Re: xorg with Nvidia Go5600 at 1600x1200

2005-10-06 Thread Andrew Daugherity
On 10/6/05, pirge <[EMAIL PROTECTED]> wrote:
> Add this to your xorg.conf in the Device section for the nv driver:
>
> Option "FlatPanel" True
>
> and remove the Modes lines in the Screen section. It should default to
> the largest res it can find.
> Then double check the HorizSync and VertRefresh you have defined in
> the Monitor section.

Better yet, comment them out.  As printed in your log, it already
detects the panel size as 1600x1200, and it should autodetect suitable
HSync/VSync ranges (and should also detect the sync ranges of any
external monitor you connect, providing it's not a really ancient
model lacking DDC support, although that may require restarting X to
get proper values).

Your 31.5 - 64.3 HorizSync range is artificially limiting your
capabilities; the highest mode that range will support is
[EMAIL PROTECTED]  If for some reason letting it detect the sync ranges
(by removing your explicit entries) fails, raise the upper bound to
75.0, which should support [EMAIL PROTECTED]

Generally it's best to hard-code as few things as possible.  My
general procedure is to run "Xorg -configure" (or "XFree86
-configure"), and then make a few changes to the generated file as
necessary.  Much quicker and less painful than going through 20
screens of the xf86config tool.

-Andrew



Re: CARP+Pfsync+Bind

2005-10-06 Thread Lars Hansson
On Thu, 6 Oct 2005 22:15:25 +0100
ed <[EMAIL PROTECTED]> wrote:
> Works fine on the 2 domains where it's been implemented, of which
> I handled the conversion from BIND style to djbdns. No problems on UDP
> lookups alone, including some deep CNAMEs, which are just not required,
> but I'll deal with those at a later date.
> 
> I haven't seen any problems since the change. Lookup times have
> improved, I can't state if this is due to the lack of TCP or the file
> system overheads with zone files, but I expect a mixture of the two.

If you look at netstat on your tinydns boxes you'll notice that something
is listening on tcp/53. That something is dnscache so you should allow
tcp/53 in to your dns caches.

---
Lars Hansson



Re: Problem with altq cbq queuing.. please assist?

2005-10-06 Thread Lars Hansson
On Fri, 7 Oct 2005 14:31:45 +1000
"Luke Fogarty" <[EMAIL PROTECTED]> wrote:
> 
> #allow all traffic to and from lan
> 
> pass in  on $int_if from $int_if:network to any keep state

Keeping state affects queuing in subtle ways. Try:
pass in on $int_if from $luke to any keep state queue luke_in
pass in on $int_if from $pete to any keep state queue pete_in
pass in on $int_if from $nick to any keep state queue nick_in

> pass out on $int_if from any to $int_if:network keep state
> pass out on $int_if from any to $luke queue luke_in
> pass out on $int_if from any to $pete queue pete_in
> pass out on $int_if from any to $nick queue nick_in

---
Lars Hansson



Re: dual DVI graphics card

2005-10-06 Thread Martin Schröder
On 2005-10-06 14:37:03 -0700, Aaron Glenn wrote:
> I wasn't clear enough in my original post. I'm looking to run
> 1920x1200 on two DVI monitors; and I'd like some sort of OpenGL
> hardware acceleration support, however minor. None of the ATi chipsets
> currently support 1920x1200 on two DVI monitors.

One DVI port does up to 1600x1200, so you need four DVI (two
dual-link) ports.

Best
Martin
-- 
http://www.tm.oneiros.de



Problem with altq cbq queuing.. please assist?

2005-10-06 Thread Luke Fogarty
Hi

I'm sharing a connection and I'm trying to set aside bandwidth for some
users. Here is the pftop -v queue log

QUEUE BANDW SCH PRIO PKTS BYTES DROP_P DROP_B QLEN BORROW SUSPENDS P/S B/S
std_outpriq   35055249
0
dns_outpriq46  464
0games_out  priq5  461
255660ssh_outpriq6
000tcp_ack_outpriq
7000root_xl0
10M cbq 0  657   1045720
 std_in 7M cbq657   104572
0
 luke_in1M cbq  00
0
 pete_in1M cbq  00
0
 nick_in1M cbq  00
0


As you can see the priq outbound queues work, but I can't get the cbq to
work for inbound connections. All connections just go to the default
queue.

Here is my pf.conf -> love to hear your thoughts, I've tried everything!

# cat /etc/pf.conf
# macros
int_if = "xl0"
ext_if = "xl1"
tcp_services = "{ 22, 113, 5050, 443, 80 }"
udp_services = "{ 443, 5050 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
luke = "192.168.0.15"
nick = "192.168.0.49"
pete = "192.168.0.20"
myth = "192.168.0.253"
obsd = "192.168.0.250"
games = "{ 6112:6119, 4711, 29900:29901, 1024:1124, 1500:4999, 27900, 28910, 16567, 55123:55125, 27910, 27960, 4000, 27020:27050, 1200, 27000:27015 }"

# options
set block-policy return
set loginterface $ext_if
set optimization aggressive

# scrub
scrub in all
scrub out on $ext_if all random-id

#prioritization

#outbound

altq on $ext_if priq bandwidth 10Mb queue { std_out, web_req, dns_out, games_out, ssh_out, tcp_ack_out }

queue std_out priq(default)
queue web_req priority 3
queue dns_out priority 4
queue games_out priority 5
queue ssh_out priority 6
queue tcp_ack_out priority 7

#inbound

altq on $int_if cbq bandwidth 10Mb queue { std_in, luke_in, pete_in, nick_in }

queue std_in bandwidth 70% cbq(default borrow ecn)
queue luke_in bandwidth 10% cbq(borrow ecn)
queue pete_in bandwidth 10% cbq(borrow ecn)
queue nick_in bandwidth 10% cbq(borrow ecn)

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $ext_if proto { tcp, udp } from any to any port 443 -> $int_if port 22
rdr on $ext_if proto { tcp, udp } from any to any port www -> $myth port www

# filter rules
block log all

pass quick on lo0 all

#stop spoofing

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass rules

pass in on $ext_if proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in on $ext_if proto tcp from any to any port $tcp_services modulate state flags S/SA
pass in on $ext_if proto udp from any to any port $udp_services keep state

#allow icmp

pass in inet proto icmp all icmp-type $icmp_types keep state

#allow all traffic to and from lan

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $int_if from any to $luke queue luke_in
pass out on $int_if from any to $pete queue pete_in
pass out on $int_if from any to $nick queue nick_in


#let internal traffic access external using queues defined above

pass out on $ext_if proto tcp all modulate state flags S/SA queue (std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state queue std_out
pass out on $ext_if proto tcp from any to any port www modulate state queue web_req
pass out on $ext_if proto { tcp udp } from any to any port domain keep state queue dns_out
pass out on $ext_if proto { tcp udp } from any to any port $games keep state queue games_out
pass out on $ext_if proto tcp from any to any port ssh modulate state queue ssh_out



Shared Queues / Queuing on Multiple Interfaces

2005-10-06 Thread Brian A. Seklecki
I think I fumbled last week when I posted this original message in reply
to one several months old (causing it to not be seen by MUA threading)


The question remains:

Can traffic travelling ingress on one-of-a-three-interface router be
queued as it egresses the other two possible interfaces, enforcing a
Frame-Relay "CIR" style sharing policy, but allowing either queue to
borrow up to the maximum possible "Downstream" bandwidth on the original
interface?


See URL and msg below:

http://digitalfreaks.org/~lavalamp/Queues.png

~BAS

-- Forwarded message --
Date: Mon, 3 Oct 2005 11:28:24 -0400 (EDT)
From: Brian A. Seklecki <[EMAIL PROTECTED]>
To: Henning Brauer <[EMAIL PROTECTED]>
Cc: misc@openbsd.org, Tony Sarendal <[EMAIL PROTECTED]>,
jared r r spiegel <[EMAIL PROTECTED]>, Seamus Wassman <[EMAIL PROTECTED]>
Subject: Queing on Multiple Interfaces Revisited (WAS: Re: matching queues
in both directions with stateful rulesets)


On Mon, October 25, 2004 12:50 pm, Henning Brauer said:
> * Tony Sarendal <[EMAIL PROTECTED]> [2004-10-25 16:48]:
>> Is there a way to assign which queues stateful traffic
>> will use in both directions ?
>
> yes, you can have queues with the same names on multiple interfaces.
>
> i. e. you create the queue "customer1" on both your external (dc0) and
> "his" interface (vlan1). outbound will go to the one on dc0, inbound to
> the one on vlan1.


A better topic would be perhaps "upstream bandwidth
distribution...downstream"

All, the PF FAQ states several fundamentals about queuing:

1) "queuing is only useful for packets in the outbound direction"

..then later:

2) "Note that queue designation can happen on an interface other than the
one defined in the altq on directive:
  [...example rule set..]

 Queueing is enabled on fxp0 but the designation takes place on dc0. If
packets matching the pass rule exit from interface fxp0, they will be
queued in the ftp queue. This type of queueing can be very useful on
routers."

-

I think a lot of confusion on this topic of multiple interfaces
originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect
behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic
inbound on one interface (of which the destination traffic matched will
travel outbound on an interface on which queuing is enabled) and applying
it to the "outbound" queue of the designated interface (point #2 above)
differs in behavior from simply matching traffic "outbound" on said
queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as
"direction", "inbound", "outbound", "upstream", "downstream", "ingress",
"egress", etc.,
this is especially important with regards to the naming conventions on
queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue:

Let's look at an example like a Frame Relay network might; say that
your objective is an SLA for your customers worded as so:

"Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps
bi-directional CIR.  Both may borrow from the total available."

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream "external" interface is broadband/narrowband delivered via
Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is
synchronous/symmetric
*) Customer handoff is 100mbs Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a "perimeter router" with a "pass all" style
ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce "upstream" or
"outbound" queues on xl0.

altq on xl0 cbq queue { std-up cust1-up cust2-up }
queue std-up cbq(default ecn)
queue cust1-up bandwidth 10Mb cbq(ecn)
queue cust2-up bandwidth 10Mb cbq(ecn)

pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
pass out on xl0 from $vlan20_subnet to any keep state queue cust2-up
# these filters will match customer FTP uploads and HTTP GETs from
# customer-hosted web servers, etc.
# this rule is redundant because the traffic would be forwarded anyway, it
# exists simply to match traffic into a queue and create a state table entry
# while we're at it.

...

But then let's say you want to invert those rules.

**NOTE**, if customer1 and customer2 were visible via the same interface,
then you could easily create a queue on that shared customer-facing
interface with a "bandwidth" statement that matches the max hypothetical
"downstream" speed of the broadband connection.  Then divvy it up using
sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as "pass in on $ext_if"
2) You could create non-stateful matching rules as "pass out on $cust1
...", "pass out on $cust2...",

But the question remains: Into what queue?  What type of queue would be
used to des

Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 22:15:52 +0100, ed proclaimed...

> TCP for DNS lookups are probably going to incur latency. I'd rather
> just block that off and ensure that the DNS being provided does not leak
> excess > 512 bytes. This might cause some problems with huge round robin
> lists, but we can all use pf round robin at the level should we require
> a huge address list.

You really should be pumping gas at a gas station or something. Clearly
you're not interested in doing things correctly.

> DJB woke a large portion of the world when he released djbdns, I'd not
> knock it, and it's pretty good advice at the above URL.

And the advice refers to an RFC (which was not written by djb) that
specifically states that TCP can be used.

I'm not knocking djb, I use qmail. I used to use tinydns, but then there
were a whole world of problems with no ipv6 support natively, etc., and I
just didn't want to bother anymore.



Re: Sendmail TLS

2005-10-06 Thread Claus Assmann
On Thu, Oct 06, 2005, Eric Dillenseger wrote:

> I'm trying to setup a sendmail config using tls to use gmail as a smart-host.

Why?  Why don't you send mail directly?

> Now I see it successfully connected to gmail smtp, but didn't authenticate.
> My question is, how can I make it authenticate?

See the fine documentation... but first you need to figure out what
kind of authentication gmail requires: SMTP AUTH or STARTTLS?  For
the former see

Providing SMTP AUTH Data when sendmail acts as Client

in cf/README.



Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:07:23 -0500
eric <[EMAIL PROTECTED]> wrote:

> On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed...
> 
> > I use TinyDNS here, so we don't really need to transfer zones as its
> > handled with a single data file. CARP can be good with DNS.
> 
> 53/tcp *is* required to answer normal queries.

TCP for DNS lookups are probably going to incur latency. I'd rather
just block that off and ensure that the DNS being provided does not leak
excess > 512 bytes. This might cause some problems with huge round robin
lists, but we can all use pf round robin at the level should we require
a huge address list.

> Since you're drinking djb's koolaid, see 
> 
> 
> 
> 512-bytes uncommon or a "mistake"? I think not.

DJB woke a large portion of the world when he released djbdns, I'd not
knock it, and it's pretty good advice at the above URL.

-- 
Regards, Ed http://www.usenix.org.uk



RE: Re: sh-script executing

2005-10-06 Thread tony
The editing is perfectly safe.
It is the reading of a file that is being changed that is unsafe.

Of course there's Microsoft Windows.

>- --- Original Message --- -
>From: [EMAIL PROTECTED]
>To: misc@openbsd.org
>Sent: Fri, 7 Oct 2005 09:39:47
>
>OM> I know this behaviour from every Unix system
>I've worked on. Besides,
>OM> the nice thing about the current way of doing
>things is that you can
>OM> read a script from a pipe and have the desired
>behaviour without any
>OM> special case code.
>
>This behavior has any advantages for regular files
>? Compatibility ?
>
>  If so, do any editor has option to safe editing
>for this case ?
>(of course, I always can do editor wraparound).



Re: sh-script executing

2005-10-06 Thread Ilya A. Kovalenko
OM> I know this behaviour from every Unix system I've worked on. Besides,
OM> the nice thing about the current way of doing things is that you can
OM> read a script from a pipe and have the desired behaviour without any
OM> special case code.

This behavior has any advantages for regular files ? Compatibility ?

  If so, do any editor has option to safe editing for this case ?
(of course, I always can do editor wraparound).



Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Craig Barraclough
On Fri, 7 Oct 2005 09:08, you wrote:
> I wondered that as well, but there appear to be lots (so it appears from
> other postings I found using google) of 4801s in use with OpenBSD, doing
> essentially the same thing as myself (Soekris w/ carp/pf/pfsynch).  Yet,
> AFAICT, I'm the only one who's posted about this symptom.  Since there are
> lots of people who do what I do, and if the problem were indeed that the
> 4801 processor is too wimpy, then wouldn't there be more problems like mine
> mentioned in the lists?  And I'm running into high interrupts with only
> about 4Mbs throughput while others have claimed much higher values.
>
> Before I used this firewall that I have now, I used m0n0wall on FreeBSD.  I
> chose OpenBSD over m0n0wall/FreeBSD due to m0n0wall state table limitations
> and lack of mature redundance features.  But the m0n0wall handled this much
> traffic, and more, with a relatively low interrupt mode.  As widely as
> OpenBSD is used on Soekris for firewalling compared to m0n0wall/FreeBSD
> with relatively few problems, I'm still not quite ready to decide that I
> haven't gotten myself a setup flaw somewhere.  Just can't figure out where
> it could be.
>
>
You'll find a few of us are running the interrupt holdoff patch, which IIRC, 
comes from the FreeBSD tree via [EMAIL PROTECTED] (See below).
Patch trades off timeliness of response for reduced interrupts.

Index: src/sys/dev/pci/if_sis.c
===
RCS file: /cvs/src/sys/dev/pci/if_sis.c,v
retrieving revision 1.46
diff -u -r1.46 if_sis.c
--- src/sys/dev/pci/if_sis.c27 May 2005 04:52:24 -  1.46
+++ src/sys/dev/pci/if_sis.c7 Jun 2005 07:14:37 -
@@ -1692,6 +1692,10 @@
sis_stop(sc);
sc->sis_stopped = 0;

+   /* Configure interrupt holdoff register. */
+   if (sc->sis_type == SIS_TYPE_83815 && sc->sis_srr == NS_SRR_16A)
+   CSR_WRITE_4(sc, NS_IHR, NS_IHR_VALUE);
+
mii = &sc->sc_mii;

/* Set MAC address */
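Review bot: The guard `sc->sis_type == SIS_TYPE_83815 && sc->sis_srr == NS_SRR_16A` and the register name `NS_IHR` in the CSR_WRITE_4 call depend on definitions that neither hunk of this patch adds (the header hunk defines only NS_IHR_HOLDCTL, NS_IHR_DELAY and NS_IHR_VALUE), so confirm both already exist in if_sisreg.h or the driver will not build. The check also limits the write to a single silicon revision without saying why; a one-line comment naming the revisions known to implement the holdoff register would help, since every other chip silently keeps its previous interrupt behaviour.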
Index: src/sys/dev/pci/if_sisreg.h
===
RCS file: /cvs/src/sys/dev/pci/if_sisreg.h,v
retrieving revision 1.21
diff -u -r1.21 if_sisreg.h
--- src/sys/dev/pci/if_sisreg.h 22 May 2005 05:40:52 -  1.21
+++ src/sys/dev/pci/if_sisreg.h 7 Jun 2005 07:14:38 -
@@ -208,6 +208,20 @@
 SIS_IMR_RX_IDLE|\
 SIS_IMR_SYSERR)

+/* Interrupt Holdoff Register */
+#define NS_IHR_HOLDCTL 0x0100
+
+/*
+ * Interrupt holdoff value for NS DP8316. We can have the chip
+ * delay interrupt delivery for a certain period. Units are in
+ * 100us, and the default is 100us holdoff.
+ */
+#ifndef NS_IHR_DELAY
+#define NS_IHR_DELAY   2
+#endif
+
+#define NS_IHR_VALUE   (NS_IHR_HOLDCTL|NS_IHR_DELAY)
+
 #define SIS_IER_INTRENB0x0001

 #define SIS_PHYCTL_ACCESS  0x0010
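Review bot: The comment above NS_IHR_DELAY contradicts the value it documents: it states that units are 100us and that "the default is 100us holdoff", yet NS_IHR_DELAY defaults to 2, which by the comment's own units is 200us. Either set the default to 1 or correct the comment, and fix the chip name "DP8316", which does not match the SIS_TYPE_83815 check in the if_sis.c hunk. Because the delay can only be overridden at build time through the #ifndef, the comment should also state the valid range of NS_IHR_DELAY so that an override cannot overlap the NS_IHR_HOLDCTL bit when the two are ORed into NS_IHR_VALUE.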

-- 
Craig



Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Daniel Ouellet

Chris Zakelj wrote:
> Jan Izary wrote:
>
>> Recently I and several other people have worked to improve the OpenBSD
>> article contained in the Wikipedia, I'm sure I need not explain how it
>> works.
>>
>> Anyways, I've worked to get as much easily accessible information
>> regarding OpenBSD in that article as possible and I've pretty much run
>> into a wall, I've got little else I can add.
>>
>> I am putting a call out to the OpenBSD community at large to give a
>> look at the article and see if they can improve it, fleshing out
>> anything that has gaps and explaining some of the more complex concepts.
>>
>> Things like OpenBSD centred screenshots would be nice if people would
>> be willing to upload them and list them in the gallery.
>>
>> I would have put this on the advocacy list, but really it seems to be
>> dead and most advocacy seems to run through the misc list.
>>
>> Thanks
>>
>> http://en.wikipedia.org/wiki/OpenBSD
>
> Looks pretty good.  My only suggestions would be to note that Nick
> handles the official FAQ, and adding Daniel Ouellet as the
> organizer/caretaker of the unofficial user's library.


If you have any article(s) that you want to find a home for, I would be
more than happy to provide it! Contributions have been rare, so calls
were made before, many times in fact. But actual contributions were very
far in between.

I do have two or three articles now that are waiting my free time to be
posted, I apologize to the brave souls that actually sent them to me! My
apology guys, but I haven't forgotten them trust me.

As for more places to post things, my own view and that doesn't represent
anyone else's views, is that we sure don't need to duplicate efforts. The
locations are available, up to the users to make it happen.

Again, great stuff directly for the system that deserves a place on
OpenBSD.org, should be sent to the always ready and incredibly brave
soul of Nick if that's a great quality for the FaQ. He sure will tell
you if it is. But first, read his requirements here:

http://www.holland-consulting.net/obsd/faq-help.html

Then send what you have based on that, either to him, if it is FaQ stuff
and of great quality, or me if that doesn't apply to the FaQ and we will
find it a home.


Daniel



Re: dual DVI graphics card

2005-10-06 Thread Matthew Weigel
Aaron Glenn wrote:

> Perhaps you could drop the cocky attitude and do something productive
> with your catty prose?

No, actually - the catty prose itself is unproductive.  But you worked so
hard to eliminate the productive options, I didn't want to give you
anything but what you wanted.

> Thanks for the radeon(4) reference; I'm sure if
> any of the Radeon chips did 1920x1200 on two DVI it would have been
> very helpful.

I'm no good at not helping; if you don't believe me, go take a look at the
video cards that Apple sells.  They specifically say their 9600 supports
two 1920x1200 displays over DVI.  If you'd like to wager that the 9600
that ATI sells specifically for Macs does less than the OEM 9600 that
Apple sells, I'll give you good odds.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Wireless issue (ath0: bogus xmit rate 0x0 error)

2005-10-06 Thread Fred Crowson

Hi List,

I'm running 3.8 from the snapshot 2nd Oct, which I upgraded from 3.7, on 
a soekris net4501.


My problem, is probably offtopic, but I'm hoping the wisdom of this list 
will point me in the right direction.


I have an apple iBook G4 which will not connect to my OpenBSD ath0 
minipci card in the soekris, I just get the following errors:


ath0: bogus xmit rate 0x0

The iBook associates with the wireless network and I can connect to two 
other OpenBSD machines with wi0 and ipw0 cards in, which are running on 
the same wireless LAN.


When the net4501 was running 3.7 I would get the same error message, but 
if I toggled the airport on and off on the ibook I would usually get a 
connection, or the soekris would crash, I caught a ps and partial trace 
from one of the 3.7 crashes which is shown below.


Can anyone suggest a way of resolving the iBook's inability to talk to the
ath0 card?


My dmesg, hostname.ath0 and the ps and trace follow.

Thanks, in advance,

Fred


kernel:kernel: page fault trap, code=0
Stopped at  Xrecurse_legacy8+0x7d:  movl0x4(%ebx),%eax
ddb> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT   COMMAND
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb> trace
Xrecurse_legacy8() at Xrecurse_legacy8+0x7d
--- interrupt ---
Xspllower(800,3a,0,0) at Xspllower+0xe
cnputc(3a,6,d06d1bac,d01e24d1,6) at cnputc+0x26
db_putchar(3a,14,0,6) at db_putchar+0xc6
kprintf(d04fbc88,14,0,0,d06d1c98) at kprintf+0xe20
db_printf(d04fbc88,0,0,0) at db_printf+0x2d
kdbprinttrap(6,0,0,0,0) at kdbprinttrap+0x18
kdb_trap(6,0,d06d1d34,600) at kdb_trap+0x46
trap() at trap+0xa9
--- trap (number 6) ---
pmap_extract(d05cf940,d66d6800,d06d1dcc,0,d05cf940) at pmap_extract+0x36
_bus_dmamap_load_buffer(d0570440,d0836880,d66d6800,600,0) at _bus_dmamap_load_buffer+0x58
_bus_dmamap_load_mbuf(d0570440,d0836880,d29c3100,1) at _bus_dmamap_load_mbuf+0x90
ath_tx_start(d0839000,d092cc00,d083c5cc,d29c3100) at ath_tx_start+0x1b9
ath_start(d0839030,d65591b8,4c1b8,d65591e4) at ath_start+0xfc
ath_rx_proc(d0839000,1,d0101f20,d06d21b4) at ath_rx_proc+0x1d6
ath_intr1(d0839000) at ath_intr1+0x130
Xrecurse_legacy10() at Xrecurse_legacy10+0x8a
--- interrupt ---
--db_more--   Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--- interrupt ---
Xdoreti() at Xdoreti+0x11
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--db_more--

At this point I pressed the wrong key on the console and the soekris 
rebooted.


Here is my hostname.ath0:

inet 10.0.5.1 255.255.255.0 NONE media DS11 mediaopt hostap nwid wifinet nwkey x


Here is the complete dmesg:

OpenBSD 3.8-current (GENERIC) #169: Sun Oct  2 15:06:50 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class)
cpu0: FPU
real mem  = 66691072 (65128K)
avail mem = 53411840 (52160K)
using 839 buffers containing 3436544 bytes (3356K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/41/22, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product 0 stepping 1.1, CPU clock 133MHz, reset 1
gpio0 at elansc0: 32 pins
ath0 at pci0 dev 16 function 0 "Atheros AR5212" rev 0x01: irq 10
ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:02:6f:21:ef:1c
sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 11, address 00:00:24:c3:ff:20
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 5, address 00:00:24:c3:ff:21
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 20 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 9, address 00:00:24:c3:ff:22
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA, 488MB, 1000944 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3

Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Chris Zakelj
Jan Izary wrote:

> Recently I and several other people have worked to improve the OpenBSD
> article contained in the Wikipedia, I'm sure I need not explain how it
> works.
>
> Anyways, I've worked to get as much easily accessible information
> regarding OpenBSD in that article as possible and I've pretty much run
> into a wall, I've got little else I can add.
>
> I am putting a call out to the OpenBSD community at large to give a
> look at the article and see if they can improve it, fleshing out
> anything that has gaps and explaining some of the more complex concepts.
>
> Things like OpenBSD centred screenshots would be nice if people would
> be willing to upload them and list them in the gallery.
>
> I would have put this on the advocacy list, but really it seems to be
> dead and most advocacy seems to run through the misc list.
>
> Thanks
>
> http://en.wikipedia.org/wiki/OpenBSD

Looks pretty good.  My only suggestions would be to note that Nick
handles the official FAQ, and adding Daniel Ouellet as the
organizer/caretaker of the unofficial user's library.



Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005
22:15:25 +0100

>On Thu, 6 Oct 2005 15:49:02 -0400
>"Dave Anderson" <[EMAIL PROTECTED]> wrote:
>
>> That's not quite the whole story: 53/tcp is also used when the
>> response to a query is too big for a single UDP packet (the resolver
>> sends a UDP query and gets a 'truncated' UDP reply, so the resolver
>> retries the query using TCP) -- you should always pass both UDP and
>> TCP for port 53 to avoid occasional obscure failures.
>
>Works fine on the 2 domains where it's been implemented, of which
>I handled the conversion from BIND style to djbdns. No problems on UDP
>lookups alone, including some deep CNAMEs, which are just not required,
>but I'll deal with those at a later date.
>
>I haven't seen any problems since the change. Lookup times have
>improved, I can't state if this is due to the lack of TCP or the file
>system overheads with zone files, but I expect a mixture of the two.

According to RFC 1035 section 4.2.1 you're riding for a fall:

Messages carried by UDP are restricted to 512 bytes (not 
counting the IP or UDP headers).  Longer messages are 
truncated and the TC bit is set in the header.

RFC 2671 modifies this by specifying a method for using UDP packets
containing more than 512 bytes, but the maximum size is still limited.

RFC 2181 section 9 is quite clear:

The TC bit should be set in responses only when an RRSet 
is required as a part of the response, but could not be 
included in its entirety.  The TC bit should not be set 
merely because some extra information could have been 
included, but there was insufficient room.  This includes 
the results of additional section processing.  In such 
cases the entire RRSet that will not fit in the response 
should be omitted, and the reply sent as is, with the TC 
bit clear.  If the recipient of the reply needs the 
omitted data, it can construct a query for that data and 
send that separately.

Where TC is set, the partial RRSet that would not 
completely fit may be left in the response.  When a DNS 
client receives a reply with TC set, it should ignore 
that response, and query again, using a mechanism, such 
as a TCP connection, that will permit larger replies.

Responses long enough so that required information is truncated should
be rare, so perhaps you've been lucky and not encountered any yet.

Dave

-- 
Dave Anderson
<[EMAIL PROTECTED]>
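
The UDP-then-TCP fallback from the RFC excerpts above, as an added example that is not part of the original post: a resolver checks the TC bit and retries over TCP, run against a constructed in-memory server so the effect of filtering tcp/53 is visible. All function names, the `.example` names and the 192.0.2.x records are made up for illustration.

```python
import struct

UDP_LIMIT = 512   # RFC 1035 4.2.1: largest DNS message carried by plain UDP
QR_BIT = 0x8000   # set on responses
TC_BIT = 0x0200   # "truncated" flag in the header flags word
RD_BIT = 0x0100   # recursion desired


def build_query(qname, txid=0x1234):
    """Minimal query: one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_BIT),
            "tc": bool(flags & TC_BIT), "ancount": ancount}


def frame_for_tcp(msg):
    """RFC 1035 4.2.2: over TCP each message has a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data):
    """Strip and validate the 2-byte length prefix."""
    if len(data) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 < length:
        raise ValueError("short read on TCP DNS message")
    return data[2:2 + length]


def check_reply(reply, want_id):
    """Reject anything that is not a response to our own query."""
    hdr = parse_header(reply)
    if not hdr["qr"] or hdr["id"] != want_id:
        raise LookupError("reply does not match the query")
    return hdr


def resolve(query, udp_send, tcp_send):
    """UDP first; when TC is set, ignore that reply and ask again over TCP."""
    want_id = parse_header(query)["id"]
    reply = udp_send(query)
    if not check_reply(reply, want_id)["tc"]:
        return "udp", reply
    try:
        reply = unframe_tcp(tcp_send(frame_for_tcp(query)))
    except OSError as exc:
        raise LookupError("reply truncated and tcp/53 unreachable") from exc
    check_reply(reply, want_id)
    return "tcp", reply


def constructed_server(query, n_answers, transport):
    """Constructed stand-in for a DNS server; not any real implementation."""
    txid = parse_header(query)["id"]
    question = query[12:]
    # Each A record: name pointer, type, class, TTL, rdlength, address = 16 bytes.
    answers = [b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
               + bytes([192, 0, 2, i % 256]) for i in range(n_answers)]
    flags = QR_BIT | RD_BIT
    if transport == "udp" and 12 + len(question) + 16 * n_answers > UDP_LIMIT:
        flags |= TC_BIT   # the RRset does not fit, so signal truncation
        answers = []      # this constructed server drops the partial RRset
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + question + b"".join(answers)


def lookup(qname, n_answers, tcp_allowed):
    """Resolve against the constructed server, optionally with tcp/53 filtered."""
    def udp_send(q):
        return constructed_server(q, n_answers, "udp")

    def tcp_send(framed):
        if not tcp_allowed:
            raise ConnectionRefusedError("tcp/53 filtered (simulated)")
        q = unframe_tcp(framed)
        return frame_for_tcp(constructed_server(q, n_answers, "tcp"))

    transport, reply = resolve(build_query(qname), udp_send, tcp_send)
    return transport, parse_header(reply)["ancount"]


if __name__ == "__main__":
    print(lookup("small.example", 3, tcp_allowed=False))   # fits in UDP
    print(lookup("big.example", 40, tcp_allowed=True))     # falls back to TCP
    try:
        lookup("big.example", 40, tcp_allowed=False)
    except LookupError as exc:
        print("lookup failed:", exc)
```

Small answers never touch TCP, which is why a filter that drops tcp/53 can look healthy until a record set grows past the UDP limit.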



Re: dual DVI graphics card

2005-10-06 Thread Stuart Henderson

--On 06 October 2005 16:11 -0700, Aaron Glenn wrote:


> I had used Matrox cards exclusively up until Parhelia was released
> however long ago. I think my Millenium II card is still chugging along
> in a closet somewhere. From what I can tell on Matrox's site, the
> Parhelia and the Millenium P750 are two distinct chipsets.


Millenium Pxxx and Parhelia share drivers. I bought a P650 before 
realising this, the only way I found to make it run with X is by 
extracting the relevant file from their closed-source i386 linux driver 
(they're not os-specific). It sits in a windows box now.




Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread William Bloom
I wondered that as well, but there appear to be lots (so it appears from
other postings I found using google) of 4801s in use with OpenBSD, doing
essentially the same thing as myself (Soekris w/ carp/pf/pfsynch).  Yet,
AFAICT, I'm the only one who's posted about this symptom.  Since there are
lots of people who do what I do, and if the problem were indeed that the
4801 processor is too wimpy, then wouldn't there be more problems like mine
mentioned in the lists?  And I'm running into high interrupts with only
about 4Mbs throughput while others have claimed much higher values.

Before I used this firewall that I have now, I used m0n0wall on FreeBSD.  I
chose OpenBSD over m0n0wall/FreeBSD due to m0n0wall state table limitations
and lack of mature redundance features.  But the m0n0wall handled this much
traffic, and more, with a relatively low interrupt mode.  As widely as
OpenBSD is used on Soekris for firewalling compared to m0n0wall/FreeBSD
with relatively few problems, I'm still not quite ready to decide that I
haven't gotten myself a setup flaw somewhere.  Just can't figure out where
it could be.


Bill

Theo de Raadt wrote:
>>>If the Soekris did not come with ethernet chipsets which are just
>>>slightly over the bar of rl(4), the wimpy processor in the machine
>>>might be able to cope.
>>
>>Throughput is only marginally better using an em in the pci slot of a 
>>4801. I think there's some other problem.
> 
> 
> Yeah -- the super wimpy processor.

-- 
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100
Fax: +11-602-604-3115 | http://www.eldocomp.com

-- CONFIDENTIALITY NOTICE --

Information transmitted by this e-mail is proprietary to MphasiS and/or its 
Customers and is intended for use only by the individual or entity to which it 
is addressed, and may contain information that is privileged, confidential or 
exempt from disclosure under applicable law. If you are not the intended 
recipient or it appears that this mail has been forwarded to you without proper 
authority, you are notified that any use or dissemination of this information 
in any manner is strictly prohibited. In such cases, please notify us 
immediately at [EMAIL PROTECTED] and delete this mail from your records.



Re: dual DVI graphics card

2005-10-06 Thread Aaron Glenn
On 10/6/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> Their old cards used to be a good choice for open-source, but
> Parhelia-based cards are too proprietary. Pity.
>

I had used Matrox cards exclusively up until Parhelia was released
however long ago. I think my Millenium II card is still chugging along
in a closet somewhere. From what I can tell on Matrox's site, the
Parhelia and the Millenium P750 are two distinct chipsets.

aaron.glenn



Re: dual DVI graphics card

2005-10-06 Thread Stuart Henderson

experiences setting it up? I've got my eye on the Matrox Millennium
P750 card, but I can't find anything on any kind of support for
OpenBSD (I'm not looking to run Linux, Solaris, or even FreeBSD all of
which seem to have some sort of support).


Their old cards used to be a good choice for open-source, but 
Parhelia-based cards are too proprietary. Pity.




Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Stuart Henderson

--On 06 October 2005 16:00 -0600, Theo de Raadt wrote:


If the Soekris did not come with ethernet chipsets which are just
slightly over the bar of rl(4), the wimpy processor in the machine
might be able to cope.


Throughput is only marginally better using an em in the pci slot of a 
4801. I think there's some other problem.




Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Theo de Raadt
> > If the Soekris did not come with ethernet chipsets which are just
> > slightly over the bar of rl(4), the wimpy processor in the machine
> > might be able to cope.
> 
> Throughput is only marginally better using an em in the pci slot of a 
> 4801. I think there's some other problem.

Yeah -- the super wimpy processor.



Re: dual DVI graphics card

2005-10-06 Thread Aaron Glenn
On 10/6/05, Matthew Weigel <[EMAIL PROTECTED]> wrote:
> It appears I was correct in guessing that simply mentioning that radeon(4)
> is where to look would not give you the information you need in order to
> arrive at the fact that the Radeon 9600 drives the products for which you
> are searching.  Given the quality and tone of your response, I will avoid
> correcting you and encourage you to buy what ever it is that you can find
> that can meet your needs.

Perhaps you could drop the cocky attitude and do something productive
with your catty prose? Thanks for the radeon(4) reference; I'm sure if
any of the Radeon chips did 1920x1200 on two DVI it would have been
very helpful.

You see, just because the box or spec sheet says "supports 1920x1200"
doesn't mean the GPU will do 1920x1200 on both DVI ports. In fact,
colorgraphics, which specializes in multi-display graphics cards, and
uses the ATi Radeon GPU, notes that you get a max of 1600x1200 when
using both DVI ports.

So with that helpful lesson out of the way, you can shut your trap
about radeon(4) and your patently stupid recommendations.

> Given the accuracy and completeness of the research you've done so far,
> I'm confident that something amusing will result.

I'm confident you either lack basic reading comprehension skills, or
talk out of your ass on a regular basis...or maybe both? Either way
you can keep your future quality responses right where they came from,
your ass.



Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Marcos Latas
On 06/10/05, Jan Izary <[EMAIL PROTECTED]> wrote:
> Recently I and several other people have worked to improve the OpenBSD
> article contained in the Wikipedia, I'm sure I need not explain how it
> works.
>
> Anyways, I've worked to get as much easily accessible information regarding
> OpenBSD in that article as possible and I've pretty much run into a wall,
> I've got little else I can add.
>
> I am putting a call out to the OpenBSD community at large to give a look at
> the article and see if they can improve it, fleshing out anything that has
> gaps and explaining some of the more complex concepts.
>
> Things like OpenBSD centred screenshots would be nice if people would be
> willing to upload them and list them in the gallery.
>
> I would have put this on the advocacy list, but really it seems to be dead
> and most advocacy seems to run through the misc list.
>
> Thanks
>
> http://en.wikipedia.org/wiki/OpenBSD

I had already noticed it and I was wondering who was doing it... Very nice work!



Re: dual DVI graphics card

2005-10-06 Thread Matthew Weigel
Aaron Glenn wrote:
> On 10/6/05, Matthew Weigel <[EMAIL PROTECTED]> wrote:
>>
>> In theory, you should be able to answer your question simply by me
>> mentioning that radeon(4) supports dual displays on video cards still
>> available through retail channels.
>
> I wasn't clear enough in my original post. I'm looking to run
> 1920x1200 on two DVI monitors; and I'd like some sort of OpenGL
> hardware acceleration support, however minor. None of the ATi chipsets
> currently support 1920x1200 on two DVI monitors.

It appears I was correct in guessing that simply mentioning that radeon(4)
is where to look would not give you the information you need in order to
arrive at the fact that the Radeon 9600 drives the products for which you
are searching.  Given the quality and tone of your response, I will avoid
correcting you and encourage you to buy what ever it is that you can find
that can meet your needs.

Given the accuracy and completeness of the research you've done so far,
I'm confident that something amusing will result.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: dual DVI graphics card

2005-10-06 Thread L. V. Lammert
On Thu, 6 Oct 2005, Matthew Weigel wrote:

> In theory, you should be able to answer your question simply by me
> mentioning that radeon(4) supports dual displays on video cards still
> available through retail channels.
>
> Finally, I can vouch for dual displays working fine on Radeon cards,
> although I use a card with one DVI and one VGA output.
>
PMFJI, but is there some sort of desktop 'manager' tool like Hydra to
control the desktop space?

Lee


  Leland V. Lammert              [EMAIL PROTECTED]
  Chief Scientist                Omnitec Corporation
  Network/Internet Consultants   www.omnitec.net




Re: About VLAN and Carp

2005-10-06 Thread Mathieu Sauve-Frankel
On Thu, Oct 06, 2005 at 11:17:04PM +0200, Léo Goehrs wrote:
> ifconfig vlan0 vlan 11 vlandev carp0
> 
> 
> 
> It gives me an error. Is there a way to do that?

Yes there is.
 
The vlandev has to be the physical interface. 
Then you use the vlan interface as the carpdev.

Example: 

ifconfig em0 up
ifconfig vlan0 vlan 11 vlandev em0
ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0


-- 
Mathieu Sauve-Frankel



The Wikipedia article on OpenBSD

2005-10-06 Thread Jan Izary
Recently I and several other people have worked to improve the OpenBSD 
article contained in the Wikipedia, I'm sure I need not explain how it 
works.


Anyways, I've worked to get as much easily accessible information regarding 
OpenBSD in that article as possible and I've pretty much run into a wall, 
I've got little else I can add.


I am putting a call out to the OpenBSD community at large to give a look at 
the article and see if they can improve it, fleshing out anything that has 
gaps and explaining some of the more complex concepts.


Things like OpenBSD centred screenshots would be nice if people would be 
willing to upload them and list them in the gallery.


I would have put this on the advocacy list, but really it seems to be dead 
and most advocacy seems to run through the misc list.


Thanks

http://en.wikipedia.org/wiki/OpenBSD





Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Theo de Raadt
If the Soekris did not come with ethernet chipsets which are just
slightly over the bar of rl(4), the wimpy processor in the machine
might be able to cope.



Re: dual DVI graphics card

2005-10-06 Thread Aaron Glenn
On 10/6/05, Matthew Weigel <[EMAIL PROTECTED]> wrote:
>
> In theory, you should be able to answer your question simply by me
> mentioning that radeon(4) supports dual displays on video cards still
> available through retail channels.

I wasn't clear enough in my original post. I'm looking to run
1920x1200 on two DVI monitors; and I'd like some sort of OpenGL
hardware acceleration support, however minor. None of the ATi chipsets
currently support 1920x1200 on two DVI monitors.

> However, I'll point out a bit more: Google suggests that Radeons as far
> back as the 7500 have supported 1920x1200, and the Radeon 9600 has
> specific mention on ATI's site for supporting 1920x1200 (without
> 'dual-link' DVI).  ATI sells a Radeon 9600 "PC/Mac Edition" with two DVI
> outputs for $199, so it looks like everything is in place.  Further, it
> looks like NewEgg stocks a card sold by "HIS Hightech" that is also a
> Radeon 9600 with two DVI outputs.

That's great and all, but that isn't how it works: I need 1920x1200 on
EACH monitor, over DVI. Sorry I wasn't clear enough in my original
post to convey this.

> Finally, I can vouch for dual displays working fine on Radeon cards,
> although I use a card with one DVI and one VGA output.

That doesn't help much, because I'm looking for a supported card that
does 1920x1200 on two DVI monitors; not dvi and one vga (there is a
difference in driver/chipset support)

Thanks,
aaron.glenn



Re: WLAN (Linksys WPC111) + WEP

2005-10-06 Thread Joost Tr

Here's an explanation of open vs shared
http://www.dslreports.com/forum/remark,8645211~reverse=0;days=10;root=wlan;mode=full



From: Nikolaus Hiebaum <[EMAIL PROTECTED]>
To: OpenBSD mailing list - misc 
Subject: Re: WLAN (Linksys WPC111) + WEP
Date: Thu, 6 Oct 2005 22:03:50 +0200 (CEST)

* Joost Tr wrote on Oct 6, 2005 [10:00, -] :

> can you connect with open authentication (-A 1) when you set to open auth.
> AP too

Yes, with open authentication it works. I am not savvy enough to understand
the difference.
What is the difference between open and shared key? And what does it mean
that the open auth. works and the shared one doesn't?

--
Beste Grüße / Best regards,
Nikolaus Hiebaum




Re: xorg with Nvidia Go5600 at 1600x1200

2005-10-06 Thread pirge
Add this to your xorg.conf in the Device section for the nv driver:

Option "FlatPanel" True

and remove the Modes lines in the Screen section. It should default to
the largest res it can find.
Then double check the HorizSync and VertRefresh you have defined in
the Monitor section.


On 06/10/05, stefan hoffmann <[EMAIL PROTECTED]> wrote:
> Hi,
>
> thank you for your answer.
>
> pirge wrote:
> > nv will do 1600x1200 - I run a geforce 2 go (dell inspiron 8100) with
> > openbsd 3.7 generic at that resolution.
>  > Reading the nv man page I'm not sure it supports the Go5600..?
> As you can see in the log, the chipset is listed.
>
> > Need to see your xorg.conf and xorg log
>
> ---xorg.conf:
> ---# File generated by xorgconfig.
>
> # all comments removed
>
> Section "Module"
>  Load        "dbe"  # Double buffer extension
>  SubSection  "extmod"
>    Option    "omit xfree86-dga"   # don't initialise the DGA extension
>  EndSubSection
>  Load        "type1"
>  Load        "freetype"
> EndSection
>
> Section "Files"
>  RgbPath    "/usr/X11R6/lib/X11/rgb"
>  FontPath   "/usr/X11R6/lib/X11/fonts/misc/"
>  FontPath   "/usr/X11R6/lib/X11/fonts/TTF/"
>  FontPath   "/usr/X11R6/lib/X11/fonts/Type1/"
>  FontPath   "/usr/X11R6/lib/X11/fonts/CID/"
>  FontPath   "/usr/X11R6/lib/X11/fonts/75dpi/"
>  FontPath   "/usr/X11R6/lib/X11/fonts/100dpi/"
>  FontPath   "/usr/X11R6/lib/X11/fonts/local/"
> EndSection
>
> Section "ServerFlags"
> EndSection
>
> Section "InputDevice"
>  Identifier "Keyboard1"
>  Driver "kbd"
>  Option "AutoRepeat" "500 30"
>  Option "XkbRules"  "xorg"
>  Option "XkbModel"  "pc104"
>  Option "XkbLayout" "de"
> EndSection
>
> Section "InputDevice"
>  Identifier "Mouse1"
>  Driver "mouse"
>  Option "Protocol"    "wsmouse"
>  Option "Device"  "/dev/wsmouse"
>  Option "ZAxisMapping" "4 5"
> EndSection
>
> Section "Monitor"
>  Identifier  "My Monitor"
>  HorizSync   31.5 - 64.3
>  VertRefresh 40-150
> EndSection
>
> Section "Device"
>  Identifier "Standard VGA"
>  VendorName "Unknown"
>  BoardName  "Unknown"
>  Driver "vga"
> EndSection
>
> # Device configured by xorgconfig:
>
> Section "Device"
>  Identifier  "nVidia Go5600"
>  Driver  "nv"
> EndSection
>
> Section "Screen"
>  Identifier  "Screen 1"
>  Device  "nVidia Go5600"
>  Monitor "My Monitor"
>  DefaultDepth 24
>  Subsection "Display"
>  Depth   16
>  Modes   "1280x1024" "1024x768" "800x600" "640x480"
>  ViewPort    0 0
>  EndSubsection
>  Subsection "Display"
>  Depth   24
>  Modes   "1600x1200" "1280x1024" "800x600" "640x480"
>  ViewPort    0 0
>  EndSubsection
> EndSection
>
> Section "ServerLayout"
>  Identifier  "Simple Layout"
>  Screen "Screen 1"
>  InputDevice "Mouse1" "CorePointer"
>  InputDevice "Keyboard1" "CoreKeyboard"
> EndSection
> ---xorg.conf.
>
> ---Xorg.0.log:
> (--) checkDevMem: using aperture driver /dev/xf86
> (--) Using wscons driver in pcvt compatibility mode (version 3.32)
> (WW) GARTInit: AGPIOC_INFO failed (Device not configured)
>
> X Window System Version 6.8.2
> Release Date: 9 February 2005
> X Protocol Version 11, Revision 0, Release 6.8.2
> Build Operating System: OpenBSD 3.7 i386 [ELF]
> Current Operating System: OpenBSD tymon.my.domain 3.7 GENERIC#50 i386
> Build Date: 16 March 2005
> Before reporting problems, check http://wiki.X.Org
> to make sure that you have the latest version.
> Module Loader present
> Markers: (--) probed, (**) from config file, (==) default setting,
> (++) from command line, (!!) notice, (II) informational,
> (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
> (==) Log file: "/var/log/Xorg.0.log", Time: Thu Oct  6 13:25:14 2005
> (==) Using config file: "/etc/X11/xorg.conf"
> (==) ServerLayout "Simple Layout"
> (**) |-->Screen "Screen 1" (0)
> (**) |   |-->Monitor "My Monitor"
> (**) |   |-->Device "nVidia Go5600"
> (**) |-->Input Device "Mouse1"
> (**) |-->Input Device "Keyboard1"
> (**) FontPath set to
> "/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/TTF/,/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/CID/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/X11R6/lib/X11/fonts/local/"
> (**) RgbPath set to "/usr/X11R6/lib/X11/rgb"
> (==) ModulePath set to "/usr/X11R6/lib/modules"
> (II) Module ABI versions:
> X.Org ANSI C Emulation: 0.2
> X.Org Video Driver: 0.7
> X.Org XInput driver : 0.4
> X.Org Server Extension : 0.2
> X.Org Font Renderer : 0.4
> (II) Loader running on openbsd
> (II) LoadModule: "bitmap"
> (II) Loading /usr/X11R6/lib/modules/fonts/libbitmap.a
> (II) Module bitmap: vendor="X.Org Foundation"
> compiled for 6.8.2, module version = 1.0.0
> Module class: X.Org Font

Sendmail TLS

2005-10-06 Thread Eric Dillenseger
Hello list,

I'm trying to setup a sendmail config using tls to use gmail as a smart-host.

I made a copy of openbsd-proto.mc as follows:
divert(-1)
#
# Default OpenBSD sendmail configuration for systems accepting mail
# from the internet.
#
# Note that lines beginning with "dnl" below are comments.

divert(0)dnl
VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
OSTYPE(openbsd)dnl
define(`SMART_HOST', `smtp.gmail.com')dnl
define(`confPRIVACY_FLAGS',
`authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`access_db', `hash -o -T /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
FEATURE(always_add_domain)dnl
FEATURE(redirect)dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
define(`confBIND_OPTS', `WorkAroundBroken')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/localsendmailcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/localsendmailkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/localsendmailcert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/localsendmailkey.pem')dnl
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_RULESETS
HMessage-Id: $>CheckMessageId

SCheckMessageId
R< $+ @ $+ >$@ OK
R$* $#error $: 553 Header Error

Followed by:
# make mysendmail.cf
rm -f mysendmail.cf
( cd /usr/share/sendmail/cf && /usr/bin/m4
/usr/share/sendmail/cf/../m4/cf.m4 mysendmail.mc >
/usr/share/sendmail/cf/mysendmail.cf )
echo "### mysendmail.mc ###" >>mysendmail.cf
sed -e 's/^/# /' /usr/share/sendmail/cf/mysendmail.mc >>mysendmail.cf
chmod 444 mysendmail.cf

Then I created the necessary certificates:
$ sudo mkdir /etc/mail/certs

$ sudo openssl dsaparam 1024 -out dsa1024.pem
Generating DSA parameters, 1024 bit long prime
This could take some time
+..++++*
.+..+...+.+.+.++.+...+...+..+.+...+.+.+...+..+...+.+++*
$ sudo openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem
  -out /etc/mail/certs/localsendmailcert.pem
  -keyout /etc/mail/certs/localsendmailkey.pem
Generating a 1024 bit DSA private key
writing new private key to '/etc/mail/certs/localsendmailkey.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) []:FR
State or Province Name (full name) []:Alsace
Locality Name (eg, city) []:Strasbourg
Organization Name (eg, company) []:Me
Organizational Unit Name (eg, section) []:mail
Common Name (eg, fully qualified host name) []:localhost
Email Address []:[EMAIL PROTECTED]

$ sudo ln -s /etc/mail/certs/localsendmailcert.pem /etc/mail/certs/CAcert.pem
$ sudo rm dsa1024.pem

$ sudo chmod -R go-rwx /etc/mail/certs

Then I ran sendmail with -C/etc/mail/mysendmail.cf

When I tried to send an email from mutt, I got the following log:
Oct  6 22:53:04 castor sm-mta[29257]: starting daemon (8.13.4):
[EMAIL PROTECTED]:30:00
Oct  6 22:53:06 castor sm-mta[20830]: STARTTLS=client,
relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
cipher=DES-CBC3-SHA, bits=168/168
Oct  6 22:53:06 castor sm-mta[20830]: j95E6r6E009458:
to=<[EMAIL PROTECTED]>, delay=1+06:46:13,
xdelay=00:00:02, mailer=relay, pri=5611353, relay=smtp.gmail.com
[72.14.205.109], dsn=5.0.0, stat=Service unavailable
Oct  6 22:55:14 castor sendmail[17077]: j96KtEQB017077: from=ericd,
size=561, class=0, nrcpts=1,
msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Oct  6 22:55:14 castor sendmail[17077]: STARTTLS=client,
relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: STARTTLS=server,
[EMAIL PROTECTED] [127.0.0.1], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: j96KtEx1000721:
from=

About VLAN and Carp

2005-10-06 Thread Léo Goehrs
Hi Everyone,



I am using OpenBSD and the great pf in a production environment.



I want to be able to use vlan and carp at the same time.



I have two firewalls. These two boxes are responsible for a number of subnets.
I want to have a number of vlans defined on the openbsd to feed my Distribution
Switch. Now I can do it, but only on the physical interface so I lose the
redundancy.



On a cisco, it would mean having a few VLAN with a router-interface for each.

Each virtual interface would have VRRP enabled.



When I try



ifconfig vlan0 vlan 11 vlandev carp0



It gives me an error. Is there a way to do that?



Regards



Leo Goehrs
CTO



Work: +33 1 39 02 76 15
Mobile: +33 6 89 99 14 06
Fax: +33 1 39 02 01 51

Email: [EMAIL PROTECTED] 
IM: 10257254 (ICQ)






Alionis 
15 rue de la Paroisse
 Versailles 78000
France




Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:49:02 -0400
"Dave Anderson" <[EMAIL PROTECTED]> wrote:

> That's not quite the whole story: 53/tcp is also used when the
> response to a query is too big for a single UDP packet (the resolver
> sends a UDP query and gets a 'truncated' UDP reply, so the resolver
> retries the query using TCP) -- you should always pass both UDP and
> TCP for port 53 to avoid occasional obscure failures.

Works fine on the 2 domains where it's been implemented, of which
I handled the conversion from BIND style to djbdns. No problems on UDP
lookups alone, including some deep CNAMEs, which are just not required,
but I'll deal with those at a later date.

I haven't seen any problems since the change. Lookup times have
improved, I can't state if this is due to the lack of TCP or the file
system overheads with zone files, but I expect a mixture of the two.

-- 
Regards, Ed http://www.usenix.org.uk



Re: xorg with Nvidia Go5600 at 1600x1200

2005-10-06 Thread Stephan Tesch
On Thursday, 6 October 2005 11:36, you wrote:

Hi Stefan,

> (II) NV(0): Not using mode "1600x1200" (no mode of this name)

This seems to be your problem. Caused by this:

> (II) NV(0): Not using default mode "1600x1200" (hsync out of range)

You should try to create a modeline for 1600x1200 matching your screen's 
capabilities. gtf(1) seems to be the way to go for that.

Regards, 
Stephan



Re: dual DVI graphics card

2005-10-06 Thread Matthew Weigel
Aaron Glenn wrote:
> I'm looking for a well supported dual DVI graphics card to run
> 1920x1200 on two monitors. Is anyone running this type of setup
> currently, and if so could you detail the graphics card model and your
> experiences setting it up?

In theory, you should be able to answer your question simply by me
mentioning that radeon(4) supports dual displays on video cards still
available through retail channels.

However, I'll point out a bit more: Google suggests that Radeons as far
back as the 7500 have supported 1920x1200, and the Radeon 9600 has
specific mention on ATI's site for supporting 1920x1200 (without
'dual-link' DVI).  ATI sells a Radeon 9600 "PC/Mac Edition" with two DVI
outputs for $199, so it looks like everything is in place.  Further, it
looks like NewEgg stocks a card sold by "HIS Hightech" that is also a
Radeon 9600 with two DVI outputs.

Finally, I can vouch for dual displays working fine on Radeon cards,
although I use a card with one DVI and one VGA output.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread William Bloom
I am a new owner of two Soekris 4801s running OpenBSD 3.7 (generic) with
pf/pfsync/carp for redundant firewalling.  I've encountered a problem with
high interrupts (and some packet loss), and after having perused the on-line
FAQ/forums and finding nothing that I could identify as matching the symptoms
I've observed, I am now looking for pointers on how to isolate the problem and
perhaps fix it.

I have sis0 in use for the outer interface, sis2 for the inner, sis1 for
pfsync.  There is an inner carp'd interface address (carp0) and an outer
(carp1).  The configuration is generally along the lines of the FAQ and man
pages.

When traffic through the Soekris reaches approximately 4Mbs, the interrupt mode
reported by top reaches 75% or higher and there is a measurable packet loss (1%
- 5% or so).  From 'pfctl -si', the congestion counter goes up rapidly when the
interrupts are highest.  The interrupt mode increases as the traffic volume
increases, and goes down to about 1% when I failover to the other firewall.
When I failover, I observe exactly the same behavior on the newly active
firewall.

Checking forums, I see that there have been reports of very high interrupts on
the sis device in the past for OpenBSD on Soekris, but I read that these were
all corrected in recent OpenBSD releases (and the problem I read about only
applied whenever one sis interface was left 'down', which is not the case for
my circumstances since all interfaces are in use).

I've checked with Soekris, and they've not heard of symptoms such as I describe
with OpenBSD 3.7.  I've not noticed anything amiss in dmesg or
/var/log/messages (well, all sis devices are sharing IRQ 10 but this is normal
on a 4801, the FAQ states that this is not a problem, and other 4801 users
haven't reported symptoms like the ones I describe).  I haven't posted dmesg or
other info in this message (I thought it might be rude to do so without being
asked).

Can anyone offer pointers on how I might go about isolating this problem?


Bill
-- 
William Bloom | Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100
Fax: +11-602-604-3115 | http://www.eldocomp.com




Re: [Soekris] Ubiquity 400mW mini-PCI

2005-10-06 Thread Vincent Immler

maybe this link helps:

http://www.exergia.biz/ptp/exap-GMF.htm



Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed...

> I use TinyDNS here, so we don't really need to transfer zones as its
> handled with a single data file. CARP can be good with DNS.

53/tcp *is* required to answer normal queries.

Since you're drinking djb's koolaid, see 



512-bytes uncommon or a "mistake"? I think not.



Re: WLAN (Linksys WPC111) + WEP

2005-10-06 Thread Nikolaus Hiebaum
* Joost Tr wrote on Oct 6, 2005 [10:00, -] :

> can you connect with open authentication (-A 1) when you set to open auth.
> AP too

Yes, with open authentication it works. I am not savvy enough to understand the
difference.
What is the difference between open and shared key? And what does it mean that
the open auth. works and the shared one doesn't?

-- 
Beste Grüße / Best regards,
Nikolaus Hiebaum



Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed <[EMAIL PROTECTED]> on Thu, 6 Oct 2005
14:04:20 +0100

>Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

That's not quite the whole story: 53/tcp is also used when the response
to a query is too big for a single UDP packet (the resolver sends a UDP
query and gets a 'truncated' UDP reply, so the resolver retries the
query using TCP) -- you should always pass both UDP and TCP for port 53
to avoid occasional obscure failures.

>pass in on $ext_if proto udp from any to $DNS port 53 keep state
>
>and if required:
>
>pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

Dave

-- 
Dave Anderson
<[EMAIL PROTECTED]>
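
The truncation and TCP-retry behaviour Dave Anderson describes here, and in the RFC text he quotes in his follow-up, as an added example that is not part of the original thread: a Python simulation of a resolver that discards a reply with TC set and retries over TCP, run against a firewall that does or does not pass 53/tcp. The server, the network functions, the name example.test and the record contents are all constructed for illustration.

```python
import struct

QR, AA, TC, RD = 0x8000, 0x0400, 0x0200, 0x0100  # DNS header flag bits
UDP_LIMIT = 512  # largest DNS message a plain (non-EDNS) UDP reply may carry


class BlockedByFirewall(Exception):
    """Raised by the simulated network when 53/tcp is not passed."""


def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035, 3.1)."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qid, name, qtype=16):
    """One-question query; qtype 16 is TXT, class 1 is IN."""
    return (struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def parse_header(msg):
    """Extract the header fields a resolver needs to decide on a TCP retry."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "response": bool(flags & QR),
            "truncated": bool(flags & TC), "ancount": ancount}


def build_response(query, txt_strings, over_udp):
    """Constructed authoritative server: answer with TXT records, but send
    an empty reply with TC set if the UDP reply would exceed 512 bytes."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answers = b""
    for text in txt_strings:
        rdata = bytes([len(text)]) + text
        # 0xC00C is a compression pointer to the name in the question.
        answers += struct.pack("!HHHIH", 0xC00C, 16, 1, 300, len(rdata)) + rdata
    flags = QR | AA | RD
    full = (struct.pack("!HHHHHH", qid, flags, 1, len(txt_strings), 0, 0)
            + question + answers)
    if over_udp and len(full) > UDP_LIMIT:
        return struct.pack("!HHHHHH", qid, flags | TC, 1, 0, 0, 0) + question
    return full


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("TCP length prefix does not match payload")
    return data[2:]


def resolve(query, udp_exchange, tcp_exchange):
    """Ask over UDP first; on TC, ignore that reply and ask again over TCP."""
    reply = udp_exchange(query)
    header = parse_header(reply)
    if not header["response"] or header["id"] != parse_header(query)["id"]:
        raise ValueError("reply does not match query")
    if not header["truncated"]:
        return "udp", reply
    return "tcp", tcp_unframe(tcp_exchange(tcp_frame(query)))


def make_network(txt_strings, pass_tcp_53):
    """Simulated path to the server; pass_tcp_53 models the pf rule set."""
    def udp_exchange(query):
        return build_response(query, txt_strings, over_udp=True)

    def tcp_exchange(framed):
        if not pass_tcp_53:
            raise BlockedByFirewall("53/tcp is not passed")
        reply = build_response(tcp_unframe(framed), txt_strings, over_udp=False)
        return tcp_frame(reply)

    return udp_exchange, tcp_exchange


def lookup_outcome(txt_strings, pass_tcp_53):
    """Return (transport or 'failed', number of answers received)."""
    query = build_query(0x1234, "example.test")
    udp_exchange, tcp_exchange = make_network(txt_strings, pass_tcp_53)
    try:
        transport, reply = resolve(query, udp_exchange, tcp_exchange)
    except BlockedByFirewall:
        return "failed", 0
    return transport, parse_header(reply)["ancount"]


SMALL_RRSET = [b"v=short"]      # constructed: fits in one UDP reply
LARGE_RRSET = [b"x" * 200] * 4  # constructed: about 880 bytes, forces TC

if __name__ == "__main__":
    for rrset, label in ((SMALL_RRSET, "small"), (LARGE_RRSET, "large")):
        for pass_tcp in (False, True):
            print(label, "pass 53/tcp:", pass_tcp, lookup_outcome(rrset, pass_tcp))
```

With only the UDP rule in place the small record set resolves and the large one fails, which is the occasional obscure failure the message warns about.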



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Daniel Ouellet

Claudio Jeker wrote:

On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:


==

Without MD5 configured.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with delay.

With bgpd slave
Clear session from bgpd side, session comes back up with delay.
Clear session from remote side, session comes back up with possible very 
long delay. Much bigger than when master.





I see similar delays with my test setup. Most of the time it takes longer
for a session to come back up because of different timers that are run.
After a clear a reopen is tried immediately and that is most often
blocked. In my case the cisco seems to be too slow to close the session in
time for the reopen.
It also matters where you close the connection because in one case the
idle timer is run (30s) instead of the connect retry timer (120s).
Also the idle timer starts to grow if you flap the session often.


The interesting facts here for me were how different it was for each 
side. I did this many times 10x+ on each setup to see. bgpd master to 
Cisco and clear from bgpd side to Cisco, the Cisco session comes back up 
instantly. As for Cisco master initiate clear to bgpd, was the slowest 
by far. I mean much longer. The other two possibilities are pretty much 
equal. It was an interesting finding nevertheless. Why, I am not sure 
however.




Now with MD5 configured. We only add

tcp md5sig password test on bgpd side and
neighbor 66.63.12.108 password test on the Cisco side.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with possible very 
long delay.


With bgpd slave
Just can't establish a session whatsoever! The Cisco side will get 
stuck in the OpenSent mode and cycle a few times all without success.


66.63.12.1084 65001   0   1000 neverOpenSent




I can't reproduce this. On my test setup all session come back up.


I will try current again, and send even more details on my setup, or if
you ever want to check it out, I have no problem whatsoever providing
you access to both boxes directly for you to check it out as well. Just
say the word if interested. I tried Cisco IOS 12.3x and 12.4x, same
results so far.


> > Now looking at the logs from each side. OpenBSD try to use the port
> > tcp/56923 and from the Cisco side we see this error:
> >
> > 35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> > 36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
>
> This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST
> packets. Now that's just stupid because it is not possible to do that in
> some cases because the other side does not know the key at that time (e.g.
> to signalize that the port is unavailable).
> In your case this means that somehow the connection from the cisco to your
> OpenBSD box is blocked or there is nothing listening on port 179.


Last tests at ~5 AM this morning still show me this, and nothing was in
the path for blocking it at all. I will recheck as it's been a few days
without sleep so far, so I admit, I could start to be fuzzy a bit. Lack
of sleep, but I will make sure before saying false things here. But in
any case, not that I like it whatsoever, I am not sure of the
Cizzz-coee stuff. The sad thing is that they have a huge portion of the
Internet routers still, hopefully changing quickly, but still, we need
to interact with them a lot.


> > Looks like the OpenBSD side do not provide the MD5 to the Cisco to
> > establish the session.
>
> OpenBSD only misses the MD5 digest on the RST packets and that is actually
> OK. RFC 2385 actually mentions this special case in 4.1:
>
>    A connectionless reset will be ignored by the receiver of the reset,
>    since the originator of that reset does not know the key, and so
>    cannot generate the proper signature for the segment.  This means,
>    for example, that connection attempts by a TCP which is generating
>    signatures to a port with no listener will time out instead of being
>    refused.  Similarly, resets generated by a TCP in response to
>    segments sent on a stale connection will also be ignored.
>    Operationally this can be a problem since resets help BGP recover
>    quickly from peer crashes.


I can deal with that delay and I agree that it makes sense to refuse the
reset, or ignore it, however, it looks like so far the session doesn't
reset. Maybe because it still receives messages from the Cisco side
on wrong ports, but somehow sees it as keep alive. I really don't know
what I am saying here, just a weird thought, but so far the results are
that it doesn't reset. I will test in more detail again. But just
know that something is not active in the best interest of the session
here somewh

dual DVI graphics card

2005-10-06 Thread Aaron Glenn
I'm looking for a well supported dual DVI graphics card to run
1920x1200 on two monitors. Is anyone running this type of setup
currently, and if so could you detail the graphics card model and your
experiences setting it up? I've got my eye on the Matrox Millennium
P750 card, but I can't find anything on any kind of support for
OpenBSD (I'm not looking to run Linux, Solaris, or even FreeBSD all of
which seem to have some sort of support).

any advice is appreciated,
aaron.glenn



Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu,  6 Oct 2005 16:55:05 +0400
Vladimir Potapov <[EMAIL PROTECTED]> wrote:

> We have 1 server on which running firewall and DNS master service. And
> we planned to install another server for load balancing and redundancy.
> 2 servers(each have running PF and BIND) will balancing load (or one
> will master and other slave) for DNS and PF.
> Does anyone protect DNS service via CARP and PFsync? Does it work?
> Whether there can be problems(for example, with zones transfers, dns
> queries 

Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

pass in on $ext_if proto udp from any to $DNS port 53 keep state

and if required:

pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

I use TinyDNS here, so we don't really need to transfer zones as it's
handled with a single data file. CARP can be good with DNS.

-- 
Regards, Ed http://www.usenix.org.uk



Re: kernel pppoe problem : pppoe0 : timeout

2005-10-06 Thread Didier Wiroth
concerning my original post:
sorry, I made a typo error in my hostname.pppoe0.
I have this line:
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x

I do NOT have  "link1" in the line, as written in the previous mail!!!



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Daniel Ouellet

Claudio Jeker wrote:

> > With bgpd master
> > Clear session from bgpd side, session comes back up right away.
> > Clear session from remote side, session comes back up with delay.
> >
> > With bgpd slave
> > Clear session from bgpd side, session comes back up with delay.
> > Clear session from remote side, session comes back up with possible very
> > long delay. Much bigger than when master.
>
> I think this is fixed in -current. Henning committed something to make the
> delays on neighbor clears faster.


My first tests were done with current (Sep 29), but with a small
difference in the lab setup. It was done in a live network. But I will
sure redo it again. It's too important to me to not be 150% sure it's
working well. So far, it just wasn't. I have well over 100+ peer
sessions, of which ~70+ are using MD5 and I can't not have them stable.
Plus I have no choice as well but to either buy bigger Cisco routers, and
hell I don't want that! Or use OpenBSD and that's what I want. I am fed
up with the CPU power limitations of Cisco and I will kiss them goodbye!


> > Even reloading the Cisco router and killing the bgpd and starting new,
> > it will not come up!
> >
> > Always the same errors in the logs.
> >
> > No MD5 digest received from the OpenBSD side looks like.
>
> It looks like the tcpmd5 is enabled too late when opening a session.
> I try to have a look at it.


You have no idea how much I would appreciate that! I started to look at 
the code, but that's a long process for me.



> > ===
> >
> > Why is bgpd will not establish a session as slave when MD5 is configure
> > even if the RFC said both sides should be allow to do so?
> >
> > bgpd wants to be the master every time?
> >
> > Something sure looks weird here.
>
> That's more like a bug. Btw. MD5 between two bgpd is working, at least it
> works for me.


That's what I thought, but I know better than starting to say there is a
bug. Before I do, I sure want to be sure, but it does look like it to me
however so far. My tests so far show that you can have MD5 as long as
OpenBSD is master, but cleared sessions, depending on which side initiates
it, don't come back in one case and are slow in the other. (That was with
3.7 for my last tests on this one) Will redo.



> > ==
> >
> > But it should be establish however for MD5 for sure as any sides can be
> > the master in a bgp session.
> >
> > However, not here?
> >
> > Comments on this?
> >
> > I think my tests are valid. Am I doing something I should be doing here?
> > I don't think so, but that's what I found so far and why I can't keep a
> > stable session with MD5 enable on it.
>
> For me it looks like a bug for now.


Same thought here.

Daniel



kernel pppoe problem : pppoe0 : timeout

2005-10-06 Thread Didier Wiroth
Hello,
(sorry for the long post!)
I used the ppp pppoe (for my dsl connection)  for some while and decided to 
switch to the kernel implementation.

I'm actually having a problem with kernel pppoe, after a reboot or when I try 
to connect/reconnect it takes about 
1 minute before it is able to connect. While running "ifconfig pppoe0 debug" 
(see below) I noticed a few "pppoe0: timeout"

When I used the ppp's pppoe implementation the connection and reconnection were 
almost instant. 

For information, here is my old ppp.conf:

default:
 set log Phase tun command
 set redial 7 0
 set reconnect 7 1

provider:
 set device "!/usr/sbin/pppoe -i sis2"
 disable acfcomp iface-alias deflate protocomp vjcomp pred1 ipv6cp
 deny acfcomp
 set mtu max 1454
 set mru max 1454
 set speed sync
 enable lqr
 set lqrperiod 5
 set dial
 set login
 set timeout 0
 set authname "xyz"
 set authkey xyz
 add default HISADDR
 enable mssfixup
 set server /var/run/internet "" 0177


Now, here is my new hostname.pppoe0
pppoedev sis2
!/sbin/ifconfig sis2 up media 10baseT 
!/usr/sbin/spppcontrol \$if myauthproto=pap myauthname=xyz \
myauthkey=xyz
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x link1
!/sbin/route add default 0.0.0.1
!/usr/local/sbin/noip2 -c /etc/no-ip2.conf
up

Here is my dmesg and "ifconfig pppoe0 debug" output:

Oct  6 19:29:10 gate /bsd: syncing disks... done
Oct  6 19:29:10 gate /bsd: OpenBSD 3.8 (GENERIC) #1: Fri Sep 30 21:09:23 CEST 2005
Oct  6 19:29:10 gate /bsd: [EMAIL PROTECTED]:/home/cvs/OPENBSD_3_8/src/sys/arch/i386/compile/GENERIC
Oct  6 19:29:10 gate /bsd: cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
Oct  6 19:29:10 gate /bsd: cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
Oct  6 19:29:10 gate /bsd: cpu0: TSC disabled
Oct  6 19:29:10 gate /bsd: real mem  = 133799936 (130664K)
Oct  6 19:29:10 gate /bsd: avail mem = 115470336 (112764K)
Oct  6 19:29:10 gate /bsd: using 1658 buffers containing 6791168 bytes (6632K) of memory
Oct  6 19:29:10 gate /bsd: mainbus0 (root)
Oct  6 19:29:10 gate /bsd: bios0 at mainbus0: AT/286+(00) BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
Oct  6 19:29:10 gate /bsd: pcibios0 at bios0: rev 2.0 @ 0xf/0x1
Oct  6 19:29:10 gate /bsd: pcibios0: pcibios_get_intr_routing - function not supported
Oct  6 19:29:10 gate /bsd: pcibios0: PCI IRQ Routing information unavailable.
Oct  6 19:29:10 gate /bsd: pcibios0: PCI bus #0 is the last bus
Oct  6 19:29:10 gate /bsd: bios0: ROM list: 0xc8000/0x9000
Oct  6 19:29:10 gate /bsd: cpu0 at mainbus0
Oct  6 19:29:10 gate /bsd: pci0 at mainbus0 bus 0: configuration mode 1 (bios)
Oct  6 19:29:10 gate /bsd: pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
Oct  6 19:29:10 gate /bsd: sis0 at pci0 dev 6 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, address 00:00:24:c2:9d:38
Oct  6 19:29:10 gate /bsd: nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
Oct  6 19:29:10 gate /bsd: sis1 at pci0 dev 7 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, address 00:00:24:c2:9d:39
Oct  6 19:29:10 gate /bsd: nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
Oct  6 19:29:10 gate /bsd: sis2 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, address 00:00:24:c2:9d:3a
Oct  6 19:29:11 gate /bsd: nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
Oct  6 19:29:11 gate /bsd: hifn0 at pci0 dev 10 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 11
Oct  6 19:29:11 gate /bsd: gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
Oct  6 19:29:11 gate /bsd: gpio0 at gscpcib0: 64 pins
Oct  6 19:29:11 gate /bsd: "NS SC1100 SMI/ACPI" rev 0x00 at pci0 dev 18 function 1 not configured
Oct  6 19:29:11 gate /bsd: pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
Oct  6 19:29:11 gate /bsd: wd0 at pciide0 channel 0 drive 0: 
Oct  6 19:29:11 gate /bsd: wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
Oct  6 19:29:11 gate /bsd: wd1 at pciide0 channel 0 drive 1: 
Oct  6 19:29:11 gate /bsd: wd1: 1-sector PIO, LBA, 245MB, 501760 sectors
Oct  6 19:29:11 gate /bsd: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
Oct  6 19:29:11 gate /bsd: wd1(pciide0:0:1): using PIO mode 4, DMA mode 2
Oct  6 19:29:11 gate /bsd: geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
Oct  6 19:29:11 gate /bsd: ohci0 at pci0 dev 19 function 0 "Compaq USB OpenHost" rev 0x08: irq 5, version 1.0, legacy support
Oct  6 19:29:11 gate /bsd: usb0 at ohci0: USB revision 1.0
Oct  6 19:29:11 gate /bsd: uhub0 at usb0
Oct  6 19:29:11 gate /bsd: uhub0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
Oct  6 19:29:11 gate /bsd: uhub0: 3 ports with 3 removable, self powered
Oct  6 19:29:11 gate /bsd: isa0 at gscpcib0
Oct  6 19:29:11 gate /bsd: isadma0 at isa0
Oct  6 19:29:11 gate /bsd: pckbc0 at isa0 port 0x60/5
Oct  6 19:29:11 gate /bsd: pckb

Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?

2005-10-06 Thread tony sarendal
On 06/10/05, Xavier Beaudouin <[EMAIL PROTECTED]> wrote:
> [...]
>
> >
> > The announce keyword is mostly for simple setups. For transit providers
> > announce should be set to all and real bgp filtering should be used.
> >
> > The idea of announce is that small multihomed setups with e.g. two uplinks
> > just work in a safe manner (defaulting to self and so not the full table
> > is reexported).
> >
>
> Thanks Claudio,
>
> But can you provide me a more detailed example. Because I have some
> difficulties to make a filter for such setup...
>

The best way to make a scalable setup is by using bgp communities.
That way your transit/peering routers advertise based on information
you can set on origin or ingress into your network, not depending on
the prefix/as itself.

I have not checked how bgpd and community support looks in -current,
but when experimenting a few months back I had some problems with
setting multiple communities and I was also forced to use an external
route-server to see what was happening in my test network. I intend to
give this a new try when I have finished the project I'm currently
working on.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   "I couldn't help it, it's my nature" =-



Error on pkg_add on openbsd 3.8

2005-10-06 Thread gwost
Hello

I have a smaller server with openbsd 3.8 on it. It's all doing great, except the
function pkg_add. I get:

bash-3.00# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/s.../symon-2.71.tgz
Can't locate object method "add_size" via package
"OpenBSD::PackingElement::FDESC" at
/usr/libdata/perl5/OpenBSD/PackingElement.pm line 545, <$fh> line 8.


How to fix that?

thanks



Re: sh-script executing

2005-10-06 Thread Han Boetes
Otto Moerbeek wrote:
> On Thu, 6 Oct 2005, Han Boetes wrote:
> > In the meanwhile this behaviour has been changed in CVS.
> > Perhaps this will get backported as well. And if not it's
> > pretty easy to backport I'd guess.
>
> What commit are you referring to? You can say that I'm closely
> involved, but I have no idea which commit you are referring to.

Oops

I completely misread this message. My bad.


-
Synopsis: sh executing extra lines, if script file was changed (grown) during 
execution

State-Changed-From-To: open->closed
State-Changed-By: tom
State-Changed-When: Thu Oct 6 05:16:19 MDT 2005
State-Changed-Why:
Don't edit shell scripts while they are running.  This is standard
UNIX behaviour.  Sorry.
--


# Han



Fwd: Fwd: ntop

2005-10-06 Thread Jernej Vodopivec
Again forgot to cc:

-- Forwarded message --
From: Jernej Vodopivec <[EMAIL PROTECTED]>
Date: Oct 6, 2005 5:22 PM
Subject: Re: Fwd: ntop
To: Andreas Bihlmaier <[EMAIL PROTECTED]>


ntop
- displays data in html - can be viewed from any workstation without
installing additional products so
- it is easier to use
- displays traffic statistics
- stores statistics data...

Jernej

On 10/6/05, Andreas Bihlmaier <[EMAIL PROTECTED]> wrote:
> Just as a question: In what way is "ntop" superior to "pftop -v speed -o rate" ?
> Sure it perhaps is a matter of preference, but I just want to know :)



unsuscribe

2005-10-06 Thread RGKärcher
unsubscribe

Ricardo german Kärcher




Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?

2005-10-06 Thread Xavier Beaudouin
[...]

>
> The announce keyword is mostly for simple setups. For transit providers
> announce should be set to all and real bgp filtering should be used.
>
> The idea of announce is that small multihomed setups with e.g. two uplinks
> just work in a safe manner (defaulting to self and so not the full table
> is reexported).
>

Thanks Claudio,

But can you provide me a more detailed example. Because I have some
difficulties to make a filter for such setup...

/Xavier
-- 
When you keep trying, you eventually succeed. So, the more it fails,
the better the chance that it will work...
(Shadok proverb)



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Claudio Jeker
On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:
> More on this with test results, example, setup use, and more details.
> 

> ==
> 
> Without MD5 configure.
> 
> With bgpd master
> Clear session from bgpd side, session comes back up right away.
> Clear session from remote side, session comes back up with delay.
> 
> With bgpd slave
> Clear session from bgpd side, session comes back up with delay.
> Clear session from remote side, session comes back up with possible very
> long delay. Much bigger than when master.
>

I see similar delays with my test setup. Most of the time it takes longer
for a session to come back up because of different timers that are run.
After a clear a reopen is tried immediately and that is most often
blocked. In my case the cisco seems to be too slow to close the session in
time for the reopen.
It also matters where you close the connection because in one case the
idle timer is run (30s) instead of the connect retry timer (120s).
Also the idle timer starts to grow if you flap the session often.

> 
> 
> Now with MD5 configure. We only add
> 
> tcp md5sig password test on bgpd side and
> neighbor 66.63.12.108 password test on the Cisco side.
> 
> With bgpd master
> Clear session from bgpd side, session comes back up right away.
> Clear session from remote side, session comes back up with possible very 
> long delay.
> 
> With bgpd slave
> Just can't establish a session whatsoever! The Cisco side will get
> stuck in the OpenSent mode and cycle a few times all without success.
>
> 66.63.12.1084 65001   0   1000 neverOpenSent
>

I can't reproduce this. On my test setup all sessions come back up.

...

> Now looking at the logs from each side. OpenBSD try to use the port 
> tcp/56923 and from the Cisco side we see this error:
> 
> 35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> 36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> 

This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST
packets. Now that's just stupid because it is not possible to do that in
some cases because the other side does not know the key at that time (e.g.
to signalize that the port is unavailable).
In your case this means that somehow the connection from the cisco to your
OpenBSD box is blocked or there is nothing listening on port 179.

> Looks like the OpenBSD side do not provide the MD5 to the Cisco to 
> establish the session.
> 

OpenBSD only misses the MD5 digest on the RST packets and that is actually 
OK. RFC 2385 actually mentions this special case in 4.1:
   A connectionless reset will be ignored by the receiver of the reset,
   since the originator of that reset does not know the key, and so
   cannot generate the proper signature for the segment.  This means,
   for example, that connection attempts by a TCP which is generating
   signatures to a port with no listener will time out instead of being
   refused.  Similarly, resets generated by a TCP in response to
   segments sent on a stale connection will also be ignored.
   Operationally this can be a problem since resets help BGP recover
   quickly from peer crashes. 

> It doesn't matter if I clean the session from the Cisco side, or the 
> bgpd side, order, etc. Both side, many times, what ever. It will simply 
> not come up!
> 
> Even reloading the Cisco router and killing the bgpd and starting new,
> it will not come up!
> 
> Always the same errors in the logs.
> 
> No MD5 digest received from the OpenBSD side looks like.
> 

Does it initially come up? As I said I can not reproduce it.

> ===
> 
> Why is bgpd will not establish a session as slave when MD5 is configure 
> even if the RFC said both sides should be allow to do so?
> 
> bgpd wants to be the master every time?
> 
> Something sure looks weird here.
> 

Are you running pf? Perhaps the packet get blocked or modified on the way
in and so the session is reset.
Check with netstat -sptcp for the md5 counters.

BTW. I mostly reused your config. I just disabled soft-reconfig inbound
because my 2500 testbox would probably not survive that.

-- 
:wq Claudio
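
The receiver-side behaviour described in the message above (an unsigned RST arriving on a connection that has a TCP MD5 key is dropped, which is what the quoted %TCP-6-BADAUTH lines report), as an added example that is not code from this thread, from bgpd or from any router. It follows the digest input order given in RFC 2385; the function names, sequence numbers and window value are constructed for the example, and the ordinary TCP checksum is left at zero.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19  # option kind 19: RFC 2385
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
IPPROTO_TCP = 6


def md5_digest(src_ip, dst_ip, fixed_header, payload, key, segment_len):
    """Digest input order from RFC 2385: pseudo-header, the 20-byte TCP header
    with a zero checksum (options excluded), segment data, then the key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, segment_len))
    header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                  payload=b"", key=None):
    """Return TCP header + options + data; signed only when a key is given."""
    options = b""
    if key is not None:
        # NOP, NOP, kind=19, length=18, then room for the 16-byte digest.
        options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, 18]) + bytes(16)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, 16384, 0, 0)
    if key is not None:
        total = len(fixed) + len(options) + len(payload)
        options = options[:4] + md5_digest(src_ip, dst_ip, fixed, payload, key, total)
    return fixed + options + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # malformed option list: stop parsing
        if kind == TCPOPT_MD5SIG and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None


def check_segment(src_ip, dst_ip, segment, key):
    """Receiver-side decision for a connection that has a key configured."""
    if len(segment) < 20:
        return "drop: truncated header"
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return "drop: truncated header"
    received = find_md5_option(segment[20:header_len])
    if received is None:
        return "drop: no MD5 digest"
    expected = md5_digest(src_ip, dst_ip, segment[:20], segment[header_len:],
                          key, len(segment))
    if not hmac.compare_digest(received, expected):
        return "drop: bad MD5 digest"
    return "accept"


def demo():
    key = b"test"  # the password shown in the thread's config lines
    # Addresses and ports as in the quoted log; .107 logged the BADAUTH lines.
    logger, peer = "66.63.12.107", "66.63.12.108"
    # Sequence and acknowledgement numbers are constructed for the example.
    syn = build_segment(logger, peer, 56923, 179, 1000, 0, TCP_SYN, key=key)
    rst = build_segment(peer, logger, 179, 56923, 0, 1001, TCP_RST | TCP_ACK)
    other = build_segment(peer, logger, 179, 56923, 0, 1001,
                          TCP_RST | TCP_ACK, key=b"other")
    altered = bytearray(syn)
    altered[7] ^= 0x01  # sequence number changed after signing
    return {
        "signed SYN": check_segment(logger, peer, syn, key),
        "unsigned RST": check_segment(peer, logger, rst, key),
        "RST signed with another key": check_segment(peer, logger, other, key),
        "signed SYN, altered in transit": check_segment(logger, peer, bytes(altered), key),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```
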



openbgpd server hardware

2005-10-06 Thread David Hill
Hello -
We are planning to build an OpenBSD server to be our edge router.  We are 
terminating 5 DS3's into two Cisco routers and using bridge-groups and vlans to 
separate the connections.  This works very well in our test setup.

We plan on building two servers and using carp for redundancy.  Our initial 
setup includes AMD Opterons with 1GB RAM.  We will need PCI-X, or at least 
PCI/66Mhz NIC's for this project.  I have been told SysKonnect is the way to 
go, but to wait on support for their new SK-9SXX series cards.  We need 2 
dual-port gigabit cards.

The time is approaching where we need to implement this.  Do any of the 
developers know the status of the support for the SysKonnect SK-9SXX series?  
What gigabit chipsets should be my second choice?

Thanks
David 



Re: Fwd: ntop

2005-10-06 Thread shane mullins
Ntop has a built in webserver that displays data in html that can be
viewed from any workstation.

Shane

- Original Message - 
From: "Andreas Bihlmaier" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, October 06, 2005 1:30 AM
Subject: Re: Fwd: ntop


> > I think he wants to compile version 3.1  - in ports tree there is
> > version 1.1.
> >
> > Are there any plans yet about porting newer version of ntop in next
> > versions of obsd?
>
> Just as a question: In what way is "ntop" superior to "pftop -v speed -o rate" ?
> Sure it perhaps is a matter of preference, but I just want to know :)
>
> >
> > Jernej
> >
> > On 10/1/05, Brian A. Seklecki <[EMAIL PROTECTED]> wrote:
> > > What platform are you on? Are you compiling it from source?
> > >
> > > It works just fine in 3.7/i386.
> > >
> > > Just:
> > >
> > > bash-3.00# cd /usr/ports/net/ntop && make install clean
> > >
> > >
> > > If you insist on source, try looking at /usr/ports/net/ntop/patches/*
> > >
> > > Try reading about Ports in the FAQ.
> > >
> > > ~BAS
>
> Greetz,
> ahb



Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?

2005-10-06 Thread Claudio Jeker
On Thu, Oct 06, 2005 at 03:18:41PM +0200, Xavier Beaudouin wrote:
> Hello,
> 
> I'd like to find the good working solution when sending AS announces to
> our peering / transit neighbor.
> 
> In fact on bgpd.conf man page we have :
> 
> 
> neighbor $peer1 {
>remote-as 65001
>announce 
>}
> 
> With foo :
> 
>   announce (all|none|self|default-route)
> 
> Problem is that I need to announce for example a pair of AS number..
> 
> How can I do that with openbgpd ?
> 

The announce keyword is mostly for simple setups. For transit providers
announce should be set to all and real bgp filtering should be used.

The idea of announce is that small multihomed setups with e.g. two uplinks
just work in a safe manner (defaulting to self and so not the full table
is reexported).

-- 
:wq Claudio



Re: sh-script executing

2005-10-06 Thread Otto Moerbeek
On Thu, 6 Oct 2005, Han Boetes wrote:

> Andreas Kahari wrote:
> > Yes, sh(1) will probably keep a descriptor to the old file and
> > keep using it until done.
> >
> > However, does this have any kind of other implications? The
> > behaviour that Ilya pointed out would not occur to me to be
> > expected...
> 
> In the meanwhile this behaviour has been changed in CVS. Perhaps
> this will get backported as well. And if not it's pretty easy to
> backport I'd guess.



What commit are you referring to? You can say that I'm closely
involved, but I have no idea which commit you are referring to.

-Otto



Re: sh-script executing

2005-10-06 Thread Han Boetes
Andreas Kahari wrote:
> Yes, sh(1) will probably keep a descriptor to the old file and
> keep using it until done.
>
> However, does this have any kind of other implications? The
> behaviour that Ilya pointed out would not occur to me to be
> expected...

In the meanwhile this behaviour has been changed in CVS. Perhaps
this will get backported as well. And if not it's pretty easy to
backport I'd guess.



# Han



Transit with OpenBGPd... How to allow only on or two as neighbor only ?

2005-10-06 Thread Xavier Beaudouin
Hello,

I'd like to find the good working solution when sending AS announces to
our peering / transit neighbor.

In fact on bgpd.conf man page we have :


neighbor $peer1 {
   remote-as 65001
   announce 
   }

With foo :

  announce (all|none|self|default-route)

Problem is that I need to announce for example a pair of AS number..

How can I do that with openbgpd ?

Thanks !
/Xavier

-- 
When you keep trying, you eventually succeed. So, the more it fails,
the better the chance that it will work...
(Shadok proverb)



Re: sh-script executing

2005-10-06 Thread Otto Moerbeek
On Thu, 6 Oct 2005, Andreas Kahari wrote:

> On 06/10/05, Ilya A. Kovalenko <[EMAIL PROTECTED]> wrote:
> > TK> just edit a copy, chmod +x and mv(1) it into place.
> >
> >   Slightly complicated, but works, because mv(1) removes
> > old file, so sh(1) working either old version or new one
> > (no "hybrids").
> 
> Yes, sh(1) will probably keep a descriptor to the old file and keep
> using it until done.
> 
> However, does this have any kind of other implications?  The behaviour
> that Ilya pointed out would not occur to me to be expected...

I know this behaviour from every Unix system I've worked on. Besides,
the nice thing about the current way of doing things is that you can
read a script from a pipe and have the desired behaviour without any
special case code.

-Otto



Re: sh-script executing

2005-10-06 Thread Andreas Kahari
On 06/10/05, Ilya A. Kovalenko <[EMAIL PROTECTED]> wrote:
> TK> just edit a copy, chmod +x and mv(1) it into place.
>
>   Slightly complicated, but works, because mv(1) removes
> old file, so sh(1) working either old version or new one
> (no "hybrids").

Yes, sh(1) will probably keep a descriptor to the old file and keep
using it until done.

However, does this have any kind of other implications?  The behaviour
that Ilya pointed out would not occur to me to be expected...

--
Andreas Kahari



CARP+Pfsync+Bind

2005-10-06 Thread Vladimir Potapov
Hello everyone!

We have 1 server on which running firewall and DNS master service. And we
planned to install another server for load balancing and redundancy.
2 servers(each have running PF and BIND) will balancing load (or one will master
and other slave) for DNS and PF.
Does anyone protect DNS service via CARP and PFsync? Does it work? Whether there
can be problems(for example, with zones transfers, dns queries and other)?



Re: sh-script executing

2005-10-06 Thread Ilya A. Kovalenko
TK> just edit a copy, chmod +x and mv(1) it into place.

  Slightly complicated, but works, because mv(1) removes
old file, so sh(1) working either old version or new one
(no "hybrids").



Re: WLAN (Linksys WPC111) + WEP

2005-10-06 Thread Joost Tr
can you connect with open authentication (-A 1) when you set to open auth. 
AP too




From: Nikolaus Hiebaum <[EMAIL PROTECTED]>
To: OpenBSD mailing list - misc 
Subject: Re: WLAN (Linksys WPC111) + WEP
Date: Wed, 5 Oct 2005 23:34:19 +0200 (CEST)

> > ifconfig wi0 192.168.200.2 255.255.255.0 nwid "scyld" nwkey "BACE8A21EA"
>
> According to the ifconfig man page, "The key can either be a string, a series
> of hexadecimal digits (preceded by `0x'), or a set of keys..." So I would try
> that.

Unfortunately, that didn't help.

--
Best regards,
Nikolaus Hiebaum




Re: sh-script executing

2005-10-06 Thread Thomas Keusch
On Wed, Sep 28, 2005 at 11:53:08AM +0800, Ilya A. Kovalenko wrote:

Hello,

>  Greetings,
> 
>   I found out that sh(1) reads file in process of execution (instead of
> read whole file and execute it from memory image), which makes
> editing such scripts unreliable and/or dangerous. Is there any
> existing ways to solve this problem ?

just edit a copy, chmod +x and mv(1) it into place.


Regards,
 Thomas
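
The edit-a-copy-then-mv(1) advice from this thread, as an added example that is not from any of the posters: it starts `sh` on a script, replaces the script mid-run with a same-directory rename (the rename(2) call that mv(1) performs within one filesystem), and shows that the running shell finishes the old version while the next run gets the new one. The script contents, file names and function names are constructed for the example.

```python
import os
import subprocess
import tempfile

# Constructed sample scripts: the old one is still running when it is replaced.
OLD = "echo old-start\nsleep 1\necho old-end\n"
NEW = "echo new-start\necho new-end\necho new-extra-line\n"


def replace_atomically(path, text):
    """Edit-a-copy-then-mv: write a temp file beside path, then rename over it."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".new-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o755)
        # Same-directory rename: the name switches to a new inode in one step,
        # while a shell that already opened the old inode keeps reading it.
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def overwrite_in_place(path, text):
    """What rewriting the file directly does: same inode, new bytes."""
    with open(path, "w") as handle:
        handle.write(text)


def inode_survives_in_place_write():
    """True when an in-place rewrite leaves the inode unchanged, which is why
    a shell reading that inode incrementally can see the new bytes mid-run."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "job.sh")
        overwrite_in_place(script, OLD)
        before = os.stat(script).st_ino
        overwrite_in_place(script, NEW)
        return os.stat(script).st_ino == before


def run_while_replacing():
    """Start sh on a script, swap the script mid-run, and report what ran."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "job.sh")
        replace_atomically(script, OLD)
        inode_before = os.stat(script).st_ino
        proc = subprocess.Popen(["sh", script], stdout=subprocess.PIPE, text=True)
        first_line = proc.stdout.readline()  # sh has started and is in "sleep 1"
        replace_atomically(script, NEW)
        inode_after = os.stat(script).st_ino
        running_output = first_line + proc.stdout.read()
        proc.wait()
        next_run = subprocess.run(["sh", script], capture_output=True,
                                  text=True).stdout
        return {
            "running_output": running_output,
            "next_run": next_run,
            "inode_changed": inode_before != inode_after,
        }


if __name__ == "__main__":
    result = run_while_replacing()
    print("run in progress printed:", result["running_output"].split())
    print("next run printed:       ", result["next_run"].split())
    print("inode changed by rename:", result["inode_changed"])
    print("inode kept by rewrite:  ", inode_survives_in_place_write())
```
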



Two Isp Fault Tollerance Help

2005-10-06 Thread Alessandro Coppelli

Hi to all.

One of my clients has got an Internet connection with a not very reliable
provider. He reports continual disconnections and so on. I would like to set
up a second connection with another provider to obtain a sort of redundancy, a
fault tolerance. What do I have to do to obtain the automatic connection with
both of the providers and to shift to the one that is connected when the
other is in trouble? (without problems for the client).


Ale



OBSD 3.7 @ Samsung P35: Ati powerplay, disable system beeps?

2005-10-06 Thread Vincent Immler

Hi folks,

I just installed OpenBSD 3.7 on my Samsung P35 XVM 1600 III. Speedstep 
works fine, but what about Ati's powerplay?

Another problem I have:
During system shutdown/reboot the system usually beeps, but on my P35 
this beep is very loud, how to disable it?


Thanks in advance,
Vincent



Re: SK-9821 v2 cards, TX consuming massive CPU time, RX affected

2005-10-06 Thread Schöberle Dániel
> I'm working on increasing the performance of our firewalls, 
> we picked up 
> two of the newer v2 syskonnect cards for testing, I was 
> getting pretty 
> low performance from the bridge so I started testing things 
> using a card 
> as an endpoint.
> 
> I was using Iperf to generate packets, but to make sure it 
> wasn't iperf
> causing a problem, I also did some quick tests with ping -f 
> which exhibit
> much the same behavior.
> 
> 192.168.0.7 is an OpenBSD host running 3.7, fresh install, with the 
> network configured.
> 192.168.0.5 is a linux host used in this test.
> 
> If I run some udp packets, 1mbps with the bsd box receiving
> no problems. But transmitting 1mbps stream eats up the CPU.

While testing with iperf I noticed it eats the CPU (sys and usr)
when running UDP tests but not with TCP ones. I suggest you
try monitoring CPU int usage instead of overall CPU usage.

> 
> When increasing to higher levels of traffic RX performance
> seems to get affected also, the cpu activity becomes very bursty.
> I'm still trying to characterize that a bit better.
 
> iostat 1
> ---
>5  136  0.00   0 0.00   0.00   0 0.00   0  0  0  0100
> 7  137  0.00   0 0.00   0.00   0 0.00   1  0  0  0 99
> 4  135  0.00   0 0.00   0.00   0 0.00   0  0  0  0100
> 3  447  0.00   0 0.00   0.00   0 0.00  12  0 21  0 67
> 0 1103  0.00   0 0.00   0.00   0 0.00  33  0 67  0  0
> 0  131  0.00   0 0.00   0.00   0 0.00  33  0 67  0  0
> 0  131  0.00   0 0.00   0.00   0 0.00  36  0 64  0  0
>ttywd0 cd0 cpu
>   tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
> 0  131  0.00   0 0.00   0.00   0 0.00  31  0 69  0  0
> 0  244  0.00   0 0.00   0.00   0 0.00  29  0 71  0  0
> 0  259  0.00   0 0.00   0.00   0 0.00  31  0 69  0  0
> 0  131  0.00   0 0.00   0.00   0 0.00  29  0 71  0  0
> 0  130  0.00   0 0.00   0.00   0 0.00  30  0 70  0  0
> 0  131  0.00   0 0.00   0.00   0 0.00  36  0 64  0  0
> 0  354  0.00   0 0.00   0.00   0 0.00  22  0 38  0 40

I don't know if CPU int usage data for iostat is accurate
or not, but your CPU shows 0% int usage. It's probably
iperf eating the rest and your NIC may be idling. Push
some more udp mbps and see if the NIC can take it.



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Claudio Jeker
On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:
> More on this with test results, example, setup use, and more details.
> 
> The short of it is that bgpd will not establish an MD5 connection as
> slave ever! So, if you do get an MD5 session in normal operation, it may
> well not stay stable at all depending on bgp flap and who will try to
> become master after a flap. You may end up with bgp down until human
> action is performed to get it back up from both sides of the session.
> 
> How did I show that? Checking the various possibilities without MD5
> configured and then ONLY adding the MD5 on the working setup.
> 
> Tested summary. Try to see the results when one side is always forced to
> be master or slave and see the impact of it. Also, make sure that after
> a reset the master will stay the master. The use of filter will
> accomplish this to try to isolate a possible problem.
> 
> Please read on, as I think this shows the situation as is.
> 
> Daniel
> 
> ==
> 
> Without MD5 configured.
> 
> With bgpd master
> Clear session from bgpd side, session comes back up right away.
> Clear session from remote side, session comes back up with delay.
> 
> With bgpd slave
> Clear session from bgpd side, session comes back up with delay.
> Clear session from remote side, session comes back up with possible very
> long delay. Much bigger than when master.
> 

I think this is fixed in -current. Henning committed something to make the
delays on neighbor clears faster.

> 
> 
> Now with MD5 configured. We only add
> 
> tcp md5sig password test on bgpd side and
> neighbor 66.63.12.108 password test on the Cisco side.
> 
> With bgpd master
> Clear session from bgpd side, session comes back up right away.
> Clear session from remote side, session comes back up with possible very 
> long delay.
> 
> With bgpd slave
> Just can't establish a session whatsoever! The Cisco side will get
> stuck in the OpenSent mode and cycle a few times all without success.
> 
> 66.63.12.1084 65001   0   1000 neverOpenSent
> 
> The OpenBSD side will show an active session, but not up yet obviously:
> 
> dev1# bgpctl s neigh 66.63.12.107
> BGP neighbor is 66.63.12.107, remote AS 65001
>  Description: iBGP Test
>   BGP version 4, remote router-id 0.0.0.0
>   BGP state = Active
>   Last read Never, holdtime 240s, keepalive interval 80s
> 
>   Message statistics:
>   Sent   Received
>   Opens1  0
>   Notifications0  0
>   Updates  0  0
>   Keepalives   0  0
>   Route Refresh0  0
>   Total1  0
> 
>   Local host:  66.63.12.108, Local port:179
>   Remote host: 66.63.12.107, Remote port: 56923
> 
> And the Cisco side will keep cycling there from active to open and back 
> to active to open, etc.
> 
> 66.63.12.1084 65001   0   2000 neverActive
> 
> Now looking at the logs from each side. OpenBSD tries to use the port
> tcp/56923 and from the Cisco side we see this error:
> 
> 35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 
> 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> 36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 
> 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> 
> Looks like the OpenBSD side does not provide the MD5 to the Cisco to
> establish the session.
> 
> It doesn't matter if I clean the session from the Cisco side, or the
> bgpd side, order, etc. Both sides, many times, whatever. It will simply
> not come up!
> 
> Even reloading the Cisco router and killing the bgpd and starting new,
> it will not come up!
> 
> Always the same errors in the logs.
> 
> No MD5 digest received from the OpenBSD side looks like.
> 

It looks like the tcpmd5 is enabled too late when opening a session.
I'll try to have a look at it.

> ===
> 
> Why will bgpd not establish a session as slave when MD5 is configured
> even if the RFC said both sides should be allowed to do so?
> 
> bgpd wants to be the master every time?
> 
> Something sure looks weird here.
> 

That's more like a bug. Btw. MD5 between two bgpd is working, at least it
works for me.

> ==
> 
> But it should be established however for MD5 for sure as any side can be
> the master in a bgp session.
> 
> However, not here?
> 
> Comments on this?
> 
> I think my tests are valid. Am I doing something I should be doing here? 
> I don't think so, but that's what I found so far and why I can't keep a
> stable session with MD5 enabled on it.
> 

For me it looks like a bug for now.

-- 
:wq Claudio
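
The receiver-side check behind the "%TCP-6-BADAUTH: No MD5 digest" lines quoted above, as an added example that is not part of this thread and is not bgpd or IOS code: it looks for TCP option kind 19 in a header and verifies the digest as RFC 2385 defines it. The addresses, ports and the password "test" are the ones from the thread; the function names are hypothetical and the sequence, acknowledgement and window values are constructed.

```python
import hashlib
import hmac
import socket
import struct


def find_md5_option(tcp_header):
    """Return the 16-byte digest from TCP option kind 19 (RFC 2385), or None."""
    end = (tcp_header[12] >> 4) * 4            # data offset field, in bytes
    if end < 20 or end > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts, i = tcp_header[20:end], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        if opts[i] == 1:                       # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if opts[i] == 19 and opts[i + 1] == 18:
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None


def rfc2385_digest(src, dst, tcp_header, payload, key):
    """MD5 over pseudo-header, option-less header (checksum 0), data, key."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, 6, len(tcp_header) + len(payload))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def classify(src, dst, tcp_header, payload, key):
    """Receiver-side decision: digest missing, digest wrong, or accepted."""
    got = find_md5_option(tcp_header)
    if got is None:
        return "no-md5-digest"
    want = rfc2385_digest(src, dst, tcp_header, payload, key)
    return "ok" if hmac.compare_digest(got, want) else "bad-digest"


def syn_ack(sport, dport, options=b""):
    """Constructed SYN+ACK header; seq, ack and window values are arbitrary."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 2001,
                       ((20 + len(options)) // 4) << 4, 0x12, 16384, 0, 0) + options


if __name__ == "__main__":  # constructed reply carrying no option 19
    print(classify("66.63.12.108", "66.63.12.107", syn_ack(179, 56923), b"", b"test"))
```

A reply from port 179 built without the option classifies as "no-md5-digest", which is the condition the Cisco log reports; the same header with a correctly computed option 19 classifies as "ok".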



Re: xorg with Nvidia Go5600 at 1600x1200

2005-10-06 Thread stefan hoffmann

Hi,

thank you for your answer.

pirge wrote:

nv will do 1600x1200 - I run a geforce 2 go (dell inspiron 8100) with
openbsd 3.7 generic at that resolution.

> Reading the nv man page I'm not sure it supports the Go5600..?
As you can see in the log, the chipset is listed.


Need to see your xorg.conf and xorg log


---xorg.conf:
---# File generated by xorgconfig.

# all comments removed

Section "Module"
    Load        "dbe" # Double buffer extension
    SubSection  "extmod"
      Option    "omit xfree86-dga"   # don't initialise the DGA extension
    EndSubSection
    Load        "type1"
    Load        "freetype"
EndSection

Section "Files"
    RgbPath     "/usr/X11R6/lib/X11/rgb"
    FontPath    "/usr/X11R6/lib/X11/fonts/misc/"
    FontPath    "/usr/X11R6/lib/X11/fonts/TTF/"
    FontPath    "/usr/X11R6/lib/X11/fonts/Type1/"
    FontPath    "/usr/X11R6/lib/X11/fonts/CID/"
    FontPath    "/usr/X11R6/lib/X11/fonts/75dpi/"
    FontPath    "/usr/X11R6/lib/X11/fonts/100dpi/"
    FontPath    "/usr/X11R6/lib/X11/fonts/local/"
EndSection

Section "ServerFlags"
EndSection

Section "InputDevice"
    Identifier  "Keyboard1"
    Driver      "kbd"
    Option      "AutoRepeat" "500 30"
    Option      "XkbRules" "xorg"
    Option      "XkbModel" "pc104"
    Option      "XkbLayout" "de"
EndSection

Section "InputDevice"
    Identifier  "Mouse1"
    Driver      "mouse"
    Option      "Protocol" "wsmouse"
    Option      "Device" "/dev/wsmouse"
    Option      "ZAxisMapping" "4 5"
EndSection

Section "Monitor"
    Identifier  "My Monitor"
    HorizSync   31.5 - 64.3
    VertRefresh 40-150
EndSection

Section "Device"
    Identifier  "Standard VGA"
    VendorName  "Unknown"
    BoardName   "Unknown"
    Driver      "vga"
EndSection

# Device configured by xorgconfig:

Section "Device"
    Identifier  "nVidia Go5600"
    Driver      "nv"
EndSection

Section "Screen"
    Identifier  "Screen 1"
    Device      "nVidia Go5600"
    Monitor     "My Monitor"
    DefaultDepth 24
    Subsection "Display"
        Depth       16
        Modes       "1280x1024" "1024x768" "800x600" "640x480"
        ViewPort    0 0
    EndSubsection
    Subsection "Display"
        Depth       24
        Modes       "1600x1200" "1280x1024" "800x600" "640x480"
        ViewPort    0 0
    EndSubsection
EndSection

Section "ServerLayout"
    Identifier  "Simple Layout"
    Screen      "Screen 1"
    InputDevice "Mouse1" "CorePointer"
    InputDevice "Keyboard1" "CoreKeyboard"
EndSection
---xorg.conf.

---Xorg.0.log:
(--) checkDevMem: using aperture driver /dev/xf86
(--) Using wscons driver in pcvt compatibility mode (version 3.32)
(WW) GARTInit: AGPIOC_INFO failed (Device not configured)

X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: OpenBSD 3.7 i386 [ELF]
Current Operating System: OpenBSD tymon.my.domain 3.7 GENERIC#50 i386
Build Date: 16 March 2005
Before reporting problems, check http://wiki.X.Org
to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Thu Oct  6 13:25:14 2005
(==) Using config file: "/etc/X11/xorg.conf"
(==) ServerLayout "Simple Layout"
(**) |-->Screen "Screen 1" (0)
(**) |   |-->Monitor "My Monitor"
(**) |   |-->Device "nVidia Go5600"
(**) |-->Input Device "Mouse1"
(**) |-->Input Device "Keyboard1"
(**) FontPath set to 
"/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/TTF/,/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/CID/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/X11R6/lib/X11/fonts/local/"

(**) RgbPath set to "/usr/X11R6/lib/X11/rgb"
(==) ModulePath set to "/usr/X11R6/lib/modules"
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.2
X.Org Video Driver: 0.7
X.Org XInput driver : 0.4
X.Org Server Extension : 0.2
X.Org Font Renderer : 0.4
(II) Loader running on openbsd
(II) LoadModule: "bitmap"
(II) Loading /usr/X11R6/lib/modules/fonts/libbitmap.a
(II) Module bitmap: vendor="X.Org Foundation"
compiled for 6.8.2, module version = 1.0.0
Module class: X.Org Font Renderer
ABI class: X.Org Font Renderer, version 0.4
(II) Loading font Bitmap
(II) LoadModule: "pcidata"
(II) Loading /usr/X11R6/lib/modules/libpcidata.a
(II) Module pcidata: vendor="X.Org Foundation"
compiled for 6.8.2, module version = 1.0.0
ABI class: X.Org Video Driver, version 0.7
(II) PCI: Probing config type using method 1
(II) PCI: Config type is 1
(II) PCI: stages = 0x03, oldVal1 = 0x, mode1Res1 = 0x8000
(II) PCI: PCI scan (all values are in hex)
(II) PCI: 00:00:0: chip 1039,0648 card 104d,814e rev 03 class 06,00,00 
hdr 80
(II) PCI: 00:01:0: chip 1039,0002 card , rev 00 class 06,04,00 
h

Re: detect if a flag-day has happened in the meanwhile

2005-10-06 Thread knitti
On 10/6/05, Antti Nykänen <[EMAIL PROTECTED]> wrote:
> I think he wants to compare already built kernels, from two different
> snapshots.
>
sorry, how couldn't I think about snapshots...

--knitti



Re: PPTP client

2005-10-06 Thread Otto Moerbeek
On Wed, 5 Oct 2005, Waldemar Brodkorb wrote:

> Hi,
> Otto Moerbeek wrote,
> 
> > 
> > On Fri, 30 Sep 2005, Peter Bako wrote:
> > 
> > > I have a situation where I need to connect an OpenBSD box to a MS Windows
> > > PPTP server (yep, I know it is not secure, but in this case I have no
> > > choice in the matter).
> > > 
> > > After looking around the net I found myself at
> > > http://pptpclient.sourceforge.net/.  So I downloaded, compiled and
> > > installed the program and tried to connect to my test box.  (Also compiled
> > > a custom kernel using the GENERIC files with only the pseudo-device GRE
> > > line commented out.)  There aren't any OpenBSD specific instructions on
> > > the site, but reading the generic docs, as well as the docs for NetBSD,
> > > the PPTP man pages, etc. I think I have enough to get started.  However
> > > when I try to connect up I get nothing but a list of errors (connection
> > > timed out, could not open connection, etc.)  I know the path from my
> > > OpenBSD box to the test server is correct, because if I plug my Win2k
> > > laptop in it is able to successfully connect to the server.
> > > 
> > > As far as I can tell the problem is a lack of MPPE support either in the
> > > Kernel or in PPP.  However I cannot find any information on how to get
> > > this support onto an OpenBSD system.
> > > 
> > > Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
> > > you be kind enough to send me some steps or any other info on how you did
> > > it?
> > 
> > Check the pptp package. It's a port of pptpclient. There used to be a
> > FAQ entry about pptp, but it somehow was reduced to just mention pptp.
> > 
> > The most important thing is to put net.inet.gre.allow=1 into your
> > sysctl.conf. Or compile a kernel without gre(4), but why bother? It's
> > a bit strange the pptp man page still contains instructions to
> > recompile the kernel and does not mention the sysctl. I'll prod the
> > maintainer.
> 
> Oh, that's probably me. What I never understood in the past:
> Does a PPTP user always have to set net.inet.gre.allow=1 ?

Yes, I think so. Though you should ask somebody like markus@ to
confirm that.

-Otto



Re: Fwd: ntop

2005-10-06 Thread Andreas Bihlmaier
> I think he wants to compile version 3.1  - in ports tree there is version 1.1.
> 
> Are there any plans yet about porting newer version of ntop in next
> versions of obsd?

Just as a question: In what way is "ntop" superior to "pftop -v speed -o rate" ?
Sure it perhaps is a matter of preference, but I just want to know :)

> 
> Jernej
> 
> On 10/1/05, Brian A. Seklecki <[EMAIL PROTECTED]> wrote:
> > What platform are you on? Are you compiling it from source?
> >
> > It works just fine in 3.7/i386.
> >
> > Just:
> >
> > bash-3.00# cd /usr/ports/net/ntop && make install clean
> >
> >
> > If you insist on source, try looking at /usr/ports/net/ntop/patches/*
> >
> > Try reading about Ports in the FAQ.
> >
> > ~BAS

Greetz,
ahb