Re: Question about PHP safe mode
On 2015-06-23, Markus Rosjat <ros...@ghweb.de> wrote:
> Hi there,
>
> just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP version. The safe_mode is on, a customer wants to have it off. Is there any security risk to it or do I need to check something on the system level to disable it but still have my environment secured?

safe_mode was removed in PHP 5.4. Take a look at http://php.net/supported-versions.php - so, safe_mode is not available in any version of PHP which is still receiving security updates.

PHP 5.2.4 definitely has a security risk to it. If you're running PHP, *especially* with customer-provided or otherwise untrusted scripts, you really ought to be tracking recent versions closely.

Suggestion: set up a new machine/VM with OpenBSD 5.7, install the newest PHP version, run openup (https://stable.mtier.org/) regularly to get updated versions, and get your customer to move across to it (this should be an easy decision for them to make as they want safe_mode off anyway). And arrange a process to keep things up-to-date...
Re: httpd feature request: auto index.txt
On 2015-06-23 Tue 08:23 AM |, Nick Holland wrote:
> On 06/23/15 06:14, Craig Skinner wrote:
>> Ummm I was thinking of something that could generate $RELEASE index.txt files, including siteXX.tgz siteXX-hostname.tgz files.
>
> oh please no. That is NOT the web server's job!
>
> This is a task easily -- and properly! -- done outside the web server. Your script is the right idea, but it should be run whenever whatever updates the contents of the directory runs, rather than periodically from cron.

The release-indexer script is run manually as an unpriv user, after building siteXX files. The script I use to generate siteXX files needs to run as root. I have unpriv cron run release-indexer too, in case I forget that step...

> Even if the idea of generating a /very/ special purpose file in the web server wasn't a bad idea all around, you will note that this also violates the design of the chrooted webserver -- not only do you now have the webserver CREATING files, you have it doing it in the content area.

When httpd auto generates an index.html, it doesn't get written to disk. I was thinking httpd could pump out an index.txt file too. Probably pretty much the same code, without the CSS links. Yes?

-- 
Show respect for age. Drink good whisky for a change.
Re: httpd feature request: auto index.txt
On Tue, June 23, 2015 6:15 am, Craig Skinner wrote:
> On 2015-06-22 Mon 12:39 PM |, Noah wrote:
>> On Mon, Jun 22, 2015 at 11:58 AM, Craig Skinner <skin...@britvault.co.uk> wrote:
>>> *) either/both .txt/.html
>>> *) .txt output something like: ls [-l[h]] | fgrep -v index.txt
>>
>> Does auto index do the trick? It doesn't make an index.html/txt file, but it does provide file names and links as you'd expect.
>
> Ummm I was thinking of something that could generate $RELEASE index.txt files, including siteXX.tgz siteXX-hostname.tgz files.
>
> e.g:
> $ ftp -o /tmp/internal-index.txt http://mirror.internal/pub/OpenBSD/5.6/i386/index.txt

Are you trying to generate the index on this internal mirror or on the system that's downloading the install sets?

> At the moment, I'm using a cron driven script to create index.txt files:
>
> $ fgrep index ~webmaster/crontab.bak
> @weekly release-indexer
>
> $ cat ~webmaster/bin/release-indexer

Maybe there is something specific you need to work around but I feel like you're making this a lot more complicated than it needs to be. When you populate the mirror why not just generate the index then? All it takes is:

ls -nT > index.txt

Tim.
Re: httpd feature request: auto index.txt
On 06/23/15 06:14, Craig Skinner wrote:
> On 2015-06-22 Mon 12:39 PM |, Noah wrote:
>> On Mon, Jun 22, 2015 at 11:58 AM, Craig Skinner <skin...@britvault.co.uk> wrote:
>>> *) either/both .txt/.html
>>> *) .txt output something like: ls [-l[h]] | fgrep -v index.txt
>>
>> Does auto index do the trick? It doesn't make an index.html/txt file, but it does provide file names and links as you'd expect.
>
> Ummm I was thinking of something that could generate $RELEASE index.txt files, including siteXX.tgz siteXX-hostname.tgz files.

oh please no. That is NOT the web server's job!

This is a task easily -- and properly! -- done outside the web server. Your script is the right idea, but it should be run whenever whatever updates the contents of the directory runs, rather than periodically from cron.

Even if the idea of generating a /very/ special purpose file in the web server wasn't a bad idea all around, you will note that this also violates the design of the chrooted webserver -- not only do you now have the webserver CREATING files, you have it doing it in the content area.

(actually, if you are intent on doing this wrong, you might be able to use the location key word to call a CGI script when you try to fetch index.txt...but again, this is (in my opinion) the wrong way to do THIS task)

Nick.
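The approach Nick and Tim describe above, generating index.txt from the same step that changes the release directory so httpd never writes inside its chroot and cron never lags, as an added example that is not code from the thread (Craig's release-indexer script is not shown on the page). It assumes the caller runs as the unprivileged user owning the mirror tree and accepts `ls -ln` output as the index format; the thread's `ls -nT` relies on an OpenBSD-specific -T flag, so the portable form is used here.

```shell
#!/bin/sh
# Added example, not from the thread: generate index.txt for a release
# directory from the same step that changes the directory, instead of from
# cron or from httpd itself (httpd stays read-only inside its chroot).
# Assumptions: it runs as the unprivileged user that owns the mirror tree,
# and `ls -ln` output is an acceptable index format (the thread uses `ls -nT`,
# whose -T flag is not portable outside OpenBSD).
set -eu

# Write $1/index.txt listing every file in $1 except index.txt itself.
# The listing is built under a dotfile name (hidden from ls) and renamed into
# place, so a client fetching index.txt never sees a half-written file.
gen_index() {
    dir=$1
    [ -d "$dir" ] || { echo "gen_index: $dir is not a directory" >&2; return 1; }
    tmp="$dir/.index.txt.$$"
    ( cd "$dir" && ls -ln | grep -v ' index\.txt$' ) > "$tmp"
    mv "$tmp" "$dir/index.txt"
}

# Publish a new set (e.g. a siteXX.tgz) into a release directory and refresh
# the index in the same step, which is the ordering the thread recommends.
publish() {
    src=$1
    dir=$2
    cp "$src" "$dir/"
    gen_index "$dir"
}

# Return 0 if $1/index.txt lists the file named $2 (used to verify a publish).
index_lists() {
    grep -q " $2\$" "$1/index.txt"
}

# Stand-alone use: gen_index /path/to/pub/OpenBSD/5.7/amd64
if [ $# -gt 0 ]; then
    gen_index "$1"
fi
```

Hooking `publish` into whatever builds the siteXX files (the root-run step in Craig's setup can drop privileges and call it) keeps the index consistent with the directory at every moment the web server can read it, which a weekly cron job cannot guarantee.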
Re: enable-ec_nistp_64_gcc_128 available with LibreSSL or does it require OpenSSL?
On 2015-06-22, nusenu <nus...@openmailbox.org> wrote:
> when starting tor on OpenBSD, tor complains about missing accelerated support for P-224/P-256:
>
> [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
>
> What is the preferred way to add support for that?
>
> I'm installing tor from ports via
> cd /usr/ports/net/tor && make install
> on OpenBSD 5.7.
>
> I found this: http://article.gmane.org/gmane.os.openbsd.misc/218924 so it should be available but it is not enabled by default.

We tried that before, it breaks SSH with ecdsa keys.
Re: PF Packet Flow Diagram
Haha, Oops! thanks Doug.. Here it is instead..

http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

Cheers, Andy.

On 23 Jun 2015, at 14:13, Doug Hogan <d...@acyclic.org> wrote:
> On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy Lemin wrote:
>> I was updating an old copy of the PF flow diagram I had lying around and thought I'd post here quickly for comments / additions / corrections? Would be nice to update this and make it comprehensive as possible.
>>
>> [demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow.pdf]
>> [demime 1.01d removed an attachment of type image/jpeg which had a name of OpenBSDPFPacketFlow.jpeg]
>
> The attachments were stripped when sent to the list.
Experimenting with httpd
The httpd.conf man page uses the term "request path", which I assumed when reading the man page would be the full http://company.com/web/page, but I found through experimentation that it would be /web/page.

The httpd.conf man page says that for the location directive "The path argument will be matched against the request path with shell globbing rules." I eventually figured that this was not true. Shell globbing does not allow '*' to match any '/'; httpd's globbing does match '/'. I did not experiment to find out how it treats a leading '.', or '{' and '}'.

I thought the location directive was going to be awkward to use, but eventually I realized that every location directive that matches the request path would be applied, and the rules would be accumulated for that request path. The man page makes no reference to what happens with overlapping location directives; I think it should. I assume that if there are conflicting rules within the location directives the last one wins. I don't know, but also I did not experiment with a rule not within a location directive that conflicts with and follows a rule within a location directive.

The block directive allows an optional uri, which would mean you would expect it to start with http:// or something similar. The block does, as in the examples, work with that syntax, but it also accepts a request path, simplifying simple redirection.

I had a server "default" directive, and in that I did expect $SERVER_NAME to be the DNS name of the server, not the word "default".

Is there a table of what the built-in types are? There should be a reference to that table in the httpd.conf man page.
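The globbing difference the post describes is worth seeing side by side, because a `location "/web/*"` block whose `*` crosses `/` also governs `/web/page/sub` and everything deeper, so any access rule placed in it is broader than the shell-expansion intuition suggests, and two locations can both match one request. The following is an added example, not code from the post or from httpd: it implements pathname-style matching (where `*` stops at `/`) and slash-crossing matching (the behaviour the post reports for httpd, which is also what the shell's `case` does), and lists which of a set of location patterns apply to a request path. The pattern subset (`*`, `?`, `[...]`) and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the post or from httpd's source: contrast the two
# glob semantics the post distinguishes. Pathname-style matching (what the
# shell does when expanding file names) stops '*' at '/'; the slash-crossing
# matching the post observed for httpd's location patterns is what the shell's
# `case` does, where '*' matches any string, '/' included.
# Assumption: patterns use only '*', '?' and '[...]', the glob features a
# location path is likely to use.

# Translate a glob into an extended regex whose '*' and '?' cannot cross '/'.
glob_to_re() {
    printf '%s\n' "$1" | sed -e 's/[.^$+(){}|\\]/\\&/g' -e 's/\*/[^\/]*/g' -e 's/?/[^\/]/g'
}

# Pathname semantics: does request path $1 match glob $2 with '*' stopping at '/'?
match_pathname() {
    printf '%s\n' "$1" | grep -Eq "^$(glob_to_re "$2")\$"
}

# Slash-crossing semantics (the behaviour the post reports for httpd):
# does request path $1 match glob $2 when '*' may span '/'?
match_crossing() {
    case $1 in
        $2) return 0 ;;
    esac
    return 1
}

# Print every location pattern (arguments after the request path) that would
# govern request path $1 under slash-crossing matching. More than one line of
# output means the locations overlap for that path and their rules combine.
matching_locations() {
    path=$1
    shift
    for pat in "$@"; do
        if match_crossing "$path" "$pat"; then
            printf '%s\n' "$pat"
        fi
    done
}

# Stand-alone use: show which locations apply to a request path, e.g.
# matching_locations /web/page/sub '/web/*' '/*' '/web/page/*' '/other/*'
```

Running `matching_locations` over an httpd.conf's location patterns for the request paths you care about is a quick way to find overlaps before relying on the man page's (undocumented, per the post) combination order; whether httpd's own matcher crosses `/` is the post's observation, not something this example proves.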
Re: mail server on rental server ,cannot send mail
sorry, i hide real address and name for my privacy.

Vice versa at my home, i can send mail but cannot receive mail.

i first doubt dovecot setting.

/etc/dovecot/dovecot.conf
--
protocols = imap
listen = *
!include conf.d/*.conf

/etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
}
mmap_disable = yes
first_valid_uid = 1000
mail_plugin_dir = /usr/local/lib/dovecot
mbox_write_locks = fcntl

/etc/dovecot/conf.d/10-ssl.conf
ssl = no                                  # Correction
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem

in mailer, sylpheed
--
smtp port: 587
imap4 port: 143                           # -Correction

but in my company i can receive mail by sylpheed with ( {protocols = imap in dovecot.conf} + { imap4 port 993 in sylpheed } ).

143=imap 993=imaps

/var/log/maillog does not show anything when i receive mail.

to test relaying, i use http://www.rbl.jp/svcheck.php . it says only 'Error: Can't connect to abc.vs.sakura.ne.jp'

it shows that the problem may be port closing. so i nmap my home address. result is

PORT   STATE    SERVICE
22/tcp open     ssh
25/tcp filtered smtp
80/tcp open     http

namely port 143 does not open. (so cannot receive)
port 587 also does not open. (but can send ?)

i set wifi router at home

1) port forwarding
1 192.168.100.101 22  - 22  TCPUDP effective
2 192.168.100.101 80  - 80  TCPUDP effective
3 192.168.100.101 143 - 143 TCPUDP effective
4 192.168.100.101 587 - 587 TCPUDP effective
5 192.168.100.101 993 - 993 TCPUDP effective

2) pfctl -sr
pass in on run0 inet proto tcp from any to (run0:0) port = 22 flags S/SA
pass in on run0 inet proto tcp from any to (run0:0) port = 80 flags S/SA
pass in on run0 inet proto tcp from any to (run0:0) port = 143 flags S/SA
pass in on run0 inet proto tcp from any to (run0:0) port = 587 flags S/SA
pass in on run0 inet proto tcp from any to (run0:0) port = 993 flags S/SA

are there another point about opening ports ?

i think opensmtpd and postfix and sendmail have the power of sending mail.

-- 
regards
panic during boot of 5.7 in de(4) running in Hyper-V
I installed 5.7 from http://ftp3.usa.openbsd.org/pub/OpenBSD/5.7/amd64/install57.iso in a Windows Server 2012 R2 Hyper-V VM using the Legacy Network Adapter. I always get a kernel panic in the de(4) driver during boot. If I remove the legacy NIC from the VM config, then I successfully boot, but obviously with no network access.

What additional information can I provide to help with diagnosis and create a proper bug report?

OpenBSD/amd64 BOOT 3.28
...
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
de0 at pci0 dev 10 function 0 DEC 21140 rev 0x20
panic: Non dma-reachable buffer at curaddr 0x107762b70(raw)
Stopped at      Debugger+0x9:   leave
Debugger() at Debugger+0x9
panic() at panic+0xfe
_bus_dmamap_load_buffer() at _bus_dmamap_load_buffer+0x1b6
_bus_dmamap_load() at _bus_dmamap_load+0x7f
tulip_busdma_init() at tulip_busdma_init+0xa0
tulip_attach() at tulip_attach+0x2a4
config_attach() at config_attach+0x1bc
pci_probe_device() at pci_probe_device+0x467
pci_enumerate_bus() at pci_enumerate_bus+0xe9
config_attach() at config_attach+0x1bc
end trace frame: 0x81a28e60, count: 0
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
_bus_dmamap_load_buffer() at _bus_dmamap_load_buffer+0x1b6
_bus_dmamap_load() at _bus_dmamap_load+0x7f
tulip_busdma_init() at tulip_busdma_init+0xa0
tulip_attach() at tulip_attach+0x2a4
config_attach() at config_attach+0x1bc
pci_probe_device() at pci_probe_device+0x467
pci_enumerate_bus() at pci_enumerate_bus+0xe9
config_attach() at config_attach+0x1bc
cpu_configure() at cpu_configure+0x1b
main() at main+0x3df
end trace frame: 0x0, count: -14
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT          COMMAND
*    0     -1      0      0  7     0x10200                swapper

-- 
Tom Schutter
ifconfig carp30 state backup
Hey misc@,

I have 2-node CARP setup in master/backup. carp30 configuration follows:

carp30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0f
        description: EXT_30
        priority: 0
        carp: carpdev trunk0 advbase 1 balancing ip-stealth
                state MASTER vhid 15 advskew 0
                state MASTER vhid 25 advskew 0
        groups: carp
        status: master
        inet 155.4.x.x netmask 0xff80 broadcast 155.4.x.x

Then 'ifconfig carp30 state backup' is issued, carp30 becomes BACKUP for a very short period and then returns to MASTER. advskew is 100 on the second node.

Question is if it is expected behavior? According to man I can force it to become BACKUP on the first node.

Br
//mxb
Re: panic during boot of 5.7 in de(4) running in Hyper-V
I looked into this last year but lost interest. It seems like the DMA buffer is being placed past the UVM constraint for DMA ( eg 4GB). A configuration buffer is in the softc. It should be allocated to be dma-reachable. This driver is quite ugly. Maybe the following diff works? Index: if_de.c === RCS file: /cvs/src/sys/dev/pci/if_de.c,v retrieving revision 1.120 diff -u -p -u -r1.120 if_de.c --- if_de.c 15 May 2015 11:36:30 - 1.120 +++ if_de.c 24 Jun 2015 00:05:05 - @@ -49,6 +49,7 @@ #include sys/kernel.h #include sys/device.h #include sys/timeout.h +#include sys/pool.h #include net/if.h #include net/if_media.h @@ -2907,7 +2908,7 @@ tulip_addr_filter(tulip_softc_t * const * go into hash perfect mode (512 bit multicast * hash and one perfect hardware). */ - bzero(sc-tulip_setupdata, sizeof(sc-tulip_setupdata)); + bzero(sc-tulip_setupdata, TULIP_SETUP); if (ac-ac_multirangecnt 0) { sc-tulip_flags |= TULIP_ALLMULTI; sc-tulip_flags = ~(TULIP_WANTHASHONLY|TULIP_WANTHASHPERFECT); @@ -4085,8 +4086,7 @@ tulip_txput_setup(tulip_softc_t * const sc-tulip_if.if_start = tulip_ifstart; return; } -bcopy(sc-tulip_setupdata, sc-tulip_setupbuf, - sizeof(sc-tulip_setupbuf)); +bcopy(sc-tulip_setupdata, sc-tulip_setupbuf, TULIP_SETUP); /* * Clear WANTSETUP and set DOINGSETUP. Set know that WANTSETUP is * set and DOINGSETUP is clear doing an XOR of the two will DTRT. 
@@ -4357,16 +4357,17 @@ tulip_busdma_init(tulip_softc_t * const { int error = 0; +sc-tulip_setupbuf = dma_alloc(TULIP_SETUP, PR_WAITOK); +sc-tulip_setupdata = malloc(TULIP_SETUP, M_DEVBUF, M_WAITOK); + /* * Allocate dmamap for setup descriptor */ error = bus_dmamap_create(sc-tulip_dmatag, sizeof(sc-tulip_setupbuf), 2, - sizeof(sc-tulip_setupbuf), 0, BUS_DMA_NOWAIT, - sc-tulip_setupmap); + TULIP_SETUP, 0, BUS_DMA_NOWAIT, sc-tulip_setupmap); if (error == 0) { error = bus_dmamap_load(sc-tulip_dmatag, sc-tulip_setupmap, - sc-tulip_setupbuf, sizeof(sc-tulip_setupbuf), - NULL, BUS_DMA_NOWAIT); + sc-tulip_setupbuf, TULIP_SETUP, NULL, BUS_DMA_NOWAIT); if (error) bus_dmamap_destroy(sc-tulip_dmatag, sc-tulip_setupmap); } Index: if_devar.h === RCS file: /cvs/src/sys/dev/pci/if_devar.h,v retrieving revision 1.33 diff -u -p -u -r1.33 if_devar.h --- if_devar.h 10 Feb 2015 03:51:58 - 1.33 +++ if_devar.h 24 Jun 2015 00:04:36 - @@ -600,8 +600,10 @@ struct _tulip_softc_t { * one is the one being sent while the other is the one being * filled. */ -u_int32_t tulip_setupbuf[192/sizeof(u_int32_t)]; -u_int32_t tulip_setupdata[192/sizeof(u_int32_t)]; +#define TULIP_SETUP(192 / sizeof(u_int32_t)) +u_int32_t *tulip_setupbuf; +u_int32_t *tulip_setupdata; + char tulip_boardid[16];/* buffer for board ID */ u_int8_t tulip_rombuf[128]; struct device *tulip_pci_busno;/* needed for multiport boards */
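Review bot: in the tulip_addr_filter hunk, `bzero(sc->tulip_setupdata, TULIP_SETUP)` clears TULIP_SETUP bytes, but the if_devar.h hunk defines TULIP_SETUP as `(192 / sizeof(u_int32_t))`, an element count of 48, so only a quarter of the 192-byte setup frame is zeroed and the remaining 144 bytes keep whatever the allocation held. The `bcopy(sc->tulip_setupdata, sc->tulip_setupbuf, TULIP_SETUP)` in the tulip_txput_setup hunk has the same units problem. Suggest a byte-sized constant, e.g. `#define TULIP_SETUP_SIZE 192`, used for bzero, bcopy, malloc and dma_alloc alike, and the element count only where the buffer is indexed as u_int32_t.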
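Review bot: in the tulip_busdma_init hunk, the unchanged context line `bus_dmamap_create(sc->tulip_dmatag, sizeof(sc->tulip_setupbuf), 2,` still passes `sizeof(sc->tulip_setupbuf)` as the map size, but the if_devar.h hunk turns tulip_setupbuf into a pointer, so that is now the size of a pointer rather than 192, while the new maxsegsz argument `TULIP_SETUP` is 48 (an element count, see the header hunk). `dma_alloc(TULIP_SETUP, PR_WAITOK)`, `malloc(TULIP_SETUP, M_DEVBUF, M_WAITOK)` and the `bus_dmamap_load(..., sc->tulip_setupbuf, TULIP_SETUP, ...)` call likewise size 48 bytes where the original arrays were 192. All five sizes should be the same byte count. The hunk also introduces two allocations with no matching dma_free()/free() anywhere in the diff; if the driver has a detach path it needs a release there, otherwise a comment that the buffers live as long as the softc would help the next reader.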
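Review bot: in the if_devar.h hunk, `#define TULIP_SETUP(192 / sizeof(u_int32_t))` reads, as shown, as a function-like macro whose parameter list is `192 / sizeof(u_int32_t)`, which the preprocessor rejects; if the space before the parenthesis was lost in transit it still deserves a check before commit. The macro is also placed inside the struct body between the member comment and the two new pointers, where a reader expects members, and its name says nothing about units even though the bzero, bcopy, dma_alloc and malloc call sites treat it as a byte count. Suggest defining it above the struct with a comment, e.g. `/* size in bytes of the setup frame */` followed by `#define TULIP_SETUP_SIZE 192`, and keeping the former `192/sizeof(u_int32_t)` expression only where an element count is genuinely needed.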
Re: HA / load balancing / fail-over using CARP
Hi,

You can already do active-active CARP with OpenBSD. I believe it hashes by the MAC address (the MAC hash dictates which firewall responds to an ARP for the gateway IP).

However you may have issues with states and state synchronisation depending on the pps and firewall hardware performance, meaning you might be forced to enable sloppy states, or at the very least enable defer on pfsync. But allowing sloppy states is bad as it throws away a significant proportion of OpenBSD's awesome TCP security.

In short, it is *much* better to buy hardware where each firewall on its own is able to handle the full load, and run in active-backup mode.

Generally speaking, I've always found the layer 2 high availability provided by CARP to be rock solid, and if you want to do full stateful firewalling, this is your only sensible choice.

If you have no need for full stateful firewalling then you can do active-active at layer 3 using OSPF etc for the HA, and enable defer and sloppy and you're all done. It depends on what network feeds you are connected to and what your requirements are.

http://www.openbsd.org/papers/pfsync_v5.pdf

NB; We run Transtec servers which are just custom built Supermicro servers with a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus enabled giving us two 3.7GHz cores). The highest I have seen these do with 10gig NICs is almost 1Mpps with PF enabled. So there is little excuse for people to complain about OpenBSD PF performance unless you are talking about higher than 10gig networking.

But with all the work the devs are doing at the moment freeing up parts of the kernel from the BIG LOCK (http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be much longer before the Network stack goes MP too (it is happening but it's not trivial).

After which discussions on throughput and performance really do become a moot point, and instead we'll start seeing big enterprises start using OpenBSD and pushing for things like an Openflow agent ;)

So in short, stay active-backup, and sleep better :)

Hope this helps.

Cheers, Andy.

Just for fun; https://events.yandex.com/events/ruBSD/2013/talks/104/

On 22 Jun 2015, at 09:08, Romain FABBRI <romain.fab...@alienconsulting.net> wrote:
> Not sure you really want to do that but you could achieve some IP or MAC Load Balancing using this kind of setup : http://www.kernel-panic.it/openbsd/carp/carp4.html
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Aviolat Romain
> Sent: Monday 22 June 2015 09:40
> To: 'misc@openbsd.org' (misc@openbsd.org)
> Subject: HA / load balancing / fail-over using CARP
>
> Dear OpenBSD community,
>
> I'll deploy a new redundant firewalls setup in a few weeks (waiting for the hardware...). It'll be composed of two 1U supermicro servers and a few additional 10GbE nics.
>
> The idea was to use CARP + pfsync as the fail-over mechanism. I already deployed that a few times in the past, and we're pretty happy with this setup; maintenance is easy and the setup is rock solid.
>
> The only disadvantage IMHO is that there is no way to achieve load balancing between the members of the CARP cluster, one machine is always working while the other is idle. I could define some VLANs on top of CARP interfaces to be MASTER on routerA and some on routerB but still it's not real load balancing.
>
> So before making the same setup again I wanted to have your input about that, maybe I'm not aware of other ways to achieve HA/load-balancing using OpenBSD ?
>
> Thanks for your help !
>
> Romain Aviolat
> Senior System Administrator - R&D and ops Infrastructure
> Kudelski Security - Kudelski Group
> rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
> +41 21 732 03 79
Question about PHP safe mode
Hi there,

just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP version. The safe_mode is on, a customer wants to have it off. Is there any security risk to it or do I need to check something on the system level to disable it but still have my environment secured?

regards

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220    fax: +49 351 8107227

Please check whether this e-mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Question about PHP safe mode
Markus, are you kidding?

http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-50739/PHP-PHP-5.2.5.html

And OpenBSD 4.2 was released Nov 1, 2007. You don't think it is important to upgrade?

Best Regards,
Heiko

On 23.06.2015 at 11:44, Markus Rosjat wrote:
> Hi there,
>
> just a short question... I have a quite old 4.2 OpenBSD with a 5.2.4 PHP version. The safe_mode is on, a customer wants to have it off. Is there any security risk to it or do I need to check something on the system level to disable it but still have my environment secured?
>
> regards
Re: mail server on rental server ,cannot send mail
thanks Matthew Martin. you give me important hints.

i rewrite main.cf

/etc/postfix/main.cf
myhostname = abc.vs.sakura.ne.jp
mydomain = vs.sakura.ne.jp
myorigin = $myhostname
inet_interfaces = all
home_mailbox = Maildir/
relay_domains = $mydestination    #-
relayhost =    #-
mynetworks = 127.0.0.0/8    #-
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain    #-
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
mail_owner = _postfix
inet_protocols = all
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq
setgid_group = _postdrop
html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/doc/postfix/readme
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/isp_auth
smtp_sasl_security_options = noanonymous
disable_dns_lookups = yes

then i can send the server via KEITAI (pocket phone ?) but i cannot send mail by PC.

i guess the cause of not sending mail is company's router because /var/log/maillog says
-
Jun 23 15:15:47 abc postfix/smtpd[20788]: lost connection after UNKNOWN from p123.akita.ocn.ne.jp[123.189.32.456]
Jun 23 15:15:47 abc postfix/smtpd[20788]: disconnect from p123.akita.ocn.ne.jp[123.189.32.456] unknown=0/1 commands=0/1
Jun 23 15:16:32 abc dovecot: imap-login: Login: user=tuyosi, method=PLAIN, rip=123.189.32.456, lip=160.16.114.201, mpid=16847, TLS, session=UkDnVCkZQwDdvSB/
---

regards
Illumos adopting arc4random
Hello,

I haven't seen this in OpenBSD-related press nor on the mailing list, so I thought it may be good to let you know that Illumos, which is a fork of the former OpenSolaris, has adopted arc4random from OpenBSD in a commit done on April 7 by Robert Mustacchi. Kudos to the OpenBSD team and especially to the people who worked on that.

Thanks!
Karel

PS: I'm not affiliated in any way with Illumos nor with Robert and his employer. I've just been browsing the Illumos-gate commit history and seen this: https://github.com/illumos/illumos-gate/commit/9d12795f87b63c2e39e87bff369182edd34677d3
Issue with OpenBGPD
Hi,

I'm adding a static route to the OpenBGPD process. The route is distributed correctly. But when I delete the route, OpenBGPD still distributes it, even though it is no longer in the routing table (netstat -rn4). I have to restart the OpenBGPD process to delete the route.

I'm using pfsense 2.2.2 (FreeBSD release 10.1)

Is there any way to force OpenBGPD to delete the routes without restart?

Thanks!

-- 
*CHIKHI Hatim*
*Network and Security Administrator Intern*
*Linkbynet*
Re: HA / load balancing / fail-over using CARP
Hi,

On 23 Jun 2015, at 10:50, Aviolat Romain <romain.avio...@nagra.com> wrote:
> Hi Andy,
>
> Thanks for your detailed answer. Yes we are doing stateful firewalling and we want to keep it like that, we of course plan to have servers that are able to take the full load in case of failure of the other.
>
> We don't have yet requirements to go higher than the actual 1Mpps limit (around 500Mbit/s for standard web traffic), but we would be pleased to have MP supported on the Network stack !

There is no hardcoded limit, it is purely down to the single core CPU performance and packet size that dictates the achievable throughput. We would have enabled only one core if it weren't for the fact that we're running so many daemons too. OpenBSD is pretty sensible when it comes to scheduling user land stuff and so daemons rarely get in the way of your PF busy core.

> I'll follow your advice and stay in active-backup mode for now.

Doesn't mean you shouldn't try active-active out (in a lab).. But if you're only talking 500mbps, stick with steady and stable ;)

> Romain
>
> From: Andy Lemin [mailto:a...@brandwatch.com]
> Sent: Tuesday 23 June 2015 11:25
> To: Romain FABBRI
> Cc: Aviolat Romain; 'misc@openbsd.org' (misc@openbsd.org)
> Subject: Re: HA / load balancing / fail-over using CARP
>
> [...]
Re: HA / load balancing / fail-over using CARP
Hi Andy,

Thanks for your detailed answer. Yes, we are doing stateful firewalling and we want to keep it like that; we of course plan to have servers that are able to take the full load in case of failure of the other. We don't yet have requirements to go higher than the current 1Mpps limit (around 500Mbit/s for standard web traffic), but we would be pleased to have MP supported in the network stack! I'll follow your advice and stay in active-backup mode for now.

Romain

From: Andy Lemin [mailto:a...@brandwatch.com]
Sent: Tuesday 23 June 2015 11:25
To: Romain FABBRI
Cc: Aviolat Romain; 'misc@openbsd.org' (misc@openbsd.org)
Subject: Re: HA / load balancing / fail-over using CARP

Hi,

You can already do active-active CARP with OpenBSD. I believe it hashes by the MAC address (the MAC hash dictates which firewall responds to an ARP for the gateway IP). However, you may have issues with states and state synchronisation depending on the pps and firewall hardware performance, meaning you might be forced to enable sloppy states, or at the very least enable defer on pfsync. But allowing sloppy states is bad as it throws away a significant proportion of OpenBSD's awesome TCP security.

In short, it is *much* better to buy hardware where each firewall on its own is able to handle the full load, and run in active-backup mode. Generally speaking, I've always found the layer 2 high availability provided by CARP to be rock solid, and if you want to do full stateful firewalling, this is your only sensible choice. If you have no need for full stateful firewalling then you can do active-active at layer 3 using OSPF etc. for the HA, and enable defer and sloppy and you're all done. It depends on what network feeds you are connected to and what your requirements are.

http://www.openbsd.org/papers/pfsync_v5.pdf

NB: We run Transtec servers, which are just custom-built Supermicro servers with a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus enabled, giving us two 3.7GHz cores). The highest I have seen these do with 10gig NICs is almost 1Mpps with PF enabled. So there is little excuse for people to complain about OpenBSD PF performance unless you are talking about higher than 10gig networking. But with all the work the devs are doing at the moment freeing up parts of the kernel from the BIG LOCK (http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be much longer before the network stack goes MP too (it is happening but it's not trivial). After which discussions on throughput and performance really do become a moot point, and instead we'll start seeing big enterprises start using OpenBSD and pushing for things like an OpenFlow agent ;)

So in short, stay active-backup, and sleep better :)

Hope this helps.

Cheers, Andy.

Just for fun: https://events.yandex.com/events/ruBSD/2013/talks/104/

On 22 Jun 2015, at 09:08, Romain FABBRI romain.fab...@alienconsulting.net wrote:

Not sure you really want to do that, but you could achieve some IP or MAC load balancing using this kind of setup: http://www.kernel-panic.it/openbsd/carp/carp4.html

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Aviolat Romain
Sent: Monday 22 June 2015 09:40
To: 'misc@openbsd.org' (misc@openbsd.org)
Subject: HA / load balancing / fail-over using CARP

Dear OpenBSD community,

I'll deploy a new redundant firewall setup in a few weeks (waiting for the hardware...). It'll be composed of two 1U Supermicro servers and a few additional 10GbE NICs. The idea was to use CARP + pfsync as the fail-over mechanism. I already deployed that a few times in the past, and we're pretty happy with this setup; maintenance is easy and the setup is rock solid. The only disadvantage IMHO is that there is no way to achieve load balancing between the members of the CARP cluster: one machine is always working while the other is idle. I could define some VLANs on top of CARP interfaces to be MASTER on routerA and some on routerB, but still it's not real load balancing.

So before making the same setup again I wanted to have your input about that; maybe I'm not aware of other ways to achieve HA/load-balancing using OpenBSD?

Thanks for your help!

Romain Aviolat
Senior System Administrator - RD and ops Infrastructure
Kudelski Security - Kudelski Group
rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
+41 21 732 03 79
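A minimal active-backup CARP + pfsync layout of the kind Andy recommends above, as an added illustration that is not from this thread: the addresses (203.0.113.0/24), interface names (em0, em2) and the CARP password are placeholders, and the pf rules deliberately keep full stateful tracking instead of sloppy states.

```conf
# /etc/hostname.carp0 on routerA (intended MASTER). Placeholder addresses,
# interface names and password; routerB uses the same line with "advskew 100"
# so it only takes the address over when routerA stops advertising.
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 0

# /etc/hostname.pfsync0 on both nodes: replicate pf state over a dedicated
# crossover link so the BACKUP can resume existing connections on failover.
# "defer" (hold a state's first packet until the peer acknowledges it) is the
# minimum the thread says active-active needs; not required for active-backup.
up syncdev em2

# /etc/sysctl.conf on both nodes: a MASTER that comes back reclaims its vhids,
# and failover of one interface moves the whole group, not a single address.
net.inet.carp.preempt=1

# /etc/pf.conf fragment on both nodes.
ext_if = "em0"
sync_if = "em2"

# pfsync and CARP advertisements must pass, or the pair fights over the
# address. The sync link carries unencrypted state data: keep it isolated.
pass quick on $sync_if proto pfsync
pass on $ext_if proto carp

# Ordinary rules keep full TCP state tracking (sequence/window checks), which
# is what staying active-backup preserves. The variant the thread warns
# against, "keep state (sloppy)", is shown commented out for comparison.
pass in on $ext_if inet proto tcp to 203.0.113.1 port 443
# pass in on $ext_if inet proto tcp to 203.0.113.1 port 443 keep state (sloppy)
```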
Re: mail server on rental server ,cannot send mail
On 6/23/15, Tuyosi Takesima nakajin.fu...@gmail.com wrote:

Thanks Matthew Martin. You gave me important hints. I rewrote main.cf:

/etc/postfix/main.cf
  myhostname = abc.vs.sakura.ne.jp
  mydomain = vs.sakura.ne.jp
  myorigin = $myhostname
  inet_interfaces = all
  home_mailbox = Maildir/
  relay_domains = $mydestination   #-
  relayhost =   #-
  mynetworks = 127.0.0.0/8   #-
  mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain   #-
  queue_directory = /var/spool/postfix
  command_directory = /usr/local/sbin
  daemon_directory = /usr/local/libexec/postfix
  data_directory = /var/postfix
  mail_owner = _postfix
  inet_protocols = all
  unknown_local_recipient_reject_code = 550
  debug_peer_level = 2
  debugger_command =
      PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      ddd $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/local/sbin/sendmail
  newaliases_path = /usr/local/sbin/newaliases
  mailq_path = /usr/local/sbin/mailq
  setgid_group = _postdrop
  html_directory = /usr/local/share/doc/postfix/html
  manpage_directory = /usr/local/man
  sample_directory = /etc/postfix
  readme_directory = /usr/local/share/doc/postfix/readme
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/etc/postfix/isp_auth
  smtp_sasl_security_options = noanonymous
  disable_dns_lookups = yes

Then I can send to the server via KEITAI (pocket phone?) but I cannot send mail by PC. I guess the cause of not sending mail is the company's router, because /var/log/maillog says:

  Jun 23 15:15:47 abc postfix/smtpd[20788]: lost connection after UNKNOWN from p123.akita.ocn.ne.jp[123.189.32.456]
  Jun 23 15:15:47 abc postfix/smtpd[20788]: disconnect from p123.akita.ocn.ne.jp[123.189.32.456] unknown=0/1 commands=0/1
  Jun 23 15:16:32 abc dovecot: imap-login: Login: user=tuyosi, method=PLAIN, rip=123.189.32.456, lip=160.16.114.201, mpid=16847, TLS, session=UkDnVCkZQwDdvSB/

regards

I really don't know anything about Postfix. And right now their webserver seems down and I can't see their documentation. Have you tried OpenSMTPD? :)

p123.akita.ocn.ne.jp's IP is different now, and still seems impossible. .456? I'm not familiar enough with postfix/sasl/etc... to help with anything else, but that IP can't be correct. Octets only go up to 255. I'd see what's going on with that before looking at anything else.
PF Packet Flow Diagram
Hi,

I was updating an old copy of the PF flow diagram I had lying around and thought I'd post here quickly for comments / additions / corrections. Would be nice to update this and make it as comprehensive as possible.

[demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow.pdf]
[demime 1.01d removed an attachment of type image/jpeg which had a name of OpenBSDPFPacketFlow.jpeg]
Re: httpd feature request: auto index.txt
On 2015-06-22 Mon 12:39 PM |, Noah wrote:
On Mon, Jun 22, 2015 at 11:58 AM, Craig Skinner skin...@britvault.co.uk wrote:
*) either/both .txt/.html
*) .txt output something like: ls [-l[h]] | fgrep -v index.txt

Does auto index do the trick? It doesn't make an index.html/txt file, but it does provide file names and links as you'd expect.

Ummm, I was thinking of something that could generate $RELEASE index.txt files, including siteXX.tgz and siteXX-hostname.tgz files. e.g.:

  $ ftp -o /tmp/internal-index.txt http://mirror.internal/pub/OpenBSD/5.6/i386/index.txt
  Trying 192.168.1.1...
  Requesting http://mirror.internal/pub/OpenBSD/5.6/i386/index.txt (via http://gateway.internal)
  100% |***|   181   00:00
  181 bytes received in 0.00 seconds (792.64 KB/s)
  $ cat /tmp/internal-index.txt
  INSTALL.i386
  SHA256
  SHA256.sig
  base56.tgz
  bsd
  bsd.mp
  bsd.rd
  comp56.tgz
  etc56.tgz
  game56.tgz
  man56.tgz
  pxeboot
  xbase56.tgz
  xetc56.tgz
  xfont56.tgz
  xserv56.tgz
  xshare56.tgz
  site56.tgz

At the moment, I'm using a cron driven script to create index.txt files:

  $ fgrep index ~webmaster/crontab.bak
  @weekly release-indexer
  $ cat ~webmaster/bin/release-indexer
  #!/bin/ksh
  #
  # $Id: release-indexer,v 1.9 2015/06/22 16:30:27 craig Exp $
  #
  # vim: tabstop=4 shiftwidth=4 softtabstop=4 noexpandtab
  #
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  #
  # Copyright (c) 2014, 2015 Craig R. Skinner skin...@britvault.co.uk
  #
  # Permission to use, copy, modify, and distribute this software for any
  # purpose with or without fee is hereby granted, provided that the above
  # copyright notice and this permission notice appear in all copies.
  #
  # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  #
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  #
  # Update OpenBSD $RELEASE index.txt files (was in /etc/daily.local)
  #

  # cron/batch/at job? Not interactive, so run at low priority.
  [[ -t 0 ]] || renice -n 20 -p $$ >/dev/null

  # RELEASEPATH (from /etc/pkg.env) points into the local release tree.
  [[ -n ${RELEASEPATH} ]] || . /etc/pkg.env

  release=${RELEASEPATH%/*}

  # One index per $RELEASE/$ARCH directory; packages/ gets no index.
  find ${release%/*} -type d -maxdepth 2 -mindepth 2 ! -name packages |
  while read release
  do
  	rel_index=${release}/index.txt
  	tmp_index=$(mktemp)

  	# Non-empty regular files and symlinks, relative to the release directory.
  	find ${release} \( -type f -or -type l \) ! -empty ! -name index.txt |
  		sed "s~${release}/~~" > ${tmp_index}

  	# Only replace the index when the listing has actually changed.
  	diff ${rel_index} ${tmp_index} || {
  		install -m 664 -p -S ${tmp_index} ${rel_index}
  		print "\n\n*** Installed: ${rel_index}\n\n"
  	}

  	rm ${tmp_index}
  done

--
It's odd, and a little unsettling, to reflect upon the fact that English is the only major language in which "I" is capitalized; in many other languages "You" is capitalized and the "i" is lower case. -- Sydney J. Harris
Re: mail server on rental server ,cannot send mail
On 06/22/15 23:15, Tuyosi Takesima wrote:

A few days ago I rented a rental server for convenience, and I made a mail server. But I cannot send mail although I receive mail. I think the problem is in the postfix setting. Please point out problems.

/etc/postfix/main.cf
  myhostname = abc.vs.sakura.ne.jp
  mydomain = vs.sakura.ne.jp
  myorigin = $myhostname
  inet_interfaces = all
  mydestination = $myhostname localhost.$mydomain
  home_mailbox = Maildir/
  relayhost =
  mynetworks = 127.0.0.0/8 160.16.123.123
  queue_directory = /var/spool/postfix
  command_directory = /usr/local/sbin
  daemon_directory = /usr/local/libexec/postfix
  data_directory = /var/postfix
  mail_owner = _postfix
  inet_protocols = all
  unknown_local_recipient_reject_code = 550
  debug_peer_level = 2
  debugger_command =
      PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      ddd $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/local/sbin/sendmail
  newaliases_path = /usr/local/sbin/newaliases
  mailq_path = /usr/local/sbin/mailq
  setgid_group = _postdrop
  html_directory = /usr/local/share/doc/postfix/html
  manpage_directory = /usr/local/man
  sample_directory = /etc/postfix
  readme_directory = /usr/local/share/doc/postfix/readme
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/etc/postfix/isp_auth
  smtp_sasl_security_options = noanonymous
  disable_dns_lookups = yes

The first thing the postfix guys will tell you is to try without chroot.

/etc/postfix/master.cf
  # service    type  private unpriv chroot wakeup maxproc command
  smtp         inet  n       -      -      -      -       smtpd
  submission   inet  n       -      -      -      -       smtpd   #-
  pickup       unix  n       -      -      60     1       pickup
  cleanup      unix  n       -      -      -      0       cleanup
  qmgr         unix  n       -      -      300    1       qmgr
  tlsmgr       unix  -       -      -      1000?  1       tlsmgr
  rewrite      unix  -       -      -      -      -       trivial-rewrite
  bounce       unix  -       -      -      -      0       bounce
  defer        unix  -       -      -      -      0       bounce
  trace        unix  -       -      -      -      0       bounce
  verify       unix  -       -      -      -      1       verify
  flush        unix  n       -      -      1000?  0       flush
  proxymap     unix  -       -      n      -      -       proxymap
  proxywrite   unix  -       -      n      -      1       proxymap
  smtp         unix  -       -      -      -      -       smtp
  relay        unix  -       -      -      -      -       smtp
  showq        unix  n       -      -      -      -       showq
  error        unix  -       -      -      -      -       error
  retry        unix  -       -      -      -      -       error
  discard      unix  -       -      -      -      -       discard
  local        unix  -       n      n      -      -       local
  virtual      unix  -       n      n      -      -       virtual
  lmtp         unix  -       -      -      -      -       lmtp
  anvil        unix  -       -      -      -      1       anvil
  scache       unix  -       -      -      -      1       scache

/etc/pf.conf
  ext_if=vio0
  tcp_services={ 22, 25, 80, 143, 587, 993 }   # - submission port
  icmp_types=echoreq
  set block-policy return
  set loginterface $ext_if
  set skip on lo
  match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
  set reassemble yes no-df
  block in log
  pass out quick
  antispoof quick for { lo }
  pass in on $ext_if inet proto tcp from any to ( $ext_if:0 ) port $tcp_services
  pass in inet proto icmp all icmp-type $icmp_types

/etc/hosts
  127.0.0.1 localhost
  ::1 localhost
  160.16.114.201 abc.vs.sakura.ne.jp abc

vs.sakura.ne.jp
  abc. 300 MX 10 abc.vs.sakura.ne.jp
  tk2-233-26197. abc300 A 160.16.114.201

/etc/resolv.conf
  lookup file bind
  nameserver 8.8.8.8

In the mailer, sylpheed: smtp port 587, imap4 port 993. The error is 'cannot connect SMTP server: abc.vs.sakura.ne.jp:587'.

tail /var/log/maillog
  Jun 23 13:09:41 abc postfix/smtpd[5923]: connect from p123.akita.ocn.ne.jp [210.789.321.123]

regards
Re: mail server on rental server ,cannot send mail
Log when sending and receiving to see what is happening. I have postfix, dovecot, amavisd and it works OK!

Date: Tue, 23 Jun 2015 05:22:36 -0500
Subject: Re: mail server on rental server ,cannot send mail
From: matt.a.mar...@gmail.com
To: nakajin.fu...@gmail.com
CC: misc@openbsd.org
Re: Illumos adopting arc4random
It's like, adopt, or die!

Karel Gardas [gard...@gmail.com] wrote:

Hello,

Haven't seen this in OpenBSD related press nor mailing list, so I've thought it may be good to let you know that Illumos, which is the former OpenSolaris fork, has adopted arc4random from OpenBSD in a commit done on April 7 by Robert Mustacchi. Kudos to the OpenBSD team and especially to the people who worked on that.

Thanks!
Karel

PS: I'm not affiliated in any way with Illumos nor with Robert and his employer. I've just been browsing the Illumos-gate commit history and seen this: https://github.com/illumos/illumos-gate/commit/9d12795f87b63c2e39e87bff369182edd34677d3
Re: panic during boot of 5.7 in de(4) running in Hyper-V
On Tue, Jun 23, 2015 at 02:57:51PM -0600, Tom Schutter wrote:

I installed 5.7 from http://ftp3.usa.openbsd.org/pub/OpenBSD/5.7/amd64/install57.iso in a Windows Server 2012 R2 Hyper-V VM using the Legacy Network Adapter. I always get a kernel panic in the de(4) driver during boot. If I remove the legacy NIC from the VM config, then I successfully boot, but obviously with no network access.

I looked into this last year but lost interest. It seems like the DMA buffer is being placed past the UVM constraint for DMA (eg 4GB). I'm not sure why that's happening; I only spent a day or so looking at it before I got bored and moved on to something else.

A side note - the same config on Hyper-V seems to work on i386, but I noticed some strange clock skewing using that config so I gave up on that also.

Another side note - disabling de(4) in config and letting the kernel fall back to dc(4) gets past this particular panic but doesn't allow any traffic to pass.

-ml

What additional information can I provide to help with diagnosis and create a proper bug report?

  OpenBSD/amd64 BOOT 3.28
  ...
  wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
  wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
  de0 at pci0 dev 10 function 0 "DEC 21140" rev 0x20
  panic: Non dma-reachable buffer at curaddr 0x107762b70(raw)
  Stopped at      Debugger+0x9:   leave
  Debugger() at Debugger+0x9
  panic() at panic+0xfe
  _bus_dmamap_load_buffer() at _bus_dmamap_load_buffer+0x1b6
  _bus_dmamap_load() at _bus_dmamap_load+0x7f
  tulip_busdma_init() at tulip_busdma_init+0xa0
  tulip_attach() at tulip_attach+0x2a4
  config_attach() at config_attach+0x1bc
  pci_probe_device() at pci_probe_device+0x467
  pci_enumerate_bus() at pci_enumerate_bus+0xe9
  config_attach() at config_attach+0x1bc
  end trace frame: 0x81a28e60, count: 0
  RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
  DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
  ddb> trace
  Debugger() at Debugger+0x9
  panic() at panic+0xfe
  _bus_dmamap_load_buffer() at _bus_dmamap_load_buffer+0x1b6
  _bus_dmamap_load() at _bus_dmamap_load+0x7f
  tulip_busdma_init() at tulip_busdma_init+0xa0
  tulip_attach() at tulip_attach+0x2a4
  config_attach() at config_attach+0x1bc
  pci_probe_device() at pci_probe_device+0x467
  pci_enumerate_bus() at pci_enumerate_bus+0xe9
  config_attach() at config_attach+0x1bc
  cpu_configure() at cpu_configure+0x1b
  main() at main+0x3df
  end trace frame: 0x0, count: -14
  ddb> ps
     PID   PPID   PGRP    UID  S       FLAGS  WAIT          COMMAND
  *    0     -1      0      0  7     0x10200                swapper

--
Tom Schutter