Compatibility question for the New Sun X4100 server with 4FastEthernet as possible BGP routers, or stick with HP DL-145 G2?

2005-09-29 Thread Daniel Ouellet

Hi,

I am stuck with many Cisco 7206 VXR routers that now run at 100% CPU
from time to time. The BGP table grew to a level that, when combined
with a few access lists on these routers, makes them run out of steam!
At a minimum, more than I would like to see anyway!

I guess no one will be surprised by that!

So, I need to convert them into dummy aggregation routers for T1s, etc.,
but without BGP or anything else on them for that matter, until I can
get a few good and tested cards for channel DS3 and the like that will
work well in OpenBSD.

I am stuck on this one and at the same time pleased to replace more
Cisco gear!

However, picking the best servers for this is also important.

I was looking at the HP DL-145 G2 with SCSI on them and I also saw the
new Sun X4100.

I really would need a minimum of 4x 10/100/1000 Ethernet ports in these
boxes.

So, hopefully someone will be able to answer this question for me.

Looking at the less than complete technical information on the Sun
server, I don't see the details of the chipset used in that server,
network card, etc. So, I can't search to see if OpenBSD may work on it
or not.

Google hasn't returned anything for the X4100 and OpenBSD yet on this
either. Too new most likely.

So, if anyone can actually confirm or deny whether OpenBSD works well
on this new Sun or not at all, or whether to stay away from it, it would
be greatly appreciated!

I saw a few posts on the Sun DL-145 G2 and it looks like the issues are
solved with it, and Brad's work on the Broadcom network cards looks like
a success, but I am not 100% sure on the SCSI yet. I need to read
more on that.

I do use the DL-145 with great pleasure so far, so I may be inclined to
stick with HP, but the Sun's default 4x Ethernet ports did attract me!

Any words of wisdom on my best bet? I need 8 of these new servers to
start with, so I sure want to be sure to pick them right. Throwing money
down the tube is not my forte if you know what I mean!

Maybe someone knows something even better for this stuff?

I saw posts from Henning on the best network cards. Is that still true,
and what about 4x ports in these new servers?


Many thanks for your input and your time as well!

Daniel



Re: Compatibility question for the New Sun X4100 server with 4FastEthernet as possible BGP routers, or stick with HP DL-145 G2?

2005-09-30 Thread Daniel Ouellet

Henning Brauer wrote:
  I am more curious about the 2100 actually. Finally a vendor got it and
made a (apparently) decent single-CPU amd64 1U machine with a reasonable 
price tag. I am uncertain what chipset they use, might be nForce, might 


I like the 2100 better, but was looking at the 4100 ONLY because of the
4 built-in GigEs. Never too many Ethernet cards when used as a router! (;
I would actually love a box with 8x and one with 8 fiber ports. That
would be sweet! But you got me thinking twice now!




BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-04 Thread Daniel Ouellet
I am not sure whether it is normal for routers configured with MD5
to react like this. Both sides can and should be allowed to initiate the
BGP session. But when the session is not initiated from bgpd, then
unexpected results occur.

OpenBSD  --- Cisco routers.

With MD5.

If the session is initiated from the OpenBSD side (tcp/xxx - to tcp/179)
on a remote Cisco router, then any 'bgpctl neighbor x.x.x.x clear' on
that remote router will work and the session clears and comes back
instantly. Great!

However, if the session in that condition is cleared from the Cisco side
(clear ip bgp x.x.x.x), then the OpenBSD side doesn't really reset the
session and it will continue to expect the packets on the same return
port tcp/xxx, as opposed to accepting the new session on port 179 that
is initiated at that time from the remote side and then replying to the
tcp/xxx request port.

When the session is reset from the remote side, then it should become
Cisco - OpenBSD with (tcp/xxx to tcp/179), so the 179 port should be on
the OpenBSD side then, no?


Then you will start to get the error in the log like this:

%TCP-6-BADAUTH: No MD5 digest from OpenBSD(179) to Cisco(48384) (RST)

where the OpenBSD is the OpenBSD IP's and same for the Cisco IP's.

Also, I haven't been able yet to establish a session where the Cisco
side would initiate the session and the OpenBSD side would be the
remote side when MD5 is configured. It may be possible and sure
should be, but I haven't been able to yet.

I can provide more details if need be, or test more as well, but that's
in short what is going on.

It's been many days so far and that's what I found on why my sessions
with MD5 are not coming up, or when cleared don't come back to life.

Looks to me like bgpd wants to be the initiator of the connection
every time and then it will work well for itself. Is that the case here?

I started to check deeper when I realized that one side always resets
the session quicker than the other without MD5 and then gets stuck when
MD5 is in use.

This is on 3.7 and I had what looks like the same problem with 3.6 and
3.8-current (Sep 29).

Am I missing something here? Was that the intention from the start?

Many thanks for putting some light on this for me.

Daniel



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-05 Thread Daniel Ouellet

More on this with test results, an example, the setup used, and more details.

The short of it is that bgpd will not establish an MD5 connection as
slave ever! So, if you do get an MD5 session in normal operation, it may
well not stay stable at all, depending on BGP flaps and who will try to
become master after a flap. You may end up with BGP down until human
action is performed to get it back up from both sides of the session.

How did I show that? By checking the various possibilities without MD5
configured and then ONLY adding the MD5 on the working setup.

Test summary: try to see the results when one side is always forced to
be master or slave and see the impact of it. Also, make sure that after
a reset the master will stay the master. The use of filters will
accomplish this to try to isolate a possible problem.

Please read on, as I think this shows the situation as is.

Daniel

==

Without MD5 configured.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with delay.

With bgpd slave
Clear session from bgpd side, session comes back up with delay.
Clear session from remote side, session comes back up with possible very
long delay. Much bigger than when master.

Now with MD5 configured. We only add

tcp md5sig password test on bgpd side and
neighbor 66.63.12.108 password test on the Cisco side.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with possible very
long delay.

With bgpd slave
Just can't establish a session whatsoever! The Cisco side will get
stuck in the OpenSent mode and cycle a few times, all without success.

66.63.12.108    4 65001       0       1        0    0    0 never    OpenSent

The OpenBSD side will show an active session, but not up yet obviously:

dev1# bgpctl s neigh 66.63.12.107
BGP neighbor is 66.63.12.107, remote AS 65001
 Description: iBGP Test
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

  Message statistics:
                  Sent       Received
  Opens                    1          0
  Notifications            0          0
  Updates                  0          0
  Keepalives               0          0
  Route Refresh            0          0
  Total                    1          0

  Local host:  66.63.12.108, Local port:179
  Remote host: 66.63.12.107, Remote port: 56923

And the Cisco side will keep cycling there from active to open and back
to active to open, etc.

66.63.12.108    4 65001       0       2        0    0    0 never    Active

Now looking at the logs from each side. OpenBSD tries to use the port
tcp/56923 and from the Cisco side we see this error:

35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from
66.63.12.108(179) to 66.63.12.107(56923) (RST)
36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from
66.63.12.108(179) to 66.63.12.107(56923) (RST)

Looks like the OpenBSD side does not provide the MD5 to the Cisco to
establish the session.

It doesn't matter if I clear the session from the Cisco side, or the
bgpd side, order, etc. Both sides, many times, whatever. It will simply
not come up!

Even reloading the Cisco router and killing bgpd and starting anew,
it will not come up!

Always the same errors in the logs.

No MD5 digest received from the OpenBSD side, it looks like.

===

Why will bgpd not establish a session as slave when MD5 is configured,
even if the RFC says both sides should be allowed to do so?


bgpd wants to be the master every time?

Something sure looks weird here.



Setup and tests done with results.

OpenBSD 3.7 and Cisco 5350 connected via Fast Ethernet switch.

OpenBSD - switch - Cisco 5350

BGP minimal configurations used:


OpenBSD side:

dev1# more /etc/bgpd.conf
# Macros
Peer_Test=66.63.12.107

# Default global configuration
holdtime 30
holdtime min 10
listen on 66.63.12.108
AS 65001
router-id 66.63.12.108

# List of networks to announce from the router.
network 10.0.1.0/24

# neighbors and peers
group Peering iBGP on AS65001 {
        remote-as       65001
        local-address   66.63.12.108
        announce        all
        neighbor $Peer_Test {
                descr   iBGP Test
        }
}

==
Cisco side:

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 10.0.0.0 mask 255.255.255.0
 neighbor 66.63.12.108 remote-as 65001
 neighbor 66.63.12.108 version 4
 neighbor 66.63.12.108 soft-reconfiguration inbound
 no auto-summary

===
Filters used and applied to the Fast Ethernet configuration of the Cisco
router like this:


interface FastEthernet0/0
 description Connection to OpenBSD Test Lab
 ip address 66.63.12.107 255.255.255.192
 ip 
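
A triage helper for the `%TCP-6-BADAUTH` lines shown in this message, as an added example that is not part of the original post or of any Cisco or OpenBSD tooling. It unwraps the mail-wrapped log lines, groups them per connection tuple, and labels each group by which end owns port 179; the third sample line and the function and label names are constructed for illustration.

```python
import re
from collections import Counter

BGP_PORT = 179

# Format as it appears in the post:
#   %TCP-6-BADAUTH: No MD5 digest from A(sport) to B(dport) (RST)
# The trailing "(FLAG)" is treated as optional.
BADAUTH = re.compile(
    r"%TCP-6-BADAUTH: (?P<reason>[\w ]+?) from "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) to "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?: \((?P<flag>[A-Z]+)\))?"
)

# First two entries are the lines from the post, wrapped as the mail client
# wrapped them. The third is a constructed line (documentation addresses).
SAMPLE_LOG = """\
35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from
66.63.12.108(179) to 66.63.12.107(56923) (RST)
36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from
66.63.12.108(179) to 66.63.12.107(56923) (RST)
37: *Oct  5 13:39:10.101 EDT: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(40001) to 192.0.2.1(179)
"""


def parse_badauth(text):
    """Return one tuple per BADAUTH event, tolerating wrapped lines."""
    flat = re.sub(r"\s+", " ", text)  # undo hard wraps and double spaces
    events = []
    for m in BADAUTH.finditer(flat):
        events.append((m["reason"], m["src"], int(m["sport"]),
                       m["dst"], int(m["dport"]), m["flag"] or ""))
    return events


def direction(sport, dport):
    """Label the segment from the logging router's point of view."""
    if sport == BGP_PORT and dport != BGP_PORT:
        # The unsigned segment left the peer's port 179 for an ephemeral
        # local port: it answers a connection this router opened.
        return "reply-from-peer-port-179"
    if dport == BGP_PORT and sport != BGP_PORT:
        # The unsigned segment targets the local BGP listener.
        return "inbound-to-local-port-179"
    return "other"


def summarize(text):
    """Group identical events and sort by how often they repeat."""
    counts = Counter(parse_badauth(text))
    rows = []
    for (reason, src, sport, dst, dport, flag), n in counts.most_common():
        rows.append({
            "count": n,
            "reason": reason,
            "src": f"{src}:{sport}",
            "dst": f"{dst}:{dport}",
            "flag": flag,
            "direction": direction(sport, dport),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```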

Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Daniel Ouellet

Claudio Jeker wrote:

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with delay.

With bgpd slave
Clear session from bgpd side, session comes back up with delay.
Clear session from remote side, session comes back up with possible very 
long delay. Much bigger than when master.





I think this is fixed in -current. Henning committed something to make the
delays on neighbor clears faster.


My first tests were done with current (Sep 29), but with a small
difference in the lab setup. It was done on a live network. But I will
sure redo it again. It's too important to me not to be 150% sure it's
working well. So far, it just wasn't. I have well over 100+ peer
sessions, of which ~70+ are using MD5, and I can't not have them stable.
Plus I have no choice other than to either buy bigger Cisco routers, and
hell I don't want that! Or use OpenBSD, and that's what I want. I am fed
up with the CPU power limitations of Cisco and I will kiss them goodbye!


Even reloading the Cisco router and killing bgpd and starting anew,
it will not come up!


Always the same errors in the logs.

No MD5 digest received from the OpenBSD side looks like.




It looks like the tcpmd5 is enabled too late when opening a session.
I will try to have a look at it.


You have no idea how much I would appreciate that! I started to look at 
the code, but that's a long process for me.



===

Why will bgpd not establish a session as slave when MD5 is configured,
even if the RFC says both sides should be allowed to do so?


bgpd wants to be the master every time?

Something sure looks weird here.




That's more like a bug. Btw. MD5 between two bgpd is working, at least it
works for me.


That's what I thought, but I know better than to start saying there is a
bug. Before I do, I sure want to be sure, but it does look like it to me
so far. My tests so far show that you can have MD5 as long as
OpenBSD is master, but cleared sessions, depending on which side
initiates it, don't come back in one case and are slow in the other.
(That was with 3.7 for my last tests on this one.) Will redo.



==

But it should be established for MD5 for sure, as either side can be
the master in a BGP session.

However, not here?

Comments on this?

I think my tests are valid. Am I doing something I should be doing here?
I don't think so, but that's what I found so far and why I can't keep a
stable session with MD5 enabled on it.





For me it looks like a bug for now.


Same thought here.

Daniel



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Daniel Ouellet

Claudio Jeker wrote:

On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:


==

Without MD5 configured.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with delay.

With bgpd slave
Clear session from bgpd side, session comes back up with delay.
Clear session from remote side, session comes back up with possible very 
long delay. Much bigger than when master.





I see similar delays with my test setup. Most of the time it takes longer
for a session to come back up because of different timers that are run.
After a clear a reopen is tried immediately and that is most often
blocked. In my case the Cisco seems to be too slow to close the session in
time for the reopen.
It also matters where you close the connection because in one case the
idle timer is run (30s) instead of the connect retry timer (120s).
Also the idle timer starts to grow if you flap the session often.


The interesting fact here for me was how different it was for each
side. I did this many times, 10x+ on each setup, to see. With bgpd master
to Cisco and a clear from the bgpd side to Cisco, the Cisco session comes
back up instantly. As for Cisco master initiating a clear to bgpd, it was
the slowest by far. I mean much longer. The other two possibilities are
pretty much equal. It was an interesting finding nevertheless. Why, I am
not sure however.




Now with MD5 configured. We only add

tcp md5sig password test on bgpd side and
neighbor 66.63.12.108 password test on the Cisco side.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with possible very 
long delay.


With bgpd slave
Just can't establish a session whatsoever! The Cisco side will get
stuck in the OpenSent mode and cycle a few times, all without success.

66.63.12.108    4 65001       0       1        0    0    0 never    OpenSent




I can't reproduce this. On my test setup all session come back up.


I will try current again, and send even more details on my setup, or if
you ever want to check it out, I have no problem whatsoever providing
you access to both boxes directly for you to check it out as well. Just
say the word if interested. I tried Cisco IOS 12.3x and 12.4x, same
results so far.


Now looking at the logs from each side. OpenBSD tries to use the port
tcp/56923 and from the Cisco side we see this error:


35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 
66.63.12.108(179) to 66.63.12.107(56923) (RST)
36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 
66.63.12.108(179) to 66.63.12.107(56923) (RST)





This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST
packets. Now that's just stupid because it is not possible to do that in
some cases because the other side does not know the key at that time (e.g.
to signalize that the port is unavailable).
In your case this means that somehow the connection from the cisco to your
OpenBSD box is blocked or there is nothing listening on port 179.


Last tests at ~5 AM this morning still show me this, and nothing was in
the path blocking it at all. I will recheck as it's been a few days
without sleep so far, so I admit, I could start to be fuzzy a bit. Lack
of sleep, but I will make sure before saying false things here. But in
any case, not that I like it whatsoever, I am not sure of the
Cizzz-coee stuff. The sad thing is that they still have a huge portion
of the Internet routers, hopefully changing quickly, but still, we need
to interact with them a lot.


Looks like the OpenBSD side does not provide the MD5 to the Cisco to
establish the session.





OpenBSD only misses the MD5 digest on the RST packets and that is actually 
OK. RFC 2385 actually mentions this special case in 4.1:

   A connectionless reset will be ignored by the receiver of the reset,
   since the originator of that reset does not know the key, and so
   cannot generate the proper signature for the segment.  This means,
   for example, that connection attempts by a TCP which is generating
   signatures to a port with no listener will time out instead of being
   refused.  Similarly, resets generated by a TCP in response to
   segments sent on a stale connection will also be ignored.
   Operationally this can be a problem since resets help BGP recover
   quickly from peer crashes. 


I can deal with that delay and I agree that it makes sense to refuse the
reset, or ignore it; however, it looks like so far the session doesn't
reset. Maybe because it still receives messages from the Cisco side
on wrong ports, but somehow sees them as keepalives. I really don't know
what I am saying here, just a weird thought, but so far the results are
that it doesn't reset. I will test in more detail again. But just
know that something is not acting in the best interest of the session
here
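
The RFC 2385 signature discussed in the message above, worked through as an added example that is not part of the thread and not OpenBSD or Cisco code. It signs a SYN with the lab's password `test`, then checks an unsigned RST the way a signature-enforcing receiver would, which is the "No MD5 digest ... (RST)" case from the log; the function names are hypothetical and the TCP checksum is left at zero because the digest is computed over a zeroed checksum anyway.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
SYN, RST, ACK = 0x02, 0x04, 0x10


def rfc2385_digest(src, dst, base_hdr, payload, key, seg_len):
    """MD5 over: pseudo-header, 20-byte TCP header with checksum zeroed
    (options excluded), segment data, then the shared key."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    zero_csum = base_hdr[:16] + b"\x00\x00" + base_hdr[18:20]
    return hashlib.md5(pseudo + zero_csum + payload + key).digest()


def build_segment(src, dst, sport, dport, seq, ack, flags,
                  key=None, payload=b""):
    """Build a TCP segment; with a key, append NOP NOP + option 19."""
    opt_len = 20 if key is not None else 0
    offset_words = (20 + opt_len) // 4
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, 16384, 0, 0)
    options = b""
    if key is not None:
        sig = rfc2385_digest(src, dst, base, payload, key,
                             20 + opt_len + len(payload))
        options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, 18]) + sig
    return base + options + payload


def find_md5_option(options):
    """Walk the option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option")
        if kind == TCPOPT_MD5SIG:
            if length != 18:
                raise ValueError("bad MD5 option length")
            return options[i + 2:i + length]
        i += length
    return None


def check_segment(src, dst, segment, key):
    """Receiver-side decision for a peer configured with a key."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    sig = find_md5_option(segment[20:hdr_len])
    if sig is None:
        return "no-digest"      # what the Cisco logs for the bare RST
    expected = rfc2385_digest(src, dst, segment[:20], segment[hdr_len:],
                              key, len(segment))
    return "ok" if hmac.compare_digest(sig, expected) else "bad-digest"


def demo():
    cisco, obsd, key = "66.63.12.107", "66.63.12.108", b"test"
    syn = build_segment(cisco, obsd, 56923, 179, 1000, 0, SYN, key=key)
    # A reset sent by a stack that has no key for this connection.
    bare_rst = build_segment(obsd, cisco, 179, 56923, 0, 1001, RST | ACK)
    # A reset signed with a key that differs from the configured one.
    wrong_rst = build_segment(obsd, cisco, 179, 56923, 0, 1001, RST | ACK,
                              key=b"guess")
    return {
        "signed_syn": check_segment(cisco, obsd, syn, key),
        "bare_rst": check_segment(obsd, cisco, bare_rst, key),
        "wrong_key_rst": check_segment(obsd, cisco, wrong_rst, key),
    }


if __name__ == "__main__":
    print(demo())
```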

Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Daniel Ouellet

Chris Zakelj wrote:

Jan Izary wrote:



Recently I and several other people have worked to improve the OpenBSD
article contained in the Wikipedia, I'm sure I need not explain how it
works.

Anyways, I've worked to get as much easily accessible information
regarding OpenBSD in that article as possible and I've pretty much run
into a wall, I've got little else I can add.

I am putting a call out to the OpenBSD community at large to give a
look at the article and see if they can improve it, fleshing out
anything that has gaps and explaining some of the more complex concepts.

Things like OpenBSD centred screenshots would be nice if people would
be willing to upload them and list them in the gallery.

I would have put this on the advocacy list, but really it seems to be
dead and most advocacy seems to run through the misc list.

Thanks

http://en.wikipedia.org/wiki/OpenBSD



Looks pretty good.  My only suggestions would be to note that Nick
handles the official FAQ, and adding Daniel Ouellet as the
organizer/caretaker of the unofficial user's library.


If you have any article(s) that you want to find a home for, I would be
more than happy to provide it! Contributions have been rare, so calls
were made before, many times in fact. But actual contributions were very
far in between.

I do have two or three articles now that are waiting on my free time to
be posted. I apologize to the brave souls that actually sent them to me!
My apologies guys, but I haven't forgotten them, trust me.

As for more places to post things, my own view, and that doesn't
represent anyone else's views, is that we sure don't need to duplicate
efforts. The locations are available; it's up to the users to make it
happen.

Again, great stuff directly for the system that deserves a place on
OpenBSD.org should be sent to the always ready and incredibly brave
soul of Nick if it's of great quality for the FAQ. He sure will tell
you if it is. But first, read his requirements here:


http://www.holland-consulting.net/obsd/faq-help.html

Then send what you have based on that, either to him, if it is FAQ stuff
and of great quality, or me if that doesn't apply to the FAQ and we will
find it a home.


Daniel



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-07 Thread Daniel Ouellet

Claudio Jeker wrote:

On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:



Now with MD5 configured. We only add

tcp md5sig password test on bgpd side and
neighbor 66.63.12.108 password test on the Cisco side.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with possible very 
long delay.


With bgpd slave
Just can't establish a session whatsoever! The Cisco side will get
stuck in the OpenSent mode and cycle a few times, all without success.

66.63.12.108    4 65001       0       1        0    0    0 never    OpenSent




I can't reproduce this. On my test setup all session come back up.


Configuration with MD5.

Well, let's see if this helps or not. Two examples below. One might not
be very elegant, but I think it may well show the problem. I force bgpd
to try to be slave using some filter on the Cisco router. The filter
WILL be temporary in my case anyway, as I want the session to be stuck in
OpenSent mode and then at that time I will remove the filter and sit back
and watch. So, what happens is that the session will never come up. I
think it should anyway, but it doesn't.

Then when I see OpenSent on the Cisco router, I will simply remove the
filter to be 100% sure nothing is blocking the regular traffic and see
if the session can recover. It doesn't.

So, I use this filter to force this stage on the interface facing bgpd.

ip access-list extended bgpd-slave
 permit tcp any eq bgp any neq bgp
 deny   tcp any neq bgp any eq bgp
 permit ip any any

and apply it like this

interface FastEthernet0/0
 description Connection to OpenBSD Test Lab
 ip address 66.63.12.107 255.255.255.192
 ip access-group bgpd-slave in

I save my config and, to be ultra sure nothing else interferes, I simply
reload. No need to do that and it is stupid anyway, but just to be
paranoid here I do that.

After I can ping the Cisco for a few seconds, I initiate my bgpd on both
versions of OpenBSD and then I see the OpenSent stage on the Cisco
router, because even if it should establish a slave connection with this
filter, it doesn't. Why, I wish I knew, but anyway it doesn't. Then, when
in OpenSent mode, I remove the filter from the interface totally to be
sure nothing is in the way. Also, remember no pf is running either, and
the two servers are fresh installs with nothing on them other than the
install and then configuring bgpd. That's it.



So, when I see:

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
66.63.12.106    4 65001       0       1        0    0    0 never    OpenSent
66.63.12.108    4 65001       0       1        0    0    0 never    OpenSent

I do

no ip access-group bgpd-slave in

on my Fast Ethernet interface and then sit back. Nothing will ever happen
here. No session will ever come up. Never! It will cycle through close -
idle - active - OpenSent and then stay there for a few minutes and then
cycle again to the same point and do that over and over again.


What I see on the OpenBSD on 3.7 is

# bgpctl s neigh 66.63.12.107
BGP neighbor is 66.63.12.107, remote AS 65001
 Description: iBGP Test
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

  Message statistics:
                  Sent       Received
  Opens                    1          0
  Notifications            0          0
  Updates                  0          0
  Keepalives               0          0
  Route Refresh            0          0
  Total                    1          0

  Local host:  66.63.12.106, Local port:179
  Remote host: 66.63.12.107, Remote port: 14670

==

and at each cycle of close - idle - active - OpenSent, the port above
will change, and in current, after the first cycle, it will show

Last error: unknown error code

instead, with no port information, and error logs like this:

Oct  7 05:44:42 dev2 bgpd[21803]: startup
Oct  7 05:44:42 dev2 bgpd[14625]: route decision engine ready
Oct  7 05:44:42 dev2 bgpd[16756]: listening on 66.63.12.106
Oct  7 05:44:42 dev2 bgpd[16756]: session engine ready
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test):
state change None -> Idle, reason: None
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test):
state change Idle -> Connect, reason: Start
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test):
state change Connect -> OpenSent, reason: Connection opened
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test):
write error: Invalid argument
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test):
state change OpenSent -> Idle, reason: Fatal error

Oct  7 05:44:49 dev2 ntpd[24590]: adjusting local clock by -170.192293s
Oct  7 05:45:12 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test): 
state change Idle - Connect, reason: Start
Oct  7 05:46

Re: Sun's AMD 64 lineup

2005-10-12 Thread Daniel Ouellet

OpenBSD Admin wrote:

Does anyone have any experience with these sun boxes eg (the 'X' series
or aquarius are pretty new;

X2100
X4100
X4200


These three are new and not available now. Last time I checked with Sun,
they will start to ship early November. So, I don't expect too much
feedback on these yet! (;




v20z
v40z


The archives provide feedback on them, and the hardware support
page will give you some too.


Daniel



Re: Happy Birthday OpenBSD ! 10 years !

2005-10-14 Thread Daniel Ouellet

Marco Peereboom wrote:

Neat now OpenBSD and I share the same birthday :-)


Neat in fact! But we won't wish you happy 10th birthday right?

Or you sure would have started to bang on that keyboard very early for
sure! (; Maybe that's where some of the early bugs came from! (;

Unless you were already thinking OpenBSD before you saw the light! (:
Always possible I guess...

I know some of the OpenBSD guys really spend their life on the project,
but that would be way too much...


Happy birthday to both of you early then!

Daniel



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-18 Thread Daniel Ouellet

Hi all,

Here is my latest update on this one and a workaround as well. Not
great, but it works for now until this bug is fixed.


To reproduce the problem, you only need to enable:

ip tcp selective-ack

on your Cisco router, and as soon as you clear the BGP session set up
with MD5 on your OpenBSD from the Cisco side, regardless of OS version,
and even on current, it will never come back to life. The only way
would be for you to clear your Cisco and, when in idle mode, to clear
from the OpenBSD side; then and only then will the session come
back up.

However, you will still have a LOT of error messages in your logs
regarding this MD5 session if you look. These don't go away until a
reload is done, so on a busy network, not very friendly either, nor
practical.

*** This bug ONLY shows up when MD5 is configured WITH ip tcp
selective-ack ***

Without MD5, it's working very well thank you! Maybe the same bug is
there, but just not affecting the session; that may be possible, but I
do not know that however. My tests didn't show that to be true so far
anyway.


I have been looking at the code for a few days, and I have to admit, I
get lost at times trying to follow it. But it looks to me that it would
be either in tcp_input.c or tcp_output.c. Most likely in tcp_input.c,
in the section that processes the reset received from the remote
end. It also has to be when TCP_SIGNATURE is enabled as well, so I
would assume that it has to be common between the two, but that's just
a guess for now. Looking at the standard from September 81, pages 65
to 73, on how the process should be done, it looks like it might be
there, but I still haven't fully understood that yet. The tcp_input.c
follows that very strictly, but there has to be a step omitted someplace
and I can't put my finger on it yet. But it looks like a possibility
that replying to the remote reset with an ACK without the MD5 in the
packet may be the cause of it, but again, not sure of that fact.

Why? No problem setting up the session at the start, and it only shows
the problem when a reset is received, at which point the remote end
expects the ACK with MD5 and doesn't get it and will stay stuck in
FINWAIT1 mode forever. The OpenBSD side shows connected stage, but the
remote end shows OpenSent stage and will stay there.


The workaround I use for now is to compile a kernel with

option  TCP_SACK        # Selective Acknowledgements for TCP

disabled. Not great I have to admit, but as I do not control the remote
end of multiple peers, and some may actually use the ip tcp
selective-ack feature on their routers if they try to get more
efficiency out of it, I would be the one impacted by this, and I can't
really see myself telling them not to use it because I have a bug on my
side.

So, for now, I simply compile a kernel with TCP_SACK disabled, and
then no selective acknowledgment will be in use and all peer
sessions with MD5 will not suffer from this bug.

So, if anyone is actually using bgpd on their network AND also uses MD5,
I would recommend using, for now, a kernel without TCP_SACK enabled in
it if they do not want their BGP sessions going dead in case of a reset
from the remote end and having to do manual interventions from both
sides to get them back up. If you are 100% sure that none of your peers
actually uses this feature, then you are home free and don't even need
to change anything!


Hope this helps some, it sure helped me. I got stuck with this one and
lost a few hairs in the process. (;

Maybe someone with a better understanding of the process, and especially
of the tcp_input.c file, might find the reason for this. Great. If
possible however, if someone finds the problem, I would love, if I may
ask, to get a bit of feedback, if time allows, on how the problem was
solved, as I would love to learn that in the process. I think I am
getting close to it, but I can't put my finger on it yet. So, learning
from it would be greatly appreciated if you would be so kind!


Regards,

Daniel



Re: iptables vs pf

2005-10-20 Thread Daniel Ouellet
I actually was reading a good document on PF tonight and I came across 
this quote that I think would answer your question as to the difference 
between iptables and pf.


OK, maybe it's more poetic, but still I really liked it.

Hope it makes you think as well! (:

And I think it describes it very well if you have played with them!

Daniel

Quote:

Compared to working with iptables, PF is like this haiku:

A breath of fresh air,
floating on white rose petals,
eating strawberries.

Now I'm getting carried away:

Hartmeier codes now,
Henning knows not why it fails,
fails only for n00b.

Tables load my lists,
tarpit for the asshole spammer,
death to his mail store.

CARP due to Cisco,
redundant blessed packets,
licensed free for me.

Jason Dixon, on the PF email list, May 20th, 2004 
(http://www.benzedrine.cx/pf/msg04702.html)




Re: C++ exceptions with OpenBSD 3.6 on amd64

2005-10-21 Thread Daniel Ouellet

Chad M Stewart wrote:
And if you'd pre-ordered 3.8 then you might have gotten an email like I
did today. :-) Now I just need enough revenue from my new company so I
can replace all of my servers with real boxes like V20z and X4100.
Funny now that I'm no longer an employee of Sun I'll potentially be
purchasing more hardware from them than when I was an employee.


Well, welcome to the self employed world!

Just two things for you here!

First, your business WILL be successful because you already made the 
most important decision of all! You picked OpenBSD to run your business 
with! I did that 7 years ago after doing research for an efficient OS and, 
most importantly to me then and still now, security. Small businesses have 
limited resources, and wasting your time trying to have your servers 
stay stable is not something that will be productive and help you! Many 
times, small businesses are a one-man game, or just a few friends at best, 
so all the time you have available needs to be put into making your 
business work!


The last thing you need is spending it doing patches and rebuilds like 
with Micro$oft, God help me here! (:


Now the second thing, however: make sure you pick hardware that is fully 
supported and make your choices wisely. The X4100 is too new and not out 
yet, nor do we know if it is supported yet. I love the box myself and I 
most likely will get one to test, but that's only because now I am able, 
within limits obviously, to get hardware and then put it on the shelf for a 
year if need be because it doesn't work now.


For the V20z, as far as I know, it works well!

So, welcome to the big OpenBSD small successful businesses!

You have already done the most important work!

Pick the right OS to get some most definitely needed good sleep in the 
months ahead! (: With OpenBSD on your server, you KNOW you can sleep at 
night when you actually have time to do so when you build your own business!


Good luck to you and welcome to OpenBSD!

I chose that OS 7 years ago and NEVER looked back!

Daniel

PS: Just a wise piece of advice however: make it a policy to keep upgrading to 
the new OS when they release it as well, and don't use the excuse that it 
works now, so why change it! I suffered this overconfidence stage with the 
release 3.0 where I got bitten, by my own fault I have to admit, by the 
only bug ever known to OpenBSD and that Christmas, almost put me out of 
business! No one else to blame but myself on that one! I had always been too 
busy doing business work and felt that I could wait a bit more to 
upgrade my server, and why do it, it works well as it is now! If I can 
offer one piece of advice, take it from my own stupidity and don't do that one! 
There are plenty of other ones you will make! (:




Re: OpenBSD MetaStore: Distributed hosting?

2005-10-23 Thread Daniel Ouellet

Please guys, can we stop this fight over who does what and how to be 
accessible from where.


In the interest of bringing peace back on misc@ I will extend the offer 
to host this on a high capacity network if the community really wants it.


More than once the community always says, yes this is great, we need 
that, why don't we have this, and someone should do it!


So far, each time this happened, it was more wind talk than anything 
else and was never pursued for real! With few exceptions, to be fully 
honest, for some really brave souls that actually stepped in here and 
contributed something! But in every case, the wind blows and then the 
leaves fall on the ground to leave empty trees that never see the spring 
again!


If you really want it and if that is useful to some, I will offer to 
make it available to EVERYONE!


But, please understand this! STOP bugging the project with these things, 
they do what they do best and they don't need this to improve our 
beloved OS! So trying to make that part of the official project is 
really wasting everyone's time.


And finally, no hardware company, or very few if you search the archive, 
ever contributes back to the project, so if you think this might become a 
source of income for the project it's really a utopia! You want the 
project to get more income, well as far as I know, it's there:


http://openbsd.org/donations.html

Just give. To think you can set up something that will turn into a source 
of income and that the project will take under its wing is having your 
eyes closed and not knowing that no one will step up to actually do it and 
make it work, and the devs HAVE other things to do, nor are they 
interested in doing this! Don't forget, they do this OS for themselves and 
offer us the benefit of using it! They don't need a site providing 
supported hardware for them to see what they should use or have!


For crying out loud! If they like some hardware and it's not working for 
them! How long do you think it will take them to make it work on it if 
they really want it, hmmm!!!


Do you think they will even care about what's supported or not!!!

Think about it for a few seconds and you will have your answer!

Look at the Sharp Zaurus C3000 PDAs. It was a new CPU and OpenBSD 
wasn't designed for it at all, but hey, they like that little box, so how 
long did it really take them!? If they want it, they don't need any of 
us to tell them what hardware it might work on! If they want it really 
badly, they will simply make it work for themselves!!!


So, I am done. I really didn't want to fall into answering this thread, 
but here I did, shame on me for doing it! I will not answer more on this 
list either for this thread.


If some of you want this moved, or hosted elsewhere, or want to provide me the 
data to make it public, I will be more than happy to do so, but do it 
off list and let's stop this fight here please!


Can we do that?

I wasted way too much of everyone's time already! Sorry for doing so!

Now NO ONE has any reason to continue complaining about this anymore. 
You want this elsewhere, fully accessible, I make the offer to do it in 
the interest of peace!


So, either put up or shut up!!! What will it be?

Your move next! And lets take it off list please!

Best regards,

Daniel



Re: openssh in other products

2005-10-25 Thread Daniel Ouellet

ok, i have sent them some nice feedback.
if some other people want to voice their dismay,
you can do it here: http://www.docs.hp.com/en/feedback.html
keep the flames in your fireplace at home,
probably just a massive typo...


Thanks. Feedback sent in officially from my business with the list of 
hardware I got from them as well!


Daniel



[Fwd: Re: Your web comment on docs.hp.com]

2005-10-25 Thread Daniel Ouellet

Some feedback already.

Keep sending the feedback.

They extracted only that part from my email to them however.

I wrote more than that and strongly suggested that a politically correct 
move would also be to give some hardware back to the project they 
benefit from as well!


At a minimum, respecting the license and putting a URL back to the project 
would be a minimum they could and should do!


Hope this helps any! I won't hold my breath however, but maybe they will 
feel guilty and do something... Maybe


Daniel


 Original Message 
Subject: Re: Your web comment on docs.hp.com
Date: Tue, 25 Oct 2005 12:28:58 -0600
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]

Hi Daniel,

You sent feedback to Hewlett-Packard:


However, seeing how you don't even give credit, or respect that license of 
OpenSSH that you DO use in your product makes me very sad at best! The license 
for OpenSSH is not a public domain like you point out here:


We regret this error and are in the process of notifying the author to
immediately correct the book. Once corrected, it will be re-published
with the correct attribution.

At no time does Hewlett-Packard ever want to mis-represent the hard
work of the Open Source Community.  We are proud of our participation
in the Community and regret this mistake.

Thank you for calling it to our attention.

And thanks for using docs.hp.com,



Re: PHP-MySQL-Apache madness!

2005-11-06 Thread Daniel Ouellet

Kelly Martin wrote:

OpenBSD kernel panic'ed or was otherwise unresponsive. A full reboot
was required by pulling the plug, because the console would not
respond (I walked my brother through this over the phone - remote
location). When the system came back up, Apache would not start.


I know you wrote not to suggest upgrading to 3.8, but it looks to me that 
you have your brother available to help. I know I wrote the instructions 
before for a friend that had never even touched Unix in his life on how 
to set this up (OpenBSD). If you think about it for a few seconds, I 
would definitely argue that you would have lost less time by writing the 
instructions and sending them to your brother, letting him wipe it clean and 
bring it back up, where you can then ssh to it and do all that you need 
from that point. From the CD, or even from the bsd.rd version, setting 
up a box is really quick. OK, if you need to download the full system 
from the bsd.rd version over ftp it may take a bit more time, but still, 
a few simple questions to answer and you are home free, unless you really 
don't trust your brother, but even then...


Not what you want to hear, I know for sure, but just think about it...

I am sure it would take you less time this way and you would not have to 
deal with madness...


I am sure you can set up your box from scratch in less than 10 minutes 
with a CD. Have your brother do that over the phone if you have to. I am 
sure he will feel good in the end and your problem will be gone as well, 
plus you would have an upgraded version.


Think how much time you already spent on it.

Hope this provides you some moral support anyway.

Daniel



Re: pf.conf to only allow port 22, 25 and 80 to my server.

2005-11-07 Thread Daniel Ouellet

Larry Llong wrote:

I just want to allow port 22, 25 and 80 to my server.

I know I can activate and deactive pf with -e and -d, but that doesn't 
seem to reload the configuration. Does it?


Read the information available here:

http://openbsd.org/faq/pf/index.html

Or even a very good step by step with lots of explanations here:

http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or
http://www.bgnett.no/~peter/pf/en/ in html.

Much better to understand what you are doing instead of using the cut 
and paste configuration of someone else.


Peter's document will surely get you started and provide you valuable 
information in a step by step if you need that.
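
For the question asked in this thread, an added example (not from the original post or the linked guides): a shell helper that writes a default-deny ruleset passing only the listed inbound TCP ports, then parses it with `pfctl -n` before loading it with `pfctl -f`. The interface name `em0`, the file path in the usage comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build a default-deny pf ruleset for a short list of inbound
# TCP services and load it safely. Interface name and paths are assumptions.

# pf_ruleset IFACE PORT...
# Prints the ruleset on stdout; returns 2 on bad input so that a typo never
# ends up in the file that gets loaded.
pf_ruleset() {
    ext_if=$1
    [ $# -gt 0 ] && shift
    case $ext_if in
        ''|*[!A-Za-z0-9]*) echo "bad interface name: '$ext_if'" >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 2; }

    ports=
    for p in "$@"; do
        # digits only, no leading zero, at most five digits
        case $p in
            ''|0*|*[!0-9]*|??????*) echo "bad port: '$p'" >&2; return 2 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 2
        fi
        ports="${ports:+$ports, }$p"
    done

    cat <<EOF
ext_if = "$ext_if"
tcp_services = "{ $ports }"

# leave loopback traffic alone
set skip on lo0
# default deny for everything arriving on any interface
block in all
# the server may talk out; replies are matched by state
pass out all keep state
# only new TCP connections to the listed services get in
# (stateful options written out explicitly; later pf releases apply them by default)
pass in on \$ext_if proto tcp from any to any port \$tcp_services flags S/SA keep state
EOF
}

# pf_reload [FILE]
# -e and -d only switch pf on and off; the rules are (re)loaded with -f.
# -n parses the file without loading it, so a syntax error leaves the
# running ruleset untouched.
pf_reload() {
    conf=${1:-/etc/pf.conf}
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 127; }
    pfctl -nf "$conf" || return 1
    pfctl -f "$conf"
}

# Usage on the firewall host (as root), file name is an assumption:
#   pf_ruleset em0 22 25 80 > /etc/pf.conf.new && pf_reload /etc/pf.conf.new
```
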




Re: Telnet daemon retired in 3.8 ?

2005-11-07 Thread Daniel Ouellet

Matthew S Elmore wrote:
I cannot appear to locate a telnet daemon in 3.8 installs now. It 
appears to have silently disappeared between 3.7 and 3.8.


Not really silently, but not with a huge party either.

http://marc.theaimsgroup.com/?l=openbsd-cvsm=111700017509177w=2

I know it was announced as well, can't put my finger right away on the 
article, but definitely it was talked about and said to be gone.


A good thing really!



Re: Anyone tried a sun fire X2100 server yet?

2005-11-08 Thread Daniel Ouellet

Will H. Backman wrote:

Anyone put OpenBSD 3.8 on a Sun Fire X2100 AMD server yet?



Not yet. My shipping date for the X2100 is:

**BACK ORDERED ETA OF 11/22/05**


For the X4100, well...

**BACK ORDERED CONSTRAINED** (NO ETA AS OF 11-07-05)

So, my guess is not before December will I be able to put my hands on 
one at best.


Any feedback prior to this obviously would be more than welcome!



Re: pf.conf to only allow port 22, 25 and 80 to my server.

2005-11-08 Thread Daniel Ouellet

Larry Llong wrote:

this list is no where as bad as people say.


The list is very good and welcoming to users that do their homework and 
try to find the answer first before asking. I think it's even one of the 
best ones, if not THE BEST one!


People that told you the list is bad are most likely the ones that didn't 
even read the wonderful FAQ to start with and that expected others to 
tell them what to do! I am the lazy King of the Unix, please feed me my 
meat with a spoon...


You will find that the more research you do, the more welcome you will be and 
the more help you will get! In short, if a person doesn't want to help themselves, 
none will jump the cliff to help them, why should they!




Re: mysql problem

2007-07-13 Thread Daniel Ouellet

Marcos Laufer wrote:

Now what?


http://openbsdsupport.org/mysql.htm



Re: mysql problem

2007-07-15 Thread Daniel Ouellet

Marcos Laufer wrote:

Ok , i had followed the instructions at http://openbsdsupport.org/mysql.htm


Go back and read again many times over until you get it.

You didn't read it and you didn't pay attention to the statement in bold 
either. I could tell you what to do to fix it, but then you wouldn't 
learn from it. If it wasn't explained there, I would be happy to tell you, 
but it is there and pretty clear as well.


You get the error #9 that is exactly explained there and instructions on 
how to address that are provided as well.


Read it please and you will see your mistake.

Just a hint in the text:

Remember, if you don't do this, it will use the default class! Same if 
you restart MySQL manually! Class are read and use on login


Hope this helps you.

Also, there is reference to man pages there. You looked at them too, right?

Best,

Daniel



Re: mysql problem

2007-07-15 Thread Daniel Ouellet

Marcos Laufer wrote:

Ok , i had followed the instructions at http://openbsdsupport.org/mysql.htm


I also forgot to add this as well in my previous reply, also in the text 
of the document you have been pointed to.


So, be wise and change what you need to change for your setup! But only 
what you need to absolutely change. Don't go nuts and start turning 
knobs left and right. That may well be what you need to do on some other 
Unix, or variations of... But on OpenBSD the default setup is really 
good and is done as such to protect yourself. The bottom line is: don't 
change what you don't need to change and know what you do and why!


So, just don't go put big numbers and any numbers anywhere to make it 
work. This will give you more problems in the future. Do what you need to 
do for your setup and just that. And more importantly, learn why you 
need to do them, it will help you in many other situations.


Best,

Daniel



Re: mysql problem

2007-07-16 Thread Daniel Ouellet

Marcos Laufer wrote:

When i post a message on the OpenBSD misc list it is because one
of two reasons:


Mostly one looks like.


1) I want to report an error i found while testing OpenBSD, and by
reporting it i might be helping the project, somebody might be able
 to fix it and the OS grows.

2) I could be asking for help to the OpenBSD users, as it was this case.
I know this was not an OpenBSD or MySQL problem, but a
configuration problem , and  maybe some other OpenBSD user might
 have already been there and willing to help other OpenBSD users to
work things out.


And you got lots of help from many. Just for fun however, I looked to 
see how many times you actually helped or replied, versus how many times you 
actually started a thread asking for help, or provided unhelpful 
feedback but added to complaints:


http://marc.info/?a=11490241131r=1w=2

You do as you see fit, but it doesn't look to me like a lot of help, but mostly 
requests. So, take, but give back. I am not saying I help as much as 
many on this list, some are very, very helpful, but I do my share when I 
know the answer, or can help anyway.



If you are an OpenBSD developer then i must tell you that i understand
your 'I could tell you what to do to fix it, but then you wouldn't learn
from it' attitude .
It's logic to think that developers want users to learn how to handle the OS
and how to properly use it.

If you are not an OpenBSD developer, but an OpenBSD user instead ,
then i must tell you that your 'I could tell you what to do to fix it, but
then you wouldn't learn from it' attitude just sucks.
I was asking for help, i mentioned that this was a production
server with 100 databases on it and i was urged to solve
it fast. That's why i asked help to other OpenBSD users who might have
suffered this problem on a production server and needed to solve it fast.

But i will take a shot and assume you are just another OpenBSD user, just
like me and many others looking for help in this list .
So , Daniel consider this : Next time i ask for help on this list , my post
won't be meant to be answered by you , i now know that you don't have a
helping community spirit but a 'bofh' attitude instead probably due to a
wannabeadeveloper feeling. If you want to help a user to solve his problems
that's just fine, but to talk other users in that tone, to me for example,
i won't allow it.


You got many replies to help you and tell you exactly where to look.

How can it be more specific than that?

You get the error #9 that is exactly explained there and instructions on 
how to address that are provided as well.


In short your class wasn't used properly. The rest is for you to find why 
in your case.


Your problem was, as you explained it, due to a modification on the
mysqld_safe script, so instead of complaining to me, or others, for the help 
we extended to you and pointed you where the problem was, maybe you 
should kick the head of the admin that actually did something very 
stupid here in the first place by changing an application script instead of 
doing a properly done setup!


In the end, it still stands. The error was with not using the class 
properly, period.


I said that it's important to learn from it, then you just learned that 
changing scripts to fix an issue quickly instead of doing the right 
thing will bite you in the future.


Granted, as you said, it wasn't you, so you got stuck by it, so be it. But 
don't get upset at me for helping you as no one could have told you that 
the problem was in the script changed, but that your setup simply didn't 
use the class properly and that's what the problem was. Up to you to 
find out why in your setup.


Even in the same document I explain how to test the exact error you got, 
error #9 by doing this:


mysqlcheck -m -A -uYourUsers -pYourPassword

If you get the error #9, then you simply don't use that class properly.

I think I provided you as much help as I could possibly have done in 
this instance. It's pretty obvious.


Get upset at the one that did this stupid thing and learn from it.

In the end, you can be upset, but still the document that you read and 
worked with, I wrote it and it helped you anyway. So, you can say 
whatever you want, I still helped you, even if you don't like it.


But if that makes you feel better and relieves your frustrations, sure you 
can get upset at me. I have a pretty thick skin and have seen way worse as well.


Learn to get upset at the right people.

So, you are welcome!

Best,

Daniel



Re: support for Sun Fire

2007-07-16 Thread Daniel Ouellet

Toni Mueller wrote:

Hi Mark,

On Tue, 29.05.2007 at 14:13:06 +0100, mark reardon [EMAIL PROTECTED] wrote:

I just got a x2100 M2 from Sun yesterday on a 60 day trial and am having
trouble setting the MTU on one of the bge NICs. Just some initial findings.
Not a big problem for me really.


did you get it to run OpenBSD properly? Which model do you have?


I have one as well. Some results are in the archive as well, but my biggest 
gripe with it is with the admin console for this unit. Sun really cut 
way too short on it to make it a decent remote admin box. Plus they share 
the BGE with the admin port, instead of the nVidia, which I could do 
without. The box is not bad, but could be better. It's more expensive, 
but it makes me definitely switch to the 4100 instead. I only got one, 
and wouldn't get another one, unless it's not in a remote setup 
configuration, which is pretty rare these days.


Even the serial console is limited in operation and works until OpenBSD 
starts, when it goes dead. Then you can do some more from the Ethernet 
port instead, but then if you reboot the box, you lose the admin on the 
Ethernet port and need to go back to the serial console.


My own feedback is: not a top of the line box, but not the worst either. 
Just not as good as it should be for me to recommend it however. It works 
well in some setups, not all.


YMMV,

Daniel



Re: support for Sun Fire

2007-07-16 Thread Daniel Ouellet

Dag Richards wrote:

I would recommend you take a look at the HP DL360,
one U
hardware raid
and have nice little management interface you can ssh to
which allows pretty complete console access, go into bios, watch boot 
messages, power set the system.


The Sun 4100 is a pretty good one as well. I have a few of them and I am 
happy so far. If you can swing the difference in price however.


The HP-145 M1 and IBM e326, which both work well, with the IBM giving 
me some minor issues every few months, but looks like it cleared up over 
time with various upgrades.


However, a few more months before I can tell more, but so far it looks like 
the Sun 4100 would be my favorite, especially if the built in RAID can be 
made to work, and I know based on the archive that there is/was some work 
done on it.


That's all for my feedback on this.

Best,

Daniel



Re: Allocate more memory than 512 MB with squid

2007-07-18 Thread Daniel Ouellet

Patrick Hemmen wrote:
Squid runs under the user _squid and this user is in the login class 
daemon in which the data size is set to infinity. Or do I have to set 
a another capability?


How do you start your squid is the key.

man 5 login.conf
man 8 rc

explain it. Just putting the class there for a specific user doesn't 
make it use it unless you specify that class at the start in your rc.local


It's not for squid, but check the principle and ideas here:

http://openbsdsupport.org/mysql.htm#/etc/login.conf
http://openbsdsupport.org/mysql.htm#/etc/rc.local

You will see that unless you specifically tell it to use it, it will not 
use it and only gets the default class no matter what you put in there.


Hope this helps you.

Daniel



Re: VPN site to site with ipsec

2007-07-23 Thread Daniel Ouellet

sonjaya wrote:

http://www.openbsdsupport.org/vpn-ipsec.html


This is almost 3 years old and there are so many changes, please don't 
follow this on 4.1!


I most likely will remove it if we can get an updated version.


Consider this:

http://www.serverwatch.com/tutorials/article.php/3659686

or

maybe this:

http://www.securityfocus.com/infocus/1859

But just read the man page, which will help you much more.

There were major changes to this to make your life much simpler.

Best,

Daniel



Re: VPN site to site with ipsec

2007-07-23 Thread Daniel Ouellet

sonjaya wrote:

http://www.openbsdsupport.org/vpn-ipsec.html


Maybe you could also have a look at this nice presentation that shows 
many changes done on OpenBSD.


You can start here to see some OpenBSD suggestions, but you can look at it 
all as well as it's nice. (;


http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00057.html



Re: dmesg amd64-current on Sun Fire X4600 M2

2007-08-28 Thread Daniel Ouellet

Rolf Sommerhalder wrote:

Please find below the dmesg of amd64.mp-current (snapshot 23-Aug-2007)
on a Sun Fire X4600 M2 which is equipped with four dual-core Opteron
8220 CPU, 32 GB of RAM and four built-in NICs.


Sadly, the only problem is that you will not be able to use that much 
memory here.




Re: Options for 1U server with watchdog?

2007-09-07 Thread Daniel Ouellet

K K wrote:

happens on the same approximate schedule.  I suspect a power glitch.


If this is a power glitch to the point of affecting your server, wouldn't 
the LOM also show that to you? Then you would know the answer.


lom>loghistory
Eventlog:
   +0h35m1s host power on
   +0h37m51s host power off
   +0h0m0s LOM booted
   +0h0m4s host power on
   +279d+16h50m55s host reset
   +279d+17h2m22s host reset
   +279d+17h8m9s host reset
   +298d+18h49m51s host reset
   +298d+18h57m39s host reset
   +298d+19h9m31s host reset
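
The reset pattern in the LOM event log above can be checked mechanically. This added example (not from the original message) converts the `+Dd+HhMmSs` stamps to seconds, groups `host reset` entries that fall within an hour of each other into bursts, and prints the gap between bursts; it assumes the stamps count from the most recent `LOM booted` entry, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: timeline analysis of a LOM event log.
# Assumption: each stamp is the time elapsed since the last "LOM booted" entry.

# Event log as quoted in the message above.
LOM_LOG='   +0h35m1s host power on
   +0h37m51s host power off
   +0h0m0s LOM booted
   +0h0m4s host power on
   +279d+16h50m55s host reset
   +279d+17h2m22s host reset
   +279d+17h8m9s host reset
   +298d+18h49m51s host reset
   +298d+18h57m39s host reset
   +298d+19h9m31s host reset'

# awk helper shared by the functions below: "+279d+16h50m55s" -> seconds,
# or -1 when the stamp does not parse completely.
LOM_AWK_LIB='
function secs(stamp,    s, total, num, unit, mult) {
    if (stamp !~ /^\+[0-9]/) return -1
    s = stamp
    gsub(/\+/, "", s)
    total = 0
    while (match(s, /^[0-9]+[dhms]/)) {
        num  = substr(s, 1, RLENGTH - 1) + 0
        unit = substr(s, RLENGTH, 1)
        mult = 1
        if (unit == "d") mult = 86400
        else if (unit == "h") mult = 3600
        else if (unit == "m") mult = 60
        total += num * mult
        s = substr(s, RLENGTH + 1)
    }
    return (s == "") ? total : -1
}'

# lom_seconds STAMP -> seconds since LOM boot (or -1)
lom_seconds() {
    awk -v stamp="$1" "$LOM_AWK_LIB"'
    BEGIN { printf "%d\n", secs(stamp) }'
}

# lom_bursts [WINDOW_SECONDS] < log
# Prints one line per burst of host resets: "<epoch> <start_seconds> <count>".
# The epoch number goes up at every "LOM booted" entry, because the clock
# restarts there and stamps from different epochs cannot be compared.
lom_bursts() {
    awk -v window="${1:-3600}" "$LOM_AWK_LIB"'
    function emit() {
        if (count > 0) printf "%d %d %d\n", epoch, start, count
        count = 0
    }
    $2 == "LOM" && $3 == "booted" { emit(); epoch++; next }
    $2 == "host" && $3 == "reset" {
        t = secs($1)
        if (t < 0) next                     # skip unparseable stamps
        if (count > 0 && t - last > window) emit()
        if (count == 0) start = t
        count++
        last = t
    }
    END { emit() }'
}

# lom_gaps < output of lom_bursts
# Prints the seconds between consecutive bursts within the same epoch.
lom_gaps() {
    awk 'NR > 1 && $1 == prev_epoch { printf "%d\n", $2 - prev_start }
         { prev_epoch = $1; prev_start = $2 }'
}

printf '%s\n' "$LOM_LOG" | lom_bursts 3600
printf '%s\n' "$LOM_LOG" | lom_bursts 3600 | lom_gaps
```

On the quoted log this gives two bursts of three resets each, about 19 days apart, with no `LOM booted` entry between them.
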



Re: bioctl on X4100 M2

2007-09-07 Thread Daniel Ouellet

Henning Brauer wrote:

bio is not implemented for mpi (yet).
bioctl in 4.2 onwards shows some inquiry data (vendor model fw serial) 
for non-bio-capable disks. i. e. it falls back from bioctl -i to bioctl 
-q if the disk doesn't support bio.


Thanks Henning!



Re: bioctl on X4100 M2

2007-09-07 Thread Daniel Ouellet

Jonathan Gray wrote:

mpi(4) currently has no bioctl support.

The  2 port LSI SAS RAID (mfi(4)) supports bioctl, however
sun don't sell any machines with this interestingly enough.


Thanks! That's what I figured, but wanted to check in case I wasn't 
looking at the right place. Oh well. Maybe one day. One guy can dream.


Thanks



Re: OT: Sun X4100 M2 management interface out of wack suggestions?

2007-09-10 Thread Daniel Ouellet

Hi,

Quick updates on this one.

My problem is now solved and I got very nice help from some gentlemen 
working at Sun that stepped in off list to help me out and all is now 
finally working.


Nice to see some good guys following misc@ and being interested in making 
sure Sun hardware (some of it anyway) works with our favorite OS.


Thanks

Daniel



Re: Show your appreciation and get your 4.2 DVD

2007-09-11 Thread Daniel Ouellet

On Tue, 11 Sep 2007, Siju George wrote:


Can't find a DVD in

[snip]

As stated in the beginning of this thread,
DVD discs are not available, just CDs in DVD case.


Yes guys. It was my mistake in my Divine Vast Drooling ecstasy of the 
event instead of the Complete Domination release of 4.2. I made a 
mistake in my emails. I guess when I wrote it, I was too excited and cut 
off on some words.


Excuse my mishaps that so many enjoy pointing out. It was just that, a 
mistake.


Nevertheless, don't let that hold you up and go get your new release 
of your Complete Domination in a Durable Valuable Docket. (;


Best,

Daniel



Re: unstable and multiple reboot for 4.2 on Sun X4100 M2 with ACPI enable on AMD64 bsd.mp with SAS RAID 1 setup.

2007-09-12 Thread Daniel Ouellet

Rolf Sommerhalder wrote:

I did observe similar behaviour on four X4100 M2 as well (two with one
socket dual-core, two with two sockets dual-core Opterons) using amd64
bsd.mp snapshots from 23 and 28 Aug..

Currently, amd64 bsd.mp snapshot 28. Aug is running stable on those
four servers, although using a single SAS disk without RAID.


You said same action above for 23 & 28, and here you say stable for 28? 
However, I have it unstable for the 28 for sure.



Several days ago, there was a commit in kernel CVS about delaying
start of IPMI which is causing annoying delays at startup of amd64.
Eventually, a more recent snapshot becomes available which includes
this modification, before I get around to build a -current kernel.



I just looked now on the site and the latest snapshot was done just a 
few hours ago:


ftp> ls pub/OpenBSD/snapshots/amd64/bsd.mp
227 Entering Passive Mode (129,128,5,191,167,61)
150 Have a Gorilla.
-r--r--r--1 1114 1114  6708422 Sep 11 23:14 bsd.mp
226 There, everyone likes a Gorilla.
ftp>

So, I am not sure what testing you did, unless you built your own. New 
snapshots were just released now, which I will be happy to test tonight 
and see the results and report back.


Thanks

Daniel



Re: unstable and multiple reboot for 4.2 on Sun X4100 M2 with ACPI enable on AMD64 bsd.mp with SAS RAID 1 setup.

2007-09-12 Thread Daniel Ouellet

Here is the new dmesg for current.

So far the boot process is much faster and does not hang anymore.

I am doing installs on three more boxes now and will do a bunch of reboot 
cycles to see the end results.


Still some acpi not configured in the dmesg, but so far it does look better.

Also, note this is on the latest bios and ilom as well as the latest SAS 
drivers as well. Not the ones that come directly from Sun.


ILOM: 1.1.8
BIOS: 39, not the standard 34 version.
SAS: 1.16.40, not the 1.16.00

More later.

Daniel

==

OpenBSD 4.2-current (GENERIC.MP) #1384: Tue Sep 11 22:09:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3757625344 (3583MB)
avail mem = 3635904512 (3467MB)
User Kernel Config
UKC> enable acpi
270 acpi0 enabled
UKC> exit
Continuing...
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xfbd50 (70 entries)
bios0: vendor American Megatrends Inc. version 0ABJX039 date 04/11/2007
bios0: Sun Microsystems Sun Fire X4100 M2
acpi0 at mainbus0: rev 2
acpi0: tables DSDT FACP APIC SPCR SLIT OEMB HPET IPET SRAT SSDT
acpitimer at acpi0 not configured
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Dual-Core AMD Opteron(tm) Processor 2216, 2393.94 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Dual-Core AMD Opteron(tm) Processor 2216, 2393.64 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Dual-Core AMD Opteron(tm) Processor 2216, 2393.64 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu2: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Dual-Core AMD Opteron(tm) Processor 2216, 2393.64 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
ioapic0 at mainbus0 apid 15 pa 0xfec0, version 11, 24 pins
ioapic1 at mainbus0 apid 16 pa 0xfeafd000, version 11, 7 pins
ioapic1: misconfigured as apic 0, can't remap to apid 16
ioapic2 at mainbus0 apid 17 pa 0xfeafc000, version 11, 7 pins
ioapic2: misconfigured as apic 1, can't remap to apid 17
ioapic3 at mainbus0 apid 14 pa 0xfeaff000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 4 (P0P4)
acpiprt3 at acpi0: bus 5 (P0P5)
acpiprt4 at acpi0: bus 128 (PCIB)
acpiprt5 at acpi0: bus 133 (POGA)
acpiprt6 at acpi0: bus 134 (POGB)
acpiprt7 at acpi0: bus 131 (BR5D)
acpiprt8 at acpi0: bus 132 (BR5E)
acpiprt9 at acpi0: bus 255 (PCIC)
acpiprt10 at acpi0: bus -1 (POGA)
acpiprt11 at acpi0: bus -1 (POGB)
acpicpu at acpi0 not configured
acpicpu at acpi0 not configured
acpicpu at acpi0 not configured
acpicpu at acpi0 not configured
acpibtn at acpi0 not configured
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca4/2 spacing 1
pci0 at mainbus0 bus 0: configuration mode 1
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0: disabled to avoid ipmi0 interactions
iic1 at nviic0: disabled to avoid ipmi0 interactions
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: apic 15 
int 11 (irq 11), version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: apic 15 
int 5 (irq 5)

usb0 at ehci0: USB revision 2.0
uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
pciide0 at pci0 dev 6 function 0 NVIDIA nForce4 IDE rev 0xf2: DMA, 
channel 0 configured to 

Re: unstable and multiple reboot for 4.2 on Sun X4100 M2 with ACPI enable on AMD64 bsd.mp with SAS RAID 1 setup.

2007-09-12 Thread Daniel Ouellet

Tobias Weingartner wrote:

In article [EMAIL PROTECTED], Daniel Ouellet wrote:
 So, I am not sure what testing you did, unless you built your own. New 
 snapshots were just released now, which I will be happy to test tonight 
 and see the results and report back.


If you guys could test out my ACPI diff I posted to tech@, that may help.



I follow tech@ as well, but I guess I missed that one. I will check it out 
and see what comes out of it. I assume it's not in current now, right?




Re: The Atheros story in much fewer words

2007-09-13 Thread Daniel Ouellet
I have been very quiet on this for weeks now, but this really starts to 
piss me off at the highest level!


The bottom line is original work was stolen and copyrights are not 
respected period!


Dance as much as you want around it, hide behind lawyers, word 
definition twisted, false pretend, what not! The facts remain. Any half 
brain, even with a lobotomy on top of that can get that! Even a monkey 
knows when you give him a banana and when he steals it! I guess this 
gives us a reference point here to compare it to.


This really makes me lose any kind of respect whatsoever for the FSF, 
SFLC, GNU and what I will have to call now the Evil GPL side all 
together. It has never been my favorite choice, but I respected it before 
and understood why someone would pick that license, now, more and more 
not only do I dislike it, lost respect for its use and now start to 
hate it badly too. Where will it stop! I for one now know for sure. I 
will never release anything under GPL EVER!!! Or even promote its use. 
I see no good from it and no good intentions either from its defenders 
anymore.


Looks to me they are pretending to protect against the evil Micro$oft 
empire and others, but looks to me big time now that even Micro$oft is 
the nice guy here.


Even Solaris and Sun finally start to see the light and come slowly on 
the right side. At a minimum, the evil Micro$oft like GPL clan likes to 
call them, respects the copyrights and you can see it in their code!


This pisses me off so bad now that you can count me in as a partial 
funding source should Reyk decide to get his rights corrected and to put 
back the open source community where it should be.


Working together for the greater good, not against one another for the 
benefit of the corporations. I am sure for once they are enjoying this 
very much, and make no mistakes about it. The corporations have a lot 
more to gain to see this going down the tube, so I would see very much 
that they would be interested to finance such a case to discredit, 
destroy and remove the open source for their ways, and then get back to 
a hold you by the balls situation like it was many years ago!


I guess this Robbery by higher drain wash power theft on one side, 
forget what they are fighting for!


Just reminds me of many wars in history, many times it starts for 
some stupid issue between two higher dictators refusing to see the common 
good for their people and then after 20 years of fighting by others, 
everyone hates the other side, but they have no clue what they are 
fighting for and just keep killing, and none can tell you why it 
actually started! But the two dictators enjoy more power and control in 
the end.


You want to control the masses, don't educate them, give them something to 
focus their thoughts and force them to fight without having the time to 
look back and you control them forever.


Looks to me if a corporation wanted to kill the open source, they 
couldn't pick a better way to do it and here the GPL is walking right 
into it! Or maybe some guys are well paid to create the problem and 
destroy from inside what they can't kill from outside.


There was a lot of press a few years ago on how Linux was killing 
Micro$oft and it wasn't good for innovations and all that bullshit. Looks 
to me, not that much anymore as it just couldn't kill it and more and 
more people were joining in anyway as a freedom choice. What happened to 
that now! Then just do what was done a very long time ago. Kill it from 
inside then. Le cheval de Troie


Take your pick!

Best,

Daniel

PS: Sorry for this writing and I do not want to write again on this. But 
rights are broken and stolen and it's wrong and needs to be corrected 
period!




Re: OpenBSD Install Goal

2007-09-13 Thread Daniel Ouellet

On Thu, 13 Sep 2007 20:35:35 -0400, Stephan Andre' wrote:


I hope one day soon OpenBSD will adopt a nice ncurses setup similar
to something like FreeBSD with ease to it.

Honestly, I don't see why.  How is making the installer more
complicated going to help anything?

I recently sat a friend down to show how easy an install was.  This
was on a 400MHz Dell with a 10G disk.  Putting the disk in the box
to having a system that booted up took 11 minutes, with me 
making comments about each step.  


Once the machine came up, I said it was done, the system was ready
to use.


To me ease of install and improvements is what's already done and added 
from time to time that shows really how this is so easy and better. Example, 
sure here is one that I noticed in 4.2 and the first time, I read it as 
it was different and I was used to always doing the same thing, maybe not 
in 3 minutes flat like J.C., but maybe 4:15. I guess he has a faster box 
than me. (; Anyway, to the point.


In 4.2 there is the new way to specify your ntp server at install 
time. I always used to go back in and change it manually every time. Now 
I don't have to, so it shaves a few seconds off the install now for sure.


That's improvements. GUI and what not doesn't add anything and actually 
slows down the process. Simple is better.


Now, if you were talking about adding a way to change the root 
destination in the aliases at install time and allow me to specify it, 
then that would be an improvement as well and I wouldn't have to go back in 
and change it each time as well. This might get me closer to J.C.'s 
results in install time! (;


Great job guys! (;

Thanks

Daniel



Re: serial port usage

2007-09-13 Thread Daniel Ouellet
As we are on the subject and I do not want to deviate from the original 
question, I would however appreciate suggestions as to how I can have 
one server which can actually have up to 32 serial consoles to control 
LOM on Sun servers. I may need up to 48 in one case, but instead of using 
a bunch of Cisco 2509 and 2511, I would much prefer using one good 
OpenBSD server with proper PF, etc. to have the same console control on 
legacy Sun boxes.


I have been looking for some time and still the best way I found was to 
still use old Cisco routers for that.


Any clue stick would be nice if any ideas are better than this.

Thanks

Daniel



Re: The Atheros story in much fewer words

2007-09-14 Thread Daniel Ouellet

Rui Miguel Silva Seabra wrote:

I'd love to see how a user who gets a modified binary version has the
freedom to modify it. Go ahead. Prove me that it doesn't allow some users
to lose freedom...


You make the point of using BLOB so well, Thank you!

Looking forward to see you fight for documentation freedom and no NDA 
that reduce and eliminate freedom.


But, let's not lose sight that a violation of a copyright was done, and 
as it looks from the outside was endorsed here.


Richard, I am so surprised by your silence as violations of copyright 
are done by a movement you fought so hard to create long ago. I can't say 
what to make of it.


Best,

Daniel



Re: unstable and multiple reboot for 4.2 on Sun X4100 M2 with ACPI enable on AMD64 bsd.mp with SAS RAID 1 setup.

2007-09-15 Thread Daniel Ouellet

Rolf Sommerhalder wrote:

The latest snapshot (13. Sept). of amd64 bsd.mp with ACPI enabled runs
stable on two X4100 M2 which are identically configured (single SAS
disk only, no RAID-1 yet, with current BIOS/SP/SAS Firmware from Sun).


Be cautious and reserved! Not stable if you do not add as well the 
patch sent to tech two days ago too. It will crash without it just 
trying to compile a simple kernel if you use bsd.mp as the running 
kernel. It will not if you use the bsd kernel however. So, be cautious 
here on this statement. It is not there yet.



As Daniel already observed with a snapshot that is two days older,
booting is much faster than with previous snapshots, no long delays
around IPMI startup.


It's stable yes/no, as long as you work on it locally anyway. If you try 
to push and pull heavy traffic on that box, it will crash big time right 
away and reboot! No exception there yet whatsoever, again with the 
bsd.mp and at times with the bsd one. If you do not do heavy traffic, 
then it runs, but with a box like that, you want heavy traffic, that's 
what I got it for anyway. 4 of them and I still can't use them yet, 
unless I run the i386 instead of the AMD64 kernel and that I disable 
ACPI in BIOS and that I load the latest BIOS in that box too.


So, it's much better than the release version obviously that is simply 
not usable on that box anyway as an AMD64 bsd.mp kernel and almost not 
usable on the amd64 kernel. I can't speak of other boxes running that 
kernel however. But the release version is not usable as is and 
shouldn't be loaded on production servers for sure with ACPI enabled or 
you will cry!



Keeping an eye on stability over the next few days while putting this
firewall cluster into pre-production (it runs pf, pfsync, a bunch of
VLANs with CARP on almost every VLAN, named, sendmail, OpenVPN, Squid,
and some other application-level gateway/proxies).
Next week, I also intend to insert a second SAS disk and add RAID-1.


If you want to use that box, by all means please do yourself a favor and 
DO NOT run the AMD64 kernel on it, any flavor and make sure you DISABLE 
the ACPI in BIOS, or you will lose sleep I tell you.


Be warned.

Best,

Daniel

PS: Again, I can't speak knowingly for other platforms, but on X4100 of 
Sun, don't do it. I was going to test it on HP and IBM if I can get 
some time to do so, but I need to move what is running on it in 
production first before I can test it, which is not that easy to do at 
this time as I am rolling out about 80 servers at the moment.




Re: SMP Support?

2007-09-16 Thread Daniel Ouellet

Paul Taulborg wrote:
I apologize for not including this, here is the dmesg of a successful 
boot of the amd 4.2 DEFAULT kernel:


Paul,

Not sure all the tests you did, but first do not run AMD64 on Intel 
processor. I would do this first thing if you haven't done already.


- Go into BIOS and disable ACPI in BIOS.
- Wipe your box out and start with a snapshot for i386.
- When installed and rebooted, make sure you put the bsd.mp as your boot 
default, or try just to see at boot time


boot bsd.mp

Then let's see what you get, but first disable ACPI in BIOS.

Best of luck.

Daniel



Re: SMP Support?

2007-09-16 Thread Daniel Ouellet

Paul Taulborg wrote:
Kind of bummer, as I will be losing 64 bit support by use i386. This is 
an Intel Xeon, which should be compatible with the amd64 branch.


I am not an expert to say yes or no here. Maybe someone else will confirm 
or deny. For now I would assume wrongly maybe, but I wouldn't use AMD64 
on Intel processor until I know for sure I can, which I haven't done a 
lot of research on to be honest, but assume I can't.



In any case; when attempting to run the i386 bsd.mp it hangs here:
mtrr: Pentium Pro MTRR support


Based on your previous emails, looks like you tried with 4.1, not 
current. Unless I misread them, that's what I got from it and that's 
why I suggested to start with current on i386.


It's a hard freeze-up, the keyboard will not respond. Again, I have no 
way to get a serial console hookup, to get the full output from this. :( 
I can type up (manually) what is visible on the screen, if that will 
help? (Or perhaps the dmesg from a successful boot of i386 DEFAULT?)


Not sure what you are saying here. Hang or boot. You said successful 
boot of i386 default. If hang or it boot? May be you are saying the i386 
bsd works, but the i386 bsd.mp hang? Is this current, or as you wrote 
for the 4.1.


Even when running boot -c, it never enters ddb, just hard freezes with 
that line being the last that is displayed on the screen.


One final note; acpi is disabled in the kernel (confirmed with disable 
acpi), and sadly, there are no options in the bios to change any ACPI 
related settings.


Again, I am saying to disable ACPI in BIOS. There must be a way to do 
it. Disabling it in kernel will not really help you here much in some 
cases. I have boxes that are not stable at all with ACPI enabled in BIOS, 
but that will be happy, most of them anyway if I disable the ACPI in BIOS.


So, again, check for that please.

Hope this helps you some.

Daniel



Re: SMP Support?

2007-09-16 Thread Daniel Ouellet

Paul Taulborg wrote:

Update:

I ran boot -c with verbose on, and here are the last entries:
various probing failed messages (doesn't look like any problems), then:
ioapic0: conflicting map entries for pin 0
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR Support

hard hang -- no further messages outputted, no response from keyboard, 
etc.


Again, I can't say if this is current from the 13 of September or not 
and then there is also something to try that was sent to tech just a few 
days ago that may or may not help you and if tested properly may get you 
some help. But it needs to be current, and I am still not sure what you 
are running now.


http://marc.info/?l=openbsd-tech&m=118975639013313&w=2

But obviously all this involves work for you. (;



Re: SMP Support?

2007-09-16 Thread Daniel Ouellet

Paul Taulborg wrote:
Kind of bummer, as I will be losing 64 bit support by use i386. This is 
an Intel Xeon, which should be compatible with the amd64 branch.


To answer your question, I guess it depends on the version of your processor.

http://marc.info/?l=openbsd-misc&m=117112049507303&w=2

I trust Nick's answer better than mine! (;

So, I can't say for sure that 100% will work, but looks like if not that 
old version you run should be fine to use the AMD64 kernel on it.


Hope this helps some.

Daniel




Re: SMP Support?

2007-09-16 Thread Daniel Ouellet

Paul,

If you want to try the AMD64 mp kernel with the patch I pointed out to you 
on tech of a few days ago and see if that helps you or not, I can make 
the kernel I built that night available for you to download and try if you trust 
it. I would say to build your own, but if you want to do a quick test 
and see if that helps you boot, I have no problem doing that for you.


Just let me know and I can post it on the net for you to try as long as 
if it does help you, you send the feedback requested on tech@ back to 
that person.


Best,

Daniel



Re: SMP Support?

2007-09-16 Thread Daniel Ouellet

Paul Taulborg wrote:
I went through every option in the BIOS, and there is nothing at all 
related to ACPI. :(


Your BIOS is version 35, and there is a very long list of BIOS upgrades 
from Intel. The latest one for this board, if I am not mistaken is 44 
and you have 35.


 bios0: vendor Intel Corporation version
 S3000.86B.02.00.0035.111020061326 date 11/10/2006

May be a good idea to check it out:

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=N&ProductID=2569&DwnldID=13871&strOSs=All&OSFullName=All%20Operating%20Systems&lang=eng

I am not saying it will fix your problem, but if I was you, I would try 
it and see. Worst case, if you don't like it, you can flash the old one 
back.


Just a thought.

Daniel



Re: SMP Support?

2007-09-17 Thread Daniel Ouellet

Paul Taulborg wrote:
Booya! Updated my BIOS to the latest version (44), and applied the patch 
that was kindly provided to me here:

http://marc.info/?l=openbsd-tech&m=118975639013313&w=2

I also enabled acpi0 in the kernel by default (required to see the other 
processors), and tada!


I had to apply the patch above, as it would die with out of bounds error.

I will let you know if I run into any stability issues, but am really 
happy to get this working! Thanks for all the help!


Please do not forget to send the feedback requested back to Chris. Find 
the email in the URL above.


mkdir mymachine
cd mymachine
cp /var/run/dmesg.boot .
sudo acpidump -o mymachine  mymachine.aml
cd ..
tar zcf mymachine.tgz mymachine



Re: SMP Support?

2007-09-17 Thread Daniel Ouellet

Also Paul,

Now that it is working, do me a favor and try to compile the userland and 
kernel with that bsd.mp ACPI-enabled kernel.


Also, try if possible to make transfer of huge files between two boxes 
well connected to try to at a minimum get close to 100Mb/sec of 
transfer, or more if you have Gb access.


In my case, it will crash every time still.

Then the compile is ok with bsd, but still crash with bsd.mp in some cases.

I am curious to know if that is specific to my hardware, or if others have 
the same problem.


Thanks

Daniel.



Re: Define hosts lookup for pf.conf

2007-09-19 Thread Daniel Ouellet

pichi wrote:

Sorry if I ran into the Big Boys forum crying. I will be more cautious about
what I ask next time. Is there a forum for people who are starting out with
OpenBSD? The thing is I am new to it and I am in a situation where reading
pages and pages of Google is taking a lot of time away from making it work.
But just working a few days with this OS I can see that its very solid and
worth the many hours of searching for documentation. 


If you are new, then start by reading the most excellent FAQ, all of it, 
and it will take you less time than searching Google for hours. It's the 
place to start. Then if you want to know more about a special function, 
the man pages are more than excellent.


The difference you will find here on OpenBSD is that the developers are 
spending an incredible amount of time to make excellent man pages and as 
you will see in the FAQ, if the man page is not exact, or does not represent 
what the system is doing, that is considered a bug and they will fix it 
right away.


As for the FAQ, Nick is really a hero if you asked me for the quality of 
the FAQ that he put together and how well he keeps it up to.


So, forget about Google for now and start with the FAQ, then the man 
page and if you have a very good question after that, then Google is 
your friend.


You may simply not be used to a system that also has the quality of the 
documentation equal to its own source.


OpenBSD is second to none when it comes to documentations.

Try it, you will see.

Best of luck,

Daniel



Re: Microsoft gets the Most Secure Operating Systems award

2007-09-19 Thread Daniel Ouellet

Henning Brauer wrote:

* The One [EMAIL PROTECTED] [2007-09-19 11:17]:

What I meant to say was that Leopard's release will solve every
current problem prevalent in OS X Tiger and people's opinions about
the Macintosh platform, although their current, so-called opinions
have no evidence behind them, whatsoever.


Well, I think that OS X is an insecure piece of shit.


WOW.

I don't see Henning replying with such an unusual American type of grace 
so often. (;


You got me smiling man.

I think in German, it's called Chaise or something very close to that I 
believe, but I am absolutely sure the spelling is not good. But, I am 
however sure that with a few seconds of thinking you will understand it. 
Kind of pronounced in Francais / using English for a German word.


Best,

Daniel



Re: SMP Support?

2007-09-19 Thread Daniel Ouellet

Boris Goldberg wrote:

  I  have  pretty  much the same picture with HP ProLiant 320 G5 (Dual Core
Pentium-D  925).  The  server  is  new  and  passes  all  tests from the HP
maintenance CD.


I couldn't make what BIOS version you were actually running there, but 
you did check to make sure you have the latest one right?


http://h18023.www1.hp.com/support/files/server/us/revision/9753.html

Let me know how it goes with current, I am curious as so far all feedback 
I got is no one yet can get an AMD64.mp stable at this time, which is 
pretty unusual for a release to come to not be stable in regular 
operation. Looks like I will have to use i386.mp instead, which so far, 
looks ok for me anyway, but I can't run the amd64 version, single or 
multi processor in a stable way, so no way this can go into production. 
Kind of a bummer.




Re: another spamd-setup question

2007-09-19 Thread Daniel Ouellet

Juan Miscaro wrote:

I tried it but whenever I include the larger 'uatraps' I get:


Look at set limit table-entries.

man pf



Re: SMP Support?

2007-09-19 Thread Daniel Ouellet

Stuart Henderson wrote:

On 2007/09/19 19:00, Daniel Ouellet wrote:
Let me know how it goes with current, I am curious as so far all feedback I 
got is no one yet can get an AMD64.mp stable at this time


this must be hardware-dependent, my main desktop is amd64 MP
(opteron 175 i.e. dual-core) and gives no trouble on -current.


And that's what I am trying to find out as to where the problem possibly 
might be.


There was feedback as to not having any problem with the Sun X4100 on 
the list before. Maybe they were not multi core, and/or multi 
processor, I can't say as it wasn't said, but I have 4 of them and all 4 
can't be stable by any means with amd64. Very obvious with the mp and 
less sensitive with the single processor kernel, but still crash. All 
four of them, so that's not a single hardware box problem. I tried 
current, some special patches, stable, went back to 4.1 and none are 
stable by any means. I have been doing research for many weeks so far and 
try to isolate the problem the best way I can and still no success yet. 
I haven't given up yet, but I am honestly starting to run out of ideas 
however. Tried different BIOS versions, RAID no RAID, custom kernel, acpi 
on/off. Disable component in BIOS, etc. Still same results, not to the 
same extent every time, but no stable box yet that I could beat up and 
feel confident in it.


I have one more stupid idea I will try tonight, but for this I need to 
drive to the site where these boxes are installed and that's about 2 hours drive 
back and forth. However, it is worth the trip to me as I think it might 
be something that may help isolate part of the problem anyway.


But that's where I am now.



ifconfig output for nfe

2007-09-19 Thread Daniel Ouellet

Hi,

Looking at the man page, ifconfig is supposed to show the state of 
the network cards, and it can't show the proper configuration on the nfe 
cards, even if I force the configuration to a fixed value, I always get the 
same results:


nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:14:4f:7d:91:ea
media: Ethernet autoselect (1000baseSX full-duplex)
status: active
inet 192.168.100.77 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::214:4fff:fe7d:91ea%nfe0 prefixlen 64 scopeid 0x1

Plus I know for sure here it can't be Gb as the switch it is connected 
to is not a Gb.


This is the same results with 4.1, 4.2 and current. Same box Sun X4100 M2.

Any clue on this?



Re: ifconfig output for nfe

2007-09-19 Thread Daniel Ouellet
Here is more. Maybe I do not understand the reading, I understand it to 
mean for example:


 media: Ethernet 10baseT (1000baseSX half-duplex)

Would be hard configuration to be 10mb half-duplex and then the (xx) 
would show what is actually in use.


Isn't this correct?

I may be confused, but that's what I understand.

Now if so, here below some of the various display and changes to see the 
results.


# ifconfig -m nfe0
nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:14:4f:7d:a6:de
media: Ethernet 100baseTX full-duplex (1000baseSX full-duplex)
status: active
supported media:
media none
media 10baseT
media 10baseT mediaopt full-duplex
media 100baseTX
media 100baseTX mediaopt full-duplex
media 1000baseSX
media 1000baseSX mediaopt full-duplex
media 1000baseT
media 1000baseT mediaopt full-duplex
media autoselect
inet 192.168.100.75 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::214:4fff:fe7d:a6de%nfe0 prefixlen 64 scopeid 0x1
# ifconfig nfe0 media 10baseT
# ifconfig nfe0
nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:14:4f:7d:a6:de
media: Ethernet 10baseT (1000baseSX half-duplex)
status: active
inet 192.168.100.75 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::214:4fff:fe7d:a6de%nfe0 prefixlen 64 scopeid 0x1
# ifconfig nfe0 media 10baseT mediaopt full-duplex
# ifconfig nfe0
nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:14:4f:7d:a6:de
media: Ethernet 10baseT full-duplex (1000baseSX full-duplex)
status: active
inet 192.168.100.75 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::214:4fff:fe7d:a6de%nfe0 prefixlen 64 scopeid 0x1
# ifconfig nfe0 media 100baseTX
# ifconfig nfe0
nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:14:4f:7d:a6:de
media: Ethernet 100baseTX (1000baseSX half-duplex)
status: no carrier
inet 192.168.100.75 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::214:4fff:fe7d:a6de%nfe0 prefixlen 64 scopeid 0x1
# ifconfig nfe0 media 100baseTX mediaopt full-duplex
# ifconfig nfe0
nfe0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:14:4f:7d:a6:de
media: Ethernet 100baseTX full-duplex (1000baseSX full-duplex)
status: active
inet 192.168.100.75 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::214:4fff:fe7d:a6de%nfe0 prefixlen 64 scopeid 0x1
# ifconfig nfe0 media 1000baseSX
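
The reading described in this message (configured media first on the `media:` line, media actually in use in parentheses) can be checked mechanically. The following is an added example, not part of the original post: it parses ifconfig output and flags interfaces whose active media disagrees with the configured media or exceeds a known switch-port speed. The sample output, the interface names `nfe1`, `em0` and `em1`, the MAC addresses and the `port_mbit` table are constructed for illustration.

```python
import re

# Constructed sample in the shape of the ifconfig output quoted in the thread
# (MAC addresses are documentation placeholders, not values from the posts).
SAMPLE = """\
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        media: Ethernet 100baseTX full-duplex (1000baseSX full-duplex)
        status: active
nfe1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:02
        media: Ethernet 10baseT full-duplex (1000baseSX half-duplex)
        status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:03
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:04
        media: Ethernet 100baseTX
        status: no carrier
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
# media: <type> <configured subtype + options> [(<active subtype + options>)]
MEDIA_RE = re.compile(r"^\s*media:\s+(\S+)\s+([^()]+?)\s*(?:\(([^)]*)\))?\s*$")
STATUS_RE = re.compile(r"^\s*status:\s+(.+?)\s*$")


def parse_media(spec):
    """Split 'subtype [options]' into subtype, duplex and nominal Mbit/s."""
    words = (spec or "").split()
    if not words:
        return None
    duplex = None
    for word in words[1:]:
        if word in ("full-duplex", "half-duplex"):
            duplex = word.split("-")[0]
    speed = re.match(r"(\d+)base", words[0])
    return {"subtype": words[0], "duplex": duplex,
            "mbit": int(speed.group(1)) if speed else None}


def parse_ifconfig(text):
    """Return {interface: {configured, active, status}} from ifconfig text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = ifaces.setdefault(
                m.group(1), {"configured": None, "active": None, "status": None})
            continue
        if current is None:
            continue
        m = MEDIA_RE.match(line)
        if m:
            current["configured"] = parse_media(m.group(2))
            current["active"] = parse_media(m.group(3))
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group(1)
    return ifaces


def audit(text, port_mbit):
    """Flag interfaces whose reported active media cannot be trusted.

    port_mbit is an operator-supplied map of interface -> speed of the
    switch port it is cabled to (an assumption of this example).
    """
    findings = []
    for name, info in parse_ifconfig(text).items():
        conf, act = info["configured"], info["active"]
        if conf is None or act is None or act["subtype"] == "none":
            continue  # nothing negotiated to compare against
        if conf["subtype"] != "autoselect" and conf["subtype"] != act["subtype"]:
            findings.append((name, "media-mismatch"))
        if conf["duplex"] and act["duplex"] and conf["duplex"] != act["duplex"]:
            findings.append((name, "duplex-mismatch"))
        limit = port_mbit.get(name)
        if limit is not None and act["mbit"] is not None and act["mbit"] > limit:
            findings.append((name, "exceeds-port"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit(SAMPLE, {"nfe0": 100, "nfe1": 100, "em0": 100}):
        print(f"{iface}: {issue}")
```
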



Re: ifconfig output for nfe

2007-09-19 Thread Daniel Ouellet

SX looks plain wrong anyway.  Can you provide a dmesg?  This is perhaps
related to the phy that attaches to nfe rather than nfe itself.


Sure, here is one of them.

OpenBSD 4.2 (GENERIC.MP) #1378: Tue Aug 28 10:48:58 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3757625344 (3583MB)
avail mem = 3635965952 (3467MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xfbd50 (70 entries)
bios0: vendor American Megatrends Inc. version 0ABJX039 date 04/11/2007
bios0: Sun Microsystems Sun Fire X4100 M2
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca4/2 spacing 1
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Dual-Core AMD Opteron(tm) Processor 2216, 2393.96 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Dual-Core AMD Opteron(tm) Processor 2216, 2393.64 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Dual-Core AMD Opteron(tm) Processor 2216, 2393.64 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu2: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Dual-Core AMD Opteron(tm) Processor 2216, 2393.64 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache

cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 5 is type PCI
mpbios: bus 128 is type PCI
mpbios: bus 129 is type PCI
mpbios: bus 130 is type PCI
mpbios: bus 131 is type PCI
mpbios: bus 132 is type PCI
mpbios: bus 133 is type PCI
mpbios: bus 134 is type PCI
mpbios: bus 135 is type ISA
ioapic0 at mainbus0 apid 15 pa 0xfec0, version 11, 24 pins
ioapic1 at mainbus0 apid 16 pa 0xfeafd000, version 11, 7 pins
ioapic1: misconfigured as apic 0, can't remap to apid 16
ioapic2 at mainbus0 apid 17 pa 0xfeafc000, version 11, 7 pins
ioapic2: misconfigured as apic 1, can't remap to apid 17
ioapic3 at mainbus0 apid 14 pa 0xfeaff000, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0: disabled to avoid ipmi0 interactions
iic1 at nviic0: disabled to avoid ipmi0 interactions
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: apic 15 
int 11 (irq 11), version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: apic 15 
int 5 (irq 5)

usb0 at ehci0: USB revision 2.0
uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
pciide0 at pci0 dev 6 function 0 NVIDIA nForce4 IDE rev 0xf2: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DW-224SL-R, 1.0A SCSI0 5/cdrom 
removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ppb0 at pci0 dev 9 function 0 NVIDIA nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
nfe0 at pci0 dev 10 function 0 NVIDIA CK804 LAN rev 0xa3: apic 15 int 
15 (irq 15), address 00:14:4f:7d:91:ea

eephy0 at nfe0 phy 1: Marvell 88E Gigabit PHY, rev. 2
ppb1 at pci0 dev 11 function 0 NVIDIA nForce4 PCIE rev 0xa3

Crash on X4100 M2 with more details

2007-09-19 Thread Daniel Ouellet

OK,

To follow on this and to try to isolate more problem, I did the 
following tests.


- Setup two boxes, both Sun X4100 M2.
- The source box is using i386.mp version 4.2
- The destination box is using amd64.mp version 4.2 (same with current)
- Configure public IP's on the em0 interface of both.
- Configure RFC1918 IPs on the nfe0 of both of them.
- Created a dummy big file to transfer between them like below
dd if=/dev/zero of=/tmp/bigdummy bs=1m count=1000

- Then initiate the transfer using the nfe0 cards.

So, server 1 to server 2 like this:

scp /tmp/bigdummy [EMAIL PROTECTED]:/tmp/

The transfer was successful no problem, but slow as I couldn't force the 
usage of the network card properly. No matter what I do, it does use 
10mb half-duplex. I sent a previous email on that to misc@ titled 
"ifconfig output for nfe" with the issue for that specific network card.


Now did the exact same thing, everything else stay equal, but this time 
using the em0 card on both servers like this:


scp /tmp/bigdummy [EMAIL PROTECTED]:/tmp/

Note the IP above, I use a block of 66.63.19.64/27 for this test, so 
both server would use that em0 interface instead and then very shortly 
after the start of the transfer, the destination server crash and reset 
itself, every time.


Now is that exclusively a problem with em, I can't say for sure as I can 
start to transfer the file between them and fully saturate the 100Mb port 
and then crash, but I can't saturate the port with the nfe, as I can't 
configure it to use 100Mb and the auto negotiation does not work on it either.


So, would it crash if the same transfer speed would be equal, that I 
wish I could answer, but I can't right now, until I find a way to push 
the traffic at the same level using the two different network card.


Daniel



Re: ifconfig output for nfe

2007-09-19 Thread Daniel Ouellet

Jonathan Gray wrote:

SX looks plain wrong anyway.  Can you provide a dmesg?  This is perhaps
related to the phy that attaches to nfe rather than nfe itself.


A bit more. Looking in logs, etc. I found this:

nfe0: tx v2 error 0x6004

Searching on Google didn't bring much other than a problem that was 
visible in 3.9 and that was fixed then based on the archive content:


http://archives.neohapsis.com/archives/openbsd/2006-04/1326.html
http://archives.neohapsis.com/archives/openbsd/2006-04/1308.html

That's all I have so far.



Re: ifconfig output for nfe

2007-09-19 Thread Daniel Ouellet

Daniel Ouellet wrote:

Jonathan Gray wrote:

SX looks plain wrong anyway.  Can you provide a dmesg?  This is perhaps
related to the phy that attaches to nfe rather than nfe itself.


A bit more. Looking in logs, etc. I found this:

nfe0: tx v2 error 0x6004

Searching on Google didn't bring much other than a problem that was 
visible in 3.9 and that was fixed then based on the archive content:


http://archives.neohapsis.com/archives/openbsd/2006-04/1326.html
http://archives.neohapsis.com/archives/openbsd/2006-04/1308.html

That's all I have so far.


Also this error too:

nfe0: tx v2 error 0x6204UNDERFLOW



Re: isakmp phase 2 negotiation failed

2007-09-20 Thread Daniel Ouellet

n0g0013 wrote:

having a nightmare getting two openbsd (one 3.8, one 4.0) boxes to
setup a tunnel.  finally got the phase 1 negotiation going (or so i
believe from reviewing the logs) but it appears that the phase two
starts and is just abandoned.


This may not be the best advice, but there have been so many changes in 
the area of ipsec, key work and isakmp in the last few releases, I would 
strongly suggest that you first try to set this up with 4.1 as it's 
become so much easier now for most of these things as opposed to before that
I am not sure I would waste any time trying to set this up on earlier 
versions, plus 3.8 is not even supported for a while already and 4.0 will 
not be in a month from now, so why invest so much time trying, especially 
if that doesn't work now after many tries as you express it.


Do as you see fit, but my advice to you wouldn't be to help trying to 
get it up as is now, but first run 4.1, then try the new way of doing 
it. I think that would be much better spent time.


But again, I could be wrong, that's just me.

Best of luck.

Daniel



Re: SMP Support?

2007-09-21 Thread Daniel Ouellet

Boris Goldberg wrote:

Hello Daniel,

  Just  want  to  make sure that we are on the same page: I'm talking about
i386.  It  seems  from  below  that your concern is more about amd64, but I
didn't really try it, because my CPU isn't even a Xeon.


You are 100% right. An oversight on my part here. Yes, my concerns are 
definitely more with the AMD64.


In your case, you should now be good to go.



Re: SMTP flood + spamdb

2007-09-23 Thread Daniel Ouellet

patrick keshishian wrote:

They seemed pretty random to me, but I did a quick
check after reading your response and I see 468 unique
fake email address @my-domain, only one was
duplicated twice.


Put greyscanner from Bob in there and sit back and enjoy the look! (;

Make sure you pick the version for your OS however. 4.0 and below as opposed 
to 4.1.


It will take care of that in a heartbeat!



Re: Speed Problems

2007-10-03 Thread Daniel Ouellet

Claudio Jeker wrote:

Could you add the dmesg of the test box to the website?
Do you have any other network cards you could test? (I'm mostly interested
in bnx but sk, msk, bge and nfe could be interesting as well).


This box if the M2 version also come with nfe cards as well, but there 
is issue with it at the moment. dmesg available:


http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5587

Daniel



Re: Speed Problems

2007-10-03 Thread Daniel Ouellet

Tony Sarendal wrote:



On 10/3/07, Daniel Ouellet [EMAIL PROTECTED] wrote:


Claudio Jeker wrote:
  Could you add the dmesg of the test box to the website?
  Do you have any other network cards you could test? (I'm mostly
interested
  in bnx but sk, msk, bge and nfe could be interesting as well).

This box if the M2 version also come with nfe cards as well, but there
is issue with it at the moment. dmesg available:

http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5587


Dmesg's are on the site now.
http://www.layer17.net/openbsd-test-setup.html 


Note that the box actually has 8Gigs of memory.

Since I'm off-site I had to get someone else to powercycle the box for me
to wake up the nfe I use as management interface, so the MP dmesg is
from the logs.

Running with the SP kernel the nfe's seem to work ok.


You can't manually fix the option on that card and if you do:

ifconfig -m nfe0

You will see the option for:
media 1000baseSX
media 1000baseSX mediaopt full-duplex

Which are obviously wrong.

Also, some issue with the AMD64 mp kernel makes the box crash when you 
push a lot of traffic to it.


Lots of comment in archive and tests as well. The i386 looks ok so far, 
except the nfe still bad no matter what, however the AMD64 is not really 
stable and if you put the ACPI on, well...



I'm running the same set of tests with the SP kernel right now.
The 64 byte frames issue in the throughput/latency test looks to be 
gone... cross fingers...


I have 4 of these and still sadly haven't put any in production yet 
because of various stability issue with them.


So, I wouldn't put it as a router right now, but YMMV I guess.

Test well before you do.

Daniel



Re: Get developers some big machines to support more RAM

2007-10-08 Thread Daniel Ouellet

OK guys,

Instead of fighting about using, or not using it, or i386 being 
obsolete, PAE not being good, or slow, etc.


I for one would be very happy if we can support more than 4GB of memory 
on it and I would be more than happy to test it as I now have machines 
that actually have more than 4GB in them.


If other would test as well, may be instead of talking about it, we 
could make progress on it.


I would be way more than happy to turn over full access to a Sun X4100 
M2 fully accessible on the net as well if that help any for a month or 
two, or more if needed, if any one is interested. I would even load it 
up with 16GB of memory if that would be useful from the 8GB that is 
already there.


This box is sadly not as stable as it should be anyway and I can't use 
it in production using the AMD64-MP kernel, so anything that can help 
it, I can test or turn it over to someone that actually would be 
interested to play with it. If someone even want to really bag it out, I 
would even turn over 4 of them if that's any help.


Anyway, as of now, if there is something that needs testing, I could do 
that to the best of my ability.


Anything else is just talk and doesn't help any, nor does it make any progress 
in the right direction either.


Thanks.

Daniel



Re: spdmem: what does PC25100 mean?

2007-10-08 Thread Daniel Ouellet

Alexey Suslikov wrote:

CL5 is CAS latency I think, but what does PC25100 mean here? :)


PC2-5100



Re: spdmem: what does PC25100 mean?

2007-10-13 Thread Daniel Ouellet

ropers wrote:

On 08/10/2007, Daniel Ouellet [EMAIL PROTECTED] wrote:

Alexey Suslikov wrote:

CL5 is CAS latency I think, but what does PC25100 mean here? :)

PC2-5100


Hm, Wikipedia currently only knows PC2-5300.
http://en.wikipedia.org/wiki/DDR2_SDRAM

Of course Wikipedia is infallible... ;-P


And what's your point?

Did you ask what it means here, or if they exist?



Re: Expat in OpenBSD -current

2007-10-16 Thread Daniel Ouellet

Sam Fourman Jr. wrote:

how do I install xbase without reformatting and reinstalling the whole OS?


http://openbsd.org/faq/faq4.html#AddFileSet



Re: About Xen: maybe a reiterative question but ..

2007-10-24 Thread Daniel Ouellet

Theo de Raadt wrote:

The security benefits are at the ability to buy a steak for dinner
level.


I vote to add it to theo.c.

Thanks

Daniel

Index: src/usr.bin/mg/theo.c
===
RCS file: /cvs/src/usr.bin/mg/theo.c,v
retrieving revision 1.101
diff -u -p -r1.101 theo.c
--- src/usr.bin/mg/theo.c   28 Aug 2007 17:57:16 -  1.101
+++ src/usr.bin/mg/theo.c   24 Oct 2007 21:19:08 -
@@ -147,6 +147,7 @@ static const char *talk[] = {
cache aliasing is a problem that would have stopped in 1992 if 
someone had killed about 5 people who worked at Sun.,

Don't spread rumours about me being gentle.,
If municipal water filtering equipment was built by the gcc 
developers, the western world would be dead by now.,
+   The security benefits are at the 'ability to buy a steak for 
dinner' level.,

 };

 static const int ntalk = sizeof(talk)/sizeof(talk[0]);
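Review bot: the added talk[] entry is wrapped by the mailer across two lines ("... steak for" / "dinner' level.,"), as are two of the context lines above it, so this hunk will not apply as posted; resend it with line wrapping turned off or as an attachment. The entries as shown also carry no double quotes around the strings, so check that the new element is a properly quoted C string literal followed by a comma, with the same indentation as the existing entries in the tree.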



Re: About Xen: maybe a reiterative question but ..

2007-10-25 Thread Daniel Ouellet

L. V. Lammert wrote:
Certainly! That is not the point, however. The point is that users of 
OTHER 'application domains' have better security with a VM (or one of 
the other approaches discussed) because THEIR environment has no ability 
to interact with the OTHER environments. The digression into VM vs. 
separate machine vs. compound vulnerabilities is totally tangent to the 
original topic, and, while educational, is certainly no longer 
productive at this time.


Maybe if you were trying to explain your points in a more 'meat 
substance' some users may agree with you, or not, but at a minimum that 
might be productive somewhat and I think I have seen that many times and 
not be addressed properly.


I strongly suggest that we all retire with a lot of good information on 
vulnerabilities and an agreement that there are different methods for 
addressing security problems.


Maybe if put in more practical terms it might help to make your point, 
if I even get that properly.


So, here is an example that you may try to use that may actually be 
somewhat valid. But again, I would have expected you to do so.


So, let's make it very simple and maybe at the same time take a real 
subject that comes regularly on this list and that this may help, or not.


Please do not take this as a judgment on the merit of it. I only offer 
it as a way to make peace and maybe at clarifying what may have been 
your intent maybe, if I even get that right.


So, here is the problem I will take to make this example.

- Many users always ask how they can make their PHP web setup secure. 
Again, plenty of discussion on the subject, so let's not start this again.


- Also let's consider the fact that users at large are cheap and only 
want to pay as little as possible. Again real life situation.


- Also consider that an ISP needs to make a profit to stay in business 
and as such can't make miracles.


So, what's to do next then.

Again, I am not saying it the right solutions as I will raise other 
problem with it, but anyway, lets just take the idea.


1. One regular setup. Hosting ABC provide virtual hosting at $10/month 
for a web site.


2. Hosting DEF provide the virtual hosting at $15/month with OpenBSD and 
JAIL setup, etc.


3. Hosting GHI provide virtual hosting at $20/month with VM.

4. Hosting JKL provide dedicated hosting at $100/month.

Now the users have the choice, but they are cheap...

Now these are in the order of security. I think we can all agree to this 
right.


All/most would agree that when PHP is running on a virtual server, 
unless you run one instance of apache per user, etc. then a php script 
can access the space of others on the same server and it's not that hard 
to do right.


So, what you explain is that the third setup would be the best, if we 
consider costs in operations. 4 is the separated servers, which is much 
more expensive, because of hardware, space, AC, power, setup, 
maintenance, etc, etc, etc.


1, 2 and 3 all use same space, most likely in small setup obviously to 
keep this under control for the discussion, same power, same ac, almost 
same maintenance, etc.


#1 and 2, someone sure could hack someone else's web space and destroy it.

In case of #1 and 2, most likely if only one of the virtual hosting sites 
is compromised via PHP, which is not that difficult if the script itself 
is not well written and I will and do not want to argue this here, let's 
just say Joe Blow can't write properly and anyone can hack it in 5 
minutes for the sake of discussions. Then all users on that box are 
compromised. Now will the bad guy destroy them all, or just Joe Blow. It 
is not relevant here and we should all agree to that. The bad guy can, 
after compromising Joe Blow, sure compromise everyone else in no time 
should (s)he choose to do so. That's the risk of using virtual hosting. 
Sadly your security is not under your control. We all have to agree to 
that no matter what.


Now #4, well it's all yours and is as good as you choose to do so, but 
is also the most expensive setup. Just like it was explained many times 
here on your question. So, we have the use of VM to save cost, which all 
agree. Also, it doesn't maximize the utilization of the hardware like VM 
would, we all agree with that as well.


So, I guess so far, unless I didn't follow this properly. I would 
venture to say that everyone would agree up to this point right?


If not, I have to say, that I would need to get educated myself then on 
each one, but it is fair to say that's the case until now.


What's left now is the point #3, which everyone beat to death.

Why is that. I think because it is just not explained in a light that many 
could relate to. I don't have an expression in English that would 
translate as well as in French, but a direct translation would be that


You are tripping on the flowers of the carpet.

I know it doesn't make sense, but see it as someone that walk on your 
grandmother old carpet that have flower design 

Re: Hacking interest checkout for VoIP replacement

2005-05-04 Thread Daniel Ouellet
Not a bad solutions, but doesn't really apply or work in a hosted 
solutions for multiple virtual PBX.

Why not?  Asterisk is fairly configurable in all sorts of ways.
Something as simple as having two group of users that can't dial each 
other by extensions, but that use the same extensions for example.

So, multiple virtual PBX, all of which would have possible different 
feature groups can't be done.

The list is very long, but that's just one example.


Re: installing mysql-server from ports?

2005-05-12 Thread Daniel Ouellet
Didier Wiroth wrote:
hi,
i've installed 3.7 from cd and want to install mysql-server from the
ports.
unfortunately the port version only installs the client part, how do I
install the server part?
many thx
didier
If you look at the packages available, I see:
mysql-client-4.0.20.tgz
and
mysql-server-4.0.20.tgz
Look to me like it's not only the client side. (:
Hope this help.
Daniel


Re: built php4 from ports, but no mysql or postgresql support...how to enable support?

2005-05-12 Thread Daniel Ouellet
Yeah, but my question was about compiling different flavors.  This is 
because I'm dealing with an OpenBSD 3.0 machine.  The search continues...
How could anyone have guess that as it wasn't in your question?
There is so much improvement from then, that it may be time to switch to 
3.7...



Re: OBSD 3.7 ports -- mysql

2005-05-24 Thread Daniel Ouellet

Just FYI.

I am finishing up a port that hopefully will be put in for MySQL 4.1.12, 
their latest recommended stable version.


So far all works well and pass all the tests suites stuff, with the 
exception that I have to create three hard link to make it work still, 
but I am working on correcting that.


Would be nice to get some testing as well. I use it without problem so far.

I have the packages for i386 and amd64 ready for all clients, servers, 
and test, or the files if you want to make your own compile from source.


I haven't send it in yet to port@ as I am almost all there, not to my 
liking yet, but it does work and is all complete for the clients and 
servers part. I am still struggling with the tests part a bit.


I have amd64 done on stable 3.7 and i386 done on stable 3.6.

Testing if you want, may be good to do!

I can make the packages available if you like, or my files for making 
your own from source. Works for me...


Daniel



Re: OBSD 3.7 ports -- mysql

2005-05-25 Thread Daniel Ouellet

Per Engelbrecht wrote:


I'm about to launch a [3.7  AMD64  GENERIC.MP] mysql server (mysql 
backend for a lot of servers / production environment) and would like to 
test and use the new MySQL 4.1.12




I have the packages for i386 and amd64 ready for all clients, servers, 
and test, or the files if you want to make your own compile from source.



pkg would be nice.



You can get it from here for now for your amd64:

http://openbsdsupport.org/packages/amd64/

You will need to install the package p5-DBD-mysql-2.9004.tgz, but that's 
already available on the main site. So, get it from there. Then install 
the client and server. I didn't release the test suite as it doesn't go 
in the right place yet and I haven't finished the testing on it.


You can use these, but it will be better in a few days. May be two or 
so. I don't expect any changes in these two, but you never know.


Feedback would be welcome, but heavy testing would be best before using 
in production obviously!


Have fun!

Daniel

PS: I will let you know when the final package are done if there is any 
changes on it.




Re: Email Server

2005-05-25 Thread Daniel Ouellet

Damien Hull wrote:
I'm still a long ways away from designing a system. I haven't even 
decided which OS I want to use. If enough people on the list can 
convince me that OpenBSD is the way to go I'll install it on a system, 
ship it down to Seattle and collect my mail. This will be on a test 
domain of course.




I don't think anyone will try to convince you to use OpenBSD, really! 
It's great and does a wonderful job and it is secure. But in the end, 
everyone will tell you, use what fits the job! Meaning, if you want to 
use FreeBSD as you express you did before, then go ahead with it. If you 
want something very secure that was designed from the ground up with that 
#1 priority in mind, then use OpenBSD. But don't expect anyone to try to 
convince you to use OpenBSD. If you are not convinced by yourself by 
reading the archive, or looking at the goal of the site and if security 
is not your top priority, then maybe OpenBSD is not for you.


Me, I use it for security reason #1 and for years. I stick with that. If 
it is harder to install some applications, or can't even use some that I 
may want to, then that's that! I am simply not trading security for 
features, or even applications.


Everyone will tell you, use what fits the needs you have, regardless if 
that's OpenBSD, or anything else.


May be this can also answer your question:

http://openbsd.org/faq/faq1.html#WhyUse

Hope this help a bit.

Daniel



MySQL upgrade to 4.1.12 packages files

2005-05-26 Thread Daniel Ouellet

Hi,

Maybe this would be better this way as I can't figure out what to do to 
send the proper diff to have this put in the tree for the ports.


I am sure it's really stupid I guess as I have no problem sending 
patches for other things, but for port packages, looks like I am not 
getting something right, or my brain is just not working well.


So, here is my first port to bring the in tree MySQL version to the 
latest stable recommended version 4.1.12. All works on AMD64 and I386.


I also added one more package for the benchmark as well as I use that 
too to test my port.


I did all the tests with the test suite, crash-me as well as the full 
benchmark and all pass very well after you adjust the max openfile as 
well as the resource in login.conf for the user _mysql.



Results for the test suite run:
All 278 tests were successful.


Summary results for the benchmark tests.
All 9 test executed successfully



In any case, as I am still without information on how to do this sending 
patches right for ports, I put here ALL the files that make the new 
port for mysql 4.1.12.


This replaces all of which is in the tree now to have it working when you 
do create your package locally.


http://openbsdsupport.org/mysql/

Hope this help some and that may be I may get the proper information as 
to how to send it in next time to save everyone times and trouble.


I also have put the complete packages for amd64 here as well for testing 
if you like to do so.


http://openbsdsupport.org/packages/amd64/

Thanks for your help and please, if that's not asking too much, let me 
know how to do better next time around!


Feedback, good or bad is welcome!

Regards.

Daniel



Re: Port diff to bring MySQL to recommended latest version 4.1.12

2005-05-26 Thread Daniel Ouellet

Steve Shockley wrote:
I've found http://monkey.org/openbsd/archive/ports/0401/msg00044.html to 
be very helpful.


Thanks Steve!

That was instructive to me!

I got my patch send at ports@ earlier tonight.

But this is good to know and will help do a bit better next time!

Thanks

Daniel



Re: MySQL upgrade to 4.1.12 packages files

2005-05-26 Thread Daniel Ouellet

Per Engelbrecht wrote:

It's complete then :)


I would say yes. I tested it on different platform I have, run the
benchmark, tests, etc. Load a good amount of data in there and so far so
good! Obviously more testing would be good, but at first glance, it does
look very good so far.



datasize, maxproc and openfiles values should then be ... ?


Value really varies for your setup. But you can't run the full tests, or
benchmark test with the default value. You can however run individual
tests and they will terminate well, but the run-full-test will not until
you increase the openfiles value and change the login.conf.

I sent emails about this before and it's in the archive. But what I did
here, not that it's the best setup, I just did it to test well, I
modified /etc/my.cnf with:

# The following options will be pass to safe_mysqld
[safe_mysqld]
open-files=1772

That's the maximum that you can have there in the default setup without 
any changes. If you try to have more, you will get an entry in your log 
error.


And in the /etc/login.conf, I put a section for the _mysql user as:

# Setting used by MySQL daemon
_mysql:\
	:datasize=infinity:\
	:maxproc=infinity:\
	:openfiles-cur=4096:\
	:openfiles-max=8192:\
	:stacksize-cur=8M:\
	:localcipher=blowfish,8:\
	:tc=default:


I am not saying this is the best possibility, you should really adjust
for your server resources and what you are doing and the load you expect
to have. So, please adjust for your need, but I strongly recommend to 
have an entry for it in there. It will save you from the errno 9 of 
mysql. (:


Read the:

man 5 login.conf

and adjust for your specifics, you will be better off doing it now!

But it worked for me. (:

Now, I can finally do sub query! (: I was really starting to miss that 
a lot!!!


Regards,

Daniel



Re: installing app just like Ports does, but with newer source

2005-05-27 Thread Daniel Ouellet

Miles Keaton wrote:

Do I have to learn how to make my own port?


In your case it might be easier to back port the current version and 
make your own port for 3.7 as it is already done for you in current:


http://www.openbsd.org/cgi-bin/cvsweb/ports/databases/postgresql/?only_with_tag=

2 weeks  mbalmer  Security update to version 8.0.3 ok robert@

Or you can always run a snapshot on your server and use it as is.

I just finished my first port and it took me some time yes to learn how to 
do it, but it was time well spent as well.


I am not saying that it's the way to go as I really don't know as well 
as many guys here, but porting the actual one back to 3.7, might be 
doable in a reasonable amount of time. If I needed it so badly, I would 
try it.


Just a thought.

Daniel



Re: MySQL upgrade to 4.1.12 packages files

2005-05-27 Thread Daniel Ouellet

Per Engelbrecht wrote:
I know these values depend on setup, utilization and more, but if you 
had the-perfect-blend for a workhorse for this new port, it would be 
nice. You've done some testing already. That's all.


I posted what I used for now. But really it depend on your setup. May be 
you have a ultra busy server that work with 10 table and two database 
only, or a less busy server for a farm of web servers that use 200 
database with 50 table each. So, in both cases, the value will be way 
different as in one case the optimum would be cache may be and the 
other, you will run out of openfiles, but not in the first case. So, 
really, there isn't 'the-perfect-blend for a workhorse '. I don't know 
of one anyway that wouldn't need to be change for some setup. Plus it 
depend if you use it only with mysql only on the server or like many 
people with multiple stuff. What memory you have will also affect the 
size you can assign to various cache, etc.


Too many variables, I can't think of the perfect one.

If anyone has that on the list, then maybe they can share their insight 
and how they got to it. I don't.


Daniel



Re: OpenNTPD on OBSD 3.4

2005-06-01 Thread Daniel Ouellet

Edy Purnomo wrote:

How to install OpenNTPD on OBSD 3.4 ?
I've read this from newsgroup but can't understand.
Please advice.


Much better, just pop in the CD and then install OBSD 3.7 and OpenNTPD 
comes pre install with it! (:


Plus many other improvements as well...

Daniel



NPTD multiple timezone on same server

2005-06-02 Thread Daniel Ouellet

OK,

Here is a very stupid question I have to admit, but I still need to find 
a way to do this.


The problem: Stupid Cisco IP phones for 7905 and 7912 DO NOT process the 
EDT/EST time change properly like the higher model 7940 and 7960. Even 
request with plenty of SmartNet to Cisco still without answer other than 
their last release 7.4 remove the time display of the phone totally! 
Good way to fix it right!


Temporary solution: Program all the 7905 and 7912 to get their ntp from a 
server that has the clock off by one hour and manually change this at 
each EDT/EST time change instead of programming all phones.


How to: I wish to use the same server running ntpd from Henning as the 
server, but I haven't found a way to have two daemons running on different 
IP's that would be off by one hour each.


So, is it possible first to do that?

I know Henning makes the daemon simple and user proof so that it just 
works! And yes it does a great job! So, can I somehow trick it into doing 
this to address the stupidity of Cisco instead of installing yet 
another server just for that? Sure, I will do so if I can't have my NTP 
server provide both. I run one service by server, so by principle I 
would do so on my ntp server.


I realize this is stupid, but if we pass that, and over look why ( Cisco 
incapability to do it right), how can I do so, ( to temporary bypass the 
problem ) if possible?


Regards,

Daniel



Re: NPTD multiple timezone on same server (fix)

2005-06-03 Thread Daniel Ouellet

Henning Brauer wrote:

* Daniel Ouellet [EMAIL PROTECTED] [2005-06-02 20:57]:

How to: I wish to use the same server running ntpd from Henning as the 
server, but I haven't find a way to have two daemon running on different 
IP's that would be off by one hour each.


So, is it possible first to do that?



no.

well, you might just run a version hacked up to always add an hour after 
doing the gettimeofday(), but that is really hacky.


I don't intend to add a knob for that, this is really Yet Another 
Cisco Fuckup.




Thanks!

I hacked it and my process is now called

Cisco brain dead ntp engine

Except that I did the changes in the server_dispatch instead.

The gettimeofday() actually would also affect the local time of the 
server. This way I changed only the message sent in reply to clients and 
only affect that.


reply.rectime = d_to_lfp(3600 + rectime);
reply.reftime = d_to_lfp(3600 + conf->status.reftime);
reply.xmttime = d_to_lfp(3600 + gettime());

Not very elegant, but hey, that's for a brain dead Cisco VoIP phone! (:

I think I might just add an entry in my dns like this

edt-only-for-brain-dead-cisco-est-edt-timezone-like-ntp-client.presscom.net

It's a dirty hack, but it will address the issue until Cisco fixes its 
shit I hope! If not, I will need to make it remove the correction 
automatically for EST/EDT switch then.


Thanks for your time.

Daniel



Re: PHP or Mysql problem?

2005-06-15 Thread Daniel Ouellet

Kiraly Zoltan wrote:
  mysql error: Can't create/write to file '/tmp/#sql_4c99_0.MYD' 
(Errcode: 9)




snip

  mysql error: Can't find file: './bsdforums/administrator.frm' 
(errno: 9)




May be a simple search will help you.

http://www.google.com/search?hl=enq=mysql+openfiles+openbsdbtnG=Google+Search

http://marc.theaimsgroup.com/?l=openbsd-miscw=2r=1s=mysql+%2Berrcode+9q=b

Daniel



secure ftpd upload for specific file restricted by type?

2005-06-29 Thread Daniel Ouellet

Hi all,

I am trying to solve a problem I have to improve security and I am 
hoping someone will have a good idea or point me to docs that may 
suggest a good way to achieve this.


The setup: The various servers are only accessible from three specific 
location and all is done via ssh only. Any other access from the world, 
needs to be via VPN to other box and turn around to connect to these 
servers and all VPN gateway also use PF with OS signature and deny ALL 
Linux and the like OS connections to limit even more the access.


The issue: Some clients, even after refusal for a long time, insist to 
use FTP to upload files to servers. So after a long discussion, it was 
agreed to limit access to their office only and no login account on an 
OpenBSD box where they dump their PDF to be called on the web server. I 
wanted to use ssh, but looks like the jail of ftpd with no shell works ok 
so far.


The current compromise: FTP was allowed to two directories ONLY that are 
part of a sub section of a web site. So, the site, other than a very 
specific portion of the site, is not accessible via FTP.


The risk: Now, if a php script is uploaded in the specific directory, 
then obviously a call to that page will run the php script and can open 
security that way and allow to do whatever the php was designed for in 
the server jail space obviously, but still.


The goal: Only allow PDF upload to that directory with the ftp client 
and also no possibility to rename the files to .php for example.


Why: Looks like I can't win the battle to not opening up a bit more the 
ftp access and I refuse to do so until I can address the concern above. 
I will open it more ONLY if I find a way to limit this to PDF ONLY.


Having a cronjob delete any .php files, or any non-PDF files from that 
directory is not really an option as you could still upload a file, call 
it, before the cronjob runs and kills it.


So, any way this can be done?

Allow, delete, replace, upload of *.pdf ONLY via ftpd for the reason above?

May be it's not possible, but I am hoping that someone will have a 
clever idea and I would be able to do this.


Regards,

Daniel



Re: secure ftpd upload for specific file restricted by type?

2005-06-29 Thread Daniel Ouellet

Roy Morris wrote:
why not have a cron job that looks in a directory, and runs file(1) 
against it. parse the output and
see if it's 'really' a pdf or not? .. if yes - move it otherwise rm the 
junk. Or I could be nuts once

again :)



I really wanted to avoid cronjob if possible. Yes it would work, but it 
might be the only way. Still I am trying to explore different ways, if 
any obviously.


Daniel
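
The check Roy Morris suggests above, written out as an added example (not code from anyone in this thread): uploads land in a drop directory that the web server does not serve, and only files that pass the checks are moved to the published directory, which closes the upload-then-request window raised in the original post. The directory arguments and function names are assumptions, and the script reads the `%PDF-` magic bytes itself instead of parsing file(1) output.

```shell
#!/bin/sh
# Added example: promote FTP uploads to a web-served directory, PDFs only.
# Assumption: the ftpd chroot points at DROP_DIR, which httpd does NOT serve;
# PUBLISH_DIR is the directory under the document root.

# is_pdf FILE
# Succeeds only when FILE is a regular file (not a symlink), has a plain
# lowercase "name.pdf" file name, and starts with the bytes "%PDF-".
is_pdf() {
    f=$1
    name=${f##*/}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    case "$name" in
        # hidden files, double extensions (x.php.pdf) and odd characters
        .*|*.*.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.pdf) ;;
        *) return 1 ;;
    esac
    # Compare the first five bytes as hex so NUL bytes cannot confuse the shell.
    magic=$(dd if="$f" bs=1 count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "255044462d" ]
}

# promote_uploads DROP_DIR PUBLISH_DIR
# Moves every file that passes is_pdf into PUBLISH_DIR with mode 0644 and
# deletes everything else found in DROP_DIR. Prints a one-line summary.
promote_uploads() {
    drop=$1
    pub=$2
    # Refuse empty or missing directories so the glob below can never
    # expand relative to "/".
    [ -n "$drop" ] && [ -d "$drop" ] && [ -n "$pub" ] && [ -d "$pub" ] || return 2
    published=0
    rejected=0
    for f in "$drop"/* "$drop"/.[!.]*; do
        # Skip unmatched glob patterns; keep dangling symlinks for removal.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if is_pdf "$f"; then
            chmod 0644 "$f" && mv -f "$f" "$pub/${f##*/}" &&
                published=$((published + 1))
        else
            rm -rf -- "$f"
            rejected=$((rejected + 1))
        fi
    done
    echo "published $published rejected $rejected"
}

# Stand-alone use from cron: script.sh DROP_DIR PUBLISH_DIR
if [ "$#" -eq 2 ]; then
    promote_uploads "$1" "$2"
fi
```

A file that is still being uploaded when the job runs can be moved half-written, so the job should only run when uploads are idle or skip recently modified files.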



Re: secure ftpd upload for specific file restricted by type?

2005-06-29 Thread Daniel Ouellet

Jonathan Franks wrote:


You probably already tried this but what about having them use 
something like Filezilla? it supports ftps (ssh) transfers and it's 
a breeze to use.




I didn't try it, no.

I am a firm believer in using what comes with the default install. The ftp 
with the system is plenty good and having the team looking over it makes 
me feel much better than replacing it with another one. I do appreciate 
your suggestion however, but I am just way too paranoid and stubborn to 
add new stuff unless I have no choice whatsoever.


I got bitten once and I promised myself never again. It was many 
years ago, but I still carry its shadow even today. I learned from my mistake.


I really do appreciate your suggestion however Jonathan and the time you 
took to answer me.


Daniel



Re: secure ftpd upload for specific file restricted by type?

2005-06-29 Thread Daniel Ouellet

T. Wojda3a wrote:


Perhaps you might also be interested in winscp application.
http://winscp.net/eng/index.php (you've stated in the goal description
that you would like to use ftp client + you want no login account,
nevertheless I hope you'll find the information potentially useful)


Thanks for the feedback. I have been using WinSCP for many years already 
and I am very happy with it. My problem isn't on the client side, but 
the server side. Client yes in the way the customer wants to use FTP. I 
know, don't beat me on it, I HATE IT. It would be like managing your 
OpenBSD box with telnet instead of SSH. Glad I saw telnet being ripped 
out of the upcoming 3.8, but that's way off topic now.


I got a few suggestions that I am exploring, one of which is more 
intriguing to me as a learning experience as I have been looking at it 
for some time, but never really dug into it for lack of good understanding 
I guess, maybe fear of the unknown as well, who knows. SYSTRACE. Looks to 
me like it might be a good place to learn it at the same time. Or to cut my 
head off, not knowing it too well for sure.


But thanks for your suggestion however and the time you took to even reply.

Regards,

Daniel



OT: Quad Ethernet cards feedback on OpenBSD

2005-11-16 Thread Daniel Ouellet
Sorry for this off topic question. Looking at the archive, SK (Henning 
loves them! (;) is what looks like the best Ethernet cards to use, a few 
months ago anyway. The network cards are changing so quickly that what 
was true 6 months ago may well not be today.


For quad, can someone confirm, deny or offer an alternative known to work 
well before I get 12 of them. Hopefully I may be able to fit them into 
the Sun X2100, but will see.


Also, any issue running a minimum of 100 VLan on them? I didn't see issues 
in the archive, so I take it as being no problem! I can't think of any.


Any other suggestions are also welcome. I am more concerned about the 
efficiency of the cards as they will be routing and supporting many VLan 
and PF will in some of the setups use individual VLan firewall 
configuration, up to 125 in one case. Will see if I can make that work 
well, not sure of my possible success, but will see...


Thanks for your time.



Re: OT: Quad Ethernet cards feedback on OpenBSD

2005-11-17 Thread Daniel Ouellet

Hi guys,

Thanks for the feedback so far. I wish there was more, but just a quick 
note that there is no point in arguing or talking about different 
cards. Just trying to find the very efficient dual or quad card that can 
route almost full capacity traffic is really the goal. Having a great 
card that works for a home setup is well, but not really what I am 
looking for. This is to pull out Cisco routers with FastEthernet 
interfaces and Gb interfaces in peering points, to be replaced by 
OpenBSD. So, efficiency and reliability is really the key. If there is 
very good feedback great, if not, I will just need to test a few 
different ones and see the results. The good news is that at a minimum, 
the cards are not thousands of $ each, so testing in the end takes time 
and costs some, but nothing to kill about either. The bad side is that it 
may affect connectivity and that's not something I wish to do, so the 
testing needs to be minimal. After all testing with live customers is 
not nice! (:


I think having a card that uses less CPU would be great as it's more 
likely to be more efficient, but will see. Keep the feedback coming, on 
the list or in private to reduce the noise is fine by me.


Thanks

Daniel



Re: Motherboard recommendations? Pentium IV, 2GB+ RAM?

2005-11-18 Thread Daniel Ouellet

C. Bensend wrote:

Hey folks,

   I've been poring over the archives for a couple of days now,
looking for recommendations for a Pentium IV motherboard for a new
server I'm building.  I've found a lot of AMD and AMD64 posts, but
hardly any P4s.  I would really appreciate any suggestions from any
of you that own motherboards with the following specs:


Well, that's because if you do use AMD64 instead of P4, you will get a 
box a hell of a lot faster and the price would be the same to you and 
believe me when I say that! You are MUCH better with AMD64 for a server 
than P4. Flame me if you like, but you will hardly find anyone here 
telling you to go use Intel instead of AMD64, especially if you have the 
choice from now and you can build what you want!


You would be much better off with AMD64, but that's just me!

Feel free to not follow my suggestion, but I would argue that would be a 
mistake!


Daniel



Re: help: pf pop3

2005-11-21 Thread Daniel Ouellet

Edy Purnomo wrote:

hi,

trying to:

block all pop3 to outbound connection BUT allow one client AND inbound 
(local mail server) connection.

any suggestion ?

-edy-


Read the information available here:

http://openbsd.org/faq/pf/index.html

Or even a very good step by step with a lot of explanations here:

http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf in PDF or
http://www.bgnett.no/~peter/pf/en/ in html.

Much better to understand what you are doing instead of using the cut 
and paste configuration of someone else.


Peter's document will surely get you started and provide you valuable 
information in a step by step if you need that.




Theorical question on dual core vs single CPU in routing setup.

2005-11-25 Thread Daniel Ouellet
Here is a question I found interesting for my own education, and I am 
trying to come to peace with, as far as application usage with dual 
core, or multi-processor vs single one.


I was asking myself if I would actually benefit from a dual core 
processor, or multi-processor system in a routing setup and the more I think 
about it, I would think not as the application is not multi-threaded to 
start with and there isn't much else running as well.


Am I wrong in my understanding?

Looking at the code of bgpd/ospfd, I don't see it designed as using 
multiple threads (doesn't mean I understand it fully either) so it 
wouldn't benefit from a dual core server then, and as the routing table 
basically is processed by the kernel, I would think it would be useless to 
have multi core no?


In a setup where multiple applications are running, or where the 
applications are designed with threads in them, yes, but here am I wrong to 
think that for a setup where routing with multiple Ethernet ports and 
where bgpd/ospfd is running with pf that it wouldn't really be a 
benefit? They all are dependent on each other and as such would need to 
wait anyway if the routing table changed.


Can someone correct my understanding, or lack thereof, I was curious 
about that now.


Multi-processor is only useful when you can do multiple things, not 
related to each other at the same time, or the application is designed 
with threads in mind, so here I guess the benefit would be minimal no?


Unless I miss something in the code, or something in how bsd.mp works 
(as it would be required to run dual core CPU), may as well put the 
money for the speed instead of dual core no?


It's not a big issue, but it got me thinking about it at the point that 
I really got curious as to the outcome now, and wonder if I actually 
understand it right, or if I am full of it!


Thanks for your time.

Daniel



Re: Theorical question on dual core vs single CPU in routing setup.

2005-11-26 Thread Daniel Ouellet

Thank you to Otto, Ted and Joachim for your answers and time.

It confirmed most of my thinking and I was happy to see different points 
of view on the subject. So, I can spend my money a bit more wisely, or 
pretend to anyway! (:


Thanks

Daniel



Re: Updated CCD Mirroring HOWTO

2005-11-27 Thread Daniel Ouellet

In all these:


I'm going to take this thread for what I think it is... the old guard
telling us youngin's that our efforts are appreciated, but we've got a
bit more to learn about how things work, and how to write good
documentation, before we're really ready to jump into these things the
way we have been lately.  I've noticed a decent drop in the number of
How do I get PPPoE working and How do I get Apache+MySQL+PHP working
questions on the list, which is what prompted Daniel to create
openbsdsupport in the first place, so in a way, we've been successful in
what we set out to do.  



I may seem overly critical in debate but I still believe the work of
Daniel Ouellet and the HOWTO writers has been a worthwhile experiment. 
Though it has opened the door for the blind leading blind, only by
experimenting with new ideas will one be able to prove or disprove their
validity and in the process, you might learn something unexpected.


or
quote Are you subscribed to newbies?  We don't do the bullshit like the
HOWTOs or openbsdsupport.org.  We teach you how to help yourself. The
answers come with learning, so you can be a better admin.

There are many sad facts and true factors from both sides. Users have to 
and should look for information and the proper way of doing things. 
Hopefully the fact that they decide to switch their OS to OpenBSD may 
open the light a bit and they may have become a bit more critical of security 
anyway, so one would think they wouldn't jump on the first document they 
find and just do cut and paste. But the fact of life is also that you 
can be sure some will for sure just do that!


Others may read some documents and see something in them that they haven't seen 
before and it piques their curiosity to go look why that is and actually 
improve their learning. Not the majority I agree!


So, nothing is perfect and never will be!

Is it better to provide some help to some users to get them started, or 
does it hurt them for not forcing them to dig in vain to find something 
they would get easier. Will the results favor the laziness, or the 
curiosity! I wish I knew that answer! Those who are lazy, most likely will 
stay that way. Some that are inclined to change, may well see it as 
useful and change, those who are doing their homework will take it for what it 
is, another source of information and grab anything, or nothing they 
see fit from it, and finally whoever knows it all, will see it as a 
waste and not look at it, why should they anyway! So, where you fit, 
will dictate your point of view on the subject I guess.


Does it mean it shouldn't exist as a side track? I still don't know for 
sure yet...


But, I think the best way might be to provide the information in a 
concise manner WITH reference (URL) to more details and ALWAYS warn the 
users NOT to do simply cut and paste as this hurts them for sure, but to 
seek the understanding of what is suggested in the documents. Not the 
state of things now for almost all side documents at this time and may 
well be never either.


But who never start walking will never be running either!

So, it's like, providing knobs to a monkey and he will turn them, that's 
why OpenBSD doesn't have knobs like many other OS, or very few knobs 
anyway! Generic default is best, so how to provide more information and 
make it easier for users that are not used to doing their research and help 
them use a better system and at the same time try to trigger them to 
learn it without alienating them! I wish I knew the solution for that!


But, I do believe this however, if a brain dead user switches from a less 
secure OS ( take your pick of OS here ) and comes to OpenBSD for 
security, documentation, curiosity, stability, whatever else, and stops 
using the less secure OS, whatever that might be, and in the process 
uses what some would call bullshit and stupid brain dead HOWTOs for 
monkeys, and never learns more about it, and in the process, may even 
hurt its own setup and make it less secure in the process by using 
the brain dead HOWTOs, wouldn't the system in the end still be more 
secure than the same setup in any other OS? Don't forget the common 
factor here. Brain dead setup to start with, so very likely to be 
misconfigured in the first place and join many other less secure systems on 
the Internet and continue to pollute it.


I guess that's really the question isn't it?

Sadly there will always be brain dead users that cut and paste without 
thinking, or knowing, or even wanting to know or learn, whatever you 
want to describe it, in the end the resulting system in use by the same 
brain dead users is still more secure than another system set up in the 
same manner by the same brain dead users, so the fact remains that in a 
small manner, the Internet at large becomes a bit safer for all of us!


Isn't it all what we wish it to be!?

With all aspects being equal and you can't change the world, or some brain 
dead users, they will set up servers no matter what and infect
