Re: Trying to open a port

2013-06-10 Thread Aaron Martinez

On 06/10/13 09:17, Rhys Ap Mihangel wrote:

Hi,

I'm trying to open port 9001 on my gateway machine for a tor relay. I've been 
trying different combinations for some time now only to have syntax errors, etc 
on pfctl -nvf /etc/pf.conf. Why am I finding it so difficult?

I would expect simple statements like this to just work

pass in on (egress) to (egress) port 9001

pass in on (rl0) to (rl0) port 9001


thanks

rhys


Two things: first, when specifying a port you also have to specify what type of 
network and what protocol.  Secondly, you don't give your full ruleset, so 
it's hard to know what's going on, but based on what you have sent to 
the list, unless you're trying to get to port 9001 on your gateway 
machine on the rl0 interface only, the second rule you sent should 
read something like:


pass in on rl0 inet proto tcp to any port 9001

Aaron
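A pf.conf fragment, added here as an example and not part of the thread, showing why the rules the original poster tried are rejected and what a complete rule for a Tor relay's ORPort on the gateway looks like. The interface name rl0 and port 9001 come from the thread; the macro names are assumptions.

```pf
# Added example, not from the thread. Interface rl0 and port 9001 are the
# thread's; the macro names are assumed. Check with: pfctl -nvf /etc/pf.conf
ext_if = "rl0"
tor_orport = "9001"

# Why the poster's rules fail to parse:
#   pass in on (egress) to (egress) port 9001
#   pass in on (rl0) to (rl0) port 9001
# 1. After "on", pf wants a plain interface name or group (rl0, egress);
#    parentheses are only valid in the address part, as in "to (rl0)".
# 2. "port" needs a protocol: pfctl rejects the rule with
#    "port only applies to tcp/udp".

# Corrected rule: TCP only, and only to the gateway's own address on rl0.
# "to ($ext_if)" follows the interface address if it changes (e.g. DHCP)
# and, unlike "to any", does not also match traffic merely being forwarded
# through the gateway to a host behind it.
pass in on $ext_if proto tcp from any to ($ext_if) port $tor_orport

# Equivalent rule written against the egress interface group, so it keeps
# working if the default route moves to another interface.
pass in on egress proto tcp from any to (egress) port $tor_orport

# Assumes the rest of the ruleset already has a default "block in" policy;
# these lines only add the relay port on top of it.
```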



root device not found

2013-06-07 Thread Aaron Martinez

Hi,

I have been running OpenBSD 4.9 on a Tyan S5160 for a couple years now 
just fine.  I backed up my data and did a fresh install of 5.3. The 
install went flawlessly but after the install and the reboot, the system 
boots but then panics when looking for the root device.


I have tried changing all of the sata controller options in the bios 
(enhanced/compatible) and the ahci options as well (enable/disable) to 
no avail.


I did a fresh install of 5.2 after that thinking there might be 
something about the MB that 5.3 didn't like but got the exact same result.


I have a single sata hdd installed as my OS drive that shows up and sd1 
during install that I install the OS onto and an areca 1210 4 port sata 
raid card installed for storage that shows up as sd0 during install.


I have included dmesg and the debugger trace and ps below.

Thanks,

Aaron


# cu -eo -l /dev/cua00 -s 115200
Connected

Phoenix TrustedCore(tm) Server
Copyright 1985-2004 Phoenix Technologies Ltd.
All Rights Reserved

TYAN Tomcat i7230A S5160 BIOS v1.05
CPU = 1 Processors Detected, Cores per Processor = 2
Intel(R) Pentium(R) D CPU 3.00GHz
1023M System RAM Passed
2048 KB L2 Cache per Processor Core
System BIOS shadowed
Video BIOS shadowed
Fixed Disk 0: ST3160815AS
ATAPI CD-ROM: ATAPI   DVD A DH16A1S

Press F2 to enter SETUP


 OpenBSD/i386 BOOT 3.21
boot
booting hd0a:/bsd: 8425188+1102788 [52+382544+368841]=0x9cdb6c
entry point at 0x200120

[ using 751812 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2013 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 5.3 (GENERIC.MP) #58: Tue Mar 12 18:43:53 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,CNXT-ID,CX16,xTPR,PDCM,LAHF
real mem  = 1071706112 (1022MB)
avail mem = 1043185664 (994MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/10/07, BIOS32 rev. 0 @ 0xfd450, SMBIOS rev. 2.31 @ 0x3feea000 (42 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 05/10/2007
bios0: TYAN Computer S5160
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP MCFG APIC BOOT SPCR SSDT
acpi0: wakeup devices DEV1(S4) EXP1(S4) LAN1(S4) LAN2(S4) PCIB(S4) KBC0(S4) MSE0(S4) AC97(S1) PWRB(S3) USB1(S4) USB2(S4) USB4(S4) EUSB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-9
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,CNXT-ID,CX16,xTPR,PDCM,LAHF
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (DEV1)
acpiprt2 at acpi0: bus 4 (EXP1)
acpiprt3 at acpi0: bus 5 (LAN1)
acpiprt4 at acpi0: bus 6 (LAN2)
acpiprt5 at acpi0: guration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 Host rev 0x81
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0x81: apic 2 int 16
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP332 PCIE-PCIX rev 0x07
pci2 at ppb1 bus 2
arc0 at pci2 dev 14 function 0 Areca ARC-1210 rev 0x00: apic 2 int 18
arc0: 4 ports, 256MB SDRAM, firmware V1.47 2009-07-02
scsibus0 at arc0: 16 targets
sd0 at scsibus0 ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX rev 0x07
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 2 int 20
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 2 int 20
pci5 at ppb4 bus 5
bge0 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): apic 2 int 16, address 00:e0:81:5e:1d:4f
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01: apic 2 int 21
pci6 at ppb5 bus 6
bge1 at pci6 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): apic 2 int 17, address 00:e0:81:5e:1d:4e
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 2 int 23
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 2 int 19
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 2 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: apic 2 int 16
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb6 at pci0 

Re: root device not found

2013-06-07 Thread Aaron Martinez
 (no drives)
pciide0: channel 1 disabled (no drives)
ahci0 at pci0 dev 31 function 2 Intel 82801GR AHCI rev 0x01: msi, AHCI 1.1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
scsibus1 at ahci0: 32 targets
sd1 at scsibus1 targ 0 lun 0: ATA, ST3160815AS, 3.CH SCSI3 0/dadt0 at 
iic0 addr 0x2e: sch5017 rev 0x8a

spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x52: 512MB DDR2 SDRAM non-parity PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 afd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
disklabels not read: sd1 cd0 fd0
root device (default sd1a):
swap device (default sd1b):
root on sd1a swap on sd1b dump on sd1b
Automatic boot in progress: starting file system checks.
/dev/sd1a (6e74d7f65ecaa74a.a): file system is clean; not checking
setting tty flags
pf enabled
starting network
starting early daemons: syslogd pflogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
starting pre-securelevel daemons:.
setting kernel security level: kern.securelevel: 0 - 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd sendmail inetd sndiod.
starting local daemons: cron.
Fri Jun  7 22:18:00 EDT 2013

On 06/07/13 19:20, Ted Unangst wrote:

On Fri, Jun 07, 2013 at 17:19, Aaron Martinez wrote:


I have a single sata hdd installed as my OS drive that shows up and sd1
during install that I install the OS onto and an areca 1210 4 port sata
raid card installed for storage that shows up as sd0 during install.
arc0 at pci2 dev 14 function 0 Areca ARC-1210 rev 0x00: apic 2 int 18
arc0: 4 ports, 256MB SDRAM, firmware V1.47 2009-07-02
scsibus0 at arc0: 16 targets
sd0 at scsibus0 ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX

This is somewhat unusual. There's supposed to be more printed, and
ppb2 should be on a new line.

What happens if you type -a at the boot prompt and specify sd1a?




Re: expect and spawn

2010-11-13 Thread Aaron Martinez
On Tue, 2010-11-09 at 12:11 -0800, Jim Lucas wrote:
 On 11/9/2010 12:00 PM, Aaron Martinez wrote:
  On Tue, Nov 09, 2010 at 09:48:15AM -0600, Aaron Martinez wrote:
  I am trying to use openbsd as my workstation here at work but one of the
  tools we use, creates an expect script and it's not working at all.  The
  developer of the tool uses linux primarily so he's not sure except to
  tell me that the expect in openbsd doesn't know spawn which I looked and
  the expect man page is loaded with stuff about spawn.
 
  The script I try to run is this:
  # cat 227254.test
 
  #!/usr/local/bin/expect -f
  set timeout -1
  spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o \
  UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no \
  r...@192.168.0.10
  interact {
  \034 exit
  }
 
 
  Executing this from the command line returns the following:
 
  # sh -x 227254.test
 
  When invoked like this, the interpreter is sh, not expect.
 
  --
 
  Will Maier
  http://will.m.aier.us/
 
 
  
  
  Thanks Will,
  
  silly question, how would then I do a good test?
  
  Thanks.
  
  Aaron
  
 
 # chmod 0744 227254.test
 # ./227254.test
 

Ok,

I was able to test this simplified script and it works just fine when I
run it; the output is below.  The problem arises when I try to execute
the full script, which is:

$ cat expect_full.test
#!/usr/local/bin/expect -f
set timeout -1
spawn -noecho ssh -X -vvv -p 22 -l test -o StrictHostKeyChecking=no \
 -o UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no 192.168.0.10
match_max 10
expect assword
sleep .1
send -- tester\r
expect {
-re ]|test|\$
}
sleep .1
send -- export LANG=en_US.UTF-8\r
expect -re ]|test|\$
sleep .1
send -- su -\r
expect assword
sleep .1
send -- root_tester\r
expect -re #|assword|root|ROOT|%
sleep .1
send -- export LANG=en_US.UTF-8\r
expect -re ]|root|#
sleep .1
trap { stty rows [stty rows] columns [stty columns] \
 $spawn_out(slave,name)} WINCH
interact {
 \034 exit
}

--
I get brought back to what looks to be a password prompt, but then when I
try to type a password it actually prints whatever I type right on the
screen.  Hitting enter does nothing and the session just sits there
indefinitely.

Just a bit more information, I am connecting from an OpenBSD 4.8 system
to a RedHat 5.5 system.

The output when executing the full script is also below.

Output from simple script:
$ ./expect_simple_ssh_verbose.test
OpenSSH_5.6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/apmartinez/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.10 [192.168.0.10] port 22.
debug1: Connection established.
debug1: identity file /home/apmartinez/.ssh/id_rsa type -1
debug1: identity file /home/apmartinez/.ssh/id_rsa-cert type -1
debug1: identity file /home/apmartinez/.ssh/id_dsa type -1
debug1: identity file /home/apmartinez/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 5 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se

expect and spawn

2010-11-09 Thread Aaron Martinez
Hi All,

I am trying to use openbsd as my workstation here at work but one of the
tools we use, creates an expect script and it's not working at all.  The
developer of the tool uses linux primarily so he's not sure except to
tell me that the expect in openbsd doesn't know spawn which I looked and
the expect man page is loaded with stuff about spawn.

The script I try to run is this:
# cat 227254.test

#!/usr/local/bin/expect -f
set timeout -1
spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o \
UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no \
r...@192.168.0.10
interact {
\034 exit
}


Executing this from the command line returns the following:

# sh -x 227254.test

+ set timeout -1
+ spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o
UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no
r...@192.168.0.10
227254.test[3]: spawn: not found
+ interact {
227254.test[4]: interact: not found
+ 034 exit
227254.test[5]: 034: not found
227254.test[6]: syntax error: `}' unexpected


Is the format of his expect script all wrong or?? 

Thanks,

Aaron Martinez



Re: expect and spawn

2010-11-09 Thread Aaron Martinez
 On Tue, Nov 09, 2010 at 09:48:15AM -0600, Aaron Martinez wrote:
 I am trying to use openbsd as my workstation here at work but one of the
 tools we use, creates an expect script and it's not working at all.  The
 developer of the tool uses linux primarily so he's not sure except to
 tell me that the expect in openbsd doesn't know spawn which I looked and
 the expect man page is loaded with stuff about spawn.

 The script I try to run is this:
 # cat 227254.test

 #!/usr/local/bin/expect -f
 set timeout -1
 spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o \
 UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no \
 r...@192.168.0.10
 interact {
 \034 exit
 }


 Executing this from the command line returns the following:

 # sh -x 227254.test

 When invoked like this, the interpreter is sh, not expect.

 --

 Will Maier
 http://will.m.aier.us/




Thanks Will,

silly question, how would then I do a good test?

Thanks.

Aaron



Re: expect and spawn

2010-11-09 Thread Aaron Martinez
 On 11/09/10 15:48, Aaron Martinez wrote:
 Hi All,

 I am trying to use openbsd as my workstation here at work but one of the
 tools we use, creates an expect script and it's not working at all.  The
 developer of the tool uses linux primarily so he's not sure except to
 tell me that the expect in openbsd doesn't know spawn which I looked and
 the expect man page is loaded with stuff about spawn.

 The script I try to run is this:
 # cat 227254.test

 #!/usr/local/bin/expect -f
 set timeout -1
 spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o \
 UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no \
 r...@192.168.0.10
 interact {
 \034 exit
 }


 Executing this from the command line returns the following:

 # sh -x 227254.test

 + set timeout -1
 + spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o
 UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no
 r...@192.168.0.10
 227254.test[3]: spawn: not found
 + interact {
 227254.test[4]: interact: not found
 + 034 exit
 227254.test[5]: 034: not found
 227254.test[6]: syntax error: `}' unexpected


 Is the format of his expect script all wrong or??

 Thanks,

 Aaron Martinez



   This might be a silly question but have you installed expect from the
 ports?  Also expect depends on tl and tcl, which will be installed along
 with expect.

 regards,

 Paul



Hi Paul,

I do have expect installed but not via ports, I just used the packages.

Thanks.

Aaron



Re: expect and spawn

2010-11-09 Thread Aaron Martinez
 On 11/9/2010 12:00 PM, Aaron Martinez wrote:
 On Tue, Nov 09, 2010 at 09:48:15AM -0600, Aaron Martinez wrote:
 I am trying to use openbsd as my workstation here at work but one of
 the
 tools we use, creates an expect script and it's not working at all.
 The
 developer of the tool uses linux primarily so he's not sure except to
 tell me that the expect in openbsd doesn't know spawn which I looked
 and
 the expect man page is loaded with stuff about spawn.

 The script I try to run is this:
 # cat 227254.test

 #!/usr/local/bin/expect -f
 set timeout -1
 spawn -noecho ssh -X -vvv -p 22 -o StrictHostKeyChecking=no -o \
 UserKnownHostsFile=/dev/null -o GSSAPIAuthentication=no \
 r...@192.168.0.10
 interact {
 \034 exit
 }


 Executing this from the command line returns the following:

 # sh -x 227254.test

 When invoked like this, the interpreter is sh, not expect.

 --

 Will Maier
 http://will.m.aier.us/




 Thanks Will,

 silly question, how would then I do a good test?

 Thanks.

 Aaron


 # chmod 0744 227254.test
 # ./227254.test


Wow, I guess I should have just tried that before asking.  Unfortunately
I'm heading out of town to a funeral and won't be able to test it until
tomorrow.

Thanks Jim,

Aaron



dual head on 4.8, almost...

2010-11-02 Thread Aaron Martinez
Hi All,

I have a freshly installed 4.8 amd64 system and I was trying to get it
set up in dual head mode.  I know this has been discussed before and I
have searched through the archives on marc, but for some reason I
haven't been able to get it fully working.

The current state of things is as such: when I fire up gdm or startx, it
looks like it's working, I have two screens, the login in gdm comes up on
the left monitor and not on the right.  The right monitor however has
the same pattern as when you run the X -config <xorg_file> command,
kind of a pixely checker pattern.  I can move the cursor from the left
monitor over to the right, but then it's stuck in that monitor, I can't
move it back to the left monitor.  Additionally at that point I can't
CTRL-ALT-Backspace to kill X and I can't even use CTRL-ALT-F-KEY
to switch to a non-X desktop/screen.

Any and all help greatly appreciated.  My xorg.conf and Xorg.0.log are
below.

Thanks in advance.

Aaron 

Section "ServerLayout"
    Identifier     "X.org Configured"
    Screen      0  "Screen0" 0 0
    Screen      1  "Screen1" RightOf "Screen0"
    InputDevice    "Mouse0" "CorePointer"
    InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "Files"
    ModulePath   "/usr/X11R6/lib/modules"
    FontPath     "/usr/X11R6/lib/X11/fonts/misc/"
    FontPath     "/usr/X11R6/lib/X11/fonts/TTF/"
    FontPath     "/usr/X11R6/lib/X11/fonts/OTF/"
    FontPath     "/usr/X11R6/lib/X11/fonts/Type1/"
    FontPath     "/usr/X11R6/lib/X11/fonts/100dpi/"
    FontPath     "/usr/X11R6/lib/X11/fonts/75dpi/"
EndSection

Section "Module"
    Load  "dbe"
    Load  "dri"
    Load  "dri2"
    Load  "extmod"
    Load  "glx"
    Load  "record"
EndSection

Section "InputDevice"
    Identifier  "Keyboard0"
    Driver      "kbd"
EndSection

Section "InputDevice"
    Identifier  "Mouse0"
    Driver      "mouse"
    Option      "Protocol" "wsmouse"
    Option      "Device" "/dev/wsmouse"
    Option      "ZAxisMapping" "4 5 6 7"
EndSection

Section "Monitor"
    Identifier   "Monitor0"
    VendorName   "Dell"
    ModelName    "P2210h"
    HorizSync    30-83
    VertRefresh  56-76
EndSection

Section "Monitor"
    Identifier   "Monitor1"
    VendorName   "Dell"
    ModelName    "P2210h"
    HorizSync    30-83
    VertRefresh  56-76
EndSection

Section "Device"
    Identifier  "Card0"
    Driver      "radeon"
    VendorName  "ATI"
    BoardName   "Radeon HD 2400 XT"
    BusID       "PCI:1:0:0"
    Screen      0
EndSection

Section "Device"
    Identifier  "Card1"
    Driver      "radeon"
    VendorName  "ATI"
    BoardName   "Radeon HD 2400 X"
    BusID       "PCI:1:0:0"
    Screen      1
EndSection

Section "Screen"
    Identifier "Screen0"
    Device     "Card0"
    Monitor    "Monitor0"
    SubSection "Display"
        Viewport   0 0
        Depth     1
        Virtual   3840 1080
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     4
        Virtual   3840 1080
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     8
        Virtual   3840 1080
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     15
        Virtual   3840 1080
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     16
        Virtual   3840 1080
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     24
        Virtual   3840 1080
    EndSubSection
EndSection

Section "Screen"
    Identifier "Screen1"
    Device     "Card1"
    Monitor    "Monitor1"
    SubSection "Display"
        Viewport   0 0
        Depth     1
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     4
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     8
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     15
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     16
    EndSubSection
    SubSection "Display"
        Viewport   0 0
        Depth     24
    EndSubSection
EndSection





Xorg.0.log

[211864.187] 
X.Org X Server 1.8.2
Release Date: 2010-07-01
[211864.187] X Protocol Version 11, Revision 0
[211864.187] Build Operating System: OpenBSD 4.8 amd64 
[211864.188] Current Operating System: OpenBSD apmobsd48.proficuous.com 4.8 
GENERIC.MP#335 amd64
[211864.188] Build Date: 08 August 2010  11:21:57PM
[211864.188]  
[211864.188] Current version of pixman: 0.16.6
[211864.188]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.

Re: dual head on 4.8, almost...

2010-11-02 Thread Aaron Martinez
   On 11/02/10 14:10, Aaron Martinez wrote:
 Hi All,

 I have a freshly installed 4.8 amd64 system and I was trying to get it
 set up in dual head mode.  I know this has been discussed before and I
 have searched through the archives on marc, but for some reason I
 haven't been able to get it fully working.

 The current state of things is as such: when I fire up gdm or startx, it
 looks like it's working, I have two screens, the login in gdm comes up on
 the left monitor and not on the right.  The right monitor however has
 the same pattern as when you run the X -config <xorg_file> command,
 kind of a pixely checker pattern.  I can move the cursor from the left
 monitor over to the right, but then it's stuck in that monitor, I can't
 move it back to the left monitor.  Additionally at that point I can't
 CTRL-ALT-Backspace to kill X and I can't even use CTRL-ALT-F-KEY
 to switch to a non-X desktop/screen.

 Any and all help greatly appreciated.  My xorg.conf and Xorg.0.log are
 below.

 Thanks in advance.

 Aaron


 It took me a while to figure out how to make this work.  I hope it works
 for you.
 Here are the relevant parts of my xorg.conf:

 Section "Monitor"
     Identifier   "Monitor0"
     VendorName   "LCD"
     ModelName    "SP9106"
     HorizSync    31.0 - 83.0
     VertRefresh  56.0 - 75.0
     Option       "DPMS"
 EndSection

 Section "Monitor"
     Identifier   "Monitor1"
     Option       "RightOf" "Monitor0"
 EndSection

 Section "Device"
     Identifier  "Card0"
     Driver      "radeonhd"
     VendorName  "ATI"
     BoardName   "Radeon HD 4850"
     BusID       "PCI:1:0:0"
     Option      "Monitor-DVI-I_1/digital" "Monitor0"
     Option      "Monitor-DVI-I_2/digital" "Monitor1"
 EndSection

 Section "Screen"
     Identifier "Screen0"
     Device     "Card0"
     Monitor    "Monitor0"
     SubSection "Display"
         Viewport   0 0
         Depth     1
     EndSubSection
     SubSection "Display"
         Viewport   0 0
         Depth     4
     EndSubSection
     SubSection "Display"
         Viewport   0 0
         Depth     8
     EndSubSection
     SubSection "Display"
         Viewport   0 0
         Depth     15
     EndSubSection
     SubSection "Display"
         Viewport   0 0
         Depth     16
     EndSubSection
     SubSection "Display"
         Viewport   0 0
         Depth     24
     EndSubSection
 EndSection


 --Bryan



Hi Bryan,

Did you have to use the xrandr in your .xinitrc as well along with this,
or are you saying that you have dual head working without the xrandr?

I was a little surprised when I saw that you have it working like this
because man xorg.conf states the following:

 Screen number
       This option is mandatory for cards where a single PCI entity can
       drive more than one display (i.e., multiple CRTCs sharing a single
       graphics accelerator and video memory).  One Device section is
       required for each head, and this parameter determines which head
       each of the Device sections applies to.  The legal values of
       number range from 0 to one less than the total number of heads
       per entity.  Most drivers require that the primary screen (0) be
       present.


I am going to try your configuration tomorrow however as it seems a little
cleaner.


One additional thing that I have noticed is that your config doesn't
mention the virtual option on the display subsections.  When I have run
xrandr it complains with the following error:

xrandr: screen cannot be larger than 1920x1080 (desired size 3840x1080)

Thanks

Aaron



relayd to load balance xmpp/jabberd??

2010-05-07 Thread Aaron Martinez
Greetings everyone,

I am considering setting up a jabberd2 installation of maybe 4-5 servers
and since I haven't seen any built in cluster options I was thinking of
using relayd to load balance the systems.  I have a few questions that
hopefully the list gurus can help with.

I'm wondering what the thoughts are about whether to use layer 3 vs.
layer 7 for this.

I would definitely want connections to be sticky and I like the route to
options in the layer 3 for this, but I'm not familiar enough w/the xmpp
protocol to know if this is feasible.

Also, if one of the machines were to become unresponsive that had active
conversations going on, would there be any way to keep them alive and
move to another server?  CARP?? using proxy instead of direct to server?

Lastly, I see there are a few different ways to determine if the hosts
behind relayd are up, I'm wondering if there is any way to determine
this with snmp.  Could the check script directive run an snmpget and
look for some value?  How would relayd determine if the value was good
or bad?

Thanks in advance.

Aaron



authpf for incoming connections

2009-05-22 Thread Aaron Martinez
Hi All,

I am setting up an openbsd 4.5 stable based pf firewall and was
wondering if there is a way to make it so only certain users could log
in from certain IP addresses.  I have authpf set up and working well,
but the problem is if someone isn't coming from one of my safe IP
addresses, I don't want them to be able to log in using a login name
that has a standard shell like ksh.  I saw the Match statement for
sshd but it looks like the only things that can be set are:
AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, KbdInteractiveAuthentication,
KerberosAuthentication, MaxAuthTries, MaxSessions,
PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost, none of which
would allow for what I'm trying (if I'm understanding this correctly).


I'm trying to have authpf authenticate people before they are able to
use certain services behind the firewall, i.e. pptp server, pop server
etc., while allowing certain people from static IP addresses to actually
log into the openbsd firewall.  

Any ideas greatly appreciated.


Thanks in advance.

Aaron Martinez



Re: authpf for incoming connections

2009-05-22 Thread Aaron Martinez
 On 22 May 2009 at 15:05, Aaron Martinez wrote:

 Hi All,

 I am setting up an openbsd 4.5 stable based pf firewall and was
 wondering if there is a way to make it so only certain users could log
 in from certain IP addresses.  I have authpf set up and working well,
 but the problem is if someone isn't coming from one of my safe IP
 addresses, I don't want them to be able to log in using a login name
 that has a standard shell like ksh.  I saw the Match statement for
 sshd but it looks like the only things that can be set are:
 AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory,
 ForceCommand, GatewayPorts, GSSAPIAuthentication,
 HostbasedAuthentication, KbdInteractiveAuthentication,
 KerberosAuthentication, MaxAuthTries, MaxSessions,
 PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
 PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication,
 X11DisplayOffset, X11Forwarding and X11UseLocalHost, none of which
 would allow for what I'm trying (if I'm understanding this correctly).


 I'm trying to have authpf authenticate people before they are able to
 use certain services behind the firewall, i.e. pptp server, pop server
 etc., while allowing certain people from static IP addresses to actually
 log into the openbsd firewall.

 You did say you are setting up a pf firewall, so why not use its
 firewalling functionality to limit those services to the specific
 _static IP addresses_? This is one of the simplest use cases for pf!

 Any ideas greatly appreciated.


 Thanks in advance.

 Aaron Martinez



I don't want to limit the services behind the firewall to certain IP
addresses, only to people that can authenticate with authpf at the
firewall; they can be at any IP.  Then after they authenticate a rule is
loaded to allow their IP to get to the pop or pptp server behind the
firewall.

The safe addresses are for people that need to do administration on the fw
and have an account on the fw system itself that has a shell other than
authpf.

Thanks.



alternate shell not running

2009-04-25 Thread Aaron Martinez
I'm running OpenBSD 4.4 Stable and have created a little shell script menu
program that I want certain users to have as their only interaction with
the system.  I created users using the script as their shell and also put
it in /etc/shells, but when the user logs in they get a standard shell.  I
was testing it through ssh so I thought maybe it had something to do with
the environment, but the same thing happens when I log in locally.  If I log
in as root and then su - username the script runs as expected.

Is this the wrong way to do this?  Would it be better putting something in
the .profile?

Can anyone shed any light as to why this is happening?

Thanks,

Aaron Martinez



Re: alternate shell not running

2009-04-25 Thread Aaron Martinez
 On 4/25/09, Aaron Martinez m...@proficuous.com wrote:
 I'm running OpenBSD 4.4 Stable and have created a little shell script menu
 program that I want certain users to have as their only interaction with
 the system.  I created users using the script as their shell and also put
 it in /etc/shells, but when the user logs in they get a standard shell.  I
 was testing it through ssh so I thought maybe it had something to do with
 the environment, but the same thing happens when I log in locally.  If I log
 in as root and then su - username the script runs as expected.

 Is this the wrong way to do this?  Would it be better putting something
 in
 the .profile?

 Can anyone shed any light as to why this is happening?

 Thanks,

 Aaron Martinez

 As a mind reader I'm guessing permissions...
 some more info might make it less of a guess


I suppose it could be permissions, but the file/script is located in
/usr/local/bin with permissions set to 755.  Additionally, when I log in
as one of the restricted users that are supposed to have the script as
their shell, I have no problem running the script if I call it manually.

What additional information would be helpful? I'd be glad to provide it.

Aaron



Re: alternate shell not running

2009-04-25 Thread Aaron Martinez
 On Sat, Apr 25, 2009 at 3:39 PM, Aaron Martinez m...@proficuous.com wrote:
 I'm running OpenBSD 4.4 Stable and have created a little shell script menu
 program that I want certain users to have as their only interaction with
 the system.  I created users using the script as their shell and also put
 it in /etc/shells but when the user logs in they get a standard shell.  I
 was testing it through ssh so I thought maybe it had something to do with
 the environment but the same thing happens when I log in locally.  If I log
 in as root and then su - username the script runs as expected.

 Is this the wrong way to do this?  Would it be better putting something in
 the .profile?

 Can anyone shed any light as to why this is happening?

 Works for me:

 $ ls -l /usr/local/bin/foo
 -rwxr-xr-x  1 root  wheel  55 Apr 25 17:25 /usr/local/bin/foo
 $ cat /usr/local/bin/foo
 #!/bin/sh
 echo hello!
 read help
 echo $help
 exit 0
 $ grep testing /etc/passwd
 testing:*:1009:1009:Test User,,,:/home/users/testing:/usr/local/bin/foo
 $

 ...and when I log in on a terminal as 'testing', I get the expected
 hello! and it echos my first line on input and then exits.

 So:
 1) what does the /etc/passwd entry for one of these users look like?

lgf:*:1010:1::/home/ght:/usr/local/bbox/bin/login_script

 2) when you say they get a "standard shell", what *EXACTLY* do you mean?
 (If you mean they get a /bin/sh prompt and it runs their
 .profile, then please say that)

when logging in as user ght
$ env
_=/usr/bin/env
SSH_CONNECTION=192.168.7.128 39782 192.168.7.254 22
PATH=/home/lgf/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
SHELL=/usr/local/bin/login_script
USER=lgf
MAIL=/var/mail/ght
HOME=/home/ght
SSH_CLIENT=192.168.7.128 39782 22
TERM=xterm
SSH_TTY=/dev/ttyp0
LOGNAME=ght


$ lss
ksh: lss: not found

(looks like I'm getting ksh as my shell)


 3) what does the top of the shell script look like?

#!/bin/ksh

tput clear

goodchoice=
# quote the variable: while it is empty, an unquoted [ -n $goodchoice ]
# collapses to [ -n ], which is true, so the loop body would never run
until [ -n "$goodchoice" ]
do

echo 'Please choose one of the following:




 Philip Guenther



Re: alternate shell not running

2009-04-25 Thread Aaron Martinez
 Aaron Martinez wrote:
 On Sat, Apr 25, 2009 at 3:39 PM, Aaron Martinez m...@proficuous.com
 wrote:
 1) what does the /etc/passwd entry for one of these users look like?

 lgf:*:1010:1::/home/ght:/usr/local/bbox/bin/login_script

 2) when you say they get a "standard shell", what *EXACTLY* do you
 mean?
 (If you mean they get a /bin/sh prompt and it runs their
 .profile, then please say that)

 when logging in as user ght



 You changed shell for user lgf; then login as ght?


Sorry, I was just preserving identities and missed one lgf entry.  The
actual user is lgf; I was just changing it to ght.  So everything is in
fact lgf, there is no mixing of IDs.

$ ls -l /usr/local/login_script
-rwxr-xr-x  1 root  wheel  2132 Apr 23 00:22 /usr/local/login_script

Thanks again for the ideas.

Aaron
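A restricted menu login shell of the kind this thread is about, written here as an added example rather than the poster's script: the quoting on the until test is the fix the posted fragment needs, the read loop gives up on end of input instead of spinning, signals that would drop the user to a prompt are ignored, and the menu itself only runs when the script is invoked under the name installed in passwd (login_script), so its functions can be exercised on their own. The three actions and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: a restricted menu login shell that
# can be listed in /etc/shells and set as a user's shell in passwd.
# The three actions and the log path are assumptions for illustration.

PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH

# validate_choice INPUT -> prints the canonical action, returns 1 if unknown
validate_choice() {
    case $1 in
        1|status) echo status ;;
        2|logs)   echo logs ;;
        3|q|quit) echo quit ;;
        *)        return 1 ;;
    esac
}

# select_choice reads lines from stdin until a valid choice arrives and
# prints it; returns 1 on end of input so a closed session cannot spin.
select_choice() {
    goodchoice=
    # The variable is quoted: when it is empty, an unquoted [ -n $goodchoice ]
    # collapses to [ -n ], which is true, and the loop would never run.
    until [ -n "$goodchoice" ]; do
        printf '1) status\n2) logs\n3) quit\nChoice: ' >&2
        IFS= read -r choice || return 1
        goodchoice=$(validate_choice "$choice") ||
            printf 'invalid choice: %s\n' "$choice" >&2
    done
    printf '%s\n' "$goodchoice"
}

# run_action ACTION: the only commands a menu user can ever reach
run_action() {
    case $1 in
        status) uptime ;;
        logs)   tail -n 20 /var/log/messages ;;   # assumed log path
        quit)   exit 0 ;;
    esac
}

main() {
    trap '' INT QUIT TSTP       # no interrupting out to a shell prompt
    while action=$(select_choice); do
        run_action "$action"
    done
}

# Run the menu only when invoked under the name installed in passwd, so the
# functions above can also be sourced and tested without a terminal.
case ${0##*/} in
    login_script) main ;;
esac
```

Install it as /usr/local/bin/login_script, mode 0755, add that exact path to /etc/shells, and use the same path in the user's passwd entry; a mismatch between the passwd field and the installed path is the first thing to rule out when a user still lands in ksh.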



Re: creating release and kernels

2009-03-14 Thread Aaron Martinez
 So what you actually want is create a ramdisk that recognizes NTFS. you're
 not interested in a running kernel, but a boot kernel, right ?

Actually, just the opposite: I wanted a normal functioning system running
a kernel with the experimental NTFS support.  It's worked well enough in
the past for read-only operations and I often like to boot up with an
infected XP system drive to recover/scan files before blowing the drive away.


 Look around in distrib, that's where the instructions to build boot
 kernels
 happen. You need to tweak/clone the right ramdisk for your purpose.

 Of course, there's no guarantee that will work. I can tell that including
 NTFS on a floppy won't fit, and I haven't ever tried it on bsd.rd nor the
 cd ramdisk. There might be some other issues at work.

 Good luck.


I think now, from all the replies, it makes more sense to just stick with
the standard release(8) process and keep an NTFS-enabled /bsd file on the
system for when I need it.

Thanks to all for the help.



Re: creating release and kernels

2009-03-14 Thread Aaron Martinez
 On Fri, 13 Mar 2009 14:13:35 -0500 (CDT) Aaron Martinez
 m...@proficuous.com wrote:

 I'm running 4.4 Stable on i386 hardware and was wanting to make a
 release.

 I was reading through the release man page and noticed it said a
 GENERIC kernel is included with the release.  I'm just wondering if
 there is a way to include or replace the generic kernel with a
 modified kernel.  The only change i'm making is adding NTFS read
 support.

 Thanks

 Aaron


 You have a few different issues here:
 1.) NTFS support is clearly marked experimental
 2.) Enabling NTFS support *increases* the size of your kernel
 3.) Modifying 'GENERIC' 'GENERIC.MP' and 'RAMDISK*' is a very bad idea
 because you'll be running kernels that others *think* are normal, but
 are actually custom.

 You probably understood #1, but the ramifications of #2 are the real
 killer, and #3 will only aggravate others if you need help. The increase
 in kernel size can (and most likely will) break the creation of various
 install images such as the floppy disk images (i.e. too big to fit on
 the floppy). Even if you don't use floppy disk images for installing,
 this is still a very bad idea.

 The easiest way to achieve what you want, namely to install a kernel
 with NTFS support by default, is to keep the release as is, and use the
 siteXX.tgz file to make modifications at the *end* of the installation
 process (i.e. replacing the GENERIC kernel(s) you just installed with
 the custom NTFS kernels you want to actually run).

 http://www.openbsd.org/faq/faq4.html#site

Thanks for the reminder.  It has been a while since I read this
section of the FAQ and I had forgotten about it.

 At the very end of the installation process, the siteXX.tgz file is
 unarchived in the same ways as the others (tar xzf siteXX.tgz) rooted
 at the / directory. This means you should be able to over-write the
 initially installed GENERIC kernels with your custom versions before
 the first reboot.

 Personally, I would leave the GENERIC kernels on the system (just in
 case) and *add* your custom kernels (SP & MP) to the system with
 different names. To have your system boot to your custom kernels, you
 can create a custom /etc/boot.conf and put that in your siteXX.tgz
 file (see boot.conf(8) for details).

Another great suggestion, thanks!


 As long as you haven't done anything insane like having a super huge
 root partition (resulting in the start of your custom kernels
 potentially being outside of the bootable address range), you should
 have no problems booting to your additional custom kernel(s) on most
 modern x86 hardware. If you're using *really* old x86 hardware, you
 might hit this problem. Typically, if you keep your root partition to
 the 512MB suggested in the FAQ, you should be fine.

 --
 J.C. Roberts
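The siteXX.tgz approach described in this reply, as an added example that is not the project's own tooling: a POSIX sh script that stages a custom kernel under its own name next to GENERIC, writes an /etc/boot.conf that selects it with `set image`, and packs the tree with paths relative to / the way the installer's `tar xzf` expects. The kernel name bsd.ntfs and the demo's fake kernel are assumptions; the script refuses to stage anything as bsd, bsd.mp or bsd.rd so the GENERIC kernels are never overwritten.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD project: stage a siteXX.tgz
# that adds a custom kernel next to GENERIC and points /etc/boot.conf at it.
# Assumptions: the custom kernel is installed as /bsd.ntfs (our name) and the
# boot loader honours "set image" in /etc/boot.conf as boot.conf(8) describes.

# stage_site_tgz STAGEDIR KERNELFILE KERNELNAME OUTPUT.tgz
# Copies the kernel into the staging tree under its own name (never over /bsd),
# writes etc/boot.conf, and tars the tree with "./"-relative paths so that the
# installer's "tar xzf" at / puts everything where it belongs.
stage_site_tgz() {
    stage=$1 kernel=$2 name=$3 out=$4

    [ -f "$kernel" ] || { echo "no such kernel: $kernel" >&2; return 1; }
    case $name in
        bsd|bsd.mp|bsd.rd) echo "refusing to overwrite $name" >&2; return 1 ;;
    esac

    mkdir -p "$stage/etc" || return 1
    cp "$kernel" "$stage/$name" || return 1
    chmod 0644 "$stage/$name"
    printf 'set image /%s\n' "$name" > "$stage/etc/boot.conf"

    # -C with "." keeps the member names relative; the installer extracts at /
    tar czf "$out" -C "$stage" . || return 1
}

# site_tgz_has OUTPUT.tgz PATH -> 0 if the archive contains ./PATH
site_tgz_has() {
    tar tzf "$1" | grep -qxF "./$2"
}

# Self-check with a constructed fake kernel in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'not really a kernel\n' > "$tmp/bsd.custom"    # constructed input
    stage_site_tgz "$tmp/stage" "$tmp/bsd.custom" bsd.ntfs "$tmp/site44.tgz" || return 1
    site_tgz_has "$tmp/site44.tgz" bsd.ntfs || return 1
    site_tgz_has "$tmp/site44.tgz" etc/boot.conf || return 1
    [ "$(cat "$tmp/stage/etc/boot.conf")" = "set image /bsd.ntfs" ] || return 1
    rm -rf "$tmp"
    echo ok
}
```

Name the result after the release it accompanies (site44.tgz for 4.4) and place it beside the other sets; because GENERIC stays on disk under its usual name, a bad custom kernel can still be booted around from the boot prompt.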



creating release and kernels

2009-03-13 Thread Aaron Martinez
I'm running 4.4 Stable on i386 hardware and was wanting to make a release.

I was reading through the release man page and noticed it said a GENERIC
kernel is included with the release.  I'm just wondering if there is a way
to include or replace the generic kernel with a modified kernel.  The only
change I'm making is adding NTFS read support.

Thanks

Aaron



Re: creating release and kernels

2009-03-13 Thread Aaron Martinez
 On Fri, Mar 13, 2009 at 02:13:35PM -0500, Aaron Martinez wrote:
 I'm running 4.4 Stable on i386 hardware and was wanting to make a
 release.

 I was reading through the release man page and noticed it said a GENERIC
 kernel is included with the release.  I'm just wondering if there is a
 way
 to include or replace the generic kernel with a modified kernel.  The
 only
 change i'm making is adding NTFS read support.

 I'm a little unclear; are you talking about release(8), or just having
 a kernel with NTFS support?

Yes, release(8).  So at the beginning of the release, I update my sources,
rebuild the kernel with the one mod for ntfs support, rebuild userland
and then do a release.  I'm wondering if there is any way to get the
ntfs-enabled kernel into the release.

Could I just copy my running /bsd, /bsd.rd and /boot files into the reldir
and create my release CD to install that way?

Thanks again.

Aaron


 Thanks

 Aaron



Re: creating release and kernels

2009-03-13 Thread Aaron Martinez
 On 13 March 2009 c. 22:13:35 Aaron Martinez wrote:
 I'm running 4.4 Stable on i386 hardware and was wanting to make a
 release.

 I was reading through the release man page and noticed it said a
 GENERIC kernel is included with the release.  I'm just wondering if
 there is a way to include or replace the generic kernel with a
 modified kernel.  The only change i'm making is adding NTFS read
 support.

 Well, nothing stops you in replacing bsd* files in release directory with
 your own built ones after building release itself. :) Or you want to
 automate this work?

Automating is always good, but copying a couple of files one time is
something I can handle; I just didn't realize it wasn't creating a release
of the current running kernel.  Would I also need to copy the /boot file
as well, or just the bsd* files?

Thanks

 --
   Best wishes,
 Vadim Zhukov



Re: creating release and kernels

2009-03-13 Thread Aaron Martinez
 On Fri, Mar 13, 2009 at 02:54:23PM -0500, Aaron Martinez wrote:
  On Fri, Mar 13, 2009 at 02:13:35PM -0500, Aaron Martinez wrote:
  I'm running 4.4 Stable on i386 hardware and was wanting to make a
  release.
 
  I was reading through the release man page and noticed it said a GENERIC
  kernel is included with the release.  I'm just wondering if there is a way
  to include or replace the generic kernel with a modified kernel.  The only
  change i'm making is adding NTFS read support.
 
  I'm a little unclear; are you talking about release(8), or just having
  a kernel with NTFS support?

 yes, release(8).  So at the beginning of the release, i update my sources,
 rebuild the kernel, with the one mod for ntfs support, rebuild userland
 and then do a release.  I'm wondering if there is any way to get the ntfs
 enabled kernel into the release.

 could i just copy my running /bsd /bsd.rd and /boot files into the reldir
 and create my release cd to install that way?

 From a quick reading of release(8) and src/etc/Makefile, it looks like
 make release pulls the kernel from the running system into the generated
 release.

I thought that as well, but when I installed from the newly created
release CD, I wasn't able to mount ntfs partitions.  I went back to my
build machine and diffed /bsd and /usr/rel/bsd and they are different.
Is that to be expected?

$ diff bsd /bsd
Binary files bsd and /bsd differ

Thanks,
Aaron


 Thanks again.

 Aaron
 
 
  Thanks
 
  Aaron



gd without xbase?

2008-12-19 Thread Aaron Martinez
I am running 4.4 stable on i386 for the sole purpose of running nagios.
To get visualizations on the statusmap, the nagios docs say that gd is
required.

I have performed just a minimal install: bsd, base44, etc44 and man44.
When I try installing gd I come up with the following error:
# pkg_add -nv gd
parsing gd-2.0.35
Dependencies for gd-2.0.35 resolve to: libiconv-1.12, jpeg-6bp3,
png-1.2.28 (todo: jpeg-6bp3,png-1.2.28)
gd-2.0.35:parsing jpeg-6bp3
found libspec c.48.0 in /usr/lib
Pretending to add gd-2.0.35:jpeg-6bp3
gd-2.0.35:parsing png-1.2.28
Pretending to add gd-2.0.35:png-1.2.28
found libspec c.48.0 in /usr/lib
found libspec expat.9.0 in /usr/lib
Can't install gd-2.0.35: lib not found fontconfig.5.1
Dependencies for gd-2.0.35 resolve to: libiconv-1.12, jpeg-6bp3,
png-1.2.28 (todo: jpeg-6bp3,png-1.2.28)
Full dependency tree is libiconv-1.12,jpeg-6bp3,png-1.2.28
Can't install gd-2.0.35: lib not found freetype.16.1
found libspec iconv.5.0 in package libiconv-1.12
found libspec jpeg.62.0 in package jpeg-6bp3
found libspec m.3.0 in /usr/lib
found libspec png.7.0 in package png-1.2.28
found libspec z.4.1 in /usr/lib
/dev/wd0g: 1432 bytes
/dev/wd0f: 1381968 bytes


I did some searching on this and found it most recently referenced around
OpenBSD 3.9, where people were indicating that gd was not going to have the
X dependency in future releases.

I have another machine that I did my nagios testing on that does NOT have
gd installed, but the .gd2 icons are displayed correctly in the statusmap.
I do have php5-gd installed there, and a test install of php5-gd-no_x11
also works.  My question here is: even though nagios doesn't use php, is
the php-gd what is allowing the icons to display in this case, since I
don't actually have gd installed?

Is there any other way to make this work?  I didn't really want to install
php or xbase on this box.

Thanks in advance and dmesg below.

Aaron Martinez



OpenBSD 4.4-stable (GENERIC) #1: Fri Dec  5 15:52:41 CST 2008
r...@obsdbuild.minn.example.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.66GHz (GenuineIntel 686-class) 2.67 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 527986688 (503MB)
avail mem = 502087680 (478MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/10/03, BIOS32 rev. 0 @ 0xeb4e0,
SMBIOS rev. 2.3 @ 0xf8dd4 (57 entries)
bios0: vendor Hewlett-Packard version 786B2 v1.11 date 07/10/2003
bios0: Hewlett-Packard HP d530 SFF(DG781A)
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT SSDT SSDT SSDT SSDT SSDT SSDT APIC SSDT ASF!
SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S4) HUB_(S4) COM1(S4) COM2(S4) USB1(S3)
USB2(S3) USB3(S3) USB4(S3) EUSB(S3) PBTN(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (HUB_)
acpicpu0 at acpi0
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc/0xa600 0xca600/0x2000 0xe0c00/0x9a00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G Host rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xf000, size 0x800
drm at vga1 unsupported
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 10
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 10
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xc2
pci1 at ppb0 bus 5
bge0 at pci1 dev 2 function 0 Broadcom BCM5782 rev 0x03, BCM5705 A3
(0x3003): irq 5, address 00:0e:7f:f3:46:a7
brgphy0 at bge0 phy 1: BCM5705 10/100/1000baseT PHY, rev. 2
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: ST340014A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: LITEON, CD-ROM LTN486S, YQSM ATAPI 5/cdrom
removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
auich0 at pci0 dev 31 function 5 Intel 82801EB/ER AC97 rev 0x02: irq 5,
ICH5 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D

4.4 snapshot and evolution

2008-11-11 Thread Aaron Martinez
I installed 4.4 snapshot 1090 and also evolution so that I could connect
to exchange, eliminating the need for my Windows machine, but I'm having a
little issue and I thought I'd ask if this was OpenBSD related before I
ask the evolution people.

I have the following evolution packages installed:
pkg_info | grep evolution
evolution-2.22.3.1  integrated email and PIM software for GNOME
evolution-data-server-2.22.3 data backends for the Evolution mail/PIM suite
evolution-plugin-webcal-2.21.92 webcal(endar) handler for GNOME


When I start up evolution and add a mail account, under server types I get
no option for exchange.  I then created a standard IMAP account for a
different account just to get into the preferences.  I went under plugins
and verified that the exchange operations plugin is indeed enabled.

I went to add an additional account and again, when I get to choosing a
server type, there is no option for exchange.  Am I missing something or is
this not available in the OpenBSD version?  I have seen a lot of talk about
evolution-exchange but I thought (which might be part of the problem) that
the exchange operations plugin replaced that.


Thanks in advance,

Aaron Martinez

dmesg:

OpenBSD 4.4-current (GENERIC) #1090: Sat Oct 11 15:35:21 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) D CPU 3.40GHz (GenuineIntel 686-class) 3.41 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 3220631552 (3071MB)
avail mem = 3120496640 (2975MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/28/06, BIOS32 rev. 0 @ 0xea4b0,
SMBIOS rev. 2.4 @ 0xedb20 (74 entries)
bios0: vendor Hewlett-Packard version 786D7 v01.03 date 09/28/2006
bios0: Hewlett-Packard HP xw4400 Workstation
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT APIC ASF! MCFG TCPA
acpi0: wakeup devices PCI0(S4) PEG1(S4) PCX1(S4) PCX2(S4) PCX5(S4)
PCX6(S4) HUB_(S4) COM1(S4) COM2(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3)
EUSB(S3) PBTN(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG1)
acpiprt2 at acpi0: bus 16 (PCX1)
acpiprt3 at acpi0: bus -1 (PCX2)
acpiprt4 at acpi0: bus 40 (PCX5)
acpiprt5 at acpi0: bus 63 (PCX6)
acpiprt6 at acpi0: bus 5 (HUB_)
acpicpu0 at acpi0
acpibtn0 at acpi0: PBTN
bios0: ROM list: 0xc/0xf200 0xcf200/0x1000 0xd0200/0x1c00 0xe7a00/0x8600!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82975X Host rev 0x00
ppb0 at pci0 dev 1 function 0 Intel 82975X PCIE rev 0x00: irq 10
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 vendor ATI, unknown product 0x7152 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vendor ATI, unknown product 0x7172 (class display subclass
miscellaneous, rev 0x00) at pci1 dev 0 function 1 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: irq 11
azalia0: codec[s]: Realtek/0x0262
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 16
ppb2 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: irq 10
pci3 at ppb2 bus 40
ppb3 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01: irq 10
pci4 at ppb3 bus 63
bge0 at pci4 dev 0 function 0 Broadcom BCM5755 rev 0x02, BCM5755 A2
(0xa002): irq 10, address 00:19:bb:53:00:42
brgphy0 at bge0 phy 1: BCM5755 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 11
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 11
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xe1
pci5 at ppb4 bus 5
fxp0 at pci5 dev 9 function 0 Intel 82559 rev 0x08, i82559: irq 11,
address 00:03:47:0a:45:0c
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD+-RW GSA-H21L, 1.04 ATAPI
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 3
pciide0: channel 1 disabled (no drives)
ahci0 at pci0 dev 31 function 2 Intel 82801GR AHCI rev 0x01: irq 5, AHCI
1.1
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
scsibus1 at ahci0: 32 targets, initiator 32
sd0 at scsibus1 targ 0 lun 0: ATA, SAMSUNG HD160JJ/, ZM10 SCSI3 0/direct
fixed
sd0: 152627MB, 512 bytes

pkg_add ftp options

2008-10-14 Thread Aaron Martinez
I've just installed OpenBSD from a snapshot yesterday and noticed
afterwards I can't seem to ftp out from the command line, either passive or
active.  I finally issued an ftp -AaE some ftp site and it works just
fine, so I'm guessing that the firewall I'm sitting behind is doing
something wrong with control connections.  Unfortunately most people here
are using Windows and it seems to work fine from winbloze.  This does
however make installing packages rather difficult.

Is there any way to specify any ftp options to pkg_add so I can get around
this issue?  I saw in the man page that you can set the FTPMODE
environment variable to active, which I did, but still no luck.

Thanks,

Aaron Martinez



rdr and bridge

2008-08-24 Thread Aaron Martinez

Hi All,

I'm trying to get redirection working on an OpenBSD 4.3 stable bridge
and not having any luck getting redirection to work.

I'm doing the filtering and redirection on the external interface and
passing everything on the internal interfaces.  I want to redirect
traffic coming into the external interface, destined for machines behind
the bridge, to the external interface to authenticate using authpf.
When I ssh to a host behind the bridge (192.168.5.2 for example) I don't
see any redirection happening when I watch the traffic with tcpdump.  I
also tried doing the redirection on bridge0 with the same results.


Any help would be greatly appreciated. 


TIA,

Aaron

interfaces:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:18:b1:eb:17
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::230:18ff:feb1:eb17%re0 prefixlen 64 scopeid 0x1
        inet 192.168.5.100 netmask 0xff00 broadcast 192.168.5.255
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:18:b1:eb:18
        media: Ethernet autoselect (autoselect half-duplex)
        status: active
        inet6 fe80::230:18ff:feb1:eb18%re1 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog


tcpdump output:
19:41:40.024232 arp who-has 192.168.5.2 tell 192.168.5.254
19:41:40.024484 arp reply 192.168.5.2 is-at 00:30:f1:01:d3:d8
19:41:40.024640 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 50179, len 48)
19:41:42.975391 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 51142, len 48)
19:41:49.011873 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 52381, len 48)



Here are my rules:

ext_if = re0
int_if = re1
lan = 192.168.5.0/24
allowed_in = www https
table <lan_hosts> const { 192.168.5.0/24 !fe80::230:18ff:feb1:eb18 }
table <authpf_users> persist
set limit states 2
set limit frags 1
set limit table-entries 500
set optimization normal
set block-policy drop
set timeout frag 10
set timeout tcp.established 3600
set skip on { lo }
set fingerprints "/etc/pf.os"
scrub out on re0 all random-id fragment reassemble
scrub in all fragment reassemble
nat-anchor "/*" all
nat-anchor "/*" all
rdr-anchor "/*" all
rdr-anchor "/*" all
rdr pass on re0 inet proto tcp from any to any port = ssh -> 192.168.5.100
binat-anchor "/*" all
anchor "/*" from <authpf_users> to any
anchor "/*" all
block drop log all
block drop in quick from urpf-failed to any
pass in on re1 inet from <lan_hosts> to ! 127.0.0.1 flags S/SA keep state
pass in on re1 inet from <lan_hosts> to ! 192.168.5.100 flags S/SA keep state
pass in on re0 inet proto tcp from any to any port = www flags S/SA keep state
pass in on re0 inet proto tcp from any to any port = https flags S/SA keep state

pass out on re1 inet all flags S/SA keep state
pass out on re0 inet proto udp from any to any port = domain keep state
pass in on re0 proto icmp all keep state
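One way to read a capture like the one in this post for the question it is asking (did the rdr rewrite the destination, and did anything answer), as an added example that is not part of the post: an awk summary of SYNs per client flow, flagging whether each flow's destination is the rdr target and how many packets came back. The capture lines are constructed in the format quoted above; 192.168.5.100 is the rdr target from the ruleset.

```shell
#!/bin/sh
# Added example, not from the post: summarise the SYNs in a tcpdump text
# capture so it is obvious whether a pf rdr rewrote the destination and
# whether anything answered. The capture below is constructed in the format
# the post quotes (OpenBSD tcpdump); 192.168.5.100 is the assumed rdr target.

# syn_summary RDR_TARGET  < tcpdump-text
# One line per client flow:  SRC DST SYN_COUNT REPLY_COUNT REDIRECTED
syn_summary() {
    awk -v target="$1" '
        $3 != ">" { next }                    # skip arp and other non-IP lines
        {
            src = $2; dst = $4; sub(/:$/, "", dst)
            fwd = src " " dst; rev = dst " " src
            if (rev in syn) { reply[rev]++; next }   # packet back toward a SYN sender
            if ($5 == "S") {                         # new or retransmitted SYN
                syn[fwd]++
                host = dst; sub(/\.[0-9]+$/, "", host)   # drop the port
                rdr[fwd] = (host == target) ? "yes" : "no"
            }
        }
        END {
            for (k in syn)
                printf "%s %d %d %s\n", k, syn[k], reply[k] + 0, rdr[k]
        }' | sort
}

# Constructed capture: the first flow retransmits its SYN three times to the
# original host and never gets an answer (the symptom in the post); the second
# is what a working redirect looks like, a SYN to the rdr target and a SYN/ACK back.
sample_capture() {
    cat <<'EOF'
19:41:40.024232 arp who-has 192.168.5.2 tell 192.168.5.254
19:41:40.024484 arp reply 192.168.5.2 is-at 00:30:f1:01:d3:d8
19:41:40.024640 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 50179, len 48)
19:41:42.975391 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 51142, len 48)
19:41:49.011873 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 52381, len 48)
19:42:01.100000 192.168.3.142.1180 > 192.168.5.100.22: S [tcp sum ok] 700000000:700000000(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 52390, len 48)
19:42:01.100500 192.168.5.100.22 > 192.168.3.142.1180: S [tcp sum ok] 900000000:900000000(0) ack 700000001 win 16384 <mss 1460> (DF) (ttl 64, id 4242, len 44)
EOF
}

sample_capture | syn_summary 192.168.5.100
```

A flow that shows the original host as destination with several SYNs and no replies means the packets were not translated on the interface being watched; feed the script a capture taken on each bridge member and on bridge0 to see where, if anywhere, the rewrite happens.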



Re: problem building release for 4.3 stable

2008-05-14 Thread Aaron Martinez

Anthony Roberts wrote:

On Tue, May 6, 2008 1:27 am, Christer Solskogen wrote:
  

Just to be 100% sure. Do you see libc.so.43.0 in /usr/dest/usr/lib ?
I've come across the problem you got just a week ago, and my mistake was
wrong tag, but the problem could be that you try to build 4.3 on a
4.3-current/snapshot.



Yes, I have libc.so.43.0. I can also confirm the ISO I used to install
matches the MD5 sum of cd43.iso at
ftp://ftp.openbsd.org/pub/OpenBSD/4.3/i386/MD5, and I'm sure I used
OPENBSD_4_3 to check the source out.

On Tue, May 6, 2008 9:48 am, Maurice Janssen wrote:
  

Yes, I noticed this as well.  I think you can safely ignore this.



Interesting. I checked on what's in src.tar.gz. The revision of
src/distrib/sets/lists/base/md.i386 in src.tar.gz is NOT the same one as
is tagged OPENBSD_4_3. The tarball's revision of the file is 1.693, but
the revision of the file tagged for OPENBSD_4_3 is 1.692.

I believe what happened is the machine used to generate the release and
the tarballs has a newer version of the file than someone will get if they
check out the source using the tag OPENBSD_4_3.

  
I just came up against this exact same error a couple of days ago and,
thinking that it might have been the mirror, I tried another, with the
same results:


# cd /usr/src/distrib/sets
# sh checkflist
115a116
> ./etc/firmware/ral-rt2860
#

I installed from the Disc1 i386 4.3 CD and preloaded the src and ports
tree from CD3.  I connected to the machine via serial and copied and
pasted the instructions directly from the FAQ, so unless the tags in the
FAQ for following -stable are wrong, I'm sure that isn't the case.

I have attached the dmesg before and after and as much other relevant
info as I can think of.  Please let me know of anything else that is needed.


Thanks in advance.

Aaron Martinez

# head -25 installing_updating_sources.out
Script started on Wed May 14 04:51:08 2008
# mkdir /cd0
# mount /dev/cd0a /cd0
# ls -ltr /cd0/
total 477849
drwxr-xr-x  4 root  wheel       2048 Aug  3  2007 4.3
drwxr-xr-x  2 root  wheel       6144 Mar  7 18:01 Changelogs
-rw-r--r--  1 root  wheel  127016299 Mar 12 11:32 src.tar.gz
-rw-r--r--  1 root  wheel       1345 Mar 12 11:38 ports.tar.gz
-rw-r--r--  1 root  wheel  103951738 Mar 12 11:40 xenocara.tar.gz
-rw-r--r--  1 root  wheel       1523 Mar 13 15:39 SIZES
-rw-r--r--  1 root  wheel       8344 Mar 13 15:39 README
-rw-r--r--  1 root  wheel       2375 Mar 13 15:39 PORTS
-rw-r--r--  1 root  wheel       3488 Mar 13 15:39 PACKAGES
-rw-r--r--  1 root  wheel       2318 Mar 13 15:39 HARDWARE
-r--r--r--  1 root  wheel        513 Mar 13 15:41 TRANS.TBL
-rw-r--r--  1 root  wheel         70 Mar 13 15:41 .slicemapfile
# cd /usr/src
# ls -l
# tar zxf /cd0/src.tar.gz
# export [EMAIL PROTECTED]:/cvs
# cvs -d$CVSROOT up -rOPENBSD_4_3 -Pd
The authenticity of host 'anoncvs1.usa.openbsd.org (204.152.184.203)' can't be established.
RSA key fingerprint is 49:67:9a:46:62:8a:3f:4e:b3:63:ca:d6:41:29:2a:2f.
Are you sure you want to continue connecting (yes/no)? yes

# less kernel_build.out
Script started on Wed May 14 18:11:08 2008

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
Don't forget to run "make depend"
# cd ../compile/GENERIC/
# make clean && make depend && make
rm -f eddep *bsd bsd.gdb tags *.[io] [a-z]*.s  [Ee]rrs linterrs makelinks assym.h
rm -f param.c
cp /usr/src/sys/arch/i386/compile/GENERIC/../../../../conf/param.c .
sh /usr/src/sys/arch/i386/compile/GENERIC/../../../../kern/genassym.sh cc  -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes  -Wno-uninitialized -Wno-format -Wno-main  -Wstack-larger-than-2047 -fno-builtin-printf -fno-builtin-log -O2 -

snip

Wstrict-prototypes -Wmissing-prototypes  -Wno-uninitialized -Wno-format -Wno-main  -Wstack-larger-than-2047 -fno-builtin-printf -fno-builtin-log -O2 -pipe -nostdinc -I. -I/usr/src/sys/arch/i386/compile/GENERIC/../../../.. -I/usr/src/sys/arch/i386/compile/GENERIC/../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_43 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DUSER_PCICONF -DKVM86 -DUSER_LDT -DAPERTURE

Re: rdr to squid proxy with authentication

2008-04-27 Thread Aaron Martinez

Claer wrote:

On Wed, Apr 23 2008 at 40:17, Monah Baki wrote:
  

Hi all,


Hi,

  

I implemented the following rule and so far I can see that all users are
accessing my proxy server

Tried the following in /etc/inetd.conf

127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w \
   20 192.168.3.106 8080


 rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \
    127.0.0.1 port 5000


But I have one question, my proxy requires authentication before browsing,
how can I have the firewall also authenticate, because if I disable on the
squid proxy authentication, it works. If I enable it, all sites I try to
visit comes up with a page that I need authentication first to use the
proxy.


Using transparent proxying + auth is generally considered a bad idea.

  
But if you really want to do this, I would suggest using authpf.  You
can set up squid to do the proxying without authentication, set up pf
to deny all traffic to the squid instance, and set up authpf rules to
allow all authenticated users passage to squid.
http://www.openbsd.org/faq/pf/authpf.html


Hope this helps.

Aaron
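The layout suggested in this reply (squid without its own authentication, pf blocking the proxy port, authpf opening it per user), as an added pf configuration example in the 4.x syntax used on this page; it is not from the thread or from the OpenBSD FAQ. The interface names, the client network and squid's port 3128 are assumptions, and the weak `rdr pass` form is shown commented out beside the gated form. Squid itself has to accept intercepted connections (`http_port 3128 transparent` in squid 2.6) for the redirect to do anything.

```pf
# --- /etc/pf.conf (fragment; added example, not from the thread) ---
# Assumed: squid on the firewall at 127.0.0.1:3128 in transparent mode with its
# own authentication switched off; fxp0/fxp1 and 192.168.3.0/24 are placeholders.
ext_if     = "fxp0"
int_if     = "fxp1"
int_net    = "192.168.3.0/24"
proxy      = "127.0.0.1"
proxy_port = "3128"

# authpf(8) inserts each logged-in user's address here for the life of the session
table <authpf_users> persist

# Weak setting: "rdr pass" hands every client straight to squid and skips the
# filter rules, so the proxy's own login page is the only control left.
#rdr pass on $int_if proto tcp from $int_net to any port 80 -> $proxy port $proxy_port

# Gated setting: redirect the same traffic, but pass none of it here.
rdr on $int_if proto tcp from $int_net to any port 80 -> $proxy port $proxy_port

# Translation runs before filtering, so the filter rules see the rewritten
# destination. Block the proxy port for everyone on the inside ...
block in on $int_if proto tcp from $int_net to $proxy port $proxy_port

# ... let clients reach sshd, which is where authpf logs them in ...
pass in on $int_if proto tcp from $int_net to ($int_if) port ssh flags S/SA keep state

# ... and let the per-user rules that authpf loads into this anchor open it.
anchor "authpf/*"

# --- /etc/authpf/authpf.rules (loaded per user; $user_ip is set by authpf) ---
int_if     = "fxp1"
proxy      = "127.0.0.1"
proxy_port = "3128"
pass in quick on $int_if proto tcp from $user_ip to $proxy port $proxy_port flags S/SA keep state
```

With this layout an unauthenticated client's web traffic is still redirected but then dropped at the block rule, while a user who has an authpf ssh session open gets the `pass in quick` rule for their address only, and that rule disappears when the session ends.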



Re: Installing Perl on openBSD 4.0

2008-04-09 Thread Aaron Martinez

pichi wrote:

Josh,

Thanks so much for clearing that up for me. That would explain why it was so
hard to find documentation on installing  Perl on an OpenBSD 4.0 box;
because its already there!

I will upgrade to the latest version. The only thing that worries me is this
is a production box and I have never upgraded an OpenBSD server.

Wish me luck,

P.
  
Remember too, when upgrading, version jumping isn't supported: you will
want to upgrade to 4.1 and then to 4.2, _not_ 4.0 to 4.2.


Aaron



Re: Optimising OpenBSD

2008-04-09 Thread Aaron Martinez

Matthew Smith wrote:

Quoth Rod Whitworth at 2008-04-09 08:04...

Matthew, you are pretty new here so I'll be kind.
Read http://www.openbsd.org/faq/faq5.html#Why
For this, I apologise.  I am currently in the situation that I don't 
know where to look for what.  I might try writing a OpenBSD for Linux 
escapees somewhere down the track, because that's what I really need.


Also Search The Fine Archives 
I now discover that they are under a different domain - which is why 
the site search wasn't pulling up much.  I must pull out my copy of 
'Google Hacks' and see if there is a way that an aggregated site 
search can be done that pulls in the list archives as well.


The Marc archives have really been a savior for me: 
http://marc.info/?l=openbsd-misc&r=1&w=2  They have a long history of 
openbsd list archives and the searches are blazing fast.


HTH

Aaron



The GENERIC kernel has been compiled with all the right flags. The
article you cite was never good advice and furthermore it is going on 8
years old.
It's going to take me a while to get used to having a kernel that I 
don't HAVE to touch - not that I'm complaining!



Don't do that either without a better reason. Postfix, for example,
comes as a package in OpenBSD. Two versions (stable and snapshot, both
good enough to use in critical service) and several flavours. Look at
http://openports.se/mail/postfix/snapshot for a clue.
Postfix I can probably take from a package.  However, this server will 
need to duplicate the environment on my two Internet-facing Linodes 
(Linux virtual servers), plus my laptop, which is my main development 
platform.


Apache and MySQL have to be hand-builds - my Apache installation is 
configured for a very specific environment (and all my apps would 
break if chrooted) and I have applications that rely on specific 
Apache modules.  MySQL - well - I use 5.1 and that's not a production 
release, but has features that I need in my development environment.  
I'll probably get yelled at now, having entered a security 
conscious|paranoid community, but it would take MONTHS to change my 
environment and re-code everything to work otherwise.  It is also a 
bit of a non-issue as regards this server - it's on an intranet with 
one user that logs in - me.



From the land down under: Australia.
Do we look umop apisdn from up over?
No, but when I first came here, I was fascinated by the way water goes 
down the plughole the other way round.


Thanks all for your replies and patience.

Cheers

M




routing/gateway woes.... help needed

2008-03-03 Thread Aaron Martinez
I'm having some major woes with an OBSD 4.2 stable system and routing. 
I've racked my brain over the weekend trying to figure it out and haven't
come up with anything.. hopefully someone here can shed some light.

I have 5 interfaces, fxp0-3 and rl0.  fxp0-3 are all primary interfaces
for a corresponding carp interface.  I need to have two /28 networks on my
carp0 interface and one /27 network on carp1.  Whenever I add an alias to
my carp0 or carp1 interfaces I get the following error:
Mar  2 22:03:32 fw1 /bsd: arp_rtrequest: bad gateway value
Mar  2 22:03:32 fw1 /bsd: arp_rtrequest: bad gateway value

Here are the contents of my hostname.if files.

fxp0: inet 192.168.3.130 255.255.255.240 NONE
fxp1: inet 192.168.2.162 255.255.255.224 NONE
fxp2: inet 10.57.23.2 255.255.255.0 NONE
fxp3: inet 10.181.247.2 255.255.255.0 NONE
rl0:  inet 10.23.183.1 255.255.255.252 NONE

hostname.carp0:
inet 192.168.3.129 255.255.255.240 192.168.3.143 vhid 1 carpdev fxp0 pass testing0

hostname.carp1:
inet 192.168.2.161 255.255.255.224 192.168.2.191 vhid 2 carpdev fxp1 pass testing1
inet alias 192.168.2.164 255.255.255.255

hostname.carp2:
inet 10.57.23.254 255.255.255.0 10.57.23.255 vhid 3 carpdev fxp2 pass testing2

hostname.carp3:
inet 10.181.247.136 255.255.255.0 204.181.247.255 vhid 4 carpdev fxp3 pass testing3

Here is the output from netstat -rnf inet:
Routing tables

Internet:
Destination        Gateway            Flags   Refs   Use    Mtu  Interface
default            192.168.3.142      UGS        2   148      -  fxp0
10.23.183.0/30     link#5             UC         0     0      -  rl0
10.57.23/24        link#3             UC         0     0      -  fxp2
10.57.23.254       10.57.23.254       UH         0     0      -  carp2
127/8              127.0.0.1          UGRS       0     0  33208  lo0
127.0.0.1          127.0.0.1          UH         2    20  33208  lo0
192.168.2.160/27   link#2             UC         0     0      -  fxp1
192.168.2.161      192.168.2.161      UH         0     0      -  carp1
192.168.2.164      192.168.2.164      UH         0     0      -  carp1
192.168.2.164/32   192.168.2.164      U          0     0      -  carp1
192.168.3.128/28   link#1             UC         1     0      -  fxp0
192.168.3.129      192.168.3.129      UH         0     0      -  carp0
192.168.3.142      00:40:f4:76:3d:d3  UHLc       1     0      -  fxp0
10.181.247/24      link#4             UC         1     0      -  fxp3
10.181.247.25      00:08:02:0b:63:59  UHLc       1     1      -  fxp3
10.181.247.136     10.181.247.136     UH         0     0      -  carp3
224/4              127.0.0.1          URS        0     0  33208  lo0

I think this looks right.  I'm wondering however why there are two
instances of 192.168.2.164, one with and one without the /32.  This
happens for every address I have as an inet alias.

When I remove the alias line from the above hostname.carp1 and then run
sh /etc/netstart I don't get the arp_rtrequest errors in messages, but
the odd thing is that when I issue the netstat -rnf inet command again,
the routes for 192.168.2.164 are still there.  Isn't running /etc/netstart
supposed to essentially flush everything and restart the networking?

Also, it doesn't matter which (hostname.carp0 or hostname.carp1) I put the
aliases in, I still get the error.  The same error occurs when I have the
following for hostname.carp0 and hostname.carp1:

hostname.carp0:
inet 192.168.3.129 255.255.255.240 192.168.3.143 vhid 1 carpdev fxp0 pass testing0
inet alias 192.168.3.132 255.255.255.255

hostname.carp1:
inet 192.168.2.161 255.255.255.224 192.168.2.191 vhid 2 carpdev fxp1 pass testing1

Any help with this would be _greatly_ appreciated as I've beat my head
against the wall trying to see what I'm doing wrong and I can't seem to
figure it out.  I googled for the error but what was returned seemed
really old, and even that I read but it didn't seem pertinent to my
situation.

Any other information needed, please ask and I will provide it.


Thanks in advance,

Aaron Martinez

DMESG:
Mar  3 05:26:15 fw1 /bsd: OpenBSD 4.2-stable (GENERIC) #0: Fri Dec 28 19:29:04 CST 2007
Mar  3 05:26:15 fw1 /bsd: [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Mar  3 05:26:15 fw1 /bsd: cpu0: Intel(R) Celeron(R) CPU 2.00GHz (GenuineIntel 686-class) 2 GHz
Mar  3 05:26:15 fw1 /bsd: cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
Mar  3 05:26:15 fw1 /bsd: real mem  = 268005376 (255MB)
Mar  3 05:26:15 fw1 /bsd: avail mem = 251502592 (239MB)
Mar  3 05:26:15 fw1 /bsd: mainbus0 at root
Mar  3 05:26:15 fw1 /bsd: bios0 at mainbus0: AT/286+ BIOS, date 07/22/03, BIOS32 rev. 0 @ 0xfb160, SMBIOS rev. 2.3 @ 0xf0800 (38 entries)
Mar  3 05:26:15 fw1 /bsd: bios0: vendor Award Software International, Inc. version 6.00 PG date 07/22/2003
Mar  3 05:26:15 fw1 /bsd: bios0: Supermicro

spamd and freemail hosts

2008-02-25 Thread Aaron Martinez
I've got spamd up and running in the default greylisting mode on a 4.2 
stable system.  Things seem to be working great, however I've noticed 
that some freemail like yahoo and hotmail stuff isn't getting through.  
Valid mail that I'm sending from my yahoo and hotmail accounts to my 
home accounts where I'm running the spamd instances.  I found that the 
IPs of the hosts are in the blacklist.
I was looking through my daemon log and found some of the (BLACK) 
instances of the mail I was sending from my yahoo account to valid 
addresses on my OpenBSD box:

(BLACK) 69.147.97.90: [EMAIL PROTECTED] -> [EMAIL PROTECTED]

I was wondering, is this IP (69.147.97.90) blacklisted or is this tuple 
blacklisted?


Does anyone have any thoughts on whitelisting freemail hosts like 
hotmail and yahoo?  I know that people do spam somewhat from these 
places, but I thought it was mainly from people forging the domains and 
I do get a lot of valid email that is not getting through.  I also host 
a couple domains and want to be prepared if people start complaining 
that they aren't getting mail.

Is there a way to whitelist domains on a per-recipient domain basis?


Thanks in advance.


Aaron Martinez



Re: ifstated and ping

2008-02-21 Thread Aaron Martinez

Giancarlo Razzolini wrote:

Aaron escreveu:
  

I am trying to configure ifstated on an i386 4.2 Stable pair of openbsd
firewalls but having some issues on how to determine connectivity of a
backup/secondary wan interface.

The carp states seem solid and preempt seems to work great.  The only
thing I'm really worried about is an upstream link dying, carp staying
master and traffic getting blackholed. I want ifstated to simply change
the default route to the backup wan interface should connectivity out
the primary get interrupted and then switch back when primary
connectivity comes back.  I'm just trying to get it figured out on one
machine first before I move to the second.  I'm having trouble figuring
out if there is connectivity on the backup wan interface.  I read some
posts that suggested using ping -I so that the pings go out the
appropriate interface, but this seems to not work, if i try to ping
anything other than the backup wan's gateway, it still goes out the
default route..  It is only able to ping the gateway address and with
the (-r) option the pinged host has to be on the directly connected
network.


snip...

Now this is what I call a lot of info. :) Well, let me share my
experience with ifstated and ping, and multiple wan links. First of all,
avoid pinging external addresses like you would avoid the devil himself. I say
this because it isn't as reliable as many people think. How to do it
then? My advice is, use snmp. Almost all (if not all) network
devices which are fcc compliant must have support for snmp, at least
version 1 of it. Install net-snmp on openbsd, and do a snmpwalk on the
modem, router, etc. Most of them will come with snmp enabled and with
the default communities "public" and "private". As you won't be
changing anything, I recommend using the public community. Try this:

snmpwalk -v 1 -c public <ip of your router>

This will give you a lot of info. There is a snmp MIB called IF. As you
might guess, it refers to the interfaces of the device. This is the mib
you will most certainly use. Take a look at the following output from
one of my adsl devices:

IF-MIB::ifDescr.1 = STRING: loopback (pseudo ethernet)
IF-MIB::ifDescr.2 = STRING: ti
IF-MIB::ifDescr.3 = STRING: Bridge
IF-MIB::ifDescr.4 = STRING: Ethernet
IF-MIB::ifDescr.5 = STRING: Ethernet over USB
IF-MIB::ifDescr.6 = STRING: ATM
IF-MIB::ifDescr.7 = STRING: RFC-2684B PPPoE Proxy
IF-MIB::ifDescr.8 = STRING: PPPoE
IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.2 = INTEGER: adsl(94)
IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.5 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.6 = INTEGER: atm(37)
IF-MIB::ifType.7 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.8 = INTEGER: ppp(23)
.
.
.
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.3 = INTEGER: up(1)
IF-MIB::ifOperStatus.4 = INTEGER: up(1)
IF-MIB::ifOperStatus.5 = INTEGER: down(2)
IF-MIB::ifOperStatus.6 = INTEGER: up(1)
IF-MIB::ifOperStatus.7 = INTEGER: up(1)
IF-MIB::ifOperStatus.8 = INTEGER: up(1)

The ifDescr attributes tell you what kind of if this is. In this specific
device I monitor the adsl, atm, and ppp if's. Any one of those going
down means that your wan link is dead. The attribute that you will use
to check it is the ifOperStatus. If any of the 3 if's I mentioned
before has its ifOperStatus down instead of up, you are certainly
looking at your wan link being down. Then you can easily create a shell script to
accomplish this task. As ifstated tests expect a 0 for success and 1 for
error, your script only needs to return this. Then you can call it
directly from ifstated. Besides this you can also check and see if there is
physical ethernet link. I do 3 checks in my ifstated: first the snmp
check, to check for wan connectivity directly with the device; second I
ping the router to see if I can reach it (I know what I said about
ping before, but this one is different, and can help you); and third I
check the ethernet interface for connectivity. This way you can deal
with the 3 cases: no wan connectivity, but if up and the router up (call
your provider); no wan connectivity, and the router is down, but the if
is up (most certainly your router is hung, so take a look at it); and
the third case, the if is down, which can have 2 meanings: the router is
totally down or the physical if has problems. This way I can say you
are all covered. :) I also send nice mails to myself to inform of the
three cases.

Now to the failover part. It's not a good thing to change the router of
the firewall itself. It will kill the connections of clients instantly,
which isn't a good thing. Instead, change the route of them using the
route-to statement of pf, and let the new conn's migrate to the other
wan link. Do this to avoid the connections dying when the primary link
comes back up. I had this problem, as I do have 3 wan connections. Well,
there is much more to do, but the principle is 
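
As an added example of the check Giancarlo describes (not code from the thread or from any of the posters), here is an ifstated test script in sh: it walks IF-MIB::ifOperStatus on the CPE, requires up(1) for every ifIndex you list (adsl, atm and ppp in his device: indexes 2, 6 and 8) and exits 0 or 1 as ifstated expects. The CPE address 192.0.2.1, the community public, the index list, the timeout values and the file path in the usage note are assumptions. A constructed snmpwalk output (not captured from a real device) is embedded so the parser can be exercised without a CPE; a missing index counts as down, so a CPE that stops answering is not mistaken for a healthy link.

```shell
#!/bin/sh
# ifstated link test: exit 0 when every monitored interface on the CPE
# reports IF-MIB::ifOperStatus up(1), 1 otherwise.  ifstated treats
# exit 0 as "test true" and anything else as "test false".
#
# Assumptions (not from the original posts): net-snmp's snmpwalk is
# installed, the CPE answers at $ROUTER with read-only community
# $COMMUNITY, and the ifIndex values to watch are listed in $IFACES.

ROUTER="${ROUTER:-192.0.2.1}"      # assumed CPE address
COMMUNITY="${COMMUNITY:-public}"   # assumed read-only community
IFACES="${IFACES:-2 6 8}"          # assumed ifIndex list (adsl, atm, ppp)

# check_oper_status "IDX ..." reads snmpwalk output on stdin and returns 0
# only if every listed ifIndex has a line reading "= INTEGER: up(1)".
# An index that is absent or not up(1) makes the whole check fail.
check_oper_status() {
    want=$1
    table=$(cat)
    for idx in $want; do
        printf '%s\n' "$table" |
            grep -q "^IF-MIB::ifOperStatus\\.$idx = INTEGER: up(1)\$" || return 1
    done
    return 0
}

# wan_up queries the CPE.  A short timeout and a single retry keep a slow
# CPE from stalling ifstated; the pipeline's status is check_oper_status's.
wan_up() {
    snmpwalk -v 1 -t 2 -r 1 -c "$COMMUNITY" "$ROUTER" IF-MIB::ifOperStatus 2>/dev/null |
        check_oper_status "$IFACES"
}

# Constructed sample output (not captured from any device) so the parser
# can be tried offline: index 8 (ppp) is down, the others are up.
SAMPLE='IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.6 = INTEGER: up(1)
IF-MIB::ifOperStatus.8 = INTEGER: down(2)'

# sample_status "IDX ..." runs the parser over the constructed sample.
sample_status() {
    printf '%s\n' "$SAMPLE" | check_oper_status "$1"
}

case "${1:-demo}" in
    live) wan_up ;;
    demo)
        sample_status "2 6" && echo "adsl+atm: up"
        sample_status "2 6 8" || echo "adsl+atm+ppp: down (index 8 is down(2))"
        ;;
esac
```

Install it as, say, /usr/local/sbin/wan_up and bind it in ifstated.conf with a test such as wan = '"/usr/local/sbin/wan_up live" every 10', then branch on $wan in your state blocks; running the script with no argument exercises the parser against the embedded sample instead of a CPE.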

apache modules with mk.conf?

2007-06-15 Thread Aaron Martinez
I want to change/lessen the number of default modules built with apache 
and would prefer to not have to recompile apache, separate from the rest 
of the userland, every time I update/upgrade my system.


I'm currently running 4.1 and am running the stock install of apache 
which httpd -l reports:

Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
  mod_keynote.c
  mod_ssl.c
suexec: disabled; invalid wrapper /usr/sbin/suexec

I would much prefer to have all of my modules dynamic and use AddModule 
commands in the httpd.conf file if possible.


The question is, can I put configure commands for apache in the mk.conf 
file and then when I update/upgrade/rebuild userland, apache will be 
built that way from then on?  If so, clues or pointers to help would be 
greatly appreciated.


I did read the mk.conf man page but it left me more befuddled than 
before reading, at least as far as the scope of httpd or any other 
programs (named, dhcpd.. etc) are concerned.


If I am way off base on this, which is a good possibility, is there some 
way I can accomplish what I'm after in another way, and subsequently, 
where would I look to get started on it.


Lastly, the logic behind this.  I was reading a few tutorials/papers

http://www.securityfocus.com/infocus/1694
http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
http://linuxplanet.com/linuxplanet/tutorials/1527/7/

and a couple others, on hardening apache, and it seemed to be the all-around 
consensus that the fewer modules compiled in, the better as far as 
security is concerned.  If these articles are incorrect, please inform 
me of that as well.


Thanks in advance,

Aaron



interface order with multiple cards of same type

2007-03-26 Thread Aaron Martinez
Apologies if this has been covered in the past; I searched on this and 
couldn't find anything, although I'm sure it's the wording I'm using.


My question is: I have OBSD 4.0 running on an Asus p3b-F with 6 pci 
slots that I'm wanting to use as a router/firewall.  I have 5 fxp 
interfaces in the machine inserted starting from the bottom pci slot 
up.  When the machine boots up it finds them just fine, but I never know 
what order the cards are in.  (i.e. fxp0 was in the third slot as 
opposed to the first or last slot populated with a card, as I would have 
expected).  Is there a way to hard code this into the hostname.fxpN 
file, so as to assign the number of the interface based on the hardware 
address as opposed to the ordering of the cards in the machine?  I 
looked in the man page for hostname.if but saw no way mentioned.


A second related question: in the above example, how exactly does OBSD 
choose the interface number?  I was under the impression it used the 
slot to assign the interface number, which is why I was so surprised to 
see that fxp0 was in the third slot, fxp2 was in the top (occupied) slot and 
fxp4 was in the bottom.  I have all of the pci slots set to auto in the 
bios if that makes any difference.


Thanks in advance.

Aaron



auto adding of hosts to bad_guys table

2007-01-25 Thread Aaron Martinez
I run some services on non-standard ports and want to deal appropriately 
with people trying to connect to the standard ports. I read somewhere 
(unfortunately I can't find it now) that much like the 'overload' tool 
in pf you can also dynamically add IPs to a table for connecting 
to a preset port.


For instance, I don't run telnetd anywhere and so if a connection to 
port 23 is made, I would like to add the connecting machine's IP to a 
'bad_guys' table on the fly so subsequent connects will be dropped.  For 
the life of me I can't find where I read this.. is it possible or was I 
imagining it?


Thanks in advance,

Aaron



redundant firewalls with carp/pfsync single dsl connection? possible?

2007-01-09 Thread Aaron Martinez
I have been wondering this for some time now and haven't seen anyone 
pose the question so I figured it's time.


I have a single dsl connection coming in _not_ terminating on the normal 
cpe but going directly to my firewall (OBSD 4.0) via a sangoma s518 dsl 
card.  I then have a few nics for routing to different lans, DMZ etc.
The question is, is it possible to create another firewall, put a dsl 
card in the machine, split the phone line running the same dsl signal 
into each box and use carp, on the dsl interface, to provide failover / 
redundancy, or would I need to get a dedicated dsl router and then run 
the two machines into a hub connecting to the dsl router?  (which still 
leaves me with a single point of hardware failure)

Thanks in advance,

aaron