PF: (max-src-conn 1, max-src-conn-rate 1/1, overload )

2023-06-25 Thread Maxim Bourmistrov
Hello, I'm not part of this mailing list, so reply to me directly if necessary. (Sent this to pf@, which seems not to exist any more) The following is given in pf.conf: ### int pass in on int from any to any keep state \ (max-src-conn 1, max-src-conn-rate 1/1, overload ) pass out on int from any

Re: Reboot and re-link

2019-06-20 Thread Maxim Bourmistrov
Why the f I have old kernel? The ONE taking care of all sh. On Thu, 20 Jun 2019 at 22:43, Maxim Bourmistrov wrote: > btw, after reboot, sys converted to 6.4 kernel. yet again > I removed all /bsd* > Do I need to rm /usr/obj* as well > > On Thu, 20 Jun 2019 at 22:12, Theo

Re: Reboot and re-link

2019-06-20 Thread Maxim Bourmistrov
d, Jun 19, 2019 at 11:29:32PM +0200, Maxim Bourmistrov wrote: > > > >> Hey, > >> > >> long story short: reboot and re-link is not practical. > >> > >> Long story: > >> Time to upgrade 6.4 to 6.5. > >> If re-link been active in 6.4

Reboot and re-link

2019-06-19 Thread Maxim Bourmistrov
Hey, long story short: reboot and re-link is not practical. Long story: Time to upgrade 6.4 to 6.5. If re-link had been active in 6.4 (don't remember) - I never noticed it. Installing via NOT RECOMMENDED WAY (following upgrade65.html) - scripting on steroids (ansible). All down. Reboot. and now I

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-30 Thread Maxim Bourmistrov
Yepp. I ended up with a -stable kernel and syspatch refusing to pull down patches, but this is another story. It's up2date now. Thanks all. Br > On 30 May 2018 at 09:36 Peter Hessler wrote: > > Assuming 1.140 is the "problem", 1.151 should fix it.

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Maxim Bourmistrov
supported anymore, > and in any event, you need to include full dmesg so that others without DL360 > Gen9 have a chance at helping you. > > Maxim Bourmistrov [m...@alumni.chalmers.se] wrote: >> Hey, >> While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attac

Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Maxim Bourmistrov
Hey, While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attach ix-device. Machine is HP DL360 Gen9. ix0 at pci5 dev 0 function 0 "Intel 82599" rev 0x01: mmba is not mem space ix1 at pci5 dev 0 function 1 "Intel 82599" rev 0x01: mmba is not mem space Found this thread

Re: nsd does not stop

2018-05-06 Thread Maxim Bourmistrov
Is nsd.conf broken? shell# nsd-checkconf /var/nsd/etc/nsd.conf > On 3 May 2018 at 16:27 Vivek Vinod wrote: > > Dear Misc, > > on stopping nsd from command line, nsd does not stop at all > > Config: > OpenBSD 6.3 > nsd remote control is disabled > nsd ipv6 is disabled

Re: Intel X-550T 10 GbE Adapter cards

2018-05-06 Thread Maxim Bourmistrov
> On 6 May 2018 at 22:43 Sebastian Benoit wrote: > > Peter J. Philipp (p...@centroid.eu) on 2018.05.06 21:47:02 +0200: >> Hi, >> >> The ix(4) manpage mentions there is support: >> >> o Intel X550-T 10GbE Adapter (10GbaseT/1000baseT/100baseTX) >> >> However there is a

Re: OSPF over gif on top of IPsec transport -current

2018-03-13 Thread Maxim Bourmistrov
> On 13 March 2018 at 11:56 Marc Peters wrote: > > On Tue, Mar 13, 2018 at 10:24:43AM +0100, Remi Locherer wrote: >>> and it is harder for traffic inside the tunnel >>> to leak out of ipsec. more specifically, gif handles 3 ip protocols, >>> ipv4, ipv6, and mpls, which are ip

Re: acme-client No registration exists matching provided key

2018-02-03 Thread Maxim Bourmistrov
I also had to remove /etc/acme/letsencrypt-privkey.pem and re-do the process. Just updating the link to the PDF did not help. > On 2 Feb 2018 at 05:01 Predrag Punosevac wrote: > > Jordan Geoghegan wrote: > >> Hi, >> >> I recently dealt with this issue

Re: Kernel panic with openbsd 6.2

2018-01-25 Thread Maxim Bourmistrov
As Stuart mentioned, em(4) on top of e1000 has proven to be more stable, even under higher load. vmx starts to misbehave under high load, resulting, for example, in an unstable CARP setup. //mxb > On 25 Jan 2018 at 02:40 trondd wrote: > > On Mon, January 22, 2018 10:47 am, Mik J

