Re: inteldrm_attach still broken

2011-12-30 Thread Alexander Polakov
* listmail listm...@entertech.com [111230 08:52]:
 Hi,
 
 Back in June of 2011, I reported problems with the Supermicro P8SCI and P8SCT
 motherboards failing to boot OpenBSD 4.8 and 4.9, due to a kernel page fault
 trap at inteldrm_attach. Just for fun, I tried OpenBSD 5.0 tonight, and the
 same problem still happens. 
 
 Has anyone found a workaround for this, or are there any plans to fix it? I
 have several of these motherboards running in firewalls, and unless I can find
 a fix, these boxes are trapped at OpenBSD 4.7 until I can replace them all.

Have you tried 

 boot -c
 disable inteldrm

If it works, use config -ef /bsd to make it permanent.

-- 
Alexander Polakov | plhk.ru



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Gregory Edigarov
On Fri, 30 Dec 2011 09:21:07 +0500
PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote:

 Hello!

 I'm running a BGP server which is also a DNS resolver.

 so, the host can go to the internet using 2 addresses

 a) vlan379, which is connected to the bgp peer
 b) vlan200, which is my own routable network

 the bgp peer is strange. it permits only bgp and icmp traffic over
 vlan379, the rest is silently dropped.
 I'd like to use the vlan379 address for bgp communication and vlan200 for
 the dns resolver (and the rest of the traffic), but OpenBSD simply uses
 the vlan379 address.

 well, I can use NAT on outgoing traffic, but it doesn't seem to be a
 proper solution.
 why does OpenBSD choose vlan379? how can I make it use vlan200 for
 all outgoing traffic except bgp communication?

this could be configured on a per-service basis. for example, with named
read man 5 named.conf, paying particular attention to the 'server' section.


--
With best regards,
Gregory Edigarov



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Gregory Edigarov
On Fri, 30 Dec 2011 10:14:08 +0200
Gregory Edigarov g...@bestnet.kharkov.ua wrote:

 On Fri, 30 Dec 2011 09:21:07 +0500
 PP;QQ P(P8P?P8QP8P= chipits...@gmail.com wrote:

  Hello!
 
  I'm running a BGP server which is also a DNS resolver.
 
  so, the host can go to the internet using 2 addresses
 
  a) vlan379, which is connected to the bgp peer
  b) vlan200, which is my own routable network
 
  the bgp peer is strange. it permits only bgp and icmp traffic over
  vlan379, the rest is silently dropped.
  I'd like to use the vlan379 address for bgp communication and vlan200
  for the dns resolver (and the rest of the traffic), but OpenBSD simply
  uses the vlan379 address.
 
  well, I can use NAT on outgoing traffic, but it doesn't seem to be a
  proper solution.
  why does OpenBSD choose vlan379? how can I make it use vlan200 for
  all outgoing traffic except bgp communication?

 this could be configured on a per-service basis. for example, with named
 read man 5 named.conf, paying particular attention to the 'server'
 section.
also the listen and query-source directives are at your service


--
With best regards,
Gregory Edigarov



I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Mostaf Faridi
Hello all guys,
After a long time I want to buy a labtop and I want to use it in my workplace. In
my workplace we have only a wireless network and we do not have a wired network;
we have a Linksys router and the other guys connect to the Linksys and use the
network. The other guys use Windows, but I want to use OpenBSD, and I do not know
which model I must buy. My new labtop must work on the wireless network.
Please help me with which model I must buy. I can find Lenovo and Asus here
and I can find some models of Sony too.
I want to use OpenBSD with GNOME and I want to use it as a desktop.
Please guide me on which model I must buy. My notebook or my labtop must have
6 gigabytes of RAM and a very powerful CPU.



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Vitali
On Fri, Dec 30, 2011 at 9:41 AM, Mostaf Faridi mostafafar...@gmail.com
wrote:
 Hello all guys,
 After a long time I want to buy a labtop and I want to use it in my workplace. In
 my workplace we have only a wireless network and we do not have a wired network;
 we have a Linksys router and the other guys connect to the Linksys and use the
 network. The other guys use Windows, but I want to use OpenBSD, and I do not know
 which model I must buy. My new labtop must work on the wireless network.
 Please help me with which model I must buy. I can find Lenovo and Asus here
 and I can find some models of Sony too.
 I want to use OpenBSD with GNOME and I want to use it as a desktop.
 Please guide me on which model I must buy. My notebook or my labtop must have
 6 gigabytes of RAM and a very powerful CPU.


http://www.openbsd.org/faq/faq6.html#Wireless
Please, look here. There is a list of the supported WiFi devices.


--
### Coonardoo - Криничка у тіні / The Well In The Shadow / Le Puits Dans L'Ombre ###



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Mostaf Faridi
Thanks all guys.
Sorry for my bad English, I must use "laptop", but I used "labtop".
For me the model is very important, for example I want to know which model of
Lenovo works well with OpenBSD. For example I want to know whether the Lenovo
ThinkPad 7000t works well or not.
On Dec 30, 2011 12:28 PM, Vitali coonar...@gmail.com wrote:

 On Fri, Dec 30, 2011 at 9:41 AM, Mostaf Faridi mostafafar...@gmail.com
 wrote:
  Hello all guys,
  After a long time I want to buy a labtop and I want to use it in my workplace. In
  my workplace we have only a wireless network and we do not have a wired network;
  we have a Linksys router and the other guys connect to the Linksys and use the
  network. The other guys use Windows, but I want to use OpenBSD, and I do not know
  which model I must buy. My new labtop must work on the wireless network.
  Please help me with which model I must buy. I can find Lenovo and Asus here
  and I can find some models of Sony too.
  I want to use OpenBSD with GNOME and I want to use it as a desktop.
  Please guide me on which model I must buy. My notebook or my labtop must have
  6 gigabytes of RAM and a very powerful CPU.
 

 http://www.openbsd.org/faq/faq6.html#Wireless
 Please, look here. There is a list of the supported WiFi devices.


 --
 ### Coonardoo - Криничка у тіні / The Well In The Shadow / Le Puits Dans L'Ombre ###



UTM appliance

2011-12-30 Thread Hassan Monfared
Hi,
I wanna choose a hardware appliance to make a UTM based on OpenBSD, does
anybody have a recommendation?
Regards,
Hassan H. Monfared



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Vitali
 Lenovo works well with OpenBSD. For example I want to know whether the Lenovo
 ThinkPad 7000t works well or not.


I also got a Lenovo G565 with a Broadcom 4313, not yet supported by OpenBSD,
but this is not an issue for me, so I can wait until the driver is
ported.
You should print out the list of supported WiFi devices and consult your
notebook distributor when buying a notebook, to be sure.
Some distributors may provide a hardware configuration according to the
client's wish. I don't know how it is in your country.

 On Dec 30, 2011 12:28 PM, Vitali coonar...@gmail.com wrote:

 On Fri, Dec 30, 2011 at 9:41 AM, Mostaf Faridi mostafafar...@gmail.com
 wrote:
  Hello all guys,
  After a long time I want to buy a labtop and I want to use it in my workplace,


--
### Coonardoo - Криничка у тіні / The Well In The Shadow / Le Puits Dans L'Ombre ###



Re: inteldrm_attach still broken

2011-12-30 Thread Stuart Henderson
On 2011-12-30, listmail listm...@entertech.com wrote:
 Back in June of 2011, I reported problems with the Supermicro P8SCI and P8SCT
 motherboards failing to boot OpenBSD 4.8 and 4.9, due to a kernel page fault
 trap at inteldrm_attach. Just for fun, I tried OpenBSD 5.0 tonight, and the
 same problem still happens. 

I don't see any posts from June about this. There's a thread from
May where oga@ mentioned he had committed a possible fix. Since this
seems to not be working, send a new report with a ddb trace,
ideally from -current.



Re: Loongson/Godson MIPS boxes, where to buy?

2011-12-30 Thread Pruttel

i saw them on face book and amazon also 250  500 us dollars

On 12/28/2011 04:07 AM, Alan Cheng wrote:
On Wed, Dec 28, 2011 at 2:09 AM, Dave U. Random anonym...@anonymitaet-im-inter.net wrote:

Are the Loongson/Godson MIPS boxes available over the counter yet? If so
where is the best place to order one? Thanks.



checkout http://www.tekmote.nl/




Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Daniel Bolgheroni
On Fri, Dec 30, 2011 at 12:36:11PM +0330, Mostaf Faridi wrote:
 Thanks all guys.
 Sorry for my bad English, I must use "laptop", but I used "labtop".
 For me the model is very important, for example I want to know which model of
 Lenovo works well with OpenBSD. For example I want to know whether the Lenovo
 ThinkPad 7000t works well or not.
 On Dec 30, 2011 12:28 PM, Vitali coonar...@gmail.com wrote:

Most distributors have only 1 bit to deal with this info:

- wifi
- no wifi

In such places, asking just for the brand is asking too much
already. Depending on where you live, you'll have to figure it out
yourself.




Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread STeve Andre'

On 12/30/11 04:06, Mostaf Faridi wrote:

Thanks all guys.
Sorry for my bad English, I must use "laptop", but I used "labtop".
For me the model is very important, for example I want to know which model of
Lenovo works well with OpenBSD. For example I want to know whether the Lenovo
ThinkPad 7000t works well or not.
On Dec 30, 2011 12:28 PM, Vitali coonar...@gmail.com wrote:



It's not the newest model, but the W500 is a wonderful laptop.  I
am using it now.  2.8G core two, 8G ram, one or two disks, Intel
em ethernet and iwn wireless, USB 2, ATI Radeon video.

Look for them; since they are not new, the price has come
down.

--STeve Andre'



Re: Loongson/Godson MIPS boxes, where to buy?

2011-12-30 Thread Anonymous Remailer (austria)
 i saw them on face book and amazon also 250  500 us dollars

Like Kurt Russell said, That's TOO FUCKING HIGH!!!

When they start selling them for a fair price let's say 50 bucks for the
black box and maybe 150 for a loaded laptop then it's time to buy. Until
then, tekmote isn't getting my business.



Re: Loongson/Godson MIPS boxes, where to buy?

2011-12-30 Thread Richard Thornton
most netbooks with Intel Atom retail in the $250 to $400 range;  what's
your damage?

On Fri, Dec 30, 2011 at 7:39 AM, Anonymous Remailer (austria) 
mixmas...@remailer.privacy.at wrote:

  i saw them on face book and amazon also 250  500 us dollars

 Like Kurt Russell said, That's TOO FUCKING HIGH!!!

 When they start selling them for a fair price let's say 50 bucks for the
 black box and maybe 150 for a loaded laptop then it's time to buy. Until
 then, tekmote isn't getting my business.



Re: Loongson/Godson MIPS boxes, where to buy?

2011-12-30 Thread Steffen Daode Nurpmeso
Richard Thornton wrote [2011-12-30 14:25+0100]:
 what's your damage?

The damage of Fritz Wühler is that he doesn't read books.
I'm currently reading
Richtisch beese Mäuler (Hessische Satiren)
Reallybad   Jaws   (Satires from Hesse)
a retrospective of humour from my little homeland :),
and one of the stories therein is
Heinrich Hoffmann - Handbüchlein für Wühler
  - 'Little [or: Petty] Handbook' for Agitators

The same author also wrote The Story of Little Suck-a-Thumb.
You get the idea ...

Fritz - stop your handwork, read this first.
Bye!  beside that.

--steffen



Re: Two ISPs on the same interface

2011-12-30 Thread Papo Napolitano

On 2011-12-29 18:56, Joseph Yeager wrote:


Hello all,

I got two ISP lines (1 Mb and 6 Mb) and was planning to route outgoing
guest traffic thru the smaller one.
Problem is my FW only has two NICs.
If both external routers are connected to a Cisco switch as well as the
external OpenBSD interface, is it possible to use route-to to send
packets to the ISP gateway I choose?
All the examples I found use three NICs.

Thanks.-


  The key to figuring this out is a little more detail on the
specifics of your ISP connections and provided devices.  Are they using
just basic modems or devices acting as gateways?  If those devices are
gateways then you could simply configure the internal side of those
gateways to different subnets: say 192.168.1.0/24 for non guest traffic
and 192.168.2.0/24 for guest traffic.  The firewall will be
assigned IPs from both subnets on the same interface via an alias.  Your
route-to rules for both sides of traffic would use the same network
interface, but specify 192.168.2.1 (assuming .1 is the ISP gateway
address) as the gateway IP for guest traffic.
  The other side is if the ISP device is a modem/bridge/media
converter and your firewall gets assigned the public IP addresses.  In
that case you need each connection to have a different gateway (which
usually would mean the IPs are on different subnets).  If they have
different gateways, you can do the same thing as above except change the
IP addresses to the public ones.  If they happen to have the same
gateway, I would look more into aggregating those links and then using
ALTQ to throttle guest traffic on your firewall.


Both devices are modem/bridge/media converter and each provides 5 public 
IPs directly to the firewall.
And as each subnet has its own gateway on a different subnet, I'll just 
try the vlan + alias + route-to approach.


Thanks!
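The alias + route-to layout settled on above, written out as an added pf.conf example (it is not the poster's configuration and not from the thread). It assumes em0 is the external NIC on the Cisco switch and em1 the LAN, uses the 5.x-era route-to syntax the thread dates from, and all addresses are constructed documentation values:

```pf
# Added example, not the poster's real configuration.
# em0 carries one address in each ISP's subnet, e.g. in /etc/hostname.em0
# (constructed RFC 5737 values):
#   inet 192.0.2.2 255.255.255.248
#   inet alias 198.51.100.2 255.255.255.248
ext_if    = "em0"
int_if    = "em1"
lan_net   = "10.0.1.0/24"       # assumed staff subnet behind em1
guest_net = "10.0.2.0/24"       # assumed guest subnet behind em1
fast_gw   = "192.0.2.1"         # 6 Mb line; the system default route
fast_addr = "192.0.2.2"
slow_gw   = "198.51.100.1"      # 1 Mb line, reached through the alias
slow_addr = "198.51.100.2"

# Guests: translate to the alias and hand the packet to the 1 Mb gateway.
# route-to names both the interface and the gateway, so the two ISPs can
# share em0; traffic staying on the LAN is left alone.
match out on $ext_if from $guest_net nat-to $slow_addr
pass in quick on $int_if from $guest_net to ! $int_if:network \
    route-to ($ext_if $slow_gw)

# Everyone else: translate to the primary address and follow the default
# route, which points at $fast_gw.
match out on $ext_if from $lan_net nat-to $fast_addr
pass in on $int_if from $lan_net
pass out on $ext_if
```

The check after loading this is the same one the thread suggests: `route -n get` for a guest destination still shows `$fast_gw`, because route-to bypasses the routing table, so confirm the split with `pfctl -s states` or a packet capture on em0 and look at which gateway MAC the guest flows go to.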



Re: OpenBSD as router for UK FTTC?

2011-12-30 Thread percy piper
On 30 December 2011 01:17, Stuart Henderson s...@spacehopper.org wrote:

 I haven't seen this with pppoe(4) and any of: zen fttc, demon adsl
 (ipstream), aaisp adsl (ipstream or 21cn), bogons adsl (ipstream).

OK thanks. That's a decent list of positives.

 Does your ISP have reachable technical people that might be able to
 give a bit of insight into what they're seeing?

They do (even taking time out from their vacation!). They observed
that we did not attempt to negotiate mru, but none of us could see why
that might cause the AC to fail to ack or nak our auth response. As we
were impinging on their holiday and we had a workaround we agreed to
look more deeply into it at a later date.

Unfortunately we're in a catch 22 scenario because:
a. Every single pppoe capable device we tested worked straight away
except pppoe(4).
b. No other customer has apparently had issues similar to this.

We've gone with a non OpenBSD router for the pppoe link for now as
userland ppp performance was too poor and quite erratic. I hope we'll
have a chance to revisit this when the 3rd line techs are back in the
office in the new year.

Thanks very much for your time and insights. They are very much appreciated.



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Dave Anderson
On Fri, 30 Dec 2011, Mostaf Faridi wrote:

Hello all guys,
After a long time I want to buy a labtop and I want to use it in my workplace. In
my workplace we have only a wireless network and we do not have a wired network;
we have a Linksys router and the other guys connect to the Linksys and use the
network. The other guys use Windows, but I want to use OpenBSD, and I do not know
which model I must buy. My new labtop must work on the wireless network.
Please help me with which model I must buy. I can find Lenovo and Asus here
and I can find some models of Sony too.
I want to use OpenBSD with GNOME and I want to use it as a desktop.
Please guide me on which model I must buy. My notebook or my labtop must have
6 gigabytes of RAM and a very powerful CPU.

This can be very difficult to deal with since most manufacturers not
only won't tell you exactly what parts they're using but will change
them without notice.  What I did was to install the latest amd64
snapshot to a USB stick, boot that on the demo machines in stores, and
save the dmesg to the stick so I could analyze it later for unsupported
hardware.  Most (but not all) stores here were willing to let me do
this.  I eventually found a model where everything I cared about worked.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Henning Brauer
* PP;QQ P(P8P?P8QP8P= chipits...@gmail.com [2011-12-30 05:21]:
 why does OpenBSD choose vlan379 ? how can I make it use vlan200 for
 all outgoing traffic except bgp communication ?

for wildcard binds (INADDR_ANY aka 0.0.0.0, connect without bind has the
same effect) the address is chosen based on the route to the destination.

i. e. for www.google.com from my location:

br...@cr10.ham  $ route -n get 173.194.69.105
   route to: 173.194.69.105
destination: 173.194.69.0
       mask: 255.255.255.0
    gateway: 80.81.203.34
  interface: carp0
 if address: 80.81.203.19
   priority: 48 (bgp)
      flags: <UP,GATEWAY,DONE>
     use       mtu    expire
 1431189         0         0

the if address is used.

how's the if address figured out? easy. if the route lookup gives a
gateway route (as in the above example, gateway 80.81.203.34), a lookup
for the route to that gateway is done (basically, i simplify a bit).
if needed this is repeated until we get a connected route - which we
have straight after looking up the route to the gateway from the
previous route in this case.

br...@cr10.ham  $ route -n get 80.81.203.34
   route to: 80.81.203.34
destination: 80.81.203.34
  interface: carp0
 if address: 80.81.203.19
   priority: 4 (connected)
      flags: <UP,HOST,DONE,LLINFO,CLONED>
     use       mtu    expire
      20         0       224

so now we have our connected route. as in,
  ($dest & $mask) == ($ifaddr & $mask)
binary & of course, and mask is taken from the interface. et voila, we
have the interface address figured out and use that as src address.

so all you need to do is to get your routes right. from your
description (which leads to the impression that your ISP makes you use
a pretty strange setup) you'll need to set the nexthop to your ISP's
address on that other vlan in your bgpd.conf - look for "set nexthop"
in bgpd.conf.5

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: UTM appliance

2011-12-30 Thread Henning Brauer
* Hassan Monfared hmonfa...@gmail.com [2011-12-30 10:18]:
 I wanna choose a hardware appliance to make a UTM based on OpenBSD, does
 anybody have a recommendation?

yes, I have one.

stop believing marketing lies.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: inteldrm_attach still broken

2011-12-30 Thread Henning Brauer
* Alexander Polakov polac...@gmail.com [2011-12-30 09:11]:
 * listmail listm...@entertech.com [111230 08:52]:
  Back in June of 2011, I reported problems with the Supermicro P8SCI and 
  P8SCT
  motherboards failing to boot OpenBSD 4.8 and 4.9, due to a kernel page fault
  trap at inteldrm_attach. Just for fun, I tried OpenBSD 5.0 tonight, and the
  same problem still happens. 
  
  Has anyone found a workaround for this, or are there any plans to fix it? I
  have several of these motherboards running in firewalls, and unless I can 
  find
  a fix, these boxes are trapped at OpenBSD 4.7 until I can replace them all.
 
 Have you tried 
 
  boot -c
  disable inteldrm
 
 If it works, use config -ef /bsd to make it permanent.

no, don't do that. that just stupidly hides the bug and pretty much
makes sure it won't get fixed (unless someone else runs into it too
and doesn't pick stupid workarounds).

this however IS useful to (mostly) verify inteldrm itself is to blame.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: inteldrm_attach still broken

2011-12-30 Thread listmail
On Fri, 30 Dec 2011 17:11:18 +0100, Henning Brauer wrote
 * Alexander Polakov polac...@gmail.com [2011-12-30 09:11]:
  * listmail listm...@entertech.com [111230 08:52]:
   Back in June of 2011, I reported problems with the Supermicro P8SCI and
P8SCT
   motherboards failing to boot OpenBSD 4.8 and 4.9, due to a kernel page 
   fault
   trap at inteldrm_attach. Just for fun, I tried OpenBSD 5.0 tonight, and 
   the
   same problem still happens. 
   
  Have you tried 
  
   boot -c
   disable inteldrm
  
  If it works, use config -ef /bsd to make it permanent.
 
 no, don't do that. that just stupidly hides the bug and pretty much
 makes sure it won't get fixed (unless someone else runs into it too
 and doesn't pick stupid workarounds).
 
 this however IS useful to (mostly) verify inteldrm itself is to blame.
 
Thanks to Alexander and Henning for the suggestions. By disabling inteldrm at
boot time, I was able to get one of the Supermicro mobos to boot OpenBSD 5.0. 
From that instance, I used sendbug(1) to mail a bug report. From looking at
the changelog http://openbsd.org/plus48.html I see that two changes were
checked in between 4.7 and 4.8 related to inteldrm. Hopefully this helps the
maintainer of that module to track down and fix the problem.


Happy New Year to All!

Cheers,
--Bill



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Stuart Henderson
On 2011-12-30, Henning Brauer lists-open...@bsws.de wrote:
 * chipits...@gmail.com [2011-12-30 05:21]:
 why does OpenBSD choose vlan379 ? how can I make it use vlan200 for
 all outgoing traffic except bgp communication ?

 for wildcard binds (INADDR_ANY aka 0.0.0.0, connect without bind has the
 same effect) the address is chosen based on the route to the destination.

IPv6's source address selection logic is so awesome there's a 23-page
RFC to describe it. and it's not even deterministic! if you exhaust the
set of 8 priorities to follow, the OS can choose whichever address it
likes! clever eh? you couldn't make this up.

guess which company authored the RFC.



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Amit Kulkarni
On Fri, Dec 30, 2011 at 2:36 PM, Stuart Henderson s...@spacehopper.org wrote:
 On 2011-12-30, Henning Brauer lists-open...@bsws.de wrote:
 * chipits...@gmail.com [2011-12-30 05:21]:
 why does OpenBSD choose vlan379 ? how can I make it use vlan200 for
 all outgoing traffic except bgp communication ?

 for wildcard binds (INADDR_ANY aka 0.0.0.0, connect without bind has the
 same effect) the address is chosen based on the route to the destination.

 IPv6's source address selection logic is so awesome there's a 23-page
 RFC to describe it. and it's not even deterministic! if you exhaust the
 set of 8 priorities to follow, the OS can choose whichever address it
 likes! clever eh? you couldn't make this up.

 guess which company authored the RFC.


cisco? and no i didn't look



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Stuart Henderson
On 2011-12-30, Amit Kulkarni amitk...@gmail.com wrote:
 On Fri, Dec 30, 2011 at 2:36 PM, Stuart Henderson s...@spacehopper.org 
 wrote:
 On 2011-12-30, Henning Brauer lists-open...@bsws.de wrote:
 * chipits...@gmail.com [2011-12-30 05:21]:
 why does OpenBSD choose vlan379 ? how can I make it use vlan200 for
 all outgoing traffic except bgp communication ?

 for wildcard binds (INADDR_ANY aka 0.0.0.0, connect without bind has the
 same effect) the address is chosen based on the route to the destination.

 IPv6's source address selection logic is so awesome there's a 23-page
 RFC to describe it. and it's not even deterministic! if you exhaust the
 set of 8 priorities to follow, the OS can choose whichever address it
 likes! clever eh? you couldn't make this up.

 guess which company authored the RFC.


 cisco? and no i didn't look



Nope.

(Actually you can work-around this insanity with v6 by setting pltime 0
when you configure any addresses that you _don't_ want to be used as a
valid source).



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Claudio Jeker
On Fri, Dec 30, 2011 at 05:08:28PM +0100, Henning Brauer wrote:
 * PP;QQ P(P8P?P8QP8P= chipits...@gmail.com [2011-12-30 05:21]:
  why does OpenBSD choose vlan379 ? how can I make it use vlan200 for
  all outgoing traffic except bgp communication ?

 for wildcard binds (INADDR_ANY aka 0.0.0.0, connect without bind has the
 same effect) the address is chosen based on the route to the destination.

Many applications allow you to bind(2) before doing the connect(2) so you can
define the outgoing address being used. I know that especially the DNS
resolvers bind and unbound have that option.
This is your best option to go NAT free in your situation without calling
your ISP names for insane filtering restrictions on the uplink.
Seems like they're stuck in the past where a bgp router was only a bgp
router and an easy target for other attacks (like telnet).

 i. e. for www.google.com from my location:

 br...@cr10.ham  $ route -n get 173.194.69.105
    route to: 173.194.69.105
 destination: 173.194.69.0
        mask: 255.255.255.0
     gateway: 80.81.203.34
   interface: carp0
  if address: 80.81.203.19
    priority: 48 (bgp)
       flags: <UP,GATEWAY,DONE>
      use       mtu    expire
  1431189         0         0

 the if address is used.

 how's the if address figured out? easy. if the route lookup gives a
 gateway route (as in the above example, gateway 80.81.203.34), a lookup
 for the route to that gateway is done (basically, i simplify a bit).
 if needed this is repeated until we get a connected route - which we
 have straight after looking up the route to the gateway from the
 previous route in this case.

To be true the ifa (as in if address) is stored on each route individually
and can be forced by route(8). But yes, on route insertion the kernel will
do the mentioned dance by looking up the gateway unless userland provided
an ifa in advance. Now that does not help for BGP learned routes but can
be used for other tricks.

 so all you need to do is getting your routes right. from your
 description (which leads to the impression that your ISP makes you use
 a pretty strange setup) you'll need to set the nexthop to your ISP's
 address on that other vlan in your bgpd.conf - look for set nexthop
 in bgpd.conf.5

set nexthop will not work; it is used for outgoing updates, not for the FIB.
The only option I see to workaround the problem is to use multiple routing
tables (one with the BGP feed and one with just a default route) but it
still requires some pf(4) trickery to make packets switch between the
tables at the right moment.

--
:wq Claudio
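The source-address rule Henning walks through above (longest-prefix lookup, then follow the gateway until a connected route and take its "if address"), together with Claudio's two additions (the ifa is stored per route and can be forced by userland; bind(2) before connect(2) bypasses the lookup), as a small model added here for illustration. It is not OpenBSD kernel code. The priorities 4 (connected) and 48 (bgp) are the ones in the route output above; 8 for static routes is assumed from OpenBSD's defaults and is not on the page. The addresses are constructed documentation values laid out like the original poster's setup: a /30 to the BGP peer on vlan379, the site's own /24 on vlan200, and a default route learned via BGP.

```python
"""Model of how the kernel picks the source address for a wildcard bind.

Added illustration, not OpenBSD code. Follows the thread: longest-prefix
lookup, walk gateway routes until a connected route, and use that route's
interface address (the ifa) as the source. The ifa is stored on each route
(resolved on insertion unless userland forced one), and an explicit bind(2)
wins over the lookup. Priorities: 4 connected, 48 bgp (from the route output
in the thread); 8 static is assumed. All addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net                     # destination/mask
    iface: str
    gateway: Optional[Addr] = None  # None: a connected route
    ifaddr: Optional[Addr] = None   # the ifa; resolved on insertion if absent
    priority: int = 8


class Fib:
    """Forwarding table with the kernel's ifa resolution rule."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def lookup(self, dst) -> Route:
        """Longest-prefix match; on equal length the lower priority wins."""
        dst = ipaddress.ip_address(dst)
        # 'dst in prefix' is exactly (dst & mask) == (destination & mask)
        hits = [r for r in self.routes if dst in r.prefix]
        if not hits:
            raise LookupError(f"no route to {dst}")
        return min(hits, key=lambda r: (-r.prefix.prefixlen, r.priority))

    def add(self, prefix, iface, gateway=None, ifaddr=None, priority=None) -> Route:
        """Insert a route; a connected route must carry its interface address."""
        if priority is None:
            priority = 4 if gateway is None else 8
        r = Route(Net(prefix), iface,
                  None if gateway is None else Addr(gateway),
                  None if ifaddr is None else Addr(ifaddr), priority)
        if r.ifaddr is None:
            r.ifaddr = self._resolve_ifa(r)   # userland did not force one
        self.routes.append(r)
        return r

    def _resolve_ifa(self, r: Route, hops: int = 16) -> Addr:
        """The 'dance': look up the gateway until a connected route is hit."""
        while r.gateway is not None:
            if hops == 0:
                raise LookupError("gateway chain too long")
            r = self.lookup(r.gateway)
            hops -= 1
        if r.ifaddr is None:
            raise ValueError(f"connected route {r.prefix} has no address")
        return r.ifaddr

    def source_address(self, dst, bound=None) -> Addr:
        """What connect(2) ends up using: the bind(2) address if the program
        set one, otherwise the ifa of the route to dst."""
        if bound is not None:
            return Addr(bound)
        return self.lookup(dst).ifaddr


def build_poster_fib() -> Fib:
    """The situation in the thread: a /30 to the BGP peer on vlan379, the
    site's own network on vlan200, and a default route learned via BGP."""
    fib = Fib()
    fib.add("192.0.2.0/30", "vlan379", ifaddr="192.0.2.2")       # peer is .1
    fib.add("198.51.100.0/24", "vlan200", ifaddr="198.51.100.1")
    fib.add("0.0.0.0/0", "vlan379", gateway="192.0.2.1", priority=48)  # bgp
    return fib


if __name__ == "__main__":
    fib = build_poster_fib()
    dns_server = "203.0.113.53"
    print("wildcard bind ->", fib.source_address(dns_server))   # 192.0.2.2, vlan379
    print("bind() first  ->", fib.source_address(dns_server, bound="198.51.100.1"))
    # a static route via a vlan200 gateway resolves its ifa to the vlan200 address
    r = fib.add("203.0.113.0/24", "vlan200", gateway="198.51.100.254")
    print("static route  ->", r.ifaddr, "now used for", dns_server)
```

Running it reproduces the original poster's complaint (the wildcard case lands on the vlan379 address because the only route to the resolver's targets is the BGP default) and shows why Claudio's bind-first advice works without touching the routing table.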



Re: how to choose outgoing IPv4 address/interface ?

2011-12-30 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2011-12-30 23:32]:
 On Fri, Dec 30, 2011 at 05:08:28PM +0100, Henning Brauer wrote:
  * PP;QQ P(P8P?P8QP8P= chipits...@gmail.com [2011-12-30 05:21]:
   why does OpenBSD choose vlan379 ? how can I make it use vlan200 for
   all outgoing traffic except bgp communication ?
  for wildcard binds (INADDR_ANY aka 0.0.0.0, connect without bind has the
  same effect) the address is chosen based on the route to the destination.
 Many applications allow you to bind(2) before doing the connect(2) so you can
 define the outgoing address being used. I know that especially the DNS
 resolvers bind and unbound have that option.

true.
i kinda excluded the per-app options.

  how's the if address figured out? easy. if the route lookup gives a
  gateway route (as in the above example, gateway 80.81.203.34), a lookup
  for the route to that gateway is done (basically, i simplify a bit).
  if needed this is repeated until we get a connected route - which we
  have straight after looking up the route to the gateway from the
  previous route in this case.
 To be true the ifa (as in if address) is stored on each route individually
 and can be forced by route(8). But yes, on route insertion the kernel will
 do the mentioned dance by looking up the gateway unless userland provided
 an ifa in advance. Now that does not help for BGP learned routes but can
 be used for other tricks.

in the common setup the true vs exit nexthop stuff will do the
trick, but indeed there are exceptions.

  so all you need to do is getting your routes right. from your
  description (which leads to the impression that your ISP makes you use
  a pretty strange setup) you'll need to set the nexthop to your ISP's
  address on that other vlan in your bgpd.conf - look for set nexthop
  in bgpd.conf.5
 set nexthop will not work; it is used for outgoing updates, not for the FIB.

you're right, thinko on my side.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Kevin Chadwick
On Fri, 30 Dec 2011 04:42:43 -0500
STeve Andre' wrote:

 It's not the newest model, but the W500 is a wonderful laptop.  I
 am using it now.  2.8G core two

Should that be W500 with dual core? Core 2 Duos have botched microcode
with security risks according to Theo, though I'm not sure of the
specifics/severity.



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Juan Francisco Cantero Hurtado

On 12/30/2011 10:06 AM, Mostaf Faridi wrote:

Thanks all guys.
Sorry for my bad English, I must use "laptop", but I used "labtop".
For me the model is very important, for example I want to know which model of
Lenovo works well with OpenBSD. For example I want to know whether the Lenovo
ThinkPad 7000t works well or not.


Don't worry about the wireless adapter. If it isn't compatible, buy a 
nano wifi adapter [1] (they are very cheap and compatible).


The other hardware is more important because you can't change this if 
your choice is bad. Just buy a good laptop :)


1.- http://www.andahammer.com/assets/Uploads/HomePage/EDUPNano2.jpg

Cheers.

--
Juan Francisco Cantero Hurtado http://juanfra.info



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread STeve Andre'

On 12/30/11 21:23, Kevin Chadwick wrote:

On Fri, 30 Dec 2011 04:42:43 -0500
STeve Andre' wrote:


It's not the newest model, but the W500 is a wonderful laptop.  I
am using it now.  2.8G core two

Should that be W500 with dual core? Core 2 Duos have botched microcode
with security risks according to Theo, though I'm not sure of the
specifics/severity.



Yes, W500's do have that potential problem.  It's a real issue,
which makes me think that not running Windows is a grand
idea.  I'm not sure there is a solution to this.  Laptops are
special--you can't take parts out or add them as easily as a
desktop.  *sigh*

--STeve Andre'



Re: UTM appliance

2011-12-30 Thread Hassan Monfared
So, what ?
where is the problem ?

On Fri, Dec 30, 2011 at 7:44 PM, Henning Brauer lists-open...@bsws.de wrote:

 * Hassan Monfared hmonfa...@gmail.com [2011-12-30 10:18]:
  I wanna choose a hardware appliance to make a UTM based on OpenBSD, does
  anybody have a recommendation?

 yes, I have one.

 stop believing marketing lies.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: UTM appliance

2011-12-30 Thread bofh
There's no one size fits all.  A good packet inspection firewall with
IPS with application firewall (or application proxy really) and URL
filtering with antivirus and antispam, WIFI, DLP (data leakage
prevention), log monitoring and inspection, NAC and so on does not
really exist, whether you want to buy or make one.

It really can't.

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: UTM appliance

2011-12-30 Thread Hassan Monfared
Of course there is no perfect HW for every functionality of UTM.
I'm looking for an average system applicable to small/medium range business
requirements for Firewalling, NAT, Caching, ...
I understand that no HW brand/model is completely perfect, but there must
be acceptable solutions from suppliers.
I personally found these products after some googling, but I'm looking for
a low price and proven solution based on OpenBSD,
http://www.holl.cn/product/en/productlist.asp?sortID=90

Regards, and Happy New Year for all OpenBSD fans

On Sat, Dec 31, 2011 at 8:30 AM, bofh goodb...@gmail.com wrote:

 There's no one size fits all.  A good packet inspection firewall with
 IPS with application firewall (or application proxy really) and URL
 filtering with antivirus and antispam, WIFI, DLP (data leakage
 prevention), log monitoring and inspection, NAC and so on does not
 really exist, whether you want to buy or make one.

 It really can't.

 --
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted.  -- Gene Spafford
 learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: UTM appliance

2011-12-30 Thread bofh
I don't think you're getting the point.

*WHAT* are you looking for?  UTM means different things to different
people.  If all you want is a packet firewall and NAT with URL
caching, depending on how many people you're looking at servicing,
just about any box on the market will do it.  The only additional
thing you need to add is either something like squid or polipo.



--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: UTM appliance

2011-12-30 Thread Hassan Monfared
Something like pfSense!

On Sat, Dec 31, 2011 at 9:13 AM, bofh goodb...@gmail.com wrote:

 I don't think you're getting the point.

 *WHAT* are you looking for?  UTM means different things to different
 people.  If all you want is a packet firewall and NAT with URL
 caching, depending on how many people you're looking at servicing,
 just about any box on the market will do it.  The only additional
 thing you need to add is either something like squid or polipo.



 --
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted.  -- Gene Spafford
 learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: I want buy labtop ,work OpenBSD, wireless network must work

2011-12-30 Thread Richard Thornton
Buy an i3 instead, but what is the design flaw which cannot be fixed via
microcode updates?

On Fri, Dec 30, 2011 at 10:16 PM, STeve Andre' and...@msu.edu wrote:

 On 12/30/11 21:23, Kevin Chadwick wrote:

 On Fri, 30 Dec 2011 04:42:43 -0500
 STeve Andre' wrote:

  It's not the newest model, but the W500 is a wonderful laptop.  I
 am using it now.  2.8G core two

 Should that be W500 with dual core? Core 2 Duos have botched microcode
 with security risks according to Theo, though I'm not sure of the
 specifics/severity.


  Yes, W500's do have that potential problem.  It's a real issue,
 which makes me think that not running Windows is a grand
 idea.  I'm not sure there is a solution to this.  Laptops are
 special--you can't take parts out or add them as easily as a
 desktop.  *sigh*

 --STeve Andre'