+ in /etc/ssh/sshd_config, did you enable 'X11Forwarding' ?
+ for the ssh client(s), did you choose to enable X11 forwarding?

In ssh, you can use either the -X command line option or use settings to that effect in your config file (see ssh_config(5) for more info).

Hope this helps,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: Problems with X11 traffic over ssh in pf.conf
On 3/23/07, carlopmart [EMAIL PROTECTED] wrote:
> My problem is wih pf rules. If I put on pf.conf pass all, all works ok.

Then the easiest debugging feature is doing a tcpdump on pflog0 for blocked packets. Assuming (without your pf.conf, it's hard to guess) you use a default block, add a log clause to that line. Blocked packets will then show up on tcpdump.

$ sudo tcpdump -n -e -vv -ttt -i pflog0

Hope this helps,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: ldap authentication troubles
On 2/21/07, Vijay Sankar [EMAIL PROTECTED] wrote:
> On Wednesday 21 February 2007 10:22, Rogier Krieger wrote:
>> Personally, I'm having trouble using login-ldap with my local(host) LDAP server using SSL.
>
> snip
> ftl2# more /etc/openldap/ldap.conf
> snip
> TLS_CACERT /etc/ssl/certs/ca.crt

The TLS_CACERT setting did the trick for me. Things work just fine now. Thank you for that pointer. I knew I was missing something :)

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: ldap authentication troubles
On 2/21/07, L. V. Lammert [EMAIL PROTECTED] wrote:
> PMFJI, but could you clarify that? Requiring local accounts totally defeats the purpose of an LDAP server.

Yes, it does. In fact, it is clearly documented in the login-ldap port materials. You may get around said local accounts requirement if you can create an LDAP-NIS gateway that the OpenBSD machine can talk with. At present, I do not believe one is available for OpenBSD-based systems.

> What apps have you found do NOT work properly with LDAP?

Personally, I'm having trouble using login-ldap with my local(host) LDAP server using SSL. It refuses to connect and I can't find where the problem lies. But since the two run on the same server, I manage to live with unsecured connections.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: spamd unnecessarily abrasive?
On 2/20/07, J Moore [EMAIL PROTECTED] wrote:
> I was under the impression that spamd was supposed to politely defer connections from unknown/greylisted hosts.

Given the '451' response in the SMTP conversation, it is a relatively polite and benign way to defer connections. I doubt a sending MTA will feel too heartbroken over the accompanying text ;)

Humans shouldn't be connecting to port 25 in any case, unless when they know what they're doing (and know why they're connecting). End user connections are what the submission port (589) is for.

For port 589, I recommend the administrator set his MTA software to a warm and friendly greeting, with a stern message upon failed authentication. That bit, however, falls outside the scope of spamd.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: spamd unnecessarily abrasive?
On 2/20/07, Jimmy Mdkeld | Loopia AB [EMAIL PROTECTED] wrote:
> Rogier Krieger wrote:
>> End user connections are what the submission port (589) is for.
>
> # grep submission /etc/services
> submission 587/tcp
> submission 587/udp

As I meant to say, port 587 ;) Apparently, it is time for my coffee break.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: pf rules
On 2/12/07, Artyom Goryainov [EMAIL PROTECTED] wrote:
> block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80

You will probably want to see the PF FAQ [1] on this, specifically the section on Lists and Macros. It tells you why you should use tables for this purpose. The list expands to a set of separate single rules, for !$me and !$mynet respectively.

To quote from the FAQ:

    Beware of constructs like the following, dubbed negated lists, which are a common mistake:

    pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }

    While the intended meaning is usually to match any address within 10.0.0.0/8, except for 10.1.2.3, the rule expands to:

    pass in on fxp0 from 10.0.0.0/8
    pass in on fxp0 from !10.1.2.3

References:
1. PF FAQ - Lists and Macros
   http://www.openbsd.org/faq/pf/macros.html

--
If you don't know where you're going, any road will get you there.
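
The effect of that expansion on the quoted block rule, worked through as an added example that is not part of the original post or of PF itself: a small Python model that evaluates the negated list (one rule per entry) against a single negated table for a few source addresses. The addresses standing in for $me and $mynet are constructed documentation ranges, and the table name <allowed> in the comment is hypothetical.

```python
import ipaddress

# Constructed sample values standing in for the poster's $me and $mynet macros.
ME = "192.0.2.10"
MYNET = "198.51.100.0/24"


def _matches(addr, entry):
    """True if addr falls inside entry (a single host or a CIDR network)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(entry)


def negated_list_blocks(addr, entries):
    """Model of: block in quick ... from { !a, !b }

    The list expands to one rule per entry ("from !a", "from !b"), and with
    'quick' the first rule that matches decides. The packet is therefore
    blocked as soon as it differs from ANY single entry.
    """
    return any(not _matches(addr, e) for e in entries)


def negated_table_blocks(addr, entries):
    """Model of the table form (table name is a hypothetical example):

        table <allowed> { $me, $mynet }
        block in quick on $ext_if proto tcp from !<allowed> to $ext_if port 80

    One rule, matching only when addr is in NONE of the table entries.
    """
    return not any(_matches(addr, e) for e in entries)


def compare(addrs, entries=(ME, MYNET)):
    """Return {addr: (blocked_by_negated_list, blocked_by_negated_table)}."""
    return {a: (negated_list_blocks(a, entries),
                negated_table_blocks(a, entries)) for a in addrs}


if __name__ == "__main__":
    samples = [ME, "198.51.100.20", "203.0.113.7"]  # me, a $mynet host, an outsider
    for addr, (as_list, as_table) in compare(samples).items():
        print(f"{addr:15} negated list: {'block' if as_list else 'pass':5} "
              f"negated table: {'block' if as_table else 'pass'}")
```

With these values the negated list blocks all three sources, including $me and the $mynet host, while the table form blocks only the outsider.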
Re: The OACK Project
On 1/24/07, Jonathan Eifrig [EMAIL PROTECTED] wrote:
> tftpd[]: oack: Permission denied

That may have something to do with *file* permissions. Quoting tftpd(8):

    The use of tftp(1) does not require an account or password on the remote system. Due to the lack of authentication information, tftpd will allow only publicly readable files to be accessed.

Are the files you're trying to serve world-readable?

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: ODBC repost...
On 1/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> We would then like to access that data from our mainframe via ODBC to retrieve the records.

Since it's not really clear to me what you intend to do, I am assuming the following:
+ Your mainframe runs a Windows platform
+ Your OpenBSD machine serves as a database server
+ You're going for PostgreSQL on your OpenBSD machine as your database choice

In that case: install the ODBC plugins available from postgresql.org onto your Windows machine. Set up an ODBC link and retrieve the data from PostgreSQL through that ODBC link.

You shouldn't need to install an ODBC package onto your OpenBSD machine: installing on your Windows mainframe should suffice. All you'd need to install onto your OpenBSD machine is the PostgreSQL package.

Hope this helps,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: PHP5 install error
Just a quick guess.

On 11/30/06, Brendan Grossman [EMAIL PROTECTED] wrote:
> Can't install php5-core-5.1.4p1-hardened because of conflicts (php5-core-5.1.4p1)

Try to delete the conflicting package (php5-core) first. You already seem to have it installed, blocking the installation for your differently flavoured package.

# pkg_delete php5-core

Then give your original command another try.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: Building 4.0 problem
On 11/2/06, Josh [EMAIL PROTECTED] wrote:
> Following the man release page [...]

Could you elaborate on what branch (-release, -stable, -current) and version you're trying to build 4.0 on? And of course: which 4.0 branch are you trying to build?

If it's not working, try the regular binary upgrade or snapshots. The regular bits of documentation (upgrade guide, tracking -current) still apply, of course.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: openbsd mobile question?
This *really* is something you should have looked up in the archives. Browse those for more information. The archive is your friend.

On 10/16/06, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
> does openbsd 4.0 supports intel ac'97 modem and intel ipw2200 on laptop?

In short: don't expect Winmodems to work and see iwi(4).

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: best hardware plattform for openbsd
On 10/13/06, Toni Mueller [EMAIL PROTECTED] wrote:
> Thanks for pointing me to bioctl - I was unaware about that - but I don't offhand see how I could eg. collect SMART status on the drives hanging off such a card.

IIRC, you cannot collect the SMART status on individual drives. Personally, I don't really mind as I'm not a big fan of SMART. Having seen drives that showed no issues in SMART, right up to the point of dying, is bound to change one's perspective.

> Since the machines may very well be not in reach, I don't fancy beeping or blinking drive enclosures. I need log entries instead.

The logical disk status on ami(4) devices can also be polled through sensorsd(8). Perhaps I should also have mentioned that bit. If you want individual drive statistics, I suppose you would want to parse bioctl(8) output. I also recommend you take a quick look at sensorsd.conf(5).

The above works for me, but of course your requirements may be different.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: best hardware plattform for openbsd
On 10/13/06, Toni Mueller [EMAIL PROTECTED] wrote:
> [...] whether I should stick with RAIDframe [...] or if I should go for hardware RAID instead [...]

Personally, I find using hardware RAID a lot easier. You can stick with GENERIC kernels and have fewer problems on installing/upgrading. For me, that's worth the extra cash spent on hardware.

> [...] and fly blind (or which ways do I have to monitor the health status of disks and RAID [...] w/o disrupting normal operation?).

Using bioctl(8), I find that you're far from blind. Stick with the LSI ami(4) or mfi(4) gear or Areca arc(4) cards if you want to use bioctl. IIRC, arc(4) made it to the 4.0 release, but I have yet to try out one of those cards.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
persistent fsck error on newly newfs'ed filesystem [BLK(S) MISSING IN BIT MAPS]
On one of my older P2 machines (running 3.9-stable), I seem to have a very persistent fsck error: BLK(S) MISSING IN BIT MAPS. Regardless of whether or not I choose to salvage these, I keep getting the error below.

The error occurs on an unmounted file system. After choosing to salvage, seems to complete normally. Running it again yields the same missing blocks message.

Expecting user error, I emptied the drive using dd, ran fdisk -i and re-created the disklabel using the built-in editor (disklabel -E). Even on a newly newfs'ed filesystem, the problem persists.

If anyone could shed some light on what is going wrong, I would greatly appreciate it. Cluebats are equally welcome. Output for fsck, fdisk, disklabel, /etc/fstab and dmesg are all included below. If I should provide other info, please let me know.

Cheers,

Rogier

[EMAIL PROTECTED]:/# fsck -fy /backup
** /dev/rwd1e
** File system is already clean
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
BLK(S) MISSING IN BIT MAPS
SALVAGE? yes
1 files, 1 used, 41280687 free (15 frags, 5160084 blocks, 0.0% fragmentation)
* FILE SYSTEM WAS MODIFIED *

[EMAIL PROTECTED]:/# fdisk wd1
Disk: wd1 geometry: 30401/255/63 [488392065 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
#: idC H S -C H S [ start: size ]
0: 000 0 0 -0 0 0 [ 0: 0 ] unused
1: 000 0 0 -0 0 0 [ 0: 0 ] unused
2: 000 0 0 -0 0 0 [ 0: 0 ] unused
*3: A60 1 1 - 30400 254 63 [ 63: 488392002 ] OpenBSD

[EMAIL PROTECTED]:/# disklabel wd1
# Inside MBR partition 3: type A6 start 63 size 488392002
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: ST3250820AS
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 488397168
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0 # microseconds
track-to-track seek: 0 # microseconds
drivedata: 0

16 partitions:
# sizeoffset fstype [fsize bsize cpg]
a: 102406563 4.2BSD 2048 16384 328 # Cyl 0*- 1015
b: 3973473 484418592swap # Cyl 480574 -484515*
c: 488397168 0 unused 0 0 # Cyl 0 -484520
d: 1048320 1024128 4.2BSD 2048 16384 16 # Cyl 1016 - 2055
e: 167772528 2072448 4.2BSD 2048 16384 328 # Cyl 2056 -168496
h: 115343424 169844976 4.2BSD 2048 16384 16 # Cyl 168497 -282924
i: 167772528 285188400 4.2BSD 2048 16384 16 # Cyl 282925 -449365
j: 10486224 452960928 4.2BSD 2048 16384 16 # Cyl 449366 -459768
k: 20971440 463447152 4.2BSD 2048 16384 16 # Cyl 459769 -480573

[EMAIL PROTECTED]:/# cat /etc/fstab
# System drive (WD Caviar 6 GByte IDE)
/dev/wd0a / ffs rw 1 1
#/dev/wd0d /altroot ffs xx 0 0
/dev/wd0e /var ffs rw,nodev,nosuid 1 2
/dev/wd0f /var/log ffs rw,nodev,nosuid 1 2
/dev/wd0g /usr ffs rw,nodev 1 2
/dev/wd0h /data ffs rw,nodev,nosuid 1 2
#
# Secondary drive (Seagate 250 GByte S-ATA)
/dev/wd1d /altroot ffs xx 0 0
/dev/wd1e /backup ffs rw,nodev,nosuid 1 2
/dev/wd1h /home ffs rw,nodev,nosuid 1 2
/dev/wd1i /storage ffs rw,nodev,nosuid,noexec 1 2
/dev/wd1j /var/www ffs ro,nodev,nosuid,noexec 1 2
/dev/wd1k /var/squid ffs ro,nodev,nosuid,noexec 1 2

[EMAIL PROTECTED]:/# dmesg
OpenBSD 3.9-stable (GENERIC) #9: Sun Sep 3 17:34:41 CEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 301 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 133799936 (130664K)
avail mem = 115363840 (112660K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c4) BIOS, date 03/22/98, BIOS32 rev. 0 @ 0xfb4f0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb968
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf10/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 Intel
Re: mount_null replacement?
On 10/4/06, G 0kita [EMAIL PROTECTED] wrote: I notice mount_null was dropped as of OpenBSD 3.8, can someone tell me first of all why this was done [...] Various comments to the likes of 'turd polishing' can be found in the misc@ archives. IIRC, the developers gave up on this piece of functionality as it just wouldn't work reliably. See the archives and commit logs for a more detailed description. Specifically I'm looking to have a writable directory mounted read-only in another location. As another poster suggested, you can probably get away with local NFS mounts. Those have worked for me since 3.8, although I never put them to anything resembling a stress test. YMMV. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: NIS server
On 10/3/06, Joachim Schipper [EMAIL PROTECTED] wrote: [...] note that at least OpenBSD can authenticate directly against LDAP, using sysutils/login_ldap. Personally, I suspect the OP has a specific interest in implementing NIS. Through NIS, OpenBSD can obtain the information it would otherwise get from the password file (i.e. user entries). IIRC, there is no alternative 'nsswitch-like' tool available for OpenBSD. If I'm wrong on this, feel free to correct me (you'd make me happy). As nice a tool as login_ldap may be, it still requires you to add such entries, limiting scalability. Unfortunately, I do not know of an LDAP-based NIS working on OpenBSD, so this probably isn't too much help to the OP either. Sorry for wasting the bandwidth. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: OpenBSD Paypal used against User Agreement?
On 9/30/06, Karel Kulhavy [EMAIL PROTECTED] wrote: The PayPal service may not be used solely for the purpose of transferring money from one individual to another without an underlying transaction for the sale of goods or services. It's a payment model to allow a twice-yearly (update of) release of your favourite software to take place. For the specific transaction, you buy a spot with your name on it on the donations page. If you're still uncertain, order a few CD's and wrapping (T-shirts). Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: bioctl(8) and ami(4)
On 9/15/06, Darrin Chandler [EMAIL PROTECTED] wrote: [...] mostly I'm looking for a cluestick about bioctl. AFAIK, this has to do with bugs in the 3.9 bioctl that were fixed in -current a while ago. The following two threads came up in the archives: LSI MegaRaid non-hotspare http://marc.theaimsgroup.com/?t=11481358623r=1w=2 Unable to set Hot Spare on MegaRAID 300-8x http://marc.theaimsgroup.com/?t=11516052231r=1w=2 Hope these help, Rogier -- If you don't know where you're going, any road will get you there.
Re: How to update httpd without a compiler
On 8/23/06, Juha Saarinen [EMAIL PROTECTED] wrote: On 8/23/06, Nico Meijer [EMAIL PROTECTED] wrote: Set up another, non-production, box with 3.9 and build -stable on that. snip Seems a slightly cumbersome way to deal with security issues which may be urgent, but perhaps that's just me? Building -stable on a suitable host does not take too long, so I suppose time constraints will not bite you too often. Regarding your comment on the process being cumbersome: you use the same update process as you do for your twice-yearly updates. In this case, you do not even have to update your configuration in /etc. I find the process rather easy and the process scales relatively well to accommodate larger number of machines. If you're working with a single machine, perhaps applying patches to -release is easier than building -stable. I used to do so before I obtained a build host. The OP will need a compiler for that, though. An alternative may be binpatch (see the archives), but I haven't tried that piece of software yet. IIRC, quite a few people are happy with that, so it may be worth your while. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: spamd and TLS on port 25
On 8/10/06, Will H. Backman [EMAIL PROTECTED] wrote: Am I correct in assuming that spamd and TLS on port 25 don't get along? Given a mail server (or MUA) that is configured to require TLS on a port it connects to, it will likely have a problem with any other end not offering TLS capability. This is hardly spamd-specific. However, the above is unlikely to be the case. Some sites may attempt to set up TLS, but IIRC, they only do so if their counterpart advertises that capability. Note that spamd doesn't advertise that capability, so there should be no problem. Capability advertisement takes place after the EHLO stage. I have never seen any capabilities offered by spamd. It just does what it's supposed to do (and no more): let valid mail servers through to your real MTA. Once the connection passes through to your real MTA, the rules of engagement for your real MTA apply. By then, spamd is out of the picture. Upon issuing EHLO to that server, it should return the supported service extensions. As a side note: if you intend to let users submit mail, you'd best use a different port. Ports such as 587 (negotiate STARTTLS) or port 465 (TLS by default). You wouldn't even be dealing with spamd then. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
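Added example, not part of the original post: the post's point is that a sending server only attempts TLS when its counterpart advertises STARTTLS in the EHLO reply. The Python sketch below parses a multi-line EHLO reply and derives that decision for an opportunistic and a TLS-requiring sender; the sample replies, host names and function names are constructed for illustration.

```python
import re

# One SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(raw):
    """Parse a (possibly multi-line) EHLO reply.

    Returns (code, greeting, extensions) where extensions maps each
    advertised keyword (upper-cased) to its list of parameters.
    """
    code = None
    texts = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        m = _REPLY_LINE.match(line)
        if m is None:
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed mid-reply: %r" % line)
        texts.append(m.group(3))
        if m.group(2) == " ":
            break  # a space after the code marks the final line
    else:
        raise ValueError("reply has no terminating line")

    extensions = {}
    for text in texts[1:]:  # first line is the server's greeting, not a keyword
        parts = text.split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return int(code), texts[0], extensions


def tls_decision(raw_reply, require_tls):
    """Decide what a sending client does after EHLO.

    "starttls"  - peer advertises STARTTLS, so negotiate it
    "plaintext" - peer does not advertise it and TLS is optional
    "fail"      - peer does not advertise it but local policy requires TLS
    """
    code, _greeting, extensions = parse_ehlo_reply(raw_reply)
    if code != 250:
        return "fail"
    if "STARTTLS" in extensions:
        return "starttls"
    return "fail" if require_tls else "plaintext"


# Constructed sample replies (not captured from real servers).
REPLY_NO_EXTENSIONS = "250 mx.example.net\r\n"  # a listener advertising nothing
REPLY_REAL_MTA = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    for name, reply in (("no extensions", REPLY_NO_EXTENSIONS),
                        ("real MTA", REPLY_REAL_MTA)):
        for require in (False, True):
            print(name, "require_tls=%s ->" % require, tls_decision(reply, require))
```

Only the sender that requires TLS fails against a listener advertising nothing; the opportunistic sender falls back to plaintext.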
Re: spamd and TLS on port 25
On 8/10/06, Will H. Backman [EMAIL PROTECTED] wrote: Because I require TLS and SMTP-AUTH for relaying purposes, I'm in a bind. My real problem is getting Exchange to do SMTP-TLS on a different port, so this is really a non-openbsd issue. Perhaps you'd benefit from a solution of shielding your Exchange with a more benign MTA (e.g. Postfix, sendmail) and add spamd into the mix if you desire. For relaying, all you need is a way to validate the usernames. Using the Exchange's LDAP repository as a lookup table for Postfix or exporting valid users and their passwords to a Postfix lookup table (file), you could get around your Exchange configuration issue. In the smtp-proxy [1] thread earlier this week, at least two people pointed to the Book of Postfix that contains an example (yes, this is somewhat of a déjà-vu). Cheers, Rogier References: 1. MARC openbsd-misc archive: Re: smtp proxy http://marc.theaimsgroup.com/?l=openbsd-miscm=115512550405839w=2 -- If you don't know where you're going, any road will get you there.
Re: spamd and TLS on port 25
On 8/10/06, Joachim Schipper [EMAIL PROTECTED] wrote: Note that at least Postfix has an independent greylisting implementation True and these implementations may even be quite nice. I never felt much of a need to try it out after having set up spamd. Both are likely to work with STARTTLS; spamd isn't going to do that. And spamd shouldn't, either. For submission purposes, the clean solution is to use an alternate port (as it's a different bit of the e-mail system). For user mail submission, I see no real need to use spamd, either. Tracing (and handling) offending users is relatively simple once they're authenticated. Keep a few sanity checks (e.g. no more than X recipients for a message or no more than 100 messages a minute) for virus detection and/or quarantine purposes if you please. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: spamd and TLS on port 25
On 8/10/06, Joachim Schipper [EMAIL PROTECTED] wrote: Keep a few sanity checks (e.g. no more than X recipients for a message or no more than 100 messages a minute) snip This also helps against compromised boxes - i.e., it limits the damage. So it's generally a good idea to have some limit. For those servicing larger networks such as universities' ResNets or campus networks, using a mandatory smarthost can be an excellent detection tool to see which users/stations need to end up in a quarantine. Granted, the largest customer base for this sort of thing are likely to be Windows users. A few exception lists (for those capable administrators running valid mail servers that push a lot of traffic) should keep the Unix folks happy. Also, while STARTTLS does have its merits, it's still better suited for handling MTA authentication than protecting user data [...] Very true. STARTTLS really only safeguards the credentials exchange. Once the MTA relays the message, there are no guarantees on infrastructure security. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
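Added example, not part of the original posts: the sanity checks mentioned in this post and the previous one (a per-message recipient cap, a 100-messages-a-minute cap, and an exception list for legitimate bulk senders), written as a sliding-window check over submission records. The record layout, the sender names and the value 50 for "X" are assumptions; the sample records are constructed.

```python
from collections import defaultdict, deque

MAX_MSGS_PER_MINUTE = 100   # the figure given in the post
MAX_RCPTS_PER_MSG = 50      # the post only says "X"; 50 is an assumed value
WINDOW_SECONDS = 60


def quarantine_candidates(events, exempt=frozenset(),
                          max_msgs=MAX_MSGS_PER_MINUTE,
                          max_rcpts=MAX_RCPTS_PER_MSG,
                          window=WINDOW_SECONDS):
    """Return {sender: sorted list of reasons} for senders over a limit.

    events: iterable of (epoch_seconds, authenticated_sender, rcpt_count),
            ordered by time.
    exempt: senders on the exception list (known bulk mail servers).
    """
    recent = defaultdict(deque)   # sender -> timestamps inside the window
    reasons = defaultdict(set)
    for ts, sender, rcpts in events:
        if sender in exempt:
            continue
        if rcpts > max_rcpts:
            reasons[sender].add("recipients")
        q = recent[sender]
        q.append(ts)
        # Expire entries that have fallen out of the sliding window.
        while q[0] <= ts - window:
            q.popleft()
        if len(q) > max_msgs:
            reasons[sender].add("rate")
    return {s: sorted(r) for s, r in reasons.items()}


def constructed_events():
    """Constructed submission records, not taken from a real mail log."""
    ev = [(1000, "alice", 2), (1030, "alice", 1), (1500, "bob", 200)]
    # Compromised desktop: 150 messages in 30 seconds.
    ev += [(2000 + i // 5, "pc-17", 1) for i in range(150)]
    # Mailing-list host on the exception list: 500 messages in 50 seconds.
    ev += [(2000 + i // 10, "lists", 30) for i in range(500)]
    # Exactly at the limit: 100 messages at once, one more 60 seconds earlier.
    ev += [(3000, "carol", 1)] + [(3060, "carol", 1)] * 100
    return sorted(ev)


if __name__ == "__main__":
    flagged = quarantine_candidates(constructed_events(), exempt={"lists"})
    for sender, why in sorted(flagged.items()):
        print(sender, ", ".join(why))
```

Without the exception list the mailing-list host is flagged for rate as well, which is the case the exception list exists to cover.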
Re: smtp proxy
From the behaviour you describe, your design takes an effort at tearing down just about the nicest part of SMTP: its resilience against network outages. On 8/9/06, openbsd misc [EMAIL PROTECTED] wrote: the smtp proxy should not be allowed to queue a message, else the size of the ramdisk would set the maximum message size. I wonder what your rationale is behind your intention to have the proxy function from RAM. It seems to cause more problems than it solves. [...] I need a solution that streams the mail after checking the envelope (smtp session) informations. From a functional point of view, you need a proxy that kills off unwanted messages and reliably delivers them to your Exchange device. Shielding an Exchange server from the big bad Internet is good practice. I can heartily second Rod Whitworth's suggestion and assure you it works quite well. Your streaming wish seems to come from your wish not to store data on a ramdisk. Once again: why have the ramdisk at all? It should also drop the connection if the exchange server is down. You could do that and perhaps there are several good reasons for dropping connectivity. Keep in mind that you're actively shutting down SMTP-availability for your site with such a measure. What do you specifically need your Exchange server for that you must shut down your site in case it is unavailable? Allowing for your proxy to have an up-to-date table of valid users can be achieved quite simply without having to sacrifice SMTP-availability (once again, see the Book of Postfix example for pointers, p. 174 and onwards) Without that problem I would take qmail. Qmail (SMTP) stores its work in progress in /var/qmail/queue. I'll admit not having checked the QMTP/QMQP sources, but I suspect qmail-qmtpd or qmail-qmqpd store their work there as well. It's been a while since I actively administered qmail (and I'm reluctant to touch our last few remaining qmail setups to find out more). 
Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Alternative superuser aside from root
On 8/8/06, Tito Mari Francis Escaqo [EMAIL PROTECTED] wrote: Is it possible to replace root with another username as superuser? Sure, just change its password entry. That said, I wouldn't recommend wasting your time on this. This could make the system very secure because when it comes to BSD/Unix/Linux, the root is the most coveted user account. No, it wouldn't make your system any more secure than it was before the change. I recommend you read the archives to see why your suggestion isn't too worthwhile. One reason why s/root/anything/ won't help you much is that its UID is still 0. In other words: you still have an almighty user on the system. The concept of usernames is primarily to make things easier for us humans. Under the hood, things work in terms of (numeric) UIDs/GIDs. As a hacker, you'd just go for UID 0. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
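Added example, not part of the original post: because privilege follows the numeric UID rather than the account name, an audit should list every UID 0 entry whatever it is called. The sketch below does that for passwd(5) (7 fields) and master.passwd(5) (10 fields) text; the sample file, the account names and the function names are constructed for illustration.

```python
def uid0_accounts(passwd_text):
    """Return the names of all accounts whose numeric UID is 0, in file order.

    Accepts passwd(5) lines (7 fields) and master.passwd(5) lines (10 fields);
    the UID is the third field in both layouts.
    """
    names = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            raise ValueError("line %d: unexpected field count %d"
                             % (lineno, len(fields)))
        try:
            uid = int(fields[2])
        except ValueError:
            raise ValueError("line %d: non-numeric UID %r" % (lineno, fields[2]))
        if uid == 0:
            names.append(fields[0])
    return names


def audit_superusers(passwd_text, expected=("root",)):
    """Compare the UID 0 accounts found with the ones the admin expects."""
    found = uid0_accounts(passwd_text)
    return {
        "uid0": found,
        "unexpected": [n for n in found if n not in expected],
        "missing": [n for n in expected if n not in found],
    }


# Constructed master.passwd-style sample: "root" has been renamed to "sysop",
# and a second UID 0 account exists under an innocuous name.
SAMPLE = """\
sysop:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:*:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
helper:*:0:0::0:0:Helper:/home/helper:/bin/ksh
"""

if __name__ == "__main__":
    print(audit_superusers(SAMPLE, expected=("sysop",)))
```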
Re: watchdogd
On 8/5/06, Felix Kronlage [EMAIL PROTECTED] wrote: I think, silent by default with -v for more informations seems more appropriate too. Would you care to elaborate why you want the default behaviour (notify on a changed timeout) altered? The proposed patch by the OP doesn't cause changes for existing users. Your suggestion does. Are there that many noisy devices? I'm just curious. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: OpenBSD's own compiler
On 7/31/06, R. Tyler Ballance [EMAIL PROTECTED] wrote: Jeeez, talk about an overreaction to the suggestion. [...] It's not that far fetched of an idea Given the times that this question popped up in the archives, Mickey's reaction isn't too surprising. From the past discussions, I gather that a change of compiler would be a massive job, regardless of the compiler changed to. That said, I'll happily admit that I didn't make a time estimate for the job. [...] remember a spin-off project that the OpenBSD guys are responsible that's become the most heavily used SSH code on the planet... Given the History page on OpenSSH.org [1], licensing terms are likely to have been a factor as well. To quote: OpenSSH is a derivative of the original free ssh 1.2.12 release from Tatu Ylönen. This version was the last one which was free enough for reuse by our project. [...] but I'm certain it'd just take a few talented individuals with spare time to really get it [TeNDRA] going again. The above does not include the work done on actually obtaining a compiler desired. Be it from scratch or by working on existing code, I recommend to be careful whose spare time you volunteer. Cheers, Rogier References: 1. OpenSSH Project History and Credits http://www.openssh.org/history.html -- If you don't know where you're going, any road will get you there.
Re: SATA DVD Support?
On 7/29/06, J Moore [EMAIL PROTECTED] wrote: I guess that squelches plans for a SATA HDD as well :( If by that you mean you expect OpenBSD to not support SATA HDDs, I can happily assure you you're wrong. OpenBSD supports various SATA controllers (such as your SiI 3112, the SiI 3114, etc.). I yet have to encounter a SATA HDD it does not support. Regarding SATA DVD drives, I have no experience with those (as in: I have yet to encounter them) so I cannot tell you whether they should work or not. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: VPN(8)
On 7/26/06, Gustavo Rios [EMAIL PROTECTED] wrote: # Pass encrypted traffic to/from security gateways pass in proto esp from $GATEWAY_B to $GATEWAY_A pass out proto esp from $GATEWAY_A to $GATEWAY_B In the last two line above, if i wanted to specify the interface, which of enc0 or $ext_if, should i use? $ext_if, given the following rationale: Your external interface will see the packets with ESP payload coming from / going to the other gateway(s). Inbound, these packets require processing; outbound, they are the result of processing. Your external interface cannot - unless you do *very* unwise things - see the internals of those packets; that's what your enc(4) interfaces can help you with. From enc(4): The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been similarly processed, via tcpdump(8). Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Help to debug Openbsd freezes...
On 7/24/06, Xavier Mertens [EMAIL PROTECTED] wrote: It's still running 3.5 (ok, ok, don't shoot, it's an old one but upgrades are not easy). As another poster already mentioned: upgrades are an easy and well documented process. Do your specific circumstances (e.g. problems to physically access your co-located machines) make upgrades painful? If so, you should probably solve that problem. If you can't perform routine work such as upgrades, what do you do when an emergency pops up? For two weeks now, the box freezes randomly... I've encountered such trouble as well. Several times, replacing the power supply did the trick. You may want to keep those around at the data centre. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: stopping robots
On 7/25/06, prad [EMAIL PROTECTED] wrote: what is the best way to stop those robots and spiders from getting in? The sure way to stop robots and spiders is to shut down your web server. I don't suppose that's the answer you're looking for. Treat malicious robots as malicious/unwelcome users. For whatever your definition of malicious, do not expect to be able to easily discern between regular human users and robots. It's too easy to alter user-agent strings, etc to rely on those without precautions (as with all client-generated input). .htaccess? That might help, but not solve your problem discerning between human and automated clients. Also, the usual problems/threats regarding credentials will of course apply. Mind you, automated processes (robots) can also use credentials. Possibly you can also use CAPTCHA. Various modules (PHP, Perl) exist that allow to integrate these easily. Whether (or when) robots will be able to fool these tests is another matter. robot.txt and apache directives? Well-behaved robots will adhere to measures such as (x)html meta tags, robots.txt files, etc. Other robots may not. find them on the access_log and block with pf? Using access_log means you're using information gathered from after the fact. which are good robots and which are bad? Apart from robots/spiders potentially being an excellent friend, allowing robots (e.g. Google) may also have undesirable side effects. Such effects range from out-dated information being displayed to search engine users to sensitive data being stored on servers outside your influence. I'm sure there are many more. I'd recommend you think about your threat model first and use that to determine which information you deem sensitive and to what lengths you will go to secure that information. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
alias addresses with dhclient - exits with buf_read (connection closed)
When using the alias clause (per dhclient.conf(5)), I encounter a problem with dhclient: it immediately exits after obtaining a lease. It does seem to set the requested alias, however. It exits with the following syslog messages: Jul 22 16:14:11 sol dhclient[1937]: buf_read (connection closed) Jul 22 16:14:11 sol dhclient[1937]: exiting. I would expect dhclient to keep running as it normally does (i.e. without aliases). Given the manual (and barring configuration errors), I would expect this functionality to be supported. Is that correct or are there caveats? I could not find these in the manual/faq/Google. If I remove the alias clause from the dhclient.conf file (included below), dhclient works as expected: it obtains a lease, sets the interface address and keeps running. Adding the alias clause seems to cause this symptom. I traced the exit message above to the privsep.c file included with the dhclient sources. I suspect something causes the connection to the privileged process to close. I cannot find out what specific condition causes it to close, though. In the dhclient(8) and dhclient.conf(5) manuals, I cannot find information on how to obtain more verbose logging. Suggestions on how to obtain more information are more than welcome, if anyone has them. I've seen several threads [1,2] describe this issue, but I failed to find answers indicating what the underlying problem is. 
My dhclient configuration:

# cat /etc/dhclient.conf
# Generic settings
initial-interval 1;
send host-name sol;

# ADSL uplink
interface rl0 {
    # Prepend our own information where needed (DNS)
    prepend domain-name-servers 127.0.0.1;

    # Request other information from the DHCP server
    request host-name, subnet-mask, broadcast-address, routers,
        domain-name-servers, time-offset;

    # Supersede some information obtained from the DHCP server
    #supersede routers 10.0.0.138;
    #supersede subnet-mask 255.255.255.0;
}

# ADSL modem connection
alias {
    interface rl0;
    fixed-address 10.0.0.10;
    option subnet-mask 255.255.255.255;
}

My system's dmesg:

# cat /var/run/dmesg.boot
OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 301 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR real mem = 133799936 (130664K) avail mem = 115367936 (112664K) using 1658 buffers containing 6791168 bytes (6632K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(c4) BIOS, date 03/22/98, BIOS32 rev.
0 @ 0xfb4f0 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 70102 dobusy 1 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xb968 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf10/128 (6 entries) pcibios0: PCI Exclusive IRQs: 10 11 12 pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x02 ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x02 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02 pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: WDC AC36400L wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: E-IDE, CD-ROM 36X/AKU, U10I SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: irq 10 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x02: polling iic0 at piixpm0 unknown at iic0 addr 0x28 not configured rl0 at pci0 dev 9 function 0 Realtek 8139 rev 0x10: irq 11, address 00:e0:4c:3c:5b:0d rlphy0 at rl0 phy 0: RTL internal PHY rl1 at pci0 dev 11 function 0 Realtek 8139 rev 0x10: irq 12, address 00:e0:4c:69:ec:31 rlphy1 at rl1 phy 0: RTL internal PHY pciide1 at pci0 dev 12 function 0 CMD Technology SiI3112 SATA rev 0x02: DMA 
pciide1: using irq 10 for native-PCI interrupt pciide1: port 0: device present, speed: 1.5Gb/s wd1 at pciide1 channel 0 drive 0: ST3250820AS wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors wd1(pciide1:0:0): using BIOS timings, Ultra-DMA mode 6 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot
Re: alias addresses with dhclient - exits with buf_read (connection closed)
On 7/24/06, Matthias Bertschy [EMAIL PROTECTED] wrote: I have encountered this problem, and Kenneth helped me with some diffs. Glad to see you got a follow-up on that thread. I didn't find it in the archives, though. When can one obtain these diffs? I have tested them and they work, but I don't know if they are already in CVS... I'll admit that I haven't checked this with -current. If you could send me the diffs as well, I'd be happy to verify. I saw several changes in the sources beyond 3.9-release, but it'd be easier to check with the diffs around. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: Why ksh?
On 7/21/06, Pedro Timsteo [EMAIL PROTECTED] wrote: In bash, I often type a command, but then think I want to have all the xterm for this, so I press CTRL-L and then RETURN. How about the following: press CTRL+A, prepend clear; to your command line and use CTRL+E to return to where you were editing. Cheers, Rogier -- If you don't know where you're going, any road will get you there.