Re: protect mailserver using spamd
Kevin Chadwick writes:

>> We didn't see any noticeable increase in
>> spam received or load on content filtering when going to two minutes
>> IIRC. YMMV, may contain nuts etc.
>
> Did you see an increase in legitimate mail getting through without
> whitelisting? Or any getting through sooner?

Judging from the few cases where I've actually been looking for a specific message from a new contact to get through, the time to clearing greylisting went down to the five minute range or thereabouts. The parameters we don't have any control over, such as the other side's retry frequency, remain a large part of the equation.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
International seminar April 2011 - Dr. Reynaldo PERRONE
Director: Dr. Horacio Serebrinsky - Academic Director: Dr. Marcelo R. Ceberio

The Escuela Sistémica Argentina is an institution that carries out training of systemic family therapists, research and psychological care. On this occasion we have the honour of presenting: International Seminar 2011: AGGRESSIVENESS, AGGRESSIONS, VIOLENCE AND PSYCHOPATHOLOGY, Dr. Reynaldo PERRONE.

Clinical observations made during hundreds of consultations have made it possible to establish that the capacity to defend oneself against threats and attacks from one's relational environment is decisive for a person's balance and mental health. A large part of therapies have to do with the suffering caused, in the people who consult, by the powerlessness experienced in the face of aggression from the individuals they live with, whether as a couple, in the family or at work. In a high percentage of cases the cause is these subjects' personal difficulty in making use of aggressiveness; bringing this shortcoming to light and, eventually, remedying it seems to be the most accurate path of treatment. In this seminar Dr. Perrone will develop the problem of aggressiveness and the dialectic of domination and submission, will explain certain psychopathological drifts of violence and will evoke some forms of suicide characteristic of this disorder. Naturally, the therapeutic lines and the associated techniques will be developed extensively.

SATURDAY 30 APRIL, FROM 09:00 TO 13:00 AND FROM 15:00 TO 19:00

* PRESENTATION PLAN: Aggressiveness, aggression and violence. Key notions. On aggressiveness: an innovative conceptualisation of the relationship between persons and groups. 3 forms of violence. Sequelae, evolution and psychopathology. The underworld of suicide: suicide as reprisal, as a manifestation of self-contempt and as a winning endpoint. The Angel syndrome. Therapy for the lack of aggressiveness. Exercises and techniques.

* OBJECTIVES: Conceptualise the function of aggressiveness. Establish a difference between aggressiveness, aggression and violence. Propose a reading of the interpersonal and intergroup relationship with respect to aggressiveness. Analyse the problem of violence, its evolution and the psychopathological sequelae. Discuss some forms of suicide specific to violence. Communicate a clinical syndrome. Explain the modalities of therapy for problems linked to the lack of aggressiveness.

(1) Summary Curriculum Vitae: Graduated from the Universidad Nacional del Litoral, Rosario, Argentina (1967). Psychiatrist, family and couples therapist. Assistant physician in psychiatric hospitals in Switzerland (1973-1977). Assistant physician and head of sector in child psychiatry at the Hospital Universitario St Jean Bonnefonds in St Etienne, France (1973-1984). Specialist consultant on problems of violence and sexual abuse at the School Health Service of Saint Etienne, France (1984-1991). Psychiatrist in the Emergency Department of the Hospital Eduard Herriot in Lyon, France (1991-1993). Consultant psychiatrist at the Sauvegarde de l'Enfance in Lyon, France (1994-2006). Associate Professor of Psychopathology at the Faculty of Psychology Pierre Mendès France in Grenoble, France (1992-1997). Founder and director (1984-1994) of the IFATC (Institute for Training in and Application of Communication Therapies), Lyon, France. Head of the same institute (1997-2008) and current Director of Studies of the IFATC.

Trainer in therapy techniques in hospitals and training centres in France, Europe and Latin America. Trainer and supervisor for various French regional councils: Alpes Maritimes, Loire, Loire Atlantique, Haute Loire, Rhône Alpes. Trainer and supervisor in France, Switzerland, Spain, Belgium, Canada, Argentina, Guadeloupe and Guyana in family therapy, couples therapy and brief therapy. Professor in the Master's in Therapy Techniques at the University of Salamanca, the University of the Basque Country in San Sebastián and the Universidad Complutense de Madrid, Spain. Lecturer at the School of Social Services of the University of St Joseph in Beirut, Lebanon. Trainer of social workers, psychologists, psychiatrists, educators, paediatricians and judges in training programmes on the prevention and treatment of violence and sexual abuse in the family. Author of numerous articles on violence, sexual abuse and defects in the internalisation of the law. Co-author of the book "Violence and Sexual Abuse in the Family", published in French (ESF, fifth edition) and in Spanish (Paidós, fifth edition). Author of numerous inductive therapy techniques. Therapist and trainer in brief therapy.

INFORMATION AND REGISTRATION: E.S.A.: Fray Justo S. M. de Oro 1843 (C1414DBC) Cap. Fed. Tel/Fax: 4774-2875/6112 4899-1053 Web: i...@escuelasistemica.com.ar / www.escuelasistemica.com.ar Sponsor
Re: Predictable network interface numbering
On Wed, Feb 2, 2011 at 9:00 AM, Jean H. Theoret wrote:
> How is it possible to control the network interface numbering assignment
> order?

The short answer is no.

previous discussion: http://marc.info/?t=12194157011&r=1&w=2

If you are concerned about this, I believe my previous suggestion still represents the state of the art (although you may need to make some adjustments for your environment): http://marc.info/?l=openbsd-misc&m=122609201024773&w=2
Re: nat static-port option
> Currently there are about 2^32.7 living humans; I expect to live long
> enough to see 2^33.3
> Imagine everyone having at least two devices. How many do you have?

There's a depression coming along. Many would be glad just to have a job and food. I don't use any such toys, and probably many will minimize such expenses. So I don't imagine any switch will occur real soon.

A question to a wireless ISP sysadmin: isn't it easy to use NAT with cellphone web traffic since they have a unique number?
Re: Predictable network interface numbering
On 02/02/11 08:59, Jean H. Theoret wrote:
> This one's got me stumped for a few days now...
>
> How is it possible to control the network interface numbering assignment
> order?

barely.

> Here's my specific case: the box has 2 on-board Ethernet interfaces and
> a 3rd one on a PCI-Express card. They come up as:
>
> re0: PCI-Express card
> re1: on-board interface #1
> re2: on-board interface #2
>
> A recent event had disabled the PCI card, and the remaining network
> interfaces ended up being reassigned (upon the next reboot, of course) as:
>
> re0: on-board interface #1
> re1: on-board interface #2
>
> Could this have been prevented by forcing network interface assignment
> to on-board interface _first_, then the PCI card?

Your problems would have changed. IN YOUR CASE, it may have changed from a problem you weren't ready for to one you were, but you didn't eliminate the problem.

> Or is there a way to
> bind network interface assignment to the adapter's MAC address as
> numbering hint?

Give it a chance and I think you will start to see where the OpenBSD system is a lot easier. Yes, when things change in the system, things change in your config, which can cause breakage. OpenBSD's device numbering system is somewhat simplistic, which means it has simple problems which are easy to fix. Having worked with similar problems (and their recovery) on other OSs...ick.

A much better solution to your original problem would be to have spare parts on hand enabling you to replace the failed re0, in which case you would have NOTHING to change, ANY screwdriver-literate tech could fix your system and bring it back up without any reconfiguration, and no sharing of an admin PW (or walking someone through vi over the phone).

Nick.
NSA-The MLM Documentary
While checking out NSA I stumbled over your email address online at http://www.mail-archive.com. Thought you would want to see this MLM Documentary. It is a two year documentary inside the MLM world: www.TheMLMJourney.com

Duke Kevorkian
813-786-8752
Refresher Workshop on Public Works Tendering and its Regulations, February 16 2011.
Special promotions for groups!

Training delivered by: Mtro. Gerardo Coronado López

Pms Capacitación Efectiva de México presents: Tendering Workshop for the Public Works LAW and its Regulations. Expert consultant Mtro. Gerardo Coronado López. Company registered with the STPS, Reg. COLG640205CP30005. Follow us on Twitter @pmscapacitacion or on Facebook PMS de México.

For further information reply to this e-mail with the following details: Company: Name: Telephone: Email: Number of interested persons: and we will shortly send you the complete information on the event. Or call our telephone numbers and an executive will gladly assist you, Tels. (33) 8851-2365, (33) 8851-2741.

Copyright (C) 2010, PMS Capacitación Efectiva de México S.C. All rights reserved. PMS de México and the PMS de México logo are registered trademarks. WARNING: PMS de México has no strategic alliances of any kind within the Mexican Republic. DO NOT BE FOOLED - SAY NO TO PIRACY. All logos, trademarks and images are the property of their respective corporations and are used for informational purposes only. This message has been sent to misc@openbsd.org as a user of Pms de México, or a user referred you to receive this bulletin. As a user of Pms de México, you hereby expressly authorise Pms de México to contact you by e-mail or other means. If you have received this message in error, disregard it and report your account by replying to this e-mail with the subject BAJAOBRA. Unsubscribe to this mailing list, reply a blank message with the subject UNSUBSCRIBE BAJAOBRA3. Please note that the management of our databases is of the utmost importance and it is not the company's intention to cause the recipient any displeasure.

[demime 1.01d removed an attachment of type image/jpeg which had a name of obras_publicas_feb.jpg]
Re: nat static-port option
2011/2/2 Bret S. Lambert :
> On Wed, Feb 02, 2011 at 10:23:43PM +0100, Martin Schröder wrote:
>> Yeah. And there'll never be more than 2^32 IP devices in the world.
>
> Inorite? I mean, if I can't get an IP for my toaster, I'm just gonna *die*!

Currently there are about 2^32.7 living humans; I expect to live long enough to see 2^33.3
Imagine everyone having at least two devices. How many do you have?

Best
   Martin
Re: nat static-port option
On Wed, Feb 02, 2011 at 10:23:43PM +0100, Martin Schröder wrote:
> 2011/2/2 Kevin Chadwick :
> > Also, If you look at the GeoIP lookup data you'll see great swathes were
> > allocated early on and seemingly never actually used.
>
> Yeah. And there'll never be more than 2^32 IP devices in the world.

Inorite? I mean, if I can't get an IP for my toaster, I'm just gonna *die*!

> Best
> Martin
Re: nat static-port option
You are probably on the right track. AFAIK, most Indian ISPs have city- or state-level blocks of IPs. Ultra-big cities like Mumbai, Delhi and Bangalore each have several blocks. So theoretically they could NAT the same IP in different cities or different blocks at the same time, and none the wiser.

> I read, the same ips are being used by ISPS in different parts of the
> world with a kind of global nat.
>
> Also, If you look at the GeoIP lookup data you'll see great swathes were
> allocated early on and seemingly never actually used.
Re: protect mailserver using spamd
On Wed, Feb 2, 2011 at 1:33 PM, Peter N. M. Hansteen wrote:
> the initial '451 temporary local problem' response). The other, more
> visible issue is when the sender retries from a different IP address,
> and it turns lottery-like in a hurry (sometimes referred to as the

See that? If everybody put their outgoing mail server pool behind NAT we wouldn't have this problem. :)
routing issue with carp
Hello list,

I have a setup with 2 firewalls (OpenBSD 4.7 MP) using carp for redundancy. All systems are using the IP number of the inside carp interface as default gateway. There is another router in that subnet that is used to reach another network, so I have a static route to that network on the firewall systems.

For example: clients are in network 10.1.1.0/24 and the carp interface IP is 10.1.1.3, and the other router in the network is 10.1.1.1. Both firewalls also have an IP number on the physical interface in that subnet; for example firewall1 has 10.1.1.7 and firewall2 has 10.1.1.8. The static route on the firewalls is 10.0.0.0/8 via 10.1.1.1.

Now the problem is that not all traffic goes very well to the 10.0.0.0/8 network: most of the traffic takes longer to complete, or connections are sometimes broken. The clients are using a terminal client to reach an AS400 system, and when they do some print jobs it takes 10 or 20 times longer to complete that print.

The weird thing about this is that when I set the client gateway to 10.1.1.7 (assuming that one is the master) there are no problems, also when I created a static route on the client for 10.0.0.0/8 via 10.1.1.1.

Anyone have a clue how to fix this without placing the other router in a different subnet or using static routes on the clients?

Many thanks,
Peter
Re: nat static-port option
2011/2/2 Kevin Chadwick :
> Also, If you look at the GeoIP lookup data you'll see great swathes were
> allocated early on and seemingly never actually used.

Yeah. And there'll never be more than 2^32 IP devices in the world.

Best
   Martin
Re: equivalent of Linux "mount -o bind"
On 3 February 2011 03:13, wrote:
> Update: I have it on fairly good authority that this behavior is
> considered a bug in the Linux kernel, which will be fixed as soon as
> someone gets around to it. If you are a kernel maintainer and know
> more about this issue, or are willing to fix it, I'd love to hear from
> you!

I'd suggest that
(a) an OpenBSD mailing list probably isn't the best place to talk about Linux kernel bugs or go looking for maintainers
(b) you patch your systems. Linux 2.4.9 is of a similar age to OpenBSD 3.0, says Google: released nine+ years ago. Linux 2.4.20 is a year or so newer than that
(c) you retest with a newer Linux kernel before reporting any bugs, once you have located the appropriate non-OpenBSD fora in which to do so

That said, I suppose you _could_ use this behaviour to populate chroots, since you can use it for individual files and directories, as well as whole filesystems. But OpenBSD preference seems to be to keep such places as desolate as possible, so what use?

John
Re: protect mailserver using spamd
On Wed, 02 Feb 2011 20:35:34 +0100 pe...@bsdly.net (Peter N. M. Hansteen) wrote:
> We didn't see any noticeable increase in
> spam received or load on content filtering when going to two minutes
> IIRC. YMMV, may contain nuts etc.

Did you see an increase in legitimate mail getting through without whitelisting? Or any getting through sooner?
Re: protect mailserver using spamd
On Wed, 02 Feb 2011 19:33:31 +0100 pe...@bsdly.net (Peter N. M. Hansteen) wrote:
> I could offer mine for public consumption, but I would need
> to sanity check it first for outdated data.

If it's no bother to get and post it, then I'd be interested in the unsanitised data? Even the problematic domains without ips would do.
Don't forget to plug the project
(10 minutes of me helping debug an ssh config problem precedes this)

15:34 < tobym> oh wow
15:34 < tobym> that fixed it
15:48 < N1JER> tobym: word
15:48 < N1JER> tobym: you should take this time to donate to the openssh project
15:49 < tobym> time or money? :)
15:49 < N1JER> either
15:49 < N1JER> :)
15:52 < achin_> yes, the openssh project deserves a lot of love (both the tangible and intangible kind)
15:52 < tobym> donation sent

--
Jeremy Chase
http://twitter.com/jeremychase
Re: protect mailserver using spamd
OpenBSD Geek writes:

> Do you think, that it will solve my mistake ?

The devil is in the details, as always, but lowering the minimum wait before retry means that those who retry faster than 25 minutes will clear greylisting sooner. We didn't see any noticeable increase in spam received or load on content filtering when going to two minutes IIRC. YMMV, may contain nuts etc.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: nat static-port option
On Wed, 2 Feb 2011 11:53:35 -0600 patric conant wrote:
> 2^24 = 16,777,216
> So they are close.

I read the same ips are being used by ISPs in different parts of the world with a kind of global nat.

Also, if you look at the GeoIP lookup data you'll see great swathes were allocated early on and seemingly never actually used.
FREE SESSION ON EMOTIONAL DEPENDENCY
If you wish to keep receiving our notices, add this sender to your list of allowed contacts. No e-mail is considered SPAM as long as it includes a way to be removed: Section 301, paragraph (a)(2)(C) of S.1618. Under bill S.1618, title 3, approved by the 105th Congress, the basis of the international regulations on SPAM. REMOVE: remo...@corporativomexico.com
PROFIT in 2011 ___xrj 81738
Re: Printing (well anything) using lpd...
On Tue, Feb 1, 2011 at 8:59 AM, Manuel Giraud wrote:
> Jacob Meuser writes:
>
>> foomatic is pretty easy to set up.
>
> Thread hijacker here. I tried to setup a lpd/foomatic for a printer over
> network and always end-up with this kind of message in
> /var/log/lpd-errs:
> --8<---cut here---start->8---
> Feb  1 13:46:29 K lpd[6548]: restarted
> foomatic-rip version 4.0.4.217 running...
> called with arguments: '-w132', '-l66', '-i0', '-n', 'manuel', '-j', 'foo.pdf', '-h', 'K', '/etc/foomatic/HPcolor.ppd'
> Parsing PPD file ...
> Added option Resolution
> Added option PageSize
> Added option Model
> Added option PrintoutMode
> Added option InputSlot
> Added option Duplex
> Added option Quality
> Added option ImageableArea
> Added option PaperDimension
> Added option Font
>
> Parameter Summary
> -----------------
>
> Spooler: lpd
> Printer:
> Shell: /bin/ksh
> PPD file: /etc/foomatic/HPcolor.ppd
> ATTR file:
> Printer model: HP Color LaserJet 4500 hpijs pcl3, 3.10.4.16
> Options: foo.pdf
> Job title: foo.pdf
> File(s) to be printed:
>
> Printing system options:
> Pondering option 'foo.pdf'
> Unknown boolean option "foo.pdf".
> Options from the PPD file:
>
> File:
>
> Filetype: PDF
> Process is dying with "Cannot find a writable temp dir.", exit stat 9
> Cleaning up...
> Feb  1 13:46:58 K lpd[24642]: col: filter 'f' exited (retcode=9)
> Feb  1 13:48:01 K lpd[24642]: mail sent to user manuel about job foo.pdf on printer col (FILTERERR)
> Feb  1 13:48:01 K lpd[24642]: col: job could not be printed (cfA007K)
> --8<---cut here---end--->8---
>
> I'm using 4.8 stable with packages. /etc/foomatic/HPcolor.ppd is a copy
> of
> /usr/local/share/foomatic/db/source/PPD/HP/hp-color_laserjet_4500-hpijs-pcl3.ppd.gz
> from the hpijs package.
>
> I've also installed foomatic-filters and my /etc/printcap is:
> --8<---cut here---start->8---
> col|HP Color: \
>         :lp=9100@192.168.0.12:\
>         :af=/etc/foomatic/HPcolor.ppd:\
>         :if=/usr/local/bin/foomatic-rip:\
>         :sd=/var/spool/output:\
>         :lf=/var/log/lpd-errs:\
>         :sh:
> --8<---cut here---end--->8---
>
> Well. Searching the web, this seems to be related to this:
> http://old.nabble.com/foomatic-stops-working-again-td29285534.html#a29287775
> And might be already fixed in -current (i think i should shut up and
> test then).
> --
> Manuel Giraud

I think this was fixed in current:
http://marc.info/?l=openbsd-ports&m=128893326227486&w=2
http://bzr.linuxfoundation.org/loggerhead/openprinting/foomatic/foomatic-filters/revision/241

Greetings.
Re: protect mailserver using spamd
Do you think that it will solve my mistake?

Thank you for your replies, everybody.

On Wed, 02 Feb 2011 19:35:47 +0100, pe...@bsdly.net (Peter N. M. Hansteen) wrote:
> Kevin Chadwick writes:
>
>> That's a big part of how it works. You can tune the delay with
>> spamd_flags in /etc/rc.conf.local.
>
> yes, a box not too far from here has
>
> spamd_flags="-v -G 2:8:864 -w 1"
>
> - P
Re: nat static-port option
Comcast has 15.930 million high-speed internet customers, according to the Wikipedia article.

2^24 = 16,777,216

So they are close. How about the smartphone market, are they largely being natted? Or are we likely to see a doubling of the need for IP addresses in the next couple of years, as non-smart phones die out?

Is IPv4/64 a reference to IPv6, or a plan to make v4's address space bigger, without changing it significantly otherwise?

On Wed, Feb 2, 2011 at 11:38 AM, VICTOR TARABOLA CORTIANO <vt...@c3sl.ufpr.br> wrote:
> There would be more ip adresses if some greedy companies didn't
> take a lot of addresses for themselves...
Re: nat static-port option
On Wed, Feb 2, 2011 at 11:23 AM, Martin Schröder wrote:
> 2011/2/2 Henning Brauer :
>> who sez that your made up isp has to hand out network-wide unique IPs
>> to his customers?
>
> AFAIK Comcast already has >2^24 customers.

And they seem to be doing just fine. What's the problem again?
Re: protect mailserver using spamd
Kevin Chadwick writes:

> That's a big part of how it works. You can tune the delay with
> spamd_flags in /etc/rc.conf.local.

yes, a box not too far from here has

spamd_flags="-v -G 2:8:864 -w 1"

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: protect mailserver using spamd
OpenBSD Geek writes:

> But when spamd is enabled, mails take a long time(sometimes a day or less)
> to arrive in our box. Sometimes, we don't receive mails.
> Disabled (spamd), all works fine. I don't understand why it doesn't work
> fine, i read spamd(8) man page.

This sounds like you're seeing senders that for one reason or the other do not play well with greylisting. Senders that have not contacted you for a while will see an initial delay anyway (the length of which is mainly a function of how soon they retry delivery after the initial '451 temporary local problem' response). The other, more visible issue is when the sender retries from a different IP address, and it turns lottery-like in a hurry (sometimes referred to as the google effect).

> What i have done to enable spamd, perhaps i'm wrong somewhere ...
>
> In pf.conf, i added :
> table persist
> table persist file "/etc/mail/nospamd"

If you can't get the other end to set up for proper timely retries, you will have to populate nospamd with the IP addresses of the outgoing MXes in the problematic sites (edit the file, reload your PF config). I could offer mine for public consumption, but I would need to sanity check it first for outdated data.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: protect mailserver using spamd
On Wed, 02 Feb 2011 21:39:51 +0400 OpenBSD Geek wrote:
> But when spamd is enabled, mails take a long time(sometimes a day or less)
> to arrive in our box. Sometimes, we don't receive mails.

That's a big part of how it works. You can tune the delay with spamd_flags in /etc/rc.conf.local.

Some servers like hotmail don't follow the rfcs of four hours retry, giving up after an hour, which is why the default delay is 25 mins. 25 * 2 = >1h and 3rd attempt.

Other servers may be even more stupid or keep using different ips, which you can whitelist or not care about.
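The retry arithmetic in this thread (the 25-minute default, Peter's `-G 2:8:864`, the "third attempt, over an hour" remark, and the sender pools that never clear) can be made concrete with a small model. The following is an added example written for this archive, not spamd's own code: it keeps greylist tuples keyed on (source IP, sender, recipient) the way spamd(8) does, whitelists the IP when a retry arrives after `passtime`, and, like spamd, still answers 451 to that retry, so the mail only gets through on the attempt after it. The retry schedules and addresses are constructed, not measured.

```python
"""Simplified model of spamd(8) greylisting: what -G passtime does to a
sender's retry schedule. Added example, not spamd's code; retry schedules
and addresses below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """State a spamd-like greylister keeps: grey tuples and a whitelist of IPs."""
    passtime_min: int   # -G passtime: minutes a tuple must age before a retry counts
    greyexp_min: int    # -G greyexp in minutes: a tuple not retried by then is forgotten
    grey: dict = field(default_factory=dict)   # (ip, from, to) -> minute first seen
    white: set = field(default_factory=set)    # source IPs pf no longer redirects to spamd

    def connect(self, ip, sender, rcpt, now):
        """Outcome of one delivery attempt at minute `now`.

        'ACCEPT'   the source is whitelisted, pf sends it to the real MTA.
        'TEMPFAIL' spamd answered 451. spamd never accepts mail itself, so even
                   the retry that earns the whitelist entry is tempfailed.
        """
        if ip in self.white:
            return 'ACCEPT'
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None or now - first > self.greyexp_min:
            self.grey[key] = now            # new or expired tuple: the clock starts now
            return 'TEMPFAIL'
        if now - first >= self.passtime_min:
            self.white.add(ip)              # retried late enough: whitelist the IP
            del self.grey[key]
        return 'TEMPFAIL'


def minutes_to_delivery(passtime_min, retries, give_up_after=None, hop_ips=False,
                        greyexp_min=4 * 60):
    """Minute (counted from the first attempt) at which the mail reaches the MTA.

    `retries` are the sender's retry offsets in minutes; `give_up_after` is when
    the sender bounces instead of retrying; `hop_ips=True` models a sender pool
    that retries from a different address each time (the 'google effect' in the
    thread). Returns None if the mail never gets through.
    """
    gl = Greylist(passtime_min, greyexp_min)
    for i, t in enumerate([0] + list(retries)):
        if give_up_after is not None and t > give_up_after:
            return None
        ip = f'192.0.2.{i + 1}' if hop_ips else '192.0.2.1'   # constructed addresses
        if gl.connect(ip, 'alice@example.net', 'bob@example.org', t) == 'ACCEPT':
            return t
    return None


if __name__ == '__main__':
    every_15 = range(15, 181, 15)          # retries every 15 minutes for 3 hours
    for passtime in (25, 2):
        print(f'passtime {passtime:2d}: 15-minute retrier that gives up after 1h ->',
              minutes_to_delivery(passtime, every_15, give_up_after=60))
    print('sender retrying every 35 min, passtime 25 ->',
          minutes_to_delivery(25, [35, 70, 105]))
    print('sender pool, new IP on every retry ->',
          minutes_to_delivery(2, every_15, hop_ips=True))
```

Two things fall out of the model: a sender that retries every 35 minutes clears the default 25-minute passtime on its second attempt but is still tempfailed, so the mail lands on the third attempt at 70 minutes, which is the "25 * 2 = >1h and 3rd attempt" observation above; and a pool that rotates source addresses never completes a tuple at any passtime, which is why such senders go into nospamd rather than into the tuning knobs.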
Routing table growing large, full of IP6 routes I don't recognise
My OpenBSD 4.6 system (which is on a Soekris net5501) seems to have a large number of routes in its IP6 routing table. I don't understand why. For example:

--snip--
ff02::1:ff00:115%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:116%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:117%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:118%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:119%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:11a%vr1   link#2   UHc   0   0   -   4   vr1
ff02::1:ff00:11b%vr1   link#2   UHc   0   0   -   4   vr1
--snip--

Like I say, there are many such entries:

# netstat -nr | grep ff02:: | wc -l
2514

In case it is relevant, I use the IPv6 tunnel broker service at tunnelbroker.net. The system has been running with this configuration for over 400 days and has otherwise been very reliable.

Is this harmful? Where did these routes come from?

Many thanks,
James.

[demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
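A first step in answering "where did these come from" is to sort the table by address class rather than eyeballing 2514 lines. The following is an added example, not code from the thread: it parses `netstat -nr -f inet6` output in the column layout shown above, classifies each destination, and decodes the `ff02::1:ffxx:xxxx` entries. Those are solicited-node multicast addresses (RFC 4291, section 2.7.1): each one is formed from the low 24 bits of some unicast address, so a run of consecutive suffixes like `:115`, `:116`, `:117` corresponds to a run of consecutive target addresses, which is worth knowing before deciding whether the growth is harmless. The sample table is constructed.

```python
"""Classify destinations in an OpenBSD `netstat -nr -f inet6` dump and decode
solicited-node multicast entries. Added example, not code from the thread;
the routing table below is constructed."""
import ipaddress
from collections import Counter

# Solicited-node multicast prefix, RFC 4291 section 2.7.1.
SOLICITED_NODE = ipaddress.ip_network('ff02::1:ff00:0/104')

SAMPLE_NETSTAT = """\
Destination                        Gateway                    Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                        UGRS       0        0 33200     8 lo0
::1                                ::1                        UH        14        0 33200     4 lo0
2001:db8:1234::/64                 link#2                     UC         0        0     -     4 vr1
fe80::%vr1/64                      link#2                     UC         0        0     -     4 vr1
ff02::1:ff00:115%vr1               link#2                     UHc        0        0     -     4 vr1
ff02::1:ff00:116%vr1               link#2                     UHc        0        0     -     4 vr1
ff02::1:ff00:117%vr1               link#2                     UHc        0        0     -     4 vr1
ff02::1:ff00:118%vr1               link#2                     UHc        0        0     -     4 vr1
ff02::%vr1/16                      link#2                     UC         0        0     -     4 vr1
"""


def _address(dest):
    """Bare IPv6 address of a destination such as 'ff02::1:ff00:115%vr1' or 'fe80::%vr1/64'."""
    return ipaddress.IPv6Address(dest.split('%', 1)[0].partition('/')[0])


def parse_routes(text):
    """Return (destination, flags, interface) per route line, skipping the header."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == 'Destination':
            continue
        routes.append((parts[0], parts[2], parts[-1]))
    return routes


def classify(dest):
    """Address class of a route destination."""
    addr = _address(dest)
    if addr in SOLICITED_NODE:
        return 'solicited-node multicast'
    if addr.is_multicast:
        return 'other multicast'
    if addr.is_unspecified:
        return 'unspecified'
    if addr.is_loopback:
        return 'loopback'
    if addr.is_link_local:
        return 'link-local unicast'
    return 'unicast'


def summarize(text):
    """Route counts per class, and per (class, interface) to see where they cluster."""
    per_class, per_iface = Counter(), Counter()
    for dest, _flags, iface in parse_routes(text):
        kind = classify(dest)
        per_class[kind] += 1
        per_iface[(kind, iface)] += 1
    return per_class, per_iface


def target_low24(dest):
    """Low 24 bits of the unicast address a solicited-node entry was derived from.
    Consecutive values mean consecutive target addresses."""
    addr = _address(dest)
    if addr not in SOLICITED_NODE:
        raise ValueError(f'{dest} is not a solicited-node multicast address')
    return int(addr) & 0xFFFFFF


def solicited_node(unicast):
    """Solicited-node multicast address that corresponds to a unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24))


if __name__ == '__main__':
    per_class, per_iface = summarize(SAMPLE_NETSTAT)
    for kind, n in per_class.most_common():
        print(f'{n:5d}  {kind}')
    print('targets behind the solicited-node entries:',
          [hex(target_low24(d)) for d, _, _ in parse_routes(SAMPLE_NETSTAT)
           if classify(d) == 'solicited-node multicast'])
```

Run against the real table (`netstat -nr -f inet6 > routes.txt`, then feed the file to `summarize`), the per-interface counter tells you whether the entries sit on the tunnel interface or the LAN side, and `target_low24` over the solicited-node entries shows whether the suffixes are a dense consecutive range or scattered values, which is the first thing to look at before deciding the table is merely large rather than a sign of something else.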
Re: nat static-port option
* Martin Schröder [2011-02-02 18:35]:
> 2011/2/2 Henning Brauer :
> > who sez that your made up isp has to hand out network-wide unique IPs
> > to his customers?
> AFAIK Comcast already has >2^24 customers.
> Any major chinese or indian ISP has or will have >2^24 customers.
> Heck, even DTAG will probably have >2^24 devices in their network soon.

so?

> NAT is a band-aid.

ah right, I forgot that you get to decide that.

> So Comcast has to apply more band-aids under their band-aid?
> Can you even imagine the problems a potential chinese ISP with say
> 2^28 devices will have with v4?
> Do you think this is sane?

at least 2^24 times saner than ipvshit.

> PS: I'm NOT claiming that v6 is the perfect answer.

it's not an answer at all.

i'm outta here, have fun playing with vshit in your sandbox.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
protect mailserver using spamd
Hi,

I use OpenBSD 4.7 Release, with Sendmail MTA. All works fine, I can send and receive mails on the box. But when spamd is enabled, mails take a long time (sometimes a day or less) to arrive in our box. Sometimes, we don't receive mails. Disabled (spamd), all works fine. I don't understand why it doesn't work fine; I read the spamd(8) man page.

What I have done to enable spamd, perhaps I'm wrong somewhere ...

In pf.conf, I added:

table persist
table persist file "/etc/mail/nospamd"
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from to any port smtp
pass in on egress proto tcp from to any port smtp

in my /etc/rc.conf.local:

spamd_flags=""

enable spamd-setup in root crontab

Run spamd: /usr/libexec/spamd

verify: netstat -anf inet | grep LISTEN
Listen on 8025 and 8026 ports

If someone can help me. Thank you very much.
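Before tuning `spamd_flags` or adding hosts to nospamd, it helps to see from your own logs how the slow senders actually behave. The following is an added example for this thread, not OpenBSD code: it reads the `(GREY)` lines that spamd writes to syslog when started with `-v`, and for each greylist tuple reports the retry gaps, the point at which a given passtime would have whitelisted the source, and which senders keep coming back from different addresses (the candidates for nospamd that Peter mentions). The log lines are constructed, and the line layout assumed is the one spamd -v produces.

```python
"""Triage spamd(8) greylist log lines: how often does a slow sender retry, and
does it retry from the same address? Added example, not OpenBSD code. Sample
log is constructed in the layout spamd -v writes to syslog."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Feb  2 10:00:05 gw spamd[29949]: 192.0.2.10: connected (1/0)
Feb  2 10:00:06 gw spamd[29949]: (GREY) 192.0.2.10: <alice@example.net> -> <bob@example.org>
Feb  2 10:00:07 gw spamd[29949]: 192.0.2.10: disconnected after 2 seconds.
Feb  2 10:03:15 gw spamd[29949]: (GREY) 198.51.100.1: <news@bigmail.example> -> <bob@example.org>
Feb  2 10:05:06 gw spamd[29949]: (GREY) 192.0.2.10: <alice@example.net> -> <bob@example.org>
Feb  2 10:08:15 gw spamd[29949]: (GREY) 198.51.100.2: <news@bigmail.example> -> <bob@example.org>
Feb  2 10:13:15 gw spamd[29949]: (GREY) 198.51.100.3: <news@bigmail.example> -> <bob@example.org>
Feb  2 10:18:15 gw spamd[29949]: (GREY) 198.51.100.4: <news@bigmail.example> -> <bob@example.org>
Feb  2 10:30:06 gw spamd[29949]: (GREY) 192.0.2.10: <alice@example.net> -> <bob@example.org>
Feb  2 10:41:00 gw spamd[29949]: (GREY) 203.0.113.9: <deals@spam.example> -> <bob@example.org>
"""

GREY_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ spamd\[\d+\]: '
    r'\(GREY\) (?P<ip>[\d.]+): <(?P<frm>[^>]*)> -> <(?P<to>[^>]*)>$')


def parse_grey(text, year=2011):
    """(time, ip, sender, recipient) for each GREY line; syslog stamps carry no year."""
    out = []
    for line in text.splitlines():
        m = GREY_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r'\s+', ' ', m.group('ts'))
        when = datetime.strptime(f'{year} {stamp}', '%Y %b %d %H:%M:%S')
        out.append((when, m.group('ip'), m.group('frm'), m.group('to')))
    return out


def _by_tuple(entries):
    seen = defaultdict(list)
    for when, ip, frm, to in sorted(entries):
        seen[(ip, frm, to)].append(when)
    return seen


def retry_gaps(entries):
    """Per greylist tuple (ip, from, to): minutes between consecutive attempts."""
    return {key: [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]
            for key, times in _by_tuple(entries).items()}


def whitelist_minute(entries, passtime_min):
    """Per tuple: minutes after the first attempt at which a retry would have earned
    the whitelist entry under `passtime_min`, or None if no retry came that late."""
    result = {}
    for key, times in _by_tuple(entries).items():
        first = times[0]
        late = [t for t in times[1:] if (t - first).total_seconds() / 60 >= passtime_min]
        result[key] = round((late[0] - first).total_seconds() / 60, 1) if late else None
    return result


def pool_senders(entries, min_ips=3):
    """(from, to) pairs retried from at least `min_ips` distinct addresses. Every
    attempt is a fresh tuple, so they never clear: nospamd candidates."""
    ips = defaultdict(set)
    for _, ip, frm, to in entries:
        ips[(frm, to)].add(ip)
    return {pair: sorted(s) for pair, s in ips.items() if len(s) >= min_ips}


if __name__ == '__main__':
    entries = parse_grey(SAMPLE_LOG)
    for key, gaps in retry_gaps(entries).items():
        print(key, 'retry gaps (min):', gaps)
    for passtime in (25, 2):
        print(f'passtime {passtime}:', whitelist_minute(entries, passtime))
    print('senders rotating through IPs:', pool_senders(entries))
```

On a live box the input is `grep '(GREY)' /var/log/daemon`; a sender whose `whitelist_minute` is None under the current passtime but has a value under a lower one is the case where shortening `-G` helps, and a sender listed by `pool_senders` is the case where only nospamd does.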
Re: equivalent of Linux "mount -o bind"
On Wed, 2 Feb 2011 09:13:04 -0800
travis+ml-openbsd-m...@subspacefield.org wrote:

> I have it on fairly good authority that this behavior is
> considered a bug in the Linux kernel

So what's wrong with user rights, and what exactly is the use of this (when this bug is fixed) apart from for confusion, especially when adding lines of possibly buggy code to the kernel?

Strange, in an attempt to answer a question that as far as I can see no-one asked, you've made me ask the question you attempted to answer???
Re: OpenVPN client on OpenBSD
Errr...sorry for the double-post...it's my first time using a mailing list and I thought my first e-mail wasn't going through so I sent another one...please ignore the first post...
Re: nat static-port option
There would be more ip adresses if some greedy companies didn't take a lot of addresses for themselves...
Re: Predictable network interface numbering
On Wed, Feb 2, 2011 at 3:00 PM, Jean H. Theoret wrote:
> This one's got me stumped for a few days now...
>
> How is it possible to control the network interface numbering assignment order?
>
> Here's my specific case: the box has 2 on-board Ethernet interfaces and
> a 3rd one on a PCI-Express card. They come up as:
>
> re0: PCI-Express card
> re1: on-board interface #1
> re2: on-board interface #2
>
> A recent event had disabled the PCI card, and the remaining network
> interfaces ended up being reassigned (upon the next reboot, of course) as:
>
> re0: on-board interface #1
> re1: on-board interface #2
>
> Could this have been prevented by forcing network interface assignment
> to on-board interface _first_, then the PCI card? Or is there a way to
> bind network interface assignment to the adapter's MAC address as
> numbering hint?

According to the guy who will bring his Consistent Network Device Naming to Fedora 15, even numbering based on MAC address has its weaknesses. See his comment to @not-a-fanboy dated January 26, 2011 at 10:13 am at http://domsch.com/blog/?p=455

It is not an answer to your question, I know ;)
Re: nat static-port option
2011/2/2 Henning Brauer :
> who sez that your made up isp has to hand out network-wide unique IPs
> to his customers?

AFAIK Comcast already has >2^24 customers.
Any major Chinese or Indian ISP has or will have >2^24 customers.
Heck, even DTAG will probably have >2^24 devices in their network soon.

NAT is a band-aid. So Comcast has to apply more band-aids under their band-aid?
Can you even imagine the problems a potential Chinese ISP with say 2^28 devices will have with v4?
Do you think this is sane?

Best
Martin

PS: I'm NOT claiming that v6 is the perfect answer.
Re: ipsec packets don't show up at destination enc0 interface
That seems to have fixed it, thanks!

--Paul

On Feb 2, 2011, at 5:12 AM, Otto Moerbeek wrote:

> On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:
>
>> Folks,
>>
>> I'm running 4.8-stable on one end and 4.5-stable at the other of a
>> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
>> working before upgrading the 4.5-stable end.) The tunnel is configured using
>> ipsec.conf and ipsecctl, and the relevant portions of the configs are:
>
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>
> -Otto
>
>> 4.8 side
>> --
>> ike esp from $internal_subnet \
>>     to $outpost_subnet \
>>     local $fios_tunnel_host \
>>     peer $outpost_tunnel_host
>>
>> 4.5 side
>> --
>> ike passive esp from $local_network to $remote_network peer $remote_gateway_ip
>>
>> The flows and SAs that come up are:
>>
>> 4.8 side
>> --
>> FLOWS:
>> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
>> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes
>>
>> 4.5 side
>> --
>> FLOWS:
>> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
>> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>>
>> SAD:
>> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
>> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes
>>
>> Relevant pf rules are:
>>
>> 4.8 side
>> --
>> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
>> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
>> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
>> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state
>>
>> 4.5 side
>> --
>> pass log quick on enc0
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
>> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
>> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
>> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
>> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
>>
>> The security associations come up just fine, and I can see packets going into
>> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
>> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
>> really frustrating is that
>>
>> a) other tunnels to Sonicwall devices work just fine from the 4.8 side
>>
>> b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
>> tunnel worked just fine before.
>>
>> Any ideas on what might be happening or how to further troubleshoot this?
>>
>> --Paul
OpenVPN client on OpenBSD
Has anyone ever gotten OpenVPN to run as a client successfully with a VPN subscription? OpenBSD seems to be the only OS I can't get OpenVPN up successfully on for some reason, and I'd like to make it work. I've confirmed it's not a server-side issue, as I've tested it on other operating systems, and other people are currently using the VPN service without a problem (except none of them are on OpenBSD).

The issue is that when I connect with OpenVPN, it's apparently "connected", but I can't seem to ping the gateway or any websites such as Google, nor use any internet-relying services such as browsing to a website or going on IRC.

I am running OpenBSD 4.8 release, with almost a default install. I've just got openvpn, scrotwm, firefox, and p7zip pkg_added on top of the barebones/fresh install.

Here are some logs/configs:

/etc/hostname.tun0

$ cat /etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

/* I'd like to mention here that even after rebooting, the tun0 interface does NOT come up. An ifconfig shows that it is still down, and OpenVPN is not started up at boot time. I have no idea why /etc/hostname.tun0 isn't being read. */

OpenVPN client config:

$ cat /etc/client.ovpn
# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10
proto udp
remote [vpn url] 11000
remote [vpn ip] 11000

/* The square brackets contain the URL and IP address of the VPN service I connect to. I filtered them out so as not to spam/advertise their service. */

OpenVPN connection log:

$ sudo openvpn --config /etc/openvpn/client.ovpn
Wed Feb 2 10:19:53 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Wed Feb 2 10:19:53 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 2 10:19:53 2011 WARNING: file 'cert.dat' is group or others accessible
Wed Feb 2 10:19:53 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 2 10:19:53 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Feb 2 10:19:53 2011 Local Options hash (VER=V4): '91138c76'
Wed Feb 2 10:19:53 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Wed Feb 2 10:19:53 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Wed Feb 2 10:19:53 2011 UDPv4 link local (bound): [undef]:1194
Wed Feb 2 10:19:53 2011 UDPv4 link remote: [vpn ip]:11000
Wed Feb 2 10:19:53 2011 TLS: Initial packet from [vpn ip]:11000, sid=a16fdfdd b22d9c39
Wed Feb 2 10:19:54 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=ad...@example.com
Wed Feb 2 10:19:54 2011 VERIFY OK: nsCertType=SERVER
Wed Feb 2 10:19:54 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=ad...@example.com
Wed Feb 2 10:20:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb 2 10:20:02 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:20:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb 2 10:20:02 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:20:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 2 10:20:02 2011 [server] Peer Connection Initiated with [vpn ip]:11000
Wed Feb 2 10:20:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.100.2.106 255.255.255.0'
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: route options modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: route-related options modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 2 10:20:04 2011 ROUTE default_gateway=192.168.1.1
Wed Feb 2 10:20:04 2011 /sbin/ifconfig tun0 destroy
Wed Feb 2 10:20:04 2011 /sbin/ifconfig tun0 create
Wed Feb 2 10:20:04 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Feb 2 10:20:04 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Wed Feb 2 10:20:04 2011 TUN/TAP device /dev/tun0 opened
Wed Feb 2 10:20:07 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask 255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb 2 10:20:07 2011 /sbin/route add -net 0.0.0.0 10.100.2.1
Re: equivalent of Linux "mount -o bind"
On Fri, Jan 28, 2011 at 03:52:53PM -0800, Travis H. wrote:
> So I'm curious if there's something in OpenBSD that's similar to the
> "mount -o bind /dir1 /dir2" to make dir1 appear where dir2 is.

For those who asked, one sample use is for something like this:

    Starting with the 2.4-series Linux kernels, it has been possible to mount a
    filesystem simultaneously in two different places. "Aha!" you might think, as
    I did. "Then surely we can mount the backups read-only in /snapshot, and
    read-write in /root/snapshot at the same time!"

    Alas, no. Say your backups are on the partition /dev/hdb1. If you run the
    following commands,

        mount /dev/hdb1 /root/snapshot
        mount --bind -o ro /root/snapshot /snapshot

    then (at least as of the 2.4.9 Linux kernel--updated, still present in the
    2.4.20 kernel), mount will report /dev/hdb1 as being mounted read-write in
    /root/snapshot and read-only in /snapshot, just as you requested. Don't let
    the system mislead you! In the example above, the second mount call will
    cause both of the mounts to become read-only, and the backup process will be
    unable to run. Scratch this one.

    Update: I have it on fairly good authority that this behavior is considered
    a bug in the Linux kernel, which will be fixed as soon as someone gets around
    to it. If you are a kernel maintainer and know more about this issue, or are
    willing to fix it, I'd love to hear from you!

-- 
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
Re: PF match counter seems to be hitting a limit
Ok, thanks for the tip. I've removed the settings through sysctl, but unfortunately I still see those alerts being triggered, then mostly resolved during the next check. The system seems to have some issues during heavy UDP session bursts (the monitoring system issues a stream of requests to a couple hundred systems), yet all system resources seem OK. I have looked at port switches and there are no Ethernet errors either. Any other hints or settings I should look at would be very appreciated. The connections are going through Intel PRO/1000 PT interfaces. Here's the dmesg, in case.

Thanks again.

OpenBSD 4.8 (GENERIC.MP) #335: Mon Aug 16 09:09:20 MDT 2010
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3483697152 (3322MB)
avail mem = 3377143808 (3220MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcfb9c000 (66 entries)
bios0: vendor Dell Inc. version "2.2.6" date 02/05/2008
bios0: Dell Inc. PowerEdge 1950
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.29 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.02 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu1: 6MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.02 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu2: 6MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz, 1995.02 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,NXE,LONG
cpu3: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (PEX2)
acpiprt2 at acpi0: bus 5 (UPST)
acpiprt3 at acpi0: bus 6 (DWN1)
acpiprt4 at acpi0: bus 8 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus -1 (PE2P)
acpiprt7 at acpi0: bus 10 (PEX4)
acpiprt8 at acpi0: bus 12 (PEX6)
acpiprt9 at acpi0: bus 2 (SBEX)
acpiprt10 at acpi0: bus 14 (COMP)
acpicpu0 at acpi0: C3
acpicpu1 at acpi0: C3
acpicpu2 at acpi0: C3
acpicpu3 at acpi0: C3
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 5
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 6
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 7
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 4 int 16 (irq 6)
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 8
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 9
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
mfi0 at pci7 dev 0 function 0 "Symbios Logic SAS1078" rev 0x04: apic 4 int 16 (irq 6), Dell PERC 6/i integrated
mfi0: logical drives 1, version 6.0.2-0002, 256MB RAM
scsibus0 at mfi0: 1 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 69376MB, 512 bytes/sec, 142082048 sec total
ppb7 at pci0 dev 4 function 0 "Intel 5000 PCIE x8" rev 0x12: apic 4 int 16 (irq 0)
pci8 at ppb7 bus 10
em0 at pci8 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4 int 16 (irq 6), address 00:15:17:19:96:98
em1 at pci8 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4 int 17 (irq 5), address 00:15:17:19:96:99
ppb8 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0x12
pci9 at ppb8 bus 11
ppb9 at pci0 dev 6 function 0 "Intel 5000 PCIE x8" rev 0x12: apic 4 int 16 (irq 0)
pci10 at ppb9 bus 12
em2 at pci10 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4 int 16 (irq 6), address 00:15:17:19:95:84
em3 at pci10 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 4 int 17 (irq 5), address 00:15:17:19:95:85
ppb10 at pci
OpenVPN client on OpenBSD
Has anyone been able to successfully use OpenVPN on OpenBSD with a VPN service? For some reason OpenBSD is the only OS I can't get my VPN subscription working on, and I'd like to make it work.

I am running OpenBSD 4.8-release, on an almost-fresh install. I only pkg_added openvpn, firefox, scrotwm, and p7zip. I have my client.ovpn and cert.dat in my /etc/openvpn directory.

Contents of /etc/hostname.tun0 :

up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

Contents of /etc/openvpn/client.ovpn :

# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10
proto udp
remote [vpn url] 11000
remote [vpn ip] 11000

The information within square brackets I removed so as not to advertise the service.

Logs of connecting to VPN:

$ sudo openvpn --config client.ovpn
Password:
Wed Feb 2 10:14:39 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Wed Feb 2 10:14:39 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 2 10:14:39 2011 WARNING: file 'cert.dat' is group or others accessible
Wed Feb 2 10:14:39 2011 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Feb 2 10:14:39 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Wed Feb 2 10:14:39 2011 Local Options hash (VER=V4): 'bf6006bf'
Wed Feb 2 10:14:39 2011 Expected Remote Options hash (VER=V4): '3ce6ab7f'
Wed Feb 2 10:14:39 2011 Attempting to establish TCP connection with [vpn ip]:11000 [nonblock]
Wed Feb 2 10:14:40 2011 TCP connection established with [vpn ip]:11000
Wed Feb 2 10:14:40 2011 Socket Buffers: R=[16384->65536] S=[16384->65536]
Wed Feb 2 10:14:40 2011 TCPv4_CLIENT link local: [undef]
Wed Feb 2 10:14:40 2011 TCPv4_CLIENT link remote: [vpn ip]:11000
Wed Feb 2 10:14:40 2011 TLS: Initial packet from [vpn ip]:11000, sid=8683dadf 709ff51b
Wed Feb 2 10:14:42 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=ad...@example.com
Wed Feb 2 10:14:42 2011 VERIFY OK: nsCertType=SERVER
Wed Feb 2 10:14:42 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Wed Feb 2 10:14:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb 2 10:14:46 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:14:46 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb 2 10:14:46 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:14:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 2 10:14:46 2011 [server] Peer Connection Initiated with [vpn ip]:11000
Wed Feb 2 10:14:49 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 2 10:14:49 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.1.1,route-gateway 10.100.1.1,topology subnet,ping 120,ping-restart 360,socket-flags TCP_NODELAY,ifconfig 10.100.1.112 255.255.255.0'
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: --socket-flags option modified
Wed Feb 2 10:14:49 2011 NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: route options modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: route-related options modified
Wed Feb 2 10:14:49 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 2 10:14:49 2011 ROUTE default_gateway=192.168.1.1
Wed Feb 2 10:14:49 2011 /sbin/ifconfig tun0 destroy
Wed Feb 2 10:14:49 2011 /sbin/ifconfig tun0 create
Wed Feb 2 10:14:49 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Feb 2 10:14:49 2011 /sbin/ifconfig tun0 10.100.1.112 netmask 255.255.255.0 mtu 1500 broadcast 10.100.1.255 link0
Wed Feb 2 10:14:49 2011 TUN/TAP device /dev/tun0 opened
Wed Feb 2 10:14:51 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask 255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb 2 10:14:51 2011 /sbin/route add -net 0.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.1.1
Wed Feb 2 10:14:51 2011 /sbin/route add -net 128.0.0.0 10.100.1.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.1.1
Wed Feb 2 10:14:51 2011 /sbin/route add -net 10.100.1.0 10.100.1.1 -netmask 255.255.255.0
add net 10.100.1.0: gateway 10.100.1.1
Wed Feb 2 10:14:51 2011 Initialization Sequence Completed

ifconfig while I left the
Re: nat static-port option
* Martin Schröder [2011-02-02 16:45]:
> 2011/2/2 Henning Brauer :
> > * Martin Schröder [2011-02-02 15:06]:
> >> Unless you are an ISP with more than 2^24 customers.
> > you are talking bullshit. there is oh so much v4 space allocated that
> Currently an ISP with more than 2^24 customers can't NAT them all
> (as 10/8 has only 2^24 addresses) or has to allocate more than one
> /8 for his customers, which makes routing etc. more difficult.

you are talking bullshit, still. who sez that your made up isp has to hand out network-wide unique IPs to his customers?

why do i even waste time on some ipvshit advocate that acts like a politician claiming we have to eat shit because there wouldn't be an alternative, making up a case out of nothing to "prove" his case?

> > as if one incompetent isp mattered.
> I'm sure most Chinese and Indian ISPs will agree.

you sure know what you're talking about, that's obvious.

look at the oh so bright future yourself, look at the code required to deal with that misdesigned piece of shit. did i just say "designed"? sorry. it's obvious that nothing remotely related to design was involved.

u_int8_t
mask2prefixlen(in_addr_t ina)
{
	if (ina == 0)
		return (0);
	else
		return (33 - ffs(ntohl(ina)));
}

u_int8_t
mask2prefixlen6(struct sockaddr_in6 *sa_in6)
{
	u_int8_t	 l = 0, *ap, *ep;

	/*
	 * sin6_len is the size of the sockaddr so substract the offset of
	 * the possibly truncated sin6_addr struct.
	 */
	ap = (u_int8_t *)&sa_in6->sin6_addr;
	ep = (u_int8_t *)sa_in6 + sa_in6->sin6_len;
	for (; ap < ep; ap++) {
		/* this "beauty" is adopted from sbin/route/show.c ... */
		switch (*ap) {
		case 0xff:
			l += 8;
			break;
		case 0xfe:
			l += 7;
			return (l);
		case 0xfc:
			l += 6;
			return (l);
		case 0xf8:
			l += 5;
			return (l);
		case 0xf0:
			l += 4;
			return (l);
		case 0xe0:
			l += 3;
			return (l);
		case 0xc0:
			l += 2;
			return (l);
		case 0x80:
			l += 1;
			return (l);
		case 0x00:
			return (l);
		default:
			fatalx("non continguous inet6 netmask");
		}
	}
	return (l);
}

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
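The two routines quoted above turn a netmask into a prefix length, and both assume the mask is contiguous: the IPv4 one-liner returns a plausible but wrong length for a mask like 255.0.255.0, and the IPv6 walk bails out with fatalx() on any byte outside its eight legal values. The program below is an added example, not OpenBSD's code, that does the same conversion with the contiguity check made explicit, returning -1 instead of a bogus value or an abort, which is the behaviour a parser of untrusted configuration or routing data usually wants. The function names are my own; the textual wrappers exist so the check can be exercised on ordinary mask strings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>     /* ffs() */
#include <arpa/inet.h>   /* inet_pton(), ntohl() */
#include <netinet/in.h>

/*
 * Prefix length of an IPv4 netmask given in network byte order (the value
 * of struct in_addr.s_addr).  Same 33 - ffs() arithmetic as in the mail,
 * plus a check that the mask really is a run of ones followed by zeros;
 * a non-contiguous mask such as 255.0.255.0 yields -1 instead of a bogus
 * length.
 */
int
mask2prefixlen_checked(in_addr_t ina)
{
	uint32_t m = ntohl(ina);
	int plen;

	if (m == 0)
		return 0;
	plen = 33 - ffs((int)m);	/* 1-based position of the lowest set bit */
	if (m != (uint32_t)(0xffffffffu << (32 - plen)))
		return -1;		/* bits set below the first zero */
	return plen;
}

/*
 * Prefix length of an IPv6 netmask.  Walks the 16 address bytes like
 * mask2prefixlen6() in the mail, but instead of a switch on the eight legal
 * byte values it counts leading one bits and then requires every remaining
 * bit to be zero, returning -1 rather than calling fatalx() on a
 * non-contiguous mask.
 */
int
mask2prefixlen6_checked(const struct in6_addr *mask)
{
	int i, l = 0, past_end = 0;

	for (i = 0; i < 16; i++) {
		uint8_t b = mask->s6_addr[i];

		if (past_end) {
			if (b != 0)
				return -1;	/* a one bit after the first zero bit */
			continue;
		}
		if (b == 0xff) {
			l += 8;
			continue;
		}
		while (b & 0x80) {	/* partial byte: count its leading ones */
			l++;
			b = (uint8_t)(b << 1);
		}
		if (b != 0)
			return -1;	/* ones below a zero inside the byte */
		past_end = 1;
	}
	return l;
}

/* Wrappers taking the textual mask, e.g. "255.255.255.0" or "ffff:ffff::". */
int
prefixlen4(const char *mask)
{
	struct in_addr a;

	if (inet_pton(AF_INET, mask, &a) != 1)
		return -1;
	return mask2prefixlen_checked(a.s_addr);
}

int
prefixlen6(const char *mask)
{
	struct in6_addr a;

	if (inet_pton(AF_INET6, mask, &a) != 1)
		return -1;
	return mask2prefixlen6_checked(&a);
}

int
main(void)
{
	const char *v4[] = { "255.255.255.0", "128.0.0.0", "0.0.0.0", "255.0.255.0" };
	const char *v6[] = { "ffff:ffff:ffff:ffff::", "ffff:ffff:ffff:fe00::", "::", "ffff::ffff" };
	size_t i;

	for (i = 0; i < sizeof(v4) / sizeof(v4[0]); i++)
		printf("%-24s -> %d\n", v4[i], prefixlen4(v4[i]));
	for (i = 0; i < sizeof(v6) / sizeof(v6[0]); i++)
		printf("%-24s -> %d\n", v6[i], prefixlen6(v6[i]));
	return 0;
}
```

The IPv6 routine takes a struct in6_addr rather than the sockaddr_in6 of the original, so it does not need the sin6_len arithmetic; callers that receive a possibly truncated sockaddr from the routing socket must still bound the walk by sin6_len before handing the address over.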
Re: nat static-port option
2011/2/2 Henning Brauer :
> * Martin Schröder [2011-02-02 15:06]:
>> Unless you are an ISP with more than 2^24 customers.
>
> you are talking bullshit. there is oh so much v4 space allocated that

Currently an ISP with more than 2^24 customers can't NAT them all (as 10/8 has only 2^24 addresses) or has to allocate more than one /8 for his customers, which makes routing etc. more difficult.

> as if one incompetent isp mattered.

I'm sure most Chinese and Indian ISPs will agree.

Best
Martin
Re: nat static-port option
* Martin Schröder [2011-02-02 15:06]:
> 2011/2/2 Henning Brauer :
> > there is no ipv4 shortage. there is a reclaiming issue.
> Unless you are an ISP with more than 2^24 customers.

you are talking bullshit. there is oh so much v4 space allocated that isn't used. and gobs of space that was allocated but isn't being used in a meaningful way. reclaiming that space gives us dozens of years and the chance to design something that isn't such a pile of poo as ipvshit.

> > all hail ipv4/64, while at it.
> Comcast will disagree. :-)

as if one incompetent isp mattered.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: nat static-port option
2011/2/2 Henning Brauer :
> there is no ipv4 shortage. there is a reclaiming issue.

Unless you are an ISP with more than 2^24 customers.

> all hail ipv4/64, while at it.

Comcast will disagree. :-)

Best
Martin
Predictable network interface numbering
This one's got me stumped for a few days now...

How is it possible to control the network interface numbering assignment order?

Here's my specific case: the box has 2 on-board Ethernet interfaces and a 3rd one on a PCI-Express card. They come up as:

re0: PCI-Express card
re1: on-board interface #1
re2: on-board interface #2

A recent event had disabled the PCI card, and the remaining network interfaces ended up being reassigned (upon the next reboot, of course) as:

re0: on-board interface #1
re1: on-board interface #2

Could this have been prevented by forcing network interface assignment to on-board interface _first_, then the PCI card? Or is there a way to bind network interface assignment to the adapter's MAC address as numbering hint?

-- 
JHT
Re: Printing (well anything) using lpd...
Jacob Meuser writes:

> On Tue, Feb 01, 2011 at 03:59:02PM +0100, Manuel Giraud wrote:
>> Jacob Meuser writes:
>>
>> > foomatic is pretty easy to set up.
>>
>> Thread hijacker here. I tried to setup a lpd/foomatic for a printer over
>> network and always end-up with this kind of message in
>> /var/log/lpd-errs:
>
>> Well. Searching the web, this seems to be related to this:
>> http://old.nabble.com/foomatic-stops-working-again-td29285534.html#a29287775
>> And might be already fixed in -current (i think i should shut up and
>> test then).
>
> as we're now at 4.9-beta, it's definitely a good time to be testing
> -current.

FWIW it works like a charm with a snapshot and a recent hpijs, foomatic-filters.

-- 
Manuel Giraud
Re: PF match counter seems to be hitting a limit
sigh. remove this bullshit and start over.

* Steve Johnson [2011-02-01 22:38]:
> Ok, thanks for the tips. I did not have any ifq drops, but have still just
> increased the net.inet.icmp.errppslimit to 1 (from the 1000 that was
> before and shown below) and will see if that helps anything. Thanks also for
> the clarification on the match counter.
>
> I had forgotten to also include the sysctl changes that I had made as well,
> mostly based from calomel.org, which were the following:
>
> kern.maxclusters=128000
> net.inet.icmp.errppslimit=1000
> net.inet.ip.ifq.maxlen=1536
> net.inet.ip.mtudisc=0
> net.inet.ip.ttl=254
> net.inet.ipcomp.enable=1
> net.inet.tcp.ackonpush=1
> net.inet.tcp.ecn=1
> net.inet.tcp.mssdflt=1472
> net.inet.tcp.recvspace=262144
> net.inet.tcp.rfc1323=1
> net.inet.tcp.rfc3390=1
> net.inet.tcp.sack=1
> net.inet.tcp.sendspace=262144
> net.inet.udp.recvspace=262144
> net.inet.udp.sendspace=262144
> vm.swapencrypt.enable=1
>
> On Tue, Feb 1, 2011 at 3:15 PM, Henning Brauer wrote:
>
> > * Steve Johnson [2011-02-01 20:35]:
> > > I currently have a system that has no match rule in the ruleset, but that
> > > uses tables for a big chunk of the traffic, including our monitoring station
> > > that has a pretty high SNMP request rate. That system has a state table that
> > > usually stabilizes between 15-20K sessions, with a session search rate of
> > > around 10K. The states limit has been raised to 10 and the frags to
> > > 1, but all other limits are set to default values.
> >
> > you can increase that much more. the times where kmem was a very
> > scarce ressource are long over.
> >
> > > However, the "match"
> > > counter always states a rate between 199/200 per second.
> >
> > the counter has nothing to do with match rules. it is increased any
> > time a rule matches, regardless of the type.
> >
> > > During some heavy
> > > traffic period, we are getting some failures from the monitoring system and
> > > the only thing that seems possibly out of health for the system is the match
> > > counter rate. System processor and memory are fine and there is no other
> > > noticeable impact, but clearly the monitoring tool is seeing an impact, as
> > > it didn't reflect something this behavior before we implemented the PF
> > > systems.
> >
> > you might hit some other limit, not necessarily pf. start with
> > checking sysctl net.inet.ifq - in particular drops, and increase
> > maxlen if you see it increasing.
> > depending on how you monitor you might also run into the icmp err rate
> > limit, play with the net.inet.icmp.errppslimit sysctl.
> >
> > --
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services, http://bsws.de
> > Full-Service ISP - Secure Hosting, Mail and DNS Services
> > Dedicated Servers, Rootservers, Application Hosting
>

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: nat static-port option
* Ted Unangst [2011-02-02 01:52]:
> On Tue, Feb 1, 2011 at 5:07 PM, Martin Schröder wrote:
> > So what will you tell your customers 2012 when you can't get ipv4 for them?
> The same thing he told them in 2008.

exactly. "i have enough ipv4 for a long while". there is no ipv4
shortage. there is a reclaiming issue.

all hail ipv4/64, while at it.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
PROMO TV -AUDIO VIDEO -GAMING CONSOLE 02 02 11
TV AUDIO VIDEO

TV SAMSUNG 22 P2270HD: 176,00 VAT included; 172,00 VAT included (min. 30 pcs); 168,00 VAT included (min. 100 pcs)
TV SAMSUNG 32 32C350: 287,50 VAT included; 285,00 VAT included (min. 30 pcs); 281,00 VAT included (min. 100 pcs)
LG 22 M227WDP-PC: 138.33 + VAT; 135.83 + VAT (min. 50 pcs)

GAMING CONSOLE

KINECT ADVENTURES for XBOX: 128,00 VAT included; 126,00 VAT included (min. 30 pcs); 124,00 VAT included (min. 100 pcs)
NINTENDO DSI (4 colours): 128,00 VAT included; 126,00 VAT included (min. 10 pcs)
NINTENDO DSI XL (yellow, blue, green): 135,00 + VAT; 130,00 + VAT (min. 50 pcs)
Below cost!!! NINTENDO DSI 122,00 VAT included (min. 100 pcs) (extra discounts by quantity)

OFFER VALID WHILE STOCKS LAST. PRICES MAY CHANGE WITHOUT NOTICE.

- Wide range of gaming accessories for SONY/NINTENDO/MICROSOFT available
- Wide range of TV accessories and audio/video cables available
- Wide range of notebook/netbook accessories available

OTHER CATEGORIES:
- Telephony... mobile phones, sat navs, MP
- Digital photo frames
- Consumables
- Digital memory: pen drives/SD...
- Cases
- Printers/multifunction/monitors
- Cartridges & toner
- Reams of A4 paper & photo paper
- UPS units
- Video surveillance
- CONTROL MONEY
- Notebook/netbook spare parts
- Antivirus

AGFAPHOTO PRODUCTS ...

PERSONAL COMPUTER ACCESSORIES
- iPod MP3/4 accessories
- Notebook/netbook accessories
- TV accessories
- Office accessories
- USB accessories
- Power supplies
- Audio/speakers
- Bags
- Bluetooth
- Card readers/writers
- PC trolleys
- Cases
- Rack drawers
- Audio/video cables, computer cables, RJ45 network cables, telephone cables
- Express Card PCMCIA
- External enclosures
- Gaming
- USB hubs
- Mounting frames
- Mice
- Power strips
- Networking
- PCI/PCI-E cards
- Switches
- Mouse pads
- Keyboards
- Cooling fans
- Webcams

FOR INFO AND ORDER CONFIRMATIONS
Mariano Della Monica
mobile: +39 392 5004800
mail1: mariano.dellamon...@tin.it
mail2: vend...@marianodellamonica.it
web: www.marianodellamonica.it

Kind regards

OFFER VALID WHILE STOCKS LAST. PRICES MAY CHANGE WITHOUT NOTICE.
I REMAIN AT YOUR DISPOSAL FOR ANY CLARIFICATION AND IN THE MEANTIME PLEASE ACCEPT MY BEST REGARDS.
Do not hesitate to contact me for personalised quotes.
Have a good day and good work.

Best Regards
Mariano Della Monica
Sales Agent
mobile: +39 392 50048 00
mariano.dellamon...@tin.it

The information contained in this message is reserved and confidential. Its use is permitted exclusively to the recipient of the message, for the purposes indicated in the message itself. If you are not the person to whom this message is addressed, please delete it from your system and destroy any copies or printouts, kindly informing us. Any improper use is contrary to the principles of Legislative Decree 196/03 and to European legislation (Directive 2002/58/EC). We also inform you that the processing of the data of newsletter subscribers complies with the Personal Data Protection Code (Legislative Decree of 30 June 2003, no. 196). Operates in compliance with Legislative Decree 196/2003 and European legislation. The e-mail addresses in the archive were received directly at our address or extracted from public-domain lists. It is sufficient to send a message
antispoof quick for self
Hi folks,

If I add "antispoof quick for self" to my pf.conf to enable antispoofing
on all interfaces, then I get these additional rules:

block drop in quick on ! self inet from <__automatic_3df3184e_0> to any
block drop in quick on ! self inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on em0 inet6 from fe80::260:e0ff:fe4b:d2ec to any
block drop in quick on em1 inet6 from fe80::260:e0ff:fe4b:d2ed to any
block drop in quick on em5 inet6 from fe80::260:e0ff:fe4b:d2f1 to any
block drop in quick on em6 inet6 from fe80::260:e0ff:fe4b:d2f2 to any
block drop in quick on carp0 inet6 from fe80::200:5eff:fe00:10a to any
block drop in quick on carp1 inet6 from fe80::200:5eff:fe00:107 to any
block drop in quick on carp5 inet6 from fe80::200:5eff:fe00:111 to any
block drop in quick inet from <__automatic_3df3184e_1> to any

The automatic tables contain the local networks and the local IP
addresses, including carp interfaces.

I am not sure about the "on ! self". Ain't this a contradiction in
terms? Sorry for asking, but "self" is just very briefly described in
pf.conf(5).

Any helpful comment would be highly appreciated.

Regards

Harri
Re: pf rules for Load Balance Incoming Connections for webservers
> But, it always directs to one particular ip address. How to see load
> balancing?

today, I myself learnt it from the below url
http://www.openbsd.org/faq/pf/pools.html#incoming

match in on $ext_if proto tcp to port 80 rdr-to $web_servers \
    round-robin sticky-address

Successive connections will be redirected to the web servers in a
round-robin manner with connections from the same source being sent to
the same web server. This "sticky connection" will exist as long as
there are states that refer to this connection. Once the states expire,
so will the sticky connection. Further connections from that host will
be redirected to the next web server in the round robin.

If I removed sticky-address from the above rule, it will load balance
in a one by one manner.

Thank you all for your wonderful support.

--
> Thank you
> Indunil Jayasooriya
>

--
Thank you
Indunil Jayasooriya
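The round-robin and sticky-address behaviour quoted from the FAQ, replayed as a small Python model; this is an added example, not pf's own code, and the server and client addresses in it are constructed sample values.

```python
"""Added example, not pf's own code: a small model of the rdr-to pool
behaviour described above (round-robin, and sticky-address pinning a
source to one server only while that source still has states)."""


class RdrPool:
    def __init__(self, servers, sticky_address):
        self.servers = list(servers)   # $web_servers, in round-robin order
        self.sticky = sticky_address   # True if 'sticky-address' is present
        self.cursor = 0                # next server for a fresh assignment
        self.pins = {}                 # src -> [server, number of live states]

    def new_connection(self, src):
        """Return the server a new connection from src is redirected to."""
        if self.sticky and src in self.pins:
            self.pins[src][1] += 1     # one more state refers to the sticky mapping
            return self.pins[src][0]
        server = self.servers[self.cursor]
        self.cursor = (self.cursor + 1) % len(self.servers)
        if self.sticky:
            self.pins[src] = [server, 1]
        return server

    def state_expired(self, src):
        """One of src's states timed out; the sticky mapping dies with the last one."""
        if src in self.pins:
            self.pins[src][1] -= 1
            if self.pins[src][1] == 0:
                del self.pins[src]


def trace(sticky_address):
    """Replay one constructed sequence of events and return the redirect targets."""
    pool = RdrPool(["10.0.0.11", "10.0.0.12", "10.0.0.13"], sticky_address)  # constructed
    a, b = "192.0.2.10", "192.0.2.20"   # two constructed client addresses
    targets = [pool.new_connection(a), pool.new_connection(b), pool.new_connection(a)]
    pool.state_expired(a)               # both of a's states time out ...
    pool.state_expired(a)
    targets.append(pool.new_connection(a))  # ... so a is assigned afresh
    return targets


if __name__ == "__main__":
    print("sticky-address:   ", trace(True))   # a stays on .11, then moves on to .13
    print("plain round-robin:", trace(False))  # every connection takes the next server
```

With sticky-address the third connection from the same client stays on the server it was pinned to, and only after its states expire does it advance to the next server in the round robin; without it, each connection simply takes the next server.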
Re: ipsec packets don't show up at destination enc0 interface
On Wed, Feb 02, 2011 at 03:05:49AM -0500, Paul Suh wrote:
> Folks,
>
> I'm running 4.8-stable on one end and 4.5-stable at the other of a
> site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
> working before upgrading the 4.5-stable end.) The tunnel is configured using
> ipsec.conf and ipsecctl, and the relevant portions of the configs are:

http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

	-Otto

>
> 4.8 side
> --
> ike esp from $internal_subnet \
>         to $outpost_subnet \
>         local $fios_tunnel_host \
>         peer $outpost_tunnel_host
>
> 4.5 side
> --
> ike passive esp from $local_network to $remote_network peer $remote_gateway_ip
>
> The flows and SAs that come up are:
>
> 4.8 side
> --
> FLOWS:
> flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
> flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require
>
> SAD:
> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes
>
> 4.5 side
> --
> FLOWS:
> flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
> flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require
>
> SAD:
> esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
> esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes
>
> Relevant pf rules are:
>
> 4.8 side
> --
> pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
> pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
> pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
> pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state
>
> 4.5 side
> --
> pass log quick on enc0
> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
> pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
> pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
> pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
> pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173
>
>
> The security associations come up just fine, and I can see packets going into
> the tunnel at the 4.8 end on enc0, and I can see the packets going out over
> ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
> really frustrating is that
>
> a) other tunnels to Sonicwall devices work just fine from the 4.8 side
>
> b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
> tunnel worked just fine before.
>
> Any ideas on what might be happening or how to further troubleshoot this?
>
>
>
> --Paul
>
> [demime 1.01d removed an attachment of type application/pkcs7-signature which
> had a name of smime.p7s]
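The upgrade note Otto links describes OpenBSD 4.7 moving hmac-sha2-256 to the RFC 4868 output length (128 bits) from the 96 bits older releases used. As an added illustration that is not part of the thread, the Python below shows what such an ICV length mismatch does to an ESP packet: both ends share the key, yet the receiver's check fails and the packet is dropped before decapsulation. The key, SPI and payload bytes are constructed sample values.

```python
"""Added example, not from the thread: an ESP integrity-check (ICV) length
mismatch between two peers that otherwise share the same key."""
import hashlib
import hmac
import struct

# Constructed sample values (not the thread's real key, SPI or traffic).
SAMPLE_KEY = bytes(range(32))
SAMPLE_SPI = 0x00010203
SAMPLE_CIPHERTEXT = b"\x5a" * 48        # stands in for the AES-encrypted payload


def esp_packet(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def esp_icv(key, packet, icv_bits):
    """HMAC-SHA-256 over SPI+seq+payload, truncated to icv_bits (96 or 128)."""
    return hmac.new(key, packet, hashlib.sha256).digest()[: icv_bits // 8]


def protect(key, packet, icv_bits):
    """Sender appends the ICV of the length it was configured with."""
    return packet + esp_icv(key, packet, icv_bits)


def verify(key, wire, icv_bits):
    """Receiver strips the ICV length *it* expects and recomputes it."""
    n = icv_bits // 8
    if len(wire) <= n:
        return False
    body, icv = wire[:-n], wire[-n:]
    return hmac.compare_digest(esp_icv(key, body, icv_bits), icv)


def tunnel_delivers(sender_bits, receiver_bits):
    """True if a packet authenticated with sender_bits passes a receiver that
    expects receiver_bits; with a shared key only equal lengths verify."""
    packet = esp_packet(SAMPLE_SPI, 1, SAMPLE_CIPHERTEXT)
    wire = protect(SAMPLE_KEY, packet, sender_bits)
    return verify(SAMPLE_KEY, wire, receiver_bits)


if __name__ == "__main__":
    for s, r in ((128, 128), (96, 96), (128, 96), (96, 128)):
        print(f"sender {s}-bit ICV, receiver expects {r}-bit: "
              f"{'delivered' if tunnel_delivers(s, r) else 'dropped'}")
```

A packet that fails ICV verification is discarded by the receiving IPsec stack before it is decapsulated, which is why the SAs can look healthy on both ends while nothing ever reaches enc0 at the receiver.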
ipsec packets don't show up at destination enc0 interface
Folks,

I'm running 4.8-stable on one end and 4.5-stable at the other of a
site-to-site IPSec VPN tunnel. (I'm trying to make sure that things are
working before upgrading the 4.5-stable end.) The tunnel is configured using
ipsec.conf and ipsecctl, and the relevant portions of the configs are:

4.8 side
--
ike esp from $internal_subnet \
        to $outpost_subnet \
        local $fios_tunnel_host \
        peer $outpost_tunnel_host

4.5 side
--
ike passive esp from $local_network to $remote_network peer $remote_gateway_ip

The flows and SAs that come up are:

4.8 side
--
FLOWS:
flow esp in from 192.168.140.0/24 to 192.168.137.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type use
flow esp out from 192.168.137.0/24 to 192.168.140.0/24 peer 64.237.99.79 srcid 71.163.154.173/32 dstid 64.237.99.79/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes

4.5 side
--
FLOWS:
flow esp in from 192.168.137.0/24 to 192.168.140.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type use
flow esp out from 192.168.140.0/24 to 192.168.137.0/24 peer 71.163.154.173 srcid 64.237.99.79/32 dstid 71.163.154.173/32 type require

SAD:
esp tunnel from 71.163.154.173 to 64.237.99.79 spi 0x0b2168ad auth hmac-sha2-256 enc aes
esp tunnel from 64.237.99.79 to 71.163.154.173 spi 0x2d0b auth hmac-sha2-256 enc aes

Relevant pf rules are:

4.8 side
--
pass in quick on sis1 inet proto udp from 64.237.99.79 to 71.163.154.173 port = isakmp keep state
pass in quick on sis1 inet proto esp from 64.237.99.79 to 71.163.154.173 keep state
pass out quick on sis1 inet proto udp from 71.163.154.173 to 64.237.99.79 port = isakmp keep state
pass out quick on sis1 inet proto esp from 71.163.154.173 to 64.237.99.79 keep state

4.5 side
--
pass log quick on enc0
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 500
pass in quick on $ext_if proto udp from 71.163.154.173 to 64.237.99.79 port 4500
pass out quick on $ext_if proto udp from 64.237.99.79 to 71.163.154.173 port 4500
pass in quick on $ext_if proto esp from 71.163.154.173 to 64.237.99.79
pass out quick on $ext_if proto esp from 64.237.99.79 to 71.163.154.173

The security associations come up just fine, and I can see packets going into
the tunnel at the 4.8 end on enc0, and I can see the packets going out over
ESP to the destination, but they never show up on enc0 at the 4.5 end. What's
really frustrating is that

a) other tunnels to Sonicwall devices work just fine from the 4.8 side

b) I am upgrading the device that is now 4.8 from a 4.5 installation, and the
tunnel worked just fine before.

Any ideas on what might be happening or how to further troubleshoot this?

--Paul

[demime 1.01d removed an attachment of type application/pkcs7-signature which
had a name of smime.p7s]
your VISA card 4XXX-XXXX-XXXX-XXXX: possible fraudulent transaction # 48295821
Dear VISA card holder, A recent review of your transaction history determined that your card was used at an ATM located in Iraq, but for security reasons the requested transaction was refused. You need to complete the VISA Card Holder form. You can do this by clicking the link below: http://www.visa.ca/en/merchant/index.jsp?=QjzKLt4g3NwfJmMVbxh ub6keaxZvHO3tCRAziHeECQfoFuaER5Y6Ku VISA Cards Support Message-ID: [ #d5fd5f7ddd963b44328c71d2d3ee7222# ]