Re: newbie help with PF. block all, then allowing port 22 doesnt work.
Hello,

Yes, it loaded properly. Yes, I had missed the macro for the external NIC; it is included in the original ruleset:

    t_externa = fxp0

This is the result for pfctl -sr:

    match in all scrub (no-df)
    block drop all
    pass out all flags S/SA keep state
    pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
    pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
    pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
    pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
    pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
    pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
    pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
    pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
    pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
    pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
    pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
    pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
    pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
    pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
    pass out inet proto icmp all icmp-type echoreq keep state
    pass out inet proto icmp all icmp-type unreach keep state

As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and I cannot SSH in from the outside. Where am I blocking port SSH in? :(

Andres

On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet dan...@presscom.net wrote:
> > ## Traffic IN
> > pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
> >     port { 22 8080 } keep state
>
> In your pf configuration it doesn't show where you actually define the macro for your interface $t_externa. Are you sure the rules you run are what you think they are? Did it load properly? Maybe you want to check the rules as active with pfctl -sr and check that display. I think you may find what you are looking for. Compare your pf.conf with what you actually see in pfctl -sr and you will work your issue out.
>
> Best,
>
> Daniel
Re: newbie help with PF. block all, then allowing port 22 doesnt work.
Hello,

That solved the issue, but I have about 20 rulesets that have the same syntax. I don't see anything yet about this either. Please elaborate.

Andres

On Thu, Apr 22, 2010 at 3:59 PM, Alexander Hall alexan...@beard.se wrote:
> On 04/22/10 18:22, Allie Daneman wrote:
> > Why are you doing from any to (fxp0)? That's your problem. Change all
>
> I fail to see why that would cause any issues. Care to elaborate?
>
> /Alexander
>
> > the rules like that to from any to any since you're already putting the rule on that interface and it should fix you up. As long as you're not redirecting you can turn logging on specific rules and see why they're blocking as well if that doesn't fix your issue.
> >
> > Andres Salazar wrote:
> > > Hello,
> > >
> > > Yes, it loaded properly. Yes, I had missed the macro for the external NIC; it is included in the original ruleset:
> > >
> > >     t_externa = fxp0
> > >
> > > This is the result for pfctl -sr:
> > >
> > >     match in all scrub (no-df)
> > >     block drop all
> > >     pass out all flags S/SA keep state
> > >     pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
> > >     pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
> > >     pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
> > >     pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
> > >     pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
> > >     pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
> > >     pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
> > >     pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
> > >     pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
> > >     pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
> > >     pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
> > >     pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
> > >     pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
> > >     pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
> > >     pass out inet proto icmp all icmp-type echoreq keep state
> > >     pass out inet proto icmp all icmp-type unreach keep state
> > >
> > > As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and I cannot SSH in from the outside. Where am I blocking port SSH in? :(
> > >
> > > Andres
> > >
> > > On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet dan...@presscom.net wrote:
> > > > > ## Traffic IN
> > > > > pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
> > > > >     port { 22 8080 } keep state
> > > >
> > > > In your pf configuration it doesn't show where you actually define the macro for your interface $t_externa. Are you sure the rules you run are what you think they are? Did it load properly? Maybe you want to check the rules as active with pfctl -sr and check that display. I think you may find what you are looking for. Compare your pf.conf with what you actually see in pfctl -sr and you will work your issue out.
> > > >
> > > > Best,
> > > >
> > > > Daniel
newbie help with PF. block all, then allowing port 22 doesnt work.
Hello all.

I have a ruleset where I am explicitly allowing incoming connections on port 22 (the default is block log all). For some weird reason they are getting blocked. The log says:

    Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0: my.client.ip.here.54711 > my.server.ip.here.22: S 2999658291:2999658291(0) win 5840 <mss 1460,sackOK,timestamp 7094694[|tcp]>

(Using OBSD 4.6. The name of the interface does match with ifconfig (only 1 network card). pass out works without any problem.)

    dns_servers = { 208.67.222.220, 208.67.222.222, 4.2.2.1, 4.2.2.2 }

    set block-policy drop
    set loginterface $t_externa
    set skip on lo
    set debug urgent

    ##scrub
    match in all scrub (no-df)

    ##translation

    ## filter rules
    block log all
    pass out
    antispoof quick for { lo $t_externa }

    ## Traffic IN
    pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
        port { 22 8080 } keep state

    ## Traffic OUT
    pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to $dns_servers \
        port 53 keep state
    pass out quick on $t_externa inet proto { tcp } from ($t_externa) to any \
        port { 80 443 } flags S/SA modulate state
    pass out inet proto icmp all icmp-type { echoreq, unreach } keep state

Please help! Thanks

Andres
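The advice given in this thread is to compare pf.conf against the ruleset that is actually active (pfctl -sr) and to read the rule number out of the pflog line. The script below is an added example, not code from the thread or from OpenBSD: it takes a constructed pflog line and a constructed `pfctl -vvsr` dump (with `-vv`, pfctl prefixes every rule with its index, `@0`, `@1`, ...) and prints the rule that the `rule N/(match)` in the log refers to. With the ruleset in this thread, index 1 is `block drop all`. Since pf's last matching rule wins unless a rule is `quick`, a packet logged against that block rule never matched any of the later `pass in quick` rules, so the thing to check is why the pass rule did not match (for this thread, whether the destination address was covered by `(fxp0)` at all; replacing it with `any` is what resolved it). Function names and the RFC 5737 sample addresses are this example's own.

```shell
#!/bin/sh
# Added example: map the rule index in a pflog line back to the rule text
# in a saved ruleset dump.  Assumes the dump was taken with `pfctl -vvsr`,
# which prints each rule as "@<index> <rule>"; "rule <index>/(match)" in
# tcpdump's pflog output refers to that same index.  Function names are
# this example's own.

# Constructed sample: a shortened pfctl -vvsr dump of the ruleset in the
# thread (the per-rule counter lines that pfctl also prints are omitted).
RULESET='@0 match in all scrub (no-df)
@1 block drop all
@2 pass out all flags S/SA keep state
@3 pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
@4 pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state'

# Constructed sample pflog record in the form printed by
# `tcpdump -n -e -ttt -r /var/log/pflog`; addresses are RFC 5737 examples.
LOGLINE='Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0: 203.0.113.10.54711 > 198.51.100.5.22: S 2999658291:2999658291(0) win 5840'

# rule_from_log LOGLINE -> prints the index N from "rule N/(match)"
rule_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*rule \([0-9][0-9]*\)\/.*/\1/p'
}

# lookup_rule N RULESET -> prints the text of rule @N (nothing if absent)
lookup_rule() {
    printf '%s\n' "$2" | awk -v tag="@$1" '$1 == tag { $1 = ""; sub(/^ /, ""); print; exit }'
}

# explain LOGLINE RULESET -> "rule N: <rule text>"; fails when the line
# carries no rule index (not a pf log record) or the index is not in the dump
explain() {
    n=$(rule_from_log "$1")
    [ -n "$n" ] || { echo "no rule index in: $1" >&2; return 1; }
    rule=$(lookup_rule "$n" "$2")
    [ -n "$rule" ] || { echo "rule @$n not in dump" >&2; return 1; }
    printf 'rule %s: %s\n' "$n" "$rule"
}

# Usage: prints "rule 1: block drop all" for the sample above
explain "$LOGLINE" "$RULESET"
```

On a live box the dump comes from `pfctl -vvsr > /tmp/rules.txt` right after loading, and the log line from `tcpdump -n -e -ttt -r /var/log/pflog port 22`; the index only means something against the ruleset that was loaded when the packet was logged, so save the dump every time the ruleset changes.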
Newbie - Identifying IO bottlenick with systat. How to make sense of these numbers?
Hello,

I am trying to use systat to identify whether there is an IO bottleneck when my applications/db run. Linux systat shows more info and it seems there are more examples on the net, but even with BSD's iostat I don't know how to make sense of all these numbers. I ran it this way:

    systat iostat

    2 users    Load 1.94 1.06 0.68                  Mon Mar 22 11:57:16 2010

              DEVICE        READ      WRITE    RTPS   WTPS   SEC            STATS
              sd0        6786252    8530739     138    521   0.6    11839 numbufs
              cd0              0          0       0      0   0.0    11828 freebufs
              Totals     6786252    8530739     138    521   0.6    47350 numbufpages
                                                                        0 numfreepages
                                                                       96 numdirtypages
                                                                    47210 numcleanpages
                                                                      -17 pendingwrites
                                                                        0 pendingreads
                                                                     2611 numwrites
                                                                     2532 numreads
                                                                    22564 cachehits

Basically my biggest concern is that whenever I do a mysqldump all other queries are queued and mysql just gets way slow.

Also, this hard disk is marked as 30Gb/sec (384 megabytes / sec). Is it possible to saturate my HD IO and view the traffic per megabyte to see what is the maximum I can achieve?

Thanks...

Andres
possible relayd bug? intermittent SSL handshake errors SSL3_GET_FINISHED:digest check failed) , SSL3_GET_RECORD:decryption failed or bad record mac)
Hello,

I have a very simple relayd config:

    ## Macros
    #
    relayd_addr=xx.xx.xx.xx
    relayd_port=81
    web_port=80

    table web_hosts { xx.xx.xx.xx }

    ## Global Options
    #
    # Interval in seconds at which the back-end hosts
    # will be checked (default: 10 seconds)
    interval 10

    # Timeout for back-end servers to respond. Set to
    # 200 for local servers and around 1000 for servers
    # on other subnets. (default: 200 milliseconds)
    timeout 1000

    # Number of child processes to run. (default: 5)
    prefork 5

    # Log state notifications after completed host
    # checks. State can be up, down or unknown.
    log updates

    http protocol httpfilter {
        ### TCP performance options
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }

        ### Return HTTP/HTML error pages
        return error

        ### allow logging of remote client ips to internal web servers
        header append $REMOTE_ADDR to X-Forwarded-For

        ### set Keep-Alive timeout to global timeout
        header change Keep-Alive to $TIMEOUT

        ### close connections upon receipt
        header change Connection to close

        ssl { sslv3, tlsv1, ciphers HIGH:!ADH:!MD5, no sslv2 }
        ssl session cache disable
    }

    relay httpproxy {
        listen on $relayd_addr port $relayd_port ssl
        protocol httpfilter
        forward to web_hosts port $web_port mode loadbalance check icmp
    }

Intermittently the client making requests to it gets this error. 90% of the time it works without errors.

    (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client:

Then also, sometimes my client gets this error (this is more rare):

    (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking to upstream, client:

I have started relayd -vv -n and I don't get any errors, BUT sometimes for the last error mentioned I get this error in relayd:

    SSL library error: httpproxy: relay_ssl_accept: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

I have tried querying the relayd box directly from the outside with this command:

    openssl s_client -connect ip.of.relayd.box:81 -state -ssl3 -no_ssl2 -no_tls1

I have repeated that 100 times and I never get any errors. My remote client can GET any other SSL website without any problem. The cert installed in relayd is valid, with the exception that it doesn't match the hostname being asked for, but that shouldn't be an issue, right??

Please help.

Andres
Re: Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?
Hello,

I don't have obj on RAM, or /tmp. I am using make build.

Thank you

Andres

On Mon, Mar 1, 2010 at 5:48 AM, Marc Espie es...@nerim.net wrote:
> On Sun, Feb 28, 2010 at 11:02:37AM -0600, Andres Salazar wrote:
> > Hello,
> >
> > I am confused on the different result I get when I compile userland on any machine better than a Dual Core 2.5Ghz 2GB RAM 160GB 7200 SATA / SATA II
>
> You're not even telling us how you compile userland. How should we help?
>
> Is your obj in ram? your tmp in ram? are you building with make build? make -j4 build? something else?
Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?
Hello,

I am confused on the different results I get when I compile userland on any machine better than a Dual Core 2.5Ghz 2GB RAM 160GB 7200 SATA / SATA II.

On some machines I get a compile time of 45min, on other machines 30min, and in the best case I get 30min. Sometimes the machine that takes 45min is far better hardware than a DualCore, in this case a QuadCore with SATA II/SATA...

I am going to use these machines for database and I am very concerned about these results. Based on that I have this question:

Is it normal that this varies so much? (After all, a variation from 35min to 45min represents about 25% less efficiency!!)

Is there a better way to benchmark the IO of a hard disk on OpenBSD? What should be the normal for a hard disk scanned as sd SATA/SATA II with similar CPU/RAM as mentioned?

Andres
Re: Average time for compiling userland? == benchmarking CPU/IO? best result for database hosting?
On Sun, Feb 28, 2010 at 11:10 AM, Bret S. Lambert bret.lamb...@gmail.com wrote:
> > I am going to use these machines for database and I am very concerned about these results
>
> Honestly, you'd do better asking that on a list dedicated to whatever database you're going to be running. In addition to helping you choose hardware to fit your needs, they'll totally pimp your configs, too.

Thanks. It would still be interesting then to know what the average userland compilation is on similar hardware. Also, is there any standard way of benchmarking IO on OpenBSD?

Thanks

Andres
slow IO on PowerEdge R210 QUAD-CORE X3460 2.8GHz 4gb of RAM tested in AHCI ATA mode.
Hello,

I have 2 SATA drives without an additional SATA controller on this box. I have tried this in ATA mode, and also in AHCI mode. Disk reads are 50% higher. Userland compilation takes 55min when the usual on other similar hardware is 35min.

Could somebody check my dmesg and comment? It brings to my attention an error about the clock speed of the processor. I am running OpenBSD 4.6 i386. Please note that the kernel I am using is a stable kernel; I also tried with the release GENERIC.MP, same result.

OpenBSD 4.6-stable (GENERIC-13-12-09.MP) #0: Tue Feb 23 08:52:54 CST 2010 r...@odeon.my.domain:/usr/src/sys/arch/i386/compile/GENERIC-13-12-09.MP cpu0: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR real mem = 3210936320 (3062MB) avail mem = 3110584320 (2966MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 09/11/09, BIOS32 rev. 0 @ 0xfa0a0, SMBIOS rev. 2.6 @ 0xbf79c000 (62 entries) bios0: vendor Dell Inc. version 1.0.4 date 09/11/2009 bios0: Dell Inc. 
PowerEdge R210 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST BERT EINJ TCPA SSDT acpi0: wakeup devices PCI0(S5) USBA(S0) USBB(S0) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: unknown i686 model 0x1e, can't get bus clock (0x0) cpu0: apic clock running at 132MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu4 at mainbus0: apid 1 (application processor) cpu4: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu4: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu5 at mainbus0: apid 3 (application processor) cpu5: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu5: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu6 at mainbus0: apid 5 (application processor) cpu6: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz 
cpu6: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu7 at mainbus0: apid 7 (application processor) cpu7: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu7: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (LYD0) acpiprt2 at acpi0: bus -1 (LYD2) acpiprt3 at acpi0: bus 2 (PEX0) acpiprt4 at acpi0: bus -1 (PEX4) acpiprt5 at acpi0: bus -1 (PEX5) acpiprt6 at acpi0: bus 3 (COMP) acpicpu0 at acpi0: C3, C2, C1 acpicpu1 at acpi0: C3, C2, C1 acpicpu2 at acpi0: C3, C2, C1 acpicpu3 at acpi0: C3, C2, C1 acpicpu4 at acpi0: C3, C2, C1 acpicpu5 at acpi0: C3, C2, C1 acpicpu6 at acpi0: C3, C2, C1 acpicpu7 at acpi0: C3, C2, C1 bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2200 0xec000/0x4000! ipmi at mainbus0 not configured cpu0: EST: unknown system bus clock pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0xd130 rev 0x11 ppb0 at pci0 dev 3 function 0 vendor Intel, unknown product 0xd138 rev 0x11: apic 0 int 16 (irq 0) pci1 at ppb0 bus 1 vendor Intel, unknown product 0xd155 (class system subclass miscellaneous, rev 0x11) at pci0 dev 8 function 0 not configured vendor Intel, unknown product 0xd156 (class system subclass miscellaneous, rev 0x11) at pci0 dev 8 function 1 not configured vendor Intel, unknown product 0xd157 (class system subclass miscellaneous, rev 0x11) at pci0 dev 8 function 2 not configured vendor Intel, unknown
Re: slow IO on PowerEdge R210 QUAD-CORE X3460 2.8GHz 4gb of RAM tested in AHCI ATA mode.
Why would that be, Marco? What's special about this hardware?

On Tue, Feb 23, 2010 at 10:15 AM, Marco Peereboom sl...@peereboom.us wrote:
> You need -current to have a fighting chance with that server.
>
> On Tue, Feb 23, 2010 at 09:10:45AM -0600, Andres Salazar wrote:
> > Hello,
> >
> > I have 2 SATA drives without an additional SATA controller on this box. I have tried this in ATA mode, and also in AHCI mode. Disk reads are 50% higher. Userland compilation takes 55min when the usual on other similar hardware is 35min.
> >
> > Could somebody check my dmesg and comment? It brings to my attention an error about the clock speed of the processor. I am running OpenBSD 4.6 i386. Please note that the kernel I am using is a stable kernel; I also tried with the release GENERIC.MP, same result.

OpenBSD 4.6-stable (GENERIC-13-12-09.MP) #0: Tue Feb 23 08:52:54 CST 2010 r...@odeon.my.domain:/usr/src/sys/arch/i386/compile/GENERIC-13-12-09.MP cpu0: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR real mem = 3210936320 (3062MB) avail mem = 3110584320 (2966MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 09/11/09, BIOS32 rev. 0 @ 0xfa0a0, SMBIOS rev. 2.6 @ 0xbf79c000 (62 entries) bios0: vendor Dell Inc. version 1.0.4 date 09/11/2009 bios0: Dell Inc. 
PowerEdge R210 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST BERT EINJ TCPA SSDT acpi0: wakeup devices PCI0(S5) USBA(S0) USBB(S0) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: unknown i686 model 0x1e, can't get bus clock (0x0) cpu0: apic clock running at 132MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu4 at mainbus0: apid 1 (application processor) cpu4: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu4: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu5 at mainbus0: apid 3 (application processor) cpu5: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu5: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu6 at mainbus0: apid 5 (application processor) cpu6: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 
2.80 GHz cpu6: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu7 at mainbus0: apid 7 (application processor) cpu7: Intel(R) Xeon(R) CPU X3460 @ 2.80GHz (GenuineIntel 686-class) 2.80 GHz cpu7: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (LYD0) acpiprt2 at acpi0: bus -1 (LYD2) acpiprt3 at acpi0: bus 2 (PEX0) acpiprt4 at acpi0: bus -1 (PEX4) acpiprt5 at acpi0: bus -1 (PEX5) acpiprt6 at acpi0: bus 3 (COMP) acpicpu0 at acpi0: C3, C2, C1 acpicpu1 at acpi0: C3, C2, C1 acpicpu2 at acpi0: C3, C2, C1 acpicpu3 at acpi0: C3, C2, C1 acpicpu4 at acpi0: C3, C2, C1 acpicpu5 at acpi0: C3, C2, C1 acpicpu6 at acpi0: C3, C2, C1 acpicpu7 at acpi0: C3, C2, C1 bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x2200 0xec000/0x4000! ipmi at mainbus0 not configured cpu0: EST: unknown system bus clock pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0xd130 rev 0x11 ppb0 at pci0 dev 3 function 0 vendor Intel, unknown product 0xd138 rev 0x11: apic 0 int 16 (irq 0) pci1 at ppb0 bus 1 vendor Intel, unknown product 0xd155 (class
Slow IO in PowerEdge R200 X3330 2.66Ghz 2x3MB Cache.
Hello,

I had an R201 running 4.6 i386 stable. I was told this configuration was very new, so I got a new box; this time it's a PowerEdge R200 without any special PCI SATA controller, with 2 SATA II hard disks. The BIOS SATA setting is set to ATA mode (it's either this or OFF).

Even after all this change, and a clean install, the IO is 55% greater than on all my other machines. For example a userland recompile takes 55min, vs. 35min on another box with the same proc and RAM.

Below is my dmesg, in which I don't see any flag?? Possibly there must be some incompatibility with the hard disk?

OpenBSD 4.6-stable (GENERIC-13-12-09.MP) #0: Tue Feb 23 16:08:43 CST 2010 r...@bazz.my.domain:/usr/src/sys/arch/i386/compile/GENERIC-13-12-09.MP cpu0: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR real mem = 3487866880 (3326MB) avail mem = 3383250944 (3226MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 05/15/09, BIOS32 rev. 0 @ 0xfac90, SMBIOS rev. 2.5 @ 0xcff9c000 (46 entries) bios0: vendor Dell Inc. version 1.4.3 date 05/15/2009 bios0: Dell Inc. 
PowerEdge R200 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ SSDT SSDT SSDT SSDT SSDT acpi0: wakeup devices PCI0(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 333MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu2 at mainbus0: apid 2 (application processor) cpu2: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 4 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (PEX1) acpiprt2 at acpi0: bus 2 (SBE0) acpiprt3 at acpi0: bus 3 (SBE4) acpiprt4 at acpi0: bus 4 (SBE5) acpiprt5 at acpi0: bus 5 (COMP) acpicpu0 at acpi0: PSS acpicpu1 at acpi0: PSS acpicpu2 at acpi0: PSS acpicpu3 at acpi0: PSS bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1800 0xec000/0x4000! 
ipmi at mainbus0 not configured cpu0: Enhanced SpeedStep 2667 MHz: speeds: 2667, 2333, 2000 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel 3200/3210 Host rev 0x01 ppb0 at pci0 dev 1 function 0 Intel 3200/3210 PCIE rev 0x01: apic 4 int 16 (irq 15) pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 4 int 16 (irq 15) pci2 at ppb1 bus 2 ppb2 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02 pci3 at ppb2 bus 3 bge0 at pci3 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1 (0x4201): apic 4 int 16 (irq 15), address 00:25:64:3c:7f:8c brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 ppb3 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02 pci4 at ppb3 bus 4 bge1 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1 (0x4201): apic 4 int 17 (irq 14), address 00:25:64:3c:7f:8d brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 uhci0 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: apic 4 int 21 (irq 11) uhci1 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: apic 4 int 20 (irq 10) uhci2 at pci0 dev 29 function 2 Intel 82801I USB rev 0x02: apic 4 int 21 (irq 11) ehci0 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: apic 4 int 21 (irq 11) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb4 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92 pci5 at ppb4 bus 5 vga1 at pci5 dev 5 function 0 ATI ES1000 rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) radeondrm0 at vga1: apic 4 int 19 (irq 5) drm0 at radeondrm0 ichpcib0 at pci0 dev 31 function 0 Intel 82801IR LPC rev 0x02: PM disabled pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide0: using apic 4 int 23 (irq 6) for native-PCI interrupt wd0 at pciide0 channel 0 drive 0: ST3250310NS wd0: 
16-sector
Re: Slow IO in PowerEdge R200 X3330 2.66Ghz 2x3MB Cache.
Hello,

I believe that these disks are SATA II (http://www.seagate.com/ww/v/index.jsp?vgnextoid=6278576e14ee9110VgnVCM10 f5ee0a0aRCRD) and thus would always fall under the wd driver as per the man page. I believe that sd is for SCSI only. Is this assumption correct?

Andres

On Tue, Feb 23, 2010 at 3:36 PM, Marco Peereboom sl...@peereboom.us wrote:
> Your disks are still wd so io sucks. Use -current.
>
> On Tue, Feb 23, 2010 at 03:22:28PM -0600, Andres Salazar wrote:
> > Hello,
> >
> > I had an R201 running 4.6 i386 stable. I was told this configuration was very new, so I got a new box; this time it's a PowerEdge R200 without any special PCI SATA controller, with 2 SATA II hard disks. The BIOS SATA setting is set to ATA mode (it's either this or OFF).
> >
> > Even after all this change, and a clean install, the IO is 55% greater than on all my other machines. For example a userland recompile takes 55min, vs. 35min on another box with the same proc and RAM.
> >
> > Below is my dmesg, in which I don't see any flag?? Possibly there must be some incompatibility with the hard disk?

OpenBSD 4.6-stable (GENERIC-13-12-09.MP) #0: Tue Feb 23 16:08:43 CST 2010 r...@bazz.my.domain:/usr/src/sys/arch/i386/compile/GENERIC-13-12-09.MP cpu0: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR real mem = 3487866880 (3326MB) avail mem = 3383250944 (3226MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 05/15/09, BIOS32 rev. 0 @ 0xfac90, SMBIOS rev. 2.5 @ 0xcff9c000 (46 entries) bios0: vendor Dell Inc. version 1.4.3 date 05/15/2009 bios0: Dell Inc. 
PowerEdge R200 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ SSDT SSDT SSDT SSDT SSDT acpi0: wakeup devices PCI0(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 333MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu2 at mainbus0: apid 2 (application processor) cpu2: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Xeon(R) CPU X3330 @ 2.66GHz (GenuineIntel 686-class) 2.67 GHz cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,C X16,xTPR ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 4 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (PEX1) acpiprt2 at acpi0: bus 2 (SBE0) acpiprt3 at acpi0: bus 3 (SBE4) acpiprt4 at acpi0: bus 4 (SBE5) acpiprt5 at acpi0: bus 5 (COMP) acpicpu0 at acpi0: PSS acpicpu1 at acpi0: PSS acpicpu2 at acpi0: PSS acpicpu3 at acpi0: PSS bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1800 0xec000/0x4000! 
ipmi at mainbus0 not configured cpu0: Enhanced SpeedStep 2667 MHz: speeds: 2667, 2333, 2000 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel 3200/3210 Host rev 0x01 ppb0 at pci0 dev 1 function 0 Intel 3200/3210 PCIE rev 0x01: apic 4 int 16 (irq 15) pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: apic 4 int 16 (irq 15) pci2 at ppb1 bus 2 ppb2 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02 pci3 at ppb2 bus 3 bge0 at pci3 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1 (0x4201): apic 4 int 16 (irq 15), address 00:25:64:3c:7f:8c brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 ppb3 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02 pci4 at ppb3 bus 4 bge1 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1 (0x4201): apic 4 int 17 (irq 14), address 00:25:64:3c:7f:8d brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 uhci0 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: apic 4 int 21 (irq 11) uhci1 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: apic 4 int 20 (irq 10) uhci2 at pci0 dev 29 function 2 Intel 82801I USB rev 0x02: apic 4 int 21 (irq 11) ehci0 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: apic 4 int 21 (irq 11) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb4 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92 pci5 at ppb4 bus 5
Broadcom NetXtreme II BCM5716 1000Base-T being recognized with bnx instead of bge.. is that OK?
Greetings. I have a Dell R210 with a built-in Broadcom NetXtreme II BCM5716 1000Base-T that is being recognized by bnx instead of bge, and I am having problems starting the network within the OpenBSD 4.6 installer. I noticed that the manual for bge says: "The bge driver provides support for various NICs based on the Broadcom BCM570x, 571x". That would include my BCM5716, wouldn't it? Is there a problem if it is getting recognized by the other driver? Thanks Andres
possible to configure PF to simulate latency and 1% packet loss?
Hello, Is it possible to write a rule in pf to simulate 300ms of latency? This is for testing purposes. A plus would be to simulate 1% packet loss. Many thanks!!
Encrypt entire filesystem with AES 256bit. Softraid tutorial?
Hello, I am looking for ways to encrypt my entire filesystem, but it must be with AES 256 bits... I've been searching and I deduce that the only option I have is using softraid; however, I am unable to find any tutorial or guide. Does anybody know if this is possible, if I have any other option (with a 256-bit AES cipher), and if there is a guide? Thank you. Andres
PF: Help with a very simple bandwidth capping using hfsc
Hello, For some reason I cannot get this to work properly... We have a 1 Megabyte/sec connection, and I want this box to be capped at up to 200 KiloBytes/sec. However, every time I try, it always ends up using the entire link. If I modify it to 1Kb, it ends up using around 80 Kilobytes/sec.

# cat /etc/pf.conf
t_externa = re0

## Queueing
altq on $t_externa bandwidth 200Kb hfsc queue { bulk, ack }
queue ack bandwidth 20% priority 2 qlimit 500 hfsc (realtime 20%)
queue bulk bandwidth 80% priority 1 qlimit 500 hfsc (realtime 60% default)

block all
#pass out from self to any
antispoof quick for { lo0 }
pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
    port 22 keep state
pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
    port 53 keep state
pass out quick on $t_externa inet proto tcp from ($t_externa) to any \
    port { 80 443 }

### ICMP
pass inet proto icmp all icmp-type { echoreq, unreach } keep state

This is what systat queues says:

5 users    Load 0.77 0.53 0.42    Wed Dec 9 17:59:16 2009
QUEUE     BW    SCH   PRIO  PKTS  BYTES  DROP_P  DROP_B  QLEN  BORROW  SUSPEN  P/S  B/S
root_re0  200K  hfsc  0     0     0      0       0       0     0
ack       4     hfsc  2     0     0      0       0       0     0
bulk      160K  hfsc  27060 1818302 00 62 373 25006

This is what I can download at: 776 KiB/sec using lynx. I am using OpenBSD 4.6. Thanks Andres
Re: PF: Help with a very simple bandwidth capping using hfsc
Hello, In this case the queue bulk is the one set as default, and indeed I do see the traffic passing through it with the command you gave me. Please advise. Thanks Andres
Re: PF: Help with a very simple bandwidth capping using hfsc
Thank you for your suggestions.. however, in this particular case I can still download at 615 Kbytes/sec. At least now I can download at a lesser rate with the following:

altq on $t_externa bandwidth 200Kb hfsc queue { bulk, ack }
queue ack bandwidth 20% priority 2 qlimit 500 hfsc (realtime 40Kb upperlimit 40Kb)
queue bulk bandwidth 80% priority 1 qlimit 500 hfsc (realtime 120Kb upperlimit 120Kb default)

But I still cannot accomplish what I need. Andres

On Wed, Dec 9, 2009 at 2:01 PM, Bryan S. Leaman lea...@bitbytes.com wrote:

Andres Salazar wrote: Hello, For some reason I cannot get this to work properly... We have a 1 Megabyte/sec connection, and I want this box to be capped at up to 200 KiloBytes/sec. However, every time I try, it always ends up using the entire link. If I modify it to 1Kb, it ends up using around 80 Kilobytes/sec.

I don't think you can use the upperlimit directive in the altq definition, but you can use it on each queue to force a maximum amount of bandwidth, i.e. queue ack bandwidth 20% priority 2 qlimit 500 hfsc (realtime 40Kb upperlimit 40Kb). If you want each child to be able to borrow free bandwidth from the total 200Kb, then you can create a queue with upperlimit of 200Kb and create your ack and bulk as subqueues with realtime of 40Kb and 160Kb so they have guaranteed bandwidth, but then they can also borrow any free bandwidth from the 200Kb parent when it's available. I'm doing this in one case and it works fine. Bryan
Re: PF: Help with a very simple bandwidth capping using hfsc
I just tried on a new install of 4.5, and still no go. Help is appreciated.
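A worked configuration for the capping problem in this thread, added here as an example; it is not taken from the thread or from the PF FAQ. Two things in the posted ruleset explain the numbers seen. First, `Kb` in pf.conf is kilobits per second, so `bandwidth 200Kb` is 25 KB/s, not 200 KB/s. Second, ALTQ only queues packets leaving an interface: a queue on re0 shapes this box's uploads and its TCP ACKs, never the data arriving from the Internet, which is why squeezing the queue to 1Kb slowed the download to about 80 KB/s (starved ACKs) without ever capping it. To cap what arrives, the box has to forward that traffic and queue it on the interface it leaves through, so the example assumes a router with a LAN on an internal interface (sk0 and 192.168.10.0/24 are assumed names) and the 4.6 ALTQ syntax; 1600Kb is 200 KB/s expressed in bits.

```pf
# Added example, not from the thread: cap LAN downloads at 200 KB/s with HFSC.
# Assumed interface and network names; adjust to the box.
ext_if = "re0"
int_if = "sk0"
lan    = "192.168.10.0/24"

set skip on lo

# Units: pf bandwidth is in bits, so 200 KB/s is 1600Kb. The root bandwidth
# must be below what the link really delivers, otherwise no queue ever
# builds and HFSC has nothing to shape.
# Direction: ALTQ shapes packets leaving the interface. Downloads for the
# LAN leave through $int_if, so the download queues live there.
altq on $int_if bandwidth 1600Kb hfsc queue { bulk, ack }
queue ack  bandwidth 20% qlimit 500 hfsc(realtime 320Kb upperlimit 320Kb)
queue bulk bandwidth 80% qlimit 500 hfsc(realtime 1280Kb upperlimit 1280Kb default)

# Uploads leave through $ext_if and get their own, separate queues.
altq on $ext_if bandwidth 1600Kb hfsc queue { up_bulk, up_ack }
queue up_ack  bandwidth 20% qlimit 500 hfsc(realtime 320Kb upperlimit 320Kb)
queue up_bulk bandwidth 80% qlimit 500 hfsc(realtime 1280Kb upperlimit 1280Kb default)

nat on $ext_if from $lan to any -> ($ext_if)

block all
antispoof quick for { lo0 $int_if }

# Assignment: packets are placed in a named queue by the rule that created
# their state, and the queue takes effect on whichever interface defines
# a queue of that name. "queue (bulk, ack)" sends pure ACKs to the second
# queue so bulk transfers in one direction do not throttle the other.
pass in  quick on $int_if inet proto tcp from $lan to any \
    port { 80 443 } flags S/SA keep state queue (bulk, ack)
pass in  quick on $int_if inet proto { tcp udp } from $lan to any \
    port 53 keep state queue bulk
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port { 80 443 } flags S/SA keep state queue (up_bulk, up_ack)
pass out quick on $ext_if inet proto { tcp udp } from ($ext_if) to any \
    port 53 keep state queue up_bulk
```

Check it with pfctl -nf /etc/pf.conf before loading, then watch systat queues while downloading through the LAN: the bulk queue on sk0 should show bytes and, once the cap bites, drops. On the endpoint itself, as in the original post, the only lever ALTQ offers is the ACK rate, which is what the 1Kb experiment was exercising.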
About priorities in /etc/resolv.conf
Hello, I have experienced that even though I set up 3 servers in /etc/resolv.conf, if the first one gets slow it apparently will not use the others until it is completely down. Is there any way to actually force the OS to pick another resolver if one of them is very slow? Thank you Andres
Anyway to force IP to be assigned only if MAC matches?
Hello, I have DHCP enabled on my LAN, which assigns an IP according to the client's MAC address; however, if a user wanted to be malicious he could statically assign any IP to his NIC. Isn't there any way I can force my ARP tables to only allow IPs to be assigned if the MAC address matches? Thanks Andres
PF: Possible to load-balance connectivity of a LAN to different gateways per IP?
Hey guys, I know it is possible to route an interface to another gateway via route-to. But what if I want to load-balance specific IPs to specific gateways in my box? Is this possible? Thank you --Andres
nfe0: tx v2 error 6204UNDERFLOW
Hello all, I have three machines that have an integrated NIC. Dmesg says they are:

nfe0 at pci0 dev 7 function 0 NVIDIA MCP61 LAN rev 0xa2: apic 2 int 10 (irq 10), address 00:0f:ea:63:41:fd
rlphy0 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1

However, on all of them, when a download is initiated they spit out this error:

nfe0: tx v2 error 6204UNDERFLOW

I am using 4.5 stable. Is this a significant error? I don't see a performance issue... but I'd like to know what the implications are. Thank you -- Andres
PF simple rdr help?
Hello guys, I have the following rules.. I am trying to put the IP of the PF box into the browser and have it get the page that's on 208.99.249.95. When I do that the connection just hangs and doesn't give me any content.

cat /etc/pf.conf
## Macros
## TABLES
## GLOBAL OPTIONS
## TRAFFIC NORMALIZATION
## QUEUEING RULES
## TRANSLATION RULES (NAT)
rdr pass on re0 proto tcp from any to any port 80 -> 208.99.249.95
## FILTER RULES
pass in log all keep state
pass out log all keep state

# cat /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets

pflog says:
Oct 08 00:44:27.605603 rule 0/(match) rdr in on re0: my.ip.here.50755 > 208.99.249.95.80: S 6447955:6447955(0) win 5840 <mss 1460,sackOK,timestamp 8290643[|tcp]> (DF)
Oct 08 00:44:27.605612 rule 1/(match) pass out on re0: my.ip.here.50755 > 208.99.249.95.80: S 6447955:6447955(0) win 5840 <mss 1460,sackOK,timestamp 8290643[|tcp]> (DF)

Thanks for the help. Andres
Re: PF simple rdr help?
Dorian, Thank you. I take it for granted that match is for 4.6. That's fine. What is the difference between passing it on to netcat and doing it directly? Aside from this I also need to redirect a range of ports (1500-2000).. and I think the issue would get more difficult if I do it with this method.. --Andres

On Wed, Oct 7, 2009 at 6:38 PM, Dorian Büttner dorian.buett...@gmx.de wrote:

Probably what you want might be something like this in pf.conf:

match in on $int_if proto tcp from any to ($ext_if) port www rdr-to 127.0.0.1 port 5000

and in inetd.conf:

127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 my.internal.gateway.ip.here 80

I believe this was somewhere in the pf faq, not exactly sure; you should start inetd of course. If I'm right you wanna see what your home hosted httpd is doing on the outside interface using your dyndns fqdn from the internal network or similar. Actually there are changes in pf so you might want to specify your version. Regards, Dorian
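The hang in the posted ruleset follows from its own pflog lines: the rdr rewrote the destination to 208.99.249.95 and the SYN went back out on re0, the same interface it arrived on, still carrying the client's source address. 208.99.249.95 then answers the client directly, the client receives a SYN/ACK from an address it never connected to and drops it, and the connection sits there. The fix is to translate the source as well, so the reply path runs back through the PF box. Below is an added example, not from the thread or the PF FAQ, in the match/nat-to/rdr-to syntax that 4.6 introduced; it also carries the 1500-2000 range asked about. Assumed: re0 is the only interface (as in the posted config); the target address is the one from the post.

```pf
# Added example: redirect to an outside host with "reflection", so the
# server's replies come back through this box instead of going straight
# to the client. Assumes the 4.6 match/nat-to/rdr-to syntax and that re0
# is the only interface, as in the posted pf.conf.
ext_if = "re0"
target = "208.99.249.95"

set skip on lo

# Pre-4.6 equivalent of the two translation steps below:
#   rdr pass on re0 proto tcp from any to (re0) port { 80, 1500:2000 } -> 208.99.249.95
#   nat on re0 proto tcp from any to 208.99.249.95 port { 80, 1500:2000 } -> (re0)

block log all

# Connections to this box's port 80 and 1500-2000 go to the target.
# Without a port after rdr-to the original destination port is kept,
# which is what a range needs.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port { 80, 1500:2000 } flags S/SA rdr-to $target

# As the redirected packet leaves on the same interface, rewrite its source
# to this box so the target replies to us. This is the step the posted
# ruleset was missing; it is also why the target's logs will show this
# box's address rather than the real client.
match out on $ext_if inet proto tcp from any to $target \
    port { 80, 1500:2000 } nat-to ($ext_if)

pass out quick on $ext_if inet proto tcp from any to $target \
    port { 80, 1500:2000 } flags S/SA
```

net.inet.ip.forwarding=1, already set in the post, is still required because the redirected packet is forwarded rather than delivered locally. Compared with Dorian's inetd/nc approach, this keeps the TCP sessions end to end and needs no user-space process per connection, at the cost of hiding the client's address from the target; the nc method is the one to use when the target is only reachable via a separate internal interface and no nat-to should be applied there.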
applying errata vs. building userland from source
Hello, What is the best practice when building a new machine, or why would one prefer one over the other: a.) Compile kernel and userland from a recent -stable src checkout, or b.) Apply all the errata from http://www.openbsd.org/errata45.html ? Both are equivalent, is this correct? Thank you. --Andres
KVM macros and OpenBSD
Hello, I am sure other people have run into the same dilemma, where some macros don't work on a KVM. Brands tested: Lantronix SLS / Raritan Dominion KX2 232. Macros are being received by the system, as you can do the ctrl-alt-f2 macro which changes the current terminal - this works. I do not know why it is not accepting ctrl-alt-del at the OS level (neither is it accepting ctrl+alt+esc for ddb), but it does so at BIOS level (reboot the box, let it go through the BIOS, then ask the keyboard macro to perform ctrl-alt-del - this works).

sysctl.conf contains:
ddb.panic=0
machdep.kbdreset=1
ddb.console=1

Help appreciated. Andres
Boxes hanging intermittently. Anybody seen such ?
Hello, During the past week two boxes on the same network have stopped responding. They run OpenBSD 4.5 i386 and I have looked at every possible log to find out why this occurs; however, I haven't been able to spot anything unusual. All of a sudden they just stop responding to requests. What these freezes have in common is that when the boxes are reached via the KVM they present the login screen, and they allow text to be entered in the login field... but upon hitting enter for it to ask for the password, that's when it just hangs. I am afraid this will keep on happening and I would like to know if anybody has experienced this before.. these have been perfectly working boxes and it would be odd for both to have the same problem in the same few days. Upon a reboot everything returns to normal. Thank you. Andres
apache1.3 without jail and PHP cannot execute some system binaries..why?
Hello, I have a script that is being called from the web; it invokes the system() function and I try to test running some system commands to see if they are properly invoked. Apache is running without the jail (-d) due to special needs. mv and cp do not display any output (they do not execute), while cat and ls do. If I run the script via the command line all of the commands display output (even if it's the usage help info of each command). I have tried running the commands with the absolute path, and without. The permissions and ownership for /bin are all the same and are system defaults. What could be wrong? Andres
Re: apache1.3 without jail and PHP cannot execute some system binaries..why?
Yes, I am sorry, typo: I meant I disabled chroot with -u. I went over the php.ini and there is nothing listed in disable_functions. Please advise. Thanks
Re: apache1.3 without jail and PHP cannot execute some system binaries..why?
I have also tried using the user www and executing the script.. it works fine.. It just doesn't work via the web.

On Fri, Aug 14, 2009 at 11:04 AM, Andres Salazar ndrsslz...@gmail.com wrote: Yes, I am sorry, typo: I meant I disabled chroot with -u. I went over the php.ini and there is nothing listed in disable_functions. Please advise. Thanks
Re: apache1.3 without jail and PHP cannot execute some system binaries..why?
ls -la /bin pretty much says that the permissions and ownership are the same for mv, cp, cat, ls. I don't think it's a permission/ownership issue. Please advise.

On Fri, Aug 14, 2009 at 11:18 AM,

# ls -la
total 14192
drwxr-xr-x   2 root  wheel    1024 Aug  4 11:58 .
drwxr-xr-x  14 root  wheel     512 Aug  4 11:59 ..
-r-xr-xr-x   2 root  bin     82636 Aug  4 11:58 [
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 cat
-r-xr-xr-x   3 root  bin    180940 Aug  4 11:58 chgrp
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 chio
-r-xr-xr-x   3 root  bin    180940 Aug  4 11:58 chmod
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 cksum
-r-xr-xr-x   1 root  bin    111308 Aug  4 11:58 cp
-r-xr-xr-x   3 root  bin    271052 Aug  4 11:58 cpio
-r-xr-xr-x   1 root  bin    291532 Aug  4 11:58 csh
-r-xr-xr-x   1 root  bin    103116 Aug  4 11:58 date
-r-xr-xr-x   1 root  bin     90828 Aug  4 11:58 dd
-r-xr-xr-x   1 root  bin     94924 Aug  4 11:58 df
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 domainname
-r-xr-xr-x   1 root  bin     78540 Aug  4 11:58 echo
-r-xr-xr-x   1 root  bin    168652 Aug  4 11:58 ed
-r-xr-xr-x   2 root  bin    209612 Aug  4 11:58 eject
-r-xr-xr-x   1 root  bin    119500 Aug  4 11:58 expr
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 hostname
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 kill
-r-xr-xr-x   3 root  bin    332492 Aug  4 11:58 ksh
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 ln
-r-xr-xr-x   1 root  bin    180940 Aug  4 11:58 ls
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 md5
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 mkdir
-r-xr-xr-x   2 root  bin    209612 Aug  4 11:58 mt
-r-xr-xr-x   1 root  bin    164556 Aug  4 11:58 mv
-r-xr-xr-x   3 root  bin    271052 Aug  4 11:58 pax
-r-xr-xr-x   1 root  bin    201420 Aug  4 11:58 ps
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 pwd
-r-xr-xr-x   1 root  bin    221900 Aug  4 11:58 rcp
-r-xr-xr-x   3 root  bin    332492 Aug  4 11:58 rksh
-r-xr-xr-x   1 root  bin    180940 Aug  4 11:58 rm
-r-xr-xr-x   1 root  bin     86732 Aug  4 11:58 rmail
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 rmd160
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 rmdir
-r-xr-xr-x   3 root  bin    332492 Aug  4 11:58 sh
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 sha1
-r-xr-xr-x   1 root  bin     99020 Aug  4 11:58 sleep
-r-xr-xr-x   1 root  bin    115404 Aug  4 11:58 stty
-r-xr-xr-x   5 root  bin    123596 Aug  4 11:58 sum
-r-xr-xr-x   1 root  bin     82636 Aug  4 11:58 sync
-r-xr-xr-x   1 root  bin    352972 Aug  4 11:58 systrace
-r-xr-xr-x   3 root  bin    271052 Aug  4 11:58 tar
-r-xr-xr-x   2 root  bin     82636 Aug  4 11:58 test
Intermittent Segmentation fault (11) with new port updates for Compilation of apache-httpd-2.2.11 and php5.2.10 . Bug??
Hello,

Environment: OpenBSD 4.5 stable, generic MP kernel. Dmesg here: http://pastebin.com/m5f5e96fe

Summary: We have a special need to use Apache 2 with PHP5. Before the ports were updated from php5.2.6 and apache 2.2.9 this procedure worked 100%, and now, even on a new install, just by calling phpinfo() I am getting the following intermittent errors in the error log and a white screen:

Error: [Sun Aug 09 12:47:27 2009] [notice] child pid 12566 exit signal Segmentation fault (11)

Ruled out: I have ruled out hardware issues by totally replacing the box and also doing a fresh install. I have made sure all X11 file sets were installed because they are needed for compilation.

How to recreate the problem:
a.) Compiled the kernel to stable, rebooted, and compiled userland to stable.
b.) Downloaded the latest ports from the stable branch.
c.) cd /usr/ports/www/apache-httpd/; make; make install. Confirmed successful install of apache 2.2.11.
d.) cd /usr/ports/www/php5/core; vi Makefile and changed:
    CONFIGURE_ARGS+=--with-apxs=/usr/sbin/apxs \
    to
    CONFIGURE_ARGS+=--with-apxs2=/usr/local/sbin/apxs2 \
    then make; make install. Confirmed the installation of php5.2.10.
e.) Configured httpd2.conf so that it loads the php5 module: LoadModule php5_module /usr/local/lib/php/libphp5.so
f.) cd /usr/ports/www/php5/extensions; vi Makefile and changed:
    CONFIGURE_ARGS+=--with-apxs=/usr/sbin/apxs \
    to
    CONFIGURE_ARGS+=--with-apxs2=/usr/local/sbin/apxs2 \
    then make; make install.
g.) export PKG_PATH=/usr/ports/packages/i386/all/; pkg_add php5-bz2 php5-curl php5-gd php5-gmp php5-mbstring php5-mcrypt php5-mhash php5-mysql php5-shmop. (This will grab the packages compiled from the PKG_PATH.)
h.) Placed an info.php file in the apache2 htdocs and refreshed it many times; many of those generate that error and images (logos) don't load. The issue is totally INTERMITTENT.

After I rebooted I could load phpinfo() fine, but then I tried installing phpmyadmin and sometimes some functions just yield the error. Sometimes the issue is so bad all the pages load half way. I am about to throw myself out the window because I've tried for days to look for a specific pattern as to when the segmentation fault is generated, but it is absolutely random. Sometimes my sites don't generate the seg fault error but just log a 500 error without further explanation. I have repeated this so many times that sometimes it isn't even necessary to load the extensions; just the php5-core will error. Please advise! Andres
Re: How to activate extensions after compiling php5 core and extensions? No instructions!
Aaron, I suppose that according to the Makefile for the extensions all of them should be enabled. I also suppose that the correct extension_dir path for the modules to be placed in would be /var/www/lib/php/modules. However, this isn't the case... where do I get the modules from to activate them in the php.ini? Thanks Andres

On Wed, Aug 5, 2009 at 11:06 PM, Bryan bra...@gmail.com wrote:

On Wed, Aug 5, 2009 at 20:25, Andres Salazar ndrsslz...@gmail.com wrote: Hello, OpenBSD 4.5 stable. I have done the following: cd /usr/ports/www/php5/core; make; make install; cd /usr/ports/www/php5/extensions; make; make install; That according to pkg_info installed: php5-core-5.2.10 server-side HTML-embedded scripting language; php5-extensions-5.2.10 informational package about PHP5 extensions. The instructions after finishing the extensions compiling said: --- php5-extensions-5.2.10 --- This is a place-holder package to inform you that the PHP port is now split into small sub-packages, designed to allow you to install modules independently of the main PHP engine. For example, to install the IMAP module, just pkg_add the php5-imap-5.2.10.tgz package and activate it using the 'phpxs' command. I tried doing pkg_add php5-mysql-5.2.10.tar; however, that just tries to install it from the packages (and of course it won't because the packages offer 5.2.8)... and then the phpxs command doesn't exist. What am I missing to actually finish the install of all the php5 extensions?

I believe the instructions are in the php-core package. Back in the day, I would issue phpxs and the extension name to enable it... but I may be wrong... Regards, Bryan
How to activate extensions after compiling php5 core and extensions? No instructions!
Hello, OpenBSD 4.5 stable. I have done the following:

cd /usr/ports/www/php5/core; make; make install;
cd /usr/ports/www/php5/extensions; make; make install;

That according to pkg_info installed:

php5-core-5.2.10        server-side HTML-embedded scripting language
php5-extensions-5.2.10  informational package about PHP5 extensions

The instructions after finishing the extensions compiling said:

--- php5-extensions-5.2.10 ---
This is a place-holder package to inform you that the PHP port is now split into small sub-packages, designed to allow you to install modules independently of the main PHP engine. For example, to install the IMAP module, just pkg_add the php5-imap-5.2.10.tgz package and activate it using the 'phpxs' command.

I tried doing pkg_add php5-mysql-5.2.10.tar; however, that just tries to install it from the packages (and of course it won't because the packages offer 5.2.8)... and then the phpxs command doesn't exist. What am I missing to actually finish the install of all the php5 extensions? Thanks Andres
Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?
Hello Jason, Thank you for assisting me in getting this together.. I do understand that translation happens before filtering (at least I think I do); what I don't understand is why the filtering is done with pass in if traffic is actually going from within the int_if2 network to the outside? Where is the traffic actually going in?

pass in on $int_if2 inet proto udp from $int_if2:network to any \
    port 53

Thank you. Andres

On Sun, Jul 26, 2009 at 6:36 PM, Jason Dixon ja...@dixongroup.net wrote:

On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote: Hello Jason, I understood the purpose of allowing internet access for the firewall itself. However this is exactly where I am still stuck. By doing this after our default block all: pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port { 53 80 22 443 } I am actually allowing it for both $int_if and $int_if2, thus the following port restriction rules are not getting evaluated.

In an effort to simplify your ruleset I was guilty of forgetting that translation happens before filtering. Here is a new version that filters on the internal interfaces. Let me know if you have any questions.

ext_if = re1
int_if = re0
int_if2 = re2

set skip on lo
scrub in

nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
    -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
    -> ($ext_if)

block all
pass out on $ext_if
pass in on $int_if inet proto tcp from $int_if:network to any \
    port { 53 80 }
pass in on $int_if inet proto udp from $int_if:network to any \
    port 53
pass in on $int_if2 inet proto tcp from $int_if2:network to any \
    port { 22 53 80 443 }
pass in on $int_if2 inet proto udp from $int_if2:network to any \
    port 53

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?
I apologize that my ruleset isn't very clear. I am trying to put together a ruleset that will allow the following access:

Outbound port 80 (web) 53 (domain) from users at $int_if via $ext_if
Outbound port 80 (web) 53 (domain) 443 (ssl) 22 (ssh) from $int_if2 via $ext_if

Thank you for the help. Andres
Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?
Thank you for the help. I believe that I already tried something similar and could not access the internet from behind $int_if or $int_if2. Traffic is getting blocked by block all as per the following pflog1:

Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 190.40.3.10.53: 22454+[|domain] (DF)
Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 190.40.3.13.53: 37289+[|domain] (DF)
Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 190.40.3.13.53: 14850+[|domain] (DF)

192.168.1.2 is the IP of the firewall itself in relation to $ext_if. Additionally I tried the following:

block all
pass out on $ext_if
pass out log on $ext_if inet proto tcp from $int_if:network to any \
    port { 53 80 }
pass out log on $ext_if inet proto udp from $int_if:network to any \
    port 53
pass out log on $ext_if inet proto tcp from $int_if2:network to any \
    port { 22 53 80 443 }
pass out log on $ext_if inet proto udp from $int_if2:network to any \
    port 53

However, that way both $int_if and $int_if2 would have internet access but the port restriction rulesets would not match. I think there is some conflict between the rules and NAT, as once the packets are NATed the firewall doesn't recognize the real source? I am confused. Thank you Andres

On Sun, Jul 26, 2009 at 1:16 AM, Jason Dixon ja...@dixongroup.net wrote:

On Sun, Jul 26, 2009 at 12:58:08AM -0500, Andres Salazar wrote: I apologize that my ruleset isn't very clear. I am trying to put together a ruleset that will allow the following access: Outbound port 80 (web) 53 (domain) from users at $int_if via $ext_if. Outbound port 80 (web) 53 (domain) 443 (ssl) 22 (ssh) from $int_if2 via $ext_if.

Here's a basic ruleset that meets your requirements. Hasn't been tested for syntax. Note that I make no effort to filter traffic between the two internal segments. This would require a different approach (no set skip on internal if's, pass in on the internal if's explicitly). There are also no pass out rules for traffic originating from the firewall itself, you'll probably want to add something for this.

ext_if = re1
int_if = re0
int_if2 = re2

set skip on { lo $int_if $int_if2 }
scrub in

nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
    -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
    -> ($ext_if)

block all
pass out on $ext_if inet proto tcp from $int_if:network to any \
    port { 53 80 }
pass out on $ext_if inet proto udp from $int_if:network to any \
    port 53
pass out on $ext_if inet proto tcp from $int_if2:network to any \
    port { 22 53 80 443 }
pass out on $ext_if inet proto udp from $int_if2:network to any \
    port 53

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?
Hello Jason, I understood the purpose of allowing internet access for the firewall itself. However, this is exactly where I am still stuck. By doing this after our default block all:

pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
    port { 53 80 22 443 }

I am actually allowing it for both $int_if and $int_if2, thus the following port restriction rules are not getting evaluated. Full ruleset is here: http://pastebin.com/d3f292c50 Andres

On Sun, Jul 26, 2009 at 12:32 PM, Jason Dixon ja...@dixongroup.net wrote:

On Sun, Jul 26, 2009 at 12:14:53PM -0500, Andres Salazar wrote: Thank you for the help. I believe that I already tried something similar and could not access the internet from behind $int_if or $int_if2. Traffic is getting blocked by block all as per the following pflog1: Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 190.40.3.10.53: 22454+[|domain] (DF) Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 190.40.3.13.53: 37289+[|domain] (DF) Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 190.40.3.13.53: 14850+[|domain] (DF) 192.168.1.2 is the IP of the firewall itself in relation to $ext_if.

To reiterate: There are also no pass out rules for traffic originating from the firewall itself, you'll probably want to add something for this. Add a pass rule for outbound traffic from the firewall itself. Adjust for any additional services that it should be able to reach.

pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?
Hello Patrick, I also tried your approach, but in the end it behaves the same. Without the pass out I don't have internet on either of the two interfaces; with it, I just have totally open ports on both of the interfaces. The restrictive port rules are being ignored. Any help is much appreciated. Andres

On Sun, Jul 26, 2009 at 1:05 AM, patrick keshishian pkesh...@gmail.com wrote:

On Sat, Jul 25, 2009 at 9:23 PM, Jason Dixon ja...@dixongroup.net wrote:

On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote: Hello OpenBSD-misc, I have a newbie question in pf that I've been trying to debug on what would be wrong with my ruleset. I am trying to have the users that are on $int_if only have ports 80 52 opened out, and users on $int_if be able to have fewer restrictions and more ports out. So far I have something like this but it isn't working:

Allow me to be the first to say RTFAQ.

ext_if = re1
int_if = re0
int_if2 = re2
set skip on lo
scrub in
nat on re1 from re0:network to any -> re1
nat on re1 from re2:network to any -> re1
block all
pass quick on $ext_if // I have added this so that the firewall itself has full internet access
#pass in quick on $int_if

Here you're blocking all by default (inbound and outbound on all interfaces), but then you immediately pass quick (outbound *and* inbound) on your external interface. Very wrong.

pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
    port 53 keep state
pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
    port 80 keep state

Here you're passing outbound on your external interface for DNS and http traffic. But a) you've already allowed everything on $ext_if so this is unnecessary, and b) you've never allowed any traffic from your internal interfaces. Honestly, I don't know *what* you're trying to accomplish because your description doesn't match anything in your ruleset. Perhaps you can describe again what you're trying to do and what the differences are supposed to be between $int_if and $int_if2.

I think he has a few typos in his email that cause confusion. I think what he wants is something like the following, which is not tested, and I know this is a copout, but I'm tired and should not be doing this:

/ --\
ext_if = re1
int_if = re0     # only ports 53 and 80 allowed out
int_if2 = re2    # no restrictions on outbound traffic

set skip on lo
match in all scrub (no-df)

# XXX
# XXX I do not use NAT so leaving this to the experts
nat on re1 from re0:network to any -> re1
nat on re1 from re2:network to any -> re1

block all
pass out
pass in on $int_if2
pass in log on $int_if inet proto { tcp, udp } from any to any port { 53, 80 }
\ --/

He may need finer control over who from $int_if2 is allowed access to the firewall. --patrick
PF: 3 NICS. 1 WAN, 2 LAN. How to manage each LAN open ports individually?
Hello OpenBSD-misc, I have a newbie question in pf that I've been trying to debug on what would be wrong with my ruleset. I am trying to have the users that are on $int_if only have ports 80 52 opened out, and users on $int_if be able to have fewer restrictions and more ports out. So far I have something like this but it isn't working:

ext_if = re1
int_if = re0
int_if2 = re2

set skip on lo
scrub in

nat on re1 from re0:network to any -> re1
nat on re1 from re2:network to any -> re1

block all
pass quick on $ext_if // I have added this so that the firewall itself has full internet access
#pass in quick on $int_if

pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
    port 53 keep state
pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
    port 80 keep state

I appreciate the help... Andres
Nagios package incomplete? Anybody got it working? OBSD 4.5
Hello, I am using OBSD 4.5, and I tried to install Nagios nagios-3.0.6p1 (also tried nagios-3.0.6p1-chroot) from packages.. and I've noticed that after the install the WebGUI files are missing and there is no instruction whatsoever on whether one should need to get these from somewhere else..? (The FAQ on nagios.org also takes for granted that the install includes the files.) Seeing this failed, I also tried compiling from ports with no luck... the /var/www/nagios is created and left empty. What could it be that I am missing? Thanks Andres
Re: What kernel to use for a Quad Processor, or Dual Xeon 3.0ghz
On Sat, Jul 11, 2009 at 1:54 AM, Jan-Erik Skata jesk...@gmail.com wrote: Yes, you should use the SMP kernel on multicore CPUs as well. I have usually just moved /bsd.mp onto /bsd and rebooted. Otherwise only one CPU and/or core will be used.

Ok, however since this is Symmetric MultiProcessing, then I wouldn't benefit from running a MySQL server because this is a single thread and it would still only use one core, right? Does OpenBSD support asymmetrical processing? Thank you Andres
What kernel to use for a Quad Processor, or Dual Xeon 3.0ghz
Hello community, I have two boxes: a Quad Core Processor with 4GB RAM, and a Dual Xeon 3.0 Ghz with 2GB of RAM. I have heard contradicting information as to whether I can use both the MP and the REGULAR kernel (i386 or amd64) and that both would give me the same performance.. Isn't it true that if I apply the regular kernel on these boxes I would be wasting CPU power? Per top it would only show one CPU. Also.. is it better to use amd64 or i386.. or doesn't it matter? Thank you. Andres
Re: Letting FTP out through PF with a default block all
Hmm, I am starting to think that ftp-proxy isn't possible with a default block all in the pf.conf due to a BUG???

The PF FAQ at openbsd gives the example of ftp-proxy with

  block in
  pass out all

which actually defeats the purpose of doing ftp proxy for outgoing connections if you have free access to the outside!!

So at the end, can anybody share if they have gotten ftp-proxy to work with block all?

Thanks

Andres

On Tue, May 26, 2009 at 5:51 PM, Andres Salazar <ndrsslz...@gmail.com> wrote:
> Hello,
>
> Before posting I acknowledge I have read the FAQ.. based on that this is my PF config:
>
> t_externa = re0
>
> set block-policy drop
> set loginterface $t_externa
> set limit states 10
> set limit frags 30
> set limit src-nodes 5
> set optimization aggressive
> set skip on lo0
> set debug urgent
>
> scrub in on $t_externa all
> scrub out on $t_externa all random-id
>
> nat-anchor ftp-proxy/*
> rdr-anchor ftp-proxy/*
> rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> block all
>
> anchor ftp-proxy/*
>
> antispoof quick for { lo }
>
> #SSH
> pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
>     port 22 flags S/SA modulate state
>
> ##DNS
> pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
>     port 53 keep state
>
> ##FTP
> pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
>     port ftp flags S/SA modulate state
> pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
>     port 8021 flags S/SA modulate state
>
> If I do block log all, a tcpdump on pflog receives this:
>
> May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
> May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
>
> 58 is my IP, 129 is ftp.openbsd.org.
>
> I have also made sure that ftp-proxy is running; if I do telnet localhost 8021 I get:
>
> orion:~$ telnet localhost 8021
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> which I think suggests that I am running it correctly.
>
> My conclusion is that somehow the rdr part to port 8021 isn't taking place.. so the communication isn't channeled to the proxy..?
>
> pfctl -s all reads:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat-anchor ftp-proxy/* all
> rdr-anchor ftp-proxy/* all
> rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
>
> FILTER RULES:
> scrub in on re0 all fragment reassemble
> scrub out on re0 all random-id fragment reassemble
> block drop all
> anchor ftp-proxy/* all
> block drop in quick on ! lo inet from 127.0.0.0/8 to any
> block drop in quick on ! lo inet6 from ::1 to any
> block drop in quick inet6 from ::1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick inet from 127.0.0.1 to any
> pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
> pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
> pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
> pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state
>
> No queue in use
>
> I have also started ftp-proxy with and without the -r flag.
>
> Thank you.
>
> Andres
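The reply above asks whether ftp-proxy can work at all behind a default "block all". As an added example that is not part of this thread and is not the PF FAQ's own text, here is a minimal pf.conf in the old nat/rdr syntax the thread uses, for FTP clients on a LAN interface; the names ext_if, int_if, lan and proxy are assumptions. Two things in the quoted ruleset are worth noting against it. First, an rdr rule only matches packets that enter the named interface, and the rdr in the quoted config is on re0, the external interface; the quoted pflog shows the blocked SYNs carrying re0's own address (58.46.80.70) as source, so the FTP client was running on the firewall itself, whose outgoing packets never enter re0 and therefore never hit that rdr. The control connection then goes to the server directly under the "pass out ... port ftp" rule, the proxy never sees it, and nothing is inserted into the ftp-proxy anchor for the data channels, which is exactly what the log shows being dropped (inbound SYNs from server port 20, an outbound SYN to a high port on the server). Second, "set limit states 10" caps the whole state table at ten entries.

```pf
# Added example (not from the thread or the PF FAQ): ftp-proxy(8) behind a
# default "block all", in the pre-4.7 nat/rdr syntax this thread uses.
# Assumed names: ext_if, int_if, lan, proxy.
ext_if = "re0"
int_if = "em0"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"

set skip on lo0
# The quoted ruleset has "set limit states 10"; that caps the entire state
# table at ten entries.  Leave the default unless you really mean it.

scrub in all

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# rdr matches packets ENTERING $int_if, i.e. FTP clients on the LAN.  A
# client on the firewall itself never matches: its packets leave via
# $ext_if and reach the server directly, bypassing the proxy.
# "pass" on the rdr lets the redirected packet through the filter with its
# rewritten destination (127.0.0.1:8021); without it, "block all" below
# drops it even though the rdr itself was applied.
rdr pass on $int_if proto tcp from $lan to any port 21 -> $proxy port 8021

nat on $ext_if from $lan to any -> ($ext_if)

block log all

# ftp-proxy inserts the per-session rules for the data channels (PORT and
# PASV) into this anchor; under "block all" nothing else lets them through.
anchor "ftp-proxy/*"

# The proxy's own control connection to the server, sourced from the
# firewall's external address.  This is the rule the FAQ's "pass out all"
# was covering.
pass out quick on $ext_if proto tcp from ($ext_if) to any port 21 \
    flags S/SA keep state
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, then watch "pfctl -a 'ftp-proxy/*' -sr" while a LAN client logs in: the anchor should fill with pass rules for the data channel of each session. If it stays empty, the control connection is not reaching the proxy, and the rdr is the place to look.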
Best supported Asterisk interface for OpenBSD?
I would like to ask the OBSD community if someone can recommend a well-supported interface for Asterisk on OBSD. I have heard that FreePBX is really a pain to configure because it assumes a Linux environment.

Could anybody share their experience?

Thank you.

Andres
Letting FTP out through PF with a default block all
Hello,

Before posting I acknowledge I have read the FAQ.. based on that this is my PF config:

t_externa = re0

set block-policy drop
set loginterface $t_externa
set limit states 10
set limit frags 30
set limit src-nodes 5
set optimization aggressive
set skip on lo0
set debug urgent

scrub in on $t_externa all
scrub out on $t_externa all random-id

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

anchor ftp-proxy/*

antispoof quick for { lo }

#SSH
pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
    port 22 flags S/SA modulate state

##DNS
pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
    port 53 keep state

##FTP
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port ftp flags S/SA modulate state
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port 8021 flags S/SA modulate state

If I do block log all, a tcpdump on pflog receives this:

May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

58 is my IP, 129 is ftp.openbsd.org.

I have also made sure that ftp-proxy is running; if I do telnet localhost 8021 I get:

orion:~$ telnet localhost 8021
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

which I think suggests that I am running it correctly.

My conclusion is that somehow the rdr part to port 8021 isn't taking place.. so the communication isn't channeled to the proxy..?

pfctl -s all reads:

# pfctl -s all
TRANSLATION RULES:
nat-anchor ftp-proxy/* all
rdr-anchor ftp-proxy/* all
rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in on re0 all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop all
anchor ftp-proxy/* all
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet from 127.0.0.1 to any
pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state

No queue in use

I have also started ftp-proxy with and without the -r flag.

Thank you.

Andres
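Reading the pflog lines in the post above: as an added example that is not part of the post, the following POSIX sh/awk script classifies "block" entries from tcpdump on pflog0 as FTP control-channel or data-channel packets. The embedded sample is a constructed copy of the four lines the post quotes; the FTP server's address is passed in as an argument because the log alone does not say which peer is the server. On those lines it reports no blocked control-channel packets and four blocked data-channel packets (one outbound passive-mode SYN to a high port on the server, three inbound active-mode SYNs from server port 20). With "block log all" every drop is logged, so that pattern means the control connection itself was not blocked: it went to the server directly instead of through the proxy, and nothing was inserted into the ftp-proxy anchor for the data channels.

```shell
#!/bin/sh
# Added example, not from the original post: classify "block" lines from
#   tcpdump -n -e -ttt -i pflog0
# as FTP control or data channels.  Needs only POSIX sh and awk.

# Constructed sample: a copy of the four pflog lines quoted in the post.
SAMPLE_PFLOG='May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)'

# classify_pflog FTP_SERVER_IP  < pflog-lines
# Prints one line per blocked packet: direction src:port dst:port role
#   ftp-control       port 21 on either end
#   ftp-active-data   inbound SYN from the server's port 20 (PORT mode)
#   ftp-passive-data  outbound SYN to a high port on the server (PASV mode)
#   unrelated         anything else
classify_pflog() {
    awk -v ftpsrv="$1" '
    /block (in|out) on/ {
        dir = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "block") dir = $(i + 1)
            if ($i == ">")     { src = $(i - 1); dst = $(i + 1) }
        }
        sub(/:$/, "", dst)                      # tcpdump puts a colon after dst
        n = split(src, s, "."); sport = s[n] + 0; sip = s[1] "." s[2] "." s[3] "." s[4]
        n = split(dst, d, "."); dport = d[n] + 0; dip = d[1] "." d[2] "." d[3] "." d[4]
        role = "unrelated"
        if (sport == 21 || dport == 21)
            role = "ftp-control"
        else if (dir == "in" && sip == ftpsrv && sport == 20)
            role = "ftp-active-data"
        else if (dir == "out" && dip == ftpsrv && dport > 1023)
            role = "ftp-passive-data"
        print dir, sip ":" sport, dip ":" dport, role
    }'
}

# ftp_verdict  < classify_pflog-output
# Counts control-channel vs data-channel blocks.  Zero control blocks with
# data blocks present means the control connection was never blocked (so it
# bypassed the proxy) and the proxy anchor holds no rules for the data side.
ftp_verdict() {
    awk '
    $NF == "ftp-control"                { c++ }
    $NF ~ /^ftp-(active|passive)-data$/ { d++ }
    END { print "control-blocked=" c + 0 " data-blocked=" d + 0 }'
}

# Usage with the constructed sample (129.128.5.191 is the FTP server in it):
printf '%s\n' "$SAMPLE_PFLOG" | classify_pflog 129.128.5.191
printf '%s\n' "$SAMPLE_PFLOG" | classify_pflog 129.128.5.191 | ftp_verdict
```

On a live box feed it from the pflog interface instead of the sample, e.g. tcpdump -n -e -ttt -i pflog0 | classify_pflog 129.128.5.191; the passive-data heuristic (any outbound SYN to a high port on the given server) is deliberately broad, so pass the exact server address rather than a guess.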