Re: dhcpleased losing route

2023-05-11 Thread David Diggles
Yes this is now fixed.  Thanks everyone!

Stuart's suggestion of "received-on" is indeed excellent
and is what I've used.

On Thu, May 11, 2023 at 04:13:34PM +0200, Florian Obser wrote:
> On 2023-05-11 08:08 +10, David Diggles wrote:
> > On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote:
> >> 
> >> This looks like the thing I ran into a while ago where I had an overly
> >> broad nat-to rule for outgoing traffic that applied to traffic from the
> >> host as well as the networks behind it.  This meant dhcpleased's unicast
> >> packets appeared to come from a high port, so my provider's dhcp server
> >> rejected them.  It looks like David is actually using the same provider
> >> as me.
> >> 
> >> If there's a pf rule like 'match out on $iface nat-to ($iface)', making
> >> that only apply to traffic received on another interface will probably
> >> help.
> >
> > The nat rule I have 
> >
> > match out on egress nat-to (egress)
> >
> 
> Yes, pretty sure this is causing your issue, like Jonathan was
> describing.
> 
> -- 
> In my defence, I have been left unsupervised.
> 



Re: dhcpleased losing route

2023-05-11 Thread David Diggles
t;x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163
23:34:54.068231 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c 
C:202.63.67.36 Y:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:ACK 
SM:255.255.254.0 DG:202.63.66.1 NS:119.40.106.35,119.40.106.36 
NTP:125.253.59.254 LT:600 SID:202.63.66.1 MSZ:1500 CID:1.32.201.208.21.60.163 
[tos 0xc0]
23:38:54.011351 202.63.67.36.68 > 202.63.66.1.67:  xid:0xede3396c 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400 HN:"x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163
23:38:54.065951 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c 
C:202.63.67.36 Y:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:ACK 
SM:255.255.254.0 DG:202.63.66.1 NS:119.40.106.35,119.40.106.36 
NTP:125.253.59.254 LT:600 SID:202.63.66.1 MSZ:1500 CID:1.32.201.208.21.60.163 
[tos 0xc0]
23:43:06.011349 202.63.67.36.68 > 202.63.66.1.67:  xid:0xede3396c 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400 HN:"x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163
23:43:06.059754 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c 
C:202.63.67.36 Y:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:ACK 
SM:255.255.254.0 DG:202.63.66.1 NS:119.40.106.35,119.40.106.36 
NTP:125.253.59.254 LT:600 SID:202.63.66.1 MSZ:1500 CID:1.32.201.208.21.60.163 
[tos 0xc0]
23:47:11.081188 202.63.67.36.68 > 202.63.66.1.67:  xid:0xede3396c 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400 HN:"x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163
23:47:11.130797 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c 
C:202.63.67.36 Y:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:ACK 
SM:255.255.254.0 DG:202.63.66.1 NS:119.40.106.35,119.40.106.36 
NTP:125.253.59.254 LT:600 SID:202.63.66.1 MSZ:1500 CID:1.32.201.208.21.60.163 
[tos 0xc0]
23:51:10.011259 202.63.67.36.68 > 202.63.66.1.67:  xid:0xede3396c 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400 HN:"x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163
23:51:10.059479 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c 
C:202.63.67.36 Y:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:ACK 
SM:255.255.254.0 DG:202.63.66.1 NS:119.40.106.35,119.40.106.36 
NTP:125.253.59.254 LT:600 SID:202.63.66.1 MSZ:1500 CID:1.32.201.208.21.60.163 
[tos 0xc0]
23:56:04.011188 202.63.67.36.68 > 202.63.66.1.67:  xid:0xede3396c 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400 HN:"x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163
23:56:04.061148 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c 
C:202.63.67.36 Y:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:ACK 
SM:255.255.254.0 DG:202.63.66.1 NS:119.40.106.35,119.40.106.36 
NTP:125.253.59.254 LT:600 SID:202.63.66.1 MSZ:1500 CID:1.32.201.208.21.60.163 
[tos 0xc0]

On Thu, May 11, 2023 at 09:13:04AM +0200, Mike Fischer wrote:
> You are still getting a 5 minute lease. So that seems to be normal for your 
> provider? (Maybe they only have a very limited pool of IPv4 addresses and 
> want to be able to reuse them ASAP? Might explain why the initial DHCP:OFFER 
> took so long as well.)
> 
> But you don???t show what happens when the lease is to be renewed in your 
> dump. That is where you received the NAK on OpenBSD which caused your machine 
> to temporarily loose the IP, the gateway and the name servers.
> 
> Does your provider offer IPv6? You may be better off using that.
> 
> > On 11.05.2023 at 05:08, David Diggles wrote:
> > 
> > Ok here's the Apple pcap for a working implementation.
> > 
> > tcpdump -r airport.dhcp.pcap
> >
> > tcpdump: WARNING: snaplen raised from 116 to 1500
> > 12:26:04.010316 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5fc12750 
> > secs:28 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> > MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> > 12:26:27.806275 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
> > vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> > MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> > 12:26:33.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
> > secs:6 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> > MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> > 12:26:44.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
> > secs:17 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> > MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
> > 12:26:49.707196 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
> > vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
> > MSZ:1500 CID:1.32

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
Ok here's the Apple pcap for a working implementation.

tcpdump -r airport.dhcp.pcap
tcpdump: WARNING: snaplen raised from 116 to 1500
12:26:04.010316 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5fc12750 
secs:28 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
12:26:27.806275 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
CID:1.32.201.208.21.60.163 [tos 0x10]
12:26:33.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a secs:6 
vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
CID:1.32.201.208.21.60.163 [tos 0x10]
12:26:44.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0xb4e0b61a 
secs:17 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
12:26:49.707196 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
CID:1.32.201.208.21.60.163 [tos 0x10]
12:26:55.010311 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 secs:6 
vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
CID:1.32.201.208.21.60.163 [tos 0x10]
12:27:03.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
secs:14 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
12:27:12.010312 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x5886fe16 
secs:23 vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS 
MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
12:27:57.010496 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x34861165 
vend-rfc1048 DHCP:DISCOVER LT:86400 HN:"x" PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 
CID:1.32.201.208.21.60.163 [tos 0x10]
12:27:57.227277 202.63.66.1.bootps > 255.255.255.255.bootpc:  xid:0x34861165 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether 20:c9:d0:15:3c:a3 
vend-rfc1048 DHCP:OFFER SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0xc0]
12:27:57.228177 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x34861165 
vend-rfc1048 DHCP:REQUEST SID:202.63.66.1 LT:86400 RQ:202.63.67.36 HN:"x" 
PR:SM+TZ+DG+DN+NS+HN+WNS MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0x10]
12:27:58.075046 202.63.66.1.bootps > 255.255.255.255.bootpc:  xid:0x34861165 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether 20:c9:d0:15:3c:a3 
vend-rfc1048 DHCP:ACK SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
MSZ:1500 CID:1.32.201.208.21.60.163 [tos 0xc0]

On Thu, May 11, 2023 at 12:20:48AM +0200, Sebastian Benoit wrote:
> I think that output does not help much because it does not show the DHCP
> packet contents.
> 
> You could write the capture to a file with "-w filename" and then copy the
> file to the OpenBSD box for printing with "-r filename". Or send the raw
> pcap file.
> 
> /B.



Re: dhcpleased losing route

2023-05-10 Thread David Diggles
Thanks Florian, here's a tcpdump from the Apple (NetBSD) router.
This implementation isn't losing the default route.

tcpdump -n -i mgi1 -s1500 -vv port 67 or 68
tcpdump: listening on mgi1, link-type EN10MB (Ethernet), capture size 1500 bytes
07:15:36.010329 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], length: 
328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length: 300
07:15:40.326961 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], length: 
328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length: 300
07:15:47.010316 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], length: 
328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length: 300
07:15:47.065803 IP (tos 0xc0, ttl 128, id 47543, offset 0, flags [none], 
length: 328) 202.63.66.1.67 > 255.255.255.255.68: [udp sum ok] UDP, length: 300
07:15:47.066581 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], length: 
328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] UDP, length: 300
07:15:47.281209 IP (tos 0xc0, ttl 128, id 59063, offset 0, flags [none], 
length: 328) 202.63.66.1.67 > 255.255.255.255.68: [udp sum ok] UDP, length: 300
07:20:42.239765 IP (tos 0x0, ttl  64, id 31050, offset 0, flags [none], length: 
328, bad cksum 0 (->e6b6)!) 202.63.67.36.68 > 202.63.66.1.67: [bad udp cksum 
8b57!] UDP, length: 300
07:20:42.288197 IP (tos 0xc0, ttl 128, id 45441, offset 0, flags [none], 
length: 328) 202.63.66.1.67 > 202.63.67.36.68: [udp sum ok] UDP, length: 300
07:25:07.019747 IP (tos 0x0, ttl  64, id 18503, offset 0, flags [none], length: 
328, bad cksum 0 (->17ba)!) 202.63.67.36.68 > 202.63.66.1.67: [bad udp cksum 
8b57!] UDP, length: 300
07:25:07.085454 IP (tos 0xc0, ttl 128, id 28472, offset 0, flags [none], 
length: 328) 202.63.66.1.67 > 202.63.67.36.68: [udp sum ok] UDP, length: 300
07:30:08.019746 IP (tos 0x0, ttl  64, id 46516, offset 0, flags [none], length: 
328, bad cksum 0 (->aa4c)!) 202.63.67.36.68 > 202.63.66.1.67: [bad udp cksum 
8b57!] UDP, length: 300
07:30:08.068323 IP (tos 0xc0, ttl 128, id 21000, offset 0, flags [none], 
length: 328) 202.63.66.1.67 > 202.63.67.36.68: [udp sum ok] UDP, length: 300

On Wed, May 10, 2023 at 04:38:25PM +0200, Florian Obser wrote:
> ( this is a good dhcp state diagram to follow along at home: 
> https://commons.wikimedia.org/wiki/File:DHCP_Client_State_Diagram_-_en.png )
> 
> On 2023-05-10 23:07 +10, David Diggles wrote:
> > I probably should have done numeric tcpdump output. Here's both again.
> >
> > tcpdump: WARNING: snaplen raised from 116 to 1500
> > 22:36:40.276682 0.0.0.0.68 > 255.255.255.255.67: xid:0x74253f08 
> > vend-rfc1048 DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 
> > PR:SM+DG+NS+HN+DN+BR+119+121 RQ:202.63.67.36 [tos 0x10]
> 
> dhcpleased starts up and we have a lease file in /var/db/dhcpleased/, we
> are in INIT-REBOOT and ask the dhcp server via broadcast if we can use
> our previous IP address 202.63.67.36. We go to state REBOOTING.
> 
> > 22:36:40.327371 202.63.66.1.67 > 255.255.255.255.68: xid:0x74253f08 
> > flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether dc:9f:db:28:14:bf 
> > vend-rfc1048 DHCP:ACK SM:255.255.254.0 DG:202.63.66.1 
> > NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
> > CID:1.220.159.219.40.20.191 [tos 0xc0]
> 
> dhcp server: yeah, that's fine (DHCP:ACK). Lifetime is 600 seconds. We
> configure the interface and go into state BOUND.
> 
> some time passes
> 
> > 22:41:40.422661 202.63.67.36.56480 > 202.63.66.1.67: (request) 
> > xid:0xa180ce6b C:202.63.67.36 vend-rfc1048 DHCP:REQUEST HN:"sarah" 
> > CID:1.220.159.219.40.20.191 PR:SM+DG+NS+HN+DN+BR+119+121
> 
> Time T1 expires, we send a unicast DHCPREQUEST to the dhcpserver: is it
> OK to hold on to our IP address? We go into state RENEWING.
> 
> > 22:41:40.434534 202.63.66.1.67 > 202.63.67.36.68:  xid:0xa180ce6b 
> > C:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:NACK SID:202.63.66.1 
> > CID:1.220.159.219.40.20.191 [tos 0xc0]
> 
> dhcp server: Absolutely not! DHCP:NACK.
> 
> RFC 2131 has this:
> 
>   If the client receives a DHCPNAK message, it cannot reuse its
>   remembered network address.  It must instead request a new
>   address by restarting the configuration process, this time
>   using the (non-abbreviated) procedure described in section
>   3.1.  This action also corresponds to the client moving to
>   the INIT state in the DHCP state diagram.
> 
> There is not a lot of wiggle room, we MUST remove our address. We go to
> state INIT.
> 
> > 22:41:40.442012 0.0.0.0.68 > 255.255.255.255.67:  xid:0x6a13ec33 
> > vend-rfc1048 DHCP:DISCOVER HN:"sarah" CID:1.220.159.219.40.20.191 
> > PR:SM+DG+NS+HN+DN+BR+119+121 [

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote:
> 
> This looks like the thing I ran into a while ago where I had an overly
> broad nat-to rule for outgoing traffic that applied to traffic from the
> host as well as the networks behind it.  This meant dhcpleased's unicast
> packets appeared to come from a high port, so my provider's dhcp server
> rejected them.  It looks like David is actually using the same provider
> as me.
> 
> If there's a pf rule like 'match out on $iface nat-to ($iface)', making
> that only apply to traffic received on another interface will probably
> help.

The nat rule I have 

match out on egress nat-to (egress)



Re: dhcpleased losing route

2023-05-10 Thread David Diggles
I probably should have done numeric tcpdump output. Here's both again.

tcpdump: WARNING: snaplen raised from 116 to 1500
22:36:40.276682 0.0.0.0.68 > 255.255.255.255.67:  xid:0x74253f08 vend-rfc1048 
DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 RQ:202.63.67.36 [tos 0x10]
22:36:40.327371 202.63.66.1.67 > 255.255.255.255.68:  xid:0x74253f08 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether dc:9f:db:28:14:bf 
vend-rfc1048 DHCP:ACK SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]
22:41:40.422661 202.63.67.36.56480 > 202.63.66.1.67: (request) xid:0xa180ce6b 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121
22:41:40.434534 202.63.66.1.67 > 202.63.67.36.68:  xid:0xa180ce6b 
C:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:NACK SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]
22:41:40.442012 0.0.0.0.68 > 255.255.255.255.67:  xid:0x6a13ec33 vend-rfc1048 
DHCP:DISCOVER HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 [tos 0x10]
22:41:41.532272 0.0.0.0.68 > 255.255.255.255.67:  xid:0x6a13ec33 vend-rfc1048 
DHCP:DISCOVER HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 [tos 0x10]
22:41:41.653804 202.63.66.1.67 > 255.255.255.255.68:  xid:0x6a13ec33 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether dc:9f:db:28:14:bf 
vend-rfc1048 DHCP:OFFER SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]
22:41:41.658881 0.0.0.0.68 > 255.255.255.255.67:  xid:0xdafa3da4 vend-rfc1048 
DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 RQ:202.63.67.36 SID:202.63.66.1 [tos 0x10]
22:41:42.414218 202.63.66.1.67 > 255.255.255.255.68:  xid:0xdafa3da4 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether dc:9f:db:28:14:bf 
vend-rfc1048 DHCP:ACK SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]
22:46:42.512451 202.63.67.36.63976 > 202.63.66.1.67: (request) xid:0x953f83f1 
C:202.63.67.36 vend-rfc1048 DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121
22:46:42.525222 202.63.66.1.67 > 202.63.67.36.68:  xid:0x953f83f1 
C:202.63.67.36 S:172.21.116.42 vend-rfc1048 DHCP:NACK SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]
22:46:42.531574 0.0.0.0.68 > 255.255.255.255.67:  xid:0x66009a6e vend-rfc1048 
DHCP:DISCOVER HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 [tos 0x10]
22:46:43.622162 0.0.0.0.68 > 255.255.255.255.67:  xid:0x66009a6e vend-rfc1048 
DHCP:DISCOVER HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 [tos 0x10]
22:46:43.762685 202.63.66.1.67 > 255.255.255.255.68:  xid:0x66009a6e 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether dc:9f:db:28:14:bf 
vend-rfc1048 DHCP:OFFER SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]
22:46:43.768051 0.0.0.0.68 > 255.255.255.255.67:  xid:0xfe3d764f vend-rfc1048 
DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 
PR:SM+DG+NS+HN+DN+BR+119+121 RQ:202.63.67.36 SID:202.63.66.1 [tos 0x10]
22:46:44.526556 202.63.66.1.67 > 255.255.255.255.68:  xid:0xfe3d764f 
flags:0x8000 Y:202.63.67.36 S:172.21.116.42 ether dc:9f:db:28:14:bf 
vend-rfc1048 DHCP:ACK SM:255.255.254.0 DG:202.63.66.1 
NS:119.40.106.35,119.40.106.36 NTP:125.253.59.254 LT:600 SID:202.63.66.1 
CID:1.220.159.219.40.20.191 [tos 0xc0]

state_transition[cnmac2] Down -> Rebooting, timo: 1
DHCPREQUEST on cnmac2
parse_dhcp, from: 0e:a2:00:04:00:03, to: ff:ff:ff:ff:ff:ff
parse_dhcp: 202.63.66.1:67 -> 255.255.255.255:68
dhcp_hdr op: Boot Reply (2)
dhcp_hdr htype: Ethernet (1)
dhcp_hdr hlen: 6
dhcp_hdr hops: 0
dhcp_hdr xid: 0x74253f08
dhcp_hdr secs: 0
dhcp_hdr flags: 0x8000
dhcp_hdr ciaddr: 0.0.0.0
dhcp_hdr yiaddr: 202.63.67.36
dhcp_hdr siaddr: 172.21.116.42
dhcp_hdr giaddr: 0.0.0.0
dhcp_hdr chaddr: dc:9f:db:28:14:bf ()
DHO_DHCP_MESSAGE_TYPE: DHCPACK
DHO_SUBNET_MASK: 255.255.254.0
DHO_ROUTER: 202.63.66.1
DHO_DOMAIN_NAME_SERVERS: 119.40.106.35 (1/2)
DHO_DOMAIN_NAME_SERVERS: 119.40.106.36 (2/2)
DHO_42, len: 4
DHO_DHCP_LEASE_TIME 600s
DHO_DHCP_SERVER_IDENTIFIER: 202.63.66.1
DHO_END
DHCPACK on cnmac2 from 0e:a2:00:04:00:03/202.63.66.1 to 
ff:ff:ff:ff:ff:ff/255.255.255.255
adding 202.63.67.36 to cnmac2 (lease from 202.63.66.1)
adding nameservers 119.40.106.35 119.40.106.36 (lease from 202.63.66.1 on 
cnmac2)
state_transition[cnmac2] Rebooting -> Bound, timo: 300
configure_interface cnmac2
iface_timeout[3]: Bound
state_transition[cnmac2] Bound -> Renewing, timo: 112
DHCPREQUEST on cnmac2
parse_dhcp, from: 0e:a2:00:04:00:03, to: dc:9f:db:28:14:bf
parse_dhcp: 202.63.66.1:67 -> 202.63.67.36:68
dhcp_hdr op: Boot Reply (2)
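The numeric dump above is the sequence Florian walks through state by state in his reply (INIT-REBOOT, REBOOTING, BOUND, RENEWING, back to INIT on the NAK), and the `202.63.67.36.56480 > 202.63.66.1.67` renewals are the high-source-port symptom Jonathan describes. As an added example, not code from this thread or from dhcpleased itself, the script below parses `tcpdump -n` DHCP summary lines, replays that client state machine, and flags every unicast DHCPREQUEST that did not leave from UDP port 68, pairing it with the DHCPNAK that carries the same xid. The sample inputs are abridged from the two dumps posted in this thread (options trimmed); the state table is the subset of RFC 2131 that these dumps exercise.

```python
"""Replay tcpdump DHCP summaries through the RFC 2131 client state machine
and flag unicast renewals whose UDP source port was rewritten.

Added example for the misc@ thread; not dhcpleased code and not from any
poster.  Sample input below is abridged from the dumps in the thread.
"""
import re
from dataclasses import dataclass

SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST = "255.255.255.255"

# One "tcpdump -n" summary line, e.g.
#   22:41:40.422661 202.63.67.36.56480 > 202.63.66.1.67: (request) xid:0xa180ce6b ... DHCP:REQUEST ...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):.*?xid:(?P<xid>0x[0-9a-f]+)"
    r".*?DHCP:(?P<kind>[A-Z]+)"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    xid: str
    kind: str  # DISCOVER, OFFER, REQUEST, ACK or NACK (tcpdump's spelling)

    @property
    def from_server(self):
        return self.sport == SERVER_PORT


def parse(text):
    """Keep only lines that look like a DHCP summary; tcpdump warnings and
    wrapped continuation lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkts.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), m["xid"], m["kind"]))
    return pkts


# (state, message type, sender) -> next state.  "c" is client->server,
# "s" is server->client.  Anything not listed leaves the state unchanged.
TRANSITIONS = {
    ("INIT-REBOOT", "REQUEST", "c"): "REBOOTING",   # broadcast: may I keep my old address?
    ("REBOOTING", "ACK", "s"): "BOUND",
    ("REBOOTING", "NACK", "s"): "INIT",
    ("BOUND", "REQUEST", "c"): "RENEWING",          # T1 expired, unicast to the server
    ("RENEWING", "ACK", "s"): "BOUND",
    ("RENEWING", "NACK", "s"): "INIT",              # RFC 2131: the address must be dropped
    ("INIT", "DISCOVER", "c"): "SELECTING",
    ("SELECTING", "OFFER", "s"): "SELECTING",
    ("SELECTING", "REQUEST", "c"): "REQUESTING",
    ("REQUESTING", "ACK", "s"): "BOUND",
    ("REQUESTING", "NACK", "s"): "INIT",
}


def replay(pkts, start="INIT-REBOOT"):
    """Return the distinct states visited, starting in `start` (INIT-REBOOT
    when a lease file exists, which is how dhcpleased starts up)."""
    state, trail = start, [start]
    for p in pkts:
        nxt = TRANSITIONS.get((state, p.kind, "s" if p.from_server else "c"), state)
        if nxt != state:
            trail.append(nxt)
        state = nxt
    return trail


def rewritten_renewals(pkts):
    """Unicast DHCPREQUESTs that did not leave from UDP port 68.  The client
    always sends from 68; any other port means a NAT rule on the way out
    rewrote it, and a strict server answers such a request with DHCPNAK."""
    return [p for p in pkts
            if p.kind == "REQUEST" and p.dst != BROADCAST and p.sport != CLIENT_PORT]


def nack_for(pkts, req):
    """The DHCPNAK answering `req`, matched on transaction id, or None."""
    return next((p for p in pkts if p.kind == "NACK" and p.xid == req.xid), None)


def diagnose(text, start="INIT-REBOOT"):
    """Return (state trail, [(timestamp, source port, answered by NAK?)])."""
    pkts = parse(text)
    findings = [(r.ts, r.sport, nack_for(pkts, r) is not None)
                for r in rewritten_renewals(pkts)]
    return replay(pkts, start), findings


# Abridged from the OpenBSD box's dump in this thread (options trimmed).
OPENBSD_DUMP = """\
tcpdump: WARNING: snaplen raised from 116 to 1500
22:36:40.276682 0.0.0.0.68 > 255.255.255.255.67:  xid:0x74253f08 vend-rfc1048 DHCP:REQUEST RQ:202.63.67.36 [tos 0x10]
22:36:40.327371 202.63.66.1.67 > 255.255.255.255.68:  xid:0x74253f08 flags:0x8000 Y:202.63.67.36 vend-rfc1048 DHCP:ACK LT:600 SID:202.63.66.1 [tos 0xc0]
22:41:40.422661 202.63.67.36.56480 > 202.63.66.1.67: (request) xid:0xa180ce6b C:202.63.67.36 vend-rfc1048 DHCP:REQUEST
22:41:40.434534 202.63.66.1.67 > 202.63.67.36.68:  xid:0xa180ce6b C:202.63.67.36 vend-rfc1048 DHCP:NACK SID:202.63.66.1 [tos 0xc0]
22:41:40.442012 0.0.0.0.68 > 255.255.255.255.67:  xid:0x6a13ec33 vend-rfc1048 DHCP:DISCOVER [tos 0x10]
22:41:41.653804 202.63.66.1.67 > 255.255.255.255.68:  xid:0x6a13ec33 flags:0x8000 Y:202.63.67.36 vend-rfc1048 DHCP:OFFER LT:600 SID:202.63.66.1 [tos 0xc0]
22:41:41.658881 0.0.0.0.68 > 255.255.255.255.67:  xid:0xdafa3da4 vend-rfc1048 DHCP:REQUEST RQ:202.63.67.36 SID:202.63.66.1 [tos 0x10]
22:41:42.414218 202.63.66.1.67 > 255.255.255.255.68:  xid:0xdafa3da4 flags:0x8000 Y:202.63.67.36 vend-rfc1048 DHCP:ACK LT:600 SID:202.63.66.1 [tos 0xc0]
"""

# Abridged from the Apple/NetBSD router's dump: renewals leave from port 68 and are ACKed.
NETBSD_DUMP = """\
23:38:54.011351 202.63.67.36.68 > 202.63.66.1.67:  xid:0xede3396c C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400
23:38:54.065951 202.63.66.1.67 > 202.63.67.36.68:  xid:0xede3396c C:202.63.67.36 Y:202.63.67.36 vend-rfc1048 DHCP:ACK LT:600 SID:202.63.66.1 [tos 0xc0]
"""

if __name__ == "__main__":
    for name, text, start in (("OpenBSD", OPENBSD_DUMP, "INIT-REBOOT"),
                              ("NetBSD", NETBSD_DUMP, "BOUND")):
        trail, findings = diagnose(text, start)
        print(name, "->".join(" %s " % s for s in trail))
        for ts, port, nacked in findings:
            print(f"  {ts}: renewal sent from port {port}, answered by NAK: {nacked}")
```

Feed it the output of `tcpdump -n -r dhcp.pcap port 67 or 68`. A finding with a high source port followed by a NAK is the nat-to symptom; the broadcast DISCOVER/REQUEST that follows is the client being forced back to INIT, which is exactly when the address, gateway and nameservers disappear. Restricting the outgoing nat-to rule with `received-on`, as the thread ends up doing, keeps the router's own renewals at source port 68 so the server sees a well-formed unicast DHCPREQUEST.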

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
On Wed, May 10, 2023 at 05:55:28AM -, Stuart Henderson wrote:
> On 2023-05-10, David Diggles wrote:
> > My ISP provides connection via DHCP.
> >
> > Every 5 minutes or so when dhcpleased is renewing the lease,
> > my default route disappears for a few seconds.
>
> That isn't supposed to happen. I just checked on a machine which has
> 10 minute leases and I don't see that problem or those log messages.
>
> I'd run dhcpleased in the foreground with debug logging and collect a
> couple of cycle's worth to see if that gives any clues. Saving a
> packet capture might be useful too ("tcpdump -i cnmac2 -s1500 -w
> /tmp/dhcp.pcap port 67 or 68").
>
> > Definitely I'll be looking at requesting a longer lease by
> > putting a setting in /etc/dhclient.conf but is there any way
> > I can stop the default route disappearing with each renew event?
>
> dhcpleased doesn't support this yet though it would certainly be a
> feature that's useful to have.

Ok Stuart, here's a couple of rounds of dhcpleased -vvv with the tcpdump.

root@sarah log:130# rcctl stop dhcpleased
dhcpleased(ok)
root@sarah log:0# which dhcpleased
/sbin/dhcpleased
root@sarah log:0# /sbin/dhcpleased -d -vvv
state_transition[cnmac2] Down -> Rebooting, timo: 1
DHCPREQUEST on cnmac2
parse_dhcp, from: 0e:a2:00:04:00:03, to: ff:ff:ff:ff:ff:ff
parse_dhcp: 202.63.66.1:67 -> 255.255.255.255:68
dhcp_hdr op: Boot Reply (2)
dhcp_hdr htype: Ethernet (1)
dhcp_hdr hlen: 6
dhcp_hdr hops: 0
dhcp_hdr xid: 0x74253f08
dhcp_hdr secs: 0
dhcp_hdr flags: 0x8000
dhcp_hdr ciaddr: 0.0.0.0
dhcp_hdr yiaddr: 202.63.67.36
dhcp_hdr siaddr: 172.21.116.42
dhcp_hdr giaddr: 0.0.0.0
dhcp_hdr chaddr: dc:9f:db:28:14:bf ()
DHO_DHCP_MESSAGE_TYPE: DHCPACK
DHO_SUBNET_MASK: 255.255.254.0
DHO_ROUTER: 202.63.66.1
DHO_DOMAIN_NAME_SERVERS: 119.40.106.35 (1/2)
DHO_DOMAIN_NAME_SERVERS: 119.40.106.36 (2/2)
DHO_42, len: 4
DHO_DHCP_LEASE_TIME 600s
DHO_DHCP_SERVER_IDENTIFIER: 202.63.66.1
DHO_END
DHCPACK on cnmac2 from 0e:a2:00:04:00:03/202.63.66.1 to 
ff:ff:ff:ff:ff:ff/255.255.255.255
adding 202.63.67.36 to cnmac2 (lease from 202.63.66.1)
adding nameservers 119.40.106.35 119.40.106.36 (lease from 202.63.66.1 on 
cnmac2)
state_transition[cnmac2] Rebooting -> Bound, timo: 300
configure_interface cnmac2
iface_timeout[3]: Bound
state_transition[cnmac2] Bound -> Renewing, timo: 112
DHCPREQUEST on cnmac2
parse_dhcp, from: 0e:a2:00:04:00:03, to: dc:9f:db:28:14:bf
parse_dhcp: 202.63.66.1:67 -> 202.63.67.36:68
dhcp_hdr op: Boot Reply (2)
dhcp_hdr htype: Ethernet (1)
dhcp_hdr hlen: 6
dhcp_hdr hops: 0
dhcp_hdr xid: 0xa180ce6b
dhcp_hdr secs: 0
dhcp_hdr flags: 0x0
dhcp_hdr ciaddr: 202.63.67.36
dhcp_hdr yiaddr: 0.0.0.0
dhcp_hdr siaddr: 172.21.116.42
dhcp_hdr giaddr: 0.0.0.0
dhcp_hdr chaddr: dc:9f:db:28:14:bf ()
DHO_DHCP_MESSAGE_TYPE: DHCPNAK
DHO_DHCP_SERVER_IDENTIFIER: 202.63.66.1
DHO_END
DHCPNAK on cnmac2 from 0e:a2:00:04:00:03/202.63.66.1 to 
dc:9f:db:28:14:bf/202.63.67.36
deleting nameservers 119.40.106.35 119.40.106.36 (lease from 202.63.66.1 on 
cnmac2)
deleting 202.63.67.36 from cnmac2 (lease from 202.63.66.1)
state_transition[cnmac2] Renewing -> Init, timo: 1
DHCPDISCOVER on cnmac2
deconfigure_interface cnmac2
iface_timeout[3]: Init
state_transition[cnmac2] Init -> Init, timo: 2
DHCPDISCOVER on cnmac2
parse_dhcp, from: 0e:a2:00:04:00:03, to: ff:ff:ff:ff:ff:ff
parse_dhcp: 202.63.66.1:67 -> 255.255.255.255:68
dhcp_hdr op: Boot Reply (2)
dhcp_hdr htype: Ethernet (1)
dhcp_hdr hlen: 6
dhcp_hdr hops: 0
dhcp_hdr xid: 0x6a13ec33
dhcp_hdr secs: 0
dhcp_hdr flags: 0x8000
dhcp_hdr ciaddr: 0.0.0.0
dhcp_hdr yiaddr: 202.63.67.36
dhcp_hdr siaddr: 172.21.116.42
dhcp_hdr giaddr: 0.0.0.0
dhcp_hdr chaddr: dc:9f:db:28:14:bf ()
DHO_DHCP_MESSAGE_TYPE: DHCPOFFER
DHO_SUBNET_MASK: 255.255.254.0
DHO_ROUTER: 202.63.66.1
DHO_DOMAIN_NAME_SERVERS: 119.40.106.35 (1/2)
DHO_DOMAIN_NAME_SERVERS: 119.40.106.36 (2/2)
DHO_42, len: 4
DHO_DHCP_LEASE_TIME 600s
DHO_DHCP_SERVER_IDENTIFIER: 202.63.66.1
DHO_END
DHCPOFFER on cnmac2 from 0e:a2:00:04:00:03/202.63.66.1 to 
ff:ff:ff:ff:ff:ff/255.255.255.255
state_transition[cnmac2] Init -> Requesting, timo: 1
DHCPREQUEST on cnmac2
parse_dhcp, from: 0e:a2:00:04:00:03, to: ff:ff:ff:ff:ff:ff
parse_dhcp: 202.63.66.1:67 -> 255.255.255.255:68
dhcp_hdr op: Boot Reply (2)
dhcp_hdr htype: Ethernet (1)
dhcp_hdr hlen: 6
dhcp_hdr hops: 0
dhcp_hdr xid: 0xdafa3da4
dhcp_hdr secs: 0
dhcp_hdr flags: 0x8000
dhcp_hdr ciaddr: 0.0.0.0
dhcp_hdr yiaddr: 202.63.67.36
dhcp_hdr siaddr: 172.21.116.42
dhcp_hdr giaddr: 0.0.0.0
dhcp_hdr chaddr: dc:9f:db:28:14:bf ()
DHO_DHCP_MESSAGE_TYPE: DHCPACK
DHO_SUBNET_MASK: 255.255.254.0
DHO_ROUTER: 202.63.66.1
DHO_DOMAIN_NAME_SERVERS: 119.40.106.35 (1/2)
DHO_DOMAIN_NAME_SERVERS: 119.40.106.36 (2/2)
DHO_42, len: 4
DHO_DHCP_LEASE_TIME 600s
DHO_DHCP_SERVER_IDENTIFIER: 202.63.66.1
DHO_END
DHCPACK on 

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
dhcpleasectl -l cnmac2  

cnmac2 [Bound]
inet x.x.x.x netmask x.x.x.x
default gateway x.x.x.1
nameservers x.x.x.x x.x.x.x
lease 6 minutes
dhcp server x.x.x.1

I've gone on to try isc-dhcp-client from ports and it gets exactly the same 
problem.

It's almost as though I have an arch issue - I've tried on another identical
device with identical install - same problem.

I've tried plugging in with Apple Airport Extreme (NetBSD 4.0 ARM) - does not
have the problem.
I've tried plugging in with Linux/NetworkManager - does not have the problem.

I might try swapping the egress interface from cnmac2 to cnmac1,cnmac0 and try 
my luck there.

[ using 762392 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2023 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 7.3 (GENERIC.MP) #1242: Sat Mar 25 18:04:31 MDT 2023
dera...@octeon.openbsd.org:/usr/src/sys/arch/octeon/compile/GENERIC.MP
real mem = 536870912 (512MB)
avail mem = 521093120 (496MB)
random: good seed from bootblocks
mainbus0 at root: board 20002 rev 2.12, model CN3xxx/CN5xxx
cpu0 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
cpu0: cache L1-I 32KB 4 way D 16KB 64 way, L2 128KB 8 way
cpu1 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
cpu1: cache L1-I 32KB 4 way D 16KB 64 way, L2 128KB 8 way
clock0 at mainbus0: int 5
octcrypto0 at mainbus0
iobus0 at mainbus0
simplebus0 at iobus0: "soc"
octciu0 at simplebus0
octsmi0 at simplebus0
octpip0 at simplebus0
octgmx0 at octpip0 interface 0
cnmac0 at octgmx0: port 0 RGMII, address dc:9f:db:28:14:bd
atphy0 at cnmac0 phy 7: AR8035 10/100/1000 PHY, rev. 2
cnmac1 at octgmx0: port 1 RGMII, address dc:9f:db:28:14:be
atphy1 at cnmac1 phy 6: AR8035 10/100/1000 PHY, rev. 2
cnmac2 at octgmx0: port 2 RGMII, address dc:9f:db:28:14:bf
atphy2 at cnmac2 phy 5: AR8035 10/100/1000 PHY, rev. 2
com0 at simplebus0: ns16550a, 64 byte fifo
com0: console
dwctwo0 at iobus0 base 0x118006800 irq 56
usb0 at dwctwo0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Octeon DWC2 root hub" rev 2.00/1.00 
addr 1
octrng0 at iobus0 base 0x14000 irq 0
umass0 at uhub0 port 1 configuration 1 interface 0 "Imation Atom USB Device" 
rev 2.00/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable 
serial.071805340503380BB56D
sd0: 7644MB, 512 bytes/sector, 15654912 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd0a (1e748e9c1a25cfa3.a) swap on sd0b dump on sd0b

On Wed, May 10, 2023 at 08:09:17AM +0200, Mike Fischer wrote:
> What does `# dhcpleasectl -l cnmac2` output on the machine you are using?
> 
> Mine (OpenBSD 7.3 amd64 vm on the LAN) looks like this (anonymised):
> root@vm2:~# dhcpleasectl -l vio0
> vio0 [Bound]
> inet 192.168.x.220 netmask 255.255.255.0
> default gateway 192.168.x.1
> nameservers 192.168.x.1
> lease 24 hours  <-- what is your lease time?
> dhcp server 192.168.x.1
> root@vm2:~# 
> 
> I suspect your lease time is much higher than 5 min. An ISP issuing leases as 
> short as 5 min. would be highly unusual.
> 
> You could try running dhcpleased manually like this to see details about what 
> is going on:
> # dhcpleased -vv -d
> 
> (But you'd need to stop the processes started by rc(8) first. E.g.: `# 
> rcctl stop dhcpleased`. Don't forget to `# rcctl start dhcpleased` when you 
> are done with the testing.)
> 
> 
> Does the interface go down and up for some reason every 5 minutes? That might 
> cause dhcpleased(8) to renew the lease.
> 
> 
> HTH
> Mike
> 
> > On 10.05.2023 at 07:28, Otto Moerbeek wrote:
> > 
> > On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote:
> > 
> >> 
> >> Just to update, I've added the following to dhclient.conf but
> >> it's still renewing every 5 minutes (approximately) and the
> >> default route is disappearing for a couple of seconds. :(
> >> 
> >> send dhcp-lease-time 86400;
> > 
> > dhcpleased does not use dhclient.conf, it uses dhcpleased.conf, which
> > does not have a way to influence the lease time requested (if that is a
> > thing).
> > 
> > -Otto
> >> 
> >> On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote:
> >>> My ISP provides connection via DHCP.
> >>> 
> >>> Every 5 minutes or so when dhcpleased is renewing the lease,
> >>> my default route disappears for a few seconds.
> >>

Re: dhcpleased losing route

2023-05-09 Thread David Diggles
Just to update, I've added the following to dhclient.conf but
it's still renewing every 5 minutes (approximately) and the
default route is disappearing for a couple of seconds. :(

send dhcp-lease-time 86400;

On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote:
> My ISP provides connection via DHCP.
> 
> Every 5 minutes or so when dhcpleased is renewing the lease,
> my default route disappears for a few seconds.
> 
> Definitely I'll be looking at requesting a longer lease by
> putting a setting in /etc/dhclient.conf but is there any way
> I can stop the default route disappearing with each renew event?
> 
> The route didn't disappear when I tested with NetBSD and Linux.
> 
> This seems like I'm missing a setting in dhclient.conf to make
> the default route sticky? I can't see any obvious answers in
> the man page for dhclient.conf unfortunately.
> 
> (IP fudged log snippet below)
> 
> May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers 
> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
> cnmac2 (lease from x.x.x.1)
> May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 
> (lease from x.x.x.1)
> May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
> x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting nameservers 
> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
> cnmac2 (lease from x.x.x.1)
> May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 
> (lease from x.x.x.1)
> May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
> x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting nameservers 
> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
> cnmac2 (lease from x.x.x.1)
> May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 
> (lease from x.x.x.1)
> May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
> x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting nameservers 
> x.x.x.x x.x.x.x (lease from x.x.x.1 on cnmac2)
> May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from 
> cnmac2 (lease from x.x.x.1)
> May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 
> (lease from x.x.x.1)
> May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
> x.x.x.x (lease from x.x.x.1 on cnmac2)
> 



dhcpleased losing route

2023-05-09 Thread David Diggles
My ISP provides connection via DHCP.

Every 5 minutes or so when dhcpleased is renewing the lease,
my default route disappears for a few seconds.

Definitely I'll be looking at requesting a longer lease by
putting a setting in /etc/dhclient.conf but is there any way
I can stop the default route disappearing with each renew event?

The route didn't disappear when I tested with NetBSD and Linux.

This seems like I'm missing a setting in dhclient.conf to make
the default route sticky? I can't see any obvious answers in
the man page for dhclient.conf unfortunately.

(IP fudged log snippet below)

May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:23:21 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
cnmac2 (lease from x.x.x.1)
May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 
(lease from x.x.x.1)
May 10 12:23:23 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:28:23 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
cnmac2 (lease from x.x.x.1)
May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 
(lease from x.x.x.1)
May 10 12:28:25 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:33:26 openbsd-gateway dhcpleased[77979]: deleting x.x.x.30 from 
cnmac2 (lease from x.x.x.1)
May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding x.x.x.30 to cnmac2 
(lease from x.x.x.1)
May 10 12:33:28 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)
May 10 12:38:28 openbsd-gateway dhcpleased[77979]: deleting  x.x.x.30 from 
cnmac2 (lease from x.x.x.1)
May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding  x.x.x.30 to cnmac2 
(lease from x.x.x.1)
May 10 12:38:30 openbsd-gateway dhcpleased[77979]: adding nameservers x.x.x.x 
x.x.x.x (lease from x.x.x.1 on cnmac2)



Re: hardware

2023-04-18 Thread David Diggles

On 2023-04-19 01:40, folly bololey wrote:

It doesn't matter whether the cat is black or white, as long as it
catches mice.

Black cat is more stealthy


just a different hunting strategy and depends on the lighting. white 
cats would be stealthier in snow, or ambushing from above in the day 
time.




Re: IPsec and MTU / fragmentation

2020-10-29 Thread David Diggles
On Mon, Feb 10, 2020 at 05:15:00PM +, Peter Müller wrote:
> Hello Lucas,
> 
> as far as I understood, setting MTU on encN interfaces is not supported
> since it is not mentioned by enc(4) and setting it manually fails:
> 
> > machine# ifconfig enc0 mtu 1500
> > ifconfig: SIOCSIFMTU: Inappropriate ioctl for device
> 
> If you do not want to use GRE tunnels or gif interfaces, I suppose truncating
> MSS via pf might be an acceptable but not elegant solution:

I have max-mss and reassemble tcp:

match in on gre0 scrub (max-mss 1456, reassemble tcp)

However I still experienced about 5% packet loss when I run speedtest.net through
the tunnel.

In my instance, the solution for eliminating packet loss over the long distance
ipsec/gre tunnel was putting in a queue:

queue hfsq-gre0 on gre0 flows 1024 bandwidth $BW_LIMIT max $BW_LIMIT quantum 400 qlimit 1000 default

.d.d.



Re: Cannot start conversation using talk

2020-02-22 Thread David Diggles
On Wed, Feb 19, 2020 at 09:08:07PM +, b...@0x1bi.net wrote:
> I've set my hostname to point to 127.0.0.1 and I still receive the
> same error. I tried with and without the domain information.
> 
> Is there a log for talkd or inetd? I've attempted to use the -d
> flag for inetd however I receive no error messages or warnings.
> 
> Ben Raskin.

I recommend doing this to troubleshoot:

tcpdump -n -e -ttt -i pflog0 -p 518

then try talk,
see if your pf rules are blocking the udp

.d.d.



Re: Automated remote install

2018-12-20 Thread David Diggles




>Note that I'm referring to KVM providers (traditional VPS providers), not
>"public cloud".  The big boys - AWS, Azure, Google, etc. are not interested
>in OpenBSD.

However it's possible to build for AWS.
https://github.com/ajacoutot/aws-openbsd



Re: Can't get FTP through pf

2013-04-03 Thread David Diggles
Your pf.conf differs from examples in the faq.
I would suggest turn logging on in pf, and do:

tcpdump -n -e -ttt -i pflog0

Then you can see why it's failing.

On Thu, Apr 04, 2013 at 09:38:57AM +1100, John Tate wrote:
 I've got a gateway computer that I also want to be an ftp server. I've put
 everything through pf as per http://openbsd.org/faq/pf/ftp.html
 
 Can anyone see something I've missed in this config? I can't access it
 remotely.
 
 # grep -v -e ^# -e ^$ /etc/vsftpd.conf
 anonymous_enable=NO
 local_enable=YES
 dirmessage_enable=YES
 xferlog_enable=YES
 connect_from_port_20=YES
 nopriv_user=_vsftpd
 ftpd_banner=Welcome to Kintaro's home. Where the downstream is small but
 the system enourmous.
 chroot_list_enable=YES
 chroot_list_file=/etc/ftpchroot
 userlist_enable=YES
 userlist_file=/etc/ftpusers
 secure_chroot_dir=/var/vsftpd
 pasv_min_port=49152
 pasv_max_port=65535
 text_userdb_names=YES
 listen=YES
 background=YES
 log_ftp_protocol=YES
 xferlog_enable=YES
 pasv_enable=YES
 pasv_min_port=49151
 pasv_max_port=65535
 
 # grep -v -e ^# -e ^$ /etc/pf.conf
 
 int_if=fxp0
 ext_if=pppoe0
 murphy=10.0.0.2
 fekete=10.0.0.3
 murphy_ports = { 8333 }
 fekete_ports = { 17001, 39191, 5938 }
 tcp_services={ 22 }
 icmp_types=echoreq
 set skip on lo
 anchor ftp-proxy/*
 pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
 match out on egress inet from !(egress:network) to any nat-to (egress:0)
 pass    # to establish keep-state
 block in on ! lo0 proto tcp to port 6000:6010
 block in log
 pass out quick
 antispoof quick for { lo $int_if }
 pass in on egress inet proto tcp from any to (egress) \
 port $tcp_services
 pass in on $ext_if proto tcp to port 21
 pass in on $ext_if proto tcp to port  49151
 pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to
 $murphy
 pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to
 $fekete
 pass in inet proto icmp all icmp-type $icmp_types
 pass in on $int_if
 
 
 -- 
 www.johntate.org



Re: Can't get FTP through pf

2013-04-03 Thread David Diggles
Looks like these are your conflicting rules.

 pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
 pass in on $ext_if proto tcp to port 21

The first rule needs to be on $int_if - you didn't specify an interface
so it then defaults to all interfaces.



Re: Squid proxy

2013-03-11 Thread David Diggles
I do transparent on mine, to save effort configuring proxies.

There is autoconfig, but some clients don't support it.
Some clients don't even support entering a proxy server.

... and I don't proxy https.

If I want control over who gets out, I use authpf.



Re: Get total size of all files in directory using unit Bytes?

2013-03-04 Thread David Diggles
Or with subdirectories

find . -type f -ls | awk '{sum += $7} END {print sum}'



Re: how to use cpu affinity from user space

2013-01-22 Thread David Diggles
Then if the scheduler always knows what's best, the backup process will be
completely uninhibited, on a system maxed out on all cores.

On Tue, Jan 22, 2013 at 09:29:43AM +0100, Peter Hessler wrote:
 On 2013 Jan 22 (Tue) at 09:25:04 +0500 (+0500),  ?? wrote:
 :Hello!
 :
 :I'm investigating how program should set cpu affinity, is there any
 :examples ? (I didn't find any except the commit that adds cpu affinity
 :thing, but there's no user space documentation, no utility, no man page).
 :
 :cheers,
 :Ilya Shipitsin
 :
 
 No, this is not possible, and there is no intention to make it possible.
 
 The scheduler will know what CPUs are busy and which ones are not and
 will make appropriate decisions.
 
 
 -- 
 It seems like the less a statesman amounts to, the more he loves the
 flag.



Re: how to use cpu affinity from user space

2013-01-22 Thread David Diggles
I've seen situations where it has been useful to dedicate a core to a backup
process so the nightly backup would complete, on a busy linux
machine, with a cpuset.

If this isn't a planned feature in the near future it's not bothering me.
I'm very happy with what OpenBSD does for me.

On Tue, Jan 22, 2013 at 11:55:51AM +0100, Gregor Best wrote:
 On Tue, Jan 22, 2013 at 07:56:22PM +1000, David Diggles wrote:
  Then if the scheduler always knows what's best, the backup process will be
  completely uninhibited, on a system maxed out on all cores.
  [...]
 
 What backup process? And why will it be uninhibited? If the system's
 maxed out, all processes will necessarily suffer.
 
 -- 
 Gregor Best



Re: pf block unwanted traffic

2013-01-15 Thread David Diggles
Hello List,

I just got a similar event in my pflog.

Jan 16 16:08:02.435283 rule def/(short) pass in on pppoe0: 50.112.59.10.0 > 59.167.212.41.0: SFRWE [bad hdr length]

I don't know what this is, or why it is passed.

Can someone explain or attempt a guess at what this is?

The intention of my pf.conf is to block all incoming
by default on pppoe0.

Am I doing something really stupid here?

/etc/hostname.carp1
inet 172.75.100.1 255.255.255.0 172.25.101.255 balancing ip-stealth carpnodes 1:0,2:100 pass secret1
group dmz

/etc/hostname.carp2
inet 172.25.100.1 255.255.255.0 172.25.100.255 balancing ip-stealth carpnodes 4:0,5:100 pass secret2
group lan

/etc/hostname.em0
up mtu 1508

/etc/hostname.em1
inet 172.75.100.4 255.255.255.0
group dmz

/etc/hostname.em2
inet 172.25.100.4 255.255.255.0
group lan

/etc/hostname.pppoe0
inet 59.167.212.41 255.255.255.255 NONE mtu 1500 \
pppoedev em0 authproto pap \
authname pppoeuser authkey pppoepass up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 ::1

/etc/pf.conf
#---
# defaults
#---
table rfc1918 const { 192.168/16 172.16/12 10/8 }
table dmz const { dmz:network }
table lan const { lan:network }
set loginterface egress
set skip on lo
block in quick on egress from rfc1918
antispoof log quick for { pppoe0 em0 }
pass
block quick on egress proto carp
block quick on { egress dmz } inet6
block in log on { egress dmz }
#---
# ack priority
#---
match on egress inet proto tcp prio(1,7)
#---
# sand blasting
#---
match in on egress scrub (reassemble tcp)
#match in on { egress dmz } scrub (reassemble tcp)
#match on egress scrub (max-mss 1440)   
 
#---
# translation and redirections
#---
match out on egress nat-to (egress)
match in on { lan dmz } inet proto tcp to ! bincrow.net \
port www rdr-to localhost port 8080
match in on { lan dmz } inet proto tcp to bincrow.net \
port www rdr-to localhost
match in on { lan dmz } inet to bincrow.net rdr-to localhost
#---
# incoming port forwards
#---
# torrent
pass in on egress inet proto tcp to egress port 6881 rdr-to meile \
modulate state
pass in on egress inet proto udp to egress port 6881 rdr-to meile \
keep state
#---
# allow anyone to this
#---
pass in on egress inet proto tcp from any to egress port www \
modulate state
#---
# dns
#---
table dns-white persist file /etc/pf/dns-white
pass in on egress inet proto { tcp udp } from \
dns-white to egress port domain
pass in on dmz inet proto { tcp udp } from \
dmz to dmz port domain
#---
# ntp
#---
pass in on dmz inet proto { tcp udp } from dmz \
to dmz port { daytime time ntp }
#---
# ssh - whitelist, and rate limit overflows into blacklist
#---
table ssh-black persist file /etc/pf/ssh-black
table ssh-white persist file /etc/pf/ssh-white
pass in log on { egress dmz } inet proto tcp from ssh-white to \
port ssh rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !ssh-black to \
port ssh rdr-to localhost keep state \
(max-src-conn-rate 1/30, overload ssh-black flush)
#---
# imaps - whitelist, and rate limit overflows into blacklist
#---
table imaps-black persist file /etc/pf/imaps-black
table imaps-white persist file /etc/pf/imaps-white
pass in log on { egress dmz } inet proto tcp from imaps-white to \
port imaps rdr-to localhost
pass in log on { egress dmz } inet proto tcp from !imaps-black to \
port imaps rdr-to localhost keep state \
(max-src-conn-rate 2/1, overload imaps-black flush)
#---
# squid - whitelist

Re: Disk accesses freeze for a lot of seconds

2013-01-06 Thread David Diggles
Maybe the following will help.

See Tuning for More
http://wiki.squid-cache.org/BestOsForSquid

I use mount options: noatime and async.
I don't use softdep for squid cache either.

I found aufs worked best for storage scheme (in squid.conf).

I am curious. Anyone out there using diskd?

On Sun, Jan 06, 2013 at 07:49:27PM +0100, Loïc BLOT wrote:
 I got the same problem with squid when squid exits normally (/etc/rc.d/squid
 stop): when the mass squid disk cache is written, there is a one min freeze
 on the server (OpenBSD 5.2). The problem was also there under OpenBSD
 5.1. CPU is also OK (10% of a big xeon quad). But for me softdeps aren't
 activated.
 The temporary solution I used: kill -9 the squid process when stop/restart
 is done.
 
 -- 
 Regards,
 Loïc BLOT, UNIX systems, security and network expert
 http://www.unix-experience.fr 
 
 On Sunday 06 January 2013 at 16:08 +0100, Federico Giannici wrote:
 
  You were right: turning off softdep made the freezes much shorter.
  
  Thanks.
  
  
  On 01/06/13 13:49, Stefan Sperling wrote:
   On Sun, Jan 06, 2013 at 12:22:44PM +0100, Federico Giannici wrote:
    We have an OpenBSD 5.2 amd64 where every 5 minutes a few thousand
    .rrd files from MRTG are written (actually, updated) to disk.
   
    The problem is that for a few seconds (15-20) every other access to
    the disk is totally blocked. So during those 15-20 seconds the
    access to the graphs is frozen! And this is really annoying for a
    graphs server...
   
    It's not a problem of CPU load (it's a quad-core AMD Athlon II
    X4 630 Processor). Processes run smoothly, they freeze only when
    they try to access the disk. Disk is a normal SATA, and the
    partition is FFS with softdep.
  
   It's probably the bug in the buffer cache where the kernel would allow
   userland to queue up so many writes that eventually the kernel is starved
   out of buffers. Everything else (for example, read operations on your
   graph files) then sleeps until enough writes have been spilled out to 
   disk.
  
   Is there anything (some system tuning?) I can do to get rid of the
   freezes, or at least to mitigate them?
  
    The best solution is an upgrade to -current where this has been fixed.
    See http://marc.info/?l=openbsd-cvs&m=135231065926430&w=2 and other
    related commits by Bob Beck.
   
    If you'd rather stick to 5.2 you can try turning off softdep. softdep
    delays some write operations so turning it off might help somewhat by
    allowing more read operations to interleave with write operations. While
    the bug was affecting -current I found that my systems were much more
    responsive with softdep turned off.



Re: Disk accesses freeze for a lot of seconds

2013-01-06 Thread David Diggles
  Maybe the following will help.
 
  See Tuning for More
  http://wiki.squid-cache.org/BestOsForSquid
 
  I use mount options: noatime and async.
  I don't use softdep for squid cache either.
 
 that is not good policy. you are asking for trouble.

Thanks for the opinion.

Yeah I read the disclaimer about async in mount(8) and
don't mind taking the risk.

As for noatime.  Are you kidding me?

I forgot tuning = idiot to some on this list.

.d.d.



Re: Best postscript printer with network support?

2012-12-27 Thread David Diggles
I want to avoid HP.

Why?

I got a LaserJet 8150DN second hand for $50. Works perfectly.



Re: openbsd clusters

2012-12-22 Thread David Diggles
On Sat, Dec 22, 2012 at 09:12:27AM -0500, Jiri B wrote:
 On Sat, Dec 22, 2012 at 01:23:12PM +, Stuart Henderson wrote:
   But for other services I don't have now what I could use. An example: I
   need a file system that must expand by adding more machines to the network
   in a simple way. I was studying OpenAFS, but OBSD 5.1 only supports it for
   i386, not amd64. Is there any alternative to it?
   Does anybody here use OpenAFS on OpenBSD? Does it scale well? What about
   GlusterFS? What would be a better choice?
  
  I'm not sure if there's anything really good in this area for OpenBSD.
  GlusterFS requires FUSE.
 
 ...or accessed via the gfapi client library. So if your app were able to
 use this library you could use glusterfs directly without a native posix-like
 filesystem. Still, how would you make a backup of glusterfs on OpenBSD...?
 The same applies to HDFS (Hadoop), doesn't it?
 
 oVirt uses NFS as storage for virtualization hosts and implements its own
 logic checking availability between hosts - SPM. Maybe you could use NFS
 and write some stuff around it to guarantee integrity and availability;
 in oVirt a host which loses NFS storage is fenced...
 
 IIRC somebody on the list described a NFS-based clustered filesystem
 using vnd images on NFS cross mounted and RAID on top of it.
 
 jirib
 

Something like pNFS would be ideal http://www.pnfs.com/



Re: how to make power off button work like halt -p

2012-11-22 Thread David Diggles
You could try uncommenting one of these in /etc/sysctl.conf

#machdep.apmhalt=1  # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt 

Also, check your BIOS settings.

On Thu, Nov 22, 2012 at 11:13:26PM +0800, ?? wrote:
 I need to install OpenBSD on a blind computer (without monitor), so I need to
 press the power off button to shut down the computer. I know that using ssh is
 a right way, but pressing power off is a more effective way.
 
 
 In version 5.2, I just press power off, and the computer shuts down
 directly without cleaning the file system. I think this would do harm to the
 database server. I want to know how to make the power off button work like halt
 -p command.



Re: xfsdump INTERRUPT

2012-11-20 Thread David Diggles
http://lmgtfy.com/?q=xfs+mailing+list

On Tue, Nov 20, 2012 at 01:08:03PM -0800, rlinsurf wrote:
 Can you tell me which list it belongs in?
 
 Best,
 J. 
 
 On Nov 20, 2012, at 3:59 PM, Jiri B-2 [via OpenBSD] 
 ml-node+s7691n219270...@n7.nabble.com wrote:
 
  On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote: 
    I'm trying to use xfsdump to copy all the files from my home DVR to a
    bigger hard drive. 
  
   You probably sent to the wrong list, this is linux stuff. 
  
  jirib 
  
  
  



Re: OpenBSD hangs when i unplug USB disk

2012-11-15 Thread David Diggles
did you unmount it first?

Marcos Laufer mar...@ipv4networks.com wrote:

Hello, I'd like to report a problem when detaching an external 1TB USB
disk drive: the system just freezes, I can't type anything. Also it
stops responding to ping.
If I don't unplug it then I can use the disk normally, I can copy and
delete files with no problem. But as soon as I unplug the USB cord, the
machine freezes.
I've tested it on several machines, different OpenBSD versions starting
from 4.3. I'm not asking for support, I know old OpenBSD versions are no
longer supported, but this seemed pretty odd; I suppose that plugging
and unplugging a USB disk should not cause any problems on any OS
version.

These are the lines on dmesg about this disk:


Nov 14 16:00:31 hq /bsd: umass0 at uhub0
Nov 14 16:00:31 hq /bsd:  port 5 configuration 1 interface 0 Western Digital My Passport 0748 rev 2.10/10.15 addr 2
Nov 14 16:00:31 hq /bsd: umass0: using SCSI over Bulk-Only
Nov 14 16:00:31 hq /bsd: scsibus0 at umass0: 2 targets, initiator 0
Nov 14 16:00:31 hq /bsd: sd0 at scsibus0 targ 1 lun 0: WD, My Passport 0748, 1015 SCSI4 0/direct fixed
Nov 14 16:00:38 hq /bsd: sd0: 953837MB, 512 bytes/sec, 1953458176 sec total
Nov 14 16:00:38 hq /bsd: ses0 at scsibus0 targ 1 lun 1: WD, SES Device, 1015 SCSI4 13/enclosure services fixed
Nov 14 16:00:38 hq /bsd: ses0: unable to read enclosure configuration

Best regards,
Marcos

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: a pf ruleset 5.2

2012-11-09 Thread David Diggles
On Tue, Nov 06, 2012 at 08:04:42PM +0059, Norman Golisz wrote:
 match on egress inet proto tcp set prio(1, 7)

And on 5.1 it was slightly different syntax:

match on egress inet proto tcp prio(1, 7)

Don't get caught :-)



Re: spam filtering misc spams

2012-10-09 Thread David Diggles
On Mon, Oct 08, 2012 at 12:11:43PM -0400, Ted Unangst wrote:
 On Tue, Oct 09, 2012 at 00:40, David Diggles wrote:
  I'm interested in hearing about people's experiences with spam filtering
  the spam emails that make it through to misc.  Mostly non-English.  I have
  been using SpamAssassin and training it, yet the bayes in default weightings
  are not enough to get the misc spams into my spam box... in fact many still
  autolearn as ham.
 
 I adjusted the scores so that anything with bayes probability greater
 than 50 is spam.  That works pretty well.  Not really any reason to go
 past 5, but I figured if I ever changed the minimum I'd be ready.
 
 score BAYES_50 5
 score BAYES_60 6
 score BAYES_80 8
 score BAYES_95 9
 score BAYES_99 10

Thanks Ted,

I am now trialing adjustment of bayes.

I had hoped something like this would have been possible in config.

if (header MAILING_LIST exists:list-id)
  score BAYES_50 5
  score BAYES_60 6
  score BAYES_80 8
  score BAYES_95 9
  score BAYES_99 10
endif

So it only adjusts the bayes for mailing lists.

Apparently need to write a plugin to do that.

.d.d.



spam filtering misc spams

2012-10-08 Thread David Diggles
I'm interested in hearing about people's experiences with spam filtering the spam
emails that make it through to misc.  Mostly non-English.  I have been using
SpamAssassin and training it, yet the bayes in default weightings are not enough
to get the misc spams into my spam box... in fact many still autolearn as ham.

Email coming from the list server boosts the ham score. The locale plugin
for SA doesn't help at all.

I started working on something to check for word count % of words in an email,
from /usr/share/dict/words to detect English-ness.  It does work well but has it
already been done elsewhere?
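
The dictionary-based English-ness check sketched in that post, written out as an added example (not the poster's own script): it scores the share of a message body's tokens found in /usr/share/dict/words, skips quoted text and the signature, and declines to judge very short bodies. The constructed fallback word list, the sample messages, and the 0.5 threshold and 8-token minimum are assumptions.

```python
"""English-ness check for mailing-list spam (added example, not the poster's
script): score a message by the fraction of its words found in a dictionary
such as /usr/share/dict/words."""
import re

# Constructed fallback word list so the example runs offline; the real check
# would use the full system dictionary via load_dictionary().
FALLBACK_WORDS = """
a about all and are as at be been before but by can could do for from get
had has have he her here how i if in into is it its just like make me more my
no not now of on one only or other our out over please same see she so some
than that the their them then there these they this through to up us use
very want was we were what when which who will with would you your
list mailing message email spam filter default route lease server client
""".split()

# Non-ASCII letters act as word boundaries, so text in other scripts falls
# apart into fragments that never match; that already leans towards English.
WORD_RE = re.compile(r"[a-z']+")

# Constructed sample messages (not real list mail).
ENGLISH_SAMPLE = ("Hello list, my default route disappears every time the "
                  "lease is renewed. Is there a setting in the client I am "
                  "missing? Thanks.")
NON_ENGLISH_SAMPLE = ("Hallo, wir bieten Ihnen guenstige Kredite ohne "
                      "Pruefung an. Melden Sie sich heute noch bei uns und "
                      "sparen Sie viel Geld.")


def load_dictionary(path="/usr/share/dict/words"):
    """Lowercased word set from the system dictionary, or the constructed
    fallback when the file is missing."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return {line.strip().lower() for line in fh if line.strip()}
    except OSError:
        return set(FALLBACK_WORDS)


def strip_quoted_and_signature(body):
    """Drop quoted lines and anything after the '-- ' signature separator:
    a reply quoting an English message must not rescue a non-English body."""
    kept = []
    for line in body.splitlines():
        if line.lstrip().startswith(">"):
            continue
        if line.rstrip() == "--":
            break
        kept.append(line)
    return "\n".join(kept)


def english_ratio(body, dictionary):
    """Return (ratio, token_count): the share of alphabetic tokens present
    in the dictionary. A body with no tokens scores 0.0."""
    tokens = WORD_RE.findall(strip_quoted_and_signature(body).lower())
    if not tokens:
        return 0.0, 0
    hits = sum(1 for tok in tokens if tok in dictionary)
    return hits / len(tokens), len(tokens)


def looks_english(body, dictionary, threshold=0.5, min_tokens=8):
    """True/False by threshold; None when the body is too short to judge,
    so a one-line reply is not mis-scored either way. Threshold and minimum
    are assumed values to tune against your own mail."""
    ratio, count = english_ratio(body, dictionary)
    if count < min_tokens:
        return None
    return ratio >= threshold


if __name__ == "__main__":
    words = load_dictionary()
    for label, sample in (("english", ENGLISH_SAMPLE),
                          ("non-english", NON_ENGLISH_SAMPLE)):
        ratio, count = english_ratio(sample, words)
        print(f"{label}: {count} tokens, {ratio:.2f} in dictionary, "
              f"verdict={looks_english(sample, words)}")
```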



minipci wifi card for an ap, suggestions?

2012-10-03 Thread David Diggles
I am looking for a minipci wifi card I can use to run as
Host AP.

After reading ath(4) man page I bought a:
Wistron CM9 AR5212 Mini PCI a/b/g

Unfortunately the machine will not boot with it plugged in.

Can anyone suggest a minipci wifi card that will work
as Host AP?



Re: minipci wifi card for an ap, suggestions?

2012-10-03 Thread David Diggles
On Wed, Oct 03, 2012 at 07:29:42AM +0059, Jason McIntyre wrote:
 On Wed, Oct 03, 2012 at 04:04:14PM +1000, David Diggles wrote:
  I am looking for a minipci wifi card I can use to run as
  Host AP.
  
  After reading ath(4) man page I bought a:
  Wistron CM9 AR5212 Mini PCI a/b/g
  
  Unfortunately the machine will not boot with it plugged in.
  
  Can anyone suggest a minipci wifi card that will work
  as Host AP?
  
 
 or if someone else has the card, confirm whether it has issues (and we
 can take it out the man page).
 
 but your machine not booting with it is strange. maybe there's something
 in your bios you can enable/disable? or try it in another machine.
 
 jmc

Unfortunately it is the only machine I have with minipci currently.

I have ordered a 2nd test machine, and will soon be able to do some
double checking, with current.

If I can prove it's a faulty card and get it replaced, that would
be fantastic :)



Re: minipci wifi card for an ap, suggestions?

2012-10-03 Thread David Diggles
On Wed, Oct 03, 2012 at 04:50:57PM +1000, Aaron Mason wrote:
 On Wed, Oct 3, 2012 at 4:43 PM, David Diggles da...@elven.com.au wrote:
  On Wed, Oct 03, 2012 at 07:29:42AM +0059, Jason McIntyre wrote:
  On Wed, Oct 03, 2012 at 04:04:14PM +1000, David Diggles wrote:
   I am looking for a minipci wifi card I can use to run as
   Host AP.
  
   After reading ath(4) man page I bought a:
   Wistron CM9 AR5212 Mini PCI a/b/g
  
   Unfortunately the machine will not boot with it plugged in.
  
   Can anyone suggest a minipci wifi card that will work
   as Host AP?
  
 
  or if someone else has the card, confirm whether it has issues (and we
  can take it out the man page).
 
  but your machine not booting with it is strange. maybe there's something
  in your bios you can enable/disable? or try it in another machine.
 
  jmc
 
  Unfortunately it is the only machine I have with minipci currently.
 
  I have ordered a 2nd test machine, and will soon be able to do some
  double checking, with current.
 
  If I can prove it's a faulty card and get it replaced, that would
  be fantastic :)
 
 
 ALiX?

Oh, the board is a Commell LE-376C.
Phoenix bios.



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread David Diggles
but is this clear for newbies who read all the faqs?

On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
 *  ?? chipits...@gmail.com [2012-08-23 08:44]:
  2012/8/23 Claudio Jeker cje...@diehard.n-r-g.com
   On Thu, Aug 23, 2012 at 12:17:04AM +0600,  ??? wrote:
why syn proxy is not enabled by default ?
   Because it has bad side-effects. Like accepting a connection before the
   actual server accepted it. So it is hard to signal closed ports back.
  any other side-effect ?
 
 claudio stated this way too nice.
 
 let me be super clear here: if you are running synproxy permanently,
 you are an idiot.
 
 why is synproxy there? if you are under a synflood-style attack and
 need to protect a backend server, it can save your a**.
 running synproxy to protect an OpenBSD machine, more so the local
 host, is retarded and counterproductive.
 
 think through how synproxy works. it accepts a connection on behalf of
 the destination server. once the 3whs is complete, it tries to open a
 connection to the backend. now if the backend doesn't take that
 connection, the pf synproxy box can only drop the already established
 connection. the semantics of establishing and dropping a connection vs
 not taking it from the beginning DO have different semantics. for
 example, if you use round-robin dns, the client will NOT move on to
 the next IP address if the connection had been accepted and dropped
 later. moreover, you are drawing deliberate decisions by the actual
 daemon, like the listen backlog, close to pointless. it gets worse
 when some form of loadbalancing is in the picture.
 
 synproxy is there because it ca save your a** WHEN YOU ARE UNDER
 ATTACK. it is not suitable for all-time all-case use, and can't be.
 
 it once again comes down to think before pushing random buttons.
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: kern.maxclusters vs syn proxy

2012-10-02 Thread David Diggles
I think when a lot of newbies read the pf manual, they think oh...
synproxy looks like it does good things, and without really
understanding it, enable it by default?

On Tue, Oct 02, 2012 at 02:33:11PM +0200, Henning Brauer wrote:
 * David Diggles da...@elven.com.au [2012-10-02 13:51]:
  but is this clear for newbies who read all the faqs?
 
  On Tue, Oct 02, 2012 at 01:17:03PM +0200, Henning Brauer wrote:
   it once again comes down to think before pushing random buttons.
 
 this basic principle SHOULD not need documentation :)
 
 quite seriously, this goes deep into the workings of tcp. OpenBSD
 documentation cannot and does not document the details of the
 implemented protocols. There are entire books about tcp. Read them to
 understand tcp, and read the OpenBSD documentation for the OpenBSD
 specific bits.
 
 There isn't much we can do to prevent people from pushing buttons they
 don't understand but not providing them - which is what we do where
 possible. But by not providing synproxy we'd steal an important tool
 for fighting attacks from those who understand what they're doing.
 
 We're not saving you from stabbing your eye with the spoon left in
 your coffee mug either. We can't.
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: terminal q

2012-09-20 Thread David Diggles
Mud clients can be good for this, but I don't know of one that supports ssh.

I use tintin.  There is also tinyfugue in ports.


On Thu, Sep 20, 2012 at 02:25:25PM +0300, Gregory Edigarov wrote:
 Hi everybody.
 
 I am not very sure if that was asked before, and may be I was the person
 who asked.
 For one of my everyday tasks I need an application like xterm, that will
 be able to reserve some lines in the bottom or top of current window
 solely for user input and the other place for output.
 I.e. something like old IBM 3270 style terminal.
 
 what are my options beside of writing it myself?
 --
 With best regards,
 Gregory Edigarov



Re: i want emulate middle button back

2012-08-22 Thread David Diggles
man mouse

   Option Emulate3Buttons boolean
  Enable/disable the emulation of the third (middle) mouse button
  for mice which only have two physical buttons.  The third button
  is emulated by pressing both buttons simultaneously.  Default:
  on, until a press of a physical button 3 is detected.

On Thu, Aug 23, 2012 at 12:08:20AM -0400, Ted Unangst wrote:
 I have a laptop with two buttons.  To middle click, I click both at
 the same time.
 
 Until, in a fit of stupidity, I plugged in a USB mouse and clicked the
 real middle button.  Now, the middle button emulation has oh so
 helpfully disabled itself.  Except I'm no longer using the mouse.
 
 I'm not sure if I should file a bug report or just ask for help.
 I think it's kind of stupid to disable emulation, precisely because of
 the situation I find myself in.  But never mind that, how do I turn
 emulation back on?



Re: OpenBSD Captive Portal

2012-08-20 Thread David Diggles
On Mon, Aug 20, 2012 at 12:42:16PM -0700, Byron Klippert wrote:
 The web interfaces interact with the system through CGI scripts, httpd
 is run chroot disabled (httpd_flags=-u).

Just one comment for now.  You can run it as chroot if you copy any
dependencies into the chroot, including binaries, libraries.

...and be sure to update them if patches come out.

.d.d.



Re: Shellscript escaping problem

2012-08-05 Thread David Diggles
On Fri, Aug 03, 2012 at 10:41:09PM -0700, Philip Guenther wrote:
 On Fri, Aug 3, 2012 at 9:35 PM, David Diggles da...@elven.com.au wrote:
 ...
  here's an example of how not to script rsync, when just starting
  to learn how to script
 
  it got over complicated over time.  i should rewrite it sometime :)
 ...
 
 I guess I don't understand the point of sending that out.  It's like a
 generic ghost story: ...and the code walks the corridors of the
 office building to this day!  There it is!  Ah!

 If the goal is to help the inexperienced shell script writer avoid
 that fate, you must provide instruction and suggestions, not just set
 up your prior works up as warning.  The beginner will be dazzled by
 the mess-o'-punctuation, but that doesn't help them see what they
 should do instead when they, in turn, find their own scripts crawling
 into the morass.
 
 
 Philip Guenther

There were already excellent examples of what to do provided by others.

What is wrong with an example of what bad spaghetti scripting looks like?
I think there can be value in seeing an exaggerated example of what not to do.

Furthermore, I provided my own script, not someone else's, because I am
happy to own my own mistakes.  Another good thing to teach.

IMO, a teaching method that only ever teaches what to do, and never what not to
do, and only ever provides instructions and guidance, risks creating the kind of
box that breeds idiots with no ability to think for themselves.



Re: kill a stale user session?

2012-08-05 Thread David Diggles
Try this?

ps aux|fgrep acheng@ttyp3

On Mon, Aug 06, 2012 at 10:56:00AM +0800, Alan Cheng wrote:
 Hello all,
 
 I'd like to kill an stale user session, but could not find a way to do
 that. Seems like there is no process attached to that ttyp4 any more. It's
 an OpenBSD 5.1 on i386, by the way.
 
 Any advice appreciated.
 
 some output, more will be provided if necessary.
 
 #w
  7:44PM  up 12 days, 23:19, 2 users, load averages: 0.10, 0.14, 0.18
 USERTTY FROM  LOGIN@  IDLE WHAT
 acheng   p0 180.116.63.38 6:00PM 0 w
 acheng   p4 114.227.123.110  27Jul12 9days -
  -- the one I'd like to kill
 
 
 #ps -t p4
   PID TT  STAT   TIME COMMAND
 
 
 thanks.
 acheng



Re: kill a stale user session?

2012-08-05 Thread David Diggles
On Mon, Aug 06, 2012 at 01:38:27PM +1000, David Diggles wrote:
 Try this?
 
 ps aux|fgrep acheng@ttyp3


ps aux|fgrep acheng@ttyp4

do you get the sshd process id you can kill?


 On Mon, Aug 06, 2012 at 10:56:00AM +0800, Alan Cheng wrote:
  Hello all,
  
  I'd like to kill an stale user session, but could not find a way to do
  that. Seems like there is no process attached to that ttyp4 any more. It's
  an OpenBSD 5.1 on i386, by the way.
  
  Any advice appreciated.
  
  some output, more will be provided if necessary.
  
  #w
   7:44PM  up 12 days, 23:19, 2 users, load averages: 0.10, 0.14, 0.18
  USERTTY FROM  LOGIN@  IDLE WHAT
  acheng   p0 180.116.63.38 6:00PM 0 w
  acheng   p4 114.227.123.110  27Jul12 9days -
   -- the one I'd like to kill
  
  
  #ps -t p4
PID TT  STAT   TIME COMMAND
  
  
  thanks.
  acheng



Re: kill a stale user session?

2012-08-05 Thread David Diggles
http://marc.info/?l=openbsd-misc&m=104862612011751&w=2
---
List:   openbsd-misc
Subject:Re: Can't disconnect ghost SSH session from days ago
From:   Mathieu Sauve-Frankel m.sauve () secureops ! com
Date:   2003-03-25 20:59:44

man utmp

This ghost user is merely a stale entry in /var/run/utmp
that has not been removed because your ssh session died uncleanly.

Reboot your server cleanly and the ghost utmp entry will disappear.

On Mon, Aug 06, 2012 at 01:00:15PM +0800, Alan Cheng wrote:
 Got nothing from  ps aux|fgrep acheng@ttyp4. No SSHD process to kill
 either.
 
 The problem for me is that no process belongs to ttyp4, but w still
 reports an idle session.
 
 FYI:
 $ ps aux|fgrep acheng@ttyp4
 
 $ w
  9:57PM  up 13 days,  1:31, 3 users, load averages: 0.16, 0.18, 0.23
 USERTTY FROM  LOGIN@  IDLE WHAT
 acheng   p0 180.116.63.38 6:00PM  1:50 -ksh
 acheng   p1 114.227.120.208:06PM 0 w
 acheng   p4 114.227.123.110  27Jul12 9days -
 
 $ ps aux | grep ksh
 acheng   13452  0.0  0.1   548   500 p0  Is 6:00PM0:00.02 -ksh (ksh)
 root 25705  0.0  0.1   632   528 p0  I+ 6:07PM0:00.07 -ksh (ksh)
 acheng   30721  0.0  0.1   480   488 p1  Ss 8:06PM0:00.02 -ksh (ksh)
 acheng   28924  0.0  0.0   480 4 p1  R+ 9:57PM0:00.00 -ksh (ksh)
 
 $ ps aux | grep sshd
 root 16212  0.0  0.2   656  1208 ??  Is23Jul120:04.01
 /usr/sbin/sshd
 root 30292  0.0  0.5  3456  2812 ??  Is 6:00PM0:00.07 sshd:
 acheng [priv] (sshd)
 acheng9594  0.0  0.7  4724  3612 ??  I  6:00PM0:02.20 sshd:
 acheng@ttyp0 (sshd)
 root 22538  0.0  0.5  3428  2828 ??  Is 8:06PM0:00.06 sshd:
 acheng [priv] (sshd)
 acheng   18141  0.0  0.6  3880  2920 ??  S  8:06PM0:02.19 sshd:
 acheng@ttyp1 (sshd)
 
 Thanks for the response.
 
 acheng
 
 On Mon, Aug 6, 2012 at 11:42 AM, David Diggles da...@elven.com.au wrote:
 
  On Mon, Aug 06, 2012 at 01:38:27PM +1000, David Diggles wrote:
   Try this?
  
   ps aux|fgrep acheng@ttyp3
 
 
  ps aux|fgrep acheng@ttyp4
 
  do you get the sshd process id you can kill?
 
 
   On Mon, Aug 06, 2012 at 10:56:00AM +0800, Alan Cheng wrote:
Hello all,
   
I'd like to kill an stale user session, but could not find a way to do
that. Seems like there is no process attached to that ttyp4 any more.
  It's
an OpenBSD 5.1 on i386, by the way.
   
Any advice appreciated.
   
some output, more will be provided if necessary.
   
#w
 7:44PM  up 12 days, 23:19, 2 users, load averages: 0.10, 0.14, 0.18
USERTTY FROM  LOGIN@  IDLE WHAT
acheng   p0 180.116.63.38 6:00PM 0 w
acheng   p4 114.227.123.110  27Jul12 9days -
 -- the one I'd like to kill
   
   
  
#ps -t p4
  PID TT  STAT   TIME COMMAND
   
   
thanks.
acheng
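The forwarded answer above explains the ghost as a stale record in /var/run/utmp. This added example, not code from the thread, shows what that record is and how to find such ghosts without rebooting: parse utmp(5) records, collect the ttys that actually own a process from `ps -axo tty`, and report utmp slots that name a tty no process has. It also blanks a slot the way logout(3) does (empty name and host, fresh timestamp). Assumptions: the record layout from OpenBSD utmp(5) (ut_line[8], ut_name[32], ut_host[256], ut_time) with no padding, a 32-bit time_t as on the 5.1/i386 box in the thread (64-bit on releases since 5.5, so the width is a parameter), and constructed ps output. The security point is the same one the ghost illustrates: utmp is advisory accounting written by login programs, and w(1) believes it; the process table is what tells you who is really on the box.

```python
"""Find and clear stale utmp(5) slots.  Added example, not code from the thread.
Layout per OpenBSD utmp(5); time_t width is an assumption (4 bytes on 5.1/i386)."""
import struct
from dataclasses import dataclass

UT_LINESIZE, UT_NAMESIZE, UT_HOSTSIZE = 8, 32, 256


def utmp_struct(time_bytes=4):
    """struct.Struct for one record; 300 bytes with a 32-bit ut_time, 304 with 64."""
    fmt = "i" if time_bytes == 4 else "q"
    return struct.Struct(f"<{UT_LINESIZE}s{UT_NAMESIZE}s{UT_HOSTSIZE}s{fmt}")


@dataclass
class Entry:
    line: str   # tty name, e.g. "ttyp4"; w(1) shows it without the "tty" prefix
    name: str   # empty means the slot is free
    host: str
    time: int


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(data, time_bytes=4):
    st = utmp_struct(time_bytes)
    usable = data[:len(data) - len(data) % st.size]
    return [Entry(_cstr(l), _cstr(n), _cstr(h), t) for l, n, h, t in st.iter_unpack(usable)]


def pack_entry(e, time_bytes=4):
    return utmp_struct(time_bytes).pack(e.line.encode(), e.name.encode(), e.host.encode(), e.time)


def live_ttys(ps_tty_output):
    """ut_line values for ttys that currently own a process, from `ps -axo tty`."""
    ttys = set()
    for tok in ps_tty_output.split()[1:]:    # skip the "TT" header
        if tok != "??":                       # "??" is a process with no controlling tty
            ttys.add("tty" + tok)
    return ttys


def ghosts(entries, live):
    """utmp slots w(1) would list although no process is attached to the tty."""
    return [e for e in entries if e.name and e.line not in live]


def clear_line(data, line, now, time_bytes=4):
    """Blank the slot for `line` as logout(3) does: empty name and host, stamp the time."""
    st = utmp_struct(time_bytes)
    out = bytearray(data)
    for off in range(0, len(data) - st.size + 1, st.size):
        l, n, h, t = st.unpack_from(data, off)
        if _cstr(l) == line:
            st.pack_into(out, off, l, b"", b"", now)
    return bytes(out)


# Constructed `ps -axo tty` output mirroring the thread: processes on p0 and p1 only.
SAMPLE_PS_TTY = "TT\np0\n??\np1\n??\n"

if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as f:
        records = parse_utmp(f.read())
    import subprocess
    ps = subprocess.run(["ps", "-axo", "tty"], capture_output=True, text=True).stdout
    for g in ghosts(records, live_ttys(ps)):
        print(f"ghost: {g.name} on {g.line} from {g.host}")
```

Writing the cleared bytes back over /var/run/utmp is the operator's decision; the forwarded answer's reboot reaches the same state because the file is recreated at boot.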



Re: Shellscript escaping problem

2012-08-03 Thread David Diggles
On Thu, Aug 02, 2012 at 11:21:01PM +0200, Martijn Rijkeboer wrote:
 Hi,

here's an example of how not to script rsync, when just starting
to learn how to script

it got over complicated over time.  i should rewrite it sometime :)

#!/bin/bash

SCRIPT=${0##*/}
BASE=/archive0/_backup
SSHOPTS="-q -o Ciphers=arcfour256 -o MACs=umac...@openssh.com"
RSYNCOPTS="--delete -avxlr"
CONF=/etc/$SCRIPT

f_f() {
  [ -d $1 ] && \
  for SRC in $(ls $1|grep -v ^\.); do
    echo \# $SRC \#
    if [ $# -ge 3 ]; then
      eval $(echo eval $3)
      DST=$2/$REV/${HOST%%.*}
      local i=4;while [ $i -le $# ]; do
        eval $(echo eval \$$i)
      ((i++));done
    fi
  done
}

f_f $CONF/rsyncd $BASE "local HOST=\${SRC##*@} && local PKG=\$(ssh \$SSHOPTS \$SRC \"uname -nr;pkg_info -t 2>/dev/null|cut -f1 -d ' '\") && local REV=\$(echo \$PKG|cut -f2 -d ' ')" "mkdir -p \$DST;cd \$DST;[[ -n \$PKG ]] && echo \$PKG>pkg_info" "rsync \$RSYNCOPTS --files-from=\$CONF/rsyncd/\$SRC \$HOST::rsk \$DST"
f_f $CONF/rsh $BASE "local HOST=\${SRC##*@} && local PKG=\$(rsh -l \$SCRIPT \$HOST \"uname -nr;pkg_info -t 2>/dev/null|cut -f1 -d ' '\") && local REV=\$(echo \$PKG|cut -f2 -d ' ')" "mkdir -p \$DST;cd \$DST;[[ -n \$PKG ]] && echo \$PKG>pkg_info" "rsync \$RSYNCOPTS --files-from=\$CONF/rsh/\$SRC \$HOST::rsk \$DST"
f_f $CONF/rsync $BASE "local HOST=\${SRC##*@} && local PKG=\$(ssh \$SSHOPTS \$SRC \"uname -nr;pkg_info -t 2>/dev/null|cut -f1 -d ' '\") && local REV=\$(echo \$PKG|cut -f2 -d ' ')" "mkdir -p \$DST;cd \$DST;[[ -n \$PKG ]] && echo \$PKG>pkg_info" "rsync -e \"ssh \$SSHOPTS\" \$RSYNCOPTS --files-from=\$CONF/rsync/\$SRC \$SRC:/ \$DST"
f_f $CONF/ssh $BASE "local HOST=\${SRC##*@} && local PKG=\$(ssh \$SSHOPTS \$SRC \"uname -nr;pkg_info -t 2>/dev/null|cut -f1 -d ' '\") && local REV=\$(echo \$PKG|cut -f2 -d ' ')" "mkdir -p \$DST;cd \$DST;[[ -n \$PKG ]] && echo \$PKG>pkg_info" "ssh \$SSHOPTS \$SRC \"tar cpf - 2>/dev/null \$(echo \$(<\$CONF/ssh/\$SRC))\"|tar xpf - && rm -rf \$DST && mv \$DST.tmp \$DST"



Re: Calomel.org

2012-07-26 Thread David Diggles
The calomel phenomenon is fascinating!

I was calomeled.

Those who have been calomeled have done the following:

1. lazily google: openbsd tuning (or similar)
2. click on: Network Tuning and Performance Guide (OpenBSD) - Calomel
   (currently ranked 2 on google)
3. lazy and in a hurry to get it working, apply stuff from calomel
4. lazily email misc without first searching marc.info, referring
   to the calomel recipe and asking further questions

While calomel has the high rank in google, this keeps repeating.



Re: Calomel.org

2012-07-26 Thread David Diggles
In some ways, it is almost fortunate the calomel meme exists to keep reminding
newcomers, as annoying as repetition is.  It's the nature of things.

I fell for it in the past.  Others will in the future.

On Thu, Jul 26, 2012 at 11:01:41AM +0200, Wojciech Puchar wrote:
 I first read the documentation, the do everything properly and after
 that i f..k it all up because some trendy webpages says i should.
 
 On Thu, 26 Jul 2012, Joakim Dellrud wrote:
 
 To my defense I use the FAQ and MAN first then I used Calomel for example
 configs of more obscure things :).
 
 On Thu, Jul 26, 2012 at 9:09 AM, Gilles Chehade gil...@poolp.org wrote:
 
 On Thu, Jul 26, 2012 at 06:55:54AM +0200, Shaka NKofo wrote:
 
 [blabla]
 
 
 *facepalm*
 
 --
 Gilles Chehade
 
 https://www.poolp.org  @poolpOrg



Re: Any recommendation for WAN optimization?

2012-07-25 Thread David Diggles
You need to ask a better quality question?

It is not clear what you mean, or what you are trying to do.

On Thu, Jul 26, 2012 at 08:48:42AM +0530, Girish Venkatachalam wrote:
 bump
 
 On Tue, Jul 24, 2012 at 10:10 PM, Girish Venkatachalam
 girishvenkatacha...@gmail.com wrote:
  Particularly for MS SQL kind of stuff?
 
  Do we have anything interesting in ports?
 
  Using ssh with -C flag?
 
  -Girish
 
  --
  Gayatri Hitech
  http://gayatri-hitech.com
 
 
 
 -- 
 Gayatri Hitech
 http://gayatri-hitech.com



Re: sshguard

2012-07-25 Thread David Diggles
How secure is the principle of log sucking for anything more than stats?
The inherent assumptions are risky I would think.

I mean, if someone could deliberately craft certain strings with spaces
or tabs that get passed, then they could subvert the sucking script.

There is an absolute reliance on the syslog behaving in a certain way under
all conditions!

On Wed, Jul 25, 2012 at 09:50:40AM -0600, Chris Lobkowicz wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 sshguard prefers to use the log-sucker way of parsing authlog. I don't
 even have a mention of sshguard in syslog.conf.
 
 the rc script just basically daemonises sshguard, and points it at
 /var/log/authlog
 
 # /etc/rc.d/sshguard
 daemon="/usr/local/sbin/sshguard"
 # REALLY Touchy version
 daemon_flags="-a 3 -l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
 # Less Touchy Version
 #daemon_flags="-l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
 
 . /etc/rc.d/rc.subr
 
 rc_bg=YES
 rc_reload=NO
 
 rc_cmd $1
 
 
 sshguard documentation on their website is quite thorough on how to
 install/use. The documentation on how to tweak is a little lacking though.
 
 All that is missing from an install of sshguard is the required entries
 into pf.conf, and which log files to monitor in the rc script.
 
 Works very, very well I might add.
 
 Good luck!
 
 Cheers
 Chris
 
 
 
 
 
 
 On 25/07/2012 08:04, Otto Moerbeek wrote:
  On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
  
  Hello all.
  # uname -a
  OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
 
  sshguard-1.5
  Are we not supposed to use the entry in /etc/syslog.conf any more ?
   auth.info;authpriv.info |/usr/local/sbin/sshguard 
 
  I get a message on my console saying:
  syslogd: unknown priority name info   |/usr/local/sbin/sshguard
 
  The info about the syslog.conf entry seems to be gone in the install
  message too.
 
  All the best
  Hasse 
  
  syslog is very picky about the difference between spaces and tabs.
  Always use one or more tabs.
  
  -Otto
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iQEcBAEBAgAGBQJQEBXQAAoJEFxdNdJhPdR3NK4IALCdIRU3ffb5W7l8rA1coIRR
 6/UNM3IfOyBa1mO9750oiMzOCPS8qyGQ/93nt9xt8TcQC2XYV0gGhGBa0jDLXLNe
 ujRXBFHXoSmd4DZ60WaZ6Ej9+TNV3rN2WZRZRjXHWWtEm1dacTWhNDakBp3pCtY3
 GYfFLWTQe5wSHVxrI/yB9eiCz6dCdwcL1xewTsQrTYtahtT46uPweCqjUCtx5pFv
 SogLHiWvA9qiUHhiPAoh/79KM11QDQGPpX+agm+LVA9/qkMuglAMhhaBM8IzXIIN
 qkJiz4KNGQuqLh2BfEetIr6bM44W3G3QTy+z+N1HEdRH3jayC+wkvb7TT91zEbk=
 =+k75
 -END PGP SIGNATURE-
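The objection raised at the top of this post is log injection: sshd writes the username the client supplied into authlog, so a client that logs in as the user `root from 10.0.0.1` produces a line in which a naive "user X from Y" pattern picks up the attacker's chosen address instead of the real one, and the blocking script bans whatever the attacker wanted banned. This added example (not sshguard's code, and not from the thread) runs a naive pattern and a hardened one over constructed authlog lines. The hardened parser anchors on the syslog prefix and on the end of the message, so the address is the last token sshd wrote, and it refuses to pass anything to pfctl that does not parse as an IP address. It assumes the server logs the client-supplied name verbatim, as older releases did; the hostnames, PIDs and addresses are made up.

```python
"""Naive vs hardened parsing of sshd 'Invalid user' lines.  Added example, not
from the thread or from sshguard.  Assumes sshd logs the client-supplied
username verbatim; all log lines below are constructed."""
import ipaddress
import re

# The third line is what sshd writes when a client authenticates as the
# *username* "root from 10.0.0.1": attacker-chosen text lands in the log.
SAMPLE_AUTHLOG = """\
Jul 25 09:50:40 odin sshd[1234]: Invalid user admin from 203.0.113.7
Jul 25 09:50:41 odin sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51102 ssh2
Jul 25 09:50:42 odin sshd[1235]: Invalid user root from 10.0.0.1 from 203.0.113.9
Jul 25 09:50:43 odin sshd[1236]: Accepted publickey for chris from 198.51.100.2 port 4022 ssh2
"""

# Naive: username is "one word", address is whatever follows the first " from ".
NAIVE = re.compile(r"Invalid user (\S+) from (\S+)")


def naive_offenders(log):
    """Addresses a first-match parser would ban; the injected line yields 10.0.0.1."""
    return [m.group(2) for line in log.splitlines() if (m := NAIVE.search(line))]


# Hardened: pin the syslog prefix and the END of the message.  sshd appends the
# peer address last, so a greedy username group cannot steal it however many
# "from" words the client put in its name.
HARDENED = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\S+)$"
)


def hardened_offenders(log):
    """Addresses to ban: last token of an anchored match, and a valid IP address."""
    out = []
    for line in log.splitlines():
        m = HARDENED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue          # malformed address: never hand it to pfctl
        out.append(str(ip))
    return out


def pfctl_commands(addresses, table="sshguard"):
    """Commands a blocker would run; only validated addresses reach this point."""
    return [f"pfctl -t {table} -T add {a}" for a in addresses]


if __name__ == "__main__":
    print("naive:   ", naive_offenders(SAMPLE_AUTHLOG))
    print("hardened:", hardened_offenders(SAMPLE_AUTHLOG))
    print("\n".join(pfctl_commands(hardened_offenders(SAMPLE_AUTHLOG))))
```

The same discipline applies to the "Failed password for invalid user ... port N ssh2" form: anchor on the trailing `port \d+ ssh2` and take the address immediately before it, never the first address-looking token after the username.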



Re: Calomel.org

2012-07-25 Thread David Diggles
Apparently calomel is full of bad and/or outdated advice for openbsd,
especially the sysctl tuning stuff.

Your best advice is to follow the official FAQs on openbsd.org, and
read openbsd man pages to learn your techniques.

Maybe there needs to be a calomel faq on openbsd.org.

On Thu, Jul 26, 2012 at 06:55:54AM +0200, Shaka NKofo wrote:
 I'm new to Open BSD but no stranger to *nix OSs. My question here is
 simple. I have been reading the man pages and documentation and have
 installed and setup a 5.1 box on my lan. Now after understanding its
 basic inner workings I wish to put it to heavy and good use.
 
 All I'm asking is that is it advisable to use some of the tutorials
 found on https://calomel.org/ as a sort of map to setup basic services
 like DNS and pf?
 
 I'm used to learning tech from scratch and mastering then using it but
 my work load is punishing and I would like to clean up DNS on my lan
 since the devices are just adding up too fast...
 
 Please I would appreciate your individual approaches and viewpoints on
 this matter.
 
 Thanks
 
 Shaka



Re: switching between ethernet and wifi

2012-07-23 Thread David Diggles
I have the same interfaces on my netbook.

I use trunk in the following way.

root@varis:etc:0# cat hostname.re0
up
root@varis:etc:0# cat hostname.urtwn0
nwid "De Gaulles" \
wpakey hackme
up
root@varis:etc:0# cat hostname.trunk0
trunkproto failover trunkport re0 trunkport urtwn0
dhcp
!/sbin/pfctl -f /etc/pf.conf

The wifi and wired are different subnets, so I am
reloading the pf rules with:

 sh /etc/netstart trunk0

It could be possible to write pf rules that do not
need reloading.

On Tue, Jul 24, 2012 at 01:13:29AM +0200, frantisek holop wrote:
 hi there,
 
 consider a notebook with two nic's: re0 (ethernet)
 and urtwn0 (usb wifi).  let's say, at boot time
 there is ethernet connection and /etc/hostname.re0
 contains dhcp.  urtwn0 is not plugged in.
 
 later, i want to switch to wifi.
 
 what i do: insert the usb wifi (/etc/hostname.urtwn0
 contains the correct network data), i disconnect the
 ethernet cable, route -n flush, ifconfig re0 down,
 sh /etc/netstart.
 
 what i expect: network is now through wifi.
 
 what i get: urtwn0 gets an IP, but route shows that the
 default route is still trying to go through re0, even if
 i comment out dhcp from /etc/hostname.re0
 
 how can i persuade the system to forget about re0?
 
 how is this situation different for /etc/netstart than
 booting up with the usb wifi inserted and an empty
 /etc/hostname.re0?
 
 what is the correct procedure in a case like this?
 
 
 
 $ sudo route -n flush
 default  10.10.10.1   done
 default  10.10.10.1   done
 10.10.10.135 127.0.0.1done
 127/0127.0.0.1done
 224/0127.0.0.1done
 ::/128   ::1  done
 ::/128   ::1  done
 ::127.0.0.0/128  ::1  done
 ::224.0.0.0/128  ::1  done
 ::255.0.0.0/128  ::1  done
 :::0.0.0.0/128   ::1  done
 2002::/128   ::1  done
 2002:7f00::/128  ::1  done
 2002:e000::/128  ::1  done
 2002:ff00::/128  ::1  done
 fe80::/128   ::1  done
 fec0::/128   ::1  done
 ff01::/128   ::1  done
 ff02::/128   ::1  done
 
 $ route -n show
 Routing tables
 
 Internet:
 DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
 127.0.0.1  127.0.0.1  UH 00 33196 4 lo0  
 
 Internet6:
 DestinationGatewayFlags   
 Refs  Use   Mtu  Prio Iface
 ::1::1UH 
 00 33196 4 lo0  
 fe80::%re0/64  link#1 C  
 00 - 4 re0  
 fe80::%lo0/64  fe80::1%lo0U  
 00 - 4 lo0  
 fe80::%urtwn0/64   link#5 UC 
 00 - 4 urtwn0
 ff01::%re0/32  link#1 C  
 00 - 4 re0  
 ff01::%lo0/32  fe80::1%lo0UC 
 00 - 4 lo0  
 ff01::%urtwn0/32   link#5 UC 
 00 - 4 urtwn0
 ff02::%re0/32  link#1 C  
 00 - 4 re0  
 ff02::%lo0/32  fe80::1%lo0UC 
 00 - 4 lo0  
 ff02::%urtwn0/32   link#5 UC 
 00 - 4 urtwn0
 
 question: why don't the re0 lines disappear from the inet6 lines
 after ifconfig re0 down?
 
 $ sudo sh /etc/netstart
 DHCPREQUEST on urtwn0 to 255.255.255.255 port 67
 DHCPREQUEST on urtwn0 to 255.255.255.255 port 67
 DHCPACK from 10.10.10.1 (00:22:bb:aa:aa:cc)
 bound to 10.10.10.136 -- renewal in 604780 seconds.
 
 $ route -n show
 Routing tables
 
 Internet:
 DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
 default10.10.10.1 GSP46 - 8 re0  
 ^^^
 default10.10.10.1 GS 00 - 8 re0  
 ^^^
 10.10.10.136   127.0.0.1  UGHS   00 33196 8 lo0  
 127/8  127.0.0.1  UGRS   00 33196 8 lo0  
 127.0.0.1  127.0.0.1  UH 10 33196 4 lo0  
 224/4  127.0.0.1  URS00 33196 8 lo0  
 
 Internet6:
 DestinationGatewayFlags   
 Refs  Use   Mtu  Prio Iface
 ::/104 
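An added pf.conf fragment for the failover trunk described above, not the poster's own configuration, showing rules that need no reload when trunk0 moves between the wired and wireless subnets: an interface name in parentheses makes pf look up that interface's current address and network each time the rule is evaluated, instead of baking the address in at load time. The ssh rule and the trunk0 name are assumptions for illustration; the interface group `egress` can be used the same way.

```pf
# Assumes trunk0 is the failover trunk from the hostname files above and
# holds a DHCP address that changes on failover.
set skip on lo
block return log

# Outbound traffic from whatever address trunk0 currently has.
pass out on trunk0 inet from (trunk0) to any

# Inbound ssh only from the subnet trunk0 is currently attached to.
# (trunk0:network) is re-resolved on each address change; writing the
# subnet literally is what forces the "pfctl -f" in hostname.trunk0.
pass in on trunk0 inet proto tcp from (trunk0:network) to (trunk0) port ssh
```

With these rules `!/sbin/pfctl -f /etc/pf.conf` in hostname.trunk0 becomes unnecessary; `pfctl -sr` shows the parenthesised names, and `pfctl -vsr` shows the addresses pf has resolved for them at that moment.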

Re: Speeding up scp over 10GigE, suggestions?

2012-07-20 Thread David Diggles
Thanks Christian

Specifying the MAC you suggested makes a big jump in performance.

SSH Options: [-o Ciphers=arcfour128 -o MACs=umac...@openssh.com]
98.65026953028924143858 MB/s
94.75118186708754888342 MB/s
93.67964795503113387533 MB/s
77.35326700132979443792 MB/s

SSH Options: [-o Ciphers=arcfour128]
63.50306913748638001067 MB/s
63.09124016939771183475 MB/s
61.51859822693993063534 MB/s
52.67600175573777350882 MB/s

On Thu, Jul 19, 2012 at 11:51:50AM +, Christian Weisgerber wrote:
 David Diggles da...@elven.com.au wrote:
 
  I am looking for ways to speed up scp over 10GigE.
  With parallel transfer of 4x 8GB files, I get
  the following test results with various ciphers.
  
  These tests maxed out 4 cores with encryption overhead.
 
 Assuming that crypto actually is your bottleneck, here are a few
 hints:
 
 First, use a faster MAC: -m umac...@openssh.com
 
  SSH Options: [-o Cipher=arcfour]
  SSH Options: [-o Cipher=blowfish]
 
 These only apply to the SSH1 protocol and are ignored otherwise.
 
  SSH Options: [-o Ciphers=arcfour]
  SSH Options: [-o Ciphers=blowfish-cbc]
  SSH Options: [-o Ciphers=aes256-ctr]
  SSH Options: [-o Ciphers=3des-cbc]
 
 There are really three interesting ciphers: aes128-ctr, aes128-cbc,
 and arcfour128.
 
 aes128-ctr is the default and already plenty fast.
 
 aes128-cbc used to be the default until a security problem with the
 way CBC mode is used in the SSH2 protocol was discovered.  In
 principle it isn't any faster than aes128-ctr, but in practice it
 may be since it uses OpenSSL's optimized EVP_aes_128_cbc() function
 while aes128-ctr relies on calls to the low-level AES_encrypt()
 primitive.
 
 arcfour128 is the fastest cipher supported.  (Plain arcfour may
 be a tad faster, but has known security problems.)
 
 -- 
 Christian naddy Weisgerber  na...@mips.inka.de



Re: Speeding up scp over 10GigE, suggestions?

2012-07-20 Thread David Diggles
The previous tests were reading from striped disks 4 spindles,
writing to /dev/null

This is the best so far, with fetching 4 compressed 500MB files
on a remote ramdisk, local output going to /dev/null

All on 10GigE in the same room.

OUTDIR: [/dev/null] SSH Options: [-o Ciphers=arcfour128 -o 
MACs=umac...@openssh.com]
254.72636815920398009950 MB/s
225.55066079295154185022 MB/s
222.60869565217391304347 MB/s
237.03703703703703703703 MB/s

Here is a test scp read from remote ramdisk, write to mounted
cluster filesystem (over the same 10GigE link).

OUTDIR: [/scatch/tmp] SSH Options: [-o Ciphers=arcfour128 -o 
MACs=umac...@openssh.com]
73.03851640513552068473 MB/s
72.72727272727272727272 MB/s
68.63270777479892761394 MB/s
68.35781041388518024032 MB/s

I have compiled hpn-ssh but not yet tested it locally or over the wan.

On Fri, Jul 20, 2012 at 05:33:33PM +1000, David Diggles wrote:
 Thanks Christian
 
 Specifying the MAC you suggested makes a big jump in performance.
 
 SSH Options: [-o Ciphers=arcfour128 -o MACs=umac...@openssh.com]
 98.65026953028924143858 MB/s
 94.75118186708754888342 MB/s
 93.67964795503113387533 MB/s
 77.35326700132979443792 MB/s
 
 SSH Options: [-o Ciphers=arcfour128]
 63.50306913748638001067 MB/s
 63.09124016939771183475 MB/s
 61.51859822693993063534 MB/s
 52.67600175573777350882 MB/s
 
 On Thu, Jul 19, 2012 at 11:51:50AM +, Christian Weisgerber wrote:
  David Diggles da...@elven.com.au wrote:
  
   I am looking for ways to speed up scp over 10GigE.
   With parallel transfer of 4x 8GB files, I get
   the following test results with various ciphers.
   
   These tests maxed out 4 cores with encryption overhead.
  
  Assuming that crypto actually is your bottleneck, here are a few
  hints:
  
  First, use a faster MAC: -m umac...@openssh.com
  
   SSH Options: [-o Cipher=arcfour]
   SSH Options: [-o Cipher=blowfish]
  
  These only apply to the SSH1 protocol and are ignored otherwise.
  
   SSH Options: [-o Ciphers=arcfour]
   SSH Options: [-o Ciphers=blowfish-cbc]
   SSH Options: [-o Ciphers=aes256-ctr]
   SSH Options: [-o Ciphers=3des-cbc]
  
  There are really three interesting ciphers: aes128-ctr, aes128-cbc,
  and arcfour128.
  
  aes128-ctr is the default and already plenty fast.
  
  aes128-cbc used to be the default until a security problem with the
  way CBC mode is used in the SSH2 protocol was discovered.  In
  principle it isn't any faster than aes128-ctr, but in practice it
  may be since it uses OpenSSL's optimized EVP_aes_128_cbc() function
  while aes128-ctr relies on calls to the low-level AES_encrypt()
  primitive.
  
  arcfour128 is the fastest cipher supported.  (Plain arcfour may
  be a tad faster, but has known security problems.)
  
  -- 
  Christian naddy Weisgerber  na...@mips.inka.de



Re: Re : Apache won't start after pecl-imagick installation

2012-07-20 Thread David Diggles
Maybe a stupid question, but did you create the certificate following the
steps in the FAQ?

http://www.openbsd.org/faq/faq10.html#HTTPS

On Fri, Jul 20, 2012 at 09:23:53AM +0100, Mik J wrote:
 Hello,
 
 I'm coming back with this Apache startup that works fine but yesterday
 I added the -DSSL option in /etc/rc.conf but Apache won't start
 
 # /etc/rc.d/httpd start
 httpd(failed)
 
 I've looked at all the logs I could find but couldn't see why it failed.
 Is Apache SSL with lpthread supposed to work ?
 
 ----- Original message -----
  From: Mik J mikyde...@yahoo.fr
  To: misc@openbsd.org
  Cc:
  Sent: Tuesday 8 May 2012 22:08
  Subject: Re : Apache won't start after pecl-imagick installation
 
  Thank you for your answer.
  I did use apachectl but after your email I followed your suggestions and it works.
  I have noticed now that the command apachectl doesn't work at all now,
  when I read your email I thought that it wouldn't work for the first time only.
  I'm wondering if the apachectl command will end up being deprecated if it
  doesn't allow apache to restart without us wondering if it has to pre-load
  some libraries or not.
  Have a good day
 
  ----- Original message -----
   From: Stuart Henderson s...@spacehopper.org
   To: misc@openbsd.org
   Cc:
   Sent: Tuesday 8 May 2012 16:06
   Subject: Re: Apache won't start after pecl-imagick installation
 
   On 2012-05-08, Mik J mikyde...@yahoo.fr wrote:
    Hello,
   
    I'm reinstalling my system from 4.9 to 5.1
    I have installed pecl-imagick and stopped/started Apache but I have a
    seg fault (core dumped).
    If I uninstall this package Apache stops/starts nicely.
   
    I have read this page
    http://www.openbsd.org/faq/upgrade50.html#Pkgup
    The last point talks about my problem and advises to add in /etc/login.conf
    httpd:\
        :setenv=LD_PRELOAD=/usr/lib/libpthread.so:\
        :tc=daemon:
   
    This doesn't help, I still have the same problem with Apache.
   
   How did you start Apache? You will need to use /etc/rc.d/httpd restart
   (or reboot) so it's started from the system rc scripts for this to take
   effect, apachectl does not handle this.
   
    Also /usr/lib/libpthread.so doesn't exist so I replaced it with
    /usr/lib/libpthread.so.13.3 but still no success.
   
   No the instructions are correct, use /usr/lib/libpthread.so



Re: Speeding up scp over 10GigE, suggestions?

2012-07-19 Thread David Diggles
On Thu, Jul 19, 2012 at 08:08:26AM +0200, Jan Stary wrote:
 
 have you also tried -o 'Compression no'?


I have now.  No real difference:

SSH Options: [-o Ciphers=arcfour -o Compression=no]
64.68132476895114469583 MB/s
63.56096147431307883010 MB/s
61.69097005503488103824 MB/s
61.41473507203868873527 MB/s

Data in the range of many terabytes, possibly up to petabytes are
expected to go over the link, so the hpn-ssh patch used by HPC sites
looks like the most viable for this - thanks, Michael.

Dan, yes the 4 ssh processes were at 100% cpu, I guess with the
encryption overhead.  Both client and server are 8 core.  There
was no other load at the time of testing, so half the cores are
available to service disk and network load.



Speeding up scp over 10GigE, suggestions?

2012-07-18 Thread David Diggles
I am looking for ways to speed up scp over 10GigE.
With parallel transfer of 4x 8GB files, I get
the following test results with various ciphers.

These tests maxed out 4 cores with encryption overhead.

SSH Options: []
42.19127261151704773780 MB/s
41.32435720074992870891 MB/s
41.22255300977449037448 MB/s
35.14314848096707088842 MB/s
SSH Options: [-o Cipher=arcfour]
42.29364755264296110810 MB/s
41.33048144476525498397 MB/s
40.66949911950141243635 MB/s
34.96835809940579522864 MB/s
SSH Options: [-o Cipher=blowfish]
41.31823477141503563833 MB/s
41.17589132764324310451 MB/s
40.60436476031948831063 MB/s
37.9382821256503154 MB/s
SSH Options: [-o Ciphers=arcfour]
63.46934728314239543624 MB/s
63.12456133140056259549 MB/s
60.76352210664413222751 MB/s
58.96905384031456559350 MB/s
SSH Options: [-o Ciphers=blowfish-cbc]
41.30803475295660396171 MB/s
41.07683306590647371566 MB/s
41.01843094015703567390 MB/s
37.04298839486332491988 MB/s
SSH Options: [-o Ciphers=aes256-ctr]
35.52817257150550157716 MB/s
35.12986798313667520325 MB/s
34.83586359188837309574 MB/s
33.97713352365103381419 MB/s
SSH Options: [-o Ciphers=3des-cbc]
14.26907486929738814750 MB/s
14.23944679498915951801 MB/s
14.12143966591359995680 MB/s
13.70012503702996703140 MB/s

The data itself is not sensitive and does not really need
to be encrypted, although security policy between the organisations
involved may prohibit disabling of encryption. :-/

Any suggestions?  I have searched the list for scp 10gigE
and only found the following post in 2004.

On Thu, 18 Nov 2004, Jonathan Weiss wrote:

 Hi folks,

 Somebody had a look at http://www.psc.edu/networking/projects/hpn-ssh/ ?

 Greets,
 Jonathan

Lessee, pulling Chris Rapier's card out of my pocket.  I read the poster
presentation at SuperComputing04 last week in Pittsburgh.  Looks
interesting but I'm not so sure how useful it would be in real world
commodity networks.

I'm planning on setting up some boxen with the patched ssh when I get back
from next week's US Holiday, but I work in a world where 10GigE is already
installed to selected servers and workstations.

diana

Is there any interest or further development with high bandwidth scp
since 2004?



Re: Speeding up scp over 10GigE, suggestions?

2012-07-18 Thread David Diggles
Hmmm, ok...  hpn-ssh looks like the go.

http://www.psc.edu/index.php/hpn-ssh
http://www.nren.nasa.gov/hpn_ssh.html
http://www.hpsc.csiro.au/userguides/faq/ssh.php#hpn-ssh



Re: bsd.rd anonymous ftp login broken?

2012-07-11 Thread David Diggles
Use http then?  To get you out of trouble.

Since other people don't have the problem, something fishy going on at your ISP?

I was once with an ISP that had a transparent proxy for http.  I noticed because
it was serving dated content, and the IP addresses in my remote server logs were
not my own.  Maybe your ISP is transparently proxying ftp?

My current ISP blocks a lot of ports by default.  I needed to login and disable
their firewall in my customer profile.

On Wed, Jul 11, 2012 at 09:55:35PM +0200, Jan Stary wrote:
 Trying to reinstall with the current i386/bsd.rd.
 All goes well until I actually select a ftp mirror,
 and asked for the ftp login, I accept the default of
 'anonymous'. It keeps asking:
 
   ftp login ? anonymous [enter]
   ftp login ? anonymous [enter]
   ftp login ? anonymous [enter]
 
 and never gets past this.
 
 Tried with different ftp mirrors,
 so it's not that the one mirror is broken.
 
   Jan



Re: dmesg reporting different clock speeds on different cores

2012-07-09 Thread David Diggles
On Mon, Jul 09, 2012 at 10:22:34AM +0200, Peter Hessler wrote:
 On 2012 Jul 09 (Mon) at 15:20:19 +1000 (+1000), David Diggles wrote:
 :dmesg|grep ^cpu[0-9]*:
 
 Every time I see this, I stop reading the mail.  Please, for the love of
 everything (un)holy, stop doing this.
 
 -- 
 An Englishman never enjoys himself, except for a noble purpose.
   -- A. P. Herbert

My apologies, annoyance was not my intention.  Apparently I wrongly made a
judgement call that the entire dmesg is not necessary for the question
I am asking.  Of course you do realise there will *always* be such posts.

There really is nothing gained by being annoyed.

Cheer up!

Now the world has gone to bed
Darkness won't engulf my head
I can see by infra-red
How I hate the night

Now I lay me down to sleep
Try to count electric sheep
Sweet dream wishes you can keep
How I hate the night

OpenBSD 5.1 (GENERIC.MP) #188: Sun Feb 12 09:55:11 MST 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (GenuineIntel 686-class) 1.81 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
real mem  = 2136076288 (2037MB)
avail mem = 2091008000 (1994MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/26/10, BIOS32 rev. 0 @ 0xf9830, SMBIOS 
rev. 2.5 @ 0xf (39 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 10/26/2010
bios0: OEM OEM
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET MCFG APIC
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) 
HUB0(S5) UAR1(S5) UAR2(S5) IGBE(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) 
USB4(S3) EHC1(S3) EHC2(S3) AZAL(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 389MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (GenuineIntel 686-class) 3.51 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX0)
acpiprt2 at acpi0: bus 2 (PEX1)
acpiprt3 at acpi0: bus 3 (PEX2)
acpiprt4 at acpi0: bus -1 (PEX3)
acpiprt5 at acpi0: bus -1 (PEX4)
acpiprt6 at acpi0: bus -1 (PEX5)
acpiprt7 at acpi0: bus 4 (HUB0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0: critical temperature is 98 degC
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xda00!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel Pineview DMI rev 0x02
vga1 at pci0 dev 2 function 0 Intel Pineview Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1: apic 4 int 16
drm0 at inteldrm0
Intel Pineview Video rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x04: apic 4 int 16
uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x04: apic 4 int 21
ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x04: apic 4 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 Intel 82801H HD Audio rev 0x04: msi
azalia0: codecs: Realtek ALC888
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x04: apic 4 int 16
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel PRO/1000 (82583V) rev 0x00: msi, address 
00:03:1d:0b:49:01
ppb1 at pci0 dev 28 function 1 Intel 82801H PCIE rev 0x04: apic 4 int 17
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 Intel PRO/1000 (82583V) rev 0x00: msi, address 
00:03:1d:0b:49:02
ppb2 at pci0 dev 28 function 2 Intel 82801H PCIE rev 0x04: apic 4 int 18
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 Intel PRO/1000 (82583V) rev 0x00: msi, address 
00:03:1d:0b:49:03
uhci2 at pci0 dev 29 function 0 Intel 82801H USB rev 0x04: apic 4 int 23
uhci3 at pci0 dev 29 function 1 Intel 82801H USB rev 0x04: apic 4 int 19
uhci4 at pci0 dev 29 function 2 Intel 82801H USB rev 0x04: apic 4 int 18
ehci1 at pci0 dev 29 function 7 Intel 82801H USB rev 0x04: apic 4 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xf4
pci4 at ppb3 bus 4
ichpcib0 at pci0 dev 31 function 0 Intel 82801HBM LPC rev 0x04: PM disabled
pciide0 at pci0 dev 31 function 1 Intel

dmesg reporting different clock speeds on different cores

2012-07-08 Thread David Diggles
I am just curious.

Would someone mind explaining why the clock speed reports
as different for cpu1?  Both cores are on the same cpu.

dmesg|grep ^cpu[0-9]*:
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (GenuineIntel 686-class) 1.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
cpu0: apic clock running at 389MHz
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (GenuineIntel 686-class) 3.51 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF



Re: dmesg reporting different clock speeds on different cores

2012-07-08 Thread David Diggles
Sorry,

OpenBSD generic , 5.1 release.

On Mon, Jul 09, 2012 at 03:20:19PM +1000, David Diggles wrote:
> I am just curious.
> 
> Would someone mind explaining why the clock speed reports
> as different for cpu1?  Both cores are on the same cpu.
> 
> dmesg|grep ^cpu[0-9]*:
> cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (GenuineIntel 686-class) 1.81 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
> cpu0: apic clock running at 389MHz
> cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz (GenuineIntel 686-class) 3.51 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF



Re: OpenBSD - UEFI Secure Boot

2012-07-07 Thread David Diggles
With all the investment in non MS, mission critical / non portable apps,
in the proprietary world alone, do you really think Microsoft can ever take
over all of i386?  Surely they can only try, and keep on trying, but it is
an unwinnable arms race, and someone is going to be willing to pay for a back
door each time, regardless of what lock downs occur.

On Sat, Jul 07, 2012 at 03:46:50PM +0100, llemike...@aol.com wrote:
> Dear Your name should be here ;-) ,
> 
> I have been considering the implications for BSD and
> Linux and any non-MS O/S of the implementation of UEFI
> Secure Boot (SB).
> 
> As I understand it, ARM devices wishing to receive Win8 cert
> are required to enable SB by default and prevent the disabling
> of SB.
> 
> Meanwhile, x86 devices are supposed to ship with SB enabled
> but allow disabling...
> 
> For some commentators, the x86 situation has been presented
> as MS leaving a back-door for other OSes such as BSD or Linux
> etc. i.e. "Don't worry about it"
> 
> I think it is, in fact, that MS is seeking to temporarily provide a
> back-door for Win XP, Vista and Win7.
> 
> As each MS OS reaches end-of-paid-for-support (e.g. XP in 2014)
> MS will slowly relax the UEFI SB specification such that the ability to
> disable SB will gradually disappear from x86-based devices.
> 
> I am surprised that there is so little discussion of this developing
> situation on BSD and/or Linux lists because for me, the red lights
> are flashing, all bells and hooters are sounding,
> "We gotta get out of here!!"
> 
> We are potentially talking about the end of BSD (or Linux...) on x86
> hardware.
> 
> Am I overly pessimistic? Have I missed something?
> 
> OR
> 
> Am I Jeremiah shouting "There's a flood coming! There's a f**
> flood coming, PEOPLE!" while everybody else is roasting sausages
> on their barbecues?
> 
> Mike



Re: masive problems with bind, need secondaty advice...

2012-06-28 Thread David Diggles
Put these in your options.

forward first;
forwarders { Your-ISP-DNS-server0; Your-ISP-DNS-server1; };

On Fri, Jun 29, 2012 at 07:30:31AM +0200, Ton Muller wrote:
> ok, this is the situation.
> i have setup named for caching entries, and local DNS serving.
> normally i have nameserver 192.168.1.254 in my resolv.conf
> so DNS requests go through ISP dns
> 
> below is my named.conf, as far it is, it is correct.
> 
> named.conf.
> //
> acl clients {
>     127.0.0.1;
>     192.168.0.0/24;
>     192.168.1.0/24;
>     192.168.2.0/24;
> };
> 
> options {
>     version "";  // Remove this to allow version queries
>     max-cache-size 1 ;
>     listen-on { any; };
>     empty-zones-enable yes;
>     allow-recursion { clients; };
> };
> 
> logging {
>     category lame-servers { null; };
> };
> 
> // Standard zones
> //
> zone "." {
>     type hint;
>     //file "master/named.root";
>     file "master/root.zone";
> };
> 
> zone "zone.localhost" {
>     type master;
>     file "/master/zone.localhost";
>     allow-transfer { localhost; };
> };
> 
> zone "revp.localhost" {
>     type master;
>     file "/master/revp.localhost";
>     allow-transfer { localhost; };
> };
> 
> // Master zones
> //
> zone "xs4non.nl" {
>     type master;
>     file "master/xs4non.nl";
>     allow-transfer { clients; };
> };
> 
> zone "0.168.192.in-addr.arpa" {
>     type master;
>     file "/master/0.168.192.in-addr.arpa";
>     allow-transfer { clients; };
> };
> 
> 
> my dhcpd.conf is also correct, all my lan machines do a lookup to
> 192.168.0.240, which is my LAN ETH; requests are ok, i got all replies.
> even my webserver on the box is available,
> 
> on the box, when i do a ping, i got a reply, even dig works as it should be.
> 
> now..
> when i change resolv.conf to 192.168.1.240 (inbound ETH what is
> connected from modem) i can go shop, make coffee, make breakfast...
> 
> having 2 entries works, but.. its so massive slow..
> so, what the heck is going on.
> i want to serve local dns entries, and caching for WAN.
> 
> or is it perhaps a pf issue...



Re: how to configure DHCP on trunk interfaces ?

2012-06-27 Thread David Diggles
Here is an example from my netbook.

# cat hostname.re0
up
# cat hostname.urtwn0
nwid myAP \
wpakey myPassword
up
# cat hostname.trunk0
trunkproto failover trunkport re0 trunkport urtwn0
dhcp

On Wed, Jun 27, 2012 at 05:04:26PM +0600, Ilya Shipitsin wrote:
> Hello!
> 
> it works for em0, if I put DHCP in hostname.em0
> is it possible to do with trunk0 ?
> 
> can anybody give a working example ?
> 
> 
> Cheers,
> Ilya Shipitsin



Re: Something other than getty/login on console?

2012-06-24 Thread David Diggles
Thanks Marcus!  I have been sidetracked with a few things,
but will give this technique a try soon.

I take it dostuff.sh is where I could put something like
#!/bin/sh
while :; do    # loop forever, replaying the demo on the console
    /usr/local/bin/ttyplay kickassci.demo
done

?

On Fri, Jun 15, 2012 at 09:36:43AM +0200, MERIGHI Marcus wrote:
> da...@elven.com.au (David Diggles), 2012.06.15 (Fri) 00:20 (CEST):
> > I want the default login console to run something like
> > /usr/games/worms -n100
> > or
> > rsh host /opt/local/bin/xaos -driver aa -autopilot
> 
> the way I do it...
> 
> $ grep ttyC0 /etc/ttys
> ttyC0   "/usr/local/libexec/getty.sh"   vt220   on
> 
> $ ls -al /usr/local/libexec/getty.sh
> -rwxr-xr-x  1 root  wheel  210 Feb 15 19:01 /usr/local/libexec/getty.sh
> 
> $ cat /usr/local/libexec/getty.sh
> #!/bin/ksh -e
> # init appends the tty name (e.g. ttyC0) as $1, as it does for getty
> TERM=vt220 /usr/local/sbin/dostuff.sh < /dev/$1 > /dev/$1
> 
> $ ls -la /usr/local/sbin/dostuff.sh
> -rwxr-xr-x  1 root  wheel  -  2.2K Feb 18 11:28 /usr/local/sbin/dostuff.sh
> 
> dostuff.sh has stdin/stdout connected to console, now.
> 
> Bye, Marcus
> 
> (nice project, btw!)
> 



Seagate Expansion 3T disk works via USB but not via SATA

2012-06-21 Thread David Diggles
Could this USB disk have been crippled by Seagate to not work as
a SATA device?

The disk I am trying to mount is pulled out of an external
Seagate Expansion USB drive, PN 9SE2N9-500, and plugged directly into
the SATA on an motherboard.

I have a single ffs2 2.8T partition.

It works and mounts fine as a USB device:

umass0 at uhub1 port 1 configuration 1 interface 0 Seagate Desktop rev 2.00/1.46 addr 4
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0: Seagate, Desktop, 0146 SCSI2 0/direct fixed
sd0: 2861588MB, 4096 bytes/sector, 732566644 sectors

I have quite a lot of data on it already.  It has proven to be reliable.

root@tara:~:0# df -k /mnt
Filesystem  1K-blocks       Used      Avail Capacity  Mounted on
/dev/sd0a  2907224112 1239228824 1522634088    45%    /mnt

As a SATA device, on the other hand, when I try to mount, I get this in the 
dmesg:

root@tara:log:0# mount /dev/wd0a /mnt
mount_ffs: /dev/wd0a on /mnt: Invalid argument

Jun 21 18:19:18 tara /bsd: wd0a: DMA error reading fsbn 128 of 128-143 (wd0 bn 128; cn 0 tn 2 sn 2), retrying
Jun 21 18:19:21 tara /bsd: wd0: transfer error, downgrading to Ultra-DMA mode 5
Jun 21 18:19:21 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
Jun 21 18:19:21 tara /bsd: wd0a: DMA error reading fsbn 128 of 128-143 (wd0 bn 128; cn 0 tn 2 sn 2), retrying
Jun 21 18:19:25 tara /bsd: wd0: transfer error, downgrading to Ultra-DMA mode 4
Jun 21 18:19:25 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 4
Jun 21 18:19:25 tara /bsd: wd0a: DMA error reading fsbn 128 of 128-143 (wd0 bn 128; cn 0 tn 2 sn 2), retrying
Jun 21 18:19:29 tara /bsd: wd0: transfer error, downgrading to Ultra-DMA mode 3
Jun 21 18:19:29 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 3
Jun 21 18:19:29 tara /bsd: wd0a: DMA error reading fsbn 128 of 128-143 (wd0 bn 128; cn 0 tn 2 sn 2), retrying
Jun 21 18:19:32 tara /bsd: wd0: soft error (corrected)
Jun 21 18:19:32 tara /bsd: wd0: transfer error, downgrading to Ultra-DMA mode 2
Jun 21 18:19:32 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2
Jun 21 18:19:32 tara /bsd: wd0a: DMA error reading fsbn 16 of 16-31 (wd0 bn 16; cn 0 tn 0 sn 16), retrying
Jun 21 18:19:36 tara /bsd: wd0: transfer error, downgrading to Ultra-DMA mode 1
Jun 21 18:19:36 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 1
Jun 21 18:19:36 tara /bsd: wd0a: DMA error reading fsbn 16 of 16-31 (wd0 bn 16; cn 0 tn 0 sn 16), retrying
Jun 21 18:19:40 tara /bsd: wd0: transfer error, downgrading to Ultra-DMA mode 0
Jun 21 18:19:40 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 0
Jun 21 18:19:40 tara /bsd: wd0a: DMA error reading fsbn 16 of 16-31 (wd0 bn 16; cn 0 tn 0 sn 16), retrying
Jun 21 18:19:43 tara /bsd: wd0: transfer error, downgrading to DMA mode 2
Jun 21 18:19:43 tara /bsd: wd0(pciide1:0:0): using PIO mode 4, DMA mode 2
Jun 21 18:19:43 tara /bsd: wd0a: DMA error reading fsbn 16 of 16-31 (wd0 bn 16; cn 0 tn 0 sn 16), retrying
Jun 21 18:19:47 tara /bsd: wd0: soft error (corrected)
Jun 21 18:19:47 tara /bsd: wd0: transfer error, downgrading to PIO mode 4
Jun 21 18:19:47 tara /bsd: wd0(pciide1:0:0): using PIO mode 4
Jun 21 18:19:47 tara /bsd: wd0a: DMA error reading fsbn 512 of 512-527 (wd0 bn 512; cn 0 tn 8 sn 8), retrying
Jun 21 18:19:50 tara /bsd: wd0: soft error (corrected)

The fdisk command is having trouble too.

root@tara:log:1# fdisk -u wd0
Do you wish to write new MBR? [n] y
Writing MBR at offset 0.
fdisk: error writing MBR: Invalid argument
root@tara:log:0# fdisk -i wd0
Do you wish to write new MBR and partition table? [n] y
Writing MBR at offset 0.
fdisk: error writing MBR: Invalid argument

Disklabel output is different...

As a USB device ...

root@tara:log:0# disklabel wd0
# /dev/rwd0c:
type: SCSI
disk: SCSI disk
label: Desktop
duid: 15aa58bb3c195357
flags:
bytes/sector: 4096
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 45600
total sectors: 5860533168
boundstart: 0
boundend: 5860533168
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:        732566640                0  4.2BSD   8192 65536     1
  c:       5860533168                0  unused

As a SATA device ...

root@tara:~:0# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Desktop
duid: 15aa58bb3c195357
flags:
bytes/sector: 4096
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 45600
total sectors: 732566644
boundstart: 0
boundend: 732566644
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:        732566640                0  4.2BSD   8192 65536     1
  c:        732566644                0  unused


OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2135490560 (2036MB)
avail mem = 2064539648 

Re: Seagate Expansion 3T disk works via USB but not via SATA

2012-06-21 Thread David Diggles
I have not tried this with the latest snapshot, or with i386 yet.

Should I?

On Thu, Jun 21, 2012 at 09:52:41PM +1000, David Diggles wrote:
[SNIP]
> As a USB device ...

Oops, this is the SATA.

> root@tara:log:0# disklabel wd0
> # /dev/rwd0c:
> type: SCSI
> disk: SCSI disk
> label: Desktop
> duid: 15aa58bb3c195357
> flags:
> bytes/sector: 4096
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 45600
> total sectors: 5860533168
> boundstart: 0
> boundend: 5860533168
> drivedata: 0
> 
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   a:        732566640                0  4.2BSD   8192 65536     1
>   c:       5860533168                0  unused
> 
> As a SATA device ...

This is the USB.

> root@tara:~:0# disklabel sd0
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: Desktop
> duid: 15aa58bb3c195357
> flags:
> bytes/sector: 4096
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 45600
> total sectors: 732566644
> boundstart: 0
> boundend: 732566644
> drivedata: 0
> 
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   a:        732566640                0  4.2BSD   8192 65536     1
>   c:        732566644                0  unused
> 
> 
> OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 2135490560 (2036MB)
> avail mem = 2064539648 (1968MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf (39 entries)
> bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 10/26/2010
> bios0: OEM OEM
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP HPET MCFG APIC
> acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) HUB0(S5) UAR1(S5) UAR2(S5) IGBE(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) EHC1(S3) EHC2(S3) AZAL(S5) PCI0(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.24 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF
> cpu0: 512KB 64b/line 8-way L2 cache
> cpu0: apic clock running at 1333MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 12005.94 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF
> cpu1: 512KB 64b/line 8-way L2 cache
> cpu2 at mainbus0: apid 3 (application processor)
> cpu2: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 12005.94 MHz
> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF
> cpu2: 512KB 64b/line 8-way L2 cache
> cpu3 at mainbus0: apid 1 (application processor)
> cpu3: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 12005.94 MHz
> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF
> cpu3: 512KB 64b/line 8-way L2 cache
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 4
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (PEX0)
> acpiprt2 at acpi0: bus 2 (PEX1)
> acpiprt3 at acpi0: bus 3 (PEX2)
> acpiprt4 at acpi0: bus -1 (PEX3)
> acpiprt5 at acpi0: bus -1 (PEX4)
> acpiprt6 at acpi0: bus -1 (PEX5)
> acpiprt7 at acpi0: bus 4 (HUB0)
> acpicpu0 at acpi0
> acpicpu1 at acpi0
> acpicpu2 at acpi0
> acpicpu3 at acpi0
> acpitz0 at acpi0: critical temperature is 98 degC
> acpibtn0 at acpi0: PWRB
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 Intel Pineview DMI rev 0x02
> vga1 at pci0 dev 2 function 0 Intel Pineview Video rev 0x02
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xd000, size 0x1000
> inteldrm0 at vga1: apic 4 int 16
> drm0 at inteldrm0
> Intel Pineview Video rev 0x02 at pci0 dev 2 function 1 not configured
> uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x04: apic 4 int 16
> uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x04: apic 4 int 21
> ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x04: apic 4 int 18
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
> azalia0 at pci0 dev 27 function 0 Intel 82801H HD Audio rev 0x04: msi
> azalia0: codecs: Realtek ALC888
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x04: msi
> pci1 at ppb0 bus 1
> em0 at pci1

Re: Seagate Expansion 3T disk works via USB but not via SATA

2012-06-21 Thread David Diggles
Oh ok, then I am out of luck on this.
This BIOS does not have an ahci mode for sata.

Thanks for the info.

On Fri, Jun 22, 2012 at 12:26:23AM +1000, Jonathan Gray wrote:
> On Thu, Jun 21, 2012 at 11:54:55PM +1000, Jonathan Gray wrote:
> > It seems the lba48 capacity values being pulled out aren't sane
> > for whatever reason.
> > 
> > Can you try switch the controller into ahci mode via the bios?
> 
> Looking at this again, it seems there is no support for 4k
> sectors with wd(4) only sd(4).  So until someone with a 4k sector disk
> can change that code you'll have to switch the controller to ahci mode.



Re: Seagate Expansion 3T disk works via USB but not via SATA

2012-06-21 Thread David Diggles
That is my plan b for down the track.  I will live with it on USB for now.

Pretty happy with this new Atom so far, on the whole.

It had a noticeable performance improvement after switching from amd64 to i386.

On Thu, Jun 21, 2012 at 04:13:15PM +, Stuart Henderson wrote:
> On 2012-06-21, David Diggles da...@elven.com.au wrote:
> > Oh ok, then I am out of luck on this.
> > This BIOS does not have an ahci mode for sata.
> 
> plug-in sili(4)?



Re: Seagate Expansion 3T disk works via USB but not via SATA

2012-06-21 Thread David Diggles
I would be happy to test it out.

On Thu, Jun 21, 2012 at 04:40:20PM -0700, Matthew Dempsky wrote:
> On Thu, Jun 21, 2012 at 9:38 AM, David Diggles da...@elven.com.au wrote:
> > That is my plan b for down the track.  I will live with it on USB for now.
> >
> > Pretty happy with this new Atom so far, on the whole.
> >
> > It had a noticeable performance improvement after switching from amd64 to
> > i386.
> 
> FWIW, I have a somewhat old diff that switches wdc(4) and pciide(4) to
> use atascsi and sd(4) instead of the legacy wd(4) stuff.  If you're
> interested, I can dig it up and try to polish it off so it's
> testworthy.  From what I recall, I think sd(4) was working fine, but
> cd(4) was still iffy.



Re: acpitz critical temperature is too high

2012-06-19 Thread David Diggles
I think one problem with using syslog triggers is opening up the risk of a
DOS attack if some user or some internet connection into a service finds a way
to trick syslog into printing strings, to.. shut down a server.

On Mon, Jun 18, 2012 at 11:36:46PM -0700, Robert Connolly wrote:
> Another idea I forgot to mention is to use syslog, and pipe to scripts.
> This would pretty much solve any issues with temperature and battery
> monitoring... run every syslog of sensorsd and apmd through a script, and
> forget using sensorsd for event commands.
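An added example (not from either post) of the alternative to a syslog trigger: decide from the sensor reading itself, read back via sysctl, and accept only a line that has exactly the shape of a sensor reading. The function names are this example's own; the input format assumed is OpenBSD's "hw.sensors.acpitz0.temp0=41.00 degC", and the lines used in comments are constructed.

```shell
#!/bin/sh
# Added example: a trip-point check that acts on the sensor value read back
# from sysctl, not on text found in syslog, so a string that merely looks
# like the sensor message cannot trigger the action.  temp_over_limit and
# acpitz_over_limit are this example's own names; the input shape is
# OpenBSD's "hw.sensors.acpitz0.temp0=41.00 degC".

# temp_over_limit LINE LIMIT_C
# 0 only when LINE is exactly one hw.sensors temperature reading whose value
# is >= LIMIT_C; any other text (a syslog line, trailing words) returns 1
temp_over_limit() {
    line=$1; limit=$2
    # anchored at both ends: key=NN.NN degC and nothing else on the line
    printf '%s\n' "$line" |
        grep -Eq '^hw\.sensors\.[a-z]+[0-9]+\.temp[0-9]+=[0-9]+\.[0-9]{2} degC$' ||
        return 1
    value=${line#*=}      # "98.00 degC"
    value=${value%%.*}    # "98": whole degrees are enough for a trip point
    [ "$value" -ge "$limit" ]
}

# acpitz_over_limit LIMIT_C: poll the live sensor (OpenBSD sysctl) and decide
# from the reading; the caller decides what to do, no log matcher involved
acpitz_over_limit() {
    reading=$(sysctl hw.sensors.acpitz0.temp0 2>/dev/null) || return 1
    temp_over_limit "$reading" "$1"
}
```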



Re: Can someone describe these possible long term effects and provide an explicit description of these kernel parameters?

2012-06-15 Thread David Diggles
On Fri, Jun 15, 2012 at 07:02:07AM +0200, Otto Moerbeek wrote:
> On Thu, Jun 14, 2012 at 01:54:33PM -0500, Tristin Davis wrote:
> 
> > Upgrading is simply not an option. It all comes down to having the
> > engineering staff, money, and downtime available. Unfortunately, we have
> > none of the above right now.  I realize we *need* to upgrade, but right
> > now, tuning the kernel is the only option.

You could have minimal downtime if you had a spare machine to install
5.1 on and set everything up the same, then do something like this:

1. 4.3 machine: kill sshd
2. (optional) wait for existing ssh connections to 4.3 machine to drain
3. unplug ethernet cable from 4.3 machine
4. bring up CARP interface with the old 4.3 IP address, on 5.1 machine 

Now you have it running on CARP, you can setup a failover system as
should have been done originally.

Your limited time is probably better spent doing this, rather than messing
around with archaic tuning options.



Re: let user can only run one command (passwd)?

2012-06-14 Thread David Diggles
One easy way is to do this.

Make their login shell /bin/rksh
Make their login PATH /somepath and cp /usr/bin/passwd /somepath

You can take it a lot further, but this is an easy start.

On Thu, Jun 14, 2012 at 06:01:14PM +0800, f5b wrote:
> I have setup OpenSMTPD + dovecot + roundcube simple mail server.
> People can ssh log in to the OpenBSD box, change their password using command passwd,
> the system account password is also the mail account password.
> 
> So, for security reason, how to let the user can only run one command (passwd) when they login?
> or are there any other methods to let mail account user change their password by themself easily?
> 
> sshd_config ChrootDirectory does not suit our needs.
> 
> 1. administrator login OpenBSD box, adduser user.
> 2. the user ssh log in OpenBSD box, run passwd to change their password assigned by administrator.
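An added example (not from this thread) that builds and checks the restricted login environment the reply sketches: rksh as the login shell and a PATH holding only passwd. The function names, directory layout and PASSWD_BIN are this example's own; changing the login shell (chsh -s /bin/rksh USER) and the root chown of the files are left to the caller, who must be root.

```shell
#!/bin/sh
# Added example: lay out and verify a passwd-only rksh login.  The names
# below are this example's own; PASSWD_BIN defaults to /usr/bin/passwd.

PASSWD_BIN=${PASSWD_BIN:-/usr/bin/passwd}

# build_restricted_bin BINDIR: one directory with one command in it.
# A symlink keeps the setuid bit; a plain cp of passwd drops it and the
# copy could no longer change passwords.
build_restricted_bin() {
    bindir=$1
    mkdir -p "$bindir"
    ln -sf "$PASSWD_BIN" "$bindir/passwd"
    chmod 0755 "$bindir"
}

# write_restricted_profile HOME BINDIR
# rksh applies its restrictions only after .profile has run, so this file
# (and the home directory holding it) must be root-owned and unwritable by
# the user, or the user simply edits PATH back in .profile.
write_restricted_profile() {
    home=$1; bindir=$2
    mkdir -p "$home"
    cat > "$home/.profile" <<EOF
# managed by root: rksh restrictions start after this file runs
PATH=$bindir
export PATH
readonly PATH
EOF
    chmod 0644 "$home/.profile"
}

# verify_restricted_env HOME BINDIR OWNER: 0 when the layout is as intended
# (OWNER is root in production; tests pass the current user)
verify_restricted_env() {
    home=$1; bindir=$2; owner=$3
    count=$(ls -A "$bindir" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "$bindir holds $count entries, want 1" >&2; return 1; }
    [ -x "$bindir/passwd" ] || { echo "$bindir/passwd missing or not executable" >&2; return 1; }
    grep -qx "PATH=$bindir" "$home/.profile" || { echo "PATH not pinned to $bindir" >&2; return 1; }
    grep -qx "readonly PATH" "$home/.profile" || { echo "PATH not readonly" >&2; return 1; }
    # group or world write on .profile lets the user undo the pinning
    mode=$(ls -ld "$home/.profile" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) echo ".profile is group- or world-writable" >&2; return 1 ;;
    esac
    have=$(ls -ld "$home/.profile" | awk '{print $3}')
    [ "$have" = "$owner" ] || { echo ".profile owned by $have, want $owner" >&2; return 1; }
    return 0
}
```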



Something other than getty/login on console?

2012-06-14 Thread David Diggles
I want the default login console to run something like

/usr/games/worms -n100
or
rsh host /opt/local/bin/xaos -driver aa -autopilot

Instead of

/usr/libexec/getty std.9600

I have tried changing it in /etc/ttys but this is not working.

How can I go about doing this?

It's for a mac68k ascii art lava lamp.

The host it would rsh to is on a crossover cable, so it does not
need to slow down by using ssh.



Re: Large (3TB) HDD support

2012-06-05 Thread David Diggles
On Sat, Jun 02, 2012 at 09:44:35AM +1000, David Diggles wrote:
> On Fri, Jun 01, 2012 at 04:32:19PM -0700, Chris Cappuccio wrote:
> > Nick Holland [n...@holland-consulting.net] wrote:
> > > * you don't want to fsck a 3TB file system, 'specially if it is
> > > rebuilding the mirror at the same time, though with 12G RAM, you
> > > might be able to do it.
> > > 
> > 
> > Isn't this situation seriously improved with fsck in 5.1 ?
> > 
> 
> I fsck'd two 3TB filesystems yesterday with 512MB ram, on 5.1...
> it took a while, but worked.

What a bummer, the Dell Precision 690 I am currently trying does not support > 2TB
on its SAS or SATA controller.

Oddly, the SATA controller presents it correctly as 2.8T, but it will not mount.
The SAS controller on the other hand, presents it 2T.

Latest BIOS firmwares for it are 2007, so figures.

The 3TB disk is fine mounted over USB:

OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4291862528 (4093MB)
avail mem = 4163448832 (3970MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0450 (122 entries)
bios0: vendor Dell Inc. version A08 date 04/25/2008
bios0: Dell Inc. Precision WorkStation 690
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET SLIC
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI2(S5) PCI3(S5) PCIF(S5) PCIG(S5) PCI5(S5) PCI6(S5) PCI7(S5) PCI8(S5) PCI9(S5) MOU_(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU 5140 @ 2.33GHz, 2327.80 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,NXE,LONG,LAHF
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(R) CPU 5140 @ 2.33GHz, 2327.50 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,NXE,LONG,LAHF
cpu1: 4MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU 5140 @ 2.33GHz, 2327.50 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,NXE,LONG,LAHF
cpu2: 4MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 7 (application processor)
cpu3: Intel(R) Xeon(R) CPU 5140 @ 2.33GHz, 2327.50 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,NXE,LONG,LAHF
cpu3: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0: apid 9 pa 0xfec8, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 1 (PCI2)
acpiprt1 at acpi0: bus 2 (PCI3)
acpiprt2 at acpi0: bus 3 (PCIF)
acpiprt3 at acpi0: bus 4 (PCIG)
acpiprt4 at acpi0: bus 5 (PCI5)
acpiprt5 at acpi0: bus 6 (PCI6)
acpiprt6 at acpi0: bus 7 (PCI7)
acpiprt7 at acpi0: bus 11 (PCI8)
acpiprt8 at acpi0: bus 12 (PCI9)
acpiprt9 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: VBTN
memory map conflict 0xcfe0ec00/0x1f1400
memory map conflict 0xfec9/0x17
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01: msi
pci3 at ppb2 bus 3
ppb3 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01: msi
pci4 at ppb3 bus 4
ppb4 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci5 at ppb4 bus 5
mpi0 at pci5 dev 11 function 0 Symbios Logic SAS1068 rev 0x01: msi
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 0 lun 0: ATA, WDC WD1500HLFS-0, 4V01 SCSI3 0/direct fixed naa.50014ee0562fc45b
sd0: 143089MB, 512 bytes/sector, 293046768 sectors
ppb5 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12: msi
pci6 at ppb5 bus 6
ppb6 at pci0 dev 4 function 0 Intel 5000 PCIE x16 rev 0x12: msi
pci7 at ppb6 bus 7
vga1 at pci7 dev 0 function 0 NVIDIA Quadro FX 3500 rev 0xa1
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb7 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0x12
pci8 at ppb7 bus 8
ppb8 at pci0 dev 6 function 0 Intel 5000 PCIE rev 0x12
pci9 at ppb8 bus 9
ppb9 at pci0 dev 7

Re: Large (3TB) HDD support

2012-06-05 Thread David Diggles
On Tue, Jun 05, 2012 at 09:40:15AM -0400, Nick Holland wrote:
> On 06/05/2012 07:40 AM, David Diggles wrote:
> ...
> > What a bummer, the Dell Precision 690 I am currently trying does not
> > support > 2TB on its SAS or SATA controller.
> > 
> > Oddly, the SATA controller presents it correctly as 2.8T, but it will not
> > mount.
> > The SAS controller on the other hand, presents it 2T.
> 
> "will not mount" -- what does that mean?
> What did you do, what did you see happen?
> 
> Nick.
> 

Sorry Nick, I lost the record I made, of what I tried and what happened.
I will gather this information again and provide it tomorrow, including
firmware versions, dmesg, fdisk and disklabel outputs, mount error and
fsck error message.

One thing is certain - fsck complained of bad magic number and couldn't
find a superblock, with both the SAS and SATA controller.



Re: spamd-setup fails from cron

2012-06-04 Thread David Diggles
Ok;

After running that a few days, it works fine, but... the interval between
updates is all over the place.

I rewrote it, to only change the sleep value under 2 circumstances:

First time run, or after a failure.

Now it's updating hourly again.

I will not make the same mistake of posting it to the list, because archiving a
possibly buggy script that someone may copy someday is not a great idea.

However I think the methodology is now sound, so write your own or mail me
directly if you want a copy of it to adopt.

On Fri, Jun 01, 2012 at 04:45:24PM +1000, David Diggles wrote:
> > #!/bin/sh
> > remaining=$1;shift
> > cmd=$@
> > lock=/var/run/$(basename $1).lock
> > [ -f $lock ] || {
> >   touch $lock
> >   while [ $remaining -gt 0 ]; do
> >     seconds=$(($RANDOM % $remaining))
> >     echo $(date) $seconds >> $lock
> >     sleep $seconds
> >     $cmd && return || remaining=$(($remaining - $seconds))
> >   done
> >   rm $lock
> > }
> > 
> 
> *groan*.. another mistake.. I'm such an idiot sometimes ;-)
> 
> I don't recommend running this without checking it first.
> 
> #!/bin/sh
> remaining=$1;shift
> cmd=$@
> lock=/var/run/$(basename $1).lock
> [ -f $lock ] || {
>   touch $lock
>   while [ $remaining -gt 0 ]; do
>     seconds=$(($RANDOM % $remaining))
>     echo $(date) $seconds >> $lock
>     sleep $seconds
>     $cmd && break || remaining=$(($remaining - $seconds))
>   done
>   rm $lock
> }



SMTP server pools at odds with the RFC?

2012-06-04 Thread David Diggles
I was just thinking surely resending from a different IP breaks the RFC for SMTP?

Then I did some googling, and found this.
http://bsdly.blogspot.com.au/2008/10/ietf-failed-to-account-for-greylisting.html

Thanks, Peter.

So now it is 4 years later, has anything happened?



Re: SMTP server pools at odds with the RFC?

2012-06-04 Thread David Diggles
On Mon, Jun 04, 2012 at 12:34:04PM +, Stuart Henderson wrote:
> On 2012-06-04, David Diggles da...@elven.com.au wrote:
> > I was just thinking surely resending from a different IP breaks the RFC for
> > SMTP?
> >
> > Then I did some googling, and found this.
> > http://bsdly.blogspot.com.au/2008/10/ietf-failed-to-account-for-greylisting.html
> >
> > Thanks, Peter.
> >
> > So now it is 4 years later, has anything happened?
> 
> 
> 
> No. It is perfectly valid, and even somewhat normal, to resend from
> different addresses. Whether this is by pools of senders with shared
> queues, or whether it's by pools of internal MXes behind NAT boxes,
> it definitely happens.
> 
> The majority of such senders try and keep within the same /24.
> The greylisting.org/puremagic.com whitelist was specifically only
> for senders which did not follow this (they refused to add sender
> pools to the list if they stuck within /24). Though that's largely
> irrelevant as their list hasn't been updated in 6 years..
> 

So I guess this Wikipedia entry is incorrect, re: "breaks SMTP protocol rules"?

http://en.wikipedia.org/wiki/Greylisting
Greylisting will cause longer delivery delays if the sender has a large 
infrastructure and is sending from a different IP when it retries. However this 
technically breaks SMTP protocol rules, since delivery is the responsibility of 
the sending server and its associated IP address, and tossing it back into a 
pool for retry by a different server in the group breaks this continuity, and 
will quite correctly and legitimately restart the greylisting process over 
again, since delivery is being retried from a different server.

A past battle lost by greylisters, and the world has since moved on, or 
something?



Re: spamd-setup fails from cron

2012-06-01 Thread David Diggles
On Fri, Jun 01, 2012 at 03:47:21PM +1000, David Diggles wrote:
[ snip ]
 sleep $s
[ snip ]

Arghh.. ;-) sleep $seconds here

Anyway, you get the idea.

#!/bin/sh
remaining=$1;shift
cmd=$@
lock=/var/run/$(basename $1).lock
[ -f $lock ] || {
  touch $lock
  while [ $remaining -gt 0 ]; do
    seconds=$(($RANDOM % $remaining))
    echo $(date) $seconds >> $lock
    sleep $seconds
    $cmd && return || remaining=$(($remaining - $seconds))
  done
  rm $lock
}



Re: spamd-setup fails from cron

2012-06-01 Thread David Diggles
 #!/bin/sh
 remaining=$1;shift
 cmd=$@
 lock=/var/run/$(basename $1).lock
 [ -f $lock ] || {
   touch $lock
   while [ $remaining -gt 0 ]; do
     seconds=$(($RANDOM % $remaining))
     echo $(date) $seconds >> $lock
     sleep $seconds
     $cmd && return || remaining=$(($remaining - $seconds))
   done
   rm $lock
 }
 

*groan*.. another mistake.. I'm such an idiot sometimes ;-)

I don't recommend running this without checking it first.

#!/bin/sh
remaining=$1;shift
cmd=$@
lock=/var/run/$(basename $1).lock
[ -f $lock ] || {
  touch $lock
  while [ $remaining -gt 0 ]; do
    seconds=$(($RANDOM % $remaining))
    echo $(date) $seconds >> $lock
    sleep $seconds
    $cmd && break || remaining=$(($remaining - $seconds))
  done
  rm $lock
}
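An added example, not David's script and not anything from the thread: the same "retry within a shrinking budget" wrapper, written the way I would put it in cron. It keeps the idea (sleep a random slice of the budget, run the command, retry with what is left) but takes the lock with an atomic mkdir instead of a test-then-touch, removes the lock from a trap so a killed run cannot leave a stale lock that silently disables every later run, and forces at least one second of progress per loop so a command that keeps failing cannot spin when the jitter comes out as 0. The LOCKDIR and SLEEP_CMD knobs, the od(1)-based jitter (because $RANDOM is not POSIX sh) and the install path in the cron comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: retry-with-jitter wrapper for cron jobs such as spamd-setup.
# Assumed knobs (not in the thread's script): LOCKDIR and SLEEP_CMD.
# Cron use (assumed install path):
#   0 * * * * /usr/local/sbin/retry_within.sh 3600 /usr/libexec/spamd-setup -d

LOCKDIR=${LOCKDIR:-/var/run}     # where the per-command lock directory lives
SLEEP_CMD=${SLEEP_CMD:-sleep}    # overridable so the loop can be exercised without waiting

# jitter MAX: print a pseudo-random integer in [0, MAX); MAX must be > 0.
# Two bytes from /dev/urandom via od(1); $RANDOM is a ksh/bash extension.
jitter() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( r % $1 ))
}

# retry_within BUDGET CMD [ARGS...]
# Sleep a random number of seconds, run CMD, and repeat with whatever budget
# is left until CMD succeeds or the budget is spent.
# Exit status: 0 success, 1 budget exhausted, 2 another run holds the lock.
retry_within() {
    remaining=$1; shift
    name=$(basename "$1")
    lock="$LOCKDIR/$name.lock"

    # mkdir is atomic: two cron runs racing here cannot both win, whereas
    # "[ -f $lock ] || touch $lock" has a window between the test and the touch.
    if ! mkdir "$lock" 2>/dev/null; then
        echo "$name: another run holds $lock" >&2
        return 2
    fi
    # Remove the lock even if we are killed mid-sleep; otherwise every later
    # run would exit at once and the job would silently stop happening.
    trap 'rm -rf "$lock"' EXIT INT TERM

    status=1
    while [ "$remaining" -gt 0 ]; do
        seconds=$(jitter "$remaining")
        # jitter may return 0; insist on progress so "remaining" always shrinks.
        [ "$seconds" -gt 0 ] || seconds=1
        echo "$(date) $name: sleeping ${seconds}s, budget ${remaining}s" >> "$lock/log"
        $SLEEP_CMD "$seconds"
        if "$@"; then
            status=0
            break
        fi
        remaining=$(( remaining - seconds ))
    done

    rm -rf "$lock"
    trap - EXIT INT TERM
    return $status
}

# Run the wrapper when invoked with arguments; sourcing the file only defines
# the functions.
if [ "$#" -gt 0 ]; then
    retry_within "$@"
fi
```

The lock is a directory rather than a file so that the log of sleeps can live inside it and disappear with it; the per-run log is the same information the original kept in /var/run/spamd-setup.lock.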



Re: Large (3TB) HDD support

2012-06-01 Thread David Diggles
On Fri, Jun 01, 2012 at 04:32:19PM -0700, Chris Cappuccio wrote:
 Nick Holland [n...@holland-consulting.net] wrote:
  * you don't want to fsck a 3TB file system, 'specially if it is
  rebuilding the mirror at the same time, though with 12G RAM, you
  might be able to do it.
  
 
 Isn't this situation seriously improved with fsck in 5.1 ?
 

I fsck'd two 3TB filesystems yesterday with 512MB ram, on 5.1...
it took a while, but worked.



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-31 Thread David Diggles
FYI I have now run the same pppoe(4) download test on core2duo with OpenBSD 5.1,
on em0 interface.  It beats the Mac.

Mac G5 dual core 2GHz
3MB/s
Intel core2duo 3GHz OpenBSD i386
3.44MB/s

I have found on the Geode 300MHz, cleaning up the pf.conf, removing
modulate state, and no-df from scrub improves the throughput to:
1.8MB/s.

I ordered an Atom with 3 Intel NICs, just arrived!

Looking forward to testing it out.

The test I am doing is

ftp -o /dev/null http://mirror.internode.on.net/pub/OpenBSD/5.1/src.tar.gz

Internode is my ISP.

On Mon, May 28, 2012 at 05:07:01PM +0200, Andre Keller wrote:
 On 28.05.2012 15:26, David Diggles wrote:
  Maybe I should try some of the kernel tuning suggested on calomel.
 
 I would not even visit that site... It's mostly a waste of time as most
 of the tunings are not up-to-date or just plain wrong. OpenBSD ships
 with pretty sane defaults that normally do not need any tweaking unless
 you run some unorthodox configuration. If you need to tweak something
 look into the faq and the sysctl(3) man page and not to calomel.org
 
 
 Could you please be a bit more specific about your setup?
 
 Are you using pppoe(4) or pppoe(8)?
 
 Do you see maxed out mbufs (netstat -m), a very high interrupt load (top
 / vmstat -i), ifq drops (sysctl net.inet.ip.ifq.drops), interface errors
 (netstat -i)?
 
 I'm running pppoe(4) on a lot of Geode 500MHz powered boxes and have no
 problem getting 30Mbit/s throughput of unencrypted traffic...
 
 
 
 g
 Andri



Re: spamd-setup fails from cron

2012-05-31 Thread David Diggles
On Tue, May 29, 2012 at 09:51:54AM +0200, Bret Lambert wrote:
  Please avoid 15 minutes past the hour ;-)
 
 sleep $(($RANDOM % 2048)) && /usr/libexec/spamd-setup -d

Tried something like the above, and found it still
fails at peak times, so I am trying something else:

I made a wrapper called ss (spamd sync), to keep
retrying within a diminishing timeframe.

#!/bin/sh
remaining=$1;shift
cmd=$@
lock=/var/run/$(basename $1).lock
[ -f $lock ] || {
  touch $lock
  while [ $remaining -gt 0 ]; do
    seconds=$(($RANDOM % $remaining))
    echo $(date) $seconds >> $lock
    sleep $s
    $cmd && return || remaining=$(($remaining - $seconds))
  done
  rm $lock
}

0 * * * * ss 3600 /usr/libexec/spamd-setup -d

The time overhead of running the command creates a small
possibility for overlapping of cron events, so I created
a lock file.  This also seemed a good place to store the
sleep value(s).

/var/run/spamd-setup.lock

spamd-setup(8) does not say how it behaves when daemonized.
Maybe this is a better option than running from the cron?

.d.d.



Re: OpenBSD in April's issue of the CACM

2012-05-30 Thread David Diggles
On Wed, May 30, 2012 at 12:10:34PM +0200, Nomen Nescio wrote:
 Unfortunately the A in ACM should really mean Academic instead of
 Association.

Heh, I was going to say it reminds me of the efforts of the Unseen University,
to eradicate Sourcery from the Discworld.



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-30 Thread David Diggles
On Tue, May 29, 2012 at 07:23:32PM +1000, David Diggles wrote:
[ snip ]
 http://bincrow.net/test.log
[ snip ]

Interesting, this single post got http://bincrow.net added to the Websense 
blocklist.

Category:

This Websense category is filtered: Potentially Damaging Content. Sites in
this category may pose a security threat to the Department's network and are
blocked as per the Department's 'Use of Internet, Email & Other ICT Facilities
& Devices' policy.


All it serves is an index.html, basic html no javascript, and the log I posted.

I guess this list gets trawled for bad urls by content filtering providers.



Re: Large scale DNS anycast setup: OpenBSD performance issues

2012-05-30 Thread David Diggles
On Tue, May 29, 2012 at 01:44:51PM +0300, Kostas Zorbadelos wrote:
 Henning Brauer lists-open...@bsws.de writes:
 
  if it is really thread related and not sth small & stupid - try it.

For testing purposes, do you have pf turned off, or a 1 line pf.conf, like:

pass

?



Re: spamd-setup fails from cron

2012-05-29 Thread David Diggles
Change it to this:

<insert non zero number here> * * * * /usr/libexec/spamd-setup -d

It will probably fix the problem.

On Tue, May 29, 2012 at 08:24:07AM +0200, Jan Stary wrote:
 Pretty current 5.1-current/amd64.
 This is what happens with the following line in root's crontab
 
   0 * * * * /usr/libexec/spamd-setup -d
 
 On May 29 03:00:02, Cron Daemon wrote:
  Getting http://www.openbsd.org/spamd/traplist.gz
  spamd-setup: Could not add blacklist uatraps: Illegal seek
  Getting http://www.openbsd.org/spamd/nixspam.gz
  ftp: Writing -: Broken pipe
  blacklist nixspam 4 entries
 
 What is the 'illegal seek' spamd-setup reports?
 What is the ftp's broken pipe?
 
 When I run the same command from the command line,
 everything goes fine. Is the cron job run in a more
 restricted environment?
 
   Jan



Re: spamd-setup fails from cron

2012-05-29 Thread David Diggles
A random sleep between 0 and 3599 prior to running
spamd-setup in cron would not go astray.

On Tue, May 29, 2012 at 09:23:43AM +0200, Gilles Chehade wrote:
 On Tue, May 29, 2012 at 09:14:29AM +0200, Peter N. M. Hansteen wrote:
  On Tue, May 29, 2012 at 08:24:07AM +0200, Jan Stary wrote:
   
   When I run the same command from the command line,
   everything goes fine. Is the cron job run in a more
   restricted environment?
  
  you could be hitting the 'zero minute rush', where world+dog tries to 
  connect simultaneously.  try shifting to a few minutes past the hour and
  see if that helps.
  
 
 Please avoid 15 minutes past the hour ;-)
 
 -- 
 Gilles Chehade
 
 https://www.poolp.org |   http://pool.ps  
 @poolpOrg



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-29 Thread David Diggles
Andre, as promised;

Here are the outputs you have asked for, but on the Geode 300MHz.

Throughputs, http downloading src.tar.gz from my ISP mirror in a loop:

Tue May 29 16:33:45 EST 2012 1.84 MB/s
Tue May 29 16:35:01 EST 2012 1.86 MB/s
Tue May 29 16:36:17 EST 2012 1.87 MB/s

The same test when I do pppoe on the Mac gets 3 MB/s.

Outputs of various stat commands while this was happening:

http://bincrow.net/test.log

Note: net.inet.ip.ifq.drops=193 does not change.  I think this was from
when I unplugged the cable earlier.

.d.d.

On Tue, May 29, 2012 at 03:12:03PM +1000, David Diggles wrote:
  Could you please be a bit more specific about your setup?
 
 Sure.
 
  Are you using pppoe(4) or pppoe(8)?
 
 pppoe(4)
 
  Do you see maxed out mbufs (netstat -m), a very high interrupt load (top
  / vmstat -i), ifq drops (sysctl net.inet.ip.ifq.drops), interface errors
  (netstat -i)?
 
 None of the above were maxed out on the P4.  It was only a quick test,
 as this is the production spamd server.
 
  I'm running pppoe(4) on a lot of Geode 500MHz powered boxes and have no
  problem getting 30Mbit/s throughput of unencrypted traffic...
 
 I plugged it back into the gw, Geode 300MHz with 100MBit Realtek.
 
 I made the pf.conf as default as possible (to look like the
 example pf.conf provided in /etc), I removed all the modulate and
 synproxy state options that calomel suggested putting in pf.conf.
 
 The performance improved from 1MB/s to 1.8MB/s.
 
 I would love to get 3MB/s, but maybe 1.8MB/s is the limit of the
 realtek NIC.
 
 I have just ordered an Atom 1.8GHz with Gigabit Intel NICs, should
 be more than good enough as an upgrade?  I may upgrade my link from
 30Mbit to 100Mbit in future, I would expect the Atom to handle this.
 
 .d.d.



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-28 Thread David Diggles
I have got it to do 10Mbps now, by ditching the 85Mbps ethernet over
power adaptors, in favor of a cable.

I get 12Mbps if I run it to the 2.4GHz Pentium 4 xl0 100Mbps port.

No idea what is slowing it down here yet.  It should be getting 30Mbps,
like it does on the Mac.

Maybe I should try some of the kernel tuning suggested on calomel.

On Mon, May 21, 2012 at 11:00:22AM -0600, Daniel Melameth wrote:
 On Mon, May 21, 2012 at 9:35 AM, David Diggles da...@elven.com.au wrote:
  I am still getting 300 kilobytes/second download speed with OpenBSD pppoe, 
  however when
  I plug directly into a Mac and run pppoe on it, 3 megabytes/second.
 
  What should I look at for tuning this to get 3MB/s through OpenBSD?
 
  Connection: pppoe, over fibre, 30M downlink, 1M uplink
 
  The OpenBSD gateway is using the kernel pppoe driver.
  ...
  OpenBSD 5.1 (GENERIC) #160: Sun Feb 12 09:46:33 MST 2012
      dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
  cpu0: Geode(TM) Integrated Processor by National Semi (CyrixInstead 
  586-class) 301 MHz
  cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
  real mem  = 132182016 (126MB)
  avail mem = 119992320 (114MB)
 ...
  rl0 at pci0 dev 14 function 0 Realtek 8139 rev 0x10: irq 12, address 
  00:90:0b:04:bb:f1
  rlphy0 at rl0 phy 0: RTL internal PHY
  rl1 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: irq 10, address 
  00:90:0b:04:bb:f2
  rlphy1 at rl1 phy 0: RTL internal PHY
  rl2 at pci0 dev 16 function 0 Realtek 8139 rev 0x10: irq 11, address 
  00:90:0b:04:bb:f3
  rlphy2 at rl2 phy 0: RTL internal PHY
 
 FWIW, I have 20M/5M VDSL service at home and have zero issue doing
 20Mbps with OpenBSD as my pppoe-based firewall.  That said, while I
 wouldn't expect a 300MHz machine to limit you to 2.4Mbps, it is a bit
 weak--and rl NICs are some of the worst out there.  Curiously, when
 doing 2.4Mbps, what does top show for interrupts?  For comparison,
 when I'm doing 20Mbps, my interrupts are at 5-6% using em and fxp
 NICs.



Re: Tuning for pppoe over fibre 30M/1M link

2012-05-28 Thread David Diggles
 Could you please be a bit more specific about your setup?

Sure.

 Are you using pppoe(4) or pppoe(8)?

pppoe(4)

 Do you see maxed out mbufs (netstat -m), a very high interrupt load (top
 / vmstat -i), ifq drops (sysctl net.inet.ip.ifq.drops), interface errors
 (netstat -i)?

None of the above were maxed out on the P4.  It was only a quick test,
as this is the production spamd server.

 I'm running pppoe(4) on a lot of Geode 500MHz powered boxes and have no
 problem getting 30Mbit/s throughput of unencrypted traffic...

I plugged it back into the gw, Geode 300MHz with 100MBit Realtek.

I made the pf.conf as default as possible (to look like the
example pf.conf provided in /etc), I removed all the modulate and
synproxy state options that calomel suggested putting in pf.conf.

The performance improved from 1MB/s to 1.8MB/s.

I would love to get 3MB/s, but maybe 1.8MB/s is the limit of the
realtek NIC.

I have just ordered an Atom 1.8GHz with Gigabit Intel NICs, should
be more than good enough as an upgrade?  I may upgrade my link from
30Mbit to 100Mbit in future, I would expect the Atom to handle this.

.d.d.



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
 Hi again David.
 If all the spamd settings are back to default, I would recommend trying to
 pinpoint where the problem is.
 Just to check if it could be something wrong with the syntax of your pf
 rules regarding spamd, just comment them out.
 pfctl -f /etc/pf.conf and run for a while and see if you receive any mails.
 
 /Hasse

I am running spamd in blacklist mode now, so I am once again receiving
the mailing list.

I think the default spamd timings do not give lists.openbsd.org enough time
to retransmit in the whitelist window.  It would be nice if someone else had
the time to attempt reproducing this.

This one you sent me earlier has some advice about tuning the timings,
https://calomel.org/spamd_config.html

In this section:
We suggest setting the pass time to as high as you are comfortable with.
Use a time between 10 and 55 minutes. You are welcome to set it as low as
2 minutes, but it is possible that some spammers might get white listed. After
setting up spamd take some time, go through the logs and look for patterns.
Adjust the pass time as necessary. ...

I realise I have been advised in the list here not to mess around with
the timings :P



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
 What do you mean by running in blacklist mode ?
 Which settings are different from Grey trapping ?
 Is the OpenBSD mailing list the only list or mail you have problems with?
 
 /Hasse

By blacklist mode, I mean this:

spamd -b
spamd-setup -b

pf.conf:
table <spamd> persist
pass in on egress proto tcp from <spamd> to any port smtp \
    rdr-to 127.0.0.1 port spamd

The OpenBSD mailing list was not the only smtp server I was having
problems with.

Others included:

1. test email from my work account
2. business email from a wholesaler I have been organising a purchase with

For sake of 2. I need to play safe for the time being, and suffer a
few extra incoming spams a day.  Once I have that sorted out, I will
be ready to try greylisting again.



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
Hi everyone, sorry about the whiney tone.

I am really appreciating all the help.

On Sunday 27 May 2012, David Diggles wrote:
 This may seem like a dead horse to some by now, but I am disappointed



Re: Testmail from Thorshammare.org

2012-05-27 Thread David Diggles
Hi Hasse & others,

I am now running in greylist mode again, to test this.  Also running
spamd in verbose logging mode.

spamd -v
spamlogd -i egress

Sorry for only providing pf.conf snippets previously.

My previous pf.conf was a hierarchical one using anchors, not suitable
for posting.  Here is a complete copy of a simple test pf.conf I have
made for this, and now have running.

#---
# defaults
#---
set loginterface egress
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
pass all
block log on egress
pass out on egress
#---
# ssh
#---
table <ssh-black> persist file /etc/pf/ssh-black
table <ssh-white> persist file /etc/pf/ssh-white
pass in on egress inet proto tcp from <ssh-white> to egress port ssh
pass in on egress inet proto tcp from !<ssh-black> to egress port ssh \
    flags S/SA modulate state \
    (max-src-conn-rate 1/30, overload <ssh-black> flush)
#---
# authpf
#---
table <authpf_users> persist
pass in on egress from <authpf_users>
#---
# spamd - greylist mode
#---
table <spamd-white> persist
table <nospamd> persist file /etc/mail/nospamd
pass in on egress proto tcp from any to egress port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to egress port smtp
pass in log on egress proto tcp from <spamd-white> to egress port smtp
pass out log on egress proto tcp to any port smtp
#---

The nospamd file does not have lists.openbsd.org in it.  I will see
if it gets whitelisted.  It should, as I have received an off-list
email from someone who has confirmed it does, with OpenBSD 5.1.

.d.d.

On Sun, May 27, 2012 at 11:14:11AM +0200, Geir Svalland wrote:
 Hello
 
 Just made a reply to the list of your last posting, but I will give it here
 to, just in case.
 
 If all the spamd settings are back to default, I would recommend trying to
 pinpoint where the problem is.
 Just to check if it could be something wrong with the syntax of your pf
 rules regarding spamd, just comment them out.
 pfctl -f /etc/pf.conf and run for a while and see if you receive any mails.
 
 /Hasse
 
 -Original message-
 From: David Diggles [mailto:da...@elven.com.au] 
 Sent: 27 May 2012 11:07
 To: Geir Svalland
 Subject: Re: Testmail from Thorshammare.org
 
 Hi Hasse,
 
 Thanks for the test email.
 
 I gave up on greylist for now and running in blacklist mode.
 
 Will wait and see if anyone else has useful ideas before trying again.
 
 The last few days has been a rapid learning curve that's for sure.
 
 .d.d.
 
 On Sun, May 27, 2012 at 10:43:39AM +0200, Geir Svalland wrote:
  Hi David
  
  Just sending this test mail directly to your mail address to see if 
  it's getting through,
  
  Or what kind of error message I will receive.
  
   
  
  /Hasse



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
Just made a minor change to pf.conf, to modulate state all tcp
and keep state all udp:

I am getting tired, it is late here.  Hope I have not made any
silly mistakes in this :D

#---
# defaults
#---
set loginterface egress
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
pass
pass proto tcp modulate state
pass proto udp keep state
block in log on egress
#---
# ssh
#---
table <ssh-black> persist file /etc/pf/ssh-black
table <ssh-white> persist file /etc/pf/ssh-white
pass in on egress inet proto tcp from <ssh-white> to egress port ssh \
    modulate state
pass in on egress inet proto tcp from !<ssh-black> to egress port ssh \
    modulate state \
    (max-src-conn-rate 1/30, overload <ssh-black> flush)
#---
# authpf
#---
table <authpf_users> persist
pass in on egress from <authpf_users>
pass in on egress proto tcp from <authpf_users> modulate state
pass in on egress proto udp from <authpf_users> keep state
#---
# spamd - greylist mode
#---
table <spamd-white> persist
table <nospamd> persist file /etc/mail/nospamd
pass in on egress proto tcp from any to egress port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to egress port smtp \
    modulate state
pass in log on egress proto tcp from <spamd-white> to egress port smtp \
    modulate state
pass out log on egress proto tcp to any port smtp modulate state
#---

There is one GREY entry from lists.openbsd.org so far.

root@skitL:~:0# spamdb|fgrep 192.43.244.163
GREY|192.43.244.163|shear.ucar.edu|owner-misc+M122933=david=elven.com...@openbsd.org|da...@elven.com.au|1338127686|1338142086|1338142086|1|0
root@skitL:~:0# date
Mon May 28 00:44:18 EST 2012
root@skitL:~:0# date -r 1338127686
Mon May 28 00:08:06 EST 2012

I need to go sleep now, so I will check again in the morning before I
go to work.

Cheers,
.d.d.



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
After sleeping on it 6 hours, this is what I can report from
the logs.

root@skitL:log:0# cat spamd|fgrep 192.43.244.163|fgrep May 28
May 28 00:07:55 skitL spamd[21325]: 192.43.244.163: connected (1/0)
May 28 00:08:06 skitL spamd[21325]: (GREY) 192.43.244.163: owner-misc+M122933=david=elven.com...@openbsd.org -> da...@elven.com.au
May 28 00:08:07 skitL spamd[21325]: 192.43.244.163: disconnected after 12 seconds.
May 28 00:49:51 skitL spamd[20306]: 192.43.244.163: connected (1/0)
May 28 00:50:03 skitL spamd[20306]: (GREY) 192.43.244.163: owner-misc+M122934=david=elven.com...@openbsd.org -> da...@elven.com.au
May 28 00:50:03 skitL spamd[20306]: 192.43.244.163: disconnected after 12 seconds.
root@skitL:log:0# spamdb
WHITE|202.58.38.80|||1338136570|1338140183|1341250605|2|0
TRAPPED|106.79.132.74|1338226638
TRAPPED|180.215.141.229|1338226988
GREY|186.206.211.111|baced36f.virtua.com.br|packer8...@reb.com|d...@elven.com.au|1338143338|1338157738|1338157738|1|0
GREY|95.180.252.146|59.167.212.41|and...@bb-dsh.org|d...@elven.com.au|1338152111|1338166511|1338166511|1|0
TRAPPED|64.20.227.133|1338241213
TRAPPED|217.149.28.204|1338241498
TRAPPED|174.123.14.196|1338232031
TRAPPED|83.169.61.34|1338235874
TRAPPED|95.180.252.146|1338238511

Bummer, I have forgotten to pflog the spamd connections to lo0

root@skitL:log:0# tcpdump -n -e -r /var/log/pflog port spamd
tcpdump: WARNING: snaplen raised from 116 to 160
root@skitL:log:0# tcpdump -n -e -r /var/log/pflog port smtp
tcpdump: WARNING: snaplen raised from 116 to 160
01:00:38.572058 rule 16/(match) pass out on xl0: 172.25.101.7.33057 > 66.49.254.25.25: S 3802061083:3802061083(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2973717195[|tcp]> (DF)
01:30:37.983151 rule 17/(match) pass out on xl0: 172.25.101.7.23127 > 66.49.254.25.25: S 3663599646:3663599646(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 862970203[|tcp]> (DF)
04:36:24.378104 rule 16/(match) pass in on xl0: 202.58.38.80.25350 > 172.25.101.7.25: S 1021603063:1021603063(0) win 16384 <mss 1420,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
04:36:31.105838 rule 17/(match) pass out on xl0: 172.25.101.7.3605 > 173.194.79.27.25: S 2304184706:2304184706(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 451645464[|tcp]> (DF)

So I have just loaded a new pf.conf with logging turned on for spamd,
this is what I have running now.

#---
# defaults
#---
set loginterface egress
set skip on lo
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
pass
pass proto tcp modulate state
pass proto udp keep state
block in log on egress
#---
# ssh
#---
table <ssh-black> persist file /etc/pf/ssh-black
table <ssh-white> persist file /etc/pf/ssh-white
pass in on egress inet proto tcp from <ssh-white> to egress \
    port ssh modulate state
pass in on egress inet proto tcp from !<ssh-black> to egress \
    port ssh modulate state \
    (max-src-conn-rate 1/30, overload <ssh-black> flush)
#---
# squid
#---
table <squid-white> persist file /etc/pf/squid-white
pass in on egress inet proto tcp from <squid-white> to egress \
    port 3128 modulate state
#---
# authpf
#---
table <authpf_users> persist
pass in on egress from <authpf_users>
pass in on egress proto tcp from <authpf_users> modulate state
pass in on egress proto udp from <authpf_users> keep state
#---
# spamd - greylist mode
#---
table <spamd-white> persist
table <nospamd> persist file /etc/mail/nospamd
pass in log on egress proto tcp from any to egress \
    port smtp rdr-to 127.0.0.1 port spamd synproxy state
pass in on egress proto tcp from <nospamd> to egress \
    port smtp synproxy state
pass in log on egress proto tcp from <spamd-white> to egress \
    port smtp synproxy state
pass out log on egress proto tcp to any port smtp modulate state
#---
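An added example, not from the thread: the spamdb dumps above are read by hand with date -r; this script decodes them into the intervals a greylisting operator actually wants to see (how long after first contact a retry is accepted, how long that window stays open, and how far away each of those moments is from a reference time). Field positions follow the spamdb(8) manual page. The sample dump is the one posted above; the reference time 1338130000 is a constructed value, and spamdb_report/sample_report are names that exist only in this example.

```shell
#!/bin/sh
# Added example: decode a spamdb(8) dump relative to a reference time.
# Field layout per spamdb(8), all times in Unix epoch seconds:
#   GREY|ip|helo|from|to|first|pass|expire|bcount|pcount
#   WHITE|ip|||first|pass|expire|bcount|pcount
#   TRAPPED|ip|expire

# spamdb_report NOW: read a spamdb dump on stdin and print one summary line
# per entry, every interval measured in seconds relative to NOW.
spamdb_report() {
    awk -F'|' -v now="$1" '
    $1 == "GREY" {
        # pass - first : seconds after first contact before a retry is accepted
        # expire - pass: how long that retry window stays open
        # retry_ok     : whether a retry arriving at NOW would be accepted
        retry = ($7 <= now) ? "yes" : "no"
        printf "GREY %s from=%s pass_after=%d window=%d pass_in=%d expire_in=%d retry_ok=%s\n",
            $2, $4, $7 - $6, $8 - $7, $7 - now, $8 - now, retry
    }
    $1 == "WHITE" {
        # pass - first: how long the sender spent in the greylist before passing
        printf "WHITE %s whitelisted_after=%d expire_in_days=%d\n",
            $2, $6 - $5, int(($7 - now) / 86400)
    }
    $1 == "TRAPPED" {
        printf "TRAPPED %s expire_in=%d\n", $2, $3 - now
    }'
}

# Sample dump copied from the thread (not constructed).
SAMPLE_DUMP='GREY|192.43.244.163|shear.ucar.edu|owner-misc+M122933=david=elven.com...@openbsd.org|da...@elven.com.au|1338127686|1338142086|1338142086|1|0
WHITE|202.58.38.80|||1338136570|1338140183|1341250605|2|0
TRAPPED|106.79.132.74|1338226638
TRAPPED|180.215.141.229|1338226988
GREY|186.206.211.111|baced36f.virtua.com.br|packer8...@reb.com|d...@elven.com.au|1338143338|1338157738|1338157738|1|0
GREY|95.180.252.146|59.167.212.41|and...@bb-dsh.org|d...@elven.com.au|1338152111|1338166511|1338166511|1|0
TRAPPED|64.20.227.133|1338241213
TRAPPED|217.149.28.204|1338241498
TRAPPED|174.123.14.196|1338232031
TRAPPED|83.169.61.34|1338235874
TRAPPED|95.180.252.146|1338238511'

# sample_report: the sample dump as seen at the constructed reference time
# 1338130000 (Mon May 28 00:46:40 EST 2012, shortly after the first GREY entry).
sample_report() {
    printf '%s\n' "$SAMPLE_DUMP" | spamdb_report 1338130000
}

sample_report
```

On a live system the same function reads `spamdb | spamdb_report "$(date +%s)"`; `pass_in` going negative while the entry is still GREY tells you the sender has not retried since the window opened, which is the question the thread is trying to settle for lists.openbsd.org.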



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
From:   Stuart Henderson stu () spacehopper ! org
Date:   2012-05-27 22:29:50

> On 2012-05-27, David Diggles da...@elven.com.au wrote:
> > Bummer, I have forgotten to pflog the spamd connections to lo0
>
> So this breaks spamlogd which means servers will expire from the
> greylist even if they mail you regularly..

Do you mean this pf rule

pass in log on egress proto tcp from any to egress \
port smtp rdr-to 127.0.0.1 port spamd synproxy state

breaks spamlogd?

Would you mind explaining why, and how I can un-break it?



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
Or did you mean, this breaks spamlogd, rather?

pass in on egress proto tcp from any to egress \
port smtp rdr-to 127.0.0.1 port spamd synproxy state

This is what it was.  The logging is on now.

On Mon, May 28, 2012 at 08:53:09AM +1000, David Diggles wrote:
 From:   Stuart Henderson stu () spacehopper ! org
 Date:   2012-05-27 22:29:50
 
 On 2012-05-27, David Diggles da...@elven.com.au wrote:
  Bummer, I have forgotten to pflog the spamd connections to lo0
 
 So this breaks spamlogd which means servers will expire from the
 greylist even if they mail you regularly..
 
 Do you mean this pf rule
 
 pass in log on egress proto tcp from any to egress \
 port smtp rdr-to 127.0.0.1 port spamd synproxy state
 
 breaks spamlogd?
 
 Would you mind explaining why, and how I can un-break it?



Re: spamd greylisting: false positives

2012-05-27 Thread David Diggles
List:   openbsd-misc
Subject:Re: spamd greylisting: false positives
From:   peter () bsdly ! net (Peter N !  M !  Hansteen)
Date:   2012-05-27 23:19:47
Message-ID: 87sjel43fw.fsf () deeperthought ! bsdly ! net

> > Or did you mean, this breaks spamlogd, rather?
> >
> > pass in on egress proto tcp from any to egress \
> >     port smtp rdr-to 127.0.0.1 port spamd synproxy state
> >
> > This is what it was.  The logging is on now.
>
> The important ones to log are the rules that pass smtp traffic from the
> members of the spamd-white table (and nospamd if you're using that) plus
> the one that passes smtp traffic from your real mail server to
> elsewhere. See the spamd and spamlogd man pages, it's explained there.

Ok, I was doing this.  I just started logging the rdr-to spamd rule too.

> But why are you synproxying for spamd?

Why shouldn't I?

These guys do in their example.
https://calomel.org/spamd_config.html

> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

It's cool to see an on-topic sig.

.d.d.



  1   2   >