Negative Reviews are killing your reputation

[Jigna Patel]

Dear Hotel Owner,

Reviews about your hotel can make or break your hotel's success.

If you don't enough positive reviews on Expedia, Google, Tripadvisor,
Yahoo Travel and other such sites, you are losing the game.

If you have negative reviews about your hotel, you are at serious
disdvantage.

Allow us to manage your reviews:

1) Our US-based, native English writers will create most effective
management response to the negative reviews about your property.

2) We will also assist you in getting more positive reviews on all top
portals.

3) We will monitor your reputation to ensure that you get more positive
reviews.

Respond today to protect your reputation on Internet.

Regards,
Jigna Patel.
Cell : (331) 465-9247

Re: strange X problem after Aug11 snapshot

[Matthieu Herrb]

On Mon, Aug 15, 2011 at 8:02 PM, dsp d...@2f30.org wrote:
 Hi list :)
 sorry for not be able to debug this problem a lot but
 i haven't the slightest idea where to start!
 after the Aug 11 snapshot i started to experience screen blackenings

How old was your previous snapshot?

-- 
Matthieu Herrb

rebuild RAID1

[Wesley MOUEDINE ASSABY]

Hi, 

I'm trying to test softraid. 
I use OpenBSD 4.8 Release, i have 2 disks : 

wd0 250G Openbsd is installed ; wd0k slice is part of RAID (200G) 
wd1 500G wd1k slice is part of RAID (200G) 

I built my RAID using this : bioctl -c 1 -l wd0k,wd1k softraid0 
All is ok, sd0c is mounted in /home (cf /etc/fstab) 

Now i disconnected wd1, restart computer. /home is available, but RAID1 is
degraded. 

Add wd1, restart computer, try bioctl -R sd0 0:1.0 (give me an error like
not part in /dev/bio.) 

How can i rebuild ? 

Thank you very much. 

Wesley.

Re: strange X problem after Aug11 snapshot

[Thomas Pfaff]

On Tue, 16 Aug 2011 09:32:47 +0200
Matthieu Herrb mhe...@gmail.com wrote:

 On Mon, Aug 15, 2011 at 8:02 PM, dsp d...@2f30.org wrote:
  Hi list :)
  sorry for not be able to debug this problem a lot but
  i haven't the slightest idea where to start!
  after the Aug 11 snapshot i started to experience screen blackenings
 
 How old was your previous snapshot?


dsp told me he had rebuilt devel/sdl with three patches removed and
this made the problem go away.  I did what he did and it solved the
problem for me too (amd64 Aug 7 snapshot -- dmesg in previous post).

The patches removed are patch-src_video_x11_SDL_x11{sym_h,video_[ch]}
They're the latest patches in the port dated 2011/05/13 and deal with
XRandR and VidMode.

Thinking back a few snapshots I believe it was around this time that
I first saw ffplay fail in this way, but I made no real notice about
it since I rarely use it and xine and mplayer worked fine anyway.

Thanks to dsp for sharing.  Now I can play with qemu again ;-)

Re: rebuild RAID1

[joshua stein]

 I built my RAID using this : bioctl -c 1 -l wd0k,wd1k softraid0 
 All is ok, sd0c is mounted in /home (cf /etc/fstab) 
 
 Now i disconnected wd1, restart computer. /home is available, but RAID1 is
 degraded. 
 
 Add wd1, restart computer, try bioctl -R sd0 0:1.0 (give me an error like
 not part in /dev/bio.) 

from the man page:

 The following command starts a rebuild of the degraded softraid volume
 sd0 using a new chunk on wd0d:

# bioctl -R /dev/wd0d sd0

so in your case it would be:

bioctl -R /dev/wd1k sd0

pf shape download

[Michel Blais]

Hi,

I'm having a problem to shape download with PF. I have 2 HFSC queue
(main and second) created on my internal NIC. Main is my default
queue. If I try to match download traffic to the second queue, it still
go trought the main queue.

The IP I want to download trought the second queue for my test
unit is 10.254.200.2
$ext_if=re0
$int_if=re1

My rule to foward traffic to second queue is :
match out on $int_if from any to 10.254.200.2
I also try with pass instead of match

Look fine if I check the bob exemple in this faq :
http://www.openbsd.org/faq/pf/queueing.html#example1

pfctl -vvsq still show traffic on main queue :

queue  main on re1 bandwidth 1Mb priority 2 qlimit 100 hfsc( red default 
upperlimit 97Mb )
  [ pkts:  24701  bytes:   37333295  dropped pkts:  0 
bytes:  0 ]

  [ qlength:   0/100 ]
  [ measured:   236.4 packets/s, 2.86Mb/s ]
queue  second on re1 bandwidth 1Mb priority 0 qlimit 250 hfsc( red 
upperlimit 97Mb )
  [ pkts:  0  bytes:  0  dropped pkts:  0 
bytes:  0 ]

  [ qlength:   0/250 ]
  [ measured: 0.0 packets/s, 0 b/s ]

pftop -v rules show me that the rule don't match
12 Pass out re1 K 0 0 0 inet from any to 10.254.200.2/32flags   
S/SA queue second


I can see my download with tcpdump :
# tcpdump -i re1 host 10.254.200.2
...
10:49:19.802505 10.254.200.2.49266  hammurabi.acc.umu.se.www: . ack 
832200 win 64240 (DF)
10:49:19.802716 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
832200:833660(1460) ack 1 win 6564 (DF)
10:49:19.802911 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
833660:835120(1460) ack 1 win 6564 (DF)
10:49:19.803040 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
835120:836580(1460) ack 1 win 6564 (DF)
10:49:19.803211 10.254.200.2.49266  hammurabi.acc.umu.se.www: . ack 
836580 win 64240 (DF)
10:49:19.803248 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
836580:838040(1460) ack 1 win 6564 (DF)
10:49:19.803252 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
838040:839500(1460) ack 1 win 6564 (DF)
10:49:19.803367 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
839500:840960(1460) ack 1 win 6564 (DF)

...

I have pass days on this with OpenBSD 4.9 and
FreeBSD 8.2 without result.