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
rel and stable here. Eat it". //mxb > On 21 Dec 2017 at 23:19 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > > Fixed in HEAD?! - my ass. Who puts HEAD into prod?! Not me any more, that's > for sure. > IS LIKE DROPPING A TURBO ENGINE INTO CAR WITH N

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Dec 2017 at 23:07 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > Solved?! > > What abt OPTIONS in relay_http.c ? > Solved? > Maybe in HEAD.(?) > I have to hand-roll this in src for 6.2 to have it working. > —> toread=0; > You know. > > /

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Solved?! What abt OPTIONS in relay_http.c ? Solved? Maybe in HEAD.(?) I have to hand-roll this in src for 6.2 to have it working. —> toread=0; You know. //mxb > On 21 Dec 2017 at 22:40 Janne Johansson <icepic...@gmail.com> wrote: > > 2017-12-21 21:58 GMT+01:00 Ma

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
I had to bypass relayd to roll prod stable. Down to apache. Taking care of http and https. By redirect. Now this setup (if I can call it that) is stable. P.S. Looks like we have to move forward from here. > On 21 Dec 2017 at 21:58 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: >

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Sorry, but I have to say Releases after 5.9 are NOT production stable. (Until all bugs are smashed within stack changes and SMP unlock). After 5.9 - cost money and effort. MONEY. //mxb > On 21 Dec 2017 at 20:29 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > Hey, > Af

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
2017 at 20:29 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > Hey, > After upgrading from 6.0-stable to 6.2-stable (syspatch) the existing setup > started to hang. > As of the burst of emails from me, the following is known: > > Relayd is the main process taking CPU. > Also

OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Hey, After upgrading from 6.0-stable to 6.2-stable (syspatch) the existing setup started to hang. As of the burst of emails from me, the following is known: Relayd is the main process taking CPU. Also running ospfd and bgpd (for blocklist distrib) With 6.0, relayd used to have two or more procs with high CPU

Re: IPMI still requires Java! I'm screwed.

2017-12-21 Thread Maxim Bourmistrov
Yepp. I have bios0: Supermicro X10DRT-PT With latest IPMI firmware and have html5. > On 21 Dec 2017 at 12:00 kasak <ka...@kasakoff.net> wrote: > > >> On 21 Dec 2017, at 12:16, Maxim Bourmistrov <m...@alumni.chalmers.se> >> wrote: >> >>

Re: IPMI still requires Java! I'm screwed.

2017-12-21 Thread Maxim Bourmistrov
Even X10 can be upgraded to get html5. > On 21 Dec 2017 at 06:50 kasak wrote: > > >> On 21 Dec 2017, at 0:03, Chris Bennett >> wrote: >> >> I found a new server that uses IPMI and offers using it >> to setup your own custom OS.

Re: Upgrade 6.1 -> 6.2: No /mnt/etc/myname

2017-10-12 Thread Maxim Bourmistrov
This is, indeed, a symlink. Thanks for opening my eyes. //mxb > On 12 Oct 2017 at 01:42 Steven McDonald wrote: > > This is a complete guess, but is /etc/myname a symbolic link? If it is > a symlink to an absolute path, that is unlikely to exist in the bsd.rd >

Re: relayd: high CPU usage by one or two proc. of many

2017-10-11 Thread Maxim Bourmistrov
to accommodate relayd. Am I safe to have 1+M of fds as kern.maxfiles ?? //mxb > On 27 Sep 2017 at 21:34 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > My intention with this mail is to gather more qualitative help > to, hopefully, ever solve this or to have more info so

Upgrade 6.1 -> 6.2: No /mnt/etc/myname

2017-10-11 Thread Maxim Bourmistrov
Hey, Upgrade from 6.1 to 6.2 via bsd.rd fails. Mounting /dev/sd0a /mnt - OK No /mnt/etc/myname! # Mount of sd0a as read-only OK - shows in ’mount’ #cat /mnt/etc/myname - no such file Booting back to bsd (6.1) and file is there. 6.2 files are as of Oct 4 from ftp.eu.openbsd.org

Re: relayd: high CPU usage by one or two proc. of many

2017-09-27 Thread Maxim Bourmistrov
My intention with this mail is to gather more qualitative help to, hopefully, ever solve this or to have more info so it can be provided to someone who can solve this, if it is a bug. What I know for sure is that those boxes (dual-node setup) are exposed to large HTTP PUT/POST requests.

