Re: pop-before-smtp and spamd
-Original Message-
From: Adam Jacob Muller [EMAIL PROTECTED]
Sent: 27.02.08 05:57:42
To: Juan Miscaro [EMAIL PROTECTED]
CC: Cameron Schaus [EMAIL PROTECTED], misc@openbsd.org
Subject: Re: pop-before-smtp and spamd

> pop-before-smtp is highly insecure. Use SMTP auth.
>
> -Adam
>
> On Feb 26, 2008, at 6:33 PM, Juan Miscaro wrote:
>
>> --- Cameron Schaus [EMAIL PROTECTED] wrote:
>>
>>> Juan Miscaro wrote:
>>>> Are there standard solutions for dealing with the obvious collision between pop-before-smtp and spamd (in greylisting mode)? I know many will say to use SMTP AUTH but right now I want to try to get my current setup to work. My first idea was to hack the pop-before-smtp Perl script to have the thing (daemon) add connecting/authenticating sender IPs to a pf whitelist table. I'm running OpenBSD 4.2 (stable) with Postfix 2.5.
>>>
>>> Why not use port 587 to send mail, instead of port 25, and only allow SMTP Auth from this port.
>>
>> Right now I'm talking about using pop-before-smtp.
>>
>> /juan
>>
>> Looking for the perfect gift? Give the gift of Flickr! http://www.flickr.com/gift/

--
Kind regards,
STEFAN WOLLNY
---
Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Mail: [EMAIL PROTECTED]
Re: OpenBSD 4.1 Strange Problem
On Tue, Feb 26, 2008 at 10:25:04AM +0800, Wong Peter wrote:
> Hello all respected network administrators,
>
> I have set up an OpenBSD gateway, but the wireless connection (gateway) is not detected by the client; before this it was OK. I could see it in Windows but now cannot. I don't know what is wrong with it. I am sure my configuration is OK because I didn't edit it.
>
> Another problem now is when booting up to the "starting network" step: previously I did not need to enter Ctrl+C to proceed to the DHCP request for rl0, but now I need that. I also don't know what is wrong.
>
> The third problem is that from OpenBSD I cannot ping the LAN client IP, but the client can ping OpenBSD. I tried "route add 176.16.10.11 (destination) 176.16.10.1 (gateway)" and it returns "file exists". If this route exists, then there should be no problem, but how come I cannot ping from OpenBSD to the client?
>
> I hope you can help me out, because my hair has dropped until there is no more hair. If you all need extra information or configuration, please let me know. A billion thanks for your help.

1. dmesg
2. full ifconfig output
Re: pop-before-smtp and spamd
NAT.

-Adam

On Feb 27, 2008, at 3:49 AM, Stefan Wollny wrote:

> Adam,
>
> could you please point to where to find more information on why pop-before-smtp is highly insecure? Or provide here a little bit of background information? It would be really appreciated.
>
> Thank you!
>
> -STEFAN
>
> -Original Message-
> From: Adam Jacob Muller [EMAIL PROTECTED]
> Sent: 27.02.08 05:57:42
> To: Juan Miscaro [EMAIL PROTECTED]
> CC: Cameron Schaus [EMAIL PROTECTED], misc@openbsd.org
> Subject: Re: pop-before-smtp and spamd
>
>> pop-before-smtp is highly insecure. Use SMTP auth.
>>
>> -Adam
>>
>> On Feb 26, 2008, at 6:33 PM, Juan Miscaro wrote:
>>
>>> --- Cameron Schaus [EMAIL PROTECTED] wrote:
>>>
>>>> Juan Miscaro wrote:
>>>>> Are there standard solutions for dealing with the obvious collision between pop-before-smtp and spamd (in greylisting mode)? I know many will say to use SMTP AUTH but right now I want to try to get my current setup to work. My first idea was to hack the pop-before-smtp Perl script to have the thing (daemon) add connecting/authenticating sender IPs to a pf whitelist table. I'm running OpenBSD 4.2 (stable) with Postfix 2.5.
>>>>
>>>> Why not use port 587 to send mail, instead of port 25, and only allow SMTP Auth from this port.
>>>
>>> Right now I'm talking about using pop-before-smtp.
>>>
>>> /juan
>
> --
> Kind regards,
> STEFAN WOLLNY
> ---
> Regulatory Reporting Consultancy
> Tel.: +49 (0) 177 655 7875
> Mail: [EMAIL PROTECTED]
Re: pop-before-smtp and spamd
Adam,

could you please point to where to find more information on why pop-before-smtp is highly insecure? Or provide here a little bit of background information? It would be really appreciated.

Thank you!

-STEFAN

-Original Message-
From: Adam Jacob Muller [EMAIL PROTECTED]
Sent: 27.02.08 05:57:42
To: Juan Miscaro [EMAIL PROTECTED]
CC: Cameron Schaus [EMAIL PROTECTED], misc@openbsd.org
Subject: Re: pop-before-smtp and spamd

> pop-before-smtp is highly insecure. Use SMTP auth.
>
> -Adam
>
> On Feb 26, 2008, at 6:33 PM, Juan Miscaro wrote:
>
>> --- Cameron Schaus [EMAIL PROTECTED] wrote:
>>
>>> Juan Miscaro wrote:
>>>> Are there standard solutions for dealing with the obvious collision between pop-before-smtp and spamd (in greylisting mode)? I know many will say to use SMTP AUTH but right now I want to try to get my current setup to work. My first idea was to hack the pop-before-smtp Perl script to have the thing (daemon) add connecting/authenticating sender IPs to a pf whitelist table. I'm running OpenBSD 4.2 (stable) with Postfix 2.5.
>>>
>>> Why not use port 587 to send mail, instead of port 25, and only allow SMTP Auth from this port.
>>
>> Right now I'm talking about using pop-before-smtp.
>>
>> /juan

--
Kind regards,
STEFAN WOLLNY
---
Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Mail: [EMAIL PROTECTED]
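The security point of this thread is Adam's one-word answer, NAT: pop-before-smtp grants relay rights to a source address, so behind NAT one successful mailbox login opens the relay for every host that shares that address, and any pf whitelist table fed from pop-before-smtp (Juan's first idea) inherits the same weakness. Cameron's alternative keeps spamd's whitelist for greylisting only and moves mail clients to authenticated submission on port 587, which spamd never sees. The pf.conf fragment below is an added example, not configuration posted in the thread, written in the pre-4.7 pf syntax of the OpenBSD 4.2 Juan runs; the interface name `em0`, the `/etc/mail/nospamd` table file and the use of spamd's default port (8025, named `spamd` in /etc/services) are assumptions.

```pf
# /etc/pf.conf fragment (added example, OpenBSD 4.2-era syntax)
ext_if = "em0"                                    # assumed external interface
table <spamd-white> persist                       # filled by spamd(8)/spamlogd(8)
table <nospamd> persist file "/etc/mail/nospamd"  # hand-maintained trusted relays

# Translation rules come first in pre-4.7 pf. Senders that spamd has not
# yet whitelisted are redirected to spamd for greylisting; trusted relays
# are exempted from the redirect entirely.
no rdr on $ext_if proto tcp from <nospamd> to any port smtp
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port spamd

# Filter rules: whitelisted and trusted senders reach the MTA on port 25.
pass in on $ext_if proto tcp from <spamd-white> to any port smtp
pass in on $ext_if proto tcp from <nospamd> to any port smtp

# Submission is for authenticated clients only and is never redirected to
# spamd, so a roaming user or a whole NATed office is never greylisted and
# no source-address whitelist has to be derived from a POP login.
pass in on $ext_if proto tcp from any to any port submission
```

The MTA has to enforce the authentication half: with the Postfix 2.5 Juan mentions, the `submission` service in master.cf carries `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, so port 587 relays for authenticated users and nobody else, while port 25 stays a plain inbound MX behind spamd.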
Re: spamd and freemail hosts
Peter N. M. Hansteen wrote:
> The spamd.alloweddomains method is useful

Hi, Peter.

Where can I find more information about spamd.alloweddomains? It doesn't appear in spamd(8) (OpenBSD 4.2-release, i386).

Thanks very much.
Re: spamd and freemail hosts
Zhang Huangbin [EMAIL PROTECTED] writes:

> Where can I find more information about spamd.alloweddomains? It doesn't appear in spamd(8) (OpenBSD 4.2-release, i386).

It should, in the GREYTRAPPING section (page down a few screenfuls).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: kernel naming proposal
2008/2/25, Don Jackson [EMAIL PROTECTED]:
> The issue is that when building and installing new kernels (e.g., when a new security patch is released), it is not totally obvious to the (automated) build script what the file /bsd really is: is it the uniprocessor kernel, or a link to the multiprocessor kernel? If the latter, then blindly copying the new uniprocessor kernel to /bsd is probably not what you want to do. With my proposal, new kernels can be safely copied to /, since they have unique and distinct names.

Just use links. Works great for me.

# ls -1i /flash/bsd*
6 /flash/bsd
5 /flash/bsd.old
5 /flash/bsd_large_42_PCENGINES_CUST2_vrpatch_err05_cvs24-01-2008
6 /flash/bsdl42_PCENGINES_err08_cvs25-02-2008-patch_vr-pach_ike

P.K.
Re: relayd http check connection failures; hoststated operates correctly
Brad Arrington [EMAIL PROTECTED] wrote:

> Hi,
>
> I ran into the same problem you did, I thought it was something I was doing wrong until I read your email... Here is the fix I came up with.
>
--- check_tcp.c-current Mon Feb 25 15:11:40 2008 +++ check_tcp.c Mon Feb 25 23:48:45 2008 @@ -82,6 +82,7 @@ if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) goto bad; + gettimeofday(cte-table-conf.timeout, NULL); bcopy(cte-table-conf.timeout, tv, sizeof(tv)); if (connect(s, (struct sockaddr *)cte-host-conf.ss, len) == -1) { if (errno != EINPROGRESS)
>
> I should check for return codes on gettimeofday but here it is anyway... I submitted a bug report too.
>
> -Brad

Hi Brad,

Your fix is wrong; you run into a timeout, which happens because the default relayd configuration supposes you are in the same broadcast domain as your relayed host and has a 200ms timeout. The error reporting is a bit confusing and should just mention that a timeout occurred; I will fix that.

The gettimeofday you used indeed fixed your issue but is really wrong, since it modifies the value you specify in the configuration file.

A simple fix for you would be to specify:

timeout 1000 # (or any appropriate timeout value for your application)

in your configuration file.

> startup
> init_filter: filter init done
> tcp_write: connect timed out
> relay_privinit: adding relay www
> init_tables: created 0 tables
> hce_notify_done: aa.bb.cc.209 (tcp_write: connect failed)
> protocol 0: name http
> host aa.bb.cc.209, check http code (3ms), state unknown - down, availability 0.00%
> flags: 0x0004
> tcp_write: connect timed out

The timeout is mentioned here.

> type: hce_notify_done: aa.bb.cc.211 (tcp_write: connect failed) http

And then a connect failed error happens, which might have confused you.

pyr.
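Review bot: the added line `+ gettimeofday(cte-table-conf.timeout, NULL);` stores the current wall-clock time (seconds since the epoch, roughly 1.2 billion in 2008) into the table's configured timeout, and the `bcopy` on the following line then copies that into `tv`, so the connect timeout is no longer the configured interval but an enormous one, and because the write lands in `conf.timeout` the configured value is destroyed for every later check on that table. If the check simply needs longer than the default, that is the `timeout` keyword in relayd.conf; if `tv` is genuinely filled wrongly here, fix how `tv` is derived from `conf.timeout` and leave the configuration struct untouched. The hunk also ignores gettimeofday's return value, as its author concedes below it.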
Re: kernel naming proposal
On Wed, Feb 27, 2008 at 01:15:56PM +0100, Piotrek Kapczuk wrote:
> 2008/2/25, Don Jackson [EMAIL PROTECTED]:
>> The issue is that when building and installing new kernels (e.g., when a new security patch is released), it is not totally obvious to the (automated) build script what the file /bsd really is: is it the uniprocessor kernel, or a link to the multiprocessor kernel? If the latter, then blindly copying the new uniprocessor kernel to /bsd is probably not what you want to do.

let's rename ls(1) -- it's so 80s man!

cu
--
paranoic mickey (my employers have changed but, the name has remained)
OpenBSD and Mysql+Sun
Sun + MySQL.. Will the MySQL database be portable in the next OpenBSD versions? How does the OpenBSD team look at this?
Re: OpenBSD and Mysql+Sun
Quoting Gustavo Polillo [EMAIL PROTECTED]:

> Sun + MySQL.. Will the MySQL database be portable in the next OpenBSD versions? How does the OpenBSD team look at this?

OpenBSD has had a MySQL port for nearly 9 years now.* I would imagine that nothing will change in that respect, and from everything that I have read about the Sun-MySQL deal it will be business as usual for MySQL, just with lots more cash laying around.

*http://www.openbsd.org/cgi-bin/cvsweb/ports/databases/mysql/Makefile?rev=1.1content-type=text/x-cvsweb-markup

--
Tim Donahue

This message was sent using IMP, the Internet Messaging Program.
Re: OpenBSD and Mysql+Sun
On Wed, Feb 27, 2008 at 6:42 PM, Gustavo Polillo [EMAIL PROTECTED] wrote:
> Sun + MySQL.. Will the MySQL database be portable in the next OpenBSD versions? How does the OpenBSD team look at this?

Didn't quite grasp your mail clearly, but based on whatever I understood of it, here goes: SUN is going to continue keeping MySQL open sourced, only that they are going to try and monetise on the fact that people would like to buy SUN hardware to run their DB on. Nothing else changes.

Best,
~Mayuresh
Re: P2V with VMWare - ERR M
Hi,

Did you use http://www.openbsd.org/faq/faq14.html#Backup to restore your old box to a vmware server image? The only part I am confused by is "At the end I installed the boot loader as described in the manpages with success." What man page are you referring to? What steps did you use to restore the boot loader?

Just curious. Could be good fodder for setting up a wiki or howto for transferring openbsd physical setups to virtual setups on vmware.

Úlfar M. E. Johnson
Skýrr
[EMAIL PROTECTED]
569 5100
http://www.skyrr.is
http://www.skyrr.is/legal/disclaimer.txt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fabian Heusser
Sent: 26 February 2008 23:48
To: misc@openbsd.org
Subject: Re: P2V with VMWare - ERR M

Nick, thank you for taking the time to answer my questions. As you successfully detected, I have done some brute force with no luck.

Thank you for your tip about dump/restore, I applied it with success. With the help of an OpenBSD live CD I managed to do some instant dump/restore over the network. For this I used a command sequence like the following for each partition:

# mount /dev/sd0a /mnt/hd1
# cd /mnt/hd1
# ssh 192.168.1.52 dump -0f - /dev/sd0a | restore -rvf -
# cd /
# umount /dev/sd0a

At the end I installed the boot loader as described in the manpages with success.

What was confusing me was that fdisk /dev/sd0c returns the same as the proper fdisk /dev/sd0, which mixed up my idea of the things.

Fabian

> Fabian Heusser wrote:
>> Hello
>>
>> I have an old box (3.6) which makes a lot of noise, so I'd like to virtualize it. I made an image with Acronis and converted it with VMware Converter. When I start the virtual machine, "Loading... ERR M" is shown. (dmesg at the bottom)
>>
>> I loaded cd36.iso as cdrom and at the boot prompt tried the following:
>>
>> machine boot hd0b - ERR M
>
> I'm surprised you get THAT error, but it is a nonsense command.
>
>> boot hd0a:/bsd - Invalid argument failed(22). will try /bsd
>> also with hd0b, hd0c um.
>
> did you really think that /bsd might be on the b, c, or d partitions??
>
>> If I boot with the cd, select shell and run the following
>>
>> # mount /dev/sd0c /mnt
>>
>> I get "Inappropriate filetype or format". Also with /dev/sd0a - d.
>
> I'd *hope* you can't mount sd0c like that.
>
>> If I run
>>
>> # cp /usr/mdec/boot /boot
>> # /usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0
>>
>> I get the following output:
>>
>> -8--
>> boot: /boot
>> proto: /usr/mdec/biosboot
>> device: /dev/rsd0c
>> /usr/mdec/biosboot: entry point 0
>> proto bootblock size 512
>> installboot: cross-device install
>> -8--
>>
>> but the error persists.
>
> You couldn't read the file system, so you figured you would just run a utility to alter a random sector someplace on the disk. Did you notice the little error message? cross-device install??? Read the man page, read the FAQ, and think about that command.
>
>> Does anyone have an idea what I'm doing wrong?
>
> Almost everything so far. You can't just type random commands without understanding what you are saying to the computer. What you are doing is very, very dangerous.
>
> If you want to get some idea what went wrong, boot a CD, and do a disklabel sd0 and fdisk sd0, see what that tells you.
>
> There was obviously something that went very wrong with your imaging transfer process, which doesn't surprise me; the process of migrating OpenBSD is so simple, it is hard to get anyone worried about making a special tool, 'specially since it wouldn't have this kind of flexibility. Quit using special tools, and use the OS.
>
> SIMPLE way: dump(8) each existing partition to a file, move the file, then restore(8) the files to the partitions of the new disk. Install your boot loader (PROPERLY this time), and done. And YES, I am being deliberately vague about how to do this. You need to spend some time with the man pages and the FAQ and thinking about how things work, not magic commands to type.
>
> The PROPER way of doing this, however, being this is a many year old, unmaintained install, is to build a new 4.2 or 4.3 system, install the apps, and transfer the data files. I'm guessing it is a screwed up system, or it would have been properly maintained and be running 4.2 now. So, why would you want to blindly migrate a mess to new hardware?
>
> Nick.
Re: OpenBSD and Mysql+Sun
Tim Donahue wrote:
> Quoting Gustavo Polillo [EMAIL PROTECTED]:
>> Sun + MySQL.. Will the MySQL database be portable in the next OpenBSD versions? How does the OpenBSD team look at this?
>
> OpenBSD has had a MySQL port for nearly 9 years now.* I would imagine that nothing will change in that respect, and from everything that I have read about the Sun-MySQL deal it will be business as usual for MySQL, just with lots more cash laying around.
>
> *http://www.openbsd.org/cgi-bin/cvsweb/ports/databases/mysql/Makefile?rev=1.1content-type=text/x-cvsweb-markup

Bizness as usual, with Project Indiana (OpenSolaris core + networking) with GNU applications above; they target Linux users who cannot think of a server not being LAMP. Hence, Sun has a LAMP package.

Fwiw, they also bought VirtualBox recently. This is the desktop market. Would I dare, I would say: desktop = Indiana.

Sun still heavily supports PostgreSQL. Still daring: Nevada is the server.
Re: relayd http check connection failures; hoststated operates correctly
Hi Pierre-Yves,

I guess we are both wrong... I used a few different timeout values including 1000 before changing any code. I just checked relayd (the unpatched version) again and I get the same results. These web servers just serve the default apache index page. I can connect to them instantly from the load balancer (using lynx) or any other (client) machine I have tested. So either the timeout value is not read/set correctly or it is something else.

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 27 Feb 2008 11:53:03 +0100
To: [EMAIL PROTECTED]
Subject: Re: relayd http check connection failures; hoststated operates correctly

Brad Arrington [EMAIL PROTECTED] wrote:

> Hi,
>
> I ran into the same problem you did, I thought it was something I was doing wrong until I read your email... Here is the fix I came up with.
>
--- check_tcp.c-current Mon Feb 25 15:11:40 2008 +++ check_tcp.c Mon Feb 25 23:48:45 2008 @@ -82,6 +82,7 @@ if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) goto bad; + gettimeofday(cte-table-conf.timeout, NULL); bcopy(cte-table-conf.timeout, tv, sizeof(tv)); if (connect(s, (struct sockaddr *)cte-host-conf.ss, len) == -1) { if (errno != EINPROGRESS)
>
> I should check for return codes on gettimeofday but here it is anyway... I submitted a bug report too.
>
> -Brad

Hi Brad,

Your fix is wrong; you run into a timeout, which happens because the default relayd configuration supposes you are in the same broadcast domain as your relayed host and has a 200ms timeout. The error reporting is a bit confusing and should just mention that a timeout occurred; I will fix that.

The gettimeofday you used indeed fixed your issue but is really wrong, since it modifies the value you specify in the configuration file.

A simple fix for you would be to specify:

timeout 1000 # (or any appropriate timeout value for your application)

in your configuration file.

> startup
> init_filter: filter init done
> tcp_write: connect timed out
> relay_privinit: adding relay www
> init_tables: created 0 tables
> hce_notify_done: aa.bb.cc.209 (tcp_write: connect failed)
> protocol 0: name http
> host aa.bb.cc.209, check http code (3ms), state unknown - down, availability 0.00%
> flags: 0x0004
> tcp_write: connect timed out

The timeout is mentioned here.

> type: hce_notify_done: aa.bb.cc.211 (tcp_write: connect failed) http

And then a connect failed error happens, which might have confused you.

pyr.
Re: relayd http check connection failures; hoststated operates correctly
Brad Arrington [EMAIL PROTECTED] wrote:

> Hi Pierre-Yves,
>
> I guess we are both wrong... I used a few different timeout values including 1000 before changing any code. I just checked relayd (the unpatched version) again and I get the same results. These web servers just serve the default apache index page. I can connect to them instantly from the load balancer (using lynx) or any other (client) machine I have tested. So either the timeout value is not read/set correctly or it is something else.

Please try with an insanely high value (10 seconds) and see if you still get a connection timeout message.

To make logging more meaningful you can try with this diff and send me the relayd -dv output:

Index: check_tcp.c === RCS file: /cvs/src/usr.sbin/relayd/check_tcp.c,v retrieving revision 1.31 diff -u -p -r1.31 check_tcp.c --- check_tcp.c 7 Dec 2007 17:17:00 - 1.31 +++ check_tcp.c 27 Feb 2008 13:40:45 - @@ -109,21 +109,24 @@ tcp_write(int s, short event, void *arg) if (event == EV_TIMEOUT) { log_debug(tcp_write: connect timed out); cte-host-up = HOST_DOWN; - } else { - len = sizeof(err); - if (getsockopt(s, SOL_SOCKET, SO_ERROR, err, len)) - fatal(tcp_write: getsockopt); - if (err != 0) - cte-host-up = HOST_DOWN; - else - cte-host-up = HOST_UP; + close(s); + hce_notify_done(cte-host, tcp_write: connect timed out); + return; } + len = sizeof(err); + if (getsockopt(s, SOL_SOCKET, SO_ERROR, err, len)) + fatal(tcp_write: getsockopt); + if (err != 0) + cte-host-up = HOST_DOWN; + else + cte-host-up = HOST_UP; + if (cte-host-up == HOST_UP) tcp_host_up(s, cte); else { close(s); - hce_notify_done(cte-host, tcp_write: connect failed); + hce_notify_done(cte-host, tcp_write: connection refused); } }
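Review bot: in the non-timeout path every nonzero SO_ERROR is now reported as `hce_notify_done(cte-host, tcp_write: connection refused)`, but `err` can just as well be EHOSTUNREACH, ENETUNREACH or ETIMEDOUT from the kernel's own SYN retransmit limit, so the new label can mislead in exactly the situation this diff is meant to clarify. Since the point of the change is to make the `-dv` output meaningful, pass the errno text instead, e.g. `hce_notify_done(cte-host, strerror(err))`, or at least `log_debug` the value of `err` next to the existing `tcp_write: getsockopt` fatal before notifying. The early `return` after `close(s)` in the EV_TIMEOUT branch is fine as long as nothing after the `if` block was also responsible for tidying up the timed-out check.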
Re: P2V with VMWare - ERR M
Sorry, I referred to the second example in installboot(8):
http://www.openbsd.org/cgi-bin/man.cgi?query=installbootapropos=0sektion=0; manpath=OpenBSD+Currentarch=i386format=html

It's the same as this step from your linked FAQ:

# cp /usr/mdec/boot /mnt/boot
# /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot sd0

Yes, a howto would be nice; for Windows there are many, for Linux some, and for OpenBSD not so many. But as Nick said, it's really simple if you go the dump/restore route. It's 90 percent of the FAQ you are referring to. But if you go the disk image route it's not so easy.

In the FAQ, they restore / first and boot into single user mode and then restore the rest. Does someone know if it makes any difference if I restore all partitions in one step and then boot into the finished restore?

On Wed, Feb 27, 2008 at 3:32 PM, Úlfar M. E. Johnson [EMAIL PROTECTED] wrote:
> Hi,
>
> Did you use http://www.openbsd.org/faq/faq14.html#Backup to restore your old box to a vmware server image? The only part I am confused by is "At the end I installed the boot loader as described in the manpages with success." What man page are you referring to? What steps did you use to restore the boot loader?
>
> Just curious. Could be good fodder for setting up a wiki or howto for transferring openbsd physical setups to virtual setups on vmware.
>
> Úlfar M. E. Johnson
> Skýrr
> [EMAIL PROTECTED]
> 569 5100
> http://www.skyrr.is
> http://www.skyrr.is/legal/disclaimer.txt
Re: Power fluctuation and hard disk crashes
This is a totally non-technical solution, but reading what you wrote I immediately thought: How much of these 56 GB of data is changing? Is the bulk of this data stuff that you *need* to constantly access for the next couple of weeks?

If not, then wouldn't it be much safer to just take one of the disks with its copy of the 56 GB of data offline, switch it off, disconnect it, and store it in a safe place? Then do online/Internet delta backups of just the stuff that you're changing, which hopefully will not be in the order of GBs. If your active disk fails, buy a replacement (which may be cheaper than that fancy UPS), restore from the inactive disk plus online delta backups, and lather, rinse, repeat till you're the heck outta there.

Sorry if this sounds stupid, it was just a thought that popped into my head.

Thanks and regards,
--ropers
Re: relayd http check connection failures; hoststated operates correctly
On Wed, Feb 27, 2008 at 11:53:03AM +0100, Pierre-Yves Ritschard wrote:
> Your fix is wrong; you run into a timeout, which happens because the default relayd configuration supposes you are in the same broadcast domain as your relayed host and has a 200ms timeout.

While my relay server isn't in the same broadcast domain as my backend servers, there is on average 2ms RTT between the systems. Average response time from the HTTP servers is about 300ms.

> The error reporting is a bit confusing and should just mention that a timeout occurred; I will fix that.
>
> The gettimeofday you used indeed fixed your issue but is really wrong, since it modifies the value you specify in the configuration file.
>
> A simple fix for you would be to specify:
>
> timeout 1000 # (or any appropriate timeout value for your application)
>
> in your configuration file.

I hate to say this Pierre-Yves, but this occurs even with a timeout of 5000ms in my configuration file. The *very* same system, polling the *very same* hosts with hoststated does not have this problem.

>> startup
>> init_filter: filter init done
>> tcp_write: connect timed out
>> relay_privinit: adding relay www
>> init_tables: created 0 tables
>> hce_notify_done: aa.bb.cc.209 (tcp_write: connect failed)
>> protocol 0: name http
>> host aa.bb.cc.209, check http code (3ms), state unknown - down, availability 0.00%
>> flags: 0x0004
>> tcp_write: connect timed out
>
> The timeout is mentioned here.

# grep timeout /root/relayd.conf
timeout 5000

>> type: hce_notify_done: aa.bb.cc.211 (tcp_write: connect failed) http
>
> And then a connect failed error happens, which might have confused you.

If you look here, the connect succeeds..

The initial SYN:

11:07:56.249025 aa.bb.cc.140.43847 > dd.ee.ff.209.80: S [tcp sum ok] 1292907170:1292907170(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3626625731 0> (DF) (ttl 64, id 10238, len 64)

The SYN/ACK:

11:07:56.250782 dd.ee.ff.209.80 > aa.bb.cc.140.43847: S [tcp sum ok] 394683021:394683021(0) ack 1292907171 win 5792 <mss 1460,sackOK,timestamp 1366160992 3626625731,nop,wscale 2> (DF) (ttl 54, id 0, len 60)

The RST (by the host initiating the session in the first place):

11:07:56.250814 aa.bb.cc.140.43847 > dd.ee.ff.209.80: R [tcp sum ok] 1292907171:1292907171(0) win 0 (DF) (ttl 64, id 17473, len 40)

Ben
4.3-beta upgrade stalls on base43.tgz
While doing a direct upgrade of an amd64 machine from -current (approx. end of Jan) to the Feb 26 snapshot, the installer stalls on base43.tgz. This happens at 99%, 46640KB. I've tried the following three methods with the same results:

- bsd.rd and get sets from an ftp mirror
- bsd.rd and get sets from disk
- boot and get sets from CD (install43.iso, md5 ok)

Different mirrors were used for the above trials. I can interrupt and install the other sets. The system boots and is apparently normal. Next step will be to do a clean install.

OpenBSD 4.3-beta (GENERIC) #1354: Tue Feb 26 05:39:34 MST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2147020800 (2047MB)
avail mem = 2073526272 (1977MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.2 @ 0xf (40 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 01/31/2005
bios0: soyocomputer nForce
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices HUB0(S5) HUB1(S4) USB0(S3) USB1(S3) USB2(S3) F139(S3) MMAC(S5) MMCI(S5) UAR1(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (HUB0)
acpiprt2 at acpi0: bus 1 (AGPB)
acpiprt3 at acpi0: bus -1 (HUB1)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 95 degC
acpibtn0 at acpi0: PWRB
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3000+, 2020.12 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD errata 86, 89, 97, 104 present, BIOS upgrade may be required
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 NVIDIA nForce3 PCI Host rev 0xa4
agp at pchb0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce3 ISA rev 0xa6
nviic0 at pci0 dev 1 function 1 NVIDIA nForce3 SMBus rev 0xa4
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
iic1 at nviic0
iic1: addr 0x4e 00=2a 01=02 02=10 03=72 05=80 06=0e 09=c8 0a=37 0e=e0 0f=ff 3e=37 48=37 4a=37 4e=37 fe=37 words 00=2aff 01=02ff 02=10ff 03=72ff 04=00ff 05=80ff 06=0eff 07=00ff 08=00ff 09=c8ff 0a=37ff 0b=00ff 0c=00ff 0d=00ff 0e=e0ff 0f=
ohci0 at pci0 dev 2 function 0 NVIDIA nForce3 USB rev 0xa5: irq 5, version 1.0, legacy support
ohci1 at pci0 dev 2 function 1 NVIDIA nForce3 USB rev 0xa5: irq 5, version 1.0, legacy support
ehci0 at pci0 dev 2 function 2 NVIDIA nForce3 USB rev 0xa2: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 NVIDIA EHCI root hub rev 2.00/1.00 addr 1
nfe0 at pci0 dev 5 function 0 NVIDIA nForce3 LAN rev 0xa5: irq 11, address 04:4b:80:80:80:03
icsphy0 at nfe0 phy 1: ICS1893 10/100 PHY, rev. 1
auich0 at pci0 dev 6 function 0 NVIDIA nForce3 AC97 rev 0xa2: irq 11, nForce3 AC97
ac97: codec id 0x434d4961 (C-Media Electronics CMI9739)
audio0 at auich0
pciide0 at pci0 dev 8 function 0 NVIDIA nForce3 IDE rev 0xa5: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6Y120L0
wd0: 16-sector PIO, LBA, 117246MB, 240119808 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TSSTcorp, CD/DVDW TS-H552B, TS10 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ppb0 at pci0 dev 10 function 0 NVIDIA nForce3 PCI-PCI rev 0xa2
pci1 at ppb0 bus 2
vga1 at pci1 dev 7 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 11 function 0 NVIDIA nForce3 PCI-PCI rev 0xa4
pci2 at ppb1 bus 1
ATI Radeon 9200 SE Sec rev 0x01 at pci2 dev 0 function 0 not configured
ATI Radeon 9200 SE rev 0x01 at pci2 dev 0 function 1 not configured
pchb1 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb4 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
mpu0 at isa0 port 0x330/2: generic MPU-401 compatible
midi0 at mpu0: MPU-401 MIDI UART
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
spkr0 at pcppi0
it0 at isa0 port 0x290/8: IT8712F rev 0x06
usb1 at ohci0: USB revision
Re: relayd http check connection failures; hoststated operates correctly
On Wed, Feb 27, 2008 at 06:28:40PM +0100, Pierre-Yves Ritschard wrote:

Please try with an insanely high value (10seconds) and see if you still get a connection timeout message. To make logging more meaningful you can try with this diff and send me the relayd -dv output:

I can't set timeout to 10s (it complains "global timeout exceeds interval"). Here are the results with your diff:

# obj/relayd -dv -f /root/relayd.conf
startup
init_filter: filter init done
tcp_write: connect timed out
relay_privinit: adding relay www
init_tables: created 0 tables
hce_notify_done: dd.ee.ff.209 (tcp_write: connect timed out)
protocol 0: name http
host dd.ee.ff.209, check http code (2ms), state unknown -> down, availability 0.00%
flags: 0x0004
tcp_write: connect timed out
type:
hce_notify_done: dd.ee.ff.211 (tcp_write: connect timed out)
http
host dd.ee.ff.211, check http code (3ms), state unknown -> down, availability 0.00%
pfe_dispatch_imsg: state -1 for host 3 dd.ee.ff.209
request pfe_dispatch_imsg: state -1 for host 2 dd.ee.ff.211
append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
request append $REMOTE_ADDR to X-Forwarded-For
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
adding 2 hosts from table webhosts:80
adding 2 hosts from table webhosts:80
adding 2 hosts from table webhosts:80
adding 2 hosts from table webhosts:80
adding 2 hosts from table webhosts:80
relay_launch: running relay www
relay_launch: running relay www
relay_launch: running relay www
relay_launch: running relay www
relay_launch: running relay www
tcp_write: connect timed out
hce_notify_done: dd.ee.ff.209 (tcp_write: connect timed out)
tcp_write: connect timed out
hce_notify_done: dd.ee.ff.211 (tcp_write: connect timed out)
^Chost check engine exiting
kill_tables: deleted 0 tables
flush_rulesets: flushed rules
pf update engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
terminating

The configuration file I'm using:

# cat /root/relayd.conf
ext_addr=aa.bb.cc.114
webhost1=dd.ee.ff.209
webhost2=dd.ee.ff.211

timeout

table webhosts { $webhost1 $webhost2 }

http protocol http {
        header append $REMOTE_ADDR to X-Forwarded-For
        header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

relay www {
        listen on $ext_addr port 80
        protocol http
        forward to webhosts port http mode loadbalance \
                check http / host www.mysite.com code 200
}

Ben
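Every check in Ben's log fails at the connect step, before any HTTP status line is seen, and his attempt to raise the timeout ran into relayd's rule that the timeout must stay below the check interval. The script below is an added example (it is not relayd's code and not from this thread) of a relayd-style `check http` probe that distinguishes a connect failure from a backend that accepts the connection but never answers, and from a backend that answers with the wrong status code, and that applies the "global timeout exceeds interval" rule up front. The backend, host names and ports are constructed; everything runs on localhost.

```python
"""relayd-style HTTP host check (added example; this is not relayd's own code).

Tells apart the outcomes that the relayd log above lumps under "down":
a failure to connect, a backend that accepts but never answers within the
timeout, and a backend that answers with the wrong status code.
"""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def validate_check_config(timeout_ms, interval_s):
    """relayd rejects a check timeout that could overrun the check interval."""
    if timeout_ms >= interval_s * 1000:
        raise ValueError("global timeout exceeds interval")
    return True


def check_http(host, port, path="/", host_header=None, expect_code=200,
               timeout=1.0):
    """One check, like `check http "/" host "..." code 200`; returns (state, reason)."""
    try:
        # Connect phase: this is where relayd reports "connect timed out".
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "down", "connect timed out"
    except OSError as exc:
        return "down", "connect failed: %s" % (exc.strerror or exc)
    try:
        sock.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n"
                      % (path, host_header or host)).encode("ascii"))
        data = b""
        while b"\r\n" not in data:              # read up to the status line
            chunk = sock.recv(1024)
            if not chunk:
                return "down", "connection closed before status line"
            data += chunk
    except socket.timeout:
        return "down", "no response within %.1fs" % timeout
    finally:
        sock.close()
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "down", "malformed status line"
    code = int(parts[1])
    if code != expect_code:
        return "down", "unexpected code %d, expected %d" % (code, expect_code)
    return "up", "code %d" % code


class HostStatus:
    """Tracks what relayd logs as 'state unknown -> down, availability N%'."""

    def __init__(self, name):
        self.name, self.state, self.checks, self.ups = name, "unknown", 0, 0

    def record(self, state, reason):
        prev, self.state = self.state, state
        self.checks += 1
        self.ups += state == "up"
        return "host %s, state %s -> %s (%s), availability %.2f%%" % (
            self.name, prev, state, reason, 100.0 * self.ups / self.checks)


class _Backend(BaseHTTPRequestHandler):
    """Constructed backend: / is healthy, /hang never answers, anything else 503."""

    def do_GET(self):
        if self.path == "/hang":
            time.sleep(2)               # longer than the 0.5s check timeout
            return
        self.send_response(200 if self.path == "/" else 503)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):       # keep the example quiet
        pass


def run_demo():
    """Check the constructed backend four ways; return {name: (state, reason)}."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Backend)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]    # nothing will be listening here
    probe.close()
    status, results = HostStatus("127.0.0.1"), {}
    try:
        for name, p, path in (("healthy", port, "/"), ("wrong_code", port, "/x"),
                              ("hang", port, "/hang"), ("refused", closed_port, "/")):
            results[name] = check_http("127.0.0.1", p, path,
                                       host_header="www.mysite.com", timeout=0.5)
            print(status.record(*results[name]))
    finally:
        server.shutdown()
        server.server_close()
    return results
```

Calling `run_demo()` prints one relayd-style line per check; the "hang" case is the one relayd cannot distinguish from a dead host in the log above, because both surface only as a timeout. The status line is read with a plain socket rather than http.client so that the connect timeout and the read timeout are visibly separate failures.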
Re: relayd http check connection failures; hoststated operates correctly
Hi Ben,

Try changing the interval value to a higher value.

I tested it; the results are the same (with timeout set to 10 seconds).

-Brad

-Original Message-
From: [EMAIL PROTECTED]
Sent: Wed, 27 Feb 2008 11:27:19 -0800
To: [EMAIL PROTECTED]
Subject: Re: relayd http check connection failures; hoststated operates correctly
Re: [ami] Unable to set Hot Spare from bioctl on a Dell PERC 4/Di
On Thu, 21 Feb 2008, Matthew Mulrooney wrote:

On Wed, 20 Feb 2008, Marco Peereboom wrote:
My natural answer is that this is a firmware issue. But since you

I will upgrade the firmware and rerun my test case.

I've upgraded my firmware to the latest version:

Firmware version: 252D
Firmware release date: July 17, 2007

And re-run the test case with the same results.

Matthew

On Wed, Feb 20, 2008 at 01:42:59AM -0700, Matthew Mulrooney wrote:

Hi there,

I'm back with another LSI controller, and I'm experiencing problems with creating hot spares from bioctl. This seems to be the same problem that I posted to misc@ on Oct 16, 2006 with the subject line of:

[ami] Unable to set Hot Spare on MegaRAID SATA 300-8x

I've got the same symptoms, but now with a PERC 4/Di controller. [And this time I've found a better workaround than just avoiding bioctl -H with this LSI controller :).]

Problem summary
===============

When I use bioctl to mark an Unused drive as a Hot Spare, that drive will fail to be integrated when another disk fails. The only way that I've found to make that drive properly act as a Hot Spare is to only set it as such from the LSI boot menu.

If you have already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked drive, and replace it (it can be the same physical disk). At that point your disk should be showing up as an 'Unused' disk, from where you can go do the thing in the LSI boot menu. This is an improvement over my 2006 analysis of the situation, where I couldn't find a way to reset the drive back to Unused (after Hot Sparing it from bioctl). The LSI boot menu requires a drive to be in an Unused state before it will allow me to correctly mark it as a Hot Spare.

If you're interested, please let me know what I can do to be of assistance in troubleshooting this. I have a limited window before this box will have to be pushed into production, and I can live with the current situation (an after hours reboot in the case of a drive failure is perfectly fine).

Matthew

Test case
=========

s = step succeeded
F = step failed

Normal case (RAID 1 + one hot spare)
------------------------------------
s  Configure array from the LSI boot menu
s  Clear configuration
s  New configuration
s  Disks 0, 1: RAID 1 array
s  Disk 2: Hot spare
s  Install OpenBSD-4.2
s  Single disk failure
s  Disk 0: Fails (I pulled it from the hot swap cage)
s  Disk 2: Automatically replaces it
s  Observe the RAID 1 array get fully rebuilt
s  Replace failed disk
s  Replace Disk 0 with a new disk
s  Observe that Disk 0 is marked as Unused through bioctl
s  Set Disk 0 to be a hot spare (through bioctl)
s  Single disk failure
s  Disk 1: Fails (I pulled it)
F  Disk 0: FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A HOT SPARE
   - Array is still degraded.
s  Reboot, enter into the LSI boot menu
s  Configure View/Add Configuration
s  Highlight disk 0 F4 (hot spare)
s  This Physical Drive is already a HOTSPARE\nPress any key to continue
s  F10 (Configure), Esc, Esc
s  Exit? = YES
s  Please REBOOT YOUR SYSTEM, CTRL-ALT-DEL
s  Recheck array
F  Disk 0: Still failing to integrate. Array still degraded.
s  Attempt to shake loose the 'Hot Spare' bit from disk 0
s  Remove disk 0
s  Replace disk 0 (with the same physical disk)
s  Disk 0 is *no longer* marked as a 'Hot Spare' (either through bioctl or through the LSI boot menu). Yeah! :)
   [I don't think I tested this method with my SATA 300-8x.]

Log file
========

# The output is generated by:
#date; bioctl ami0
##
# Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2
Tue Feb 19 04:01:42 MST 2008
Volume  Status     Size          Device
 ami0 0 Scrubbing  146695782400  sd0    RAID1 3% done
      0 Online     146811125760  0:0.0  safte0 <MAXTOR ATLAS10K5_146SCAJNZM>
      1 Online     146811125760  0:1.0  safte0 <SEAGATE ST3146807LC DS09>
 ami0 1 Hot spare  146811125760  0:2.0  safte0 <IBM IC35L146UCDY10-0S27F>
Tue Feb 19 10:02:15 MST 2008
Volume  Status     Size          Device
 ami0 0 Scrubbing  146695782400  sd0    RAID1 94% done
      0 Online     146811125760  0:0.0  safte0 <MAXTOR ATLAS10K5_146SCAJNZM>
      1 Online     146811125760  0:1.0  safte0 <SEAGATE ST3146807LC DS09>
 ami0 1 Hot spare  146811125760  0:2.0  safte0 <IBM IC35L146UCDY10-0S27F>
Tue Feb 19 10:12:15 MST 2008
Volume  Status     Size          Device
 ami0 0 Scrubbing  146695782400  sd0    RAID1 97% done
      0 Online     146811125760  0:0.0  safte0 <MAXTOR ATLAS10K5_146SCAJNZM>
      1 Online
Re: switching off the lid parks and spins up the hard drive too frequently in spite of atactl
From atactl(8):

     apmset power-management-level
             Enables and sets the advanced power management level to the
             requested level on the specified device (if supported).  Device
             performance may increase with increasing power management
             levels at the cost of potentially requiring more power.  Values
             up to and including 126 allow the device to go into standby mode
             and spin-down the disk.  This may cause disk time-outs and is
             therefore not recommended.  These values are more suitable
             optimization for low power usage on infrequently used devices.
             Values 127 up to and including 253 do not allow the device to
             go to standby mode and are more suitable for optimization for
             performance.  Support for advanced power management is
             indicated by the device with `Advanced Power Management feature
             set' in the output of the identify command.

So it would appear that it just reduces wd0's need for electricity. Have you tried something else, like atactl /dev/wd0c setstandby ###?

I just put an old Dell Latitude D600 hard drive into standby by using

    atactl /dev/wd0c apmset 200

It appears to come back on when I use the command line, and I get a device timeout error when it spins back up... funny enough, it also appears to come out of standby mode when I run atactl /dev/wd0c checkpower... I get one "Current power status: Standby mode", it pauses a second, I get the soft error message in the console window, then it comes back to active mode...

On Wed, Feb 27, 2008 at 9:50 AM, Pau Amaro-Seoane [EMAIL PROTECTED] wrote:

Hi,

I am having a small trouble... I attached an external monitor to my ThinkPad T41; when I do this, I switch off the laptop lid by pressing fn+f3, in the hope that its life will be longer (and to spare a bit of energy), and there's a clear correlation between doing it and hearing the hard drive parking and spinning again in intervals of some seconds... I tried to set it to

    atactl wd0 apmset 253

but this didn't help. atactl wd0 checkpower yields Standby mode / Active mode alternately every few seconds or so.

Some output:

spree(pb)| sudo atactl /dev/wd0c identify
Model: SAMSUNG HM121HC, Rev: LS100-10, Serial #: S12SJD0P910425
Device type: ATA, fixed
Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 234441648
Device capabilities:
        ATA standby timer values
        IORDY operation
        IORDY disabling
Device supports the following standards:
ATA-1 ATA-2 ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8
Master password revision code 0xfffe
Device supports the following command sets:
        NOP command
        READ BUFFER command
        WRITE BUFFER command
        Host Protected Area feature set
        Read look-ahead
        Write cache
        Power Management feature set
        Security Mode feature set
        SMART feature set
        Flush Cache Ext command
        Flush Cache command
        Device Configuration Overlay feature set
        48bit address feature set
        Automatic Acoustic Management feature set
        Set Max security extension commands
        Advanced Power Management feature set
        DOWNLOAD MICROCODE command
        IDLE IMMEDIATE with UNLOAD FEATURE
        SMART self-test
        SMART error logging
Device has enabled the following command sets/features:
        NOP command
        READ BUFFER command
        WRITE BUFFER command
        Host Protected Area feature set
        Read look-ahead
        Write cache
        Power Management feature set
        SMART feature set
        Flush Cache Ext command
        Flush Cache command
        Device Configuration Overlay feature set
        48bit address feature set
        Automatic Acoustic Management feature set
        Advanced Power Management feature set
        DOWNLOAD MICROCODE command

- With lid SWITCHED OFF:
========================

spree(pb)| while true; do ; sudo atactl wd0 checkpower ; date '+%Hh%mmin%Ssec' ; sleep 5 ; done
Current power status: Active mode
18h02min53sec
Current power status: Active mode
18h02min58sec
Current power status: Active mode
18h02min03sec
Current power status: Active mode
18h02min08sec
Current power status: Active mode
18h02min13sec
Current power status: Standby mode
18h02min18sec
Current power status: Active mode
18h02min23sec
Current power status: Standby mode
18h02min28sec
Current power status: Active mode
18h02min34sec
Current power status: Active mode
18h02min39sec
Current power status: Active mode
18h02min44sec
Current power status: Standby mode
18h02min49sec
Current power status: Active mode
18h02min54sec
Current power status: Standby mode
18h02min59sec
Current power status: Active mode
18h02min04sec
Current power
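As an added example (not from the thread), the script below turns a `checkpower` poll log like the one above into a count of spin-ups and the time spent in standby, so "it parks every few seconds" becomes a number that can be compared before and after an apmset change. One caveat about the log above: its loop prints the time with `%m` (month) where `%M` (minute) was intended, which is why the minute field never moves off 02 in February; the constructed sample below uses the corrected format, and the parser treats a timestamp that goes backwards as a wrap across midnight. The `apm_allows_standby` helper encodes only the 126/127 boundary quoted from atactl(8) above.

```python
"""Summarize an `atactl wdN checkpower` poll log (added example, not from the thread).

Input is the poster's format: a "Current power status: <X> mode" line followed
by a timestamp line in %Hh%Mmin%Ssec form.  Output counts spin-ups (the first
Active sample after a Standby run) and time spent in standby.
"""
import re

# Constructed sample in the poster's format, 5-second polls, minutes advancing.
SAMPLE_LOG = """\
Current power status: Active mode
18h02min53sec
Current power status: Active mode
18h02min58sec
Current power status: Active mode
18h03min03sec
Current power status: Standby mode
18h03min08sec
Current power status: Active mode
18h03min13sec
Current power status: Standby mode
18h03min18sec
Current power status: Standby mode
18h03min23sec
Current power status: Active mode
18h03min28sec
Current power status: Active mode
18h03min33sec
"""

_STATUS = re.compile(r"Current power status:\s*(\w+) mode")
_STAMP = re.compile(r"^(\d{2})h(\d{2})min(\d{2})sec$")


def apm_allows_standby(level):
    """atactl(8): levels up to 126 permit standby/spin-down, 127..253 do not."""
    if not 1 <= level <= 253:
        raise ValueError("apm level outside the range atactl(8) documents")
    return level <= 126


def parse_checkpower_log(text):
    """Return [(seconds_since_start_of_day, state), ...] from status/stamp pairs."""
    samples, pending, day = [], None, 0
    for line in text.splitlines():
        m = _STATUS.search(line)
        if m:
            pending = m.group(1)          # remember the state until its stamp
            continue
        m = _STAMP.match(line.strip())
        if m and pending is not None:
            h, mi, s = (int(x) for x in m.groups())
            t = day + h * 3600 + mi * 60 + s
            if samples and t < samples[-1][0]:   # clock went backwards: midnight
                day += 86400
                t += 86400
            samples.append((t, pending))
            pending = None
    return samples


def analyze_checkpower_log(text, apm_level=None):
    """Count spin-ups and standby time; optionally compare with the apm level."""
    samples = parse_checkpower_log(text)
    spinups = standby = longest = run = 0
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if s0 == "Standby":
            standby += t1 - t0            # the disk stayed down for this gap
            run += t1 - t0
            if s1 != "Standby":           # it came back up: one spin-up
                spinups += 1
                longest = max(longest, run)
                run = 0
    longest = max(longest, run)           # log may end while still in standby
    span = samples[-1][0] - samples[0][0] if len(samples) > 1 else 0
    report = {
        "samples": len(samples),
        "spinups": spinups,
        "standby_seconds": standby,
        "longest_standby_seconds": longest,
        "spinups_per_hour": round(spinups * 3600 / span, 1) if span else 0.0,
    }
    if apm_level is not None:
        report["standby_allowed_by_apm"] = apm_allows_standby(apm_level)
    return report
```

Run it as `analyze_checkpower_log(SAMPLE_LOG, apm_level=253)`: a report with spin-ups while `standby_allowed_by_apm` is False is exactly the poster's situation, a drive going to standby at a level where the apmset excerpt says it should not, which points the investigation at something other than apmset.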
Re: 4.3-beta upgrade stalls on base43.tgz (Ok on clean install)
On Wed, Feb 27, 2008 at 02:18:12PM -0500, Andrew Ruscica wrote:

While doing a direct upgrade of an amd64 machine from -current (approx end of Jan) to the Feb 26 snapshot, the installer stalls on base43.tgz. This happens at 99%, 46640KB.
...
Next step will be to do a clean install.

The clean install was fine...
pf+queue+pass in+stateful out
I know queuing only applies to outbound traffic. I'm using ssh -w tunnelling to the pf+gateway. I, therefore, have

pass in on $ext_if inet proto tcp ... keep state queue (QSHH, QLOWLAT)

which, if I understand correctly, should assign the stateful reply/return (outbound) traffic to be queued on QSHH and QLOWLAT accordingly. It doesn't do so.

1. With the queue(QSHH,QLOWLAT) arguments in place, there is NO returning traffic flow. Return traffic seems to vanish. pflog0 is silent on any blocking.

2. The QSSH stats (pfctl -vvsq) counters are zero and remain at zero.

If I use the identical rule sets but omit the queue(QSHH,QLOWLAT) options, reply traffic flows correctly, except no queuing. The queues are working for everything else (default, voip, lowlat, etc).

The /etc/pf.conf fragment follows

--snip--
# -v-
pass in log quick on $ext_if inet proto tcp \
        from !ssh_pests to ($ext_if:0) \
        flags S/SA keep state \
        (max-src-conn-rate 3/120, overload ssh_pests flush global) \
        queue(QSHH,QLOWLAT) label SSHVPNGRP
#
pass in log quick on tun0 inet \
        from (tun0:peer) to any \
        tag VTUN keep state label SSHVPNGRP
#
pass out log quick on $int_if inet \
        tagged VTUN keep state label SSHVPNGRP
# -^-
--end-snip--

It's as if there needs to be a pass out, but ??? because state is handling that.

Thanks,
netiquette: please don't post to misc with a spamtrap as reply-to
I find it somewhat astonishing, bordering on the incredible, that someone who claims to be knowledgeable about such things as spamd and a few related pieces of software would first post to this list with a reply-to address that the recipient mail server bounces as undeliverable, then later progress to posting here with the reply-to address set to something the receiving system considers a 'spamtrap'.

But indeed it has happened. You know who you are, please stop it. If this nonsense continues, I will post *all* the data.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
named dhcpd network problems after update
Heya misc:

Base dhcpd and named are failing to start after an update. I'm really confused at this point. Other daemons are working fine and I can't see anything else 'wrong' with the system. Any thoughts at all would be greatly appreciated.

This was a 4.2-release system. I followed the standard process (build kernel, reboot, build userland). I've done it twice now figuring I screwed something up (which I still believe).

I updated my source tree with:

cvs -d$CVSROOT update -rOPENBSD_4_2 -Pd src
cvs -d$CVSROOT update -rOPENBSD_4_2 -Pd ports

Here is a snippet of /var/log/messages during bootup:

Feb 27 15:54:49 vash named[21321]: starting BIND 9.3.4
Feb 27 15:54:50 vash named[21321]: /usr/src/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c:107: INSIST(ifa != 0L) failed
Feb 27 15:54:50 vash named[21321]: exiting (due to assertion failure)
Feb 27 15:54:51 vash savecore: no core dump
Feb 27 15:54:52 vash dhcpd: Can't listen on bge0 - it has no IP address.
Feb 27 15:54:52 vash dhcpd: No interfaces to listen on.
Feb 27 15:54:52 vash dhcpd: exiting.
Feb 27 15:54:54 vash squid[3353]: Squid Parent: child process 19826 started

Trying to start named and dhcpd manually we get:

root:/root/scripts:8# named -f -g -d7
Starting privilege seperation
27-Feb-2008 16:32:47.378 starting BIND 9.3.4 -f -g -d7
27-Feb-2008 16:32:47.381 loading configuration from '/etc/named.conf'
27-Feb-2008 16:32:47.397 set maximum stack size to 33554432: success
27-Feb-2008 16:32:47.397 set maximum data size to 1073741824: success
27-Feb-2008 16:32:47.397 set maximum core size to 9223372036854775807: success
27-Feb-2008 16:32:47.397 set maximum open files to 1024: success
27-Feb-2008 16:32:47.397 /usr/src/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c:107: INSIST(ifa != 0L) failed
27-Feb-2008 16:32:47.397 exiting (due to assertion failure)
root:/root/scripts:9# dhcpd -d -f
No interfaces to listen on.
exiting.
root:/root/scripts:10#

Random pieces of possibly useful output follow

root:/root/scripts:7# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33168
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:e4:26:dd:30
        description: Internal to my cube
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.24.5 netmask 0xff00 broadcast 192.168.24.255
        inet6 fe80::20a:e4ff:fe26:dd30%bge0 prefixlen 64 scopeid 0x1
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:0a:60:0d:82
        description: Lans Scare Me
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.100.7.38 netmask 0xff00 broadcast 10.100.7.255
        inet6 fe80::211:aff:fe60:d82%em0 prefixlen 64 scopeid 0x2
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:0a:60:0d:83
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33168
        groups: pflog

root:/root/scripts:3# uname -a
OpenBSD vash.copart.com 4.2 GENERIC#2 amd64

root:/root/scripts:5# cat /var/run/dmesg.boot
OpenBSD 4.2-stable (GENERIC) #2: Wed Feb 27 14:31:04 PST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1609551872 (1534MB)
avail mem = 1549684736 (1477MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.33 @ 0xefeb0 (37 entries)
bios0: vendor Sun Microsystems version R01-B5 S1 date 09/29/2006
bios0: Sun Microsystems W1100z/2100z
acpi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Opteron(tm) Processor 144, 1795.14 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD errata 86, 89, 97, 104 present, BIOS upgrade may be required
pci0 at mainbus0 bus 0: configuration mode 1
ppb0 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07
pci1 at ppb0 bus 1
ohci0 at pci1 dev 0 function 0 AMD 8111 USB rev 0x0b: irq 11, version 1.0, legacy support
ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: irq 11, version 1.0, legacy support
ohci2 at pci1 dev 3 function 0 NEC USB rev 0x43: irq 10, version 1.0, legacy support
ohci3 at pci1 dev 3 function 1 NEC USB rev 0x43: irq 11, version 1.0, legacy support
ehci0 at pci1 dev 3 function 2 NEC USB rev 0x04: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: NEC EHCI root hub, rev 2.00/1.00, addr 1
TI TSB43AB22 FireWire rev 0x00 at pci1 dev 4 function 0 not configured
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: AMD OHCI
Re: ipsecctl and isakmpd
Dear list,

I have a firewall and an ipsec.conf with 42 ike esp connections:

ike esp from 192.168.100.0/24 to 192.168.129.0/24 peer my.firewall \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk mekmitasdigoat tag yet.another.connection

isakmpd is started with -K -T. I am talking to lots of Watchguard Fireboxes by the way. All connections are established and traffic flows over enc0, all seems good.

However, when I try to reload ipsec.conf due to a rule change, either isakmpd dies with nothing in the logs whatsoever and/or my /var/log/daemon is filling up with messages like these:

Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN

I would like to be using something other than shared keys but the Watchguard boxes only support fancy things like that through a Watchguard System Manager which I'd like to avoid. So for the moment I am stuck with preshared keys.

If I do ipsecctl -F and do a kill and restart of isakmpd the connections seem to be established successfully again.

Am I missing something obvious in reloading/adding connections to ipsec.conf? Is a simple ipsecctl -f /etc/ipsec.conf sufficient when adding a rule or do I need to give isakmpd a SIGHUP?

Thanks in advance,

--
Michiel van der Kraats
Backup Service / BackupStore

I'm sure wiser minds than me may prove me wrong, but I have a similar situation with some Cisco and Linksys devices - OpenBSD. I think the Watchguard devices are quite happily waiting for their key lifetime to expire before re-negotiating with your isakmpd. By reloading isakmpd you are forcing expiry and re-negotiation.

Do you lose all SAs when you change rules, or just to devices affected by your rule change?

I've had better luck with other devices by using ike passive, but that's probably unrelated.

Cheers
Re: Serial console questions on i386 and amd64
Nick Holland wrote:

Don Jackson wrote:

I use serial consoles on all my OpenBSD servers for remote serial access to the machines, both during initial install via pxeboot, and later on in regular use after the install. I'm currently running either 4.2 or 4.1 on all my machines.

The FAQ states:

Only the first serial port (com0) is supported for console on amd64 and i386
http://www.openbsd.org/faq/faq7.html#SerCon

Why is this the case?

because that's the way the code was written...

Why does OpenBSD care which serial port I use?

because that's the way the code was written...

Will it simply not work if I specify set tty com1 in /etc/boot.conf ?

I certainly wouldn't plan on it working. Feel free to try. Don't whine if things work as advertised.

Well, I've been informed that at least for -current (and I'm pretty sure that means for -recent :) it DOES (at least sometimes) work. I just tried it on one of my machines with -current, it Just Worked. (and on -current, it works Just Cool. Set it up with com1, not only does it install on com1, it sets the config files up for com1)

So, I'm happy to report that I and the FAQ are at least partly, and very possibly completely wrong on this. I'm pretty sure this was true at one point, obviously that limitation was removed, and tom@ is probably going to pull up a list of 20 test cases I ran for him, but I don't remember that.

FAQ will be fixed once I make sure deleting the warning is 100% appropriate.

Nick.
OpenBSD Strange Problem
Hello all respected network administrators,

I have set up an OpenBSD gateway but the wireless connection (gateway) is not detected by the client, but before this it was ok. Could see it in Windows but now cannot. I don't know what is wrong with it. I am sure my configuration is ok because I didn't edit it.

Another problem now is when booting up to the "starting network" step, previously I did not need to enter ctrl + C to proceed to the DHCP request for rl0 but now I need that. I also don't know what is wrong.

Third problem is from OpenBSD I cannot ping the LAN client IP but the client can ping OpenBSD. I tried route add 176.16.10.11 (destination) 176.16.10.1 (gateway); it returns "File exists". If this route exists, then there should be no problem, but how come I cannot ping from OpenBSD to the client?

My version of OpenBSD is 4.1.

I hope you can help me out, because my hair has dropped until no more hair. If you all need extra information or configuration, please let me know.

A billion thanks for your help

--
Linux
Re: OpenBSD Strange Problem
On Wed, Feb 27, 2008 at 9:51 PM, Wong Peter [EMAIL PROTECTED] wrote:

Sounds like something with your pf.conf. Try allowing everything in/out just to test and be sure pf is enabled...
Re: named dhcpd network problems after update
On Wed, Feb 27, 2008 at 7:38 PM, xSAPPYx [EMAIL PROTECTED] wrote:
Re: Power fluctuation and hard disk crashes
Girish Venkatachalam wrote:

wd0 lost interrupt. fsbn blah blah blah 234023409-234234.. You get it? The SMPS in the PC is not able to provide the power that these higher-capacity disks' stepper motors demand. It never occurred to me so far that disk failures were a natural consequence of my little power games, if one can call it that.

I am not an authority on the subject at all but... A non-tech solution might be to buy a cheap notebook and use that as your workstation and/or backup device. If power fails or drops, the battery will automatically take over and you should not experience any disk problems.

Matt
Re: IPSec tunnel problem
Jeff Quast wrote:

You need to declare a bypass flow on the side of the network where the router, presumably on 192.168.0.0/24, requires communication to the local network segment also on 192.168.0.0/24. It is probably trying to send this across the tunneled wire, which won't reach its destination. Create a bypass for flows from 192.168 to 192.168, like so:

flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass

That's it! Thanks.

--
Alexey Vatchenko
http://www.bsdua.org
Re: bgp routing question
I now have a session. I turned on update logging on bgpd but the routes do not get inserted. Any ideas?

AS41412: update 123.123.123.0/24 via xxx..xx. (the router where the network is, yes pingable)

Erich wrote:

Claudio Jeker wrote:

On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich wrote:

Hi, is there a way to announce the same AS at different locations? Let's say 123.123.123.0/23 is mine and I want to have 123.123.123.0/24 @location1 and 23.123.124.0/24 @location2. Right now I have the problem that bgpd seems to drop the routes to each other, meaning the networks are reachable from everywhere, so it seems to work, but they cannot reach each other..

You need an iBGP session between the two routers. This is the only way the two routers will accept the routes/AS paths of the other one. For eBGP sessions loop-free AS paths are enforced.

Ah ok, thx so far :) And it shouldn't be an issue if those iBGP sessions are going over several hops?

erich