I even tryed every 8 possible rules at the same time and
pfctl was still showing traffic trought the main queue on :

match in on re0 from any to 10.254.200.2 queue second
match in on re1 from any to 10.254.200.2 queue second
match out on re0 from any to 10.254.200.2 queue second
match out on re0 from any to 10.254.200.2 queue second
match in on re0 from 10.254.200.2 to any queue second
match in on re1 from 10.254.200.2 to any queue second
match out on re0 from 10.254.200.2 to any queue second
match out on re0 from 10.254.200.2 to any queue second

in this case, pftop was showing that it
match out on re0 from 10.254.200.2 to any
match on re1 from 10.254.200.2 to any
it look like only upload rule match

Can somebody help me on this ?

Thanks

Michel

P.S : I have a VoIP queue that I will add after that will need the
realtime option, that why I'm using HFSC.

relayd problems

[James Flom]

Hi all,

Using a snapshot from Aug 1st I can't get more than one of these relays to run
at the same time with the fallback forward to in there, but up to 3 at once
with that line removed from each relay, with 4 relays though it always fails.
Any idea if this is a bug or configuration issue?

Thanks,
-James

Relayd.conf
# Macros
http_port=80
https_port=443

# Define server/service macros
include /etc/relays/hosts.conf

# Global Configuration
interval 20
timeout 200
prefork 10
log updates

# failover table
table fallback disable { 10.1.0.20 retry 2 }

include /etc/relays/relays.conf
# END


hosts.conf (/etc/relays/hosts.conf)
# www_a
www_a_ext=10. 0.0.193
www_a_01_int=172.20.30.137
table www_a { $www_a_01_int }

# www_b
www_b_ext=10.0.0.194
www_b_01_int=172.20.30.133
table www_b { $www_b_01_int }

# www_c
www_c_ext=10. 0.0.200
www_c_01_int=172.20.30.140
table www_c { $www_c_01_int }

# www_d
www_d_ext=10. 0.0.195
www_d_01_int=172.20.30.142
table www_d { $www_d_01_int }
# END


relays.conf (/etc/relays/relays.conf)
# www_a
relay www_a_com {
listen on $www_a_ext port 80
forward to www_a port 80 check http / code 200
forward to fallback port 80 timeout 300 check tcp
}

# www_b
relay www_b_com {
listen on $www_b_ext port 80
forward to www_b port 80 check http / code 200
forward to fallback port 80 timeout 300 check tcp
}

# www_c
relay www_c_com {
listen on $www_c_ext port 80
forward to www_c port 80 check http / code 200
forward to fallback port 80 timeout 300 check tcp
}

# www_d
relay www_d_com {
listen on $www_d_ext port 80
forward to www_d port 80 check http / code 200
forward to fallback port 80 timeout 300 check tcp
}
# END



# relayd -vvd
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
warning: macro 'http_port' not used
socket_rlimit: max open files 1024
warning: macro 'https_port' not used
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay www_a_com
protocol -1: name default
flags: used, relay flags:
type: tcp
relay_privinit: adding relay www_b_com
protocol -1: name default
flags: used, relay flags:
type: tcp
relay_privinit: adding relay www_c_com
protocol -1: name default
flags: used, relay flags:
type: tcp
relay_privinit: adding relay www_d_com
protocol -1: name default
flags: used, relay flags:
type: tcp
adding 1 hosts from table www_a:80
relay_launch: running relay www_a_com
adding 1 hosts from table www_b:80
relay_launch: running relay www_b_com
adding 1 hosts from table www_c:80
adding 1 hosts from table www_a:80
relay_launch: running relay www_c_com
adding 1 hosts from table www_d:80
relay_launch: running relay www_d_com
relay_launch: running relay www_a_com
adding 1 hosts from table www_b:80
relay_launch: running relay www_b_com
adding 1 hosts from table www_c:80
relay_launch: running relay www_c_com
adding 1 hosts from table www_d:80
relay_launch: running relay www_d_com
adding 1 hosts from table www_a:80
relay_launch: running relay www_a_com
adding 1 hosts from table www_b:80
adding 1 hosts from table www_a:80
relay_launch: running relay www_b_com
relay_launch: running relay www_a_com
adding 1 hosts from table www_b:80
adding 1 hosts from table www_c:80
relay_launch: running relay www_c_com
relay_launch: running relay www_b_com
adding 1 hosts from table www_d:80
adding 1 hosts from table www_c:80
relay_launch: running relay www_d_com
relay_launch: running relay www_c_com
adding 1 hosts from table www_d:80
relay_launch: running relay www_d_com
adding 1 hosts from table www_a:80
relay_launch: running relay www_a_com
adding 1 hosts from table www_b:80
relay_launch: running relay www_b_com
adding 1 hosts from table www_c:80
relay_launch: running relay www_c_com
adding 1 hosts from table www_d:80
relay_launch: running relay www_d_com
hce_notify_done: 172.20.30.133 (http code ok)
host 172.20.30.133, check http code (2ms), state unknown - up, availability
100.00%
hce_notify_done: 172.20.30.137 (http code ok)
host 172.20.30.137, check http code (2ms), state unknown - up, availability
100.00%
hce_notify_done: 172.20.30.142 (http code ok)
host 172.20.30.142, check http code (2ms), state unknown - up, availability
100.00%
fatal: pfe_dispatch_imsg: invalid host id
hce exiting, pid 28386
lost child: hce exited okay
lost child: pfe exited abnormally
relay exiting, pid 672
relay exiting, pid 13247
relay exiting, pid 30099
relay exiting, pid 11566
relay exiting, pid 16851
parent terminating, pid 28820

Re: relayd problems

[David Hill]

What are the spaces in the IP addresses?