Re: relayd: high CPU usage by one or two proc. of many

2017-09-27 Thread Maxim Bourmistrov
Hey, had to bring this up again as I'm facing the same problem. Exactly with the same 'error 35' in trace. This time it is a 6.0-stable. Anything else can be done to track this down? Br Maxim > On 24 Feb 2016 at 10:53 Stuart Henderson wrote: > > On 2016-02-24, mxb

OpenBSD 6.1-stable lock up

2017-08-31 Thread Maxim Bourmistrov
Hey, having a dual-node setup of 6.0 in prod, I decided to move forward with one of the machines and upgrade to 6.1-stable. Ended up with the benchmark tool "locking" the 6.1 machine. Background: Nodes are Xeon E5-2642v3 3.4Ghz x12, 16G RAM, 64G DOM modules as hdd, 4x X540T (ix) - 2x on-board and 2x

Re: relayd l7 loadbalancing

2017-08-16 Thread Maxim Bourmistrov
Once a connection is established, a state is created in PF. Subsequent requests will be 'pipelined'. It is possible to influence this behavior by manipulating tcp.established in pf.conf, but I don't think this is what you want. > On 16 Aug 2017 at 10:05 Mischa Peters wrote: > >

rdomain and loopback ifs

2017-07-14 Thread Maxim Bourmistrov
Hey, Not sure if this is already known, but while creating an rdomain shell# ifconfig vmx5 rdomain 1 the OS assumes that for this particular domain number 1, lo1 will be used as a "glue" between domains. However, it is not checked if this loopback is already within any rdomain. In my case, it is yet

Re: Limit internet connection by time of day and number of hours

2017-07-06 Thread Maxim Bourmistrov
Hey, I have a somewhat similar situation at home. However, I never found a straightforward setup. I can do a manual BLOCK OUT with a script, and probably, if I'd link this script to a cron, I'd somehow get the setup you are after. I do depend on dhcpd giving out a static IP to a given MAC and thus I

Re: relayd: incomplete response from a TLS-accelerated apache

2017-05-08 Thread Maxim Bourmistrov
Compiling relayd with -DDEBUG=3 and watching the output gave me nothing. No errors whatsoever about out of buffers or something else. However, removing 'socket buffer 65536' solved my problem. Br > On 8 May 2017 at 13:27 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: >

relayd: incomplete response from a TLS-accelerated apache

2017-05-08 Thread Maxim Bourmistrov
Hey, I am investigating a problem where the TLS-accelerated machine's response is incomplete. I was able to reproduce this on OpenBSD 5.9, 6.0 and 6.1. Test on 5.8 is about to be. Following env I have: relay1: relayd machine web1: apache 2.2.31 serving the request client1: requester relay1 is configured

Re: OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Maxim Bourmistrov
> On 5 May 2017 at 15:55 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > >> On 5 May 2017 at 14:41 Hiltjo Posthuma <hil...@codemadness.org> wrote: >> >> On Fri, May 05, 2017 at 12:30:56PM +0200, Maxim Bourmistrov wrote: >>> >>> Hey,

Re: OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Maxim Bourmistrov
> On 5 May 2017 at 14:41 Hiltjo Posthuma <hil...@codemadness.org> wrote: > > On Fri, May 05, 2017 at 12:30:56PM +0200, Maxim Bourmistrov wrote: >> >> Hey, >> on OpenBSD 6.0-stable I have the following configuration for relayd: >> >> snip——— >>

OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Maxim Bourmistrov
Hey, on OpenBSD 6.0-stable I have the following configuration for relayd: snip——— interval 10 timeout 1200 prefork 15 log all —— Respective login.conf to spawn more relayd procs: relayd:\ :maxproc-max=31:\ :maxproc-cur=15:\ :openfiles=65536:\

Relayd: session timeout

2017-05-04 Thread Maxim Bourmistrov
Hey list, I have following relay configured on two-node setup. Each node acts as MASTER for one IP and BACKUP for another. The opposite on the second node. tcp protocol tcp_proto { tcp { nodelay, sack, socket buffer 65536, backlog 128 } } relay rabbitmq { listen on $VIP1 port

Re: Playstations and PF de-fragmentation

2017-05-03 Thread Maxim Bourmistrov
Thanks for sharing. I'll re-use this at home. Br > On 1 May 2017 at 01:43 Kevin Chadwick wrote: > > > I find that to prevent connection timeouts on playstations, the > following is required. Hopefully they will fix their packet AND > connection handling one day. > > match

Re: torrent downloads

2017-04-27 Thread Maxim Bourmistrov
ISO is burned down to the CD you buy. To install you really just need to PXE. > On 27 Apr 2017 at 13:55 Thuban wrote: > > Hello, > I was wondering if there is any particular reason explaining why there > is no torrent file to retrieve OpenBSD *.fs and *.iso. > > I've

Re: 6.1: /usr/local/bin/node: W^X binary outside wxallowed mountpoint

2017-04-26 Thread Maxim Bourmistrov
Thanks all for replying. The key part was 1) in Todd's answer. Mounted /home with wxallowed already. Just needed to 'cp' the binary into it. Br > On 25 Apr 2017 at 22:43 Todd C. Miller <todd.mil...@courtesan.com> wrote: > > On Tue, 25 Apr 2017 16:49:36 +0200, Maxim Bourmistrov w

6.1: /usr/local/bin/node: W^X binary outside wxallowed mountpoint

2017-04-25 Thread Maxim Bourmistrov
Hey, Any work around for this one? Mount with wxallowed not working. Br

Re: Can't kill a state with pfctl?

