Last National Presentation: Warehouse and Inventory Control, September 20, Mexico City

2010-09-07 Thread Lic. Monica Armenta
Special promotions to bring all your staff up to date!

For more information, reply to this e-mail with the following
details.
Company:
Name:
Telephone:
Email:
Number of people interested:
We will shortly send you the complete information about the event.
Or call us on our telephone numbers; an executive will gladly
assist you.
Tels. (33) 8851-2365, (33)8851-2741.

Copyright (C) 2010, PMS Capacitación Efectiva de México S.C. All rights
reserved. PMS de México and the PMS de México logo are registered
trademarks. WARNING: PMS de México has no strategic alliances of any
kind within the Mexican Republic. DO NOT BE FOOLED - SAY NO TO PIRACY.
All logos, trademarks and images are the property of their respective
corporations and are used for informational purposes only.

This message has been sent to misc@openbsd.org as a user of PMS de
México, or because a user referred you to receive this newsletter.
As a user of PMS de México, you hereby expressly authorize PMS de México
to contact you via e-mail or other means.
If you have received this message in error, disregard it and report your
account by replying to this e-mail with the subject BAJAALMACENES

Unsubscribe to this mailing list, reply a blank message with the subject
UNSUBSCRIBE BAJAALMACENES
Please note that the management of our databases is of the utmost
importance and it is not the company's intention to cause the recipient
any dissatisfaction.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 3 almacenes e inventarios.jpg]



Re: dmesg bug

2010-09-07 Thread rhsv6
cat /var/run/dmesg.boot

> A friend of mine has old Asus A3F and I have found a very interesting
> bug in dmesg. When I type dmesg I don't get regular dmesg output. It
> starts in the middle of regular dmesg output and then it prints it 2
> more times.



Re: Activating ip6.forwarding and accept_rtadv at the same time

2010-09-07 Thread Martin Pelikán
2010/9/6, Claudio Jeker cje...@diehard.n-r-g.com:
> Only if you plan to use NAT in the near future. /64 is like a /32 in IP.
> Not enough in most cases.

Why? You can always use DHCPv6 and split the rank further... I haven't
much studied the protocol itself, but in practice the only system that
has trouble with it is Linux due to insufficient kernel-userland
interaction - passing of autonomous flag in RA to dhcp6 client. That
is obviously a design fault and is only a matter of time before it
gets straight (whichever way they choose).

> A per interface rtadv switch was actually planned. Having it global is
> stupid. The problem is that in the ivory tower end user systems only have
> one interface and only routers have more then one interface. The reality
> is a bit different.

How would it look like? New ifconfig parameter?

> NAT is a much simpler concept than IPv6.

I have to agree with that. But in long term, many companies need
better solution than multiple NATs and NAT to multiple addresses under
heavy load. So why not rewrite it from scratch (and hope not to make
the same mistakes again)...

Any particular feature that shows the unnecessary complexity? (no
flame, if you want to continue to discuss, I'd be glad off list)
-- 
Martin Pelikan



Re: Bridge Monitoring

2010-09-07 Thread Kenneth R Westerback
On Mon, Sep 06, 2010 at 09:26:09PM -0700, James Peltier wrote:
> Hi All,
>
> Now that I have my new bridge in place and happily filtering away I would like
> to look at monitoring and graphing it.  I'd like to setup a monitor port style
> so that I can send the traffic over to another box for processing.
>
> I was thinking of installing symon on the bridge itself and sending it over to
> another box.  Additionally, I was looking at setting up a pflow device and
> sending it to another box and analyze using something like netflow dashboard.
>
> We currently use a Cisco sending data to a GNU/Linux box running MRTG.  We use
> arpwatch, IP Audit and other tools.
>
> Any ideas what might be best to use in this case?  What are others using to
> monitor their network firewalls, bridges or networks in general?
>
> ---
> James A. Peltier james_a_pelt...@yahoo.ca

pfstat and nfsen.

 Ken



Re: Bridge Monitoring

2010-09-07 Thread Jason Dixon
On Mon, Sep 06, 2010 at 09:26:09PM -0700, James Peltier wrote:
> Hi All,
>
> Now that I have my new bridge in place and happily filtering away I would like
> to look at monitoring and graphing it.  I'd like to setup a monitor port style
> so that I can send the traffic over to another box for processing.
>
> I was thinking of installing symon on the bridge itself and sending it over to
> another box.  Additionally, I was looking at setting up a pflow device and
> sending it to another box and analyze using something like netflow dashboard.
>
> We currently use a Cisco sending data to a GNU/Linux box running MRTG.  We use
> arpwatch, IP Audit and other tools.
>
> Any ideas what might be best to use in this case?  What are others using to
> monitor their network firewalls, bridges or networks in general?

Off the top of my head (probably forgetting a lot):

munin, symon, cacti, reconnoiter, nfsen, netflow dashboard

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Account Locked!

2010-09-07 Thread PIRAEUS BANK
Your user is locked

We noticed that you experienced problems logging in to winbank.

After three unsuccessful attempts to access your account, your i-bank
user has been locked.

This was done to secure your accounts and to protect your private
information.

Please log in to i-bank and follow the steps to restore the user's
access

Internet Banking login:
https://www.winbank.gr/EL/Pages/default.aspx

Winbank,
www.winbank.gr



El Patio magazine and news

2010-09-07 Thread boletin
Editorial Pila Teleña

Dear Physical Education colleague,
===

Allow me a few minutes to introduce a textbook for your
students.

Fundamentos Teóricos de la Educación Física (Theoretical Foundations of Physical Education)
Here is a sample, the table of contents:

Block 1: physical fitness
1. Physical activity
2. The warm-up
3. Stretching
4. Physical fitness and basic physical capacities
5. Strength
6. Endurance
7. Speed
8. Flexibility

Block 2: specific skills
9. Motor qualities: coordinated movement
10. Balance
11. Coordination

Block 3: Physical Education and health
12. The human body: anatomical and physiological foundations
13. Body posture
14. Nutrition and training
15. Relaxation
16. First aid
17. Planning a training programme

Block 4
18. Physical Education in history
19. Physical Education and sport
20. The Olympic movement

This book covers exactly what its name indicates: the fundamentals of
our subject. What every person who has completed Compulsory Secondary
Education (ESO) should know throughout their adult life.
It is a single book for all of ESO and the Bachillerato. You use it as a
reading and writing tool whenever it suits your course
plan.
A reference book on physical activity and motor skills.

An excellent book for anyone
interested in sport.

A magnificent work for those who want to know and
understand the whys of physical activity and the close relationship of
Physical Education with values and sport.

It is written in a pedagogical, clear and easy-to-understand way.

If you want to know more, click here

P.S. Editorial Pila Teleña is a small publisher. If you buy it
and do not like it, we undertake to refund your money, but please
do not ask us for free samples, because we simply cannot compete
with the big brands in the sector. We look forward to hearing from you! at www.pilatelena.com
Mob. 609 25 20 82
pilatel...@pilatelena.com

If you do not want to receive more information, write to
bajas.bole...@pilatelena.com



Re: Checking Routes/Gateways For Good Connection

2010-09-07 Thread dontek
On Aug 30, 2010 at 3:36 PM, Henning Brauer wrote:


> why don't you look at the real interfaces instead of speculating.
>
> pflog is a bit messy, but that's another story hopefully solved soon.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting


I took your advice and ran a log on both external interfaces in addition to
pflog0.  What I found was that there was no problem with my pass rules.  I
failed to realize that the match rules for the NAT were affecting the packet
prior to the pass rules (duh) and after translation I wasn't seeing the
output in the log because I was logging for only the addresses of the
internal interfaces.

What I found _IS_ the problem is that my match rules for NAT are failing to
match every time.  They are as follows:

match out on $ext_if_1 from (vether0) nat-to ($ext_if_1)
match out on $ext_if_2 from (vether1) nat-to ($ext_if_2)

What I'm seeing by logging the two external interfaces is the result of:

$ traceroute -s 172.16.0.1 -n google.com

(172.16.0.1 is the IP for vether0)

...sometimes gets matched by the nat-to rule, which correctly shows up in
tcpdump on the external interface with the source being the external
interface's IP address.  The result of this command of course gets the
expected traceroute replies.

The problem is, when running the exact same command over and over, is that
half the time I'm seeing the traceroute requests going out on the external
interface with the source being 172.16.0.1.  This of course gets no replies
because the NAT isn't happening.

Any clues as to why my match rules work only half the time?
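
The symptom described in the message above, packets leaving the external interface with an untranslated RFC 1918 source, can be checked for mechanically. The following is an added example, not part of the original post: it reads `tcpdump -n` text captured on the external interface and counts packets per private source address. The function names are hypothetical and the capture lines in `sample_capture` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): spot packets that were seen on the
# external interface with a source address that is still RFC 1918, i.e. that
# were not rewritten by nat-to.
# Input : text output of `tcpdump -n -i <ext_if>` on stdin.
# Output: one "address count" line per private source address, sorted.

find_nat_leaks() {
    awk '
    {
        # The source is the field right before ">", e.g. 172.16.0.1.40002
        src = ""
        for (i = 2; i <= NF; i++)
            if ($i == ">") { src = $(i - 1); break }
        if (src == "") next                      # ARP and other lines without ">"

        n = split(src, o, ".")
        if (n < 4) next                          # not an IPv4 address
        ip = o[1] "." o[2] "." o[3] "." o[4]     # drop a trailing .port

        # 10/8, 172.16/12 and 192.168/16
        if (o[1] == 10 ||
            (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
            (o[1] == 192 && o[2] == 168))
            leak[ip]++
    }
    END { for (ip in leak) print ip, leak[ip] }
    ' | sort
}

# Constructed sample capture. 198.51.100.7 stands in for the external
# interface address; 172.16.0.1 is the vether0 address from the message.
# 172.32.0.5 is outside 172.16/12 and must not be reported.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 198.51.100.7.40001 > 203.0.113.9.33435: udp 12
12:00:01.050001 203.0.113.1 > 198.51.100.7: icmp: time exceeded in-transit
12:00:02.000001 172.16.0.1.40002 > 203.0.113.9.33435: udp 12
12:00:03.000001 198.51.100.7.40003 > 203.0.113.9.33436: udp 12
12:00:04.000001 172.16.0.1.40004 > 203.0.113.9.33436: udp 12
12:00:05.000001 172.32.0.5.40005 > 203.0.113.9.53: udp 30
12:00:06.000001 arp who-has 198.51.100.1 tell 198.51.100.7
EOF
}

# Run on the constructed sample with:  sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    sample_capture | find_nat_leaks
fi
```

On a live system the input would come from a capture on the external interface piped into `find_nat_leaks`; any output means traffic left without translation.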



Carp trying to send packet on wrong domain

2010-09-07 Thread Stefano

Dear list,
I found it impossible to have a carp interface in an rdomain environment on
both the stable and current distributions.


Inserting this configuration:
ifconfig em0 up
ifconfig vlan101 172.26.196.2 netmask 255.255.255.248 vlan 101 vlandev em0 rdomain 101
ifconfig carp101 vhid 1 pass testpw carpdev vlan101 rdomain 101 172.26.196.6 netmask 255.255.255.248


produces these system messages:
carp101: trying to send packet on wrong domain. 101 vs. 0, AF 2
carp101: trying to send packet on wrong domain. 101 vs. 0, AF 2
carp101: trying to send packet on wrong domain. 101 vs. 0, AF 2
and the carp does not work.

Obviously, removing the rdomain option from the carp ifconfig, it works
but the system installs the route in the default domain and this is
unwelcome.


Thank you in advance,
Stefano



Re: Distribute bandwidth by IP's

2010-09-07 Thread Hermes Ojeda Ruiz

On 07/09/10 13:21, roberth wrote:
> On Tue, 07 Sep 2010 13:15:03 -0500
> Hermes Ojeda Ruiz hermes@gmail.com wrote:
>
> > Hi, Maybe this is a basic question, but I've read the man pages and
> > the PF book and I don't know how solve this problem.
> >
> > - I have an E1 and the problem is how to distribute the bandwidth
> > equally on all the ip's. There are some constraints like use DHCP,
> > and no block ports. The company provide full access internet to the
> > clients, and the only limit to the client is the bandwidth, that one
> > client don't consume all the bandwidth, and all have a good service.
> >
> > I have some simple firewalls with prioritization, but I don't know
> > how should do that. May be with CBQ but they are a lot of rules.
> >
> > I found this: http://marc.info/?l=openbsd-pf&m=111772724522153&w=2
> >
> > Can I do that with PF?  Need another tool?
> >
> > Sorry, my english is a really bad thing.
> >
> > Thanks in advance with your support.
>
> Start here:
> http://www.openbsd.org/faq/pf/queueing.html

Yes, I have read it.
Maybe with CBQ I can do that, but there are ~150 ip's

Thanks for your fast reply.



Re: Distribute bandwidth by IP's

2010-09-07 Thread Hermes Ojeda Ruiz

Sorry if my explanation doesn't have enough details.

- The internet connection is an E1
- There are ~150 users (IPs)
- The company gives full internet access to the clients, with no service
restriction.

- There is only a class C LAN.

E1 --- OpenBSD Firewall --- LAN with ~150 IPs

The problem is to distribute equally the bandwidth to the users.  My
first approach is a CBQ rule by user giving a minimum bandwidth quota
and using the borrow option, to use the remaining bandwidth when some
users don't waste the bandwidth. But the number of rules is so big.


I hope that my explanation can be useful.

On 07/09/10 13:43, Johan Beisser wrote:
> On Tue, Sep 7, 2010 at 11:15 AM, Hermes Ojeda Ruiz hermes@gmail.com wrote:
> > Hi, Maybe this is a basic question, but I've read the man pages and the PF
> > book and I don't know how solve this problem.
> >
> > - I have an E1 and the problem is how to distribute the bandwidth equally on
> > all the ip's. There are some constraints like use DHCP, and no block ports.
>
> What exactly are you trying to accomplish. Please explain a little
> more, in detail.
>
> > I have some simple firewalls with prioritization, but I don't know how
> > should do that. May be with CBQ but they are a lot of rules.
>
> If you're trying to set up a fair service, remember that PF simply
> processes the packets as they come in. So turn off queues, or define
> what you're trying to accomplish first.
>
> If you're trying to ensure some kinds of traffic can always leave
> fairly take a look at using HFSC queuing, then define the queues
> based on ports and use packet tagging to define what matches each
> queue.
>
> http://cvs.openbsd.org/faq/pf/tagging.html
>
> jb




Re: Distribute bandwidth by IP's

2010-09-07 Thread Hermes Ojeda Ruiz
:) ok, that was my last option. I was looking for a more elegant solution,
maybe using tables or something like that. But if there is no choice,
I'll do that.


Thanks for your reply

On 07/09/10 13:56, roberth wrote:
> your config




Re: Distribute bandwidth by IP's

2010-09-07 Thread James Peltier
----- Original Message ----
> From: Hermes Ojeda Ruiz hermes@gmail.com
> To: misc@openbsd.org
> Sent: Tue, September 7, 2010 12:09:03 PM
> Subject: Re: Distribute bandwidth by IP's
>
> Sorry if my explanation doesn't have enough details.
>
> - The internet connection is an E1
> - There are ~150 users (IPs)
> - The company gives full internet access to the clients, with no service
> restriction.
> - There is only a class C LAN.
>
> E1 --- OpenBSD Firewall --- LAN with ~150 IPs
>
> The problem is to distribute equally the bandwidth to the users.  My
> first approach is a CBQ rule by user giving a minimum bandwidth quota
> and using the borrow option, to use the remaining bandwidth when some
> users don't waste the bandwidth. But the number of rules is so big.
>
> I hope that my explanation can be useful.
 

Why are you trying to do this?  It seems overly complex to setup a queue for
each IP on the network just to allow them to borrow bandwidth from each other
which they would be doing anyway.

It would seem more manageable to either segment the network (DMZ, IT Staff,
Users) such that you can assign a segment to respective queues or in a different
method to queue based on traffic type (http/ftp/ssh,etc).  Filtering rules would
also be incredibly more simplified.

 ---
James A. Peltier james_a_pelt...@yahoo.ca



Re: Distribute bandwidth by IP's

2010-09-07 Thread roberth
On Tue, 07 Sep 2010 13:34:45 -0500
Hermes Ojeda Ruiz hermes@gmail.com wrote:

> Yes, I have read it.
> May be with CBQ I can do that, but there are ~150 ip's
>
> Thanks for your fast reply.
 

(...)

So just put ~150 (*2 for both directions) child queues in your config.
Seems tedious, but that's the way it works atm.
Only shortcut i am aware of is to use a script to generate those lines
instead of copy/paste/edit. ;)
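
The script roberth suggests could look like the following. It is an added example, not code from the thread: the function name, the interface names `em0`/`em1`, the `192.168.1.x` addresses, the 98Kb default share and the rule layout (one queue name attached to both interfaces and assigned by a `pass in` rule on the internal interface) are assumptions, written in the ALTQ syntax of the pf FAQ linked above.

```shell
#!/bin/sh
# Added example (not from the thread): generate ALTQ/CBQ pf.conf lines that
# give every client IP a small guaranteed share of the link and let it borrow
# whatever the others leave unused.
#
# gen_cbq_rules EXT_IF INT_IF LINK_KB DEFAULT_KB NET_PREFIX FIRST LAST
#   EXT_IF, INT_IF  interfaces to shape (upload leaves EXT_IF, download INT_IF)
#   LINK_KB         link speed in Kbit/s (an E1 is 2048)
#   DEFAULT_KB      share kept for the mandatory default queue
#   NET_PREFIX      first three octets of the LAN, e.g. 192.168.1
#   FIRST, LAST     first and last host octet of the client range
gen_cbq_rules() {
    ext_if=$1 int_if=$2 link_kb=$3 default_kb=$4 prefix=$5 first=$6 last=$7

    if [ "$#" -ne 7 ] || [ "$first" -gt "$last" ]; then
        echo "usage: gen_cbq_rules EXT_IF INT_IF LINK_KB DEFAULT_KB NET_PREFIX FIRST LAST" >&2
        return 2
    fi

    hosts=$((last - first + 1))
    # Child bandwidths must not add up to more than the parent, so round down.
    per_kb=$(( (link_kb - default_kb) / hosts ))
    if [ "$per_kb" -lt 1 ]; then
        echo "link too small to guarantee a share to $hosts hosts" >&2
        return 1
    fi

    # Child queue list shared by both altq declarations.
    children="q_def"
    i=$first
    while [ "$i" -le "$last" ]; do
        children="$children, q_$i"
        i=$((i + 1))
    done

    for ifname in "$ext_if" "$int_if"; do
        printf 'altq on %s cbq bandwidth %sKb queue { %s }\n' \
            "$ifname" "$link_kb" "$children"
    done

    # A queue defined without "on <interface>" applies to every interface
    # whose altq line lists it, so one definition covers both directions.
    printf 'queue q_def bandwidth %sKb cbq(default)\n' "$default_kb"
    i=$first
    while [ "$i" -le "$last" ]; do
        printf 'queue q_%s bandwidth %sKb cbq(borrow)\n' "$i" "$per_kb"
        i=$((i + 1))
    done

    # Classify on the internal interface, where the client address is still
    # visible; the state then carries the queue for traffic in both directions.
    i=$first
    while [ "$i" -le "$last" ]; do
        printf 'pass in on %s from %s.%s queue q_%s\n' "$int_if" "$prefix" "$i" "$i"
        i=$((i + 1))
    done
}

# Example: sh thisfile em0 em1 2048 98 192.168.1 10 159 > queues.conf
if [ "$#" -gt 0 ]; then
    gen_cbq_rules "$@"
fi
```

Parse the generated file with `pfctl -nf` before loading it, and merge the `pass` lines into the existing ruleset rather than appending them blindly.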



Re: Distribute bandwidth by IP's

2010-09-07 Thread Hermes Ojeda Ruiz
Yes, it's a little complex, but it is a requirement to guarantee a little
bandwidth to the user (and of course use the remaining unused bandwidth).


Is there another way?

Thanks for the reply

On 07/09/10 15:14, James Peltier wrote:

> Why are you trying to do this?  It seems overly complex to setup a queue for
> each IP on the network just to allow them to borrow bandwidth from each other
> which they would be doing anyway.
>
> It would seem more manageable to either segment the network (DMZ, IT Staff,
> Users) such that you can assign a segment to respective queues or in a different
> method to queue based on traffic type (http/ftp/ssh,etc).  Filtering rules would
> also be incredibly more simplified.
>
> ---
> James A. Peltier james_a_pelt...@yahoo.ca




Re: Activating ip6.forwarding and accept_rtadv at the same time

2010-09-07 Thread Claudio Jeker
On Tue, Sep 07, 2010 at 10:23:19AM +0200, Martin Pelikan wrote:
> 2010/9/6, Claudio Jeker cje...@diehard.n-r-g.com:
> > Only if you plan to use NAT in the near future. /64 is like a /32 in IP.
> > Not enough in most cases.
>
> Why? You can always use DHCPv6 and split the rank further... I haven't
> much studied the protocol itself, but in practice the only system that
> has trouble with it is Linux due to insufficient kernel-userland
> interaction - passing of autonomous flag in RA to dhcp6 client. That
> is obviously a design fault and is only a matter of time before it
> gets straight (whichever way they choose).

As soon as you split a /64 into something smaller you left IPv6 land and
entered something that looks like IPv6 but isn't. Sure it is possible but
by doing it you make every IPv6 disciple scream in agony (which is
probably a good thing anyway).

Sure a /64 is a bit more than a /32 since a /64 represents one single LAN
compared to a single address but in the end it is far less than 2^64 IPs.

> > A per interface rtadv switch was actually planned. Having it global is
> > stupid. The problem is that in the ivory tower end user systems only have
> > one interface and only routers have more then one interface. The reality
> > is a bit different.
>
> How would it look like? New ifconfig parameter?

That was the plan.

> > NAT is a much simpler concept than IPv6.
>
> I have to agree with that. But in long term, many companies need
> better solution than multiple NATs and NAT to multiple addresses under
> heavy load. So why not rewrite it from scratch (and hope not to make
> the same mistakes again)...

In some cases companies could run without the double and triple NAT but
they don't want it. It is a requirement for them. Reality is different than
the IPv6 theory and this is slowly recognized.

> Any particular feature that shows the unnecessary complexity? (no
> flame, if you want to continue to discuss, I'd be glad off list)

I think the number 1 question I have about IPv6 is:
What is wrong with arp?
and maybe as an alternation
Why rely so massively on multicast instead of a simple LAN broadcast?

These two things are partially responsible for the failure of IPv6.
There is more political nonsense but on the technical side it is the thing
that makes IPv6 so stupidly complex.

-- 
:wq Claudio



Re: Activating ip6.forwarding and accept_rtadv at the same time

2010-09-07 Thread Theo de Raadt
> I think the number 1 question I have about IPv6 is:
> What is wrong with arp?

Nothing is wrong with arp.

As a result of avoiding arp, IPv6 is a duck sitting in a tailing
pond.  It isn't dead yet.



Re: Distribute bandwidth by IP's

2010-09-07 Thread James Peltier
----- Original Message ----
> From: Hermes Ojeda Ruiz hermes@gmail.com
> To: misc@openbsd.org
> Sent: Tue, September 7, 2010 1:38:41 PM
> Subject: Re: Distribute bandwidth by IP's
>
> Yes, it's a little complex, but it is a requirement to guarantee a little
> bandwidth to the user (and of course use the remaining unused bandwidth).
>
> Is there another way?
>
> Thanks for the reply


Well since you're talking service level agreements it is understandable that you
might want to do such a thing and in such case you would have no choice but to
create the individual queues/rules manually or by script.

Still, likely you will run into other issues, such as the number of queues
available by default in the code that may need to be tweaked.  See a post
earlier this month to misc@ about how to do that.

Also, perhaps there will be a performance hit in the evaluation of all the
queues that might be more hindering than helpful?  Best to let the devs speak to
that though.

---
James A. Peltier james_a_pelt...@yahoo.ca



NT360 Virtual Tour

2010-09-07 Thread NT360
NT360 VIRTUAL TOUR
===

We recommend NT360 VIRTUAL TOUR to you as an inexpensive, effortless and
high-quality promotion method that will make your promotions stand out
and put you one step ahead of your competitors.

For promotions of your outdoor or indoor venues, you only need to pay
150 TL for the first point, and just 50 TL for shots taken from each
subsequent point.

Under current economic conditions, you should definitely consider such
an inexpensive and useful promotion.

You can find sample applications here.



Note:

  * Shooting fees outside Istanbul may vary depending on the distance
of the provinces concerned.

  * Prices do not include VAT.

NT360
Tel : 0532 786 03 45
www.nt-360.com



opensmtpd crashing intermittently

2010-09-07 Thread Sacha El Masry
Gilles (or anybody),

I've been using smtpd since 4.6-RELEASE, for one domain-several email
addresses, plus one constantly receiving mailing list emails (including
misc@). It's been great.

Problem is, I've just set up smtpd on 4.7-RELEASE, using a very simple
ruleset, with the aim of using this as an outgoing only smtp server, for
an in-house weekly newsletter, going out to 3000+ recipients. The
server crashes intermittently. With smtpd started with the -dvf
arguments, I can see where it breaks:

...
lookup_a mx2.mail.eu.yahoo.com:0
fatal: dns: fork: Resource temporarily unavailable
lookup_ptr success
mta: getting datafd
lost child: lookup agent exited abnormally
queue handler exiting
mail filter exiting
mail delivery agent exiting
control process exiting
mail transfer agent exiting
smtp server exiting
runner handler exiting
parent terminating
lookup_a success
loolookup_ptr success
kup_a mx1.mail.eu.yahoo.com:0
lookup_ptr success
lookup_a success
lookup_mx success
fatal: dns_dispatch_parent: msgbuf_write: Broken pipe
# (command prompt)
# lookup_ptr success
fatal: dns_dispatch_parent: msgbuf_write: Broken pipe


Obviously, the record being looked up constantly changes, but the crash
is always the same: msgbuf_write: Broken pipe.

Now, I realise, from reading this list, that smtpd is not meant to be
production-ready, but I'm happy to use it (so long as it works) and test
it, and send information back to the developers, where relevant.

Is this a bug that's been looked at and fixed since -RELEASE?

My ruleset:

ext_if= re0
listen on $ext_if
map aliases { source db /etc/mail/aliases.db }
accept for local alias aliases deliver to maildir
accept from all for all relay
accept for all relay


My dmesg follows:


Re: Distribute bandwidth by IP's

2010-09-07 Thread Jussi Peltola
On Tue, Sep 07, 2010 at 01:56:57PM -0700, James Peltier wrote:
> Also, perhaps there will be a performance hit in the evaluation of all the
> queues that might be more hindering than helpful?
 
With an E1?

Even if you lose a little bit of throughput (which I doubt, if you are
running hardware that you can do a regular install on), some kind of QoS
is a must on such an oversubscribed line. It will very likely be
completely unusable without it.

Jussi Peltola



Re: opensmtpd crashing intermittently

2010-09-07 Thread Chris Palmer
Sacha El Masry writes:

> fatal: dns: fork: Resource temporarily unavailable
> lost child: lookup agent exited abnormally
> fatal: dns_dispatch_parent: msgbuf_write: Broken pipe
> fatal: dns_dispatch_parent: msgbuf_write: Broken pipe

These messages make me wonder if you have a problem with RLIMIT_NPROC being
too low. Try giving the _smtpd user a higher limit? If you look at fork(2),
that and swap are really the only reasons fork should fail.

Just a guess, I don't really know.