On Tue, Aug 16, 2011 at 11:46:26AM -0500, James Flom wrote:
:Hi all,
:
:Using a snapshot from Aug 1st I can't get more than one of these relays to run
:at the same time with the fallback forward to in there, but up to 3 at once
:with that line removed from each relay, with 4 relays though it always fails.
:Any idea if this is a bug or configuration issue?
:
:Thanks,
:-James
:
:Relayd.conf
:# Macros
:http_port=80
:https_port=443
:
:# Define server/service macros
:include /etc/relays/hosts.conf
:
:# Global Configuration
:interval 20
:timeout 200
:prefork 10
:log updates
:
:# failover table
:table fallback disable { 10.1.0.20 retry 2 }
:
:include /etc/relays/relays.conf
:# END
:
:
:hosts.conf (/etc/relays/hosts.conf)
:# www_a
:www_a_ext=10. 0.0.193
:www_a_01_int=172.20.30.137
:table www_a { $www_a_01_int }
:
:# www_b
:www_b_ext=10.0.0.194
:www_b_01_int=172.20.30.133
:table www_b { $www_b_01_int }
:
:# www_c
:www_c_ext=10. 0.0.200
:www_c_01_int=172.20.30.140
:table www_c { $www_c_01_int }
:
:# www_d
:www_d_ext=10. 0.0.195
:www_d_01_int=172.20.30.142
:table www_d { $www_d_01_int }
:# END
:
:
:relays.conf (/etc/relays/relays.conf)
:# www_a
:relay www_a_com {
:listen on $www_a_ext port 80
:forward to www_a port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:
:# www_b
:relay www_b_com {
:listen on $www_b_ext port 80
:forward to www_b port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:
:# www_c
:relay www_c_com {
:listen on $www_c_ext port 80
:forward to www_c port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:
:# www_d
:relay www_d_com {
:listen on $www_d_ext port 80
:forward to www_d port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:# END
:
:
:
:# relayd -vvd
:startup
:socket_rlimit: max open files 1024
:socket_rlimit: max open files 1024
:socket_rlimit: max open files 1024
:warning: macro 'http_port' not used
:socket_rlimit: max open files 1024
:warning: macro 'https_port' not used
:socket_rlimit: max open files 1024
:socket_rlimit: max open files 1024
:relay_privinit: adding relay www_a_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:relay_privinit: adding relay www_b_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:relay_privinit: adding relay www_c_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:relay_privinit: adding relay www_d_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_c:80
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_b_com
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_c_com
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_d:80
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_d_com
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:hce_notify_done: 172.20.30.133 (http code ok)
:host 172.20.30.133, check http code (2ms), state unknown - up, availability
:100.00%
:hce_notify_done: 172.20.30.137 (http code ok)
:host 172.20.30.137, check http code (2ms), state unknown - up, availability
:100.00%
:hce_notify_done: 172.20.30.142 (http code ok)
:host 172.20.30.142, check http code (2ms), state unknown - up, availability
:100.00%
:fatal: pfe_dispatch_imsg: invalid host id
:hce exiting, pid 28386
:lost child: hce exited okay
:lost child: pfe exited abnormally
:relay exiting, pid 672
:relay exiting, pid 13247
:relay exiting, pid 30099
:relay exiting, pid 11566
:relay exiting, pid 16851
:parent terminating, pid 28820
:

-- 
Everyone is a genius.  It's just that 

Only the first nameserver entry in resolv.conf is being queried

[Brett]

Hi misc'ers,

I have customised dhclient.conf so I can use nameservers other than my ISP's. 
The first one on my list is unreliable, but instead of going to the next on the 
list, ping, xxxterm and firefox are not finding the sites (ie DNS queries are 
not being answered).

I am running Aug 14 -current, amd64. 

The man page for resolv.conf says 
Up to MAXNS (currently 3) name servers may be listed, one per
 line.  If there are multiple servers, the resolver library
 queries them in the order listed.  If no nameserver entries
 are present, the default is to use the name server on the
 local machine.  (The algorithm used is to try a name server,
 and if the query times out, try the next, until out of name
 servers, then repeat trying all name servers until a maximum
 number of retries are performed.)

But this is not what seems to happen.

---
My /etc/dhclient.conf:

# $OpenBSD: dhclient.conf,v 1.2 2011/04/04 11:14:52 krw Exp $
# DHCP Client Configuration
supersede domain-name-servers 208.71.35.137, 84.22.100.250, 67.212.90.199;

When I run dhclient, it generates this file in /etc/resolv.conf:

nameserver 208.71.35.137
nameserver 84.22.100.250
nameserver 67.212.90.199

---
The nameserver at 208.71.35.137 does not seem to be returning DNS queries with 
the above resolv.conf configuration. 
If I try to ping, I get:

# ping unsw.edu.au
ping: unknown host: unsw.edu.au
# ping ucla.edu
ping: unknown host: ucla.edu

Also xxxterm and firefox could not find web pages. 
eg, xxxterm says: 
Unable to load page 
Problem occurred while loading the URL 
http://public-root.com/root-server-locations.htm
Cannot resolve hostname (public-root.com)

(Although one time the page did load - presumably the 208.71.35.137 server came 
online for a few seconds then back offline again).

-
If I comment out the first line of the above resolv.conf, I get:

# ping unsw.edu.au
PING unsw.edu.au (149.171.96.60): 56 data bytes
64 bytes from 149.171.96.60: icmp_seq=0 ttl=239 time=201.043 ms
...
--- unsw.edu.au ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 201.043/201.212/201.372/0.535 ms

# ping ucla.edu   
PING ucla.edu (169.232.33.224): 56 data bytes
64 bytes from 169.232.33.224: icmp_seq=0 ttl=48 time=48.711 ms
--- ucla.edu ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 48.711/48.711/48.711/0.000 ms

-
This looks to me like if the first nameserver is not responding, the next on 
the list is ignored.
I looked at the mailing lists and a bunch of man pages: dhclient.conf, 
dhclient-script, gethostbyname, resolver, resolv.conf, and dhclient and could 
not see a way to change this behaviour.

Am I misinterpreting what is happening when the pings are not finding the 
hosts, or doing something wrong in my config?

Thanks,
Brett.

Nuovo messaggio

[INFO]

Benvenuto nel piC9 completo Midi Professionale
e supporto mp3 del sito Internet.
Con migliaia di Midi top e canzoni mp3.
Siete nel posto giusto !!

WWW.GIGAMUSIC.EU


Midi canzoni Italiane e straniere
Musica nuova2011
Cucina italiana
Video diversi

tutto su www.gigamusic.eu

GRAZIE PER LA VOSTRA VISITA E BUONA NAVIGAZIONE!!!

PF tcp sessions/s rate evaluation

[Quentin Aebischer]

Hello everyone,

I'm currently a master degree student, and I'd like to benchmark  
packet filter over the number of tcp sessions per seconds it can handle.


So I've got a very basic setup working, consisting of one server  
running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's  
running Linux, acting respectively as client and webserver (running  
apache2 for the last).


Basically, the client spams standard HTTP requests to the server via  
the firewall using a basic HTTP injector tool and evaluates the number  
of sucessful processed requests per seconds.


As one can expect, there is an inverse relationship between the number  
of sessions/s a firewall can sustain and the size of the object of the  
request. To achieve maximum throughput, you've got to request big size  
objects (i.e 50KB or more), whereas to achieve maximum sessions rate  
per second, you've got to make requests with 0 size objects.