2017-03-06 Thread Maxim Bourmistrov
I’m doing something like this at home. table persist ### block machines out block out quick on egress tagged BLOCK pass out quick on egress from to any nat-to (egress:0) keep state \ (max-src-conn 1, max-src-conn-rate 1/1, overload flush global) tag BLOCK Then I just add IP to , the

Re: relayd(8) relay: redirect based on URL paths

2017-03-06 Thread Maxim Bourmistrov
table { 192.168.10.31 } table { 192.168.10.78 } http protocol somename { tcp { nodelay, sack, backlog 1024 } match header set "Proxy" value "filtered" match header set "X-Forwarded-For" value "$REMOTE_ADDR" match header set "X-Forwarded-By" value

Re: Content filtering through pf?

2017-03-06 Thread Maxim Bourmistrov
privoxy will be faster, I think, as well as the footprint on the system. But both privoxy and squid are a bit different, especially if you'll need to chain proxies. > On 24 Feb 2017 at 17:39 Alan Corey wrote: > > I'm looking at privoxy although I'm not sure it's more

Re: two ip with carp

2017-03-06 Thread Maxim Bourmistrov
Just create carp3 and configure it the same way as carp0, except for the password. No aliases whatsoever. Later in pf.conf do a nat-to from dnz to carp3. fw1# ifconfig trunk0 trunk0: flags=8943 mtu 1500 lladdr 00:25:90:f9:74:b0

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-14 Thread Maxim Bourmistrov
recv_db_description: neighbor ID 10.4.255.29: seq num mismatch, bad flags > On 14 Feb 2017 at 11:56 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > >> On 14 Feb 2017 at 11:33 Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote: >> >>

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-14 Thread Maxim Bourmistrov
> On 14 Feb 2017 at 11:33 Jeremie Courreges-Anglas wrote: > > I have no idea why you're getting this kind of error, but maybe you > can simplify your setup a bit more. Can you reproduce when using just > em1 (out of the trunk) instead of trunk1? Just bnx1? I'll try to modd

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-14 Thread Maxim Bourmistrov
=1 .96=1.97 > from -current. This will track interface MTU changes. > > > On 2017 Feb 09 (Thu) at 14:51:05 +0100 (+0100), Maxim Bourmistrov wrote: > :This actually a default setting for this switch, then you don’t configure > :jumbo at all. > :'sh running-config all’ shows

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
Hm, seems that I mistyped the MTU in my original mail. lacp system-priority 1 rate-limit cpu direction input pps 1024 system jumbo mtu 1518 It is 1518 by default. > On 9 Feb 2017 at 14:51 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > > This actually a default setti

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
net packet which should > be 1518 (16 bytes for the ethernet header). > > Is it fixed if you change it to 1518, or drop that line completely? > > > > On 2017 Feb 09 (Thu) at 14:12:32 +0100 (+0100), Maxim Bourmistrov wrote: > :I see similar behavior with Cisco Nexus and 5.

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
I see similar behavior with Cisco Nexus and 5.9-stable. However, not 100% sure if it is the same trigger. > On 9 Feb 2017 at 14:08 Maxim Bourmistrov <m...@alumni.chalmers.se> wrote: > > Hey, > > ospfd on 6.0-stable gets stuck in EXCHG/EXSTA while neighboring with Dell N304

OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
Hey, ospfd on 6.0-stable gets stuck in EXCHG/EXSTA while neighboring with a Dell N3048 switch. According to some documentation around, this is due to MTU mismatch. This is not the case for me. N3048: system jumbo mtu 1512 obsd: trunk1: flags=8943 mtu 1500

OpenBSD 5.2-current - panic: mtx_enter: locking against myself

2012-09-12 Thread Maxim Bourmistrov
Hi, I'm getting panic: mtx_enter: locking against myself on not so -current OpenBSD 5.2-current (snapshot). Machine is not dropping into ddb even if sysctl.conf says it should. Console is filled with panic: mtx_enter: locking against myself and seems to loop. OpenBSD 5.2-current (GENERIC.MP)

