Re: http load balancing with pf (apache access log)

2007-01-30 Thread Marian Hettwer

Hej Bob,

Bob Beck wrote:
> * Marian Hettwer [EMAIL PROTECTED] [2007-01-29 09:49]:
>> Hi OpenBSD'lers,
>>
>> I'm about to use OpenBSD's pf(4) for load balancing some webservers. So
>> far, everything is looking just perfect.
>>
>> Compared to pound, pf(4) is incredibly fast with little CPU and memory usage.
>> So I'd say: That's great :)
>>
>> However, one thing is bothering me.
>> Obviously, my apache access logs on those load balanced machines can
>> only show the IP address of my load balancer, not the real remote IP of
>> the request.
>
> Completely untrue. If you are doing an rdr, it will change the
> destination IP, not the source IP

That's true so far... however, I was told by Stuart that the connections
are going like this:

<quote>
requests go like this:
origin -> balancer -> destination

replies like this:
destination -> origin

but they need to go like this so they can be un-rdr'ed:
destination -> balancer -> origin

I'm not certain whether it will help so I won't bother posting to misc@
now, but you could try adding a NAT rule in addition to the RDR.
</quote>

> Unless in *addition* to load balancing you are doing NAT.

I do, which it seems I have to.
My boxes are some dedicated servers with a standard network
configuration. Means, official IP address, some default gateway and off
they go.
However, I can't change the network configuration as those boxes are
rented servers with no possibility to mess around with the network config.

> I'm not using NAT, my load balancer looks like this:
>
> web2# more /etc/pf/webmail_servers
> 142.244.12.130
> 142.244.12.132
> 142.244.12.133
> 142.244.12.134
> 142.244.12.135
> 142.244.12.136
> 142.244.12.137
> 142.244.12.138
> 142.244.12.139
> 142.244.12.140
>
> pf.conf:
>
> table <webmail_servers> persist file "/etc/pf/webmail_servers"
> WEBMAIL_IP = {129.128.98.89}
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 -> <webmail_servers> port 80 round-robin sticky-address
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 -> <webmail_servers> port 443 round-robin sticky-address
>
> I get the real connection IPs in my apache log.

That looks interesting.
I wonder why I need NAT to get the communication working... strange...
How are your webmail servers configured (in regards to networking)?


Regards,
./Marian



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Marian Hettwer

Henning Brauer wrote:
> * Marian Hettwer [EMAIL PROTECTED] [2007-01-29 18:46]:
>> Ah... there we go.
>> I can't setup the webservers with their default gateway to my load
>> balancer. The boxes are dedicated servers and I have no possibility to
>> change the network settings.
>> These are rented servers (dedicated boxes) at some cheap ISP and all
>> they have is an official IP address.
>>
>> Changing the default gateway isn't possible...
>> Sorry 'bout that.
>
> nothing you can do about it then.
>
> you get what you pay for...

My bad... time to watch out for another ISP ;)
It wasn't my decision to go with this cheap ISP (Strato), however, I'll
have to live with it for the time being.


./Marian



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Marian Hettwer

Hej Stuart,

Stuart Henderson wrote:
> On 2007/01/29 16:21, Marian Hettwer wrote:
>> Is there any possible way to get the real ip addresses in my apache
>> access log?
>
> Readers who didn't see the earlier posts about setting this up, they're
> here: http://marc.theaimsgroup.com/?l=openbsd-misc&m=116905272009036&w=2
> - it's not the standard setup with PF sitting directly on the route
> between client and webserver.
>
> That's the drawback to this method: in order to get that information
> you'd need to rearrange the network so the balancer is in the IP route
> between the webservers and the end users so you can skip the NATs.
>
> If moving to a more... flexible... ISP isn't an option, you may be able
> to do something with tunneling. You need to decide which method will suck
> the least in your situation.

You're right. Both situations suck, but for now I'll have to go with
that cheap ISP and therefore live with having a castrated access.log

I'll buy me some security via mod_security on those remote apaches ;)

(and of course, keep my fingers crossed that no bloody botnet tries to 
attack).


Cheers,
Marian



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Paul de Weerd
On Tue, Jan 30, 2007 at 09:09:46AM +0100, Marian Hettwer wrote:
| <quote>
| requests go like this:
| origin -> balancer -> destination
|
| replies like this:
| destination -> origin

This sounds a lot like what certain loadbalancers call DSR or
Direct Server Return. Basically, this is layer 2 NAT'ing. Here's how
it works :

You configure outside interface of the loadbalancer with a VIP, which
you also configure on lo0 on your webservers. The loadbalancer
receives a request on VIP and selects one of the webservers as the
destination (based on variable levels of intelligent selection
methods). It now forwards the IP-packet as-is to this webserver,
changing the destination MAC address in the Ethernet frame. This frame
is picked up by the destination webserver (as it has the correct MAC
address) and is acted upon by the IP layer (as the system has the VIP
configured). The webserver processes the request and returns the
answer directly to the origin, without going through the loadbalancer.

This can be beneficial in certain circumstances where your webservers
do more outgoing b/w than incoming. Say you have a big document store
(where documents are your MP3-collection or a big library of (large)
PDF's or whatnot) that you wish to serve over HTTP. Many of these
requests will fit in a 100MB/s connection. Not quite as many answers
fit in that same 100MB/s going back to the original requestor.
Aggregating 10 webservers' 100MB/s you can fill a 1GB/s link with your
loadbalancer and your webservers all at 100MB/s. This also gets you
the IP address of the requestor in your weblogs.

It would be cool if pf could support DSR. Since I'm not a programmer,
I'll shut up now because I won't be producing patches anytime soon.

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/

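Added example, not part of Paul's mail and not pf code: a small Python model of the three forwarding modes this thread circles around, Bob's rdr-only setup with the balancer as the servers' default gateway, Marian's rdr plus NAT, and DSR as described above. The topology, addresses and MAC values are constructed. For one SYN it records whether the client's TCP stack would accept the SYN-ACK that comes back (it must come from the address the SYN was sent to) and which remote address the chosen server would write to its access log.

```python
# Added example (not from the thread): a toy model of the three ways the
# balancer in this discussion can forward a request, and what each does to
# the address Apache would log and to the client's TCP handshake.
# Addresses and MACs below are constructed documentation values.
import itertools
from dataclasses import dataclass, replace

CLIENT_IP, CLIENT_MAC = "198.51.100.10", "aa:00:00:00:00:01"
VIP = "203.0.113.1"                                  # address the clients connect to
BALANCER_IP, BALANCER_MAC = "203.0.113.2", "aa:00:00:00:00:02"
SERVERS = {"203.0.113.11": "aa:00:00:00:00:11",      # real web servers
           "203.0.113.12": "aa:00:00:00:00:12"}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str          # "SYN" or "SYN-ACK"


class Balancer:
    """mode is 'rdr' (pf rdr only), 'rdr+nat' (rdr plus source NAT) or 'dsr'."""

    def __init__(self, mode):
        self.mode = mode
        self.pool = itertools.cycle(SERVERS)         # round-robin selection
        self.state = {}                              # (client-side src, server) -> original SYN

    def forward_request(self, pkt):
        server = next(self.pool)
        if self.mode == "dsr":
            # Layer 2 only: a new Ethernet frame, the IP header is left untouched
            return replace(pkt, src_mac=BALANCER_MAC, dst_mac=SERVERS[server])
        out = replace(pkt, src_mac=BALANCER_MAC, dst_mac=SERVERS[server], dst_ip=server)
        if self.mode == "rdr+nat":
            out = replace(out, src_ip=BALANCER_IP)   # replies are now addressed to us
        self.state[(out.src_ip, server)] = pkt       # needed to un-rdr the reply later
        return out

    def forward_reply(self, pkt):
        orig = self.state.get((pkt.dst_ip, pkt.src_ip))
        if orig is None:
            return pkt                               # nothing to undo: plain routing
        # un-NAT / un-rdr: the VIP becomes the source, the real client the destination
        return replace(pkt, src_mac=BALANCER_MAC, dst_mac=CLIENT_MAC,
                       src_ip=VIP, dst_ip=orig.src_ip)


class Server:
    def __init__(self, ip, vip_on_lo0):
        self.ip, self.mac = ip, SERVERS[ip]
        self.local_ips = {ip} | ({VIP} if vip_on_lo0 else set())
        self.access_log = []                         # remote address as Apache would log it

    def handle(self, pkt):
        if pkt.dst_mac != self.mac or pkt.dst_ip not in self.local_ips:
            return None                              # not for us: dropped
        self.access_log.append(pkt.src_ip)
        return Packet(self.mac, "next-hop", pkt.dst_ip, pkt.src_ip, "SYN-ACK")


def run(mode, gateway_is_balancer):
    """Return (client accepted the SYN-ACK, remote address the server logged)."""
    bal = Balancer(mode)
    by_mac = {mac: Server(ip, vip_on_lo0=(mode == "dsr")) for ip, mac in SERVERS.items()}
    syn = Packet(CLIENT_MAC, BALANCER_MAC, CLIENT_IP, VIP, "SYN")
    fwd = bal.forward_request(syn)
    server = by_mac[fwd.dst_mac]
    reply = server.handle(fwd)
    # The reply passes the balancer only if it is addressed to it (NAT case)
    # or if the balancer is the server's default gateway (Bob's setup).
    if reply.dst_ip == BALANCER_IP or gateway_is_balancer:
        reply = bal.forward_reply(reply)
    # TCP: the SYN-ACK must come from the address the SYN was sent to.
    accepted = reply.src_ip == VIP and reply.dst_ip == CLIENT_IP
    return accepted, server.access_log[0]


if __name__ == "__main__":
    for mode, gw in [("rdr", False), ("rdr", True), ("rdr+nat", False), ("dsr", False)]:
        print(f"{mode:8} gateway=balancer:{gw!s:5} ->", run(mode, gw))
```

Running it shows the trade-off of the thread in four lines: rdr alone only works when the reply path crosses the balancer so it can be un-rdr'ed (otherwise the client receives a SYN-ACK from an address it never sent to and drops it), NAT fixes the return path at the cost of logging the balancer's address, and DSR keeps the client address in the log because the IP header is never rewritten.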



Istanbul - Skopje Flights by MAT Macedonian Airlines / MAT Macedonian Airlines Starts Üsküp - Istanbul Flights ......

2007-01-30 Thread ZENITH Air Services
Save [EMAIL PROTECTED] in your address book so that ZENITH e-mail reaches you.

From 1 February, every Monday, Thursday and Saturday
ISTANBUL - ÜSKÜP (Skopje)

MAT Macedonian Airlines, Macedonia's national airline, is starting flights to
Istanbul with the modern Boeing 737 in its fleet and the Bombardier-built
Canadair Regional Jet CRJ900, a type also flown by Turkish private-sector
airlines.

From 1 February the aircraft will leave Macedonia's capital Üsküp (Skopje) at
13:30 and land in Istanbul at 15:50, then depart Istanbul at 16:40 and arrive
in Üsküp at 17:00. For now there will be 3 round trips a week; with the summer
timetable this is planned to rise to 4 round trips a week.

More information about the aircraft in MAT's fleet is available at
* http://www.boeing.com/commercial/737family/index.html and
* http://www.crj.bombard ier.com

ZENITH, the company acting as MAT's representative and general sales agent in
Turkey, has been known to you, our valued passengers with business or family
ties in the region, for 18 years.

ZENITH among the firsts ..
Known to you as the representatives of Adria for the first flights to Istanbul
from Üsküp and Ljubljana, of Air Bosna from Sarajevo and of Montenegro
Airlines from Podgorica, we, friendly and committed to passenger satisfaction,
are now with you in Üsküp with MAT as well.

Head office: Ordu Cad., No. 206/1, Laleli 34134 Istanbul, Tel :90 (212) 512
5435, Fax : 512 5436, E-mail : [EMAIL PROTECTED]

Atatürk Airport, International Departures Floor, Yeşilköy 34149 Istanbul, Tel
:90 (212) 465 5023, Fax : 465 4092, E-mail : [EMAIL PROTECTED]

To remove from our mailing list click here, write remove in subject line
and send it.



ADI 1988b Sound Device

2007-01-30 Thread Sam Fourman Jr.

hello Misc@
Would someone know if this sound device that is on several new Asus
boards is supported in OpenBSD?

unless someone knows otherwise I don't think FreeBSD has support either

http://www.analog.com/UploadedFiles/Data_Sheets/AD1988A_1988B.pdf

Sam Fourman Jr.



OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494

2007-01-30 Thread Stephan A. Rickauer
CVE-2007-0493: If recursion is enabled, a remote attacker can
dereference a freed fetch context causing the daemon to abort / crash.

CVE-2007-0494: By sending specific DNS query responses with multiple
RRSETS attackers could cause BIND to exit abnormally.


Is this of relevance also for OpenBSD's bind? I guess not, but maybe
some insider could shed some photons on it.


-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 Zurich            Web  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: OpenBSD 3.9 (i386) and mount_udf - big problem

2007-01-30 Thread Andreas Kahari

On 29/01/07, Pedro Martelletto [EMAIL PROTECTED] wrote:
> Andreas,
>
> On Mon, Jan 29, 2007 at 09:45:14AM +, Andreas Kahari wrote:
> > I had the same problem ("FSD does not lie within the partition!" when
> > trying to mount a UDF DVD disc).  I applied the patch below from Pedro
> > to a current i386 system, but that resulted in a locked system
> > (everything waiting in 'inode') when trying to mount the disc again.
>
> Sorry about that, the diff had a little mistake. Could you please try
> this one?

[cut]

The patch will make the machine not lock up, but it still doesn't
mount the DVD disc.  This time, I get no messages from the kernel in
/var/log/messages, but I get the error message "mount_udf: mount:
Invalid argument" in the console.

This is the disklabel from the DVD disc:
$ sudo disklabel cd0
# /dev/rcd0c:
type: ATAPI
disk: Talks
label: fictitious
flags:
bytes/sector: 2048
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 20449
total sectors: 2044832
rpm: 300
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

3 partitions:
#        size    offset  fstype [fsize bsize  cpg]
  a:   2044832         0     UDF                   # Cyl     0 - 20448*
  c:   2044832         0     UDF                   # Cyl     0 - 20448*

I've tried mounting cd0a and cd0c but it doesn't seem to make a difference.

Regards,
Andreas

--
Andreas Kahari
Somewhere in the general Cambridge area, UK



Re: OpenBSD 3.9 (i386) and mount_udf - big problem

2007-01-30 Thread Pedro Martelletto
Andreas,

On Tue, Jan 30, 2007 at 09:55:28AM +, Andreas Kahari wrote:
 The patch will make the machine not lock up, but it still doesn't
 mount the DVD disc.  This time, I get no messages from the kernel in
 /var/log/messages, but I get the error message "mount_udf: mount:
 Invalid argument" in the console.

Can you please try this diff, so that we know the exact point of
failure? (It should apply over your already patched udf_vfsops.c.)

Thanks,

-p.

--- udf_vfsops.c.orig   Tue Jan 30 11:50:58 2007
+++ udf_vfsops.cTue Jan 30 11:51:52 2007
@@ -327,6 +327,7 @@ udf_mountfs(struct vnode *devvp, struct 
}
 
if (!part_found || !logvol_found) {
+   printf(udf_mountfs(): %d, %d\n, part_found, logvol_found);
error = EINVAL;
goto bail;
}
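Review bot: the printf added inside the `if (!part_found || !logvol_found)` block prints the two flags as bare numbers, so whoever reads the console has to remember their order; naming them in the format string, e.g. `printf("udf_mountfs(): part_found=%d logvol_found=%d\n", part_found, logvol_found);`, makes the tester's reply unambiguous (the later reply "udf_mountfs(): 0, 1" is exactly the kind of output that needs decoding). It is also an unconditional printf on a failure path reachable from any mount attempt, which is fine for this one test round but should not be committed as-is. The double quotes around the format string have been lost in the archive rendering, so the line as shown would not compile verbatim.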



Re: New routing ideas for OpenBSD ;) (Was: Is Theo still hiking ????)

2007-01-30 Thread Brian Candler
On Mon, Jan 29, 2007 at 04:09:41PM +, Jeroen Massar wrote:
  There is *NO* demand from anyone for giving /48's to customers. It is
  only a suggestion.
  
  Talking again about RIPE policy, section 5.4.1 requires /48, or larger for
  very large subscribers. Exceptions are made to allow /64 when it is known
  that one and only one subnet is needed by design, and /128 when it is
  absolutely known that one and only one device is connecting
 
 As I said it is only a suggestion. When a LIR gives out /56's they can
 do this. No RIPE police will be knocking on their doors.

But surely, if LIR's feel it is necessary to make smaller allocations than
/48's, it's a tacit admission that this supposedly near-infinite IPv6 space
is *already* under pressure.

I think you're right in one sense: /48 end-user allocations are stupid. With
128 bits of address space, you could give most end users a /112, which would
still be the equivalent of a whole class B in the current Internet. But the
current IPv6 design is broken.

 BTW: calculate how many /48's are in 2000::/3 and you'll get an idea.

France Telecom got a /19. Does this mean they have a plan to connect 2^29
(over 500 million) customers in the next two years? I don't think so.

Making your network aggregatable means having a lot of address sparseness,
and therefore a large amount of wastage.

The attitude which says I'll allocate a /32 here, rather than the /39 I
actually need, because the boundary is easier to see and type compounds
this problem by orders of magnitude.

  So NAT will be deployed because it has *commercial* benefits. The IPv6
  techno-utopians will continue to be unhappy.
 
 No the application programmer will remain unhappy as they need to fiddle
 to get around that NAT all the time.

Well, any protocol which has separate control and data connections will
require application layer gateway magic at the firewall, even without NAT,
since the firewall has to open new [src,srcport,dst,dstport] tuples in
response to requests negotiated down the control connection, and therefore
it has to fully parse and understand the control messages. Adding support
for NAT is only a small extra bit of work.

Some would argue that all firewalls should be application layer gateways
anyway. Do I want my clients talking HTTP directly, packet-by-packet, to
untrusted servers on the Internet? Or should the firewall take a HTTP
request, forward it, accept and validate the whole response, passing it in
sanitised form back to the client?

The former leaves the clients vulnerable to all sorts of attacks from
malicious servers. The latter allows the firewall to validate data. As a
side effect it can also give an audit log of activity at layer 7, which many
companies require for compliance reasons anyway.

Regards,

Brian.
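As an added illustration of the point above (example code, not from the thread and not any real firewall's ALG): a minimal application layer gateway for the FTP control channel, in Python. It parses the PORT and PASV exchanges to learn which new [src, srcport, dst, dstport] tuple to admit, refuses addresses that do not belong to the two endpoints of the control connection, and, when the client sits behind NAT, reserves a public port and rewrites the PORT payload, which is the "small extra bit of work" NAT adds. The addresses, ports and FTP lines are constructed sample values.

```python
# Added example (not from the thread): a minimal application layer gateway
# for the FTP control channel, showing why the firewall must parse the
# control messages to open a data-connection tuple, and the extra rewrite
# step NAT adds. Addresses and the FTP lines are constructed sample values.
import re
from dataclasses import dataclass

ANY_PORT = 0   # wildcard source port in a pinhole


@dataclass(frozen=True)
class Tuple4:
    src: str
    sport: int
    dst: str
    dport: int


# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server.
_HP = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + _HP + rb"\s*$")
PASV_RE = re.compile(rb"^227 [^(]*\(" + _HP + rb"\)")


def _host_port(groups):
    host = b".".join(groups[:4]).decode()
    p1, p2 = int(groups[4]), int(groups[5])
    return host, (p1 << 8) | p2


class FtpAlg:
    def __init__(self, client_ip, server_ip, nat_ip=None):
        self.client_ip, self.server_ip, self.nat_ip = client_ip, server_ip, nat_ip
        self.pinholes = []        # extra tuples admitted for this session
        self.dnat = {}            # (nat_ip, ext_port) -> (client_ip, port) when NAT is in use
        self._next_ext_port = 40000

    def process_client_line(self, line):
        """Inspect a client->server control line; return the line to forward."""
        m = PORT_RE.match(line)
        if not m:
            return line
        host, port = _host_port(m.groups())
        # Only open a hole towards the connection's own source, and never
        # towards a privileged port (the classic FTP bounce checks).
        if host != self.client_ip or port < 1024:
            raise ValueError(f"rejected PORT {host}:{port} from {self.client_ip}")
        if self.nat_ip is None:
            self.pinholes.append(Tuple4(self.server_ip, 20, self.client_ip, port))
            return line
        # NAT: the server must connect to our public address, so reserve a port,
        # remember the mapping and rewrite the payload before forwarding it.
        ext_port = self._next_ext_port
        self._next_ext_port += 1
        self.dnat[(self.nat_ip, ext_port)] = (self.client_ip, port)
        self.pinholes.append(Tuple4(self.server_ip, 20, self.nat_ip, ext_port))
        octets = [int(o) for o in self.nat_ip.split(".")]
        return b"PORT %d,%d,%d,%d,%d,%d\r\n" % (*octets, ext_port >> 8, ext_port & 0xFF)

    def process_server_line(self, line):
        """Inspect a server->client control line; return the line to forward."""
        m = PASV_RE.match(line)
        if not m:
            return line
        host, port = _host_port(m.groups())
        if host != self.server_ip:
            raise ValueError(f"rejected PASV address {host}, expected {self.server_ip}")
        self.pinholes.append(Tuple4(self.client_ip, ANY_PORT, self.server_ip, port))
        return line

    def allows(self, t):
        """Would the firewall pass a new connection described by tuple t?"""
        return any(p.src == t.src and p.dst == t.dst and p.dport == t.dport
                   and p.sport in (ANY_PORT, t.sport) for p in self.pinholes)


if __name__ == "__main__":
    alg = FtpAlg("192.0.2.10", "203.0.113.5", nat_ip="198.51.100.1")
    print(alg.process_client_line(b"PORT 192,0,2,10,4,1\r\n"))
    print(alg.pinholes, alg.dnat)
```

Without NAT the PORT line is forwarded unchanged and only the tuple is recorded; with NAT the same line leaves the firewall rewritten to the public address and reserved port. Either way the pinhole is tied to the session, which is what a plain stateful filter cannot derive from the packet headers alone.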



Re: OpenBSD 3.9 (i386) and mount_udf - big problem

2007-01-30 Thread Andreas Kahari

udf_mountfs(): 0, 1

On 30/01/07, Pedro Martelletto [EMAIL PROTECTED] wrote:

Andreas,

On Tue, Jan 30, 2007 at 09:55:28AM +, Andreas Kahari wrote:
 The patch will make the machine not lock up, but it still doesn't
 mount the DVD disc.  This time, I get no messages from the kernel in
 /var/log/messages, but I get the error message "mount_udf: mount:
 Invalid argument" in the console.

Can you please try this diff, so that we know the exact point of
failure? (It should apply over your already patched udf_vfsops.c.)

Thanks,

-p.

--- udf_vfsops.c.orig   Tue Jan 30 11:50:58 2007
+++ udf_vfsops.cTue Jan 30 11:51:52 2007
@@ -327,6 +327,7 @@ udf_mountfs(struct vnode *devvp, struct
}

if (!part_found || !logvol_found) {
+   printf(udf_mountfs(): %d, %d\n, part_found, logvol_found);
error = EINVAL;
goto bail;
}




--
Andreas Kahari
Somewhere in the general Cambridge area, UK



Re: OpenBSD 3.9 (i386) and mount_udf - big problem

2007-01-30 Thread Pedro Martelletto
On Tue, Jan 30, 2007 at 11:46:31AM +, Andreas Kahari wrote:
 udf_mountfs(): 0, 1

Okay, I know how to fix this. The problem is, unless you volunteer to
test a whole set of diffs, some of which will probably crash your box, I
need access to the disc. Another problem is, I don't have any DVD drive.
Or a CD drive for that matter. Is the data on the disc dd'able, in terms
of length and content?

-p.



httpd corrupted after make build?

2007-01-30 Thread Sebastian Rother
Hello everybody,

I've built oBSD from source after my machine crashed (HW fault).

I did fetch the src again via anoncvs to prevent the system getting
built from corrupt sources.

Well, I did the usual 'cvs -q get -rOPENBSD_4_0 src' and started
the build.

After the build was finished I tried to start my httpd but it didn't
want to work...


apachectl start
fopen: No such file or directory
httpd: could not open document config
file /usr/local/apache/conf/http.conf /usr/sbin/apachectl start: httpd
could not be started

It's the first time I've noticed such an issue and it just happened
after the rebuild. I did not change my (working) httpd.conf and it
clearly sets the RootDirectory to /var/www.

It seems that the directory path got set during the compiling, which
would mean that the sources from the anoncvs are probably modified.

I just would like to know if other users made the same experience


Kind regards,
Sebastian



Re: SVND -k and -K ERRATUM

2007-01-30 Thread Don Smith
I looked at the source code. In /src/sys/dev/vnd.c, it
has the lines:

blf_ecb_encrypt(vnd->sc_keyctx, iv, sizeof(iv));
if (encrypt)
blf_cbc_encrypt(vnd->sc_keyctx, iv, addr, bsize);

This looks like it encrypts the key using the iv of
all zeroes. True, it doesn't add any salt using -k,
but it doesn't look like the user's key is the key
that is actually used. I am curious what happens if
the user enters a key longer than 448 bits. If the
user enters a 456 bit key, would the extra 8 bits just
be dropped from the key? 

I was playing around on my system, and it seems that
you can enter around 248 or so of the 256 possible
characters. Exceptions include CTRL+C, CTRL+D, and a
few others. 


 




Re: http load balancing with pf (apache access log)

2007-01-30 Thread Rui Miguel Silva Seabra
Mon, 2007-01-29 at 09:54 -0700, Bob Beck wrote:
>   I'm not using NAT, my load balancer looks like this:
>
> web2# more /etc/pf/webmail_servers
(...)
> pf.conf:
>
> table <webmail_servers> persist file "/etc/pf/webmail_servers"
> WEBMAIL_IP = {129.128.98.89}
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 -> <webmail_servers> port 80 round-robin sticky-address
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 -> <webmail_servers> port 443 round-robin sticky-address

By the way, what do you use/recommend in order to manage the webserver
pool? 1 test/min (in cron for instance) is too large a value for many
use cases, so what would be best in your opinion?

It's likely I'll need this for the near future and this thread basically
cut my investigation time in over 90% ;)

Regards,
Rui

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?




Re: http load balancing with pf (apache access log)

2007-01-30 Thread Stuart Henderson
On 2007/01/30 13:06, Rui Miguel Silva Seabra wrote:
 By the way, what do you use/recommend in order to manage the webserver
 pool?

hoststated.



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Pierre-Yves Ritschard
On Tue, 30 Jan 2007 13:06:00 +
Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:

 By the way, what do you use/recommend in order to manage the webserver
 pool? 1 test/min (in cron for instance) is too large a value for many
 use cases, so what would be best in your opinion?
 
 It's likely I'll need this for the near future and this thread
 basically cut my investigation time in over 90% ;)

Maybe hoststated can suit your needs. You will need to build it from
source since it's not linked in right now.

See http://spootnik.org/hoststated for more information



Re: Atheros WIFI card can scan, but can't connect.

2007-01-30 Thread Sunnz

Please CC to [EMAIL PROTECTED] too if it works in the future... I had
to use FreeBSD on this wireless machine for the time being.

2007/1/31, Ido Admon [EMAIL PROTECTED]:
> > Have already tried that... I try again just for the sake of hoping it
> > works...
> >
> > Any other ideas?
>
> From your dmesg:
>
> ath0 at pci1 dev 8 function 0 "Atheros AR5212" rev 0x01: apic 2 int 12 (irq 12)
> ath0: AR5213 7.9 phy 4.5 rf2112a 5.6, FCC2A*, address 00:0f:b5:4f:3f:42
>
> See http://marc.theaimsgroup.com/?l=openbsd-misc&m=114851461330633&w=2
>
> Or, to quote the essence of Reyk Floeter's answer in the above linked
> message: "The rf2112 is an unsupported chipset..."
> The diff he's proposed has been committed to -current since, as you can
> see for yourself, but it doesn't solve the problem (it just disables the
> "RF radio not supported" message and forces the rf chip to attach).
>
> I have the exact same issue with a D-Link DWL-G520. With the diff (I run
> 4.0 release) it attaches but fails to connect or find any networks (and in
> AP mode other computers can't find any wireless networks).
>
> Is there hope of adding support for this chip in the future sometime?
>
> Thanks,
> Ido.
> (please CC, I'm not on the list)
>
> > 2007/1/21, Saint Aardvark the Carpeted [EMAIL PROTECTED]:
> > > Sunnz writes:
> > > > After boot up, log in, first thing I do is:
> > > > # ifconfig ath0 nwid 624wn up;
> > >
> > > I think you may also have to specify the channel:
> > >
> > > ifconfig ath0 nwid 624wn chan 1 up
> > >
> > > That's what I have to do with my laptop, anyhow.
> > >
> > > HTH,
> > > Hugh
> > >
> > > --
> > > Saint Aardvark the Carpeted
> > > [EMAIL PROTECTED]
> > > Because the plural of Anecdote is Myth.




--
sunnz.net - sunnz.com - sunnz.org



Re: ACPI tests on a Jetway J7F2 board

2007-01-30 Thread Mark Zimmerman
Not to belabor this thread too much more, but if you peruse the
openchrome-users mailing list for a bit, you will see that these
boards are developing a reputation for hard lockups under linux, so it
is not just me. The developing consensus over there is that the only
way to prevent lockups is to disable all DMA in the BIOS.

I left the DMA enabled for the OpenBSD tests as an experiment. I was
actually pleased to see that OpenBSD detected the problem and
downgraded the DMA mode rather than descend into a frozen state.

-- Mark

On Mon, Jan 29, 2007 at 09:38:03AM -0600, Marco Peereboom wrote:
 Or missing interrupts...
 
 On Mon, Jan 29, 2007 at 04:29:52PM +0100, Dimitry Andric wrote:
  Mark Zimmerman wrote:
   You will notice the sucky DMA of the Jetway board in all of them.
  ...
   wd0a:  aborted command, interface CRC error reading fsbn 671456 of 
   671456-0 (wd0 bn 5571281; cn 5527 tn 1 sn 2), retrying
   wd0: transfer error, downgrading to Ultra-DMA mode 4
   wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 4
   wd0a:  aborted command, interface CRC error reading fsbn 671456 of 
   671456-0 (wd0 bn 5571281; cn 5527 tn 1 sn 2), retrying
   wd0: soft error (corrected)
   wd0: transfer error, downgrading to Ultra-DMA mode 3
   wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 3
   wd0a:  aborted command, interface CRC error reading fsbn 671168 of 
   671168-0 (wd0 bn 5570993; cn 5526 tn 12 sn 29), retrying
   wd0: soft error (corrected)
  
  These sorts of errors are usually caused by bad cabling, connectors, or
  dying drives.  Try replacing the cables or drives, to see if it helps.



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Joachim Schipper
On Mon, Jan 29, 2007 at 05:36:12PM +0100, Marian Hettwer wrote:
 Pierre-Yves Ritschard schrieb:
 On Mon, 29 Jan 2007 17:20:50 +0100
 Marian Hettwer [EMAIL PROTECTED] wrote:
 
 Which would mean, I send a SYN to my load balancer, which forwards
 the SYN to one of my webservers, and the webserver would send a
 SYN-ACK back to me. But my machine, obviously can't do anything with
  a SYN-ACK from an IP address it didn't even ask...
 The client would assume to get a SYN-ACK from the load balancer
 (which he asked...)
 
 understood?
 
 no you don't get it.
 I believe I do get it. But I missed an important information about my 
 load balancing setup. See below.
 you setup your webservers with the load balancer as default gateway
 then use rdr as I described in my previous mail. hence all the traffic
 goes through the load-balancer and real client ips are preserved.

 Ah... there we go.
 I can't setup the webservers with their default gateway to my load 
 balancer. The boxes are dedicated servers and I have no possibility to 
 change the network settings.
 These are rented servers (dedicated boxes) at some cheap ISP and all 
 they have is an official IP address.
 Changing the default gateway isn't possible...
 Sorry 'bout that.

I'm fairly sure that sufficient abuse of pf can get the webservers to
send all replies to traffic to port 80/443 to your loadbalancer.

Of course, that's pf, and your webservers are Linux. But I would be
surprised if something similar couldn't be arranged.

Joachim



Re: httpd corrupted after make build?

2007-01-30 Thread Joachim Schipper
On Tue, Jan 30, 2007 at 01:37:49PM +0100, Sebastian Rother wrote:
 Hello everybody,
 
 I've built oBSD from source after my machine crashed (HW fault).
 
 I did fetch the src again via anoncvs to prevent the system getting
 built from corrupt sources.
 
 Well, I did the usual 'cvs -q get -rOPENBSD_4_0 src' and started
 the build.
 
 After the build was finished I tried to start my httpd but it didn't
 want to work...
 
 
 apachectl start
 fopen: No such file or directory
 httpd: could not open document config
 file /usr/local/apache/conf/http.conf /usr/sbin/apachectl start: httpd
 could not be started
 
 It's the first time I've noticed such an issue and it just happened
 after the rebuild. I did not change my (working) httpd.conf and it
 clearly sets the RootDirectory to /var/www.
 
 It seems that the directory path got set during the compiling, which
 would mean that the sources from the anoncvs are probably modified.
 
 I just would like to know if other users made the same experience

If that's stock httpd, then yes, there is something very wrong.
/usr/local/apache?

Joachim



Re: OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494

2007-01-30 Thread Dimitry Andric
Stephan A. Rickauer wrote:
 CVE-2007-0493: If recursion is enabled, a remote attacker can
 dereference a freed fetch context causing the daemon to abort / crash.
 
 CVE-2007-0494: By sending specific DNS query responses with multiple
 RRSETS attackers could cause BIND to exit abnormally.
 
 
 Is this of relevance also for OpenBSD's bind? I guess not, but maybe
 some insider could shed some photons on it.

This was fixed on 2007-01-25:

http://marc.theaimsgroup.com/?l=openbsd-cvs&m=116970956517411&w=2



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Rui Miguel Silva Seabra
Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote:
 On Tue, 30 Jan 2007 13:06:00 +
 Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:

  By the way, what do you use/recommend in order to manage the webserver
  pool? 1 test/min (in cron for instance) is too large a value for many
  use cases, so what would be best in your opinion?
 
  It's likely I'll need this for the near future and this thread
  basically cut my investigation time in over 90% ;)

 Maybe hoststated can suit your needs. You will need to build it from
 source since it's not linked in right now.

 See http://spootnik.org/hoststated for more information

Promising, it does say that it's now part of the OpenBSD system, but
since when? CURRENT? I can't seem to find it on the 4.0 CDs...

Rui

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?




Re: OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494

2007-01-30 Thread Martin Schröder

2007/1/30, Dimitry Andric [EMAIL PROTECTED]:
> This was fixed on 2007-01-25:

In stable?

Best
  Martin



Mounting FreeBSD partitions on OpenBSD

2007-01-30 Thread roger
I'm trying to mount my FreeBSD partitions in OpenBSD. OpenBSD has no
problem finding, reading and writing to the root partition for FreeBSD but
doesn't see the other partitions (/home, /usr, /var). I know I have to
manually edit the disklabel to add those partitions. My problem is that
the disklabel editor doesn't want to change or edit a partition that isn't
on the OpenBSD slice. Is there any way to edit the disklabel using
disklabel without resorting to an editor like vi, since I don't feel
entirely comfortable manually computing and changing the table, or if that
is my only option, what are the required entries to the table I need to
provide?

thanks,
roger

Here is the disklabel from FreeBSD:
# /dev/ad0s2:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  1024000        0    4.2BSD        0     0     0
  b:  4096000  1024000      swap
  c: 39359250        0    unused        0     0        # "raw" part, don't edit
  d:  1024000  5120000    4.2BSD        0     0     0
  e:  1024000  6144000    4.2BSD        0     0     0
  f: 10240000  7168000    4.2BSD        0     0     0
  g: 21951250 17408000    4.2BSD        0     0     0

And here is the disklabel from OpenBSD: j is the partition I want to add
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: HTS541060G9AT00
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 117210240
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0# microseconds
track-to-track seek: 0# microseconds
drivedata: 0
16 partitions:
#         size    offset  fstype [fsize bsize  cpg]
  a:   1023435  78734565  4.2BSD   2048 16384  328 # Cyl 78109*- 79124
  b:   4095504  79758000    swap                   # Cyl 79125 - 83187
  c: 117210240         0  unused      0     0      # Cyl     0 -116279
  d:   1024128  83853504  4.2BSD   2048 16384  328 # Cyl 83188 - 84203
  e:   1024128  84877632  4.2BSD   2048 16384  328 # Cyl 84204 - 85219
  f:  10240272  85901760  4.2BSD   2048 16384  328 # Cyl 85220 - 95378
  g:  21068208  96142032  4.2BSD   2048 16384  328 # Cyl 95379 -116279
  i:  39375252        63   MSDOS                   # Cyl     0*- 39062*
  j:  39359250  39375315 unknown                   # Cyl 39062*- 78109*
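One way to work out the entries roger is asking for, as an added example (not from the thread and not disklabel(8) itself): the FreeBSD label counts offsets from the start of the slice, the OpenBSD label counts from the start of the disk, so each FreeBSD entry needs the slice's own offset (the `j` entry, 39375315) added, and must end inside the slice. The sector numbers are the ones in the two labels above; the assumption is that the new entries take the first unused letters of the 16-entry label, and fsize/bsize/cpg are left aside.

```python
# Added example (not from the thread): translate the FreeBSD slice's
# partition table into entries for the OpenBSD disklabel. FreeBSD's label
# counts offsets from the start of the slice; OpenBSD's counts from the
# start of the disk, so the slice offset from the 'j' entry is added.
# Sector numbers are the ones shown in the two labels; the letters chosen
# for the new entries are an assumption (any unused letter would do).
from dataclasses import dataclass


@dataclass(frozen=True)
class Part:
    name: str
    size: int        # sectors
    offset: int      # sectors: absolute for OpenBSD, slice-relative for FreeBSD
    fstype: str


# FreeBSD label of /dev/ad0s2 ('c' = the whole slice, not copied)
FREEBSD_SLICE = [
    Part("a",  1024000,        0, "4.2BSD"),
    Part("b",  4096000,  1024000, "swap"),
    Part("d",  1024000,  5120000, "4.2BSD"),
    Part("e",  1024000,  6144000, "4.2BSD"),
    Part("f", 10240000,  7168000, "4.2BSD"),
    Part("g", 21951250, 17408000, "4.2BSD"),
]
# OpenBSD label of wd0 ('c' = the whole disk, not listed); 'j' is the FreeBSD slice
OPENBSD_LABEL = [
    Part("a",  1023435, 78734565, "4.2BSD"),
    Part("b",  4095504, 79758000, "swap"),
    Part("d",  1024128, 83853504, "4.2BSD"),
    Part("e",  1024128, 84877632, "4.2BSD"),
    Part("f", 10240272, 85901760, "4.2BSD"),
    Part("g", 21068208, 96142032, "4.2BSD"),
    Part("i", 39375252,       63, "MSDOS"),
    Part("j", 39359250, 39375315, "unknown"),
]
MAX_PARTITIONS = 16


def free_letters(label):
    """Letters not yet used in a 16-entry OpenBSD label ('c' is always the whole disk)."""
    used = {p.name for p in label} | {"c"}
    return [l for l in "abcdefghijklmnop"[:MAX_PARTITIONS] if l not in used]


def translate(slice_parts, slice_entry, letters):
    """Rebase slice-relative entries onto the disk, checking each fits in the slice."""
    if len(slice_parts) > len(letters):
        raise ValueError("not enough free label entries")
    out = []
    for p, letter in zip(slice_parts, letters):
        end = p.offset + p.size
        if end > slice_entry.size:
            raise ValueError(f"{p.name}: ends past the slice ({end} > {slice_entry.size})")
        out.append(Part(letter, p.size, slice_entry.offset + p.offset, p.fstype))
    return out


def check_no_overlap(parts):
    """Raise if any two entries overlap; return True otherwise."""
    ordered = sorted(parts, key=lambda p: p.offset)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.offset + prev.size > cur.offset:
            raise ValueError(f"{prev.name} overlaps {cur.name}")
    return True


def label_lines(parts):
    """Render entries the way disklabel(8) prints them (size, offset, fstype)."""
    return [f"  {p.name}: {p.size:>10} {p.offset:>10}  {p.fstype}" for p in parts]


if __name__ == "__main__":
    j = next(p for p in OPENBSD_LABEL if p.name == "j")
    added = translate(FREEBSD_SLICE, j, free_letters(OPENBSD_LABEL))
    # 'j' covers the same sectors as the new entries, so leave it out of the check.
    check_no_overlap([p for p in OPENBSD_LABEL if p.name != "j"] + added)
    print("\n".join(label_lines(added)))
```

The overlap check also confirms the two labels agree with each other: the MSDOS `i` entry ends exactly where `j` starts, and the last FreeBSD partition ends exactly where OpenBSD's `a` begins, so the rebased entries fit without touching anything already in the label.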



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Pierre-Yves Ritschard
On Tue, 30 Jan 2007 15:20:42 +
Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:

 Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote:
  On Tue, 30 Jan 2007 13:06:00 +
  Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
  
   By the way, what do you use/recommend in order to manage the
   webserver pool? 1 test/min (in cron for instance) is too large a
   value for many use cases, so what would be best in your opinion?
   
   It's likely I'll need this for the near future and this thread
   basically cut my investigation time in over 90% ;)
  
  Maybe hoststated can suit your needs. You will need to build it from
  source since it's not linked in right now.
  
  See http://spootnik.org/hoststated for more information
 
 Promising, it does say that it's now part of the OpenBSD system, but
 since when? CURRENT? I can't seem to find it on the 4.0 CDs...
 
 Rui
 
Pending the link of hoststated in the builds, you can follow the
instructions I just put up on http://spootnik.org/hoststated#install .



Re: SDL game crashing

2007-01-30 Thread Edd Barrett

On 1/28/07, Michael [EMAIL PROTECTED] wrote:
> Hi,
>
> I compiled and installed version 0.2.8.2.1 of the armagetronad game
> client (with default configure). (http://www.armagetronad.net/)
>
> When I play it on OpenBSD 4.0 it just works, but the game crashes every
> single time with 4.0-current when I die. I tried this on different boxes
> and it is all the same. (Vmware server with 4.0 works too.)
>
> Currently I am out of ideas, maybe someone else can point out some
> changes since 4.0-release that could lead to this strange behavior?
>
> Any help is really appreciated.
>
> - Michael

Have you tried building it with debug symbols (-g) and then running it
through gdb?

--
Best Regards

Edd



Re: SDL game crashing

2007-01-30 Thread Michael
Hi,

Edd Barrett wrote:
 Have you tried building it with debug symbols (-g) and then running it
 through gdb?

Thanks for your answer but the problem was already officially solved by
reverting to an older version of usr/libexec/loader.c

The previous changes that were made to usr/libexec/loader.c caused a
program to dump core when GLU was linked and using exceptions in cpp.


 - Michael



ftp docs directory

2007-01-30 Thread Marti Martinez

I'm guessing there's a simple answer to this, but what happened to the
docs directory on the FTP server that holds the single page versions
of the FAQ and PF guide -- the links from the online FAQ page aren't
working?

Marti

--
Systems Programmer, Senior
Electrical  Computer Engineering
The University of Arizona
[EMAIL PROTECTED]
(520) 465-6257



Re: ftp docs directory

2007-01-30 Thread Marti Martinez

And to answer my own question, it's back five minutes later.

On 1/30/07, Marti Martinez [EMAIL PROTECTED] wrote:

I'm guessing there's a simple answer to this, but what happened to the
docs directory on the FTP server that holds the single page versions
of the FAQ and PF guide -- the links from the online FAQ page aren't
working?

Marti

--
Systems Programmer, Senior
Electrical  Computer Engineering
The University of Arizona
[EMAIL PROTECTED]
(520) 465-6257




--
Systems Programmer, Senior
Electrical  Computer Engineering
The University of Arizona
[EMAIL PROTECTED]
(520) 465-6257



Re: OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494

2007-01-30 Thread Travers Buda
* Martin Schröder [EMAIL PROTECTED] [2007-01-30 16:19:04]:

 2007/1/30, Dimitry Andric [EMAIL PROTECTED]:
 This was fixed on 2007-01-25:
 
 In stable?
 
 Best
   Martin
 

No. Release and stable are using 9.3.2-P1. Things of interest
include named -v and /usr/src/usr.sbin/bind/version.

-- 
Travers Buda



Re: Atheros WIFI card can scan, but can't connect.

2007-01-30 Thread Ido Admon
 Have already tried that... I try again just for the sake of hoping it 
works...


 Any other ideas?

From your dmesg:

ath0 at pci1 dev 8 function 0 Atheros AR5212 rev 0x01: apic 2 int 12 (irq 12)
ath0: AR5213 7.9 phy 4.5 rf2112a 5.6, FCC2A*, address 00:0f:b5:4f:3f:42


See http://marc.theaimsgroup.com/?l=openbsd-miscm=114851461330633w=2

Or, to quote the essence of Reyk Floeter's answer in the above linked 
message: The rf2112 is an unsupported chipset...
The diff he's proposed has been committed to -current since, as you can 
see for yourself, but it doesn't solve the problem (it just disables the 
RF radio not supported message and forces the rf chip to attach).


I have the exact same issue with a D-Link DWL-G520. With the diff (I run 
4.0 release) it attaches but fails to connect find any networks (and in 
AP mode other computers can't find any wireless networks).


Is there hope of adding support for this chip in the future sometime?

Thanks,
Ido.
(please CC, I'm not on the list)



 2007/1/21, Saint Aardvark the Carpeted 
[EMAIL PROTECTED]:

 Sunnz writes:
  After boot up, log in, first thing I do is:
  # ifconfig ath0 nwid 624wn up;

 I think you may also have to specify the channel:

 ifconfig ath0 nwid 624wn chan 1 up

 That's what I have to do with my laptop, anyhow.

 HTH,
 Hugh

 --
 Saint Aardvark the Carpeted
 [EMAIL PROTECTED]
 Because the plural of Anecdote is Myth.



Re: http load balancing with pf (apache access log)

2007-01-30 Thread Rui Miguel Silva Seabra
Tue, 2007-01-30 at 16:44 +0100, Pierre-Yves Ritschard wrote:
 On Tue, 30 Jan 2007 15:20:42 +
 Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
  Promising, it does say that it's now part of the OpenBSD system, but
  since when? CURRENT? I can't seem to find it in the 4.0 CD's...
 
 Pending the link of hoststated in the builds you can follow the
 instructions i just put up on http://spootnik.org/hoststated#install .

Yeah, thought so, well, one more item to the compile VM :)

Thanks!

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?




Re: Atheros WIFI card can scan, but can't connect.

2007-01-30 Thread Travers Buda
* Ido Admon [EMAIL PROTECTED] [2007-01-30 15:24:48]:

  Have already tried that... I try again just for the sake of hoping it 
 works...
 
  Any other ideas?
 
 From your dmesg:
 
 ath0 at pci1 dev 8 function 0 Atheros AR5212 rev 0x01: apic 2 int 12 (irq 
 12)
 ath0: AR5213 7.9 phy 4.5 rf2112a 5.6, FCC2A*, address 00:0f:b5:4f:3f:42
 
 
 See http://marc.theaimsgroup.com/?l=openbsd-miscm=114851461330633w=2
 
 Or, to quote the essence of Reyk Floeter's answer in the above linked 
 message: The rf2112 is an unsupported chipset...
 The diff he's proposed has been committed to -current since, as you can 
 see for yourself, but it doesn't solve the problem (it just disables the 
 RF radio not supported message and forces the rf chip to attach).
 
 I have the exact same issue with a D-Link DWL-G520. With the diff (I run 
 4.0 release) it attaches but fails to connect find any networks (and in 
 AP mode other computers can't find any wireless networks).
 
 Is there hope of adding support for this chip in the future sometime?
 
 Thanks,
 Ido.
 (please CC, I'm not on the list)
 

Also see
http://marc.theaimsgroup.com/?l=openbsd-techm=115869124319973w=2

It looks like there has not been much churn on this lately
aside from getting the driver to attach to these new radios.

--
Travers Buda



Problem routing 10.x.x.x networks through a firewall

2007-01-30 Thread John Brahy

Hello,

I am having a problem routing IP traffic on my network. my firewall
has three interfaces.

      |
+------------+
|  P2P - t1  |
|   router   |
|  10.1.2.1  |
+------------+
      |
+------------+
|  10.1.2.2  |
|   router   |
|  10.1.3.1  |
+------------+
      |
+------------+     +-------------+
|  10.1.3.2  |     |  DMZ host   |
|  firewall  +-----+ 10.1.15.10  |
|  10.1.1.1  |     +-------------+
+------------+
      |
+-------------+
| 10.1.11.100 |
+-------------+

I have net.ip.forwarding=1 and my pf.conf is completely empty right
now. From the 10.1.1.100 client, I can't ping the internet from
10.1.11.100, but I can from my firewall. Is there anything special I
have to do to route private networks? Here's the ipv4 info from
netstat.

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            10.1.3.1           UGS         0        3      -  em0
10.1.3/24          link#1             UC          1        0      -  em0
10.1.3.1           00:b0:a2:89:13:45  UHLc        1     1469      -  em0
10.1.11/24         link#3             UC          0        0      -  em2
10.1.15/24         link#2             UC          0        0      -  em1
127/8              127.0.0.1          UGRS        0        0  33192  lo0
127.0.0.1          127.0.0.1          UH          1        0  33192  lo0
224/4              127.0.0.1          URS         0        0  33192  lo0

Any help would be greatly appreciated.

Thanks!

John



Re: Problem routing 10.x.x.x networks through a firewall

2007-01-30 Thread Cristiano Deana

2007/1/30, John Brahy [EMAIL PROTECTED]:


I have net.ip.forwarding=1 and my pf.conf is completely empty right
now. From the 10.1.1.100 client, I can't ping the internet from
10.1.11.100, but I can from my firewall. Is there anything special I
have to do to route private networks? Here's the ipv4 info from
netstat.


Does your(s) router(s) know the route to reach 10.1.1.0/24 ?
On your router(s) you must have something like
route add -net 10.1.1.0/24 10.1.3.2

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



dmesg and fdisk do not match about usb external disk

2007-01-30 Thread frantisek holop
hi there,

please compare the following for my external usb disk:

amaaq sudo fdisk sd0
Disk: sd0   geometry: 60801/255/63 [976768065 Sectors]
Offset: 0   Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]

 0: 07    0   1  1 - 16317 254 63 [          63:   262148607 ] HPFS/QNX/AUX
 1: 0C 16318   0  1 - 32635 254 63 [   262148670:   262148670 ] Win95 FAT32L
 2: 83 32636   0  1 - 60800 254 63 [   524297340:   452470725 ] Linux files*
 3: 00    0   0  0 -     0   0  0 [           0:           0 ] unused


and the dmesg when plugged in:

umass0 at uhub3 port 4 configuration 1 interface 0
umass0: Western Digital External HDD, rev 2.00/0.00, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0: WD, 5000AAJS Externa, 101a SCSI2 0/direct fixed
sd0: 476940MB, 476940 cyl, 64 head, 32 sec, 512 bytes/sec, 976773168 sec total


the cylinders, heads, sectors and the number of total sectors do not match.
what does this mean?
-- 
dinner: dead animals and some stuff out of the ground.



Re: Problem routing 10.x.x.x networks through a firewall

2007-01-30 Thread Will H. Backman

John Brahy wrote:

Hello,

I am having a problem routing IP traffic on my network. my firewall
has three interfaces.

      |
+------------+
|  P2P - t1  |
|   router   |
|  10.1.2.1  |
+------------+
      |
+------------+
|  10.1.2.2  |
|   router   |
|  10.1.3.1  |
+------------+
      |
+------------+     +-------------+
|  10.1.3.2  |     |  DMZ host   |
|  firewall  +-----+ 10.1.15.10  |
|  10.1.1.1  |     +-------------+
+------------+
      |
+-------------+
| 10.1.11.100 |
+-------------+

I have net.ip.forwarding=1 and my pf.conf is completely empty right
now. From the 10.1.1.100 client, I can't ping the internet from
10.1.11.100, but I can from my firewall. Is there anything special I
have to do to route private networks? Here's the ipv4 info from
netstat.

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            10.1.3.1           UGS         0        3      -  em0
10.1.3/24          link#1             UC          1        0      -  em0
10.1.3.1           00:b0:a2:89:13:45  UHLc        1     1469      -  em0
10.1.11/24         link#3             UC          0        0      -  em2
10.1.15/24         link#2             UC          0        0      -  em1
127/8              127.0.0.1          UGRS        0        0  33192  lo0
127.0.0.1          127.0.0.1          UH          1        0  33192  lo0
224/4              127.0.0.1          URS         0        0  33192  lo0

Any help would be greatly appreciated.

Thanks!

John


You have a network behind a network.
The router that is connected to the internet only knows about the 
networks that it is directly attached to.
You would need to tell the external router about the innermost network 
through a static route.




Re: Problem routing 10.x.x.x networks through a firewall

2007-01-30 Thread John Brahy

On 1/30/07, Will H. Backman [EMAIL PROTECTED] wrote:

John Brahy wrote:
 Hello,

 I am having a problem routing IP traffic on my network. my firewall
 has three interfaces.

       |
 +------------+
 |  P2P - t1  |
 |   router   |
 |  10.1.2.1  |
 +------------+
       |
 +------------+
 |  10.1.2.2  |
 |   router   |
 |  10.1.3.1  |
 +------------+
       |
 +------------+     +-------------+
 |  10.1.3.2  |     |  DMZ host   |
 |  firewall  +-----+ 10.1.15.10  |
 |  10.1.11.1 |     +-------------+
 +------------+
       |
 +-------------+
 | 10.1.11.100 |
 +-------------+

 I have net.ip.forwarding=1 and my pf.conf is completely empty right
 now. From the 10.1.1.100 client, I can't ping the internet from
 10.1.11.100, but I can from my firewall. Is there anything special I
 have to do to route private networks? Here's the ipv4 info from
 netstat.

 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use    Mtu  Interface
 default            10.1.3.1           UGS         0        3      -  em0
 10.1.3/24          link#1             UC          1        0      -  em0
 10.1.3.1           00:b0:a2:89:13:45  UHLc        1     1469      -  em0
 10.1.11/24         link#3             UC          0        0      -  em2
 10.1.15/24         link#2             UC          0        0      -  em1
 127/8              127.0.0.1          UGRS        0        0  33192  lo0
 127.0.0.1          127.0.0.1          UH          1        0  33192  lo0
 224/4              127.0.0.1          URS         0        0  33192  lo0

 Any help would be greatly appreciated.

 Thanks!

 John

You have a network behind a network.
The router that is connected to the internet only knows about the
networks that it is directly attached to.
You would need to tell the external router about the innermost network
through a static route.




From 10.1.11.100 I am not able to ping 10.1.3.1.




Re: Problem routing 10.x.x.x networks through a firewall

2007-01-30 Thread John Brahy

On 1/30/07, John Brahy [EMAIL PROTECTED] wrote:

On 1/30/07, Will H. Backman [EMAIL PROTECTED] wrote:
 John Brahy wrote:
  Hello,
 
  I am having a problem routing IP traffic on my network. my firewall
  has three interfaces.
 
        |
  +------------+
  |  P2P - t1  |
  |   router   |
  |  10.1.2.1  |
  +------------+
        |
  +------------+
  |  10.1.2.2  |
  |   router   |
  |  10.1.3.1  |
  +------------+
        |
  +------------+     +-------------+
  |  10.1.3.2  |     |  DMZ host   |
  |  firewall  +-----+ 10.1.15.10  |
  |  10.1.11.1 |     +-------------+
  +------------+
        |
  +-------------+
  | 10.1.11.100 |
  +-------------+
 
  I have net.ip.forwarding=1 and my pf.conf is completely empty right
  now. From the 10.1.1.100 client, I can't ping the internet from
  10.1.11.100, but I can from my firewall. Is there anything special I
  have to do to route private networks? Here's the ipv4 info from
  netstat.
 
  Routing tables
 
  Internet:
  Destination        Gateway            Flags    Refs      Use    Mtu  Interface
  default            10.1.3.1           UGS         0        3      -  em0
  10.1.3/24          link#1             UC          1        0      -  em0
  10.1.3.1           00:b0:a2:89:13:45  UHLc        1     1469      -  em0
  10.1.11/24         link#3             UC          0        0      -  em2
  10.1.15/24         link#2             UC          0        0      -  em1
  127/8              127.0.0.1          UGRS        0        0  33192  lo0
  127.0.0.1          127.0.0.1          UH          1        0  33192  lo0
  224/4              127.0.0.1          URS         0        0  33192  lo0
 
  Any help would be greatly appreciated.
 
  Thanks!
 
  John
 
 You have a network behind a network.
 The router that is connected to the internet only knows about the
 networks that it is directly attached to.
 You would need to tell the external router about the innermost network
 through a static route.


From 10.1.11.100 I am not able to ping 10.1.3.1.




ok, thank you very much. I put static routes into my router and now
it's dialed in.

thanks!



msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type

2007-01-30 Thread Rolf Sommerhalder

Hello misc,

Two identically configured SUN V210, each equipped with a SK-9S91 PCI
NIC (single port, single mode fiber 1 Gbit/s), run -current snapshot
dated 20 Jan 07
The kernel detects those fiber NICs, besides the four on-board bge,
see dmesg below. After boot, the msk0 come up in autoselect media
type, but the two fiber NICs' link status remains at no carrier,
despite having connected the two NIC with a cross-over fiber patch
cable and forcing them up.

Forcing the  media type 1000baseSX according to msk(4) fails:
# ifconfig msk0 media 1000baseSX
ifconfig: SIOCSIFMEDIA: Invalid argument
#

Indeed, this option is missing in the list of media types and options
supported by the card:
# ifconfig -m msk0
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:5a:72:fc:58
   media: Ethernet autoselect (100baseTX half-duplex)
   status: no carrier
   supported media:
   media none
   media 10baseT
   media 10baseT mediaopt full-duplex
   media 100baseTX
   media 100baseTX mediaopt full-duplex
   media 1000baseT
   media 1000baseT mediaopt full-duplex
   media autoselect
   inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5
   inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255
#

Maybe I am mistaken by assuming that 1000baseSX should be accepted
by msk() for these NICs?

After taking a look at the msk() and eephy() driver sources, I still
can not figure out if I have a misconception about the use of msk(),
or the fiber NICs features, or even if there is a problem with the
driver(s) and Gig fiber support.
Both fiber NICs are new out-of-the-box. To exclude any hardware
problem, I might test them under Solaris 8. According to prior
experience, I know that they should work after installing a suitable
driver.

I can patch and re-test, if this should be of interest. Thanks for any
hints and suggestions,
Rolf

# dmesg
console is /[EMAIL PROTECTED],60/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
   The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.0-current (GENERIC) #1049: Fri Jan 19 18:36:23 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
total memory = 1073741824
avail memory = 969416704
using 6553 buffers containing 53682176 bytes of memory
bootpath: /[EMAIL PROTECTED],60/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
mainbus0 (root): Sun Fire V210
cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1336 MHz, version 0 FPU
cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K
external (64 b/l)
memory-controller at mainbus0 not configured
schizo0 at mainbus0: Tomatillo, version 4, ign 7c0, bus B 0 to 0
schizo0: dvma map c000-dfff, iotdb 4d16000-4d96000
pci0 at schizo0
bge0 at pci0 dev 2 function 0 Broadcom BCM5704C rev 0x00, BCM5704 B0
(0x2100): ivec 0x7c8, address 00:14:4f:64:0c:52
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci0 dev 2 function 1 Broadcom BCM5704C rev 0x00, BCM5704 B0
(0x2100): ivec 0x7c9, address 00:14:4f:64:0c:53
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
schizo1 at mainbus0: Tomatillo, version 4, ign 780, bus A 0 to 0
schizo1: dvma map c000-dfff, iotdb 547e000-54fe000
pci1 at schizo1
ebus0 at pci1 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
flashprom at ebus0 addr 0-f, 290-290 not configured
rtc0 at ebus0 addr 70-71: m5819p
pcfiic0 at ebus0 addr 320-321 ipl 46
iic0 at pcfiic0
SUNW,i2c-imax at iic0 addr 0xb not configured
SUNW,i2c-imax at iic0 addr 0xc not configured
at24c64 at iic0 addr 0x51 not configured
at24c64 at iic0 addr 0x54 not configured
at24c64 at iic0 addr 0x58 not configured
at34c02 at iic0 addr 0x5b not configured
at34c02 at iic0 addr 0x5c not configured
at34c02 at iic0 addr 0x5d not configured
at34c02 at iic0 addr 0x5e not configured
ds1307 at iic0 addr 0x68 not configured
at24c64 at iic0 addr 0x28 not configured
pca9555 at iic0 addr 0x22 not configured
pca9555 at iic0 addr 0x23 not configured
pca9555 at iic0 addr 0x34 not configured
pca9556 at iic0 addr 0x38 not configured
power0 at ebus0 addr 800-82f ipl 32: can't map register space
com0 at ebus0 addr 3f8-3ff ipl 44: ns16550a, 16 byte fifo
com0: console
com1 at ebus0 addr 2e8-2ef ipl 44: ns16550a, 16 byte fifo
rmc-comm at ebus0 addr 3e8-3ef ipl 44 not configured
Acer Labs M7101 Power rev 0x00 at pci1 dev 6 function 0 not configured
ohci0 at pci1 dev 10 function 0 Acer Labs M5237 USB rev 0x03: ivec
0x7a7, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pciide0 at pci1 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc4:
DMA, channel 0 configured to native-PCI, channel 1 configured to
native-PCI
pciide0: 

Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type

2007-01-30 Thread Siegbert Marschall
Hi,

 # ifconfig -m msk0
 msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:00:5a:72:fc:58
 media: Ethernet autoselect (100baseTX half-duplex)
 status: no carrier
 supported media:
 media none
 media 10baseT
 media 10baseT mediaopt full-duplex
 media 100baseTX
 media 100baseTX mediaopt full-duplex
 media 1000baseT
 media 1000baseT mediaopt full-duplex
 media autoselect
 inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5
 inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255
 #

 Maybe I am mistaken by assuming that 1000baseSX should be accepted
 by msk() for these NICs?
try media 1000baseT mediaopt full-duplex , 1G fiber links should be
always full duplex, the rest is not relevant since it's purely a hardware
question. wonder how the thing got its head on 100BaseTX...

apart from that it's a good idea to test them with something else,
to make sure the fibers are crossed and signal-levels are okay.

with single-mode fiber and short cables sometimes you need to insert
a dampening-block since the signal can be too strong for the receiver,
don't think it's the case here though.

-sm



some basic questions

2007-01-30 Thread ronald jiang

obsd 4.0 i386 without X on an ibm  thinkpad t30

a. How to map Alt to Meta?
  In ksh, Alt really works as meta, but in emacs it doesn't (esc as meta).
b. When compile emacs22, it encounters an error, what say:
  ... don't know how to make faces.elc\n Error code 2
c. adduser within group wheel, but cannot 'sudo', what's the problem?
d. Do I have to install gmake to make mplayer?
e. My hard disk has more than ten thousand cylinders, but when installing, the 
maximum allowed is 1024, why?




some basic problems

2007-01-30 Thread ronald jiang

obsd 4.0 i386 without X on an ibm thinkpad t30

a. How to map alt to meta? It's already find in ksh, but not in emacs.
b. My hard disk really has more than 10 thousand cylinders, but fdisk allows 
1024 at most...
c. emacs22 compiling encounter an error which says don't know how to make 
faces.elc

d. adduser in grp `wheel', but can't sudo, why?
e. To compile mplayer, do I have to get a gmake, can make work?



Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type

2007-01-30 Thread Rolf Sommerhalder

On 1/30/07, Siegbert Marschall [EMAIL PROTECTED] wrote:


try media 1000baseT mediaopt full-duplex , 1G fiber links should be
always full duplex, the rest is not relevant since it's purely a hardware
question. wonder how the thing got its head on 100BaseTX...

apart from that it's a good idea to test them with something else,
to make sure the fibers are crossed and signal-levels are okay.

with single-mode fiber and short cables sometimes you need to insert
a dampening-block since the signal can be too strong for the receiver,
don't think it's the case here though.



Thanks for your quick reply. Unfortunately, this does not activate the
link either:

# ifconfig msk0 media 1000baseT mediaopt full-duplex
# ifconfig -m msk0
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:5a:72:fc:58
   media: Ethernet 1000baseT full-duplex (none)
   status: no carrier
   supported media:
   media none
   media 10baseT
   media 10baseT mediaopt full-duplex
   media 100baseTX
   media 100baseTX mediaopt full-duplex
   media 1000baseT
   media 1000baseT mediaopt full-duplex
   media autoselect
   inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5
   inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255
#

Three months ago I used the exact same fiber patch cable with two
other SK-9S91 under Solaris 8 in some other V210 or V240, and the
fiber link worked fine back then. Thus, the fiber should be OK
(crossover, attenuation, etc.). But will cross-check that by
installing Solaris again.

Further, I noticed ifmedia(4) differentiates between 1000baseT, SX and
LX. From this I actually realize that I should be able to set
1000baseLX for single mode fiber, not SX which is for multi mode
fiber.

Or, are you saying that the Marvell PHY 88112 does not really care
about if T, SX or LX is set, because for the optical GBIC
electrically all is the same?

Rolf



Re: some basic problems

2007-01-30 Thread Nickolay A. Burkov
On Wed, Jan 31, 2007 at 05:52:51AM +0800, ronald jiang wrote:
 obsd 4.0 i386 without X on an ibm thinkpad t30
 
 a. How to map alt to meta? It's already find in ksh, but not in emacs.
 b. My hard disk really has more than 10 thousand cylinders, but fdisk allows 
 1024 at most...
 c. emacs22 compiling encounter an error which says don't know how to make 
 faces.elc
 d. adduser in grp `wheel', but can't sudo, why?
 e. To compile mplayer, do I have to get a gmake, can make work?
 

a. http://www.gnu.org/software/emacs/#Manuals
b. http://www.gnu.org/software/emacs/#Manuals
c. edit /etc/sudoers after reading man sudoers(5)
d. yes, see http://www.mplayerhq.hu/DOCS/HTML/en/softreq.html for other 
requirements
e. just use 1024 until you haven't working emacs

-- 
I do not fear computers.  I fear the lack of them. (c)



Re: Mounting FreeBSD partitions on OpenBSD

2007-01-30 Thread Ted Unangst

On 1/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I'm trying to mount my FreeBSD partitions in OpenBSD. OpenBSD has no
problem finding, reading and writing to the root partition for FreeBSD but
doesn't see the other partitions(/home, /usr, /var). I know I have to
manually edit the disklabel to add those partitions. My problem is that
the disklabel editor doesn't want to change or edit a partition that isn't
on the OpenBSD slice. Is there any way to edit the disklabel using
disklabel without resorting to an editor like vi since I don't feel
entirely comfortable manually computing and changing the table, or if that
is my only option, what is the required entries to the table I need to
provide?


use 'b' to set the disk boundary.



Re: SVND -k and -K ERRATUM

2007-01-30 Thread Ted Unangst

On 1/30/07, Don Smith [EMAIL PROTECTED] wrote:

I looked at the source code. In /src/sys/dev/vnd.c, it
has the lines:

blf_ecb_encrypt(&vnd->sc_keyctx, iv, sizeof(iv));
if (encrypt)
        blf_cbc_encrypt(&vnd->sc_keyctx, iv, addr, bsize);

This looks like it encrypts the key using the iv of
all zeroes. True, it doesn't add any salt using -k,


the iv is the block number.


but it doesn't look like the user's key is the key
that is actually used. I am curious what happens if


it is turned into a key suitable for blowfish to use.


the user enters a key longer than 448 bits. If the
user enters a 456 bit key, would the extra 8 bits just
be dropped from the key?


the extra is ignored.



Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type

2007-01-30 Thread Henning Brauer
* Rolf Sommerhalder [EMAIL PROTECTED] [2007-01-30 21:48]:
 Two identically configured SUN V210, each equipped with a SK-9S91 PCI
 NIC (single port, single mode fiber 1 Gbit/s), run -current snapshot
 dated 20 Jan 07
 The kernel detects those fiber NICs, besides the four on-board bge,
 see dmesg below. After boot, the msk0 come up in autoselect media
 type, but the two fiber NICs' link status remains at no carrier,
 despite having connected the two NIC with a cross-over fiber patch
 cable and forcing them up.
 
 Forcing the  media type 1000baseSX according to msk(4) fails:
 # ifconfig msk0 media 1000baseSX
 ifconfig: SIOCSIFMEDIA: Invalid argument
 #
 
 Indeed, this option is missing in the list of media types and options
 supported by the card:
 # ifconfig -m msk0
 msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5a:72:fc:58
media: Ethernet autoselect (100baseTX half-duplex)
status: no carrier
supported media:
media none
media 10baseT
media 10baseT mediaopt full-duplex
media 100baseTX
media 100baseTX mediaopt full-duplex
media 1000baseT
media 1000baseT mediaopt full-duplex
media autoselect
inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5
inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255
 #
 
 Maybe I am mistaken by assuming that 1000baseSX should be accepted
 by msk() for these NICs?

looks like the driver/phy driver lacks fibre support for the moment (or 
it's buggy. I dunno and am too lazy to check right now)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type

2007-01-30 Thread Mark Kettenis
Hi Rolf,

Most likely something is not quite right with the eephy(4) driver.
The 88E1112 PHY apparently supports both copper and fiber, and I think
it should automatically switch over to fiber, but apparently it
doesn't.  Could you test some diffs for me on that machine?

Mark



Re: dmesg and fdisk do not match about usb external disk

2007-01-30 Thread Nick Holland
frantisek holop wrote:
 hi there,
 
 please compare the following for my external usb disk:
 
 amaaq sudo fdisk sd0
 Disk: sd0   geometry: 60801/255/63 [976768065 Sectors]
 Offset: 0   Signature: 0xAA55
          Starting       Ending       LBA Info:
  #: id    C   H  S -    C   H  S [       start:      size   ]
 
  0: 07    0   1  1 - 16317 254 63 [          63:   262148607 ] HPFS/QNX/AUX
  1: 0C 16318   0  1 - 32635 254 63 [   262148670:   262148670 ] Win95 FAT32L
  2: 83 32636   0  1 - 60800 254 63 [   524297340:   452470725 ] Linux files*
  3: 00    0   0  0 -     0   0  0 [           0:           0 ] unused
 
 
 and the dmesg when plugged in:
 
 umass0 at uhub3 port 4 configuration 1 interface 0
 umass0: Western Digital External HDD, rev 2.00/0.00, addr 2
 umass0: using SCSI over Bulk-Only
 scsibus1 at umass0: 2 targets
 sd0 at scsibus1 targ 1 lun 0: WD, 5000AAJS Externa, 101a SCSI2 0/direct 
 fixed
 sd0: 476940MB, 476940 cyl, 64 head, 32 sec, 512 bytes/sec, 976773168 sec total
 
 
 the cylinders, heads, sectors and the number of total sectors do not match.
 what does this mean?

It means translation is stupid, but we keep doing it. :)

60801 x 255 x 63 = 976768065
476940 x 64 x 32 = 976773120 which is actually 48 sectors shy of what
the dmesg reports.

fdisk (and the partition system it supports) is basically cylinder
oriented, so we keep talking about cylinders, even though not only has
it all been completely bogus for the last many years, but a lot of
devices now aren't even rotating...  But by nature and the way they
are handled, you can't have fractional cylinders.

In reality, you have the number of sectors reported by dmesg, but you
can use the number reported by fdisk.  So, there are 5103 sectors you
can't use, and at half K each, that's about 2.5M of lost space on your
488,386,584k drive.  Ouch. :)

Now, before you accuse me of wasting space without caring, I do wish
to point out that the first computer I worked with with disk storage
had 90K floppy disks and 64K RAM.  I was thrilled to upgrade to a 640k
floppy disk system on the first big machine I owned, and when I
later installed hard disks on it, they were only twice as big as the
amount we are wasting here (5M).  In my basement is a PDP-11/23 that
can supposedly (just barely) run an early Unix on its 14 5M drives.

So yes, it hurts to lose that much space, but they keep telling me to
get over it.

:)

Nick.
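
Nick's arithmetic above, as an added example that is not code from the thread: it rounds the dmesg sector count down to whole cylinders for both the fdisk (255/63) and dmesg (64/32) geometries, reports the unreachable tail, and checks that the fdisk entries frantisek posted stay inside the translated capacity. The sector values are copied from the thread; the function and constant names are my own.

```python
# Added example (not code from the thread): CHS translation arithmetic for the
# disk discussed above, plus a sanity check of the posted fdisk entries.

SECTOR_BYTES = 512

# Values copied from the thread: fdisk geometry 60801/255/63, dmesg geometry
# 476940/64/32, and the sector count dmesg reports.
DMESG_TOTAL_SECTORS = 976773168
FDISK_GEOMETRY = (255, 63)      # heads, sectors per track
DMESG_GEOMETRY = (64, 32)

# fdisk entries as (start, size) in sectors, copied from the thread;
# the last slot is the unused entry.
FDISK_ENTRIES = [
    (63, 262148607),
    (262148670, 262148670),
    (524297340, 452470725),
    (0, 0),
]


def translated_capacity(total_sectors, heads, sectors_per_track):
    """Round the disk down to whole cylinders, as the MBR partition scheme does.

    Returns (cylinders, usable_sectors, lost_sectors). The lost tail is real
    capacity that no MBR partition can reach under this translation.
    """
    per_cyl = heads * sectors_per_track
    cylinders = total_sectors // per_cyl
    usable = cylinders * per_cyl
    return cylinders, usable, total_sectors - usable


def lost_bytes(total_sectors, heads, sectors_per_track):
    """Bytes unreachable under the given translation."""
    _, _, lost = translated_capacity(total_sectors, heads, sectors_per_track)
    return lost * SECTOR_BYTES


def check_entries(entries, total_sectors, heads, sectors_per_track):
    """Check fdisk-style (start, size) entries against the translated disk.

    Returns a list of problem strings; an empty list means every used entry
    lies inside the usable area, ends on a cylinder boundary, and does not
    overlap its predecessor. The first entry may start at sector 63 (after
    the MBR track), so only the end is required to be cylinder aligned.
    """
    per_cyl = heads * sectors_per_track
    _, usable, _ = translated_capacity(total_sectors, heads, sectors_per_track)
    problems = []
    prev_end = 0
    used = sorted((s, z) for s, z in entries if z > 0)
    for idx, (start, size) in enumerate(used):
        end = start + size          # exclusive end sector
        if end > usable:
            problems.append(f"entry {idx}: end {end} beyond usable {usable}")
        if end > total_sectors:
            problems.append(f"entry {idx}: end {end} beyond physical disk")
        if end % per_cyl:
            problems.append(f"entry {idx}: end {end} not on a cylinder boundary")
        if start < prev_end:
            problems.append(f"entry {idx}: start {start} overlaps previous entry")
        prev_end = end
    return problems


if __name__ == "__main__":
    for name, (h, s) in (("fdisk", FDISK_GEOMETRY), ("dmesg", DMESG_GEOMETRY)):
        cyl, usable, lost = translated_capacity(DMESG_TOTAL_SECTORS, h, s)
        print(f"{name}: {cyl} cyl x {h} x {s} = {usable}, {lost} sectors lost")
    print("lost bytes (fdisk geometry):",
          lost_bytes(DMESG_TOTAL_SECTORS, *FDISK_GEOMETRY))
    print("problems:", check_entries(FDISK_ENTRIES, DMESG_TOTAL_SECTORS,
                                     *FDISK_GEOMETRY))
```

The three used entries end exactly at cylinders 16318, 32636 and 60801, so the check passes; the same routine flags any entry that reaches into the 5103-sector tail or past the physical end of the disk.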



Regarding your submission to the job entitled Information Security Engineer - Sydney

2007-01-30 Thread resume-thanks
We received your application for the job entitled 'Information Security 
Engineer - Sydney'.  However, this job requires that you include an English 
resume.  Please resubmit your application with an English resume.

Our thanks,
Google Staffing



Re: No HD DMA? (Was: Harddisk slow)

2007-01-30 Thread Jonathan Gray
On Tue, Jan 30, 2007 at 08:50:53AM +0100, Heinrich Rebehn wrote:
 
 attaching the drive to a notebook via a IDE/USB converter easily yields 
 20 MB/s. So the drive *is* faster. While i could live with 8 MB/s i 
 cannot accept the high CPU usage. It seems to make the installed crypto 
 accelerator almost ineffective because the interrupts cannot be served 
 fast enough.
 I suspect that the disk is not running in DMA mode. Is there any tool to 
 verify that (like Linux's hdparm)?
 
 Cheers,
   Heinrich

A dmesg and the output of atactl wd0



PF rules for outgoing FTP from firewall

2007-01-30 Thread Steve Williams

Hi,

I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted 
firewall duties.  It is working 100%, including proxying ftp requests 
from the internal network.


Today I went to do an FTP directly from the server (perl CPAN), and it 
failed. 

Looking at blocked packets, I see that packets coming in to the ftp port 
(tcpdump -r /var/log/pflog) are being blocked.


Knowing a bit about ftp, I think I can understand why.

Normally, the traffic would be allowed by my  pass out keep state 
statement, but in the case of the bogus FTP protocol, data packets are 
coming back to the firewall without an outgoing packet to initiate the 
state.


To activate the proxy for the internal network, I am using:
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

This works 100%

But in the case of traffic originating directly from the server, it 
won't have gone through the internal interface, so won't even hit the proxy.


What do I need to do to allow ftp to work directly from the firewall?

Thanks,
Steve Williams



Re: spamd openbsd 4.0 query

2007-01-30 Thread RW
On Sun, 28 Jan 2007 19:19:09 +, John wrote:

The only other thing I'm trying to find out now is whether whitelist.txt
can use domains rather than dotted quads

No. It doesn't do DNS as it is a fast lightweight single purpose
MTA-like daemon.
Besides which: Are you expecting to trust the domain in the HELO
transaction? Or maybe you trust the envelope sender?

Both are easily and commonly forged.

R/

From the land down under: Australia.
Do we look umop apisdn from up over?



Re: PF rules for outgoing FTP from firewall

2007-01-30 Thread Darren Spruell

On 1/30/07, Steve Williams [EMAIL PROTECTED] wrote:

> Hi,
>
> I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted
> firewall duties.  It is working 100%, including proxying ftp requests
> from the internal network.
>
> Today I went to do an FTP directly from the server (perl CPAN), and it
> failed.
>
> Looking at blocked packets, I see that packets coming in to the ftp port
> (tcpdump -r /var/log/pflog) are being blocked.
>
> Knowing a bit about ftp, I think I can understand why.


Have you tried ensuring that your CPAN module is configured to use
passive mode FTP?

http://sial.org/howto/perl/life-with-cpan/

This may prove a good workaround to having to tweak your firewall
config to compensate.

DS
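The two posts above turn on who opens the FTP data connection. The following is an added example, not code from either poster or from OpenBSD's ftp-proxy(8): it parses the two control-channel lines that decide the direction of the data connection (the client's PORT command and the server's 227 reply to PASV) and reports whether the side running the firewall will receive an unsolicited SYN, which is exactly the case a plain "pass out keep state" rule cannot cover. It also applies the sanity check a proxy has to apply before opening state for an announced endpoint. The session lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed for the example.

```python
"""Who opens the FTP data connection: PORT (active) versus PASV (passive).

Added example for the thread above; not code from any poster. The sample
control lines and addresses below are constructed, not captured traffic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Both a PORT argument and a 227 reply carry the endpoint as six decimal
# bytes: four for the IPv4 address, then the port as (high, low).
_SIX_BYTES = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConn:
    mode: str    # "active" or "passive"
    dialer: str  # side that sends the SYN for the data connection
    host: str    # address announced on the control channel
    port: int    # port announced on the control channel


def _decode(groups) -> Tuple[str, int]:
    b = [int(x) for x in groups]
    if any(v > 255 for v in b):
        raise ValueError("h1-h4,p1,p2 must each be 0..255")
    port = b[4] * 256 + b[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(v) for v in b[:4]), port


def parse_control_line(line: str) -> Optional[DataConn]:
    """Return the data endpoint a control line announces, or None for lines
    (USER, RETR, 150 ...) that do not affect the data channel."""
    text = line.rstrip("\r\n")
    m = re.match(r"PORT\s+(.+)$", text, re.IGNORECASE)
    if m:
        # Client says "connect to me here": the server dials, usually from
        # TCP port 20, so the client's firewall sees an unsolicited SYN.
        six = _SIX_BYTES.fullmatch(m.group(1).strip())
        if not six:
            raise ValueError(f"malformed PORT argument: {text!r}")
        host, port = _decode(six.groups())
        return DataConn("active", "server", host, port)
    if text.startswith("227"):
        # Server says "connect to me here": the client dials, so an
        # outbound keep-state rule on the client side already matches.
        six = _SIX_BYTES.search(text)
        if not six:
            raise ValueError(f"malformed 227 reply: {text!r}")
        host, port = _decode(six.groups())
        return DataConn("passive", "client", host, port)
    return None


def needs_inbound_pass(conn: DataConn) -> bool:
    """True when the FTP client's own host will receive the data SYN rather
    than send it, i.e. active mode seen from the client's firewall."""
    return conn.dialer == "server"


def announced_host_matches_peer(conn: DataConn, peer: str) -> bool:
    """Refuse endpoints that name a third host: opening state for an
    arbitrary announced address would let the control-channel peer steer
    the data connection elsewhere (the classic FTP bounce)."""
    return ipaddress.ip_address(conn.host) == ipaddress.ip_address(peer)


# Constructed session: the client first tries active mode, then passive.
SAMPLE_SESSION = [
    ("client", "USER anonymous\r\n"),
    ("client", "PORT 192,0,2,10,4,1\r\n"),
    ("server", "227 Entering Passive Mode (198,51,100,7,195,80).\r\n"),
]


def walk_session(lines, client_ip: str, server_ip: str) -> List[Tuple[DataConn, bool, bool]]:
    """For each endpoint-announcing line: (endpoint, announced host matches
    the speaker, firewall on the client side needs an inbound pass)."""
    out = []
    for speaker, line in lines:
        conn = parse_control_line(line)
        if conn is None:
            continue
        peer = client_ip if speaker == "client" else server_ip
        out.append((conn, announced_host_matches_peer(conn, peer),
                    needs_inbound_pass(conn)))
    return out


if __name__ == "__main__":
    for conn, ok, inbound in walk_session(SAMPLE_SESSION, "192.0.2.10", "198.51.100.7"):
        print(f"{conn.mode:7} {conn.dialer} dials {conn.host}:{conn.port} "
              f"peer-check={'ok' if ok else 'MISMATCH'} "
              f"client-side inbound pass needed={inbound}")
```

Read against the thread: the PORT line is the case Steve hits when the firewall itself is the client, since the proxy rdr on $int_if never sees traffic that originates on the box; the 227 line is the case Darren's passive-mode suggestion switches CPAN to, where the data connection goes out and existing state rules cover it.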



Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type

2007-01-30 Thread Rolf Sommerhalder

Hi Mark


Most likely something is not quite right with the eephy(4) driver.

eephy_status() in sys/dev/mii/eephy.c seems to be a candidate for
closer examination. It appears to fall through the if() clause and
does the else part, although we have a NIC with MIIF_IS_1000X :

        if (sc->mii_flags & MIIF_IS_1000X) {
                if (ssr & E1000_SSR_1000MBS)
                        mii->mii_media_active |= IFM_1000_SX;
        } else {
                if (ssr & E1000_SSR_1000MBS)
                        mii->mii_media_active |= IFM_1000_T;
                else if (ssr & E1000_SSR_100MBS)
                        mii->mii_media_active |= IFM_100_TX;
                else
                        mii->mii_media_active |= IFM_10_T;
        }



> Could you test some diffs for me on that machine?

Yes, I am happy to do that - I hope that I can continue to use those
two machines over the next few days. Just preparing them with CVSupped
source tree.

Rolf