Prior to this, I've run some tests with a Linux firewall running  
iptables, and I've come up with an average rate of 11300 sessions/s  
for 0 size objects (straight up results, no tweaks or improvements  
made).


Moving on to the OpenBSD tests, I only achieved an average rate of  
7000 sessions/s for 0 size object (starting up at 8000, slowly  
decreasing to 7000 - 6500 ...), which is way above the linux/iptables  
average rate . I then tried to make some tweaks in /etc/sysctl.conf,  
but no improvement so far. The ruleset I use is the following (copied  
from the OpenBSD pf tutorial) :


set block-policy drop
pass out quick
pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
pass in inet proto icmp all
pass in on $LAN.


So I come here now to know whether you guys have any idea what sort of  
tweaks I could try to significantly enhance the number of tcp sessions  
per seconds processed by PF. I'm kind of a PF newbie, so I'm clueless  
for the moment . Any hints, thoughts or ideas is appreciated !

Re: relayd problems

[James Flom]

Typos from me removing the real IP addresses, they were not in there when I
ran the actual test.

-James

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
David Hill
Sent: Tuesday, August 16, 2011 12:18 PM
To: misc@openbsd.org
Subject: Re: relayd problems

What are the spaces in the IP addresses?

On Tue, Aug 16, 2011 at 11:46:26AM -0500, James Flom wrote:
:Hi all,
:
:Using a snapshot from Aug 1st I can't get more than one of these relays to
run :at the same time with the fallback forward to in there, but up to 3 at
once :with that line removed from each relay, with 4 relays though it always
fails.
:Any idea if this is a bug or configuration issue?
:
:Thanks,
:-James
:
:Relayd.conf
:# Macros
:http_port=80
:https_port=443
:
:# Define server/service macros
:include /etc/relays/hosts.conf
:
:# Global Configuration
:interval 20
:timeout 200
:prefork 10
:log updates
:
:# failover table
:table fallback disable { 10.1.0.20 retry 2 }
:
:include /etc/relays/relays.conf
:# END
:
:
:hosts.conf (/etc/relays/hosts.conf)
:# www_a
:www_a_ext=10. 0.0.193
:www_a_01_int=172.20.30.137
:table www_a { $www_a_01_int }
:
:# www_b
:www_b_ext=10.0.0.194
:www_b_01_int=172.20.30.133
:table www_b { $www_b_01_int }
:
:# www_c
:www_c_ext=10. 0.0.200
:www_c_01_int=172.20.30.140
:table www_c { $www_c_01_int }
:
:# www_d
:www_d_ext=10. 0.0.195
:www_d_01_int=172.20.30.142
:table www_d { $www_d_01_int }
:# END
:
:
:relays.conf (/etc/relays/relays.conf)
:# www_a
:relay www_a_com {
:listen on $www_a_ext port 80
:forward to www_a port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:
:# www_b
:relay www_b_com {
:listen on $www_b_ext port 80
:forward to www_b port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:
:# www_c
:relay www_c_com {
:listen on $www_c_ext port 80
:forward to www_c port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:
:# www_d
:relay www_d_com {
:listen on $www_d_ext port 80
:forward to www_d port 80 check http / code 200
:forward to fallback port 80 timeout 300 check tcp
:}
:# END
:
:
:
:# relayd -vvd
:startup
:socket_rlimit: max open files 1024
:socket_rlimit: max open files 1024
:socket_rlimit: max open files 1024
:warning: macro 'http_port' not used
:socket_rlimit: max open files 1024
:warning: macro 'https_port' not used
:socket_rlimit: max open files 1024
:socket_rlimit: max open files 1024
:relay_privinit: adding relay www_a_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:relay_privinit: adding relay www_b_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:relay_privinit: adding relay www_c_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:relay_privinit: adding relay www_d_com
:protocol -1: name default
:flags: used, relay flags:
:type: tcp
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_c:80
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_b_com
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_c_com
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_d:80
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_d_com
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:adding 1 hosts from table www_a:80
:relay_launch: running relay www_a_com
:adding 1 hosts from table www_b:80
:relay_launch: running relay www_b_com
:adding 1 hosts from table www_c:80
:relay_launch: running relay www_c_com
:adding 1 hosts from table www_d:80
:relay_launch: running relay www_d_com
:hce_notify_done: 172.20.30.133 (http code ok) :host 172.20.30.133, check http
code (2ms), state unknown - up, availability :100.00%
:hce_notify_done: 172.20.30.137 (http code ok) :host 172.20.30.137, check http
code (2ms), state unknown - up, availability :100.00%
:hce_notify_done: 172.20.30.142 (http code ok) :host 172.20.30.142, check http
code (2ms), state unknown - up, availability :100.00%
:fatal: pfe_dispatch_imsg: 

Re: strange X problem after Aug11 snapshot

[David Coppa]

On Tue, Aug 16, 2011 at 4:54 PM, Thomas Pfaff tpf...@tp76.info wrote:

 dsp told me he had rebuilt devel/sdl with three patches removed and
 this made the problem go away.  I did what he did and it solved the
 problem for me too (amd64 Aug 7 snapshot -- dmesg in previous post).

 The patches removed are patch-src_video_x11_SDL_x11{sym_h,video_[ch]}
 They're the latest patches in the port dated 2011/05/13 and deal with
 XRandR and VidMode.

Yes, it's a patch that was added to have working brightness regulation
with openarena.

I confirm the buggy behaviour with 'mplayer -vo sdl' on amd64 and that
removing those patches fixes the issue.

 Thinking back a few snapshots I believe it was around this time that
 I first saw ffplay fail in this way, but I made no real notice about
 it since I rarely use it and xine and mplayer worked fine anyway.

 Thanks to dsp for sharing.  Now I can play with qemu again ;-)

Thanks.
I think that commit should be reverted...

Ciao,
David

Re: Only the first nameserver entry in resolv.conf is being queried

[Daniel Melameth]

On Tue, Aug 16, 2011 at 12:05 PM, Brett brett.ma...@gmx.com wrote:
 I have customised dhclient.conf so I can use nameservers other than my
ISP's. The first one on my list is unreliable, but instead of going to the
next on the list, ping, xxxterm and firefox are not finding the sites (ie DNS
queries are not being answered).