Re: PF: table sync

2012-02-05 Thread Maxim Bourmistrov
On Feb 5, 2012, at 10:47 AM, Otto Moerbeek wrote: pfsync does not sync pf tables. Exactly, but it would be nice to have. //maxim

Re: PF: table sync

2012-02-05 Thread Maxim Bourmistrov
On Feb 5, 2012, at 8:17 PM, Camiel Dobbelaar wrote: On 5-2-2012 16:01, OSN | Marian Fischer wrote: On 05.02.2012 11:32, Maxim Bourmistrov wrote: On Feb 5, 2012, at 10:47 AM, Otto Moerbeek wrote: pfsync does not sync pf tables. Exactly, but it would be nice to have. //maxim Hi, you

PF: table sync

2012-02-04 Thread Maxim Bourmistrov
Hi misc@, my question is probably directed to devs working with/on PF. Is something like table sync planned to be implemented in PF? eg: table tbl persist sync would sync all entries to the remote peer, inc. tracking add/del to it. //maxim

Re: pfsync states growing on carp backup firewall

2011-11-09 Thread Maxim Bourmistrov
You might test to pull down if_pfsync.c from -current or flush states much sooner on failover with pf.conf (adaptive.start adaptive.end) //maxim On Nov 9, 2011, at 9:49 AM, ML mail wrote: Hi, I am running OpenBSD 5.0 amd64 on two firewalls using CARP (one master and one backup) for

Re: pfsync states growing on carp backup firewall

2011-11-09 Thread Maxim Bourmistrov
with: set timeout { adaptive.start 1, adaptive.end 3 } So despite this small issue, is the fail-over with keeping states still functional? Regards, ML - Original Message - From: Maxim Bourmistrov m...@alumni.chalmers.se To: ML mail mlnos...@yahoo.com Cc: misc@openbsd.org misc

Re: PFSYNC - pf.conf best practice

2011-10-31 Thread Maxim Bourmistrov
, 2011 at 11:25 AM, Mike Belopuhov m...@crypt.org.ru wrote: On Thu, Oct 27, 2011 at 11:18 AM, Mike Belopuhov m...@crypt.org.ru wrote: On 26-10-2011 20:32, Maxim Bourmistrov wrote: The side question, after observing 'systat -s1 states', is WHY failover-side doubles exp. time?? I'm more expected

Re: CARP failover and states expiration

2011-10-31 Thread Maxim Bourmistrov
For the record: mikeb@ picked this up in PFSYNC - pf.conf best practice-thread. On 10/31/2011 12:48 PM, Henning Brauer wrote: * Maxim Bourmistrovm...@alumni.chalmers.se [2011-10-26 08:23]: I have a CARP setup in failover. Is there any reason for ESTABLISHED states on the failover node to

Re: pfsync on more than 2 hosts

2011-10-27 Thread Maxim Bourmistrov
On 10/27/2011 03:16 PM, Laurent CARON wrote: On Wed, Oct 19, 2011 at 12:46:49PM +0200, Laurent CARON wrote: Hi, I'm currently wondering what is the best way to run pfsync between 4 hosts. If I'm not mistaken, pfsync only has one interface, aka pfsync0 If I use it in unicast mode, i'm then

CARP failover and states expiration

2011-10-26 Thread Maxim Bourmistrov
Hi list, I have a CARP setup in failover. Is there any reason for ESTABLISHED states on the failover node to have double expiration time? Eg. on master the exp. time is 5h (set optimisation aggressive), while on slave it is 10h. Is there any way to control it? Both machines are 5.0-current.

Re: pfsync0 MTU

2011-10-26 Thread Maxim Bourmistrov
I rolled out those patches on my prod. boxes and it works fine so far. On 10/24/2011 03:59 PM, Maxim Bourmistrov wrote: It seems to work as long as BOTH sides have equal setup, eg syncdev and pfsync are set with MTU 9000. carp: pfsync0 demoted group carp by 1 to 129 (pfsync bulk start) carp

PFSYNC - pf.conf best practice

2011-10-26 Thread Maxim Bourmistrov
Hi list, I have faced an interesting problem in active-failover setup for two OpenBSD firewalls with CARP. I'm not sure if this is my fault or if there is something else I just miss. Two 5.0-current in active-failover setup share the same pf.conf. Both are setup with CARP ext/int. pf.conf is

Re: PFSYNC - pf.conf best practice

2011-10-26 Thread Maxim Bourmistrov
clearly in comments, incase any should take over after me. //maxim On Oct 26, 2011, at 8:50 PM, Camiel Dobbelaar wrote: On 26-10-2011 20:32, Maxim Bourmistrov wrote: The side question, after observing 'systat -s1 states', is WHY failover-side doubles exp. time?? I'm more expected to have

