Mail

2005-10-07 Thread D. E. Evans
Is there an append function ~a for inserting text, especially regarding
signatures?



Re: CARP interface incorrectly comes up as INIT on boot - PROBLEM IDENTIFIED

2005-10-07 Thread Jason Dixon

On Oct 8, 2005, at 12:49 AM, Tim wrote:

> Sorry, I wasn't clear in my post.  I meant to say "3 or more
> interfaces created as backup".  I can add as many master carp
> interfaces as I want and it seems to be fine.  Try adding a 3rd
> backup carp to one of your physical interfaces and let me know what
> happens.


(Posting back to list)

Wrong again.  Works fine, even with 3 or more interfaces in BACKUP.

carp0: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 1 advbase 1 advskew 100
groups: carp
inet 192.168.0.20 netmask 0xff00 broadcast 255.255.255.0
carp1: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 2 advbase 1 advskew 0
groups: carp
inet 192.168.0.20 netmask 0xff00 broadcast 255.255.255.0
carp2: flags=8843 mtu 1500
carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 100
groups: carp
inet 10.0.0.1 netmask 0xff00 broadcast 255.255.255.0
carp3: flags=8843 mtu 1500
carp: BACKUP carpdev fxp0 vhid 2 advbase 1 advskew 0
groups: carp
inet 10.0.0.1 netmask 0xff00 broadcast 255.255.255.0
carp4: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 3 advbase 1 advskew 0
groups: carp
inet 192.168.0.80 netmask 0xff00 broadcast 255.255.255.0
carp5: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 4 advbase 1 advskew 0
groups: carp
inet 192.168.0.81 netmask 0xff00 broadcast 255.255.255.0
carp6: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 5 advbase 1 advskew 0
groups: carp
inet 192.168.0.82 netmask 0xff00 broadcast 255.255.255.0


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: CARP interface incorrectly comes up as INIT on boot - PROBLEM IDENTIFIED

2005-10-07 Thread Jason Dixon

On Oct 8, 2005, at 12:18 AM, Tim wrote:

> After some experimentation, it turns out that if I create 3 or more carp
> interfaces on the same physical interface, then carp0 always comes up as INIT on
> boot.  I have replicated this on two other machines, so this is not just a
> fluke.


Wrong.  Here are the carp interfaces from a test server.  The first  
two (carp0, carp1) are for an arp-balance config on fxp1.  The next  
two (carp2, carp3) are another arp-balance config on fxp0.  The last  
three I just created to test your claim.  They were all added to  
fxp1, giving me five carp interfaces on fxp1.  Note that none of  
these interfaces are in INIT.



carp0: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 1 advbase 1 advskew 0
groups: carp
inet 192.168.0.20 netmask 0xff00 broadcast 255.255.255.0
carp1: flags=8843 mtu 1500
carp: BACKUP carpdev fxp1 vhid 2 advbase 1 advskew 100
groups: carp
inet 192.168.0.20 netmask 0xff00 broadcast 255.255.255.0
carp2: flags=8843 mtu 1500
carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 0
groups: carp
inet 10.0.0.1 netmask 0xff00 broadcast 255.255.255.0
carp3: flags=8843 mtu 1500
carp: BACKUP carpdev fxp0 vhid 2 advbase 1 advskew 100
groups: carp
inet 10.0.0.1 netmask 0xff00 broadcast 255.255.255.0
carp4: flags=8843 mtu 1500
carp: MASTER carpdev fxp1 vhid 3 advbase 1 advskew 0
groups: carp
inet 192.168.0.80 netmask 0xff00 broadcast 255.255.255.0
carp5: flags=8843 mtu 1500
carp: MASTER carpdev fxp1 vhid 4 advbase 1 advskew 0
groups: carp
inet 192.168.0.81 netmask 0xff00 broadcast 255.255.255.0
carp6: flags=8843 mtu 1500
carp: MASTER carpdev fxp1 vhid 5 advbase 1 advskew 0
groups: carp
inet 192.168.0.82 netmask 0xff00 broadcast 255.255.255.0


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



samsung sens p29 won't boot

2005-10-07 Thread Dulmandakh Sukhbaatar
Yesterday I bought new laptop samsung sens p29. When I tried to install 
OpenBSD 3.7, booting from cd it hangs on pckbc0, so won't boot. Any 
suggestions? Please help. Sorry for my poor english


Dulmandakh



Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-07 Thread Chris Kuethe
On 06/10/05, Craig Barraclough <[EMAIL PROTECTED]> wrote:
> You'll find a few of us are running the interrupt holdoff patch, which IIRC,
> comes from the FreeBSD tree via [EMAIL PROTECTED] (See below).
> Patch trades off timeliness of response for reduced interrupts.

Hasn't broken anything for me (yet?) on a checkout of -current as of
this afternoon. Even while dragging stuff to and from the office at
720KB/s and running tor, my ssh sessions are still plenty responsive
and I have a whopping 12% cpu free.

Not the sort of box I'd want to run a large enterprise through, but it
runs cool and quiet, takes up less room on my comms shelf than the
cable modem, and has a feature set vastly superior to any other home
router I've seen.

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: CARP interface incorrectly comes up as INIT on boot - PROBLEM IDENTIFIED

2005-10-07 Thread Tim
Tim  timdarby.net> writes:

> 
> I'm using CARP under 3.7 release version on two boxes that aren't firewalls, so
> no pfsync involved and CARP configured as described in the FAQ.  What I'm seeing
> is that the box I've designated as BACKUP always boots with carp0 as INIT and

After some experimentation, it turns out that if I create 3 or more carp
interfaces on the same physical interface, then carp0 always comes up as INIT on
boot.  I have replicated this on two other machines, so this is not just a 
fluke.

Tim



Re: CUPS failing

2005-10-07 Thread Christopher JS Vance

On Sat, Oct 08, 2005 at 03:56:22AM +0200, [EMAIL PROTECTED] wrote:

> I notice the "Unknown device: hl1250" error, which is actually the name of the
> driver (hl1430 uses hl1250), but I can't make any sense of the above.
>
> How do I go from here?


The OpenBSD version of ghostscript doesn't include the driver you need.

You could pay for
 a supported printer, or
 for somebody to port the CUPS-recommended ghostscript to OpenBSD, or
 for somebody to include the driver in a special ghostscript for you.

Or you could do the work yourself.

There are probably other alternatives which will come to mind...

--
Christopher Vance



CUPS failing

2005-10-07 Thread coolzone
Hi, 

During these past couple of weeks I have been making some extensive testing on
the CUPS port/package. 

I have tested a Brother HL-1430 laser printer. 

I have got the appropriate PPD driver from foomatic.

I have tested it on several OpenBSD installations, on different hardware yet
all i386. 

I can't get it to print no matter how I set it up.

I have then tested the exact same PPD driver with CUPS on FreeBSD 5.4 RELEASE,
and on Kubuntu 5.10. In both cases I have no problems printing.

From the log I get the following using loglevel debug:

D [08/Oct/2005:05:40:29 +0200] [Job 12] GNU Ghostscript 7.05 (2002-04-22)
D [08/Oct/2005:05:40:29 +0200] [Job 12] Copyright (C) 2002 artofcode LLC,
Benicia, CA.  All rights reserved.
D [08/Oct/2005:05:40:29 +0200] [Job 12] This software comes with NO WARRANTY:
see the file PUBLIC for details.
D [08/Oct/2005:05:40:29 +0200] [Job 12] Unknown device: hl1250
D [08/Oct/2005:05:40:29 +0200] [Job 12] renderer return value: 1
D [08/Oct/2005:05:40:29 +0200] [Job 12] renderer received signal: 1
D [08/Oct/2005:05:40:29 +0200] [Job 12] Process dying with "error closing
*main::STDOUT", exit stat: 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Process dying with "Possible error on
renderer command line or PostScript error. Check options.", exit stat: 3
D [08/Oct/2005:05:40:29 +0200] [Job 12] error closing *main::STDOUT
D [08/Oct/2005:05:40:29 +0200] [Job 12] Possible error on renderer command
line or PostScript error. Check options.
D [08/Oct/2005:05:40:29 +0200] [Job 12] 0 %%Trailer
D [08/Oct/2005:05:40:29 +0200] [Job 12] Saw Trailer!
D [08/Oct/2005:05:40:29 +0200] [Job 12] Saw EOF!
D [08/Oct/2005:05:40:29 +0200] [Job 12]
D [08/Oct/2005:05:40:29 +0200] [Job 12] Closing renderer
D [08/Oct/2005:05:40:29 +0200] [Job 12] KID4 exited with status 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Renderer exit stat: 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Renderer process finished
D [08/Oct/2005:05:40:29 +0200] [Job 12] Killing process 5158 (KID3)
D [08/Oct/2005:05:40:29 +0200] [Job 12] Process dying with "Error closing
renderer", exit stat: 9
D [08/Oct/2005:05:40:29 +0200] [Job 12] Error closing renderer
E [08/Oct/2005:05:40:29 +0200] PID 414 stopped with status 9!

I notice the "Unknown device: hl1250" error, which is actually the name of the
driver (hl1430 uses hl1250), but I can't make any sense of the above.

How do I go from here? 

Friendly,
Rico.



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Rod.. Whitworth
On 07 Oct 2005 18:07:30 -0700, Byron Morton wrote:

>Well, I have successfully run my Ultra5 (270ghz) as a natting firewall
>with caching dns, apache, ices, mysql, php(6 dynamic sites) sendmail
>w/auth smtp (also for the 6 domains) and never saw problems or
>bottlenecks. I ran it with the hme($ext_if on dsl), and a couple of xl's
>and was totally happy with it.
>

Gee, I'd reckon a 270ghz unit could do that and calculate a few more
large primes every second.
 
_I'd_ never make a tyop like that!   ;-)
From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Byron Morton
Joe S <[EMAIL PROTECTED]> writes:

> Is anyone on the list running an Ultra 5 as firewall? I would like to move my
> firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
> 
> My main concern is wondering if the Ultra 5 is slow enough to become a
> bottleneck from one interface to another interface. However, I know some of
> you run Soekris boxen and 486's for firewalls, so I may be just fine.
> 
> Any thoughts?

Well, I have successfully run my Ultra5 (270ghz) as a natting firewall
with caching dns, apache, ices, mysql, php(6 dynamic sites) sendmail
w/auth smtp (also for the 6 domains) and never saw problems or
bottlenecks. I ran it with the hme($ext_if on dsl), and a couple of xl's
and was totally happy with it.

It moved only a couple months ago to get replaced with 3.7-current on an
x86 to do some java/mod_jk bits, but after that's done, 3.8-current will
probably go on it and it will resume its place in the corner.

Building /usr/src is normally something started before a 9pm movie on
this box with the new binaries done for a morning reboot...

HTH

-- 
byr0n



Re: CARP+Pfsync+Bind

2005-10-07 Thread Léo Goehrs
Then, you can forget about DNSSEC for example ...

Léo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of ed
Sent: Friday, October 7, 2005 19:25
Cc: misc@openbsd.org
Subject: Re: CARP+Pfsync+Bind

On Thu, 6 Oct 2005 19:52:31 -0400
"Dave Anderson" <[EMAIL PROTECTED]> wrote:

> Responses long enough so that required information is truncated should
> be rare, so perhaps you've been lucky and not encountered any yet.

I understand fully what you are saying, but I just don't want to serve
DNS via TCP. I'm as sure as I can be that no replies exceed 512 bytes.
If it ever becomes a problem I'll use tcpserver to provide it, but it's
been fine for a long time, and it's safe, at least in my case, to assume
TCP is for zone transfers, YMMV.

-- 
Regards, Ed http://www.usenix.org.uk



Re: Sun Ultra 5 as a firewall? <- clarification

2005-10-07 Thread Bill
On Fri, 7 Oct 2005 19:15:29 -0400
Bill <[EMAIL PROTECTED]> spake:

> On Fri, 07 Oct 2005 13:28:28 -0700
> Joe S <[EMAIL PROTECTED]> spake:
> 
> > Is anyone on the list running an Ultra 5 as firewall? I would like to 
> > move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
> > 
> > My main concern is wondering if the Ultra 5 is slow enough to become a 
> > bottleneck from one interface to another interface. However, I know some 
> > of you run Soekris boxen and 486's for firewalls, so I may be just fine.
> > 
> > Any thoughts?
> 
> I dunno know about a Sun 360Mhz, but I just set up an AMD 350Mhz with
> two 100MB cards and can filter at about 70Mb/sec (9,000 pkt / sec)
> across it (100Mb networks).  This is with two FA311 cards.  If you're
> firewalling an internet connection it should be more than fine.
> Turning on PF caused a bit of a drop (to the above stats) but after
> that not much seemed to faze it.  I did some tests turning on and off
> quick / scrub / etc / etc if anyone is interested.
> 
> * tests done using iperf, netstat and two cross over cables.  hitech
> stuff here :)
> 

The stats using PF are those listed above... they were slightly higher
before turning on PF.



Package-update dates

2005-10-07 Thread Moy Easwaran

Hi guys,

A suggestion regarding the package-updates page.  It would be nice to have the
date of the update in addition to the package name and update type, like
on the main security-updates page.

Moy



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Bill
On Fri, 07 Oct 2005 13:28:28 -0700
Joe S <[EMAIL PROTECTED]> spake:

> Is anyone on the list running an Ultra 5 as firewall? I would like to 
> move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
> 
> My main concern is wondering if the Ultra 5 is slow enough to become a 
> bottleneck from one interface to another interface. However, I know some 
> of you run Soekris boxen and 486's for firewalls, so I may be just fine.
> 
> Any thoughts?

I dunno know about a Sun 360Mhz, but I just set up an AMD 350Mhz with
two 100MB cards and can filter at about 70Mb/sec (9,000 pkt / sec)
across it (100Mb networks).  This is with two FA311 cards.  If you're
firewalling an internet connection it should be more than fine.
Turning on PF caused a bit of a drop (to the above stats) but after
that not much seemed to faze it.  I did some tests turning on and off
quick / scrub / etc / etc if anyone is interested.

* tests done using iperf, netstat and two cross over cables.  hitech
stuff here :)



-- 

Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693
e: [EMAIL PROTECTED]
w. http://www.explosivo.com



Re: CARP+Pfsync+Bind

2005-10-07 Thread ed
On Thu, 6 Oct 2005 19:52:31 -0400
"Dave Anderson" <[EMAIL PROTECTED]> wrote:

> Responses long enough so that required information is truncated should
> be rare, so perhaps you've been lucky and not encountered any yet.

I understand fully what you are saying, but I just don't want to serve
DNS via TCP. I'm as sure as I can be that no replies exceed 512 bytes.
If it ever becomes a problem I'll use tcpserver to provide it, but it's
been fine for a long time, and it's safe, at least in my case, to assume
TCP is for zone transfers, YMMV.

-- 
Regards, Ed http://www.usenix.org.uk
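
An added example, not part of any post in this thread: a model of the 512-byte UDP limit and the TC (truncated) bit that the exchange above is about. The function names, the name www.example.com and the 192.0.2.x addresses are constructed for illustration, and dropping every answer on truncation is a simplification of what a real server does.

```python
import ipaddress
import struct

UDP_LIMIT = 512                      # classic DNS-over-UDP payload limit
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
TYPE_A, CLASS_IN = 1, 1
HEADER_LEN = 12


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname, addrs, txid=0x1234, ttl=300, limit=UDP_LIMIT):
    """Build an authoritative A-record response as a UDP-only server would.

    If the full message exceeds `limit`, set TC and send no answers
    (simplified; assumption of this example).
    """
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    flags = FLAG_QR | FLAG_AA
    ancount = len(addrs)
    if HEADER_LEN + len(question) + len(answers) > limit:
        flags |= FLAG_TC
        answers, ancount = b"", 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + answers


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "aa": bool(flags & FLAG_AA),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def resolver_outcome(msg, tcp_reachable):
    """What a resolver does with this reply, given whether TCP/53 is served."""
    if not parse_header(msg)["tc"]:
        return "answered over UDP"
    if tcp_reachable:
        return "retry over TCP"
    return "lookup fails: truncated reply and no TCP service"


def sample_addrs(n):
    """Constructed sample data: n addresses from the 192.0.2.0/24 test range."""
    return [f"192.0.2.{i}" for i in range(1, n + 1)]


if __name__ == "__main__":
    for n in (29, 30):
        msg = build_response("www.example.com", sample_addrs(n))
        print(n, "records:", len(msg), "bytes ->",
              resolver_outcome(msg, tcp_reachable=False))
```

With this name, 29 A records still fit in one UDP reply and the 30th pushes the message past 512 bytes, which is the point at which a server without TCP stops being resolvable for that name.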



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Marco Peereboom
I ran an Ultra-5 for 2 years straight as my home firewall.  It got replaced
with an hppa just because I could :-) My mailserver is still an ultra-5 that
has run for 3 years.  The only time it has been down is when my ups gave out.
Sparc + OpenBSD = bliss

On Fri, Oct 07, 2005 at 02:58:45PM -0700, Joe S wrote:
> >There's no way for anyone to know without describing your  throughput.  
> 
> My apologies. I forgot to include that information. This is strictly a 
> home network. I am not concerned about the throughput between my 
> network and the internet, but rather between local networks. I'll post 
> my iperf results later.
> 
> >P.S.  Not to rant, but I've never understood why people ask these  
> >questions on the list.  Why not just setup a test network and run  iperf 
> >against it?
> I'm doing that now. I wanted to find out what others' experiences were
> and if this was a bad idea to start with.



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Joe S
> There's no way for anyone to know without describing your throughput.

My apologies. I forgot to include that information. This is strictly a 
home network. I am not concerned about the throughput between my 
network and the internet, but rather between local networks. I'll post 
my iperf results later.

> P.S.  Not to rant, but I've never understood why people ask these
> questions on the list.  Why not just setup a test network and run iperf
> against it?

I'm doing that now. I wanted to find out what others' experiences were
and if this was a bad idea to start with.



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Jason Dixon

On Oct 7, 2005, at 4:28 PM, Joe S wrote:

> Is anyone on the list running an Ultra 5 as firewall? I would like
> to move my firewall from an overpowered P4-3GHz box to a Sun Ultra
> 5 360MHz.
>
> My main concern is wondering if the Ultra 5 is slow enough to
> become a bottleneck from one interface to another interface.
> However, I know some of you run Soekris boxen and 486's for
> firewalls, so I may be just fine.


There's no way for anyone to know without describing your  
throughput.  That said, I've run OpenBSD/PF firewalls on old Sparc  
IPX (SS2) boxes.  An Ultra 5 should certainly handle quite a bit,  
considering a Soekris can handle a T1.


P.S.  Not to rant, but I've never understood why people ask these  
questions on the list.  Why not just setup a test network and run  
iperf against it?


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Kevin
> Is anyone on the list running an Ultra 5 as firewall? I would like to
> move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
>
> My main concern is wondering if the Ultra 5 is slow enough to become a
> bottleneck from one interface to another interface. However, I know some
> of you run Soekris boxen and 486's for firewalls, so I may be just fine.
>
> Any thoughts?
Sure. What size network? Home? Small company? All of Microsoft corporate? ;-)

A little more info here would go a long way.










Re: NetMos 4S question

2005-10-07 Thread Fred Crowson

Genadijus Paleckis wrote:
> I have 4 NetMos 4S serial cards and wanted to place them into single
> machine, all four cards is detected but it seems that only two of them
> is working. Is there any limitation of serial ports number on system ?
>
> Thank you.



post your dmesg.

You may need to create extra cua's to use them all.

HTH

Fred



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Matthew R Powell
Joe S wrote:
> Is anyone on the list running an Ultra 5 as firewall? I would like to
> move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
> 
> My main concern is wondering if the Ultra 5 is slow enough to become a
> bottleneck from one interface to another interface. However, I know some
> of you run Soekris boxen and 486's for firewalls, so I may be just fine.
> 
> Any thoughts?


I don't have any problems running my (home) firewall on an old
SparcStation 20.  It's a damn shame that I can't take advantage of the
dual 100 mhz processors with OpenBSD... then maybe it would be powerful
enough to serve websites, svn, postgresql and email too... or not.

But if there's no (noticeable) bottleneck between the Happy meals on my
box, I can't imagine any problems for you on the Ultra5.

Unless the U5 is the one that uses RFC 1149 ethernet adapters...

Good luck.



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Spruell, Darren-Perot
From: Joe S [mailto:[EMAIL PROTECTED]
> Is anyone on the list running an Ultra 5 as firewall? I would like to
> move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
>
> My main concern is wondering if the Ultra 5 is slow enough to become a
> bottleneck from one interface to another interface. However, I know some
> of you run Soekris boxen and 486's for firewalls, so I may be just fine.

Your traffic requirements determine that.

DS



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Matt Rowley
> Is anyone on the list running an Ultra 5 as firewall? I would like to 
> move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
> 
> My main concern is wondering if the Ultra 5 is slow enough to become a 
> bottleneck from one interface to another interface. However, I know some 
> of you run Soekris boxen and 486's for firewalls, so I may be just fine.

I ran my home firewall off an Ultra5/333mhz... it was plenty fast for passing
packets (used an fxp pci card for the second interface).  Felt kinda sluggish
for compiling, and disk I/O was pretty bleh.  Not sure how it'd scale in
terms of packets per second.

cheers,
Matt



Re: Sun Ultra 5 as a firewall?

2005-10-07 Thread Brian A. Seklecki

On Fri, 7 Oct 2005, Joe S wrote:

> Is anyone on the list running an Ultra 5 as firewall? I would like to move my
> firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.
>
> My main concern is wondering if the Ultra 5 is slow enough to become a
> bottleneck from one interface to another interface. However, I know some of
> you run Soekris boxen and 486's for firewalls, so I may be just fine.
>
> Any thoughts?


You'll be fine.  Crazy people run Checkpoint-1 on Solaris on these 
machines and filter at wire-speed.


~BAS






l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: pf tables and interface groups

2005-10-07 Thread Ryan Puckett
Sorry, should have indicated I'm using OpenBSD version 3.8

dmesg:



On Fri, 2005-10-07 at 14:30 -0600, Ryan Puckett wrote:
> Under the Tables section in the pf.conf(5) man page, it is indicated
> that tables can be created with a valid interface group.  I'm taking
> this to mean I can do the following:
> 
> table  { vlan }
> 
> or better yet:
> 
> table  { egress }
> 
> but when loading up the ruleset or even trying to manually add the table
> via command line "pfctl -t outside -T add egress" I receive:
> 
> no IP address found for egress
> 
> I have no problems when specifying the exact interface such as vlan0.
> 
> So my question is: did I misread this?  
> 
> 
> Thanks

-Ryan



pf tables and interface groups

2005-10-07 Thread Ryan Puckett
Under the Tables section in the pf.conf(5) man page, it is indicated
that tables can be created with a valid interface group.  I'm taking
this to mean I can do the following:

table  { vlan }

or better yet:

table  { egress }

but when loading up the ruleset or even trying to manually add the table
via command line "pfctl -t outside -T add egress" I receive:

no IP address found for egress

I have no problems when specifying the exact interface such as vlan0.

So my question is: did I misread this?  


Thanks

-Ryan



Sun Ultra 5 as a firewall?

2005-10-07 Thread Joe S
Is anyone on the list running an Ultra 5 as firewall? I would like to 
move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.


My main concern is wondering if the Ultra 5 is slow enough to become a 
bottleneck from one interface to another interface. However, I know some 
of you run Soekris boxen and 486's for firewalls, so I may be just fine.


Any thoughts?



Re: cpio/gzip problem or are my tapes too old?

2005-10-07 Thread Michael Shalayeff
Making, drinking tea and reading an opus magnum from Joe Szedula:
> >On 10/7/05 1:32 PM, Michael Shalayeff ([EMAIL PROTECTED]) wrote:
> >> I use a command like:
> >> 
> >> cpio -o -z -v -F /dev/rst0 < in.lst > out.lst
> >> 
> >> to perform a backup. But when I attempt to index the tape contents using:
> >> 
> >> cpio -i -t -v -z -F /dev/rst0
> >> 
> >> I get:
> >> 
> >> gzip: /dev/stdin: unrecognized file format
> >> cpio: End of archive volume 1 reached
> >> Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
> >> Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
> > (snip)
> >
> >you have to pipe it thru dd.
> >tapes work in blocks. gzip is not exactly like that
> 
> I don't understand. How do I do that with cpio? cpio doesn't use stdin or 
> stdout (except for lists of files and messages) does it? Doesn't "-z" on 
> the cpio command line mean Compress/Uncompress archive using gzip(1) 
> format.

cpio -o -z -v | dd of=/dev/nrst0
dd if=/dev/nrst0 | cpio -i -t -z -v

-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: CARP interface incorrectly comes up as INIT on boot

2005-10-07 Thread Michael Shalayeff
Making, drinking tea and reading an opus magnum from Tim:
> William Bloom  eldocomp.com> writes:
> 
> > 
> > If I'd had this experience, I'd be tempted to use tcpdump on whichever physical
> > interface is carpdev for the suspect carp interface in order to verify that
> > multicast is enabled on your switch.  With carp interfaces up, you should see
> > periodic multicast messages.  If you don't see any, then you've found your
> > problem (and you need to revisit the switch configuration in order to fix it).
> > Bill
> > 
> 
> Thanks Bill.  I'd suspect the switch too except that all 3 carp interfaces are
> on the same physical interface in this case, yet it's only carp0 that
> experiences this behavior.  Nevertheless, I will haul out tcpdump and see what's
> going on.  To answer your question, no, pf is not running on these boxes.  I
> also have two 3.7 CARP/pfsync firewalls that have never exhibited this behavior
> and they are on the same switch.

dude
your carp0 is down. unless you "up" it -- nothing will happen.
i suggest you compare your hostname.carp* files to discover
what exactly you have missed in the hostname.carp0 .

cu

-- 
paranoic mickey   (my employers have changed but, the name has remained)
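
An added example, not part of any post in this thread: a small checker for the ifconfig output format posted above that separates a carp interface that is simply down (the low bit of the flags word, IFF_UP, is clear) from one that is up yet still in INIT. The sample text and the function names are constructed for illustration.

```python
import re

IFF_UP = 0x1  # low bit of the BSD interface flags word: administratively up

# Constructed sample (not taken from the thread), laid out like the ifconfig
# output posted above. carp0 is down and in INIT; carp2 is up but still INIT.
SAMPLE = """\
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        carp: INIT carpdev fxp1 vhid 1 advbase 1 advskew 100
        groups: carp
        inet 192.168.0.20 netmask 0xffffff00 broadcast 192.168.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 192.168.0.21 netmask 0xffffff00 broadcast 192.168.0.255
carp2: flags=8843 mtu 1500
        carp: INIT carpdev fxp0 vhid 1 advbase 1 advskew 100
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""

IFACE = re.compile(r"^(\w+): flags=([0-9a-fA-F]+)")
CARP = re.compile(
    r"^\s*carp: (\w+) carpdev (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")


def parse_carp(text):
    """Return one dict per carpN interface found in ifconfig output."""
    ifaces, current = [], None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = None  # a new interface block starts; ignore non-carp ones
            if m.group(1).startswith("carp"):
                current = {"name": m.group(1), "flags": int(m.group(2), 16),
                           "state": None, "carpdev": None, "vhid": None}
                ifaces.append(current)
            continue
        m = CARP.match(line)
        if m and current is not None:
            current.update(state=m.group(1), carpdev=m.group(2),
                           vhid=int(m.group(3)), advbase=int(m.group(4)),
                           advskew=int(m.group(5)))
    return ifaces


def audit(ifaces):
    """Return (interface, finding) pairs for interfaces that need attention."""
    findings = []
    for i in ifaces:
        if not i["flags"] & IFF_UP:
            findings.append((i["name"],
                             "interface is down (IFF_UP clear); compare its "
                             "hostname.carpN file with the working ones"))
        elif i["state"] == "INIT":
            findings.append((i["name"],
                             "up but in INIT; inspect carpdev %s and watch for "
                             "advertisements with tcpdump" % i["carpdev"]))
    return findings


if __name__ == "__main__":
    for name, msg in audit(parse_carp(SAMPLE)):
        print(f"{name}: {msg}")
```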



Re: cpio/gzip problem or are my tapes too old?

2005-10-07 Thread Joe Szedula
>On 10/7/05 1:32 PM, Michael Shalayeff ([EMAIL PROTECTED]) wrote:
>> I use a command like:
>> 
>> cpio -o -z -v -F /dev/rst0 < in.lst > out.lst
>> 
>> to perform a backup. But when I attempt to index the tape contents using:
>> 
>> cpio -i -t -v -z -F /dev/rst0
>> 
>> I get:
>> 
>> gzip: /dev/stdin: unrecognized file format
>> cpio: End of archive volume 1 reached
>> Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
>> Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
> (snip)
>
>you have to pipe it thru dd.
>tapes work in blocks. gzip is not exactly like that

I don't understand. How do I do that with cpio? cpio doesn't use stdin or 
stdout (except for lists of files and messages) does it? Doesn't "-z" on 
the cpio command line mean Compress/Uncompress archive using gzip(1) 
format.


Joe Szedula
Email: [EMAIL PROTECTED]



Re: CARP interface incorrectly comes up as INIT on boot

2005-10-07 Thread Tim
William Bloom  eldocomp.com> writes:

> 
> If I'd had this experience, I'd be tempted to use tcpdump on whichever physical
> interface is carpdev for the suspect carp interface in order to verify that
> multicast is enabled on your switch.  With carp interfaces up, you should see
> periodic multicast messages.  If you don't see any, then you've found your
> problem (and you need to revisit the switch configuration in order to fix it).
> Bill
> 

Thanks Bill.  I'd suspect the switch too except that all 3 carp interfaces are
on the same physical interface in this case, yet it's only carp0 that
experiences this behavior.  Nevertheless, I will haul out tcpdump and see what's
going on.  To answer your question, no, pf is not running on these boxes.  I
also have two 3.7 CARP/pfsync firewalls that have never exhibited this behavior
and they are on the same switch.

Tim



Re: cpio/gzip problem or are my tapes too old?

2005-10-07 Thread Michael Shalayeff
Making, drinking tea and reading an opus magnum from Joe Szedula:
> I use a command like:
> 
> cpio -o -z -v -F /dev/rst0 < in.lst > out.lst
> 
> to perform a backup. But when I attempt to index the tape contents using:
> 
> cpio -i -t -v -z -F /dev/rst0
> 
> I get:
> 
> gzip: /dev/stdin: unrecognized file format
> cpio: End of archive volume 1 reached
> Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
> Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
> 
> ATTENTION! cpio archive volume change required.
> Ready for archive volume: 1
> Input archive name or "." to quit cpio.
> Archive name > .
> Quitting cpio!
> cpio: Sorry, unable to determine archive format.
> 
> as the result. I've tried this with a few tapes of varying usage although
> they are all the same age. If I remove "-z" from the commands the write &
> index work with no error messages.
> 
> I'm running OpenBSD 3.7 (GENERIC) #50
> 
> the "st" portion of dmesg is:
> 
> st0 at scsibus0 targ 1 lun 0:  SCSI2 
> 1/sequential removable
> st0: density code 0x80, 1024-byte blocks, write-enabled
> 
> Any suggestions for solving this problem?

you have to pipe it thru dd.
tapes work in blocks. gzip is not exactly like that

cu

-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: CARP interface incorrectly comes up as INIT on boot

2005-10-07 Thread William Bloom
If I'd had this experience, I'd be tempted to use tcpdump on whichever physical 
interface is carpdev for the suspect carp interface in order to verify that 
multicast is enabled on your switch.  With carp interfaces up, you should see 
periodic multicast messages.  If you don't see any, then you've found your 
problem (and you need to revisit the switch configuration in order to fix it). 
I've seen a few cases in the past where action had to be taken in order to 
enable multicast on a switch; else CARP (or VRRP, or HSRP) of course fails to 
transition to proper states.

You mention that this machine is not a firewall and you're not using pfsync,
but you didn't say right out loud whether you're running pf.  Probably you're
not, but there do exist some non-firewall applications where pf is used, and I
don't know whether your machine falls into that category.  If it does, then
also make sure the pf ruleset isn't blocking multicast.


Bill

Tim wrote:
> I'm using CARP under 3.7 release version on two boxes that aren't firewalls, so
> no pfsync involved and CARP configured as described in the FAQ.  What I'm seeing
> is that the box I've designated as BACKUP always boots with carp0 as INIT and
> carp1 and carp2 both come up BACKUP as expected.  The other box always boots
> with all 3 carp interfaces correctly as MASTER.  On the backup box, I can
> execute 'ifconfig carp0 up' and the interface correctly transitions to BACKUP.
> To prove to myself that this was not a problem with that particular box, I tried
> switching the roles making the backup the master and vice versa and the problem
> moves to the other box.  Here's the output of ifconfig -A on the backup box and
> I can supply more info if needed:
> 
> lo0: flags=8049 mtu 33224
> inet 127.0.0.1 netmask 0xff00 
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> pflog0: flags=0<> mtu 33224
> pfsync0: flags=0<> mtu 2020
> enc0: flags=0<> mtu 1536
> dc0: flags=8943 mtu 1500
> address: 00:10:a4:c7:51:4e
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
> inet6 fe80::210:a4ff:fec7:514e%dc0 prefixlen 64 scopeid 0x5
> inet 192.168.0.12 netmask 0xff00 broadcast 192.168.0.255
> inet 192.168.0.22 netmask 0xff00 broadcast 192.168.0.255
> inet 192.168.0.42 netmask 0xff00 broadcast 192.168.0.255
> carp0: flags=8802 mtu 1500
> carp: INIT carpdev dc0 vhid 4 advbase 1 advskew 100
> inet 192.168.0.20 netmask 0xff00 broadcast 192.168.0.255
> carp1: flags=8843 mtu 1500
> carp: BACKUP carpdev dc0 vhid 3 advbase 1 advskew 100
> inet 192.168.0.10 netmask 0xff00 broadcast 192.168.0.255
> carp2: flags=8843 mtu 1500
> carp: BACKUP carpdev dc0 vhid 6 advbase 1 advskew 100
> inet 192.168.0.40 netmask 0xff00 broadcast 192.168.0.255
> 
> Tim
> 

-- 
William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 |
Fax: +11-602-604-3115| http://www.eldocomp.com

-- CONFIDENTIALITY NOTICE --

Information transmitted by this e-mail is proprietary to MphasiS and/or its 
Customers and is intended for use only by the individual or entity to which it 
is addressed, and may contain information that is privileged, confidential or 
exempt from disclosure under applicable law. If you are not the intended 
recipient or it appears that this mail has been forwarded to you without proper 
authority, you are notified that any use or dissemination of this information 
in any manner is strictly prohibited. In such cases, please notify us 
immediately at [EMAIL PROTECTED] and delete this mail from your records.



YOUR REQUEST HAS BEEN RECEIVED

2005-10-07 Thread Photo System
Your request has been received and will be processed as soon as possible
usually within 24 hours, excluding Sunday and Holidays.

The recommended photo sizes for Tempo are 640 X 480 Pixels or about 72
to 150 DPI. This should result in a file size of around 150KB.

Please use the links below each topic for more detailed information:



- Instructions for adding your own photos or Virtual Tours to Tempo.

- Instructions for submitting photos to Sandicor for Tempo.

- Out of area photo map codes. This is a list of Map code pages
  where free photos will NOT be taken. Listings in these map pages will
  require you to submit your own photos.

- Approved Virtual Tours. These are the approved URL / Web
  addresses for the Virtual Tours. They must match this format in order to
  be accepted by Tempo.

  http://www.sandicor.com/help_desk/tours.pdf

- Missing photos or wrong photos reports can be sent to
  [EMAIL PROTECTED]

  You must include the following information on the subject line.

  - MLS Number
  - Property Address
  - Agent Name

Example subject line:
03169, 123 Some St, Bob Doe

Contact Info:

Tech support at Sandicor   858.622.6200 or Fax  858.622.6222 or Email
[EMAIL PROTECTED]



cpio/gzip problem or are my tapes too old?

2005-10-07 Thread Joe Szedula
I use a command like:

cpio -o -z -v -F /dev/rst0 < in.lst > out.lst

to perform a backup. But when I attempt to index the tape contents using:

cpio -i -t -v -z -F /dev/rst0

I get:

gzip: /dev/stdin: unrecognized file format
cpio: End of archive volume 1 reached
Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big
Oct  7 11:50:48 sys /bsd: st0: 10-byte record too big

ATTENTION! cpio archive volume change required.
Ready for archive volume: 1
Input archive name or "." to quit cpio.
Archive name > .
Quitting cpio!
cpio: Sorry, unable to determine archive format.

as the result. I've tried this with a few tapes of varying usage although
they are all the same age. If I remove "-z" from the commands the write &
index work with no error messages.

I'm running OpenBSD 3.7 (GENERIC) #50

the "st" portion of dmesg is:

st0 at scsibus0 targ 1 lun 0:  SCSI2 
1/sequential removable
st0: density code 0x80, 1024-byte blocks, write-enabled

Any suggestions for solving this problem?

Thanks,

Joe



CARP interface incorrectly comes up as INIT on boot

2005-10-07 Thread Tim
I'm using CARP under 3.7 release version on two boxes that aren't firewalls, so
no pfsync involved and CARP configured as described in the FAQ.  What I'm seeing
is that the box I've designated as BACKUP always boots with carp0 as INIT and
carp1 and carp2 both come up BACKUP as expected.  The other box always boots
with all 3 carp interfaces correctly as MASTER.  On the backup box, I can
execute 'ifconfig carp0 up' and the interface correctly transitions to BACKUP. 
To prove to myself that this was not a problem with that particular box, I tried
switching the roles making the backup the master and vice versa and the problem
moves to the other box.  Here's the output of ifconfig -A on the backup box and
I can supply more info if needed:

lo0: flags=8049 mtu 33224
inet 127.0.0.1 netmask 0xff00 
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
dc0: flags=8943 mtu 1500
address: 00:10:a4:c7:51:4e
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.3 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::210:a4ff:fec7:514e%dc0 prefixlen 64 scopeid 0x5
inet 192.168.0.12 netmask 0xff00 broadcast 192.168.0.255
inet 192.168.0.22 netmask 0xff00 broadcast 192.168.0.255
inet 192.168.0.42 netmask 0xff00 broadcast 192.168.0.255
carp0: flags=8802 mtu 1500
carp: INIT carpdev dc0 vhid 4 advbase 1 advskew 100
inet 192.168.0.20 netmask 0xff00 broadcast 192.168.0.255
carp1: flags=8843 mtu 1500
carp: BACKUP carpdev dc0 vhid 3 advbase 1 advskew 100
inet 192.168.0.10 netmask 0xff00 broadcast 192.168.0.255
carp2: flags=8843 mtu 1500
carp: BACKUP carpdev dc0 vhid 6 advbase 1 advskew 100
inet 192.168.0.40 netmask 0xff00 broadcast 192.168.0.255

Tim



dynamic ip aliases?

2005-10-07 Thread kami petersen
what are the chances of getting multiple dynamic ip's assigned to one 
dhclient interface, as can be done with aliases for static ip's?


there's an alias specification in dhclient.conf(5) but it's not really 
clear whether you would be able to use it to get more than one dynamic 
ip (assuming that the dhcpd in the other end is willing to provide more).


the reason for all this is that my dsl provider says they are providing 
up to 5 dynamic ip's, and that could be useful for separating different 
services behind the firewall without nat.


/kami



OpenCON registration

2005-10-07 Thread Michele 'mydecay' Marchetto
hi list,

the OpenCON registration is now online.
Everyone who is going to attend the conference should fill in this form:
http://www.opencon.org/registration.php
to allow us to organize the place and the parties :)

thank you.

-- 
Michele 'mydecay' Marchetto
S.P.I.N.E. Group - http://www.spine-group.org/
PGP Key: http://www.spine-group.org/keys/mydecay.asc
Key fingerprint = 667A 4E73 EA53 66AC E2AB  D0CA 2908 1484 1F26 4C40



uvm_mapent_alloc: out of static map entries, check MAX_KMAPENT

2005-10-07 Thread Brad
To all end users experiencing the panic message as
mentioned in the topic above.

If you are looking for some relief from these panics
then I would highly recommend trying out a -current
snapshot. As of a week ago pedro@ had committed what
should be a permanent fix for this problem. Now instead
of your system panicking, the kernel will try to allocate
more memory for additional map entries. The kernel will
print out the usual

uvm_mapent_alloc: out of static map entries

but not panic. Also, looking at the vmstat display of
systat you will see that "kmapent" has been added to
the bottom right corner, this will show you the number
of map entries currently in use by the kernel.

So, please try this out on any systems which have
experienced this panic in the past, and this affects
3.8 too, and post the results back to the list.



Re: ssh key question

2005-10-07 Thread William Bloom
I've done this precise sort of thing on a set of Solaris machines (duplicated
the SSH host key) that participate in a cluster.  There is no reason I can
imagine why this wouldn't be a reasonable thing for you to do for the
circumstances you describe.  Decide which machine's SSH host key is the one to
be used for both machines, then copy /etc/ssh/ssh_host*key* from that machine
to the other.  You may like to first save the old keys from the target machine
in another backup directory for fallback, just in case an unexpected problem
arises later.

Once this is done, any SSH clients who have established connections to the 2nd
machine in the past while it was still using its original host key may now
still have that old public key in their private 'known hosts' list.  That's OK,
but the user of the SSH client may see a warning that a host-spoof is suspected
as soon as he/she tries to connect (after the host key has been replaced).  So
you might get a few phone calls.  If possible and practical, it would be good
to check all the SSH clients' 'known hosts' lists and remove the obsolete entry
(it will get recreated automatically later during the next SSH connection).


Bill


[EMAIL PROTECTED] wrote:
> Maybe this is slightly off topic because it is more of an ssh question,
> sorry.
> 
> I have two openbsd boxes running sshd.  They are mirrors of each other, and
> we switch between them every two weeks.  They have their own IP numbers,
> 10.1.1.42, and 10.1.1.43, but whichever machine is the production box gets
> the IP number 10.1.1.44 and you can no longer get to that machine via its
> own IP number.
> 
> Currently all employees telnet into the production box.  I want to get that
> switched over to ssh.  The trouble is the host key appearing to change every
> two weeks.  Can I just duplicate the host key from one box onto the other
> box?  And which key file[s] would that be that I need to copy?  Or do I need
> to see about turning off host key checking on our client?
> 
> --ja
> 

-- 
William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado
Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 |
Fax: +11-602-604-3115| http://www.eldocomp.com

-- CONFIDENTIALITY NOTICE --

Information transmitted by this e-mail is proprietary to MphasiS and/or its 
Customers and is intended for use only by the individual or entity to which it 
is addressed, and may contain information that is privileged, confidential or 
exempt from disclosure under applicable law. If you are not the intended 
recipient or it appears that this mail has been forwarded to you without proper 
authority, you are notified that any use or dissemination of this information 
in any manner is strictly prohibited. In such cases, please notify us 
immediately at [EMAIL PROTECTED] and delete this mail from your records.
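
One way to carry out and verify the key duplication described in this reply, as an added example that is not part of the original message. The directory arguments stand in for /etc/ssh on each box, and the function names and the hostkeys.orig backup directory are hypothetical.

```shell
#!/bin/sh
# Added example: duplicate SSH host keys between two mirrored boxes, check
# that both now present the same identity, and clear stale client entries.
# Function names and the backup directory name are hypothetical.

# Print the fingerprint field of one public host key file.
host_fp() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# same_host_keys DIR_A DIR_B
# Succeeds only if every ssh_host*key.pub in DIR_A also exists in DIR_B
# with an identical fingerprint, so clients see one identity for both boxes.
same_host_keys() {
    rc=0
    for pub in "$1"/ssh_host*key.pub; do
        if [ ! -f "$pub" ]; then
            echo "no public host keys found in $1" >&2
            return 2
        fi
        peer="$2/$(basename "$pub")"
        if [ ! -f "$peer" ]; then
            echo "missing on peer: $(basename "$pub")" >&2
            rc=1
        elif [ "$(host_fp "$pub")" != "$(host_fp "$peer")" ]; then
            echo "fingerprint mismatch: $(basename "$pub")" >&2
            rc=1
        fi
    done
    return "$rc"
}

# clone_host_keys SRC_DIR DST_DIR
# Moves DST_DIR's current keys aside for fallback, installs SRC_DIR's keys,
# then verifies the result.
clone_host_keys() {
    backup="$2/hostkeys.orig"      # hypothetical backup location
    mkdir -p "$backup" || return 1
    chmod 700 "$backup"
    for f in "$2"/ssh_host*key*; do
        if [ -f "$f" ]; then mv "$f" "$backup/" || return 1; fi
    done
    for f in "$1"/ssh_host*key*; do
        if [ -f "$f" ]; then cp -p "$f" "$2/" || return 1; fi
    done
    # Private host keys must not be readable by other users.
    for f in "$2"/ssh_host*key; do
        if [ -f "$f" ]; then chmod 600 "$f"; fi
    done
    same_host_keys "$1" "$2"
}

# purge_known_host HOST KNOWN_HOSTS_FILE
# Removes the stale client-side entry for HOST; the client records the
# host key again on its next connection.
purge_known_host() {
    ssh-keygen -R "$1" -f "$2" >/dev/null 2>&1
}
```

On a client, `purge_known_host 10.1.1.44 ~/.ssh/known_hosts` drops the stale entry for the shared production address; ssh-keygen keeps the previous file as known_hosts.old.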



Re: How to apply patches on a small PC

2005-10-07 Thread Damon McMahon

Frederic,

I have OpenBSD installed on a similar spec machine (P-75 with 40 MB of 
RAM, 1 GB disk).


Last time I recompiled a kernel was when it had release 3.5 installed 
on it, and I think it took 4-5 hours to build - not too bad, really. 
Since then I think the compiler has changed and from memory gcc3 may 
take longer to build, so ymmv.


Best wishes,
Damon


--

Date: Fri, 30 Sep 2005 15:23:01 +0200
From: "Frederic Durodie @ JET" <[EMAIL PROTECTED]>
To: 
Subject: How to apply patches on a small PC
Message-ID: <[EMAIL PROTECTED]>

Hi,

I'm trying to use a small older pc (75MHz first generation Pentium 64MB ram
3 GB of disk) as a webserver/fileserver using OBSD 3.6. I'm OK to install
the patches but some of them require to rebuild the kernel which I suspect
could take forever on this pc (haven't tried it though) and eats up a lot of
the disk space available.

Is there another way to apply those patches : e.g. can one copy the kernel
from another pc running 3.6 where the patch has been applied. In general can
I copy the patched executables (possibly using rsync) ?

Thanks.
Frederic


--




Re: BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Karl Austin

Claudio Jeker wrote:

> On Fri, Oct 07, 2005 at 04:35:51PM +0200, Olivier Mehani wrote:
> > On Fri, 7 Oct 2005 16:09:28 +0200
> > Léo Goehrs <[EMAIL PROTECTED]> wrote:
> >
> > > The address space can be given by one of the provider.
> >
> > But then, I understand that the route to these addresses will go
> > through the address-providing ISP. Correct ?
>
> No. You need provider independent address space for such setups plus an AS
> number. At least for IPv4 it goes this way. In IPv6 land it is no longer
> possible to get provider independent address space and so multihoming is
> broken and this makes IPv6 unusable in the real life.

You don't have to have PI space at all, many providers will let you 
punch a hole in their PA allocation if you do not have your own PA 
allocation (Not technically a great practice, but it adds the same extra 
NLRI to the routing table as PI space would). However I am guessing in 
this situation that BGP is going to be overkill and the providers 
wouldn't configure it unless we're talking about leased lines/E1, T1 
etc. etc.


Thanks,

Karl Austin



Re: BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Claudio Jeker
On Fri, Oct 07, 2005 at 04:35:51PM +0200, Olivier Mehani wrote:
> On Fri, 7 Oct 2005 16:09:28 +0200
> Léo Goehrs <[EMAIL PROTECTED]> wrote:
> 
> > The address space can be given by one of the provider.
> 
> But then, I understand that the route to these addresses will go
> through the address-providing ISP. Correct ?
> 

No. You need provider independent address space for such setups plus an AS
number. At least for IPv4 it goes this way. In IPv6 land it is no longer
possible to get provider independent address space and so multihoming is
broken and this makes IPv6 unusable in the real life.

> Or is the very role of bgpd to tell the _other_ provider that the
> addresses are also reachable through his routers, which will then
> propagate the information to the whole internet ?
> 

The role of bgp is just to exchange routing information and selecting the
best path. So yes that's the role of bgpd.

> (I absolutely don't know about BGP, thought it was time I started
> getting information ;))
> 
> Moreover, I guess not every provider accepts BGP information from its
> clients. And what prevents me from sending crafted BGP packets saying
> that I can route to a specific address space I actually don't own ?
> 

Getting a bgp session from a provider is normally the smallest problem. OK
most will refuse to do that for a private customer but for business
customers with fat pipes this is mostly no problem.

Address spoofing is a known problem and that's why the upstream providers
should filter what you send to them. It is possible to hijack address room
at least for part of the internet. As an example it happened once through
misconfiguration that a small customer started to announce a /8 as
individual /24 networks. This resulted in a major internet outage because
some backbone cisco routers started to reload because of memory shortage.

-- 
:wq Claudio



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Roberto Pereyra
Hi

Where I can find bgp uses examples (simples, for newbies) ?

Thanks

roberto

2005/10/7, Abraham Al-Saleh <[EMAIL PROTECTED]>:
> On 10/7/05, Olivier Mehani <[EMAIL PROTECTED]> wrote:
> >
> > On Fri, 7 Oct 2005 14:29:08 +0200
> > "Johan M:son Lindman" <[EMAIL PROTECTED]> wrote:
> >
> >
> > > > One of my clients has got an Internet connection with a no much
> > > > affidable provider. He reports continual disconnection and so on. I
> > > > would like to do a second connection with another provider to
> > > > obtain a sort of redundancy, a fault tollerance. What I have to do
> > > > to obtain the automatic connection with both of the providers and
> > > > to shift to the one that is connected when the other is in trouble?
> > > > ( without problems for the client).
> > > Border Gateway Protocol.
> >
> > Doesn't it imply that said client has its own IP addresses range and
> > not NATing behind one single ISP-provided address ?
>
>
> yes.
>
> Alternatively, look at route-to in pf.conf
>
> --
> > Olivier Mehani <[EMAIL PROTECTED]>
> > PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
> >
> >
>
>
> --
> Abe Al-Saleh
> And then came the Apocolypse. It actually wasn't that
> bad, everyone got the day off and there were barbeques
> all around.



BGP (was Re: Two Isp Fault Tollerance Help)

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 16:09:28 +0200
Léo Goehrs <[EMAIL PROTECTED]> wrote:

> The address space can be given by one of the provider.

But then, I understand that the route to these addresses will go
through the address-providing ISP. Correct ?

Or is the very role of bgpd to tell the _other_ provider that the
addresses are also reachable through his routers, which will then
propagate the information to the whole internet ?

(I absolutely don't know about BGP, thought it was time I started
getting information ;))

Moreover, I guess not every provider accepts BGP information from its
clients. And what prevents me from sending crafted BGP packets saying
that I can route to a specific address space I actually don't own ?

-- 
Olivier Mehani <[EMAIL PROTECTED]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: It ain't quick, but it's sure fun

2005-10-07 Thread Rogier Krieger
On 10/7/05, Nick Holland <[EMAIL PROTECTED]> wrote:
> Rogier Krieger wrote:

Somehow, I expected you'd reply :)


> > Giving up on the BIOS built-in LANdesk
> > 0.99 PXEboot was a little harder, but the machine is a wee bit beyond
> > its supported life cycle.
>
> If that's on the fxp card/chip, you might have luck downloading and
> updating the boot ROMs.  I did eventually find an Intel download which
> works on most of my fxp cards with the 0.99 PXE stuff.

I'm not sure yet whether the PXE lives on the card or within the BIOS.
So far, the only way to get to the PXE was through enabling "Boot from
LAN first", although I do not find it entirely conclusive. The Realtek
card is just the first piece we found lying around to put in the spare
(and only) PCI slot. The fxp is integrated on the board.

I saw several posts in the misc@ archives detailing problems with the
0.99 revision. I'll dig around the Intel jungle to see what I can find
and report on success/failure.


> Typically, around 1M of RAM is required to fsck 1G of disk.  You can use
> a swap partition (NOT a swap file, as that isn't activated yet), but
> that's slow.

I know; I created wd0a to fit well within the 504M limit as listed in
the FAQ. There also is a ~900M swap partition to deal with the ~200G
data partition. That said, let's say I place a good deal of faith in
the machine's uptime potential to not need to fsck. Also, fsck
shouldn't be too fast: otherwise my 9k6 serial console may fall behind
:)


> But yes...fun. :)

Indeed; a perfect tinkering thing for a Friday afternoon.


Cheers,

Rogier
--
If you don't know where you're going, any road will get you there.



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Johan M:son Lindman
On Friday 07 October 2005 15.33, you wrote:
> On Fri, 7 Oct 2005 14:29:08 +0200
>
> "Johan M:son Lindman" <[EMAIL PROTECTED]> wrote:
> > > One of my clients has got an Internet connection with a no much
> > > affidable provider. He reports continual disconnection and so on. I
> > > would like to do a second connection with another provider to
> > > obtain a sort of redundancy, a fault tollerance. What I have to do
> > > to obtain the automatic connection with both of the providers and
> > > to shift to the one that is connected when the other is in trouble?
> > > (  without problems for the client).
> >
> > Border Gateway Protocol.
>
> Doesn't it imply that said client has its own IP addresses range  and
> not NATing behind one single ISP-provided address ?

Well the original post doesn't tell us jack about the type of connections this 
client of his has, really. It merely state that there's problem with 
connectivity at customer site. I'm not going to make assumptions either way, 
but for proper fault tolerant internet connectivity BGP is one (the?) way to 
go and is very well supported by OBSD.


Regards
Johan M:son



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Abraham Al-Saleh
On 10/7/05, Olivier Mehani <[EMAIL PROTECTED]> wrote:
>
> On Fri, 7 Oct 2005 14:29:08 +0200
> "Johan M:son Lindman" <[EMAIL PROTECTED]> wrote:
>
>
> > > One of my clients has got an Internet connection with a no much
> > > affidable provider. He reports continual disconnection and so on. I
> > > would like to do a second connection with another provider to
> > > obtain a sort of redundancy, a fault tollerance. What I have to do
> > > to obtain the automatic connection with both of the providers and
> > > to shift to the one that is connected when the other is in trouble?
> > > ( without problems for the client).
> > Border Gateway Protocol.
>
> Doesn't it imply that said client has its own IP addresses range and
> not NATing behind one single ISP-provided address ?


yes.

Alternatively, look at route-to in pf.conf

--
> Olivier Mehani <[EMAIL PROTECTED]>
> PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
>
>


--
Abe Al-Saleh
And then came the Apocolypse. It actually wasn't that
bad, everyone got the day off and there were barbeques
all around.



ssh key question

2005-10-07 Thread jabbott
Maybe this is slightly off topic because it is more of an ssh question, sorry.

I have two openbsd boxes running sshd.  They are mirrors of each other, and we 
switch between them every two weeks.  They have their own IP numbers, 
10.1.1.42, and 10.1.1.43, but whichever machine is the production box gets the 
IP number 10.1.1.44 and you can no longer get to that machine via its own IP 
number.

Currently all employees telnet into the production box.  I want to get that 
switched over to ssh.  The trouble is the host key appearing to change every 
two weeks.  Can I just duplicate the host key from one box onto the other box?  
And which key file[s] would that be that I need to copy?  Or do I need to see 
about turning off host key checking on our client?

--ja

-- 



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Léo Goehrs
Absolutely, you need an AS

The address space can be given by one of the provider.

Léo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Olivier Mehani
Sent: Friday, 7 October 2005 15:34
To: misc@openbsd.org
Subject: Re: Two Isp Fault Tollerance Help

On Fri, 7 Oct 2005 14:29:08 +0200
"Johan M:son Lindman" <[EMAIL PROTECTED]> wrote:


> > One of my clients has got an Internet connection with a no much
> > affidable provider. He reports continual disconnection and so on. I
> > would like to do a second connection with another provider to
> > obtain a sort of redundancy, a fault tollerance. What I have to do
> > to obtain the automatic connection with both of the providers and
> > to shift to the one that is connected when the other is in trouble?
> > (  without problems for the client).
> Border Gateway Protocol.

Doesn't it imply that said client has its own IP addresses range  and
not NATing behind one single ISP-provided address ?

-- 
Olivier Mehani <[EMAIL PROTECTED]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



Re: newbie tcpdump pflog0 output, "rule number" question

2005-10-07 Thread Didier Wiroth
thx, problem solved with:
pfctl -sr -vv



Re: It ain't quick, but it's sure fun

2005-10-07 Thread Nick Holland
Rogier Krieger wrote:
> We recently deployed a new fileserver:)
> 
> Most surprising thing was that it recognised a 250 GByte HDD at the
> first go, without real effort.

Yes, I've been pleasantly surprised about how well big drives work on
old machines.  I've been assured that this is ok by people who
know...and my testing has been pretty abusive.

> Giving up on the BIOS built-in LANdesk
> 0.99 PXEboot was a little harder, but the machine is a wee bit beyond
> its supported life cycle.

If that's on the fxp card/chip, you might have luck downloading and
updating the boot ROMs.  I did eventually find an Intel download which
works on most of my fxp cards with the 0.99 PXE stuff.

> For those interested; it's a WinNET II 5BLIP board that will primarily
> route a few packets on a cable modem uplink. Thanks for making this
> work so painlessly.
> 
> Cheers,
> 
> Rogier
> 
> OpenBSD 3.8 (GENERIC) #0: Thu Oct  6 16:03:07 CEST 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Cyrix 6x86 (486-class)
> real mem  = 31825920 (31080K)
> avail mem = 21037056 (20544K)
...
> wdc0 at isa0 port 0x1f0/8 irq 14
> wd0 at wdc0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors

yikes.
Um...be really careful with this.  If that 250G drive is just because it
is what you had around, and you created the minimal partitions you
needed, no problem, but if you used the "I have the disk, I'm going to
allocate the whole thing, dang it!" philosophy, you may be in for
trouble if you have to fsck the thing.

Typically, around 1M of RAM is required to fsck 1G of disk.  You can use
a swap partition (NOT a swap file, as that isn't activated yet), but
that's slow.

But yes...fun. :)

Nick.



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 14:29:08 +0200
"Johan M:son Lindman" <[EMAIL PROTECTED]> wrote:


> > One of my clients has got an Internet connection with a no much
> > affidable provider. He reports continual disconnection and so on. I
> > would like to do a second connection with another provider to
> > obtain a sort of redundancy, a fault tollerance. What I have to do
> > to obtain the automatic connection with both of the providers and
> > to shift to the one that is connected when the other is in trouble?
> > (  without problems for the client).
> Border Gateway Protocol.

Doesn't it imply that said client has its own IP addresses range  and
not NATing behind one single ISP-provided address ?

-- 
Olivier Mehani <[EMAIL PROTECTED]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



newbie tcpdump pflog0 output, "rule number" question

2005-10-07 Thread Didier Wiroth
Hi,
I've three questions.

1) regarding "tcpdump -nettti pflog0" output.

How do I have to interpret the "rule 15" sample output of tcpdump below?
Sample
Oct 07 15:12:02.352998 rule 15/(match) block in on fxp0: x.x.x.x.18227 >
x.x.x.x.80: S 63197884:63197884(0) win 65535 

I had a look at my rules with pfctl -sr, here is rule 15:
block drop quick on fxp1 inet proto udp from  to any port
= netbios-dgm label "15"

FOR INFO, I'm using the "$nr" label macro to get the rule number!

2a) Is there a specific option available for pfctl to show the rule
number, or another tool?
2b) Is: label "$nr"   the only method to display the line number?

Many thanks
Didier

Here is the output of "pfctl -sr":

scrub in all fragment reassemble
scrub out on fxp0 all random-id fragment reassemble
block drop quick inet6 all label "2"
block drop log quick from  to any label "3"
block drop log quick from  to any label "4"
block drop quick on fxp2 inet proto tcp from  to any port
= netbios-ns label "5"
block drop quick on fxp2 inet proto tcp from  to any port
= netbios-dgm label "6"
block drop quick on fxp2 inet proto tcp from  to any port
= netbios-ssn label "7"
block drop quick on fxp2 inet proto udp from  to any port
= netbios-ns label "8"
block drop quick on fxp2 inet proto udp from  to any port
= netbios-dgm label "9"
block drop quick on fxp2 inet proto udp from  to any port
= netbios-ssn label "10"
block drop quick on fxp1 inet proto tcp from  to any port
= netbios-ns label "11"
block drop quick on fxp1 inet proto tcp from  to any port
= netbios-dgm label "12"
block drop quick on fxp1 inet proto tcp from  to any port
= netbios-ssn label "13"
block drop quick on fxp1 inet proto udp from  to any port
= netbios-ns label "14"
block drop quick on fxp1 inet proto udp from  to any port
= netbios-dgm label "15"
block drop quick on fxp1 inet proto udp from  to any port
= netbios-ssn label "16"
block drop log-all all label "17"
anchor "ftpsesame/*" all
pass inet proto icmp all icmp-type echoreq keep state label "19"
pass quick on lo0 all label "20"
pass out quick on fxp2 inet from 10.0.43.135 to any keep state label
"21"
pass out quick on fxp2 inet6 from fe80::290:27ff:fe9d:6df4 to any keep
state label "22"
pass quick inet proto tcp from 10.0.43.189 to 10.0.43.135 port = ssh
modulate state label "23"
pass quick inet proto tcp from 10.202.9.3 to 10.0.43.135 port = ssh
modulate state label "24"
pass quick inet proto tcp from  to  port = ssh
modulate state label "25"
pass inet proto tcp from any to 10.3.58.18 port = smtp modulate state
label "26"
pass inet proto tcp from any to 10.3.58.18 port = smtps modulate state
label "27"
pass inet proto tcp from any to 10.3.58.18 port = https modulate state
label "28"
pass inet proto tcp from any to 10.3.58.18 port = pop3s modulate state
label "29"
pass inet proto tcp from any to 10.3.58.18 port = imaps modulate state
label "30"
pass inet proto tcp from  to any port = smtp modulate state
label "31"
pass inet proto tcp from  to any port = ftp modulate state
label "32"
pass inet proto tcp from  to any port = ssh modulate state
label "33"
pass inet proto tcp from  to any port = www modulate state
label "34"
pass inet proto tcp from  to any port = https modulate state
label "35"
pass inet proto tcp from  to any port = cvsup modulate state
label "36"
pass inet proto tcp from  to any port = 13499 modulate state
label "37"
pass inet proto tcp from  to any port = nntp modulate state
label "38"
pass inet proto udp from  to any port = ntp keep state label
"39"
pass inet proto udp from  to any port = domain keep state
label "40"
pass inet proto udp from  to any port = 5999 keep state label
"41"

Here is pf.conf:
#DEFAULT BLOCK
block quick inet6 all label "$nr"
block log quick from  label "$nr"
block log quick from  label "$nr"
block quick on { $net_if, $int_if } inet proto { tcp, udp } from \
{  } to any port { 137,138,139 } label "$nr"
block log-all all label "$nr"
anchor "ftpsesame/*" label "$nr"
#ICMP
pass inet proto icmp all icmp-type echoreq keep state label "$nr"
#LOOPBACK
pass quick on lo0 all label "$nr"
#SECURE NET
pass out quick on $net_if from $net_if keep state label "$nr"
pass quick inet proto tcp from { lucy, 10.202.9.3 } to $net_if \
port ssh modulate state label "$nr"
pass quick inet proto tcp from  to  port ssh \
modulate state label "$nr"
#TO SERVER
pass inet proto tcp from any to $srv port { smtp, smtps, \
https, pop3s, imaps } modulate state label "$nr"
#INTERNAL TRAFFIC
pass inet proto tcp from  to any port { smtp, ftp, ssh, www, \
https, cvsup, 13499, nntp } modulate state label "$nr"
pass inet proto udp from  to any port { ntp, domain, cvsup } \
keep state label "$nr"



Re: CARP+Pfsync+Bind

2005-10-07 Thread Vladimir Potapov

Quoting ed <[EMAIL PROTECTED]>:


> Zone transfers are on tcp/53, DNS lookups are 53/udp, so:
>
> pass in on $ext_if proto udp from any to $DNS port 53 keep state
>
> and if required:
>
> pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state
>
> I use TinyDNS here, so we don't really need to transfer zones as it's
> handled with a single data file. CARP can be good with DNS.


OK. These 2 servers are DNS masters.
But if one server is master (CARP master, not DNS) and the other is CARP slave,
zones are sent only from the CARP master, and I need some sync tool such as
rsync to sync zone files between the 2 master DNS servers (one CARP master and
one CARP slave)?
Or if I want to do load balancing with CARP, how does it affect BIND?



It ain't quick, but it's sure fun

2005-10-07 Thread Rogier Krieger
We recently deployed a new fileserver:)

Most surprising thing was that it recognised a 250 GByte HDD at the
first go, without real effort. Giving up on the BIOS built-in LANdesk
0.99 PXEboot was a little harder, but the machine is a wee bit beyond
its supported life cycle.

For those interested; it's a WinNET II 5BLIP board that will primarily
route a few packets on a cable modem uplink. Thanks for making this
work so painlessly.

Cheers,

Rogier

OpenBSD 3.8 (GENERIC) #0: Thu Oct  6 16:03:07 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Cyrix 6x86 (486-class)
real mem  = 31825920 (31080K)
avail mem = 21037056 (20544K)
using 414 buffers containing 1695744 bytes (1656K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(74) BIOS, date 12/28/98, BIOS32 rev. 0 @ 0xfb120
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb59c
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf60/64 (2 entries)
pcibios0: PCI Exclusive IRQs: 11 15
pcibios0: no compatible PCI ICU found: ICU vendor 0x1078 product 0x0002
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
rl0 at pci0 dev 7 function 0 "Realtek 8139" rev 0x10: irq 15 address
00:4f:4e:0f:74:bc
rlphy0 at rl0 phy 0: RTL internal phy
fxp0 at pci0 dev 8 function 0 "Intel 82557" rev 0x05, i82558: irq 11,
address 00:e0:c5:e8:15:17
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
pcib0 at pci0 dev 18 function 0 "Cyrix GXm ISA" rev 0x00
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
vga0 at isa0 port 0x3b0/48 iomem 0xa/131072
wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(wdc0:0:0): using BIOS timings
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v4.12
midi0 at sb0: 
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: 
pcppi0 at isa0 port 0x61
midi2 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask 7745 netmask ff45 ttymask ffc7
pctr: no performance counters in CPU
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

And yes, I had my 3.8 CD's pre-ordered before making my own release. :)

--
If you don't know where you're going, any road will get you there.



Re: USB to RS232

2005-10-07 Thread Matteo Mancini
For the same purpose I'm using a Belkin serial converter F5U103, it's
quite expensive but works great..

Bye

MAtteo


Dirk-Willem van Gulik wrote:
> On Fri, 7 Oct 2005, Eric Dillenseger wrote:
> 
> 
>>I'll soon buy a soekris, but just realized i have no serial port on my
>>laptop (duh!), has someone already tried to use a usb serial adapter?
> 
> 
> Check out
> 
>   ubsa(4)
> 
> that has a list.
> 
> Dw



Re: Two Isp Fault Tollerance Help

2005-10-07 Thread Johan M:son Lindman
On Thursday 06 October 2005 10.24, you wrote:
> Hi to all.
>
> One of my clients has got an Internet connection with a not very reliable
> provider. He reports continual disconnection and so on. I would like to do
> a second connection with another provider to obtain a sort of redundancy, a
> fault tolerance. What I have to do to obtain the automatic connection with
> both of the providers and to shift to the one that is connected when the
> other is in trouble? (  without problems for the client).

Border Gateway Protocol.
See bgpd(8).


Regards
Johan M:son



Re: USB to RS232

2005-10-07 Thread Rod.. Whitworth
On Fri, 7 Oct 2005 12:07:29 +0200, Eric Dillenseger wrote:

>Hi,
>
>I'll soon buy a soekris, but just realized i have no serial port on my
>laptop (duh!), has someone already tried to use a usb serial adapter?
>Most of the time this works as a traditional com port on windows, but
>what about openbsd, will it be ok for a serial console?

It is either supported or it is not. If it is supported it works et v
v.
I bought one 2 days ago. No name. Windows XP needed a CD with a driver.
My r50e laptop dual boots to OpenBSD where I found it as a uplcom and
it has been supported for 3 years.

My suggestion: buy it - try it - it probably works.
If not send it to a developer (ask about which one first) and next time
it probably will work.

Mine cost $AUD30 inc GST and I got change. Go figure.


>
>-- 
>"Any attempt to brew coffee with a teapot should result in the error
>code "418 I'm a teapot".
>The resulting entity body MAY be short and stout."
>-- HTCPCP Spec, RFC 2324
>
>

From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: USB to RS232

2005-10-07 Thread Abel Talaverón Estevez
On Friday, 7 October 2005 12:07, wrote:
> Hi,
>
> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?
> Most of the time this works as a traditional com port on windows, but
> what about openbsd, will it be ok for a serial console?

Yes I do. It runs ok! I've tried a 

laptop running Windows XP + usb-serial + serial-serial + firewall running 
openbsd 

and it works

-- 
Abel Talaverón Estevez
Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas,29
28043 - MADRID - ESPAÑA
Telephone: 91 300 51 09
Fax:  91 300 28 13
http://www.openwired.com



Re: USB to RS232

2005-10-07 Thread Eric Huiban

Eric Dillenseger wrote:

> Hi,
>
> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?
> Most of the time this works as a traditional com port on windows, but
> what about openbsd, will it be ok for a serial console?

 

Trendnet TU-S9, cheap adapter tested on OpenBSD 3.7 - i386, and perhaps
on SPARC64 (I don't remember for the latest). It uses a classic pl2303.
Please note that previous releases of OpenBSD do detect the adapter but
are not able to issue any communication : new chip... latest release... ;-)




Re: /etc/hostname.if convention

2005-10-07 Thread Brian A. Seklecki
It's a solaris/sunos thing
~BAS

On Fri, 2005-10-07 at 04:16, Stephan A. Rickauer wrote:
> Hello,
> 
> can anyone tell me, whether the current naming convention of 
> /etc/hostname.if is because of history of /etc/hostname (which has been 
> extended) or if there are other reasons. I am just curious, since it is 
> not very descriptive compared to /etc/mygate or /etc/myname.
> 
> As I say, I don't suggest to change it, I am just curious where it comes 
> from. Thanks!



Re: USB to RS232

2005-10-07 Thread Olivier Mehani
On Fri, 7 Oct 2005 12:07:29 +0200
Eric Dillenseger <[EMAIL PROTECTED]> wrote:

> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?

Same problem here, I bought a Trendnet TU-S9, it works perfectly
(under Linux) to connect to my Soekris running OpenBSD.

Linux tells me that when I plug this in:
usbcore: registered new driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for
Generic usbcore: registered new driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core v2.0
drivers/usb/serial/usb-serial.c: USB Serial support registered for
PL-2303 pl2303 4-1.1:1.0: PL-2303 converter detected
usb 4-1.1: PL-2303 converter now attached to ttyUSB0
usbcore: registered new driver pl2303
drivers/usb/serial/pl2303.c: Prolific PL2303 USB to serial adaptor
driver v0.12

Hope this answers your question.

-- 
Olivier Mehani <[EMAIL PROTECTED]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1



question on the behavior of pfsync and interaction with pf...

2005-10-07 Thread Stefan Sczekalla-Waldschmidt
Hi, 

Does somebody have an idea what happens if, in a
two-machine-carp-failover-pfsync-setup, the pf.conf isn't the same on
both machines,
e.g. by accident or intentionally?

Also I was wondering how to test a pfsync setup.  I know I can check the
state table on both machines - but how would I check this using a
connection which would "fail" in case pfsync is not working?

Kind regards, 

Stefan Sczekalla-Waldschmidt



Re: USB to RS232

2005-10-07 Thread Dirk-Willem van Gulik
On Fri, 7 Oct 2005, Eric Dillenseger wrote:

> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?

Check out

ubsa(4)

that has a list.

Dw



USB to RS232

2005-10-07 Thread Eric Dillenseger
Hi,

I'll soon buy a soekris, but just realized i have no serial port on my
laptop (duh!), has someone already tried to use a usb serial adapter?
Most of the time this works as a traditional com port on windows, but
what about openbsd, will it be ok for a serial console?

-- 
"Any attempt to brew coffee with a teapot should result in the error
code "418 I'm a teapot".
The resulting entity body MAY be short and stout."
-- HTCPCP Spec, RFC 2324



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-07 Thread Daniel Ouellet

Claudio Jeker wrote:

On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:



Now with MD5 configured. We only add

tcp md5sig password test on bgpd side and
neighbor 66.63.12.108 password test on the Cisco side.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with a possibly very
long delay.


With bgpd slave
Just can't establish a session whatsoever! The Cisco side will get
stuck in the OpenSent mode and cycle a few times, all without success.


66.63.12.108    4 65001       0       1        0    0    0 never    OpenSent




I can't reproduce this. On my test setup all sessions come back up.


Configuration with MD5.

Well, let's see if this helps or not. Two examples below. One might not be
very elegant, but I think it may well show the problem. I force the bgpd
to try to be slave using some filter on the Cisco router. The filter
WILL be temporary in my case anyway as I want the session to be stuck in
OpenSent mode and then at that time I will remove the filter and sit back
and watch. So, what happens is that the session will never come up, I
think it should anyway, but it doesn't.


Then when I see on the Cisco router OpenSent, I will simply remove the
filter to be 100% sure nothing is blocking the regular traffic and see
if the session can recover. It doesn't.


So, I use this filter to force this stage on the Interface facing the bgpd.

ip access-list extended bgpd-slave
 permit tcp any eq bgp any neq bgp
 deny   tcp any neq bgp any eq bgp
 permit ip any any

and apply it like this

interface FastEthernet0/0
 description Connection to OpenBSD Test Lab
 ip address 66.63.12.107 255.255.255.192
 ip access-group bgpd-slave in

I save my config and to be ultra sure nothing else interferes, I simply
reload. No need to do that and it is stupid anyway, but just to be
paranoid here I do that.


After I can ping the Cisco for a few seconds, I initiate my bgpd on both
versions of OpenBSD and then when I see the OpenSent stage on the Cisco
router, because even if it should establish a slave connection with this
filter, it doesn't. Why, I wish I knew, but anyway it doesn't. Then when
in OpenSent mode, I remove the filter for the interface totally to be
sure nothing is in the way. Also, remember no pf is running as well and
the two servers are fresh installs with nothing on them other than the
install and then configuring the bgpd. That's it.



So, when I see:

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
66.63.12.106    4 65001       0       1        0    0    0 never    OpenSent
66.63.12.108    4 65001       0       1        0    0    0 never    OpenSent

I do

no ip access-group bgpd-slave in

on my fast Ethernet interface and then sit back. Nothing will ever happen
here. No session will ever get up. Never! It will cycle in close -> idle
-> active -> OpenSent and then stay there for a few minutes and then
cycle again to the same point and do that over and over again.


What I see on the OpenBSD on 3.7 is

# bgpctl s neigh 66.63.12.107
BGP neighbor is 66.63.12.107, remote AS 65001
 Description: iBGP Test
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

  Message statistics:
                  Sent       Received
  Opens                    1          0
  Notifications            0          0
  Updates                  0          0
  Keepalives               0          0
  Route Refresh            0          0
  Total                    1          0

  Local host:  66.63.12.106, Local port:179
  Remote host: 66.63.12.107, Remote port: 14670

==

and at each cycle of close -> idle -> active -> OpenSent, the port above
will change and in current, after the first cycle, it will show


Last error: unknown error code

instead and no port information, and error logs like this:

Oct  7 05:44:42 dev2 bgpd[21803]: startup
Oct  7 05:44:42 dev2 bgpd[14625]: route decision engine ready
Oct  7 05:44:42 dev2 bgpd[16756]: listening on 66.63.12.106
Oct  7 05:44:42 dev2 bgpd[16756]: session engine ready
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test): 
state change None -> Idle, reason: None
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test): 
state change Idle -> Connect, reason: Start
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test):
state change Connect -> OpenSent, reason: Connection opened
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test): 
write error: Invalid argument
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test): 
state change OpenSent -> Idle, reason: Fatal error

Oct  7 05:44:49 dev2 ntpd[24590]: adjusting local clock by -170.192293s
Oct  7 05:45:12 dev2 bgpd[16756]: neighbor 66.63.12.107 (iBGP Test): 
state change Idle -> Connect, reason: Start
Oc
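
The cycle visible in the bgpd log lines above (Connect -> OpenSent, a write error, then back to Idle, repeated) can be picked out of syslog mechanically. The following is an added example, not part of the original message and not OpenBGPD code; the log sample is constructed with documentation addresses, and the function names and the two-cycle threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted above (documentation
# addresses). Two records are wrapped the way the mail archive wraps them.
SAMPLE_LOG = """\
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test):
state change None -> Idle, reason: None
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): state change Idle -> Connect, reason: Start
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): state change Connect -> OpenSent, reason: Connection opened
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test):
write error: Invalid argument
Oct  7 05:44:42 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): state change OpenSent -> Idle, reason: Fatal error
Oct  7 05:44:43 dev2 bgpd[16756]: neighbor 192.0.2.9 (Peer B): state change Idle -> Connect, reason: Start
Oct  7 05:44:43 dev2 bgpd[16756]: neighbor 192.0.2.9 (Peer B): state change Connect -> OpenSent, reason: Connection opened
Oct  7 05:44:43 dev2 bgpd[16756]: neighbor 192.0.2.9 (Peer B): state change OpenSent -> OpenConfirm, reason: OPEN message received
Oct  7 05:44:43 dev2 bgpd[16756]: neighbor 192.0.2.9 (Peer B): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Oct  7 05:45:12 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): state change Idle -> Connect, reason: Start
Oct  7 05:45:12 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): state change Connect -> OpenSent, reason: Connection opened
Oct  7 05:45:12 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): write error: Invalid argument
Oct  7 05:45:12 dev2 bgpd[16756]: neighbor 192.0.2.7 (iBGP Test): state change OpenSent -> Idle, reason: Fatal error
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
EVENT = re.compile(
    r"bgpd\[\d+\]: neighbor (?P<peer>\S+) \((?P<descr>[^)]*)\):\s+"
    r"(?:state change (?P<old>\w+) -> (?P<new>\w+), reason: (?P<reason>.+)"
    r"|(?P<error>\w+ error: .+))$")


def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_stuck_sessions(text, min_failed_cycles=2):
    """Return peers that kept falling back to Idle and never reached Established."""
    peers = defaultdict(lambda: {"failed_cycles": 0, "established": False,
                                 "errors": [], "last_state": None, "last_reason": None})
    for record in unwrap(text):
        m = EVENT.search(record)
        if m is None:
            continue  # not a bgpd neighbor record (ntpd, startup messages, ...)
        p = peers[m["peer"]]
        if m["error"]:
            p["errors"].append(m["error"])
            continue
        p["last_state"], p["last_reason"] = m["new"], m["reason"]
        if m["new"] == "Established":
            p["established"] = True
        elif m["new"] == "Idle" and m["old"] not in ("None", "Idle", "Established"):
            p["failed_cycles"] += 1  # setup attempt abandoned before the session came up
    return {peer: p for peer, p in peers.items()
            if not p["established"] and p["failed_cycles"] >= min_failed_cycles}


if __name__ == "__main__":
    for peer, p in find_stuck_sessions(SAMPLE_LOG).items():
        print(f"{peer}: {p['failed_cycles']} failed cycles, last reason "
              f"{p['last_reason']!r}, errors {sorted(set(p['errors']))}")
```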

Re: Sendmail TLS

2005-10-07 Thread Eric Dillenseger
On Thu, Oct 06, 2005 at 08:40:35PM -0700, Claus Assmann wrote:
> On Thu, Oct 06, 2005, Eric Dillenseger wrote:
> 
> > I'm trying to setup a sendmail config using tls to use gmail as a 
> > smart-host.
> 
> Why?  Why don't you send mail directly?
> 
Because that way I can receive my mail and organize them in mutt with
procmail and reply to message transparently.
Some mailing lists do strict checking before accepting mail.
If gmail is sending the mail the gmail mx resolves correctly and so the
mail is accepted.
> > Now I see it successfully connected to gmail smtp, but didn't authenticate.
> > My question is, how can I make it authenticate?
> 
> See the fine documentation... but first you need to figure out what
> kind of authentication gmail requires: SMTP AUTH or STARTTLS?  For
> the former see
> 
> Providing SMTP AUTH Data when sendmail acts as Client
> 
> in cf/README.

As I could see, this requires to compile sendmail with -DSASL and
install cyrus-sasl, so I've found a workaround with msmtp, thanks
anyway.

-- 
"Any attempt to brew coffee with a teapot should result in the error
code "418 I'm a teapot".
The resulting entity body MAY be short and stout."
-- HTCPCP Spec, RFC 2324



Re: permissions on automatically created symlinks

2005-10-07 Thread Hannah Schroeter
Hello!

On Fri, Oct 07, 2005 at 11:50:42AM +0200, Isak Lyberth wrote:
>I have added a symlink that I need newly created users to automatically
>get, when they are created, into /etc/skel
>when I add new users this symlink is created just fine, but the owner of
>it is root:wheel
>I need it to be a certain group that will have read access to the
>symlink and to the destination folder.

Owner/Group/Permissions of symlinks are completely irrelevant
for readlink as well as access to the file/directory the link
points to. The only point where I've found a relevance is if
you want to remove the link again from a sticky directory, e.g.
/tmp.

Should *that* be a problem, see the -h option of chown.

So why do you really worry?

>[...]

Kind regards,

Hannah.



permissions on automatically created symlinks

2005-10-07 Thread Isak Lyberth
I have added a symlink that I need newly created users to automatically
get, when they are created, into /etc/skel
when I add new users this symlink is created just fine, but the owner of
it is root:wheel
I need it to be a certain group that will have read access to the
symlink and to the destination folder.


How do I make this possible?
I add users using addusers.
I have tried adding some chmod lines different places in the addusers
perl script, but still it's not working.



(i am using current)



Re: Wireless issue (ath0: bogus xmit rate 0x0 error)

2005-10-07 Thread Reyk Floeter
On Fri, Oct 07, 2005 at 02:20:37AM +0200, Fred Crowson wrote:
> ath0: bogus xmit rate 0x0
> 

ok, thanks. i think damien just fixed something similar in ral and
it's probably related to the switch to rssadapt(9).

reyk



NetMos 4S question

2005-10-07 Thread Genadijus Paleckis
I have 4 NetMos 4S serial cards and wanted to place them into a single
machine, all four cards are detected but it seems that only two of them
are working. Is there any limit on the number of serial ports on a system?


Thank you.



/etc/hostname.if convention

2005-10-07 Thread Stephan A. Rickauer

Hello,

can anyone tell me, whether the current naming convention of 
/etc/hostname.if is because of history of /etc/hostname (which has been 
extended) or if there are other reasons. I am just curious, since it is 
not very descriptive compared to /etc/mygate or /etc/myname.


As I say, I don't suggest to change it, I am just curious where it comes 
from. Thanks!


--

 Stephan A. Rickauer

 
 Institut für Neuroinformatik
 Universität / ETH Zürich
 Winterthurerstrasse 190
 CH-8057 Zürich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch
 



Re: dual DVI graphics card

2005-10-07 Thread Sam Vaughan

On 07/10/2005, at 11:50 AM, Martin Schröder wrote:

> One DVI port does up to 1600x1200, so you need four DVI (two
> dual-link) ports.



I beg to differ.  I'm currently using a 1920x1200 monitor at native
resolution connected to the DVI port of a three year old Radeon 7500
that certainly isn't dual link.

For an Apple 30" Cinema display at 2560x1600 then yeah, you'd need dual
link per display, but that's a completely different class of pixel real
estate!



Re: Problem with arla.

2005-10-07 Thread Jan Johansson
To summarize what I have seen of AFS on OpenBSD.

3.7:
Included arla works (sort of) but misses callbacks quite
often (might be bug in our servers as we are still running
1.2.xx).

3.8: (My guess as I have seen problems on what was 3.7-current)
Included arla will sometimes not find home cell (or other
cells).

3.8-current:
Included arla will sometimes not find home cell (or other
cells).

OpenAFS fails to build as it does not find the removed
extattr.h (FFS extended attributes were dropped after 3.8
release).

Arla 0.40 refuses to build as it does not find declaration of
MNT_UNION (layered filesystems were removed after 3.?).

I have not had time to examine this enough to make a proper
bug report and I will not get the time in the near future.
In fact as of yesterday for the first time in six years I do not
own a computer that runs OpenBSD.

ober: Thanks for the howto it will be very useful when I return
to this as my earlier attempts with OpenAFS on OpenBSD have failed.

Jan J