 When I run dhclient, it generates this file in /etc/resolv.conf:

 nameserver 208.71.35.137
 nameserver 84.22.100.250
 nameserver 67.212.90.199

 The nameserver at 208.71.35.137 does not seem to be returning DNS queries
with the above resolv.conf configuration.
 If I try to ping, I get:

 # ping unsw.edu.au
 ping: unknown host: unsw.edu.au
 # ping ucla.edu
 ping: unknown host: ucla.edu

 Also xxxterm and firefox could not find web pages.
 eg, xxxterm says:
 Unable to load page
 Problem occurred while loading the URL
http://public-root.com/root-server-locations.htm
 Cannot resolve hostname (public-root.com)

 (Although one time the page did load - presumably the 208.71.35.137 server
came online for a few seconds then back offline again).

 If I comment out the first line of the above resolv.conf, I get:

 # ping unsw.edu.au
 PING unsw.edu.au (149.171.96.60): 56 data bytes
 64 bytes from 149.171.96.60: icmp_seq=0 ttl=239 time=201.043 ms

 # ping ucla.edu
 PING ucla.edu (169.232.33.224): 56 data bytes
 64 bytes from 169.232.33.224: icmp_seq=0 ttl=48 time=48.711 ms

 This looks to me like if the first nameserver is not responding, the next on
the list is ignored.
 I looked at the mailing lists and a bunch of man pages: dhclient.conf,
dhclient-script, gethostbyname, resolver, resolv.conf, and dhclient and could
not see a way to change this behaviour.

 Am I misinterpreting what is happening when the pings are not finding the
hosts, or doing something wrong in my config?

A quick dig @208.71.35.137 shows it is responding, but not providing
an answer.  I imagine if 208.71.35.137 was not responding at all,
resolv.conf would behave as expected.

Re: PF tcp sessions/s rate evaluation

[Stuart Henderson]

On 2011-08-16, Quentin Aebischer quentin.aebisc...@usherbrooke.ca wrote:
 Hello everyone,

 I'm currently a master degree student, and I'd like to benchmark  
 packet filter over the number of tcp sessions per seconds it can handle.

 So I've got a very basic setup working, consisting of one server  
 running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's  
 running Linux, acting respectively as client and webserver (running  
 apache2 for the last).

 Basically, the client spams standard HTTP requests to the server via  
 the firewall using a basic HTTP injector tool and evaluates the number  
 of sucessful processed requests per seconds.

 As one can expect, there is an inverse relationship between the number  
 of sessions/s a firewall can sustain and the size of the object of the  
 request. To achieve maximum throughput, you've got to request big size  
 objects (i.e 50KB or more), whereas to achieve maximum sessions rate  
 per second, you've got to make requests with 0 size objects.

 Prior to this, I've run some tests with a Linux firewall running  
 iptables, and I've come up with an average rate of 11300 sessions/s  
 for 0 size objects (straight up results, no tweaks or improvements  
 made).

 Moving on to the OpenBSD tests, I only achieved an average rate of  
 7000 sessions/s for 0 size object (starting up at 8000, slowly  
 decreasing to 7000 - 6500 ...), which is way above the linux/iptables  
 average rate . I then tried to make some tweaks in /etc/sysctl.conf,  
 but no improvement so far. The ruleset I use is the following (copied  
 from the OpenBSD pf tutorial) :

 set block-policy drop
 pass out quick
 pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
 pass in inet proto icmp all
 pass in on $LAN.


 So I come here now to know whether you guys have any idea what sort of  
 tweaks I could try to significantly enhance the number of tcp sessions  
 per seconds processed by PF. I'm kind of a PF newbie, so I'm clueless  
 for the moment . Any hints, thoughts or ideas is appreciated !



Make sure your state limits are high enough (set limits states XX;
default is 1).

Also check sysctl net.inet.ip.ifq; if there are drops then you may
want to gradually increase net.inet.ip.ifq.maxlen

Note that the ruleset you have shown does not block anything
(default if there is *no* matching rule at all is to statelessly
pass a packet).

Re: PF tcp sessions/s rate evaluation

[Ryan McBride]

There is not much to tweak, performance-wise. OpenBSD avoids such
buttons like the plague, and besides: benchmarks should be run with a
stock install, which is what 99% of users are going to be doing as well.

You can try looking at the output of 'pfctl -si' and see if any of those
is increasing a lot, it may give you some more hints. The only thing
that jumps to mind is the states limit; if it's getting hit you'll see
the memory counter increase. I can't make any suggestion for a good
value for 'set limit states' though because you included zero
information about the hardware you're testing on.



On Tue, Aug 16, 2011 at 02:12:01PM -0400, Quentin Aebischer wrote:
 Hello everyone,
 
 I'm currently a master degree student, and I'd like to benchmark
 packet filter over the number of tcp sessions per seconds it can
 handle.
 
 So I've got a very basic setup working, consisting of one server
 running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's
 running Linux, acting respectively as client and webserver (running
 apache2 for the last).
 
 Basically, the client spams standard HTTP requests to the server via
 the firewall using a basic HTTP injector tool and evaluates the
 number of sucessful processed requests per seconds.
 
 As one can expect, there is an inverse relationship between the
 number of sessions/s a firewall can sustain and the size of the
 object of the request. To achieve maximum throughput, you've got to
 request big size objects (i.e 50KB or more), whereas to achieve
 maximum sessions rate per second, you've got to make requests with 0
 size objects.
 
 Prior to this, I've run some tests with a Linux firewall running
 iptables, and I've come up with an average rate of 11300 sessions/s
 for 0 size objects (straight up results, no tweaks or improvements
 made).
 
 Moving on to the OpenBSD tests, I only achieved an average rate of
 7000 sessions/s for 0 size object (starting up at 8000, slowly
 decreasing to 7000 - 6500 ...), which is way above the
 linux/iptables average rate . I then tried to make some tweaks in
 /etc/sysctl.conf, but no improvement so far. The ruleset I use is
 the following (copied from the OpenBSD pf tutorial) :
 
 set block-policy drop
 pass out quick
 pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
 pass in inet proto icmp all
 pass in on $LAN.
 
 
 So I come here now to know whether you guys have any idea what sort
 of tweaks I could try to significantly enhance the number of tcp
 sessions per seconds processed by PF. I'm kind of a PF newbie, so
 I'm clueless for the moment . Any hints, thoughts or ideas is
 appreciated !
 

