Re: 4.6 arriving

2009-10-03 Thread Nate Schmoll
Why don't we just wait until the packages are officially available  
from the team? I'm pretty sure it will be before or on the documented  
release date.  Exclusivity is quite contradictory to the project's  
objectives.


On Oct 2, 2009, at 11:06 PM, Theo de Raadt wrote:

But we won't open up the ftp servers today.  I want a sizeable
percentage of purchasers to receive their product first.


Is setting a password on the new package hierarchy and including the
password with the CD feasible or desired?


I don't see any benefit to that.




Re: 4.6 postponed to Nov 1

2009-09-17 Thread Nate Schmoll
Can anyone point me in the direction of getting the release ISO for  
those of us that have ordered CDs?


Thanks to all of the obsd ninjas...you guys are awesome.  I'm pushing  
at our next blood cycle for a $10k contribution.  We'll find out at
the end of the month.  Thanks to Theo and everyone else that keeps this
project alive.




Re: syslogd -a question

2008-08-06 Thread nate
Alexander Hall wrote:


  From looking at the source, I'd guess that tweaking
 /usr/src/usr.sbin/syslogd/syslogd.h and set MAXFUNIX to a larger number
 than 21 should be pretty straightforward. I'm not in the position to say
 whether large numbers would be appropriate though, for example by some
 limitation of poll(2).

How about one /dev/log and multiple hard links going to it?

Last time I worked with chroot environments was about 7 years ago but
I had a script that built the environments using hard links for the
users, and it seemed to work well. Of course I believe that the
hard link must be on the same file system as the target.

[EMAIL PROTECTED]:/tmp]# ln /dev/log .
[EMAIL PROTECTED]:/tmp]# ls -il /dev/log /tmp/log
89638 srw-rw-rw-  2 root  wheel  0 Aug  3 10:34 /dev/log
89638 srw-rw-rw-  2 root  wheel  0 Aug  3 10:34 /tmp/log
[EMAIL PROTECTED]:/tmp]#

nate
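The ln/ls -i check above works because both paths name one inode. An added example (not from the thread) that audits chroot copies of /dev/log the same way, and shows the catch: a hard link keeps pointing at the old inode once the socket is re-created (syslogd unlinks and re-binds its sockets at startup). Regular files in a temporary directory stand in for the socket so it runs anywhere.

```python
"""Check that a chroot's hard-linked dev/log still names the live socket.

Added example, not from the thread.  link_is_live() compares device and
inode numbers, which is exactly the property a hard link guarantees (and
why the link cannot cross filesystems); demo() shows the state before and
after the socket path is unlinked and re-created, as a daemon restart does.
Plain files in a temporary directory stand in for the real socket."""
import os
import tempfile


def link_is_live(socket_path, link_path):
    """True when both paths are the same inode on the same filesystem."""
    try:
        a, b = os.stat(socket_path), os.stat(link_path)
    except FileNotFoundError:
        return False
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def audit_chroots(socket_path, chroot_dirs):
    """Map each chroot directory to whether its dev/log is the live socket."""
    return {root: link_is_live(socket_path, os.path.join(root, "dev", "log"))
            for root in chroot_dirs}


def demo():
    """Return (status right after linking, status after the socket is re-made)."""
    with tempfile.TemporaryDirectory() as tmp:
        sock = os.path.join(tmp, "dev", "log")   # stands in for /dev/log
        jail = os.path.join(tmp, "jail")         # stands in for a chroot root
        os.makedirs(os.path.dirname(sock))
        os.makedirs(os.path.join(jail, "dev"))
        open(sock, "w").close()
        os.link(sock, os.path.join(jail, "dev", "log"))   # ln /dev/log jail/dev/log
        before = audit_chroots(sock, [jail])[jail]
        # daemon restart: the old path is unlinked and a fresh inode created,
        # so the hard link in the chroot now refers to a dead object
        os.unlink(sock)
        open(sock, "w").close()
        after = audit_chroots(sock, [jail])[jail]
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running audit_chroots() after every syslogd restart tells you which jails need their link re-made.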



Re: contact info for PC Weasel?

2008-08-06 Thread nate
Brian A. Seklecki wrote:
 On Wed, 2008-08-06 at 13:58 -0700, Chris Cappuccio wrote:
 spend your money on a motherboard with serial console.  like a supermicro
 board or something.  you'll be happier.

 No offense but: No.  No you won't.  Unless you have IPMI or something
 like Dell's DRAC (4, not 5 -- 5 sux big time).

Normal serial console works great for me. There are some quirks;
I've encountered a few on Dell systems, and HP seems quite a bit
better. Most of my boxes are Linux, and the Dell BIOS with redirect
after POST conflicts with the serial console settings in the boot
loader, so as part of the automated system installation it detects
what model# the installer is running on, and if it's an affected
system the installer disables the serial console settings on the
boot loader to work around the BIOS bug (but keeps the serial
console enabled elsewhere like remote tty).

Haven't had a chance to mess with DRAC v4 yet, but DRAC v5 works
alright, though I have to reboot it more often than I had to
reboot the HP iLO (or HP iLO 2). The supermicro premium management
card is pretty nice too though last I checked you had to have
a browser to get to the console, no SSH access. Earlier versions
had an SSH daemon, but none of the commands worked once I got
logged in.

A few years ago when I had a lot more supermicro systems I got
them to fix some of their bios bugs that were the same as the
Dell - they conflicted with the boot loader. I'm told by my
co-workers that Dell support is pretty worthless so I just
work around it on my end instead.

I also make sure to disable all frame buffers, which is pretty
easy.

I do like how the newer HP systems auto-detect what console port
you're on; even our latest Dell boxes we seem to have to go into
the BIOS and enable serial redirection before we can get remote
serial access via DRAC 5. I don't use the KVM stuff as it wants
Java, and a web browser etc unless I absolutely have to. 99.9%
of the stuff I need the console for plain text serial is fine
(and faster/easier to get to over SSH).

My OpenBSD systems are installed by hand, fortunately the
installer is good about asking about serial consoles during
installation, makes it pretty easy too.

For what looks like about $300, this mini terminal server can
probably provide good remote access to a system with a serial
port (assuming you only need 1, if you need lots of ports get
a bigger model):

http://www.avocent.com/CycladesTS100.aspx

I haven't used that model myself, but have used tons of
ACS-32 and ACS-48s. (before Cyclades was bought by Avocent,
I hear since they have started to charge extra for a lot of
the things that were free before).

nate



Re: pf macro behavior change between 4.1 and 4.3?

2008-08-04 Thread nate
Stuart Henderson wrote:

 ah, actually I think this one (which only affected numbers in
 a macro; strings worked ok) was already fixed. on -current:

 $ pfctl -nvf -
 ssh = 22
 ssh = 22
 smtp= 25
 smtp = 25
 penguin = 216.39.174.25
 penguin = 216.39.174.25
 penguin_ports   = { $ssh $smtp }
 penguin_ports = { 22 25 }


Excellent! Great to hear, thanks a bunch for your help.

nate



Re: pf macro behavior change between 4.1 and 4.3?

2008-08-03 Thread nate
Stuart Henderson wrote:
 The pfctl-based config parsers were re-unified between 4.2 and
 4.3, most things just work(tm) but there are some uncommon cases
 which used to work that don't now.

Ok thanks! Do you happen to know if there are plans to fix the
uncommon cases at some point? It seems like this particular
behavior wouldn't be intentional.

 For this in particular, you can simplify. Port names are looked
 up from /etc/services; just write { ssh, smtp }.  The comma is
 optional - see op-list in BNF of pf.conf(5) - but imo makes it
 easier to read (as does removing unnecessary macros).

Nice, that works well. I do have a few ports that are not
in /etc/services but I can hard code them without a recursive
macro, not a big deal. (rather than worry about having to
update /etc/services when I replicate my config between systems)

 pfctl/pf.conf probably could have done with an explicit
 mention, but on plus43.html you find Improvements in the
 common parser code generator for various OpenBSD daemons
 which is meant to cover this too.

Ok, good to know.

I appreciate the quick response! thanks a bunch

nate



pf macro behavior change between 4.1 and 4.3?

2008-08-02 Thread nate
Hello there ..

I am in the process of building a new OpenBSD 4.3 system in
parallel to my existing 4.1 system and ran into a little
glitch with regards to migrating my pf rule set to the new
system.

It seems that in 4.3, macros that expand to ports with
variables don't work anymore. I get a syntax error. I've
been using this since about 3.6, so didn't expect it to
break.

I've stripped the firewall config down to as basic as I can
make it, to reflect the behavior:

--begin firewall config--
external = fxp5
ssh = 22
smtp= 25
penguin = 216.39.174.25
penguin_ports   = { $ssh $smtp }
pass in quick on $external  \
proto tcp   \
from any\
to $penguin \
port $penguin_ports \
flags S/SA  \
keep state

--end firewall config--
(my original firewall config is about 370 lines, this is just
the bare minimum to repro the behavior)

If I try to validate the config with pfctl under 4.1 it
validates no problem, if I try under 4.3 I get:

pf.conf_small:5: syntax error
pf.conf_small:10: macro 'penguin_ports' not defined
pf.conf_small:11: syntax error

I have other macros that have variables in them, which expand
to IP addresses instead of port numbers and those validate
no problem in 4.3.

I looked at the web-based changelog of 4.1-4.2 and 4.2-4.3
but didn't notice anything that might trigger this. I also
re-checked the FAQ and from what I can tell what I am
doing is still valid.

Any ideas?

thanks

nate
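The behaviour the thread expects (pfctl -nvf on -current printing penguin_ports = { 22 25 }) comes down to textual substitution of $name at the point of reference. The following is an added example, not pfctl's parser: a small expander that walks the stripped-down config above, joins backslash-continued rule lines, and reports an undefined macro in pfctl's file:line style.

```python
"""Simplified pf.conf macro expansion, modelled on what the thread shows
pfctl -nvf printing on -current (penguin_ports = { $ssh $smtp } -> { 22 25 }).

Added example, not pfctl's parser.  Assumptions: macros are defined one per
line as 'name = value', referenced as '$name', and defined before use; a
trailing backslash continues a rule onto the next line; '#' starts a comment."""
import re

MACRO_DEF = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
MACRO_REF = re.compile(r"\$([A-Za-z_]\w*)")

# The poster's stripped-down config (fxp5 and 216.39.174.25 are their values).
SAMPLE = """\
external = fxp5
ssh = 22
smtp= 25
penguin = 216.39.174.25
penguin_ports   = { $ssh $smtp }
pass in quick on $external  \\
proto tcp   \\
from any\\
to $penguin \\
port $penguin_ports \\
flags S/SA  \\
keep state
"""


class MacroError(Exception):
    """Carries a pfctl-style 'file:line: message' string."""


def expand_refs(text, macros, used, fname, lineno):
    """Substitute every $name textually; an unknown name is an error on
    the line that referenced it.  Whitespace is normalised afterwards."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise MacroError(f"{fname}:{lineno}: macro '{name}' not defined")
        used.add(name)
        return macros[name]
    return " ".join(MACRO_REF.sub(sub, text).split())


def expand_config(text, fname="pf.conf"):
    """Return (macros, expanded_lines, unused_macro_names).

    A definition is expanded as it is read, so stored values contain no '$'
    and a later definition may nest an earlier one, as in penguin_ports."""
    macros, out, used = {}, [], set()
    pending, start = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not pending:
            start = lineno               # error lines point at the rule's start
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        stmt, pending = " ".join(pending), []
        m = MACRO_DEF.match(stmt)
        if m:
            name, value = m.groups()
            macros[name] = expand_refs(value, macros, used, fname, start)
            out.append(f"{name} = {macros[name]}")
        else:
            out.append(expand_refs(stmt, macros, used, fname, start))
    return macros, out, sorted(set(macros) - used)


def check_config(text, fname="pf.conf"):
    """pfctl -n style check: None when clean, else the error string."""
    try:
        expand_config(text, fname)
    except MacroError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("\n".join(expand_config(SAMPLE)[1]))
```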



Re: pf macro behavior change between 4.1 and 4.3?

2008-08-02 Thread nate
Vasile Cristescu wrote:

 Hello,
 penguin_ports = { $ssh $smtp } -- I think it should be like :
 penguin_ports = { $ssh, $smtp }


Thanks for the quick reply! I just tried your suggestion but I get
the same syntax error.  The FAQ doesn't mention commas either (for
recursive macros):

http://www.openbsd.org/faq/pf/macros.html

thanks again

nate



Re: Quad ethernet card

2007-06-06 Thread nate
Henning Brauer wrote:
 * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
 I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
 was able to get a peak throughput of about 520Mbps in bridged mode
 (pf disabled) measured using iperf.

 the single-stream tcp test iperf uses is pretty meaningless
 (unless.. well, that's another story)

 Interrupt cpu time was ~30%, the rest of the cpu was idle.

hmm, well I would expect this would provide a maximum number for
throughput because there's only 1 connection, no extra processing
vs multiple connections, not that multiple connections should
matter since it was a bridge, and pf was disabled for the test.

It doesn't make sense to me why more connections would increase
throughput, can you (or someone) explain why this would be the
case.

I also would expect that this maximum number likely would not
be achieved once pf is enabled and 'real world' traffic was flowing
through the system keeping track of thousands of states from
the ~400 hosts on both sides of the firewall. But at least it would
give me a number, if I saw the same interrupt cpu% I could reasonably
expect the box to be maxed out. Fortunately normal network
traffic was quite low, the biggest users of bandwidth were file
copies via scp/rsync.

Someone replied to my original post off-list and told me about a
bug that was fixed in 2006 in the Intel GigE network driver that
reduces the amount of pci hits per packet thus increasing throughput
and packets per second, which may have contributed to the performance
issue I experienced (again in mid 2005). Of course at the time I
participated in a thread very similar to this and I don't recall
anyone responding with their OpenBSD network performance, so I
had nothing to base it on (were the numbers normal? low? high?).
The FAQ says it's dependent on the system, and I purchased the
fastest 32-bit CPU that was on the market at the time (64-bit
was still too new; I think that was (one of) the first releases
to support 64-bit x86, and OpenBSD SMP crashed on all machines
I tested at the time during boot). Even now I think I've gotten
one response (may have been off-list) saying they get less than
500Mbit on their card (forgot which card off hand, not the Intel
one though).

So regardless of the performance I think it was about as fast as
it was going to get, at the time. Short of absurdly low numbers
(under 200Mbit, at which I would have purchased a fully hardware
firewall, we had just purchased 3000 gigabit switch ports so we
were spending a bit), I was going to stick with OpenBSD because
pf is a great tool, and easy to use, and the hardware was a good
price too with hardware raid, triple redundant power supplies
(each on a separate UPS-backed circuit), hot swap fans etc.

In the end the firewalls seemed to work out well, it's been
2 years since they launched and they haven't had a problem,
fortunately network traffic is fairly low. Two firewalls are
in active use (for different network segments, and are
failover for each other's network segments), with a 3rd
cold standby server.

tcpreplay sounds like an interesting tool, I had not heard
about it until your post.

nate



Unable to fsck after crash - cannot alloc 30231937 bytes for typemap

2007-06-05 Thread nate
Hello folks -

My OpenBSD 4.1/i386 firewall crashed last week (seems to be on the 31st),
fortunately it did not stop passing packets. There is no log and
the console didn't show anything (serial console). I rebooted it
today, and it came up in single user mode telling me to run fsck
manually, which I tried, but it fails within 2 seconds:

# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a
cannot alloc 30231937 bytes for typemap

I ran a couple searches and came across this:
http://www.openbsd.org/faq/faq14.html#LargeDrive

which states
[..] A rough guideline is the system should have at least 1M of
available memory for every 1G of disk space to successfully fsck
the disk.

The filesystem is 228G (disks are 250GB in hardware raid 1)

I have 768MB of memory in the machine -

real mem  = 804859904 (785996K)
avail mem = 726327296 (709304K)

That is more than triple the amount of memory that the docs say is
needed to check a disk of this size, yet it still fails.

if I exit out and continue booting it won't let me fsck from
multiuser (I expected it would have, since the volume is mounted read-only)

# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes

INCORRECT BLOCK COUNT I=21267992 (448 should be 384)
CORRECT? no

PARTIALLY TRUNCATED INODE I=21267993
SALVAGE? no

INCORRECT BLOCK COUNT I=21267996 (8864 should be 8832)
CORRECT? no

INCORRECT BLOCK COUNT I=21267997 (1152 should be 1120)
CORRECT? no

INCORRECT BLOCK COUNT I=21267998 (244 should be 128)
CORRECT? no

INCORRECT BLOCK COUNT I=21268001 (168 should be 160)
CORRECT? no

INCORRECT BLOCK COUNT I=21268002 (40 should be 32)
CORRECT? no
[..]

Hardware:
Intel P3-800 (don't recall what motherboard)
768MB memory
3Ware 8006-2 RAID controller
2 x 250GB Western Digital Raid edition drives in RAID 1
3COM 3c59x PCI 10/100 NIC (management)
Intel 4 port 10/100 NIC (DEC 21142/3 chipset) - 2 ports are for
 a bridging firewall, the other 2 are not used

The system ran fine for several weeks, it was about a week after
I enabled several rsnapshot jobs that it seemed to crash. I'm not
as concerned right now about the crash but of course the inability
to run fsck.

Any suggestions?

thanks

nate



Re: Unable to fsck after crash - cannot alloc 30231937 bytes for typemap

2007-06-05 Thread nate
Otto Moerbeek wrote:

 go to single user mode, and type

 ulimit -dH unlimited

 and then run fsck


Thanks for the quick reply! But that particular command had no effect:

[..]
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
WARNING: / was not properly unmounted
Automatic boot in progress: starting file system checks.
/dev/rsd0a: INCORRECT BLOCK COUNT I=21267992 (448 should be 384) (CORRECTED)
PARTIALLY TRUNCATED INODE I=21267993
/dev/rsd0a: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
Automatic file system check failed; help!
Enter pathname of shell or RETURN for sh:
Terminal type? vt100
# ulimit -dH unlimited
# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a
cannot alloc 30231937 bytes for typemap
# ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         65536
stack(kbytes)        4096
lockedmem(kbytes)    236424
memory(kbytes)       705612
nofiles(descriptors) 64
processes            80
#

However, just ulimit -d unlimited worked:

# ulimit -d unlimited
# ulimit -d
1048576
# fsck_ffs -y /dev/rsd0a
** /dev/rsd0a
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=21267992 (448 should be 384)
CORRECT? yes

PARTIALLY TRUNCATED INODE I=21267993
SALVAGE? yes

INCORRECT BLOCK COUNT I=21267996 (8864 should be 8832)
CORRECT? yes

INCORRECT BLOCK COUNT I=21267997 (1152 should be 1120)
CORRECT? yes
[..]

thanks!!

nate



Re: Quad ethernet card

2007-06-05 Thread nate
Fredrik Carlsson wrote:
 Hi,

 I'm planing to set up a new firewall and have a few questions about what
 quad ethernet cards people recommend?
 The server will probably be a Dell PE860 (they seem to be well supported
 by OpenBSD), but what quad cards should i buy? what cards have good
 performance?

While I was personally somewhat disappointed with the performance it was
still pretty fast, the Intel Pro 1000 GT quad port:

http://www.intel.com/network/connectivity/products/pro1000gt_quadport_server_adapter.htm

I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
was able to get a peak throughput of about 520Mbps in bridged mode
(pf disabled) measured using iperf. Interrupt cpu time was ~30%,
the rest of the cpu was idle. CPU was I think single proc Xeon
3.6GHz (dual proc supermicro motherboard for multiple PCI-X busses
and stuff). I expected to be able to peg the CPU, but no matter
how hard I hit it, it wouldn't go higher than ~30%.

All in all the systems had 8 Intel GigE ports, a dual port PCI-X,
a quad port PCI-X, and two onboard. It didn't matter what config
I used, if the bridge was on one card or more than one, if it was
going across one IRQ or two, the system wouldn't go higher than
~520Mbps. I was hoping to be able to get at least 1Gbps, if not
2Gbps. (the firewalls had two bridges serving different network
segments). Redundancy was provided by OSPF on the switches.

The systems were connected to fairly hefty Extreme Black Diamond
10808s, when I removed the bridge and just connected the switch
back to itself (layer 3 virtual switching), throughput went up to
around 900Mbps (I think I hit a limitation on the servers I
was testing with at that point).

I sent a few posts to the list back at the time, probably May-June
2005, I don't work at that company anymore so I don't recall
exact specifics on everything.

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-24 Thread nate
Ted Unangst said:

 states are only allocated on demand.  you could set the limit to a billion
 with no problem until you actually start using too many states.  the limit
 is there to protect you from the firewall imploding.


Thanks for all the info, very useful! Hopefully such info can
get added to the docs at some point, since others have contacted
me as well asking similar questions.

thanks a lot (again)

nate



Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread nate
Greetings

I don't have a good way to test generating large numbers
of states so I was wondering, for a server with 2GB of memory
where all it does is pf, how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 em
interfaces (only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes (running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 9

Can I run with 200k states? 500k ? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. so in theory memory wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and
about 250 on the outside (probably will double that in the
next 6 months or less).

thanks

nate



Re: OpenBSD favorable HW

2005-06-14 Thread nate
Johan P. Lindström said:

hello ..

 I used openbsd a few times a few years back only recently
got into it again ..


  The SCSI RAID issues with Adaptec
 - What alternatives have you tried, good and bad and the ugly

currently have 3 openbsd systems (all 3.7 as of tomorrow),
that are running this card:

INTEL ICP-VORTEX GDT8514RZ 128MB SCSI CTRL

with 4 10k RPM 36GB disks in raid 10, so far works ok, had
to upgrade the firmware to keep it from hanging during the
bios POST. my vendor tells me at least in their experience
the ICP cards are the most stable under openbsd.

  IRQ flooding on the NIC's
 - dc, em and sk seems to be the way to go, but what to for quad port
 cards? where to find one, brand names, model numbers, revisions

I posted a question on this topic (my reason for joining the list),
with the em driver. I get about 50% cpu usage servicing interrupts
(~480Mbps of throughput peak)

in any case these are the cards I have in my systems:
INTEL PWLA8492MT 2-PORT COPPER GIG CTRL
INTEL PWLA8494MT PRO/1000 MT Quad Port

both are PCI-X and seem to work alright.

 What I am looking for is HW mirroring of drives with hotswap for
 webservers and quadport nic's

I got my systems from www.asaservers.com (I just mail them for what
I want, rather than use the website). pretty good service and
prices, have ordered about 300 systems from them in the past few
months. mostly running redhat enterprise.  I don't have time to
get into hardware these days so I like being able to tell them
what I plan to use a system for and have them give a recommendation
then I can buy it and they can burn it in for me and send it. much
more flexible than HP which I used to buy from. any small shop
with openbsd experience should do fine though.

if you want a copy of the full specs of my openbsd systems mail
me off list and I'll try to get it for you (price is 6 months out
of date)

hope this helps

nate



Re: Tuning gigabit bridging firewall for better performance

2005-06-10 Thread nate
Tony Sarendal said:

 Now about netstat on your openbsd box ?
 netstat -I interface -w10

I will try that tomorrow, thanks!

also any opinions whether or not the amd64 port of
openbsd may perform better? Even though I'm running
a cheap hack of the amd64 platform (EM64T). I wanted
to go full opteron though my vendor could not
find a SCSI raid card that ran stable under openbsd
on opteron, so I went with Xeons for these firewalls.

nate



Re: Tuning gigabit bridging firewall for better performance

2005-06-09 Thread nate
Tony Sarendal said:

 When it comes to network performance most platforms have limitations in
 packets per second before bandwidth. Please post the performance in pps
 also, as that is more interesting and more relevant, especially in the GigE case.

I don't see a way in iperf to get this stat, I will try to find
another tool. I did a crude test which basically involved clearing
the counters on my switch, using a stop watch and measuring the
time period. The results were approx 43,000 pps (1467476
packets sent, 718984 received during the 1.7GByte test), throughput
was 400Mbit.


 The fastest pc os around according to google is FreeBSD which has broken the
 1Mpps limit on pc hardware (2.8 GHz Xeon), but that is not wirespeed.

yeah I remember reading that news when they first broke that

 If you expect to see wire speed your box has to handle 1.5Mpps, for just one
 direction GigE. What kind of pps numbers are you seeing ?

not really expecting wire 1Gbit speed, just closer to the wire
speed I am getting (~700Mbit) without the bridge. as-is I am
getting 200-300Mbit less vs going raw over the switch.

I will try to look for another tool, if you or anyone has any
suggestions let me know

thanks

nate