Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Leonardo Rodrigues

From what I've heard, Samba 4.0 will be able to fully replace an
Active Directory PDC.
Current Samba version (3.x) is only able to fully replace an NT-style PDC.


On 11/2/06, Gustavo Rios [EMAIL PROTECTED] wrote:

When you say about samba 4.0, you mean it can be used as a fully
replacement for a WINDOWS PDC?

Thanks in advance!




Is apropos on OBSD 3.9 broken?

2006-11-02 Thread Karel Kulhavy
[EMAIL PROTECTED]:~$ apropos libnet 

Net::Config (3) - Local configuration data for libnet   
Net::Config (3p) - Local configuration data for libnet  
libnetFAQ (3) - libnet Frequently Asked Questions   
libnetFAQ (3p) - libnet Frequently Asked Questions  
libnetcfg (1) - configure libnet
[EMAIL PROTECTED]:~$ man 3 libnetFAQ

man: no entry for libnetFAQ in section 3 of the manual. 

CL



Upgrade problem on spac64 3.9-4.0

2006-11-02 Thread Francois Visconte

Hello,

I'm trying to upgrade from 3.9 to 4.0 from sources.
I'm currently running 3.9.

My gcc version:
$ gcc --version
gcc (GCC) 3.3.5 (propolice)


When i'm trying to compile kernel i have the following error :


[EMAIL PROTECTED]/usr/src/sys/arch/sparc64/compile/GENERIC% make depend
mkdir -p /usr/src/sys/arch/sparc64/compile/GENERIC/lib/kern
depending the kern library objects
depending the compat library objects
sh 
/usr/src/sys/arch/sparc64/compile/GENERIC/../../../../kern/genassym.sh 
cc  -O2 -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes  
-Wno-uninitialized -Wno-format -Wno-main  -Wstack-larger-than-2047 
-Wa,-Av9a, -mno-fpu -fno-builtin-printf -fno-builtin-log  -pipe 
-nostdinc -I. 
-I/usr/src/sys/arch/sparc64/compile/GENERIC/../../../../arch 
-I/usr/src/sys/arch/sparc64/compile/GENERIC/../../../.. -DDDB 
-DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO 
-DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 
-DLKM -DFFS -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS 
-DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 
-DUDF -DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC 
-DPPP_BSDCOMP -DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DPCIVERBOSE 
-DUSER_PCICONF -DAPERTURE -DUSBVERBOSE -DISP_COMPILE_FW=1 
-DISP_COMPILE_1000_FW=1 -D_KERNEL  -DMAXUSERS=64  
/usr/src/sys/arch/sparc64/compile/GENERIC/../../../../arch/sparc64/sparc64/genassym.cf 
> assym.h.tmp && mv -f assym.h.tmp assym.h

cc1: error: unrecognized option `-Wstack-larger-than-2047'
*** Error code 1
_


Best regards,
François Visconte



Re: Upgrade problem on spac64 3.9-4.0

2006-11-02 Thread Miod Vallat

I'm trying to upgrade from 3.9 to 4.0 from sources.

[...]

When i'm trying to compile kernel i have the following error :


http://www.openbsd.org/faq/upgrade-old.html#20060727



Re: Nintendo Wifi Connector and Nintendo DS (WEP)

2006-11-02 Thread Guido Tschakert
Damian Wiest wrote:
  On Tue, Oct 31, 2006 at 11:08:15AM +0100, Guido Tschakert wrote:
  Hello,
 
  after reading through the ralink broken after last update thread and
  seeing that Bruno is using an Nintendo Wifi Connector
  I wonder if someone has connected a Nintendo DS via an OpenBSD Box and
  the Nintendo Wifi Connector as AP using WEP.
  Without WEP everything works fine for me (i put my /etc/hostname.ural0
  at the bottom of this message)
  But I haven't worked out how to configure WEP.
  What worked was using WEP for a connection between the Wifi
Connector as
  Accesspoint and my notebook.
  So if anybody know in which format I have to use the WEP Key on
both the
  OpenBSD Box and the Nintendo DS, I really would like to know.
 
  thanks
 
  guido
 
 
 
 
 
  /etc/hostname.ural0
  inet 192.168.22.1 255.255.255.252 NONE media DS2 mediaopt hostap mode
  11b nwid zelda chan 12 -nwkey
 
  (btw the DS only works with 2Mbps)
 
  I've got a couple DS's (and a PSP  :(  ) at home and have been using
them
  with various systems (FreeBSD and OpenBSD with Aironet and Prism cards
  and a Linksys 54WRTG) acting as access points.  I don't seem to recall
  encountering any problems.  What does the Nintendo wireless adapter
  attach as?
 
Hello

the dmesg of the adapter is:
ural0 at uhub4 port 1
ural0: Nintendo Nintendo Wi-Fi USB Connector, rev 2.00/0.01, addr 2
ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address xx:xx:xx:xx:xx:xx


  Is there some reason you're hardcoding the transmit speed on your AP?
  I had no end of trouble trying to connect when I tried this.  I believe
  that if you specify the transmit speed, then all devices must use that
  speed.  Meaning, you can't have one using DS2, one using DS11 and your
  AP doing autoselect.  At least I couldn't get that sort of setup to
  function.
 

the reason for hardcoding the transmit speed is because the (u)ral
manual says:
The ural driver supports automatic control of the transmit speed in BSS
mode only. Therefore the use of a ural adapter in Host AP mode is
discouraged.
But that is no problem, I use this access point only for DS (and
upcoming Wii  ;-)  )

But I haven't worked out to use the WEP key on the DS.
I used the following line to configure the adapter:
inet 192.168.22.1 255.255.255.252 NONE media ds2 mediaopt hostap mode
11b nwid zelda chan 12 nwkey mario

  As for the WEP key, you should enter it just like you did on your AP.

Then I searched for Access Points with the DS and found zelda, encrypted
with WEP. I typed mario as wep key and then the DS told me: cannot
connect to access point.
I tried 40 and 104 Bits, hexadecimal and ascii keys on both the Openbsd
box and the DS, but nothing worked.
(now that I know how the DS recognizes if it is hexa or ascii (it's the
length of the string), but after reading through the wifi website of
nintendo I believe they are not really interested in security. They tell
you to use an easy to remember wep key, e.g. your cellphone number)

Connecting from a Laptop to the Adapter using wep works just without
problems.

thanks

guido



Re: Is apropos on OBSD 3.9 broken?

2006-11-02 Thread Jason McIntyre
On Thu, Nov 02, 2006 at 09:30:30AM +0100, Karel Kulhavy wrote:
 [EMAIL PROTECTED]:~$ apropos libnet
 Net::Config (3) - Local configuration data for libnet
 Net::Config (3p) - Local configuration data for libnet
 libnetFAQ (3) - libnet Frequently Asked Questions
 libnetFAQ (3p) - libnet Frequently Asked Questions
 libnetcfg (1) - configure libnet
 [EMAIL PROTECTED]:~$ man 3 libnetFAQ
 man: no entry for libnetFAQ in section 3 of the manual.

there are two issues here.
first of all, this will work:

$ man Net::libnetFAQ

that's because the perl doc has differing fields in it's name. i think
that is a change the perl people would have to make, not us.

the second issue is you appear to have both section 3 and 3p entries for
some pages. i don't have anything to hand i can check so: can you find
those files and provide ls -l for them. check that some are not old
pages that never got removed. is this a machine that gets its apropos
database updated regularly? you could try updating it...

i certainly don't have it here:

$ apropos libnet
Net::Config (3p) - Local configuration data for libnet
libnetFAQ (3p) - libnet Frequently Asked Questions
libnetcfg (1) - configure libnet

jmc



Re: Upgrade problem on spac64 3.9-4.0

2006-11-02 Thread Nico Meijer
Hi Francois,

 I'm trying to upgrade from 3.9 to 4.0 from sources.

Why?

http://www.openbsd.org/faq/upgrade40.html

HTH... Nico



Re: Upgrade problem on spac64 3.9-4.0

2006-11-02 Thread Otto Moerbeek
On Thu, 2 Nov 2006, Francois Visconte wrote:

 Hello,
 
 I'm trying to upgrade from 3.9 to 4.0 from sources.
 I'm currently running 3.9.
 
 My gcc version:
 $ gcc --version
 gcc (GCC) 3.3.5 (propolice)
 
 
 When i'm trying to compile kernel i have the following error :

Search the archives; or do yourself a favor and do a binary upgrade.

-Otto

 
 
 [EMAIL PROTECTED]/usr/src/sys/arch/sparc64/compile/GENERIC% make depend
 mkdir -p /usr/src/sys/arch/sparc64/compile/GENERIC/lib/kern
 depending the kern library objects
 depending the compat library objects
 sh /usr/src/sys/arch/sparc64/compile/GENERIC/../../../../kern/genassym.sh cc
 -O2 -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes  -Wno-uninitialized
 -Wno-format -Wno-main  -Wstack-larger-than-2047 -Wa,-Av9a, -mno-fpu
 -fno-builtin-printf -fno-builtin-log  -pipe -nostdinc -I.
 -I/usr/src/sys/arch/sparc64/compile/GENERIC/../../../../arch
 -I/usr/src/sys/arch/sparc64/compile/GENERIC/../../../.. -DDDB -DDIAGNOSTIC
 -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM
 -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 -DLKM -DFFS
 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS -DTCP_SACK
 -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS
 -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE
 -DMROUTING -DBOOT_CONFIG -DPCIVERBOSE -DUSER_PCICONF -DAPERTURE -DUSBVERBOSE
 -DISP_COMPILE_FW=1 -DISP_COMPILE_1000_FW=1 -D_KERNEL  -DMAXUSERS=64 
 /usr/src/sys/arch/sparc64/compile/GENERIC/../../../../arch/sparc64/sparc64/genassym.cf
 > assym.h.tmp && mv -f assym.h.tmp assym.h
 cc1: error: unrecognized option `-Wstack-larger-than-2047'
 *** Error code 1
 _
 
 
 Best regards,
 François Visconte



4.0 Packages. bad URL

2006-11-02 Thread Cristiano Deana

From http://www.openbsd.org/faq/faq15.html#PkgFind following URLs:


<li>In the package lists on the OpenBSD website:
<ul>
<li><a href="http://www.openbsd.org/4.0_packages/">Packages for OpenBSD 4.0</a>

but: http://www.openbsd.org/4.0_packages/

Not Found
The requested URL /4.0_packages/ was not found on this server.

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



Re: Upgrade problem on spac64 3.9-4.0

2006-11-02 Thread Stuart Henderson
On 2006/11/02 09:39, Francois Visconte wrote:
 I'm trying to upgrade from 3.9 to 4.0 from sources.
 I'm currently running 3.9.

Use a binary upgrade instead. Upgrading without install media
on http://www.openbsd.org/faq/upgrade40.html may help.



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Marc Balmer

Leonardo Rodrigues wrote:

 From what I've heard, Samba 4.0 will be able to fully replace an
Active Directory PDC.
Current Samba version (3.x) is only able to fully replace an NT-style PDC.


That is correct.



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Joachim Schipper
On Wed, Nov 01, 2006 at 11:54:24PM +0100, Marc Balmer wrote:
 stuartv wrote:
 I might have just about talked my boss into replacing our
 current WindowsNT (soon to be Win2003) primary file server
 with an OpenBSD server.  Unfortunately, since most of our
 work is done using Access databases (and other Microsoft
 Office products) we will have to continue using Windows
 systems for our desktop systems (for now).  This is a mix
 of Win98 and WinXP systems.  The File server will have to
 act as a primary domain controller on a windows network
 handling logins and permissions for various shares around 
 the network and share a couple network printers.  I would
 also like to use an encrypted file system on which to store
 important data that needs to be protected (in case of theft
 etc).
 
 Your setup is easy to do with OpenBSD but the encrypted filesystem 
 OpenBSD does not offer.  And it is not needed.  Nobody will steal your 
 file server.

Actually, OpenBSD does offer encrypted filesystems - well, technically,
svnd(4) is an encrypting block device, but that's close enough.

 This project is all part of my devious plan to gradually 
 convert to an all (or at least mostly) OpenBSD environment
 here at work (psst... don't tell my boss).  If this pans out,
 I think replacing our SQL server with MySQL on an OpenBSD box
 will be the next big conquest.  :)
 
 Replacing any SQL server with MySQL is just plain stupid.  Use 
 PostgreSQL, which unlike the crappy MySQL toy is a real database system.

Depends on what you want to do. MySQL might not be a real SQL server,
but it's damn fast at simple lookups.

That said, I'll stick with PostgreSQL.

Joachim



Re: ipsec vpn

2006-11-02 Thread Joachim Schipper
On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote:
 I'm going to upgrading a couple of our firewalls soon and as part of
 the upgrade I will be implementing VPN between a couple of our sites.
 
 Does this page still apply: http://www.securityfocus.com/infocus/1859

Yes, although some additions have been made since (notably, AH works
too).

 Any pitfalls or changes I should watch out for?

Filtering IPsec traffic might take some experimentation to get right.

 These firewall are running CARP.

Don't forget sasyncd; it has gotten *much* better in 4.0.

Joachim



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Rainer Giedat
Hi Stuart,

On Wed, Nov 01, 2006 at 04:59:21PM -0500, stuartv wrote:
 
 This project is all part of my devious plan to gradually 
 convert to an all (or at least mostly) OpenBSD environment
 here at work (psst... don't tell my boss).  If this pans out,
 I think replacing our SQL server with MySQL on an OpenBSD box
 will be the next big conquest.  :)
I would not do that if i were you. It does not matter if you
use MySQL or PostgreSQL or any other. Changing the backend
for MSAccess is a pain in the a**, especially if you have
frontends written in VisualBasic (dudes checking for -1 instead
of false...). You will become at least problems
with compatibility of the data types.

/dev/rainer



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread stillmostcluelessopenbsdfan
You might be willing to look at

man vnconfig

for hints regarding encrypted partitions.

I do not agree with nobody will steal your file server.

But surely I am that sort of admin who prefers password
protection for single user shells at the console of servers
in locked rooms.

Just being paranoid doesn't mean they are not out to get you.
;-)

And in a world without 100% security it is all about not making
an attackers life easier than necessary ...


On 1 Nov 2006 at 23:54, Marc Balmer wrote:

 stuartv wrote:
  [snip]  I would
  also like to use an encrypted file system on which to store
  important data that needs to be protected (in case of theft
  etc).
 
 Your setup is easy to do with OpenBSD but the encrypted filesystem 
 OpenBSD does not offer.  And it is not needed.  Nobody will steal your 
 file server.

[snip]




Interface groups configuration

2006-11-02 Thread Luca Corti
Hello,

Is there a native way to configure interface groups in hostname.if
instead of doing manually

ifconfig if ... group mygroup

or calling ifconfig from the hostname.if file like this

...
!ifconfig if group mygroup

?

This is not documented in hostname.if(5).

thanks



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Rainer Giedat
 You will become at least problems
 I want to become a vegetable.
 (SCNR.)
 ;-P
Aaargh, what a shame! ;(



Re: Interface groups configuration

2006-11-02 Thread Jason Dixon

On Nov 2, 2006, at 6:43 AM, Luca Corti wrote:


Hello,

Is there a native way to configure interface groups in hostname.if
instead of doing manually

ifconfig if ... group mygroup

or calling ifconfig from the hostname.if file like this

...
!ifconfig if group mygroup

?

This is not documented in hostname.if(5).


Sure it is.  It tells you that options come last.  Example:

# cat /etc/hostname.em1
inet 192.168.0.1 255.255.255.0 192.168.0.255 description LAN group internal



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Interface groups configuration

2006-11-02 Thread Jason McIntyre
On Thu, Nov 02, 2006 at 12:43:22PM +0100, Luca Corti wrote:
 Hello,
 
 Is there a native way to configure interface groups in hostname.if
 instead of doing manually
 
 ifconfig if ... group mygroup
 
 or calling ifconfig from the hostname.if file like this
 
 ...
 !ifconfig if group mygroup
 
 ?
 
 This is not documented in hostname.if(5).
 

it is documented...the options part of hostname.if(5) are ifconfig(8)
options, as noted in the man page. so you could do:

inet 10.0.0.1 255.255.255.0 10.0.0.255 group bob

jmc



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Stuart Henderson
On 2006/11/02 11:53, Joachim Schipper wrote:
 On Wed, Nov 01, 2006 at 11:54:24PM +0100, Marc Balmer wrote:
  stuartv wrote:
  with an OpenBSD server.  Unfortunately, since most of our
  work is done using Access databases (and other Microsoft
  Office products) we will have to continue using Windows
  systems for our desktop systems (for now).  This is a mix

You might not have too much work to move to a proper SQL backend
and still use Access as the user-interface, there are ODBC drivers
for pgsql/mysql, mdbtools and sqlfairy to help with translating.
If you stick with keeping the data in mdb files, investigate
oplock settings, google will find some references.

  Your setup is easy to do with OpenBSD but the encrypted filesystem 
  OpenBSD does not offer.  And it is not needed.  Nobody will steal your 
  file server.

If people steal line cards from live routers (as reportedly was
the cause of level3's outage in london yesterday) it's possible.

 Actually, OpenBSD does offer encrypted filesystems - well, technically,
 svnd(4) is an encrypting block device, but that's close enough.

this isn't quite the same thing, the encrypted filesystem relevant
to SMB file-serving is where individual files are (DES-)crypted by the
server with public-key crypto to encrypt the DES key which is then
stored with the file (the private key is stored as part of the
user's login profile). As such this is something that would have to
be implemented by Samba, not the OS. It's not something that's
entirely useful - guess what - the file is sent over the wire
in the clear. duh.



ppp.conf

2006-11-02 Thread martin g
hey all

Has anyone got an explanation for this:
Example:

/etc/ppp/ppp.conf

default :
set log ...

when i run ppp ... i get "Warning line 2 missing colon" or something like
that

but when i do this everything is all right and i don't get any warnings

/etc/ppp/ppp.conf

default:
   set log ...

notice the position of set log

Why is that so important


-- 
Welcome to The Zone, where normal things don't happen very often.



Re: Nintendo Wifi Connector and Nintendo DS (WEP)

2006-11-02 Thread Sam Fourman Jr.

Would it be too much trouble to post the entire dmesg from the Nintendo DS?

Sam Fourman Jr.

On 11/2/06, Guido Tschakert [EMAIL PROTECTED] wrote:

Damian Wiest wrote:
  On Tue, Oct 31, 2006 at 11:08:15AM +0100, Guido Tschakert wrote:
  Hello,
 
  after reading through the ralink broken after last update thread and
  seeing that Bruno is using an Nintendo Wifi Connector
  I wonder if someone has connected a Nintendo DS via an OpenBSD Box and
  the Nintendo Wifi Connector as AP using WEP.
  Without WEP everything works fine for me (i put my /etc/hostname.ural0
  at the bottom of this message)
  But I haven't worked out how to configure WEP.
  What worked was using WEP for a connection between the Wifi
Connector as
  Accesspoint and my notebook.
  So if anybody know in which format I have to use the WEP Key on
both the
  OpenBSD Box and the Nintendo DS, I really would like to know.
 
  thanks
 
  guido
 
 
 
 
 
  /etc/hostname.ural0
  inet 192.168.22.1 255.255.255.252 NONE media DS2 mediaopt hostap mode
  11b nwid zelda chan 12 -nwkey
 
  (btw the DS only works with 2Mbps)
 
  I've got a couple DS's (and a PSP  :(  ) at home and have been using
them
  with various systems (FreeBSD and OpenBSD with Aironet and Prism cards
  and a Linksys 54WRTG) acting as access points.  I don't seem to recall
  encountering any problems.  What does the Nintendo wireless adapter
  attach as?
 
Hello

the dmesg of the adapter is:
ural0 at uhub4 port 1
ural0: Nintendo Nintendo Wi-Fi USB Connector, rev 2.00/0.01, addr 2
ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address xx:xx:xx:xx:xx:xx


  Is there some reason you're hardcoding the transmit speed on your AP?
  I had no end of trouble trying to connect when I tried this.  I believe
  that if you specify the transmit speed, then all devices must use that
  speed.  Meaning, you can't have one using DS2, one using DS11 and your
  AP doing autoselect.  At least I couldn't get that sort of setup to
  function.
 

the reason for hardcoding the transmit speed is because the (u)ral
manual says:
The ural driver supports automatic control of the transmit speed in BSS
mode only. Therefore the use of a ural adapter in Host AP mode is
discouraged.
But that is no problem, I use this access point only for DS (and
upcoming Wii  ;-)  )

But I haven't worked out to use the WEP key on the DS.
I used the following line to configure the adapter:
inet 192.168.22.1 255.255.255.252 NONE media ds2 mediaopt hostap mode
11b nwid zelda chan 12 nwkey mario

  As for the WEP key, you should enter it just like you did on your AP.

Then I searched for Access Points with the DS and found zelda, encrypted
with WEP. I typed mario as wep key and then the DS told me: cannot
connect to access point.
I tried 40 and 104 Bits, hexadecimal and ascii keys on both the Openbsd
box and the DS, but nothing worked.
(now that I know how the DS recognizes if it is hexa or ascii (it's the
length of the string), but after reading through the wifi website of
nintendo I believe they are not really interested in security. They tell
you to use an easy to remember wep key, e.g. your cellphone number)

Connecting from a Laptop to the Adapter using wep works just without
problems.

thanks

guido




Month of the Kernel bug fuzzing tools

2006-11-02 Thread Will H. Backman

Anyone tried these fuzzing tools on  OpenBSD?
http://projects.info-pull.com/mokb/

What's the purpose of the MoKB ?
   Publish one bug on daily basis for the month of November, 2006. Show
   tools and procedures useful for testing the strength and quality of
   kernel code (ex. networking, filesystem handling) in existing
   operating systems (Mac OS X, FreeBSD, Solaris, GNU/Linux, etc).



Re: ppp.conf

2006-11-02 Thread Stuart Henderson
On 2006/11/02 15:19, martin g wrote:
 Has anyone got an explanation for this:

 default :
 set log ...
 
 when i run ppp ... i get "Warning line 2 missing colon" or something like
 that
 
 but when i do this everything is all right and i don't get any warnings
 
 /etc/ppp/ppp.conf
 
 default:
set log ...

rtfm ppp(8)

 o   A label name starts in the first column and is followed by a `:'
 character.

 o   A command line must contain a space or tab in the first column.
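A small validator for the two layout rules just quoted from ppp(8), added here as an example and not part of ppp or of the original thread. The two sample configurations are constructed to mirror the two layouts martin posted (the "set log" arguments are made up), and the whitespace-in-label check is this script's own addition, not something the quoted ppp(8) text states:

```python
# Validator for the ppp.conf layout rules quoted above from ppp(8).
# Added example, not ppp's own parser.  Sample configs are constructed to
# mirror the two layouts in the thread; the "set log" arguments are made up.

BROKEN_CONF = (
    "default :\n"             # label with a space before the colon
    "set log Phase Chat\n"    # command in column 1 -> treated as a label
)

FIXED_CONF = (
    "default:\n"              # label starts in column 1, ends with ':'
    " set log Phase Chat\n"   # command line starts with a space
)


def check_ppp_conf(text):
    """Parse ppp.conf text into {label: [commands]} and collect warnings.

    Rule 1 (ppp(8)): a label starts in the first column and ends with ':'.
    Rule 2 (ppp(8)): a command line has a space or tab in the first column.
    Any column-1 line without a trailing ':' therefore gets the same
    'missing colon' warning the thread reports for its line 2.
    """
    sections = {}
    warnings = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines carry no layout information
        if line[0] in " \t":
            # Rule 2: indented, so this is a command for the current label.
            if current is None:
                warnings.append(f"line {lineno}: command before any label")
            else:
                sections[current].append(line.strip())
            continue
        # Rule 1: column 1, so this must be a label ending in ':'.
        if not line.endswith(":"):
            warnings.append(f"line {lineno}: missing colon")
            continue
        label = line[:-1]
        if label != label.strip():
            # This validator's own check (not spelled out in ppp(8)): a label
            # written as "default :" is named "default " with a trailing
            # space, so a lookup for "default" will not match it.
            warnings.append(f"line {lineno}: label {label!r} contains whitespace")
        sections.setdefault(label, [])
        current = label
    return sections, warnings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        sections, warnings = check_ppp_conf(conf)
        print(name, sections, warnings or "no warnings")
```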



Re: ppp.conf

2006-11-02 Thread Johan SANCHEZ
On Thu, 2 Nov 2006 15:19:05 +0100
martin g [EMAIL PROTECTED] wrote:

 hey all

Hi
 
 Has anyone got an explanation for this:
 Example:
 
 /etc/ppp/ppp.conf
 
 default :
 set log ...
 
 when i run ppp ... i get "Warning line 2 missing colon" or something like
 that
 
 but when i do this everything is all right and i don't get any warnings
 
 /etc/ppp/ppp.conf
 
 default:
set log ...
 
 notice the position of set log

notice the position of the colon



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Joachim Schipper
On Thu, Nov 02, 2006 at 12:12:32PM +, Stuart Henderson wrote:
 On 2006/11/02 11:53, Joachim Schipper wrote:
  OpenBSD does offer encrypted filesystems - well, technically,
  svnd(4) is an encrypting block device, but that's close enough.
 
 this isn't quite the same thing, the encrypted filesystem relevant
 to SMB file-serving is where individual files are (DES-)crypted by the
 server with public-key crypto to encrypt the DES key which is then
 stored with the file (the private key is stored as part of the
 user's login profile). As such this is something that would have to
 be implemented by Samba, not the OS. It's not something that's
 entirely useful - guess what - the file is sent over the wire
 in the clear. duh.

Hmm, I was not aware of this particular 'encryption' scheme. Is there
any point to it, then? Breaking DES should be quite possible, anyway.

And if you want to cryptographically protect files from unauthenticated
access or somesuch, one could use Kerberos or the like. In fact, this is
what Samba and friends use.

Joachim



Re: OpenBSD as a PDC on a windows network

2006-11-02 Thread Jeff Ross

Rainer Giedat wrote:

Hi Stuart,

On Wed, Nov 01, 2006 at 04:59:21PM -0500, stuartv wrote:
This project is all part of my devious plan to gradually 
convert to an all (or at least mostly) OpenBSD environment

here at work (psst... don't tell my boss).  If this pans out,
I think replacing our SQL server with MySQL on an OpenBSD box
will be the next big conquest.  :)

I would not do that if i were you. It does not matter if you
use MySQL or PostgreSQL or any other. Changing the backend
for MSAccess is a pain in the a**, especially if you have
frontends written in VisualBasic (dudes checking for -1 instead
of false...). You will become at least problems
with compatibility of the data types.

/dev/rainer



But that is exactly what we _did_ do at work.  We moved from MS Access
to PostgreSQL seamlessly by using psqlodbc.  That let us put our data in
a real database, eliminated all of the data corruption problems we were
having with Access, and let our users continue to use the forms and
whatnot that they were used to while we coded up a web front end (using
php, to throw a comment out there to another thread running on misc@).

The boolean problem mentioned above is a checkbox in the ODBC driver
configs--not a very big PITA compared to supporting Access!

The only downside to the whole process was trying to debug something by
tailing Postgres's logs when someone was doing a query in Access.  One
lookup generates a couple of thousand lines of logs!

Jeff



Re: Sun BlackBox

2006-11-02 Thread Damian Wiest
On Wed, Nov 01, 2006 at 01:31:01PM -0500, Nick Guenther wrote:
 On 11/1/06, Chris Cameron [EMAIL PROTECTED] wrote:
 
 
 On Wed, 2006-11-01 at 14:55 -0300, Gustavo Rios wrote:
  Dear list members,
 
  While visiting sun blackbox home page, i saw they have a new project
  called blackbox. But i don't know whether openbsd could be used within
  it.
 
  Gustavo Rios
 
 Do you plan to need a trailer full of Sun hardware?
 
 
 They're just normal Sun machines in a trailer.
 
 Why would you ever want a trailer of computers? So you can go RV'ing
 and still hack?; get a double degree in Hick/Nerdism?
 
 -Nick

I haven't priced shipping containers lately, but I imagine this sort of 
setup could be useful in more rural areas instead of building out a 
facility.  Plus, they're shipping containers so you could stack a bunch 
of them together.

-Damian



Re: Sun BlackBox

2006-11-02 Thread Joshua Gimer
I think that their primary focus group for this product is the military.
They are the only group that I can think of that would benefit from it. I am
also pretty sure that they are the only ones that could turn a nice ROI with
it. With the amount of hardware that is in that thing, they are probably not
cheap.

On 11/2/06, Damian Wiest [EMAIL PROTECTED] wrote:

 On Wed, Nov 01, 2006 at 01:31:01PM -0500, Nick Guenther wrote:
  On 11/1/06, Chris Cameron [EMAIL PROTECTED] wrote:
  
  
  On Wed, 2006-11-01 at 14:55 -0300, Gustavo Rios wrote:
   Dear list members,
  
   While visiting sun blackbox home page, i saw they have a new project
   called blackbox. But i don't know whether openbsd could be used
 within
   it.
  
   Gustavo Rios
  
  Do you plan to need a trailer full of Sun hardware?
  
  
  They're just normal Sun machines in a trailer.
 
  Why would you ever want a trailer of computers? So you can go RV'ing
  and still hack?; get a double degree in Hick/Nerdism?
 
  -Nick

 I haven't priced shipping containers lately, but I imagine this sort of
 setup could be useful in more rural areas instead of building out a
 facility.  Plus, they're shipping containers so you could stack a bunch
 of them together.

 -Damian




-- 
Thx
Joshua Gimer



Re: Sun BlackBox

2006-11-02 Thread sushiandbeer
There's an interesting couple of articles on this project in Jonathan  
Schwartz's blog here:


http://blogs.sun.com/jonathan



On 2-Nov-06, at 8:03 AM, Joshua Gimer wrote:

I think that their primary focus group for this product is the military.
They are the only group that I can think of that would benefit from it. I am
also pretty sure that they are the only ones that could turn a nice ROI with
it. With the amount of hardware that is in that thing, they are probably not
cheap.

On 11/2/06, Damian Wiest [EMAIL PROTECTED] wrote:


On Wed, Nov 01, 2006 at 01:31:01PM -0500, Nick Guenther wrote:

On 11/1/06, Chris Cameron [EMAIL PROTECTED] wrote:



On Wed, 2006-11-01 at 14:55 -0300, Gustavo Rios wrote:

Dear list members,

While visiting sun blackbox home page, i saw they have a new project
called blackbox. But i don't know whether openbsd could be used within
it.

Gustavo Rios


Do you plan to need a trailer full of Sun hardware?


They're just normal Sun machines in a trailer.


Why would you ever want a trailer of computers? So you can go RV'ing
and still hack?; get a double degree in Hick/Nerdism?

-Nick


I haven't priced shipping containers lately, but I imagine this sort of
setup could be useful in more rural areas instead of building out a
facility.  Plus, they're shipping containers so you could stack a bunch
of them together.

-Damian





--
Thx
Joshua Gimer




RAIDframe: spare disk and initialy degraded array

2006-11-02 Thread Igor Goldenberg

Hello,

I want to migrate from one-disk installation to RAID1 array where
initial boot disk will be one of the components of array. I created
RAID1 in degraded mode (I have only two IDE disks: wd0 and wd1, but in
raid0.conf I wrote /dev/wd2b and /dev/wd1d). Then I copied my current
boot disk contents to new array (tar -Xcpf - / | tar -C /mnt -xvpf -)
and marked raid0 as root (raidctl -A root raid0). After reboot I have
raid as boot disk. In the raid0 I have now failed component0 and
optimal /dev/wd1b. After adding /dev/wd0b as spare disk,
reconstruction failed component0 to it (raidctl -F component0 raid0)
and initialization of parity (raidctl -P raid0) I have such raid0:

# raidctl -s raid0
raid0 Components:
 component0: spared
  /dev/wd1b: optimal
Spares:
  /dev/wd0b: used_spare
Parity status: clean
Reconstruction is 100% complete.
Parity Re-write is 100% complete.
Copyback is 100% complete.

It's good but I want to have two optimal raid0 components: /dev/wd0b
and /dev/wd1b, not as spared component0 and used_spare /dev/wd0b. What
I need to do for it?


And one more question. I have raid0b as swap partition but kernel puts on boot:
swapmount: no device
Kernel was booted from /dev/wd0a and /dev/wd0b is a raid partition.
Where does it search swap partition 'b': on wd0 or on new root -
raid0?



Re: Sun BlackBox

2006-11-02 Thread Michael Lockhart
Google has been doing this for a while, and the so called
portable-datacenter idea isn't all that new.  What's unique about
Sun's solution compared to an internal solution such as Google's is that
its relatively mainstream hardware, fully contained power/environmental
controls, and very easily portable (from what I've read/seen). 

The utility of portable datacenter blocks is very clear, think beyond
the cool or why factors and look at the following:

- Large scale development projects

- Emergency response (can you imagine how useful this would've been
during Katrina, along with a portable interface to COWS, the cell
network could have been up and running in 72 hours or less)

- Disaster recovery for remote datacenters, CLEC's, etc.

The potential utility here is great.  Now, let just hope that it's all
its cracked up to be. 

Regards,
Mike Lockhart
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart[Systems Engineering  Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663  3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Damian Wiest
Sent: Thursday, November 02, 2006 11:49 AM
To: misc@openbsd.org
Subject: Re: Sun BlackBox

On Wed, Nov 01, 2006 at 01:31:01PM -0500, Nick Guenther wrote:
 On 11/1/06, Chris Cameron [EMAIL PROTECTED] wrote:
 
 
 On Wed, 2006-11-01 at 14:55 -0300, Gustavo Rios wrote:
  Dear list members,
 
  While visiting sun blackbox home page, i saw they have a new project
  called blackbox. But i don't know whether openbsd could be used within
  it.
 
  Gustavo Rios
 
 Do you plan to need a trailer full of Sun hardware?
 
 
 They're just normal Sun machines in a trailer.
 
 Why would you ever want a trailer of computers? So you can go RV'ing
 and still hack?; get a double degree in Hick/Nerdism?
 
 -Nick

I haven't priced shipping containers lately, but I imagine this sort of 
setup could be useful in more rural areas instead of building out a 
facility.  Plus, they're shipping containers so you could stack a bunch 
of them together.

-Damian



Re: OpenBGPD issue 250000 prefix limit reached

2006-11-02 Thread Dustin Lundquist
I've done some more digging and I believe the issue is that AS path
updates are added to the RIB rather than replacing the current
entry in the RIB. When I dump the RIB from one neighbor:
 $ bgpctl show rib neighbor $ciscoip > cisco
and then count the entries with and without duplicate prefixes, I get
different prefix counts:
 $ cat cisco | wc -l
   212066
 $ cat cisco | sort -u -k2 | wc -l
   179908
Any insight would be appreciated.

Thanks,


Dustin Lundquist


Dustin Lundquist wrote:
 We have a rather mysterious issue with our OpenBGPD box. We use it to
 inject a bogon BGP feed and as a router monitor. We recently upgraded
 from 3.6 to 4.0 and bgpd keeps closing the session because max-prefix
 has been reached. I configured MRTG to generate graphs of prefixes on
 each of our BGP sessions and can see the prefix count slowly growing from
 about 16 to 25 over an 18 hour period. The Cisco router in
 question would hit hardware limitations before it could announce 250k
 prefixes, so I'm wondering if this could be an incompatibility or bug.
 The same configuration was working under 3.6.
 
 Cisco config excerpt:
  neighbor --openbsdbox-- remote-as --ourasn--
  neighbor --openbsdbox-- description iBGP with OpenBGPD
  neighbor --openbsdbox-- password 7 --md5 password removed--
  neighbor --openbsdbox-- version 4
  neighbor --openbsdbox-- next-hop-self
  neighbor --openbsdbox-- route-map bogons in
  neighbor --openbsdbox-- maximum-prefix 1000 70
 
 /etc/bgpd.conf excerpt:
 group iBGP {
     remote-as --ourasn--
     announce all
     max-prefix 25 restart 5
     multihop 3

     neighbor --cisco-- {
         descr iBGP with cisco
         tcp md5sig password --md5 password removed--
     }
     neighbor --anothercisco-- {
         descr iBGP with anothercisco
         tcp md5sig password --md5 password removed--
     }
 }



stopping command issued from shell script

2006-11-02 Thread Peter
I have a bourne shell script with a menu. One menu entry is for running
an executable to produce output (non-stop logging on a busy server) on
the screen. How can I stop this program and get kicked back to my
script (menu) when I have seen enough? So far all I can do is Ctrl-C
which kicks me back to my command prompt with no more output coming
through (something that happens if I merely start it in the
background)?  I am using the bash shell on OpenBSD 3.9.
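One way to get the behaviour asked about above, as an added example rather than anything from the thread: run the logging command as a background child of the menu script and trap SIGINT so Ctrl-C stops only the child and control returns to the menu. The function names are made up and tail -f /var/log/messages stands in for the logging executable; it relies on the fact that a background child of a non-interactive shell ignores SIGINT, so Ctrl-C reaches only the script.

```shell
#!/bin/sh
# Added example: a menu script whose "follow log" entry returns to the
# menu on Ctrl-C instead of the whole script dying together with the child.

# Run "$@" as a background child and wait for it.  The child ignores SIGINT
# (it was started with & by a non-interactive shell), so Ctrl-C is delivered
# to this script only; the trap then stops the child and control returns
# to the caller.  TERM is handled the same way so a kill behaves alike.
run_until_ctrl_c() {
    "$@" &
    child=$!
    trap 'kill "$child" 2>/dev/null' INT TERM
    # wait returns early (status > 128) when a trapped signal arrives
    if wait "$child"; then rc=0; else rc=$?; fi
    wait "$child" 2>/dev/null || true   # reap the child if we were interrupted
    trap - INT TERM
    echo
    echo "stopped: $* (status $rc)"
    return 0
}

# The menu loop; tail -f stands in for the real logging executable.
menu() {
    while :; do
        printf '\n1) follow system log (Ctrl-C returns here)\n2) quit\nchoice: '
        read -r choice || return 0
        case "$choice" in
            1) run_until_ctrl_c tail -f /var/log/messages ;;
            2) return 0 ;;
            *) echo "unknown choice: $choice" ;;
        esac
    done
}

# Start the interactive menu only when asked (sh menu.sh menu), so the
# functions above can also be sourced and tested on their own.
if [ "${1-}" = "menu" ]; then
    menu
fi
```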



Re: Sun BlackBox

2006-11-02 Thread Craig Skinner
On Thu, Nov 02, 2006 at 11:03:06AM -0700, Joshua Gimer wrote:
 I think that their primary focus group for this product is the military.

From internal mailing list traffic, the primary customer group is
anyone that is out of space and/or power (cooling) in their existing data
centres.

The idea is that rather than build an extension on your data centre,
stick some of these on the roof, or in the cellar, wherever.

It is also about the time savings over building a conventional data
centre: Rent some empty warehouse, dark fibre it, pop in a blackbox and
be running in weeks rather than months/years for a conventional data
centre.

The sideways racks take conventional Sun rack mountable servers, eg 250
U's of x2100s. I imagine you will be able to buy a container and
(partially) fill it with whatever you want. I guess the factory I work
at in Scotland (one of Sun's largest) will be the European just-in-time
assembly line, as we are for E25Ks and the like.

-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]



[PTLRT #646681] Re: [?? Probable Spam]

2006-11-02 Thread Peterlink Statistics dpt.
= Your message has been received by Peterlink =
 and will be processed by our staff ===

==Please note the rules for writing requests to this==
==address, given below - this will speed up the==
==handling of your letter.==

=== YOUR MESSAGE RECEIVED =
=== AND WILL BE PROCESSED =

===
This message was generated automatically.
Please do not reply to it. The reply will not be received.

THIS MESSAGE WAS CREATED AUTOMATICALLY,
PLEASE DO NOT REPLY. THE REPLY WON'T BE RECEIVED.
===

Hello,

Your letter with the subject [?? Probable Spam]
of 2006-11-02 20:31:56, sent from the address misc@openbsd.org,
has been received by Peterlink and assigned the identification number 646681.
The text of your request is given at the end of this message.

  In further correspondence, please do not change the Subject field of your
letters, which contains this number - this lets us handle your requests more
efficiently and keep the history of the correspondence. Please also quote the
numeric letter number when contacting the company's subscriber department or
technical support service with any questions.

  Letters from the company's clients concerning statistics and payment,
tariff changes and orders for new services are accepted at the address
[EMAIL PROTECTED].
In other cases please use the other addresses of our company.
Their list is available on the page
 http://www.peterlink.ru/peterlink/e-mail

  To speed up the handling of letters, please observe the following
rules:

  A) The text of your request must be placed in the body of the letter.
Please do not use attached files (doc, rtf and others) - this makes
handling the request impossible.
  B) The letter must state your registration name.
  C) If any action on your account or a change to your set of services is
needed, please send the letter using the e-mail address and the access
service (one of the modem pools or a dedicated line) registered with our
company.
  D) According to the price list, a tariff change is possible only from the
1st day of the month following the month in which your request was received.
  E) According to clause 4.6 of the Regulations (Appendix 2 to the Agreement),
suspension of service (freezing) is possible for any number of full calendar
months, but not more than 6, i.e. from the 1st day of the month (following
the month when your request was received) to the last.

  Please send your letter again if you are able to bring it into line with
the rules above, including the following string in the subject line

 [PTLRT #646681]

Thank you in advance!

  You can also call the subscriber department by phone at (812) 327-5343
during its working hours (9 to 19 on weekdays and 11 to 17 on Saturdays).

  Sincerely,
ZAO Peterlink
tel. +7 (812) 327-5343

==
Text of the request received from you:
-
From: misc@openbsd.org
2006-11-02 20:31:56
-
 

CPU selection

2006-11-02 Thread Paolo Supino

Hi

 I'm in the process of configuring a Dell PowerEdge 860 as a firewall and 
I'm debating what kind of CPU to get for the firewall for an office of 
about 50 people, 20MB metro ethernet, and 15 lightly used Internet 
servers: FTP, web, DNS, email, NTP, etc ... In addition to the computer 
being a firewall it will also act as a NIDS and IPSEC peer (something 
like 10 concurrent tunnels). The options I have for the CPU are:

1. Intel Celeron 336 at 2.8GHz/256K cache, 533MHz FSB.
2. Dual Core Intel Pentium D 915 at 2.8GHz/2x2MB cache, 800MHz FSB.
3. Dual Core Xeon 3050, 2.13GHz, 2MB cache, 1066MHz FSB.
4. Dual Core Xeon 3060, 2.40GHz, 4MB cache, 1066MHz FSB.
5. Dual Core Xeon 3070, 2.66GHz, 4MB cache, 1066MHz FSB.

 I have to be very price conscious, so will the Celeron CPU hold the load 
or should I take one of the Xeon CPUs for the load?





TIA
Paolo



Re: OpenBGPD 4.0 released Nov 1, 2006

2006-11-02 Thread nuffnough
On 11/2/06, Henning Brauer [EMAIL PROTECTED] wrote:

 We are pleased to announce the official release of OpenBGPD 4.0.


Thanks for the great update.

Is this a reason I should install from the latest snapshot via ftp instead
of my soon to arrive disc set?



Re: CPU selection

2006-11-02 Thread Alexander Lind
I don't think the celeron CPU will have any problems coping with that.

Consider getting two of the machines and CARPing them, for redundancy
and load balancing (not that you will likely really need that).
Also consider putting some extra cash down on a hw raid controller, and
2 scsi disks for each machine, and run raid 1 on them, for even more
failover safety.

Alec

Paolo Supino wrote:
 Hi

  I'm in the process of configuring a Dell PowerEdge 860 as a firewall
 and I'm debating what kind of CPU to get for the firewall for an office
 of about 50 people, 20MB metro ethernet, and 15 lightly used Internet
 servers: FTP, web, DNS, email, NTP, etc ... In addition to the
 computer being a firewall it will also act as a NIDS and IPSEC peer
 (something like 10 concurrent tunnels). The options I have for the CPU
 are:
 1. Intel Celeron 336 at 2.8GHz/256K cache, 533MHz FSB.
 2. Dual Core Intel Pentium D 915 at 2.8GHz/2x2MB cache, 800MHz FSB.
 3. Dual Core Xeon 3050, 2.13GHz, 2MB cache, 1066MHz FSB.
 4. Dual Core Xeon 3060, 2.40GHz, 4MB cache, 1066MHz FSB.
 5. Dual Core Xeon 3070, 2.66GHz, 4MB cache, 1066MHz FSB.

  I have to be very price conscious, so will the Celeron CPU hold the
 load or should I take one of the Xeon CPUs for the load?




 TIA
 Paolo



Re: CPU selection

2006-11-02 Thread K Kadow

On 11/2/06, Paolo Supino [EMAIL PROTECTED] wrote:

  I'm in the process of configuring a Dell PowerEdge 860 as a firewall and
I'm debating what kind of CPU to get for the firewall for an office of
about 50 people, 20MB metro ethernet, and 15 lightly used Internet
servers: FTP, web, DNS, email, NTP, etc ... In addition to the computer
being a firewall it will also act as a NIDS and IPSEC peer (something
like 10 concurrent tunnels).


So the only processes running on-box would be pf, IPSEC, and NIDS?
What sort of NIDS?

The Celeron @2.8GHz should be sufficient; I do not recall if the PE860
with Celeron can be upgraded to Xeon later.

Kevin



Re: CPU selection

2006-11-02 Thread Josh
I would go with option number 2 :)

The NIDS will probably be the most CPU/memory intensive, and if you're
running snort or something like that, be sure to get plenty of memory
(e.g., over a gig).

Cheers, 
Josh

On Thu, 2006-11-02 at 15:38 -0500, Paolo Supino wrote:

 Hi
 
   I'm in the process of configuring a Dell PowerEdge 860 as a firewall and 
 I'm debating what kind of CPU to get for the firewall for an office of 
 about 50 people, 20MB metro ethernet, and 15 lightly used Internet 
 servers: FTP, web, DNS, email, NTP, etc ... In addition to the computer 
 being a firewall it will also act as a NIDS and IPSEC peer (something 
 like 10 concurrent tunnels). The options I have for the CPU are:
 1. Intel Celeron 336 at 2.8GHz/256K cache, 533MHz FSB.
 2. Dual Core Intel Pentium D 915 at 2.8GHz/2x2MB cache, 800MHz FSB.
 3. Dual Core Xeon 3050, 2.13GHz, 2MB cache, 1066MHz FSB.
 4. Dual Core Xeon 3060, 2.40GHz, 4MB cache, 1066MHz FSB.
 5. Dual Core Xeon 3070, 2.66GHz, 4MB cache, 1066MHz FSB.
 
   I have to be very price conscious, so will the Celeron CPU hold the load 
 or should I take one of the Xeon CPUs for the load?
 
 
 
 
 TIA
 Paolo



Re: OpenBGPD 4.0 released Nov 1, 2006

2006-11-02 Thread Henning Brauer
* nuffnough [EMAIL PROTECTED] [2006-11-02 22:38]:
 On 11/2/06, Henning Brauer [EMAIL PROTECTED] wrote:
 
  We are pleased to announce the official release of OpenBGPD 4.0.
 
 
 Thanks for the great update.
 
 Is this a reason I should install from the latest snapshot via ftp instead
 of my soon to arrive disc set?

no, 4.0 is on the CDs

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: CPU selection

2006-11-02 Thread Michael Lockhart
Paolo,

Celerons will work fine, but in the interests of long term capacity
planning, I would recommend going with the low end Dual Core Xeon. 

Regards,
Mike Lockhart
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart [Systems Engineering & Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663  3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Paolo Supino
Sent: Thursday, November 02, 2006 3:39 PM
To: misc@openbsd.org
Subject: CPU selection

Hi

  I'm in the process of configuring a Dell PowerEdge 860 as a firewall and
I'm debating what kind of CPU to get for the firewall for an office of 
about 50 people, 20MB metro ethernet, and 15 lightly used Internet 
servers: FTP, web, DNS, email, NTP, etc ... In addition to the computer
being a firewall it will also act as a NIDS and IPSEC peer (something 
like 10 concurrent tunnels). The options I have for the CPU are:
1. Intel Celeron 336 at 2.8GHz/256K cache, 533MHz FSB.
2. Dual Core Intel Pentium D 915 at 2.8GHz/2x2MB cache, 800MHz FSB.
3. Dual Core Xeon 3050, 2.13GHz, 2MB cache, 1066MHz FSB.
4. Dual Core Xeon 3060, 2.40GHz, 4MB cache, 1066MHz FSB.
5. Dual Core Xeon 3070, 2.66GHz, 4MB cache, 1066MHz FSB.

  I have to be very price conscious, so will the Celeron CPU hold the load
or should I take one of the Xeon CPUs for the load?




TIA
Paolo



Re: CPU selection

2006-11-02 Thread Paolo Supino

Hi K Kadow

  The NIDS would be snort.


TIA
Paolo



K Kadow wrote:


On 11/2/06, Paolo Supino [EMAIL PROTECTED] wrote:


  I'm in the process of configuring a Dell PowerEdge 860 as a firewall and
I'm debating what kind of CPU to get for the firewall for an office of
about 50 people, 20MB metro ethernet, and 15 lightly used Internet
servers: FTP, web, DNS, email, NTP, etc ... In addition to the computer
being a firewall it will also act as a NIDS and IPSEC peer (something
like 10 concurrent tunnels).



So the only processes running on-box would be pf, IPSEC, and NIDS?
What sort of NIDS?

The Celeron @2.8GHz should be sufficient; I do not recall if the PE860
with Celeron can be upgraded to Xeon later.

Kevin




Re: CPU selection

2006-11-02 Thread Stuart Henderson
On 2006/11/02 13:36, Alexander Lind wrote:
 Consider getting two of the machines and CARPing them, for redundancy

agreed, it makes servicing, upgrades and fault diagnosis much simpler.

 Also consider putting some extra cash down on a hw raid controller, and
 2 scsi disks for each machine, and run raid 1 on them, for even more
 failover safety.

but that doubles the cost of the machine and makes for a more complex
system - if that type of money is available, the extra box is probably
more useful



Re: OpenBSD 4.0 vulnerable?

2006-11-02 Thread Nick Guenther

On 11/2/06, Bert Koelewijn [EMAIL PROTECTED] wrote:

Hi,

Are all security patches applied to MAIN already applied to the OPENBSD_4_0 
stable branch?

If not, does this have any security consequences?



No, if you read the FAQ you'd see that -RELEASE differs from -STABLE;
however, all the security-based patches are announced on the
Errata page: http://www.openbsd.org/errata.html.

There are no security consequences. Even if there were, they would be
minor because OpenBSD is already so secure by default.

This does not mean OpenBSD systems can not be broken though! It is up
to you, the admin, to keep them secure.

-Nick



Building 4.0 problem

2006-11-02 Thread Josh
Hey there.

Following the man release page, I get this:

=== usr.bin/tn3270/tn3270
cd /usr/src/usr.bin/tn3270/tn3270/../tools/mkastosc; make
make: don't know how to make /usr/destdir/usr/lib/crt0.o. Stop
in /usr/src/usr.bin/tn3270/tools/mkastosc.
*** Error code 2

Stop in /usr/src/usr.bin/tn3270/tn3270 (line 86
of /usr/src/usr.bin/tn3270/tn3270/Makefile).
*** Error code 1

Stop in /usr/src/usr.bin/tn3270.
*** Error code 1

Stop in /usr/src/usr.bin.
*** Error code 1

Stop in /usr/src.


Any ideas? I'm sure it's something dumb I've done...

Thanks, 
Josh



Re: CPU selection

2006-11-02 Thread Paolo Supino

Hi Alexander

  I completely agree with you and in the long run it will happen, but 
getting a second machine is beyond my budget for the next couple of months.





TIA
Paolo





Alexander Lind wrote:


I don't think the celeron CPU will have any problems coping with that.

Consider getting two of the machines and CARPing them, for redundancy
and load balancing (not that you will likely really need that).
Also consider putting some extra cash down on a hw raid controller, and
2 scsi disks for each machine, and run raid 1 on them, for even more
failover safety.

Alec

Paolo Supino wrote:
 


Hi

I'm in the process of configuring a Dell PowerEdge 860 as a firewall
and I'm debating what kind of CPU to get for the firewall for an office
of about 50 people, 20MB metro ethernet, and 15 lightly used Internet
servers: FTP, web, DNS, email, NTP, etc ... In addition to the
computer being a firewall it will also act as a NIDS and IPSEC peer
(something like 10 concurrent tunnels). The options I have for the CPU
are:
1. Intel Celeron 336 at 2.8GHz/256K cache, 533MHz FSB.
2. Dual Core Intel Pentium D 915 at 2.8GHz/2x2MB cache, 800MHz FSB.
3. Dual Core Xeon 3050, 2.13GHz, 2MB cache, 1066MHz FSB.
4. Dual Core Xeon 3060, 2.40GHz, 4MB cache, 1066MHz FSB.
5. Dual Core Xeon 3070, 2.66GHz, 4MB cache, 1066MHz FSB.

I have to be very price conscious, so will the Celeron CPU hold the
load or should I take one of the Xeon CPUs for the load?




TIA
Paolo




oBSD 4.0 remote installation - Is Yaifo dead?

2006-11-02 Thread sebastian . rother
Well, some time ago I used Yaifo to install oBSD 3.8 remotely.
It really rocked and worked well (better than using dd via SSH and foo).

It seems the Yaifo project is kind of dead.
I've tried to get Yaifo but the websites are down and just version 0.1 is
available.

Could somebody send me yaifo 0.2 so that I probably can make the changes
to the code by myself?
The yaifo 0.1 errors during the make are just driving me crazy and I'm
sure some were fixed in 0.2 (at least I do hope so).

Or does somebody probably know another (like yaifo..) project/tool to do
remote installations? :)


Kind regards,
Sebastian



uvm_fault upgrading to 4.0

2006-11-02 Thread charford-openbsd
Issues upgrading to 4.0 from 3.9 with the CDs.  The cause is to do with the 
onboard nic.  The nic is on an Intel 945 chipset motherboard in a whitebox.  
The motherboard also has firewire, and onboard audio which have both been 
disabled in the bios. 

Issues with the 4.0 Release and 4.0 Current.  Attached are the dmesgs for 
current, with and without the onboard nic enabled in the bios.  Also included 
is the dmesg for 3.9 with the onboard nic enabled.

There is only one nic in the machine, and that is onboard.  The only other 
device in the machine is a hardware raid controller (Intel branded, LSI 
Chipset).  


>> OpenBSD/amd64 CDBOOT 1.07
boot> 
booting cd0a:/4.0/amd64/bsd.rd: 2104800+418190+2251072+0+326088 [80+213360+131968]=0x932208
entry point at 0x1001e0 [7205c766, 3404, 24448b12, 7820a304]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.0-current (RAMDISK_CD) #927: Tue Oct 31 18:21:35 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/comp
real mem = 1063313408 (1038392K)
avail mem = 900526080 (879420K)
using 22937 buffers containing 106541056 bytes (104044K) of memory
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Pentium(R) D CPU 2.66GHz, 2667.12 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,NXE,LONG
cpu0: 1MB 64b/line 8-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel 82945GP" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: irq 11, address 00:16:76:44:d6:e7
vendor "Intel", unknown product 0x108f (class communications subclass serial, rev 0x03) at pci1 dev 0 function 3 not configured
em1 at pci1 dev 0 function 4 "Intel PRO/1000PT (82573E)" rev 0x03: irq 10uvm_fault(0x8098f060, 0x80006585e000, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 8029ed13 cs 8 rflags 10202 cr2  80006585eb50
cpl e rsp 809e39f0

The operating system has halted.
Please press any key to reboot.




>> OpenBSD/amd64 CDBOOT 1.07
boot> 
booting cd0a:/4.0/amd64/bsd.rd: 2104800+418190+2251072+0+326088 [80+213360+131968]=0x932208
entry point at 0x1001e0 [7205c766, 3404, 24448b12, 7820a304]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.0-current (RAMDISK_CD) #927: Tue Oct 31 18:21:35 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1063313408 (1038392K)
avail mem = 900526080 (879420K)
using 22937 buffers containing 106541056 bytes (104044K) of memory
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Pentium(R) D CPU 2.66GHz, 2667.10 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF

Re: oBSD 4.0 remote installation - Is Yaifo dead?

2006-11-02 Thread Mathieu Sauve-Frankel
 The yaifo 0.1-Errors during the make are just driving me crazy and I`m
 sure some where fixed in 0.2 (at least I do hope so).

The issues are not fixed in 0.2. I know because I just fixed them recently in
my personal version of this installer.

However, you've been such a disrespectful little ass lately, I don't really 
see why I should share my work with you. You don't deserve any help. 

-- 
Mathieu Sauve-Frankel



Re: CPU selection

2006-11-02 Thread Alexander Lind
 Also consider putting some extra cash down on a hw raid controller, and
 2 scsi disks for each machine, and run raid 1 on them, for even more
 failover safety.
 

 but that doubles the cost of the machine and makes for a more complex
 system - if that type of money is available, the extra box is probably
 more useful

   
i don't agree, the cost of a hw raid card and a second scsi disk is more
money than one sata disk, but it does not exactly double the price.
setting up openbsd on a raided machine is also extremely simple
(provided you use a supported raid card of course).

the hard drives, next after the PSUs, are in my experience the most
common points of failure, so whenever i set up a server to be used in
production (even if it has a carp buddy) i try to make sure they are
raided also.

alec



Missing checksums.

2006-11-02 Thread Emerson Farrugia
Hi,

I'd like to verify that the OpenBSD 4.0 files I've
downloaded are correct. However, I can't find MD5 or
CKSUM checksums on the FTP mirrors for a number of
files. The files in question are

i386/xbase40.tgz
i386/xetc40.tgz
i386/xfont40.tgz
i386/xserv40.tgz
i386/xshare40.tgz
ports.tar.gz
src.tar.gz
sys.tar.gz
XF4.tar.gz

Are these checksums omitted intentionally? If not, can
someone reply with them?

I would prefer to have original CDs for my install to
avoid this issue entirely, but circumstances don't
allow it right now and I'll have to get the CDs later.

Thanks,
Emerson


 




Re: Building 4.0 problem

2006-11-02 Thread Rogier Krieger

On 11/2/06, Josh [EMAIL PROTECTED] wrote:

Following the man release page [...]


Could you elaborate on what branch (-release, -stable, -current) and
version you're trying to build 4.0 on? And of course: which 4.0 branch
are you trying to build?

If it's not working, try the regular binary upgrade or snapshots. The
regular bits of documentation (upgrade guide, tracking -current) still
apply, of course.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: oBSD 4.0 remote installation - Is Yaifo dead?

2006-11-02 Thread sebastian . rother
 The yaifo 0.1 errors during the make are just driving me crazy and I'm
 sure some were fixed in 0.2 (at least I do hope so).

 The issues are not fixed in 0.2. I know because I just fixed them recently
 in my personal version of this installer.

 However, you've been such a disrespectful little ass lately, I don't
 really
 see why I should share my work with you. You don't deserve any help.

And you really think I'm the only guy with a remote server who may be looking
for a solution?
Sure, if you keep it secret you've got your little piece of happiness but the
trade off is also that nobody else probably gets it.

So not helping the community because of the one guy you're hating?
The choice is yours... :p


Kind regards,
Sebastian



Re: ipsec vpn

2006-11-02 Thread Bryan Irvine

On 11/2/06, Joachim Schipper [EMAIL PROTECTED] wrote:

On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote:
 I'm going to be upgrading a couple of our firewalls soon and as part of
 the upgrade I will be implementing VPN between a couple of our sites.

 Does this page still apply: http://www.securityfocus.com/infocus/1859

Yes, although some additions have been made since (notably, AH works
too).

 Any pitfalls or changes I should watch out for?

Filtering IPsec traffic might take some experimentation to get right.

 These firewall are running CARP.

Don't forget sasyncd; it has gotten *much* better in 4.0.


Now that's a nice touch  :-)


Also[1], there may be the need for an occasional connection from users
just using the windows vpn client.  Anybody doing this?  I rarely even
see windows so I'm not sure what to look for there.

Do I need to import a key of some sort, or set authentication somehow?



Re: CPU selection

2006-11-02 Thread Alexander Lind
Hello Paolo

Then at least make sure you get a machine with a backup psu and raid. If
downtime is expensive (and it tends to be for most companies) you want
to make sure that your assets are covered when the hw fails :)

Alec

Paolo Supino wrote:
 Hi Alexander

   I completely agree with you and in the long run it will happen, but
 getting a second machine is beyond my budget for the next couple of
 months.




 TIA
 Paolo





 Alexander Lind wrote:

 I don't think the celeron CPU will have any problems coping with that.

 Consider getting two of the machines and CARPing them, for redundancy
 and load balancing (not that you will likely really need that).
 Also consider putting some extra cash down on a hw raid controller, and
 2 scsi disks for each machine, and run raid 1 on them, for even more
 failover safety.

 Alec

 Paolo Supino wrote:
  

 Hi

 I'm in the process of configuring a Dell PowerEdge 860 as a firewall
 and I'm debating what kind of CPU to get for the firewall for an office
 of about 50 people, 20MB metro ethernet, and 15 lightly used Internet
 servers: FTP, web, DNS, email, NTP, etc ... In addition to the
 computer being a firewall it will also act as a NIDS and IPSEC peer
 (something like 10 concurrent tunnels). The options I have for the CPU
 are:
 1. Intel Celeron 336 at 2.8GHz/256K cache, 533MHz FSB.
 2. Dual Core Intel Pentium D 915 at 2.8GHz/2x2MB cache, 800MHz FSB.
 3. Dual Core Xeon 3050, 2.13GHz, 2MB cache, 1066MHz FSB.
 4. Dual Core Xeon 3060, 2.40GHz, 4MB cache, 1066MHz FSB.
 5. Dual Core Xeon 3070, 2.66GHz, 4MB cache, 1066MHz FSB.

 I have to be very price conscious, so will the Celeron CPU hold the
 load or should I take one of the Xeon CPUs for the load?




 TIA
 Paolo



thank you openbsd

2006-11-02 Thread Michael Hernandez
For many things, but specifically for not signing scary deals with  
microsoft, ever.




EUSecWest/London CFP extended to Nov. 7

2006-11-02 Thread Dragos Ruiu
Hi folks, some brief news:

Some people have asked for late submissions to the EUSecWest
paper selections. In the interest of fairness, we are extending the 
deadline for all until next Tuesday (November 7), at which time
the submissions will be reviewed. Details of submissions can
be found on the http://eusecwest.com site under the speakers 
sections.

PacSec/Tokyo paper descriptions have been published, and 
CanSecWest/Vancouver early discount registration is now available.

thanks,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan    November 27-30 2006    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp



Re: oBSD 4.0 remote installation - Is Yaifo dead?

2006-11-02 Thread Matt Sauve-Frankel
 Sure, if you keep it secret you've got your little piece of happiness but the
 trade off is also that nobody else probably gets it.

It's not a secret. Anybody who knows even a small amount of C and make 
can fix the installer with a pretty minimal amount of effort. Anyone who
actually reads source changes will be able to figure it out pretty quickly.

Why don't you put your thinking cap on and try to fix it yourself ?

 So not helping the community because of the one guy you`re hating?
 The choice is yours... :p

The people I consider community are more than welcome to contact me privately
for the diff if they don't feel like wasting 15 minutes of their time.

If community means so much to you, why don't YOU do something for the 
community and fix it yourself and release your own diff. 


--
Mathieu Sauve-Frankel



Re: ipsec vpn

2006-11-02 Thread Paul Civati
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Bryan Irvine) writes:


 Also[1], there may be the need for an occasional connection from users
 just using the windows vpn client.  Anybody doing this?  I rarely even
 see windows so I'm not sure what to look for there.
 Do I need to import a key of some sort, or set authentication somehow?


My understanding is, if you want to support the simple connection
of Windows clients, using the built-in VPN connector (e.g. control
panel -> network -> make new connection -> VPN -> L2TP), the
server side needs:


1. IPSec VPN transport mode, most likely with dynamic IP endpoint
2. L2TP tunneling daemon
3. PPP daemon


You will also need NAT traversal in the server and client IPSec 
implementation, if the client is connecting from behind a NAT
firewall/device.


2000 and XP will support NAT traversal with the right service
packs, OpenBSD 4.0, according to my checking of man pages this
evening, should support NAT-T too.


2000 and XP will support authentication using X.509 (i.e. SSL-like)
certificates; only XP will support PSK (pre-shared key).


This is from my recent research of trying to get this working
with Debian, but I gave up because the server versions of s/w 
I was using didn't support NAT-T, AFAICS.  I've not tried it 
with OpenBSD, yet.


All AIUI, some of that could be wrong as I've not had it
working yet.


-Paul-



Re: RAIDframe: spare disk and initialy degraded array

2006-11-02 Thread Joachim Schipper
On Fri, Nov 03, 2006 at 12:09:49AM +0500, Igor Goldenberg wrote:
 Hello,
 
 I want to migrate from one-disk installation to RAID1 array where
 initial boot disk will be one of the components of array. I created
 RAID1 in degraded mode (I have only two IDE disks: wd0 and wd1, but in
 raid0.conf I wrote /dev/wd2b and /dev/wd1d). Then I copied my current
 boot disk contents to new array (tar -Xcpf - / | tar -C /mnt -xvpf -)
 and marked raid0 as root (raidctl -A root raid0). After reboot I have
 raid as boot disk. In the raid0 I have now failed component0 and
 optimal /dev/wd1b. After adding /dev/wd0b as spare disk,
 reconstruction failed component0 to it (raidctl -F component0 raid0)
 and initialization of parity (raidctl -P raid0) I have such raid0:
 
 # raidctl -s raid0
 raid0 Components:
  component0: spared
   /dev/wd1b: optimal
 Spares:
   /dev/wd0b: used_spare
 Parity status: clean
 Reconstruction is 100% complete.
 Parity Re-write is 100% complete.
 Copyback is 100% complete.
 
 It's good but I want to have two optimal raid0 components: /dev/wd0b
 and /dev/wd1b, not as spared component0 and used_spare /dev/wd0b. What
 I need to do for it?
 
 
 And one more question. I have raid0b as swap partition but kernel puts on 
 boot:
 swapmount: no device
 Kernel was booted from /dev/wd0a and /dev/wd0b is a raid partition.
 Where does it search swap partition 'b': on wd0 or on new root -
 raid0?

I'd venture a guess the kernel is happily [1] swapping to wd0b. Don't
use the b part of the boot disk for anything other than swap.

Joachim

[1] For some values of...



Hardware RAID

2006-11-02 Thread K Kadow

On 2006/11/02 13:36, Alexander Lind wrote:

Also consider putting some extra cash down on a hw raid controller, and
2 scsi disks for each machine, and run raid 1 on them, for even more
failover safety.


To this end, I'm considering adding a RAID controller to existing machines
(Dell servers with the unsupported Adaptec Ultra-160 RAID controller).

Is the $340 LSI MegaRAID 320-1 my best option for a new SCSI RAID card?
http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=132600


Thanks,

Kevin



Re: ipsec vpn

2006-11-02 Thread Joachim Schipper
On Thu, Nov 02, 2006 at 03:51:04PM -0800, Bryan Irvine wrote:
 On 11/2/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote:
  I'm going to be upgrading a couple of our firewalls soon and as part of
  the upgrade I will be implementing VPN between a couple of our sites.
 
  Does this page still apply: http://www.securityfocus.com/infocus/1859
 
 Yes, although some additions have been made since (notably, AH works
 too).
 
  Any pitfalls or changes I should watch out for?
 
 Filtering IPsec traffic might take some experimentation to get right.
 
  These firewall are running CARP.
 
 Don't forget sasyncd; it has gotten *much* better in 4.0.
 
 Now that's a nice touch  :-)
 
 
 Also[1], there may be the need for an occasional connection from users
 just using the windows vpn client.  Anybody doing this?  I rarely even
 see windows so I'm not sure what to look for there.
 
 Do I need to import a key of some sort, or set authentication somehow?

There is some stuff in the archives about Windows clients; the consensus
seems to be that the built-in Windows stuff sucks, and that better
third-party clients can be had for free (as in beer). I remember hearing
Greenbow somewhere.

In such a case, there's no more need to use keys than with another
OpenBSD box (as in, you probably should use them, but it's not
required).

Joachim

[1] Footnote not found. Not mine, anyway.



Re: CPU selection

2006-11-02 Thread Nick Holland
Paolo Supino wrote:
 Hi Alexander
 
I completely agree with you and in the long run it will happen, but 
 getting a second machine is beyond my budget for the next couple of months.

Then, you should go grab a couple OLD machines, and build your firewall
with them.  You probably won't be implementing all the cool stuff right
away, anyway...  Save buying the new machines for when you can do it right.

For reference, we got a DS3 (45Mbps) and 900 users going through a
CARPed pair of five year old machines.  Primary is a 600MHz Celeron, the
standby is a PIII-750MHz.  Not running IPsec or IDS on them, but these
machines seem to have a fair amount of growth potential on 'em.

And yes, the primary machine is slower than the backup.

You need the second machine.  Even if you don't run CARP, you need a
second machine.  If you DO run CARP, I'd even argue you need a third
machine:
  Rapid repair: Don't rely on someone else to get yourself back running.
  Testing: What happens if I do X?
  upgrades: do your upgrade on the second system, make sure all goes as
you expect before doing it on the production machine.
etc.

Granted, your second (or third) machine could be the second machine
for a lot of different systems in your company, if you standardize your HW.

As for RAID on a firewall, uh...no, all things considered, I'd rather
AVOID that, actually.  Between added complexity, added boot time, and
disks that can't be used without the RAID controller, it is a major
loser when it comes to total up-time if you do things right.  Put a
second disk in the machine, and regularly dump the primary to the
secondary.  Blow the primary drive, you simply remove it, and boot off
the secondary (and yes, you test test test this to make sure you did it
right!).  RAID is great when you have constantly changing data and you
don't want to lose ANYTHING EVER (i.e., mail server).  When you have a
mostly-static system like a firewall, there are simpler and better ways.

A couple months ago, our Celeron 600 firewall seemed to be having
problems, which we thought may have been due to processor load.  We
were able to pull the disk out of it, put it in a much faster machine,
adjust a few files, and we were back up and running quickly...and found
that the problem was actually due to a router misconfig and a run-away
nmap session.  Would not have been able to do that with a RAID card.

Nick.



Re: Hardware RAID

2006-11-02 Thread Stuart Henderson
On 2006/11/02 18:56, K Kadow wrote:
 On 2006/11/02 13:36, Alexander Lind wrote:
 Also consider putting some extra cash down on a hw raid controller, and
 2 scsi disks for each machine, and run raid 1 on them, for even more
 failover safety.
 
 To this end, I'm considering adding a RAID controller to existing machines
 (Dell servers with the unsupported Adaptec Ultra-160 RAID controller).
 
 Is the $340 LSI MegaRAID 320-1 my best option for a new SCSI RAID card?
 http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=132600

if it's a 2U box and you need a low-profile card, get the LP version
instead, the normal one has connectors mounted the wrong way to actually
plug a cable in and close the lid of the server.

e.g. http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=132619 



Large scale deployments

2006-11-02 Thread Michael Lockhart
All,

Here's a question that I wanted to pose to the OpenBSD community about managing 
and maintaining a large number of OpenBSD systems in the field.  To provide 
some background, we currently have 650+ OpenBSD 3.2 systems in the field, and 
I've been dealing with a fair share of headaches bringing our software to a 
baseline across the board on all these systems.  Keep in mind most of what I'm 
working on is independent from the OS install itself.  Here are the things that 
I've got solutions in place for, but would like some input on projects 
available, or good feedback from others who have maintained a large number of 
disparate systems:

1. Reliable package building system to auto-generate OpenBSD packages that are 
compliant as much as possible with the standards enforced by OpenBSD.  I've got 
scripts to do this right now, but I'm not happy with them.

2. Command and Control.  What projects or capabilities are available for 
performing remote command and control over services, packages, and system 
health?  Currently, all push/pull is done with perl/sh scripts to bring files 
over, sanity check, install, update, etc.  I've been leaning towards creating a 
daemon that runs on each system and has a secure connection back to a 
centralized location for determining if updates are available.  My proof of 
concept works, but thoughts on how to do this right are GREATLY appreciated.

3. Remote upgrading.  Going from 3.2 to 3.8 or 4.0 is going to be very 
difficult, and the approach that I am taking right now is creating a bsd.rd 
based kernel/image that will boot fully into memory, and contain the 
appropriate scripts to re-initialize the disks, rsync/scp/ftp/get/whatever the 
new base image and kernel over, then reboot, and go into the new image, and 
perform the rest of the upgrade from there.  Has anyone done something similar 
to this or know of any projects along these lines?

Anyway, just wanted to get some feedback from the community and see what 
everyone had to say on this stuff.  Thanks in advance everyone. 

Regards,
Mike Lockhart
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart [Systems Engineering & Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663  3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Re: why my LCD monitor repeat black screen

2006-11-02 Thread Baskervilles

I'm not inclined to believe it is a problem with your monitor, however,
sometimes X picks some really border-line specs...and I've seen at
least CRTs flake out when run at the edge for too long.

Run xvidtune, see what the vertical refresh rate is.  If you took great
pride in running it up to some high number, slap yourself on the wrist,
and back it down to 60Hz or 70Hz, see if it settles it down.  On an LCD
monitor, it doesn't matter.

It may be more likely, however, that your machine's BIOS is turning the
display off, and it is not recognizing the keyboard or mouse activity to
keep it on or turn it back on.  Going into your BIOS configuration and
disabling anything related to power saving may be productive.



I tried changing the setting in BIOS, but the problem is still there, and a test
with a CRT monitor gets the same problem. It's really weird.



Re: Large scale deployments

2006-11-02 Thread Will Maier
On Thu, Nov 02, 2006 at 08:10:50PM -0500, Michael Lockhart wrote:
 2. Command and Control.  What projects or capabilities are
 available for performing remote command and control over services,
 packages, and system health?  Currently, all push/pull is done
 with perl/sh scripts to bring files over, sanity check, install,
 update, etc.  I've been leaning towards creating a daemon that
 runs on each system and has a secure connection back to a
 centralized location for determining if updates are available.  My
 proof of concept works, but thoughts on how to do this right are
 GREATLY appreciated.

I've used cfengine on large (500+ nodes) Linux clusters. There are lots
of things I wish were better in cfengine, but I haven't found a more
capable tool. For one-time mass administration tasks, I use dsh from
sysutils/clusterit, though the scenario you describe above seems
cfenginy to me.

 3. Remote upgrading.  Going from 3.2 to 3.8 or 4.0 is going to be
 very difficult, and the approach that I am taking right now is
 creating a bsd.rd based kernel/image that will boot fully into
 memory, and contain the appropriate scripts to re-initialize the
 disks, rsync/scp/ftp/get/whatever the new base image and kernel
 over, then reboot, and go into the new image, and perform the rest
 of the upgrade from there.  Has anyone done something similar to
 this or know of any projects along these lines?

Upgrading from 3.2 to 4.0 is going to be a headache. The clusters
I've worked in have all used network filesystems (mostly AFS) for
most data storage; reimaging a node has never cost much. Combined
with a well-thought-out configuration management system, and major
upgrades seem like less of a problem.

Of course, you need to vet your new system image with your
applications first.

I sure wish I had 600 OpenBSD boxes to worry about...Scientific
Linux is a headache.

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



[PATCH] OpenBGPD 4.0 no refresh

2006-11-02 Thread Alex Hunsaker

Hi, recently upgraded to OpenBSD/BGPD 4 and suddenly stopped getting
routes from some neighbors.

This is what showed up in the logs... (IP's removed...)

Nov 2 14:20:56 strange bgpd[13739]: neighbor (XO): received
notification: error in OPEN message, unsupported capability
Nov 2 14:20:56 strange bgpd[13739]: neighbor (XO): disabling restart capability

bgpctl show fib nexthop reports the neighbor with a flag N.
While bgpctl show fib does not show any routes from the neighbor.

After talking with our upstream they said they were getting errors
about their refresh ability being disabled (or something along those
lines).   Above you see bgpd turning off restart capability ... not
refresh? bug?  (oh, and I think they are running zebra, though not
sure).  So I disabled refresh (set it to 0 in alloc_peer (parse.y)),
compiled and everything seemed to be nominal. (routes started coming
in...)

So just in case anyone else is hit by this here is a patch to allow
you to initially disable it on a per neighbor option.  (sorry gmail...
patch breakage may occur)

Sorry if this is not the real fix, but it seems to be a work around...
at least for me.

If this is in fact a bug with openbgpd I can provide additional info...

Oh and thanks for the great product(s)!!  Keep up the good work!

diff -u bgpd.orig/parse.y bgpd/parse.y
--- bgpd.orig/parse.y   2006-08-27 10:11:05.0 -0600
+++ bgpd/parse.y2006-11-02 17:37:35.0 -0700
@@ -149,7 +149,7 @@
 %token AS ROUTERID HOLDTIME YMIN LISTEN ON FIBUPDATE
 %token RDE EVALUATE IGNORE COMPARE
%token GROUP NEIGHBOR NETWORK
-%token REMOTEAS DESCR LOCALADDR MULTIHOP PASSIVE MAXPREFIX RESTART
+%token REMOTEAS DESCR LOCALADDR MULTIHOP PASSIVE MAXPREFIX RESTART REFRESH
%token ANNOUNCE DEMOTE
 %token ENFORCE NEIGHBORAS CAPABILITIES REFLECTOR DEPEND DOWN SOFTRECONFIG
%token DUMP IN OUT
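Review bot: the new REFRESH token introduces user-visible configuration syntax, but the patch touches only parse.y, so bgpd.conf(5) gets no entry for the option and a user reading the manual cannot discover it. Document the `refresh yes|no` neighbor option next to the other capability settings, and consider whether it should take the same form as the existing capability switches (the grammar already carries `CAPABILITIES` and `RESTART` tokens) rather than a standalone keyword.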
@@ -935,6 +935,9 @@
   else
   curpeer-conf.softreconfig_out = $3;
   }
+   | REFRESH yesno {
+   curpeer-conf.capabilities.refresh = $2;
+   }
   ;

 restart: /* nada */{ $$ = 0; }
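Review bot: the action for `REFRESH yesno` stores `$2` into the peer's capability flags, but nothing in the hunk sets a default, so neighbors that do not use the option still get whatever alloc_peer() initialises (the cover text says the author had to hard-code 0 there to get routes); the default and the per-neighbor override should be one mechanism. The logged NOTIFICATION was "unsupported capability" followed by "disabling restart capability", so it is worth decoding from the NOTIFICATION data which capability the peer actually rejected before adding a switch that could mask the mismatch. As mailed, `curpeer->conf.capabilities.refresh` has been mangled to `curpeer-conf.capabilities.refresh` (the `softreconfig_out` context line above suffered the same), so anyone applying this by hand must restore the `->`.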
@@ -1635,6 +1638,7 @@
   { qualify,QUALIFY},
   { quick,  QUICK},
   { rde,RDE},
+   { refresh,REFRESH},
   { reject, REJECT},
   { remote-as,  REMOTEAS},
   { restart,RESTART},
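Review bot: the keyword table is searched with bsearch(), so it must stay sorted; placing `refresh` between `rde` and `reject` keeps that order and is correct. The entries as rendered have lost their string quotes (`{ "refresh", REFRESH}`), so the patch will not apply cleanly from this mail without restoring them.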


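Added example (mine, not part of the patch or of OpenBGPD): a decoder for the NOTIFICATION message behind the "error in OPEN message, unsupported capability" log line, which lists the capability codes the peer rejected so an operator can tell a refused Route Refresh (code 2) from a refused Graceful Restart (code 64) before switching either off. The message is a constructed sample, and the field names are my own.

```python
import struct

BGP_MARKER = b"\xff" * 16          # RFC 4271: 16-octet all-ones marker
BGP_HEADER_LEN = 19                # marker (16) + length (2) + type (1)
BGP_NOTIFICATION = 3

# Error codes and OPEN subcodes from RFC 4271 section 4.5.
ERROR_CODES = {
    1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
    4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease",
}
OPEN_SUBCODES = {
    1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
    4: "Unsupported Optional Parameter", 6: "Unacceptable Hold Time",
    7: "Unsupported Capability",
}
# Capability codes from the IANA registry (RFC 2918, RFC 4724, RFC 6793, RFC 5492).
CAPABILITY_CODES = {
    1: "Multiprotocol Extensions", 2: "Route Refresh", 64: "Graceful Restart",
    65: "4-octet AS number", 128: "Route Refresh (pre-standard, code 128)",
}


class BgpParseError(ValueError):
    """Raised for a malformed or truncated message; peer-supplied lengths are never trusted."""


def parse_capabilities(data):
    """Decode the capability TLVs (code, length, value) that RFC 5492 says an
    Unsupported Capability NOTIFICATION should carry in its Data field."""
    caps = []
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise BgpParseError("truncated capability header")
        code, length = data[off], data[off + 1]
        off += 2
        if off + length > len(data):
            raise BgpParseError("capability length exceeds data")
        caps.append({"code": code,
                     "name": CAPABILITY_CODES.get(code, "unknown"),
                     "value": data[off:off + length]})
        off += length
    return caps


def parse_notification(msg):
    """Parse one BGP NOTIFICATION and, for OPEN / Unsupported Capability,
    list the capabilities the peer refused (empty if the peer sent no data)."""
    if len(msg) < BGP_HEADER_LEN + 2:
        raise BgpParseError("message shorter than a NOTIFICATION")
    marker, length, mtype = msg[:16], struct.unpack("!H", msg[16:18])[0], msg[18]
    if marker != BGP_MARKER:
        raise BgpParseError("bad marker")
    if length != len(msg):
        raise BgpParseError("length field %d does not match %d bytes" % (length, len(msg)))
    if mtype != BGP_NOTIFICATION:
        raise BgpParseError("not a NOTIFICATION (type %d)" % mtype)
    code, subcode, data = msg[19], msg[20], msg[21:]
    result = {
        "error_code": code,
        "error": ERROR_CODES.get(code, "unknown"),
        "subcode": subcode,
        "subcode_name": OPEN_SUBCODES.get(subcode, "unknown") if code == 2 else None,
        "unsupported_capabilities": [],
    }
    if code == 2 and subcode == 7:
        result["unsupported_capabilities"] = parse_capabilities(data)
    return result


def build_notification(code, subcode, data=b""):
    """Assemble a NOTIFICATION; used here only to construct the sample below."""
    body = bytes([code, subcode]) + data
    return (BGP_MARKER + struct.pack("!H", BGP_HEADER_LEN + len(body))
            + bytes([BGP_NOTIFICATION]) + body)


# Constructed sample (not a capture): the peer rejects Route Refresh (code 2,
# zero-length value) and Graceful Restart (code 64, two-octet flags/restart-time).
SAMPLE_NOTIFICATION = build_notification(2, 7, bytes([2, 0, 64, 2, 0x00, 0x78]))

if __name__ == "__main__":
    parsed = parse_notification(SAMPLE_NOTIFICATION)
    print(parsed["error"], "/", parsed["subcode_name"])
    for cap in parsed["unsupported_capabilities"]:
        print("  peer rejected capability %d (%s)" % (cap["code"], cap["name"]))
```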

Re: Marvell 88E8055 Ethernet support?

2006-11-02 Thread qsd
Well, I've already emailed them back when I was trying to get their
driver to work on FreeBSD, and I did ask for the open source version (I
was feeling lucky...). Needless to say, I didn't get any reply...

Anyway, I don't expect them to release the specs anytime soon, and I
still need to use my nic in the meantime...

Linux somehow managed to get it working (they probably reverse
engineered it), and since OpenBSD already has the driver which is
working for other versions of marvell nics, it looks like the problem
could be fixed (or worked-around at least) without the specs...

If this is not on your to-do list... Oh well, I guess I'll have to
look at it myself, or keep using Linux..

On Thu, 02 Nov 2006 20:29:16 -0500
Louis Bertrand [EMAIL PROTECTED] wrote:

 qsd wrote:
  Hi,
  
  I just tried to install OpenBSD 4.0 on my laptop with
  Marvell Yukon 88E8055 Gigabit ethernet chip. However,
  the link status says no carrier, and when I try to
  bring the interface up, it hangs, presumably waiting
  for the cable to be plugged in... Same card works under
  linux with sky2 driver.
  
  Any suggestions?
  
  I'm sorry if this is an already known bug.
  
  Thank you.
  
 
 Read up on the news.
 
 http://newsvac.newsforge.com/newsvac/06/10/10/1529219.shtml
 
 Marvell and many hardware vendors don't release hardware
 docs, so OpenBSD developers can't write drivers.
 
 Easiest thing you can do for OpenBSD is to add your voice to
 the call for hardware docs -- not closed source drivers or
 other crap. Email them, insistently.
 
 Ciao
   --Louis



Re: CPU selection

2006-11-02 Thread Alexander Lind
 As for RAID on a firewall, uh...no, all things considered, I'd rather
 AVOID that, actually.  Between added complexity,
what complexity?
  added boot time, and
 disks that can't be used without the RAID controller,
why would you want to use your disk WITHOUT the raid controller?
  it is a major
 loser when it comes to total up-time if you do things right.  Put a
 second disk in the machine, and regularly dump the primary to the
 secondary.  Blow the primary drive, you simply remove it, and boot off
 the secondary (and yes, you test test test this to make sure you did it
 right!). 
Now you're talking crazy. Let's consider the two setups:
No-raid setup:
  - two separately controlled disks, you are in charge of syncing
between them
  - if one dies, the machine goes down, and you go to the machine, and
manually boot from the backup disk
  - IF you had important data on the dead disk not yet backed up, you
are screwed.
You could almost look at this as poor man's manual pretend raid.

Raid setup:
  - two disks, constantly synced, if one dies, the machine does NOT go down
  - if a disk fails, just go and plug a new one in _at your
convenience*_ and it will automatically rebuild, a task any person could
perform with proper direction. Not a second's downtime.

* this is _very_ important if your machine is hosted where you don't
have easy physical access to it. Machines at a colo center would be a
very common scenario.
  RAID is great when you have constantly changing data and you
 don't want to lose ANYTHING EVER (i.e., mail server).  When you have a
 mostly-static system like a firewall, there are simpler and better ways.
   
RAID is great for any server. So are SCSI drives. If you are a company
that loses more money on a few hours (or even minutes) downtime than it
costs to invest in proper servers with proper hw raid + SCSI disks, then
you are ill-advised _not_ to raid all your mission-critical servers. And
have backup machines, too!  Preferably load-balanced.
 A couple months ago, our Celeron 600 firewall seemed to be having
 problems, which we thought may have been due to processor load.  We
 were able to pull the disk out of it, put it in a much faster machine,
 adjust a few files, and we were back up and running quickly...and found
 that the problem was actually due to a router misconfig and a run-away
 nmap session.  Would not have been able to do that with a RAID card.
   
Next time, you may want to check what the machine is actually doing
before you start blaming your hardware.
I personally would not trust the OS setup on one machine to run smoothly
in any machine not more or less identical to itself as far as the hw
goes. Especially not for a production unit.
But if you really wanted to, you could move the entire raid array over
to a different machine, if that makes you happy.

Alec



Re: Sun BlackBox

2006-11-02 Thread Lyndon Nerenberg

I haven't priced shipping containers lately, but I imagine this sort of
setup could be useful in more rural areas instead of building out a
facility.  Plus, they're shipping containers so you could stack a bunch
of them together.


I'm thinking the Vancouver economy could take on a whole new look if we 
buried the docks in AMD64 ...




No hardware 3D acceleration?

2006-11-02 Thread Matthew P Szudzik
There have recently been some claims that OpenBSD does not support 
hardware 3D acceleration on any recent graphics chipsets.  In particular, 
I'm thinking of the claims at

 http://www.softwareinreview.com/cms/content/view/55/
 http://www.bsdforums.org/forums/showthread.php?t=45031goto=nextoldest

But is that really true?  According to the documentation at

 http://www.openbsd.org/cgi-bin/man.cgi?query=i810
 http://www.openbsd.org/cgi-bin/man.cgi?query=radeon

OpenBSD supports 3D acceleration for the Intel 8xx integrated graphics 
chips and for some ATI Radeon chips.

Can somebody clear up these conflicting claims?  Does OpenBSD support 
hardware 3D acceleration for any recent graphics chipsets?



Re: CPU selection

2006-11-02 Thread Ingo Schwarze
Perhaps you missed that Nick was talking about a pair of carp'ed
firewalls.  Failure of one machine means *no* downtime.  Besides,
firewalls rarely need to store any valuable data, almost by definition.

Alexander Lind wrote on Thu, Nov 02, 2006 at 05:27:00PM -0800:

 Now you're talking crazy.

That happens rarely to Nick.  ;-)

I remember about one or two instances where he was actually proven
wrong, in a long time.



Re: Large scale deployments

2006-11-02 Thread Michael Lockhart
I've noticed how much perspective on managing systems changes when the
distance between machines expands greatly.  Managing 600+ systems in one
datacenter location is much easier than managing 600+ systems spread
throughout the country. Though a lot of the fundamentals are the same
(package management, security patches, service management, etc),
performing these functions become much more difficult, especially doing
critical system upgrades.  

All the code we're writing has some pretty serious error handling,
working on implementing a rollback mechanism for our package management
system (outside of system packages, application packages), nothing ultra
fancy, but it works for now.

I'll have to take a look at those projects and see if they fit my needs.
It's getting to the point where I think with the work I've put into this
system so far, if I can't find any reasonable utilities I'll have to
clean up the bubble gum and popsicle sticks solution I've got right now.

Regards,
Mike Lockhart
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart [Systems Engineering & Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663  3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





Re: No hardware 3D acceleration?

2006-11-02 Thread Jonathan Gray
On Thu, Nov 02, 2006 at 10:27:24PM -0500, Matthew P Szudzik wrote:
 There have recently been some claims that OpenBSD does not support 
 hardware 3D acceleration on any recent graphics chipsets.  In particular, 
 I'm thinking of the claims at
 
  http://www.softwareinreview.com/cms/content/view/55/
  http://www.bsdforums.org/forums/showthread.php?t=45031goto=nextoldest
 
 But is that really true?  According to the documentation at
 
  http://www.openbsd.org/cgi-bin/man.cgi?query=i810
  http://www.openbsd.org/cgi-bin/man.cgi?query=radeon
 
 OpenBSD supports 3D acceleration for the Intel 8xx integrated graphics 
 chips and for some ATI Radeon chips.
 
 Can somebody clear up these conflicting claims?  Does OpenBSD support 
 hardware 3D acceleration for any recent graphics chipsets?

Those man pages are from the X.org project, we don't have all the
other necessary bits in place to make it work just yet.



Re: Large scale deployments

2006-11-02 Thread Need Coffee

On 11/2/06, Will Maier [EMAIL PROTECTED] wrote:


I've used cfengine on large (500+ nodes) Linux clusters. There lots
of things I wish were better in cfengine, but I haven't found a more
capable tool. For one-time mass administration tasks, I use dsh from
sysutils/clusterit, though the scenario you describe above seems
cfenginy to me.


I'd agree with that.  It is pretty easy to leverage classes to do the
work of getting everything to one place (convergence), although if you're
not careful you'll end up maintaining many similar but slightly different
configurations  :)

Monit is surprisingly powerful as well; don't let its simple syntax
fool you.  I'm evaluating possibly replacing cfengine with monit (and we
make extensive use of cfengine).  With some thought I think it may be
quite possible.



building kernel for new release in previous stable system

2006-11-02 Thread Igor Goldenberg

Hello.

Will it be possible to build GENERIC kernel for the next OpenBSD
release 4.1 using release or stable 4.0 system (with comp40.tgz set
installed)?

I need to know this to decide whether to put /usr on raid or not, because
if /usr is on raid I'll need to build the new kernel before replacing the
current raid-enabled kernel with the new one.



Re: CPU selection

2006-11-02 Thread Alexander Lind
Ingo Schwarze wrote:
 Perhaps you missed that Nick was talking about a pair of carp'ed
 firewalls.  Failure of one machine means *no* downtime.  Besides,
 firewalls rarely need to store any valuable data, almost by definition.
   
I'm not saying that digging up parts and building a couple of machines
out of old scrap that you could find in my attic (and you could find
enough to build a server farm, I assure you) and making a whole farm of
carp'ed firewalls will not do the trick.
But from an enterprise point of view, spending a few hundred dollars
extra to build machines that are very unlikely to go down in the first
place - but if they do go down can be rebuilt with minimum effort - is
usually going to be worthwhile. Carped or not.

Different story for home users, or someone who is hard up for cash, of
course.


 Now you're talking crazy.
 

 That happens rarely to Nick.  ;-)

 I remember about one or two instances where he was actually proven
 wrong, in a long time.
   
Perhaps your memory just isn't that great?
j/k ;)

Alec



Re: CPU selection

2006-11-02 Thread Nick Holland
Alexander Lind wrote:
 As for RAID on a firewall, uh...no, all things considered, I'd rather
 AVOID that, actually.  Between added complexity,
 what complexity?

RAID, kiddo.
It's more complex.  It is something else that can go wrong.
And...it DOES go wrong.  Either believe me now, or wish you believed me
later.  Your call.  I spent a lot of time profiting from people who
ignored my advice. :)

  added boot time, and
 disks that can't be used without the RAID controller,
 why would you want to use your disk WITHOUT the raid controller?

Oh, say, maybe your RAID controller failed?
Or the spare machine you had didn't happen to have the same brand and
model RAID card?
Or the replacement RAID card happened to have a different firmware on
it, and the newer firmware wouldn't read your old disk pack?  (yes,
that's a real issue).

  it is a major
 loser when it comes to total up-time if you do things right.  Put a
 second disk in the machine, and regularly dump the primary to the
 secondary.  Blow the primary drive, you simply remove it, and boot off
 the secondary (and yes, you test test test this to make sure you did it
 right!). 
 Now you're talking crazy. Lets consider the two setups:
 No-raid setup:
   - two separately controlled disks, you are in charge of syncing
 between them

yep.  you better test your work from time to time.
(wow...come to think of it, you better test your RAID assumptions, too.
 Few people do that, they just assume it works.  This leads to people
proving me right about simplicity vs. complexity)

   - if one dies, the machine goes down, and you go to the machine, and
 manually boot from the backup disk

yep.  Meanwhile, the system has been running just fine on the SECONDARY
SYSTEM.

   - IF you had important data on the dead disk not yet backed up, you
 are screwed.

Ah, so you are in the habit of keeping important, non-backed up data on
your firewall?  wow.

 you could almost look at this as poor mans manual pretend raid.

Or as part of RAIC: Redundant Array of Inexpensive Computers.

 Raid setup:
   - two disks, constantly synced, if one dies, the machine does NOT go down

you are funny.  Or inexperienced.

   - if a disk fails, just go and plug a new one in _at your
 convenience*_ and it will automatically rebuild, a task any person could
 perform with proper direction. Not a second's downtime.

That's the way it is SUPPOSED to work.
Reality is very, very different some times.

Simple systems have simple problems.
Complex systems have complex problems.

Worst down-time events I've ever seen always seem to involve a RAID
system, usually managed by someone who said "does NOT go down!", who
believed that complexity was the solution to a problem.

A RAID controller never causes downtime in a system its not installed
in.  Power distribution boards don't fail on machines that don't have
them.  Hotplug backplanes don't fail on machines that don't have them.
(seen 'em all happen).

 * this is _very_ important if your machine is hosted where you don't
 have easy physical access to it. Machines at a colo center would be a
 very common scenario.

That is correct... IF that was what we were talking about.  It isn't.
You keep trying to use the wrong special case for the topic at hand.

Design your solutions to meet the problem in front of you, not a totally
unrelated problem.

  RAID is great when you have constantly changing data and you
 don't want to lose ANYTHING EVER (i.e., mail server).  When you have a
 mostly-static system like a firewall, there are simpler and better ways.
   
 RAID is great for any server.

WRONG.
It is good for the right systems in the right places.  There are a lot
of those places.
It is great when administered by someone who understands the limitations
of it.  That, sadly, is uncommon.

 So are scsi drives. 

I've been hearing that "SCSI is better!" stuff for 20 years, most of
that while working in service and support of LOTS of companies' computers.

It *may* be true that SCSI drives are more reliable than IDE drives,
though I really suspect if it is really true on average, the variation
between models is probably greater than the difference between
interfaces.  But that's just the drive, and I'm giving you that.

HOWEVER, by the time you add the SCSI controller, the software and the
other stuff in a SCSI solution, you have a much more cranky beast than
your IDE disk systems usually are.  No, it isn't supposed to be that
way, but experience has shown me that SCSI cards suck, SCSI drivers
suck, you rarely have the right cables and terminators on hand, and
people rarely screw up IDE drivers or chips as badly as they do the SCSI
chips and drivers (and I am most certainly not talking just OpenBSD
here).  No question in my mind on this.  I've seen too many bad things
happen with SCSI...none of which should have...but they did, anyway.

 If you are a company
 that loses more money on a few hours (or even minutes) downtime than it
 costs to invest in proper servers with 

Re: building kernel for new release in previous stable system

2006-11-02 Thread Theo de Raadt
 Will it be possible to build GENERIC kernel for the next OpenBSD
 release 4.1 using release or stable 4.0 system (with comp40.tgz set
 installed)?

That would be a bit hard, since 4.1 is about 6 months away.

But I get your drift.  Can you use -current code to build a kernel?
Yes, you can, but you really should not.  Get the 4.0-stable codebase.



Re: CPU selection

2006-11-02 Thread Alexander Lind
 what complexity?
 

 RAID, kiddo.
 It's more complex.  It is something else that can go wrong.
 And...it DOES go wrong.  Either believe me now, or wish you believed me
 later.  Your call.  I spent a lot of time profiting from people who
 ignored my advice. :)
   
Of course raid are more complex on a hardware level, but that doesn't
exactly make it more complex for _me_, the user, does it?
I have deployed lots and lots of servers, both with and without raid and
using various different OSes, and I give you that it used to be a
little tricky to get for example slackware to boot off some
semi-supported raid devices back in the day, but nowadays it's all pretty
simple imho.
And the times when disks have failed, we have plopped in new disks and
they got rebuilt and I lived happily afterwards.
So really, where is your profit margin on someone like me? ;)
   
  added boot time, and
 disks that can't be used without the RAID controller,
   
 why would you want to use your disk WITHOUT the raid controller?
 

 Oh, say, maybe your RAID controller failed?
 Or the spare machine you had didn't happen to have the same brand and
 model RAID card?
 Or the replacement RAID card happened to have a different firmware on
 it, and the newer firmware wouldn't read your old disk pack?  (yes,
 that's a real issue).
   
If indeed the raid card failed, unlikely as it would be, then that could
be a little messy. Not that I ever had this problem, but you ought to be
able to downgrade raid cards if you run into the firmware problem?
   
  it is a major
 loser when it comes to total up-time if you do things right.  Put a
 second disk in the machine, and regularly dump the primary to the
 secondary.  Blow the primary drive, you simply remove it, and boot off
 the secondary (and yes, you test test test this to make sure you did it
 right!). 
   
 Now you're talking crazy. Let's consider the two setups:
 No-raid setup:
   - two separately controlled disks, you are in charge of syncing
 between them
 

 yep.  you better test your work from time to time.
 (wow...come to think of it, you better test your RAID assumptions, too.
  Few people do that, they just assume it works.  This leads to people
 proving me right about simplicity vs. complexity)
   
If you configure it right it tends to work right. At least it does for me.
   
   - if one dies, the machine goes down, and you go to the machine, and
 manually boot from the backup disk
 

 yep.  Meanwhile, the system has been running just fine on the SECONDARY
 SYSTEM.
   
   
   - IF you had important data on the dead disk not yet backed up, you
 are screwed.
 

 Ah, so you are in the habit of keeping important, non-backed up data on
 your firewall?  wow.
   
of course, that's where I store my porn.
   
 you could almost look at this as poor man's manual pretend raid.
 

 Or as part of RAIC: Redundant Array of Inexpensive Computers.
   
which may not always be feasible in an already densely packed rack where
every U is expensive.
   
 Raid setup:
   - two disks, constantly synced, if one dies, the machine does NOT go down
 

 you are funny.  Or inexperienced.
   
master, you flatter me!
maybe I'm a lucky bastard, but every single disk failure I have seen in
a raided machine has been solved by pulling the disk out, and putting a
new one back in.
rebuild for some time, and then the machine is happy again.
I think this has happened to servers I maintain or help maintain 5 or so
times now.
   
   - if a disk fails, just go and plug a new one in _at your
 convenience*_ and it will automatically rebuild, a task any person could
 perform with proper direction. Not a second's downtime.
 

 That's the way it is SUPPOSED to work.
 Reality is very, very different sometimes.
   
my servers must be living in fantasyland or something.
 Simple systems have simple problems.
 Complex systems have complex problems.

 Worst down-time events I've ever seen always seem to involve a RAID
 system, usually managed by someone who said, "does NOT go down!", who
 believed that complexity was the solution to a problem
   
how exactly did the machine go down then, I wonder?
 A RAID controller never causes downtime in a system it's not installed
 in.  Power distribution boards don't fail on machines that don't have
 them.  Hotplug backplanes don't fail on machines that don't have them.
 (seen 'em all happen).
   
flawless logic sir, I wish courts would apply it in the same way
concerning rapists' genitals, and lying politicians' left brain halves (a
study I read suggested the left side is most active when you lie).
   
 * this is _very_ important if your machine is hosted where you don't
 have easy physical access to it. Machines at a colo center would be a
 very common scenario.
 

 That is correct... IF that was what we were talking about.  It isn't.
 You keep trying to use the wrong special case for the topic at hand.
   
I don't think a firewall should be any less failsafe or easy to