-- 

Re: pf shape download

[Stuart Henderson]

It would be easier to look for what's wrong if you include the whole ruleset



On 2011-08-16, Michel Blais mic...@targointernet.com wrote:

 I'm having a problem to shape download with PF. I have 2 HFSC queue
 (main and second) created on my internal NIC. Main is my default
 queue. If I try to match download traffic to the second queue, it still
 go trought the main queue.

 The IP I want to download trought the second queue for my test
 unit is 10.254.200.2
 $ext_if=re0
 $int_if=re1

 My rule to foward traffic to second queue is :
 match out on $int_if from any to 10.254.200.2
 I also try with pass instead of match

 Look fine if I check the bob exemple in this faq :
 http://www.openbsd.org/faq/pf/queueing.html#example1

 pfctl -vvsq still show traffic on main queue :

 queue  main on re1 bandwidth 1Mb priority 2 qlimit 100 hfsc( red default 
 upperlimit 97Mb )
[ pkts:  24701  bytes:   37333295  dropped pkts:  0 
 bytes:  0 ]
[ qlength:   0/100 ]
[ measured:   236.4 packets/s, 2.86Mb/s ]
 queue  second on re1 bandwidth 1Mb priority 0 qlimit 250 hfsc( red 
 upperlimit 97Mb )
[ pkts:  0  bytes:  0  dropped pkts:  0 
 bytes:  0 ]
[ qlength:   0/250 ]
[ measured: 0.0 packets/s, 0 b/s ]

 pftop -v rules show me that the rule don't match
 12 Pass out re1 K 0 0 0 inet from any to 10.254.200.2/32flags   
 S/SA queue second

 I can see my download with tcpdump :
 # tcpdump -i re1 host 10.254.200.2
 ...
 10:49:19.802505 10.254.200.2.49266  hammurabi.acc.umu.se.www: . ack 
 832200 win 64240 (DF)
 10:49:19.802716 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
 832200:833660(1460) ack 1 win 6564 (DF)
 10:49:19.802911 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
 833660:835120(1460) ack 1 win 6564 (DF)
 10:49:19.803040 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
 835120:836580(1460) ack 1 win 6564 (DF)
 10:49:19.803211 10.254.200.2.49266  hammurabi.acc.umu.se.www: . ack 
 836580 win 64240 (DF)
 10:49:19.803248 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
 836580:838040(1460) ack 1 win 6564 (DF)
 10:49:19.803252 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
 838040:839500(1460) ack 1 win 6564 (DF)
 10:49:19.803367 hammurabi.acc.umu.se.www  10.254.200.2.49266: . 
 839500:840960(1460) ack 1 win 6564 (DF)
 ...

 I have pass days on this with OpenBSD 4.9 and
 FreeBSD 8.2 without result.

 I even tryed every 8 possible rules at the same time and
 pfctl was still showing traffic trought the main queue on :

 match in on re0 from any to 10.254.200.2 queue second
 match in on re1 from any to 10.254.200.2 queue second
 match out on re0 from any to 10.254.200.2 queue second
 match out on re0 from any to 10.254.200.2 queue second
 match in on re0 from 10.254.200.2 to any queue second
 match in on re1 from 10.254.200.2 to any queue second
 match out on re0 from 10.254.200.2 to any queue second
 match out on re0 from 10.254.200.2 to any queue second

 in this case, pftop was showing that it
 match out on re0 from 10.254.200.2 to any
 match on re1 from 10.254.200.2 to any
 it look like only upload rule match

 Can somebody help me on this ?

 Thanks

 Michel

 P.S : I have a VoIP queue that I will add after that will need the
 realtime option, that why I'm using HFSC.

OpenBSD 4.9 + Sound Blaster Live!

[James Colannino]

Hey everyone,

I have a question about the emu driver and a sound blaster live.  I'm 
trying to make my sound card work under OpenBSD 4.9, and have managed 
only to get a bunch of white noise coming through the front speakers. 
Does anyone have any experience with this card, and if so, would you 
like to share some configuration tips? :)


I've been reading the Multimedia section of the OpenBSD documentation, 
have made sure to unmute my card and set the master volume level, but I 
can't get this working.  I should also mention that I am VERY new to 
sound on OpenBSD :-P


Thanks!

James

Re: Only the first nameserver entry in resolv.conf is being queried

[Brett]

From: Brett brett.ma...@gmx.com
To: Daniel Melameth dan...@melameth.com
Subject: Re: Only the first nameserver entry in resolv.conf is being queried
Date: Tue, 16 Aug 2011 16:46:15 -0700
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; x86_64-unknown-openbsd5.0)


  nameserver 208.71.35.137
  nameserver 84.22.100.250
  nameserver 67.212.90.199
 
  The nameserver at 208.71.35.137 does not seem to be returning DNS queries
  with the above resolv.conf configuration.

On Tue, 16 Aug 2011 13:16:02 -0600
Daniel Melameth dan...@melameth.com wrote:
 
 A quick dig @208.71.35.137 shows it is responding, but not providing
 an answer.  I imagine if 208.71.35.137 was not responding at all,
 resolv.conf would behave as expected.
 

I just tried a putting a couple of random IP addresses as the first nameserver 
on the list, and now resolv.conf is indeed going through the list when the 
first one fails to give an answer.

Thanks, Daniel!

Brett.

Re: PF tcp sessions/s rate evaluation

[Quentin Aebischer]

Thx for the reply. Well I've already increased the state table size to  
15 entries, 1 was not enough (there was up to 7  
simultaneous state entries during the test). Hardware wise, I'm using  
a xeon 2.4 GHz monocore with 1 GB of RAM. Since this server is used as  
firewall only, I've raised the kernel space memory to up to 90% of  
total memory. I don't want to make hasty conclusion, so I'll keep  
searching..




Ryan McBride mcbr...@openbsd.org a C)critB :


There is not much to tweak, performance-wise. OpenBSD avoids such
buttons like the plague, and besides: benchmarks should be run with a
stock install, which is what 99% of users are going to be doing as well.

You can try looking at the output of 'pfctl -si' and see if any of those
is increasing a lot, it may give you some more hints. The only thing
that jumps to mind is the states limit; if it's getting hit you'll see
the memory counter increase. I can't make any suggestion for a good
value for 'set limit states' though because you included zero
information about the hardware you're testing on.



