have
nobody except a bunch of busy and lazy students to administer the boxes
OpenBSD would be a painless choice...
Thanks,
Jussi Peltola
?
HTH,
Jussi Peltola
machine to work around
the problem. Print server IP stacks tend to be funny, especially in case
of non-1500 MTU.
--
Jussi Peltola
On Fri, Mar 23, 2007 at 08:35:19AM +0100, carlopmart wrote:
My problem is with pf rules. If I put 'pass all' in pf.conf, all works ok.
Did you remember to pass loopback connections?
Try pressing the key that brings up the boot device menu (F12 on my
ThinkPads, IIRC).
I've often found it won't ever boot from CD if there is a valid MBR
on the HD without using the menu (that makes it boot faster...)
--
Jussi Peltola
read the man page of spamd? There is also a list of databases
and links to the man pages at http://www.openbsd.org/spamd/.
--
Regards,
Jussi Peltola
Export / with NFS, mount it somewhere and you will see the old contents.
4-5 years, but I'm still learning lots and lots every day.
It really depends a lot on the definition of mastering, since using an
OS also requires understanding the real world situation where you use
the OS in. I felt at home on *nix after 2-3 years, which I think is
something easier to define.
I use an X22 with Linux, and I simply added chvt to my suspend script to
change to a text console before suspend. OpenBSD does not have chvt as
far as I know, but Google found the following:
http://www.cs.cmu.edu/~joshuad/wsswitch.c
I haven't tested it, but I guess it should do the job, unless
# /etc/dhcpd.conf
option domain-name-servers 200.232.140.1;
subnet 200.232.140.0 netmask 255.255.255.0 {
option routers 200.232.140.1;
range 200.232.140.20 200.232.140.200;
}
subnet 172.16.255.0 netmask 255.255.255.0 {
option routers 172.16.255.1;
range 172.16.255.20 172.16.255.200;
}
seen, it has an integrated USB-serial converter which
should work just fine. With today's trends I wouldn't be surprised if
software USB modems had emerged, however...
--
Jussi Peltola
On Wed, Jan 16, 2008 at 10:27:10PM +1300, [EMAIL PROTECTED] wrote:
I seem to be getting a fair few of these on my firewall recently,
looking like arp cache poisoning. it may be related to me losing service
occasionally.
I can't see how i could get pf to filter on what is effectively a
brain and take my answers with a
large grain of salt.
--
Jussi Peltola
everyday life.
--
Jussi Peltola
X22, which does support APM :(
Oh - and to answer your question, not that I know of. Sorry.
--
Jussi Peltola
-to) that you need to
statefully route to the correct interface using PF.
Anyway, I have a very hard time writing correct rulesets with route-to /
reply-to, so hopefully someone more experienced can comment / beat me
with a clue stick.
--
Jussi Peltola
On Sun, Jan 20, 2008 at 07:13:02AM +0200, Jussi Peltola wrote:
On Sun, Jan 20, 2008 at 03:48:16PM +1100, Sunnz wrote:
pass out on pppoe1 route-to (pppoe0 pppoe0:peer) \
from any to pppoe0
I don't think that will work. Anyone trying to reach pppoe0 will not get
routed out
users from looking at each others' files, chmod
their home directories to 711. There is very little reason to chroot
users in a secure system, just chmod your secrets so they can not see
them.
--
Jussi Peltola
-to does not work with UDP connections? I
don't have a UDP service to test this out now, but I probably will
have some UDP service in the future.
pf keeps state on UDP (and ICMP) just fine.
--
Jussi Peltola
of stateful filtering: the connection is to
pppoe0:0 but the replies are from pppoe0:0, and the rule will not
match them when it is stateful. Try adding no state to your rules
(which is not recommended) or using reply-to.
--
Jussi Peltola
) pppoe0 response pppoe1 wrong and dropped by the ISP.
And I need to change 2) to...
3) pppoe0 response pppoe0
Or am I terribly wrong?
That is correct as far as I can see.
--
Jussi Peltola
devices to a WLAN. Those usually
have a convenient external antenna connection, too. With PoE one of
those would probably be my choice to solve the problem if I had an
external antenna - if I had to hack something together I'd use a USB
dongle and some kitchenware as a reflector.
--
Jussi Peltola
On Thu, Jan 24, 2008 at 07:16:17PM +0100, Firas Kraiem wrote:
Really ? I tried that but it didn't seem to work...
The only sure thing about usb boot is that it depends on your BIOS...
--
Jussi Peltola
, the netservers being a bit less so than some of
the worst. I'd recommend just carrying a bunch of them home and throwing
out the useless ones.
--
Jussi Peltola
there are many potential people who might be able to help.
Of course, you shouldn't forget the people who have made the same
mistake as I: never bring servers, especially ones you hardly can carry,
home. They will probably be happy to let you take them away.
--
Jussi Peltola
:)
--
Jussi Peltola
cheap) 21 CRTs and a color calibration
instrument still beat LCDs for almost anything. If it weren't for the
heat and noise I'd probably use even more CRTs, currently I only have 5
(of which 3 are in my projector :)
--
Jussi Peltola
.
--
Jussi Peltola
, and find more ways to use them. You can avoid the need for gigabit
sometimes with channel bonding, too.
--
Jussi Peltola
ports here and there.
Mine blocks nothing. Many people are stuck with monopolistic evil ISPs
without a choice, and those are the ones most likely to sell such crap
as internet service...
--
Jussi Peltola
getting more and more useful to
avoid congestion.
--
Jussi Peltola
and more common,
even to the point where the telecommunications regulation authority here
officially recommends it to ISPs. Love the spammers and stupid users...
--
Jussi Peltola
with the 1-2Mbit/s internet speeds to foreign countries,
for all I care they could very well make it slower and spend the money
on competent administrators instead...
--
Jussi Peltola
it is a good idea to run an outgoing MTA on a dynamic
residential address is silly. It may work for you, but it does have its
problems. People wishing to correspond with many companies whose IT
people you don't control probably don't want to do it.
--
Jussi Peltola
.
PS. I'm at 14 euros now... keep complaining.
--
Jussi Peltola
On Thu, Feb 21, 2008 at 07:01:21PM +0100, Xavier Milliès-Lacroix wrote:
We need to be able to do 'quite' everything remotely (from installing
(virtual floppy / cd / dvd) to exploitation).
I prefer PXE booted bsd.rd and a serial console, with BIOS serial
redirection it is quite close to a LOM
).
--
Jussi Peltola
without using a script or a long
and inelegant alias - or if it is, I'd be interested in how it can be
done in case I need to work on some ancient unix.
--
Jussi Peltola
gateway to point at .121, which will then
handle the translation of return packets and pass them through its
default route to the cable modem.
Disclaimer: I'm tired and on GPRS.
--
Jussi Peltola
On Tue, Feb 26, 2008 at 10:25:04AM +0800, Wong Peter wrote:
Hello all respected network administrators, I have set up an OpenBSD gateway but
the wireless connection (gateway) is not detected by the client, but before this
it was ok. I can see it in Windows but now cannot. I don't know what is wrong with it.
I
).
Couldn't you bridge the DMZ? Not as simple, but not a hack either.
If you're as clever as you (or people on a mailing list) can be when
configuring things, fixing any breakages can be a bit of a problem.
Agreed :)
--
Jussi Peltola
as vipw, vigr and find -exec chown.
--
Jussi Peltola
On Tue, Mar 11, 2008 at 11:37:16PM +1100, Sunnz wrote:
Oh, so you need to change the user id on the client computers to use
NFS properly... that seems kind of like a hack... is that the usual
way NFS is used? What if there are multiple accounts on the client
that you like to share?
You use
haven't tried using set tty in boot.conf, have you?
There is nothing you can see on a VGA console that you can't see with
one set in boot.conf, except the pretty colors.
--
Jussi Peltola
of something inputting crap at the
prompt making it, of course, not boot?
--
Jussi Peltola
On Sat, Mar 15, 2008 at 04:10:58PM +0100, Erwin van Maanen wrote:
Okay, let me try to be even clearer :)
- If I set the bios to always, this results in weird data on the terminal.
(hence my first question: can I use always in the bios for ipmi output,
which apparently I can't)
- If I set
On Tue, Mar 18, 2008 at 01:11:45PM +0100, Henning Brauer wrote:
well. it depends a LOT on your users' usage profile. I could not serve
our customers from such an old machine.
ok, the frontends are still 360MHz Sun netra t1s. But the storage
backend is a 14 disk raid5 of 15k RPM U320 drives,
On Sun, Mar 23, 2008 at 08:15:34PM +0700, sonjaya wrote:
Also default minimac is only 1 ethernet how to add another ethernet
can support in minimac and openbsd.
USB? Slow, but works pretty well if there's a driver (see the lists on
the man pages).
in a separate VLAN firewalled with an OpenBSD router.)
--
Jussi Peltola
because of write cycles but to
avoid filling my 256M CF card) and it's been working just fine for a few
years. Your experience may vary, but since you need to have backups
anyway, is it so bad to possibly have to replace a CF card after many
years?
--
Jussi Peltola
, and they probably couldn't care
less even if they did. They will use whatever software that gets their
job done. The argument of introducing people to free software is
rather weak, and the arguments against it, like the win32 port of gcc,
have been discussed on this list before.
--
Jussi Peltola
On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote:
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
A decent analysis can be found here... just to understand what a
/* */ comment can do :)
, which I have done for
years.
--
Jussi Peltola
for the first static IP then this port is also 'taken' for the second IP as
well!
Apparently you didn't have the service bind on the first one, but on 0.0.0.0,
which is all interfaces. You need to tell the service the address of the first
interface and tell it to bind to that.
--
Jussi Peltola
If the different subnets are on different physical interfaces, do not use
shared-network - just list the subnets at the top level config.
If they are on the same subnet, you'll need to list the machines by MAC address
or dhcpd can't know which machine you want in which subnet...
--
Jussi
Short answer: use HTTP redirects.
Long answer: provide more information, and read about the HTTP Host:
header and think how it applies to your setup.
On Wed, Jul 30, 2008 at 08:15:45PM +0200, Amaury De Ganseman wrote:
Jul 30 20:11:34 gateway named[472]: could not open entropy source
/dev/arandom: file not found
Search the archives, it's related to chroot and it's normal.
On Sun, Aug 17, 2008 at 04:22:33PM +0100, Edd Barrett wrote:
Hi,
We have this BSD box with some films on, and someone had the idea of
hooking it up to the TV so we can watch DVDs etc in the living room.
Not a bad idea, but I don't know how.
My friend bought a VGA-Scart cable, and I have
are usually used in laptops with cooperation of the video
hardware. A simple modeline will not make your video card output
S-Video.
--
Jussi Peltola
are that it is
easier to use ethernet bridge filtering than make routing work with
them. AFAIK Apple isn't targeting these services for large networks
anyway, they are to ease setting up a home or other small network that
is a single broadcast domain.
Regards,
Jussi Peltola
with the Redmonds, so I might have
forgotten things along the way.
--
Jussi Peltola
On Wed, Feb 07, 2007 at 02:46:57PM -0800, Jonathan Whiteman wrote:
Thank you both for your responses. I have made this diagram
clearer because I sort of *am* using the same subnet on both
sides of the bridge... or at least that was my intent, but
obviously the address ranges have to be
Office3
rl1: inet 192.168.2.254 netmask 0xff00 broadcast 192.168.2.255
description: Internal interface
tun1: inet 10.8.0.2 -- 10.8.0.1 netmask 0x
description: office2 interface
netstat -rn -f inet
Routing tables
Internet:
Destination
providers cost. Without good relations with your ISP it's not
going to be easy to keep your connection at all when the users get
nasty.
--
Jussi Peltola
Most application protocols running on TCP are quite vulnerable to DoS,
but nobody has seemed to care so far...
Holy god... I just donated 40% of my income this month. Great job.
--
Jussi Peltola
If you're the copyright holder, you can release it under any license you
want. If other people have made significant contributions, however, you
can't re-license those. Only the copyright holder can.
For anything more specific, ask a lawyer.
echo '@reboot screen -d -m -L /dev/cua00 9600' | crontab -
but mind your existing crontab.
On Tue, Oct 28, 2008 at 02:45:07PM +0100, Marc Balmer wrote:
I could suggest you run cu in a screen session. I have used
cu ... | tee logfile
in the past, but there are possibly more elegant solutions
Screen can do logging and open windows to serial ports directly by
itself (as I
for a little green box when I think my
OpenBSD box can handle it.
If you have two ethernets and you want to round-robin, trunk(4) might
work too.
--
Jussi Peltola
I see no problem in setting interface groups based on mac address.
You should be able to hack a suitable script to do that in a few
minutes.
What about VLANs? At least I wouldn't torture myself with ancient/cheap
switches that don't support them.
Of course, then you have to worry about the switch breaking or getting
its config reset...
On Mon, Nov 10, 2008 at 05:42:50PM +0100, Jörg Streckfuß wrote:
It seems that the first ip (10.0.0.1), which is also the public ip for the
webserver pool, is unavailable. Each request which should be forwarded to the
first webserver will get stuck for a moment and then relayd redirects it to
the
On Wed, Nov 12, 2008 at 04:38:39AM +0300, igor denisov wrote:
# use a macro for the interface name, so it can be changed easily
ext_if = fx0
I think you mean fxp0.
# map daemon on to appear to be on ssl
rdr on $ext_if proto tcp from any to any port ?? - 127.0.0.1 port
Use UKC to disable IDE DMA. Cards other than SanDisk seem not to honor
the reset line, so the normal downgrade to PIO modes won't work. It's
more or less a feature.
. With the small
(depth-wise) supermicro servers it might actually fit in 1U but that's a
bit hack-ish.
--
Jussi Peltola
about a machine that is turned off and not
connected to a network.
--
Jussi Peltola
then using it all day).
--
Jussi Peltola
as
molasses, I doubt that CARP can work very well either.
--
Jussi Peltola
/ bridging to do. Config wise few things can be worse than
configuring separate subnets for everyone, anyway.
--
Jussi Peltola
OpenBSD already has an SSL cert. Just publish the checksums over HTTPS.
Of course, that implies trust on the SSL PKI, but the moaners will
surely accept that.
--
Jussi Peltola
On Wed, Dec 17, 2008 at 04:11:43PM -0500, Ted Unangst wrote:
On Wed, Dec 17, 2008 at 3:56 PM, Jussi Peltola pe...@pelzi.net wrote:
OpenBSD already has an SSL cert. Just publish the checksums over HTTPS.
It's that easy?
To silence the people demanding magic security dust? Yes.
To guarantee
Disable power saving on the clients.
think
if you find such a thing, it is cheaper to buy a new laptop ;-)
and another thing: maybe it would help to tweak your vpn config, but
therefore it is needed!
Soekris has minipci hifn cards, but I agree, a crypto accelerator is the
wrong solution.
--
Jussi Peltola
On Sun, Oct 23, 2011 at 12:08:22AM +0200, Jan Stary wrote:
Just out of curiosity, what would be an example
situation for using a machine that simultaneously
(1) acts as a name-server for others
(2) gets its network settings dynamically reconfigured
Any kind of box that is connected to an
I had some similar looking problems some releases back. Using a separate
carp if for ipv6 mostly fixed it. Didn't write down the exact problem,
though.
My em(4)'s stopped working with 5.0 - has anyone seen this on 82571EBs?
I'll try backing out the MSO patch.
Perhaps this is related:
ftp://download.intel.com/design/network/specupdt/82571eb_72ei.pdf
Page 22, Errata 7: Device Transmit Operation Might Halt in TCP
Segmentation Offload (TSO) Mode
You can ignore the clueless parts in my previous message :)
I can set up remote access to one of these machines if needed.
This made the ems work again:
--- if_em.c.origWed Nov 9 21:37:39 2011
+++ if_em.c Wed Nov 9 21:39:01 2011
@@ -331,6 +331,2 @@
- /* Only use MSI on the
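Review bot: the hunk header `@@ -331,6 +331,2 @@` says four lines are removed, but only the first of them, the opening of the `/* Only use MSI on the` comment, survives in the quoted patch, so the change cannot be reviewed or applied as posted; please resend the hunk intact. The description should also say exactly what is being dropped (MSI for this adapter only, or for every em(4) part), because the errata cited just above (82571EB/72EI, Page 22, Errata 7) concerns TSO rather than MSI, so the stated motivation and the code being removed don't obviously connect.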
On Sat, Nov 19, 2011 at 08:58:46PM -0500, quartz wrote:
is there a way to set up altq+priq on an internet connection with highly
variable/unknown bandwidth?
I'd like to create a simple one layer queue system that prioritizes empty
ACKs over anything else (always, all the time, no matter the
of the link. 2) is possible without 1),
assuming that some lower bound of the link speed is known. 1) is
obviously possible without any prioritization at all.
Jussi Peltola
You can work around this by pointing a default at your provider, too.
But it is kind of yucky.
On Sat, Jan 07, 2012 at 09:21:35AM +0100, Pete Vickers wrote:
SOO can be used for loop detection, but only if your bgp peerings don't strip
extended communities.
another dirty hack would be to get
I have a vlan on top of a vlan on an em. It connects to a remote switch
that requires me to use a specified lladdr.
Everything works just fine if I change the lladdr on em0, or run tcpdump
to switch it to promiscuous mode, but I need another lladdr on the other
vlans.
Setting the lladdr on the
On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
2. CARP heartbeat messages use multicast. This means a switch with
dual-stack CARP-attached devices should support not only IGMP snooping
for IPv4 but also MLD snooping for IPv6.
Hmm. carppeer does not seem to like an inet6 address
I'm lazy.
On Sun, May 24, 2009 at 02:49:53PM +0200, Martin Schröder wrote:
2009/5/24, Stuart Henderson s...@spacehopper.org:
The P (Private) suggests some kind of privacy.
MPLS is well suited to the task as it provides traffic isolation and
differentiation without substantial overhead.
Doesn't
I'd rather run pfsync in its own vlan than over a realtek card. It's
probably not any slower (what could be slower than a realtek...) and
it's not really any less reliable (what use is pfsync if your business
network goes down?)
money for making the internet links redundant.
--
Jussi Peltola
On Fri, Jun 05, 2009 at 04:11:39PM -0400, Joe Gidi wrote:
Also, the machine has no serial port, so I can't try the serial console
trick.
It does, but you need the port replicator to access it. Maybe you can
find one you can borrow.
--
Jussi Peltola
much :)
--
Jussi Peltola
But even measuring the ripple with a scope won't guarantee it's OK.
Swapping out all of the hardware is sometimes the only way to find out.
Same goes for memtest86+: it can prove it's broken, but if it doesn't
find problems it doesn't guarantee there are none.
--
Jussi Peltola