Re: Trouble with OpenBSD 4.2 DNS server setup

2008-05-08 Thread Stuart Henderson
On 2008/05/07 19:21, Sam Fourman Jr. wrote:
> >  > I assume that if I want to host email for 10 different domains I have
> >  > to have these set
> >  >
> >  > allow-recursion { any; };
> >
> >  This allows anybody to use your nameserver as a resolver (e.g.
> >  anyone can ask you to lookup domains for them). You shouldn't
> >  do this at all without a very good reason (one example being if
> >  you're providing DNS to VPN clients and filtering non-VPN traffic).
> >  Doing so without other controls leaves you open to being an
> >  attack amplifier for anyone who can send a UDP packet with an
> >  invalid source address, and also may open you up to DNS poisoning.
> >
> >  If you're currently using a setup that involves the same IP
> >  address for both authoritative (domains you host) and recursive
> >  queries (client DNS requests), you should get these split onto
> >  separate addresses.
> >
> 
> so if I understand this, the correct way to set up DNS
> is to have one nameserver do just recursive queries
> and a separate name server on a separate ip address have the actual domain
> files

That's how I usually do things, it gives a clear separation, and
most people don't need a powerful machine to host authoritative dns.

Other options include running two daemons bound to different
addresses (I have some systems where I do this, usually with nsd
for auth, BIND for resolver), or using one daemon with views
and "match-destinations".

It's also possible to use views with "match-clients", but I'm
not keen on this, it makes things difficult when customers transfer
a domain away, and makes it hard to filter or separate things onto
different machines if you want to do that sometime.

I also usually run named on mail servers, just answering to
localhost queries, forwarding to a main resolver - this saves a
bunch of local network traffic when you have messages stuck in
queues.
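
The "one daemon with views and match-destinations" option from the reply above, written out as a BIND 9 named.conf beside the open-resolver setting it replaces. This is an added example, not configuration from the thread; the addresses (documentation ranges), ACL name, zone name and file paths are assumptions.

```conf
// Added example, not from the thread. Addresses, the ACL name "clients",
// the zone name and all file paths are constructed placeholders.

// Weak form from the question: anyone on the Internet may recurse
// through this server (amplification and cache-poisoning exposure).
//   options { allow-recursion { any; }; };

// Hosts that are allowed to use this server as a resolver.
acl "clients" { 127.0.0.1; 192.0.2.0/24; };

options {
        directory "/var/named";
        // Two service addresses on one host:
        //   192.0.2.53  published in NS records (authoritative)
        //   192.0.2.54  handed to internal clients as their resolver
        listen-on { 127.0.0.1; 192.0.2.53; 192.0.2.54; };
};

// Queries addressed to the resolver address or to localhost.
// Both conditions must match, so an outside host that queries
// 192.0.2.54 matches no view and is refused.
view "resolver" {
        match-destinations { 127.0.0.1; 192.0.2.54; };
        match-clients { "clients"; };
        recursion yes;
        allow-recursion { "clients"; };
        zone "." { type hint; file "etc/root.hint"; };
};

// Queries addressed to the authoritative address: hosted zones only,
// answered for anyone, never recursing.
view "authoritative" {
        match-destinations { 192.0.2.53; };
        recursion no;
        allow-query { any; };
        zone "example.com" { type master; file "master/example.com"; };
};
```

Because the views are selected by destination address, the authoritative address can later be moved to a separate machine without changing what clients or delegations point at.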



Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Stuart Henderson
On 2008-05-08, Jon Radel <[EMAIL PROTECTED]> wrote:
>
> You appear to be making use of the default pass rule for all your outbound
> traffic, as I didn't notice a single rule that applied to outbound
> traffic (other than your block port 0, CARP, PFSync, and ping rules).  I
> don't believe that can be counted on to establish state.

Unless I missed anything in the commits from the last couple of
days, the implicit "pass" rules definitely do not establish state.



OpenBSD 4.3 CD, T-Shirts, Books arrived at ShenZhen, China.

2008-05-08 Thread Zhang Huangbin

Hi, guys.

Just want to let you know, it arrived :)

- 15 CD sets.
- 8 Books (*7, *1).
- 5 T-Shirts.

It took about one week from USA -> China.

Thanks to all the people who made this possible. :D

--
Best Regards.

Zhang Huangbin

- OpenBSD 4.2 -release, i386.
- RHEL 5.1 Client



nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

Hi,

Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
openntp service? It appears to rely upon services not implemented
in openntp?


/Pete



Re: How to copy/pipe console buffert to file?

2008-05-08 Thread Josh Grosse
On Thu, 8 May 2008 12:37:47 +0200, rancor wrote
> Hi
> 
> Is there any way of copy/pipe the information on the console to a
> file? I need the same information that I can see if I hold down
> Ctrl+Shift and using PageUp/Down when I'm on the console. I'm not
> using serial, that would be simple but I'm stuck right on the machine.
>

For many people, the built-in script(1) program works well.  Some also find
that using col(1) with the "-b" option removes extraneous control 
characters very nicely.



How to copy/pipe console buffert to file?

2008-05-08 Thread rancor
Hi

Is there any way of copy/pipe the information on the console to a file? I
need the same information that I can see if I hold down Ctrl+Shift and using
PageUp/Down when I'm on the console. I'm not using serial, that would be
simple but I'm stuck right on the machine.

I'm using OpenBSD 4.3

Best Regards rancor



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Dave Ewart
On Thursday, 08.05.2008 at 11:53 +0200, Pete Vickers wrote:

> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
> openntp service? It appears to rely upon services not implemented
> in openntp?

openntpd does not listen on port 123 by default: that's what Nagios
would use to monitor,

Check man ntpd.conf for the 'listen' option.

Dave.

-- 
Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
All email from me is now digitally signed, http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92



Re: How to copy/pipe console buffert to file?

2008-05-08 Thread mickey
On Thu, May 08, 2008 at 12:37:47PM +0200, rancor wrote:
> Hi
> 
> Is there any way of copy/pipe the information on the console to a file? I
> need the same information that I can see if I hold down Ctrl+Shift and using
> PageUp/Down when I'm on the console. I'm not using serial, that would be
> simple but I'm stuck right on the machine.

dd if=/dev/mem of=/tmp/a bs=32k skip=23 count=1
cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: How to copy/pipe console buffert to file?

2008-05-08 Thread mickey
On Thu, May 08, 2008 at 10:59:46AM +, mickey wrote:
> On Thu, May 08, 2008 at 12:37:47PM +0200, rancor wrote:
> > Hi
> > 
> > Is there any way of copy/pipe the information on the console to a file? I
> > need the same information that I can see if I hold down Ctrl+Shift and using
> > PageUp/Down when I'm on the console. I'm not using serial, that would be
> > simple but I'm stuck right on the machine.
> 
> dd if=/dev/mem of=/tmp/a bs=32k skip=23 count=1

if you ain't require original color pipe thru
hexdump -e '"%_c\n"' | awk 'NR % 2 {s=s $0} END {print s}'|more 
cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Steve Johnson
Thanks for the information. This is the first time that I've used PF as 
a router based firewall and not with NAT. I didn't know that the state 
was on a per interface basis, and not global to the system. So this 
means that unless I want to allow all outbound traffic from my firewall, 
I need to have a matching pass out rule for all the pass in rules for 
which I want to restrict the inbound interface (ie for which I don't 
want to put just pass for)?


The reason I need quick, especially on a few of these rules, is that the 
firewall will be establishing 3 to 6 thousand new sessions per second 
and managing between 300 000-500 000 state entries. This means that if
it's one state entry per interface, this effectively doubles the state 
table size.


Thanks for the other tips by other people for lists and the implicit 
keep state, I hadn't even realized I had omitted important lists and 
didn't know about the implicit keep state.


Jon Radel wrote:

> You appear to be making use of the default pass rule for all your outbound
> traffic, as I didn't notice a single rule that applied to outbound
> traffic (other than your block port 0, CARP, PFSync, and ping rules).  I
> don't believe that can be counted on to establish state.
>
> So a packet arrives on an interface, is allowed in with a "pass in quick
> on XX" and state is established.  The packet is then routed out YY,
> which is allowed since there is no rule to block it.  There is, however,
> no state established on interface YY, so the return packet is dropped
> unless you have a rule explicitly allowing that packet in.
>
> Try dropping a
>
> pass out all
>
> into the rule set to see if things get better.  (As a test, think about
> the implications before you put that into production.)
>
> --Jon Radel




Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

Hi,

That's not the problem ! - the hosting is correctly listening, and  
indeed other hosts are correctly syncing to it. It's only the nagios  
check_ntp_* that doesn't like it.



$ ~> grep -i listen /etc/ntpd.conf
# Addresses to listen on (ntpd does not listen by default)
listen on *

$ ~> ps -aux | grep ntp
_ntp 18182  0.0  0.0   468   612 ??  S     19Nov06    5:57.94 ntpd: ntp engine (ntpd)
root 10889  0.0  0.0   512   616 ??  Is    19Nov06    0:00.24 ntpd: [priv] (ntpd)




/Pete


On 8 May 2008, at 12:59 PM, Dave Ewart wrote:

> On Thursday, 08.05.2008 at 11:53 +0200, Pete Vickers wrote:
>
>> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
>> openntp service? It appears to rely upon services not implemented
>> in openntp?
>
> openntpd does not listen on port 123 by default: that's what Nagios
> would use to monitor,
>
> Check man ntpd.conf for the 'listen' option.
>
> Dave.
>
> --
> Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
> All email from me is now digitally signed, http://www.sungate.co.uk/
> Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92




Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Otto Moerbeek
On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:

> Thanks for the information. This is the first time that I've used PF as a 
> router based firewall and not with NAT. I didn't know that the state was on 
> a per interface basis, and not global to the system. So this means that 
> unless I want to allow all outbound traffic from my firewall, I need to 
> have a matching pass out rule for all the pass in rules for which I want to 
> restrict the inbound interface (ie for which I don't want to put just pass 
> for)?

No, states are by default global and not tied to an interface. See man
pf.conf. 

-Otto

>
> The reason I need quick, especially on a few of these rules, is that the 
> firewall will be establishing 3 to 6 thousand new sessions per second and 
> managing between 300 000-500 000 state entries. This means that if it's one
> state entry per interface, this effectively doubles the state table size.
>
> Thanks for the other tips by other people for lists and the implicit keep 
> state, I hadn't even realized I had omitted important lists and didn't know 
> about the implicit keep state.
>
> Jon Radel wrote:
>> You appear to be making use of the default pass rule for all your outbound
>> traffic, as I didn't notice a single rule that applied to outbound
>> traffic (other than your block port 0, CARP, PFSync, and ping rules).  I
>> don't believe that can be counted on to establish state.
>>
>> So a packet arrives on an interface, is allowed in with a "pass in quick
>> on XX" and state is established.  The packet is then routed out YY,
>> which is allowed since there is no rule to block it.  There is, however,
>> no state established on interface YY, so the return packet is dropped
>> unless you have a rule explicitly allowing that packet in.
>>
>> Try dropping a
>>
>> pass out all
>>
>> into the rule set to see if things get better.  (As a test, think about
>> the implications before you put that into production.)
>>
>> --Jon Radel



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Stuart Henderson
On 2008-05-08, Pete Vickers <[EMAIL PROTECTED]> wrote:
> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
> openntp service? It appears to rely upon services not implemented
> in openntp?

this is against an OpenNTP server;

<[EMAIL PROTECTED]:12>$ /usr/local/libexec/nagios/check_ntp_time -H ntp
NTP OK: Offset -0.002711469308 secs|offset=-0.002711s;60.00;120.00;

so, it can work.



Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Henning Brauer
* Otto Moerbeek <[EMAIL PROTECTED]> [2008-05-08 13:47]:
> On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
> 
> > Thanks for the information. This is the first time that I've used PF as a 
> > router based firewall and not with NAT. I didn't know that the state was on 
> > a per interface basis, and not global to the system. So this means that 
> > unless I want to allow all outbound traffic from my firewall, I need to 
> > have a matching pass out rule for all the pass in rules for which I want to 
> > restrict the inbound interface (ie for which I don't want to put just pass 
> > for)?
> 
> No, states are by default global and not tied to an interface. See man
> pf.conf. 

now you confused him even more :)

while otto is right, contrary to your belief, the direction of creation
is in the state. so given routing doesn't change they are effectively
per-interface. it's just that they can move onto another interface if
routing changes.

for your case, consider skipping filtering on one interface (set skip 
em5)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Stuart Henderson
On 2008-05-08, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
>
>> Thanks for the information. This is the first time that I've used PF as a 
>> router based firewall and not with NAT. I didn't know that the state was on 
>> a per interface basis, and not global to the system. So this means that 
>> unless I want to allow all outbound traffic from my firewall, I need to 
>> have a matching pass out rule for all the pass in rules for which I want to 
>> restrict the inbound interface (ie for which I don't want to put just pass 
>> for)?
>
> No, states are by default global and not tied to an interface. See man
> pf.conf. 

But they are sensitive to direction; if you keep state for a new incoming
session on an interface, you:

1. *do* pass _return_ traffic associated with that connection,
2. *do not* pass the incoming traffic that created the state (or any
following incoming traffic from the same connection) out of another
interface to send to another machine

For 2. you can either pass the outbound traffic separately, or you
can tag the inbound traffic and pass outbound traffic that has been
tagged.

...
>> The reason I need quick, especially on a few of these rules, is that the
>> firewall will be establishing 3 to 6 thousand new sessions per second

You should read this set of articles:
http://undeadly.org/cgi?action=article&sid=20060927091645
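
The two options from the reply above for forwarding a connection through a routing (non-NAT) firewall, written out as pf.conf rules. This is an added example, not rules from the thread; the interface names, server address and the tag name WEB_IN are assumptions.

```conf
# Added example, not rules from the thread. Interface names, the server
# address (documentation range) and the tag name WEB_IN are assumptions.
ext_if  = "em0"          # faces the clients
int_if  = "em1"          # faces the server network
web_srv = "192.0.2.10"

set skip on lo
block log all            # explicit default deny, both directions

# Inbound policy on the client-facing interface (used by both options).
# This rule creates a state for the inbound direction on $ext_if and
# marks the packet; the tag is only consulted by option 2.
pass in on $ext_if proto tcp from any to $web_srv port 80 tag WEB_IN keep state

# Option 1: pass the forwarded traffic separately on the way out.
# Any packet for the server may leave $int_if, whichever interface
# it entered on.
#pass out on $int_if proto tcp from any to $web_srv port 80 keep state

# Option 2: pass only packets that carry the tag set on the way in.
# Nothing leaves $int_if unless the $ext_if rule admitted it first.
pass out on $int_if tagged WEB_IN keep state
```

Either way the connection ends up with two state entries, one per direction of creation, and the reply packets match those states on each interface.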



Re: Editing C with...

2008-05-08 Thread Hannah Schroeter
Hi!

On Sun, May 04, 2008 at 11:42:53AM -0400, Nick Holland wrote:
>ropers wrote:
>> 2008/5/4 Nick Holland <[EMAIL PROTECTED]>:
>>>  "[vim] alters files in unexpected ways", which I consider a
>>>  major sin.

>> I didn't know that, and cursory googling didn't turn up anything
>> enlightening. Could you elaborate?

>> Thanks and regards,
>> --ropers

>It might have been better if I had said, "alters my input", instead
>of implying that I edit a file with vim and it gets saved
>differently than loaded without my deliberately changing anything.

>And yes, tabs and auto indent were some of the things.

Now, nvi has auto-indent too (:set ai), just not enabled by default.

>I also had
>an experience with it auto-inserting line breaks which caused me
>large amounts of problem.

Could happen with nvi too (:set wrapmargin=42). Just not enabled by
default.

>All this stuff is there for a reason, and is great for the
>intended purposes.  HOWEVER, it's annoying as heck when one's
>purposes don't jive with the editor's defaults.

Now, on *OpenBSD*, the defaults of vim are quite sane IMO. (I.e. syntax
highlighting, auto-indent, text wrapping, smart-tabs, tab expansion,
etc. *off* by default, I have to enable all the fancy I really want in
my $HOME/.vimrc). It's vim as it's distributed on some Linux
distributions that sucks rocks through tiny holes.

>Yes, all those
>defaults can be changed, but on the machine I was fighting with
>at the time, they were in some very inappropriate for my needs, and
>quite unexpected behavior for something I invoked with the command
>"vi".  I won't dispute vim is a great editor...I just dislike it
>pretending to be vi on some distributions of another OS.  In all
>likelihood, it COULD pass as vi, but not with all the options
>turned on.

Yes. Probably it works for me especially because I mostly use it on
OpenBSD. :-)

>Nick.

Kind regards,

Hannah.



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

that works fine:

$ ~>/usr/local/libexec/nagios/check_ntp_time  -H ntp1
NTP OK: Offset 0.0008395434124 secs|offset=0.000840s;60.00;120.00;


but, I'm trying to verify the NTP server's health, not that my
monitoring host is sync'd to it.


"Notes:
 This plugin checks the clock offset between the local host and a
 remote NTP server. It is independent of any commandline programs or
 external libraries.

 If you'd rather want to monitor an NTP server, please use
 check_ntp_peer."


but that doesn't work (for me) :

$ ~>/usr/local/libexec/nagios/check_ntp_peer -H ntp1 -t 3
CRITICAL - Socket timeout after 3 seconds



/Pete



On 8 May 2008, at 1:55 PM, Stuart Henderson wrote:

> On 2008-05-08, Pete Vickers <[EMAIL PROTECTED]> wrote:
>> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
>> openntp service? It appears to rely upon services not implemented
>> in openntp?
>
> this is against an OpenNTP server;
>
> <[EMAIL PROTECTED]:12>$ /usr/local/libexec/nagios/check_ntp_time -H ntp
> NTP OK: Offset -0.002711469308 secs|offset=-0.002711s;60.00;120.00;
>
> so, it can work.




Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Dave Ewart
On Thursday, 08.05.2008 at 13:29 +0200, Pete Vickers wrote:

>>> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
>>> openntp service? It appears to rely upon services not implemented
>>> in openntp?
>>
>> openntpd does not listen on port 123 by default: that's what Nagios
>> would use to monitor,
>>
>> Check man ntpd.conf for the 'listen' option.
>
> That's not the problem ! - the hosting is correctly listening, and  
> indeed other hosts are correctly syncing to it. It's only the nagios  
> check_ntp_* that doesn't like it.

On this network, Nagios runs on a Debian Etch machine and issuing:

  /usr/lib/nagios/plugins/check_ntp -H myhostname

returns

  NTP OK: Offset -0.0001729539945 secs|offset=-0.0001729539945

What output do *you* get when you run check_ntp?

Dave.
-- 
Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
All email from me is now digitally signed, http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92



Re: Editing C with...

2008-05-08 Thread Hannah Schroeter
Hi!

On Wed, May 07, 2008 at 04:55:55PM +0100, overdrive openbsd wrote:
>I don't want to start a flamewar, but I will say my experience; after
>lot of years using vi and vim, I decide 'taste' emacs. Now I can see
>that the major part of users those use vi/vim is because they never
>tried more than 5 minutes on emacs or directly they never tried. Now I
>am more productive (-; of course stupid devels will be stupid in vi or
>emacs, but they will be slower to write their stupid code!

I beg to differ. Used emacs (back then when 19 was the current version,
heck, even *ported* emacs 19 to my machine then) for quite a long time
and moved to vim. Bottom line: YMMV. Find the tool(s) that fit(s) you
best and get proficient in it/them.

>Borja Tarraso

Kind regards,

Hannah.



Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Steve Johnson
Ah, that explains a lot! Thanks for the information. Yes, what Otto had 
mentioned was indeed confusing me :-)


Especially when I look at the following statement from the faq:
http://www.openbsd.org/faq/pf/filter.html#state

" When a rule creates state, the first packet matching the rule creates 
a "state" between the sender and receiver. Now, not only do packets 
going from the sender to receiver match the state entry and bypass 
ruleset evaluation, but so do the reply packets from receiver to sender."


Plus, pf.conf(5) stated that floating was the default behaviour,
which I now notice is what Otto pointed out, but that made me think
even more that the pass out would not have been needed, since the state
was created with the pass in.


I've added a "pass out from ! self" rule that should take care of 
everything that I've allowed to come in. It also explains why the state 
table will grow so much, if there's a state entry for each direction. 
I'll look more into the tag part which should be even better as well as 
that link on optimization.


Is the state direction tracking something that changed at one point of 
the PF development or has it always been like that?


Thanks again to all for the responses and references,
Steve

Stuart Henderson wrote:

> On 2008-05-08, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
>> On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
>>
>>> Thanks for the information. This is the first time that I've used PF as a
>>> router based firewall and not with NAT. I didn't know that the state was on
>>> a per interface basis, and not global to the system. So this means that
>>> unless I want to allow all outbound traffic from my firewall, I need to
>>> have a matching pass out rule for all the pass in rules for which I want to
>>> restrict the inbound interface (ie for which I don't want to put just pass
>>> for)?
>>
>> No, states are by default global and not tied to an interface. See man
>> pf.conf.
>
> But they are sensitive to direction; if you keep state for a new incoming
> session on an interface, you:
>
> 1. *do* pass _return_ traffic associated with that connection,
> 2. *do not* pass the incoming traffic that created the state (or any
> following incoming traffic from the same connection) out of another
> interface to send to another machine
>
> For 2. you can either pass the outbound traffic separately, or you
> can tag the inbound traffic and pass outbound traffic that has been
> tagged.
>
> ...
>>> The reason I need quick, especially on a few of these rules, is that the
>>> firewall will be establishing 3 to 6 thousand new sessions per second
>
> You should read this set of articles:
> http://undeadly.org/cgi?action=article&sid=20060927091645




Thinkpad T42 + OpenBSD 4.3 Freeze

2008-05-08 Thread Gonzalo Lionel Rodriguez
Hi, everyone, I have a problem with my IBM Thinkpad T42 2373 and OpenBSD 4.3
(stable and current), with 512mb of ram (default) works fine, when I add 1gb
(kingston) the system works fine a few minutes, and then freezes without
error or message.

Here is my dmesg:


OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.60GHz ("GenuineIntel" 686-class)
1.60 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem  = 1609527296 (1534MB)
avail mem = 1547259904 (1475MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/27/05, BIOS32 rev. 0 @ 0xfd750,
SMBIOS rev. 2.33 @ 0xe0010 (61 entries)
bios0: vendor IBM version "1RETDLWW (3.17 )" date 07/27/2005
bios0: IBM 2373RY1
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 97%
apm0: AC on, battery charge high
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd6e0/0x920
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #6 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000
0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0
cpu0: Enhanced SpeedStep 1600 MHz (1340 mV): speeds: 1600, 1400, 1200, 1000,
800, 600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82855PM Host" rev 0x03
agp0 at pchb0: aperture at 0xd000, size 0x1000
ppb0 at pci0 dev 1 function 0 "Intel 82855PM AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M7 LW" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x81
pci2 at ppb1 bus 2
cbb0 at pci2 dev 0 function 0 "TI PCI4520 CardBus" rev 0x01: irq 11
cbb1 at pci2 dev 0 function 1 "TI PCI4520 CardBus" rev 0x01: irq 11
em0 at pci2 dev 1 function 0 "Intel PRO/1000MT (82540EP)" rev 0x03: irq 11,
address 00:11:25:d5:bb:e2
ipw0 at pci2 dev 2 function 0 "Intel PRO/Wireless 2100" rev 0x04: irq 11,
address 00:13:e8:02:d6:9a
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 6 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x01: 24-bit
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to co
mpatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x01: irq 11
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC2700CL2.5
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC2700CL2.5
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x01: irq 11, ICH4
AC97
ac97: codec id 0ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
"Intel 82801DB Modem" rev 0x01 at pci0 dev 31 function 6 not configured
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask effd netmask effd ttymask 
mtrr: Pentium Pro MTRR support
ugen0 at uhub3 port 2 "STMicroelectronics Biometric Coprocessor" rev
1.00/0.01 addr 2
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
x41445374 (Analog Devices AD1981B)

Any idea?

Regards.



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Stuart Henderson
On 2008/05/08 14:33, Pete Vickers wrote:
>
> that works fine:
>
> $ ~>/usr/local/libexec/nagios/check_ntp_time  -H ntp1
> NTP OK: Offset 0.0008395434124 secs|offset=0.000840s;60.00;120.00;
>
> but, I'm trying to verify the NTP server's health, not that my
> monitoring host is sync'd to it.

check_ntp_time should be fine for that.

> "Notes:
>  This plugin checks the clock offset between the local host and a
>  remote NTP server. It is independent of any commandline programs or
>  external libraries.
>
>  If you'd rather want to monitor an NTP server, please use
>  check_ntp_peer."

I think that's just useful for ISC ntpd, it checks stratum.



Re: Problem with state and PF on a 4.3 setup

2008-05-08 Thread Henning Brauer
* Steve Johnson <[EMAIL PROTECTED]> [2008-05-08 14:57]:
> Is the state direction tracking something that changed at one point of the 
> PF development or has it always been like that?

it has always been like that.

it is the only sane thing to do. once you exceed that little 2 
interfaces firewall scenario you'll see why... you put policies on 
interfaces, and anyone going from netA to netB must pass the outbound
policy on the netA facing interface and the inbound policy in the netB 
facing interface (to make things more confusing, the inbound policy is 
what gets written as "pass ->out<- on... anyway). with the one state 
covering everything you bypass netB's inbound policy, which is both 
dangerous and stupid.

ipfilter does it that way.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: How to copy/pipe console buffert to file?

2008-05-08 Thread rancor
Thanks! That did the trick =)

// rancor


On Thu, May 8, 2008 at 1:13 PM, mickey <[EMAIL PROTECTED]> wrote:

> On Thu, May 08, 2008 at 10:59:46AM +, mickey wrote:
> > On Thu, May 08, 2008 at 12:37:47PM +0200, rancor wrote:
> > > Hi
> > >
> > > Is there any way of copy/pipe the information on the console to a file? I
> > > need the same information that I can see if I hold down Ctrl+Shift and using
> > > PageUp/Down when I'm on the console. I'm not using serial, that would be
> > > simple but I'm stuck right on the machine.
> >
> > dd if=/dev/mem of=/tmp/a bs=32k skip=23 count=1
>
> if you ain't require original color pipe thru
> hexdump -e '"%_c\n"' | awk 'NR % 2 {s=s $0} END {print s}'|more
> cu
> --
> paranoic mickey   (my employers have changed but, the name has remained)



Re: Thinkpad T42 + OpenBSD 4.3 Freeze

2008-05-08 Thread Adam Patterson

Gonzalo Lionel Rodriguez wrote:

> Hi, everyone, I have a problem with my IBM Thinkpad T42 2373 and OpenBSD 4.3
> (stable and current), with 512mb of ram (default) works fine, when I add 1gb
> (kingston) the system works fine a few minutes, and then freezes without
> error or message.
>
> Here is my dmesg:

I have this same laptop somewhere in my closet. I'll give it a shot when
I get home. I don't have the exact memstick though.

Are you mounting it or just having it plugged in? Also, show your dmesg
right after you plug in the device if you can before it locks up.


.adam.



System memory available for kernel and PF

2008-05-08 Thread Steve Johnson

Hi,

Sorry for asking something else again so soon, but in my previous 
question, I received a link with a lot of useful information in regards 
to PF (http://undeadly.org/cgi?action=article&sid=20060927091645). 
However, one piece of information in that article could create an 
important issue for us:


"Not all memory of the host is available to the kernel, and the way the 
amount of physical RAM affects the amount available to the kernel 
depends on architecture and kernel options and version. As of OpenBSD 
3.6, an i386 kernel can use up to 256MB of memory. Prior to 3.6, that 
limit was much lower for i386. You could have 8GB of RAM in your host, 
and still pf would fail to allocate memory beyond a small fraction of 
that amount."


I saw at other places that there were some patches for 3.x that made it 
up to 768MB, and one other place that thought it was now default, but 
didn't manage to find any concluding information on the current status 
of this limitation. If it is still present, what's the current value and 
is there any way to manipulate it? The firewall for which this system 
will be used is a 4.3 i386 server, replacing an IPTables system, that 
will manage hundreds of thousands of sessions, but most of them generate 
little throughput, with answers that have around 20 bytes of payload.


We basically want to make sure that there will be sufficient memory to 
scale our current and future session tracking needs, especially as this 
service will increase in load.


Thanks again,
Steve Johnson



Re: Thinkpad T42 + OpenBSD 4.3 Freeze

2008-05-08 Thread Stephan Andre'
On Thursday 08 May 2008 08:59:22 Gonzalo Lionel Rodriguez wrote:
> Hi, everyone, i have a problem with my IBM Thinkpad T42 2373 and OpenBSD
> 4.3 (stable and current), with 512mb of ram (default) works fine, when i
> add 1gb (kingston) the system works fine a few minutes, and then freeze
> without error o message.
>
> Here is my dmesg:
>
>
> OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Pentium(R) M processor 1.60GHz ("GenuineIntel" 686-class)
> 1.60 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX
>,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2 real mem  = 1609527296 (1534MB)
> avail mem = 1547259904 (1475MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 07/27/05, BIOS32 rev. 0 @ 0xfd750,
> SMBIOS rev. 2.33 @ 0xe0010 (61 entries)
> bios0: vendor IBM version "1RETDLWW (3.17 )" date 07/27/2005
> bios0: IBM 2373RY1
> apm0 at bios0: Power Management spec V1.2
> apm0: battery life expectancy 97%
> apm0: AC on, battery charge high
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xfd6e0/0x920
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #6 is the last bus
> bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000
> 0xdc000/0x4000! 0xe/0x1
> cpu0 at mainbus0
> cpu0: Enhanced SpeedStep 1600 MHz (1340 mV): speeds: 1600, 1400, 1200,
> 1000, 800, 600 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82855PM Host" rev 0x03
> agp0 at pchb0: aperture at 0xd000, size 0x1000
> ppb0 at pci0 dev 1 function 0 "Intel 82855PM AGP" rev 0x03
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M7 LW" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
> uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11
> uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 11
> ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 11
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x81
> pci2 at ppb1 bus 2
> cbb0 at pci2 dev 0 function 0 "TI PCI4520 CardBus" rev 0x01: irq 11
> cbb1 at pci2 dev 0 function 1 "TI PCI4520 CardBus" rev 0x01: irq 11
> em0 at pci2 dev 1 function 0 "Intel PRO/1000MT (82540EP)" rev 0x03: irq 11,
> address 00:11:25:d5:bb:e2
> ipw0 at pci2 dev 2 function 0 "Intel PRO/Wireless 2100" rev 0x04: irq 11,
> address 00:13:e8:02:d6:9a
> cardslot0 at cbb0 slot 0 flags 0
> cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0xb0
> pcmcia0 at cardslot0
> cardslot1 at cbb1 slot 1 flags 0
> cardbus1 at cardslot1: bus 6 device 0 cacheline 0x8, lattimer 0xb0
> pcmcia1 at cardslot1
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x01: 24-bit
> timer at 3579545Hz
> pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x01: DMA,
> channel 0 configured to compatibility, channel 1 configured to co
> mpatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0:  SCSI0
> 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x01: irq 11
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC2700CL2.5
> spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC2700CL2.5
> auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x01: irq 11,
> ICH4 AC97
> ac97: codec id 0ac97: codec features headphone, 20 bit DAC, No 3D Stereo
> audio0 at auich0
> "Intel 82801DB Modem" rev 0x01 at pci0 dev 31 function 6 not configured
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb2 at uhci1: USB revision 1.0
> uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci2: USB revision 1.0
> uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: 
> spkr0 at pcppi0
> aps0 at isa0 port 0x1600/31
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> biomask effd netmask effd ttymask 
> mtrr: Pentium Pro MTRR support
> ugen0 at uhub3 port 2 "STMicroelectronics Biometric Coprocessor" r

Post-intrusion forensics

2008-05-08 Thread Chris Cameron
For our Windows/Solaris/Linux servers, we've had PWC say that they're
qualified and able to do post-intrusion forensics on our server(s).
I'm told this will go a long way in making everyone in our company as
well as our customers feel better. Partly because it's an outside
party verification of what happened, and partly because everyone knows
PWC.

What PWC won't do for us is OpenBSD forensics; and thus the reason for
this email. Does anyone know of a company that does this? We like big
names, but management seems to understand that that isn't always
possible with OpenBSD.


Any help would be appreciated.

Chris



Re: Thinkpad T42 + OpenBSD 4.3 Freeze

2008-05-08 Thread Mortheres
On Thu, 8 May 2008 09:59:22 -0300,
"Gonzalo Lionel Rodriguez" <[EMAIL PROTECTED]> wrote:

Hi,

> Hi, everyone, i have a problem with my IBM Thinkpad T42 2373 and
> OpenBSD 4.3 (stable and current), with 512mb of ram (default) works
> fine, when i add 1gb (kingston) the system works fine a few minutes,
> and then freeze without error o message.

Did you run a test of your RAM (with memtest for example)? I had
the same problem last year and I realized I have a half-assed memory
module.

Regards,


Guillaume



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Brian A. Seklecki
On Thu, 2008-05-08 at 14:33 +0200, Pete Vickers wrote:
> that works fine:
> 
> $ ~>/usr/local/libexec/nagios/check_ntp_time  -H ntp1
> NTP OK: Offset 0.0008395434124 secs|offset=0.000840s; 
> 60.00;120.00;
> 
> but, I'm trying to verify the NTP server's health, not that my  
> monitoring host is sync'd to it.


Nagios checks almost never have sufficient debugging mechanisms, and UDP
services don't send RST+ICMP.

You can always: $ sudo ntpdate -qdv [host to check]

~BAS

> "Notes:
>   This plugin checks the clock offset between the local host and a
>   remote NTP server. It is independent of any commandline programs or
>   external libraries.
> 
>   If you'd rather want to monitor an NTP server, please use
>   check_ntp_peer."
> 
> 
> but that doesn't work (for me) :
> 
> $ ~>/usr/local/libexec/nagios/check_ntp_peer -H ntp1 -t 3
> CRITICAL - Socket timeout after 3 seconds
> 
> 
> 
> /Pete
> 
> 
> 
> On 8 May 2008, at 1:55 PM, Stuart Henderson wrote:
> 
> > On 2008-05-08, Pete Vickers <[EMAIL PROTECTED]> wrote:
> >> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
> >> openntp service ? It appears to  rely upon services not implemented
> >> in openntp ?
> >
> > this is against an OpenNTP server;
> >
> > <[EMAIL PROTECTED]:12>$ /usr/local/libexec/nagios/check_ntp_time -H ntp
> > NTP OK: Offset -0.002711469308 secs|offset=-0.002711s; 
> > 60.00;120.00;
> >
> > so, it can work.
> 
-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.



Re: Thinkpad T42 + OpenBSD 4.3 Freeze

2008-05-08 Thread Adam Patterson

Gonzalo Lionel Rodriguez wrote:

> Sorry, but the 1gb is RAM not a memstick. 1 GB Kingston RAM + 512 MB
> (default) = 1.5 Gb ram the system freeze, with 512 mb ram (default) the
> system works fine.
>
> regards

then it's probably just a bad stick of memory :/



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Chris Kuethe
On Thu, May 8, 2008 at 8:52 AM, Brian A. Seklecki
<[EMAIL PROTECTED]> wrote:
>  Nagios checks almost never have sufficient debugging mechanisms, and UDP
>  services don't send RST+ICMP.

you should get an ICMP port unreachable if there is no UDP service listening.

i haven't looked at nagios, but i wonder if it's not trying to use NTP
"mode 6" control messages to get more status information out of the
daemon. openntpd doesn't support these queries...

>  You can always: $ sudo ntpdate -qdv [host to check]

or "rdate -pnv ". quite some time ago i added a check to make
rdate bail out if the server is unsync'd.

...
if ((data.status & STATUS_ALARM) == STATUS_ALARM) {
        warnx("Ignoring NTP server with alarm flag set");
        return (-1);
}
...

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
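
The two points in the message above (mode 6 control messages, and refusing a server whose alarm flag is set), worked through on raw packet bytes as an added example; this is not rdate's, openntpd's or Nagios's code. The function names, the reading of the alarm flag as leap indicator 3 in the first header octet, the stratum check and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First octet of an NTP packet: LI (2 bits) | VN (3 bits) | Mode (3 bits). */
#define NTP_LI_ALARM      3   /* clock unsynchronised; assumed to be what the
                                 quoted STATUS_ALARM test looks for */
#define NTP_MODE_SERVER   4   /* reply to a client (mode 3) time query */
#define NTP_MODE_CONTROL  6   /* "mode 6" control message */
#define NTP_TIME_LEN      48  /* fixed header of a time packet */
#define NTP_CONTROL_LEN   12  /* fixed header of a control message */
#define NTP_MAX_STRATUM   15  /* 0 and 16+ are not usable time sources */

enum ntp_verdict {
    NTP_USABLE, NTP_TRUNCATED, NTP_CONTROL_MESSAGE,
    NTP_NOT_SERVER_REPLY, NTP_ALARM, NTP_BAD_STRATUM
};

struct ntp_header { unsigned li, version, mode, stratum; };

/* Classify a datagram received from an NTP server. A monitoring check
 * should only trust the offset when the verdict is NTP_USABLE. */
enum ntp_verdict ntp_check_reply(const uint8_t *pkt, size_t len,
                                 struct ntp_header *out)
{
    struct ntp_header h = {0, 0, 0, 0};

    if (pkt == NULL || len < 1)
        return NTP_TRUNCATED;
    h.li = pkt[0] >> 6;
    h.version = (pkt[0] >> 3) & 0x07;
    h.mode = pkt[0] & 0x07;
    if (out != NULL)
        *out = h;

    /* Control messages have their own, shorter layout: octet 1 is an
     * opcode, not a stratum, so they must be split off before parsing. */
    if (h.mode == NTP_MODE_CONTROL)
        return len < NTP_CONTROL_LEN ? NTP_TRUNCATED : NTP_CONTROL_MESSAGE;

    if (len < NTP_TIME_LEN)
        return NTP_TRUNCATED;
    h.stratum = pkt[1];
    if (out != NULL)
        *out = h;

    if (h.mode != NTP_MODE_SERVER)
        return NTP_NOT_SERVER_REPLY;
    if (h.li == NTP_LI_ALARM)            /* server says it is unsynchronised */
        return NTP_ALARM;
    if (h.stratum == 0 || h.stratum > NTP_MAX_STRATUM)
        return NTP_BAD_STRATUM;
    return NTP_USABLE;
}

const char *ntp_verdict_name(enum ntp_verdict v)
{
    switch (v) {
    case NTP_USABLE:           return "usable";
    case NTP_TRUNCATED:        return "truncated";
    case NTP_CONTROL_MESSAGE:  return "mode 6 control message";
    case NTP_NOT_SERVER_REPLY: return "not a server reply";
    case NTP_ALARM:            return "alarm flag set, ignore server";
    case NTP_BAD_STRATUM:      return "unusable stratum";
    }
    return "unknown";
}

/* Build a constructed packet (all other fields zero) and classify it. */
enum ntp_verdict sample_verdict(unsigned li, unsigned vn, unsigned mode,
                                unsigned stratum, size_t len)
{
    uint8_t pkt[NTP_TIME_LEN];

    memset(pkt, 0, sizeof(pkt));
    if (len > sizeof(pkt))
        len = sizeof(pkt);
    pkt[0] = (uint8_t)(((li & 3) << 6) | ((vn & 7) << 3) | (mode & 7));
    pkt[1] = (uint8_t)stratum;
    return ntp_check_reply(pkt, len, NULL);
}

int main(void)
{
    /* Constructed samples: li, version, mode, stratum, datagram length. */
    static const struct { unsigned li, vn, mode, st; size_t len; } s[] = {
        {0, 4, 4, 2, 48},   /* healthy stratum-2 server reply */
        {3, 4, 4, 2, 48},   /* server reports alarm condition  */
        {0, 2, 6, 0, 12},   /* mode 6 control message          */
        {0, 4, 4, 2, 20},   /* datagram cut short              */
        {0, 4, 4, 16, 48},  /* stratum 16                      */
    };
    size_t i;

    for (i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("li=%u vn=%u mode=%u stratum=%u len=%zu -> %s\n",
               s[i].li, s[i].vn, s[i].mode, s[i].st, s[i].len,
               ntp_verdict_name(sample_verdict(s[i].li, s[i].vn, s[i].mode,
                                               s[i].st, s[i].len)));
    return 0;
}
```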



gmake error, please help :)

2008-05-08 Thread vatocleti
Hey all,
  I'm running OpenBSD 4.2/i386 and am booting bsd.mp. I have brought over a
linux program that uses gcc as the compiler.

I have installed the following sets:

- gmake-3.80p1.tgz
- gettext-0.14.6p0.tgz
- libiconv-1.9.2p3.tgz

and when I do a "gmake" I get the following two errors:

- " /bin/gmake[1]: ELF: not found"
- "/bin/gmake[365]: no closing quote

any ideas?

Thanks,
v.

-- 
View this message in context: 
http://www.nabble.com/gmake-error%2C-please-help-%3A%29-tp17129307p17129307.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Editing C with...

2008-05-08 Thread Marco Peereboom

Or you could just use vim...

On May 7, 2008, at 3:12 PM, "overdrive openbsd" <[EMAIL PROTECTED]> wrote:

> You can always use the name of command instead of keystrokes. Also you can
> customize these keys and change the defaults (customizable)
>
> On Wed, May 7, 2008 at 6:28 PM, Marco Peereboom <[EMAIL PROTECTED]> wrote:
>> I gave emacs quite the fighting chance.  Used it for 4 weeks and could
>> not deal with the sore hands & fingers anymore.
>>
>> emacs is great for people that don't mind finger gymnastics.  Vim is
>> much nicer for people with sore hands.
>>
>> On Wed, May 07, 2008 at 04:55:55PM +0100, overdrive openbsd wrote:
>>> Hi Jordi,
>>>
>>> I don't want to start a flamewar, but I will say my experience; after
>>> lot of years using vi and vim, I decide 'taste' emacs. Now I can see
>>> that the major part of users those use vi/vim is because they never
>>> tried more than 5 minutes on emacs or directly they never tried. Now I
>>> am more productive (-; of course stupid devels will be stupid in vi or
>>> emacs, but they will be slower to write their stupid code!
>>>
>>> Borja Tarraso
>>>
>>> On Sat, May 3, 2008 at 6:56 PM, Jordi Espasa Clofent
>>> <[EMAIL PROTECTED]> wrote:
>>>> Yes, I know, it's completely a dumb question; but I'm curious about it.
>>>>
>>>> I'm just learning C applied in networking area and I wonder what editor is
>>>> preferred by OpenBSD developers.
>>>>
>>>> At present moment I use vim.
>>>>
>>>> --
>>>> Thanks,
>>>> Jordi Espasa Clofent




Re: gmake error, please help :)

2008-05-08 Thread Louis V. Lambrecht

vatocleti wrote:

> Hey all,
>   I'm running OpenBSD 4.2/i386 and am booting bsd.mp. I have brought over a
> linux program that uses gcc as the compiler.
>
> I have installed the following sets:
>
> - gmake-3.80p1.tgz
> - gettext-0.14.6p0.tgz
> - libiconv-1.9.2p3.tgz
>
> and when I do a "gmake" I get the following two errors:
>
> - " /bin/gmake[1]: ELF: not found"
> - "/bin/gmake[365]: no closing quote
>
> any ideas?
>
> Thanks,
> v.

gmake != gcc != g++



Re: gmake error, please help :)

2008-05-08 Thread Andreas Maus
On Thu, May 08, 2008 at 10:22:01AM -0700, vatocleti wrote:
> Hey all,
Hi.

>   I'm running OpenBSD 4.2/i386 and am booting bsd.mp. I have brought over a
> linux program that uses gcc as the compiler.
> 
> I have installed the following sets:
> 
> - gmake-3.80p1.tgz
> - gettext-0.14.6p0.tgz
> - libiconv-1.9.2p3.tgz
> 
> and when I do a "gmake" I get the following two errors:
> 
> - " /bin/gmake[1]: ELF: not found"
> - "/bin/gmake[365]: no closing quote
*ahem*
Where does /bin/gmake come from ?
The gmake from gmake-3.80p1.tgz lives in /usr/local/bin/gmake

(And your /bin/gmake looks like a shell script.
Did you take a look at this script?)

HTH,

Andreas.


-- 
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.



Re: Thinkpad T42 + OpenBSD 4.3 Freeze

2008-05-08 Thread Gonzalo Lionel Rodriguez
Yes, it's the memory, the memtest freezes just like OpenBSD.

Thanks all.

Gonzalo.

2008/5/8 Adam Patterson <[EMAIL PROTECTED]>:

> Gonzalo Lionel Rodriguez wrote:
>
> > Sorry, but the 1gb is RAM not a memstick. 1 GB Kingston RAM + 512 MB
> > (default) = 1.5 Gb ram the system freeze, with 512 mb ram (default) the
> > system works fine.
> >
> > regards
> >
> >
> >
> >
> then it's probably just a bad stick of memory :/



Re: gmake error, please help :)

2008-05-08 Thread vatocleti
Louis V. Lambrecht-3 wrote:
> 
> vatocleti wrote:
>> Hey all,
>>   I'm running OpenBSD 4.2/i386 and am booting bsd.mp. I have brought over
>> a
>> linux program that uses gcc as the compiler.
>>
>> I have installed the following sets:
>>
>> - gmake-3.80p1.tgz
>> - gettext-0.14.6p0.tgz
>> - libiconv-1.9.2p3.tgz
>>
>> and when I do a "gmake" I get the following two errors:
>>
>> - " /bin/gmake[1]: ELF: not found"
>> - "/bin/gmake[365]: no closing quote
>>
>> any ideas?
>>
>> Thanks,
>> v.
>>
>>   
> gmake != gcc != g++
> 
> 
> 
Hi,
  This worked for me on a different system running the amd64 image, but
trying the same process with the same sets on a i386 (bsd.mp) image, I get
the error...not sure why? If I have a linux app, should I be able to build
with the native bsd make or do I need GNU (gmake)?

thanks in advance.
-- 
View this message in context: 
http://www.nabble.com/gmake-error%2C-please-help-%3A%29-tp17129307p17134268.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Editing C with...

2008-05-08 Thread Martin Marcher
On Thu, May 8, 2008 at 4:37 AM, Matthew Szudzik <[EMAIL PROTECTED]> wrote:
> And anyway, I'm a minimalist (that's why I run OpenBSD).

Really?

Funny, I get the feeling that I was forced to be a minimalist for
_not_ using OpenBSD the more I discover it...


-- 
http://tumblr.marcher.name
http://noneisyours.marcher.name
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.



Re: Window Manager

2008-05-08 Thread Manuel Wildauer
Fluxbox

On Sun, May 04, 2008 at 09:29:42PM -0300, Gonzalo Lionel Rodriguez wrote:
> I dont know if it is the place to ask it, but that window manager uses? And
> why?
> 
> Regards
---end quoted text---



Re: gmake error, please help :)

2008-05-08 Thread Philip Guenther
On Thu, May 8, 2008 at 1:05 PM, vatocleti <[EMAIL PROTECTED]> wrote:
...
>  This worked for me on a different system running the amd64 image, but
> trying the same process with the same sets on a i386 (bsd.mp) image, I get
> the error...not sure why?

amd64 and i386 are NOT interchangeable or compatible: you cannot run
an amd64 binary under the i386 kernel, nor vice versa.

(I'm actually surprised that the packages installed.  Did you copy the
binaries over instead of installing the packages?  Or did you override
pkg_add's warnings and use the -A or -Farch options?)


> If I have a linux app, should I be able to build
> with the native bsd make or do I need GNU (gmake)?

That depends on whether the app's makefiles were written to require
GNU make or not.  Since you didn't say what app this is, we can't
answer the question.

Of course, if this app has been added to the ports tree then building
it from there would be the simplest way forward.


Philip Guenther



(stupid?) softraid question

2008-05-08 Thread Per olof Ljungmark

Hi,
Just got 4.3 up and running and saw in dmesg output:
softraid0 at root

Well, I do not want softraid and did not try to configure it. Can I just 
safely ignore the message?


Thanks,

--per



Re: Editing C with...

2008-05-08 Thread Marc Balmer
The nice thing about editors is that we have so many of them to choose
from.

Everyone will be happy, like some prefer blondes, other brunettes ... ;)

Today one of our servers decided to send one of its disks to the abyss,
I was happy to be able to edit /etc/fstab in ed while in single user
mode.


ymmv, yemv!



Re: How to copy/pipe console buffert to file?

2008-05-08 Thread Joachim Schipper
On Thu, May 08, 2008 at 12:37:47PM +0200, rancor wrote:
> Hi
> 
> Is there any way of copy/pipe the information on the console to a file? I
> need the same information that I can see if I hold down Ctrl+Shift and using
> PageUp/Down when I'm on the console. I'm not using serial, that would be
> simple but I'm stuck right on the machine.

While Mickey's solution is rather cool, misc/screen would allow you to
copy text off the screen (Ctrl-A [, select. Ctrl-A ]). It also has a lot
of other useful commands.

Of course, screen isn't found everywhere, while dd pretty much is.

Joachim

-- 
TFMotD: term (7) - conventions for naming terminal types



Problems going from 4.3-release to -stable

2008-05-08 Thread Mike

Hello,

After a fresh install of obsd on a new server, I cannot update my system 
to -stable.


The src has been obtained from cvs in the usual manner.

Here is the error :-

# cd /usr/src/sys/arch/sparc64/conf/
# ls
CVS               GENERIC.MP        RAMDISK           RAMDISKU5
GENERIC           Makefile.sparc64  RAMDISKU1         files.sparc64
# config GENERIC
../../../../conf/files:1005: syntax error
../../../../conf/files:1006: syntax error
../../../../conf/files:1007: syntax error
../../../../conf/files:1008: syntax error
../../../../conf/files:1009: syntax error
../../../../conf/files:1010: syntax error
../../../../conf/files:1011: syntax error
../../../../conf/files:1012: syntax error
../../../../conf/files:1013: syntax error
../../../../conf/files:1014: syntax error
../../../../conf/files:1015: syntax error
../../../../conf/files:1016: syntax error
../../../../conf/files:1017: syntax error
../../../../conf/files:1018: syntax error
../../../../conf/files:1019: syntax error
../../../../conf/files:1020: syntax error
../../../../conf/files:1021: syntax error
../../../../conf/files:1022: syntax error
../../../../conf/files:1023: syntax error
../../../../conf/files:1024: syntax error
../../../../conf/files:1025: syntax error
../../../../conf/files:1026: syntax error
../../../../conf/files:1027: syntax error
../../../../conf/files:1028: syntax error
../../../../conf/files:1029: syntax error
../../../../conf/files:1030: syntax error
../../../../conf/files:1031: syntax error
../../../../conf/files:1032: syntax error
../../../../conf/files:1033: syntax error
../../../../conf/files:1034: syntax error
../../../../conf/files:1035: syntax error
../../../../conf/files:1036: syntax error
../../../../conf/files:1037: syntax error
../../../../conf/files:1038: syntax error
*** Stop.
# uname -a
OpenBSD atom 4.2 GENERIC#1427 sparc64

Am I missing something obvious?  This has not occurred on 4.2

Cheers, Mike



eeepc acpi

2008-05-08 Thread Pete Vickers

Hi Matthieu,

Just a quick note concerning the eeepc i386-laptop.html entry. I
acquired one today, and installed OpenBSD via pxeboot using the
builtin ethernet interface. Then I discovered it's not entire acpi
that causes panics, it's only acpibat. If you boot -c (or config -e)
then:

- disable apm
- enable acpi
- disable acpibat

you'll get the following:

# sysctl hw
hw.machine=i386
hw.model=Intel(R) Celeron(R) M processor 900MHz ("GenuineIntel" 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0,sd0
hw.diskcount=2
hw.sensors.acpitz0.temp0=54.05 degC (zone temperature)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.cpuspeed=631
hw.setperf=100
hw.vendor=ASUSTeK Computer INC.
hw.product=701
hw.version=x.x
hw.serialno=EeePC-1234567890
hw.uuid=80480a3a-bf04-dd81-37b7-001fc65688ff
hw.physmem=527527936
hw.usermem=527523840
#

and

# apmd
# apm -A
# apm
Battery state: absent, 0% remaining, unknown life estimate
A/C adapter state: connected
Performance adjustment mode: auto (75 MHz)


Full dmesg below:


/Pete


OpenBSD 4.3-current (GENERIC) #853: Fri May  2 04:37:23 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M processor 900MHz ("GenuineIntel" 686-class) 631 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF
real mem  = 527527936 (503MB)
avail mem = 501972992 (478MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/03/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xf06e0 (37 entries)
bios0: vendor American Megatrends Inc. version "0910" date 03/03/2008
bios0: ASUSTeK Computer INC. 701
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC OEMB MCFG
acpi0: wakeup devices P0P3(S0) P0P4(S0) P0P5(S0) P0P6(S0) P0P7(S0) MC97(S0) USB1(S0) USB2(S0) USB3(S0) USB4(S0) EUSB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (P0P3)
acpiprt2 at acpi0: bus 3 (P0P5)
acpiprt3 at acpi0: bus 1 (P0P6)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2
acpitz0 at acpi0: critical temperature 90 degC
acpibat at acpi0 not configured
acpiac0 at acpi0: AC unit online
acpiasus0 at acpi0
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibtn2 at acpi0: PWRB
bios0: ROM list: 0xc/0xf800!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915GM Host" rev 0x04
vga1 at pci0 dev 2 function 0 "Intel 82915GM Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xd000, size 0x1000
"Intel 82915GM Video" rev 0x04 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 "Intel 82801FB HD Audio" rev 0x04: irq 5
azalia0: codec[s]: Realtek/0x0662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x04: irq 5
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x04: irq 11
pci2 at ppb1 bus 3
lii0 at pci2 dev 0 function 0 "Attansic Technology L2" rev 0xa0: irq 11, address 00:1f:c6:56:88:ff
ukphy0 at lii0 phy 1: Generic IEEE 802.3u media interface, rev. 2: OUI 0x001374, model 0x0002
ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x04: irq 10
pci3 at ppb2 bus 1
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x04: irq 3
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x04: irq 7
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x04: irq 10
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x04: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x04: irq 3
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd4
pci4 at ppb3 bus 5
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FBM LPC" rev 0x04: PM disabled
pciide0 at pci0 dev 31 function 2 "Intel 82801FBM SATA" rev 0x04: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 1 drive 0: 
wd0: 1-sector PIO, LBA, 3815MB, 7815024 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x04: irq 7
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)

Re: Problems going from 4.3-release to -stable

2008-05-08 Thread Maurice Janssen
On Thursday, May  8, 2008 at 21:08:54 +, Mike wrote:
>Hello,
>
>After a fresh install of obsd on a new server, I cannot update my system 
>to -stable.
>
>The src has been obtained from cvs in the usual manner.
>
>Here is the error :-
>
># cd /usr/src/sys/arch/sparc64/conf/
># ls
>CVS               GENERIC.MP        RAMDISK           RAMDISKU5
>GENERIC           Makefile.sparc64  RAMDISKU1         files.sparc64
># config GENERIC

>../../../../conf/files:1038: syntax error
>*** Stop.
># uname -a
>OpenBSD atom 4.2 GENERIC#1427 sparc64

You are still running 4.2, not 4.3.  You cannot compile 4.3-stable on a
system running 4.2.  Did you really do a fresh install?

Maurice

BTW: you can find binaries for 4.3-stable at
ftp://ftp.z74.net/pub/OpenBSD/4.3-stable/ .  Not for all architectures,
but sparc64 is available.  Of course it's up to you to decide if you
have enough trust in me to use them.



Re: Problems going from 4.3-release to -stable

2008-05-08 Thread Mike
Ignore that question, the 'obvious' has come and hit me in the face after 
scratching my head for 4 hours, answer - I have installed 4.2 and not 4.3 
hence it won't build

Sorry guys!

On Thu, 8 May 2008, Mike wrote:


> Hello,
>
> After a fresh install of obsd on a new server, I cannot update my system to 
> -stable.
>
> The src has been obtained from cvs in the usual manner.
>
> Here is the error :-
>
> # cd /usr/src/sys/arch/sparc64/conf/
> # ls
> CVS               GENERIC.MP        RAMDISK           RAMDISKU5
> GENERIC           Makefile.sparc64  RAMDISKU1         files.sparc64
> # config GENERIC
> ../../../../conf/files:1005: syntax error
> ../../../../conf/files:1006: syntax error
> ../../../../conf/files:1007: syntax error
> ../../../../conf/files:1008: syntax error
> ../../../../conf/files:1009: syntax error
> ../../../../conf/files:1010: syntax error
> ../../../../conf/files:1011: syntax error
> ../../../../conf/files:1012: syntax error
> ../../../../conf/files:1013: syntax error
> ../../../../conf/files:1014: syntax error
> ../../../../conf/files:1015: syntax error
> ../../../../conf/files:1016: syntax error
> ../../../../conf/files:1017: syntax error
> ../../../../conf/files:1018: syntax error
> ../../../../conf/files:1019: syntax error
> ../../../../conf/files:1020: syntax error
> ../../../../conf/files:1021: syntax error
> ../../../../conf/files:1022: syntax error
> ../../../../conf/files:1023: syntax error
> ../../../../conf/files:1024: syntax error
> ../../../../conf/files:1025: syntax error
> ../../../../conf/files:1026: syntax error
> ../../../../conf/files:1027: syntax error
> ../../../../conf/files:1028: syntax error
> ../../../../conf/files:1029: syntax error
> ../../../../conf/files:1030: syntax error
> ../../../../conf/files:1031: syntax error
> ../../../../conf/files:1032: syntax error
> ../../../../conf/files:1033: syntax error
> ../../../../conf/files:1034: syntax error
> ../../../../conf/files:1035: syntax error
> ../../../../conf/files:1036: syntax error
> ../../../../conf/files:1037: syntax error
> ../../../../conf/files:1038: syntax error
> *** Stop.
> # uname -a
> OpenBSD atom 4.2 GENERIC#1427 sparc64
>
> Am I missing something obvious?  This has not occurred on 4.2
>
> Cheers, Mike




Re: uvm_fault after fsck on OpenBSD 3.9

2008-05-08 Thread Kirk Ismay

> You can probably test if I'm barking up the right tree or barking
> mad by booting a 4.3 bsd.rd and see if you can fsck your root
> partition.  Since you appear to have a serial console, I'd try to
> do this by booting single user, mount -f / (to skip the fsck), start
> the rest of the system, and copy over a 4.3 bsd.rd, then reboot off
> it.  If the fsck works, reboot, and upgrade the machine, please.
>
> Nick.

Turned out to be bad RAM. Fortunately the system had 2 512MB sticks, so 
we just pulled one and it's running fine.


I'll be upgrading soon.

--

Sincerely, 
Kirk Ismay

System Administrator

--
Net Idea
201-625 Front Street Nelson, BC V1L 4B6
P:250-352-3512 | F:250-352-9780 | TF:1-888-352-3512

Check out our brand new website! www.netidea.com



Re: Problems going from 4.3-release to -stable

2008-05-08 Thread Pierre Riteau
On Thu, May 08, 2008 at 09:08:54PM +, Mike wrote:
> Hello,
>
> After a fresh install of obsd on a new server, I cannot update my system to 
> -stable.
>
> The src has been obtained from cvs in the usual manner.
>
> Here is the error :-
>
> # cd /usr/src/sys/arch/sparc64/conf/
> # ls
> CVS               GENERIC.MP        RAMDISK           RAMDISKU5
> GENERIC           Makefile.sparc64  RAMDISKU1         files.sparc64
> # config GENERIC
> ../../../../conf/files:1005: syntax error
> ../../../../conf/files:1006: syntax error
> ../../../../conf/files:1007: syntax error
> ../../../../conf/files:1008: syntax error
> ../../../../conf/files:1009: syntax error
> ../../../../conf/files:1010: syntax error
> ../../../../conf/files:1011: syntax error
> ../../../../conf/files:1012: syntax error
> ../../../../conf/files:1013: syntax error
> ../../../../conf/files:1014: syntax error
> ../../../../conf/files:1015: syntax error
> ../../../../conf/files:1016: syntax error
> ../../../../conf/files:1017: syntax error
> ../../../../conf/files:1018: syntax error
> ../../../../conf/files:1019: syntax error
> ../../../../conf/files:1020: syntax error
> ../../../../conf/files:1021: syntax error
> ../../../../conf/files:1022: syntax error
> ../../../../conf/files:1023: syntax error
> ../../../../conf/files:1024: syntax error
> ../../../../conf/files:1025: syntax error
> ../../../../conf/files:1026: syntax error
> ../../../../conf/files:1027: syntax error
> ../../../../conf/files:1028: syntax error
> ../../../../conf/files:1029: syntax error
> ../../../../conf/files:1030: syntax error
> ../../../../conf/files:1031: syntax error
> ../../../../conf/files:1032: syntax error
> ../../../../conf/files:1033: syntax error
> ../../../../conf/files:1034: syntax error
> ../../../../conf/files:1035: syntax error
> ../../../../conf/files:1036: syntax error
> ../../../../conf/files:1037: syntax error
> ../../../../conf/files:1038: syntax error
> *** Stop.
> # uname -a
> OpenBSD atom 4.2 GENERIC#1427 sparc64
>
> Am I missing something obvious?  This has not occurred on 4.2
>
> Cheers, Mike
>

Well, the error is pretty obvious. Whatever you did, you are on 
OpenBSD 4.2 trying to build OpenBSD 4.3.
This doesn't work.

-- 
Pierre Riteau



Re: Editing C with...

2008-05-08 Thread Darrin Chandler
On Thu, May 08, 2008 at 10:02:22PM +0200, Marc Balmer wrote:
> The nice thing about editors is that we have so many of them to choose 
> from.
> Everyone will be happy, like some prefer blondes, other brunettes ... ;)
>
> Today one of our servers decided to send one of its disks to the abyss,
> I was happy to be able to edit /etc/fstab in ed while in single user mode.

If the name is ed, I doubt if blonde or brunette will make a difference
to me.

> ymmv, yemv!

Yes, apparently. ;-)

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



fsck large filesystem, memory limit problem

2008-05-08 Thread Will
Hello all,

I just upgraded to 4.3, and I would like to congratulate the devs on
another wonderful release! shutdown -p works and the wbng sensor
support was a nice surprise. However, the most useful feature to me
was the support for ffs2.

I upgraded without a hitch, and repartitioned from a 1tb filesystem to
a 2tb share mount point. However, when I try to fsck the system just
to make sure everything is ok, I receive this error:

# fsck -f /dev/sd0i
** /dev/rsd0i
** File system is already clean
cannot alloc 485015042 bytes for lncntp

I just upgraded to 3gb ram, so that should be a non-issue according to the faq.

I have tried `ulimit -d unlimited` (as suggested previously in the
archives), but the data limit will not go above 1048576, which I
suspect to be the problem. I'm sure that there is another silly limit
I am missing somewhere.

Thanks for any help!
-William

Here is a dmesg of my system:

OpenBSD 4.3 (GENERIC.MP) #1: Sat May  3 17:08:02 EDT 2008
   [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3219636224 (3070MB)
avail mem = 3110854656 (2966MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.51 @ 0xbfeea000 (35 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/12/2006
bios0: Supermicro PDSM4+
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP MCFG APIC BOOT SSDT
acpi0: wakeup devices PXHA(S5) PXHB(S5) DEV3(S5) EXP1(S5) EXP5(S5)
EXP6(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) COM2(S5) USB1(S4) USB2(S4)
USB3(S4) USB4(S4) EUSB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz, 2394.32 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 266MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz, 2394.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 3 pa 0xfecc, version 20, 24 pins
ioapic2 at mainbus0 apid 4 pa 0xfecc0400, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PXHA)
acpiprt2 at acpi0: bus 3 (PXHB)
acpiprt3 at acpi0: bus -1 (DEV3)
acpiprt4 at acpi0: bus 9 (EXP1)
acpiprt5 at acpi0: bus 13 (EXP5)
acpiprt6 at acpi0: bus 14 (EXP6)
acpiprt7 at acpi0: bus 15 (PCIB)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0xc0
ppb0 at pci0 dev 1 function 0 "Intel E7230 PCIE" rev 0xc0: apic 2 int 16
(irq 10)
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci2 at ppb1 bus 2
"Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 3
ppb3 at pci3 dev 3 function 0 "Intel IOP331 PCIX-PCIX" rev 0x07
pci4 at ppb3 bus 4
ami0 at pci4 dev 14 function 0 "Symbios Logic MegaRAID SATA 4x/8x" rev
0x07: apic 4 int 4 (irq 10)
ami0: LSI 3008, 32b, FW 815C, BIOS vH432, 128MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 1907348MB, 243152 cyl, 255 head, 63 sec, 512 bytes/sec, 3906248704
sec total
scsibus1 at ami0: 16 targets
"Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 3 not configured
ppb4 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 2 int
17 (irq 11)
pci5 at ppb4 bus 9
ppb5 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 2 int 17
(irq 11)
pci6 at ppb5 bus 13
em0 at pci6 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: apic 2
int 16 (irq 10), address 00:30:48:8b:b6:76
ppb6 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 2 int 16
(irq 10)
pci7 at ppb6 bus 14
em1 at pci7 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: apic 2
int 17 (irq 11), address 00:30:48:8b:b6:77
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int
23 (irq 5)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int
19 (irq 10)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int
18 (irq 11)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int
16 (irq 10)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int
23 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb7 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci8 at ppb7 bus 15
vga1 at pci8 dev 4 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emula

Re: fsck large filesystem, memory limit problem

2008-05-08 Thread David J. Stillman
Isn't this the 1GB application limit mentioned in FAQ 14.7 - " By the 
time one gets to a 2TB file system with default fragment and block 
sizes, fsck will require 1GB RAM to run, which is the application limit 
under OpenBSD. Larger fragments and/or blocks will reduce the number of 
inodes, and allow for larger file systems."?


Will wrote:
> Hello all,
>
> I just upgraded to 4.3, and I would like to congratulate the devs on
> another wonderful release! shutdown -p works and the wbng sensor
> support was a nice surprise. However, the most useful feature to me
> was the support for ffs2.
>
> I upgraded without a hitch, and repartitioned from a 1tb filesystem to
> a 2tb share mount point. However, when I try to fsck the system just
> to make sure everything is ok, I receive this error:
>
> # fsck -f /dev/sd0i
> ** /dev/rsd0i
> ** File system is already clean
> cannot alloc 485015042 bytes for lncntp
>
> I just upgraded to 3gb ram, so that should be a non-issue according to the faq.
>
> I have tried `ulimit -d unlimited` (as suggested previously in the
> archives), but the data limit will not go above 1048576, which I
> suspect to be the problem. I'm sure that there is another silly limit
> I am missing somewhere.
>
> Thanks for any help!
> -William


PF Congestion and state table question

2008-05-08 Thread Steve Johnson

Hi,

After successfully putting into testing the new firewall setup with some 
of our services, we are seeing some low congestion issues. It's not 
major, but since I'm only throwing it half our expected traffic for the 
time being, I would have liked it to be at 0.


Our setup is a 4.3 i386 (Xeon 3GHz) box with 6 Intel gigabit interfaces 
(em), all of them having at least one carp interface, and 2 of them 
having trunked VLANs. NAT is only applied to outgoing traffic, which is 
very minimal. Just about all of the traffic that I'm sending to it right 
now consists of very small XML requests over HTTP, so low throughput but 
very high session count. All the interfaces have the speed and duplex 
hardcoded at the switch and system level.


Here's a link that includes some possible debugging information from 
pfctl -si, some sysctl parameters, top load and dmesg:

http://www.sjohnson.info/other/diaginfo.txt

And here's the set of PF rules that are active:
http://www.sjohnson.info/other/pf.conf

Just about all the traffic that is coming in at the moment is hitting 
that first "pass in quick" rule.


Is the congestion issue that I'm getting considered "normal" under that 
type of traffic and with the present hardware? Are there any other 
settings that I should look into tweaking?


Also, is it expected that a total of 135K sessions in our link load 
balancers give us around 550K sessions with PF? I now know it's supposed 
to be at least double because of the directional state entry, but I just 
find the number alerting, especially since it was close to a 1:1 when we 
compared them to our netfilter states (agreeing that state processing is 
completely different between the two). This is with aggressive setting, 
as I was getting past 750K sessions with conservative setting.


Thanks again for help,
Steve Johnson



Re: fsck large filesystem, memory limit problem

2008-05-08 Thread Will
I did see that, but did not realize that the 1GB limit is not a
user-configurable feature.

Even so, the FAQ implies that a 2TB filesystem is possible with
default options, which is what I have.

relevant output of df:

Filesystem  512-blocks       Used      Avail Capacity  Mounted on
/dev/sd0i   3758267452 1935576944 1634777136    54%    /mnt/share

-William

On Thu, May 8, 2008 at 5:04 PM, David J. Stillman
<[EMAIL PROTECTED]> wrote:
> Isn't this the 1GB application limit mentioned in FAQ 14.7 - " By the time
> one gets to a 2TB file system with default fragment and block sizes, fsck
> will require 1GB RAM to run, which is the application limit under OpenBSD.
> Larger fragments and/or blocks will reduce the number of inodes, and allow
> for larger file systems."?
>
> Will wrote:
>>
>> Hello all,
>>
>> I just upgraded to 4.3, and I would like to congratulate the devs on
>> another wonderful release! shutdown -p works and the wbng sensor
>> support was a nice surprise. However, the most useful feature to me
>> was the support for ffs2.
>>
>> I upgraded without a hitch, and repartitioned from a 1tb filesystem to
>> a 2tb share mount point. However, when I try to fsck the system just
>> to make sure everything is ok, I receive this error:
>>
>> # fsck -f /dev/sd0i
>> ** /dev/rsd0i
>> ** File system is already clean
>> cannot alloc 485015042 bytes for lncntp
>>
>> I just upgraded to 3gb ram, so that should be a non-issue according to the
>> faq.
>>
>> I have tried `ulimit -d unlimited` (as suggested previously in the
>> archives), but the data limit will not go above 1048576, which I
>> suspect to be the problem. I'm sure that there is another silly limit
>> I am missing somewhere.
>>
>> Thanks for any help!
>> -William
>>

ftpchroot root directories

2008-05-08 Thread David Newman
Greetings. I'm setting up ftp access* for a number of users to a 
directory structure like this (assume "/" is an alias for the top of the 
tree):


Username  directory  perms

user1     /          rw
user2     /projects  r
user3     /projects  rw
user4     /          r

The FAQ and the ftpd(8) manpage say that chrooting goes to a user's home 
directory, and nothing about permissions.


Is there some other way of setting this up?

thanks

dn

ps. FTP is the client's choice, not mine. Same with this directory 
structure.




Re: (stupid?) softraid question

2008-05-08 Thread Stuart Henderson
On 2008-05-08, Per olof Ljungmark <[EMAIL PROTECTED]> wrote:
> Hi,
> Just got 4.3 up and running and saw in dmesg output:
> softraid0 at root
>
> Well, I do not want softraid and did not try to configure it. Can I just 
> safely ignore the message?

Yes.



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Stuart Henderson
On 2008-05-08, Chris Kuethe <[EMAIL PROTECTED]> wrote:
> On Thu, May 8, 2008 at 8:52 AM, Brian A. Seklecki
><[EMAIL PROTECTED]> wrote:
>>  Nagios checks almost never have sufficient debugging mechanisms, and UDP
>>  services don't send RST+ICMP.
>
> you should get an ICMP port unreachable if there is no UDP service listening.
>
> i haven't looked at nagios, but i wonder if it's not trying to use NTP
> "mode 6" control messages to get more status information out of the
> daemon. openntpd doesn't support these queries...

check_ntp_peer does exactly that.

>>  You can always: $ sudo ntpdate -qdv [host to check]
>
> or "rdate -pnv ". quite some time ago i added a check to make
> rdate bail out if the server is unsync'd.
>
> ...
> if ((data.status & STATUS_ALARM) == STATUS_ALARM) {
>         warnx("Ignoring NTP server with alarm flag set");
>         return (-1);
> }
> ...
>
> CK
>

check_ntp_time says "NTP CRITICAL: Offset unknown|" if that happens,
same as if the server isn't running. Not quite as much information as it
could give, but if you're basically looking to be alerted when your server
is broken, it's still helpful.
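
The alarm-flag check quoted above, generalised into a small reply classifier that also separates mode 6 control packets from ordinary server replies. This is an added example, not code from rdate, OpenNTPD or the Nagios plugins; the function and constant names are assumptions, the bit layout is the standard NTP header (RFC 5905), and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First NTP header byte (RFC 5905): LI (2 bits), VN (3 bits), Mode (3 bits). */
#define NTP_LI_MASK     0xc0    /* leap indicator bits */
#define NTP_LI_ALARM    0xc0    /* LI == 3: clock not synchronized */
#define NTP_MODE_MASK   0x07
#define NTP_MODE_SERVER 4       /* reply to an ordinary client (mode 3) query */
#define NTP_MODE_CTRL   6       /* control message */
#define NTP_MIN_LEN     48      /* basic header, no extensions or MAC */

enum ntp_verdict {
	NTP_USABLE,         /* synchronized server reply */
	NTP_TRUNCATED,      /* too short to be a time reply */
	NTP_NOT_SERVER,     /* not a mode 4 reply (for example mode 6) */
	NTP_UNSYNCHRONIZED  /* alarm flag set, or stratum 0 / 16 and above */
};

struct ntp_summary {
	unsigned leap, version, mode, stratum;
};

/* Decide whether a received datagram is a time reply a monitor may trust. */
enum ntp_verdict
ntp_classify(const uint8_t *pkt, size_t len, struct ntp_summary *s)
{
	memset(s, 0, sizeof(*s));
	if (pkt == NULL || len < 2)
		return NTP_TRUNCATED;
	s->leap = (pkt[0] & NTP_LI_MASK) >> 6;
	s->version = (pkt[0] >> 3) & 0x07;
	s->mode = pkt[0] & NTP_MODE_MASK;
	s->stratum = pkt[1];
	/* Control packets are shorter than 48 bytes, so test the mode first. */
	if (s->mode != NTP_MODE_SERVER)
		return NTP_NOT_SERVER;
	if (len < NTP_MIN_LEN)
		return NTP_TRUNCATED;
	/* Same test as the quoted rdate snippet: both LI bits set. */
	if ((pkt[0] & NTP_LI_MASK) == NTP_LI_ALARM)
		return NTP_UNSYNCHRONIZED;
	/* Stratum 0 (unspecified) and 16+ also mean "no usable time". */
	if (s->stratum == 0 || s->stratum >= 16)
		return NTP_UNSYNCHRONIZED;
	return NTP_USABLE;
}

/* Build a constructed 48-byte header; every other field stays zero. */
static void
make_sample(uint8_t *pkt, unsigned leap, unsigned version, unsigned mode,
    unsigned stratum)
{
	memset(pkt, 0, NTP_MIN_LEN);
	pkt[0] = (uint8_t)((leap << 6) | (version << 3) | mode);
	pkt[1] = (uint8_t)stratum;
}

static const char *
verdict_name(enum ntp_verdict v)
{
	switch (v) {
	case NTP_USABLE:         return "usable";
	case NTP_TRUNCATED:      return "truncated";
	case NTP_NOT_SERVER:     return "not a server reply";
	case NTP_UNSYNCHRONIZED: return "server unsynchronized";
	}
	return "unknown";
}

int
main(void)
{
	uint8_t pkt[NTP_MIN_LEN];
	struct ntp_summary s;

	make_sample(pkt, 0, 4, NTP_MODE_SERVER, 2);   /* healthy server */
	printf("%s\n", verdict_name(ntp_classify(pkt, sizeof(pkt), &s)));
	make_sample(pkt, 3, 4, NTP_MODE_SERVER, 0);   /* alarm flag set */
	printf("%s\n", verdict_name(ntp_classify(pkt, sizeof(pkt), &s)));
	make_sample(pkt, 0, 2, NTP_MODE_CTRL, 0);     /* mode 6 control */
	printf("%s\n", verdict_name(ntp_classify(pkt, 12, &s)));
	return 0;
}
```

Reporting the unsynchronized case separately from a missing reply gives an alert the extra detail that a bare "Offset unknown" lacks.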



Re: gmake error, please help :)

2008-05-08 Thread Louis V. Lambrecht

vatocleti wrote:
> Louis V. Lambrecht-3 wrote:
>> vatocleti wrote:
>>> Hey all,
>>>   I'm running OpenBSD 4.2/i386 and am booting bsd.mp. I have brought over a
>>> linux program that uses gcc as the compiler.
>>>
>>> I have installed the following sets:
>>>
>>> - gmake-3.80p1.tgz
>>> - gettext-0.14.6p0.tgz
>>> - libiconv-1.9.2p3.tgz
>>>
>>> and when I do a "gmake" I get the following two errors:
>>>
>>> - " /bin/gmake[1]: ELF: not found"
>>> - "/bin/gmake[365]: no closing quote
>>>
>>> any ideas?
>>>
>>> Thanks,
>>> v.
>>
>> gmake != gcc != g++
>
> Hi,
>   This worked for me on a different system running the amd64 image, but
> trying the same process with the same sets on a i386 (bsd.mp) image, I get
> the error...not sure why? If I have a linux app, should I be able to build
> with the native bsd make or do I need GNU (gmake)?
>
> thanks in advance.

We need more info:
- you list 3 applications you installed, to compile with gcc, but you
  don't list gcc
- you have an error /bin/gmake[1]: ELF: not found line 1, the shebang.
  on my system which gmake returns /usr/local/bin/gmake
- an error as "no closing quotes" can be what it means. It can be an
  error of the author.
  It can be caused by a Linuxism as using Ctrl+Enter to write a
  non-breaking space.
  Can be caused by a plain cp from one slice to the other without using
  FTP or NFS (which make the needed conversions as dos2unix ...)
  List goes on.  Can be a bug.
- do both systems you tried have the same toolchain?

What is a Linux app?
Portable sources should not have problems to compile with the proper
toolchain.



Re: PF Congestion and state table question

2008-05-08 Thread Steve Johnson

Hi,

Sorry, I hadn't noticed that I had removed that part of information by 
mistake when I split the debug information in a different file. I had 
been told about that setting and had seen the thread, which stated 
around 256MB per gigabit interface. I had tested from 1000 up to 2500, 
and although it did reduce the congestion a lot, I was still seeing over 
1 per second, which I can't consider that safe for production. I haven't 
tested higher than 2500 though.


Thanks,
Steve

Thomas Althoff wrote:
> What about net.inet.ip.ifq.maxlen  ?
>
> Try net.inet.ip.ifq.maxlen=2500 at least.
>
> I don't recall Henning's rule, search the archive something like X times
> your number of nics.
>
> -Thomas






OpenBSD and MSA500

2008-05-08 Thread OpenBSD - Wire Consulting

Hi!

Has anyone had success with OpenBSD using one of these beasts?
Actually OpenBSD runs on the DL380 nicely, but I was unable to
detect the MSA500 Disk Array...
Any ideas or it simply isn't supported?

dmesg follows

thanks,

Pedro


OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR

real mem  = 1073258496 (1023MB)
avail mem = 1029750784 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, 
SMBIOS rev. 2.3 @ 0xec000 (74 entries)

bios0: vendor HP version "P51" date 12/02/2004
bios0: HP ProLiant DL380 G4
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 3 (PCXA)
acpiprt2 at acpi0: bus 4 (PCXB)
acpiprt3 at acpi0: bus 2 (PTA0)
acpiprt4 at acpi0: bus 6 (PCXC)
acpiprt5 at acpi0: bus 10 (PCXD)
acpiprt6 at acpi0: bus 5 (PTC0)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1800 
0xee000/0x2000!

cpu0 at mainbus0
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c
pci1 at ppb0 bus 2
ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci2 at ppb1 bus 3
bge0 at pci2 dev 1 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 
(0x2100): irq 5, address 00:12:79:cf:c0:eb

brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 1 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 
(0x2100): irq 5, address 00:12:79:cf:c0:ea

brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 4
ciss0 at pci3 dev 3 function 0 "Compaq Smart Array 64xx" rev 0x01: irq 5
ciss0: 1 LD, HW rev 1, FW 2.36/2.36
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI0 0/direct 
fixed

sd0: 34727MB, 4427 cyl, 255 head, 63 sec, 512 bytes/sec, 71122560 sec total
ppb3 at pci0 dev 6 function 0 "Intel E7520 PCIE" rev 0x0c: irq 5
pci4 at ppb3 bus 5
ppb4 at pci4 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci5 at ppb4 bus 6
ppb5 at pci4 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci6 at ppb5 bus 10
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Compaq iLO" rev 0x01 at pci7 dev 4 function 0 not configured
"Compaq iLO" rev 0x01 at pci7 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  SCSI0 
5/cdrom removable

cd0(pciide0:0:0): using PIO mode 4
pciide0: channel 1 disabled (no drives)
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pccom1: probed fifo depth: 0 bytes
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ede5 netmask ede5 ttymask ffe7
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b



Re: PF Congestion and state table question

2008-05-08 Thread Thomas Althoff
What about net.inet.ip.ifq.maxlen  ?

Try net.inet.ip.ifq.maxlen=2500 at least.

I don't recall Henning's rule, search the archive something like X times
your number of nics.

-Thomas





Re: PF Congestion and state table question

2008-05-08 Thread Stuart Henderson
On 2008-05-08, Steve Johnson <[EMAIL PROTECTED]> wrote:
> Is the congestion issue that I'm getting considered "normal" under that
> type of traffic and with the present hardware? Are there any other
> settings that I should look into tweaking?

>> CPU states:  0.2% user,  0.0% nice,  1.9% system, 38.1% interrupt, 59.8% idle

cpu% in interrupt (which includes PF processing) will almost certainly 
spike higher than this instantaneous reading at times, leading to congestion.

>> scrub all random-id fragment reassemble

do you need to scrub/random-id _all_ of the traffic, in+out, on all
interfaces?

you're natting on the network Henning suggested you 'set skip' on
aren't you... if you can live with that breaking to test, try the 'set
skip' anyway and see if it helps enough to be worth working out
something else for the nat.

btw personally I'd rather have all the information in the list post
than have to fetch it by http, I expect it's probably the same for others..



snmpd

2008-05-08 Thread Tim Kuijsten
I'm a total noob to snmp and was excited snmpd from Reyk is included in 4.3. I 
started snmpd with the default config and net-snmp-walked the tree.

It looks like there is no info about disk usage, memory usage, load and other 
sensor stuff. I have no clue where to find the mibs (locate mib or locate .txt 
| grep snmp have no results) or how to load them..

Can I easily extend it with this mib 
http://www.packetmischief.ca/openbsd/snmp/sensors-mib-tree.txt or is there 
another way to get disk usage info from OpenBSD's new snmpd?

With kind regards,

Tim


  




Re: Post-intrusion forensics

2008-05-08 Thread Joachim Schipper
On Thu, May 08, 2008 at 09:02:48AM -0600, Chris Cameron wrote:
> For our Windows/Solaris/Linux servers, we've had PWC say that they're
> qualified and able to do post-intrusion forensics on our server(s).
> I'm told this will go a long way in making everyone in our company as
> well as our customers feel better. Partly because it's an outside
> party verification of what happened, and partly because everyone knows
> PWC.
> 
> What PWC won't do for us is OpenBSD forensics; and thus the reason for
> this email. Does anyone know of a company that does this? We like big
> names, but management seems to understand that that isn't always
> possible with OpenBSD.

You may get more useful responses if you are willing to share your
location... is UpNIX your company, or do you happen to have an account
with them?

Have you considered http://www.openbsd.org/support.html? Of course, all
those firms are somewhat smaller than PricewaterhouseCoopers. On the
other hand, some developers may be found there (I found Otto Moerbeek
and Reyk Floeter in the past; I'm sure I've missed some), and there are
quite a few firms specializing in security in one way or another. I am
not familiar with any of them, and any advice is likely to be
location-dependent anyway.

If you find an organization on http://www.openbsd.org/users.html that is
in some way related to your own, they may be able to offer some
assistance.

This is probably not an option for you, but it may be easier to find a
company that can audit/pentest OpenBSD than one that can do
post-intrusion forensics. OpenBSD has some tricks that can make actually
exploiting some common security vulnerabilities more difficult, but that
is not necessarily a problem unless you require a pen-test to actually
penetrate (as opposed to using it as a way of finding potentially
exploitable bugs).

If you are willing to undertake action yourself, note that AIDE is in
ports (security/aide) and security(8) runs nightly (and can be tuned to
watch additional files). Either can be very useful in post-intrusion
analysis or even in detecting an intrusion, especially on systems where
very few files change legitimately - like on a firewall, where only log
files will change. If so inclined, you could include AIDE on a bootable
CD containing file checksums. I've also seen a Samhain port on ports@,
and tools/sleuthkit is also available.
This is not necessarily sufficient for a general range of systems; but
if you use OpenBSD (only) as a router and firewall platform, this is a
very good - and cheap - way of doing intrusion detection and forensics.

Joachim

-- 
TFMotD: quiz (6) - random knowledge tests
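
The baseline-and-compare check that the AIDE and security(8) suggestion above relies on, as an added example (not part of the original post, and not AIDE's code or database format). The function names, the temporary file tree and the `var/log` exclusion are constructed for the illustration; in practice the baseline would be written to read-only media such as the bootable CD mentioned above.

```python
import hashlib
import json
import os
import stat
import tempfile

ATTRS = ("sha256", "mode", "uid", "gid")


def _rel(root, dirpath, name):
    """Path of an entry relative to root, with '/' separators."""
    return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")


def _excluded(rel, exclude):
    """True if rel is an excluded path or lies below one (e.g. log directories)."""
    return any(rel == e or rel.startswith(e + "/") for e in exclude)


def _digest(path, st):
    """SHA-256 of file contents, or of the link target for a symlink."""
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.fsencode(os.readlink(path)))
    else:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()


def snapshot(root, exclude=()):
    """Record digest, permission bits and ownership of every file under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories so they are never descended into.
        dirnames[:] = [d for d in dirnames
                       if not _excluded(_rel(root, dirpath, d), exclude)]
        for name in filenames:
            rel = _rel(root, dirpath, name)
            if _excluded(rel, exclude):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISLNK(st.st_mode)):
                continue  # devices, sockets and FIFOs are out of scope here
            snap[rel] = {"sha256": _digest(full, st),
                         "mode": stat.S_IMODE(st.st_mode),
                         "uid": st.st_uid, "gid": st.st_gid}
    return snap


def compare(baseline, current):
    """Report files added, removed, or changed in any recorded attribute."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for path in sorted(set(baseline) & set(current)):
        changed = [a for a in ATTRS if baseline[path][a] != current[path][a]]
        if changed:
            report["modified"][path] = changed
    return report


def demo():
    """Constructed firewall-like tree: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode=0o644):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
            os.chmod(path, mode)

        put("etc/pf.conf", "block all\n")
        put("etc/hosts", "127.0.0.1 localhost\n")
        put("bin/ls", "#!/bin/sh\n", 0o755)
        put("var/log/messages", "boot\n")
        # The JSON round trip stands in for storing the baseline off the host.
        baseline = json.loads(json.dumps(snapshot(root, exclude=("var/log",))))

        put("etc/pf.conf", "pass all\n")                  # content change
        os.chmod(os.path.join(root, "bin/ls"), 0o777)     # now world-writable
        os.remove(os.path.join(root, "etc/hosts"))        # file removed
        put("bin/.hidden", "x\n", 0o755)                  # file added
        put("var/log/messages", "boot\nlogin\n")          # expected churn, excluded
        return compare(baseline, snapshot(root, exclude=("var/log",)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```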



Re: snmpd

2008-05-08 Thread Brian A. Seklecki
On Thu, 2008-05-08 at 15:22 -0700, Tim Kuijsten wrote:
> It looks like there is no info about disk usage, memory usage, load
> and other sensor stuff. I have no clue where to find the mibs (locate
> mib or locate .txt | grep snmp have no results) or how to load them..

That's all in HOST-RESOURCES-MIB and UCD-DISKIO-MIB

Try:

$ snmptable -v2c -c [comm] [host] HOST-RESOURCES-MIB::hrStorageTable
$ snmptable -v2c -c [comm] [host] UCD-DISKIO-MIB::diskIOTable

The sensor stuff should be committed into the Ports version of Net-SNMP
by now.  I can get it committed to Pkgsrc if not.  It's just not been at
the top of my priority list.


-- 
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.



Re: ftpchroot root directories

2008-05-08 Thread Joachim Schipper
On Thu, May 08, 2008 at 02:52:50PM -0700, David Newman wrote:
> Greetings. I'm setting up ftp access* for a number of users to a directory 
> structure like this (assume "/" is an alias for the top of the tree):
>
> Username directory perms
> 
> user1/  rw
> user2/projects  r
> user3/projects  rw
> user4/  r
>
> The FAQ and the ftpd(8) manpage say that chrooting goes to a user's home 
> directory, and nothing about permissions.
>
> Is there some other way of setting this up?

> ps. FTP is the client's choice, not mine. Same with this directory 
> structure.

You could switch to a more featureful FTP daemon - vsftpd is likely to
be enough. It also supports FTP-with-SSL, which, while a many-tentacled
monstrosity, is at least preferable to plain FTP. As long as you don't
have to traverse stateful firewalls. (In vsftpd's defence, you can open
a range of ports only.)

However, OpenBSD's ftpd(8) should do. Aside from user4 being able to
write to /tmp and so on, at least - user/group permissions should
suffice. (Mode 0640? Feel free to set umask to 0137, see login.conf(5))

But you should probably at least try to get your client to consider
using sftp instead. Note that you can now have per-user chroots and
sftp-only accounts using sshd, and it's both less of a firewall-headache
and more secure than FTP. WinSCP is a very usable[1] interface for
anyone who is able to use an FTP client.

Also note that using sshd makes this directory layout almost sane.

Finally, if you do go with FTP, don't allow FTP accounts to log in.

Joachim

[1] Well, it is a graphical program and runs on Windows. But within
those constraints, I haven't had many problems with it.

-- 
PotD: x11/xcursor-themes - X11 Cursors themes



Re: PF Congestion and state table question

2008-05-08 Thread Henning Brauer
* Steve Johnson <[EMAIL PROTECTED]> [2008-05-09 00:25]:
> Sorry, I hadn't noticed that I had removed that part of information by 
> mistake when I split the debug information in a different file. I had been 
> told about that setting and had seen the thread, which stated around 256MB 
> per gigabit interface. I had tested from 1000 up to 2500, and although it 
> did reduce the congestion a lot, I was still seeing over 1 per second, 
> which I can't consider that safe for production. I haven't tested higher 
> than 2500 though.

you can try a bit more. modern nics tend to shovel a lot of packets per 
interrupt, and you have 6 of them. don't blindly increase, be careful, 
but don't stop too early either.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



pftop doesn't build with -current

2008-05-08 Thread Chris Smith
After upgrading to -current today pf did not run after building the 
kernel and rebooting. After building the userland and rebooting that 
problem is resolved. But now I can no longer build pftop from ports 
(cvs):

===>  Checking files for pftop-0.7
`/usr/ports/distfiles/pftop-0.7.tar.gz' is up to date.
>> (SHA256) pftop-0.7.tar.gz: OK
===>  Verifying specs:  c curses c curses
===>  found c.44.0 curses.10.0
===>  Extracting for pftop-0.7
===>  Patching for pftop-0.7
===>  Configuring for pftop-0.7
===>  Building for pftop-0.7
cc -O2 -pipe -Wall -DOS_LEVEL=42   -nostdinc -idirafter /usr/include -c 
pftop.c
pftop.c: In function `print_rule':
pftop.c:1478: error: structure has no member named `states'
*** Error code 1

Stop in /usr/ports/sysutils/pftop/w-pftop-0.7/pftop-0.7 (line 92 
of /usr/share/mk/sys.mk).
*** Error code 1

Stop in /usr/ports/sysutils/pftop (line 2112 
of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/sysutils/pftop (line 1412 
of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/sysutils/pftop (line 1910 
of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/sysutils/pftop (line 1442 
of /usr/ports/infrastructure/mk/bsd.port.mk).


Thank you for any assistance.
-- 
Chris



n2k8 network hackathon

2008-05-08 Thread Theo de Raadt
Perhaps some who watch the commit logs have already figured out that
most of the network developers are currently involved in a week-long
network hackathon in Japan.

A bit more information about this can be found at
http://openbsd.org/hackathons.html#n2k8

We are in a rather old hotel with an onsen in a seaside village, but
even with all the local distractions, the developer's noses are mostly
stuck in the code.  There are lots of commits happening to the network
parts of the tree.  Many future projects are being worked on too.

We would really like to thank Mark Uemura for putting us up in this
location and doing so much preparation and setup for the event.



OpenBSD release building systems

2008-05-08 Thread Olivier Mehani
Hi list,

After reading [0], [1] and [2] once again (it never hurts, hey?), I
started wondering the following.

We know [3] that big parts of OpenBSD releases, for several
archs, are built in Theo's basement [4]. But what I have not been able
to work out is what version of OpenBSD these machines are actually
running.  Is this -current, or the latest -stable?

Moreover, when it comes to upgrading these machines, what is the
preferred way to do so? Is this using the freshly baked new install
media to upgrade, maybe bsd.rd [5], or is it a complete reinstall?

I'm just being curious here (:

Thanks.

[0] http://www.openbsd.org/stable.html
[1] http://www.openbsd.org/faq/upgrade43.html
[2] http://www.openbsd.org/faq/faq5.html
[3] http://marc.info/?l=openbsd-misc&m=110098157015931&w=2
[4] http://www.openbsd.org/images/newrack.jpg
[5] http://www.openbsd.org/faq/faq4.html#bsd.rd

-- 
Olivier Mehani <[EMAIL PROTECTED]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654  6DFB 6845 4071 E346 2FD1



tpwireless

2008-05-08 Thread Adam Patterson
Anyone know of any documentation on tpwireless? Specifically how to 
"re-set" the bit that it unsets. There isn't a man page and there aren't 
any switches to cause 'usage' to show up.


I'm not completely sure that this is the problem but my X41 does not see 
the original iwi card that was in there. My dmesg is exactly the same as 
a regular X41, just doesn't show anything about the card anymore. Also 
no error on boot about the card being "non-centrino" like I have seen 
when cards just need to be reseated.


Would be willing to try to reset this bit to see if that helps. If not I 
guess I can recompile it.


Any thoughts would be greatly appreciated.
Thank you
.adam.



Re: n2k8 network hackathon

2008-05-08 Thread Gaby vanhegan
On 8 May 2008, at 20:24, Theo de Raadt wrote:

> Perhaps some who watch the commit logs have already figured out that
> most of the network developers are currently involved in a week-long
> network hackathon in Japan.
>
> A bit more information about this can be found at
> http://openbsd.org/hackathons.html#n2k8

Any pictures of the festivities online?

Gaby.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/



Re: OpenBSD release building systems

2008-05-08 Thread Joachim Schipper
On Fri, May 09, 2008 at 10:39:39AM +1000, Olivier Mehani wrote:
> Hi list,
> 
> After reading [0], [1] and [2] once again (it never hurts, hey?), I
> started wondering the following.
> 
> We know [3] that big parts of OpenBSD releases, for several
> archs, are built in Theo's basement [4]. But what I have not been able
> to work out is what version of OpenBSD these machines are actually
> running.  Is this -current, or the latest -stable?
> 
> Moreover, when it comes to upgrading these machines, what is the
> preferred way to do so? Is this using the freshly baked new install
> media to upgrade, maybe bsd.rd [5], or is it a complete reinstall?

OpenBSD, as a general rule, can only be built on a system "close" to the
target: -release to -stable, -current to a -current released not much
later, and so on. So I'm fairly certain the machines used for -stable
run -stable, etc.

In general, upgrading is done by the documented upgrade procedure,
although those specific machines could be handled another way. I don't
know.

Joachim

-- 
TFMotD: evcount, evcount_attach, evcount_detach (9) - generic interrupt
and event counter kernel API



Re: ral(4) hostap plea

2008-05-08 Thread Clint Pachl

James Turner wrote:
> I've been trying to get my new ral(4) card to work like I would expect it
> to. I've read through most if not all the talk on misc@ about running these
> cards in hostap mode.  I would really like to replace my wi(4), which
> works really well, with my new ral(4) and enjoy 11g and later wpa.
> Sadly, the performance is just not there in both 11b or 11g modes.
>
> Some info, the ral(4) is a Gigabyte GN-WP01GS which is an RT2561S.  My
> basic hostname.ral0 reads: inet 192.168.1.1 255.255.255.0 NONE media
> autoselect mode 11g mediaopt hostap nwid my_net nwkey secret chan 11.
> I've enabled RAL_DEBUG in my kernel and selected one of the standard
> channels with the highest power.  This is on 4.2 -release + patches.  If
> anyone has any new or additional information that might be helpful I
> would greatly appreciate it, otherwise I guess I'll stick to my trusted
> wi(4).


I used to have terrible reception and connectivity with my ral(4) when 
using OBSD4.0. It was always shutting down the interface, setting the 
OACTIVE bit. There was a nice patch in 4.1 that fixed this issue and 
upgrading almost eliminated my problems. I also determined that my 
ral(4) had a crappy antenna. I used an antenna with a 2 foot pigtail in 
order to get it up above my equipment. Then I built a parabolic shield 
like the one found here: http://www.freeantennas.com/projects/template/.


After that, my WLAN works like a dream. I was so frustrated for such a 
long time and was ready to go back to my Linksys wireless router. 
However, a little troubleshooting, upgrading, and tweaking got 
everything running like a champ.


I would say don't blame the OS. I have also had the experience that no 
matter what I do the reception/connectivity just sucks. That has been my 
experience with Planet Wireless NICs. I'm currently using LevelOne NICs 
(PCI and PCcard) and I'm extremely satisfied. We also have Macs that 
wirelessly stream video via 11g through the OpenBSD firewall and I've 
never had a problem. I would know if there were issues because my 
girlfriend would be bitching if she couldn't stream her shows.


I'd also like to note that antenna impedance matching can play a factor. 
I've got a Planet Wireless antenna connected to the LevelOne NIC. I was 
able to get higher signal strength on the LevelOne NIC with the Planet 
W. antenna than with the original LevelOne antenna.


One other thing I noticed is that my 2.4GHz cordless phones reduced 
signal for some NICs more than others. Try experimenting with different 
channels.


Here is my LevelOne PCI card that I bought from NewEgg years ago:

ral0 at pci0 dev 12 function 0 "Ralink RT2561S" rev 0x00: irq 11, 
address 00:11:6b:37:07:b2

ral0: MAC/BBP RT2661B, RF RT2527

-pachl



Re: tpwireless

2008-05-08 Thread Damien Miller
On Thu, 8 May 2008, Adam Patterson wrote:

> Anyone know of any documentation on tpwireless? Specifically how to "re-set"
> the bit that it unsets. There isn't a man page and there aren't any switches to
> cause 'usage' to show up.

There are no flags.
There is no usage doc.

However, if you edit the source and change the line:

b |= 0x80;

to read:

b &= ~0x80;

recompile and execute tpwireless, then it will clear the magic bit instead
of setting it.

-d



Re: tpwireless

2008-05-08 Thread Adam Patterson

Damien Miller wrote:
> On Thu, 8 May 2008, Adam Patterson wrote:
>
> > Anyone know of any documentation on tpwireless? Specifically how to "re-set"
> > the bit that it unsets. There isn't a man page and there aren't any switches to
> > cause 'usage' to show up.
>
> There are no flags.
> There is no usage doc.
>
> However, if you edit the source and change the line:
>
> b |= 0x80;
>
> to read:
>
> b &= ~0x80;
>
> recompile and execute tpwireless, then it will clear the magic bit instead
> of setting it.
>
> -d


Well. I didn't think that was it because I heard that bit didn't do 
anything on these models. Changed source, recompiled and that worked 
perfect.


Thanks for such a quick response Damien.



Re: Thinkpad X41 and tpwireless

2008-05-08 Thread Adam Patterson

Thomas Menari wrote:
> I have a X41 Tablet, and it has standard Atheros wireless:
> 04:02.0 Ethernet controller: Atheros Communications, Inc. AR5212
> 802.11abg NIC (rev 01)
>
> Tom.

You have any issues with that card or does it work fine. Maybe I'll buy 
one of those instead of downgrading to this slower X40 just to use 
wireless. Although I got it for an extended trip to India but it doesn't 
seem like there will be much wireless around anyway. :)




on K8M800: k8pnow_read_pending_wait: change pending stuck. hangs machine [solved]

2008-05-08 Thread Travers Buda
Posting this so others may find this solution.

Recently, my box was hanging.  I noticed in my dmesg
"k8pnow_read_pending_wait: change pending stuck."

Essentially, when reducing the vid and fid (Cool'nQuiet,) something
goes awry.

I had recently replaced my video card with something else, then
something else again.  Both these cards were causing the problem.
The culprits are a radeon 9000 all-in-wonder and the integrated via 
unichrome pro igp video on the K8M800.

Googling for the problem, I found cases of linux users with the
same problem.  Some indications are that the EVGA e-GeForce MX 4000
will also cause the problem.

It seems that this is a problem with the K8M800 from via.  Here's
the link to their product page:
http://www.via.com.tw/en/products/chipsets/k8-series/k8m800/

The A00 revision of the Matrox G45+ (G450) works fine though, that's
what I'm currently using.

So: avoid the K8M800 unless you have a cache of video cards and you
don't mind which one you use.  Hell, I'd just avoid the K8M800, the
damn integrated video on the chip does not play well with the rest
of the chip!  Seriously, guys.

-- 
Travers Buda



Final EUSecWest 2008 Speakers London May 21/22

2008-05-08 Thread Dragos Ruiu
The selected papers for EUSecWest 2008 are:

*   PhlashDance, discovering permanent denial of service attacks against
embedded systems - Rich Smith, HP Labs

*   Attacking Near Field Communications (NFC) Mobile Phones - Collin Muliner,
trifinite

*   Abusing X.509 certificate features - Alexander Klink, Cynops GmbH

*   Phoenix, and automated vulnerability finding - Tim Burrell, Microsoft

*   Cisco IOS Rootkits - Sebastian Muqiz, Core

*   Advances in attacking interpreted languages - Justin Ferguson, IOActive

*   One Token to Rule Them All: Post-Exploitation Fun in Windows Environments
- Luke Jennings, MWR InfoSecurity

*   Building the bridge between the Web Application and the OS: GUI access
through SQL Injection - Alberto Revelli, Portcullis

*   Satellite Systems - Adam Laurie, RFIDIOt.org

*   Browser Exploits - Attacks and Defense - Saumil Shah, Net Square

*   WebSphere MQ Security - Martyn Ruks, MWR InfoSecurity

Paper synopses are now up on the website.

This year there will be three Security Masters Dojo courses
on May 19/20, including a new course from Foundstone:

*   Ultimate Web Hacking - Nick Murison, Foundstone, a division of McAfee

*   Advanced Honeypot Tactics - Thorsten Holz, Aachen University

*   The Exploit Laboratory - Advanced Edition - Saumil Shah and Christopher Owen,
Net-Square and Consault

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   May 21/22 - 2008    http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp



Re: net-snmp and openbsd

2008-05-08 Thread Parvinder Bhasin
I got it going..finally just removed the package and installed it from  
ports and it worked like a charm.

Still having issues with graphing it using cacti.
Any know how...would be great to know.

Thx.

On May 7, 2008, at 4:15 PM, Aaron Glenn wrote:

> On Tue, May 6, 2008 at 10:03 PM, Parvinder Bhasin
> <[EMAIL PROTECTED]> wrote:
>
> > Appreciate any help.
> >
> > Thanks :)
>
> Does netstat show it listening on the correct IP? any reason to run
> net-snmp? I'd use the base snmpd unless you have a very specific
> reason to run net-snmp.
>
> aaron.glenn


Re: How to copy/pipe console buffert to file?

2008-05-08 Thread rancor
Screen is an awesome tool but it can't capture everything that happened
during boot.

The dd-solution did the trick perfectly, except when I put the data into
Microsoft Windows because there was a bunch of unwritable characters that I
had to take care of.

Thanks anyway

Regards rancor

On Thu, May 8, 2008 at 10:06 PM, Joachim Schipper <
[EMAIL PROTECTED]> wrote:

> On Thu, May 08, 2008 at 12:37:47PM +0200, rancor wrote:
> > Hi
> >
> > Is there any way of copy/pipe the information on the console to a file? I
> > need the same information that I can see if I hold down Ctrl+Shift and using
> > PageUp/Down when I'm on the console. I'm not using serial, that would be
> > simple but I'm stuck right on the machine.
>
> While Mickey's solution is rather cool, misc/screen would allow you to
> copy text off the screen (Ctrl-A [, select. Ctrl-A ]). It also has a lot
> of other useful commands.
>
> Of course, screen isn't found everywhere, while dd pretty much is.
>
>Joachim
>
> --
> TFMotD: term (7) - conventions for naming terminal types



How to filter based on application protocol being used

2008-05-08 Thread Srikant Tangirala
Hello All

Since many of standard services can be made to
listen on any port on the server side, and proxies
with custom configuration can be used in cases
otherwise, how effective is a firewall if it blocks
based on standard service ports? Is there a way
in which the application protocols being used can
be detected and then this knowledge be used to
let pf know what to filter and what not?  So, is
there some way to ensure that traffic to port 53
is in fact not from a program like iodine and what
goes to port 80 is only HTTP/HTTPS, and so on
for all the common protocols? With my little bit
of knowledge what I figure is that we need some
piece of software(s) which understands each protocol
thoroughly, can look at raw packets in real-time
and detect the protocol being used. Even then,
it may get bypassed in cases like 'protocol obfuscation'
feature of eMule being used, or if sufficient amount
of random garbage traffic is generated to deter proper
analysis.

Please correct if I am wrong or the question itself
is impertinent to this list.

Any help will be great. Thanks in advance.

Srikant Tangirala.



Re: How to filter based on application protocol being used

2008-05-08 Thread Reyk Floeter
On Fri, May 09, 2008 at 10:40:18AM +0530, Srikant Tangirala wrote:
> let pf know what to filter and what not?  So, is
> there some way to ensure that traffic to port 53
> is in fact not from a program like iodine and what
> goes to port 80 is only HTTP/HTTPS, and so on
> for all the common protocols? With my little bit

you can redirect the outgoing traffic through a pf proxy which
understands and enforces the common parts of the protocol.  this does
not prevent anyone to tunnel something else in the well-defined
protocol, like SSH over DNS, but it at least allows to make it a
little bit stricter. 

examples are ftp-proxy(8), tftp-proxy(8), relayd(8) (DNS, HTTP, and
more), ... some people also like squid with pf patches from ports; but
i'm feeling sorry for them.

reyk
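
What "understands and enforces the common parts of the protocol" can mean for port 53, as an added example (not part of the original post and not relayd's code): a structural check rejects payloads that are not DNS queries at all, while a well-formed query that carries encoded data in its name still passes, which is the limit described above. All function names, the sample payloads and `t.example.com` are constructed; only plain, non-EDNS queries are handled.

```python
import struct


class NotDNS(ValueError):
    """Payload is not a structurally valid plain DNS query."""


def build_query(name, qtype, ident=0x1234):
    """Build a minimal DNS query (RD set, one question, class IN)."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)


def parse_query(payload):
    """Validate header, counts and question section; return the parsed question."""
    if not 12 <= len(payload) <= 512:
        raise NotDNS("length outside 12..512 bytes")
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        raise NotDNS("QR bit set: a response, not a query")
    if (flags >> 11) & 0xF:
        raise NotDNS("opcode is not QUERY")
    if (qd, an, ns, ar) != (1, 0, 0, 0):
        raise NotDNS("unexpected section counts")

    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise NotDNS("name runs past end of packet")
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:
            raise NotDNS("label longer than 63 bytes or compression pointer")
        label = payload[pos:pos + n]
        if len(label) != n:
            raise NotDNS("truncated label")
        labels.append(label.decode("ascii", "backslashreplace"))
        pos += n
    if pos - 12 > 255:
        raise NotDNS("name longer than 255 bytes")
    if len(payload) - pos != 4:
        raise NotDNS("missing or trailing bytes after the question")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return {"qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
            "longest_label": max(map(len, labels), default=0)}


def verdict(payload):
    """Return ('pass', question) or ('reject', reason) for one UDP payload."""
    try:
        return "pass", parse_query(payload)
    except NotDNS as exc:
        return "reject", str(exc)


# Constructed sample payloads as they might arrive on UDP port 53.
DNS_QUERY = build_query("www.openbsd.org", 1)            # ordinary A query
SSH_BANNER = b"SSH-2.0-OpenSSH_4.8\r\n"                  # not DNS at all
HTTP_GET = b"GET / HTTP/1.0\r\n\r\n"                     # not DNS at all
TRUNCATED = DNS_QUERY[:-3]                               # damaged query
# Well-formed TXT query whose first label is 60 bytes of encoded-looking data.
TUNNEL_LIKE = build_query("mzxw6ytboi" * 6 + ".t.example.com", 16)

if __name__ == "__main__":
    for name in ("DNS_QUERY", "SSH_BANNER", "HTTP_GET", "TRUNCATED", "TUNNEL_LIKE"):
        print(name, verdict(globals()[name]))
```

The `longest_label` field is returned so that a logging layer can flag unusually long labels, since the structural check alone cannot tell the last sample from ordinary traffic.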



Re: n2k8 network hackathon

2008-05-08 Thread Karl Sjodahl - dunceor
On Fri, May 9, 2008 at 2:24 AM, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> Perhaps some who watch the commit logs have already figured out that
> most of the network developers are currently involved in a week-long
> network hackathon in Japan.
>
> A bit more information about this can be found at
> http://openbsd.org/hackathons.html#n2k8
>
> We are in a rather old hotel with an onsen in a seaside village, but
> even with all the local distractions, the developer's noses are mostly
> stuck in the code.  There are lots of commits happening to the network
> parts of the tree.  Many future projects are being worked on too.
>
> We would really like to thank Mark Uemura for putting us up in this
> location and doing so much preparation and setup for the event.
>
>

Really cool.
I haven't kept an eye on the cvs logs so haven't noticed this. Very
nice that more specific hackathon are being held.
Keep up the good work and we look forward to test all kind of new stuff!!

Thanks!

BR
dunceor



Re: How to filter based on application protocol being used

2008-05-08 Thread Reyk Floeter
On Fri, May 09, 2008 at 10:40:18AM +0530, Srikant Tangirala wrote:
> for all the common protocols? With my little bit
> of knowledge what I figure is that we need some
> piece of software(s) which understands each protocol
> thoroughly, can look at raw packets in real-time
> and detect the protocol being used. Even then,

ah, i'm just looking at your mail again - you are kidding, there is
no way to do content inspection in "real-time". go and use linux where
you can use stupid and dangerous stuff in the kernel. this is not what
openbsd is about.

reyk



what is different in socket connection handling ?

2008-05-08 Thread Benoit Chesneau
Hi all,

For 2 months, I've been fighting with the couchdb database document server
(http://www.couchdb.org) on openbsd but I have a "performance" problem
while connecting to it:
https://issues.apache.org/jira/browse/COUCHDB-40

These problems are specific to openbsd, everything works on other os
(bsd, osx or even linux). It seems like when you don't properly close
the connection with socket close() or http header "Connection: close"
(you access couchdb via http) on the client side, the server
continues to listen on this socket/address until it dies, which it does
not on other os. So when I launch multiple GETs serially with curl, it
takes a long time between each request. Any idea what's going on and
where I have to look to improve it?

- benoît


--
- benoît



Re: fsck large filesystem, memory limit problem

2008-05-08 Thread Otto Moerbeek
On Thu, May 08, 2008 at 05:18:26PM -0400, Will wrote:

> I did see that, but did not realize that the 1GB limit is not a
> user-configurable feature.
> 
> Even so, the FAQ implies that a 2TB filesystem is possible with
> default options, which is what I have.

It might be the 2TB limit is a little too high, and the actual limit
is lower. Can you show us your disklabel entry for /dev/sd0i and the
output of df -i?

-Otto

> 
> relevant output of df:
> 
> Filesystem  512-blocks  Used Avail Capacity  Mounted on
> /dev/sd0i   3758267452 1935576944 1634777136    54%    /mnt/share
> 
> -William
> 
> On Thu, May 8, 2008 at 5:04 PM, David J. Stillman
> <[EMAIL PROTECTED]> wrote:
> > Isn't this the 1GB application limit mentioned in FAQ 14.7 - " By the time
> > one gets to a 2TB file system with default fragment and block sizes, fsck
> > will require 1GB RAM to run, which is the application limit under OpenBSD.
> > Larger fragments and/or blocks will reduce the number of inodes, and allow
> > for larger file systems."?
> >
> > Will wrote:
> >>
> >> Hello all,
> >>
> >> I just upgraded to 4.3, and I would like to congratulate the devs on
> >> another wonderful release! shutdown -p works and the wbng sensor
> >> support was a nice surprise. However, the most useful feature to me
> >> was the support for ffs2.
> >>
> >> I upgraded without a hitch, and repartitioned from a 1tb filesystem to
> >> a 2tb share mount point. However, when I try to fsck the system just
> >> to make sure everything is ok, I receive this error:
> >>
> >> # fsck -f /dev/sd0i
> >> ** /dev/rsd0i
> >> ** File system is already clean
> >> cannot alloc 485015042 bytes for lncntp
> >>
> >> I just upgraded to 3gb ram, so that should be a non-issue according to the
> >> faq.
> >>
> >> I have tried `ulimit -d unlimited` (as suggested previously in the
> >> archives), but the data limit will not go above 1048576, which I
> >> suspect to be the problem. I'm sure that there is another silly limit
> >> I am missing somewhere.
> >>
> >> Thanks for any help!
> >> -William
> >>
> >> Here is a dmesg of my system:
> >>
> >> OpenBSD 4.3 (GENERIC.MP) #1: Sat May  3 17:08:02 EDT 2008
> >>   [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >> real mem = 3219636224 (3070MB)
> >> avail mem = 3110854656 (2966MB)
> >> mainbus0 at root
> >> bios0 at mainbus0: SMBIOS rev. 2.51 @ 0xbfeea000 (35 entries)
> >> bios0: vendor Phoenix Technologies LTD version "6.00" date 07/12/2006
> >> bios0: Supermicro PDSM4+
> >> acpi0 at bios0: rev 0
> >> acpi0: tables DSDT FACP MCFG APIC BOOT SSDT
> >> acpi0: wakeup devices PXHA(S5) PXHB(S5) DEV3(S5) EXP1(S5) EXP5(S5)
> >> EXP6(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) COM2(S5) USB1(S4) USB2(S4)
> >> USB3(S4) USB4(S4) EUSB(S4)
> >> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> >> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> >> cpu0 at mainbus0: apid 0 (boot processor)
> >> cpu0: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz, 2394.32 MHz
> >> cpu0:
> >>
> >> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
> >> cpu0: 4MB 64b/line 16-way L2 cache
> >> cpu0: apic clock running at 266MHz
> >> cpu1 at mainbus0: apid 1 (application processor)
> >> cpu1: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz, 2394.00 MHz
> >> cpu1:
> >>
> >> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
> >> cpu1: 4MB 64b/line 16-way L2 cache
> >> ioapic0 at mainbus0 apid 2 pa 0xfec0, version 20, 24 pins
> >> ioapic1 at mainbus0 apid 3 pa 0xfecc, version 20, 24 pins
> >> ioapic2 at mainbus0 apid 4 pa 0xfecc0400, version 20, 24 pins
> >> acpiprt0 at acpi0: bus 0 (PCI0)
> >> acpiprt1 at acpi0: bus 2 (PXHA)
> >> acpiprt2 at acpi0: bus 3 (PXHB)
> >> acpiprt3 at acpi0: bus -1 (DEV3)
> >> acpiprt4 at acpi0: bus 9 (EXP1)
> >> acpiprt5 at acpi0: bus 13 (EXP5)
> >> acpiprt6 at acpi0: bus 14 (EXP6)
> >> acpiprt7 at acpi0: bus 15 (PCIB)
> >> acpicpu0 at acpi0
> >> acpicpu1 at acpi0
> >> acpibtn0 at acpi0: PWRB
> >> ipmi at mainbus0 not configured
> >> pci0 at mainbus0 bus 0: configuration mode 1
> >> pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0xc0
> >> ppb0 at pci0 dev 1 function 0 "Intel E7230 PCIE" rev 0xc0: apic 2 int 16
> >> (irq 10)
> >> pci1 at ppb0 bus 1
> >> ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
> >> pci2 at ppb1 bus 2
> >> "Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 1 not configured
> >> ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
> >> pci3 at ppb2 bus 3
> >> ppb3 at pci3 dev 3 function 0 "Intel IOP331 PCIX-PCIX" rev 0x07
> >> pci4 at ppb3 bus 4
> >> ami0 at pci4 dev 14 function 0 "Symbios Logic MegaRAID SATA 4x/8x" rev
> >> 0x07: apic 4 int 4 (irq 10)
> >> ami0: LSI 3008, 32b, FW 815C, BIOS vH432, 128MB RAM
> >> ami0: 1 channels, 0 FC loops, 1 logical drives
> >> scsib