sysupgrade(8) and FAQ 4 - File Sets
Hi all!

First, I'd like to say thank you to the developers for sysupgrade(8). As a hobbyist with limited time and energy, anything that reduces the pain of keeping software up-to-date is always going to be a boon for security (in the sense that I'm more likely to find the time to do an upgrade that is relatively quick and straightforward). Between syspatch and sysupgrade, running OpenBSD has gotten a lot easier over the last few years, and I really appreciate it!

I have a suggestion, though: for the sake of us dabblers (who do read the FAQs and the manual, but aren't necessarily mailing list subscribers), I'd like to propose the following update to FAQ 4, under the heading "File Sets".

Instead of:

    New users are recommended to install all of them.

I propose the following:

    Installing all file sets is standard practice, even on headless systems. Only skip a file set if you have a very good reason to do so.

This will bring the FAQ more in line with the tone of what I've been reading on the mailing lists recently, and makes the target audience of this instruction clearer (I've been using OpenBSD on and off for nearly fifteen years, so my status as a "new" user is somewhat ambiguous, at least in my own head). It will also help to clarify sysupgrade's behaviour (which otherwise can come as a surprise during an operation when all surprises in particular are unwelcome).

Thanks!

Sincerely,
Russell Ault
Re: Certain size packets not passing through a L2 over L3 IPsec tunnel
Ok... I've updated both ends of the tunnel to OpenBSD 6.5 and the same problem exists when trying to pass packets of a certain size.

Any ideas on how to fix or work around this issue?

Thanks in advance.

Russell P. Sutherland          Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS         Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102       Cell: +1.416.803.0080
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1

From: Russell Sutherland
Sent: Thursday, October 10, 2019 16:25
To: misc@openbsd.org
Subject: Certain size packets not passing through a L2 over L3 IPsec tunnel

I've set up a L2overL3 tunnel using the template as found in "man etherip". I am running OpenBSD 5.9, which I believe is the first version to support the etherip interface.

I find the bridge/tunnel does not pass a small range of specific sized packets. E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local end:

    ping -s 1388 1.2.3.4    works
    ping -s 1396 1.2.3.4    works

All other sizes, 1389 to 1395 inclusive, fail.

Is there some way to remedy this?

Thanks in advance.

Russell P. Sutherland          Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS         Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102       Cell: +1.416.803.0080
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1
Certain size packets not passing through a L2 over L3 IPsec tunnel
I've set up a L2overL3 tunnel using the template as found in "man etherip". I am running OpenBSD 5.9, which I believe is the first version to support the etherip interface.

I find the bridge/tunnel does not pass a small range of specific sized packets. E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the local end:

    ping -s 1388 1.2.3.4    works
    ping -s 1396 1.2.3.4    works

All other sizes, 1389 to 1395 inclusive, fail.

Is there some way to remedy this?

Thanks in advance.

Russell P. Sutherland          Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS         Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102       Cell: +1.416.803.0080
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1
Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command
Done.

Russell P. Sutherland          Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS         Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102       Cell: +1.416.803.0080
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1

From: owner-m...@openbsd.org on behalf of Hrvoje Popovski
Sent: Wednesday, June 5, 2019 05:59
To: misc@openbsd.org
Subject: Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

On 4.6.2019. 21:22, Russell Sutherland wrote:
> I tried loading current on the device and the same result:
>
> OpenBSD 6.5-current (GENERIC.MP) #5: Mon Jun 3 07:46:49 MDT 2019
>
> # netstat -in
> Name      Mtu    Network      Address              Ipkts   Ifail   Opkts   Ofail  Colls
> lo0       32768                                    0       0       0       0      0
> lo0       32768  ::1/128      ::1                  0       0       0       0      0
> lo0       32768  fe80::%lo0/  fe80::1%lo0          0       0       0       0      0
> lo0       32768  127/8        127.0.0.1            0       0       0       0      0
> em0       1500                00:0d:b9:43:9b:30    31715   0       120479  7      0
> em1       1500                00:0d:b9:43:9b:31    123252  11630860        0      0
> em2       1500                00:0d:b9:43:9b:32    1672    0       625     0      0
> em2       1500   128.100.103  128.100.103.83       1672    0       625     0      0
> enc0*     0                                        0       0       0       0      0
> bridge0   1500                                     152255  0       151339  0      0
> pflog0    33136                                    0       0       70      0      0
>
> freenas-fw# ifconfig bridge0
> bridge0: flags=4WARNING: SPL NOT LOWERED ON S1
> YSCALL 5index 6 llprio 34 3 EXIT 0
> groups: bridg 9
> e
> priorStopped at savectx+0xb1: movl$0,%gs:0x530
> ddb{2}>

Hi,

can you take a look at this link https://www.openbsd.org/ddb.html

when your box is up and running execute sendbug -P > bridge-problem.txt and when your box is in ddb type this commands trace, ps and send all those to b...@openbsd.org mailing list ...
Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command
I tried loading current on the device and the same result:

OpenBSD 6.5-current (GENERIC.MP) #5: Mon Jun 3 07:46:49 MDT 2019

# netstat -in
Name      Mtu    Network      Address              Ipkts   Ifail   Opkts   Ofail  Colls
lo0       32768                                    0       0       0       0      0
lo0       32768  ::1/128      ::1                  0       0       0       0      0
lo0       32768  fe80::%lo0/  fe80::1%lo0          0       0       0       0      0
lo0       32768  127/8        127.0.0.1            0       0       0       0      0
em0       1500                00:0d:b9:43:9b:30    31715   0       120479  7      0
em1       1500                00:0d:b9:43:9b:31    123252  11630860        0      0
em2       1500                00:0d:b9:43:9b:32    1672    0       625     0      0
em2       1500   128.100.103  128.100.103.83       1672    0       625     0      0
enc0*     0                                        0       0       0       0      0
bridge0   1500                                     152255  0       151339  0      0
pflog0    33136                                    0       0       70      0      0

freenas-fw# ifconfig bridge0
bridge0: flags=4WARNING: SPL NOT LOWERED ON S1
YSCALL 5index 6 llprio 34 3 EXIT 0
groups: bridg 9
e
priorStopped at savectx+0xb1: movl$0,%gs:0x530
ddb{2}>

Russell P. Sutherland          Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS         Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102       Cell: +1.416.803.0080
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1

From: owner-m...@openbsd.org on behalf of Stuart Henderson
Sent: Tuesday, June 4, 2019 13:53
To: misc@openbsd.org
Subject: Re: OpenBSD 6.5 dumps to debugger when using ifconfig bridge command

> There was a crash fixed in bridge(4) a few weeks ago, can you try reproducing on -current?

On 2019-06-04, Lee Nelson wrote:
> I have twice seen kernel panics in the same situation. It drops to "ddb>" but the system is unresponsive. Unfortunately, other than taking a picture of the screen with my cellphone, I do not have any further information from the system. On both occasions, I was issuing "ifconfig bridge42" without any arguments. (and no, there aren't 41 other bridges. 42 has other significance in my network)
>
> On Tue, Jun 4, 2019, 08:41 Russell Sutherland <russell.sutherl...@utoronto.ca> wrote:
>
>> I began to install resflash (https://stable.rcesoftware.com/resflash/) which is based on OpenBSD) to build a small firewall on a PC Engines apu2 board. Three interfaces, two bridged and one with an IP for management.
>>
>> I found the system would crash and drop down to the debugger interface whenever I issued the:
>>
>> # ifconfig bridge0
>>
>> command.
>>
>> # ifconfig -a
>>
>> worked fine. After discussing this with the author we thought it good to try the same configuration on vanilla 6.5 install.
>>
>> This worked better, but after a short period of operation the same symptoms occurred:
>>
>> # ifconfig bridge0
>> bridge0: flags=4WAR1
>> Nindex 6 llprio ING: SPL NOT
>> groups: bridgLOWEe
>> priority 327RED68 hellotime 2 f ONwddelay 15 maxag e 20 holdcnt 6
>> pSYSCALL 5roto rstp
>> desi4gnated: id 00:0 3 EXIT 0:00:00:00:00 pri 9
>> ority 0
>> agsStopped at savectx+0xb1: movl $0,%gs:0x508
>> ddb{3}>
>>
>> Here is the output from dmesg:
>>
>> OpenBSD 6.5 (GENERIC.MP) #3: Sat Apr 13 14:48:43 MDT 2019
>>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
OpenBSD 6.5 dumps to debugger when using ifconfig bridge command
Russell P. Sutherland          Email: russell . sutherland @ utoronto dawt ca
Network Engineer, I+TS         Voice: +1.416.978.0470
4 Bancroft Ave., Rm. 102       Cell: +1.416.803.0080
University of Toronto          Fax: +1.416.978.6620
Toronto, ON M5S 1C1
More syntax/parsing issues in the lists/macros of pf
Is it possible to use a macro variable with a network CIDR value and then reference it later in a list?

E.g. This first example is fine:

    a = "1.2.3.4"
    b = "2.3.4.5"
    c = "{" $a $b "}"

works as expected, that is c ends up as a list with host values:

    c = "{ 1.2.3.4 2.3.4.5 }"

But if one uses the CIDR network format for any one of the variables, a syntax error is created:

    an = "1.2.3.0/24"
    bn = "2.3.0.0/16"
    cn = "{" $an $bn "}"

Output from pfctl -nvf /etc/pf.conf:

    a = "1.2.3.4"
    b = "2.3.4.5"
    c = "{ 1.2.3.4 2.3.4.5 }"
    an = "1.2.3.0/24"
    bn = "2.3.0.0/16"
    /etc/pf.conf:36: syntax error

--
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON M5S 1C1
russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax
Connecting to a GRE Transparent Ethernet Bridging host
Is it possible to use one of OpenBSD's tunnelling interfaces (gre/gif/etherip) to connect to a remote host (Edgerouter Lite) which is using GRE in Transparent Ethernet (protocol type 0x6558) mode?

Looking at the source code in /usr/src/sys/net there is a flag for this mode defined but I do not think it is referenced and hence not utilized.

    # pwd
    /usr/src/sys/net
    # grep ETHERTYPE * | grep TRANS
    ethertypes.h:#define ETHERTYPE_TRANSETHER 0x6558 /* Trans Ether Bridging (RFC1701)*/

--
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON M5S 1C1
russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax
Differences between etherip(4) and gif(4)
I noticed that the etherip pseudo-device appeared with OpenBSD 5.9 which is intended for tunnelling. Prior to this I have been using the gif pseudo device to accomplish much the same thing (in my case L2 over L3).

Apart from specifying the mtu to a lower value to avoid problems with larger frames, is there any real advantage with the new etherip device?

--
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON M5S 1C1
russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax
Core dumps after upgrading to OpenBSD 5.7
    ukbd0: was console keyboard
    wskbd0 detached
    ukbd0 detached
    uhidev0 detached
    uhid0 detached
    uhid1 detached
    uhidev1 detached
    uhub4 detached

I've never had this behaviour after an upgrade.

--
Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON M5S 1C1
russell.sutherl...@utoronto.ca
+1.416.978.0470 ~ tel
+1.416.978.6620 ~ fax
Re: OpenBSD embedded?
Does anyone know if the Dual-Core 500 MHz, MIPS64 board that is used in the Ubiquiti EdgeRouter family, has been used as an OpenBSD platform? I know there is development on the octeon http://www.openbsd.org/octeon.html platforms, but not sure if the port was actually usable.

--
Russell Sutherland
I+TS
email: russell.sutherl...@utoronto.ca
office: +1.416.978.0470
mobile: +1.416.803.0080

On 2014-12-04, 7:53 AM, Brad Smith b...@comstyle.com wrote:
> On 12/04/14 07:05, Alan McKay wrote:
>> On Thu, Dec 4, 2014 at 1:15 AM, Vivek Vinod vi...@icanconnect.com wrote:
>>> We have been using Mikrotik routerboards since 7 years
>>
>> Huh? With OpenBSD on them?
>
> There are 3 PowerPC based RouterBOARDs. AFAIK the RB600 is supported at the moment by the socppc port. The RB800 and RB850Gx2 boards would probably be relatively easy to add support for.
Re: OpenBSD embedded?
Thanks...

And may I assume with net booting saving local customizations (firewall rules, network configuration, etc.) is a bit awkward, as there is no local storage?

--
Russell Sutherland
I+TS
email: russell.sutherl...@utoronto.ca
office: +1.416.978.0470
mobile: +1.416.803.0080

On 2014-12-04, 12:05 PM, Chris Cappuccio ch...@nmedia.net wrote:
> Russell Sutherland [russell.sutherl...@utoronto.ca] wrote:
>> Does anyone know if the Dual-Core 500 MHz, MIPS64 board that is used in the Ubiquiti EdgeRouter family, has been used as an OpenBSD platform? I know there is development on the octeon http://www.openbsd.org/octeon.html platforms, but not sure if the port was actually usable.
>
> The port is going to be more usable if it gets USB support. Right now you have to net boot.
NAT logging and limits using pf
I am trying to determine whether using an OpenBSD system to perform institutional NAT for our wireless users would be a viable option. At the present time we are evaluating the A10 Thunder CGN appliance.

There are a few issues for which I would like to get some input from those using pf for NAT in large environments (10k users):

* are there problems with arp cache resources?
* can logging be modified to use radius? We really need some hooks to determine who is/was responsible for a given session.

Thanks in advance for any operational experience you may have using pf in a similar environment.

--
Russell Sutherland
I+TS
email: russell.sutherl...@utoronto.ca
office: +1.416.978.0470
mobile: +1.416.803.0080
Re: Problem with a startup script
On 05/21/2013 11:18 PM, C. L. Martinez wrote:
> Hi all,
>
> I have a problem with some tcl rc.d startup scripts. Start and status works ok but stop and restart, doesn't.
>
> Script:
>
>     #!/bin/sh -x
>     #
>     # $OpenBSD: suricata_proxyin_agent,v 1.0
>
>     daemon="/usr/local/bin/suricata_proxyin_agent.tcl"
>     daemon_flags="-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D"
>
>     . /etc/rc.d/rc.subr
>
>     pexp="/usr/local/bin/tclsh8.5 $daemon"
>
>     rc_cmd $1
>
> I have tried several variants like to insert rc_stop specific option or changing pexp to "/usr/local/bin/tclsh8.5 $daemon $daemon_args" without luck.
>
> Debugging script, acts as like the other system startup scripts:
>
>     .
>     + echo NO
>     + : NO
>     + [ XNO = XYES ]
>     + echo NO
>     + : NO
>     + domainname
>     + [ X != X -a -d /var/yp/binding ]
>     + echo NO
>     + : NO
>     + : NO
>     + [ -n /usr/local/bin/suricata_proxyin_agent.tcl ]
>     + unset _RC_DEBUG _RC_FORCE
>     + getopts df c
>     + shift 0
>     + basename ./suricata_proxyin_agent
>     + _name=suricata_proxyin_agent
>     + _RC_RUNDIR=/var/run/rc.d
>     + _RC_RUNFILE=/var/run/rc.d/suricata_proxyin_agent
>     + eval _rcflags=${suricata_proxyin_agent_flags}
>     + _rcflags=
>     + eval _rcuser=${suricata_proxyin_agent_user}
>     + _rcuser=
>     + getcap -f /etc/login.conf suricata_proxyin_agent
>     + /dev/null
>     + 21
>     + [ -z ]
>     + daemon_class=daemon
>     + [ -z ]
>     + daemon_user=root
>     + [ -n ]
>     + [ -n ]
>     + [ -n ]
>     + printf %s -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
>     + daemon_flags= -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
>     + daemon_flags=-c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
>     + readonly daemon_class
>     + unset _rcflags _rcuser
>     + pexp=/usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
>     + rcexec=su -l -c daemon -s /bin/sh root -c
>     + pexp=/usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl
>     + rc_cmd stop
>
>     root@nsm10:/usr/local/etc/rc.d# ps xa |grep suricata_proxyin_agent.tcl | grep -v grep
>     17486 p2- I 0:00.29 /usr/local/bin/tclsh8.5 /usr/local/bin/suricata_proxyin_agent.tcl -c /data/config/etc/sguil/suricata_proxyin_agent.conf -D
>
> Any idea why process is not stopped??

Because pexp uses pkill to do its work and pkill matches on command name only (like ps -c). the command name for your tcl scripts is the tcl interpreter.

I had same problem with some python daemons I wrote. my solution ignore all the nice rc.subr goodness and write the rc.d script with explicit start and stop bits.
Re: Problem with a startup script
> Because pexp uses pkill to do its work and pkill matches on command name only (like ps -c).

sorry for the noise. I just revisited this and I am wrong. the pkill bits in rc.subr are using pkill -f and that does match against the full arg list. as said before make a better pexp and it should work.
nfe on i386
doctor it hurts when I do this

    PXE boot MAC address 00:e0:81:77:e8:78, interface nfe0
    uvm_fault(0xd0a36200, 0x0, 0, 1) -> e
    kernel: page fault trap, code=0
    Stopped at get_hibernate_io_function+0x28: repe cmpsb (%esi),%es:(%edi)

Well stop doing that.

*sigh* yes I know I am dabbling with dark forces I don't fully understand and should probably stop. but what the hell it's the weekend I am allowed a bit of fun every now and then, right.

so.. I am trying to setup an i386 system for netbooting, the smart way would be to install to the actual i386 then copy the filesystem to the fileserver, the stupid way (my way) is to untar the sets and try to reproduce the rest of the install script. And just because that's not stupid enough, I am doing this on a spare amd64 system 'cause I don't want to lose my net connection through the alix the netboot tree is intended for. As a bonus the bsd.rd boots just fine.

dmesg and trace to follow but quick question on MAKEDEV first: to get the i386 dev entries I ran the i386 MAKEDEV in the diskless client tree /diskless/firewall/dev/MAKEDEV and it *appeared* to do the correct thing. However I ran it from an amd64 kernel, is this ok or does it need to run under a i386 kernel?

dmesg (actually a serial console dump)

    PhoenixBIOS 4.0 Release 6.1
    C
    OpenBSD/i386 PXEBOOT 3.17
    boot> booting tftp:/bsd: 8288508+1101960 [52+372864+359455]=0x9a77cc
    entry point at 0x200120
    [ using 732744 bytes of bsd ELF symbol table ]
    Copyright (c) 1982, 1986, 1989, 1991, 1993
            The Regents of the University of California.  All rights reserved.
    Copyright (c) 1995-2012 OpenBSD. All rights reserved.  http://www.OpenBSD.org

    OpenBSD 5.2 (GENERIC) #278: Wed Aug 1 10:04:16 MDT 2012
        dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
Re: hint on starting tftpd -r
On 02/24/2013 11:32 PM, David Gwynne wrote:
> what are you using the rewrite stuff for?

netbooting. pxeboot is unable to pick a kernel based on machine. and as I run an oddball mix of current/stable i386/amd64 (and sparc64 but it does not count as ofwboot.net does specify kernel) so I use tftpd rewrite rules to load the correct kernel.

I use my constantly growing collection of old machines sort of in the manner you would use a vm. copy tree, send wol, have new server. In all honesty it is sort of stupid, but I am having fun setting it up.

And just for grins and giggles this is what I am using to rewrite. I am sure my inexperience shows but it is good to learn something new

    #!/usr/local/bin/python
    # rewrite tftp requests for tftpd -r: tftpd connects to the UNIX socket
    # below and hands over requests one per line, each as three space-separated
    # fields (client address, request type, filename), which is what the parsing
    # below expects; the answer is the filename to serve, one per line.
    import os
    import socket

    tftpd_rewrite_address = '/var/run/tftpd.sock'
    tftpd_rewrite_address = '/tmp/tftpd.sock'   # overrides the line above while testing
    tftpd_base = '/tftpboot'

    if os.path.exists(tftpd_rewrite_address):
        os.unlink(tftpd_rewrite_address)

    listen_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listen_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listen_socket.bind(tftpd_rewrite_address)
    listen_socket.listen(1)
    tftpd_socket, addr = listen_socket.accept()

    REQUEST_ADDR = 0
    REQUEST_CMD = 1
    REQUEST_FILE = 2
    cmd_list = ['quit']
    cmd = ''
    while cmd != 'quit':
        tftp_request = tftpd_socket.recv(1024).decode('ascii', 'replace')
        if not tftp_request:
            break   # tftpd closed the socket; a zero-length read would otherwise loop forever
        for request in tftp_request.strip().split('\n'):
            if request in cmd_list:
                cmd = request
            else:
                request_data = request.split(' ', 3)
                if len(request_data) == 3:
                    response = request_data[REQUEST_FILE] + '\n'
                    try:
                        host_name = socket.gethostbyaddr(request_data[REQUEST_ADDR])
                        short_name = host_name[0].split('.')[0]
                    except socket.herror:
                        short_name = ''   # no reverse DNS: serve the filename unchanged
                    # a host gets its own kernel only if /tftpboot/<short_name>/ exists
                    if short_name and os.path.isdir(os.path.join(tftpd_base, short_name)):
                        if os.path.isabs(response):
                            response = response[1:]   # remove leading /
                        short_name = '/' + short_name
                        response = os.path.join(short_name, response)
                    send_size = tftpd_socket.send(response.encode('ascii'))
    tftpd_socket.close()
    listen_socket.close()
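As an added example (not the script from the post above and not tftpd's own code), the per-host rewrite rule factored into functions that can be exercised without a running tftpd, handling the two cases the posted script trips over: a client with no reverse DNS entry, and a requested filename with a ".." component that would steer the rewrite out of that host's own directory. The request-line layout "<client> <read|write> <filename>" is assumed from the script's parsing; the addresses, hostnames and directories are constructed.

```python
import os
import shutil
import socket
import tempfile


def split_request(line):
    """Parse one tftpd -r request line ("<client> <read|write> <filename>").

    Returns (client, cmd, filename), or None for control lines such as "quit".
    The three-field layout is assumed from the script in the thread.
    """
    fields = line.strip().split(' ', 2)
    return tuple(fields) if len(fields) == 3 else None


def host_short_name(client, resolve=socket.gethostbyaddr):
    """Reverse-resolve the client and keep only the first DNS label."""
    try:
        return resolve(client)[0].split('.')[0]
    except (socket.herror, socket.gaierror, OSError):
        return ''   # no PTR record: the request stays unrewritten


def rewrite_filename(filename, short_name, base):
    """Map <filename> to /<short_name>/<filename> when that host has its own tree.

    A filename containing a ".." component is left unchanged: joining it under
    the host directory would let one client reach another host's tree, so the
    rewrite refuses it and lets tftpd apply its own checks to the raw request.
    """
    parts = [p for p in filename.split('/') if p not in ('', '.')]
    if '..' in parts or not parts:
        return filename
    if short_name and os.path.isdir(os.path.join(base, short_name)):
        return '/' + '/'.join([short_name] + parts)
    return filename


def reply_for(line, base, resolve=socket.gethostbyaddr):
    """Produce the reply line for one request, or None for a control line."""
    req = split_request(line)
    if req is None:
        return None
    client, _cmd, filename = req
    return rewrite_filename(filename, host_short_name(client, resolve), base) + '\n'


def demo():
    """Constructed run: only the host 'firewall' has a per-host tree."""
    fake_dns = {'192.0.2.10': ('firewall.example.net', [], ['192.0.2.10'])}

    def resolve(addr):   # stands in for socket.gethostbyaddr
        if addr not in fake_dns:
            raise socket.herror(1, 'Unknown host')
        return fake_dns[addr]

    base = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(base, 'firewall'))
        return [
            reply_for('192.0.2.10 read bsd', base, resolve),           # '/firewall/bsd\n'
            reply_for('192.0.2.10 read /bsd.rd', base, resolve),       # '/firewall/bsd.rd\n'
            reply_for('192.0.2.11 read bsd', base, resolve),           # 'bsd\n' (no PTR record)
            reply_for('192.0.2.10 read ../other/bsd', base, resolve),  # '../other/bsd\n' (refused)
            reply_for('quit', base, resolve),                          # None
        ]
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    for reply in demo():
        print(repr(reply))
```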
hint on starting tftpd -r
So I am using tftpd -r socket and my rewrite script works, however I am at a loss as to the best way to start tftpd.

From my experiments, the rewrite engine has to start before tftpd, tftpd expects the socket to exist. however tftpd is started rather earlier in /etc/rc than a pkg_scripts rc.d entry (my initial choice).

So my options as I see them are:

1. modify /etc/rc.d/tftpd to start the rewrite engine
   benefit: the two programs really do need to run together
   problems: will get erased during upgrade.

2. modify /etc/rc to start tftpd_rewrite_engine before tftpd
   problems: nonstandard rc, changes will get erased during upgrade

3. remove tftpd from rc.conf.local and make custom rc.d/tftpd_local that will start both processes from pkg_scripts
   problems: nonstandard tftpd start

I am hoping I have missed something obvious but will probably go with choice three (the pkg_scripts tftpd).

And, if anyone wishes to see it, I would be happy to share my rewrite script, however about the best that can be said about it is "It works". It is written in python and I have little experience writing socket code.
OpenBSD Customer Gateway to Amazon VPC
I found the following thread on this issue from 2010: http://comments.gmane.org/gmane.os.openbsd.misc/168129 Amazon still only supports route-based VPNs, but they have removed the requirement for BGP and instead allow for static routes. I was able to get a tunnel working without using BGP based on the info from the post above, but it would stop handling the reply traffic after a short time. The ESP packets arrive at the gateway, but never get decrypted into enc0. Tearing down the tunnels and waiting an hour or so seems to permit another short-lived VPN, but it still doesn't stay up. Has anyone been successful establishing a customer gateway VPN connection into Amazon VPC using OpenBSD? Does the fact that they only support a route-based VPN exclude the possibility of using a policy-based system like OpenBSD?
Re: UNIX A to Z List RFC
On 02/02/2013 01:59 PM, Chris Hettrick wrote:
Hi Misc, I made a list of the most classical UNIX commands / utilities from section one where there is only one per letter of the English alphabet (it's for my OpenBSD-obsessed five year old son :) ). I know that this subject is very personal and steeped in tradition and history, so I was looking for your opinions and suggestions. A quick note about the list: some hard choices were made concerning letters such as c, p, m, etc. For instance, kill(1) is not included for two reasons: it is included in the shell, and it needs ps(1) to be properly used (which conflicts with pwd(1) which I think is _more_ useful for a UNIX beginner). mv(1) was not included because a cp(1) and rm(1) can suffice.
snip

heh, there is a fortune for that:

    A is for awk, which runs like a snail, and
    B is for biff, which reads all your mail.
    C is for cc, as hackers recall, while
    D is for dd, the command that does all.
    E is for emacs, which rebinds your keys, and
    F is for fsck, which rebuilds your trees.
    G is for grep, a clever detective, while
    H is for halt, which may seem defective.
    I is for indent, which rarely amuses, and
    J is for join, which nobody uses.
    K is for kill, which makes you the boss, while
    L is for lex, which is missing from DOS.
    M is for more, from which less was begot, and
    N is for nice, which it really is not.
    O is for od, which prints out things nice, while
    P is for passwd, which reads in strings twice.
    Q is for quota, a Berkeley-type fable, and
    R is for ranlib, for sorting ar table.
    S is for spell, which attempts to belittle, while
    T is for true, which does very little.
    U is for uniq, which is used after sort, and
    V is for vi, which is hard to abort.
    W is for whoami, which tells you your name, while
    X is, well, X, of dubious fame.
    Y is for yes, which makes an impression, and
    Z is for zcat, which handles compression.
                    -- THE ABC'S OF UNIX

which got me thinking, and I came up with this terrifying monstrosity:

    find $(echo ${PATH} | tr ':' ' ') -perm -0100 -maxdepth 1 ! -type d \
        | sed -E -f basename.sed \
        | awk -f tag.awk \
        | sort -n -k 1,1 \
        | sort -u -k 2,2 \
        | awk -f display.awk

with basename.sed:

    # keep only the last path component
    # (much faster than my first attempt: | xargs -n 1 basename)
    s/.*\/([^\/]*)$/\1/

tag.awk:

    # prefix each command with a random number and its first letter
    BEGIN { srand() }
    { printf "%s %s %s\n", int(rand() * 1000), substr($0, 1, 1), $0 }

display.awk:

    # $2 is the letter, $3 the command; pull its one-line description from whatis
    {
        man_cmd = "man -f " $3 " | tail -n 1"
        man_cmd | getline man_str
        close(man_cmd)
        printf "%s is for %s\n", $2, man_str
    }

Now, the prose is a little off, but I blame the documentation writers. I am certain mdoc(7) has a section about the rhyming characteristics needed for .Nm on alternate lettered commands. And let me just say I was quite pleased with my random pick-one-per-letter-group system (the tag-sort nonsense). First attempt was with awk associative arrays and that was getting nasty quick. So I just wanted to thank you for reminding me how much fun unix can be, and I wish you and your son many hours of happy hacking together.
Re: trunking
On 01/03/13 16:11, Stuart Henderson wrote:
On 2013-01-03, Friedrich Locke friedrich.lo...@gmail.com wrote:
Hi folks! What happens if I have a trunk(loadbalance) interface set up for 2 physical interfaces and connect each physical one to a different switch? Tnx

From the manual:
The trunk protocols loadbalance and roundrobin require a switch which supports IEEE 802.3ad static link aggregation; otherwise protocols such as inet6(4) duplicate address detection (DAD) cannot properly deal with duplicate packets.

You usually can't configure this across two switches (it may be possible with some fancy switch stacking protocol, but not in the normal case). trunk(failover) works perfectly well in this scenario.

I thought the 802.3ad switch requirement was for when all your trunk legs plug into the same switch. That is, if your trunk legs are on separate networks you would not need static link aggregation. That said, the one time I played with a trunked interface, I direct-connected the legs.
Re: Best postscript printer with network support?
On 12/27/12 02:58, Girish Venkatachalam wrote:
I want to print from my OpenBSD machines on the ethernet LAN. I asked HP and Epson but did not get a good response. I want to avoid HP. I want basic printing with Postscript ability over the network. Also good value for money. I don't think I should spend more than 300$. Are there any recommendations? Or can we make do with HP's PCL on port 9100? Will this work well on OpenBSD?
-Girish

While I have no clue about various printers and manufacturers, here is an anecdotal experience that I found pretty damn cool. While at work a little-used lj2100dn caught my eye. Now I have printed from an openbsd machine before, so why not? So read lpd(8), printcap(5) and a quick web search to get started:

    /etc/printcap
    lp|lj2055 operations c:\
            :rm=oc-printer:rp=auto:sd=/var/spool/output:lf=/var/log/lpd-errs:

and start lpd. Yep, it was that simple; the hp printer network stack has an lpd daemon.
pci graphics on sparc64?
I recently picked up a pair of sun netras to play around with and I noticed they have a pci slot. I was wondering what would happen if I put a pci graphics card in there. While I expect X would work, would I get a console? My guess is the ofw prompts would not show, as that would require BIOS/VGA emulation that probably does not exist (or ofw-compatible firmware on the card, unlikely), and the console probably just uses whatever ofw tells it to. The console may appear when vga(4) attaches, but I can't tell from the man pages (probably not).
Re: USB hubs
I can confirm this is all true, but due to USB power being the way it is YMMV. I use hubs regularly for host attachment and for standalone charging. The hub in my desktop monitor is intentionally disconnected from the host in order to provide charging, but it doesn't always work. A main thing is that some devices are really using the USB connector for convenience, but draw way more power than your USB provides with their wall charger. Check your device wall chargers to see if they provide more than 500mA and keep in mind that anything that comes with a charger supplying more than that will charge slower on the hub, if at all. The other thing to check is the hub, and possibly return it. Sometimes they aren't totally honest about the hub being self-powered. I have had good luck with Belkin in the past, but for all I know they have bad models I never purchased. Also check the electrical power supply that came with the hub and make sure it is providing enough current. It is best to have at least 500mA per port, so a 4-port hub should have at least a 2000mA supply. If the supply is undersized you could see issues where it simply can't provide enough juice. I have seen undersized supplies on cheaper hubs, since the part is cheaper than a higher-capacity supply. Really all the pain starts with the decision to combine the power plug with the USB, but that genie is out of the bottle now. Good luck.
Re: Upgrade to 5.2?
On 11/01/2012 07:04 AM, Kurt Mosiejczuk wrote: Otto Moerbeek wrote: untarring the sets and copying the kernel by hand is not recommended. I used the perfect phrase for this in a presentation on PF a week ago: You wouldn't ever do this... unless maybe you hate yourself. --Kurt Err, I do this all the time. if there is a better way I would love to hear it. as I pretty much had to figure it out myself. See my use case is I have a number of netboot trees and when I want to update one of them I have found the best way is to untar all the sets and put the kernel where it can be found, really I just more or less followed what the install script did. The hard part was getting /dev(first sparc64 machine) built. I think I used bsd.rd for this. I was going off the theory different archs would have different dev numbers(I could be wrong) Every once in a while I work on scripting the process but this is just for fun right now.
Re: Bitcoin client for OpenBSD?
On 10/16/2012 04:06 PM, Anonymous wrote:
You wrote:
2012/10/16 Fritz Wuehler fr...@spamexpire-201210.rodent.frell.theremailer.net:
...snip...
Bottom line appears to be a lone miner with a normal desktop computer is not going to be able to do anything but heat up his room. I agree bitcoin is a cool concept and design and the history is fascinating. But we are probably priced out.

I don't see much difference to 'real money' when thinking from the standpoint of a lone miner with a normal desktop printer. We don't create the money, we just trade it, be it buying things or working to earn it etc.

That's a good comparison and it is the point I was making. Nobody has ever legally printed money with his own printer but people have been able to mine bitcoins with their own computers until recently. That was the original point of bitcoin and it is already on the verge of disappearing. Bitcoin was supposed to be a decentralized currency but because of increasing resources needed for mining that part is no longer relevant. Do you really want another unelected federal reserve board of bitcoin? That kind of defeats the purpose.

Yes, the point of mining was to have a decentralized method of distributing bitcoins. The guy who invented the system could have said "hey I have 23 million cryptographic tokens, let's use them as currency!" and started passing them out, and he would have been rightly laughed out of the room. So he spent a lot of effort to invent a system where the tokens emerge (with effort) out of thin air. The end result is the same, 23 million cryptographic tokens, but now they are spread around and people feel they have real value (sometimes). Not sure if bitcoin will work, but I do admire the system that got it out there.
Re: SSI
I initially thought this thread was about Social Security Insurance, but instead it is about something like SGI UV.
Re: happy alix user ?
Definitely OT, but I second the FW-7535. Good gear and Lanner is easy to work with direct even for small projects.
Re: happy alix user ?
On Thu, Sep 27, 2012 at 2:10 PM, Michel Blais mic...@targointernet.com wrote:
Same with LEI technologie, their division in Canada.

Good catch. I now remember that was the actual entity I dealt with, not Lanner. Started with the main Lanner sales office for NA, but they directed me to LEI in Canada. From then on it was only a few days before I had hardware on my bench. The pair here is on 100/100 Internet and regularly handles around 20-25k states with ease.
Re: pxeboot, machine dependent kernel
On 09/08/12 03:34, Ville Valkonen wrote:
On 7 September 2012 14:08, russell russ...@dotplan.dyndns.org wrote:
I have been doing quite a lot of netbooting lately. However I cannot figure out how to configure a specific machine to use a specific kernel. Is there a way for pxeboot to load a kernel based on something machine dependent, for example, MAC address? If not, I have been digging around in sys/stand/boot/boot.c; while I have not found where to get the MAC address yet, would it be preferable to:

a. look for a boot.conf.macaddress before an unadorned boot.conf
b. if not otherwise specified fall back to /bsd.macaddress
c. macro expansion in boot.conf (something in the manner of "machine $macaddress")

I like option a as that seems like it would be easy to put in and provide configuration power where needed while not complicating the setup in the common case of only ever needing one kernel.

Have you checked man 8 diskless?
-- Ville

heh, diskless(8), that's my bible. But my problem is:

dhcp: the filename directive can be per machine but it does not point to a kernel. It points to a pxeboot.

pxeboot: can be configured via boot.conf but there is no way to specify a kernel based on the machine actually booting; you can only hard code the kernel image in. And even if I kept different pxeboot binaries they would still use the same boot.conf; when different machines (say one is amd64 and the other is i386) need different kernels one boot.conf will not work.

I was hoping there was something obvious I missed when setting it up, 'cause right now I am typing in the kernel name by hand when booting, which sucks and kind of defeats the purpose of netbooting. My intention is to hack boot.c (my guess, at this point I am still just looking at source) to check for and use some sort of global kernel macaddress var pxeboot claims to set. It may seem I have no idea what I am doing; this is true. However I figure this is a good chance to learn.
pxeboot, machine dependent kernel
I have been doing quite a lot of netbooting lately. However I cannot figure out how to configure a specific machine to use a specific kernel. Is there a way for pxeboot to load a kernel based on something machine dependent, for example, MAC address? If not, I have been digging around in sys/stand/boot/boot.c; while I have not found where to get the MAC address yet, would it be preferable to:

a. look for a boot.conf.macaddress before an unadorned boot.conf
b. if not otherwise specified fall back to /bsd.macaddress
c. macro expansion in boot.conf (something in the manner of "machine $macaddress")

I like option a as that seems like it would be easy to put in and provide configuration power where needed while not complicating the setup in the common case of only ever needing one kernel.
Re: wol for nfe
On 08/30/12 10:41, Stefan Sperling wrote:
On Wed, Aug 29, 2012 at 07:53:54AM -0700, russell wrote:
finally even though it did not work out for me. (my nics were nfe(4) which has no WOL bits in OBSD, I blame nvidia, those secretive assholes.)

Yes, but they cannot hide their secrets forever ;) The nfe driver already knows which register to poke, and in fact it currently attempts to enable WOL by default. However, it always shuts down the receive engine when the interface goes down which prevents WOL from working. The diff below disables WOL by default and makes it configurable. Works for me with:

    nfe0 at pci0 dev 5 function 0 "NVIDIA nForce3 LAN" rev 0xa2: apic 1 int 9, address 00:11:d8:90:b3:56
    rlphy0 at nfe0 phy 1: IP101 10/100 PHY, rev. 4

Can you please test if this works for you, too?

snip diff

Very cool, like Christmas came early this year. Sorry for the wait; it caught me with my metaphorical trousers down, as much to my shame I did not have a build environment set up. I can now confirm the patch does work (I tested with -current).

before:

    nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            hwfeatures=37<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING>
            lladdr 00:e0:81:77:e8:78
            priority: 0
            groups: netboot egress
            media: Ethernet autoselect (1000baseT full-duplex)
            status: active
            inet 192.168.16.11 netmask 0xffffff00 broadcast 192.168.16.255

after:

    nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            hwfeatures=8037<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>
            lladdr 00:e0:81:77:e8:78
            priority: 0
            groups: netboot egress
            media: Ethernet autoselect (1000baseT full-duplex)
            status: active
            inet 192.168.16.11 netmask 0xffffff00 broadcast 192.168.16.255

I can set and disable the WOL flag with wol and -wol. When set, I can turn off the machine and turn it back on with arp -W. This is great, thank you very much.
Re: setting WOL for Realtek 8168
On 08/31/12 05:38, Stefan Sperling wrote:
On Thu, Aug 30, 2012 at 07:58:07PM -0500, Ed Ahlsen-Girard wrote:
I'm all good now, actually - apparently wol has to be reset by rc.local each startup.

Yes, or alternatively add the 'wol' keyword to '/etc/hostname.re0'. The option doesn't stick across reboots.

Derp. Yes, the netstart scripts would be a better place to put it. I was thinking in linux and how you have to find somewhere to hide that infernal ethtool command.
Re: setting WOL for Realtek 8168
On 08/29/12 06:56, Ed Ahlsen-Girard wrote: While I can set wol for this interface, the setting does not survive shutdown. I have found no bios settings that seem to pertain. This system is not dual-boot. Is this a quirk of the 8168? Do I need to look for jumpers? As far as I can tell from my attempts on setting WOL on linux the NIC driver resets the WOL flag on system start I think I saw the same in the OBSD code. windows drivers also do the same, so I am guessing it's normal. just reactivate the WOL flag in rc.local. finally even though it did not work out for me. ( my nics were nfe(4) which has no WOL bits in OBSD, I blame nvidia, those secretive assholes.) I do love the ifconfig based wol syntax, miles ahead of the linux bullshit
Re: CARP and transit network to ISP
I have set up a pair of gateways for a similar scenario where the provider gave me a /30 and an ethernet jack instead of providing a router on-premises. This is what I did:

- Configured an interface on each machine to come up with no IP.
- Configured a carpdev to use the no-IP interface on each machine.
- Configured my IP from the /30 on the carpdev on each machine.

Other things included CARP on other interfaces like LAN and DMZ. In my case those IP networks were large enough to allow me 1 CARP IP and an IP for each gateway. Not sure if that helps, but the best general advice is to draw a picture of what you want. Read the FAQ/manpages to draft a config. Test all that, and if you are like me, realize you didn't really want bridge at the one place in the drawing and revise--repeat. Good luck!
Re: OpenBSD forked
On 06/22/2012 06:35 AM, Diana Eichert wrote: morons if you can't write forth code you should stay home. diana I Love me my hand crafted postscripts... Does that count?
Re: Mounting a partition, cdrom, usb as a user
On 06/16/2012 04:39 AM, Mik J wrote:
Hello, I'm able to mount a partition as a user if I have kern.usermount=1

    # ls -l /dev/wd2*
    brw-rw----  1 root  operator    0,   0 May  7 21:54 /dev/wd2a
    # ls -l /mnt
    drwxrwxr-x  2 myuser  operator  512 May  7 22:38 extpart

and

    # grep operator /etc/group
    operator:*:5:root,myuser

However, I'm unable to mount the partition if the owner of /mnt/extpart is root although that mount point is rwx by the group operator and myuser belongs to that group.

    # ls -l /mnt
    drwxrwxr-x  2 root  operator  512 May  7 22:38 extpart

I assume that kern.usermount allows a partition to be mounted only if the mount point is owned by a user and the group owner is not considered. I have searched for a variable kern.groupmount but there is no such thing. So my question is: Is it possible to allow a group to mount partitions (or usb keys, cdrom)? Thank you

quite surprised. no love so far for fbtab(5)
Re: Mounting a partition, cdrom, usb as a user
On 06/19/2012 06:40 AM, Christopher Zimmermann wrote: On Mon, 18 Jun 2012 22:26:57 -0700 russellruss...@dotplan.dyndns.org wrote: quite suprised. no love so far for fbtab(5) The fbtab file is used by login(1) to chown(2) the specified files to the user who has performed a login. Additionally, chmod(2) is used to set the devices to the specified permission. When a user logs out, init(8) is responsible for performing the inverse operation, which results in the files once again belonging to root. Nice. But how is this supposed to work for multiple logins or system crashes (power outage during login)? how many people are you gonna cram at the local machine anyhow? that is, remote users don't need to mount cd/floppy/usb
Re: Customizing the install process
On 06/07/2012 04:21 PM, Tomasz Marszal wrote:
Yes I read it as well as the FreeBSD handbook section about PXE. So my idea is to install the bsd system, then install gnome, then tar the installed system and make an img from the tar. Later configure dhcp and tftp and nfs on a PXE server. Put bsd.rd and the other files mentioned in the OpenBSD FAQ into the tftpboot directory and put the image on your nfs server. Enable PXE on the booted machine, obtain an ip address from dhcp and the kernel bsd.rd from tftp, then in the shell mount nfs (as described in the handbook) and dd system.img from it to the local hdd, finally reboot and here we go :)

Heh, I started off setting up an environment for pxe bsd.rd boots to aid in installs... started getting into it... now I have three diskless(8) machines and I am eyeing a few others. *sigh* I'm terrible
Re: llround(), round() broken?
On 06/04/2012 07:31 PM, Alan Corey wrote:
man intro (3) comes close in OpenBSD (I did man -k libraries to find it). It just seems like if a function requires a special library that should be mentioned in the function's man page as well as the header file since it needs both to work. I guess it depends on how surprised you are that the function isn't built-in. round() at least is perfectly ordinary in Pascal/Delphi and in Java/Javascript it might be something like math.round(). Alan

On 6/4/12, Anthony J. Bentley anthonyjbent...@gmail.com wrote:
Alan Corey writes:
They probably aren't broken, looks like I need to link in some library. I get "undefined reference to" when I try to compile/link. Shouldn't this be mentioned in the man page? FreeBSD has a Library section in its man page: LIBRARY Math Library (libm, -lm)

I recall reading on the mandoc mailing lists that OpenBSD man pages do not contain this section, but I don't know why that is.
-- Anthony J. Bentley

what are you looking for?

    $ man round
    SYNOPSIS
         #include <math.h>

    $ man math
    DESCRIPTION
         These functions constitute the C math library, libm. The link editor
         searches this library under the ``-lm'' option. Declarations for
         these functions may be obtained from the include file <math.h>.

seems well documented to me. However I had a similar problem with a program built with djgpp (DOS gcc) that had libm built in (auto included, I am not sure) which had me confused as to why it was not building on obsd. Just needed the -lm.
Re: Load balancing and fail-over
On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya induni...@gmail.com wrote: If yes, How to ping external internet host when that link is DOWN? I find it difficult? I tried it with below commands ping -I WAN1_if_ip www.google.lk ping -I WAN2_if_ip www.google.lk Some times it works? some times it does NOT? Could you pls explain why? I have been asked by management a few times about why some pings fail when you ping things like google servers and core routers at the ISP. The short answer I give is that things like that are too busy being the Internet to respond to all the ping traffic that doesn't do anything to enable them to be the Internet. Best advice is to consult your routing tables or contact your ISP and have your ifstated ping the far-end of your internet connection. Those systems are typically less busy and have a higher expectation of answering all pings while up.
Re: Song copyright
Shucks! I was working on a baby mulching machine that was going to play the song while it operates. http://www.monkey.org/openbsd/archive/source-changes/0105/msg01243.html
Re: IPSec isakmpd pre shared interoperability with Fortigate VPN
Does look like the line, but is the OpenBSD ipsec VPN new to you? If it is I suggest building one between two OpenBSD machines and testing to see how you can break/change things from the defaults in the man pages. Doing that really made a difference for me after completely flopping on the first try with an OpenBSD to whatever our co-location has VPN. I got it together after some lab work and everything just worked magically on my second go. Cheers.
Re: Intel ICH9R compatibility with OpenBSD
Hello Axton, thanks for your reply. I do not want use RAID, I just need S-ATA to connect HDD and install system on it. You will be fine. I have Dell gear here that includes the Intel Matrix RAID ICH, and it doesn't have an issue with OpenBSD. The controller checks for a RAID pair at startup and then should revert to normal AHCI when none is found. Those chips also have a setting in the BIOS as an additional failsafe that will disable the R features and force them into AHCI or even IDE-compatible for older operating systems.
Re: My OpenBSD 5.0 installation experience (long rant)
It really is amazing how much the install is genuinely loved on OpenBSD. I think there are other distributions out there where the installer is liked or even praised, but I would describe my feelings and what I see here as love. It is always a pleasure when I have the chance to show someone the install process for the first time or hear their accounts of success or failure. I started out with OpenBSD around 2.3 and the funny thing is that I am most impressed by how the installer disk setup is improved since those days. At least I don't have to start off the discussion about how c is the whole disk, etc.
Re: My OpenBSD 5.0 installation experience (long rant)
I am absolutely intrigued by this story despite my better judgement. You were able to cook your own full OpenBSD installer on a USB stick with GRUB instead of downloading an ISO or using PXE, but you failed disk setup in the installer? It really would be interesting to see if you can read just http://www.openbsd.org/faq/faq4.html , particularly 4.5.3 and then come back to us with anything other than a mea culpa. There are always going to be stumbling points in computing, but the question is do we learn from them or just reject them and act like they are not the great opportunities for growth that they are.
Re: Problem filtering CARP in PF
In the spirit of K.I.S.S. I use:

    pass quick proto carp

since that should match the protocol number on both v4 and v6 packets. Your block rule had inet so you were probably blocking IPv4 only. But because of the send errors (due to pf blocking) fw1 started to demote itself.
Re: CD/DVD CDROM support
I found USB is easy with a thumbdrive big enough to hold the files, or there is PXE which is probably easier if you can control the DHCP on the network. My manual process for the thumbdrive involved the following. Assume the thumb drive is empty, otherwise insert it into the system and run the commands below. Also make sure you know the dev name from the insert message (in this example it is sd0):

    # zero the drive out
    dd if=/dev/zero of=/dev/rsd0a bs=32k
    # write a fresh MBR: answer y to overwrite and save it
    fdisk -i /dev/rsd0c
    # edit the disklabel: "a" and take all the defaults, then "w" and finally "q", just like old times!
    disklabel -E /dev/rsd0c
    # create the FS
    newfs /dev/rsd0a
    # mount thumb and CD, then copy the CD to the thumb
    mount /dev/sd0a /mnt/thumb
    mount /dev/cd0a /mnt/cd
    cp -r /mnt/cd/* /mnt/thumb/
    cp /usr/mdec/boot /mnt/thumb/
    # BOOT VOODOO
    /usr/mdec/installboot /mnt/thumb/boot /usr/mdec/biosboot sd0

On Fri, Feb 24, 2012 at 6:12 PM, Duncan Patton a Campbell campb...@neotext.ca wrote:
I have run into a most peculiar phenomenon, that it appears that the CDrom driver support has dropped from the install CDs, apparently as of about version 5. This is not an old board, but admittedly ATAPI CDs are. I can boot all the images from 4.9release thru 5.1snap (today's) but only 4.9 shows any evidence of the CD after booting and in the rest CDROM is not an option for install media and there's no evidence of the device in the dmesgs, either.
the sysctls after booting each cd:

    kern.osrelease=4.9
    hw.machine=amd64
    hw.model=AMD Phenom(tm) II X4 840 Processor
    hw.product=M4A88TD-V EVO/USB3
    hw.disknames=cd0:,sd0:,wd0:e09436d04e1d70c4,rd0:2870906e5854e337,sd1:0e7d30fe615c49b0
    hw.ncpufound=4

    kern.osrelease=5.0
    hw.machine=amd64
    hw.model=AMD Phenom(tm) II X4 840 Processor
    hw.product=M4A88TD-V EVO/USB3
    hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:efa10dd049a97542
    hw.ncpufound=4

    kern.osrelease=5.0
    hw.machine=amd64
    hw.model=AMD Phenom(tm) II X4 840 Processor
    hw.product=M4A88TD-V EVO/USB3
    hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:10f77ef34d162647,sd1:0e7d30fe615c49b0
    hw.ncpufound=4

    kern.osrelease=5.1
    hw.machine=amd64
    hw.model=AMD Phenom(tm) II X4 840 Processor
    hw.product=M4A88TD-V EVO/USB3
    hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:7c8ac10ea613493f,sd1:0e7d30fe615c49b0
    hw.ncpufound=4

And, following, the dmesg output for these same install media. Any idea how this is so would help, thanks.

Dhu

    OpenBSD 4.9 (RAMDISK_CD) #858: Wed Mar 2 07:04:48 MST 2011
        dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
    real mem = 3488153600 (3326MB)
    avail mem = 3383611392 (3226MB)
    mainbus0 at root
    bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9f000 (66 entries)
    bios0: vendor American Megatrends Inc. version "1702" date 12/22/2010
    bios0: ASUSTeK Computer INC. M4A88TD-V EVO/USB3
    acpi0 at bios0: rev 2
    acpi0: sleep states S0 S1 S3 S4 S5
    acpi0: tables DSDT FACP APIC MCFG OEMB SRAT HPET SSDT
    acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
    cpu0 at mainbus0: apid 0 (boot processor)
    cpu0: AMD Phenom(tm) II X4 840 Processor, 3214.66 MHz
    cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
    cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
    cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
    cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
    cpu0: apic clock running at 200MHz
    cpu at mainbus0: not configured
    cpu at mainbus0: not configured
    cpu at mainbus0: not configured
    ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
    acpiprt0 at acpi0: bus 0 (PCI0)
    acpiprt1 at acpi0: bus 1 (P0P1)
    acpiprt2 at acpi0: bus -1 (PCE2)
    acpiprt3 at acpi0: bus -1 (PCE3)
    acpiprt4 at acpi0: bus -1 (PCE4)
    acpiprt5 at acpi0: bus 2 (PCE9)
    acpiprt6 at acpi0: bus 3 (PCEA)
    acpiprt7 at acpi0: bus 4 (P0PC)
    acpiprt8 at acpi0: bus 6 (PE21)
    pci0 at mainbus0 bus 0
    pchb0 at pci0 dev 0 function 0 "AMD RS780 Host" rev 0x00
    ppb0 at pci0 dev 1 function 0 vendor "Asustek", unknown product 0x9602 rev 0x00
    pci1 at ppb0 bus 1
    vga1 at pci1 dev 5 function 0 "ATI Radeon HD 4250" rev 0x00
    wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
    "ATI Radeon HD 4200 HD Audio" rev 0x00 at pci1 dev 5 function 1 not configured
    ppb1 at pci0 dev 9 function 0 "AMD RS780 PCIE" rev 0x00: apic 4 int 17 (irq 10)
    pci2 at ppb1 bus 2
    vendor "VIA", unknown product 0x3403 (class serial bus subclass Firewire, rev 0x00) at pci2 dev 0 function 0 not configured
    pciide0 at pci2 dev 0 function 1 vendor "VIA", unknown product 0x0415 rev 0xa0: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
    pciide0: using apic 4 int 17 (irq 10) for native-PCI interrupt
    atapiscsi0 at pciide0 channel 0 drive 0
    scsibus0 at atapiscsi0: 2 targets
    cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, RW/DVD GCC-H20N, 1.05> ATAPI 5/cdrom removable
    pciide0: channel 1 ignored
Re: IPSEC Site-to-Site not routing packages
I can confirm this. Spent way too much time in my VMWare lab on this until I thought to add a default route to the host-only interfaces I was running the tunnel on. All you need is default route and it will work. I have found that fleshed out config for networking on OpenBSD is a sure way to clear up some of the more strange things that can happen. On Thu, Feb 23, 2012 at 10:43 AM, Aner Perez a...@ncstech.com wrote: See the thread titled ipsec tunnel traffic getting icmp host unreachable on this same list. In short, the answer is that you need a standard route (in addition to the encap route) to the destination networks. Any route that covers your destination network will do. In my case, instead of adding routes for each of my ipsec tunnels, I just added a default route and that fixed the problem. It won't actually use the gateway listed on this route, for that it uses the encap route. - Aner On 02/22/2012 05:22 PM, Morten Christensen wrote: Dear fellow OpenBSD friends. I'm setting up 2 FW's that should form a VPN tunnel securing the net behind each FW - simple NET x - FW x - WAN - FW y - NET y I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled. 
On FW x

# cat /etc/ipsec.conf
ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk lotsofFishs4meAndyou

netstat -rn
Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 10.20/16 0 10.21.35/240 0 212.37.141.59/esp/use/in 10.21.35/240 10.20/16 0 0 212.37.141.59/esp/require/out

# ipsecctl -sa
FLOWS: flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require
SAD: esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

On FW y

# cat /etc/ipsec.conf
ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk lotsofFishs4meAndyou

netstat -rn
Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 10.21.35/240 10.20/16 0 0 212.37.141.60/esp/use/in 10.20/16 0 10.21.35/240 0 212.37.141.60/esp/require/out

# ipsecctl -sa
FLOWS: flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type use
flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type require
SAD: esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

Of course on both machines net.inet.ip.forwarding=1

Pinging from a host on NET x:
Request timeout for icmp_seq 1402
36 bytes from 10.21.35.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 736e 0 40 01 cfa4 10.21.35.100 10.20.0.10

The gateway clearly answers that it can't route the packet!? Pinging directly from FWx to FWy WORKS !!! ???

# ping -I 10.21.35.1 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms

Dump while ping
# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 10.20.0.1: icmp: echo request (encap)
13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 10.21.35.1: icmp: echo reply (encap)
13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 10.20.0.1: icmp: echo request (encap)
13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 10.21.35.1: icmp: echo reply (encap)

Routing is the problem? What is the cause? It looks like each FW doesn't permit routing packets from LAN hosts. Thanks for your help. Regards, Morten Bech Christensen
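The replies above boil down to one ordering rule: a forwarded packet first has to pass an ordinary routing-table lookup, and only then is it matched against the IPsec flows (the encap routes); the gateway of the ordinary route is never used for flow-matched traffic, the peer from the flow is. The following is an added example, not code from the thread or from OpenBSD, that models that decision in a few lines so the two outcomes (no covering route versus a default route) can be run side by side. The prefixes and peer are the ones Morten posted; the routing tables and the 212.37.141.1 default gateway are constructed for the illustration, and the model ignores pf, locally originated traffic and the `use`/`require` flow types.

```python
"""
Simplified model of the forwarding decision described in the thread:
route lookup first, IPsec flow (encap route) second.  Added example,
not OpenBSD code.
"""
import ipaddress

# Flow table for FW x, taken from the posted `ipsecctl -sa` output.
FLOWS_FW_X = [
    {"from": "10.21.35.0/24", "to": "10.20.0.0/16", "peer": "212.37.141.59"},
]

# Constructed routing tables (only the connected networks, then with a
# default route added).  The WAN prefix and the 212.37.141.1 gateway are
# assumptions for the example, not values from the post.
ROUTES_NO_DEFAULT = [
    ("10.21.35.0/24", "link#1"),
    ("212.37.141.0/24", "link#2"),
]
ROUTES_WITH_DEFAULT = ROUTES_NO_DEFAULT + [("0.0.0.0/0", "212.37.141.1")]


def lookup_route(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def match_flow(flows, src, dst):
    """Return the first IPsec flow whose source/destination networks cover the packet."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for flow in flows:
        if src in ipaddress.ip_network(flow["from"]) and dst in ipaddress.ip_network(flow["to"]):
            return flow
    return None


def forward(routes, flows, src, dst):
    """What the gateway does with a packet from src to dst under this model."""
    route = lookup_route(routes, dst)
    if route is None:
        # No route at all: the packet is rejected before the flows are consulted.
        # This is the "Destination Host Unreachable" seen from the LAN host.
        return "icmp host unreachable"
    flow = match_flow(flows, src, dst)
    if flow is not None:
        # The flow decides where the traffic goes; the route's gateway is not used.
        return f"esp to {flow['peer']}"
    return f"forward via {route[1]}"


if __name__ == "__main__":
    for table, name in ((ROUTES_NO_DEFAULT, "no default"), (ROUTES_WITH_DEFAULT, "default route")):
        print(name, "->", forward(table, FLOWS_FW_X, "10.21.35.100", "10.20.0.10"))
```

Any route covering 10.20.0.0/16 would do instead of the default route, as Aner says; what matters is that some entry exists so the lookup succeeds before the flow is applied.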
Re: network throughput tool suggestion
On Tue, Feb 14, 2012 at 3:13 PM, Christiano F. Haesbaert haesba...@haesbaert.org wrote: On 14 February 2012 17:59, Mihai Popescu mihp...@gmail.com wrote: Hi, I need to test a commercial router for throughput and I decided to put it between 2 OpenBSD systems running network benchmark software. Looking on openports.se I found iperf, netperf and ttcp. Could you suggest one from them, based on your experience, please? Thanks. We have tcpbench in base, that's what most devs use.

I have used iperf on OpenBSD 4.9 to get some quick basic numbers and experiment with jumbo frames. My test also involved a Windows system, so the cross-platform part was nice. Haven't used tcpbench before, but it is built in to recent OpenBSD systems and looks pretty nice according to the man page.
Re: problem running named in non 0 rdomain
On Sun, Jan 1, 2012 at 5:40 PM, Stuart Henderson s...@spacehopper.org wrote: I'm pretty sure the child will be inheriting the rdomain from the process which forked it. I can offer the anecdote that when I ran sshd using the route -exec wrapper my child session would exist in whatever rdomain was hosting the daemon. Ended up backing away from this approach and sticking with pf rules, so I didn't have sshd parent processes littering my machine. I'll assume you don't want to use pf to land queries on the daemon, so the next question is did you try creating a loopback address in the non-zero rdomain to get the control port you need?
Re: [PF] bug in port range.
For those of us playing the CS home game: is this an example of left-to-right evaluation? My thought on this was that the value 81 isn't greater than 82 and isn't less than 80, so the rule doesn't match.
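The reply's reasoning ("81 isn't greater than 82 and isn't less than 80") is exactly what pf's except-range operator `<>` gives: it is a single two-sided test, not a left-to-right chain of comparisons. The rule from the original report is not quoted here, so the following is an added example, not the poster's rule or pf code: the port operators documented in pf.conf(5) (`=`, `!=`, `<`, `<=`, `>`, `>=`, `:` inclusive range, `><` exclusive range, `<>` except range) implemented in Python so the 80/81/82 case can be checked against each of them. The sample rule strings are constructed.

```python
"""
pf.conf(5) port operators, modelled in Python.  Added example, not pf code.
"""


def port_matches(port, op, a, b=None):
    """Evaluate the pf port expression `port <op> a [b]` for one port number."""
    if op == "=":
        return port == a
    if op == "!=":
        return port != a
    if op == "<":
        return port < a
    if op == "<=":
        return port <= a
    if op == ">":
        return port > a
    if op == ">=":
        return port >= a
    if op == ":":            # range including the boundaries
        return a <= port <= b
    if op == "><":           # range excluding the boundaries
        return a < port < b
    if op == "<>":           # except range: below a or above b, never in between
        return port < a or port > b
    raise ValueError(f"unknown pf port operator {op!r}")


def parse_port_expr(expr):
    """
    Parse the port part of a pf rule into (op, a, b).
    Accepts '80', '80:82', '> 1023', '80 >< 82' and '80 <> 82'.
    """
    tokens = expr.split()
    if len(tokens) == 1:
        if ":" in tokens[0]:
            a, b = tokens[0].split(":")
            return (":", int(a), int(b))
        return ("=", int(tokens[0]), None)
    if len(tokens) == 2:     # unary operator followed by a port, e.g. '> 1023'
        return (tokens[0], int(tokens[1]), None)
    if len(tokens) == 3:     # binary operator between two ports, e.g. '80 <> 82'
        return (tokens[1], int(tokens[0]), int(tokens[2]))
    raise ValueError(f"cannot parse port expression {expr!r}")


def rule_matches_port(expr, port):
    """True if a rule written with the given port expression matches `port`."""
    op, a, b = parse_port_expr(expr)
    return port_matches(port, op, a, b)


def matching_ports(expr, ports):
    """Constructed helper: which of `ports` the expression matches."""
    return [p for p in ports if rule_matches_port(expr, p)]


if __name__ == "__main__":
    for expr in ("80 <> 82", "80 >< 82", "80:82"):
        print(f"port {expr:8} matches {matching_ports(expr, range(78, 85))}")
```

With `80 <> 82` port 81 is the one value in the neighbourhood that does not match; with `80 >< 82` it is the only one that does, and `80:82` matches all three.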
Re: strange tcp rst with rdomain
I have found that I need to add something like:

!route -T 2 exec /usr/sbin/sshd

to the pertinent hostname.if file to make sure sshd is listening in additional routing tables, but I do not know if this is best.

On Mon, Dec 19, 2011 at 1:02 PM, Ilya Shipitsin chipits...@gmail.com wrote:

Hello. I'm running multihomed OpenBSD server: vlan5/carp5 - default; vlan2/carp2 and vlan4/carp4 are connected to other ISPs. When there's no rdomain thing, everything seems to be working, except all outgoing packets go through vlan5/carp5. So, I did

f2n0:/root#cat /etc/hostname.vlan2
vlan 2 vlandev trunk0 mtu 1300 up
f2n0:/root#cat /etc/hostname.carp2
vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
!/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
f2n0:/root#cat /etc/hostname.vlan4
vlan 4 vlandev trunk0 mtu 1300 up
f2n0:/root#cat /etc/hostname.carp4
vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
!/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
f2n0:/root#

Also, I did

f2n0:/root#grep -v ^# /etc/pf.conf
set skip on lo
pass in vlan2 rtable 2
pass in vlan4 rtable 4
pass

ping is working good, packets go out via the appropriate interface. However, ssh ends with tcp rst, for example. How can the reason for that tcp rst be detected? Am I doing anything wrong with rdomains? Ilya Shipitsin
Re: OT: some news here
Wonderful news Eric! Good to know opportunities like these exist. Happy Holidays and good luck with the program.
Re: using ssh to forward the install console
On Wed, Dec 7, 2011 at 2:47 PM, Eric Oyen eric.o...@gmail.com wrote: hello group. I have an interesting (and fairly technical) question. the question is: how can I forward the install screen via ssh to another machine on my network? I ask this because I didn't see any specific instructions that applied. my issue right now is that I need a sighted assistant to read me the screen and help with installing the base system (and setting up ssh). I would like to run the install like from a serial port output (like the old SPARC pizza boxes) but none of my current machines have a serial port to do this on. comments? suggestions? -eric

Any possibility of using USB serial adapters on these systems? You may need to blind-type to the boot loader in order to get it up on the serial redirection with an attached keyboard, but as I recall that isn't a big issue for Eric. ;) Then you would just need a crossover to the other DTE port on a host running cu and ssh to handle the install. We would do a similar thing with our v210's except they had built-in serial.
Re: correct netmask on carp interfaces
On Thu, Nov 24, 2011 at 2:40 PM, Henning Brauer lists-open...@bsws.de wrote: if your carpdev has an IP and the IP(s) on the carp interface are in the same subnet, is it best to have the real netmask on the carpdev and all-ones netmasks on the carp interface, for the case where you're carp slave. and the rule of thumb remains, one IP per subnet per rdomain in the system with the real netmask, all others all-ones - aka /32 for the one and only real protocol. Example: em5 - no IP carp5 - 10.0.0.0/30 mask on carpdev em5 right. em4 - 9.0.0.0/32 for mgmt carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4 carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4 here it is better to have the /28 on em4 and /32 on the carp ifs. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

This was very helpful information and I have implemented it, but I am still wondering about a related issue with routing. My default route on the pair of firewalls is set to an IP on the carp5 IP network, so I don't have a useable default route to the Internet on the backup until it fails over. I think that Kapetanakis was referencing that same issue when he responded to me which led to me discovering it on my production setup. Is there anything I can do about this given the /30 on the em5/carp5 network? In the "Firewall Redundancy with Carp and pfsync" section of the PF User's Guide FAQ at http://www.openbsd.org/faq/pf/carp.html there is an example where the WAN/Internet connection has IP addresses assigned on the physical and CARP interfaces. The all-ones mask rule isn't set out there, since the ifconfig commands for the underlying physical interfaces aren't included in the examples. In fact, the rule is violated by the included ifconfig commands for the carp IP addresses by including a permissive mask. 
I am pretty sure this is where my misunderstanding started, since I followed this FAQ to get started on my redundant firewall setup. It may be good to revise this and possibly even add discussion about the default route in the case where you have a /30 from your ISP to deal with. For now I can live with the lack of Internet access on the slave and having to SSH to the master and then hop over to the slave using the /28 for remote management. I did get Internet-sourced SSH access to the backup working with a nat-to on the master, but it was ugly and only worked when I set the translated source to the carp4 IP instead of the master's em4 IP. Ended up rolling it back since the indirect method works well enough. Any possible resolution to the default route issue would be greatly appreciated.
Snmpd and socket file creation
It appears to me that the OpenBSD SNMP daemon, /usr/sbin/snmpd, should create its own socket file, /var/run/snmpd.sock, upon startup. There seems to be an error which occurs at startup:

# /usr/sbin/snmpd -d
startup
fatal: snmpe: failed to bind SNMP UDP socket
check_child: lost child: snmp engine exited
terminating

I am running OpenBSD 5.0 on a VMware image. I've run snmpd previously on OpenBSD 4.7 without problems. Russell -- Russell Sutherand I+TS e: russell.sutherl...@utoronto.ca t: +1.416.978.0470 f: +1.416.978.6620 m: +1.416.803.0080
Audacity/Sound recording on a Mac Mini
I have a G4 Mac Mini (PowerMac 10,1) and have successfully installed OpenBSD 5.0 on it. I have also successfully built audacity from the ports tree. My thought was to create a small footprint audio recording system for a small charitable organization using OpenBSD. I've had two small problems: A. When sound is played, e.g. when KDE starts up, there is a loud hissing sound which comes from the internal speaker(s). B. I am not really able to see any sound input coming from either the native Mac Mini audio input/output jack (aoa) nor from a USB (iMic) microphone (uaudio). Audacity seems to only show one source of audio input: sndio. Any help will be greatly appreciated. I do not want to have to go back to an unsupported version of Mac OS X, nor a Linux/Debian option. Has anyone used OpenBSD to do sound recording on a Mac Mini or other Apple PowerPC devices? Russell -- Russell Sutherand I+TS e: russell.sutherl...@utoronto.ca t: +1.416.978.0470 f: +1.416.978.6620 m: +1.416.803.0080
Re: correct netmask on carp interfaces
I had some experience with this and found another thread where the best thing to do for your routing is to have only one /(32-n) mask and then all /32 for any given subnet and rdomain combination on a system. I have set up my system accordingly and my advice is to set your carp primary IP to the proper network mask (especially if it is using the carp IP to provide a gateway to the connected network) and then any other IP/interfaces to /32 per subnet. Example: em5 - no IP carp5 - 10.0.0.0/30 mask on carpdev em5 em4 - 9.0.0.0/32 for mgmt carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4 carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4 Before this I had the same mask on em4 and carp4 primary IP. It worked, but I noticed the ARP had "tell:" set to the em4 MAC/IP and that the route for that network was homed to em4 in the table. After the change ARP has "tell:" set to the carp MAC/IP and the network is on the carp4 if, which seemed more consistent to me. Can't tell you for sure if that is better for you, but it is worth a shot. I can also advise that ifconfig at runtime can have different effects than editing hostname.if and using netstart. One example I can think of is all the self-routing stuff that happens with netstart. I also find it good to get a reboot in at some point just to double-check that the hostname.if files and netstart do what you want on a system that hasn't had any previous networking setup. Good luck, happy hacking.

2011/11/21 Kapetanakis Giannis bil...@edu.physics.uoc.gr: Hi, I'm a bit confused on setting the appropriate netmask on a carp interface when the carpdev has an IP address. 
Till yesterday (following http://openbsd.org/faq/pf/carp.html#failover) my carp interfaces had the same netmask as the carpdev interfaces:

em1: (no inet address)
vlanXX: vlan: 102 priority: 0 parent interface: em1 inet xxx.xxx.xxx.18 netmask 0xfff8 broadcast xxx.xxx.xxx.23
carp0: carp: MASTER carpdev vlanXX inet xxx.xxx.xxx.20 netmask 0xfff8 broadcast xxx.xxx.xxx.23

I've read this from Henning http://marc.info/?l=openbsd-miscm=123464537104366w=2 so I tried to switch to /32 netmask on the carp interfaces

# ifconfig carp0 xxx.xxx.xxx.20/32

But now I get

Nov 21 11:45:09 fw /bsd: carp0: state transition: BACKUP - MASTER
Nov 21 11:45:09 fw /bsd: arp_rtrequest: bad gateway value
Nov 21 11:45:10 fw /bsd: carp1: state transition: BACKUP - MASTER
Nov 21 11:45:10 fw /bsd: arp_rtrequest: bad gateway value

every time the state changes on each firewall. Apart from this I don't see any other problem. Is this normal behavior? Should I change back to the /29 netmask? regards, Giannis
Multi Link PPP support in Kernel
Is it possible to enable multilink PPP using the kernel based: pppoe(4) ? Or does one have to resort to the userland pppoe/ppp(8) ? -- Russell Sutherand I+TS e: russell.sutherl...@utoronto.ca t: +1.416.978.0470 f: +1.416.978.6620 m: +1.416.803.0080
hostname.if routing question
I am having trouble figuring out how I should configure a physical interface and a carp virtual interface where the carp IP will serve as a default route for hosts on the network and also hold some aliases for server re-directs. From what I have seen the routes built at startup home the route for the network on the interface that is configured with the actual network mask, so:

/etc/hostname.em0
inet A.B.C.14 255.255.255.240 A.B.C.15 rdomain 2

/etc/hostname.carp0
vhid 9 pass rdomain 2
inet A.B.C.1 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.3 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.4 255.255.255.255 A.B.C.15 rdomain 2

will put the A.B.C.0/28 entry in table 2 to:

A.B.C.0/28 link#1 UC 0 0 - 4 em0

Changing the masks so carp0 has the open mask on its first IP and em0 is all 1s yields:

A.B.C.0/28 link#9 UC 0 0 - 4 carp0

Is it better for that to be on carp0 instead of em0, given that carp0 will be the router for that network?
problem connecting to verizon.net
I discovered an odd issue once I upgraded my OpenBSD pf firewall/router that manifested itself by preventing my email server from sending to verizon.net customers. The strange thing was that mail was going out to other domains. I figured out that I did something odd in my ruleset and fixed it, so now I am wondering what is going on. I am only aware of one other individual with these symptoms, but he was using a bridge with pf and our fixes are at least semantically different. I have reduced everything to basic working parts and tested a few times to narrow down what is happening. In summary, I found that I can create two pass-only rules to nat outgoing traffic using carp and rdomains, but the traffic to verizon.net doesn't work unless I use a combination of two pass rules and a match rule. The basic setup where you can see this behavior follows (public IPs changed to protect the innocent): # ifconfig em0 em0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:90:0b:1f:72:e4 priority: 0 groups: egress media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause) status: active inet 10.0.0.1 netmask 0xfffc broadcast 10.0.0.3 # ifconfig em1 em1: flags=28b43UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6 rdomain 1 mtu 1500 lladdr 00:90:0b:1f:72:e5 priority: 0 media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause) status: active inet 9.9.9.170 netmask 0xfff0 broadcast 9.9.9.175 # ifconfig carp1 carp1: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 rdomain 1 mtu 1500 lladdr 00:00:5e:00:01:09 priority: 0 carp: MASTER carpdev em1 vhid 9 advbase 1 advskew 0 groups: carp status: master inet 9.9.9.167 netmask 0xfff0 broadcast 9.9.9.175 inet 9.9.9.168 netmask 0x broadcast 9.9.9.168 # route -T 0 -n show -inet Routing tables Internet: DestinationGatewayFlags Refs Use Mtu Prio Iface default10.0.0.1 UGS09 - 8 em0 10.0.0.0/30link#1 UC 20 - 4 em0 10.0.0.1 00:90:0b:1f:72:e4 HLc10 - 4 lo0 10.0.0.2 00:14:22:2e:ba:8c 
UHLc 0 10 - 4 em0 9.9.9.168 127.0.0.1 UGHS 00 33200 8 lo0 127/8 127.0.0.1 UGRS 00 33200 8 lo0 127.0.0.1 127.0.0.1 UH 20 33200 4 lo0 224/4 127.0.0.1 URS00 33200 8 lo0 # route -T 1 -n show -inet Routing tables Internet: DestinationGatewayFlags Refs Use Mtu Prio Iface default9.9.9.161 UGS0 14 - 8 em1 9.9.9.160/28 link#2 UC 10 - 4 em1 9.9.9.161 00:1b:54:b7:81:a8 UHLc 10 - 4 em1 9.9.9.168/32 9.9.9.168 U 0 10 - 4 carp1 # cat /etc/hostname.em0 inet 10.0.0.1 255.255.255.252 NONE # cat /etc/hostname.em1 inet 9.9.9.170 255.255.255.240 9.9.9.175 rdomain 1 !route -T 1 add default 9.9.9.161 # cat /etc/hostname.carp1 inet 9.9.9.167 255.255.255.240 9.9.9.175 vhid 9\ pass password rdomain 1 inet alias 9.9.9.168 255.255.255.255 # cat /etc/mygate 10.0.0.1 # cat /etc/pf.conf set skip on lo block # LAN to Internet with three rules and rdomain # (fixes the verizon issue) #match out on em1 inet from 10.0.0.2\ to any nat-to 9.9.9.170 #pass out on em1 inet from 9.9.9.170\ to any #pass in on em0 from 10.0.0.2\ to any rtable 1 # example LAN to Internet with two rules and rdomain # (doesn't work) # Seeing TTL expired in transit #pass in on em0 inet from 10.0.0.2\ to any nat-to 9.9.9.170 rtable 1 #pass out on em1 inet from 9.9.9.170 to any # Internet access over rdomain and carp # (creates the verizon issue) pass in quick on em0 inet from 10.0.0.2\ to any nat-to 9.9.9.168 rtable 1 pass out quick on em1 inet from 9.9.9.168\ to any --- From 10.0.0.2 I run the following commands: (first a non-verizon smtp server) telnet 207.155.253.210 25 (works, but a little slower to display the banner under the pass-only rules) (now one of the relay.verizon.net smtp servers) telnet 206.46.232.11 25 (fails to connect unless I use the match/pass rule combo) In the rules above I also found that the two-rule setup doesn't work in any case with the public if physical IP in the rdomain. 
I have looked at these over tcpdump and I can see the traffic going out with the proper NAT to either server, but the returning SYN/ACKs in the handshake from verizon arrive and do not forward to the internal host. One thing I have noticed is that the verizon ttl is higher than the other server,
Multiple Ethernet over IP tunnels.
I am trying to create multiple L2 over L3 tunnels using OpenBSD. The man page for gif(4), the generic tunnel interface, gives excellent instructions for creating _one_ bridge over a wide area network to join two remote LANs. I have tried to extend this idea by bridging two other LANs over the same gif0 tunnel. No such luck. Here's a representative stick diagram: routerA routerB LAN1 fxp1 fxp1 LAN1 \ / LAN2 fxp2--OpenBSD 1.2.3.4 --- WAN --- 4.3.2.1 OpenBSD fxp2 LAN2 /fxp0fxp0 \ LAN3 fxp3 fxp3 LAN3

The first tunnel works as documented:

routerA:
#cat /etc/hostname.bridge1
up add fxp1 add gif0
#cat /etc/hostname.gif0
tunnel 1.2.3.4 4.3.2.1

routerB:
#cat /etc/hostname.bridge1
up add fxp1 add gif0
#cat /etc/hostname.gif0
tunnel 4.3.2.1 1.2.3.4

However if one tries to bridge the other LANs as follows:

#cat /etc/hostname.bridge2
up add fxp2 add gif0

This fails. Does one need to create alias addresses on fxp0 and create gif1? e.g. Tunnel 1.2.3.5 - 4.3.2.2 Or is there an easier way to do this? -- Russell Sutherand e: russell.sutherl...@utoronto.ca t: +1.416.978.0470 f: +1.416.978.6620 m: +1.416.803.0080
faq 14.15
Just a thank you for the awesome documentation. Was upgrading my home file server, doing my normal half-assed job. Decided to install 4.9 while I was at it and during the disklabel I thought "my new disk was bigger?", oh shit... You do keep a backup disklabel, right? Well... err... *cough* I do now. And then the angels sang out, a beam of light came down and when the glare settled there was faq 14.15: /var/backup! Score! I have a copy of that somewhere. Bonus: scan_ffs(8), my new favorite man page.
Re: ALIX/current as an Access Point
On 02/27/2011 10:25 AM, Joe Snikeris wrote: On Sun, Feb 27, 2011 at 11:07 AM, Nerius Landysnlan...@gmail.com wrote: snip In general people say that Atheros chips are the best supported (use the ath driver). Slightly off topic: Is anyone using a card with an AR5213 chip? I've got a Cisco AIR-PI21AG-A-K9 that I'd love to use to replace my crappy router, but my machine freezes while booting when it's plugged in. ath(4) mentions a bunch of AR5212 cards, but no AR5213 cards.

This is my build. Currently using it as a nat/firewall box. Was intending to use it as an AP as well, but, sigh, obsd does not like my radios, and I have not been motivated enough to get off my ass and do something about it.

OpenBSD 4.8 (GENERIC) #136: Mon Aug 16 09:06:23 MDT 2010 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 432 MHz cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX real mem = 133791744 (127MB) avail mem = 121712640 (116MB) snip vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address 00:0d:b9:12:e0:90 ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 vr1 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 12, address 00:0d:b9:12:e0:91 ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 ath0 at pci0 dev 12 function 0 Atheros AR2413 rev 0x01: irq 9 ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:80:48:7e:13:be ath1 at pci0 dev 14 function 0 Atheros AR2413 rev 0x01: irq 11 ath1: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:80:48:7e:14:36 snip

So I am still using an old K6-2 400MHz PC with a ral(4) radio on 4.4 that I keep meaning to update. 
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 451 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX real mem = 267939840 (255MB) avail mem = 250646528 (239MB) snip rl0 at pci0 dev 10 function 0 Realtek 8139 rev 0x10: irq 10, address 00:e0:7d:c2:0f:87 rlphy0 at rl0 phy 0: RTL internal PHY em0 at pci0 dev 11 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 5, address 00:0e:0c:72:80:8a eso0 at pci0 dev 12 function 0 ESS SOLO-1 AudioDrive rev 0x01: ES1946, irq 11 eso0: mapping Audio 1 DMA using VC I/O space at 0x90c0 audio0 at eso0 opl0 at eso0: model OPL3 midi0 at opl0: ESO Yamaha OPL3 mpu at eso0 not configured isa0 at pcib0 isadma0 at isa0 com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi1 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 usb0 at ohci0: USB revision 1.0 uhub0 at usb0 SiS OHCI root hub rev 1.00/1.00 addr 1 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20 pcmcia0 at cardslot0 biomask f355 netmask f775 ttymask f7ff mtrr: K6-family MTRR support (2 registers) softraid0 at root root on wd0a swap on wd0b dump on wd0b WARNING: / was not properly unmounted ral0 at cardbus0 dev 0 function 0 Ralink RT2560 rev 0x01: irq 12, address 00:0e:3b:08:45:41 ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

Works great. I have not tried many radios, but... all my ral based radios have worked (ral, rum), none of my ath based radios have been supported, and my zyd radio delivered corrupted packets.
Re: Wifi host AP thoughts
On 01/01/2011 10:43 PM, Greg Steuck wrote: I was thinking of building a new wifi AP. The following is a stream of thoughts on the subject. Any constructive suggestions are welcome. Requirements: * Compatibility with Androids, Kindles, x86 Linux, OpenBSD wifi clients * Strong in-doors signal * Maximum control Nice to have: * Combine the AP with the wired Ethernet OpenBSD router. * Low power noise. Complications: * A few wireless networks in nearby houses * OpenBSD AP capable devices have a CAVEAT: Host AP mode doesn't support power saving. Clients attempting to use power saving mode may experience significant packet loss (disabling power saving on the client will fix this). Possible design: * OpenBSD host with 2 or more wired Ethernets * USB wifi device (free to switch host hardware) * External Hi-Gain antenna Detailed implementation: * small i386 or armish machine for the host (Soekris?) * Hawking HWUG1 (rum(4)) ( http://goo.gl/ccd6Q ) rum(4) did not like hostap mode the few times I tried. via the man page I think this is a problem with all usb radios so I tend to stick with pci/pcmcia cards ral(4) for my APs, however I have not had any other problems with rum. And fwiw I have had the worst luck picking out ath radios. * Hawking HAI7SIP Antenna ( http://goo.gl/Axg7j ) Does anybody know if the CAVEAT above present a problem in real life for the clients I listed? Thanks Greg -- nest.cx is Gmail hosted, use PGP for anything private. Key: http://tinyurl.com/ho8qg Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0
Re: OpenBSD Access Point? (Summary)
On 12/13/2010 04:29 AM, Lists Account wrote: Hi All, Summarising, for future reference... I received some six responses. Overall the feedback was a little disappointing. Three responses suggested that it would be easier/less time consuming/more stable to simply connect a consumer access point device via Ethernet. Of course, I wouldn't learn as much by doing this :-(. The background to this seems to be mostly issues with the configuration and stability of drivers e.g. ath and ral. At least a couple of the respondents are successfully using ALIX boards, including the desired 2D13. None of the responses related to the specific wireless devices that I asked about. Some of those mentioned as having been used included the AR5212 and AR5413 (with ath) and the RT2561C (ral). A couple of responses indicated that OpenBSD doesn't support 802.11n. I got my initial information from the athn manual page. It begins: ... NAME athn - Atheros IEEE 802.11a/g/n wireless network device ... The athn driver provides support for a wide variety of Atheros 802.11n devices ... Which I incorrectly took to mean that n networking was supported... However, further down in the same man page, under caveats, it states: ... The athn driver does not support any of the 802.11n capabilities offered by the adapters. Additional work is required in ieee80211(9) before those features can be supported. ... That should teach me (yet again) to read the whole man page :-) Cato Auestad provided a very helpful link to a description of his working (ral based) OpenBSD configuration: http://bleakgadfly.com/notes/openbsd_wifi.html There he mentions that support from the hostap daemon - hostapd(8) - is also necessary for such a configuration. Something else that I hadn't realised. So, based on the feedback, it looks like while this might be a fun project, it could be hard to create a stable production access point. Thanks for all the info. I use ral(4) in b/g mode, works great for my usage. ~4 users. 
The card does flake out every once in a while; "ifconfig ral0 down; ifconfig ral0 up" works. hostapd is for more than one AP that share an ssid: it keeps all the APs synced up, so overkill on mine. Still 4.4 as I have ejabberd running on that box and mnesia databases are a pain and a half to transfer/convert. Overall, very happy running obsd as an AP. dmesg snip...

OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 451 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX real mem = 267939840 (255MB) avail mem = 250646528 (239MB) snip... ral0 at cardbus0 dev 0 function 0 Ralink RT2560 rev 0x01: irq 12, address 00:0e:3b:08:45:41 ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

hostname.ral0
inet 192.168.32.1 0xff00 NONE mode 11g chan 8 nwid bervix_castor mediaopt hostap

sysctl net.inet.ip.forwarding=1

was all that was needed to get it going. Running open as I am always thankful when I find an open AP, so just returning the favor. Plus a few pf rules to keep guests out of the wired network. authpf does a good job modifying that to allow real users.
stumped on a linker problem.
Trying to compile Hercules (a s/390 emulator) on 4.8/sparc64 and hit this error. .libs/herculesS.o(.rodata+0x2d0): undefined reference to `aliases2_lookup' that particular function is in libiconv. I managed to get ld to produce verbose output and saw attempt to open /usr/local/lib/libiconv.so.6.0 succeeded -liconv (/usr/local/lib/libiconv.so.6.0) hell I even checked libiconv with nm so what else should I look for? here is the full gcc command. gcc -W -Wall -O3 -o hercules .libs/herculesS.o bootstrap.o hdlmain.o -pthread -pthread -Wl,-E -L/usr/local/lib ./.libs/dyngui.a ./.libs/dyninst.a ./.libs/hdteq.a ./.libs/hdt1403.a ./.libs/hdt3420.a ./.libs/hdt2703.a ./.libs/hdt3705.a ./.libs/hdt3088.a ./.libs/hdt3270.a ./.libs/hdt3505.a ./.libs/hdt3525.a ./.libs/hdtqeth.a ./.libs/hdt1052c.a /usr/people/russell/hercules-3.07/.libs/libherc.a ./.libs/libherc.a /usr/people/russell/hercules-3.07/.libs/libherct.a /usr/people/russell/hercules-3.07/.libs/libhercd.a /usr/people/russell/hercules-3.07/.libs/libhercu.a /usr/people/russell/hercules-3.07/.libs/libhercs.a /usr/people/russell/hercules-3.07/decNumber/.libs/libdecNumber.a ./.libs/libhercs.a -liconv -lpthread -lz -lm -Wl,-rpath,/usr/local/lib -Wl,-rpath,/usr/local/lib
Re: diskmap(4) interface and live USB fstab file
On 11/05/2010 04:27 PM, Jacob Meuser wrote: fwiw, in -current, USB attach order should be quite predictable. there are no longer multiple threads attaching USB devices. attachment is now done in a single thread, and it is done in the same order every time. of course, if you change which USB ports the devices are connected to between boots, or disconnect/reconnect while booted then the order might change.

The stable attach order is very appreciated here, let me tell you. I recently had a linux install that was driving me insane. The damn thing could not keep its network interfaces straight across boots. Worst was that they were not even similar interfaces, what on bsd would be vr(4) and em(4). (saving that rant for another day)
Re: password-less console-only access and ssh remote access?
On 10/22/2010 09:43 AM, Joachim Schipper wrote: On Thu, Oct 21, 2010 at 07:46:50PM +0200, Bret S. Lambert wrote: On Thu, Oct 21, 2010 at 05:38:54PM +, Jay K wrote: My ideal setup would be: 1) no passwords (* in /etc/passwd or via vipw) 2) only ssh for remote access i.e. no password-based security, only something better 3) except console, where anyone should be able to login without any password (granted, I only have two users, root and jay) You can get almost the same thing by setting PasswordAuthentication to no in your sshd_config file, and hand out (...) simple passwords (...) Well, except when someone runs login(1) from an SSH'ed shell... I'm pretty sure you can just add a line along the lines of ttyC0 //bin/ksh vt220 on to /etc/ttys, if you insist. Joachim

Don't I wish, as I have a box I would like to do this on (main function in life is a 3270 emulator). But getty sets a few environment variables that ksh wants; best I could figure out was to make a getty-like stub that would set the env and execve ksh. One of the many things on my to-do-when-I-have-time list I will never get around to.
Re: sys/tcp.h does not compile with _POSIX_SOURCE
On 10/21/2010 09:52 AM, hyjial wrote:

Hi list! There is a u_int on line 50 of sys/tcp.h. u_int is defined only if __BSD_VISIBLE is, which it is not if _POSIX_SOURCE is defined. Is this intended? Hit into this when trying to build a program which uses libsoup. Thanks, hyjial

I was hit with this once (surf, before it was ported). I just patched out the POSIX_SOURCE define in the code I was trying to compile. However, I too am curious about the politics of that particular ifdef.
Re: Router components
Stuart Henderson wrote:

On 2010-10-04, David Higgs hig...@gmail.com wrote:

I am building a replacement router/firewall for home use and am soliciting suggestions/commentary/alternatives on the components below.

What sort of internet connection and what will be running over it? Will you be doing crypto on the firewall (ipsec/some other vpn)?

I was planning to use an SSD in the 32 GB size range, but the archives indicate we don't have TRIM support yet. Though this obviously isn't a showstopper to usage, am I better off getting an older-generation SSD that doesn't require TRIM, or perhaps hold off on SSDs until the tech is more mature?

Newer SSDs don't *require* TRIM, it is optional. I think it's probably a better idea to get the newer generation. Though a 2-4GB CF might be quite good enough too. For what a lot of people need for a router/firewall a 2-4GB CF card in an IDE adapter would be fine too (smaller works too if you can still find them, but it's easier to have this much space).

Finally, I want this box to act as wireless AP, and hope to have out-of-the-box 802.11n support (when eventually available). I've read that run(4) is a solid chipset in this regard; any other suggestions?

run(4) does not support host AP. athn(4) is likely the best choice, I haven't used it with OpenBSD but it looks like this is the most actively developed wireless driver at the moment. I have used it with commercial APs running their embedded linux-based OS and the hardware itself works very well indeed. As I think you're aware we don't support 802.11n capabilities yet, also note we don't support clients that use power-saving mode (this is an absolute show-stopper for some users; some client hardware has no way to disable this).

I tend to swear by ral(4), mainly due to the unscientific but proven mechanism: all my ral cards have worked, and all my ath cards end up having an unsupported chipset. And there was something freaky about that zyd; almost working is worse than not working at all. Given half a chance, stay away from USB radios. But ral has always been there for me. Best of luck. I know I enjoy my K6-2 (450) based firewall/NAT device infinitely more than the Netgear piece of crap it replaced.
Re: Remotely connect to gnome
Jean-Francois wrote:

Hi All, I've set up an OpenBSD server running gnome and administered locally or remotely for home use. I've understood that unixes are made to work as workstations and that gnome and kde could handle that. Could you please help me to get on the way to make remote connections possible to gnome for session login and desktop use? Thanks for help, Regards J-F

I usually just use ssh -Y when I need an X application. ssh -X should work but I always run into xauth issues. It will not give you a desktop environment, but that is why you use the command line, right? The one-dimensional desktop.
Re: CGI : Shell Script
Mayuresh Kathe wrote:

Has anyone experimented with using a set of shell scripts as CGI under the stock Apache delivered with OpenBSD?

I did. I wanted to learn more involved shell programming, and perhaps a little about some of the old Unix languages, so I built this mini wikipedia-ish thing out of ksh, sed, awk, rcs and m4 (a collaborative, revision-controlled CMS). It is a complete mess; I don't think I would be able to sleep at night if it were out in the wild. But it actually works quite well, humming along on the old P133 I keep it on.

Regarding the collective horror at using shell scripts as CGI: why? Now mine is not safe, but mainly I think that's because of the m4 thrown in there. If you watch your inputs it should be fine. And ksh is a static executable; I would think it would run fine in a chroot. I would hate, however, to do a lot of string processing using only ksh. The main reason for m4 being in there was template processing. If there is any scientific curiosity just ask and I can send a copy. But it ru
ipsec.conf syntax
I am trying to set up an ipsec bridge using the template and instructions found in the brconfig man page (OpenBSD 4.6):

Create Security Associations (SAs) between the external IP address of each bridge and matching ingress flows by using the following ipsec.conf(5) file on bridge1:

esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
    authkey file auth1:auth2 enckey file enc1:enc2
flow esp proto etherip from 1.2.3.4 to 4.3.2.1

I was curious as to the exact meaning of the colon, specifically the auth1:auth2 and enc1:enc2 arguments. Do they mean references to the 4 keys, two on each of the machines? E.g.

esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
    authkey file /etc/keys/auth1:/etc/keys/auth2 enckey file /etc/keys/enc1:/etc/keys/enc2
flow esp proto etherip from 1.2.3.4 to 4.3.2.1

---
Russell P. Sutherland
Email: russ @ madhaus.cns.utoronto.ca
4 Bancroft Ave., Rm. 102        Voice: +1.416.978.0470
University of Toronto           Fax: +1.416.978.6620
Toronto, ON M5S 1C1 CANADA
Re: Soekris net5501 locks up with Ralink 2860 miniPCI
I am curious, though, what brands of wifi cards OpenBSD folks use for APs. From when I was investigating this a year or so ago the ral cards (per the man pages) were about the only ones without some sort of caveat in AP mode.

Yep, ral(4) works quite well for me.

ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:3b:08:45:41
        groups: wlan
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        ieee80211: nwid bervix_castor chan 8 bssid 00:0e:3b:08:45:41 100dBm

dmesg snip:

cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
biomask f355 netmask f775 ttymask f7ff
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
ral0 at cardbus0 dev 0 function 0 Ralink RT2560 rev 0x01: irq 12, address 00:0e:3b:08:45:41
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

I have two different pcmcia ral(4) cards that work great in hostap mode and a rum(4) USB radio that tries (no errors) but people have trouble connecting. I bought a couple of mini PCI ath cards to go with a PC Engines board that was going to replace my AP (currently an old IBM Aptiva with a pcmcia card) but they turned out to be ath 2413 and they don't quite work right. I am sure it will only take a minor tweak to get them going but I have never got around to it. My other ath card, a 5424 in an eeepc 701, does not work either; I am thinking that would take a little more work to get going, however. Speaking of which, I would love to test patches for the ath 5424; it would be awesome if I could use the internal radio.
Adding custom termcap entries.
I want to add a custom termcap entry for rxvt-unicode. Is the proper way simply editing /etc/termcap? I notice that it is a symlink to /usr/share/misc/termcap. Perhaps I should delete the symlink and copy it from there into /etc?

I tried editing in my termcap entry, but when I do, and run the following command, I get errors:

# tset -IsQ rxvt-unicode
TERM=rxvt-unicode;
tset: termcap names not colon terminated: No such file or directory
TERMCAP='#

--
Russell Harmon
RTP Computer Science House
Re: Adding custom termcap entries.
The output of the infocmp command isn't valid in /etc/termcap. It doesn't even use the same syntax!

--
Russell Harmon
RTP Computer Science House

On Sun, Apr 4, 2010 at 05:42, Nicholas Marriott nicholas.marri...@gmail.com wrote:

OpenBSD uses its own terminfo database format, but the default paths are searched as well so you can just use tic(1):

$ ftp -o rxvt-unicode.terminfo \
    http://cvs.schmorp.de/rxvt-unicode/doc/etc/rxvt-unicode.terminfo?revision=1.26
$ sudo TERMINFO=/usr/share/terminfo tic -x rxvt-unicode.terminfo
$ ls -l /usr/share/terminfo/r/rxvt-unicode
-rw-r--r--  1 root  wheel  2.1K Apr  4 10:40 /usr/share/terminfo/r/rxvt-unicode
$ infocmp rxvt-unicode
#       Reconstructed via infocmp from file: /usr/share/terminfo/r/rxvt-unicode
rxvt-unicode|rxvt-unicode terminal (X Window System),
...

Job done.

On Sun, Apr 04, 2010 at 04:44:11AM -0400, Russell Harmon wrote:

I want to add a custom termcap entry for rxvt-unicode. Is the proper way simply editing /etc/termcap? I notice that it is a symlink to /usr/share/misc/termcap. Perhaps I should delete the symlink and copy it from there into /etc?

I tried editing in my termcap entry, but when I do, and run the following command, I get errors:

# tset -IsQ rxvt-unicode
TERM=rxvt-unicode;
tset: termcap names not colon terminated: No such file or directory
TERMCAP='#

--
Russell Harmon
RTP Computer Science House
Re: Adding custom termcap entries.
I'm sorry for my inexperience with termcap/terminfo entries, but unless I misunderstood, your original response didn't fully answer my question. I wanted to install a termcap entry for rxvt-unicode. Now you told me how to install a terminfo entry, and I hadn't even realized that OpenBSD used terminfo (so thank you), but there still isn't a termcap entry. The infocmp program outputs a termcap entry, but I'm not sure what to do with it.

--
Russell Harmon
RTP Computer Science House

On Sun, Apr 4, 2010 at 06:01, Nicholas Marriott nicholas.marri...@gmail.com wrote:

Sometimes I wonder why I bother...
Re: Adding custom termcap entries.
Thank you, I didn't use the -C option when I originally tried it.

--
Russell Harmon
RTP Computer Science House

On Sun, Apr 4, 2010 at 06:18, Nicholas Marriott nicholas.marri...@gmail.com wrote:

If you want termcap as well, do:

$ cd /usr/share/misc
$ infocmp -C rxvt-unicode >> termcap
$ rm termcap.db
$ cap_mkdb -f termcap termcap

But few programs require it so usually it isn't worth the time. Remember that upgrades will overwrite these files, you may be better putting them in ~ instead.
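The tset error at the top of this thread ("termcap names not colon terminated") is what you get when terminfo-syntax text (comma-separated, which is what plain infocmp prints) lands in a termcap file (colon-separated, which is what infocmp -C prints). As an added example that is not part of the thread, the shell function below checks a candidate termcap file for that mistake before it is installed with cap_mkdb, so a bad entry is caught once by a file check rather than by every program that later loads the database. The two sample entries are constructed for the check and are trimmed, not the real rxvt-unicode descriptions.

```shell
#!/bin/sh
# Added example, not from the thread: reject terminfo-syntax entries before
# they reach /usr/share/misc/termcap.  A termcap entry's name list must end
# with ':'; terminfo ends it with ','.  Continuation lines (leading
# whitespace, or a trailing backslash on the previous line) are folded into
# the entry they belong to, and '#' comment lines are skipped.

# termcap_syntax_check FILE -> exit 0 if every entry is termcap syntax,
# otherwise print the offending name lists and exit 1.
termcap_syntax_check() {
    awk '
        function check() {
            if (entry == "") return
            names = entry; sub(/[:,].*/, "", names)   # text before the first separator
            sep = substr(entry, length(names) + 1, 1)
            if (sep != ":") { printf "%s: names not colon terminated\n", names; bad++ }
            entry = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # a line starting in column 0 begins a new entry, unless the previous
        # line ended with a backslash (termcap-style continuation)
        /^[^ \t]/ && !cont { check() }
        {
            line = $0
            cont = (line ~ /\\$/)
            if (cont) line = substr(line, 1, length(line) - 1)
            entry = entry line
        }
        END { check(); exit (bad > 0) }
    ' "$1"
}

# Constructed samples (trimmed, not the real rxvt-unicode descriptions).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'rxvt-unicode|rxvt-unicode terminal (X Window System):\' \
    '	:am:bw:eo:km:mi:ms:xn:xo:\' \
    '	:co#80:it#8:li#24:' > "$demo_dir/termcap.src"
printf '%s\n' \
    '#	Reconstructed via infocmp from file: /usr/share/terminfo/r/rxvt-unicode' \
    'rxvt-unicode|rxvt-unicode terminal (X Window System),' \
    '	am, bw, eo, km, mir, msgr, xenl, xon,' \
    '	cols#80, it#8, lines#24,' > "$demo_dir/terminfo.src"

termcap_syntax_check "$demo_dir/termcap.src" && echo "termcap.src: ok"
termcap_syntax_check "$demo_dir/terminfo.src" || echo "terminfo.src: rejected, as expected"
rm -r "$demo_dir"
```

Run it against the file you are about to feed to cap_mkdb; a non-zero exit means at least one entry was pasted in terminfo syntax and needs to be regenerated with infocmp -C.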
Favorite 2 or 4-port GigE NIC for i386/AMD64 OpenBSD 4.6?
I was recently bit by some reliability problems with a late-model quad GigE Intel NIC, and I'm looking for a replacement. (Details below if you're interested in the problems.)

So I'm looking for a gigabit Ethernet NIC that has good OpenBSD compatibility and model stability. Do you have a favorite? You're welcome to respond off-list if you like, I'll happily summarize back to the list.

Quad port would be ideal, I'll take dual and settle on single-port if I have to. PCIe. I need autonegotiation on speed and duplex, and 802.1q VLAN support. It will be used for an OpenBSD firewall (currently 4.6), PF, NAT. Current hardware is Dell R200. The built-in BGE0 and BGE1 seem to work well; this is to add additional Ethernet ports.

By model stability, I mean I'm seeking a brand that I can have some assurance will be around for a couple of years, and won't switch chipsets on the same model number.

Problems with the Intel card: The most obvious symptom is that some ports will not go to 1000baseT. You can see someone else describing my symptoms here: http://www.pubbs.net/openbsd/200911/33252/ I cannot get em1 and em3 to go higher than 100baseTX. If I force it to 1000, I lose connection. HP Procurve 5406ZL switch. I have also had a few kernel panics that mentioned pf. I'm assuming it's related to the card, but that's a big assumption on my part.

The card doesn't have a lot of identifying marks. On the backplane metal, it has D61627-003. It was purchased from Dell with the R200s. I have one pulled out, another is in a running machine. If I can post some useful info, let me know. If I'm correct that the NIC is the source of my trouble, then my priority isn't getting it to work, but replacing it. Happy to do some tests if desired, though. If one of the Intel NIC driver developers wants this NIC, let me know where to ship it.

Ryan
Re: How to disable IPv6?
Hey! I use tn3270. Well, actually c3270, as it is a bit saner when remapping keys. But I was very pleasantly surprised to find tn3270 in base. Saved my day once.

And thread hijack. As far as I can tell wscons does not send/set Shift+Fn keys. I was sort of looking for them as I like to map that to PF11-PF22. It was quite the adventure trying to figure out how (and in what form) a key gets to the app. Again, a sort of non-question. I think it is: key, then wscons (set this via wsconsctl), then termcap/terminfo (might be able to set it here but termcap scares me), then tn3270/c3270 (hah, yet another keymap). So a minimum of 3 different keymaps; add X to the mix and it adds its own freakish system into the mix.
Re: Truncation Data Loss
Michal wrote, sometime around 11/11/09 11:40:

I know this is a bit off topic, but storage devices have batteries on RAID cards for a reason. If you are worried about read/writes etc when a system dies, there are measures you can take

Probably even more OT, but... Although some (most?) RAID cards which have a battery option will only let you enable the write cache if you have a battery installed. Certainly the HP P400 cards we have do.

There has been endless discussion about data loss in these types of scenarios on the XFS mailing list - it journals metadata but not data, so if your application (e.g. vim) overwrites files by first truncating them to 0 length and then writing out the data, you'll find that the truncate and the resize of the file are all nicely replayed from the journal after the crash, but if the machine died before your data hit the disk, all you'll get when you read() is \0\0\0\0...

Since ext4 has started to implement similar features in similar ways to XFS, the ext4 folk are running into the same old problems.

--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine Offshore Surveys Ltd.
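The failure mode described above (truncate to zero length, then write; a crash in between leaves an empty or zero-filled file) is avoided by writing the new content to a temporary file in the same directory and renaming it over the target, so the target is always either the old file or the complete new one. Below is an added shell example, not code from the thread: `atomic_replace` runs a producer command into a temporary file and only renames on success, while `truncate_then_write` is the in-place pattern for comparison. sync(8) stands in for the fsync(2) a real program would call on the temporary file and its directory; both function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: replace a file's contents without ever
# exposing a zero-length or partially written version of it.
#
# In-place overwrite (open with O_TRUNC, then write) is what the post
# describes: after a crash the journal may replay the truncate while the data
# never reached the disk.  Writing a temporary file next to the target and
# rename(2)-ing it over the target keeps either the old or the new content
# visible, never an empty file.

# atomic_replace TARGET CMD [ARGS...]
# Runs CMD with stdout redirected to a temporary file in TARGET's directory
# and renames it over TARGET only if CMD succeeds.  Taking the producer as a
# command (rather than piping into this function) means its exit status is
# visible, so a producer that dies half-way leaves TARGET untouched.
atomic_replace() {
    target=$1; shift
    dir=$(dirname -- "$target")
    # same directory as the target: rename(2) is only atomic within one filesystem
    tmp=$(mktemp "$dir/.$(basename -- "$target").XXXXXX") || return 1
    if "$@" > "$tmp" && sync; then   # sync(8) stands in for fsync(2) here
        mv -f "$tmp" "$target"       # rename(2): old file or new file, nothing in between
    else
        rm -f "$tmp"
        return 1
    fi
}

# The pattern the post warns about, for comparison: TARGET is empty from the
# moment the redirection opens it until the producer finishes, and a producer
# that fails half-way leaves a partial file behind.
truncate_then_write() {
    target=$1; shift
    "$@" > "$target"
}

# Constructed demonstration in a scratch directory.
demo_dir=$(mktemp -d)
printf 'old\n' > "$demo_dir/f"
atomic_replace "$demo_dir/f" sh -c 'printf par; exit 1' || echo "producer failed, f still: $(cat "$demo_dir/f")"
atomic_replace "$demo_dir/f" printf 'new\n' && echo "f now: $(cat "$demo_dir/f")"
truncate_then_write "$demo_dir/f" sh -c 'printf par; exit 1' || echo "in-place write failed, f left as: $(cat "$demo_dir/f")"
rm -r "$demo_dir"
```

The scratch run ends with "f left as: par": the in-place write has already destroyed the old content by the time the producer fails, whereas the same failing producer under `atomic_replace` left "old" in place.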
Re: trunks and vlan madness
Marian Hettwer wrote, sometime around 23/07/09 16:07:

Hi *,

# cat /etc/hostname.bge0
up
# cat /etc/hostname.bge1
up
# cat /etc/hostname.trunk0
trunkproto failover trunkport bge0 trunkport bge1 up
# cat /etc/hostname.trunk1
trunkproto failover trunkport bge0 trunkport bge1 up

You can run both vlans over the one trunk. I'm not sure what happens if you have the same interface involved in more than one trunk, but it doesn't sound sensible to me.

# rm /etc/hostname.trunk1

# cat /etc/hostname.vlan24
inet 10.46.24.101 255.255.255.0 10.46.24.255 vlan 24 vlandev trunk0
# cat /etc/hostname.vlan25
inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 vlandev trunk1

echo inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 \
    vlandev trunk0 > /etc/hostname.vlan25

--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine Offshore Surveys Ltd.
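The reply above doubts whether one physical interface should belong to two trunks. The check below is an added example, not code from the thread: it reads the hostname.trunkN files in a directory and reports every trunkport claimed by more than one of them, which is the kind of thing worth running over /etc before a reboot picks the configuration up. The sample files are constructed to mirror the configuration quoted above, plus a third trunk that shares nothing; the directory is a parameter so the check can run against a copy.

```shell
#!/bin/sh
# Added example (not from the thread): flag physical interfaces that are
# claimed as "trunkport" by more than one hostname.trunkN file in DIR.
# hostname.if(5) keeps one command per line and "trunkport X" may appear
# several times on a line, so every pair is emitted with its trunk name,
# then grouped by interface.

# shared_trunkports DIR -> prints "ifname: trunkA trunkB ..." per shared port
shared_trunkports() {
    dir=$1
    for f in "$dir"/hostname.trunk[0-9]*; do
        [ -f "$f" ] || continue
        awk -v trunk="${f##*/hostname.}" '
            { for (i = 1; i < NF; i++) if ($i == "trunkport") print $(i + 1), trunk }
        ' "$f"
    done | sort -u | awk '
        { count[$1]++; members[$1] = members[$1] " " $2 }
        END { for (p in count) if (count[p] > 1) print p ":" members[p] }
    ' | sort
}

# Constructed sample mirroring the quoted configuration, plus an unrelated trunk.
demo_dir=$(mktemp -d)
printf 'trunkproto failover trunkport bge0 trunkport bge1 up\n' > "$demo_dir/hostname.trunk0"
printf 'trunkproto failover trunkport bge0 trunkport bge1 up\n' > "$demo_dir/hostname.trunk1"
printf 'trunkproto lacp trunkport em0 trunkport em1 up\n' > "$demo_dir/hostname.trunk2"

shared_trunkports "$demo_dir"
# prints:
# bge0: trunk0 trunk1
# bge1: trunk0 trunk1
rm -r "$demo_dir"
```

An empty result means every trunkport is claimed by exactly one trunk, which is the state the reply recommends reaching by removing hostname.trunk1 and moving vlan25 onto trunk0.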
Re: ADSL2+ PCI card
John Bond wrote:

Hello, I'm looking into building a home router device and my obvious OS choice is OpenBSD; however I'm struggling to find an ADSL2+ PCI card which I can use. I have only managed to find two devices which may work: the Sangoma data card S519 -- http://www.sangoma.com/products_and_solutions/hardware/data_networking/s519.html or possibly the Viking PCI ADSL2+ Modem Card -- http://www.yawarra.com.au/pdfs/XC-P-ADSL2-V.pdf Does anyone have any experience with these cards and know if they do work with OpenBSD, or know if there are better options?

These should work fine - the S518 presents itself as a special ADSL controller on the PCI bus, but AFAIK the 519 is actually an ethernet chip (Realtek 8139?) paired up with an ADSL modem on a PCI card, so all the computer sees is an ethernet card. I think you configure the ADSL modem by telnetting to it through the ethernet card, but I'm not sure.

--
Russell Howe rh...@bmtmarinerisk.com
Re: Anyone using munin?
Martin Schröder wrote, sometime around 06/04/09 10:01:

2009/4/3, Marc Runkel mrun...@untangle.com:

Trying to set up munin work with OpenBSD and was wondering if anyone had some plugins pre-written? In particular interface statistics but I'll take just about anything.

Good luck. AFAIK there's a freebsd port, try that. And there are some plugins for pf at http://muninexchange.projects.linpro.no/

Munin can collect from SNMP, which makes life a LOT easier! OK, so that's not so useful if you want to collect some stats which OpenBSD's snmpd doesn't expose, but assuming you do, this is what you need to do:

munin-node can act as a proxy, forwarding requests to another box. This is handy if you want to monitor a bunch of hosts the other side of a firewall as you only need to punch a hole for the one machine. It can also act as a munin-to-SNMP one-way bridge, forwarding incoming requests on to another node that speaks SNMP.

Install munin-node somewhere (I installed it on a Debian box that I run munin on, which is also where I collect all syslog messages and run logcheck and nagios).

Check that the box running munin-node can talk SNMP to OpenBSD. This works well enough for me as a test:

$ snmpwalk -v 2c -c <community> <address of obsd box>

Run munin-node-configure-snmp - you can pass either a single address or a CIDR range. It will scan for SNMP and configure any plugins which can monitor the stats it finds.

Configure munin-node to allow connections from the host running munin, e.g.

echo 'allow ^10\.0\.0\.1$' >> /etc/munin/munin-node.conf

where 10.0.0.1 is the IP address of the box running munin (the one which collects stats from all the nodes and draws graphs).

Restart munin-node.

Wait for the pretty graphs to appear.

Debug, rejoice and go on an SNMP configuring rampage across your network (hint: this is useful for monitoring Windows boxes, if you have any of those).

--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine Offshore Surveys Ltd.
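The allow line in the steps above is anchored and has its dots escaped for a reason: munin-node matches the connecting address against a regular expression, so an unanchored allow 10.0.0.1 would also admit 110.0.0.10. As an added example (not code from the thread or from munin), the shell functions below generate the anchored form for one collector address and check candidate addresses against it with grep -E, which for a pattern of this simple shape behaves the same as munin-node's Perl regex (an assumption of the example); both function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from munin: build a munin-node
# "allow" line for one collector address and show why the regex must be
# escaped and anchored.  allow_permits() uses grep -E, assumed here to agree
# with munin-node's Perl regex matching for patterns of this simple shape.

# munin_allow_line ADDRESS -> "allow ^A\.B\.C\.D$" (dots escaped, both ends anchored)
munin_allow_line() {
    printf 'allow ^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# allow_permits ALLOW_LINE ADDRESS -> exit 0 if ADDRESS matches the line's regex
allow_permits() {
    regex=${1#allow }        # strip the keyword, keep the regex
    printf '%s\n' "$2" | grep -Eq -- "$regex"
}

# Constructed demonstration: the anchored line admits only the collector.
line=$(munin_allow_line 10.0.0.1)
echo "$line"                 # allow ^10\.0\.0\.1$
for host in 10.0.0.1 110.0.0.10 10a0b0c1; do
    if allow_permits "$line" "$host"; then echo "$host: permitted"; else echo "$host: denied"; fi
done

# The naive form lets the other two addresses through as well.
for host in 110.0.0.10 10a0b0c1; do
    allow_permits 'allow 10.0.0.1' "$host" && echo "$host: permitted by unanchored 'allow 10.0.0.1'"
done
```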
Re: Duplicate incoming packets to multiple destinations using pf
Simen Stavdal wrote, sometime around 05/11/08 14:14:

Hi Damian/misc, I appreciate your input - I really do. Please see my comments below. I am not trying to escape the fact that one needs systems in place to manage large installations, I am merely looking for what *I* think would be a better way to deploy resources. As a service provider I can provide advice (and hence I posted this question in the first place to see if there was a good way to multicast traps to predefined destinations), but it is not in my power to manage a customer's network - so this I'm afraid is out of my control - but I do agree with your point

...should *never* be a reason

Maybe you answered your own question here - what if you sent your traps to a multicast address and had proper multicast routing? Not something I've ever tried, mind you...

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine Offshore Surveys Ltd.
Re: Duplicate incoming packets to multiple destinations using pf
Simen Stavdal wrote, sometime around 05/11/08 15:25:

Hi Russell, Thanks for your answer. Sending traps to multicast addresses seems like a good idea, except it would be up to the receiver to decide whether to use the trap or not (taking away the possibility to filter which hosts get copied the traps (multicast traps to predefined destinations)).

How about rdr-ing to different multicast addresses depending on who you want the packet to go to? Start doing this though, and the configuration is going to get a bit messy. e.g. 3 multicast addresses, with their members:

mcastA - trapdest1
mcastB - trapdest2
mcastC - trapdest1,trapdest2

then you can decide who to send the trap to by rdr'ing it to one of mcastA, mcastB or mcastC. Certainly seems to violate the principle of least astonishment...

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine Offshore Surveys Ltd.
Re: OpenBSD and HP Proliant DL320/DL360 G5
Johan Ström wrote, sometime around 15/09/08 16:39:

On Sep 15, 2008, at 5:16 PM, Russell Howe wrote:

Johan Ström wrote, sometime around 15/09/08 15:46:

Well, the main question is if DL360/DL320 and OpenBSD are working well together, the rest is only me thinking out loud :)

They work fine for me. I have a pair of DL320 G5 machines each with a quad port Intel Pro/1000 PT card in them and they do all our vlan routing and pass traffic off into an OSPF area on its way to the internet.

Sounds good. Are you using only these quad ports? Or the onboard too?

Onboard too. I went a bit overkill and bonded everything into pairs. Onboard bonded crossover cable to the other box for pfsync/sasync, then a couple of other bonded pairs off the quad port card with vlans on top of that. Basically, I have 3 more gigE interfaces available should I need them. (I can unbond one of the pairs - none of them need to be 2 x gigE).

I've been thinking about using one onboard to external, one for pfsync and then get a dualport NIC where both ports are bonded to the switch. Since I will do both external and internal routing (but I'm not sure I will even be able to get that performance out of the box so might be a non-problem), it would be nice to have 2GBit in case I actually push 1 gig of traffic on the external interface (in which case the internal would be full too and thus internal routing would suffer).. You don't happen to have any numbers on performance do you?

Never really benchmarked actually, so nothing specific, no. I do know that the carp failover is lovely, though. Nothing notices a box being rebooted (haven't yet tried yanking a power cable).

iLO is fine - just set it up for serial console (if you want a GUI console you have to buy an 'Advanced iLO' license, but it's really not needed for a router box). You'll probably want to flip the iLO virtual serial port to be the 1st serial port, just to make life simpler.

Yeah, OpenBSD works pretty well with the serial console, but how is it with BIOS etc? If I recall correctly one can access RBSU (HP's ROM boot thingy) etc from text console too. How is it with bootloader support for console? That works all the way right? Never used it myself in OpenBSD.

Yep, it all works just fine. There are a few options for accessing the BIOS I think - text console or a curses-type interface.

The DL320 can have proper RAID, but only if you buy an additional controller. I use a pair of 80G SATA drives with the onboard controller and they work fine (the box doesn't really do much disk I/O - all the network monitoring and graphing is elsewhere).

Yep, that's my plan too (or well 250G since 250G is almost as cheap as 80G, and we are using 250G in other machines, no need for different spares), and use software raid. One thing I'm worried about though is if one disk fails, will the BIOS be able to boot from the other disk with a broken/empty disk in the first slot? I haven't seen any indications in the BIOS about being able to change, and I've had similar problems before (empty disk in slot1, disk with OS in slot2, box refusing to boot since disk1 is empty).

I don't think this will work with the way I have it set up at present. The trick on Linux is to install the bootloader on disk 2 so that it is configured to boot from disk 1 (as disk #2 will become disk #1 when disk #1 is no longer there or operational). I haven't tried to figure out the necessary magic for that as yet.

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine Offshore Surveys Ltd.
Re: OpenBSD and HP Proliant DL320/DL360 G5
Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: ST3808110AS
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: ST3808110AS
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
uhidev0 at uhub1 port 1 configuration 1 interface 0 HP Virtual Keyboard rev 1.10/0.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 1 configuration 1 interface 1 HP Virtual Keyboard rev 1.10/0.02 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
uhub6 at uhub1 port 2 HP Virtual Hub rev 1.10/0.01 addr 3
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine Offshore Surveys Ltd.
Changed source address for packets from ospfd causing breakage?
Afternoon misc,

I recently added an extra loopback interface to an OpenBSD host running OpenOSPFd as a way of assigning specific IP addresses to the host in a way that didn't tie them to a specific physical interface. I'm using the addresses for NAT and also announcing them as a route into an OSPF area where there is another OpenBSD box (matched with this one running with carp/pfsync/sasync/openospfd) and two Linux machines running quagga's ospfd.

Ever since I did this, my OSPF area fell over and I think it might be because ospfd is now sending packets with a source address matching one of the (public) addresses on this loopback interface instead of the address on the interface it is speaking OSPF on which matches its router-id. I've configured static routes for now, until I can figure out exactly what's going on.

How does ospfd choose the address to send from? I thought it might be something to do with the multicast route, but that's set to be on 'lo0', whereas my new loopback interface is lo1.

This is on OpenBSD 4.2 (I attempted to upgrade to 4.3 and the other node in the carp group died, so I'll be trying that again outside office hours, I think!).

The machine is connected to the ospf area via the 'vlan20' interface which is configured with an IP address 192.168.50.10/24 and is supposed to be announcing all the networks it is connected to on other interfaces. I've anonymised the non-rfc1918 addresses, but (and this might be important) they are the 'lowest' addresses on the router.

/etc/ospfd.conf:

cost_vpn=100
cost_gige=10
cost_gige_shared=12
cost_gige_crossover=8

router-id 192.168.50.10
auth-key censored
auth-type simple
hello-interval 6
retransmit-interval 5
router-dead-time 10

redistribute connected
redistribute static

area 0.0.0.0 {
	interface trunk0 { metric $cost_gige_crossover }
	interface trunk2 { metric $cost_gige passive }
	interface vlan1 { metric $cost_gige_shared passive }
	interface vlan5 { metric $cost_gige_shared passive }
	interface vlan6 { metric $cost_gige_shared passive }
	interface vlan8 { metric $cost_gige_shared passive }
	interface vlan10 { metric $cost_gige_shared passive }
	interface vlan20 { metric $cost_gige_shared }
	interface lo1:1.2.3.4 { metric $cost_gige passive }
	interface lo1:1.2.3.5 { metric $cost_gige passive }
	interface lo1:1.2.3.6 { metric $cost_gige passive }
	interface lo1:1.2.3.7 { metric $cost_gige passive }
	interface lo1:1.2.3.8 { metric $cost_gige passive }
}

--
Russell Howe, IT Manager.
BMT Marine Offshore Surveys Ltd.
[EMAIL PROTECTED]
Re: UPDATE: mozilla-firefox-3.0
n0g0013 wrote:

i'm sure SUN was/is hoping that someone will develop a java based animation toolkit to compete with flash but that's yet to happen.

I think this is what JavaFX is aiming to be - unfortunately, it's probably missed the boat, what with Flash having been around for years and Microsoft having released Silverlight.

One of the reasons Flash on Windows is so fast is that it is JIT-compiled to native code, plus it probably takes advantage of accelerated graphics rendering where it can. Neither of these seem to happen with the Linux flash plugin from Adobe (or if they do, it doesn't help - it's still dog slow).

I think that was one of the things holding Adobe back from releasing an amd64 version of Flash (even for Windows!) - they didn't seem to be capable of porting their JIT compiler! The bug reference for that is here: https://bugs.adobe.com/jira/browse/FP-37

Looks like the JIT was released under the MPL/GPL/LGPL in 2006: http://www.mozilla.org/projects/tamarin/

--
Russell Howe [EMAIL PROTECTED]
Re: Hardware recommendation for firewalls (more than 4 NICs)
Claer wrote, sometime around 15/07/08 07:31:
> On Mon, Jul 14 2008 at 28:15, Martín Coco wrote:
>> Thanks! Have you tried the quad nics on those Dells? We do have a couple of R200s, 860s and 850s running with 2 dual port cards no problem, but we have never tried the quad ports.
>
> Hello,
>
> I do have around 20 Dell 860 and R200 with 2 cards Intel Quad ports. That is a total of 10 interfaces on those cheap Dells. You'll never hit any problem if you use only one Quad port. Be careful with 2 cards on 860. You'll have to order Intel PRO/1000 PT Quad Port and *NOT* the Low profile one. For the moment, no issues with them.

I run a pair of HP DL320 G5 boxes as a pair of failover gateways (pf/isakmpd/ospfd/dhcpd) and have an Intel Pro/1000 PT quad port card in each, giving me 6 interfaces. The onboard ethernet controller is bge, and the intel ones are em.

I use the onboard for a crossover link between the two gateways, and then the other 4 connections are split into 2 bonded pairs. One is a plain old bond to a separate network and the other bonded pair has 5 VLANs running over it. Carp's used on all the links, pretty much, and it works great.

I haven't performed any particularly scientific performance tests, but I did push ~800Mbit/s using iperf through them, from what I recall.

If you were to stick two of the cards in, you'd need one full height and one low profile, as only one of the PCIe slots on the DL320 is full height. You'd also need to make sure you ordered the right version of the server (I think you can get it with one PCIe and one PCI-X slot as well as two PCIe slots).

I'm still not sold on the benefits of bonding when you have a failover pair of gateways, but we had the budget for the extra ports, so why not? It gives me room to expand by breaking the bonds if necessary.

Next task is to fix munin (or replace with something else) so that I can actually get bandwidth stats graphed.

-- 
Russell Howe, IT Manager.
[EMAIL PROTECTED]
BMT Marine Offshore Surveys Ltd.
Redistributing routes for IPSec tunnels with OpenOSPFD
I have a pair of firewall routers running OpenBSD (4.1 and 4.2 at present - need to get them updated) and I recently added an IPsec tunnel to their configurations, using ipsecctl and ipsec.conf complete with sasyncd.

This works fine, and the host which is master of the carp interface I've told isakmpd to use gets routes to and from the remote network in the Encap section of route(8)'s output. However, this does not seem to be advertised by ospfd. I've tried redistribute connected and redistribute static, as well as explicitly specifying the prefix (which I didn't expect to do much), but the route doesn't show in the output of ospfctl show rib.

Is what I am trying to do possible? I know that IPsec isn't a routed protocol and so it's not normally useful to announce routes to other routers, plus the policy tends to restrict the type of traffic that is allowed to pass through the tunnel.

Currently I've set a static route on the other gateway, and this is what's being redistributed into OSPF. I saw in the man page that you can redistribute based on rtlabel, but couldn't see that the IPsec routes (which I suspect aren't normal routes) can be assigned an rtlabel.

This wouldn't be an issue if I tied all my carp interfaces together so that the same host was always master for all interfaces (or at least all interfaces on VPN-related networks). There's no real reason I haven't done that aside from thinking that it shouldn't be necessary, but maybe now it is...

-- 
Russell Howe, IT Manager.
[EMAIL PROTECTED]
BMT Marine Offshore Surveys Ltd.
Kernel Compile Crashes
: Tue Aug 28 10:38:44 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Duron(tm) Processor (AuthenticAMD 686-class, 64KB L2 cache) 802 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 796487680 (759MB)
avail mem = 761987072 (726MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/16/01, BIOS32 rev. 0 @ 0xfa100, SMBIOS rev. 2.3 @ 0xfd490 (19 entries)
bios0: vendor Compaq version 786K3 date 02/16/2001
bios0: Compaq Compaq PC
pcibios0 at bios0: rev 2.1 @ 0xfa040/0x1000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfa040/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 (VIA VT82C686 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x1 0xe9000/0x3000! 0xec000/0x4000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8363 Host rev 0x81
ppb0 at pci0 dev 1 function 0 VIA VT8363 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 S3 ProSavage KM133 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vr0 at pci0 dev 3 function 0 VIA VT6105 RhineIII rev 0x86: irq 3, address 00:05:5d:78:c0:ae
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x004063, model 0x0034
vr1 at pci0 dev 4 function 0 VIA VT6105 RhineIII rev 0x86: irq 10, address 00:11:95:d2:d6:59
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 5: OUI 0x004063, model 0x0034
vr2 at pci0 dev 5 function 0 VIA VT6105 RhineIII rev 0x86: irq 5, address 00:0f:3d:e9:29:9c
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x004063, model 0x0034
pcib0 at pci0 dev 20 function 0 VIA VT82C686 ISA rev 0x22
pciide0 at pci0 dev 20 function 1 VIA VT82C571 IDE rev 0x10: ATA66, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD5000AAKB-00YSA0
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
wd1 at pciide0 channel 1 drive 0: WDC WD5000AAKB-00YSA0
wd1: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
uhci0 at pci0 dev 20 function 2 VIA VT83C572 USB rev 0x10: irq 11
uhci1 at pci0 dev 20 function 3 VIA VT83C572 USB rev 0x10: irq 11
viaenv0 at pci0 dev 20 function 4 VIA VT82C686 SMBus rev 0x30: HWM disabled: 32-bit timer at 3579545Hz
auvia0 at pci0 dev 20 function 5 VIA VT82C686 AC97 rev 0x20: irq 10
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auvia0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: VIA UHCI root hub, rev 1.00/1.00, addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1: VIA UHCI root hub, rev 1.00/1.00, addr 1
biomask fb45 netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b

Any ideas?

-Russell Ault
Mozilla Firefox security updates
Could anyone enlighten me about how Mozilla Firefox security updates are implemented in OpenBSD?

I notice that the version of Firefox I am using in OBSD is 2.0.0.6 whereas the latest versions on Windows and Ubuntu are both 2.0.0.11, and several security vulnerabilities are present in 2.0.0.6. In my version of Debian (Etch) Iceweasel is at version 2.0.0.10 but I note from the Mozilla site that the 2.0.0.11 update doesn't include any security fixes whereas 2.0.0.10 does include security fixes.

Updates to Firefox are pretty regular things at present and if you are running Windows they always seem to emphasise the need to update as soon as a fix is announced, presumably meaning that vulnerabilities could well be exploited quickly. In Windows updates are downloaded from within the running program, in Ubuntu via the usual software update process (binary updates - either apt-get, aptitude or Synaptic).

I presume the OBSD team are only concerned with updates to the basic OS and package updates are handled by the package developers. I can find the source of 2.0.0.11 on Mozilla's site. Can I assume I must use this and compile it myself? I have had a look at the ports source on the UK mirror site and it is dated 1 Sept 07 so I presume this includes only 2.0.0.6 and there is no port later than this.

I am out on a limb regarding implementing 2.0.0.11 in source form - what do other people do?

Russell
Re: Advice requested on security issues
Jussi Peltola wrote:
> On Tue, Jan 08, 2008 at 10:48:41AM -0500, Douglas A. Tutty wrote:
>> I suppose the only way to have a trusted-secure box and an untrusted-insecure box with one display/keyboard would be a KVM.
>
> Actual, physical separation of the machines is the only 100% secure way to prevent information from leaking between them. I'd be more worried about the network cable between them than a KVM, though.

I looked at KVM and came to the same conclusion - that most now have some software (partly to allow the boot process to discover the keyboard, etc. hardware), so there is a risk of some leakage. My configuration will be physical separation of the secure box from the main box, with network cabling to the router as the only link.

So my security measures on the secure box are a simple PF setup permitting only outgoing initiation of connections and some sort of restriction on the internet sites visited, i.e. simply setting up the appropriate bank sites as bookmarks and only using these as starting pages to visit. Plus maybe some form of whitelisting in the browser setup if I don't trust myself to be awake.

Unfortunately some bank sites do use javascript and I have a concern over cross site scripting - only because I have yet to look deeper into this to see what the risks are. But if I never visit non-bank sites is this a problem?

Russell
How to find all package files
I am new to OpenBSD and I am not sure what is the correct way to find packages.

For example I have tried to install the xfce window manager, and at first I looked at the list of files in the packages list and there were a lot of files with xfce in the name / description. I looked for one which said something like "this is the main package for xfce4" so that installing that and all dependencies would do the job, but couldn't find such a file.

I resorted to looking for xfce in the INDEX and using all files where this was mentioned, i.e. forming a list with

    grep xfce INDEX | cut -d '|' -f 1 | sed 's/$/.tgz/g' > /tmpdir/xfce4pkglist

then

    pkg_add `cat /tmpdir/xfce4pkglist`

I realise that for such a package there would be some parts which were optional, so needed to be separated out, but I thought there must be a more reliable way to determine which files to include.

Is there a better way to do this?

Russell
Re: Advice requested on security issues
On 05/01/2008, Nick Holland [EMAIL PROTECTED] wrote:
> <snip>
> Your PF rules would probably just block all incoming traffic and pass outgoing traffic. Or if you want to make sure it is used only for your desired app, block everything outbound 'cept for that traffic destined to your desired locations (note: this is a lot of fun to maintain).

Yes I may consider only enabling the outbound locations, but probably will just block unsolicited incoming traffic. I once asked a bank for the list of urls they would use so I could whitelist them, but they said they couldn't give that to me. Strange how they claim to be concerned about security..

> In order for your general purpose machine to impact your OpenBSD machine you would need to be running some app on the OpenBSD machine that is vulnerable to attack. So, in general, just don't add anything to the machine you don't need, and in your case, default install is about right.

Thanks, this is what I thought.

>> 2: Space for the P3 is limited and I would like to remove its printer and print bank statements across the LAN on the main PC (running Linux, or maybe FreeBSD in future) using CUPS. Does this introduce security risks?
>
> Some. Not much. If you end up (accidentally) running a poorly written service on your OpenBSD machine, yes you could be attacked. Even if you are initiating contact with a compromised machine, it *might* be able to send something back at you that could choke your app and cause Bad Things to happen.

Choking the app is not so bad. Stealing passwords is the concern. I presume as password transmission is encrypted they can't be sniffed from somewhere else on the LAN, so I guess it's down to whether CUPS (or some other app inside the PC) could be hacked somehow? I suspect this is such a remote possibility that I should stop worrying about it.

> The sad thing is you are being more careful with your system design than your bank probably is. :-/ By the time you are running OpenBSD on your banking computer, I suspect you have shifted the primary risk to the other end of the wire...your bank is a bigger risk to your data than you are.

Agreed

On 05/01/2008, Ted Unangst [EMAIL PROTECTED] wrote:
> you may or may not find this helpful. you should consider how much money you have, how many other people have that much or more money, how many of those people only use a windows pc to do their banking, and how many would-be thieves capable of infecting all those windows machines would decide to spend the extra effort figuring out your installation in order to exploit it instead of settling for only all the money of all the windows users.
>
> i actually have a similar setup, but have no concerns about the windows machine attacking the openbsd machines.

Yes I understand I'm being more cautious than 99% of the population, but as I'm retired there isn't a whole lot of money coming in to replace lost savings. Internet savings accounts pay enough over accounts available on the high street to make the effort worthwhile, and why should I take a risk if it's avoidable with a little good organisation?

> you may or may not find this helpful

- I am grateful for your comments and those from others, thanks.
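The rule design discussed in this thread (no inbound sessions, outbound only to the chosen bank addresses, plus printing to the CUPS server on the LAN) as a pf.conf, added here as an example and not posted by anyone in the thread; the interface name, router, print server and bank addresses are constructed placeholders.

```pf
# Added example for this thread, not from any poster. A dedicated
# banking host that never accepts inbound sessions and only opens
# outbound ones to a short whitelist. All addresses are constructed
# placeholders (RFC 5737 / RFC 1918 ranges); replace them with yours.

ext_if   = "vr0"                 # the box's only NIC (placeholder)
router   = "192.168.1.1"         # LAN router: DNS forwarder and NTP source
printsrv = "192.168.1.20"        # main PC running CUPS (IPP, tcp/631)

# Bank web front ends. pf resolves hostnames once at load time, so
# reload the ruleset if the bank changes addresses.
table <banks> persist { 203.0.113.10, 203.0.113.11 }

set skip on lo0
set block-policy drop

# Default deny, logged, in both directions. pf uses last-match, so the
# pass rules below win for the traffic they name; everything else is
# dropped and lands in pflog for later review.
block log all

# No inbound sessions at all, not even from the LAN: quick stops
# evaluation here so no later rule can accidentally open a port.
block in log quick on $ext_if

# Name resolution and time, only to the LAN router
pass out on $ext_if proto { udp, tcp } from ($ext_if) to $router port domain
pass out on $ext_if proto udp from ($ext_if) to $router port ntp

# HTTPS to the whitelisted bank addresses only; no plain HTTP
pass out on $ext_if proto tcp from ($ext_if) to <banks> port https flags S/SA

# Print statements to the CUPS server on the LAN
pass out on $ext_if proto tcp from ($ext_if) to $printsrv port ipp
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; anything the host tried to reach outside the whitelist can be reviewed afterwards with `tcpdump -n -e -ttt -r /var/log/pflog`.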