On Tue, Aug 16, 2011 at 02:12:01PM -0400, Quentin Aebischer wrote:

Hello everyone,

I'm currently a master degree student, and I'd like to benchmark
packet filter over the number of tcp sessions per seconds it can
handle.

So I've got a very basic setup working, consisting of one server
running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's
running Linux, acting respectively as client and webserver (running
apache2 for the last).

Basically, the client spams standard HTTP requests to the server via
the firewall using a basic HTTP injector tool and evaluates the
number of sucessful processed requests per seconds.

As one can expect, there is an inverse relationship between the
number of sessions/s a firewall can sustain and the size of the
object of the request. To achieve maximum throughput, you've got to
request big size objects (i.e 50KB or more), whereas to achieve
maximum sessions rate per second, you've got to make requests with 0
size objects.

Prior to this, I've run some tests with a Linux firewall running
iptables, and I've come up with an average rate of 11300 sessions/s
for 0 size objects (straight up results, no tweaks or improvements
made).

Moving on to the OpenBSD tests, I only achieved an average rate of
7000 sessions/s for 0 size object (starting up at 8000, slowly
decreasing to 7000 - 6500 ...), which is way above the
linux/iptables average rate . I then tried to make some tweaks in
/etc/sysctl.conf, but no improvement so far. The ruleset I use is
the following (copied from the OpenBSD pf tutorial) :

set block-policy drop
pass out quick
pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
pass in inet proto icmp all
pass in on $LAN.


So I come here now to know whether you guys have any idea what sort
of tweaks I could try to significantly enhance the number of tcp
sessions per seconds processed by PF. I'm kind of a PF newbie, so
I'm clueless for the moment . Any hints, thoughts or ideas is
appreciated !



--

Group ownership of files at creation time

[Stefan Johnson]

Hello list.

I have a question about the following observed behavior.

Let's assume that a user (user_a) belongs to two groups (group_a and
group_b.)
The user creates a directory called testdir and the ownership permissions
are
user_a:group_a after the directory is made.  The user runs:

chown user_a:group_b testdir

to change the group ownership to the user's secondary
group.  When the user changes to the new directory and creates a new file
with

touch test

the new file is created with the following ownership permissions:

user_a:group_b

On most of the unix / unix-like systems I support, this behavior would be
different.  The file would be created with user_a:group_a (since group_a is
the primary group.)  This is true on AIX, Solaris, Linux, and HP-UX per my
testing earlier today.  On Tru64 and OpenBSD, the group ownership seems
to be inherited by the parent directory rather than set by the user's
primary group
membership.  For AIX et.al. the setgid bit on the parent directory would
change
the behavior such that files created inside that directory would be owned by
the
parent directory group owner regardless of user's primary group membership.

It appears that OpenBSD (and Tru64) treat the directory as setgid (when
compared to the other OSes) but it is not.

My question is, is this the expected behavior, and what was the reasoning
when deciding to implement it this way if it is (expected behavior?)  Also,
is
there a known way to change this behavior to match the default behavior of
AIX and friends?

Testing of OpenBSD behavior was performed on version 4.8 running on alpha
and 4.9 running in qemu emulating i386.  Testing was done on mount points
with no options running other than rw as well as mounts with nodev and
nosuid options set.

I know this is a small thing, and comparing OpenBSD to the other systems
is kind of moot, I only bring this up because I'm trying to grasp the
reasoning
for this behavior.

Thank you for any responses,
Stefan Johnson

Re: PF tcp sessions/s rate evaluation

[Ryan McBride]

Just to clarify a bit, I would not be surprised if IPTables performs
more quickly than PF in this particular test, for a couple of reasons:

- PF uses a red-black tree for the session tracking, while iptables uses
  a hash table. The red-black tree means performance scales smoothly as
  the number of sessions increases (and avoids attacks on individual
  hash buckets), see http://www.benzedrine.cx/pf-paper.html for details,
  but the insert/delete cost is higher, which is what you're probably
  seeing here.

- PF does full TCP session checking by default (verifying TCP sequence
  numbers, etc). You could try testing with 'sloppy' state tracking to
  see if this makes a difference (NOT recommended in production unless
  you know what you're doing, so please don't report such results in a
  performance comparison). 

One problem with the test setup you've described (doing rdr-to for the
session to the webserver) is that you can't repeat the tests without the
firewall enabled to determine if it's a PF vs. iptables difference or
just an OpenBSD vs. Linux difference.

Also, if you post a dmesg of the system you're using and tell us what
interfaces $WAN and $LAN are, we can check you're not doing tests with
some ghastly network cards...



I don't know what knob you've twisted to raise the kernel space
memory, but such things are not recommended and I would prefer for you
to report worse results with a non-tweaked install than report a bunch
of settings that shouldn't be touched.

In general, the design goals of PF go somewhat in the following order
(I'll admit that we have a lot of work to do still on #2 in some areas
of PF):

1) Free software
2) Correct, readable code
3) Secure, robust packet filtering
4) Flexible but simple to use
5) Good performance

I don't think anyone here cares much if iptables is 'faster' as long as
we're ahead on the first 4 items above.

We already have enough fast, insecure systems. -- Bruce Schneier



On Tue, Aug 16, 2011 at 08:16:02PM -0400, Quentin Aebischer wrote:
 Thx for the reply. Well I've already increased the state table size
 to 15 entries, 1 was not enough (there was up to 7
 simultaneous state entries during the test). Hardware wise, I'm
 using a xeon 2.4 GHz monocore with 1 GB of RAM. Since this server is
 used as firewall only, I've raised the kernel space memory to up to
 90% of total memory. I don't want to make hasty conclusion, so I'll
 keep searching..
 
 
 
 Ryan McBride mcbr...@openbsd.org a C)critB :
 
 There is not much to tweak, performance-wise. OpenBSD avoids such
 buttons like the plague, and besides: benchmarks should be run with a
 stock install, which is what 99% of users are going to be doing as well.
 
 You can try looking at the output of 'pfctl -si' and see if any of those
 is increasing a lot, it may give you some more hints. The only thing
 that jumps to mind is the states limit; if it's getting hit you'll see
 the memory counter increase. I can't make any suggestion for a good
 value for 'set limit states' though because you included zero
 information about the hardware you're testing on.
 
 
 
 On Tue, Aug 16, 2011 at 02:12:01PM -0400, Quentin Aebischer wrote:
 Hello everyone,
 
 I'm currently a master degree student, and I'd like to benchmark
 packet filter over the number of tcp sessions per seconds it can
 handle.
 
