sasyncd peer
Hi all...

Is there any side effect of having both local and remote IPs in the peer directives in sasyncd.conf? For example:

server1: 10.0.0.2
server2: 10.0.0.3
carp:10.0.0.1

So, can I have in both sasyncd.conf:

---
peer 10.0.0.2
peer 10.0.0.3
---

The idea is to avoid different configuration files for each server. Yeah... Lazy, but clean and easier to document :D

Thanks,
g.
ibgp
Greetings...

We are trying to use a couple routers with carp and uplinks with 2 different providers. One router as master and another one slave. The slave getting all the routes from the master using IBGP.

The problem is that when I bring the interface of the master down to test if the failover works, the slave deletes all the routes it got from the master.

Is there any way of retaining those IBGP routes for some time after the tcp connection is severed, or until the slave server (now master) can connect to the external peers and get the routes from them?

Or... if anybody has any other hint for a more resilient setup, I'd be glad to hear.

Thanks a bunch,
g.
Re: Bernstein puts qmail in public domain
> exim is an insecure piece of shit that makes old sendmail look good.
> besides, it is not free.

Curiosity here since we are exim users... what makes it insecure? Should we be really worried about running it?

Cheers,
g.
Re: Speed Problems
Hi Claudio... What does 'net.inet.ip.ifq.maxlen=256' do for us? Tried a few 'man', and a few google searches and I wasn't very successful. Found tons of other posts telling ppl to bump up that sysctl, but never found what it does exactly. Cheers, g.
Re: Speed Problems
> net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP input queue before further packets are dropped. Packets coming from the network card are first put into this queue and the actual IP packet processing is done later. Gigabit cards with interrupt mitigation may spit out many packets per interrupt plus heavy use of pf can slow down the packet forwarding. So it is possible that a heavy burst of packets is overflowing this queue. On the other hand you do not want to use a too big number because this has negative effects on the system (livelock etc). 256 seems to be a better default than the 50 but additional tweaking may allow you to process a few packets more.

Thanks Claudio...

In the link that Stuart posted here, Henning mentions 256 times the number of interfaces:
http://archive.openbsd.nu/?ml=openbsd-tech&a=2006-10&t=2474666

I'll try both and see. Thank you and Stuart for the hints.
Re: list of all files in the filesystem
YES! That's exactly what I was looking for! Thanks a lot Todd!

Todd C. Miller wrote:
> In message [EMAIL PROTECTED]
> so spake Tom Bombadil (grlists):
>
>> I guess this is a stupid question... But is there any way to get a list of all files in the filesystem without using 'find'? For a big drive with millions of small files, running find is just too slow.
>
> If all you want is a list of all files on the filesystem you could use ncheck, assuming this is a local filesystem. Since ncheck reads the filesystem metadata itself it is pretty fast.
>
> - todd
list of all files in the filesystem
I guess this is a stupid question... But is there any way to get a list of all files in the filesystem without using 'find'? For a big drive with millions of small files, running find is just too slow. Thanks for any hint.
Re: spamd DB_SCAN_INTERVAL
> Probably Bad things.

Oh-oh... I increased it to 2 minutes. Things are a bit better now.

> Shouldn't be. What rev of openbsd are you running this spamd box on? I run it on a single ide drive, I'm probably bigger than your site.

Really? We get mail for different companies... Even though it's not a lot, we have about 600,000 entries in our DB, and IO is very saturated.

Did anybody try to offload spamd from the firewall to a server inside the network? Something like:

internet - FW - spamd - mailserver

I haven't given much thought, but I guess when spamd translates the packet, the mail server will reply to the gateway, not spamd, right? Any way around it?
spamd DB_SCAN_INTERVAL
Hi all...

What happens if we change

#define DB_SCAN_INTERVAL 60

to 600 in /usr/src/libexec/spamd/grey.h? Sorry, I'm no C coder...

Basically we just want to spread out table scans for now until we get new hardware in, because it's fairly heavy on a single IDE drive.

Does DB_SCAN_INTERVAL have to be smaller than the `passtime` argument in spamd?

Thanks :)
bge0: watchdog timeout
Greetings...

I'm getting a few

bge0: watchdog timeout -- resetting

errors on 4.1-stable

The box becomes unresponsive for a minute or so, and then comes back to life. Any hints?

Thanks,
g.

# dmesg
OpenBSD 4.1-stable (GENERIC.MP) #0: Mon Aug 27 11:04:17 UTC 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.79 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 2146889728 (2096572K)
avail mem = 1952116736 (1906364K)
using 4278 buffers containing 107466752 bytes (104948K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 01/13/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfb320 (56 entries)
bios0: Dell Computer Corporation PowerEdge 1750
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc4a0/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2200 0xcb800/0x1800 0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.0 interface BT iobase 0xe4/3 spacing 1 irq 10
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 132 MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.79 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type ISA
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0: apid 9 pa 0xfec01000, version 11, 16 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
ioapic2 at mainbus0: apid 10 pa 0xfec02000, version 11, 16 pins
ioapic2: misconfigured as apic 0, remapped to apid 10
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE Host (GC-LE) rev 0x33
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci1 at pchb1 bus 1
mskc0 at pci1 dev 4 function 0 Schneider Koch SK-9Sxx rev 0x12, Yukon-2 XL rev. A1 (0x1): apic 9 int 4 (irq 7)
msk0 at mskc0 port A, address 00:00:5a:72:cb:f9
eephy0 at msk0 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
msk1 at mskc0 port B, address 00:00:5a:72:cb:fa
eephy1 at msk1 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci2 at pchb2 bus 3
mskc1 at pci2 dev 6 function 0 Schneider Koch SK-9Sxx rev 0x12, Yukon-2 XL rev. A1 (0x1): apic 9 int 8 (irq 5)
msk2 at mskc1 port A, address 00:00:5a:72:cc:0b
eephy2 at msk2 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
msk3 at mskc1 port B, address 00:00:5a:72:cc:0c
eephy3 at msk3 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
vga1 at pci0 dev 14 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: SMBus disabled
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SN-124, N103 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: apic 8 int 11 (irq 11), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb3 at pci0 dev 16 function 0 ServerWorks CIOB-E rev 0x12
pchb4 at pci0 dev 16 function 2 ServerWorks CIOB-E rev 0x12
pci3 at pchb4 bus 2
bge0 at pci3 dev 0 function 0 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 0 (irq 5), address 00:0f:1f:64:89:94
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 0 function 1 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 1 (irq 7), address 00:0f:1f:64:89:95
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
pchb5 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb6 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci4 at pchb6 bus 4
ami0 at pci4 dev 3 function 0 Dell PERC 4/Di Verde rev 0x02: apic 9 int 2 (irq 7)
ami0: Dell 14a, 32b, FW 412W, BIOS vH406, 128MB RAM
ami0: 2 channels, 0 FC loops, 1 logical drives
scsibus1 at ami0: 40 targets
sd0 at scsibus1 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
sd0: 69880MB, 69880 cyl, 64 head, 32 sec, 512 bytes/sec,
Re: bge0: watchdog timeout
> The 5704 has a particularly crappy DMA controller. This might be the usual problems of the bge hardware. Not only does it support only one DMA transfer in parallel, it also jams for some time, and if it has a particularly bad day, it jams the bus, too. There might be a description on how to work around this bug in the Broadcom errata documents, but I don't think I have access to them.
>
> Tonnerre

Thanks Tonnerre,

So, basically all we can do is just avoid the 5704s, right? It sucks that dell servers come with it.

Another question then... The new HP hardware we are getting comes with embedded BCM5708s (bnx). Does this NIC have any problem we should know about?

Cheers,
g.
msk2: phy failed to come ready
Well... I guess I'm the unluckiest man on earth:

Aug 28 21:55:59 van-fw1 /bsd: msk3: watchdog timeout
Aug 28 21:56:00 van-fw1 /bsd: msk2: phy failed to come ready
Aug 28 21:56:31 van-fw1 last message repeated 77 times
Aug 28 21:58:32 van-fw1 last message repeated 297 times
Aug 28 22:00:00 van-fw1 last message repeated 215 times

This is a pretty staple Dell 1750, with two extra dual-port syskonnects.

The card simply doesn't change its state to active when I plugged in the cable. After I rebooted, the card came up alright, but this behavior worries me.

BTW... this problem happened in another Dell 1750 with the same cards using just a GENERIC kernel.

In the past 6 months, I've had problems with em, bge, and msk cards... hehehe... Is there any other gigabit card out there I can fuck up? hehehe

Thanks all.

# dmesg
OpenBSD 4.1-stable (GENERIC.MP) #0: Mon Aug 27 11:04:17 UTC 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.79 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 2146889728 (2096572K)
avail mem = 1952116736 (1906364K)
using 4278 buffers containing 107466752 bytes (104948K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 01/13/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfb320 (56 entries)
bios0: Dell Computer Corporation PowerEdge 1750
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc4a0/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2200 0xcb800/0x1800 0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.0 interface BT iobase 0xe4/3 spacing 1 irq 10
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 132 MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.79 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type ISA
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0: apid 9 pa 0xfec01000, version 11, 16 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
ioapic2 at mainbus0: apid 10 pa 0xfec02000, version 11, 16 pins
ioapic2: misconfigured as apic 0, remapped to apid 10
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE Host (GC-LE) rev 0x33
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci1 at pchb1 bus 1
mskc0 at pci1 dev 4 function 0 Schneider Koch SK-9Sxx rev 0x12, Yukon-2 XL rev. A1 (0x1): apic 9 int 4 (irq 7)
msk0 at mskc0 port A, address 00:00:5a:72:cb:f9
eephy0 at msk0 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
msk1 at mskc0 port B, address 00:00:5a:72:cb:fa
eephy1 at msk1 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci2 at pchb2 bus 3
mskc1 at pci2 dev 6 function 0 Schneider Koch SK-9Sxx rev 0x12, Yukon-2 XL rev. A1 (0x1): apic 9 int 8 (irq 5)
msk2 at mskc1 port A, address 00:00:5a:72:cc:0b
eephy2 at msk2 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
msk3 at mskc1 port B, address 00:00:5a:72:cc:0c
eephy3 at msk3 phy 0: Marvell 88E1112 Gigabit PHY, rev. 1
vga1 at pci0 dev 14 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93: SMBus disabled
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SN-124, N103 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: apic 8 int 11 (irq 11), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb3 at pci0 dev 16 function 0 ServerWorks CIOB-E rev 0x12
pchb4 at pci0 dev 16 function 2 ServerWorks CIOB-E rev 0x12
pci3 at pchb4 bus 2
bge0 at pci3 dev 0 function 0 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 0 (irq 5), address 00:0f:1f:64:89:94
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 0 function 1 Broadcom BCM5704C
Re: msk2: phy failed to come ready
>> This is a pretty staple Dell 1750, with two extra dual-port syskonnects.
>>
>> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
>> ioapic0: misconfigured as apic 0, remapped to apid 8
>> ioapic1 at mainbus0: apid 9 pa 0xfec01000, version 11, 16 pins
>> ioapic1: misconfigured as apic 0, remapped to apid 9
>> ioapic2 at mainbus0: apid 10 pa 0xfec02000, version 11, 16 pins
>> ioapic2: misconfigured as apic 0, remapped to apid 10
>
> I would try enabling acpi.

Would disabled ACPI cause that problem with the NICs?

I've had some nasty problems with ACPI and SMP freebsd in the past, and even though this is not freebsd, I didn't want to learn the hard way on a firewall.

Thanks Stuart
syskonnect SK-9E22
Greetings all...

We bought a SK-9S22 (pci-x) card a while ago, and even though 'man msk' listed it as working on 4.0, it actually didn't work.

So, now we are thinking about a SK-9E22 (pci-e) for another box, and we think we should ask if this model is working on 4.1 before actually spending any money on it.

Also, if anybody can recommend any 4-port gigabit NIC for openbsd, we would appreciate it.

Thanks in advance,
g.
Re: spamd - 250 return text
As far as I understand from them, the sysadmin was showing the defer to his boss using a telnet session, and the boss got pissed off, because they are actually very diligent about their spam policies.

Anyways, I just wanted to know if there was another way to change the 250 messages without changing the source code... I should have just not mentioned my reasons. Sorry for that.

Thanks a lot for all the replies.
g.

Peter Fraser wrote:
> I think that the problem is a bad mail program at your clients. A user should not see the 250 status, it is not a failure of any sort, but I have seen it as a return status sent to a user.
>
> Here is an example that I have seen from someone who sent us a message. The message failed and this is the status that they received:
>
> Reporting-MTA: dns; toq7.bellnexxia.net
> Arrival-Date: Fri, 20 Jul 2007 21:26:11 -0400
> Received-From-MTA: dns; Christine (64.230.70.248)
> Content-Type: text/plain
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 4.4.7
> Remote-MTA: dns; thinkage.ca
> Diagnostic-Code: smtp; 250 This is hurting you more than it is hurting me.
spamd - 250 return text
Hi all,

Short of recompiling spamd, is there any undocumented way of changing the 250 responses from spamd?

- 250 Hello, spam sender. Pleased to be wasting your time.
- 250 You are about to try to deliver spam. Your time will be spent, for nothing.

man spamd and a quick search in the ML archives weren't very successful.

We've had a pretty hard time from a client saying how rude this default message is. Even though their tech people didn't care, the people higher up got really offended... Quite understandably I'd say, since these greetings aren't really what we can call friendly... hehe

Sorry to bug you guys with this lame problem but in the financial world, people can be very touchy :D

Thanks,
g.
Re: spamd - 250 return text
> Editing the binary? (Is recompiling really so hard?)

Not hard, just changed it right now... But sometimes it pays to ask around to see if there is a simpler way that doesn't involve messing around with the original source code.

> Ah, you'll be looking for the OpenBSD Corporate Edition - with sudo defaulting to !insults, apologies from spamd, and available on exclusive gold CDs, it's yours for a bargain donation to the project of only $5k... (-:

I was in no way complaining about the outstanding work all the developers are doing, but since being called a spammer is a very bad insult these days, surely an innocuous '250 OK' would make less people mad.. hehehe

Thanks for all the responses,
g.
Re: Announcing: The OpenBSD Foundation
> Money just spoils the weak in character.

Lack of money is what spoils everything ;)

Gregory Edigarov wrote:
> BEST OF THE LUCK, GUYS!!! DON'T LET THE MONEY TO SPOIL EVERYTHING!!! HOPE ON YOU!
LACP
Hi all... is there any support for LACP on openbsd? Or any plan to have it working? A quick read on trunk(4) doesn't look very promising, but I read an interview on onlamp a while ago saying it would be available sometime. Thanks!
Re: a few questions on spamdb
> I'm currently going in to test some new stuff that will fix this problem. so as theo said. wait a few days..

damn... you guys rock! Will it be something in the lines of pfsync?

Cheers
Re: spamd-white
Thank you all for the input.

jared r r spiegel wrote:
> On Tue, Feb 27, 2007 at 05:44:05PM -0700, Bob Beck wrote:
>> * Tom Bombadil [EMAIL PROTECTED] [2007-02-27 15:09]:
>>> Greetings... By any chance, will spamd delete any IPs that I add manually to spamd-white?
>>
>> Yes.
>
> consider the entries in spamd-white to be the exclusive stomping grounds of spamd(8) for the sole purpose for pumping the WHITE entries from /var/db/spamd into pf(4).
>
> the 'expire' time in the db file is a simple sum of 'now' plus whatever 'whiteexp' is set to when the entry is written. the entry is reapered out later on when that expire time is = 'now'.
>
> since spamd-white's purpose is nothing other than to enumerate IPs which shall not actually *talk* to spamd(8) at all, it is perfectly correct to take any IPs you personally want to whitelist (be it on a permanent basis or whatever) and put them into a different table that you just use in pf.conf(5)
>
>>> spamd(8) says: spamd regularly scans the /var/db/spamd database and configures all whitelist addresses as the spamd-white pf(4) table. How exactly does spamd configure spamd-white table? The objective is to safely add my own IPs to the whitelist.
>>
>> don't put them in spamd-white:
>>
>> table <no-spamd> file /etc/mail/nospamd
>> ...
>> no-rdr proto tcp from <no-spamd> to any port 25
>> ...
>
> like beck@ mentions there.
>
> for instance, i wrote two shell scripts to take care of this for me. one of them runs against a list of domain names that i know have SPF records and that i want to whitelist based on them, it runs some digs, sorts/uniqs them, and writes the results somefile.spf.
>
> the second script reads the contents of somefile.spf and also somefile.static and pumps them into a table in pf i call perma-white, who then gets a no-rdr line.
>
> so i just add things to the list of domains for the SPF lookup if applicable, and if not applicable or i need something Right Now, i just add them to the somefile.static.
>
> this way you keep your manual whitelisted entries decoupled from spamd, spamd-setup, and /var/db/spamd, and it's easy to manage them on the side.
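
The approach described in the message above (collect addresses from SPF records, merge them with a static file, load the result into a pf table kept separate from spamd-white), as an added example that is not part of the thread and not the poster's own scripts. The function names, the MIN_PREFIX4 guard and every sample record are assumptions constructed for illustration; the SPF text is embedded so the script runs offline, where real input would be the output of `dig +short TXT domain`.

```sh
#!/bin/sh
# Added example: build the address list for a manually managed pf whitelist
# table from SPF TXT records plus a static file. All names and data below
# are constructed for illustration.

# Assumption: refuse prefixes wider than /16, so a sloppy or hostile SPF
# record (ip4:0.0.0.0/0) cannot exempt the whole Internet from spamd.
MIN_PREFIX4=${MIN_PREFIX4:-16}

# Filter: keep only well-formed IPv4 addresses/prefixes, one per line.
valid_addrs() {
    awk -v min="$MIN_PREFIX4" '
        {
            n = split($0, p, "/")
            if (n > 2) next
            len = 32
            if (n == 2) {
                if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
                len = p[2] + 0
            }
            if (len < min) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            print
        }'
}

# Read TXT records on stdin, print the ip4: mechanisms of SPF records.
# - only records starting with v=spf1 are considered
# - a long record arrives as several quoted strings; they are joined first
# - "-", "~" and "?" qualified mechanisms do not authorise a sender: skipped
# - include:/redirect= are not followed and ip6: is ignored in this sketch
spf_ip4() {
    grep -i '^"\{0,1\}v=spf1[ "]' |
    sed -e 's/" "//g' -e 's/"//g' |
    tr ' ' '\n' |
    sed -n -e 's/^+//' -e 's/^[iI][pP]4://p' |
    valid_addrs
}

# $1: file of TXT records, $2: static file (one entry per line, # comments).
# Prints the merged, de-duplicated list.
build_whitelist() {
    {
        spf_ip4 < "$1"
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e '/^$/d' "$2" | valid_addrs
    } | LC_ALL=C sort -u
}

# Constructed sample input (documentation address ranges only).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/records.txt" <<'EOF'
"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 include:_spf.example.net ~all"
"site-verification=constructed-token ip4:203.0.113.9"
"v=spf1 +ip4:203.0.113.0/2" "5 -ip4:203.0.113.200 ip4:0.0.0.0/0 ip4:300.1.1.1 -all"
EOF
    cat > "$dir/somefile.static" <<'EOF'
# partner relay (constructed)
198.51.100.17
192.0.2.129   # needed right now
10.0.0.0/8
EOF
    build_whitelist "$dir/records.txt" "$dir/somefile.static"
    rm -rf "$dir"
}

# The resulting file would then be loaded into the separate table, e.g.
#   pfctl -t perma-white -T replace -f /path/to/list   (path is a placeholder)
demo
```

The guard also applies to the static file, so the constructed 10.0.0.0/8 entry is dropped; lower MIN_PREFIX4 if such a wide entry is intended.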
a few questions on spamdb
I wonder how people are coping with master downtime when using spamd? Is it a good idea to regularly dump spamd-white into a file, rsync it to the backup carp server, and load these IPs in a separate table? I was thinking of lowering whiteexp on spamd as well (to have a leaner DB) From what I gather from old posts, there is no safe way of copying /var/db/spamd to the backup server. Am I wrong here? Cheers
spamd-white
Greetings... By any chance, will spamd delete any IPs that I add manually to spamd-white? spamd(8) says: spamd regularly scans the /var/db/spamd database and configures all whitelist addresses as the spamd-white pf(4) table. How exactly does spamd configure spamd-white table? The objective is to safely add my own IPs to the whitelist. Thanks :)
Re: Wanted: OpenBSD Systems Administrator
Here, here! I agree with Diana! Now go away with your silly questions! Why would anyone want to work for you? E... unemployment?
Re: Wanted: OpenBSD Systems Administrator
The guy just sent one single e-mail asking if a bsd user wanted a job, which I bet many among us might be interested. A bit off topic, yes but if that doesn't apply to someone, bitching just creates more noise...

As it is clearly stated in that page: Complaining about and commenting upon spam on the list proper is counter-productive as it generates more traffic than the spam itself.

So, while his spam could potentially give a job to a fellow BSD user, all complaints about his post accomplish absolutely nothing.

Happy new year!

Luca Corti wrote:
> On Tue, 2007-01-02 at 16:50 -0700, Christopher Snell wrote:
>> And who appointed you list manager? My post was permitted based on my reading of the rules in http://www.openbsd.org/mail.html.
>
> Quoting from the page you cite:
>
> Stay on topic
> Please keep the subject of the post relevant to users of OpenBSD.
>
> Please note the users part. I don't think OpenBSD *users* think job ads are relevant to them.
>
> ciao
> Luca
dual port syskonnect gigabit card
Hey all...

We got a few SysKonnect SK-9S22 dual port cards, and they don't work under 4.0, nor under stable (as of 19/12/2006). We got these cards because it was listed in the msk(4) manual pages:

http://www.openbsd.org/cgi-bin/man.cgi?query=msk&apropos=0&sektion=0&manpath=OpenBSD+4.0&arch=i386&format=html

I'm getting these in the log:

Dec 19 12:15:38 xxx-server /bsd: mskc0 at pci2 dev 1 function 0 Schneider Koch SK-9Sxx rev 0x12, Marvell Yukon-2 XL rev. A1 (0x1): irq 11
Dec 19 12:15:38 xxx-server /bsd: msk0 at mskc0 port A, address 00:00:5a:72:80:89
Dec 19 12:15:38 xxx-server /bsd: msk0: no PHY found!
Dec 19 12:15:38 xxx-server /bsd: msk1 at mskc0 port B, address 00:00:5a:72:80:8a
Dec 19 12:15:38 xxx-server /bsd: msk1: no PHY found!

Any hint is really appreciated. Thanks :)
carp weirdness
Greetings all...

This was probably discussed before, but I couldn't really find anything in the archives.

1) We have a carp0 interface with a few aliases in it, and carp works fine between master (SERVER-A) and backup (SERVER-B)... until...

2) ... we plumb another new alias into SERVER-B's carp0. Then the status of carp0 on SERVER-B goes from BACKUP to MASTER, even though the advskew on SERVER-A is lower (0) than SERVER-B's advskew (127).

3) Now, we have both servers saying carp0 is MASTER, and some connectivity problems going on, and this in the logs:

Sep 15 04:00:02 fw1 /bsd: carp0: incorrect hash

4) We haven't tested it, but it seems that if we had added the alias to SERVER-A first, the problem would still happen, because the hash would be different as well.

Question: what's the best way to add an alias to carp, and avoid this problem? I know we can switch shells very fast and execute the ifconfig command in both servers a second or two apart, but I guess most ppl would agree this is not an elegant solution.

We are running 3.9-stable

Thank you very much ;)
Re: broadcom
Yes... I agree with you... not really my decision at the time, since I didn't work here... but I guess the thought was that RaidFrame would provide more uptime in case of multiple harddrive failures, and not really data protection.

Thanks Daniel

Daniel Ouellet wrote:
> Tom Bombadil wrote:
>> One funny story about redundancy in general: we run raidframe to mirror the 2 disks in the system... And like I said both firewalls were crashing together... After the crash our allegedly redundant firewalls were both down for 20 minutes for parity rebuilding... simplicity is a beautiful thing ;)
>
> May be that's just me, but a very simple question for you. If you have redundant firewall and I guess you are running CARP on them right? Why would you even have raidframe setup on a firewall. Isn't it the KISS gold principle would dictate otherwise here. Specially for a firewall. A good firewall needs the minimum setup on it.
>
> Obviously I may be talking nonsense here, but RaidFrame on a firewall is the last place I would put it. What kind of data do you want to protect on a RaidFrame. The list of bad ssh attackers for your PF configurations? Must be a HUGE list to need RaidFrame for it! (;
>
> Just a thought, may be review your setup might be much better than trying to get new hardware, but that's just me.
>
> Best,
> Daniel
Re: broadcom
mm... I thought it was to save ~500K in the kernel:
http://openbsd.org/faq/faq14.html#Optraid

Is there any other reason?

Cheers

Marco Peereboom wrote:
> RAIDFrame is disabled in GENERIC for a reason you know.
>
> On Mon, Sep 11, 2006 at 10:08:48AM -0700, Tom Bombadil wrote:
>> Yes... I agree with you... not really my decision at the time, since I didn't work here... but I guess the thought was that RaidFrame would provide more uptime in case of multiple harddrive failures, and not really data protection.
>>
>> Thanks Daniel
>>
>> Daniel Ouellet wrote:
>>> Tom Bombadil wrote:
>>>> One funny story about redundancy in general: we run raidframe to mirror the 2 disks in the system... And like I said both firewalls were crashing together... After the crash our allegedly redundant firewalls were both down for 20 minutes for parity rebuilding... simplicity is a beautiful thing ;)
>>>
>>> May be that's just me, but a very simple question for you. If you have redundant firewall and I guess you are running CARP on them right? Why would you even have raidframe setup on a firewall. Isn't it the KISS gold principle would dictate otherwise here. Specially for a firewall. A good firewall needs the minimum setup on it.
>>>
>>> Obviously I may be talking nonsense here, but RaidFrame on a firewall is the last place I would put it. What kind of data do you want to protect on a RaidFrame. The list of bad ssh attackers for your PF configurations? Must be a HUGE list to need RaidFrame for it! (;
>>>
>>> Just a thought, may be review your setup might be much better than trying to get new hardware, but that's just me.
>>>
>>> Best,
>>> Daniel
Re: broadcom
Unfortunately we cannot provide a bug report for now, because we set ddb.panic=0 because those boxes are in production, and were having the same panic at the exact same time... So, no debugger for now or else I'll get myself fired :)

We are trying to convince the boss to order a box with completely different hardware, so a bug in a device or driver doesn't affect all firewalls at the same time. After that box is setup, I'll re-enable the debugger, and send a bug report.

One funny story about redundancy in general: we run raidframe to mirror the 2 disks in the system... And like I said both firewalls were crashing together... After the crash our allegedly redundant firewalls were both down for 20 minutes for parity rebuilding... simplicity is a beautiful thing ;)

Thank you all for your insights...

Marco Peereboom wrote:
>> Many of the big server makers (HP, sun, etc) seem to be using broadcoms, and we really need to get away from our Dell boxes with em(4) card, as they crash like crazy with 3.9 stable.
>
> You must be using different Dell boxes because mine work just fine and I have many deployed. Care to elaborate with a bug report?