Re: pfsync0 MTU

2011-10-24 Thread Maxim Bourmistrov
On 10/23/2011 07:47 AM, David Gwynne wrote: mike, might have to tweak hardmtu in attach too. maybe. dlg On 23/10/2011, at 6:18 AM, Mike Belopuhov wrote: On Sat, Oct 22, 2011 at 20:14 +0200, Maxim Bourmistrov wrote: On both sides I use em(4) with MTU 9000. Then tried to set the same value

Re: pfsync0 MTU

2011-10-24 Thread Maxim Bourmistrov
, Maxim Bourmistrov m...@alumni.chalmers.se wrote: Hi, I patched on side of this tandem do you mean 'one'? then you should obviously patch both. i mean, come on, you wanted to do some research on your own, so do it. and had following setup: fw1: em0 mtu 9000, pfsync0 mtu 2048 fw2: em0 mtu 9000

Re: do not understand how to upgrade to-CURRENT

2011-10-23 Thread Maxim Bourmistrov
Try one more time, if no success - give up and stay on whatever you have right now. On Oct 23, 2011, at 4:50 PM, Zantgo wrote: !!I read the FAQ, because I don't understand this Zantgo On 23-10-2011, at 10:33, Marcos Ariel Laufer mar...@ipversion4.com wrote: This idiot,

Re: do not understand how to upgrade to-CURRENT

2011-10-23 Thread Maxim Bourmistrov
update one snapshot to another would. Zantgo On 23-10-2011, at 12:03, Maxim Bourmistrov m...@alumni.chalmers.se wrote: Try one more time, if no success - give up and stay on whatever you have right now. On Oct 23, 2011, at 4:50 PM, Zantgo wrote: !!I read the FAQ, because I don't

Re: pfsync0 MTU

2011-10-22 Thread Maxim Bourmistrov
, 2011 at 10:40 +0200, Maxim Bourmistrov wrote: Hi list, is there any reason for MTU on pfsync0 to be limited to 2048? yes, when pfsync(4) was written, there was only one mbuf cluster pool: MCLBYTES (2048) sized one. now we have several. Any benefit from having it larger, say up to 9000

pfsync0 MTU

2011-10-20 Thread Maxim Bourmistrov
Hi list, is there any reason for MTU on pfsync0 to be limited to 2048? Any benefit from having it larger, say up to 9000? I enabled MTU 9000 on syncdev and tried on pfsync0. As seen in tcpdump now, sync pkts are large but not as large as 9000 (2048 limit). //maxim

Re: iked+CARP/ active,passive

2011-10-18 Thread Maxim Bourmistrov
Hi all, I clearly have to pay attention to what I put into pf.conf! Tunnel works fine so far. //maxim On Oct 16, 2011, at 1:40 PM, Maxim Bourmistrov wrote: Both sides are now 5.0-current, so this fix is already there. However, tunnel timeout is still there. In logs I see that almost exactly

Co-existens of iked and isakmpd on the same machine

2011-10-18 Thread Maxim Bourmistrov
Hi list, is there a way? I know isakmpd can be bound to a specific IP via isakmpd.conf, but iked seems to bind to any, eg. there is no way to bind it like isakmpd (as far as I know). //maxim

Re: Traffic through default pf queue

2011-10-17 Thread Maxim Bourmistrov
Use pass log and tag TAGGED in pf rules, then tcpdump -i pflog0 On 10/17/2011 02:40 PM, Claudiu Pruna wrote: Hi everyone, I have a question, could anyone give me an idea how I can see (like tcpdump or something) the traffic that is passing through the default queue of pf ?

Re: iked+CARP/ active,passive

2011-10-16 Thread Maxim Bourmistrov
: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:55932, 240 bytes But this only seen on the home GW. //maxim On Oct 15, 2011, at 1:03 PM, Joosep wrote: On Sat, Oct 15, 2011 at 12:13 PM, Maxim Bourmistrov m...@alumni.chalmers.sewrote: Thanks for your replay, Trevor! Yes, indeed, PF was the case

Re: iked+CARP/ active,passive

2011-10-15 Thread Maxim Bourmistrov
wrote: On Oct 14, 2011, at 5:27 AM, Maxim Bourmistrov wrote: Hi all, problem is still there. Both sides are -current now (Oct 6 build). Any ideas what is wrong? //maxim Have you looked at your pf ruleset on both sides of the tunnel? Are you using blanket allow rules for ipsec traffic

em1 - watchdog timeout

2011-10-14 Thread Maxim Bourmistrov
Hi, I'm getting em1 watchdog timeout from bsd.rd while trying to snapshot an already -current box. However, manually moving in bsd from the same date and booting it does not produce those messages. bsd.rd triggering those: OpenBSD 5.0-current (GENERIC) #81: Thu Oct 6 16:05:52 MDT 2011

