Re: http load balancing with pf (apache access log)
Hej Bob,

Bob Beck wrote:
> * Marian Hettwer [EMAIL PROTECTED] [2007-01-29 09:49]:
>> Hi OpenBSD'lers,
>>
>> I'm about to use OpenBSD's pf(4) for load balancing some webservers.
>> So far, everything is looking just perfect. Compared to pound, pf(4) is
>> incredibly fast with little CPU and memory usage. So I'd say: That's great :)
>> However, one thing is bothering me. Obviously, my apache access logs on
>> those load balanced machines can only show the IP address of my load
>> balancer, not the real remote IP of the request.
>
> Completely untrue. If you are doing an rdr, it will change the
> destination IP, not the source IP.

That's true so far... however, I was told by Stuart that the connections are going like this:

<quote>
requests go like this:
origin -> balancer -> destination

replies like this:
destination -> origin

but they need to go like this so they can be un-rdr'ed:
destination -> balancer -> origin

I'm not certain whether it will help so I won't bother posting to misc@ now, but you could try adding a NAT rule in addition to the RDR.
</quote>

> Unless in *addition* to load balancing you are doing NAT.

I do, which it seems I have to. My boxes are some dedicated servers with a standard network configuration. Means, official IP address, some default gateway and off they go. However, I can't change the network configuration as those boxes are rented servers with no possibility to mess around with the network config.

> I'm not using NAT, my load balancer looks like this:
>
> web2# more /etc/pf/webmail_servers
> 142.244.12.130
> 142.244.12.132
> 142.244.12.133
> 142.244.12.134
> 142.244.12.135
> 142.244.12.136
> 142.244.12.137
> 142.244.12.138
> 142.244.12.139
> 142.244.12.140
>
> pf.conf:
>
> table <webmail_servers> persist file "/etc/pf/webmail_servers"
> WEBMAIL_IP = "{129.128.98.89}"
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 -> <webmail_servers> port 80 round-robin sticky-address
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 -> <webmail_servers> port 443 round-robin sticky-address
>
> I get the real connection IP's in my apache log.

That looks interesting. I wonder why I need NAT to get the communication working... strange... How are your webmail servers configured (in regards to networking)?

Regards,
./Marian
Re: http load balancing with pf (apache access log)
Henning Brauer wrote:
> * Marian Hettwer [EMAIL PROTECTED] [2007-01-29 18:46]:
>> Ah... there we go. I can't setup the webservers with their default
>> gateway to my load balancer. The boxes are dedicated servers and I have
>> no possibility to change the network settings. These are rented servers
>> (dedicated boxes) at some cheap ISP and all they have is an official IP
>> address. Changing the default gateway isn't possible... Sorry 'bout that.
>
> nothing you can do about it then. you get what you pay for...

My bad... time to watch out for another ISP ;) It wasn't my decision to go with this cheap ISP (Strato), however, I'll have to live with it for the time being.

./Marian
Re: http load balancing with pf (apache access log)
Hej Stuart,

Stuart Henderson wrote:
> On 2007/01/29 16:21, Marian Hettwer wrote:
>> Is there any possible way to get the real ip addresses in my apache
>> access log?
>
> Readers who didn't see the earlier posts about setting this up, they're
> here: http://marc.theaimsgroup.com/?l=openbsd-miscm=116905272009036w=2
> - it's not the standard setup with PF sitting directly on the route
> between client and webserver.
>
> That's the drawback to this method: in order to get that information
> you'd need to rearrange the network so the balancer is in the IP route
> between the webservers and the end users so you can skip the NATs.
>
> If moving to a more... flexible... ISP isn't an option, you may be able
> to do something with tunneling. You need to decide which method will
> suck the least in your situation.

You're right. Both situations suck, but for now I'll have to go with that cheap ISP and therefore live with having a castrated access.log. I'll buy me some security via mod_security on those remote apaches ;) (and of course, keep my fingers crossed that no bloody botnet tries to attack).

Cheers,
Marian
Re: http load balancing with pf (apache access log)
On Tue, Jan 30, 2007 at 09:09:46AM +0100, Marian Hettwer wrote:
| <quote>
| requests go like this:
| origin -> balancer -> destination
|
| replies like this:
| destination -> origin

This sounds a lot like what certain loadbalancers call DSR or Direct Server Return. Basically, this is layer 2 NAT'ing. Here's how it works:

You configure the outside interface of the loadbalancer with a VIP, which you also configure on lo0 on your webservers. The loadbalancer receives a request on VIP and selects one of the webservers as the destination (based on variable levels of intelligent selection methods). It now forwards the IP-packet as-is to this webserver, changing the destination MAC address in the Ethernet frame. This frame is picked up by the destination webserver (as it has the correct MAC address) and is acted upon by the IP layer (as the system has the VIP configured). The webserver processes the request and returns the answer directly to the origin, without going through the loadbalancer.

This can be beneficial in certain circumstances where your webservers do more outgoing b/w than incoming. Say you have a big document store (where documents are your MP3-collection or a big library of (large) PDF's or whatnot) that you wish to serve over HTTP. Many of these requests will fit in a 100MB/s connection. Not quite as many answers fit in that same 100MB/s going back to the original requestor. Aggregating 10 webservers' 100MB/s you can fill a 1GB/s link with your loadbalancer and your webservers all at 100MB/s.

This also gets you the IP address of the requestor in your weblogs.

It would be cool if pf could support DSR. Since I'm not a programmer, I'll shut up now because I won't be producing patches anytime soon.

Cheers,

Paul 'WEiRD' de Weerd

-- 
http://www.weirdnet.nl/
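
Added example (not part of the original thread, and not pf code): a toy Python model of the four setups discussed in this thread (rdr only, rdr plus NAT, rdr with the balancer as the servers' default gateway, and DSR), showing which ones complete the exchange and which source address would reach the access log. All addresses, names and the one-server pool are constructed assumptions; it models address rewriting only.

```python
from dataclasses import dataclass, replace
from typing import Optional

# All addresses are constructed (RFC 5737 documentation ranges).
CLIENT = "198.51.100.7"
VIP = "203.0.113.10"      # balancer's public address, the one clients connect to
SERVER = "192.0.2.20"     # one pool member's own address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Result:
    established: bool          # did the client accept the reply?
    logged_ip: Optional[str]   # what the access log would record, if anything
    reply_via_balancer: bool   # did the reply traverse the balancer?


class Balancer:
    """Stateful translator: remembers each rewrite so replies can be reversed."""

    def __init__(self, mode: str):
        if mode not in ("rdr", "rdr+nat", "dsr"):
            raise ValueError(mode)
        self.mode = mode
        self.states = {}

    def inbound(self, pkt: Packet) -> Packet:
        if self.mode == "dsr":
            # Layer 2 only: the IP header is untouched, the frame is re-addressed.
            return pkt
        out = replace(pkt, dst=SERVER)        # rdr: rewrite the destination
        if self.mode == "rdr+nat":
            out = replace(out, src=VIP)       # nat: rewrite the source as well
        # Key on the reply we expect; value is what the client must receive.
        self.states[(out.dst, out.src)] = Packet(src=pkt.dst, dst=pkt.src)
        return out

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        return self.states.get((pkt.src, pkt.dst))


def simulate(mode: str, gateway_is_balancer: bool) -> Result:
    lb = Balancer(mode)
    request = lb.inbound(Packet(src=CLIENT, dst=VIP))

    # The server only answers for addresses it owns; DSR puts the VIP on lo0.
    local_addrs = {SERVER, VIP} if mode == "dsr" else {SERVER}
    if request.dst not in local_addrs:
        return Result(False, None, False)
    reply = Packet(src=request.dst, dst=request.src)

    # Server-side routing: a reply addressed to the balancer reaches it
    # directly, anything else follows the server's default route.
    via_lb = reply.dst == VIP or gateway_is_balancer
    if via_lb:
        translated = lb.outbound(reply)
        if translated is not None:
            reply = translated            # un-rdr / un-nat
        # with no matching state (DSR) the reply is forwarded unchanged

    # The client only accepts a reply from the address it connected to.
    established = reply.src == VIP and reply.dst == CLIENT
    # No completed exchange means no request and therefore no log line.
    logged = request.src if established else None
    return Result(established, logged, via_lb)


if __name__ == "__main__":
    cases = [
        ("rdr", False),      # rented servers, ISP gateway: replies bypass the balancer
        ("rdr+nat", False),  # works, but the log shows the balancer
        ("rdr", True),       # balancer is the default gateway
        ("dsr", False),      # Direct Server Return as described above
    ]
    for mode, gw in cases:
        print(f"{mode:8} gateway_is_balancer={gw!s:5} -> {simulate(mode, gw)}")
```
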
ADI 1988b Sound Device
hello Misc@ Would someone know if this sound device that is on several new Asus boards is supported in OpenBSD? unless someone knows otherwise I don't think FreeBSD has support either http://www.analog.com/UploadedFiles/Data_Sheets/AD1988A_1988B.pdf Sam Fourman Jr.
OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494
CVE-2007-0493: If recursion is enabled, a remote attacker can dereference a freed fetch context causing the daemon to abort / crash.

CVE-2007-0494: By sending specific DNS query responses with multiple RRSETS attackers could cause BIND to exit abnormally.

Is this of relevance also for OpenBSD's bind? I guess not, but maybe some insider could shed some photons on it.

-- 
Stephan A. Rickauer
Institute of Neuroinformatics    Tel +41 44 635 30 50
University / ETH Zurich          Sec +41 44 635 30 52
Winterthurerstrasse 190          Fax +41 44 635 30 53
CH-8057 Zurich                   Web www.ini.unizh.ch
RSA public key: https://www.ini.uzh.ch/~stephan/pubkey.asc
Re: OpenBSD 3.9 (i386) and mount_udf - big problem
On 29/01/07, Pedro Martelletto [EMAIL PROTECTED] wrote:
> Andreas,
>
> On Mon, Jan 29, 2007 at 09:45:14AM +, Andreas Kahari wrote:
>> I had the same problem (FSD does not lie within the partition! when
>> trying to mount a UDF DVD disc). I applied the patch below from Pedro
>> to a current i386 system, but that resulted in a locked system
>> (everything waiting in 'inode') when trying to mount the disc again.
>
> Sorry about that, the diff had a little mistake. Could you please try
> this one?

[cut]

The patch will make the machine not lock up, but it still doesn't mount the DVD disc. This time, I get no messages from the kernel in /var/log/messages, but I get the error message

mount_udf: mount: Invalid argument

in the console.

This is the disklabel from the DVD disc:

$ sudo disklabel cd0
# /dev/rcd0c:
type: ATAPI
disk: Talks
label: fictitious
flags:
bytes/sector: 2048
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 20449
total sectors: 2044832
rpm: 300
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

3 partitions:
#        size   offset  fstype [fsize bsize cpg]
  a:  2044832        0     UDF                    # Cyl 0 - 20448*
  c:  2044832        0     UDF                    # Cyl 0 - 20448*

I've tried mounting cd0a and cd0c but it doesn't seem to make a difference.

Regards,
Andreas

-- 
Andreas Kahari
Somewhere in the general Cambridge area, UK
Re: OpenBSD 3.9 (i386) and mount_udf - big problem
Andreas, On Tue, Jan 30, 2007 at 09:55:28AM +, Andreas Kahari wrote: The patch will make the machine not lock up, but it still doesn't mount the DVD disc. This time, I get no messages from the kernel in /var/log/messages, but I get the error message mount_udf: mount: Invalid argument in the console. Can you please try this diff, so that we know the exact point of failure? (It should apply over your already patched udf_vfsops.c.) Thanks, -p. --- udf_vfsops.c.orig Tue Jan 30 11:50:58 2007 +++ udf_vfsops.cTue Jan 30 11:51:52 2007 @@ -327,6 +327,7 @@ udf_mountfs(struct vnode *devvp, struct } if (!part_found || !logvol_found) { + printf(udf_mountfs(): %d, %d\n, part_found, logvol_found); error = EINVAL; goto bail; }
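Review bot: In the added printf in udf_mountfs(), the format string appears without double quotes as shown here, so the line will not compile as posted; it should read printf("udf_mountfs(): %d, %d\n", part_found, logvol_found);. The two flags are also printed as bare numbers, so a report like "0, 1" depends on the reader remembering the argument order; labelling them (part_found=%d logvol_found=%d) would remove that ambiguity. This is a diagnostic only and should be dropped again before anything is committed.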
Re: New routing ideas for OpenBSD ;) (Was: Is Theo still hiking ????)
On Mon, Jan 29, 2007 at 04:09:41PM +, Jeroen Massar wrote: There is *NO* demand from anyone for giving /48's to customers. It is only a suggestion. Talking again about RIPE policy, section 5.4.1 requires /48, or larger for very large subscribers. Exceptions are made to allow /64 when it is known that one and only one subnet is needed by design, and /128 when it is absolutely known that one and only one device is connecting As I said it is only a suggestion. When a LIR gives out /56's they can do this. No RIPE police will be knocking on their doors. But surely, if LIR's feel it is necessary to make smaller allocations than /48's, it's a tacit admission that this supposedly near-infinite IPv6 space is *already* under pressure. I think you're right in one sense: /48 end-user allocations are stupid. With 128 bits of address space, you could give most end users a /112, which would still be the equivalent of a whole class B in the current Internet. But the current IPv6 design is broken. BTW: calculate how many /48's are in 2000::/3 and you'll get an idea. France Telecom got a /19. Does this mean they have a plan to connect 2^29 (over 500 million) customers in the next two years? I don't think so. Making your network aggregatable means having a lot of address sparseness, and therefore a large amount of wastage. The attitude which says I'll allocate a /32 here, rather than the /39 I actually need, because the boundary is easier to see and type compounds this problem by orders of magnitude. So NAT will be deployed because it has *commercial* benefits. The IPv6 techno-utopians will continue to be unhappy. No the application programmer will remain unhappy as they need to fiddle to get around that NAT all the time. 
Well, any protocol which has separate control and data connections will require application layer gateway magic at the firewall, even without NAT, since the firewall has to open new [src,srcport,dst,dstport] tuples in response to requests negotiated down the control connection, and therefore it has to fully parse and understand the control messages. Adding support for NAT is only a small extra bit of work. Some would argue that all firewalls should be application layer gateways anyway. Do I want my clients talking HTTP directly, packet-by-packet, to untrusted servers on the Internet? Or should the firewall take a HTTP request, forward it, accept and validate the whole response, passing it in sanitised form back to the client? The former leaves the clients vulnerable to all sorts of attacks from malicious servers. The latter allows the firewall to validate data. As a side effect it can also give an audit log of activity at layer 7, which many companies require for compliance reasons anyway. Regards, Brian.
Re: OpenBSD 3.9 (i386) and mount_udf - big problem
udf_mountfs(): 0, 1 On 30/01/07, Pedro Martelletto [EMAIL PROTECTED] wrote: Andreas, On Tue, Jan 30, 2007 at 09:55:28AM +, Andreas Kahari wrote: The patch will make the machine not lock up, but it still doesn't mount the DVD disc. This time, I get no messages from the kernel in /var/log/messages, but I get the error message mount_udf: mount: Invalid argument in the console. Can you please try this diff, so that we know the exact point of failure? (It should apply over your already patched udf_vfsops.c.) Thanks, -p. --- udf_vfsops.c.orig Tue Jan 30 11:50:58 2007 +++ udf_vfsops.cTue Jan 30 11:51:52 2007 @@ -327,6 +327,7 @@ udf_mountfs(struct vnode *devvp, struct } if (!part_found || !logvol_found) { + printf(udf_mountfs(): %d, %d\n, part_found, logvol_found); error = EINVAL; goto bail; } -- Andreas Kahari Somewhere in the general Cambridge area, UK
Re: OpenBSD 3.9 (i386) and mount_udf - big problem
On Tue, Jan 30, 2007 at 11:46:31AM +, Andreas Kahari wrote: udf_mountfs(): 0, 1 Okay, I know how to fix this. The problem is, unless you volunteer to test a whole set of diffs, some of which will probably crash your box, I need access to the disc. Another problem is, I don't have any DVD drive. Or a CD drive for that matter. Is the data on the disc dd'able, in terms of length and content? -p.
httpd corrupted after make build?
Hello everybody,

I've built oBSD from source after my machine crashed (HW fault). I fetched the src again via anoncvs to prevent the system from being built from corrupt sources. Well, I did the usual 'cvs -q get -rOPENBSD_4_0 src' and started the build. After the build was finished I tried to start my httpd but it didn't want to work...

apachectl start
fopen: No such file or directory
httpd: could not open document config file /usr/local/apache/conf/http.conf
/usr/sbin/apachectl start: httpd could not be started

It's the first time I've noticed such an issue and it just happened after the rebuild. I did not change my (working) httpd.conf and it clearly sets the RootDirectory to /var/www. It seems that the directory patch got set during the compiling, which would mean that the sources from the anoncvs are probably modified.

I would just like to know if other users had the same experience.

Kind regards,
Sebastian
Re: SVND -k and -K ERRATUM
I looked at the source code. In /src/sys/dev/vnd.c, it has the lines:

	blf_ecb_encrypt(vnd->sc_keyctx, iv, sizeof(iv));
	if (encrypt)
		blf_cbc_encrypt(vnd->sc_keyctx, iv, addr, bsize);

This looks like it encrypts the key using the iv of all zeroes. True, it doesn't add any salt using -k, but it doesn't look like the user's key is the key that is actually used.

I am curious what happens if the user enters a key longer than 448 bits. If the user enters a 456 bit key, would the extra 8 bits just be dropped from the key?

I was playing around on my system, and it seems that you can enter around 248 or so of the 256 possible characters. Exceptions include CTRL+C, CTRL+D, and a few others.
Re: http load balancing with pf (apache access log)
Mon, 2007-01-29 at 09:54 -0700, Bob Beck wrote:
> I'm not using NAT, my load balancer looks like this:
>
> web2# more /etc/pf/webmail_servers
> (...)
> pf.conf:
>
> table <webmail_servers> persist file "/etc/pf/webmail_servers"
> WEBMAIL_IP = "{129.128.98.89}"
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 80 -> <webmail_servers> port 80 round-robin sticky-address
> rdr pass on $ext_if proto tcp to $WEBMAIL_IP port 443 -> <webmail_servers> port 443 round-robin sticky-address

By the way, what do you use/recommend in order to manage the webserver pool? 1 test/min (in cron for instance) is too large a value for many use cases, so what would be best in your opinion?

It's likely I'll need this for the near future and this thread basically cut my investigation time in over 90% ;)

Regards,
Rui

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
Re: http load balancing with pf (apache access log)
On 2007/01/30 13:06, Rui Miguel Silva Seabra wrote: By the way, what do you use/recommend in order to manage the webserver pool? hoststated.
Re: http load balancing with pf (apache access log)
On Tue, 30 Jan 2007 13:06:00 + Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote: By the way, what do you use/recommend in order to manage the webserver pool? 1 test/min (in cron for instance) is too large a value for many use cases, so what would be best in your opinion? It's likely I'll need this for the near future and this thread basically cut my investigation time in over 90% ;) Maybe hoststated can suit your needs. You will need to build it from source since it's not linked in right now. See http://spootnik.org/hoststated for more information
Re: Atheros WIFI card can scan, but can't connect.
Please CC to [EMAIL PROTECTED] too if it works in the future... I had to use FreeBSD on this wireless machine for the time being. 2007/1/31, Ido Admon [EMAIL PROTECTED]: Have already tried that... I try again just for the sake of hoping it works... Any other ideas? From your dmesg: ath0 at pci1 dev 8 function 0 Atheros AR5212 rev 0x01: apic 2 int 12 (irq 12) ath0: AR5213 7.9 phy 4.5 rf2112a 5.6, FCC2A*, address 00:0f:b5:4f:3f:42 See http://marc.theaimsgroup.com/?l=openbsd-miscm=114851461330633w=2 Or, to quote the essence of Reyk Floeter's answer in the above linked message: The rf2112 is an unsupported chipset... The diff he's proposed has been committed to -current since, as you can see for yourself, but it doesn't solve the problem (it just disables the RF radio not supported message and forces the rf chip to attach). I have the exact same issue with a D-Link DWL-G520. With the diff (I run 4.0 release) it attaches but fails to connect find any networks (and in AP mode other computers can't find any wireless networks). Is there hope of adding support for this chip in the future sometime? Thanks, Ido. (please CC, I'm not on the list) 2007/1/21, Saint Aardvark the Carpeted [EMAIL PROTECTED]: Sunnz writes: After boot up, log in, first thing I do is: # ifconfig ath0 nwid 624wn up; I think you may also have to specify the channel: ifconfig ath0 nwid 624wn chan 1 up That's what I have to do with my laptop, anyhow. HTH, Hugh -- Saint Aardvark the Carpeted [EMAIL PROTECTED] Because the plural of Anecdote is Myth. -- sunnz.net - sunnz.com - sunnz.org
Re: ACPI tests on a Jetway J7F2 board
Not to belabor this thread too much more, but if you peruse the openchrome-users mailing list for a bit, you will see that these boards are developing a reputation for hard lockups under linux, so it is not just me. The developing consensus over there is that the only way to prevent lockups is to disable all DMA in the BIOS.

I left the DMA enabled for the OpenBSD tests as an experiment. I was actually pleased to see that OpenBSD detected the problem and downgraded the DMA mode rather than descend into a frozen state.

-- Mark

On Mon, Jan 29, 2007 at 09:38:03AM -0600, Marco Peereboom wrote:
> Or missing interrupts...
>
> On Mon, Jan 29, 2007 at 04:29:52PM +0100, Dimitry Andric wrote:
>> Mark Zimmerman wrote:
>>> You will notice the sucky DMA of the Jetway board in all of them.
>> ...
>>> wd0a: aborted command, interface CRC error reading fsbn 671456 of 671456-0 (wd0 bn 5571281; cn 5527 tn 1 sn 2), retrying
>>> wd0: transfer error, downgrading to Ultra-DMA mode 4
>>> wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 4
>>> wd0a: aborted command, interface CRC error reading fsbn 671456 of 671456-0 (wd0 bn 5571281; cn 5527 tn 1 sn 2), retrying
>>> wd0: soft error (corrected)
>>> wd0: transfer error, downgrading to Ultra-DMA mode 3
>>> wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 3
>>> wd0a: aborted command, interface CRC error reading fsbn 671168 of 671168-0 (wd0 bn 5570993; cn 5526 tn 12 sn 29), retrying
>>> wd0: soft error (corrected)
>>
>> These sorts of errors are usually caused by bad cabling, connectors, or
>> dying drives. Try replacing the cables or drives, to see if it helps.
Re: http load balancing with pf (apache access log)
On Mon, Jan 29, 2007 at 05:36:12PM +0100, Marian Hettwer wrote:
> Pierre-Yves Ritschard wrote:
>> On Mon, 29 Jan 2007 17:20:50 +0100 Marian Hettwer [EMAIL PROTECTED] wrote:
>>> Which would mean, I send a SYN to my load balancer, which forwards the
>>> SYN to one of my webservers, and the webserver would send a SYN-ACK
>>> back to me. But my machine, obviously can't do anything with a SYN-ACK
>>> from an IP address it didn't even asked... The client would assume to
>>> get a SYN-ACK from the load balancer (which he asked...)
>>> understood?
>>
>> no you don't get it.
>
> I believe I do get it. But I missed an important information about my
> load balancing setup. See below.
>
>> you setup your webservers with the load balancer as default gateway
>> then use rdr as I described in my previous mail. hence all the traffic
>> goes through the load-balancer and real client ips are preserved.
>
> Ah... there we go. I can't setup the webservers with their default
> gateway to my load balancer. The boxes are dedicated servers and I have
> no possibility to change the network settings. These are rented servers
> (dedicated boxes) at some cheap ISP and all they have is an official IP
> address. Changing the default gateway isn't possible... Sorry 'bout that.

I'm fairly sure that sufficient abuse of pf can get the webservers to send all replies to traffic to port 80/443 to your loadbalancer. Of course, that's pf, and your webservers are Linux. But I would be surprised if something similar couldn't be arranged.

Joachim
Re: httpd corrupted after make build?
On Tue, Jan 30, 2007 at 01:37:49PM +0100, Sebastian Rother wrote:
> Hello everybody,
>
> I've built oBSD from source after my machine crashed (HW fault). I
> fetched the src again via anoncvs to prevent the system from being
> built from corrupt sources. Well, I did the usual
> 'cvs -q get -rOPENBSD_4_0 src' and started the build. After the build
> was finished I tried to start my httpd but it didn't want to work...
>
> apachectl start
> fopen: No such file or directory
> httpd: could not open document config file /usr/local/apache/conf/http.conf
> /usr/sbin/apachectl start: httpd could not be started
>
> It's the first time I've noticed such an issue and it just happened
> after the rebuild. I did not change my (working) httpd.conf and it
> clearly sets the RootDirectory to /var/www. It seems that the directory
> patch got set during the compiling, which would mean that the sources
> from the anoncvs are probably modified.
>
> I would just like to know if other users had the same experience.

If that's stock httpd, then yes, there is something very wrong. /usr/local/apache?

Joachim
Re: OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494
Stephan A. Rickauer wrote: CVE-2007-0493: If recursion is enabled, a remote attacker can dereference a freed fetch context causing the daemon to abort / crash. CVE-2007-0494: By sending specific DNS query responses with multiple RRSETS attackers could cause BIND to exit abnormally. Is this of relevance also for OpenBSD's bind? I guess not, but maybe some insider could shed some photons on it. This was fixed on 2007-01-25: http://marc.theaimsgroup.com/?l=openbsd-cvsm=116970956517411w=2
Re: http load balancing with pf (apache access log)
Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote:
> On Tue, 30 Jan 2007 13:06:00 + Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
>> By the way, what do you use/recommend in order to manage the webserver
>> pool? 1 test/min (in cron for instance) is too large a value for many
>> use cases, so what would be best in your opinion?
>>
>> It's likely I'll need this for the near future and this thread
>> basically cut my investigation time in over 90% ;)
>
> Maybe hoststated can suit your needs. You will need to build it from
> source since it's not linked in right now. See
> http://spootnik.org/hoststated for more information

Promising, it does say that it's now part of the OpenBSD system, but since when? CURRENT? I can't seem to find it in the 4.0 CD's...

Rui

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
Re: OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494
2007/1/30, Dimitry Andric [EMAIL PROTECTED]: This was fixed on 2007-01-25: In stable? Best Martin
Mounting FreeBSD partitions on OpenBSD
I'm trying to mount my FreeBSD partitions in OpenBSD. OpenBSD has no problem finding, reading and writing to the root partition for FreeBSD but doesn't see the other partitions (/home, /usr, /var). I know I have to manually edit the disklabel to add those partitions. My problem is that the disklabel editor doesn't want to change or edit a partition that isn't on the OpenBSD slice.

Is there any way to edit the disklabel using disklabel without resorting to an editor like vi since I don't feel entirely comfortable manually computing and changing the table, or if that is my only option, what are the required entries to the table I need to provide?

thanks,
roger

Here is the disklabel from FreeBSD:

# /dev/ad0s2:
8 partitions:
#size offsetfstype [fsize bsize bps/cpg]
a: 102400004.2BSD0 0 0
b: 4096000 1024000 swap
c: 393592500unused0 0 # raw part, don't edit
d: 1024000 5124.2BSD0 0 0
e: 1024000 61440004.2BSD0 0 0
f: 1024 71680004.2BSD0 0 0
g: 21951250 174080004.2BSD0 0 0

And here is the disklabel from OpenBSD: j is the partition I want to add

# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: HTS541060G9AT00
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 117210240
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#          size     offset  fstype [fsize bsize  cpg]
  a:    1023435   78734565  4.2BSD   2048 16384  328 # Cyl 78109*- 79124
  b:    4095504   79758000    swap                   # Cyl 79125 - 83187
  c:  117210240          0  unused      0     0      # Cyl     0 -116279
  d:    1024128   83853504  4.2BSD   2048 16384  328 # Cyl 83188 - 84203
  e:    1024128   84877632  4.2BSD   2048 16384  328 # Cyl 84204 - 85219
  f:   10240272   85901760  4.2BSD   2048 16384  328 # Cyl 85220 - 95378
  g:   21068208   96142032  4.2BSD   2048 16384  328 # Cyl 95379 -116279
  i:   39375252         63   MSDOS                   # Cyl     0*- 39062*
  j:   39359250   39375315 unknown                   # Cyl 39062*- 78109*
Re: http load balancing with pf (apache access log)
On Tue, 30 Jan 2007 15:20:42 + Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
> Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote:
>> On Tue, 30 Jan 2007 13:06:00 + Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
>>> By the way, what do you use/recommend in order to manage the
>>> webserver pool? 1 test/min (in cron for instance) is too large a
>>> value for many use cases, so what would be best in your opinion?
>>>
>>> It's likely I'll need this for the near future and this thread
>>> basically cut my investigation time in over 90% ;)
>>
>> Maybe hoststated can suit your needs. You will need to build it from
>> source since it's not linked in right now. See
>> http://spootnik.org/hoststated for more information
>
> Promising, it does say that it's now part of the OpenBSD system, but
> since when? CURRENT? I can't seem to find it in the 4.0 CD's...
>
> Rui

Pending the link of hoststated in the builds you can follow the instructions I just put up on http://spootnik.org/hoststated#install .
Re: SDL game crashing
On 1/28/07, Michael [EMAIL PROTECTED] wrote: Hi, I compiled and installed version 0.2.8.2.1 of the armagetronad game client (with default configure). (http://www.armagetronad.net/) When I play it on OpenBSD 4.0 it just works, but the game crashes every single time with 4.0-current when I die. I tried this on different boxes and it is the all the same. (Vmware server with 4.0 works too.) Currently I am out of ideas, maybe someone else can point out some changes since 4.0-release that could lead to this strange behavior? Any help is really appreciated. - Michael Have you tried building it with debug symbols (-g) and then running it through gdb? -- Best Regards Edd
Re: SDL game crashing
Hi,

Edd Barrett wrote:
> Have you tried building it with debug symbols (-g) and then running it
> through gdb?

Thanks for your answer but the problem was already officially solved by reverting to an older version of usr/libexec/loader.c

The previous changes that were made to usr/libexec/loader.c caused a program to dump core when GLU was linked and using exceptions in cpp.

- Michael
ftp docs directory
I'm guessing there's a simple answer to this, but what happened to the docs directory on the FTP server that holds the single page versions of the FAQ and PF guide -- the links from the online FAQ page aren't working? Marti -- Systems Programmer, Senior Electrical Computer Engineering The University of Arizona [EMAIL PROTECTED] (520) 465-6257
Re: ftp docs directory
And to answer my own question, its back five minutes later. On 1/30/07, Marti Martinez [EMAIL PROTECTED] wrote: I'm guessing there's a simple answer to this, but what happened to the docs directory on the FTP server that holds the single page versions of the FAQ and PF guide -- the links from the online FAQ page aren't working? Marti -- Systems Programmer, Senior Electrical Computer Engineering The University of Arizona [EMAIL PROTECTED] (520) 465-6257 -- Systems Programmer, Senior Electrical Computer Engineering The University of Arizona [EMAIL PROTECTED] (520) 465-6257
Re: OpenBSD's bind: CVE-2007-0493 and CVE-2007-0494
* Martin Schröder [EMAIL PROTECTED] [2007-01-30 16:19:04]:
> 2007/1/30, Dimitry Andric [EMAIL PROTECTED]:
>> This was fixed on 2007-01-25:
>
> In stable?
>
> Best
> Martin

No. Release and stable are using 9.3.2-P1.

Things of interest include named -v and /usr/src/usr.sbin/bind/version.

-- 
Travers Buda
Re: Atheros WIFI card can scan, but can't connect.
Have already tried that... I try again just for the sake of hoping it works... Any other ideas? From your dmesg: ath0 at pci1 dev 8 function 0 Atheros AR5212 rev 0x01: apic 2 int 12 (irq 12) ath0: AR5213 7.9 phy 4.5 rf2112a 5.6, FCC2A*, address 00:0f:b5:4f:3f:42 See http://marc.theaimsgroup.com/?l=openbsd-misc&m=114851461330633&w=2 Or, to quote the essence of Reyk Floeter's answer in the above linked message: The rf2112 is an unsupported chipset... The diff he's proposed has been committed to -current since, as you can see for yourself, but it doesn't solve the problem (it just disables the RF radio not supported message and forces the rf chip to attach). I have the exact same issue with a D-Link DWL-G520. With the diff (I run 4.0 release) it attaches but fails to connect find any networks (and in AP mode other computers can't find any wireless networks). Is there hope of adding support for this chip in the future sometime? Thanks, Ido. (please CC, I'm not on the list) 2007/1/21, Saint Aardvark the Carpeted [EMAIL PROTECTED]: Sunnz writes: After boot up, log in, first thing I do is: # ifconfig ath0 nwid 624wn up; I think you may also have to specify the channel: ifconfig ath0 nwid 624wn chan 1 up That's what I have to do with my laptop, anyhow. HTH, Hugh -- Saint Aardvark the Carpeted [EMAIL PROTECTED] Because the plural of Anecdote is Myth.
Re: http load balancing with pf (apache access log)
On Tue, 2007-01-30 at 16:44 +0100, Pierre-Yves Ritschard wrote: On Tue, 30 Jan 2007 15:20:42 + Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote: Promising, it does say that it's now part of the OpenBSD system, but since when? CURRENT? I can't seem to find it in the 4.0 CD's... Pending the link of hoststated in the builds you can follow the instructions I just put up on http://spootnik.org/hoststated#install . Yeah, thought so, well, one more item to the compile VM :) Thanks! -- + No matter how much you do, you never do enough -- unknown + Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi + So let's do it...?
Re: Atheros WIFI card can scan, but can't connect.
* Ido Admon [EMAIL PROTECTED] [2007-01-30 15:24:48]: Have already tried that... I try again just for the sake of hoping it works... Any other ideas? From your dmesg: ath0 at pci1 dev 8 function 0 Atheros AR5212 rev 0x01: apic 2 int 12 (irq 12) ath0: AR5213 7.9 phy 4.5 rf2112a 5.6, FCC2A*, address 00:0f:b5:4f:3f:42 See http://marc.theaimsgroup.com/?l=openbsd-misc&m=114851461330633&w=2 Or, to quote the essence of Reyk Floeter's answer in the above linked message: The rf2112 is an unsupported chipset... The diff he's proposed has been committed to -current since, as you can see for yourself, but it doesn't solve the problem (it just disables the RF radio not supported message and forces the rf chip to attach). I have the exact same issue with a D-Link DWL-G520. With the diff (I run 4.0 release) it attaches but fails to connect find any networks (and in AP mode other computers can't find any wireless networks). Is there hope of adding support for this chip in the future sometime? Thanks, Ido. (please CC, I'm not on the list) Also see http://marc.theaimsgroup.com/?l=openbsd-tech&m=115869124319973&w=2 It looks like there has not been much churn on this lately aside from getting the driver to attach to these new radios. -- Travers Buda
Problem routing 10.x.x.x networks through a firewall
Hello, I am having a problem routing IP traffic on my network. my firewall has three interfaces.

       |
 +-----+------+
 | P2P - t1   |
 | router     |
 | 10.1.2.1   |
 +-----+------+
       |
 +-----+------+
 | 10.1.2.2   |
 | router     |
 | 10.1.3.1   |
 +-----+------+
       |
 +-----+------+      +------------+
 | 10.1.3.2   |      | DMZ host   |
 | firewall   +------+ 10.1.15.10 |
 | 10.1.1.1   |      +------------+
 +-----+------+
       |
 +-----+-------+
 | 10.1.11.100 |
 +-------------+

I have net.ip.forwarding=1 and my pf.conf is completely empty right now. From the 10.1.1.100 client, I can't ping the internet from 10.1.11.100, but I can from my firewall. Is there anything special I have to do to route private networks? Here's the ipv4 info from netstat.

Routing tables

Internet:
Destination  Gateway            Flags  Refs  Use   Mtu    Interface
default      10.1.3.1           UGS    0     3     -      em0
10.1.3/24    link#1             UC     1     0     -      em0
10.1.3.1     00:b0:a2:89:13:45  UHLc   1     1469  -      em0
10.1.11/24   link#3             UC     0     0     -      em2
10.1.15/24   link#2             UC     0     0     -      em1
127/8        127.0.0.1          UGRS   0     0     33192  lo0
127.0.0.1    127.0.0.1          UH     1     0     33192  lo0
224/4        127.0.0.1          URS    0     0     33192  lo0

Any help would be greatly appreciated. Thanks! John
Re: Problem routing 10.x.x.x networks through a firewall
2007/1/30, John Brahy [EMAIL PROTECTED]: I have net.ip.forwarding=1 and my pf.conf is completely empty right now. From the 10.1.1.100 client, I can't ping the internet from 10.1.11.100, but I can from my firewall. Is there anything special I have to do to route private networks? Here's the ipv4 info from netstat. Does your(s) router(s) know the route to reach 10.1.1.0/24 ? On your router(s) you must have something like route add -net 10.1.1.0/24 10.1.3.2 -- Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/
dmesg and fdisk do not match about usb external disk
hi there, please compare the following for my external usb disk:

amaaq sudo fdisk sd0
Disk: sd0  geometry: 60801/255/63 [976768065 Sectors]
Offset: 0  Signature: 0xAA55
          Starting        Ending       LBA Info:
 #: id     C   H  S -      C   H  S [       start:        size ]
 0: 07     0   1  1 -  16317 254 63 [          63:   262148607 ] HPFS/QNX/AUX
 1: 0C 16318   0  1 -  32635 254 63 [   262148670:   262148670 ] Win95 FAT32L
 2: 83 32636   0  1 -  60800 254 63 [   524297340:   452470725 ] Linux files*
 3: 00     0   0  0 -      0   0  0 [           0:           0 ] unused

and the dmesg when plugged in:

umass0 at uhub3 port 4 configuration 1 interface 0
umass0: Western Digital External HDD, rev 2.00/0.00, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0: WD, 5000AAJS Externa, 101a SCSI2 0/direct fixed
sd0: 476940MB, 476940 cyl, 64 head, 32 sec, 512 bytes/sec, 976773168 sec total

the cylinders, heads, sectors and the number of total sectors do not match. what does this mean? -- dinner: dead animals and some stuff out of the ground.
Re: Problem routing 10.x.x.x networks through a firewall
John Brahy wrote: Hello, I am having a problem routing IP traffic on my network. my firewall has three interfaces. | +-+--+ | P2P - t1 | | router | | 10.1.2.1 | +-+--+ | +-+--+ | 10.1.2.2 | | router | | 10.1.3.1 | +-+--+ | +-+--+ +---+ | 10.1.3.2 | | DMZ host | | firewall +-+ 10.1.15.10 | | 10.1.1.1 | +---+ +-+--+ | +-+--+ | 10.1.11.100 | ++ I have net.ip.forwarding=1 and my pf.conf is completely empty right now. From the 10.1.1.100 client, I can't ping the internet from 10.1.11.100, but I can from my firewall. Is there anything special I have to do to route private networks? Here's the ipv4 info from netstat. Routing tables Internet: DestinationGatewayFlagsRefs UseMtu Interface default10.1.3.1 UGS 03 - em0 10.1.3/24 link#1 UC 10 - em0 10.1.3.1 00:b0:a2:89:13:45 UHLc1 1469 - em0 10.1.11/24 link#3 UC 00 - em2 10.1.15/24 link#2 UC 00 - em1 127/8 127.0.0.1 UGRS00 33192 lo0 127.0.0.1 127.0.0.1 UH 10 33192 lo0 224/4 127.0.0.1 URS 00 33192 lo0 Any help would be greatly appreciated. Thanks! John You have a network behind a network. The router that is connected to the internet only knows about the networks that it is directly attached to. You would need to tell the external router about the innermost network through a static route.
Re: Problem routing 10.x.x.x networks through a firewall
On 1/30/07, Will H. Backman [EMAIL PROTECTED] wrote: John Brahy wrote: Hello, I am having a problem routing IP traffic on my network. my firewall has three interfaces. | +-+--+ | P2P - t1 | | router | | 10.1.2.1 | +-+--+ | +-+--+ | 10.1.2.2 | | router | | 10.1.3.1 | +-+--+ | +-+--+ +---+ | 10.1.3.2 | | DMZ host | | firewall +-+ 10.1.15.10 | | 10.1.11.1 | +---+ +-+--+ | +-+--+ | 10.1.11.100 | ++ I have net.ip.forwarding=1 and my pf.conf is completely empty right now. From the 10.1.1.100 client, I can't ping the internet from 10.1.11.100, but I can from my firewall. Is there anything special I have to do to route private networks? Here's the ipv4 info from netstat. Routing tables Internet: DestinationGatewayFlagsRefs UseMtu Interface default10.1.3.1 UGS 03 - em0 10.1.3/24 link#1 UC 10 - em0 10.1.3.1 00:b0:a2:89:13:45 UHLc1 1469 - em0 10.1.11/24 link#3 UC 00 - em2 10.1.15/24 link#2 UC 00 - em1 127/8 127.0.0.1 UGRS00 33192 lo0 127.0.0.1 127.0.0.1 UH 10 33192 lo0 224/4 127.0.0.1 URS 00 33192 lo0 Any help would be greatly appreciated. Thanks! John You have a network behind a network. The router that is connected to the internet only knows about the networks that it is directly attached to. You would need to tell the external router about the innermost network through a static route. From 10.1.11.100 I am not able to ping 10.1.3.1.
Re: Problem routing 10.x.x.x networks through a firewall
On 1/30/07, John Brahy [EMAIL PROTECTED] wrote: On 1/30/07, Will H. Backman [EMAIL PROTECTED] wrote: John Brahy wrote: Hello, I am having a problem routing IP traffic on my network. my firewall has three interfaces. | +-+--+ | P2P - t1 | | router | | 10.1.2.1 | +-+--+ | +-+--+ | 10.1.2.2 | | router | | 10.1.3.1 | +-+--+ | +-+--+ +---+ | 10.1.3.2 | | DMZ host | | firewall +-+ 10.1.15.10 | | 10.1.11.1 | +---+ +-+--+ | +-+--+ | 10.1.11.100 | ++ I have net.ip.forwarding=1 and my pf.conf is completely empty right now. From the 10.1.1.100 client, I can't ping the internet from 10.1.11.100, but I can from my firewall. Is there anything special I have to do to route private networks? Here's the ipv4 info from netstat. Routing tables Internet: DestinationGatewayFlagsRefs UseMtu Interface default10.1.3.1 UGS 03 - em0 10.1.3/24 link#1 UC 10 - em0 10.1.3.1 00:b0:a2:89:13:45 UHLc1 1469 - em0 10.1.11/24 link#3 UC 00 - em2 10.1.15/24 link#2 UC 00 - em1 127/8 127.0.0.1 UGRS00 33192 lo0 127.0.0.1 127.0.0.1 UH 10 33192 lo0 224/4 127.0.0.1 URS 00 33192 lo0 Any help would be greatly appreciated. Thanks! John You have a network behind a network. The router that is connected to the internet only knows about the networks that it is directly attached to. You would need to tell the external router about the innermost network through a static route. From 10.1.11.100 I am not able to ping 10.1.3.1. ok, thank you very much. I put static routes into my router and now it's dialed in. thanks!
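The fix this thread arrives at (a static route on the upstream router pointing back at the inner network), as an added example that is not part of the original messages: a small longest-prefix-match simulation of the posted topology. The firewall's table follows the netstat output above; the node names, the router's and client's tables and the 10.1.11.1 inside address are assumptions made for the illustration.

```python
import ipaddress


class Node:
    """A host or router with its own addresses and a routing table."""

    def __init__(self, name, addresses):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = []  # (network, gateway); gateway None = directly connected

    def add_route(self, prefix, gateway=None):
        gw = ipaddress.ip_address(gateway) if gateway else None
        self.routes.append((ipaddress.ip_network(prefix), gw))

    def lookup(self, dst):
        """Longest-prefix match over this node's table."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology():
    """Constructed model of the thread's network (hypothetical node names)."""
    client = Node("client", ["10.1.11.100"])
    client.add_route("10.1.11.0/24")
    client.add_route("0.0.0.0/0", "10.1.11.1")      # assumed default gateway

    firewall = Node("firewall", ["10.1.3.2", "10.1.11.1"])
    firewall.add_route("10.1.3.0/24")               # em0, from netstat
    firewall.add_route("10.1.15.0/24")              # em1, from netstat
    firewall.add_route("10.1.11.0/24")              # em2, from netstat
    firewall.add_route("0.0.0.0/0", "10.1.3.1")     # default, from netstat

    router = Node("router", ["10.1.2.2", "10.1.3.1"])
    router.add_route("10.1.2.0/24")                 # assumed: connected nets only
    router.add_route("10.1.3.0/24")
    router.add_route("0.0.0.0/0", "10.1.2.1")       # assumed default towards the T1

    return {n.name: n for n in (client, firewall, router)}


def forward_path(nodes, start, dst, max_hops=8):
    """Follow a packet hop by hop; return (hops, status)."""
    owner = {a: n for n in nodes.values() for a in n.addresses}
    dst = ipaddress.ip_address(dst)
    node, hops = nodes[start], [start]
    for _ in range(max_hops):
        if dst in node.addresses:
            return hops, "delivered"
        route = node.lookup(dst)
        if route is None:
            return hops, "no route"
        next_hop = route[1] if route[1] is not None else dst
        if next_hop not in owner:
            # Next hop is outside the modelled boxes (e.g. the T1 router).
            return hops + [str(next_hop)], "forwarded out of model"
        node = owner[next_hop]
        hops.append(node.name)
    return hops, "loop"


def ping(nodes, src_name, src_addr, dst_addr):
    """A ping succeeds only if the request AND the reply are both delivered."""
    out_hops, out_status = forward_path(nodes, src_name, dst_addr)
    if out_status != "delivered":
        return False, out_hops, []
    back_hops, back_status = forward_path(nodes, out_hops[-1], src_addr)
    return back_status == "delivered", out_hops, back_hops


if __name__ == "__main__":
    nodes = build_topology()
    print("before:", ping(nodes, "client", "10.1.11.100", "10.1.3.1"))
    # The static route the replies call for, on the router behind the firewall.
    nodes["router"].add_route("10.1.11.0/24", "10.1.3.2")
    print("after: ", ping(nodes, "client", "10.1.11.100", "10.1.3.1"))
```

The request reaches 10.1.3.1 in both runs; only the reply path changes, which is why forwarding on the firewall alone was not enough.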
msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type
Hello misc, Two identically configured SUN V210, each equipped with a SK-9S91 PCI NIC (single port, single mode fiber 1 Gbit/s), run -current snapshot dated 20 Jan 07 The kernel detects those fiber NICs, besides the four on-board bge, see dmesg below. After boot, the msk0 come up in autoselect media type, but the two fiber NICs' link status remains at no carrier, despite having connected the two NIC with a cross-over fiber patch cable and forcing them up. Forcing the media type 1000baseSX according to msk(4) fails: # ifconfig msk0 media 1000baseSX ifconfig: SIOCSIFMEDIA: Invalid argument # Indeed, this option is missing in the list of media types and options supported by the card: # ifconfig -m msk0 msk0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5a:72:fc:58 media: Ethernet autoselect (100baseTX half-duplex) status: no carrier supported media: media none media 10baseT media 10baseT mediaopt full-duplex media 100baseTX media 100baseTX mediaopt full-duplex media 1000baseT media 1000baseT mediaopt full-duplex media autoselect inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5 inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255 # Maybe I am mistaken by assuming that 1000baseSX should be accepted by msk() for these NICs? After taking a look at the msk() and eephy() driver sources, I still can not figure out if I have a misconception about the use of msk(), or the fiber NICs features, or even if there is a problem with the driver(s) and Gig fiber support. Both fiber NICs are new out-of-the-box. To exclue any hardware problem, I might test them under Solaris 8, According to prior experience, I know that they should work after installing a suitable driver. I can patch and re-test, if this should be of interest. Thanks for any hints and suggestions, Rolf # dmesg console is /[EMAIL PROTECTED],60/[EMAIL PROTECTED]/[EMAIL PROTECTED],3f8 Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. 
All rights reserved. Copyright (c) 1995-2007 OpenBSD. All rights reserved. http://www.OpenBSD.org OpenBSD 4.0-current (GENERIC) #1049: Fri Jan 19 18:36:23 MST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC total memory = 1073741824 avail memory = 969416704 using 6553 buffers containing 53682176 bytes of memory bootpath: /[EMAIL PROTECTED],60/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0 mainbus0 (root): Sun Fire V210 cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1336 MHz, version 0 FPU cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64 b/l) memory-controller at mainbus0 not configured schizo0 at mainbus0: Tomatillo, version 4, ign 7c0, bus B 0 to 0 schizo0: dvma map c000-dfff, iotdb 4d16000-4d96000 pci0 at schizo0 bge0 at pci0 dev 2 function 0 Broadcom BCM5704C rev 0x00, BCM5704 B0 (0x2100): ivec 0x7c8, address 00:14:4f:64:0c:52 brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge1 at pci0 dev 2 function 1 Broadcom BCM5704C rev 0x00, BCM5704 B0 (0x2100): ivec 0x7c9, address 00:14:4f:64:0c:53 brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 
0 schizo1 at mainbus0: Tomatillo, version 4, ign 780, bus A 0 to 0 schizo1: dvma map c000-dfff, iotdb 547e000-54fe000 pci1 at schizo1 ebus0 at pci1 dev 7 function 0 Acer Labs M1533 ISA rev 0x00 flashprom at ebus0 addr 0-f, 290-290 not configured rtc0 at ebus0 addr 70-71: m5819p pcfiic0 at ebus0 addr 320-321 ipl 46 iic0 at pcfiic0 SUNW,i2c-imax at iic0 addr 0xb not configured SUNW,i2c-imax at iic0 addr 0xc not configured at24c64 at iic0 addr 0x51 not configured at24c64 at iic0 addr 0x54 not configured at24c64 at iic0 addr 0x58 not configured at34c02 at iic0 addr 0x5b not configured at34c02 at iic0 addr 0x5c not configured at34c02 at iic0 addr 0x5d not configured at34c02 at iic0 addr 0x5e not configured ds1307 at iic0 addr 0x68 not configured at24c64 at iic0 addr 0x28 not configured pca9555 at iic0 addr 0x22 not configured pca9555 at iic0 addr 0x23 not configured pca9555 at iic0 addr 0x34 not configured pca9556 at iic0 addr 0x38 not configured power0 at ebus0 addr 800-82f ipl 32: can't map register space com0 at ebus0 addr 3f8-3ff ipl 44: ns16550a, 16 byte fifo com0: console com1 at ebus0 addr 2e8-2ef ipl 44: ns16550a, 16 byte fifo rmc-comm at ebus0 addr 3e8-3ef ipl 44 not configured Acer Labs M7101 Power rev 0x00 at pci1 dev 6 function 0 not configured ohci0 at pci1 dev 10 function 0 Acer Labs M5237 USB rev 0x03: ivec 0x7a7, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered pciide0 at pci1 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc4: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide0:
Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type
Hi, # ifconfig -m msk0 msk0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5a:72:fc:58 media: Ethernet autoselect (100baseTX half-duplex) status: no carrier supported media: media none media 10baseT media 10baseT mediaopt full-duplex media 100baseTX media 100baseTX mediaopt full-duplex media 1000baseT media 1000baseT mediaopt full-duplex media autoselect inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5 inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255 # Maybe I am mistaken by assuming that 1000baseSX should be accepted by msk() for these NICs? try media 1000baseT mediaopt full-duplex , 1G fiberlinks should be always fullduplex, rest is not relevant since it's purely a hardware- question. wonder how the thing got its head on 100BaseTX... apart from that it's a good idea to test them with something else, to make sure the fibers are crossed and signal-levels are okay. with single-mode fiber and short cables sometimes you need to insert a dampening-block since the signal can be too strong for the receiver, don't think it's the case here though. -sm
some basic questions
obsd 4.0 i386 without X on an ibm thinkpad t30
a. How to map Alt to Meta? In ksh, Alt really works as meta, but in emacs it doesn't (esc as meta).
b. When compile emacs22, it encounters an error, what say: ... don't know how to make faces.elc\n Error code 2
c. adduser within group wheel, but cannot 'sudo', what's the problem?
d. Do I have to install gmake to make mplayer?
e. My hard disk has ten thousand more cylinders, but when install, the maximum allowed is 1024, why?
some basic problems
obsd 4.0 i386 without X on an ibm thinkpad t30
a. How to map alt to meta? It's already fine in ksh, but not in emacs.
b. My hard disk really has more than 10 thousand cylinders, but fdisk allows 1024 at most...
c. emacs22 compiling encounter an error which says don't know how to make faces.elc
d. adduser in grp `wheel', but can't sudo, why?
e. To compile mplayer, do I have to get a gmake, can make work?
Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type
On 1/30/07, Siegbert Marschall [EMAIL PROTECTED] wrote: try media 1000baseT mediaopt full-duplex , 1G fiberlinks should be always fullduplex, rest ist not relevant since it's purely a hardware- question. wonder how the thing got it's head on 100BaseTX... apart from that it's a good idea to test them with something else, to make sure the fibers are crossed and signal-levels are okay. with single-mode fiber and short cables sometimes you need to insert a dampening-block since the signal can be too strong for the receiver, don't think it's the case here though. Thanks for your quick reply. Unfortunately, this does not activate the link either: # ifconfig msk0 media 1000baseT mediaopt full-duplex # ifconfig -m msk0 msk0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5a:72:fc:58 media: Ethernet 1000baseT full-duplex (none) status: no carrier supported media: media none media 10baseT media 10baseT mediaopt full-duplex media 100baseTX media 100baseTX mediaopt full-duplex media 1000baseT media 1000baseT mediaopt full-duplex media autoselect inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5 inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255 # Three months ago I used the exact same fiber patch cable with two other SK-9S91 under Solaris 8 in some other V210 or V240, and the fiber link worked fine back then. Thus, the fiber should be OK (crossover, attenuation, etc.). But will cross-check that by installing Solaris again. Further, I noticed ifmedia(4) differentiates between 1000baseT, SX and LX. From this I actually realize that I should be able to set 1000baseLX for single mode fiber, not SX which is for multi mode fiber. Or, are you saying that the Marvell PHY 88112 does not really care about if T, SX or LX is set, because for the optical GBIC electrically all is the same? Rolf
Re: some basic problems
On Wed, Jan 31, 2007 at 05:52:51AM +0800, ronald jiang wrote: obsd 4.0 i386 without X on an ibm thinkpad t30
a. How to map alt to meta? It's already fine in ksh, but not in emacs.
b. My hard disk really has more than 10 thousand cylinders, but fdisk allows 1024 at most...
c. emacs22 compiling encounter an error which says don't know how to make faces.elc
d. adduser in grp `wheel', but can't sudo, why?
e. To compile mplayer, do I have to get a gmake, can make work?

a. http://www.gnu.org/software/emacs/#Manuals
b. http://www.gnu.org/software/emacs/#Manuals
c. edit /etc/sudoers after reading man sudoers(5)
d. yes, see http://www.mplayerhq.hu/DOCS/HTML/en/softreq.html for other requirements
e. just use 1024 until you haven't working emacs
-- I do not fear computers. I fear the lack of them. (c)
Re: Mounting FreeBSD partitions on OpenBSD
On 1/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I'm trying to mount my FreeBSD partitions in OpenBSD. OpenBSD has no problem finding, reading and writing to the root partition for FreeBSD but doesn't see the other partitions (/home, /usr, /var). I know I have to manually edit the disklabel to add those partitions. My problem is that the disklabel editor doesn't want to change or edit a partition that isn't on the OpenBSD slice. Is there any way to edit the disklabel using disklabel without resorting to an editor like vi since I don't feel entirely comfortable manually computing and changing the table, or if that is my only option, what are the required entries to the table I need to provide? use 'b' to set the disk boundary.
Re: SVND -k and -K ERRATUM
On 1/30/07, Don Smith [EMAIL PROTECTED] wrote: I looked at the source code. In /src/sys/dev/vnd.c, it has the lines:

    blf_ecb_encrypt(vnd->sc_keyctx, iv, sizeof(iv));
    if (encrypt)
        blf_cbc_encrypt(vnd->sc_keyctx, iv, addr, bsize);

This looks like it encrypts the key using the iv of all zeroes. True, it doesn't add any salt using -k, the iv is the block number. but it doesn't look like the user's key is the key that is actually used. I am curious what happens if it is turned into a key suitable for blowfish to use. the user enters a key longer than 448 bits. If the user enters a 456 bit key, would the extra 8 bits just be dropped from the key? the extra is ignored.
Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type
* Rolf Sommerhalder [EMAIL PROTECTED] [2007-01-30 21:48]: Two identically configured SUN V210, each equipped with a SK-9S91 PCI NIC (single port, single mode fiber 1 Gbit/s), run -current snapshot dated 20 Jan 07 The kernel detects those fiber NICs, besides the four on-board bge, see dmesg below. After boot, the msk0 come up in autoselect media type, but the two fiber NICs' link status remains at no carrier, despite having connected the two NIC with a cross-over fiber patch cable and forcing them up. Forcing the media type 1000baseSX according to msk(4) fails: # ifconfig msk0 media 1000baseSX ifconfig: SIOCSIFMEDIA: Invalid argument # Indeed, this option is missing in the list of media types and options supported by the card: # ifconfig -m msk0 msk0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladdr 00:00:5a:72:fc:58 media: Ethernet autoselect (100baseTX half-duplex) status: no carrier supported media: media none media 10baseT media 10baseT mediaopt full-duplex media 100baseTX media 100baseTX mediaopt full-duplex media 1000baseT media 1000baseT mediaopt full-duplex media autoselect inet6 fe80::200:5aff:fe72:fc58%msk0 prefixlen 64 scopeid 0x5 inet 10.10.0.218 netmask 0xff00 broadcast 10.10.0.255 # Maybe I am mistaken by assuming that 1000baseSX should be accepted by msk() for these NICs? looks like the driver/phy driver lacks fibre support for the moment (or it's buggy. I dunno and am to lazy to check right now) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type
Hi Rolf, Most likely something is not quite right with the eephy(4) driver. The 88E1112 PHY apparently supports both copper and fiber, and I think it should automatically switch over to fiber, but apparently it doesn't. Could you test some diffs for me on that machine? Mark
Re: dmesg and fdisk do not match about usb external disk
frantisek holop wrote: hi there, please compare the following for my external usb disk: amaaq sudo fdisk sd0 Disk: sd0 geometry: 60801/255/63 [976768065 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: idC H S -C H S [ start: size ] 0: 070 1 1 - 16317 254 63 [ 63: 262148607 ] HPFS/QNX/AUX 1: 0C 16318 0 1 - 32635 254 63 [ 262148670: 262148670 ] Win95 FAT32L 2: 83 32636 0 1 - 60800 254 63 [ 524297340: 452470725 ] Linux files* 3: 000 0 0 -0 0 0 [ 0: 0 ] unused and the dmesg when plugged in: umass0 at uhub3 port 4 configuration 1 interface 0 umass0: Western Digital External HDD, rev 2.00/0.00, addr 2 umass0: using SCSI over Bulk-Only scsibus1 at umass0: 2 targets sd0 at scsibus1 targ 1 lun 0: WD, 5000AAJS Externa, 101a SCSI2 0/direct fixed sd0: 476940MB, 476940 cyl, 64 head, 32 sec, 512 bytes/sec, 976773168 sec total the cylinders, heads, sectors and the number of total sectors do not match. what does this mean? It means translation is stupid, but we keep doing it. :) 60801 x 255 x 63 = 976768065 476940 x 64 x 32 = 976773120 which is actually 48 sectors shy of what the dmesg reports. fdisk (and the partition system it supports) is basically cylinder oriented, so we keep talking about cylinders, even though not only has it all been completely bogus for the last many years, but a lot of devices now aren't even rotating... But by nature and the way they are handled, you can't have fractional cylinders. In reality, you have the number of sectors reported by dmesg, but you can use the number reported by fdisk. So, there are 5103 sectors you can't use, and at half K each, that's about 2.5M of lost space on your 488,386,584k drive. Ouch. :) Now, before you accuse me of wasting space without caring, I do wish to point out that the first computer I worked with with disk storage had 90K floppy disks and 64K RAM. 
I was thrilled to upgrade to a 640k floppy disk system on the first big machine I owned, and when I later installed hard disks on it, they were only twice as big as the amount we are wasting here (5M). In my basement is a PDP-11/23 that can supposedly (just barely) run an early Unix on its 14 5M drives. So yes, it hurts to lose that much space, but they keep telling me to get over it. :) Nick.
Regarding your submission to the job entitled Information Security Engineer - Sydney
We received your application for the job entitled 'Information Security Engineer - Sydney'. However, this job requires that you include an English resume. Please resubmit your application with an English resume. Our thanks, Google Staffing
Re: No HD DMA? (Was: Harddisk slow)
On Tue, Jan 30, 2007 at 08:50:53AM +0100, Heinrich Rebehn wrote: attaching the drive to a notebook via a IDE/USB converter easily yields 20 MB/s. So the drive *is* faster. While i could live with 8 MB/s i cannot accept the high CPU usage. It seems to make the installed crypto accelerator almost ineffective because the interrupts cannot be served fast enough. I suspect that the disk is not running in DMA mode. Is there any tool to verify that (like Linux's hdparm)? Cheers, Heinrich A dmesg and the output of atactl wd0
PF rules for outgoing FTP from firewall
Hi, I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted firewall duties. It is working 100%, including proxying ftp requests from the internal network. Today I went to do an FTP directly from the server (perl CPAN), and it failed. Looking at blocked packets, I see that packets coming in to the ftp port (tcpdump -r /var/log/pflog) are being blocked. Knowing a bit about ftp, I think I can understand why. Normally, the traffic would be allowed by my pass out keep state statement, but in the case of the bogus FTP protocol, data packets are coming back to the firewall without an outgoing packet to initiate the state. To activate the proxy for the internal network, I am using:

    rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

This works 100% But in the case of traffic originating directly from the server, it won't have gone through the internal interface, so won't even hit the proxy. What do I need to do to allow ftp to work directly from the firewall? Thanks, Steve Williams
Re: spamd openbsd 4.0 query
On Sun, 28 Jan 2007 19:19:09 +, John wrote: The only other thing I'm trying to find out now is whether whitelist.txt can use domains rather than dotted quads No. It doesn't do DNS as it is a fast lightweight single purpose MTA-like daemon. Besides which: Are you expecting to trust the domain in the HELO transaction? Or maybe you trust the envelope sender? Both are easily and commonly forged. R/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: PF rules for outgoing FTP from firewall
On 1/30/07, Steve Williams [EMAIL PROTECTED] wrote: Hi, I have a Sunfire V120, sparc64, OpenBSD 3.9 performing NAT and assorted firewall duties. It is working 100%, including proxying ftp requests from the internal network. Today I went to do an FTP directly from the server (perl CPAN), and it failed. Looking at blocked packets, I see that packets coming in to the ftp port (tcpdump -r /var/log/pflog) are being blocked. Knowing a bit about ftp, I think I can understand why. Have you tried ensuring that your CPAN module is configured to use passive mode FTP? http://sial.org/howto/perl/life-with-cpan/ This may prove a good workaround to having to tweak your firewall config to compensate. DS
Re: msk(4) with SK-9S91: Can not set 1000baseSX Single Mode Fiber Media Type
Hi Mark Most likely something is not quite right with the eephy(4) driver. eephy_status() in sys/dev/mii/eephy.c seems to be a candidate for closer examination. It appears to fall through the if() clause and does the else part, although we have a NIC with MIIF_IS_1000X :

    if (sc->mii_flags & MIIF_IS_1000X) {
        if (ssr & E1000_SSR_1000MBS)
            mii->mii_media_active |= IFM_1000_SX;
    } else {
        if (ssr & E1000_SSR_1000MBS)
            mii->mii_media_active |= IFM_1000_T;
        else if (ssr & E1000_SSR_100MBS)
            mii->mii_media_active |= IFM_100_TX;
        else
            mii->mii_media_active |= IFM_10_T;
    }

Could you test some diffs for me on that machine? Yes, I am happy to do that - I hope that I can continue to use those two machines over the next few days. Just preparing them with CVSupped source tree. Rolf