bgpd.conf rules changed?

2022-12-19 Thread Toni Mueller


Hi,

I am trying to upgrade an OpenBSD based BGP router from an old version
to 7.2. But on OpenBSD 7.2, the config file results in several errors,
despite the man page not indicating anything "obvious".

Eg. I get syntax errors on

  softreconfig in yes
  softreconfig out yes
  announce self
  announce all
  announce default-route


I also get errors on

  tcp md5sig password  somesecrethere

if the secret contains special characters.


I have tried to comment the softreconfig lines, but can't do away with
the 'announce' statements.


Is there some overview about what changed over the course of time, and
possibly, some better error messages to help diagnose the errors?


Thanks a lot,
Toni
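An added illustration for the situation in this post, not code from the thread and not part of OpenBGPD: a small POSIX shell lint that flags the statements the post lists as rejected (the softreconfig and announce policy keywords) and an md5 secret that is not a plain word and sits outside double quotes. The keyword list and the quoting rule are assumptions drawn from the post rather than an official migration table, and `bgpd -n -f FILE` stays the authoritative check.

```sh
#!/bin/sh
# Added example, not from the thread and not part of OpenBGPD: a lint pass
# over an old-style bgpd.conf that flags the statements the post above says
# 7.2 rejects. The keyword list and the "quote a secret that is not a plain
# word" rule are assumptions drawn from the post, not an official migration
# table; bgpd -n -f FILE remains the authoritative check.

# bgpd_lint FILE -> prints "LINE: message" per finding; returns 1 if any
bgpd_lint() {
    _file=$1 _found=0 _lineno=0
    while IFS= read -r _l || [ -n "$_l" ]; do
        _lineno=$((_lineno + 1))
        _s=${_l%%#*}                       # drop trailing comments
        case "$_s" in
            *softreconfig*)
                echo "$_lineno: 'softreconfig' is no longer a neighbor option; remove the line"
                _found=1 ;;
        esac
        case "$_s" in
            *"announce self"*|*"announce all"*|*"announce none"*|*"announce default-route"*)
                echo "$_lineno: old 'announce' policy keyword; express the policy as filter rules instead"
                _found=1 ;;
        esac
        case "$_s" in
            *"md5sig password"*)
                _secret=${_s##*password}
                _secret=$(printf '%s' "$_secret" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                case "$_secret" in
                    \"*\") ;;              # already quoted
                    *[!A-Za-z0-9_.-]*)
                        echo "$_lineno: md5 secret contains special characters; enclose it in double quotes"
                        _found=1 ;;
                esac ;;
        esac
    done < "$_file"
    return $_found
}

# Constructed sample resembling the config in the post (not a real config).
bgpd_lint_demo() {
    _tmp=$(mktemp) || return 2
    cat > "$_tmp" <<'EOF'
AS 65001
neighbor 192.0.2.1 {
        remote-as 65002
        softreconfig in yes
        announce self
        tcp md5sig password some$ecret!here
}
EOF
    bgpd_lint "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}
```

Running `bgpd_lint_demo` prints three findings (lines 4, 5 and 6 of the sample) and returns 1; on a file where the secret is quoted and the policy keywords are gone it prints nothing and returns 0.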



Re: bgpd.conf rules changed?

2022-12-27 Thread Toni Mueller


Hi Claudio,

On Mon, Dec 19, 2022 at 01:10:15PM +0100, Claudio Jeker wrote:
> You update from a very old version of OpenBGPD.

true. Your tips worked a treat, though, and adjusting the config wasn't
too difficult.


Thanks a lot,
Toni



Re: Local mail relay

2008-12-03 Thread Toni Mueller
Hi,

On Thu, 20.11.2008 at 14:57:21 +0200, Yuriy A. Dmitrishin <[EMAIL PROTECTED]> 
wrote:
> router sm-msp-queue[3879]: mAFNUix6020927: to=root, delay=4+12:59:18, 
> xdelay=00:00:00, mailer=relay, pri=19473085, relay=[127.0.0.1], dsn=4.0.0, 
> stat=Deferred: Connection refused by [127.0.0.1]
> 
> How can I tell it send to [EMAIL PROTECTED] if mail relay is on another 
> server (ip 192.168.0.2)? I'm not familiar with sendmail.

I'm also not really familiar with sendmail after abandoning it years
ago, but would try these things:

1. In /etc/mail/aliases, enter [EMAIL PROTECTED] as the alias for
   root. Run 'newaliases' to update your aliases database.

2. [Sendmail experts will probably flame me] In /etc/mail/*.cf, there
   is an option line starting with 'DS' ('Define Smarthost'). Change
   this line to read DS[192.168.0.2]

   The recommended way to change Sendmail's configuration is to not do
   what I suggested above, but instead to go to /usr/share/sendmail/cf,
   edit one of the files in there, and re-run 'make' to update the real
   configuration in /etc/mail, but I don't know how to do the same
   thing in those .mc files.

3. Restart sendmail.



Kind regards,
--Toni++
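As an added example (not from the thread and not sendmail's own tooling), the two file edits suggested in this reply, written as shell functions that take the file paths as parameters so they can be tried on copies first. The `DS` line and `aliases` layout are as described above; nothing here runs `newaliases` or restarts sendmail, which remain the last two steps.

```sh
#!/bin/sh
# Added example, not from the thread: apply the two edits suggested above
# (smart host and root alias) to files given as parameters, so they can be
# tried on copies before touching /etc/mail. Nothing here runs newaliases
# or restarts sendmail; those remain the last two steps of the recipe.

# sendmail_set_smarthost CF_FILE RELAY
# Rewrites the DS line. The square brackets make sendmail connect to the
# host directly instead of doing an MX lookup on it.
sendmail_set_smarthost() {
    _cf=$1 _relay=$2
    grep -q '^DS' "$_cf" || { echo "no DS line in $_cf" >&2; return 1; }
    _tmp=$(mktemp) || return 1
    sed "s/^DS.*/DS[$_relay]/" "$_cf" > "$_tmp" && cat "$_tmp" > "$_cf"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# aliases_set ALIASES_FILE USER TARGET
# Replaces an existing "USER:" entry or appends one.
aliases_set() {
    _aliases=$1 _user=$2 _target=$3
    _tmp=$(mktemp) || return 1
    awk -v u="$_user" -v t="$_target" '
        $0 ~ ("^" u "[ \t]*:") { print u ": " t; done = 1; next }
        { print }
        END { if (!done) print u ": " t }
    ' "$_aliases" > "$_tmp" && cat "$_tmp" > "$_aliases"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Readers used to verify the result.
sendmail_get_smarthost() { sed -n 's/^DS//p' "$1"; }
aliases_get() {
    awk -v u="$2" '$0 ~ ("^" u "[ \t]*:") { sub(/^[^:]*:[ \t]*/, ""); print }' "$1"
}

# Demo on constructed fragments (not real configuration files); prints
# "<smart host> <root alias>".
sendmail_demo() {
    _dir=$(mktemp -d) || return 1
    printf 'DS\nDM\n' > "$_dir/sendmail.cf"
    printf 'postmaster: root\nroot: oldadmin\n' > "$_dir/aliases"
    sendmail_set_smarthost "$_dir/sendmail.cf" 192.168.0.2 &&
        aliases_set "$_dir/aliases" root admin@example.com &&
        printf '%s %s\n' "$(sendmail_get_smarthost "$_dir/sendmail.cf")" \
                         "$(aliases_get "$_dir/aliases" root)"
    _rc=$?
    rm -rf "$_dir"
    return $_rc
}
```

`sendmail_demo` prints `[192.168.0.2] admin@example.com`; the address `admin@example.com` stands in for the real recipient the original message had redacted. On a real system, run the two setters against `/etc/mail/sendmail.cf` and `/etc/mail/aliases`, then `newaliases` and a sendmail restart.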



pf: how to set per-rule options?

2008-12-10 Thread Toni Mueller
Hi,

I have the following problem: For some packets, I would like to say
that some options be applied to packets.

Example:

pass on $ext_if all max-mss 1400

This line yields a syntax error.


According to pf.conf(5), this should work, with the following
derivation:

line -> pf-rule -> action "on" ifspec hosts filteropt-list

and

filteropt-list -> filteropt -> "max-mss" number



This problem occurs with both 4.3 and 4.4, but not for all options,
only for some. Amongst those that don't work are "no-df", "max-mss",
and "min-ttl".

I'm now confused as to whether I'm just misreading the manual, or
whether this functionality is just not implemented, and pfctl catches
that case.



Kind regards,
--Toni++



Re: pf: how to set per-rule options?

2008-12-11 Thread Toni Mueller
Hi,

thanks for your answer.

On Thu, 11.12.2008 at 02:29:22 +, Stuart Henderson  
wrote:
> On 2008-12-10, Toni Mueller  wrote:
> > Example:
> > pass on $ext_if all max-mss 1400
> you should use "scrub on ... max-mss 1400"

I have seen, and verified, that that works, but I hoped to apply such a
rule to only some of the packets (think different transport media
etc.pp.).

> the BNF section is wrong, there should be a separate 'scrub-rule'
> and the relevant options (max-mss, set-tos, no-df and some others)
> should be moved to something like 'scrubopt'.
> 
> any volunteers for a diff? :-) this (in src/share/man/man5/pf.conf.5)
> is plaintext, you don't even need mdoc.samples(7).

Would it be a big problem to adjust the code instead?


Kind regards,
--Toni++



Re: Running another OS under OpenBSD

2008-12-11 Thread Toni Mueller
Hi,

On Thu, 11.12.2008 at 21:35:36 +0200, Jussi Peltola  wrote:
> On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> > Please can you indicate me how to run Windows or Linux under OpenBSD ?
> > Under Linux for example there is possibility to virtualize another OS.
> > If the other OS is hacked from the web does it compromise the security of
> > OpenBSD ?

this is generally possible. If you kept an eye on the virtualization
methods under Linux, you will have encountered several cases where it
was possible for virtual machines to break out of their compartment,
and invade the host or other guest systems. Search eg. for "blue pill"
if you want more details.

> Who cares; if your service gets hacked, it doesn't help to keep the
> underlying OS clean, your service is still compromised.

This is true, but also true is that recovery from a compromised virtual
machine is generally much faster than recovery from a compromised
physical machine, provided you have a clean image lying around, and you
are sure that the host is not compromised. But no one can guarantee you
that.


-- 
Kind regards,
--Toni++



Re: pf: how to set per-rule options?

2008-12-12 Thread Toni Mueller
Hi,

On Thu, 11.12.2008 at 21:12:43 +, Stuart Henderson  
wrote:
> On 2008-12-11, Toni Mueller  wrote:
> > On Thu, 11.12.2008 at 02:29:22 +, Stuart Henderson 
> >  wrote:
> >> On 2008-12-10, Toni Mueller  wrote:
> >> > Example:
> >> > pass on $ext_if all max-mss 1400
> >> you should use "scrub on ... max-mss 1400"
> >
> > I have seen, and verified, that that works, but I hoped to apply such a
> > rule to only some of the packets (think different transport media
> > etc.pp.).
> 
> scrub supports that.

I've recently run into problems which looked to me like PMTUD does not
work across IPSEC.

But I'll check again.


Kind regards,
--Toni++



Re: OT, .. but eCommerce?

2008-12-13 Thread Toni Mueller
Hi,

On Sat, 13.12.2008 at 01:09:35 -0500, bofh  wrote:
> Really unfortunate nothing non-PHP based.

well, we're running Interchange (www.icdevgroup.org), which is
Perl-based, but will most likely switch to Satchmo
(www.satchmoproject.com), which was already mentioned, which works on
top of Django (www.djangoproject.com).

> Hopefully one day, some one will have an itch to scratch that will not
> be PHP based.

No need to let yourself be blinded by the plethora of PHP stuff, imho.


Kind regards,
--Toni++



Re: CARP under heavy load

2008-12-15 Thread Toni Mueller
On Mon, 15.12.2008 at 10:14:41 +0200, Jussi Peltola  wrote:
> IME forwarded packets seem to somehow have a higher priority than
> self-originated traffic in most OS's; don't know why this is, just a gut
> feeling.

I guess that this is true. In any case, if he were able to maintain
a bandwidth difference between the routers and his uplink, things
should start working again.

The bandwidth difference could probably be achieved by trunking.


-- 
Kind regards,
--Toni++



Re: OpenBSD 4.4 amd64 bsd.mp can't detect 4GB memory

2008-12-15 Thread Toni Mueller
Hello,

On Mon, 15.12.2008 at 15:47:06 +0100, Paul de Weerd  wrote:
> On Mon, Dec 15, 2008 at 10:40:44PM +0800, C. Soragan Ong wrote:
> | I am using OpenBSD 4.4 and am having problems detecting 4GB ram. Below is the
> | dmesg
> 
> Well, all memory is found (see the spdmem entries in your dmesg), but

these messages suggest that he has 4GB of RAM installed in his machine,
right?

> not all of it is supported by the default kernel. You'll have to
> enable bigmem and compile a new kernel yourself.

I thought that 4GB of RAM *are* supported in the default kernel?

But apart from that, I'm having a quite similar problem with a
completely different machine. It turns out that very much RAM is eaten,
depending on various BIOS settings. I haven't figured out how to tune
it, but currently I'm losing some 700+MB this way (really AWFUL!). I
have found out that enabling PXE eats some 20MB per NIC on which it is
enabled, though.


Kind regards,
--Toni++



Re: Ethernet flow control

2008-12-17 Thread Toni Mueller
Hi,

thanks for answering. I have some comments, though:

On Wed, 17.12.2008 at 07:33:19 -0700, Duncan Patton a Campbell 
 wrote:
> On Wed, 17 Dec 2008 13:40:35 +0100 Toni Mueller  wrote:
> > I have a question regarding Ethernet flow control. It would be nice to be
> > able to see and/or adjust the current flow control configuration for
> > individual interfaces from the command line, at 100 and 1000MBit/s. My
> > interfaces usually use the fxp(4) or em(4) drivers. I dimly remember
> > having seen such a thing somewhere ("tx_pause,rx_pause"), but can't
> > find it right now. Checking my machines did not turn up anything.
> 
> This sort of thing is usually controlled by firmware and os driver
> access is inherently limited to "known good" parameters.  To play
> with this stuff you will prob'ly need cards that allow you download
> your own (modded) firmware.

if my dealer is correct, at least some/most/all of the em(4) (server)
cards allow downloading firmware, required for enabling them to netboot
via PXE, or to talk iSCSI instead.

The intel control utility for Windows that came with my 10-years-old
fxp(4) cards allowed adjusting such parameters (and much more).

In any case, I want control over these parameters to improve
interoperability with (currently) one special application where I only
control one end (GRMPF!).

A "sane default" seems to be to turn these two parameters on, but I
can't see nor set what's going on.

I have experienced random loss of connectivity with one piece of gear
because the other box (Lucent MetroWAN) seems to sometimes just get
jammed, according to the current theory, and often doesn't recover.

If someone can recommend a switch that features this kind of control,
your advice is much welcome, too.


Kind regards,
--Toni++



Ethernet flow control

2008-12-17 Thread Toni Mueller
Hello,

I have a question regarding Ethernet flow control. It would be nice to be
able to see and/or adjust the current flow control configuration for
individual interfaces from the command line, at 100 and 1000MBit/s. My
interfaces usually use the fxp(4) or em(4) drivers. I dimly remember
having seen such a thing somewhere ("tx_pause,rx_pause"), but can't
find it right now. Checking my machines did not turn up anything.


Kind regards,
--Toni++



IPSEC in 4.3 and 4.4: strange packet loss

2008-12-19 Thread Toni Mueller
Hi,

I have a VPN running which, for this problem, looks roughly like this:


 net-West - West - East - net-East
              |
              +--- South - net-South


"West" is the central site, and "East" and "South" are quite similarly
configured branch offices. Esp., regarding the packet filter
configuration on "West", both sites are configured symmetrically.
Traffic between (West, East) and (West, South) is permitted to flow
freely in both directions. "West", "East" and "South" are OpenBSD-based
firewalls. "East" has a default route to "West", but "South" has only
a route to "net-West".


Now the problem:

"Ping" with oversized packets (I see 1548 bytes with tcpdump, and the
user set a packet size of slightly more than 1500 bytes) from
"net-West" to "net-East" works fine, all the time, while the same
command from "net-West" to "net-South" does not work, also most of the
time, with success rates varying between zero and three packets
returning, out of four. At "South", the packets which arrive are only
1528 bytes long, so I've lost some 20 bytes on the road.

Running tcpdump on the internal LAN interface and on enc0 of "West"
shows that not all of the packets which enter the LAN interface, and
which are destined for net-South, even enter the enc0 interface.
Conclusion: packets are lost within the firewall (but I can't see
anything on pflog0, either).

"West" is two machines, one runs OpenBSD 4.3 amd64, with the
GENERIC.MP kernel, and the other runs OpenBSD 4.4 i386, with the
GENERIC.MP kernel (fully patched).


Any ideas about how to better debug such a problem are very much
appreciated!



Kind regards,
--Toni++



Re: IPSEC in 4.3 and 4.4: strange packet loss (addendum)

2008-12-19 Thread Toni Mueller
On Fri, 19.12.2008 at 10:38:28 +0100, Toni Mueller  
wrote:
> "Ping" with oversized packets (I see 1548 bytes with tcpdump, and the
> user set a packet size of slightly more than 1500 bytes) from

The user uses this command to test from his desktop computer:

ping 1.2.3.4 -l 1500 -n 1


with 1.2.3.4 being an IP located in net-South.


-- 
Kind regards,
--Toni++



Re: pppoe not reconnecting

2008-12-22 Thread Toni Mueller
Hi,

On Sat, 20.12.2008 at 14:13:34 +, Christian Weisgerber  
wrote:
> However, sometimes pppoe just seems get wedged and stop retrying.
> Does anybody else see this too?

"yes", across a number of versions of OpenBSD, and for the last few
years. I have static IPs, too, but am disconnected every now and then.
Connections actually seem to fail several times per day, more often at
some locations than at others, so it may be a question of what's at the
other end, or what the copper can do.

When it happens, I can't "see" what's going on, since by then I'm locked
out. I have installed cron jobs, though, which detect the situation and
try to speed up recovery by killing the (probably) wedged pppoe and ppp
programs, and run this every one or two minutes.

When things recover on their own, it sometimes takes about half an hour
to do so, and sometimes fails (afair). And sometimes, I need several
attempts to get a useful connection.

So far, I was writing this off as "you get what you pay for", although
I have much less trouble with Linux connecting to the same ISP.


Kind regards,
--Toni++
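An added example of the kind of cron-driven watchdog this post describes; it is not the poster's actual script. The probe and the recovery action are both parameters (the probe might be a `ping` of the far end of the link; the recovery is whatever restarts the link on the box in question, such as killing the wedged pppoe and ppp processes), so the function itself only does the bookkeeping: count consecutive failures in a state file and act once a threshold is reached.

```sh
#!/bin/sh
# Added example, not the poster's actual cron job: a watchdog to run from
# cron every minute or two. It probes connectivity with a command supplied
# by the caller, keeps a count of consecutive failures in a state file, and
# runs a recovery command once the count reaches a threshold. Both commands
# are parameters (probe e.g. "ping -c 1 -w 3 192.0.2.1", recovery whatever
# restarts the link on the box in question); neither choice is made here.

# pppoe_watchdog STATEFILE THRESHOLD PROBE_CMD RECOVER_CMD
# Prints what it did: "ok", "fail N" or "recover". Always returns 0 so a
# cron run never reports an error merely because the link is down.
pppoe_watchdog() {
    _state=$1 _limit=$2 _probe=$3 _recover=$4
    _fails=0
    [ -r "$_state" ] && read -r _fails < "$_state"
    case "$_fails" in ''|*[!0-9]*) _fails=0 ;; esac   # tolerate a corrupt state file

    if sh -c "$_probe" >/dev/null 2>&1; then
        printf '0\n' > "$_state"
        echo ok
        return 0
    fi

    _fails=$((_fails + 1))
    if [ "$_fails" -ge "$_limit" ]; then
        printf '0\n' > "$_state"          # start counting afresh after acting
        sh -c "$_recover" >/dev/null 2>&1
        echo recover
        return 0
    fi
    printf '%s\n' "$_fails" > "$_state"
    echo "fail $_fails"
    return 0
}
```

A crontab line such as `*/2 * * * * /usr/local/sbin/linkwatch.sh` (an assumed path) would call `pppoe_watchdog /var/run/linkwatch.state 3 'ping -c 1 -w 3 192.0.2.1' 'sh /etc/netstart pppoe0'` (assumed values); with a threshold of 3 and a two-minute interval, the recovery fires about six minutes into an outage rather than after the half hour the post mentions.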



Re: Yahoo! mail and OpenBSD greylisting

2008-12-23 Thread Toni Mueller
Hi,

On Tue, 23.12.2008 at 14:49:40 +0530, Girish Venkatachalam 
 wrote:
> Well we discussed long ago that there is no such thing as a standard
> that says that mails be retried from the same IP address.
> 
> So technically speaking yahoo! does not break any standard.

I dimly remember that I had the same problem with Pipex and a few
places in the US as well. I ended up whitelisting /24s as they came by.

What bothers me more is that, at least until very recently, some
moderately well-known outfit over here, who claims to do "unified
messaging" and sells application hosting, esp. email, bounced messages
upon 4xx without retrying at all. :(


-- 
Kind regards,
--Toni++
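An added example for the "whitelisting /24s as they came by" approach in this post; it is not from the thread. It groups the greylist entries spamdb prints by /24 and lists the networks from which several distinct hosts are currently greylisted, which is the trace a sending farm that retries from changing addresses leaves. The `|`-separated record layout used here (`GREY|ip|helo|from|to|first|pass|expire|block|pass`) is an assumption about spamdb(8) output and should be checked against the manual page of the release in use; the sample records are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: turn spamdb(8) output into a list of
# /24 networks from which several distinct hosts are currently greylisted,
# which is the pattern a sending farm that retries from ever-changing
# addresses leaves behind. Assumed record layout (spamdb's "|"-separated
# form): GREY|ip|helo|from|to|first|pass|expire|block|pass. Check against
# the manual page on the version in use before relying on the field order.

# greylist_subnets MINHOSTS < spamdb-output
# Prints "a.b.c.0/24 N" for each /24 with at least MINHOSTS distinct
# greylisted IPv4 hosts, sorted, one per line.
greylist_subnets() {
    awk -F'|' -v min="$1" '
        $1 == "GREY" {
            if (split($2, o, ".") != 4) next      # skip IPv6 and malformed
            if ($2 in seen) next                  # count each host once
            seen[$2] = 1
            net = o[1] "." o[2] "." o[3] ".0/24"
            hosts[net]++
        }
        END { for (n in hosts) if (hosts[n] >= min) print n, hosts[n] }
    ' | sort
}

# Constructed sample (RFC 5737 documentation addresses, invented helo/from).
greylist_demo() {
    greylist_subnets "$1" <<'EOF'
GREY|203.0.113.5|mta5.example.net|<news@example.net>|<me@example.org>|1230000000|1230014400|1230028800|2|0
GREY|203.0.113.9|mta9.example.net|<news@example.net>|<me@example.org>|1230000100|1230014500|1230028900|1|0
GREY|203.0.113.5|mta5.example.net|<other@example.net>|<me@example.org>|1230000200|1230014600|1230029000|1|0
GREY|203.0.113.17|mta17.example.net|<news@example.net>|<me@example.org>|1230000300|1230014700|1230029100|3|0
GREY|198.51.100.7|mail.example.com|<bob@example.com>|<me@example.org>|1230000400|1230014800|1230029200|1|0
WHITE|192.0.2.10|||1230000000|1230003600|1233000000|0|3
EOF
}
```

`greylist_demo 2` prints `203.0.113.0/24 3` (the same host with two different envelope senders counts once). In use, `spamdb | greylist_subnets 3` gives candidates; each one still deserves a look at whose netblock it is before it goes into the table pf uses to bypass spamd, since a /24 exemption is exactly the kind of hole a spammer sharing that range would enjoy.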



Re: Yahoo! mail and OpenBSD greylisting

2008-12-23 Thread Toni Mueller
Hi,

On Mon, 22.12.2008 at 15:59:29 -0600, Jim Aragon  wrote:
> This may be helpful: 
> http://tech.groups.yahoo.com/group/ygmailadmin/

thanks for the info!

But I'm aggravated about them taking for granted that they need an
exception for their mail service, instead of just playing by the rules,
especially as they mostly filed my mails to Yahoo! members into the
member's junk folder, and so far didn't respond as to why they're doing
it, or how one could change that.


-- 
Kind regards,
--Toni++



Re: Trouble ticket system suggestions

2008-12-23 Thread Toni Mueller
Hi,

On Tue, 23.12.2008 at 19:44:57 +0200, open...@bgone.net  
wrote:
> I would like to get your suggestions and experience with some Trouble
> Ticket Systems on OpenBSD.
> It should be rather simple.
> Users should be able to send notes to support and check status of it.
> Support should be able to answer the tickets and check old tickets from
> the same user, etc.
> No need of phone integration.

this is still very sparse information about what you need. I suggest
test-driving some systems and then deciding to use one.

Ticket systems out there are quite different, according to their
intended usage, so what might work for me, might not work for you.

Some somewhat popular projects to look at should imho include Request
Tracker, Trac, Roundup, and maybe OTRS.


Kind regards,
--Toni++



Re: Trouble ticket system suggestions

2008-12-23 Thread Toni Mueller
Hi,

On Tue, 23.12.2008 at 16:02:02 -0500, Andrew Ruscica  wrote:
> Seconded for OTRS; obsd has been running it well for me for the last
> four years.

I deliberately tried to make a "neutral" kind of statement, because
some systems work better in one context, and some systems work better
in a different context.

Having said that, I listed OTRS because I know it's popular, but
personally, I'd take RT (big) or Roundup (small) any day over OTRS,
which I dislike quite a bit. For software development in particular,
Trac is quite attractive to me, but I know of people doing general
ticketing with it. If it's still the case that some of these systems
don't run well on OpenBSD (this was at some point the case with RT,
which tends to require rather current Perl stuff), I'd prefer to
resolve these problems instead of switching software packages.


Kind regards,
--Toni++



pfsync

2008-12-29 Thread Toni Mueller
Hi,

I just discovered that pfsync needs the sync device to be numbered,
even if I simply try to use the multicast address and don't specify a
syncpeer. Not numbering it, but simply pulling it up, yielded (eg.)


# ifconfig pfsync0 syncdev ste3
ifconfig: SIOCSETPFSYNC: No buffer space available


In some emails regarding this issue, but pertaining to older versions
of OpenBSD, it was suggested that an unnumbered interface would do, and
I think that it should if one uses the multicast addresses, so I'd
suggest that this could be mentioned in the documentation (unless I hit
a bug, of course).

This is OpenBSD 4.4-stable.


Kind regards,
--Toni++



Re: OpenLDAP w/o bdb okay?

2009-01-06 Thread Toni Mueller
Hi,

On Tue, 06.01.2009 at 01:08:27 +0100, Henning Brauer  
wrote:
> I am using openldap with ldbm backend in an not exactly small
> installation for 9 or 10 years now. I have never ever experienced a
> broken database. never.

my last encounter with ldbm, a few years back, drove me to bdb really
fast, because my - though small - installation(s) seem to behave the
opposite way. In any case, knowing how to repair a broken ldbm database
would be a good thing. With bdb, there is dbX.Y_recover, which worked
nicely for me when I needed it.

Having said that, bdb appears to be the prerequisite for the ability to
modify existing objects' DNs.

> openldap is still a piece of shit, but the ldbm backend is probably the
> sanest one.

This pattern comes up often, but almost no one suggests an alternative
LDAP server package.


-- 
Kind regards,
--Toni++



Re: CARP issues 4.3

2009-01-07 Thread Toni Mueller
Hi,

On Tue, 06.01.2009 at 17:11:45 -0600, Jon Slusher  
wrote:
> and for some reason it tried to take over as the MASTER, while its CARP 

a shot in the dark: Are you sure that CARP traffic flows freely between
the two firewalls, and that they both have the same password? That the
IP setup is generally consistent?

(Eg. I have trouble with what you call a "WAN" interface - those
interfaces that I am aware of, should not be able to support CARP
operation because they are point-to-point interfaces.)

> LAN interface would also not go beyond the INIT state. I had to shut it 

I've seen this, too, and tracked it down to be either a
misconfiguration (eg. a typo), or overlapping networks.

Eg. I have something like this on a pair of firewalls:

interface1: 10.10.0.0/16
interface2: 10.10.10.0/24

Doing this manually works like a charm, but CARP can't handle it (at
least not in 4.4).

Try "sh netstart " to see proper error messages.


Kind regards,
--Toni++
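As an added check for the overlapping-networks case in this reply (not code from the thread), a POSIX shell function that reports any pair of overlapping IPv4 prefixes in a list of interface addresses, the `10.10.0.0/16` against `10.10.10.0/24` situation the post describes. Run it with the addresses of both CARP peers before bringing the carp interfaces up; interface names in the sample are assumed.

```sh
#!/bin/sh
# Added example, not from the thread: find overlapping IPv4 prefixes among
# the interface addresses of a firewall, the situation the post describes
# (10.10.0.0/16 on one interface, 10.10.10.0/24 on another) that CARP is
# said not to cope with. Pure POSIX sh arithmetic; no external tools.

# ip4_to_int a.b.c.d -> prints the address as an integer; returns 1 if malformed
ip4_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/n B/m -> returns 0 if the two prefixes share any address
cidr_overlaps() {
    _a=$(ip4_to_int "${1%/*}") || return 2
    _b=$(ip4_to_int "${2%/*}") || return 2
    _la=${1#*/} _lb=${2#*/}
    # two prefixes overlap iff they agree under the shorter of the two masks
    _len=$_la; [ "$_lb" -lt "$_len" ] && _len=$_lb
    [ "$_len" -eq 0 ] && return 0
    _mask=$(( (0xFFFFFFFF << (32 - _len)) & 0xFFFFFFFF ))
    [ $(( _a & _mask )) -eq $(( _b & _mask )) ]
}

# overlapping_prefixes "IF PREFIX" ... -> prints one line per overlapping pair
overlapping_prefixes() {
    _count=0
    for _x; do
        _count=$((_count + 1))
        _i=0
        for _y; do
            _i=$((_i + 1))
            [ "$_i" -le "$_count" ] && continue    # each pair once, no self-compare
            if cidr_overlaps "${_x#* }" "${_y#* }"; then
                echo "${_x%% *} ${_x#* } overlaps ${_y%% *} ${_y#* }"
            fi
        done
    done
}

# Constructed sample, assumed interface names.
overlapping_prefixes 'em0 10.10.0.0/16' 'em1 10.10.10.0/24' 'em2 192.168.1.0/24'
```

The sample prints `em0 10.10.0.0/16 overlaps em1 10.10.10.0/24` and nothing for `em2`. The list can be fed from `ifconfig` output of both peers (prefixing each entry with the peer's hostname) so that an overlap that only exists across the pair is caught too.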



Re: OpenLDAP w/o bdb okay?

2009-01-07 Thread Toni Mueller
On Tue, 06.01.2009 at 06:27:17 -0500, ppruett-lists  wrote:
> Actually a lot of Linux users suggest using mysql for the non relational
> authentication tables


> ;)


I knew you've got to be kidding!


-- 
Kind regards,
--Toni++



Re: OpenLDAP w/o bdb okay?

2009-01-07 Thread Toni Mueller
Hi,

On Tue, 06.01.2009 at 14:42:09 +0100, Henning Brauer  
wrote:
> * Toni Mueller  [2009-01-06 12:25]:
> > This pattern comes up often, but almost noone suggests an alternative
> > LDAP server package.
> I am not aware of any. Lack of options doesn't make openldap better.

agreed, but it makes bashing openldap sort of futile.


-- 
Kind regards,
--Toni++



Re: Release IP-adress OpenBSD 3.8

2009-01-14 Thread Toni Mueller
Hi,

On Thu, 08.01.2009 at 08:50:57 +0100, Maurice Janssen  wrote:
> There's another option: change the MAC address of the new card to match
> the old card's MAC address.  Something like this in your hostname.if:
> dhcp NONE NONE NONE lladdr aa:bb:cc:dd:ee:ff

this obviously "only" works for the OpenBSD side of things, not
necessarily for the other machines he mentioned, and if he'd be
switching legs, he'd have to shuffle around several MACs per try
(obviously).


Kind regards,
--Toni++



Re: Virtualization, OpenBSD as host

2009-01-17 Thread Toni Mueller
On Fri, 16.01.2009 at 14:42:05 -0500, Nick Guenther  wrote:
> Out of curiosity, what are you doing in Java that needs Windows?

Maybe writing Java apps that use specific Windows APIs (at least
"optionally")? I'm guessing that you don't get these in non-Windows builds
of Java...


Kind regards,
--Toni++



OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)

2009-01-25 Thread Toni Mueller
Hi,

On Fri, 23.01.2009 at 21:28:34 +, Dieter  
wrote:
> Recovering from Seagate's problematic 7200.11 firmware.


first off, several other product lines are affected, too. In
particular, the popular ES and ES.2 "server grade" disks are also
affected, to the best of my knowledge. Seagate only admits to problems
with ES.2 drives, not ES drives, though.


> Seagate's response has been less than wonderful.  We need
> a FLOSS solution.

Right.

> We need for this to work with any flavor of Unix,

We need to do this from within a running system.

> We need for this to work on one drive without affecting
> other drives.

My first idea is that smartmontools probably provide much of the
required framework already, and could possibly be extended to work with
this situation, too.

> If Maxtorman is correct, then once the drive has been operating awhile,

Seagate sent me the following link

http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=207931

which imho contributes to the impression of a less-than-stellar
response by stating "Based on the low risk as determined by an analysis
of actual field return data, Seagate believes that the affected drives
can be used as is." (current as of _now_).

> that works properly.  Since Seagate's solution will require attaching
> the drive to an x86 system and booting a FreeDOS ISO from CD, if the log
> is at 320 that boot will brick the drive.

As far as I understood, the firmware has a sort of a boot loader which
reads the actual firmware from the drive, and also writes new firmware
to the drive. This leads me to suspect that writing a modified boot
loader firmware which does not contain such log entry reading or
writing, could bypass the 'brickedness' caused by the broken firmware
which is actually on the platters (ie, which is what the boot loader
needs to load to begin with). So, if a modified boot loader would eg.
abstain from loading the firmware on the drive, the corruption of said
firmware on the drive would not occur, thus not blocking the remainder
of the hardware. However, if, and how, such a new boot loader could be
placed into the ???ROMs of the drive, I really don't know.

> Once Seagate releases working firmware, we want to be able to install
> it from Unix, on any CPU arch.  Seagate's release can only install
> on x86 using FreeDOS.

-> smartmontools come to mind.

>   Is Maxtorman correct about the 320 log entries?

My dealer told me a similar story, but I don't know where he had it
from.



Kind regards,
--Toni++



Re: Altq doesn't works as I expect on OpenBSd 4.4

2009-01-25 Thread Toni Mueller
Hi,

On Thu, 20.11.2008 at 17:08:31 +, Stuart Henderson  
wrote:
> also note you can queue the _inbound_ packets, which will associate
> a queue with the state table entry, then the queue of this name will
> be used when those packets are sent _out_.

this sounds like it fills a gap in the man page, imho.

> many of the views from pftop are also available in systat
> (in the base OS) these days.
> 
> see "systat queues", "systat rules", "systat pf" etc.

"systat queues" does not work if you're not root, but otherwise, it
fills a gap, too.


Thank you!


Kind regards,
--Toni++



Re: OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)

2009-01-26 Thread Toni Mueller
Hi,

On Sun, 25.01.2009 at 16:27:14 +, Dieter  
wrote:
> I wrote:
> > You wrote:
> > >   Is Maxtorman correct about the 320 log entries?
> > My dealer told me a similar story, but I don't know where he had it
> > from.
> 
> I guess the next step is to find out if Maxtorman is correct about this
> 320 log entries stuff, and if the SMART log entries as reported by
> smartmontools is the log to worry about, or if there is some other log.

I don't have an account on /., and also feel incapable of actually
working on this problem, but someone who has and can, could probably
try to nag maxtorman about improving smartmontools to the point that
they do the right thing, or try to get him to connect one to somebody
else who can verify the issue and/or provide more technical details.

If he can find a way to almost-anonymously post to /., he might be able
to give some hints to the smartmontools guys, too. Then, we only need
them to integrate everything and make a new release.

Personally, I'd say that it'd be best if Seagate themselves would grab
the opportunity to partially make good on the issue, but I heavily
doubt that they "understand", or want to understand, what's it about
with FLOSS.


Kind regards,
--Toni++



Re: Dealing with Seagate's problematic 7200.11 firmware.

2009-01-27 Thread Toni Mueller
Hi,

On Mon, 26.01.2009 at 15:39:36 +0100, Raimo Niskanen 
 wrote:
> How can I know if I have a suspicious drive?

you won't, imho, until Seagate will deliver usable data on this issue.
Their statements so far were a long way from being trust-inspiring,
imho.

My best bet is currently to wait for a definite statement of my dealer,
who also carries the burden of providing warranty to me (so I hope
he'll think twice before saying something he doesn't at least believe).


In the meantime, I've opted to not power down or reboot any machine
as long as I have definite answers, which turns out to be quite a
nuisance!



-- 
Kind regards,
--Toni++



Re: OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)

2009-01-27 Thread Toni Mueller
Hi,

On Mon, 26.01.2009 at 17:08:51 +, Dieter  
wrote:
> It is easy to set up a slashdot account.  Or you can post as "anonymous
> coward".

yes, but I don't want to set up a /. account right now, and posting as
AC wouldn't likely solve the problem.

> that he has another slashdot account that isn't anonymous.  Problem I
> have is I can't find a way to send him a PM (private message).  Most web

This is exactly the point.

> forums have a facility for sending other users a PM.  We can post a reply
> to the thread, but he would have to read the thread again to see it.
> Any slashdot wizards out there have an idea?

Post to the thread and offer one's own email address (maybe
time-limited or so), and hope for the best... not exactly a silver
bullet, but maybe better than nothing.

> It isn't even just FLOSS.  Any non-x86 machine is out of luck.
> Proprietary Unix is out of luck.  Anything embedded is out of luck.
> Even Mac is probably out of luck.  And if the reboot to run the
> firmware installer bricks the drive(s) even wintel is out of luck.

Yes, and smartmontools claims to run on all platforms you mentioned
(except MAC OS 9). Ie, they even run on Windows and/or together with
Cygwin. Therefore, I think that this is a strategic point from where
the problem could be solved for a really broad range of systems, and in
one go.

> I don't understand the common corporate policy of keeping everything
> secret.  All they are doing is hurting their previously loyal customers.
> It didn't used to be this way.

Oh... over here, we have a saying: "Sea gate, oder sie geht net."
(meaning: "it works, or it doesn't" - it's a pun on the pronunciation
of "Seagate"). Yes, many people, me included, thought they had
reformed...

> Supposedly there was a broken test machine that didn't zero out some
> special area after writing a test pattern.  So only drives that were
> tested on that machine are at risk.

I'd like to not speculate about the cause of the problem any longer,
but instead devise a plan to acquire the required knowledge to beef up
smartmontools to solve the problem. I could only believe such claims
about the causes, but presently, Seagate destroyed about as much
trust as they possibly could, at least with me. So, except for the
hard-core technical data, they're out of the loop as far as I'm
concerned.

> If we can find out what area
> this is (I assume it isn't in the normal space used for user storage)
> and how to zero it (if not already zero) there is no need to update
> the firmware.

I'd rather say that the (ring) buffer has some external counter, also
stored somewhere, which needs to be adjusted. I'd not bet that simply
zeroing the area(s) will do.

> Good question.  Seagate has some web page that supposedly will tell you,
> but of course it is broken and doesn't work with all browsers.

At some time, they had a page where you could enter your model and
serial number, but reportedly this page delivered a lot of false
positives and false negatives. After deciding that the results were
far too unreliable, the page was pulled.

> Toni reports that ES and ES.2 may be affected.

This I took from a Seagate web page. Stuart Henderson has posted the
link, and I had the same link in my email which I received from
Seagate, so, I'd say, the link is "genuine" (despite the contents of
the page being almost worthless, imho).

> From what I've read it sounds like the counter must be exactly 320 AND some
> location must have a test pattern rather than zero when you init (power up
> or reboot) the drive.  From Maxtorman's description, the log is circular,
> so it will eventually wrap around to 320 again.

My dealer, who claimed that he also had information directly from
Seagate, told me that the buffer was 256 entries long (makes a lot of
sense, imho), but nevermind. "We" need hard facts, preferably in the
form of photocopies of internal design papers or so, not speculations.

> So keeping the counter away from 320 is an okay short term workaround,

This would require periodically checking the log position and eg.
resetting it to zero at shutdown, to be on the safe side.

> but long term we want to either zero out the magic location or update the
> firmware.

We want to have updated firmware and the ability to update firmware for
"all" drives, also from other manufacturers. Updating firmware for a
drive shouldn't be any more complicated or risky than updating the BIOS
on the motherboard.

> There is supposed to be some document that explains all this,
> with enough details to create a fix.  If anyone finds this
> document I need a copy please.

Me too!

> If you have one or more of the suspect drives, if it running,
> try to keep it running and don't reboot.  If it is powered down
> leave it powered down if possible until this all gets sorted out.

Yes... but that still doesn't help you in the face of a system's crash.
What to do then? No need to answer this one...


-- 
Kind regards,
--Toni++



Re: OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)

2009-01-27 Thread Toni Mueller
Hi,

On Mon, 26.01.2009 at 17:08:51 +, Dieter  
wrote:
> Your suggestion of smartmontools is helpful, thank you.

thanks - I have just sent an email to them, esp. after seeing that
there are people from big name companies involved, who could procure
at least some of the required documentation inhouse.


-- 
Kind regards,
--Toni++



Re: OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)

2009-01-28 Thread Toni Mueller
Hi,

On Tue, 27.01.2009 at 21:37:28 +, Dieter  
wrote:
> Toni writes:
> > positives and false negatives. After deciding that the results were
> > far too unreliable, the page was pulled.
> 
> That too.  For one thing people were entering the serial numbers
> using lower case letters and getting false negatives.

this is a joke, right?

> There is a reason I want to look into zeroing out the magic area as
> an alternative to risking updating the firmware.  :-(

Understood... I'm looking for a different vendor, too. :-|

> the power fails.  So not a great workaround, but better than nothing,

Right.

> As I understand it, updating the firmware on some mainboards IS risky.

It may well be that some combinations don't work, but at some point,
I'd say that this should fall into the category of "you get what you
pay for". IOW, I can't imagine that doing this kind of stuff right
would cost more than, say, $1 for a drive, and $5 for a motherboard,
and I think that everyone should be prepared to add, say, $50 to a
small server to get these things, ie, (much) less broken designs, imho.
But the bigger problem is that currently there appears to be no way to
add $50, or even $500, to a server, to get these things right because
there seems to be no vendor who offers such stuff.

> > > There is supposed to be some document that explains all this,
> > > with enough details to create a fix.  If anyone finds this
> > > document I need a copy please.
> > 
> > Me too!
> 
> Sounds like you are on good terms with your dealer.  Can your dealer get
> you a copy?

LOL. I can ask him, but don't expect too much...


Kind regards,
--Toni++



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2009-01-29 Thread Toni Mueller
Hi,

On Sat, 10.01.2009 at 12:11:03 -0600, tico  wrote:
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bgpd/rde.c

looking at CVS, it seems that multiple patches are needed, right?

And we get the joy of threading them together ourselves, understanding
OpenBGPd's code in the process... maybe.


Kind regards,
--Toni++



Re: pf: how to set per-rule options?

2009-01-29 Thread Toni Mueller
Hi Henning,

On Mon, 22.12.2008 at 21:41:18 +0100, Henning Brauer  
wrote:
> scrub in $somewhere from $foo to $bar max-mss 1400
> 
> is perfectly valid.

thanks for the example!


-- 
Kind regards,
--Toni++



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2009-01-29 Thread Toni Mueller
Hi,

On Thu, 29.01.2009 at 14:47:30 +0100, Toni Mueller  
wrote:
> And we get the joy of threading them together ourselves, understanding
> OpenBGPd's code in the process... maybe.

can I just "plug in" a bgpd from -current into a 4.4, or preferably 4.3
system, assuming that I compile the code from source? Or did any kernel
structures or system calls change that would cause problems?

Overall, the code from -current looks like having been much improved,
but unfortunately, just swapping out the box is currently not an
attractive option (despite having capable standby hardware).

TIA!

-- 
Kind regards,
--Toni++



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2009-01-29 Thread Toni Mueller
Hi Stuart,

On Thu, 29.01.2009 at 16:52:55 +, Stuart Henderson  
wrote:
> This should work, but I run -current everywhere, I have no 4.4 boxes
> to test it on.

thanks! I'll try that first, although I hoped to also bag the other
improvements while I'm at it.

> Incidentally this looks like the same approach suggested by the
> draft RFC4893bis

I should dig this one up. In any case, the patch looks much like the
minimal patch that Claudio floated on the list in December. Can someone
please promote it to "errata"?


-- 
Kind regards,
--Toni++



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2009-01-29 Thread Toni Mueller
Hi Claudio,

On Thu, 29.01.2009 at 17:13:32 +0100, Claudio Jeker  
wrote:
> Will most probably not work. The -current bgpd has a reworked kroute.c
> that needs a -current kernel.

thanks for confirming my doubts. Now I can try to find out whether the
changes in kroute.c are sufficiently isolated from the rest...

Btw, I've just rebuilt bgpd with code tagged OPENBSD_4_3_BASE, but the
checksum is different from that in the distribution. The difference
shown with "cmp -l" is way too large to be just a different timestamp
and/or what(1) info. Now I'm a bit scared...


-- 
Kind regards,
--Toni++



altq problem: how to correctly "borrow" in hfsc?

2009-01-30 Thread Toni Mueller
Hi,

I'd like to have both the most bandwidth and the most throughput for
"fast", if traffic classified as eligible for "fast" needs to be
transferred, and otherwise most of the bandwidth available for "slow",
but leaving 100Kb free for "fast" at any one time, and, preferably,
also leaving a bit of free capacity for "slow", and for some other
tasks, open, at any one time. Eg, I'd like to reserve 10% for 'fast',
and 5% each for all other tasks which can't be assigned to any other
queues, but share the rest according to priority and demand.



I have a topology like this:

  netA gwA --- Internet  gwB netB


On gwA I configured altq like this:

altq on $ext_if bandwidth 1800Kb qlimit 2500 hfsc (linkshare 1800Kb upperlimit 1800Kb) queue { otheroffice, some other queues }

queue otheroffice priority 5 bandwidth 970Kb qlimit 500 hfsc (linkshare 970Kb upperlimit 970Kb) { fast, slow }
queue fast priority 7 bandwidth 20% qlimit 500 hfsc (realtime 100Kb upperlimit 50%)
queue slow priority 6 bandwidth 10% qlimit 500 hfsc (upperlimit 80%)


This results in traffic in the "slow" queue being limited to 97000 bits
per second, which is _awfully_ slow. But when I read the queue
definition of "slow", it says that the queue should be able to use up
to 80% of 970Kb (= 776Kb), only that it doesn't.


Any ideas, please?


Kind regards,
--Toni++



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2009-01-30 Thread Toni Mueller
Hi,

On Fri, 30.01.2009 at 04:08:34 -0800, OpenBSD User 
 wrote:
> Just to add my vote.
> 
> I'm with Claudio on this one.

me too.

> Validate the input yes, but don't tamper with what's
> not yours   

After reading the thread on idr, I'm under the impression that the
suggested "fix" is there to cope with a bug in some versions of JunOS.
Some people don't seem to have any interest in standardized
interoperation, it seems. It seems to be just too convenient for the
big guys to strongarm their way into the standards, at the expense of
at least everyone else.


Kind regards,
--Toni++



Re: altq problem: how to correctly "borrow" in hfsc?

2009-01-30 Thread Toni Mueller
On Fri, 30.01.2009 at 13:51:23 +0100, Toni Mueller  
wrote:
> altq on $ext_if  bandwidth 1800Kb qlimit 2500 hfsc (linkshare 1800Kb 
> upperlimit 1800Kb) queue { otheroffice, some other queues }
> 
> queue otheroffice priority 5 bandwidth 970Kb qlimit 500 hfsc (linkshare 970Kb 
> upperlimit 970Kb) { fast, slow }
> queue fast priority 7 bandwidth 20% qlimit 500 hfsc (realtime 100Kb 
> upperlimit 50%)
> queue slow priority 6 bandwidth 10% qlimit 500 hfsc (upperlimit 80%)
> 
> 
> This results in traffic in the "slow" queue being limited to 97000 bits
> per second, which is _awfully_ slow. But when I read the queue
> definition of "slow", it says that the queue should be able to use up
> to 80% of 970Kb (= 776Kb), only that it doesn't.

I forgot to say:

If I leave off the 'bandwidth' options from the sub-queues, I get
errors about exceeding the parent's bandwidth.


This is on OpenBSD 4.4.


-- 
Kind regards,
--Toni++



Re: Backup strategies

2009-02-01 Thread Toni Mueller
Hi,

On Sat, 31.01.2009 at 14:04:32 +, Dieter  
wrote:
> ISO files have a 2 GB filesize limit, so large files don't fit.

are you sure?

I can fetch files that are well over 4GB and burn them on DVD. These
files are called "ISO" files, but I don't know exactly what's inside
of these files. Sample file:

> ftp://ftp.gwdg.de/linux/knoppix/dvd/KNOPPIX_V5.3.1DVD-2008-03-26-EN.iso

(4342594 KB)

I never tried to burn a CD or DVD under OpenBSD, though.

> Backing up the big stuff is problematic.

Right.


Kind regards,
--Toni++



Re: Backup strategies

2009-02-01 Thread Toni Mueller
On Sun, 01.02.2009 at 13:01:52 +, Matthew Szudzik  
wrote:
> See
>  
> http://en.wikipedia.org/wiki/ISO_9660#The_4_GiB_.28or_2_GiB_depending_on_implementation.29_file_size_limit

Thanks for the heads-up, but

> Some operating systems can handle files up to 4GB on an ISO 9660
> filesystem, and other operating systems can handle more than 4GB.  But
> if you want your ISO 9660 filesystem to be fully portable, you should
> stick to the 2GB limit.

if I'm not mistaken, quite a bit of software today comes on DVDs,
crammed to the brim. So I wonder whether the standard has been
extended, whether there's a convention about how to deal with larger
files, or whether it's sheer accident that it works.

Besides, having media types that can't be fully utilized is neither
useful nor acceptable, imho, but the solution can't be "make only
smaller media".


Kind regards,
--Toni++
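The "4 GiB or 2 GiB depending on implementation" limit quoted above comes straight from the on-disc format: in an ISO 9660 (ECMA-119) directory record the "Data Length" of an extent is a 32-bit both-byte-order field, so one record can never describe more than 4 GiB - 1 bytes, and a reader that stores that value in a signed 32-bit integer breaks at 2 GiB. The convention for larger files is the multi-extent flag (file-flags bit 7): the file is described by several consecutive directory records and the reader sums them. The following is an added example, not part of the original thread; it builds constructed directory records (not taken from any real disc), parses them back, sums the extents per file, and shows what a signed-32 reader would see for the first extent.

```python
"""ISO 9660 directory records: the 4 GiB / 2 GiB extent limit and multi-extent files."""
import struct

MULTI_EXTENT = 0x80           # file-flags bit 7: another record for this file follows
SECTOR = 2048                 # ISO 9660 logical block size
MAX_EXTENT_BYTES = 2**32 - 1  # "Data Length" is a 32-bit field per directory record


def _both_endian32(field: bytes) -> int:
    """Decode an 8-byte both-byte-order field (LE copy followed by BE copy)."""
    le = struct.unpack("<I", field[:4])[0]
    be = struct.unpack(">I", field[4:])[0]
    if le != be:
        raise ValueError(f"both-endian mismatch: {le} != {be}")
    return le


def _encode_both_endian32(value: int) -> bytes:
    return struct.pack("<I", value) + struct.pack(">I", value)


def build_record(name: str, extent_lba: int, data_len: int, flags: int = 0) -> bytes:
    """Build a constructed ECMA-119 directory record (test data, not from a real disc)."""
    if not 0 <= data_len <= MAX_EXTENT_BYTES:
        raise ValueError("one ISO 9660 extent cannot describe more than 4 GiB - 1")
    ident = name.encode("ascii")
    rec = bytearray()
    rec += b"\x00"                            # BP1  record length, patched below
    rec += b"\x00"                            # BP2  extended attribute record length
    rec += _encode_both_endian32(extent_lba)  # BP3-10  location of extent
    rec += _encode_both_endian32(data_len)    # BP11-18 data length (the 32-bit cap)
    rec += bytes(7)                           # BP19-25 recording date/time (zeroed)
    rec += bytes([flags])                     # BP26 file flags
    rec += b"\x00\x00"                        # BP27-28 file unit size, interleave gap
    rec += struct.pack("<H", 1) + struct.pack(">H", 1)  # BP29-32 volume sequence number
    rec += bytes([len(ident)]) + ident        # BP33 identifier length, then identifier
    if len(ident) % 2 == 0:
        rec += b"\x00"                        # padding byte keeps the record even-length
    rec[0] = len(rec)
    return bytes(rec)


def parse_record(buf: bytes, offset: int) -> dict:
    """Parse one directory record starting at offset."""
    rec_len = buf[offset]
    rec = buf[offset:offset + rec_len]
    if rec_len < 34 or len(rec) != rec_len:
        raise ValueError("truncated directory record")
    name_len = rec[32]
    return {
        "name": rec[33:33 + name_len].decode("ascii"),
        "extent_lba": _both_endian32(rec[2:10]),
        "data_len": _both_endian32(rec[10:18]),
        "multi_extent": bool(rec[25] & MULTI_EXTENT),
    }


def file_sizes(directory: bytes) -> dict:
    """Sum the extents of each file; records are walked until a zero length byte."""
    sizes, offset = {}, 0
    while offset < len(directory) and directory[offset] != 0:
        rec = parse_record(directory, offset)
        sizes[rec["name"]] = sizes.get(rec["name"], 0) + rec["data_len"]
        offset += directory[offset]
    return sizes


def as_signed32(data_len: int) -> int:
    """What a reader that keeps Data Length in a signed 32-bit int would see."""
    return data_len - 2**32 if data_len >= 2**31 else data_len


# Constructed directory: one file larger than 4 GiB split over two extents,
# plus one small file. LBAs and names are made up for the example.
DIRECTORY = (
    build_record("BIG.ISO;1", 24, 0xFFFFF800, MULTI_EXTENT)            # 4 GiB - 2048 bytes
    + build_record("BIG.ISO;1", 24 + 0xFFFFF800 // SECTOR, 1 << 20)   # final 1 MiB extent
    + build_record("README.TXT;1", 0x300000, 1234)
    + b"\x00"
)

if __name__ == "__main__":
    for name, size in file_sizes(DIRECTORY).items():
        print(f"{name}: {size} bytes")
    print("first extent as seen by a signed-32 reader:", as_signed32(0xFFFFF800))
```

A single extent of 4294965248 bytes is read back as -2048 by a signed-32 implementation, which is the 2 GiB boundary Wikipedia refers to; the file itself totals 4296013824 bytes because the parser adds the second extent. Whether a given burner emits multi-extent records and a given OS sums them is exactly the portability question in the thread.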



Re: Backup strategies

2009-02-01 Thread Toni Mueller
Hi,

On Sun, 01.02.2009 at 18:34:31 +0100, Pierre Riteau  
wrote:
> You seem to be mistaken.

yes. Thanks to all of you, and note to self: Don't post when
tired and distracted...


Kind regards,
--Toni++



STM-1 connectivity (OT?)

2009-02-20 Thread Toni Mueller
Hi,

I'm looking into ways to handle STM-1 connections. I dimly remember
that there were Marconi cards, that were supported, but can't find them
anymore. What would be the recommended method these days to terminate
STM-1 circuits, possibly on an OpenBSD based router, please?

What alternatives do you suggest?


TIA!


Kind regards,
--Toni++



Re: request for package: Distributed Checksum Clearinghouses (DCC)

2009-02-20 Thread Toni Mueller
Hi,

On Thu, 19.02.2009 at 20:55:09 -0500, Juan Miscaro  wrote:
> Are there any plans to package DCC for anti-spam gateways?  Thanks.

"once upon a time" I converted the Debian package for pyzor to OpenBSD,
which is tedious, but otherwise rather straightforward. It never
hit the ports tree, though. If there is demand, I can probably put it
online (again).


Kind regards,
--Toni++



Re: OpenBSD AMD64 4.4 install hangs at boot (softraid0 at root) on Intel Q9550, 8GB RAM, 1TB WD

2009-02-20 Thread Toni Mueller
Hi,

On Fri, 20.02.2009 at 00:24:28 -0500, David Heinrich  wrote:
> sd0 - sd3 are because of my CF card reader. However, I don't want to
> install the latest beta-versin of OpenBSD;

those of us who have hardware that is not, or not well supported by the
release version of OpenBSD, get to check out the latest and greatest in
OpenBSD to see if it works better. It's also part of what we usually
can, and generally should, contribute back to the project, imho.

The alternative is to try to work around the problem somehow, e.g. by
reconfiguring the hardware (e.g. less memory, different nics, whatever).

I suggest that you go with the 'beta'.


Kind regards,
--Toni++



Re: STM-1 connectivity (OT?)

2009-02-20 Thread Toni Mueller
Hi,

On Fri, 20.02.2009 at 11:49:19 -0600, tico  wrote:
> Toni Mueller wrote:
>> I'm looking into ways to handle STM-1 connections. I dimly remember
>> that there were Marconi cards, that were supported, but can't find them
>> anymore. What would be the recommended method these days to terminate
>> STM-1 circuits, possibly on an OpenBSD based router, please?
>>   
> I don't ever remember hearing about a (OpenBSD-supported) PCI card that  
> would handle an STM-1 -- there are a couple that will handle T1/E1, but  
> I believe that the "biggest" TDM circuit that OpenBSD can terminate  
> directly is perhaps a DS3, via a lmc(4) card, though I have yet to  
> find/use one myself.

in hindsight, I may have confused support in FreeBSD with support in
OpenBSD for an STM-1 ATM card, a few years ago. Sorry.

> You can find a number of vendors that supply DS3-to-100BaseT or  
> STM1-to-GigE media converter,

STM-1-offerings seem to be much less frequent than DS3-offerings.

> but you have to run in them in pairs on  both ends of your
> point-to-point circuit of course.

For DS3, that would be true, but I've been told that this would not be
true for STM-1 circuits.

> If you're getting a  transit from an upstream provider you're screwed
> unless the provider  will deliver ethernet to you (which is
> increasingly the case, since TDM  circuits are super expensive per
> megabit compared to [metro-] ethernet).

Perceived cost is one of the reasons why I'm looking into operating an
STM-1 circuit instead of a Fast-Ethernet Circuit. But I don't have hard
numbers yet.

> If you go with the "media converter on both ends" option, be sure to  
> find one that drops the link on the ethernet side when the STM1 side  
> goes down, and vice versa, so your routing protocols can take  
> appropriate action and not continue to blackhole traffic during outages.

Right. That's another issue with the Ethernet I currently have: It does
_not_ drop link when the fibre goes down. There is even no ETA as to
when this will be fixed - the carrier only talked about "wait for a fix
from , but don't know when it will be available".

> Imagestream (proprietary+linux based) works for a good+cheap solution  
> that can talk iBGP to your other ethernet-only routers. Or just get a  
> used Juniper/Crisco/whatever. See also Sangoma's Wanpipe offerings  
> (FreeBSD/linux).

Thanks for your advice, but I want a "solution" centered around
OpenBSD. I've been burned by vendor lock-in often enough to try hard to
avoid doing it again. FWIW, I've talked to Imagestream a few years ago,
and was really not impressed with their offering, in several respects.


Kind regards,
--Toni++



Re: NAT, Firewall & pf

2009-02-24 Thread Toni Mueller
Hi,

On Mon, 23.02.2009 at 17:58:20 -0800, Hilco Wijbenga  
wrote:
> c. How can I get pflog to flush immediately? I noticed I have to wait
> a minute or so before logged lines show up.

you don't need to. Listen on pflog0 instead.


Kind regards,
--Toni++



IPSEC: certificate ignored

2009-03-06 Thread Toni Mueller
Hi,

I'm trying to get a VPN connection to work which should actually be a
no-brainer (and I have quite similar things out there, for years):


 network 1
|
 Linux w/ isakmpd ("u...@road-warrior")
|
|
 Internet
|
|
 OpenBSD w/ isakmpd ("office-router")
|
 network 2


Authentication should be done with X.509 certificates. I have my small
CA that issues these certificates. On startup, OpenBSD reads all
required certificates from /etc/isakmpd/{certs,ca} plus its key from
/etc/isakmpd/private just fine (I double-checked using openssl and
grep), but when it comes to checking the client's incoming cert, it goes
like this:


223644.842092 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//u...@road-warrior/credentials"
223644.842516 Default get_raw_key_from_file: monitor_fopen ("/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior", "r") failed: Permission denied
223644.842707 Default rsa_sig_decode_hash: no public key found
223644.842903 Default dropped message from 1.2.3.4 port 500 due to notification type INVALID_ID_INFORMATION


In isakmpd.policy(5), I read:
"When X509-based authentication is performed in Main Mode, any X509
 certificates received from the remote IKE daemon are converted to very
 simple KeyNote credentials.  The conversion is straightforward: the
 issuer of the X509 certificate becomes the Authorizer of the KeyNote
 credential, the subject becomes the only Licensees entry, while the
 Conditions field simply asserts that the credential is only valid for
 "IPsec policy" use (see the app_domain action attribute below)."


Please note that the Linux box can identify the OpenBSD box just fine,
too. It's only that the OpenBSD box (various 4.5 snapshots, actually,
the latest being "4.5 GENERIC.MP#63 i386" of Feb 10th, don't seem to do
this conversion of certificates to credentials anymore, or I'm making
some stupid mistake that I'm too blind to see.

Any help is much appreciated!


-- 
Kind regards,
--Toni++



Re: IPSEC: certificate ignored

2009-03-09 Thread Toni Mueller
Hi,

thanks to Mitja and you for answering.

On Sat, 07.03.2009 at 19:28:09 +0100, Heinrich Rebehn 
 wrote:
> On 06.03.2009 at 22:56, Toni Mueller wrote:
>> 223644.842092 Plcy 30 keynote_cert_obtain: failed to open "/etc/ 
>> isakmpd/keynote//u...@road-warrior/credentials"
>> 223644.842516 Default get_raw_key_from_file: monitor_fopen ("/etc/ 
>> isakmpd/pubkeys//ufqdn/u...@road-warrior", "r") failed: Permission  
>> denied
>
> ?? Permission denied? Could this be the problem?

No, it couldn't. These files don't exist.

I was able to find my own errors so far, as that now the correct
certificate gets used. This is what I have, and had, for several years
now. The problem was a missing semicolon in isakmpd.policy.

I still get "no policy" errors while in state "INFO encrypted", which
are imho hard to debug. If anyone has tips to share, I'd be very
grateful.

What I want to achieve (from my isakmpd.policy):

Conditions: app_domain == "IPsec policy"
&& esp_present == "yes"
&& esp_enc_alg == "aes"
&& phase_1 == "main"
&& phase1_group_desc == "5"
&& esp_encapsulation == "tunnel"
&& ah_present == "no"
&& esp_auth_alg == "hmac-sha2-512"
&& esp_key_length == "256"
&& pfs == "yes"
&& some-checks-on-the-remote-ids -> "true";

But I don't know if Linux supports them all. OpenBSD <-> OpenBSD worked
just fine...


Kind regards,
--Toni++



raidframe and hotplugd on 4.4

2009-03-16 Thread Toni Mueller
Hi,

while trying to "repair" a 4.4 machine, I recently added two SATA disks
to the two SATA disks already there (dmesg below), which were only
detected after reboot, contrary to my expectations. The first thing to
note after reboot was that the formerly second disk (wd1) has now
become wd2, although the physical arrangement looks like this (1U):

front view:

(left side) | disk1  disk2  disk3  disk4 | (right side)

In the process, I found out that there is hotplugd, but hotplugd didn't
find the disks also before I rebooted the machine.

The next issue is that hotplugd logs this immediately after pushing out
a few initial "attach xxx" messages:

...  hotplugd[7128]: waitpid: Error 10

I didn't yet find out what that means.

Last but not least, when I wanted to configure a RAIDFRAME type raid on
the two new disks, it said:

  /bsd: Hosed component: /dev/wd3d

and:

  /bsd: raid1: Ignoring /dev/wd3d.


When I unconfigured the raid and tried again, literally using the same
commands from the shell's history, I got no such error message.

The kernel used is a custom kernel which is GENERIC.MP with RAIDFRAME
enabled.


Kind regards,
--Toni++

OpenBSD 4.4-stable (GENERIC.MPR) #0: Mon Dec 15 14:29:41 CET 2008
r...@localhost:/usr/src/sys/arch/amd64/compile/GENERIC.MPR
real mem = 3474718720 (3313MB)
avail mem = 3371180032 (3215MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcff66000 (52 entries)
bios0: vendor Phoenix Technologies LTD version "1.2" date 11/04/2008
bios0: Supermicro X7DWU
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP _MAR TCPA APIC MCFG HPET BOOT SPCR ERST HEST BERT EINJ SLIC SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices P0P1(S5) BPD0(S5) BPD1(S5) P0P5(S5) P0P7(S5) P0P9(S5) PEX0(S5) USB1(S5) USB2(S5) USB3(S5) EUSB(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) COM2(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.38 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 333MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.09 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu1: 6MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.09 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu2: 6MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.09 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu3: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 4 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 5 pa 0xfec89000, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 1 (P0P1)
acpiprt1 at acpi0: bus 2 (P0P3)
acpiprt2 at acpi0: bus 3 (BMF0)
acpiprt3 at acpi0: bus 4 (BPD0)
acpiprt4 at acpi0: bus -1 (BPD1)
acpiprt5 at acpi0: bus 6 (P0P5)
acpiprt6 at acpi0: bus 7 (P0P7)
acpiprt7 at acpi0: bus 8 (P0P9)
acpiprt8 at acpi0: bus 0 (PCI0)
acpiprt9 at acpi0: bus -1 (PEX0)
acpiprt10 at acpi0: bus 9 (PCIB)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
cpu0: unknown i686 model 7, can't get bus clockcpu0: EST: unknown system bus clock
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x4003 rev 0x20
ppb0 at pci0 dev 1 function 0 "Intel E4500 PCIE" rev 0x20: apic 5 int 0 (irq 11)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 "Intel E4500 PCIE" rev 0x20
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci2 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 5 function 0 "Intel E4500 PCIE" rev 0x20: apic 5 int 4 (irq 11)
pci6 at ppb5 bus 6
em0 at pci6 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 5 int 4 (irq 11), address 00:15:17:95:07:62
em1 at pci6 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 5 int 12 (irq 11), address 00:15:17:95:07:63
ppb6 at pci0 dev 7 function 0 "Intel E4500 PCIE" rev 0x20: apic 5 int 6 (irq 11)
pci7 at ppb6 bus 7
ppb7 at pci0 dev 9 function 0 "Intel E4500 PCIE" rev 0x20: apic 5 int 8 (irq 1

Re: raidframe and hotplugd on 4.4

2009-03-17 Thread Toni Mueller
Hi,

On Tue, 17.03.2009 at 00:16:20 -0700, Philip Guenther  
wrote:
> On Mon, Mar 16, 2009 at 4:46 AM, Toni Mueller  wrote:
> > ...  hotplugd[7128]: waitpid: Error 10
> > I didn't yet find out what that means.
> 
> Hmm, 10 == ECHILD.

ok.

> After you see that, do the attach or detach scripts show in the output
> of "ps xauww"?  If so, what does it show for them?

I see no traces of these scripts in the 'ps' output, and also nothing
in the way of command line mangling of hotplugd, like eg. sendmail
does.

The scripts themselves run fine, though:

/etc/hotplug/attach:
#!/bin/sh

DEVCLASS=$1
DEVNAME=$2

case "$DEVCLASS" in
2)
	# disk devices: log the attach together with the disklabel's label field
	disklabel=`/sbin/disklabel "$DEVNAME" 2>&1 | \
	    sed -n '/^label: /s/^label: //p'`
	logger -p kern.info "Disk ${DEVNAME} attached: $disklabel"
	;;
esac


/etc/hotplug/detach:
#!/bin/sh

DEVCLASS=$1
DEVNAME=$2

case "$DEVCLASS" in
2)
	# disk devices
	logger -p kern.info "Disk ${DEVNAME} detached"
	;;
esac




Kind regards,
--Toni++



Re: altq incoming vpn connections

2009-03-17 Thread Toni Mueller
Hi,

On Mon, 16.03.2009 at 16:31:12 +0200, Eugeni Akmuradov  
wrote:
> is out there any possibility to load queues from separate file and/or
> via anchors.

I don't know what you want to achieve, but look at

# pfctl -A -f some-queue-definitions-in-this-file

(man pfctl)


Kind regards,
--Toni++



Re: openbsd in virtualization

2009-03-18 Thread Toni Mueller
Hi,

On Wed, 18.03.2009 at 09:33:38 +, Stuart Henderson  
wrote:
> how does one increase efficiency and reduce IT costs by making things
> more complicated?

sorry, but this is the wrong question.

Using virtual machines makes some things more complicated, but it also
enables simplification of other things. Eg. I use some virtual machines
for things I need only occasionally where using physical machines would
just be a great waste, and I'm aware of other outfits who use virtual
machines to avoid having to tend to a zoo of underutilized servers, but
where putting everything into one server was impractical, too. Now they
have a few servers running this stuff as virtual machines, while at the
same time providing automatic failover in case one of the physical
"carrier" machines goes down. So, these guys now have better overall
utilization of (much) better hardware, plus increased reliability, plus
reduced cost because their hosts and the management suite on top of
that provides them with much better facilities and flexibility than
having said zoo of individual tin boxes could provide.


Kind regards,
--Toni++



Re: openbsd in virtualization

2009-03-19 Thread Toni Mueller
Hi,

On Wed, 18.03.2009 at 23:10:01 +0100, Marc Balmer  wrote:
> Machines that are exposed to the internet run on real hardware,
> for security reasons.  I don't trust the underlying virtualization  
> software to be secure/stable/good.

I generally second that, but have a nagging doubt that one still needs
to plug the "blue pill" hole. Unfortunately, I don't see the "how", but
only the need. If OpenBSD could do something to thwart such attacks,
and side-channel attacks like those created by Intel's management
platform ("AMT"), that would be great!


Kind regards,
--Toni++



Re: openbsd in virtualization

2009-03-19 Thread Toni Mueller
Hi,

On Thu, 19.03.2009 at 10:23:18 +0100, Julian Leyh  wrote:
> Pehr Söderman wrote:
>> Let me put it this way: I don't mind creating 60 virtual instances to
>> give each student in a course a server to mess around with. I can wipe
>> them and reinstall them in a matter of minutes if a student messes up
>> a server. I would love those servers to be OpenBSD.
>>
>> Installing 60 physical servers to give the students something to play
>> with is not fun :(
>
> You could do it just as easily, using netboot. wiping/reinstalling would  
> have to take place only on one server, probably not much more as  
> restoring the exported filesystems or boot images from a previous backup.

but it still increases the cost considerably: With virtualization, it
suffices to give a thin client to each student, or maybe even less if
not all 60 students are expected to work simultaneously. With physical
machines, this still creates much more hassle, and cost. Also, if one
of the students decides to work somewhere else (e.g. at home), he could,
in theory, simply copy the VM to his computer and carry it away. I
highly doubt that someone wants to manage lending out physical
machines...


Kind regards,
--Toni++



Re: prioritizing carp interfaces

2009-03-21 Thread Toni Mueller
Hi,

On Fri, 20.03.2009 at 14:28:46 +0100, Joerg Streckfuss  
wrote:
> How does CARP behaves when on the master node two "unimportantly" interfaces
> fail and on the backup node only the uplink interface fails? Does CARP
> failover
> to the backup node and as consequence the whole network will be disconnected
> from the internet?

my reading of carp(4) is that the behaviour depends on the setting of

net.inet.carp.preempt

If set to 1, then firewalls only fail over as a whole, while if set to
0, interfaces fail over individually. With interfaces failing over
individually, and with appropriate routing between your firewalls,
traffic should flow through the remaining interfaces.

Please note that having interfaces fail over individually makes playing
with pfsync and sasync *quite* interesting.
Please also note that you could have more than two firewalls running
CARP, so maybe the third (fourth, ...) firewall will keep you online.

I guess that the real solution is to have a known-good hardware that
you can bring up in minutes sitting on the shelf, and yes, to live with
some downtime.


Kind regards,
--Toni++



intel 5400 chipset support, was: Re: raidframe and hotplugd on 4.4

2009-03-22 Thread Toni Mueller
Hi,

[ hijacking my own thread in order to avoid posting the dmesg twice... ]

I tried to enable AHCI mode on this computer with the intel 5400
chipset on board. This resulted in the kernel not finding the disks,
after they were registered fine with the BIOS. So I thought, I'd peek
at the disks using the CD, but running bsd.rd caused a hard crash which
required me to press the reset button. This is the error message that I
got (typed from a blurred image):

...
isa0 at mainbus0
com0 at isa0 port 0x3f8/0 irq4: ns8240, .. fifo
fatal integer divide fault in supervisor mode
trap type 8 code 0 rip 88291c53 cs 0 rflags 286 cr2  0 cpi e rsp f8960725e0

The operating system has halted.
Please press any key to reboot.

rebooting...


At that point, the machine requires me to press the reset button. I
don't know if this has something to do with the fact that I'm using an
USB keyboard or not (legacy support is enabled).


The machine runs fine when I have AHCI support switched off.



Kind regards,
--Toni++



Re: intel 5400 chipset support, was: Re: raidframe and hotplugd on 4.4

2009-03-23 Thread Toni Mueller
Hi David,

On Mon, 23.03.2009 at 09:48:36 +0100, David Vasek  wrote:
> On Sun, 22 Mar 2009, Toni Mueller wrote:
>> isa0 at mainbus0
>> com0 at isa0 port 0x3f8/0 irq4: ns8240, .. fifo
>
> Not that I would be able to help with this, just note that these two 
> lines are very different from the dmesg you posted previously. My guess 
> is you should prepare yourself for retyping the full dmesg.

yesterday, I typed from a blurry handset photo.  Anyway, I re-did the
experiment and managed to write down the exact error message. As far as
I can see, booting proceeds as normal to this point:

pciide0: channel 1 ignored (disabled)

Then, AHCI is detected and immediately followed by a crash:

ahci0 at pci0 dev 31 function 2 "Intel 6321ESD AHCI" rev 0x09: irq 11, AHCI 1.1
fatal protection fault in supervisor mode
trap type 4 mode 18b rip 802ba2f8 cs8 rflags 10202 cr2  0 cpi e rsp 80b21b20

The operating system has halted.
...


While poking around in the BIOS, I also saw an option which suggested
that the machine can do something called "EFI OS booting" (or similar).
Should I enable this?


Kind regards,
--Toni++



Re: European orders

2009-03-26 Thread Toni Mueller
Hi,

On Wed, 25.03.2009 at 17:37:54 +0200, Ross Cameron  wrote:
> On Wed, Mar 25, 2009 at 4:51 PM, frantisek holop  wrote:
> > Theo has made some serious allegations and i hope he has evidence
> > to back it up.
> Theo may be many things,... but a liar I have never found him to be.

I don't have personal experience with Theo, only with Wim, so I'd say
that he's (also) not a liar. But Wim's story diverges from Theo's story
in a way which is probably beyond reconciliation.

All in all, this is a very sad event from my point of view.


Kind regards,
--Toni++



Re: "persistent bios infection" paper and openbsd

2009-03-26 Thread Toni Mueller
Hi,

On Wed, 25.03.2009 at 10:05:13 -0600, Theo de Raadt  
wrote:
> The operating systems are not vulnerable.
> 
> The *machines* are.

this begs the question: Which machines are NOT vulnerable?

> There really is absolutely nothing we can do about it.

I'd say that, at least for running machines, some precautionary
measures should be possible to take to thwart hackers that try to rob
your machine from under your fingertips.

Eg. a driver that wipes sensitive kernel memory areas after forcefully
halting most tasks and doing a basic flushing of disk buffers...


Kind regards,
--Toni++



Re: "persistent bios infection" paper and openbsd

2009-03-27 Thread Toni Mueller
Hi,

On Thu, 26.03.2009 at 12:21:31 -0600, Theo de Raadt  
wrote:
> I wrote: 
> > I'd say that, at least for running machines, some precautionary
> > measures should be possible to take to thwart hackers that try to rob
> > your machine from under your fingertips.
> >
> > Eg. a driver that wipes sensitive kernel memory areas after forcefully
> > halting most tasks and doing a basic flushing of disk buffers...
> 
> That won't help.

I messed up a bit, sorry. I did not want to say that this would help
with the specific problem of someone attacking a flashable BIOS or by
other machines that can't be readily observed by the user. But what I
think such a program *will* help with, is the problem when you're
happily hacking away at your computer, and the doorbell rings
unexpectedly (or rather, the window shatters). Sort of an emergency
halt for the machine, specifically taking this nasty "RAM in liquid
nitrogen"-problem into account.


Kind regards,
--Toni++



Re: OpenBSD mta with postfix

2009-04-01 Thread Toni Mueller
Hi,

[ I don't yet see how this is related to Postfix, or OpenBSD ]

On Sat, 28.03.2009 at 11:47:41 +0200, Lars Noodén  
wrote:
> I run into it a lot.  My guess is that it's to distract from the "IT"
> team having selected software which doesn't work reliably.  So if they
> make enough extra problems, no one will take the time to get to the real
> cause: MS Exchange.

there are other instances of this as well, as other "mail server
software" packages tend to break, too. I've just encountered a
competing product simply eating emails it doesn't understand (closed
source, of course).


Kind regards,
--Toni++



Re: European orders

2009-04-01 Thread Toni Mueller
Hello,

On Wed, 01.04.2009 at 08:58:40 +0200, Artur Grabowski  wrote:
> Where do they come from? Suddenly there's this astroturfing campaign
> about... what? forcing Theo to do business with someone he has no
> intention of doing business with anymore?

this is a bit besides the issue, methinks. There are several issues
being discussed, and alluded to, here:

 1. Theo not wanting to do business with Wim anymore.
 2. The reason(s) given why Theo does not want to do business with
Wim anymore.
 3. Theo's handling of the case.
 4. Wim's handling of the case.
 5. People voicing opinions about the case.

 6. "Fairness"


[ Sidebar: ]
   While not strictly required by law, fairness in business is of
   utmost importance to me.


I'm going to discuss mainly the second issue.


If a business relationship breaks up for whatever reason, one mainly
has two options:

 * Declare the relationship terminated, and give no reason.

 XOR...

 * declare the relationship terminated, and give a lengthy explanation.


It is certainly Theo's prerogative to choose to do business with
whomever he wants to (ignoring any potential contract issues for the
moment), but if he gives a reason in the first place, the reason has to
be sound and verifiable, like with any other statement, too.

This is currently not the case.


I can only see two statements on the table which (at least) I can't
reconcile:

Theo's statement that Wim hasn't paid for a very long time, and Wim's
statement that he has paid in full, and in a timely manner (sometimes
in advance, too). Wim has published his version of this story on his
homepage, decorated with numbers, but I haven't seen anything
comparable from Theo, except for these messages on this mailing list.

Without having audited both sides' paperwork, there is no way to say
what actually happened, or should have happened, unless one declares
one set of arguments void. I have no reason to believe that Theo or Wim
have pulled their stories entirely out of thin air, and I also don't
believe in both persons' attempts to feed me their respective "Fox News
style" opinion and demand exclusive truth for it, too.

If I have missed something important, please point it out to me.


I'd like to note that I don't want to "take sides", but I am very
interested in getting some sanity back into this discussion.

So, I'd say that everyone interested reads through Wim's statement and
then thinks about how much sense this all makes to him, or her. Leaving
out most if not all of the "moral" discussion about how to use, or not
use, the disputed money, and instead concentrate on "contract and
accounting issues" would imho help.

My current personal assessment is that this story is far from being as
black and white as it's being painted by the protagonists, and some of
the audience, too. And last but not least, please keep in mind that
"believing" something is the opposite of "knowing" something. I'd
rather know and not believe (because I have no way to know).


Kind regards,
--Toni++



Re: Wim

2009-04-02 Thread Toni Mueller
Hi,

On Thu, 02.04.2009 at 00:17:35 -0600, Theo de Raadt  
wrote:
> This guy some of you think is so honest.  He's filtering port 25
> from cvs.openbsd.org.

did you try sending from a different server thereafter?



I've seen a failure mode where a machine appears to be up, but slowly
stops accepting ever more tcp connections over time, until the system
comes to a grinding halt, the last thing being becoming unresponsive to
ping and finally, console lockup, on several machines. They are all
different hardware, but are intel or AMD CPUs. I've seen this for a
long time (years), but have no way to reproduce it, and also no way to
catch debug info in the actual cases (eg. "boot crash" doesn't do
anything), and therefore not reported it, since you don't want
incomplete bug reports. I was so far unable to detect a pattern. A
machine usually runs fine for months, then takes a few hours or up to
2-3 days, to get into that state. If it happens, I can usually only
press the reset button.

If I may have a wish granted, then please, pretty please, try to keep
USB, and especially USB keyboards, alive for as long as possible,
because otherwise, I can't do anything in most cases of such a lockup.

> For what reason would he do that?

I don't know, either, but since he's allegedly on the road, it might be
difficult for him to fix it soonish, if it is a problem like the one
described above.


Kind regards,
--Toni++



Re: Wim

2009-04-03 Thread Toni Mueller
Hi Kili,

On Thu, 02.04.2009 at 22:15:13 +0200, Matthias Kilian  
wrote:
> Wim *does* filter traffic from cvs.openbsd.org. At least on ports
> 25 and 80:
> 
> $ telnet  www.kd85.com 25
> Trying 62.116.6.182...
> 
> [nothing]

> Silly. So silly.

I've seen many kinds of breakage, but right now, I can telnet to his
server to port 25 from here. If you can't, then I tend to agree that
port 25 is filtered.

I also think that such kind of filtering - for policy reasons - is a
stupid idea.

-- 
Kind regards,
--Toni++



Re: where to order now ?

2009-04-03 Thread Toni Mueller
Hi,

On Fri, 03.04.2009 at 00:56:16 +0200, Martin Schröder  
wrote:
> 30 is 60% of 50. :-)
> 
> I seriously doubt that other european resellers donate the 20 profit
> they make.

can we agree that you shouldn't make such blanket assumptions about
other people's books, please?

Btw, the mentioned "international shipping" cannot cover much more than
the stamp, and, only with some luck, the envelope in which the CD set
arrives.


Kind regards,
--Toni++



Re: VPN client-to-site over IPSec

2009-04-03 Thread Toni Mueller
Hi,

On Fri, 03.04.2009 at 12:43:33 -0300, João Salvatti  wrote:
> Is it possible to implement a client-to-site VPN over IPSec? I have
> searched on the web, but only found site-to-site models.

what exactly do you mean by "client to site"?

You can distinguish between transport mode, where you use the IP that
you actually use, as an endpoint, and tunnel mode, where you assign an
IP of your choosing for use inside the tunnel, and then use that IP for
all of your connections.

Usually, "site-to-site" is associated with tunnel mode, and I currently
see no reason, and much less any advantage, in using transport mode.


Kind regards,
--Toni++



Re: VPN client-to-site over IPSec

2009-04-04 Thread Toni Mueller
Hi,

On Fri, 03.04.2009 at 18:26:45 -0300, Marcello Cruz  
wrote:
> Do you mean a VPN where only a HOST will access an entire NETWORK? If so, 
> then the answer is YES.

I don't "need" anything specifically right now which would fit into
this thread, but asked questions to better understand what the original
poster wanted to achieve.

> For instance, I have some OpenBSD servers acting as VPN Server and they  
> allow me to connect from home to the networks behind those OpenBSD 
> servers.

Me too.

> PC -- Internet -- OpenBSD  LAN
> PC  IPSec Tunnel -- LAN
>
> I also have other situations where I need an entire LAN communicate with  
> other LAN, like:
>
> LAN -- OpenBSD/Other -- Internet --- OpenBSD -- LAN
> LAN --- IPSec Tunnel --- LAN

I just wanted to say that, network-wise, configuring the first
scenario, assuming that you mean transport mode, almost never makes
sense, or at least not to me, and that the second scenario should
be the default configuration, even if "LAN" and "OpenBSD/Other" might
collapse into only one computer.


Kind regards,
--Toni++



Re: Anyone using munin?

2009-04-06 Thread Toni Mueller
Hi,

On Sat, 04.04.2009 at 12:15:35 +0200, Cezary Morga  wrote:
> I think munin comes with a bunch of plugins already. If not you can grab some 
> Linux package (like Debian's munin-node) and extract them from it. These are 
> simple scripts (shell, perl, python) so they might run on OpenBSD even 
> without 
> any modifications.

I think that this is very optimistic, since a lot of Linux specific
facilities are being used. Eg. several scripts parse the output of
iptables, or read /proc...


Kind regards,
--Toni++



Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

2009-04-06 Thread Toni Mueller
Hi,

On Sun, 05.04.2009 at 15:24:09 -0400, System Administrator  
wrote:
> device with most of the processing happening on the host. If you stick 
> to real "hardware" printers that provide built-in Postscript (or at 
> least PCL) language and fonts, you will have no problems with OpenBSD. 

these will imho easily bust a small budget, but are also the only
viable choice if you intend to keep the device for some time.

> For the longest time I used to be a fan of HP, although I have also 
> always liked Lexmark.

I was also a fan of HP printers, especially after having bad experience
with a medium-sized Lexmark printer, due to massive mechanical problems
which looked like "designed-to-break", and very pricey replacement
parts.


> learned from a reseller that HP's cartridges include a page counter and 
> stop operating at the prescribed number of pages regardless of actual 
> utilization, which is in stark contrast to Lexmark whose cartridges are 
> guaranteed for "at least" a certain number of pages and the company 
> will replace it free of charge if it runs out sooner but does not 
> prevent you using it past that many pages.

The page count mechanisms seem to be very common in many printers'
cartridges, esp. in the lower price range. Try to ask your dealer about
page counters in other printers' cartridges. I guess that you'll find
them in more than half the models across the board.


> On 5 Apr 2009 at 19:44, ropers wrote:
> > I'm looking for a colour laser printer that's so cheap that I can

I don't know what exactly you want to do, but you might be interested
in reading some reports about the printing quality and operating cost,
too. Eg. a good ink jet printer should deliver better quality printouts
than a bad laser printer. If all you're doing is printing a few easy
charts from your spread sheet, then this may be irrelevant to you.


Kind regards,
--Toni++



carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi,

I have a setup with three machines, all i386, and all plugged into
one switch:

 A: 5.1 (IPv4: master)
 B: 5.0 (IPv4: backup)
 C: 5.2 (IPv4: master, IPv6: backup)

Each host has two IPv4 carp interfaces, all on one interface (carp0 and
carp1), and host C has an additional carp2 with only an IPv6 address (no
IPv4).

Now, A + B work nicely with two carp interfaces (IPv4), but A+C do not.

While the carp interface for IPv6 goes into MASTER mode, as expected, if
I change the advskew on A, the IPv4 interfaces don't go into MASTER
mode, but stay in BACKUP mode instead, no matter what:

Eg. from C:

# cat /etc/hostname.carp*
# carp0:
inet 10.0.0.1 255.255.248.0 10.0.7.255 vhid 1 advskew 100 pass pass1 carpdev em0

# carp1:
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 2 advskew 100 pass pass2 carpdev em0

# carp2:
inet6 3ffe:3ffe::1 32 vhid 3 advskew 100 pass pass3 carpdev em0


With this setup, carp1 will stay in BACKUP mode when I say "ifconfig
carp1 advskew 120" on A, while on B, it would go into MASTER
immediately.


I also have trouble taking carp2 down and up again, like in "ifconfig
carp2 down; ifconfig carp2 up". The result is that carp2 does no longer
respond to any packets sent to 3ffe:3ffe::1. Sending to the IPv6 address
bound to em0 continues to work like a charm, though. Saying "ifconfig
carp2 destroy; sh /etc/netstart carp2" - which I thought would re-create
the carp2 pseudo-device from scratch, does also not work, but elicits
the following error message from the kernel:

/bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001 (errno=17)


There are error messages related to duplicate IPv6 addresses, mentioning
the link-local auto-generated IPv6 address, which is the same for all
carp interfaces, eg:

/bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102

Touring the logs, I also find related error messages that I could not
yet make sense of:

/bsd: arpresolve: 10.0.0.1: route without link local address

The mentioned address is being advertised by A as the master, and
intended to be switched around by the CARP mechanism (works with A+B).

On C, I have pf disabled. On all three systems, I have bgpd enabled. On
A, I have pf enabled with these rules:

# pfctl -s r

block drop in quick on egress proto tcp from  to any ...
pass quick on em0 proto carp all keep state (no-sync)
pass quick on em1 proto carp all keep state (no-sync)


When I reboot the machine, the states of the CARP interface(s) are being
set correctly, but I don't know how to change them thereafter, as
described above.

The desired target state is to have A + C as a pair of CARP'ed routers
for both IPv4 and IPv6.


What am I doing wrong?


TIA!



Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi,

On Wed, Jan 02, 2013 at 04:53:02PM +0100, Patrick Lamaiziere wrote:
> On Wed, 2 Jan 2013 13:39:25 +0100, Toni Mueller wrote:
> > With this setup, carp1 will stay in BACKUP mode when I say "ifconfig
> > carp1 advskew 120" on A, while on B, it would go into MASTER
> > immediately.
> 
> Hmm, did you check the value of the carp demote counter?
> 
> # ifconfig -g carp

I just checked. The result is the same on all three machines:

# ifconfig -g carp
carp: carp demote count 0


Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi,

On Wed, Jan 02, 2013 at 05:47:23PM +, Stuart Henderson wrote:
> On 2013-01-02, Toni Mueller  wrote:
> >  A: 5.1 (IPv4: master)
> >  B: 5.0 (IPv4: backup)
> >  C: 5.2 (IPv4: master, IPv6: backup)
> 
> Is this 5.0 release or is it "something close to 5.0"?

the (working!) 5.0 machine runs

# uname -m -r -s -v
OpenBSD 5.0 GENERIC#43 i386


The other machines were installed/upgraded from the official CDs.



Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes [PARTIALLY SOLVED]

2013-01-02 Thread Toni Mueller
Hi,


I have just discovered that I made a configuration error that had
resulted in the undesired, but correct, carp behaviour for IPv4. Ie,
OpenBSD operates as desired for this case.

That leaves these questions open:

On Wed, Jan 02, 2013 at 01:39:25PM +0100, Toni Mueller wrote:
> I also have trouble taking carp2 down and up again, like in "ifconfig
> carp2 down; ifconfig carp2 up". The result is that carp2 does no longer
> respond to any packets sent to 3ffe:3ffe::1. Sending to the IPv6 address
> bound to em0 continues to work like a charm, though. Saying "ifconfig
> carp2 destroy; sh /etc/netstart carp2" - which I thought would re-create
> the carp2 pseudo-device from scratch, does also not work, but elicits
> the following error message from the kernel:
> 
> /bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001 (errno=17)
> 
> 
> There are error messages related to duplicate IPv6 addresses, mentioning
> the link-local auto-generated IPv6 address, which is the same for all
> carp interfaces, eg:
> 
> /bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102
> 
> Touring the logs, I also find related error messages that I could not
> yet make sense of:
> 
> /bsd: arpresolve: 10.0.0.1: route without link local address

I would still be glad to find that I simply configured junk, instead of
running into real bugs...


Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes [PARTIALLY SOLVED]

2013-01-03 Thread Toni Mueller
Hi,

thanks for the insight.

On Thu, Jan 03, 2013 at 01:37:38AM +, Stuart Henderson wrote:
> On 2013-01-02, Toni Mueller  wrote:
> >> /bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001 
> >> (errno=17)
> 
> 17 is EEXIST - see errno(2) for a list of these - there's probably
> a loopback route hanging around after destroying the interface,
> check in netstat -rnfinet6, you could try deleting it..

this happens exactly the moment when the carp interface that has an
IPv4 address assigned to it, goes into BACKUP state.

> >> /bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102
> Yes, that happens ;)

Can I ignore these, and/or can I safely remove the link-local
addresses that seem to be lifted from the physical CARP device?

> >> /bsd: arpresolve: 10.0.0.1: route without link local address
> 
> I've seen this before, I think it was on a router with a (non-/32)
> address on both the parent interface and the carp interface, though
> I have a few routers doing exactly that which don't see it..
> (Normally it's recommended to use /32 on the carp interface, but
> that's not going to work if you are announcing it into ospf).

Ok. I do not use OSPF (only BGP), so I set all interfaces to

IP address/netmask of the connected network (eg. "32" for
the IPv6 network).

> Someone tracked down another situation where this can happen,
> http://marc.info/?l=openbsd-misc&m=121455393316796&w=2

I therefore would expect the problem to show up for the IPv6-only
CARP interface (ie, carp2) after that went down and refused to
come up again, until the next reboot. But the error message specified
the IPv4 address for a carp interface that is actually there, up, and
*should* be working.

Is this a known problem, or is it just me, that CARP interfaces
come up only once?


Kind regards,
--Toni++
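The duplicate-address message quoted in this thread and in the original report ("nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102") can be decoded by hand: a CARP interface uses the virtual MAC 00:00:5e:00:01:<vhid>, and the EUI-64 link-local address is derived from that MAC, so the vhid alone fixes the link-local address on every host in the group, and two carp interfaces on one segment with the same vhid get the same one. The script below is an added example written for this page, not something from the thread or from OpenBSD; it assumes the hostname.carp* files use the "vhid N" syntax shown in the original post, and the directory argument is there so it can be pointed at a scratch copy.

```sh
#!/bin/sh
# Added example, not from the thread: relate CARP vhids to the virtual MAC
# and link-local addresses that show up in the kernel messages above.
# A CARP interface uses the virtual MAC 00:00:5e:00:01:<vhid>; the EUI-64
# link-local address is derived from that MAC, so the vhid alone decides
# the link-local address on every host in the group.

# carp_mac VHID -> print the virtual MAC for a vhid (1-255)
carp_mac() {
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] || return 1
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# carp_linklocal VHID -> print the EUI-64 link-local address: the
# universal/local bit of the first MAC octet is flipped (00 -> 02) and
# ff:fe is inserted after the OUI, giving fe80::200:5eff:fe00:1XX.
carp_linklocal() {
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] || return 1
    printf 'fe80::200:5eff:fe00:1%02x\n' "$1"
}

# vhid_from_nd6_message LINE -> recover the vhid from a kernel line such as
#   /bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102
# (the kernel prints the scope id, here 0008, inside the second word; the
# last word is 01XX with XX the vhid in hex). Prints the vhid in decimal.
vhid_from_nd6_message() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*duplicate IP6 address \([0-9a-fA-F:]*\).*/\1/p')
    [ -n "$addr" ] || return 1
    last=${addr##*:}                                  # e.g. 0102
    last=$(printf '%s\n' "$last" | sed 's/^0*//')     # e.g. 102
    case "$last" in
        1??) echo $((0x${last#1})) ;;
        *) return 1 ;;
    esac
}

# find_duplicate_vhids DIR -> print every vhid used by more than one
# hostname.carp* file in DIR. Two carp interfaces with the same vhid share
# a virtual MAC and therefore a link-local address, which is one way to
# provoke the duplicate-address message.
find_duplicate_vhids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "vhid") print $(i + 1) }' \
        "$1"/hostname.carp* 2>/dev/null | sort -n | uniq -d
}

# Stand-alone run against the live configuration:
#   find_duplicate_vhids /etc
#   grep 'duplicate IP6 address' /var/log/messages | while read -r l; do vhid_from_nd6_message "$l"; done
```

On a live router, `find_duplicate_vhids /etc` lists vhids that are configured twice on that host; the vhid printed for a logged duplicate-address message can then be matched against the hostname.carp* files of every host on the segment, since the colliding interface may be on another machine.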



Re: spam from chrooted CMSes

2009-04-10 Thread Toni Mueller
Hi,

On Fri, 10.04.2009 at 09:42:21 +0800, Uwe Dippel  wrote:
> I'm running postfix as MTA on a machine with several CMS, on a chrooted  
> Apache.  Recently, there is a huge number of spam being sent from there,  
> alas. When I scan the postfix-logs, all those come from 'root', meaning  
> they don't come through port 25. I run OpenBSD with mini-sendmail, and  
> now I wonder how I could find out from which CMS they are sent. Is there  
> any chance to find out from which CMS they are sent?

I don't know whether you have a chance to do so in the wake of your
recent spam wave, but you can prepare to recognize - and more easily
block - the offenders the next time by enforcing authenticated SMTP
submission for those applications, each with their own
username/password pair. You probably need to modify or reconfigure
those CMS installations, though.


Kind regards,
--Toni++
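Once each CMS submits through an authenticated submission port with its own credentials, Postfix records the identity in the smtpd "client=" log line as sasl_username=..., and the offending application can be read off the logs instead of everything appearing to come from root. The script below is an added example written for this page, not from the thread or from the Postfix project; the log lines it ships with are constructed in the Postfix log format, and the pickup lines stand for mail injected locally through sendmail(1), which carries no SASL identity.

```sh
#!/bin/sh
# Added example, not from the thread: attribute submitted mail per SASL
# identity from Postfix logs. Messages that arrive via postfix/pickup
# (local sendmail(1) injection) carry only a uid and cannot be tied to a
# particular CMS, which is the situation the poster describes.

# count_by_sasl_user LOGFILE -> "count user" per SASL identity, busiest first
count_by_sasl_user() {
    awk '
        /postfix\/smtpd\[/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^sasl_username=/) {
                    sub(/^sasl_username=/, "", $i)
                    sub(/,$/, "", $i)
                    n[$i]++
                }
        }
        END { for (u in n) print n[u], u }
    ' "$1" | sort -rn
}

# count_unattributed LOGFILE -> number of messages that entered the queue
# through postfix/pickup, i.e. without any SASL identity to attribute them
count_unattributed() {
    awk '/postfix\/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample log in the Postfix log format, for a stand-alone run.
sample_log() {
    cat <<'EOF'
Apr 10 09:42:21 www postfix/smtpd[8123]: 4F2A1C0001: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-wordpress
Apr 10 09:42:22 www postfix/smtpd[8123]: 4F2A1C0002: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-joomla
Apr 10 09:42:23 www postfix/smtpd[8123]: 4F2A1C0003: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-wordpress
Apr 10 09:42:25 www postfix/pickup[8101]: 4F2A1C0004: uid=0 from=<root>
EOF
}

# Stand-alone run on the constructed sample; point the functions at
# /var/log/maillog on a real host.
log=$(mktemp)
sample_log > "$log"
count_by_sasl_user "$log"
printf 'unattributed (pickup): %s\n' "$(count_unattributed "$log")"
rm -f "$log"
```

The number reported by count_unattributed is the figure to drive to zero: as long as a CMS can still hand mail to the local sendmail(1) binary, its spam will keep appearing under root, so the chroot needs to lose that path once the application has been switched to authenticated submission.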



Re: Is there any particular reason to not have RAIDFrame on RAMDISK_CD

2009-04-20 Thread Toni Mueller
Hi,

On Mon, 20.04.2009 at 11:55:05 +0200, Henning Brauer  
wrote:
> and in any case this is less about ramdisk size but more about
> raidframe which we're going to get rid of eventually (when marco ever
> gets softraid up to a usable level, read rebuild working)

please also wait for in-place conversion before ripping raidframe out,
so users can say something like "raidctl upgrade raid0" or similar,
if at all possible.

Thank you!


Kind regards,
--Toni++



Re: Problem with slow disk I/O

2009-04-23 Thread Toni Mueller
On Thu, 23.04.2009 at 19:40:34 +0200, Thomas Pfaff  wrote:
> On Thu, 23 Apr 2009 17:25:57 +0200 Jan Stary  wrote:
> > On Apr 23 18:09:55, Thomas Pfaff wrote:
> > > First on Ubuntu:
> > > /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
> > > ~$ time (tar -zxf ports.tar.gz && sync)
> > > real  0m47.784s
> > > user  0m1.576s
> > > sys   0m5.024s

47.78 seconds wall clock time

> > > Then the same commands on OpenBSD:
> > > /dev/wd0k on /home type ffs (local, nodev, nosuid, softdep)
> > > $ time (tar -zxf ports.tar.gz && sync)
> > > 1m2.62s real 0m1.15s user 0m7.15s system

~ 1 minute 2.5 seconds wall clock time

> > So you have ~52 seconds on ext3 mounted  'realtime' (whatever that means),
> > versus ~63 seconds on ffs mounted with 'softdep'.
> > What was the problem again?
> 
> That I cannot get the job done in less than a minute on OpenBSD
> while on Linux it takes only 18 seconds.

This is a misconception, imho. Your test above shows that the
performance difference is about 15 seconds, or roughly 25%. I can't see
the 18 seconds anywhere except in your first email about your perceived
performance for the task. It is imho useful to remember that Linux
caches disk access much more aggressively than OpenBSD. So, in reality,
you don't write that much faster to disk, but to RAM, and the OS
flushes the buffers at its own leisure, while you are working on
something else.

Which reminds me to ask what the state of having a UBC in OpenBSD is,
please?


-- 
Kind regards,
--Toni++



Re: build fails on 4.5

2009-04-27 Thread Toni Mueller
On Mon, 27.04.2009 at 14:14:07 -0400, Ted Unangst  wrote:
> The mirror is broken because rsync, in its infinite wisdom, doesn't
> copy directories named *.so.  And since the mirror doesn't have that
> directory, you don't have it either.  Get it from somewhere else.

dtalk has given the right answer already, but you can easily verify
this for yourself:

$ mkdir -p a/some.so b
$ rsync -a a b
$ find a b
a
a/some.so
b
b/a
b/a/some.so
$ 


Kind regards,
--Toni++



Re: T1 card compatible with 4.4

2009-04-27 Thread Toni Mueller
On Fri, 24.04.2009 at 11:26:42 -0400, (private) HKS  
wrote:
> I'm looking for a T1 card compatible with 4.4.

;)

> There were a fair number of recommendations for Sangoma's a101 a few
> years ago, followed by threads describing major problems and Sangoma
> yanking support for OpenBSD. What alternatives work decently under
> OpenBSD?

A while back Accoom cards were very fine, and if you can get them, do
it.

I'm very much interested in getting two or three more, although they
should be available only used by now. Please send me your offers
off-list. Thank you!


Kind regards,
--Toni++



Re: Recipient Validation & Design Opinions

2009-04-27 Thread Toni Mueller
Hi,

On Fri, 24.04.2009 at 08:47:00 -0400, Mario Vega  wrote:
> The two internal servers use several different domains and accept a  
> variety of different name formats.  In addition, some users have one or  
> more aliases.  Furthermore, only the primary address is published in  
> LDAP.  One server serves approximately 1k users and the other  
> approximately 20.

would it be possible to list all users in LDAP? Then you can "easily"
verify against that list.

> day, 115k of which are rejected as invalid.  Does anyone have experience  
> with scam-backscatter or are there other solutions we should be  
> investigating?

If you are able to weed out illegitimate recipients, this may go a long
way to reduce spam, or at least it did for us. Looking the email
address up in LDAP is *much* cheaper than doing a call-out to the
backend server(s). Greylisting helps us, too, but seems to "cost" mail
from broken servers (there are imho more than enough of these out
there).

> running Postfix, amavis, clamav and spamassassin.  Due to the nature of  
> the store and scan system, we've noticed a tendency for the system to  
> become swamped under heavy load and take several hours to clear out.  

Imho, the bulk of the load should be consumed by spamassassin which
could esp. lead to thrashing if you can't restrict the parallelism of
spamassassin runs. FWIW, I think that Postfix should generally be
preferable to sendmail, and you also seem to have more Postfix
experience already.

> Furthermore, we're quarantining viruses and and obvious spam in the  
> neighborhood of 89k a day, which I would rather leave at the door.

This you can only do if you don't accept the email, then scan and/or
quarantine it. To do this, there are several possibilities, but I
suggest taking a look at this program: http://smtpd.develooper.com/ You
need to keep the connection with your clients open as long as you have
decided on the fate of any given message, then you can emit a 5xx code
at anytime, thus leaving part of the burden at the sender's side.

> The OpenBSD system would be running spamd, the base sendmail,  
> smtp-vilter, clamav and spamassassin.

Imho, both clamav and spamassassin are very heavyweight. If you can
devise heuristics to weed out messages early, using these before
feeding these two programs should reduce your load.


Kind regards,
--Toni++



Re: build fails on 4.5

2009-04-28 Thread Toni Mueller
Hi,

On Mon, 27.04.2009 at 16:19:39 -0400, Ted Unangst  wrote:
> That's what I remembered from the last time it happened, but I just
> double checked.  It seems rsync only does this when -C cvs-exclude is
> passed.  The problem is that it ignores directories, not just files.

that sounds broken, indeed. FWIW, to avoid such side effects, I don't
use -C because it leads to the exclusion of .-style
directories as well, and use --include and --exclude instead. Clumsy,
but at least, I'm in control then.


Kind regards,
--Toni++



Re: Internet access over Bluetooth; a summary.

2009-04-30 Thread Toni Mueller
On Tue, 28.04.2009 at 07:12:34 +0200, Otto Moerbeek  wrote:
> Caching only reduces load on the DNS system if the caches get used a
> lot. Lots of caches that are virtually unused increase the load. 
> 
> Imagine every laptop owner would do this, and the resulting load of
> root and other authoritative nameservers.

That may all well be true, but currently, bypassing your ISP's DNS
cache looks like the best short-term workaround to getting manipulated
answers while lawmakers around the globe move towards erecting more and
more "great firewalls" as we speak.

Yes, I'm fully aware of the fact that technology can't provide a
solution to a social problem, but otoh, the already-deployed multicast
roots should already scale quite a bit more than 13 simple hosts could.
IOW, I'm not sure that the load argument still holds.

-- 
Kind regards,
--Toni++



Re: Samsung HD License Issue

2009-05-04 Thread Toni Mueller
Hi,

On Mon, 04.05.2009 at 11:46:51 +0200, David Vasek  wrote:
> It seems we are no longer buying hardware products, we are only buying  
> permissions to use them - almost everything contains some form of 
> firmware or microcode now. You never _own_ that code built-in in your 
> hardware, you are only a licensee, thus you are bound by the license to 
> use the firmware. Crazy, really crazy world! I hope that such licenses 
> are illegal, illegal in every country.

I also think that such a license should be illegal, the more so as it
didn't say on the outside of the box that this product has hidden
restrictions attached (however void they may be for other reasons).

I'm also not prepared to accept "permission to use" in lieu of
"ownership".


Kind regards,
--Toni++



Re: Samsung HD License Issue

2009-05-04 Thread Toni Mueller
Hi,

On Mon, 04.05.2009 at 12:03:15 +0200, Jochem Kossen  wrote:
> On Mon, May 04, 2009 at 11:46:51AM +0200, David Vasek wrote:
> > Possibly, but you need to get the mentioned license _from Microsoft_, as  
> > is written in the license: "...may require an additional license from  
> > Microsoft."
> No, the response from EC explicitly mentions that if you don't use an
> operating system from Microsoft, you don't need a license from
> Microsoft.

that may well be, but it doesn't make the text mentioned any better.
This kind of wording imho borders extortion.


Kind regards,
--Toni++



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-04 Thread Toni Mueller
Hi,

On Sat, 02.05.2009 at 19:15:59 -0600, Theo de Raadt  
wrote:
> > > I am running the GENERIC OBSD 4.4/i386 'bsd' kernel and would like
> > > to set up the bsd.mp kernel instead.
> > cd /
> > mv bsd bsd.sp
> > mv bsd.mp bsd
> > 
> > reboot

what was wrong with:

# echo 'set image /bsd.mp' >> /etc/boot.conf
# reboot


Kind regards,
--Toni++



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-04 Thread Toni Mueller
Hi,

On Sun, 03.05.2009 at 11:00:02 -0700, J.C. Roberts  
wrote:
> I never said the boot.conf was not useful. I said the i386\amd64 hack

I don't see how 'set image ...' is a hack, nor how it would be specific
to i386 and amd64.

> The new installer (destined for 4.6) in snapshots *already* picks the
> right kernel (GENERIC or GENERIC.MP) for the system, and installs it
> as /bsd.

This makes it harder to move a set of already-installed disks to a
different machine, a facility which I value for fast recovery.

> On all archs, when you wish to boot to a different on-disk kernel you
> can do it either by copying/moving kernel file to /bsd, and/or
> specifying the kernel file at boot time `boot /mybsd.custom.hack`

I dislike moving kernels around, but editing boot.conf is ok.

> When you treat i386\amd64 differently with the boot.conf kernel
> designation feature, you are not only making things less portable, but
> worse, you're showing a bias towards what many consider to be a flawed
> system design.

Hmmm... Can you please point me to some reading about the upcoming
"non-flawed system design"?

> Now, let's say you are using the /etc/boot.conf hack to boot to bsd.mp,
> and you go to update your stable system running an MP kernel. You read
> the FAQ and follow the directions for installing a new kernel and
> rebooting before building the whole system.
> 
> When you do `make install` in your ../compile/GENERIC.MP/ directory,
> the newly built kernel gets installed as /bsd
> 
> You supposedly reboot to your new kernel... and guess what? --Due to
> your boot.conf hack you're still running your *old* /bsd.mp kernel
> rather than your newly built /bsd kernel.

This problem imho *only* arises as a consequence of installing the
new kernel in the wrong place. Had it been installed in /bsd.mp,
nothing would have gone wrong. You could even opt to overwrite /bsd.mp
in that case, too, to make sure that you are backwards-compatible.


Kind regards,
--Toni++
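The trap discussed in this thread and in the preceding message is easy to check for: "set image /bsd.mp" in /etc/boot.conf keeps booting /bsd.mp while "make install" puts the rebuilt kernel at /bsd, so the kernel that was just built never runs. The script below is an added example written for this page, not part of OpenBSD; it reads boot.conf, resolves the configured image and compares its age with /bsd. The ROOT prefix argument is an assumption introduced so the check can be run against a scratch directory; pass an empty string for the live system.

```sh
#!/bin/sh
# Added example, not from the thread: detect a boot.conf "set image" entry
# that points at a kernel older than /bsd, the stale-kernel situation
# described in the message above. ROOT is a directory prefix for testing
# ("" on a live system). Exit status of check_boot_image:
#   0  the configured image is at least as new as /bsd
#   1  the configured image is missing or older than /bsd
#   2  no "set image" line, so the default /bsd is booted

# boot_image ROOT -> print the image path from the last "set image" line
boot_image() {
    conf="$1/etc/boot.conf"
    [ -r "$conf" ] || return 1
    awk '$1 == "set" && $2 == "image" { img = $3 } END { if (img != "") print img }' "$conf"
}

check_boot_image() {
    root=$1
    image=$(boot_image "$root") || true
    if [ -z "$image" ]; then
        echo "no 'set image' in $root/etc/boot.conf; the default $root/bsd is booted"
        return 2
    fi
    if [ ! -e "$root$image" ]; then
        echo "boot.conf names $image but $root$image does not exist"
        return 1
    fi
    # -nt compares modification times; a rebuilt /bsd newer than the
    # configured image means the new kernel would not be booted.
    if [ "$root/bsd" -nt "$root$image" ]; then
        echo "$root/bsd is newer than $root$image: a rebuilt kernel would not be booted"
        return 1
    fi
    echo "$root$image is at least as new as $root/bsd"
    return 0
}

# Stand-alone run against the live system:
#   check_boot_image ""
```

A non-zero exit from check_boot_image "" right after a kernel build is the cue either to install the new kernel under the name boot.conf points at, as suggested above, or to drop the "set image" line.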



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-04 Thread Toni Mueller
Hi Otto,

On Mon, 04.05.2009 at 12:33:53 +0200, Otto Moerbeek  wrote:
> Summary: changes in the OpenBSD 4.6 install script, plus: after
> building a new kernel 'make install' copies it to /bsd. In both cases
> you end up running an old kernel. 

I agree to be guilty of posting before reading the entire thread, but
after doing it, I still miss the reasoning behind this change (ie,
*why* you want to install bsd.mp as bsd), and thus create installed
disks individually and non-portably, as far as I can see from here.


Kind regards,
--Toni++



UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi,

from a discussion around early November last year, I gather that
OpenBSD has not much UTF-8 support right now. I am a bit unsure about
whether having file names with UTF-8 characters is supported, though.
I don't need to type the characters, nor see or print them, but only
have a program like

fd = open(filename_with_utf8_characters, O_RDONLY);

succeed on a standard OpenBSD disk (FFS, if I'm not mistaken), using
open(2) and fopen(3).

I'm currently debugging a third-party application that happens to want
to use UTF-8 filenames, but doesn't seem to find them, and, FWIW, the
file names I get with "ls" are ISO-Latin-1 encoded, anyway.

It would be great if someone could make a definite statement about
this issue.


-- 
Kind regards,
--Toni++



Re: UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi Otto,

thanks for the quick answer.

On Wed, 13.05.2009 at 10:50:37 +0200, Otto Moerbeek  wrote:
> On Wed, May 13, 2009 at 10:35:25AM +0200, Toni Mueller wrote:
> > fd = open(filename_with_utf8_characters);
> > 
> > succeed on a standard OpenBSD disk (FFS, if I'm not mistaken), using
> > open(2) and fopen(3).
> 
> OpenBSD does not restrict or interpret filenames in any way, apart
> from the obvious: / and NUL are not allowed in filenames.

I guess, but don't know, that NUL is not part of any UTF-8 character...

> So we accept funny chars in filenames, but do nothing special with them.

Ok, that sounds great for a start. It means that the user can do
whatever he likes, in terms of weird filenames.

> > I'm currently debugging a third-party application that happens to want
> > to use UTF-8 filenames, but doesn't seem to find them, and, FWIW, the
> > file names I get with "ls" are ISO-Latin-1 encoded, anyway.
> I suppose what you are seeing depends on your terminal.

Erm... I did:

ls -al | od -c > ls-output.txt

and looked at that to determine what was on the file system, because
I've been bitten by weird encoding problems often enough already.
This way I determined that the special chars were indeed Latin1
encoded. Just saying 'ls -al' would only yield blanks in the offending
places, and otherwise only tends to garble my display.

> The kernel and base utilities encode nothing. Some utilities might
> protect funny chars being printed on a terminal (e.g. see ls -q).

Thanks for the hint.

> The kernel and libc do not do any encoding or decoding. What third
> part libs and applications do, who knows.

 ;)


Kind regards,
--Toni++



Re: UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi,

On Wed, 13.05.2009 at 12:12:31 +0200, Otto Moerbeek  wrote:
> show me what filename you constructed (and how you did that) and the
> contents of ls-output.txt. I prefer hexdump -C, btw.

I can't send you a recipe for constructing these filenames because I
didn't do it, and I also don't have the recipe. It's even unclear that
these filenames were originally generated on the OpenBSD system where I
saw the problem - on the application level, that is. Might very well be
a bug in one of the associated applications if you say that OpenBSD
leaves filenames alone, or a mishandling of data on behalf of the user
who asked me to look into the problem. Unless there's a problem
handling UTF-8 in one of the applications, eg. the FTP server that I
use, the problem rests firmly in the realm of the user, who currently
investigates changing his application in this respect to make it more
robust, anyway. Nevertheless, I include that listing below, for your
information and further reference.  You can clearly see that the
filenames contain characters in Latin1.

Thank you for your effort!


Kind regards,
--Toni++


0000  74 6f 74 61 6c 20 32 37  36 0a 64 72 77 78 72 2d  |total 276.drwxr-|
0010  78 72 2d 78 20 20 32 20  32 30 33 34 20 20 32 30  |xr-x  2 2034  20|
0020  33 34 20 20 32 30 34 38  20 41 70 72 20 32 32 20  |34  2048 Apr 22 |
0030  31 34 3a 35 34 20 2e 0a  64 72 77 78 72 2d 78 72  |14:54 ..drwxr-xr|
0040  2d 78 20 20 33 20 32 30  33 34 20 20 32 30 33 34  |-x  3 2034  2034|
0050  20 20 20 35 31 32 20 41  70 72 20 32 32 20 31 34  |   512 Apr 22 14|
0060  3a 35 34 20 2e 2e 0a 2d  72 77 2d 72 2d 2d 72 2d  |:54 ...-rw-r--r-|
0070  2d 20 20 31 20 32 30 33  34 20 20 32 30 33 34 20  |-  1 2034  2034 |
0080  20 31 30 39 35 20 41 70  72 20 32 32 20 31 34 3a  | 1095 Apr 22 14:|
0090  35 34 20 41 75 73 74 72  61 6c 69 65 6e 2e 70 6e  |54 Australien.pn|
00a0  67 0a 2d 72 77 2d 72 2d  2d 72 2d 2d 20 20 31 20  |g.-rw-r--r--  1 |
00b0  32 30 33 34 20 20 32 30  33 34 20 20 20 35 34 37  |2034  2034   547|
00c0  20 41 70 72 20 32 32 20  31 34 3a 35 34 20 42 65  | Apr 22 14:54 Be|
00d0  6c 67 69 65 6e 2e 70 6e  67 0a 2d 72 77 2d 72 2d  |lgien.png.-rw-r-|
00e0  2d 72 2d 2d 20 20 31 20  32 30 33 34 20 20 32 30  |-r--  1 2034  20|
00f0  33 34 20 20 31 31 31 35  20 41 70 72 20 32 32 20  |34  1115 Apr 22 |
0100  31 34 3a 35 34 20 42 72  61 73 69 6c 69 65 6e 2e  |14:54 Brasilien.|
0110  70 6e 67 0a 2d 72 77 2d  72 2d 2d 72 2d 2d 20 20  |png.-rw-r--r--  |
0120  31 20 32 30 33 34 20 20  32 30 33 34 20 20 20 34  |1 2034  2034   4|
0130  32 37 20 41 70 72 20 32  32 20 31 34 3a 35 34 20  |27 Apr 22 14:54 |
0140  42 75 6c 67 61 72 69 65  6e 2e 70 6e 67 0a 2d 72  |Bulgarien.png.-r|
0150  77 2d 72 2d 2d 72 2d 2d  20 20 31 20 32 30 33 34  |w-r--r--  1 2034|
0160  20 20 32 30 33 34 20 20  20 36 30 34 20 41 70 72  |  2034   604 Apr|
0170  20 32 32 20 31 34 3a 35  34 20 43 48 49 4e 41 2e  | 22 14:54 CHINA.|
0180  70 6e 67 0a 2d 72 77 2d  72 2d 2d 72 2d 2d 20 20  |png.-rw-r--r--  |
0190  31 20 32 30 33 34 20 20  32 30 33 34 20 20 20 35  |1 2034  2034   5|
01a0  34 37 20 41 70 72 20 32  32 20 31 34 3a 35 34 20  |47 Apr 22 14:54 |
01b0  43 68 69 6c 65 2e 70 6e  67 0a 2d 72 77 2d 72 2d  |Chile.png.-rw-r-|
01c0  2d 72 2d 2d 20 20 31 20  32 30 33 34 20 20 32 30  |-r--  1 2034  20|
01d0  33 34 20 20 20 34 32 38  20 41 70 72 20 32 32 20  |34   428 Apr 22 |
01e0  31 34 3a 35 34 20 43 6f  73 74 61 20 52 69 63 61  |14:54 Costa Rica|
01f0  2e 70 6e 67 0a 2d 72 77  2d 72 2d 2d 72 2d 2d 20  |.png.-rw-r--r-- |
0200  20 31 20 32 30 33 34 20  20 32 30 33 34 20 20 20  | 1 2034  2034   |
0210  36 37 33 20 41 70 72 20  32 32 20 31 34 3a 35 34  |673 Apr 22 14:54|
0220  20 43 7a 65 63 68 20 52  65 70 75 62 6c 69 63 2e  | Czech Republic.|
0230  70 6e 67 0a 2d 72 77 2d  72 2d 2d 72 2d 2d 20 20  |png.-rw-r--r--  |
0240  31 20 32 30 33 34 20 20  32 30 33 34 20 20 20 35  |1 2034  2034   5|
0250  33 39 20 41 70 72 20 32  32 20 31 34 3a 35 34 20  |39 Apr 22 14:54 |
0260  44 6f 6d 69 6e 69 6b 61  6e 69 73 63 68 65 20 52  |Dominikanische R|
0270  65 70 75 62 6c 69 6b 2e  70 6e 67 0a 2d 72 77 2d  |epublik.png.-rw-|
0280  72 2d 2d 72 2d 2d 20 20  31 20 32 30 33 34 20 20  |r--r--  1 2034  |
0290  32 30 33 34 20 20 20 35  33 37 20 41 70 72 20 32  |2034   537 Apr 2|
02a0  32 20 31 34 3a 35 34 20  44 e4 6e 65 6d 61 72 6b  |2 14:54 Dänemark|
02b0  2e 70 6e 67 0a 2d 72 77  2d 72 2d 2d 72 2d 2d 20  |.png.-rw-r--r-- |
02c0  20 31 20 32 30 33 34 20  20 32 30 33 34 20 20 20  | 1 2034  2034   |
02d0  37 37 30 20 41 70 72 20  32 32 20 31 34 3a 35 34  |770 Apr 22 14:54|
02e0  20 45 63 75 61 64 6f 72  2e 70 6e 67 0a 2d 72 77  | Ecuador.png.-rw|
02f0  2d 72 2d 2d 72 2d 2d 20  20 31 20 32 30 33 34 20  |-r--r--  1 2034 |
0300  20 32 30 33 34 20 20 20  35 38 38 20 41 70 72 20  | 2034   588 Apr |
0310  
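
The mismatch the thread circles around (FFS stores a name as opaque bytes, the application encodes its lookup as UTF-8, the stored name is Latin-1, open(2) returns ENOENT) can be reproduced without a terminal at all. The following is an added example, my own code rather than anything from the post or from OpenBSD: it rebuilds bytes from the `hexdump -C` format shown above, pulls the raw names out of `ls -al` output, reports which encoding each name is in, and does the lookup with an encoding fallback. The hexdump excerpt, the listing and the file names are constructed for the example.

```python
import re

# Constructed input (not from the post): a `hexdump -C` rendering of one `ls -al`
# line whose name carries a Latin-1 a-umlaut (byte 0xe4), like the listing above.
HEXDUMP_SAMPLE = """\
00000000  2d 72 77 2d 72 2d 2d 72  2d 2d 20 20 31 20 32 30  |-rw-r--r--  1 20|
00000010  33 34 20 20 32 30 33 34  20 20 20 35 33 37 20 41  |34  2034   537 A|
00000020  70 72 20 32 32 20 31 34  3a 35 34 20 44 e4 6e 65  |pr 22 14:54 D.ne|
00000030  6d 61 72 6b 2e 70 6e 67  0a                       |mark.png.|
00000039
"""

# Constructed `ls -al` output with one name stored as Latin-1 (0xe4) and one as
# UTF-8 (0xc3 0x96): the kernel keeps both as opaque bytes and converts nothing.
LISTING = (
    b"total 12\n"
    b"drwxr-xr-x  2 2034  2034  2048 Apr 22 14:54 .\n"
    b"drwxr-xr-x  3 2034  2034   512 Apr 22 14:54 ..\n"
    b"-rw-r--r--  1 2034  2034   547 Apr 22 14:54 Belgien.png\n"
    b"-rw-r--r--  1 2034  2034   537 Apr 22 14:54 D\xe4nemark.png\n"
    b"-rw-r--r--  1 2034  2034   602 Apr 22 14:54 \xc3\x96sterreich.png\n"
)


def parse_hexdump_c(text):
    """Rebuild the original bytes from `hexdump -C` output.

    Each row is `offset  xx xx ... |ascii|`; a bare `*` row means the previous
    16-byte row repeats up to the offset printed on the next row.
    """
    out = bytearray()
    prev = b""
    repeat = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "*":
            repeat = True
            continue
        fields = line.split("|", 1)[0].split()   # drop the ASCII column
        offset = int(fields[0], 16)
        if repeat:
            while len(out) < offset:
                out += prev
            repeat = False
        chunk = bytes(int(h, 16) for h in fields[1:])
        if chunk:
            prev = chunk
        out += chunk
    return bytes(out)


# Mode, links, owner, group, size, month, day, time-or-year, then the name.
LS_LINE = re.compile(
    rb"^[-dlbcps][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    rb"[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4})\s+(.+)$"
)


def names_from_ls(listing):
    """Return the raw (bytes) names from `ls -al` output, minus `.` and `..`."""
    names = []
    for line in listing.split(b"\n"):
        m = LS_LINE.match(line)
        if m and m.group(1) not in (b".", b".."):
            names.append(m.group(1))
    return names


def classify(name):
    """'ascii', 'utf-8' or 'latin-1'. Every byte string decodes as Latin-1, so
    that is only a plausible fallback, not proof of the original encoding."""
    if all(b < 0x80 for b in name):
        return "ascii"
    try:
        name.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "latin-1"


def find_entry(entries, wanted):
    """The fix on the application side: instead of open(wanted.encode('utf-8'))
    and an ENOENT, try each encoding the name may have been stored in and report
    which one matched. Returns (encoding, raw_name) or None."""
    for enc in ("utf-8", "latin-1"):
        try:
            raw = wanted.encode(enc)
        except UnicodeEncodeError:      # e.g. a name outside Latin-1
            continue
        if raw in entries:
            return enc, raw
    return None


if __name__ == "__main__":
    print(parse_hexdump_c(HEXDUMP_SAMPLE))
    entries = set(names_from_ls(LISTING))
    for raw in sorted(entries):
        print(f"{classify(raw):8s} {raw!r}")
    for wanted in ("D\u00e4nemark.png", "\u00d6sterreich.png", "Chile.png"):
        print(wanted, "->", find_entry(entries, wanted))
```

On a real system the set of entries comes from os.listdir(b".") (a bytes argument, so Python does not try to decode the names itself). The fallback in find_entry is a diagnosis aid, not a cure: the durable fix is to make every producer of file names (upload handler, FTP server, the web application) agree on one encoding.
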

Re: UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi,

On Wed, 13.05.2009 at 19:26:59 +0900, Jordi Beltran Creix wrote:
> print '?' or an octal escape sequence on nonprint chars. With a hacked
> libc and a utf-8 version of multibyte functions as well as a few fixes
> on apps solve most of these problems, gtk apps and scim will be happy
> with just being able to set the locale(2).

thanks for caring, but ATM I really don't need UTF-8 support in OpenBSD
and on level 7. My only problem is that a user creates files with the
wrong names, and then can't "find" them later. It's a (his) web app, so
no terminal/scim/...-stuff is required here - it's really only the
ability to handle UTF-8 filenames properly, and saying that OpenBSD
won't interfere with any file names which comply with the rules Otto
mentioned, imho amounts to saying that the problem is created somewhere
within the application area, starting with his required
"infrastructure" (eg, some apps from the ports tree), or even outside
(farther away) of that.

> However, advanced console applications will need the full character
> support and also support in the console driver for full glitch-less
> functionality. Your problem is likely 1 or 2.

Ummm...


Kind regards,
--Toni++



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-13 Thread Toni Mueller
Hi,

On Thu, 30.04.2009 at 11:21:50 -0600, Bob Beck  wrote:
>   The best place to get OpenBSD is from an official CD set, produced in
> a secured location

FWIW, I have what I think are official CDs, and they contain OS code
dated 2009-02-28 22:41 UTC. This means the official code was produced
two months before the release date.


-- 
Kind regards,
--Toni++



strange performance problem (4.5)

2009-05-20 Thread Toni Mueller
Hi,

I've just upgraded a (server) machine to 4.5, and now experience a
strange performance problem. The problem itself manifests in about
95-100% CPU usage (0-1% idle), permanently, without being able to see
much in top.  This is distributed to about 8-25% system and the rest
almost exclusively user. The most CPU intensive process, as seen by
'top', consumes between some 0-5% CPU, the second most intensive
process consumes 0-1%, and the rest appears to use negligible amounts
of CPU.  Disk I/O, according to systat, is less than 50KB per second,
and network I/O is less than 10KB/s, aggregated (mostly under 1KB/s).
In other words, the machine should be 90-100% idle.

The machine had no such problems while running 4.4.

What gives?


Kind regards,
--Toni++


OpenBSD 4.5 (GENERIC.MP) #108: Sat Feb 28 14:58:58 MST 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 552 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 536424448 (511MB)
avail mem = 510390272 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/19/99, BIOS32 rev. 0 @ 0xf06b0, SMBIOS rev. 2.3 @ 0xf1f70 (45 entries)
bios0: vendor Award Software, Inc. version "ASUS P3B-F ACPI BIOS Revision 1004" date 10/19/1999
bios0: ASUSTeK Computer INC. P3B-F
apm0 at bios0: Power Management spec V1.2 (BIOS management disabled)
apm0: APM power management enable: unrecognized device ID (9)
apm0: APM engage (device 1): power management disabled (1)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0xf12
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0e70/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:04:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4c00 0xd/0x1000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe400, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Matrox MGA G400/G450 AGP" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 4 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 4 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 4 function 2 "Intel 82371AB USB" rev 0x01: irq 9
piixpm0 at pci0 dev 4 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
lm1 at iic0 addr 0x2d: AS99127F
gdt0 at pci0 dev 10 function 0 "Vortex GDT7x18RN" rev 0x00: irq 12 dpmem e100 2-bus 2 cache devices
gdt0: ver 11b, cache on, strategy 2, writeback on, blksz 32
gdt0: raw feat 1 cache feat 101
scsibus1 at gdt0: 35 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 17500MB, 512 bytes/sec, 35841015 sec total
sd1 at scsibus1 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 35236MB, 512 bytes/sec, 72163980 sec total
scsibus2 at gdt0: 16 targets, initiator 7
scsibus3 at gdt0: 16 targets, initiator 7
fxp0 at pci0 dev 13 function 0 "Intel 8255x" rev 0x08, i82559: irq 9, address 00:90:27:8f:88:23
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask ff65 netmask ff65 ttymask 
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b



Re: multilink VPN

2009-05-29 Thread Toni Mueller
Hi,

On Wed, 27.05.2009 at 22:07:25 -0300, James Mackinnon wrote:
> I need to setup redundant VPN's between these locations without the use of
> BGP.

> I have used sasync in the past, pfsync etc however, I have not tried to setup
> a VPN where 2 ISPs are used without the ISPs setup with BGP.  Because BGP
> convergence can take a bit of time, and the network in this case not being
> able to drop for 1 second, I need to determine what option is best.

I heavily doubt that you'll be able to keep the network up at all
times because even CARP failover will take longer than one second.

> I have spoken with a cisco guy today and they can do multilink VPN's on cisco
> for this,

Did he actually tell you how they make sure that there'll be no
downtime of even one second? Was the explanation technically sound?
How about error conditions in the Internet, between your sites? 



FWIW, I've configured semi-"multilink" VPN in the past (before the
"CARP age"), with this kind of setup:


LAN1 --- FW{1,2} --- Internet --- FW{3,4} --- LAN2

with

LAN1, FW1, FW2: my end

FW3, FW4, LAN2: other end (not accessible to me)



Manually switching between FW1 and FW2 usually took on the order of
8-15 seconds.


The other side switched between FW3 and FW4 at their leisure, w/o
telling anyone.

The idea for configuring this with isakmpd.conf was to have both peers
configured on both of your firewalls, and then add as many IPsec
connections as needed so that you cover all connection pairs.

That way, you can access LAN2 from LAN1 regardless whether FW3 or FW4
is operational. In my setup, one of the tunnels simply vanished and the
other appeared, if the other side switched their firewalls.

Now, if you can detect your conditions under which you want to fail
over to the other firewall (eg. fiber cut), it should be easy to
cook up a script and fire it on such an event.


But you won't get away without any downtime, and if you find out how to
do this on the IP level, I'm interested to hear about it.

I strongly suspect that if you really want to force less than 1 second
of downtime even in the case of error, then you need to swap IP for a
real high-reliability type of connection like telcos use in their long
hauls (eg. SDH).

But if you can weed out duplicate packets, you might be able to create
some magic with bridging and move all packets over both links all the
time, dropping one half at the receiving end(s). But this is only a
shot in the dark - I don't know how to do this.

I'm curious about what kind of application you have that does not
tolerate 1 second of downtime?

If someone has an idea about how to configure this with ipsec.conf, I'm
eager to hear.


Kind regards,
--Toni++
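
As an added example (my own code, not from the thread and not from OpenBSD), here is a small Python generator for the all-pairs layout the post describes, rendered in ipsec.conf(5) syntax: every local gateway gets one flow definition per remote gateway, so whichever pair of gateways is alive can bring a tunnel up, and a helper picks the file that the failover script mentioned above would load with ipsecctl(8). The networks, addresses and gateway names are assumptions (RFC 5737 documentation ranges), and the pre-shared keys are generated per pair; on a real deployment use the certificate-based authentication discussed elsewhere in this archive.

```python
from itertools import product
import secrets

# Assumed topology (documentation addresses, RFC 5737); nothing here is from the post.
LAN1 = "10.1.0.0/24"                                      # behind FW1/FW2
LAN2 = "10.2.0.0/24"                                      # behind FW3/FW4
MINE = {"fw1": "192.0.2.1", "fw2": "192.0.2.2"}            # my end
THEIRS = {"fw3": "198.51.100.1", "fw4": "198.51.100.2"}    # other end
ID_DOMAIN = "vpn.example.net"                              # assumed, for srcid/dstid


def all_pairs(mine, theirs):
    """Every (local, remote) gateway combination: with two gateways per side
    that is four possible tunnels, of which one is live at any moment."""
    return list(product(sorted(mine), sorted(theirs)))


def per_pair_psks(mine, theirs):
    """One random pre-shared key per pair, so a key leaked from one box does
    not authenticate every tunnel. Keys are unordered pairs, so the same table
    serves both ends."""
    return {frozenset(pair): secrets.token_hex(32) for pair in all_pairs(mine, theirs)}


def render_flow(local, local_ip, peer, peer_ip, src, dst, psk):
    """One ipsec.conf(5) stanza for a single gateway pair."""
    return (
        f"ike esp from {src} to {dst} local {local_ip} peer {peer_ip} \\\n"
        f"    main auth hmac-sha2-256 enc aes-256 group modp2048 \\\n"
        f"    quick auth hmac-sha2-256 enc aes-256 group modp2048 \\\n"
        f"    srcid {local}.{ID_DOMAIN} dstid {peer}.{ID_DOMAIN} \\\n"
        f'    psk "{psk}"\n'
    )


def render_site(mine, theirs, src, dst, psks):
    """Map filename -> ipsec.conf text for one side: one file per (local, peer)
    pair, so a gateway loads only the file for the remote that currently answers.
    The other side calls this with the two dicts and the two networks swapped."""
    files = {}
    for local, peer in all_pairs(mine, theirs):
        files[f"ipsec-{local}-{peer}.conf"] = render_flow(
            local, mine[local], peer, theirs[peer], src, dst,
            psks[frozenset((local, peer))])
    return files


def choose_conf(local, candidates, reachable):
    """Which file the failover hook should load on `local`, given the remote
    gateways (a subset of `candidates`) that currently answer a probe; None
    when no remote gateway is reachable at all."""
    for peer in sorted(candidates):
        if peer in reachable:
            return f"ipsec-{local}-{peer}.conf"
    return None


if __name__ == "__main__":
    psks = per_pair_psks(MINE, THEIRS)
    for name, text in render_site(MINE, THEIRS, LAN1, LAN2, psks).items():
        print(f"### {name}\n{text}")
    # What the event hook would run on fw1 after the link to fw3 goes away:
    conf = choose_conf("fw1", THEIRS, reachable={"fw4"})
    print(f"ipsecctl -F && ipsecctl -f /etc/{conf}")
```

The generator writes one file per pair rather than one file with all flows because a flow is selected by its from/to networks: two flows for the same LAN1-to-LAN2 pair pointing at different peers are not something a single gateway can usefully have installed at once, which is why the post's event-driven script is the natural place to flush and reload. The psk files contain secrets and belong in /etc with mode 0600, like ipsec.conf itself.
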



Re: Where's demime?

2009-05-30 Thread Toni Mueller
Hi,

On Fri, 29.05.2009 at 09:29:39 +0200, ropers  wrote:
> I know that demime is being used on the misc mailing list.
> I even tried to see if it's contained in some other package:
> http://www.google.ie/search?q=demime+inurl%3Aopenbsd.org+inurl%3Acontents.html
> 
> A Google search for openbsd and demime returns too many archived mails

a quick search for 'demime', ie, w/o 'openbsd', returns this near the
top of the list:

http://www.freshports.org/mail/demime/


Kind regards,
--Toni++




Re: arp table timeout / how to update automatically if foreign MAC changes?

2009-06-03 Thread Toni Mueller
Hi,

On Tue, 11.03.2008 at 15:59:24 +0100, smartTERRA NOC  wrote:
> I have found a workaround: heartbeat. Heartbeat uses (like carp on  
> OpenBSD) a virtual MAC address, so there is no problem with the arp  
> cache on the OpenBSD firewall.

how do I do this if the remote machines run OpenBSD, but can't run
CARP?

I tried to ping from the new machine to "distribute" the new MAC/IP
association, but to no avail. The OpenBSD gateway just ignored the
change and only learned the new address when I manually deleted the arp
entry.

TIA!


Kind regards,
--Toni++



Re: ipsec config with x509 certificates

2009-06-12 Thread Toni Mueller
Hi Eric,

On Fri, 13.03.2009 at 19:16:32 +0100, Eric Belhomme wrote:
> - copying my host private key on /etc/isakmpd/private/local.key
> - copying my host public key on /etc/isakmpd/keynote//credentials

I was so far unable to get this keynote-credentials stuff working.
Therefore I set up X.509 authentication like this:

With the x509 cert consisting of the two parts cert.crt and cert.key, I
place the cert.key file in /etc/isakmpd/private and the cert.crt file
in /etc/isakmpd/certs. The cert has to be issued by a CA a cert of which
is present in /etc/isakmpd/ca, and the names of the files have to
correspond to the value of the SubjectAlternativeName section, which I
mention in my isakmpd.conf and isakmpd.policy files.

> The thing I can't figure is HOW the x509 certificates are handled,
> because I'm not sure I did the right things :

On OpenBSD, you can watch the negotiation using this command (assuming
that fxp0 is your Internet-facing NIC):

# tcpdump -s1500 -vvv -ni fxp0 host  and \( port 500 or port 4500 or esp \)



Kind regards,
--Toni++