 So I've got a very basic setup working, consisting of one server
 running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PC's
 running Linux, acting respectively as client and webserver (running
 apache2 for the last).
 
 Basically, the client spams standard HTTP requests to the server via
 the firewall using a basic HTTP injector tool and evaluates the
 number of sucessful processed requests per seconds.
 
 As one can expect, there is an inverse relationship between the
 number of sessions/s a firewall can sustain and the size of the
 object of the request. To achieve maximum throughput, you've got to
 request big size objects (i.e 50KB or more), whereas to achieve
 maximum sessions rate per second, you've got to make requests with 0
 size objects.
 
 Prior to this, I've run some tests with a Linux firewall running
 iptables, and I've come up with an average rate of 11300 sessions/s
 for 0 size objects (straight up results, no tweaks or improvements
 made).
 
 Moving on to the OpenBSD tests, I only achieved an average rate of
 7000 sessions/s for 0 size object (starting up at 8000, slowly
 decreasing to 7000 - 6500 ...), which is way above the
 linux/iptables average rate . I then tried to make some tweaks in
 /etc/sysctl.conf, but no improvement so far. The ruleset I use is
 the following (copied from the OpenBSD pf tutorial) :
 
 set block-policy drop
 pass out quick
 pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
 pass in inet proto icmp all
 pass in on $LAN.
 
 
 So I come here now to know whether you guys have any idea what sort
 of tweaks I could 

Re: PF tcp sessions/s rate evaluation

[Theo de Raadt]

 Thx for the reply. Well I've already increased the state table size to  
 15 entries, 1 was not enough (there was up to 7  
 simultaneous state entries during the test). Hardware wise, I'm using  
 a xeon 2.4 GHz monocore with 1 GB of RAM. Since this server is used as  
 firewall only, I've raised the kernel space memory to up to 90% of  
 total memory. I don't want to make hasty conclusion, so I'll keep  
 searching..

Regardiing this last bit.

REALLY!  How did you do that?  I'd love to know.  Whatever you did
does not do what you think it does.  In fact, I bet it is doing
exactly the opposite of what you think it does.

Re: Group ownership of files at creation time

[Andres Perera]

S_ISGID bits on a directory are meaningful in sysv, whereas on bsd
open(2) acts as if they were always on

Re: Group ownership of files at creation time

[Ted Unangst]

On Tue, Aug 16, 2011, Stefan Johnson wrote:

 On most of the unix / unix-like systems I support, this behavior would be
 different.  The file would be created with user_a:group_a (since group_a is
 the primary group.)  This is true on AIX, Solaris, Linux, and HP-UX per my
 testing earlier today.  On Tru64 and OpenBSD, the group ownership seems
 to be inherited by the parent directory rather than set by the user's
 primary group
 membership.  For AIX et.al. the setgid bit on the parent directory would
 change
 the behavior such that files created inside that directory would be owned by
 the
 parent directory group owner regardless of user's primary group membership.
 
 It appears that OpenBSD (and Tru64) treat the directory as setgid (when
 compared to the other OSes) but it is not.

BSD derived systems always have the setgid directory behavior.

The rationale is that if you have users sharing a directory, this is the
behavior you want and you shouldn't need to remember to chmod every
directory created, especially since you may not be creating directories
by hand.

Relayd + pf redirect external ip address + domain name - invalid virtual ip

[Quintin Prinsloo]

We've been using pf for a number of years with one pf firewall serving
multiple backend servers (i.e. Load-balanced web farm). Now we've added more
backend servers with their own external ip addresses. It seems a waste to
have one firewall for low volume, specialized sites, forwarding to only one
set of servers  only.

We're trying to have the same OpenBSD server redirect traffic based on the
external ip address.

What we're having difficulty with right now is getting relayd and pf to
redirect the same ports, example 80  443 to different backend servers based
on external ip (and domain name). It does work on ip address but not domain
names.

In pf...
We have a relayd anchors where pf will forward based on tagged names.
Nothing special here. Pf filters port range 81:442, only directing 80  443
to 443 (always) to the specified internal server or farm based on the
tagged name

The following works in relayd.conf when the ip addresses are specified (most
macro's and tables have been removed for clarity

redirect webone{
listen on 1.2.3.4 port 80:443 interface $ext_if
tag tag_one
forward to int_ipone port 443 check tcp
}

redirect web2{
listen on 2.3.4.5 port 80:443 interface $ext_if
tag tag_two
forward to int_iptwo port 443 check tcp
}

The following does not work
redirect webone{
listen on sub.sub.domain1.com port 80:443 interface $ext_if
tag tag_one
forward to int_ipone port 443 check tcp
}

redirect web2{
listen on $sub.sub.domain2.com port 80:443 interface $ext_if
tag tag_two
forward to int_iptwo port 443 check tcp
}

When this is entered, relayd -d -vv -f /etc/relayd.conf will complain that
these listen lines have invalid virtual ip

Am I missing something crucial here? Or is this simply a limitation of the
technology?

Any suggestions or working examples would be greatly appreciated.

Q@Q

Re: Group ownership of files at creation time

[Stefan Johnson]

On Tue, Aug 16, 2011 at 11:09 PM, Ted Unangst t...@tedunangst.com wrote:

 On Tue, Aug 16, 2011, Stefan Johnson wrote:

  On most of the unix / unix-like systems I support, this behavior would be
  different.  The file would be created with user_a:group_a (since group_a
 is
  the primary group.)  This is true on AIX, Solaris, Linux, and HP-UX per
 my
  testing earlier today.  On Tru64 and OpenBSD, the group ownership seems
  to be inherited by the parent directory rather than set by the user's
  primary group
  membership.  For AIX et.al. the setgid bit on the parent directory
 would
  change
  the behavior such that files created inside that directory would be owned
 by
  the
  parent directory group owner regardless of user's primary group
 membership.
 
  It appears that OpenBSD (and Tru64) treat the directory as setgid (when
  compared to the other OSes) but it is not.

 BSD derived systems always have the setgid directory behavior.

 The rationale is that if you have users sharing a directory, this is the
 behavior you want and you shouldn't need to remember to chmod every
 directory created, especially since you may not be creating directories
 by hand.


Thank you both for the explanation.  I thought it might be a BSD vs SysV
situation, but I wasn't positive.  The reasoning is sound.  I appreciate the
quick responses!

Stefan Johnson