Re: iked+CARP/ active,passive

2011-10-14 Thread Maxim Bourmistrov
Hi all, problem is still there. Both sides are -current now (Oct 6 build). Any ideas what is wrong? //maxim

iked+CARP/ active,passive

2011-10-13 Thread Maxim Bourmistrov
Hi misc@, I'm trying to understand why my IPSec tunnel is not functioning as expected and especially why packets start to flow as soon as I start to ping from the opposite side. Hopefully someone can explain what is going on and why. Following setup: Network Home(1.1.1.0/25) connecting to the

Re: iked+CARP/ active,passive

2011-10-13 Thread Maxim Bourmistrov
This is iked (IKEv2). No patches, plain from dist. On Oct 13, 2011, at 12:38 PM, Johan Ryberg wrote: 2011/10/13 Maxim Bourmistrov m...@alumni.chalmers.se: Hi misc@, I'm trying to understand why my IPSec tunnel is not functioning as expected and especially why packets start to flow as soon as I

Re: iked+CARP/ active,passive

2011-10-13 Thread Maxim Bourmistrov
As Johan suggested, I'd bring both sides in sync first. Looks like both iked and isakmpd got patched. //maxim On Oct 13, 2011, at 12:38 PM, Johan Ryberg wrote: 2011/10/13 Maxim Bourmistrov m...@alumni.chalmers.se: Hi misc@, I'm trying to understand why my IPSec tunnel is not functioning

Broken src-tree in CVS or is it just me?

2011-07-07 Thread Maxim Bourmistrov
Hi, trying to compile current on amd64 just checked out from anoncvs.eu.openbsd.org. Produces following below. Is it me or src? # cd /usr/src/sys/arch/amd64/compile/GENERIC.MP/ # make clean make depend make rm -f eddep *bsd *bsd.gdb tags *.[dio] [a-z]*.s [Ee]rrs linterrs assym.h cat

Re: IPSEC/SSL accelerator

2011-05-20 Thread Maxim Bourmistrov
: Hi! ubsec0 at pci5 dev 0 function 0 Broadcom 5862 rev 0x01: 3DES MD5 SHA1 AES PK, apic 9 int 0 (irq 10) Joosep On Wed, May 18, 2011 at 8:56 PM, Maxim Bourmistrov m...@alumni.chalmers.sewrote: How does it look in dmesg for this card? Sent from my iPhone On May 18, 2011, at 10:42, Joosep

Re: IPSEC/SSL accelerator

2011-05-18 Thread Maxim Bourmistrov
How does it look in dmesg for this card? Sent from my iPhone On May 18, 2011, at 10:42, Joosep joos...@gmail.com wrote: On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger patrick.oesch...@bluewin.ch wrote: thank you for your input why 'only' 400mbit? the specs say 2gbit for BCM5862 in a

Re: another slow connection on openbsd 3.4

2010-08-24 Thread Maxim Bourmistrov
Indeed. Solved many problems many times. //maxim On Aug 24, 2010, at 20:27, Kenneth R Westerback kwesterb...@rogers.com wrote: On Wed, Aug 25, 2010 at 12:46:16AM +0700, Hendro Susanto wrote: Hi, I just read the article from

pkg_delete

2010-01-29 Thread Maxim Bourmistrov
Hi, trying to update/upgrade pkges from 3.9 to 4.6. Long time touching this box, yes. However: # pkg_delete -F dependencies openldap-client Can't remove openldap-client-2.3.11p4 without also removing: cyrus-sasl-2.1.21p2-ldap (removing them as well) # pkg_info|grep ldap cyrus-sasl-2.1.21p2-ldap

pkg_add/pkg_delete

2010-01-29 Thread Maxim Bourmistrov
Good day, citizens of this ship. While upgrading/updating my 3.6-old box to 4.6 I noticed some issues. Here it comes: I want -F force-flag for pkg_delete - I know what I'm dealing with and I don't want to spend my evening in front of a laptop-screen with my bottle of Stolichnaya. I want to

Re: pkg_delete

2010-01-29 Thread Maxim Bourmistrov
PM, Philip Guenther wrote: On Fri, Jan 29, 2010 at 11:35 AM, Maxim Bourmistrov m...@alumni.chalmers.se wrote: However: # pkg_delete -F dependencies openldap-client Can't remove openldap-client-2.3.11p4 without also removing: cyrus-sasl-2.1.21p2-ldap (removing them as well) # pkg_info|grep

Re: mbuf KPI

2009-08-01 Thread Maxim Bourmistrov
, and handles differently. But I suspect you don't even know what you're asking for. Maxim Bourmistrov [maxim.bourmist...@unixconn.com] wrote: Hello, Is subject something nice to have/on TODO-list? If not, what are the reasons for not having it? //maxim -- Trying to bring taste and skill

Re: mbuf KPI

2009-08-01 Thread Maxim Bourmistrov
Thank you for the answer, Bret. Best regards Maxim Bourmistrov mailto: maxim.bourmist...@unixconn.com tfn.: +46735461332 On 1 aug 2009, at 10.35, Bret S. Lambert wrote: On Sat, Aug 01, 2009 at 10:23:55AM +0200, Maxim Bourmistrov wrote: Actually, I know what I'm asking for. I want

mbuf KPI

2009-07-31 Thread Maxim Bourmistrov
Hello, Is subject something nice to have/on TODO-list? If not, what are the reasons for not having it? //maxim

Re: Troubles in using the VmWare Tools vmt driver

2009-07-04 Thread Maxim Bourmistrov
From vmt(4): vmt provides access to the host machine's clock as a timedelta sensor. That's all it can do for you. On 3 Jul 2009, at 15.56, Alexandre Verriere wrote: Hi list, I'm using virtualization to make a lab testing environment and I'm trying to automate power operations on a VmWare

Re: random crashes on a firewall with OpenBSD 4.5-stable

2009-06-26 Thread Maxim Bourmistrov
Overheating? On 26 Jun 2009, at 17.50, Michal wrote: Well, you can check the Volt readings in the bios, most will give you a reading, but I am sure there is some BSD software out there, maybe someone in the list will know. On windows you can use Speedfan. Even if it's not this, it's worth

Re: Error with red consoles

2009-05-11 Thread Maxim Bourmistrov
You'll probably have to run on VESA. and as you are running OpenBSD as a virtual machine don't expect things to work as they should. Effects/problems you see are probably because of how Microsoft Corporation Virtual Machine virtualizes hardware. //maxim On 11 May 2009, at 13.30, dMITRIJ

swap(encrypt) vs. vnd

2009-05-06 Thread Maxim Bourmistrov
Hello misc@, can anyone answer the following question: why is the codebase used to encrypt/decrypt swap not used to replace/complement vnd? Complement means skip the creation of the encrypted image part and work directly with the block device. //maxim

automaticaly mount/umount encrypted $HOME or ...

2009-04-28 Thread Maxim Bourmistrov
... yet another vnd-hack including modified login_passwd, sudo and .bash_logout: http://en.roolz.org/Blog/Entries/2009/4/27_Auto_mount_umount_of_encrypted_%24HOME_on_OpenBSD.html Read first-line warning carefully before usage/flame :). //maxim

Re: automaticaly mount/umount encrypted $HOME or ...

2009-04-28 Thread Maxim Bourmistrov
. The reason I haven't gotten around to using encrypted homes is just that it's awkward to do it in .profile because you'd have to remount your /home/$USER over top, but moving the mounting code into login(1) avoids that -Nick On 28/04/2009, Maxim Bourmistrov maxim.bourmist...@unixconn.com wrote: ... yet

European orders(Sweden) - nohup.se

2009-04-24 Thread Maxim Bourmistrov
Hello misc@, it has been almost a week since I sent an invoice for an OpenBSD 4.5 CD/t-shirt to nohup.se. Well, there is no answer so far and the webpage is outdated and promoting old releases. Has anyone from Sweden ever successfully ordered anything from this site lately? Any other

Re: more information about PF BUG

2009-04-12 Thread Maxim Bourmistrov
It is a one-line addition to ping.c. Then you use newly compiled ping like this: ping -D public IP This scenario works for NAT and attacker sitting on the local network. Tested on OpenBSD 4.3 acting as a NAT-box. //maxim On 12 Apr 2009, at 22.05, Fernando Quintero wrote: Hi list, it's

Re: where to order now ?

2009-04-03 Thread Maxim Bourmistrov
Well, until Wim speaks up, this looks to me as a major misuse of TRUST I've ever seen in the Open Source community. Anyone considered Baltic inkasso? ;) On 3 Apr 2009, at 20.13, Theo de Raadt wrote: I guess Wim would be more than happy to sell his stock of stickers and T-Shirts, and

Re: Richard Stallman...

2008-01-04 Thread Maxim Bourmistrov
and only the heavy weights slug it out. And for heaven's sake, please don't respond to this email on the list, if you feel strongly about it, mail me offlist. Best, ~Mayuresh Best regards Maxim Bourmistrov mailto: [EMAIL PROTECTED] tfn.: +46735461332
