Re: Pf tables and ruleset optimizations
> On 31. May 2021, at 11:03, Otto Moerbeek <o...@drijf.net> wrote:
>
> On Mon, May 31, 2021 at 10:32:56AM +0200, Heinrich Rebehn wrote:
>
>> Hi list,
>>
>> My /etc/pf.conf contains a table which is initialized from a file:
>>
>> table <myservers> file "/root/pf/tables/myservers"
>>
>> This table is not referred to in pf.conf, but in an anchor which is loaded
>> later on.
>> I found out that even when the anchor is loaded, the table does not exist.
>
> See the "persist" keyword in pf.conf.
>
> -Otto

Thanks, I should have known that. For some reason I figured that initializing
from a file would include "persist", but that is nonsense.

-Heinrich

>>
>> # pfctl -t myservers -T show
>> pfctl: Table does not exist
>> # pfctl -sT
>> private
>> rtun0
>> rtun1
>> trusted
>>
>> If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I
>> use
>>
>> set ruleset-optimization none
>>
>> it doesn't.
>>
>> Is this expected behavior?
>>
>> Also rcctl(8) does not allow setting flags for pf
>>
>> # rcctl set pf flags "-o none"
>> rcctl: "pf" is a special variable, cannot "set flags"
>>
>> Workarounds would be setting the flag in /etc/rc.conf.local or adding
>> "pfctl -o none -f /etc/pf.conf" to rc.local
>>
>> Any thoughts?
>>
>> -Heinrich
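Added example, not part of the thread and not OpenBSD code: a small pf.conf lint in Python that reports tables declared without `persist` and not referenced by any rule in the same file, which is exactly the situation above (the only rules using the table live in an anchor loaded later, so at load time nothing refers to it). The sample ruleset embedded below is constructed for the example; the `tables_at_risk` helper and its regexes are mine, not pfctl's parser.

```python
"""Report pf.conf tables that will not survive a ruleset load.

Added example, not OpenBSD code. A table that no rule in the loaded ruleset
references is dropped unless it is declared `persist`, which bites when the
only rules using it live in an anchor loaded later. This lint parses the
table definitions and <name> references of a pf.conf and lists the tables
at risk. The sample ruleset is constructed for the example.
"""
import re

SAMPLE_PF_CONF = """\
# constructed sample, modelled on the thread
table <myservers> file "/root/pf/tables/myservers"
table <trusted> persist file "/root/pf/tables/trusted"
table <private> { 10.0.0.0/8, 192.168.0.0/16 }
table <rtun0> persist
set skip on lo
block return
pass in on em0 from <private>
anchor "vpn" from any to <rtun0>   # <rtun0> kept alive by this reference
"""

TABLE_RE = re.compile(r'^table\s+<(?P<name>[^>]+)>(?P<rest>.*)$')
REF_RE = re.compile(r'<([A-Za-z0-9_.:-]+)>')


def _strip_comment(line):
    return line.split('#', 1)[0].strip()


def parse_tables(text):
    """Return ({table name: has persist flag}, {names referenced by rules})."""
    tables, refs = {}, set()
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:
            # flags (persist, const, counters) come before any { ... } or file payload
            flags = re.split(r'\{|\bfile\b', m.group('rest'), maxsplit=1)[0].split()
            tables[m.group('name')] = 'persist' in flags
        else:
            refs.update(REF_RE.findall(line))
    return tables, refs


def tables_at_risk(text):
    """Tables declared without persist and not referenced by any rule in this file."""
    tables, refs = parse_tables(text)
    return sorted(name for name, persist in tables.items()
                  if not persist and name not in refs)


if __name__ == '__main__':
    for name in tables_at_risk(SAMPLE_PF_CONF):
        print('table <%s> has no persist and no rule references it; '
              'it will not exist after the ruleset is loaded' % name)
```

Run it against the real file with `tables_at_risk(open('/etc/pf.conf').read())`. For every name it prints, the fix is the keyword Otto points at, i.e. `table <myservers> persist file "/root/pf/tables/myservers"`, after which `pfctl -t myservers -T show` lists the entries even before the anchor is loaded.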
Pf tables and ruleset optimizations
Hi list,

My /etc/pf.conf contains a table which is initialized from a file:

table <myservers> file "/root/pf/tables/myservers"

This table is not referred to in pf.conf, but in an anchor which is loaded
later on.
I found out that even when the anchor is loaded, the table does not exist.

# pfctl -t myservers -T show
pfctl: Table does not exist
# pfctl -sT
private
rtun0
rtun1
trusted

If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I
use

set ruleset-optimization none

it doesn't.

Is this expected behavior?

Also rcctl(8) does not allow setting flags for pf

# rcctl set pf flags "-o none"
rcctl: "pf" is a special variable, cannot "set flags"

Workarounds would be setting the flag in /etc/rc.conf.local or adding
"pfctl -o none -f /etc/pf.conf" to rc.local

Any thoughts?

-Heinrich
Re: MANPAGER
> On 29. May 2021, at 23:08, Leon Fischer wrote:
>
>> From: Heinrich Rebehn
>> Date: Sat, 29 May 2021 21:37:40 +0200
>>
>> Hi all,
>>
>> I noticed that OpenBSD 6.8 switched to using less(1) for the manpager. While
>> this seems to offer many new useful options, I really dislike the clrscreen
>> upon exit.
>> I browsed through the less(1) manpage to find an option to disable this
>> behavior, but to no avail.
>> Can anyone tell me how to restore the old behavior without reverting to
>> using more(1)?
>> I am really used to still seeing the output of the man command when issuing
>> the command that I consulted man for.
>>
>> Many thanks in advance,
>>
>> Heinrich
>>
>
> Use the -X option. Add `export MANPAGER="less -X"` to ~/.profile to
> enable it for man(1), or `export LESS="-X"` to enable it for everything.

Thanks to all who replied! I did see LESS_IS_MORE, but there were probably good
reasons for the OpenBSD devs to switch to less(1). `MANPAGER="less -X"` does
the trick; I was not aware that "termcap initialization and deinitialization"
is responsible for clrscreen. I hope that disabling it completely will not have
any adverse side effects.

-Heinrich
MANPAGER
Hi all,

I noticed that OpenBSD 6.8 switched to using less(1) for the manpager. While
this seems to offer many new useful options, I really dislike the clrscreen
upon exit.
I browsed through the less(1) manpage to find an option to disable this
behavior, but to no avail.
Can anyone tell me how to restore the old behavior without reverting to using
more(1)?
I am really used to still seeing the output of the man command when issuing
the command that I consulted man for.

Many thanks in advance,

Heinrich
Re: bridge(4) Problems when running under ESXi ?
Hello Tom,

Thank you very much for your in-depth explanations. Actually enabling mac
changes and forged transmits did the trick. A HUGE trick:

While A was pinging R, I tried to look at the icmp requests and replies on B's
vmx1 interface. But they did not show. Neither bridge0 nor vmx0 showed anything
from or to A. I then blocked all traffic in B's pf. A still kept on pinging
successfully. I then shut down B. A was still happily pinging R.

This is really scary! I intended to protect a Linux host whose firewall I don't
trust, but now it seems that I can trust VMware's vswitch even less.

I also love VMware, it is fine for playing with networks, subnetting, IPSec
etc., but I never used virtual switches before. If there isn't any way to
firewall another host without doing NAT (both in the same subnet's IP range),
then I am afraid the Linux firewall will have to do.

With kind greetings,

Heinrich

> On 29. Nov 2020, at 23:26, Tom Smyth wrote:
>
> Hello Heinrich,
> it is not OpenBSD it is a VMware issue ...
>
> virtualnets / vswitches in ESXi are not proper switches... they forward
> packets based on static mac - virtual port entries. (they do not do proper
> mac learning)
>
> you can set the vswitch in the networking configuration section ... there
> are 2 places you can set it ... in the vmnet and the vswitch setup in the
> vmnet setup config in vsphere
>
> there are 3 workarounds
>
> 1) use promiscuous mode (you can set the promiscuous setting on the vswitch)
> you will also need to allow mac changes and forged transmits (from memory)
> Upside (it works) and is Free
>
> downside each vm on that vswitch receives a copy of the frames sent and
> received ... promiscuous makes a vhub rather than a vswitch
> so it is slower than one would like
>
> 2) there is a lab test switch (it was in vmware labs I think) that does mac
> learning however it does not do mac aging
> upside it works and is faster than promiscuous
> downside not aging out macs is just f**king dumb ...
>
> 3) get the enterprise enterprise enterprise + licence and they will give you
> proper mac learning on the virtual switches
>
> and that is the reason I migrated to a different Virtual machine solution ...
>
> I love VMware but they are optimistic when they call their vswitches
> switches ... they are efficient for non forwarding workloads and I can
> understand why they do the static map by default
> but for networking (they don't even give you LACP on their enterprise licence
> you have to go for their top line license enterprise Plus (last time I
> checked)
>
> it is a pity because I do like VMware and moving off it was tough as
> breaking an addiction...
>
> Hope this helps
>
> Tom Smyth
>
>
> On Sun, 29 Nov 2020 at 22:10, Heinrich Rebehn <heinrich.reb...@rebehn.net> wrote:
>> Unfortunately, switching to vmx(4) did *not* do the trick
>>
>> -Heinrich
>>
>>> On 29. Nov 2020, at 22:38, Heinrich Rebehn <heinrich.reb...@rebehn.net> wrote:
>>>
>>> Some things I forgot:
>>>
>>> All interfaces are UP
>>> pf(4) is disabled
>>> bridge0 sees a bunch of lladdrs on em0 and one on em1, which is that of "A"
>>>
>>> -Heinrich
>>>
>>>> On 29. Nov 2020, at 22:29, Heinrich Rebehn <heinrich.reb...@rebehn.net> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I am trying to setup an OpenBSD 6.7 virtual machine under VMware ESXi 6.7
>>>> to use as a filtering bridge between two virtual networks. I enabled
>>>> promiscuous mode for both virtual switches.
>>>> One network is the VMnet network, which is connected to the "outside
>>>> world".
>>>>
>>>> "A" ——> "B" ——> "R"
>>>>
>>>> "A" is a test machine                     192.168.1.152
>>>> "B" is the bridge                         No IP. em0 connects to R, em1 connects to A
>>>> "R" is the router provided by the hoster  192.168.1.1
>>>>
>>>> The addresses are only examples, the actual addresses are public IPs.
>>>>
>>>> When A tries to ping R, it sends an arp request for R's lladdr. R
>>>> responds with its lladdr. Tcpdump on R's em1 suggests that it is sent out
>>>> on the virtual network. However, A does not see the arp reply, hence
>>>> ping(8) fails.
>>>>
>>>> What am I missing? While browsing the mailing list archive, I just saw
>>>> that vmx(4) might be a better choice, but I had not yet time to try it out.
>>>>
>>>>
>>>> Any other known issues around bridge(4) or promiscuous mode under ESXi ?
>>>>
>>>> Thanks for any insights,
>>>>
>>>> Heinrich
>
>
> --
> Kindest regards,
> Tom Smyth.
bridge(4) Problems when running under ESXi ?
Hi all,

I am trying to setup an OpenBSD 6.7 virtual machine under VMware ESXi 6.7 to
use as a filtering bridge between two virtual networks. I enabled promiscuous
mode for both virtual switches.
One network is the VMnet network, which is connected to the "outside world".

"A" ——> "B" ——> "R"

"A" is a test machine                     192.168.1.152
"B" is the bridge                         No IP. em0 connects to R, em1 connects to A
"R" is the router provided by the hoster  192.168.1.1

The addresses are only examples, the actual addresses are public IPs.

When A tries to ping R, it sends an arp request for R's lladdr. R responds
with its lladdr. Tcpdump on R's em1 suggests that it is sent out on the
virtual network. However, A does not see the arp reply, hence ping(8) fails.

What am I missing? While browsing the mailing list archive, I just saw that
vmx(4) might be a better choice, but I had not yet time to try it out.

Any other known issues around bridge(4) or promiscuous mode under ESXi ?

Thanks for any insights,

Heinrich
Re: bridge(4) Problems when running under ESXi ?
Some things I forgot:

All interfaces are UP
pf(4) is disabled
bridge0 sees a bunch of lladdrs on em0 and one on em1, which is that of "A"

-Heinrich

> On 29. Nov 2020, at 22:29, Heinrich Rebehn wrote:
>
> Hi all,
>
> I am trying to setup an OpenBSD 6.7 virtual machine under VMware ESXi 6.7 to
> use as a filtering bridge between two virtual networks. I enabled promiscuous
> mode for both virtual switches.
> One network is the VMnet network, which is connected to the "outside world".
>
> "A" ——> "B" ——> "R"
>
> "A" is a test machine                     192.168.1.152
> "B" is the bridge                         No IP. em0 connects to R, em1 connects to A
> "R" is the router provided by the hoster  192.168.1.1
>
> The addresses are only examples, the actual addresses are public IPs.
>
> When A tries to ping R, it sends an arp request for R's lladdr. R responds
> with its lladdr. Tcpdump on R's em1 suggests that it is sent out on the
> virtual network. However, A does not see the arp reply, hence ping(8) fails.
>
> What am I missing? While browsing the mailing list archive, I just saw that
> vmx(4) might be a better choice, but I had not yet time to try it out.
>
>
> Any other known issues around bridge(4) or promiscuous mode under ESXi ?
>
> Thanks for any insights,
>
> Heinrich
Re: bridge(4) Problems when running under ESXi ?
Unfortunately, switching to vmx(4) did *not* do the trick

-Heinrich

> On 29. Nov 2020, at 22:38, Heinrich Rebehn wrote:
>
> Some things I forgot:
>
> All interfaces are UP
> pf(4) is disabled
> bridge0 sees a bunch of lladdrs on em0 and one on em1, which is that of "A"
>
> -Heinrich
>
>
>> On 29. Nov 2020, at 22:29, Heinrich Rebehn <heinrich.reb...@rebehn.net> wrote:
>>
>> Hi all,
>>
>> I am trying to setup an OpenBSD 6.7 virtual machine under VMware ESXi 6.7 to
>> use as a filtering bridge between two virtual networks. I enabled
>> promiscuous mode for both virtual switches.
>> One network is the VMnet network, which is connected to the "outside world".
>>
>> "A" ——> "B" ——> "R"
>>
>> "A" is a test machine                     192.168.1.152
>> "B" is the bridge                         No IP. em0 connects to R, em1 connects to A
>> "R" is the router provided by the hoster  192.168.1.1
>>
>> The addresses are only examples, the actual addresses are public IPs.
>>
>> When A tries to ping R, it sends an arp request for R's lladdr. R responds
>> with its lladdr. Tcpdump on R's em1 suggests that it is sent out on the
>> virtual network. However, A does not see the arp reply, hence ping(8) fails.
>>
>> What am I missing? While browsing the mailing list archive, I just saw that
>> vmx(4) might be a better choice, but I had not yet time to try it out.
>>
>>
>> Any other known issues around bridge(4) or promiscuous mode under ESXi ?
>>
>> Thanks for any insights,
>>
>> Heinrich
Re: vpn.rebehn.net upgrade log
Hello list,

After upgrading an OpenBSD host running 6.5 to 6.6 using sysupgrade(8), I
received the email below. It suggests that the upgrade has been aborted upon
failure to upgrade comp66.tgz. This set was not part of the initial
installation.

Does this mean that the system is 'half upgraded'? What steps are missing
because of the abort?

Cheers,

Heinrich

> On 28. Oct 2019, at 16:31, Charlie Root wrote:
>
> Choose your keyboard layout ('?' or 'L' for list) [default] default
> Available disks are: sd0.
> Which disk is the root disk? ('?' for details) [sd0] sd0
> Checking root filesystem (fsck -fp /dev/sd0a)... OK.
> Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
> Force checking of clean non-root filesystems? [no] no
> /dev/sd0a (331a03408374f07d.a) on /mnt type ffs (rw, local, wxallowed)
>
> Let's upgrade the sets!
> Location of sets? (cd0 disk http nfs or 'done') [http] disk
> Is the disk partition already mounted? [yes] yes
> Pathname to the sets? (or 'done') [6.6/amd64] /home/_sysupgrade/
>
> Select sets by entering a set name, a file name pattern or 'all'. De-select
> sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
>     [X] bsd           [X] comp66.tgz    [X] xbase66.tgz   [X] xserv66.tgz
>     [X] bsd.rd        [X] man66.tgz     [X] xshare66.tgz
>     [X] base66.tgz    [X] game66.tgz    [X] xfont66.tgz
> Set name(s)? (or 'abort' or 'done') [done] done
> Directory does not contain SHA256.sig. Continue without verification? [no] yes
> Installing bsd           100% |**************| 18250 KB    00:00
> Installing bsd.rd        100% |**************| 10058 KB    00:00
> Installing base66.tgz    100% |**************|   236 MB    00:12
> Installing comp66.tgz     78% |***********   | 56832 KB    00:01 ETA
> tar: Unable to remove directory ./usr/include/machine: Directory not empty
> Installing comp66.tgz    100% |**************| 72109 KB    00:06
> Installation of comp66.tgz failed. Continue anyway? [no] no
Re: bad-ip-version 6
> On 9. Jun 2019, at 19:41, Stuart Henderson wrote:
>
> On 2019/06/07 23:42, Heinrich Rebehn wrote:
>>
>>
>>> On 7. Jun 2019, at 22:38, Stuart Henderson wrote:
>>>
>>> On 2019-06-07, Heinrich Rebehn wrote:
>>>> Hi list,
>>>>
>>>> Doing tcpdump(8) on a wireguard tunnel yields:
>>>>
>>>>
>>>> # tcpdump -n -i tun0 icmp6
>>>> tcpdump: listening on tun0, link-type LOOP
>>>> 18:44:34.742106 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
>>>> 18:44:34.754246 bad-ip-version 6
>>>> 18:44:35.802498 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
>>>> 18:44:35.814841 bad-ip-version 6
>>>> 18:44:36.860380 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
>>>> 18:44:36.872536 bad-ip-version 6
>>>> 18:44:37.917605 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
>>>> 18:44:37.929694 bad-ip-version 6
>>>>
>>>> Huh? I thought that 6 is the current version? ;-)
>>>
>>> But v4+NAT/CGNAT is the will of the people!
>>>
>>>> Also, the echo replies are not shown, although I know they exist. Is there
>>>> a known problem with tcpdump(8) on wireguard tunnels?
>>>
>>> The replies are clearly the packets ~120ms after the echo requests
>>> that are shown as 'bad-ip-version-6'.
>>>
>>> It might be something wrong with the parser in tcpdump, or it might be
>>> something wrong with wg. Can you put a pcap online somewhere?
>>> (tcpdump -itun0 -s2000 -w /tmp/wg.pcap)
>>>
>>>
>>
>> Since the file is only 632 bytes big, I chose to simply uuencode and paste
>> into this mail:
>>
>> begin-base64 644 wg.pcap
>> 1MOyoQIABNAHAAAMLNf6XKA6CQA8PBhgDGlGABA6QCABBHB2
>> UwAFABEgAQY4Bg8BEQACgAALEz0lAABc+td6AAk6ySzX+lwLagkAPDwA
>> AAACYAU4vAAQOjggAQY4Bg8BEQACIAEEcHZTAAUAEYEAChM9JQAAXPrX
>> egAJOskt1/pcFU8KADw8GGAMaUYAEDpAIAEEcHZTAAUAESABBjgGDwEQ
>> AAABAAKAAAhmPSUAAVz613sACj1zLdf6XAB+CgA8PAJgBTi8ABA6OCABBjgG
>> DwEQAAABAAIgAQRwdlMABQARgQAHZj0lAAFc+td7AAo9cy7X+lzMYAsAPDwA
>> AAAYYAxpRgAQOkAgAQRwdlMABQARIAEGOAYPAREAAoAABoM9JQACXPrX
>> fAALP1Mu1/pczpALADw8AmAFOLwAEDo4IAEGOAYPAREAAiABBHB2UwAF
>> ABGBAAWDPSUAAlz613wACz9TL9f6XGRXDAA8PBhgDGlGABA6QCABBHB2
>> UwAFABEgAQY4Bg8BEQACgAAW6T0lAANc+td9AAwu6i/X+lzuhwwAPDwA
>> AAACYAU4vAAQOjggAQY4Bg8BEQACIAEEcHZTAAUAEYEAFek9JQADXPrX
>> fQAMLuo=
>>
>>
>> MD5 (wg.pcap) = df36e7fa6e7a7d80e9185e96aae51fed
>>
>> Hope this is ok. Thanks for help!
>>
>> BTW, the replies are happily accepted by the ping program running on my
>> iPhone (HE.NET Network Tools 1.6.5.337)
>>
>> -Heinrich
>>
>
> Packets captured on "tun" interfaces have an extra header which includes
> the address family. In the echo request packets from your capture this
> is correctly set to IPv6 which matches the inner IP packet so that's ok.
> In the replies (i.e. incoming packets) this is set to IPv4; so in tcpdump
> the inner packet is passed to an IPv4 decode routine, the address family
> on this inner packet doesn't match, so the bad-ip-version-6 message is
> printed.
>
> I think this version number is something that wireguard is setting. Are
> you using wireguard-go or some other implementation? Looking at the code
> wireguard-go does look like it's trying to set this correctly but I'm
> unsure whether it actually works (and the scaffolding for building
> go things in ports is a bit of a mess and doesn't work with the
> standard methods to rebuild with patches so it's not quick and easy
> to test things out..)
>

Yes, I am using wireguard-go, I was not aware of other implementations.

wireguard-go-0.0.20190517      implementation of WireGuard in Go
wireguard-tools-0.0.20190406p1 fast and secure VPN

If we are unsure whether the error is caused by wireguard, I could do a ktrace
to see what it is sending to tun0, but I am neither too familiar with ktrace
nor with the packet format. What should I be looking for? send(2)?

-Heinrich

PS. Might this be what we are looking for? 46.142.231.196:53138 is the iPhone.

 71735 wireguard-go STRU  struct sockaddr { AF_INET, 46.142.231.196:53138 }
 71735 wireguard-go GIO   fd 8 wrote 96 bytes
       "\^D\0\0\0)~>Pd\0\0\0\0\0\0\0\M-9\M^U\M-ljl\M^S4\M^S\M-}\M-N\v\M-I\M^S\M^H\\\M^X\M-{\M-uw\M^X(\
        \M-2U\M^Z\M^RK\M-y\M^Y*u\M-:Uw\M-{'\^BH\M-E\M-w)\M-7\M-8\M-,W\M-3\M^W\M-?\M^R}\M-m\M-L\M-r0\^Q\
        \M-Z\M-E\^C\M-Bb\M-^m\^[\M-x\M-H\M-'\M^_"\M^O\M-AK\M-HeWg7\M^A\M-;p?\M^T"
 7
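Added example, not from the thread and not OpenBSD's tcpdump: a Python decoder for the 4-byte address-family header that tun(4) prepends on link-type LOOP captures, checked against the version nibble of the inner IP header. That is the mismatch Stuart describes: the family field selects the IPv4 or IPv6 decoder, and only then does the decoder notice the packet's own version does not match. The pcap is constructed in memory (the posted capture is too mangled by the archive to decode); the AF_INET/AF_INET6 values 2 and 24 are OpenBSD's, the addresses are the ones from the tcpdump output above, and the helper names are mine.

```python
"""Decode DLT_LOOP (tcpdump "link-type LOOP") frames and flag AF/version mismatches.

Added example, not OpenBSD's tcpdump code. tun(4) prepends a 4-byte address
family to every packet it hands to bpf; on DLT_LOOP captures that field is in
network byte order. tcpdump picks the IPv4 or IPv6 decoder from that field and
only then looks at the inner version nibble, so a frame tagged AF_INET that
carries an IPv6 packet prints as "bad-ip-version 6". The pcap below is
constructed in memory to reproduce that.
"""
import struct

AF_INET, AF_INET6 = 2, 24   # OpenBSD's values (assumption for the example; Linux uses 2 and 10)
DLT_LOOP = 108              # pcap link type for OpenBSD loopback encapsulation
IPPROTO_ICMPV6, IPPROTO_ICMP = 58, 1

# Addresses taken from the tcpdump output in the thread.
SRC6 = bytes.fromhex('20010470765300050000000000000011')  # 2001:470:7653:5::11
DST6 = bytes.fromhex('20010638060f01100000000000010002')  # 2001:638:60f:110::1:2


def ipv6_header(src, dst, payload_len, next_header):
    # version 6, traffic class 0, flow label 0, hop limit 64
    return struct.pack('!IHBB16s16s', 6 << 28, payload_len, next_header, 64, src, dst)


def ipv4_header(src, dst, total_len, proto):
    # version 4, IHL 5; header checksum left zero, it is not validated here
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def icmp6_echo(type_, ident, seq):
    # type, code, checksum (0, not validated here), identifier, sequence
    return struct.pack('!BBHHH', type_, 0, 0, ident, seq)


def loop_frame(af, inner):
    """What bpf sees on tun0: 4-byte AF in network byte order, then the IP packet."""
    return struct.pack('!I', af) + inner


def build_pcap(frames, linktype=DLT_LOOP):
    """Minimal little-endian pcap file (magic 0xa1b2c3d4, microsecond timestamps)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1560000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (linktype, frame bytes) for every record in a pcap file."""
    magic, = struct.unpack_from('<I', data, 0)
    endian = '<' if magic == 0xa1b2c3d4 else '>'
    linktype, = struct.unpack_from(endian + 'I', data, 20)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def classify(linktype, frame):
    """Mimic tcpdump's DLT_LOOP path: the AF header selects the decoder, then
    the inner version nibble must agree with it."""
    if linktype != DLT_LOOP or len(frame) < 5:
        return 'truncated'
    af, = struct.unpack('!I', frame[:4])
    version = frame[4] >> 4
    if af == AF_INET6 and version == 6:
        return 'ip6'
    if af == AF_INET and version == 4:
        return 'ip'
    if af in (AF_INET, AF_INET6):
        return 'bad-ip-version %d' % version   # what tcpdump printed in the thread
    return 'unknown-af %d' % af


def audit(data):
    return [classify(lt, frame) for lt, frame in iter_pcap(data)]


req = icmp6_echo(128, 0x2525, 1)   # echo request
rep = icmp6_echo(129, 0x2525, 1)   # echo reply
FRAMES = [
    loop_frame(AF_INET6, ipv6_header(SRC6, DST6, len(req), IPPROTO_ICMPV6) + req),  # outbound, AF correct
    loop_frame(AF_INET, ipv6_header(DST6, SRC6, len(rep), IPPROTO_ICMPV6) + rep),   # inbound, AF says v4
    loop_frame(AF_INET, ipv4_header(b'\xc0\xa8\x01\x02', b'\xc0\xa8\x01\x01', 20, IPPROTO_ICMP)),
]
SAMPLE_PCAP = build_pcap(FRAMES)

if __name__ == '__main__':
    for verdict in audit(SAMPLE_PCAP):
        print(verdict)
```

The same check can be pointed at a real capture with `audit(open('/tmp/wg.pcap', 'rb').read())`. Frames that come back as `bad-ip-version 6` are the ones whose writer put the wrong family in the tun header, which is the direction Stuart's suspicion points: the kernel sets the header correctly for packets it generates, so a wrong value on inbound frames comes from whatever wrote them to /dev/tun.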
bad-ip-version 6
Hi list,

Doing tcpdump(8) on a wireguard tunnel yields:

# tcpdump -n -i tun0 icmp6
tcpdump: listening on tun0, link-type LOOP
18:44:34.742106 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
18:44:34.754246 bad-ip-version 6
18:44:35.802498 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
18:44:35.814841 bad-ip-version 6
18:44:36.860380 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
18:44:36.872536 bad-ip-version 6
18:44:37.917605 2001:470:7653:5::11 > 2001:638:60f:110::1:2: icmp6: echo request [flowlabel 0xb6f77]
18:44:37.929694 bad-ip-version 6

Huh? I thought that 6 is the current version? ;-)

Also, the echo replies are not shown, although I know they exist. Is there a
known problem with tcpdump(8) on wireguard tunnels?

# uname -a
OpenBSD wg.rebehn.net 6.5 GENERIC#2 amd64

# dmesg | grep GENERIC
OpenBSD 6.5-current (GENERIC) #2: Sun Jun  2 00:21:42 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

Running under VMware ESXi 6.7

Manpage and mailing list did not give any hints.

Cheers,

Heinrich
Question on queues
Hi all,

I am trying to limit bandwidth use on a machine using queues. My pf.conf is:

r...@vpngw.rebehn.net [~] # cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

client = 192.168.3.11
#
# increase default state limit from 10'000 states on busy systems
#set limit states 10

set skip on lo

queue rootq on tun0 bandwidth 100M
queue std parent rootq bandwidth 95M
queue test parent rootq bandwidth 20K, max 20K default

block return	# block stateless traffic
pass		# establish keep-state

pass out on tun0 inet proto tcp from any port = 5900 to any queue std

#block in quick from urpf-failed to any	# use with care

match out log on tun0 nat-to (tun0)
match in on em0 inet proto tcp from any to self port = 5900 rdr-to $client
match out on em0 inet proto tcp from any to $client port = 5900 nat-to (em0)

pfctl -sq -vv shows:

queue rootq on tun0 bandwidth 100M qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue std parent rootq on tun0 bandwidth 95M qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue test parent rootq on tun0 bandwidth 20K, max 20K default qlimit 50
  [ pkts:       5722  bytes:    5835854  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:   119.5 packets/s, 1.02Mb/s ]

I have 3 questions:

- why is queue "test" allowing 1.02Mb/s although the limit is 20K?
- is it correct that the parent queue "rootq" does not show any usage?
- is queueing supposed to work at all on tun(4) devices?

# uname -a
OpenBSD vpngw.rebehn.net 5.5 GENERIC#68 amd64

System is running under VMware ESXi 5.0

TIA for any help!

Heinrich
Re: telnet escape character not working
On 20.05.2009 at 14:13, LEVAI Daniel wrote:

> On Wednesday 20 May 2009 13.53.35 you wrote:
>> LEVAI Daniel wrote:
>>> Hi!
>>>
>>> In console with telnet, when I press the CTRL+] (^]) it should exit to
>>> telnet's cli, but when I press it, it does nothing. However it is not
>>> working only in text console, under xterm the CTRL+] escorts me to the cli.
>>>
>>> What could be the problem?
>>>
>>> Thanks!
>>
>> it may sound stupid but I thought it was CTRL+[ not CTRL+]
>
> $ telnet 10.12.8.1
> Trying 10.12.8.1...
> Connected to 10.12.8.1.
> Escape character is '^]'.
>                       ^ that is what isn't working in console
>
> Daniel

You *did* set the proper national keyboard translation using kbd(8)?

-Heinrich
Re: IPSEC: certificate ignored
On 06.03.2009 at 22:56, Toni Mueller wrote:

> Hi,
>
> I'm trying to get a VPN connection to work which should actually be a
> no-brainer (and I have quite similar things out there, for years):
>
>   network 1
>       |
>   Linux w/ isakmpd (u...@road-warrior)
>       |
>       |
>   Internet
>       |
>       |
>   OpenBSD w/ isakmpd (office-router)
>       |
>   network 2
>
> Authentication should be done with X.509 certificates. I have my small CA
> that issues these certificates. On startup, OpenBSD reads all required
> certificates from /etc/isakmpd/{certs,ca} plus its key from
> /etc/isakmpd/private just fine (I double-checked using openssl and grep),
> but when it comes to checking the client's incoming cert, it goes like this:
>
> 223644.842092 Plcy 30 keynote_cert_obtain: failed to open /etc/isakmpd/keynote//u...@road-warrior/credentials
> 223644.842516 Default get_raw_key_from_file: monitor_fopen (/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior, r) failed: Permission denied

?? Permission denied? Could this be the problem?

-Heinrich

> 223644.842707 Default rsa_sig_decode_hash: no public key found
> 223644.842903 Default dropped message from 1.2.3.4 port 500 due to notification type INVALID_ID_INFORMATION
>
> In isakmpd.policy(5), I read:
>
>      When X509-based authentication is performed in Main Mode, any X509
>      certificates received from the remote IKE daemon are converted to very
>      simple KeyNote credentials. The conversion is straightforward: the
>      issuer of the X509 certificate becomes the Authorizer of the KeyNote
>      credential, the subject becomes the only Licensees entry, while the
>      Conditions field simply asserts that the credential is only valid for
>      IPsec policy use (see the app_domain action attribute below).
>
> Please note that the Linux box can identify the OpenBSD box just fine, too.
> It's only that the OpenBSD box (various 4.5 snapshots, actually, the latest
> being 4.5 GENERIC.MP#63 i386 of Feb 10th, don't seem to do this conversion
> of certificates to credentials anymore, or I'm making some stupid mistake
> that I'm too blind to see.
>
> Any help is much appreciated!
>
> --
> Kind regards,
> --Toni++
Re: I/O redirection
On Dec 3, 2008, at 10:49 AM, Tom Van Looy wrote:

> No, check the ksh man page. Or, you could use the /usr/bin/time command to
> just avoid the ksh builtin.
>
> /usr/bin/time java helloWorld > time.report 2>&1
>
> Which works as expected.

Or use

$ (time java helloWorld) > time.report 2>&1

-Heinrich
Re: nfsroot hangs after reloading pf
Just FYI,

The problem still persists on 4.4

On Jul 8, 2008, at 5:13 PM, Heinrich Rebehn wrote:

> Anyone? Any ideas?
>
> IMHO this seems to be a serious issue.
>
> -Heinrich
>
> Heinrich Rebehn wrote:
>> Hi list,
>>
>> when I do a
>>
>> # pfctl -f /etc/pf.conf
>>
>> on my diskless (nfsroot) 4.3-stable machine, the machine hangs and needs a
>> hard reset.
>> The interface used for nfsroot is xl0 and I have
>>
>> set skip on {lo0 xl0}
>>
>> in my pf.conf.
>>
>> The machine boots and runs fine with the ruleset enabled, but as soon as I
>> reload the ruleset, even without making any change, the machine hangs.
>> If I copy pf.conf to /tmp (which is a ramdisk) and reload the ruleset from
>> there, it works fine.
>>
>> So it *seems* that, when reloading a ruleset, there is a short moment where
>> the packet filter blocks everything before loading the new ruleset, making
>> it impossible to read /etc/pf.conf over NFS.
>>
>> Is my assumption true? Should this be considered a bug?
>>
>> I remember that this worked with an older (maybe 3.9 or 4.0) version of
>> OpenBSD.
>>
>> Kind regards,
>>
>> Heinrich Rebehn
>>
>> University of Bremen
>> Physics / Electrical and Electronics Engineering
>> - Department of Telecommunications -
>>
>> Phone : +49/421/218-4664
>> Fax   :            -3341
Re: Wireless
Paul de Weerd wrote:
> On Thu, Sep 11, 2008 at 11:59:55AM +0200, Paul de Weerd wrote:
> | On Thu, Sep 11, 2008 at 11:33:43AM +0200, Heinrich Rebehn wrote:
> | Paul,
> |
> | when you had success with rum(4), did you use wpa? I am having trouble
> | getting a Hercules HWGUSB2-54 under OpenBSD 4.4 to work with my FritzBox
> | 7220 using wpa(tkip). At start, the association succeeds, but after some 15
> | minutes it disassociates and then fails to reassociate until I either
> | reboot the AP or the OpenBSD box. The fritzbox reports authentication
> | errors. If this works for you, then I would suspect that the fritzbox is to
> | blame.
> |
> | No, I did not use rum(4) with wpa. I can try this sometime later this
> | week, will let you know the results.
>
> A bit later than anticipated, but I found a (one of my) rum(4) and tried it
> with a FON WPA access point. So far, I've transferred 5+GB of data through
> this NIC without any issues whatsoever, all using WPA.
>
> [EMAIL PROTECTED] $ netstat -nb -I rum0
> Name  Mtu   Network  Address            Ibytes      Obytes
> rum0  1500  <Link>   00:80:5a:37:c2:f4  5648770470  170570816
>
> I've seen no association errors or anything.

Strange. Is your AP also Atheros-based? So far, I had troubles with two APs,
both Atheros-based.

> There's only this :
>
> ehci_idone: ex=0x80221600 is done!
>
> Which I got a couple of times (mostly during ifconfig).

Yes, I have seen that too, looks more like an informational message.

Anyway, thank you for your effort! :-)

I will try running the WLAN w/o WPA and encrypt traffic with IPSec or OpenVPN.

Cheers,

Heinrich
Re: Wireless
Paul de Weerd wrote:
> On Thu, Sep 11, 2008 at 11:33:43AM +0200, Heinrich Rebehn wrote:
> | Paul,
> |
> | when you had success with rum(4), did you use wpa? I am having trouble
> | getting a Hercules HWGUSB2-54 under OpenBSD 4.4 to work with my FritzBox
> | 7220 using wpa(tkip). At start, the association succeeds, but after some 15
> | minutes it disassociates and then fails to reassociate until I either
> | reboot the AP or the OpenBSD box. The fritzbox reports authentication
> | errors. If this works for you, then I would suspect that the fritzbox is to
> | blame.
>
> No, I did not use rum(4) with wpa. I can try this sometime later this
> week, will let you know the results.

I have the same problem with ral(4) using a Ralink RT2561 (see old 4.3 dmesg
lines below)

ral0 at pci2 dev 9 function 0 "Ralink RT2561" rev 0x00: irq 7, address 00:13:d3:83:1a:d2
ral0: MAC/BBP RT2561C, RF RT2527

This one is also unreliable under WinXP, disassociates often and has trouble
associating again, with the AP reporting authorization errors. But anyway,
under Windows it eventually succeeds whereas with obsd it does not.

Cheers,

Heinrich
Re: Wireless
OpenBSD wrote:
> On Mon, 8 Sep 2008 23:24:26 +0200
> Paul de Weerd [EMAIL PROTECTED] wrote:
>
>> On Mon, Sep 08, 2008 at 01:52:43PM -0700, OpenBSD wrote:
>> | BTW, do you know 1 USB wireless card that work without firmware, to be
>> | used to install OBSD?
>>
>> I have a wi(4) that attaches to usb and doesn't need firmware. These days,
>> it's hard to find ones that don't require firmware, but if you stick to
>> what comes with freely redistributable firmware files, you should be good.
>> rum(4), ural(4) and zyd(4) come to mind. I've had success with all three.

Paul,

when you had success with rum(4), did you use wpa? I am having trouble getting
a Hercules HWGUSB2-54 under OpenBSD 4.4 to work with my FritzBox 7220 using
wpa(tkip). At start, the association succeeds, but after some 15 minutes it
disassociates and then fails to reassociate until I either reboot the AP or
the OpenBSD box. The fritzbox reports authentication errors. If this works for
you, then I would suspect that the fritzbox is to blame.

-Heinrich
Re: isakmpd from XX to any; possible to offer choice of algorithm?
jared r r spiegel wrote:
> On Fri, Aug 29, 2008 at 11:02:18PM +0000, Stuart Henderson wrote:
>
>> Now someone would like to add a device which (like some other devices
>> connecting to this machine) is not on a fixed address so it needs to use
>> the "to any" rule. Though it supports AES in phase 2, only DES or 3DES are
>> permitted in phase 1 (which of course is already set to AES on other
>> devices).
>
> just checked isakmpd.conf(5), it says you can have a list of proposed
> transforms (instead of just one).
>
> but i do recall for certain that i NEVER got that to work. any list of
> anything, i never got to work; transform lists, the thing where you're
> supposed to be able to specify a range of time/byte durations, etc etc :/

I used the following for phase 1 in my isakmpd.conf:

[General]
...
Default-phase-1-ID = My-Phase-1-Id

[My-Phase-1-Id]
Id-Type = FQDN
Name = router.ant.uni-bremen.de

[Phase 1]
Default = Peer-Default

[Peer-Default]
Phase = 1
Transport = udp
Configuration = Default-id-prot

[Default-id-prot]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG

This worked w/o problems.

HTH,

Heinrich

--
Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341
Re: not a tty
Josh Grosse wrote:
> On Wed, 27 Aug 2008 14:54:06 +0200, Otto Moerbeek wrote
>> Likely /tmp is mounted nodev
>
> I don't think so. I can replicate Leo's exact sequence when /tmp is mounted
> dev. If it is mounted nodev, you get warning messages that there is no
> controlling tty when you start the shell. With dev, you get no warning
> message and the chrooted environment works as expected, except for the
> result from tty(1).

# mkdir -p /tmp/root/var/run
# cp -p /var/run/dev.db /tmp/root/var/run
# chroot /tmp/root sh
# tty
/dev/ttyp0

found with ktrace(1)

Cheers,

Heinrich

--
Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341
Re: OpenBSD and iSCSI support
Marco Peereboom wrote:
> Eventually. I started writing the qli driver but have not had time to finish
> that. I also am planning to do a software initiator/target using softraid
> however that is further out.
>
> *sigh* so much code so little time...

So the information under
http://en.wikipedia.org/wiki/ISCSI#Operating-system_support about OpenBSD
supporting iSCSI is nonsense?

> On Sun, Jul 06, 2008 at 07:43:09PM +0200, Denis Fondras wrote:
>> Hello,
>>
>> I'm doing some testing with iSCSI and I'd like to know if there is any plan
>> to add iSCSI support to OpenBSD (initiator and/or target) ?
>>
>> Denis

--
Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341
Re: Is it necessary to recompile just to apply a security patch?
skogzort wrote:
> Is it necessary to recompile just to apply a security patch?
>
> Hello, I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code and re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch:
>
> Download the tree..
> Preload the tree..
> Build the kernel..
> Build the userland..
> Etc.
>
> The only thing we use the server for is DNS. I don't know what flavor we are running, since it's on a production server I assume it will be -release or -stable, either way from what I've read so far it looks like in order to apply this security patch I will have to update it to -stable. Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? I'm only familiar with Windows, where you just push a button to apply a security patch and you don't even have to reboot the server, so I was thinking that I may be misunderstanding what I'm reading.
>
> Thanks very much for your time and any info
>
> Kyle

Hi Kyle,

the header of the patch available at ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch explains:

    Apply by doing:
        cd /usr/src
        patch -p0 < 004_bind.patch

    Then rebuild and install bind:
        cd usr.sbin/bind
        make -f Makefile.bsd-wrapper obj
        make -f Makefile.bsd-wrapper
        make -f Makefile.bsd-wrapper install

that's all you need to do.

HTH,
Heinrich
named: Binding locally
Hi all,

After patching named on 4.3, it throws *lots* of the above syslog messages:

    Jul 24 14:28:31 frw1 named[32206]: Binding locally
    Jul 24 14:28:35 frw1 last message repeated 5 times
    Jul 24 14:28:42 frw1 named[32206]: Binding locally
    Jul 24 14:29:15 frw1 last message repeated 6 times
    Jul 24 14:29:19 frw1 last message repeated 2 times
    Jul 24 14:29:24 frw1 named[32206]: Binding locally
    Jul 24 14:29:26 frw1 last message repeated 2 times
    Jul 24 14:29:37 frw1 named[32206]: Binding locally
    Jul 24 14:29:37 frw1 last message repeated 2 times
    Jul 24 14:29:42 frw1 named[32206]: Binding locally
    Jul 24 14:29:48 frw1 last message repeated 4 times
    Jul 24 14:29:58 frw1 named[32206]: Binding locally

Is this an error? Or what does it mean?

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664   Fax : -3341
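A small log-analysis helper, added here as an example and not part of the original post: when judging how often named really logged "Binding locally", a plain grep undercounts because syslogd collapses consecutive duplicates into "last message repeated N times" lines. The awk below expands that compression and is fed the exact lines quoted above; the sample function and the pattern argument are this example's own.

```shell
#!/bin/sh
# Count occurrences of a syslog message, honouring syslogd's
# "last message repeated N times" lines. Added example; the sample log
# below is the sequence quoted in the post above.

# $1 = regular expression to count; syslog lines on stdin.
count_with_repeats() {
    awk -v pat="$1" '
        # A repeat line refers to the previous real message: add N only
        # when that previous message matched the pattern.
        /last message repeated [0-9]+ times/ {
            if (prev_matched) {
                for (i = 1; i <= NF; i++)
                    if ($i == "repeated") { n += $(i + 1); break }
            }
            next
        }
        {
            prev_matched = ($0 ~ pat)
            if (prev_matched) n++
        }
        END { print n + 0 }
    '
}

# The lines from the post, embedded so the script runs offline.
sample_log() {
    cat <<'EOF'
Jul 24 14:28:31 frw1 named[32206]: Binding locally
Jul 24 14:28:35 frw1 last message repeated 5 times
Jul 24 14:28:42 frw1 named[32206]: Binding locally
Jul 24 14:29:15 frw1 last message repeated 6 times
Jul 24 14:29:19 frw1 last message repeated 2 times
Jul 24 14:29:24 frw1 named[32206]: Binding locally
Jul 24 14:29:26 frw1 last message repeated 2 times
Jul 24 14:29:37 frw1 named[32206]: Binding locally
Jul 24 14:29:37 frw1 last message repeated 2 times
Jul 24 14:29:42 frw1 named[32206]: Binding locally
Jul 24 14:29:48 frw1 last message repeated 4 times
Jul 24 14:29:58 frw1 named[32206]: Binding locally
EOF
}

# Total number of "Binding locally" messages behind the 12 lines above.
count_binding_locally() {
    sample_log | count_with_repeats 'Binding locally'
}

# On a real box: count_with_repeats 'Binding locally' < /var/log/messages
```

A grep on the same twelve lines reports 6; the expanded count is 27, which is the number that matters when deciding whether a message rate is abnormal.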
Re: nfsroot hangs after reloading pf
Anyone? Any ideas? IMHO this seems to be a serious issue.

-Heinrich

Heinrich Rebehn wrote:
> Hi list,
>
> when i do a
>
>     # pfctl -f /etc/pf.conf
>
> on my diskless (nfsroot) 4.3-stable machine, the machine hangs and needs a hard reset. The interface used for nfsroot is xl0 and i have set skip on {lo0 xl0} in my pf.conf. The machine boots and runs fine with the ruleset enabled, but as soon as i reload the ruleset, even without making any change, the machine hangs.
>
> If i copy pf.conf to /tmp (which is a ramdisk) and reload the ruleset from there, it works fine.
>
> So it *seems* that, when reloading a ruleset, there is a short moment where the packet filter blocks everything before loading the new ruleset, making it impossible to read /etc/pf.conf over NFS.
>
> Is my assumption true? Should this be considered a bug? I remember that this worked with an older (maybe 3.9 or 4.0) version of OpenBSD.
>
> Kind regards,
>
> Heinrich Rebehn
> University of Bremen
> Physics / Electrical and Electronics Engineering
> - Department of Telecommunications -
> Phone : +49/421/218-4664   Fax : -3341
nfsroot hangs after reloading pf
Hi list,

when i do a

    # pfctl -f /etc/pf.conf

on my diskless (nfsroot) 4.3-stable machine, the machine hangs and needs a hard reset. The interface used for nfsroot is xl0 and i have set skip on {lo0 xl0} in my pf.conf. The machine boots and runs fine with the ruleset enabled, but as soon as i reload the ruleset, even without making any change, the machine hangs.

If i copy pf.conf to /tmp (which is a ramdisk) and reload the ruleset from there, it works fine.

So it *seems* that, when reloading a ruleset, there is a short moment where the packet filter blocks everything before loading the new ruleset, making it impossible to read /etc/pf.conf over NFS.

Is my assumption true? Should this be considered a bug? I remember that this worked with an older (maybe 3.9 or 4.0) version of OpenBSD.

Kind regards,

Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664   Fax : -3341
Re: about dhcpd and carp device
Oops, i forgot to Cc the list!

Imre Oolberg wrote:
> Hi!
>
> (private) HKS wrote:
>> Your carp interface won't be doing much for you if it doesn't have an IP address configured.
>
> Yes, i think so, too and i have carp device configured ip address. To present my case more clearly here is my little experiment.
>
> CASE ONE, dhcpd is bound to physical interface, everything works as expected
>
>     dchpserver# ifconfig rl0
>     rl0: ...
>             inet 10.0.10.250 netmask 0xff00 broadcast 10.0.10.255
>
>     dhcpclient# dhclient -d rl0
>     DHCPREQUEST on rl0 to 255.255.255.255 port 67
>     DHCPACK from 10.0.10.250
>     bound to 10.0.10.32 -- renewal in 21600 seconds.
>
>     dhcpserver# dhcpd -d rl0
>     DHCPREQUEST for 10.0.10.32 from 00:c0:26:27:4d:fe via rl0
>     DHCPACK on 10.0.10.32 to 00:c0:26:27:4d:fe via rl0
>
>     dhcpserver# tcpdump -nettti rl0 not proto carp
>     tcpdump: listening on rl0, link-type EN10MB
>     Apr 24 06:35:01.251249 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0800 342: 10.0.10.32.68 > 255.255.255.255.67: xid:0x9d19635d [|bootp] [tos 0x10]
>     Apr 24 06:35:01.252596 00:e0:4c:02:89:18 00:c0:26:27:4d:fe 0800 342: 10.0.10.250.67 > 10.0.10.32.68: xid:0x9d19635d Y:10.0.10.32 S:10.0.10.250 [|bootp] [tos 0x10]
>     Apr 24 06:35:01.267923 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.0.10.32 tell 10.0.10.32
>
> CASE TWO, dhcpd is bound to carp device (which runs on rl0, which doesn't have an ip address configured any more), client isn't getting an answer
>
>     dchpserver# ifconfig carp4
>     carp4: ...
>             inet 10.0.10.250 netmask 0xff00 broadcast 10.0.10.255
>
>     dhcpclient# dhclient -d rl0
>     DHCPREQUEST on rl0 to 255.255.255.255 port 67
>     DHCPREQUEST on rl0 to 255.255.255.255 port 67
>     DHCPDISCOVER on rl0 to 255.255.255.255 port 67 interval 3
>     DHCPDISCOVER on rl0 to 255.255.255.255 port 67 interval 6
>     DHCPDISCOVER on rl0 to 255.255.255.255 port 67 interval 13
>
>     dhcpserver# dhcpd -d carp4
>
>     dhcpserver# tcpdump -nettti rl0 not proto carp
>     tcpdump: listening on rl0, link-type EN10MB
>     Apr 24 06:43:57.758341 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0800 342: 10.0.10.32.68 > 255.255.255.255.67: xid:0x7a3c2ff [|bootp] [tos 0x10]
>     Apr 24 06:44:05.764199 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0800 342: 10.0.10.32.68 > 255.255.255.255.67: xid:0x7a3c2ff secs:8 [|bootp] [tos 0x10]
>     Apr 24 06:44:13.774456 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0x5e5dc1b3 [|bootp] [tos 0x10]
>     Apr 24 06:44:16.784416 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0x5e5dc1b3 secs:3 [|bootp] [tos 0x10]
>     Apr 24 06:44:22.794616 00:c0:26:27:4d:fe ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0x5e5dc1b3 secs:9 [|bootp] [tos 0x10]
>
>     # tcpdump -nettti carp4 not proto carp
>     tcpdump: listening on carp4, link-type EN10MB
>
> And dhcpserver and dhcpclient both have pf disabled.
>
> If somebody could confirm that this is expected behavior with carp device and dhcpd i would be very glad to know!

I cannot confirm that this is expected behaviour, but i observed the same. For some reason, carp devices do not see broadcast (255.255.255.255) packets. You have to assign an address to the physical device and have dhcpd(8) work on that one.

Regards,

Heinrich
Howto route IP Broadcasts (255.255.255.255)
Hi All,

We have an OpenBSD 4.2-stable router which routes between 5 subnets. On 2 of those subnets we run an application that does many to many communication using UDP broadcasts to 255.255.255.255. Unfortunately, the router does not seem to forward these packets. They look like:

    [EMAIL PROTECTED] [~] # tcpdump -n -v -i vlan0 host 255.255.255.255
    tcpdump: listening on vlan0, link-type EN10MB
    09:55:04.622293 134.102.176.85.33094 > 255.255.255.255.60001: udp 331 (DF) (ttl 64, id 0, len 359)
    09:55:04.696183 134.102.176.52.46247 > 255.255.255.255.60001: [udp sum ok] udp 29 (DF) (ttl 64, id 0, len 57)
    09:55:05.623102 134.102.176.85.33094 > 255.255.255.255.60001: [udp sum ok] udp 29 (DF) (ttl 64, id 0, len 57)
    09:55:05.623302 134.102.176.24.56807 > 255.255.255.255.60001: [udp sum ok] udp 29 (DF) (ttl 64, id 0, len 57)
    09:55:06.627005 134.102.176.24.56807 > 255.255.255.255.60001: [udp sum ok] udp 29 (DF) (ttl 64, id 0, len 57)
    09:55:07.627214 134.102.176.24.56807 > 255.255.255.255.60001: [udp sum ok] udp 29 (DF) (ttl 64, id 0, len 57)

Hosts on other subnets do not see the packets, neither do I see them on pflog0, so it seems the packet filter is not to blame.

Do i have to enable broadcasts explicitly ? I could not find anything in the manpages, and googling for routing broadcasts or similar yields only pages dealing with routing protocols.

Thanks for any help!

-Heinrich

Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664   Fax : -3341
Re: Howto route IP Broadcasts (255.255.255.255)
Paul de Weerd wrote:
> On Thu, Mar 13, 2008 at 11:55:53PM +1030, Damon McMahon wrote:
>> On 13/03/2008, at 7:32 PM, Heinrich Rebehn wrote:
>>> Do i have to enable broadcasts explicitly ? I could not find anything in the manpages, and googling for routing broadcasts or similar yields only pages dealing with routing protocols.
>>
>> Broadcasts can't be routed - it's a violation of the Internet Protocol and so it's the OpenBSD IP stack which is dropping your packets, not pf(4). I guess if you absolutely need to route broadcast packets one option is to use NAT in pf.conf(5), e.g. (not tested)
>
> In addition to Damon's remarks, imagine what would happen if broadcasts *were* routed. While imagining this, please remember that a) I'm in no way interested in your (or other peoples) traffic and b) I have limited bandwidth I'd like to use for *MY OWN* traffic.
>
> You may want to look into multicast.
>
> Paul 'WEiRD' de Weerd

Paul,

My intention was to route between two *private* subnets, not to weirdnet.nl! No need to worry ;-)

I started reading into multicast and found that it is overly complicated and overkill for our purposes.

-Heinrich
4.3 freezes + ral(4) / ath(4) troubles on MSI Megabook M-522
Hi All,

4.3 works fine on my Notebook except for the thing mentioned in $subject. These problems also exist with 4.2.

The freeze occurs w/ ACPI enabled when bringing up ral0. Disabling ACPI solves the freeze problem, but ral0 has difficulties associating with my Netgear WGT624-v3 WLAN router. It can take 5 minutes or longer to establish a connection with the router. This makes wlan unusable.

Enabling debug on ral0 remedies the problem, ral0 associates in less than a minute and is quite usable then. Looks like a race condition or timing problem.

** DMESG with ACPI **

    OpenBSD 4.3 (GENERIC) #695: Tue Mar 4 14:28:56 MST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) M processor 1.50GHz (GenuineIntel 686-class) 1.50 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF real mem = 1064726528 (1015MB) avail mem = 1021480960 (974MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 08/10/06, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf9bb0 (15 entries) bios0: vendor American Megatrends Inc. version A1522IMS V1.10 08/10/06 date 08/10/2006 bios0: MICRO-STAR INT'L CO.,LTD. MS-1016 acpi0 at bios0: rev 0 acpi0: tables DSDT FACP APIC MCFG OEMB MCFG SSDT acpi0: wakeup devices LAN_(S0) USB1(S0) USB2(S0) USB3(S0) USB4(S0) EUSB(S0) AUDI(S0) MC97(S0) P0P1(S0) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 3 (P0P3) acpiec0 at acpi0 acpicpu0 at acpi0: C3, C3, C2, C1 acpitz0 at acpi0: critical temperature 99 degC acpiac0 at acpi0: AC unit online acpibat0 at acpi0: BAT1 model MS-1016 serial type LION oem MSI Corp. acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: SLPB acpibtn2 at acpi0: LID0 bios0: ROM list: 0xc/0xf000!
    0xcf000/0x1000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82915GM Host rev 0x04 agp0 at pchb0: aperture at 0xd000, size 0x1000 vga1 at pci0 dev 2 function 0 Intel 82915GM Video rev 0x04 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Intel 82915GM Video rev 0x04 at pci0 dev 2 function 1 not configured ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x04: irq 10 pci1 at ppb0 bus 1 uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x04: irq 11 uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x04: irq 5 uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x04: irq 15 ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x04: irq 11 ehci0: reset timeout ehci0: init failed, error=13 ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xd4 pci2 at ppb1 bus 3 rl0 at pci2 dev 3 function 0 Realtek 8139 rev 0x10: irq 6, address 00:16:17:51:e0:5a rlphy0 at rl0 phy 0: RTL internal PHY cbb0 at pci2 dev 5 function 0 O2 Micro OZ711MP1 CardBus rev 0x21: irq 5 sdhc0 at pci2 dev 5 function 2 O2 Micro OZ711MP1 SDHC rev 0x01: irq 5 sdmmc0 at sdhc0 O2 Micro OZ711MP1 XDHC rev 0x01 at pci2 dev 5 function 3 not configured O2 Micro Firewire rev 0x02 at pci2 dev 5 function 4 not configured ral0 at pci2 dev 9 function 0 Ralink RT2561 rev 0x00: irq 7, address 00:13:d3:83:1a:d2 ral0: MAC/BBP RT2561C, RF RT2527 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at cardslot0: bus 4 device 0 cacheline 0x0, lattimer 0x40 pcmcia0 at cardslot0 auich0 at pci0 dev 30 function 2 Intel 82801FB AC97 rev 0x04: irq 7, ICH6 AC97 ac97: codec id not read audio0 at auich0 Intel 82801FB Modem rev 0x04 at pci0 dev 30 function 3 not configured ichpcib0 at pci0 dev 31 function 0 Intel 82801FBM LPC rev 0x04: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801FB IDE rev 0x04: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at
    pciide0 channel 0 drive 0: FUJITSU MHV2080AH PL wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors atapiscsi0 at pciide0 channel 0 drive 1 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD-RW GWA-4082N, CB03 SCSI0 5/cdrom removable wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 ignored (disabled) ichiic0 at pci0 dev 31 function 3 Intel 82801FB SMBus rev 0x04: irq 5 iic0 at ichiic0 spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-4200CL5 SO-DIMM spdmem1 at iic0 addr 0x52: 512MB DDR2 SDRAM non-parity PC2-4200CL5 SO-DIMM uhci0: controller did not reset uhci0: cannot start uhci0: init failed, error=13 uhci1: controller did not reset uhci1: cannot start uhci1: init failed, error=13 uhci2: controller did not reset uhci2: cannot start uhci2: init failed, error=13 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pmsi0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux
Re: hotplugd(8) mount flash drive
Chris wrote:
> On Jan 29, 2008 12:24 AM, Chris [EMAIL PROTECTED] wrote:
>> I am trying to use hotplugd(8) to mount my USB flash drive (/dev/sd1i) automatically in /mnt/flash when I plug it in. I enabled hotplugd in /etc/rc.conf.local and wrote the following script (chmod +x bit set)
>>
>>     #!/bin/sh
>>     DEVCLASS=$1
>>     DEVNAME=$2
>>     case $DEVCLASS in
>>     2)      # disk devices
>>             disklabel=`/sbin/disklabel $DEVNAME 2>&1 | \
>>                     sed -n '/^label: /s/^label: //p'`
>>             case $disklabel in
>>             flash)  # flash drive
>>                     # ${DEVNAME}i: a bare $DEVNAMEi expands the (unset) variable DEVNAMEi
>>                     mount /dev/${DEVNAME}i /mnt/flash
>>                     ;;
>>             esac
>>             ;;
>>     3)      # network devices
>>             /sbin/dhclient $DEVNAME
>>             ;;
>>     esac
>>
>> I can mount the flash drive fine with
>>
>>     mount /dev/sd1i /mnt/flash
>>
>> Any help would be much appreciated. Thanks.
>
> I figured (from /var/log/messages) that the flash drive is mounted as JetFlash so I changed the script to reflect this and still no luck. Following the /var/log/messages after the flash drive is plugged in and also the new modified script.
>
>     Jan 29 19:40:44 red /bsd: sd1 detached
>     Jan 29 19:40:44 red /bsd: scsibus2 detached
>     Jan 29 19:40:44 red /bsd: umass0 detached
>     Jan 29 19:40:47 red /bsd: umass0 at uhub0 port 2 configuration 1 interface 0
>     Jan 29 19:40:47 red /bsd:
>     Jan 29 19:40:47 red /bsd: umass0: JetFlash Mass Storage Device, rev 2.00/1.41, addr 2
>     Jan 29 19:40:47 red /bsd: umass0: using SCSI over Bulk-Only
>     Jan 29 19:40:47 red /bsd: scsibus2 at umass0: 2 targets
>     Jan 29 19:40:47 red /bsd: sd1 at scsibus2 targ 1 lun 0: JetFlash, TS8GJFV30, 8.07 SCSI2 0/direct removable
>     Jan 29 19:40:47 red /bsd: sd1: 7799MB, 994 cyl, 255 head, 63 sec, 512 bytes/sec, 15974398 sec total
>
> Is there anything I am doing wrong? Thanks for any help.

Maybe some debugging will help (your modified script, with a log file and set -x added at the top):

    #!/bin/sh
    #
    # Maybe some debugging will help:
    #
    exec > /tmp/logfile 2>&1
    set -x
    #
    DEVCLASS=$1
    DEVNAME=$2
    case $DEVCLASS in
    2)      # disk devices
            disklabel=`/sbin/disklabel $DEVNAME 2>&1 | \
                    sed -n '/^label: /s/^label: //p'`
            case $disklabel in
            JetFlash)       # flash drive
                    # ${DEVNAME}i: a bare $DEVNAMEi expands the (unset) variable DEVNAMEi
                    mount /dev/${DEVNAME}i /mnt/flash
                    ;;
            esac
            ;;
    3)      # network devices
            /sbin/dhclient $DEVNAME
            ;;
    esac

-Heinrich
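A hardened variant of the attach script discussed above, added as an example (it is neither Chris's nor Heinrich's script): it keeps the disklabel-based dispatch from the thread but mounts only labels on an explicit allow-list, and mounts them nodev,nosuid,noexec so that a device node or setuid binary on a stranger's stick cannot be used. The parsing and decision steps are separate functions so they can be tested without a real disk; the function names and the /mnt/flash mount point are this example's own choices.

```shell
#!/bin/sh
# Hypothetical /etc/hotplug/attach (added example, not the thread's script).
# hotplugd(8) invokes it as: attach DEVCLASS DEVNAME

# Extract the "label:" field from disklabel(8) output read on stdin.
label_from_disklabel() {
    awk '$1 == "label:" {
        sub(/^label:[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }'
}

# Allow-list: only labels we recognise get a mount point. Anything else is
# left alone instead of being auto-mounted; return status 1 signals "unknown".
mountpoint_for_label() {
    case "$1" in
        JetFlash|flash) echo /mnt/flash ;;
        *) return 1 ;;
    esac
}

# Mount options for removable media we do not control:
# no device nodes, no setuid/setgid, no execution from the stick.
MOUNT_OPTS=nodev,nosuid,noexec

# Disk attach handler: look up the label, mount only if it is known.
# $1 = device name as passed by hotplugd (e.g. sd1); partition i is assumed,
# as in the thread.
attach_disk() {
    devname=$1
    label=$(/sbin/disklabel "$devname" 2>/dev/null | label_from_disklabel)
    if mp=$(mountpoint_for_label "$label"); then
        logger -t hotplug "attach: mounting /dev/${devname}i on $mp ($MOUNT_OPTS)"
        mount -o "$MOUNT_OPTS" "/dev/${devname}i" "$mp"
    else
        logger -t hotplug "attach: $devname label '$label' not on allow-list, not mounting"
    fi
}

attach() {
    case "$1" in
    2) attach_disk "$2" ;;            # disk devices
    3) /sbin/dhclient "$2" ;;         # network devices
    esac
}

# Act only when hotplugd passes DEVCLASS and DEVNAME; loading the file
# without arguments (as the tests do) defines the functions and does nothing.
if [ $# -ge 2 ]; then
    attach "$1" "$2"
fi
```

The label is data read off the device, so it is treated as untrusted input: it is only ever compared against fixed strings in a case statement and never interpolated into a path or command. The syslog line on the "not mounting" branch gives a defender a record of unknown media being plugged in.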
Re: OpenBSD as DSL Router using hostname.pppoe0?
I forgot to Cc the list, so i resend it:

Dieter Rauschenberger wrote:
> On Sat, Dec 29, 2007 at 05:16:11AM +0100, [EMAIL PROTECTED] wrote:
>> Either no developer uses aDSL at home (with a ISP forcing him to reconnect every 24 hours) or nobody uses OpenBSD as router or nobody uses the connection permanently. :-/
>
> I use the following hostname.pppoe:
>
>     inet 0.0.0.0 255.255.255.255 NONE \
>         pppoedev xl0 authproto pap \
>         authname '[EMAIL PROTECTED]' authkey 'sEcReT' up
>     dest 0.0.0.1
>     !/sbin/route add default -ifp pppoe0 0.0.0.1
>
> with xl0 as external interface (the one to which the adsl modem is connected) and the following lines in pf.conf to do NAT:
>
>     ext_if=pppoe0
>     int_if=rl0
>     nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> It's exactly the setup mentioned in the pppoe(4) EXAMPLES and the pf faq http://www.openbsd.org/faq/pf/example1.html#allrules
>
> Also my ISP disconnects after 24h, but I have no problem with NAT. It works perfect!
>
> OT: You did not ask this, but if someone wants to use dyndns in such a setup ddclient has to run as daemon and do IP detection via pppoe0:
>
>     daemon=300      # check all 5 minutes
>     use=if          # use interface to check for changes (not web, not ip)
>     if=pppoe0       # use pppoe0 interface for this
>
> Regards
> Dieter

Or use ifstated(8) and net/ipcheck as an alternative. You can also use it to flush your pf state tables.

/etc/ifstated.conf:

    init-state auto

    pppoe_up = "pppoe0.link.up"
    pppoe_down = "pppoe0.link.down"

    state auto {
        if ($pppoe_up) set-state pppoe-up
        if ($pppoe_down) set-state pppoe-down
    }

    state pppoe-up {
        init {
            run "logger pppoe up!"
            run "/root/scripts/pppoe-up.sh"
        }
        if ($pppoe_down) set-state pppoe-down
    }

    state pppoe-down {
        init {
            run "logger pppoe down!"
            # run "/root/scripts/pppoe-down.sh"
        }
        if ($pppoe_up) set-state pppoe-up
    }

/root/scripts/pppoe-up.sh:

    #!/bin/sh
    #
    logger -t pppoe-up Updating DynDNS
    ( cd /root/ipcheck && \
      /usr/local/bin/ipcheck.py -i pppoe0 username password \
      rebserv.dyndns.org )
    # 'pfctl -F states' could go here!

-Heinrich
Re: xorgcfg(1) missing on i386 snapshot 26-NOV-2007
Matthieu Herrb wrote:
> On Nov 28, 2007 5:16 PM, Heinrich Rebehn [EMAIL PROTECTED] wrote:
>> Hi list,
>>
>> the 26-NOV-2007 snapshot seems to be missing xorgcfg(1). I installed all distribution sets. Has it been deprecated?
>
> Yes. It has been deprecated in xserver 1.4. No one has maintained and updated it for the various changes in the X.Org configuration process.

Hmm, i don't quite understand: Has it been deprecated by xorg or by OpenBSD?

-Heinrich
xorgcfg(1) missing on i386 snapshot 26-NOV-2007
Hi list,

the 26-NOV-2007 snapshot seems to be missing xorgcfg(1). I installed all distribution sets. Has it been deprecated?

-Heinrich
Re: Hoe to specify multiple transform suites in ipsec.conf(5)
Damon McMahon wrote:
>> From: Heinrich Rebehn [EMAIL PROTECTED]
>> Date: 29 October 2007 9:14:16 PM
>> To: OpenBSD misc@openbsd.org
>> Subject: Hoe to specify multiple transform suites in ipsec.conf(5)
>>
>> Hello list,
>>
>> I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf. However i cannot find a syntax to specify multiple transform suites with ipsec.conf
>>
>> I tried something like:
>>
>>     ike passive esp from any to any quick enc {aes,3des}
>>
>> but it is rejected. I want something like
>>
>>     Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE
>>
>> as a result. As a workaround i can stuff it into the running configuration using isakmpd's fifo, but that is not a very robust solution.
>>
>> Specifying
>>
>>     Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE
>>
>> in isakmpd.conf does not help, because ipsecctl overrides it. Is there a way to tell ipsecctl to not specify a suite at all, so that the default is used?
>>
>> BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?
>>
>> Thanks for any hints.
>
> Heinrich,
>
> I've tried to do the same - see http://readlist.com/lists/openbsd.org/misc/12/62613.html - as of 4.1 this is not supported by ipsec.conf(5).
>
> Best wishes,
> Damon

Thanks for your reply, Damon. I missed your post when searching the archives.

You wrote that isakmpd.conf is deprecated. Obviously this is not (yet) quite so.

Kind regards,

Heinrich
Hoe to specify multiple transform suites in ipsec.conf(5)
Hello list,

I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf. However i cannot find a syntax to specify multiple transform suites with ipsec.conf

I tried something like:

    ike passive esp from any to any quick enc {aes,3des}

but it is rejected. I want something like

    Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE

as a result. As a workaround i can stuff it into the running configuration using isakmpd's fifo, but that is not a very robust solution.

Specifying

    Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE

in isakmpd.conf does not help, because ipsecctl overrides it. Is there a way to tell ipsecctl to not specify a suite at all, so that the default is used?

BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?

Thanks for any hints.

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664   Fax : -3341
ifstated(8) missing if state changes?
Hi list,

it seems that ifstated(8) sometimes does not see all events and thus fails to change state.

My setup consists of 2 boxes with 5 carp interfaces. CARP works fine, on box frw1 all are MASTER and on box frw2 all are in BACKUP state. When i bring down all carp interfaces on frw1, all get MASTER on frw2. However, ifstated(8) on frw2 does not change state.

    [EMAIL PROTECTED] [~] # cat /etc/ifstated.conf
    init-state auto

    carp_up = "carp0.link.up" && "carp1.link.up" && "carp2.link.up" && "carp3.link.up" && "carp5.link.up"
    carp_down = "carp0.link.down" || "carp1.link.down" || "carp2.link.down" || "carp3.link.down" || "carp5.link.down"

    state auto {
        if ($carp_up) set-state master
        if ($carp_down) set-state slave
    }

    state master {
        init {
            run "logger CARP up!"
            # run "/root/scripts/carp-up.sh"
        }
        if ($carp_down) set-state slave
    }

    state slave {
        init {
            run "logger CARP down!"
            # run "/root/scripts/carp-down.sh"
        }
        if ($carp_up) set-state master
    }

I did a ktrace on the ifstated(8) process on frw2 and the dump gives:

    [EMAIL PROTECTED] [~] # kdump -l | grep carp
    \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\f\0\M-w\^E\^F\0carp0\0\0^\0\^A
    \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\r\0\M-w\^E\^F\0carp1\0\0^\0\^A\v\0\
    \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\
    \0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\^A\f\0\^P\^B\0\0\M-,\^U\^A\
    \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\f\0\M-w\^E\^F\0carp0\0\0^\0\^A
    \M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\r\0\M-w\^E\^F\0carp1\0\0^\0\^A\v\0\
    \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^N\0\M-w\^E\^F\0carp2\0\0^\0\
    \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^O\0\M-w\^E\^F\0carp3\0\0^\0\
    \M^?\M^?\M^?\M^?\0\0\0\0\0\0\0\0\0\0\0\0\^T\^R\^P\0\M-w\^E\^F\0carp5\0\0^\0\

The first 3 lines show the transition from BACKUP to MASTER. carp3 and carp5 are missing! The other lines show the transition from MASTER to BACKUP. I have verified in both cases that *all* carp devices changed state with ifconfig(8).

Are there known issues with ifstated(8) or kevent(2) about lost events?

As a workaround i will change my $carp_up definition to test if *any* of the interfaces is up, but that is not a good solution.

Any clues?

Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664   Fax : -3341

    OpenBSD 4.2-stable (GENERIC) #2: Wed Oct 17 10:08:11 CEST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2 cache) 1.81 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3 cpu0: AMD erratum 89 present, BIOS upgrade may be required real mem = 536113152 (511MB) avail mem = 510750720 (487MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 11/03/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf0530 (67 entries) bios0: vendor American Megatrends Inc. version 0219 date 11/03/2005 bios0: ASUSTeK Computer Inc. A8V apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5980/192 (10 entries) pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xb000 0xcb000/0x4000!
    0xcf000/0x800 0xcf800/0x800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA K8HTB Host rev 0x00 pchb1 at pci0 dev 0 function 1 VIA K8HTB Host rev 0x00 pchb2 at pci0 dev 0 function 2 VIA K8HTB Host rev 0x00 pchb3 at pci0 dev 0 function 3 VIA K8HTB Host rev 0x00 pchb4 at pci0 dev 0 function 4 VIA K8HTB Host rev 0x00 pchb5 at pci0 dev 0 function 7 VIA K8HTB Host rev 0x00 ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) skc0 at pci0 dev 10 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Yukon Lite (0x9): irq 10 sk0 at skc0 port A: address 00:13:d4:de:cf:88 eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5 xl0 at pci0 dev 12 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, address 00:0a:5e:61:7a:2d exphy0 at xl0 phy 24: 3Com internal media interface xl1 at pci0 dev 14 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 3, address 00:0a:5e:61:7a:04 exphy1 at xl1 phy 24: 3Com internal media interface pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA pciide0: using irq 10 for native-PCI interrupt wd0 at pciide0 channel 1 drive 0: Maxtor 6V080E0 wd0: 16-sector PIO, LBA48, 76293MB, 15625 sectors wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
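The post above verifies "by hand" with ifconfig(8) that every carp interface really changed state. Here is that check as a script, added as an example (not from the post): it parses the "carp: STATE ..." status line from ifconfig output and reports any interface that is not in the expected state, which is a useful cross-check on both boxes whenever ifstated(8) and the kernel disagree. It assumes the OpenBSD ifconfig status line format shown in the constructed sample and the "carp" interface group; function names are this example's own.

```shell
#!/bin/sh
# Added example: confirm with ifconfig(8) that all carp interfaces are in
# the state ifstated(8) was expected to react to.

# Print the CARP state (MASTER, BACKUP, INIT) from one interface's
# ifconfig output read on stdin.
carp_state() {
    awk '$1 == "carp:" { print $2; exit }'
}

# Read "ifname state" pairs on stdin; print every interface that is not in
# the wanted state and exit 0 only when all of them match.
all_in_state() {
    awk -v want="$1" '$2 != want { print $1; bad = 1 } END { exit bad }'
}

# Live collection (assumes "ifconfig carp" lists the carp interface group):
# one "ifname state" line per carp interface.
collect_carp_states() {
    for ifn in $(ifconfig carp 2>/dev/null | sed -n 's/^\(carp[0-9][0-9]*\):.*/\1/p'); do
        printf '%s %s\n' "$ifn" "$(ifconfig "$ifn" | carp_state)"
    done
}

# Constructed ifconfig output for offline testing (not captured from a real box).
sample_ifconfig_carp0() {
    cat <<'EOF'
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev vlan0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
EOF
}

# Typical use from cron or an ifstated "run" action on the box that should
# be master:
#   collect_carp_states | all_in_state MASTER || logger -t carpcheck "carp split state"
```

Because the mismatching interface names go to stdout, the same pipeline can feed logger(1) or a monitoring check; a non-empty list on the backup box while the master's list is also non-empty is exactly the "both think they are MASTER" situation a firewall pair must alert on.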
CVS update aborts with No space left on device
Hi list,

when i try to update my sources using CVS i get the following error:

    ###
    Updating src
    M usr.sbin/spamdb/spamdb.c
    Updating ports
    ? editors/fte
    cvs [server aborted]: error closing CVS/Entries.Backup: No space left on device
    Done
    ###

This is the script that is started by cron:

    ###
    #!/bin/sh
    export [EMAIL PROTECTED]:/cvs
    #
    echo Updating src
    cd /usr/src
    cvs -q up -rOPENBSD_4_2 -Pd
    #
    echo Updating ports
    cd /usr/ports
    cvs -q up -rOPENBSD_4_2 -Pd
    #
    echo Done
    ###

This is my disk:

    ###
    [EMAIL PROTECTED] [~] # df -hi
    Filesystem     Size    Used   Avail Capacity iused   ifree  %iused  Mounted on
    /dev/wd0a     18.7G    6.7G   11.0G    38%   363344 2157102    14%   /
    [EMAIL PROTECTED] [~] # mount
    /dev/wd0a on / type ffs (local, softdep)
    ###

11.0G free should be enough? Any ideas?

Heinrich
CARP problem
Hi All,

I am trying to set up a carp'ed pair of firewalls and am fighting with strange CARP behavior. frw1 is i386, frw2 is amd64, but both run i386 OpenBSD 4.2. On each machine I have configured 4 vlans on the sk0 interface. The carp interfaces are configured on top of the vlan interfaces (see attachments).

Note: I had to bring down carp0 manually on frw2 to keep it from confusing our network. Therefore it is shown in INIT state.

What happens:

1. I boot frw1, it becomes MASTER on all carps - good.
2. I boot frw2, it becomes BACKUP on all carps except carp0, which becomes MASTER - bad.

Both machines think they're MASTER on carp0. Since both are complaining about "carp0: incorrect hash" I have double checked the passwords on both machines, no diff!

I brought carp2 down on frw1 and it immediately failed over to frw2, so CARP in general does work. Since all traffic is running through the same physical device and the problem is only on one carp interface I tend to rule out hardware problems. Googling showed up quite a few posts of people having problems with CARP and the "incorrect hash" message, but none really helped me.

[EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp
pass quick proto carp all no state
[EMAIL PROTECTED] [~] # pfctl -sr | grep carp
pass quick proto carp all no state

Any ideas?

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341

OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.60GHz (GenuineIntel 686-class) 2.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 1072459776 (1022MB)
avail mem = 1029386240 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/12/03, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf04a0 (68 entries)
bios0: vendor American Megatrends Inc. version 080009 date 12/12/2003
bios0: ASUSTeK Computer Inc. P4P800
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5100/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xcc000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82865G/PE/P CPU-AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 10
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 10
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci2 at ppb1 bus 2
skc0 at pci2 dev 5 function 0 3Com 3c940 rev 0x12, Yukon (0x1): irq 11
sk0 at skc0 port A: address 00:0c:6e:d8:b0:d8
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci2 dev 10 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 11, address 00:04:76:a0:43:bd
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8162B, 0015 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 5 for native-PCI interrupt
wd0 at pciide1 channel 1 drive 0: ST3320620AS
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 Intel 82801EB/ER AC97 rev 0x02: irq 11, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2
Solved: CARP problem
Heinrich Rebehn wrote: Hi All, i am trying to setup a carp'ed pair of firewalls and am fighting with strange CARP behavior. frw1 is i386, frw2 is amd64, but both run i386 OpenBSD 4.2 On each machine i have configured 4 vlans on the sk0 interface. The carp interfaces are configured on top of the vlan interfaces (see attachments). Note: i had to bring down carp0 manually on frw2 to keep it from confusing our network. Therefore it is shown in INIT state. What happens: 1. I boot frw1, it becomes MASTER on all carps - good. 2. I boot frw2, it becomes BACKUP on all carps except carp0, which becomes MASTER - bad. Both machines think they're MASTER on carp0. Since both are complaining about carp0: incorrect hash i have double checked the passwords on both machines, no diff! I brought carp2 down on frw1 and it immediately failed over to frw2, so CARP in general does work. Since all traffic is running through the same physical device and the problem is only on one carp interface i tend to rule out hardware problems. Googling showed up quite a few posts of people having problems with CARP and the incorrect hash message, but none really helped me. [EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp pass quick proto carp all no state [EMAIL PROTECTED] [~] # pfctl -sr | grep carp pass quick proto carp all no state Any ideas? 
It is really strange: As soon as I have posted the problem to the list, I seem to be able to relax and think better :-)

The solution:

On frw1:

carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
        inet 134.102.176.202 netmask 0xffffff00 broadcast 134.102.176.255

On frw2:

carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255

The alias made the difference! On frw1 I had added it in /etc/rc.conf.local because I had difficulties defining it in /etc/hostname.carp0. This was missing on frw2! Now it works.

Apologies for the noise!

--Heinrich
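The asymmetry Heinrich found is easy to miss by eye, and it matters for the "incorrect hash" message: the HMAC in a CARP advertisement is computed over the vhid and the addresses configured on the carp interface as well as the password, so a node missing one alias rejects its partner's advertisements and both go MASTER. As an added example that is not part of the thread, the POSIX shell script below summarises ifconfig(8) output per carp interface and lists the IPv4 addresses one node carries on a vhid that the other lacks. The two transcripts embedded in it are constructed from the post (with the full 0xffffff00 netmasks restored); the host names frw1/frw2 and the idea of pulling the output over ssh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the CARP interfaces two
# nodes report via ifconfig(8) and list addresses one node has on a vhid
# that its partner lacks. The transcripts below are constructed from the
# post; on a live pair feed "ssh frw1 ifconfig carp" and
# "ssh frw2 ifconfig carp" into carp_summary instead.

frw1_ifconfig() {
    cat <<'EOF'
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
        inet 134.102.176.202 netmask 0xffffff00 broadcast 134.102.176.255
EOF
}

frw2_ifconfig() {
    cat <<'EOF'
carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
EOF
}

# carp_summary: ifconfig text on stdin -> one line per carp interface:
#   <if> vhid=<n> carpdev=<parent> inet=<addr>[,<addr>...]
carp_summary() {
    awk '
    function emit() {
        if (vhid != "")
            printf "%s vhid=%s carpdev=%s inet=%s\n", ifn, vhid, dev, inet
    }
    /^[ \t]*[a-z]+[0-9]+: flags=/ {      # interface header line
        emit(); ifn = $1; sub(/:$/, "", ifn); vhid = dev = inet = ""
    }
    /^[ \t]*carp: / {                    # "carp: MASTER carpdev vlan0 vhid 10 ..."
        for (i = 1; i <= NF; i++) {
            if ($i == "vhid") vhid = $(i + 1)
            if ($i == "carpdev") dev = $(i + 1)
        }
    }
    /^[ \t]*inet / { inet = (inet == "" ? $2 : inet "," $2) }   # IPv4 only
    END { emit() }
    '
}

# carp_missing A B: for each vhid in summary file A, print "<if> <addr>" for
# every IPv4 address that the same vhid in summary file B does not carry.
carp_missing() {
    while read -r ifn vhid dev inet; do
        other=$(awk -v v="$vhid" '$2 == v' "$2")
        other_inet=${other##*inet=}
        for a in $(echo "${inet#inet=}" | tr ',' ' '); do
            case ",$other_inet," in
                *",$a,"*) ;;
                *) echo "$ifn $a" ;;
            esac
        done
    done < "$1"
}

# missing_on_frw2: addresses frw1 has on a vhid that frw2 lacks.
missing_on_frw2() {
    tmp=$(mktemp -d) || return 1
    frw1_ifconfig | carp_summary > "$tmp/frw1"
    frw2_ifconfig | carp_summary > "$tmp/frw2"
    carp_missing "$tmp/frw1" "$tmp/frw2"
    rm -rf "$tmp"
}

missing_on_frw2
```

Run it in both directions (A against B, then B against A) to catch an alias that exists only on the backup; a password mismatch does not show up in ifconfig at all, so an empty result from this check does not rule it out.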
Re: NFS exporting /usr/ports and -maproot=root
Landry Breuil wrote:

On 10/19/07, Jan Stary [EMAIL PROTECTED] wrote:

Again: set WRKOBJDIR on the client side and you don't need to be writing in the remotely mounted tree at all.

I'm already setting WRKOBJDIR outside nfs-dir, the problem is more for /usr/ports/packages .. i'd like it to be shared too, to install the same package on various sparc64 for example. And this dir needs to be root-writable, as it uses sudo..

You also need to set DISTDIR and PKGREPOSITORYBASE - see examples in the FAQ.

I know several workarounds and tweaks like this exist :) I just want to understand why this setup doesn't work. I'd put it outside nfs if I don't find a solution, but btw I'm more interested in understanding why -maproot=root doesn't work in my case

Send your complete server:/etc/exports, client:/etc/fstab, verbose log of server:mountd, server:nfsd, and a full (-s 65000) tcpdump of the communication.

server is spud, client for tests is renton (10.246.200.10).

server:/etc/exports:
/nfsroot/net_sparc64 -ro allison
/nfsroot/open_sparc64 -ro swanney
/usr/ports -maproot=0:0 renton swanney lizzy

Since you only have one filesystem ( / ), you are exporting this very same filesystem -ro and -rw to swanney. I am not sure this will work, and may have funny side effects. Try removing swanney from the /usr/ports line.

Just an idea at 22:50 local time :-)

--Heinrich

client fstab:
spud:/usr/ports /usr/ports nfs rw,nosuid 0 0

mountd -d output:
Got line /nfsroot/net_sparc64 -ro allison
Making new ep fs=0x0,0xfc214a5e
doing opt -ro allison
got host allison
exporting /nfsroot/net_sparc64
Got line /nfsroot/open_sparc64 -ro swanney
Found ep fs=0x0,0xfc214a5e
doing opt -ro swanney
got host swanney.fr.homeunix.org
exporting /nfsroot/open_sparc64
Got line /usr/ports -maproot=0:0 renton swanney lizzy
Found ep fs=0x0,0xfc214a5e
doing opt -maproot=0:0 renton swanney lizzy
got host renton.fr.homeunix.org
got host swanney.fr.homeunix.org
got host lizzy.fr.homeunix.org
exporting /usr/ports
exporting /usr/ports
exporting /usr/ports
unexporting / /
Getting mount list.
Here we go.
Got mount request from 10.246.200.10
rpcpath: /usr/ports
Mount successful for /usr/ports by 10.246.200.10.

(here I've run sudo mount /usr/ports on the client)

renton:~/ $ls -ld /usr/ports
drwxrwxr-x 47 root wsrc 1024 Oct 19 19:12 /usr/ports
(same on client and server)

renton:~/ $id
uid=1000(landry) gid=1000(landry) groups=1000(landry), 0(wheel), 9(wsrc)
renton:~/ $touch /usr/ports/test
renton:~/ $

Here I have tcpdump output (same for server and client) for this successful file creation:

19:56:29.030254 renton.695 > spud.nfsd: xid 0xbb06905b (NFSv3) 112 lookup fh 33,252/664798720 test
19:56:29.030771 spud.nfsd > renton.695: xid 0xbb06905b reply ok 116 lookup ERROR: No such file or directory
19:56:29.030843 renton.695 > spud.nfsd: xid 0xbb069116 (NFSv3) 112 lookup fh 33,252/664798720 test
19:56:29.031099 spud.nfsd > renton.695: xid 0xbb069116 reply ok 116 lookup ERROR: No such file or directory
19:56:29.031131 renton.695 > spud.nfsd: xid 0xbb069170 (NFSv3) 144 create fh 33,252/664798720 test
19:56:29.033013 spud.nfsd > renton.695: xid 0xbb069170 reply ok 268 create fh 33,252/3064333824
19:56:29.033097 renton.695 > spud.nfsd: xid 0xbb069202 (NFSv3) 104 getattr fh 33,252/3064333824
19:56:29.033363 spud.nfsd > renton.695: xid 0xbb069202 reply ok 112 getattr REG 644 ids 1000/9 sz 0x0

Now I try to update attrs, it fails:

renton:~/ $sudo touch /usr/ports/test
touch: /usr/ports/test: Permission denied

19:57:52.066602 renton.695 > spud.nfsd: xid 0xbb0692d4 (NFSv3) 128 lookup fh 33,252/664798720 test
19:57:52.067288 spud.nfsd > renton.695: xid 0xbb0692d4 reply ok 236 lookup fh 33,252/3064333824
19:57:52.067380 renton.695 > spud.nfsd: xid 0xbb069303 (NFSv3) 124 access fh 33,252/664798720 0002
19:57:52.067688 spud.nfsd > renton.695: xid 0xbb069303 reply ok 120 access c 0002
19:57:52.067725 renton.695 > spud.nfsd: xid 0xbb0693f4 (NFSv3) 148 setattr fh 33,252/3064333824
19:57:52.068015 spud.nfsd > renton.695: xid 0xbb0693f4 reply ok 144 setattr ERROR: Permission denied
19:57:52.068051 renton.695 > spud.nfsd: xid 0xbb06947e (NFSv3) 124 access fh 33,252/664798720 0002
19:57:52.068299 spud.nfsd > renton.695: xid 0xbb06947e reply ok 120 access c 0002
19:57:52.068326 renton.695 > spud.nfsd: xid 0xbb06952e (NFSv3) 148 setattr fh 33,252/3064333824
19:57:52.068605 spud.nfsd > renton.695: xid 0xbb06952e reply ok 144 setattr ERROR: Permission denied

Now I try to create another file, it fails:

renton:~/ $sudo touch /usr/ports/test2
touch: /usr/ports/test2: Permission denied

19:58:24.546477 renton.695 > spud.nfsd: xid 0xbb0695bf (NFSv3) 132 lookup fh 33,252/664798720 test2
19:58:24.547033 spud.nfsd > renton.695: xid 0xbb0695bf reply ok 116 lookup ERROR: No such file or directory
19:58:24.547166 renton.695 > spud.nfsd: xid 0xbb06960d (NFSv3) 132 lookup fh 33,252/664798720 test2
19:58:24.547430 spud.nfsd > renton.695: xid 0xbb06960d reply ok 116 lookup ERROR: No such file or directory
CARP devices do not see IP broadcasts #2
I tried this again on real hardware - same result. Is this expected behavior?

Hi list,

In order to get familiar with CARP, I have set up a playground with 3 machines under vmware. I noticed that the CARP devices do not see any IP broadcasts, so this would make CARP unusable for a DHCP server or anything else that needs to respond to IP broadcasts. Is this expected behavior or may this be just a vmware anomaly? (Yes, I did chmod 666 /dev/vmnet*) I did not see anything about this in the docs.

Attached is the ifconfig output of one CARP machine plus its dmesg.

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pcn0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:b9:64:69
        media: Ethernet autoselect (autoselect)
        inet6 fe80::20c:29ff:feb9:6469%pcn0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
vlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
        lladdr 00:0c:29:b9:64:69
        vlan: 10 priority: 0 parent interface: pcn0
        groups: vlan
        inet6 fe80::20c:29ff:feb9:6469%vlan0 prefixlen 64 scopeid 0x4
vlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
        lladdr 00:0c:29:b9:64:69
        vlan: 11 priority: 0 parent interface: pcn0
        groups: vlan
        inet6 fe80::20c:29ff:feb9:6469%vlan1 prefixlen 64 scopeid 0x5
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 1
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0x6
        inet 134.102.176.170 netmask 0xffffff00 broadcast 134.102.176.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0b
        carp: MASTER carpdev vlan1 vhid 11 advbase 1 advskew 1
        groups: carp
        inet6 fe80::200:5eff:fe00:10b%carp1 prefixlen 64 scopeid 0x7
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255

OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (AuthenticAMD 686-class, 1024KB L2 cache) 2.32 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD erratum 89 present, BIOS upgrade may be required
real mem = 267939840 (255MB)
avail mem = 251437056 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xdc000/0x4000! 0xe0000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: VMware Virtual IDE Hard Drive
wd0: 64-sector PIO, LBA, 1024MB, 2097152 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: NECVMWar, VMware IDE CDR10, 1.00 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 VMware Virtual SVGA II rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
bha3 at pci0 dev 16 function 0 BusLogic MultiMaster rev 0x01: irq 11, BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus1 at bha3: 8 targets
pcn0 at pci0 dev 17 function 0 AMD 79c970 PCnet-PCI rev 0x10, Am79c970A, rev 0: irq 9, address 00:0c:29:b9:64:69
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot
Re: spamd: sync and db backup/restore
Olli Hauer wrote:

Jacob Yocom-Piatt wrote:

swapped out a spamd host last night and ended up doing some ksh scripting to get the spamdb up to date on the new machine. also have connected the old host with the new one using the sync (-y -Y) options for spamd and spamlogd, and these options are working fine and are quite neat.

a couple of questions come to mind after having done this:

- is there a better way to migrate a spamd database from one machine to the other without using scripts like

pfctl -t spamd-white -T show | sed 's/ //g' > spamd-white.clean.txt   (on old host)
for i in `cat spamd-white.clean.txt`; do spamd -a $i; done;           (on new host)

to do the job?

- is it feasible or desirable to have a merge on start switch for spamd/spamlogd synced hosts? i'm thinking something like the -s switch in ntpd so that you can fully sync-up two spamd hosts in the following situations: (1) one host starts from scratch and pulls the entire database from the other one (2) one host goes down for a while and needs to catch-up with its fellow synced spamd hosts once restored

it's not clear to me whether case (2) is already taken care of.

also noticed that there was no mention of what port the synchronization uses between machines, but tcpdump-ing makes it clear that it occurs on the usual spamd port, 8025 UDP.

cheers, jake

Just copy /var/db/spamd from the old to the new host, so you get all other information as well (WHITE, SPAMTRAP, GREY, expire records).

Can I reliably copy /var/db/spamd while spamd/spamlogd are still running or must they be stopped first?

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341
CARP devices do not see IP broadcasts
Hi list,

In order to get familiar with CARP, I have set up a playground with 3 machines under vmware. I noticed that the CARP devices do not see any IP broadcasts, so this would make CARP unusable for a DHCP server or anything else that needs to respond to IP broadcasts. Is this expected behavior or may this be just a vmware anomaly? (Yes, I did chmod 666 /dev/vmnet*) I did not see anything about this in the docs.

Attached is the ifconfig output of one CARP machine plus its dmesg.

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pcn0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:b9:64:69
        media: Ethernet autoselect (autoselect)
        inet6 fe80::20c:29ff:feb9:6469%pcn0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
vlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
        lladdr 00:0c:29:b9:64:69
        vlan: 10 priority: 0 parent interface: pcn0
        groups: vlan
        inet6 fe80::20c:29ff:feb9:6469%vlan0 prefixlen 64 scopeid 0x4
vlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
        lladdr 00:0c:29:b9:64:69
        vlan: 11 priority: 0 parent interface: pcn0
        groups: vlan
        inet6 fe80::20c:29ff:feb9:6469%vlan1 prefixlen 64 scopeid 0x5
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 1
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0x6
        inet 134.102.176.170 netmask 0xffffff00 broadcast 134.102.176.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0b
        carp: MASTER carpdev vlan1 vhid 11 advbase 1 advskew 1
        groups: carp
        inet6 fe80::200:5eff:fe00:10b%carp1 prefixlen 64 scopeid 0x7
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255

OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (AuthenticAMD 686-class, 1024KB L2 cache) 2.32 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD erratum 89 present, BIOS upgrade may be required
real mem = 267939840 (255MB)
avail mem = 251437056 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version 6.00 date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xdc000/0x4000! 0xe0000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: VMware Virtual IDE Hard Drive
wd0: 64-sector PIO, LBA, 1024MB, 2097152 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: NECVMWar, VMware IDE CDR10, 1.00 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 VMware Virtual SVGA II rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
bha3 at pci0 dev 16 function 0 BusLogic MultiMaster rev 0x01: irq 11, BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus1 at bha3: 8 targets
pcn0 at pci0 dev 17 function 0 AMD 79c970 PCnet-PCI rev 0x10, Am79c970A, rev 0: irq 9, address 00:0c:29:b9:64:69
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
Re: ipsec with carp
Patrick Hemmen wrote:

Ok. Before using carp/sasyncd the IPSEC tunnel had worked. The isakmpd daemon listens on all interfaces/ip addresses. I am illustrating my set up:

vpngw01: 10.10.10.101
                        carp: 10.10.10.1 -- INTERNET -- remote gateway: 192.168.1.1
vpngw02: 10.10.10.102

Remove the IP addresses from the physical interfaces. The master will then use 10.10.10.1 as source address. Use the carpdev clause in ifconfig to specify the physical interface used for carp. Note however that the machine will no longer respond to broadcast packets.

-- Heinrich

My machines are vpngw01 and 02. The IPSEC tunnel is negotiated between the addresses 10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish the IPSEC connection with the non-carp address 10.10.10.101. The other side is in passive mode.

Thanks for the replies.

Patrick

Brian A. Seklecki schrieb:

Also:

1) Does the documentation in ipsec(4) / isakmpd.conf(5) / sasyncd.conf(5) imply that all policies / security associations should be between the CARP HA L3 address?
2) Is your isakmpd(8) binding to wildcard address?
3) Did this problem evolve with the implementation of sasyncd(8) or did your IPSEC never work?

~BAS

On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:

Patrick Hemmen wrote:

Hello all,

I have two OpenBSD machines for a redundancy VPN-Gateway. They use carp to share one IP-Address and sasyncd to synchronize SAs and SPDs. I set up an ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't established and the error PAYLOAD_MALFORMED appears in the logs. With tcpdump I can see that the initial packet (isakmp v1.0 exchange ID_PROT) to establish the tunnel comes from the host IP-Address and not from the carp address.

Thanks in advance.

Patrick

Maybe it's the humidity. Maybe it's something in your ipsec.conf file. Based on the info you have provided so far, both seem to be about as like as each other ;)

ipsec.conf
ifconfig -A
maybe a quote from your dumps
and perhaps a bit of logging info

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341
Re: redirecting output to a file in the remote machine while executing command on the remote machine using ssh
Siju George wrote:

Hi

I wrote a script and am trying to run this command

/usr/bin/ssh 172.16.2.26 -l root diff /usr/logs/fw/squid/access.log /usr/logs/fw/squid/access.log.bak > /usr/logs/fw/squid/access.log.`date +%Y%m%d`

on 172.16.2.26 from another machine 172.17.2.0

However the file ( access.log.`date +%Y%m%d` ) gets created on the machine where the script is executed ( i.e 172.17.2.0 ) and not on the machine where the command is executed using ssh ( i.e 172.16.2.26 )

What should I do to get the redirected output to be got in a file on 172.16.2.26 ?

Thank you so much

Kind Regards

Siju

$ ssh [EMAIL PROTECTED] 'remote_command > remote_logfile'

Note the single ticks, without them redirection is done by the local shell.

--Heinrich
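Heinrich's answer comes down to which shell parses the ">". ssh(1) joins its trailing arguments with single spaces into one string and sshd(8) hands that string to the remote login shell with -c, so an unquoted redirection or backtick expansion is consumed by the local shell before ssh ever runs. As an added example that is not part of the thread, the POSIX shell script below replaces the ssh hop with a local fake_ssh function that does exactly that joining and re-parsing, so the unquoted and the quoted form from the post can be run side by side without a remote host. The host name gw and the two scratch directories standing in for the local and remote filesystems are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce why "ssh host cmd > file"
# writes the file locally while ssh host 'cmd > file' writes it remotely.
# fake_ssh stands in for ssh(1)+sshd(8): argv joined with spaces, then
# re-parsed by a shell on the "remote" side. Both sides are scratch
# directories on this machine.

LOCAL_ROOT=$(mktemp -d)
REMOTE_ROOT=$(mktemp -d)
trap 'rm -rf "$LOCAL_ROOT" "$REMOTE_ROOT"' EXIT

# fake_ssh <host> <args...>: what ssh does with the rest of its command line
fake_ssh() {
    shift                                  # drop the host name (unused here)
    cmd="$*"                               # argv joined with single spaces
    ( cd "$REMOTE_ROOT" && sh -c "$cmd" )  # remote login shell re-parses it
}

# where_is <name>: report which side ended up with the file
where_is() {
    if [ -f "$REMOTE_ROOT/$1" ]; then echo remote
    elif [ -f "$LOCAL_ROOT/$1" ]; then echo local
    else echo nowhere
    fi
}

# Case 1: unquoted, as in the post. The local shell applies the ">" to
# fake_ssh's stdout; the remote side only ever runs "echo hello".
demo_unquoted() {
    ( cd "$LOCAL_ROOT" && fake_ssh gw echo hello > access.log.unquoted )
    where_is access.log.unquoted
}

# Case 2: single quotes keep the whole command line as one argument, so the
# remote shell sees the ">" and creates the file on its side.
demo_quoted() {
    ( cd "$LOCAL_ROOT" && fake_ssh gw 'echo hello > access.log.quoted' )
    where_is access.log.quoted
}

# Case 3: the same holds for the date suffix in the post: quoted, the
# $(date ...) is expanded by the remote shell, with the remote clock.
demo_quoted_date() {
    ( cd "$LOCAL_ROOT" && fake_ssh gw 'echo hello > access.log.$(date +%Y%m%d)' )
    where_is "access.log.$(date +%Y%m%d)"
}

echo "unquoted:    $(demo_unquoted)"
echo "quoted:      $(demo_quoted)"
echo "quoted date: $(demo_quoted_date)"
```

Single quotes are the simplest fix; if the remote command itself needs literal single quotes, a here-document fed to ssh's stdin, or passing the script with -s to a remote sh, avoids nested quoting.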
Re: Missing x*42.tgz installation file sets from i386 binary snapshots
Adriaan wrote:

On 8/1/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

Adriaan [EMAIL PROTECTED] writes:

There are no X installation file sets for i386 snapshots.

Don't slashdot it just yet. I think we can be reasonably sure that even on i386, OpenBSD 4.2 will ship with installable X binaries. For one reason or the other the x* parts did not get built or at least did not make it onto the FTP servers. I'd wait a few days and enjoy the new, improved ones when they do appear.

I regularly test binary snapshots and packages. I just wanted to report something like I did with http://marc.info/?l=openbsd-miscm=118550373919943w=2 . Just wondered if they could be related, or whether it was a mirroring issue.

With the dependency of some packages on the expat XML parser in xbase42.tgz, you really cannot install some binary snapshot packages when xbase42.tgz isn't there

=Adriaan=

Aaahhh! That's why I cannot install bash under snapshot!

--Heinrich
SOLVED? Re: 4.0 -> 4.1 broke ipsec
Heinrich Rebehn wrote:

Hello list,

after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore. I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/isakmpd/private/local.pub to /etc/isakmpd

Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.

111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 00
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:
111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION

Verifying the cert by hand:

[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

Making sure that the gateway uses the same ca crt:

[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

I will happily post more information if needed, but I am unsure if I can post the output of "openssl x509 -text ..." of a cert. Would this enable someone else to use it?

Thanks for any hints

Heinrich

Ok, it's running now. The cause was not the move from 4.0 -> 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs. This runs just fine, except for isakmpd: It silently does not read any certificates from a NFS mounted directory. After moving /etc/isakmpd to a ramdisk, ipsec runs fine as well.

Question: Is this a bug or a feature? If it is a feature, it really should be documented. If it is a bug, I am unable to fix it. I started digging into isakmpd's sources, but failed to further trace things in monitor.c's forking and privilege separation.

Regards,

Heinrich
Re: 4.0 -> 4.1 broke ipsec
Almir Karic wrote:

pf is probably the problem, 'keep state' is assumed unless explicitly stated otherwise.

On 7/6/07, Heinrich Rebehn [EMAIL PROTECTED] wrote:

Hello list,

after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore. I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/isakmpd/private/local.pub to /etc/isakmpd

Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.

111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 00
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:
111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION

Verifying the cert by hand:

[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

Making sure that the gateway uses the same ca crt:

[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

I will happily post more information if needed, but I am unsure if I can post the output of "openssl x509 -text ..." of a cert. Would this enable someone else to use it?

Thanks for any hints

Heinrich

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341

But how should "keep state" be harmful for ipsec? Why would it cause verification of the certs to fail? Just tried passing port 500 and 4500 with "no state". Does not help.

--Heinrich
4.0 - 4.1 broke ipsec
Hello list,

after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore.
I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/imakmpd/private/local.pub to /etc/isakmpd

Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.

111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 00
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:
111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION

Verifying the cert by hand:

[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

Making sure that the gateway uses the same ca crt:

[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

I will happily post more information if needed, but I am unsure if I can post the output of "openssl x509 -text ..." of a cert. Would this enable someone else to use it?

Thanks for any hints

Heinrich

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :              -3341
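The two log lines that matter in this thread, "x509_hash_find: no certificate matched query" and "x509_cert_validate: unable to get local issuer certificate", both come from the same step: the responder looks up a CA whose subject hash equals the issuer hash of the received cert, and only then tries to build a chain. The script below is an added example written for this archive page; it is not code from the thread or from isakmpd. It builds a throwaway PKI with constructed names (demo-ca, other-ca, peer.example.invalid) and runs both checks against the right CA and against an unrelated one, so the poster's "openssl verify ... OK" result can be compared with what a CA mismatch looks like (openssl verify then prints the same "unable to get local issuer certificate" text isakmpd logged).

```shell
#!/bin/sh
# Added example (not from the thread, not isakmpd code): reproduce the two
# checks behind "x509_hash_find: no certificate matched query" and
# "x509_cert_validate: unable to get local issuer certificate" on a
# throwaway PKI. All names (demo-ca, other-ca, peer.example.invalid) are
# constructed for this demo; nothing here touches a real /etc/isakmpd.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two unrelated self-signed CAs plus one peer cert issued by demo-ca.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=other-ca" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=peer.example.invalid" \
        -keyout "$WORK/peer.key" -out "$WORK/peer.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/peer.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/peer.crt" >/dev/null 2>&1
}

# issuer_matches CA LEAF: prints "match" when LEAF's issuer hash equals CA's
# subject hash. This is the hash lookup isakmpd performs against the certs in
# /etc/isakmpd/ca; a miss is what "no certificate matched query" reports.
issuer_matches() {
    leaf_issuer=$(openssl x509 -noout -issuer_hash -in "$2")
    ca_subject=$(openssl x509 -noout -subject_hash -in "$1")
    if [ "$leaf_issuer" = "$ca_subject" ]; then echo match; else echo nomatch; fi
}

# chain_ok CA LEAF: prints "OK" when openssl can build a chain from LEAF to CA
# (the by-hand "openssl verify -CAfile" check from the thread, with the exit
# status captured instead of read off the screen), "FAIL" otherwise.
chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_demo_pki
echo "issuing CA : hash lookup $(issuer_matches "$WORK/ca.crt" "$WORK/peer.crt"), verify $(chain_ok "$WORK/ca.crt" "$WORK/peer.crt")"
echo "other CA   : hash lookup $(issuer_matches "$WORK/other.crt" "$WORK/peer.crt"), verify $(chain_ok "$WORK/other.crt" "$WORK/peer.crt")"
```

Run against a real deployment, the same two functions take the gateway's CA file and the peer's cert: a "nomatch" means the CA on the gateway is not the one that signed the peer cert, whatever its md5 says; "match" with "FAIL" points at something else in the chain (validity dates, a missing intermediate, or the cert directory not being the one the daemon reads).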
sk(4): Marvell 88E1011 not working with 4.1
[...] rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: irq 11
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xc2
pci2 at ppb1 bus 2
skc0 at pci2 dev 5 function 0 "3Com 3c940" rev 0x12, Yukon (0x1): irq 11
sk0 at skc0 port A, address 00:0c:6e:d8:b0:d8
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci2 dev 10 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 11, address 00:04:76:a0:43:bd
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <DMA FD>
wd0: 1-sector PIO, LBA, 495MB, 1014048 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: irq 11, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83627THF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff65 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
PXE boot MAC address 00:04:76:a0:43:bd, interface xl0
nfs_boot: using interface xl0, with revarp & bootparams
nfs_boot: client_addr=192.168.34.100
nfs_boot: server_addr=192.168.34.1 hostname=frw1
root on 192.168.34.1:/data/root/frw1
nfs_boot: mountd swap, error=13
WARNING: no swap
swapmount: no device

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :              -3341
Which address is used when sending via CARP?
Hi all,

using the following setup:

# ifconfig vlan0
vlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:d4:de:cf:88
        vlan: 16 priority: 0 parent interface: sk0
        groups: vlan
        inet6 fe80::213:d4ff:fede:cf88%vlan0 prefixlen 64 scopeid 0x7
        inet 134.102.176.251 netmask 0xff00 broadcast 134.102.176.255
# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xc
        inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

When the machine sends packets out, they carry 134.102.176.251 as source address, not 134.102.176.250. Is this expected behavior? How can I change that?
I noticed that the route to the 134.102.176.0/24 network points to vlan0, not carp0. Is this correct?

Thanks for any info,

Heinrich

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :              -3341
Re: pxeboot hanging on WRAP board
Stuart Henderson wrote:

> On 2007/06/22 12:15, Heinrich Rebehn wrote:
>> Stuart Henderson wrote:
>>> On 2007/06/22 09:59, Heinrich Rebehn wrote:
>>>> i am trying to get my new WRAP board to boot via pxe. pxeboot loads fine but seems to stall at the point where memory should be probed.
>>>
>>> enable the serial console in $TFTPROOT/etc/boot.conf.
>>
>> I tried that, but the WRAP does not even try to access etc/boot.conf at this time (according to tcpdump(1) on the server). Also, pxeboot hangs in the middle of the "probing:..." line.
>
> Try a new etherboot from rom-o-matic.net then, you'll need to piece it together with the files from wbios11.zip on pcengines.ch and xmodem it across. You'll need to use the options detailed in README.TXT in rom-o-matic (they're in a different order to listed now, the console ones are at the bottom of the web page).
>
> I have successfully booted pxeboot from 4.1 on a WRAP.1E with Etherboot 5.4.3

I have updated Etherboot to 5.4.3 and I can now boot bsd.rd, but only after appending 2 dummy bytes to pxeboot (saw this somewhere on the net).

Thanks to all who helped!

--Heinrich
Re: howto set nfsbootdevname for nfsroot?
Tom Cosgrove wrote:

> Heinrich Rebehn 25-Jun-07 13:57
>> Tom Cosgrove wrote:
>>> Sorry, one last thing: I find a dmesg from a (presumably unsuccessful) boot via xl0. Could you post that, too?
>>>
>>> So far it looks like the xl0 boot is correctly getting the right MAC address, so we need to find why it's not getting through to the NFS code.
>>>
>>> Thanks
>>>
>>> Tom
>>
>> The dmesg that I sent was from a successful boot via sk0. To post an unsuccessful boot's dmesg, I would have to type everything from the screen. What exactly do you want to know?
>
> Do you not have a serial console on this box?
>
> I'd like to double-check the NIC lines and the lines around the point it fails. It really should be printing out "PXE boot MAC address ...", even on 4.1.
>
> Could you also post your exact kernel config file?
>
> And finally: it's worth trying this with GENERIC, too, particularly from -current (i.e. a snapshot) since that should be able to do this automatically.

I was not aware that GENERIC can also deal with nfsroot. In fact, it works perfectly with -stable! The problem shows when I change GENERIC to include "root on nfs swap on nfs":

[EMAIL PROTECTED] [~/src/sys/arch/i386/conf] # diff DISKLESS GENERIC
42,43c42
< #config		bsd	swap generic
< config		bsd	root on nfs swap on nfs
---
> config		bsd	swap generic

The dmesgs for both cases are attached (installed a serial console :-) )

--Heinrich

[demime 1.01d removed an attachment of type application/octet-stream which had a name of xl0-GENERIC-stable]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of xl0-DISKLESS-stable]
howto set nfsbootdevname for nfsroot?
Hi list,

I have successfully set up a client for diskless(8) booting. However, this works only when booting from the first (onboard) nic. When I use another nic, the kernel still tries to do revarp from the first nic, which fails.

sys/nfs/nfs_boot.c offers a possibility to override the default search:

	/*
	 * Find a network interface.
	 */
	if (nfsbootdevname)
		ifp = ifunit(nfsbootdevname);
	else
		<search loop> ...

but where/how can I set nfsbootdevname? The boot.conf(8) manpage talks about passing options to the kernel via "set howto". Could I use that?

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :              -3341
Re: howto set nfsbootdevname for nfsroot?
Reyk Floeter wrote:

> hi!
>
> On Mon, Jun 25, 2007 at 11:50:03AM +0200, Heinrich Rebehn wrote:
>> I have successfully set up a client for diskless(8) booting. However, this works only when booting from the first (onboard) nic. When I use another nic, the kernel still tries to do revarp from the first nic, which fails.
>>
>> sys/nfs/nfs_boot.c offers a possibility to override the default search:
>>
>> 	/*
>> 	 * Find a network interface.
>> 	 */
>> 	if (nfsbootdevname)
>> 		ifp = ifunit(nfsbootdevname);
>> 	else
>> 		<search loop> ...
>>
>> but where/how can I set nfsbootdevname? The boot.conf(8) manpage talks about passing options to the kernel via "set howto". Could I use that?
>
> you cannot set the nfsbootdevname as a kernel option. it is filled in by autoconf. for example, pxeboot passes the mac address of its boot interface and autoconf looks up the matching network interface in sys/arch/i386/i386/autoconf.c
>
> ---snip---
> #if defined(NFSCLIENT)
> 	if (bios_bootmac) {
> 		extern char *nfsbootdevname;
> 		struct ifnet *ifp;
>
> 		mountroot = nfs_mountroot;
> 		printf("PXE boot MAC address %s, ",
> 		    ether_sprintf(bios_bootmac->mac));
> 		for (ifp = TAILQ_FIRST(&ifnet); ifp != NULL;
> 		    ifp = TAILQ_NEXT(ifp, if_list)) {
> 			if ((ifp->if_type == IFT_ETHER ||
> 			    ifp->if_type == IFT_FDDI) &&
> 			    bcmp(bios_bootmac->mac,
> 			    ((struct arpcom *)ifp)->ac_enaddr,
> 			    ETHER_ADDR_LEN) == 0)
> 				break;
> 		}
> 		if (ifp) {
> 			nfsbootdevname = ifp->if_xname;
> 			printf("interface %s\n", nfsbootdevname);
> 		} else
> 			printf("no interface selected\n");
> 		return;
> 	}
> #endif
> ---snap---
>
> reyk

Hmm, at least in my case this does not seem to work. I have not much C experience, but should nfsbootdevname not be declared extern in sys/nfs/nfs_boot.c as well?

--Heinrich
Re: howto set nfsbootdevname for nfsroot?
Heinrich Rebehn wrote:

> Reyk Floeter wrote:
>> hi!
>>
>> On Mon, Jun 25, 2007 at 11:50:03AM +0200, Heinrich Rebehn wrote:
>>> I have successfully set up a client for diskless(8) booting. However, this works only when booting from the first (onboard) nic. When I use another nic, the kernel still tries to do revarp from the first nic, which fails.
>>>
>>> sys/nfs/nfs_boot.c offers a possibility to override the default search:
>>>
>>> 	/*
>>> 	 * Find a network interface.
>>> 	 */
>>> 	if (nfsbootdevname)
>>> 		ifp = ifunit(nfsbootdevname);
>>> 	else
>>> 		<search loop> ...
>>>
>>> but where/how can I set nfsbootdevname? The boot.conf(8) manpage talks about passing options to the kernel via "set howto". Could I use that?
>>
>> you cannot set the nfsbootdevname as a kernel option. it is filled in by autoconf. for example, pxeboot passes the mac address of its boot interface and autoconf looks up the matching network interface in sys/arch/i386/i386/autoconf.c
>>
>> ---snip---
>> #if defined(NFSCLIENT)
>> 	if (bios_bootmac) {
>> 		extern char *nfsbootdevname;
>> 		struct ifnet *ifp;
>>
>> 		mountroot = nfs_mountroot;
>> 		printf("PXE boot MAC address %s, ",
>> 		    ether_sprintf(bios_bootmac->mac));
>> 		for (ifp = TAILQ_FIRST(&ifnet); ifp != NULL;
>> 		    ifp = TAILQ_NEXT(ifp, if_list)) {
>> 			if ((ifp->if_type == IFT_ETHER ||
>> 			    ifp->if_type == IFT_FDDI) &&
>> 			    bcmp(bios_bootmac->mac,
>> 			    ((struct arpcom *)ifp)->ac_enaddr,
>> 			    ETHER_ADDR_LEN) == 0)
>> 				break;
>> 		}
>> 		if (ifp) {
>> 			nfsbootdevname = ifp->if_xname;
>> 			printf("interface %s\n", nfsbootdevname);
>> 		} else
>> 			printf("no interface selected\n");
>> 		return;
>> 	}
>> #endif
>> ---snap---
>>
>> reyk
>
> Hmm, at least in my case this does not seem to work. I have not much C experience, but should nfsbootdevname not be declared extern in sys/nfs/nfs_boot.c as well?

I also do not see any output from the printf's above. Maybe bios_bootmac is not true? NFSCLIENT *is* defined. Config is GENERIC with "root on nfs swap on nfs". I am attaching a dmesg from a successful boot from the onboard nic.

--Heinrich

OpenBSD 4.1-stable (DISKLESS) #0: Fri Jun 22 10:41:43 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/DISKLESS
cpu0: AMD Athlon(tm) 64 Processor 3000+ ("AuthenticAMD" 686-class, 512KB L2 cache) 1.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD erratum 89 present, BIOS upgrade may be required
real mem = 536113152 (523548K)
avail mem = 481468416 (470184K)
using 4278 buffers containing 26931200 bytes (26300K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 11/03/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf0530 (67 entries)
bios0: ASUSTeK Computer Inc. A8V
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5980/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x800 0xcb800/0x800 0xcc000/0x1000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA K8HTB Host" rev 0x00
pchb1 at pci0 dev 0 function 1 "VIA K8HTB Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA K8HTB Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA K8HTB Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA K8HTB Host" rev 0x00
pchb5 at pci0 dev 0 function 7 "VIA K8HTB Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA K8HTB AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage 128 Pro TF" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
skc0 at pci0 dev 10 function 0 "Marvell Yukon 88E8001/8003/8010" rev 0x13, Yukon Lite (0x9): irq 10
sk0 at skc0 port A, address 00:13:d4:de:cf:88
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
xl0 at pci0 dev 12 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 10, address 00:0a:5e:61:7a:2d
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 14 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 3, address 00:0a:5e:61:7a:04
exphy1 at xl1 phy 24: 3Com internal media interface
pciide0 at pci0 dev 15 function 0 "VIA VT6420 SATA" rev 0x80: DMA
pciide0: using irq 10 for native-PCI interrupt
wd0 at pciide0 channel 1 drive 0: <Maxtor 6V080E0>
wd0: 16-sector PIO, LBA48, 76293MB, 15625 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133
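The autoconf.c loop Reyk quoted decides the boot interface in one of three ways: the boot loader handed over a MAC and a NIC carries it (nfsbootdevname is set), a MAC was handed over but nothing matches ("no interface selected"), or bios_bootmac was never set, in which case no "PXE boot MAC address" line is printed at all and nfs_boot.c falls through to its own default search, which is the symptom in this thread. The script below is an added example for this archive page, not OpenBSD code and not from the thread; it re-implements that decision in awk over saved dmesg text so the outcome can be checked from a log instead of off the console. The NIC and PXE line formats are those shown in the dmesgs above; the three sample inputs are constructed from the NIC lines of the dmesg in this message.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD code): given dmesg text,
# report which interface the autoconf.c loop quoted above would leave in
# nfsbootdevname. Prints the interface name on a MAC match, "none" when a boot
# MAC was passed but no attached NIC carries it ("no interface selected"),
# and "unset" when there is no "PXE boot MAC address" line, i.e. bios_bootmac
# was NULL and nfs_boot.c runs its default search instead.
nfsbootdev() {
    printf '%s\n' "$1" | awk '
        # NIC attach lines end in "address xx:xx:xx:xx:xx:xx", for example
        #   sk0 at skc0 port A, address 00:13:d4:de:cf:88
        /^[a-z]+[0-9]+ at .* address [0-9a-f:]+$/ {
            macs[tolower($NF)] = $1
        }
        # Boot loader hand-over, as printed by autoconf.c:
        #   PXE boot MAC address 00:0a:5e:61:7a:2d, interface xl0
        /^PXE boot MAC address / {
            boot = tolower($5)
            sub(/,$/, "", boot)
            have_boot = 1
        }
        END {
            if (!have_boot)        print "unset"
            else if (boot in macs) print macs[boot]
            else                   print "none"
        }'
}

# Constructed samples, assembled from the NIC lines of the dmesg above.
NICS='skc0 at pci0 dev 10 function 0 "Marvell Yukon 88E8001/8003/8010" rev 0x13, Yukon Lite (0x9): irq 10
sk0 at skc0 port A, address 00:13:d4:de:cf:88
xl0 at pci0 dev 12 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 10, address 00:0a:5e:61:7a:2d
xl1 at pci0 dev 14 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 3, address 00:0a:5e:61:7a:04'

# pxeboot ran on xl0 and passed its MAC.
SAMPLE_MATCH="$NICS
PXE boot MAC address 00:0a:5e:61:7a:2d, interface xl0"

# A MAC was passed (the WRAP board's, from another thread) that no NIC here owns.
SAMPLE_NOMATCH="$NICS
PXE boot MAC address 00:0d:b9:07:90:e0, no interface selected"

# No hand-over line at all: the kernel never saw bios_bootmac.
SAMPLE_NOPXE="$NICS"

for s in "$SAMPLE_MATCH" "$SAMPLE_NOMATCH" "$SAMPLE_NOPXE"; do
    echo "nfsbootdevname would be: $(nfsbootdev "$s")"
done
```

The "unset" case is the one worth recognising when reading a saved dmesg: with no "PXE boot MAC address" line the kernel had nothing to match against, so whichever NIC the default search picks first is the one that sends the revarp, regardless of which NIC pxeboot came in on.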
pxeboot hanging on WRAP board
Hi list,

i am trying to get my new WRAP board to boot via pxe. pxeboot loads fine but seems to stall at the point where memory should be probed. I use pxeboot 4.1. Adding two bytes to it as suggested in http://marc.info/?l=openbsd-misc&m=117978591113386&w=2 did not help.

Any idea what's wrong?

Thank you for your time,

Heinrich

PC Engines WRAP.1C/1D/1E v1.11
640 KB Base Memory
130048 KB Extended Memory

01F0 - no drive found !

ROM segment 0xe000 length 0x8000 reloc 0x0002
Etherboot 5.3.12 (GPL) http://etherboot.org
Drivers: NATSEMI   Images: NBI PXE   Exports: PXE
Relocating _text from: [00089370,0009b230) to [07eee140,07f0)
Boot from (N)etwork (D)isk or (Q)uit? N
Probing pci nic...
[dp83815] natsemi_probe: MAC addr 00:0D:B9:07:90:E0 at ioaddr 0X1000
natsemi_probe: Vendor:0X100B Device:0X0020
dp83815: Transceiver default autoneg. enabled, advertise 100 full duplex.
dp83815: Transceiver status 7869 advertising 05E1
dp83815: Setting full-duplex based on negotiated link capability.
Searching for server (DHCP)...
Me: 134.102.176.51, Server: 134.102.176.16, Gateway 134.102.176.250
Loading 134.102.176.16:/pxeboot (PXE)done
probing: pc0 com0 pci pxe![2.1]      <== stalls here!

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :              -3341
Re: pxeboot hanging on WRAP board
Stuart Henderson wrote:

> On 2007/06/22 09:59, Heinrich Rebehn wrote:
>> i am trying to get my new WRAP board to boot via pxe. pxeboot loads fine but seems to stall at the point where memory should be probed.
>
> enable the serial console in $TFTPROOT/etc/boot.conf.

I tried that, but the WRAP does not even try to access etc/boot.conf at this time (according to tcpdump(1) on the server). Also, pxeboot hangs in the middle of the "probing:..." line.

--Heinrich
Re: Problems with vpn roadwarriors using the same public ip
carlopmart wrote:

> Matthias Bertschy wrote:
>> carlopmart wrote:
>>> Hi all,
>>>
>>> I have a very strange problem. I am using an OpenBSD 4.1 with isakmpd config (isakmpd.conf and isakmpd.policy) to establish vpn connections for my roadwarrior clients. When two roadwarrior clients use the same public ip, only one client can connect, the other cannot. Roadwarriors use the greenbow client.
>>>
>>> Does somebody know how I can fix this???
>>>
>>> Many thanks.
>>
>> Hello,
>>
>> I have the same problem with racoon on Linux 2.6, when a second client connects to IPSEC thru NAT, the first one loses his connection.
>> I don't know if it is related to IPSEC, or a bug in both isakmpd and racoon; but I haven't found a fix yet.
>>
>> Matthias Bertschy
>
> I think that I found a solution. I have put "Share-SADB = Define" in the General config in isakmpd.conf, and it seems that it works now ... But, is this ok? Does somebody know if using this option can produce a security hole?? I believe that sharing SAs between clients could not be a good solution
>
> Thanks.

Where did you get this "Share-SADB = Define" from? I have not found it in the manpage

--Heinrich
Re: Problems with vpn roadwarriors using the same public ip
carlopmart wrote:

> Heinrich Rebehn wrote:
>> carlopmart wrote:
>>> Matthias Bertschy wrote:
>>>> carlopmart wrote:
>>>>> Hi all,
>>>>>
>>>>> I have a very strange problem. I am using an OpenBSD 4.1 with isakmpd config (isakmpd.conf and isakmpd.policy) to establish vpn connections for my roadwarrior clients. When two roadwarrior clients use the same public ip, only one client can connect, the other cannot. Roadwarriors use the greenbow client.
>>>>>
>>>>> Does somebody know how I can fix this???
>>>>>
>>>>> Many thanks.
>>>>
>>>> Hello,
>>>>
>>>> I have the same problem with racoon on Linux 2.6, when a second client connects to IPSEC thru NAT, the first one loses his connection.
>>>> I don't know if it is related to IPSEC, or a bug in both isakmpd and racoon; but I haven't found a fix yet.
>>>>
>>>> Matthias Bertschy
>>>
>>> I think that I found a solution. I have put "Share-SADB = Define" in the General config in isakmpd.conf, and it seems that it works now ... But, is this ok? Does somebody know if using this option can produce a security hole?? I believe that sharing SAs between clients could not be a good solution
>>>
>>> Thanks.
>>
>> Where did you get this "Share-SADB = Define" from? I have not found it in the manpage
>>
>> --Heinrich
>
> Sorry, I meant "Shared-SADB" ...

Yes, I see it in src/sys/sbin/isakmpd/pf_key_v2.c, but where is it documented? What exactly does it do?
I am asking because I have a similar problem: 2 peers behind a NAT firewall connecting to an outside IPSec Gateway, one sometimes throwing out the other one.

--Heinrich
Re: Sound not working on VIA EPIA-CN 10000EG
Heinrich Rebehn wrote:

> Heinrich Rebehn wrote:
>> Hi list,
>>
>> I have a VIA EPIA-CN 1EG board with a C7 CPU and I cannot get sound to work. Doing a
>>
>> # cat anyFile > /dev/audio
>>
>> only produces a high sounding beep, the length of which depends on the size of the file. Using /dev/sound produces the same. I can control the volume via /dev/mixer, though it is *very* low. System beeps however come loud and clear.
>>
>> [EMAIL PROTECTED] [~] # mixerctl -a
>> outputs.master=255,231
>> outputs.master.mute=off
>> outputs.mono=255
>> outputs.mono.mute=off
>> outputs.mono.source=mixerout
>> outputs.headphones=255,255
>> outputs.headphones.mute=off
>> outputs.bass=255
>> outputs.treble=255
>> inputs.speaker=175
>> inputs.speaker.mute=off
>> inputs.phone=191
>> inputs.phone.mute=on
>> inputs.mic=191
>> inputs.mic.mute=on
>> inputs.mic.preamp=off
>> inputs.mic.source=mic0
>> inputs.line=215,215
>> inputs.line.mute=on
>> inputs.cd=191,191
>> inputs.cd.mute=off
>> inputs.video=255,255
>> inputs.video.mute=off
>> inputs.aux=119,119
>> inputs.aux.mute=on
>> inputs.dac=223,223
>> inputs.dac.mute=off
>> record.source=mic
>> record.volume=255,255
>> record.volume.mute=off
>> record.mic=0
>> record.mic.mute=off
>> outputs.loudness=off
>> outputs.spatial=off
>> outputs.spatial.center=0
>> outputs.spatial.depth=0
>> outputs.surround=255,255
>> outputs.surround.mute=off
>> outputs.center=255
>> outputs.center.mute=off
>> outputs.lfe=255
>> outputs.lfe.mute=off
>> outputs.extamp=off
>>
>> The kernel is GENERIC w/ ACPI enabled. Using GENERIC makes no difference.
>>
>> Any ideas?
>>
>> Heinrich Rebehn
>> University of Bremen
>> Physics / Electrical and Electronics Engineering
>> - Department of Telecommunications -
>> Phone : +49/421/218-4664
>> Fax   :              -3341
>>
>> OpenBSD 4.0-stable (ACPI) #0: Tue Mar 6 10:56:08 CET 2007
>>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/ACPI
>> cpu0: VIA Esther processor 1000MHz ("CentaurHauls" 686-class) 1 GHz
>> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
>> cpu0: unknown Enhanced SpeedStep CPU, msr 0x08100a1308000a13
>> cpu0: using only highest and lowest power states
>> cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 1000, 800 MHz
>> cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
>> real mem = 1006137344 (982556K)
>> avail mem = 909615104 (888296K)
>> using 4256 buffers containing 50409472 bytes (49228K) of memory
>> mainbus0 (root)
>> bios0 at mainbus0: AT/286+(c7) BIOS, date 06/16/06, BIOS32 rev. 0 @ 0xfa960, SMBIOS rev. 2.3 @ 0xf0800 (26 entries)
>> apm0 at bios0: Power Management spec V1.2
>> apm0: AC on, battery charge unknown
>> apm0: flags 70102 dobusy 1 doidle 1
>> pcibios0 at bios0: rev 2.1 @ 0xf/0xdd14
>> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdc60/176 (9 entries)
>> pcibios0: bad IRQ table checksum
>> pcibios0: PCI BIOS has 9 Interrupt Routing table entries
>> pcibios0: PCI Exclusive IRQs: 5 10 11
>> pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
>> pcibios0: PCI bus #1 is the last bus
>> bios0: ROM list: 0xc/0xf200 0xd/0x8000! 0xd8000/0x2800
>> acpi0 at mainbus0: rev 0
>> acpi0: tables DSDT FACP
>> acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> acpibtn0 at acpi0: PWRB
>> acpibtn1 at acpi0: SLPB
>> acpicpu0 at acpi0: CPU0: 1000, 800 MHz
>> cpu0 at mainbus0
>> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
>> pchb0 at pci0 dev 0 function 0 "VIA CN700 Host" rev 0x00
>> pchb1 at pci0 dev 0 function 1 "VIA CN700 Host" rev 0x00
>> pchb2 at pci0 dev 0 function 2 "VIA CN700 Host" rev 0x00
>> pchb3 at pci0 dev 0 function 3 "VIA PT890 Host" rev 0x00
>> pchb4 at pci0 dev 0 function 4 "VIA CN700 Host" rev 0x00
>> pchb5 at pci0 dev 0 function 7 "VIA CN700 Host" rev 0x00
>> ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
>> pci1 at ppb0 bus 1
>> vga1 at pci1 dev 0 function 0 "VIA S3 Unichrome PRO IGP" rev 0x01: aperture at 0xf400, size 0x1000
>> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
>> pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
>> wd0 at pciide0 channel 0 drive 0: <FUJITSU MHV2120AT>
>> wd0: 16-sector PIO, LBA, 114473MB, 234441648 sectors
>> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
>> pciide0: channel 1 disabled (no drives)
>> uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 10
>> usb0 at uhci0: USB revision 1.0
>> uhub0 at usb0
>> uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
>> uhub0: 2 ports with 2 removable, self powered
>> uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 10
>> usb1 at uhci1: USB revision 1.0
>> uhub1 at usb1
>> uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
>> uhub1: 2 ports with 2 removable, self powered
>> uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 11
>> usb2 at uhci2: USB revision 1.0
>> uhub2 at usb2
>> uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
>> uhub2: 2 ports with 2 removable, self powered
>> uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 11
>> usb3 at uhci3: USB revision 1.0
>> uhub3 at usb3
>> uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
>> uhub3: 2 ports with 2 removable, self powered
>> ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB"
Sound not working on VIA EPIA-CN 10000EG
Hi list,

I have a VIA EPIA-CN 1EG board with a C7 CPU and I cannot get sound to work. Doing a

# cat anyFile > /dev/audio

only produces a high sounding beep, the length of which depends on the size of the file. Using /dev/sound produces the same. I can control the volume via /dev/mixer, though it is *very* low. System beeps however come loud and clear.

[EMAIL PROTECTED] [~] # mixerctl -a
outputs.master=255,231
outputs.master.mute=off
outputs.mono=255
outputs.mono.mute=off
outputs.mono.source=mixerout
outputs.headphones=255,255
outputs.headphones.mute=off
outputs.bass=255
outputs.treble=255
inputs.speaker=175
inputs.speaker.mute=off
inputs.phone=191
inputs.phone.mute=on
inputs.mic=191
inputs.mic.mute=on
inputs.mic.preamp=off
inputs.mic.source=mic0
inputs.line=215,215
inputs.line.mute=on
inputs.cd=191,191
inputs.cd.mute=off
inputs.video=255,255
inputs.video.mute=off
inputs.aux=119,119
inputs.aux.mute=on
inputs.dac=223,223
inputs.dac.mute=off
record.source=mic
record.volume=255,255
record.volume.mute=off
record.mic=0
record.mic.mute=off
outputs.loudness=off
outputs.spatial=off
outputs.spatial.center=0
outputs.spatial.depth=0
outputs.surround=255,255
outputs.surround.mute=off
outputs.center=255
outputs.center.mute=off
outputs.lfe=255
outputs.lfe.mute=off
outputs.extamp=off

The kernel is GENERIC w/ ACPI enabled. Using GENERIC makes no difference.

Any ideas?

Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :              -3341

OpenBSD 4.0-stable (ACPI) #0: Tue Mar 6 10:56:08 CET 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/ACPI
cpu0: VIA Esther processor 1000MHz ("CentaurHauls" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
cpu0: unknown Enhanced SpeedStep CPU, msr 0x08100a1308000a13
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 1000, 800 MHz
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
real mem = 1006137344 (982556K)
avail mem = 909615104 (888296K)
using 4256 buffers containing 50409472 bytes (49228K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c7) BIOS, date 06/16/06, BIOS32 rev. 0 @ 0xfa960, SMBIOS rev. 2.3 @ 0xf0800 (26 entries)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdd14
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdc60/176 (9 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 9 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xf200 0xd/0x8000! 0xd8000/0x2800
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
acpicpu0 at acpi0: CPU0: 1000, 800 MHz
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA CN700 Host" rev 0x00
pchb1 at pci0 dev 0 function 1 "VIA CN700 Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA CN700 Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA PT890 Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA CN700 Host" rev 0x00
pchb5 at pci0 dev 0 function 7 "VIA CN700 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA S3 Unichrome PRO IGP" rev 0x01: aperture at 0xf400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <FUJITSU MHV2120AT>
wd0: 16-sector PIO, LBA, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 5
usb4 at ehci0: USB revision 2.0
uhub4
Re: Sound not working on VIA EPIA-CN 10000EG
Heinrich Rebehn wrote:

Hi list,

I have a VIA EPIA-CN 1EG board with a C7 CPU and i cannot get sound to work. Doing a

    # cat anyFile > /dev/audio

only produces a high sounding beep, the length of which depends on the size of the file. Using /dev/sound produces the same. I can control the volume via /dev/mixer, though it is *very* low. System beeps however come loud and clear.

    # mixerctl -a
    outputs.master=255,231
    outputs.master.mute=off
    outputs.mono=255
    outputs.mono.mute=off
    outputs.mono.source=mixerout
    outputs.headphones=255,255
    outputs.headphones.mute=off
    outputs.bass=255
    outputs.treble=255
    inputs.speaker=175
    inputs.speaker.mute=off
    inputs.phone=191
    inputs.phone.mute=on
    inputs.mic=191
    inputs.mic.mute=on
    inputs.mic.preamp=off
    inputs.mic.source=mic0
    inputs.line=215,215
    inputs.line.mute=on
    inputs.cd=191,191
    inputs.cd.mute=off
    inputs.video=255,255
    inputs.video.mute=off
    inputs.aux=119,119
    inputs.aux.mute=on
    inputs.dac=223,223
    inputs.dac.mute=off
    record.source=mic
    record.volume=255,255
    record.volume.mute=off
    record.mic=0
    record.mic.mute=off
    outputs.loudness=off
    outputs.spatial=off
    outputs.spatial.center=0
    outputs.spatial.depth=0
    outputs.surround=255,255
    outputs.surround.mute=off
    outputs.center=255
    outputs.center.mute=off
    outputs.lfe=255
    outputs.lfe.mute=off
    outputs.extamp=off

The kernel is GENERIC w/ ACPI enabled. Using GENERIC makes no difference.

Any ideas?
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax :-3341
VIA-CPUs crypto support for IPSec
Hi list,

i plan to buy an SBC for a small home server which should support IPSec encryption. I would like to get at least 5MB/s samba/nfs via IPSec from local disk and the system should be low power (< 20W) and fanless.

I read that the VIA CPUs have crypto support built in. I am a bit unsure however, which CPU is actually supported by OpenBSD and which ones support the different ciphers used by IPSec. All i know so far is that C3 stepping >= 8 is fully supported. But what about the other CPUs?

C7: Work in progress?
Core Fusion: ?
Eden: ?

Another question: some VIA CPUs only show RNG AES in dmesg, SHA and RSA are missing. Are these CPUs able to accelerate IPsec at all?

This is quite a few questions, but i have not yet found a comparison of the CPUs w/r to encryption support :-)

Thanks for any info or pointers.

--
Heinrich Rebehn
Harddisk slow
Hi list,

on my Soekris 4801-60 i have a FUJITSU MHV2120AT running as slave. The performance is poor:

    # time dd if=100Mb.dat of=/dev/null
    204800+0 records in
    204800+0 records out
    104857600 bytes transferred in 11.980 secs (8752083 bytes/sec)
    real    0m12.042s
    user    0m0.789s
    sys     0m10.383s

8.7 MB/sec really is not much. What worries me more, is that vmstat shows ~90% sys for the cpu while reading from the disk. This suggests that the disk is not accessed in DMA mode, although dmesg talks about UDMA2.

How can i verify that the disk is running in DMA mode?

Config:

Thanks for any help :-)

--
Heinrich Rebehn
No HD DMA? (Was: Harddisk slow)
Szentivanyi Matyas wrote:

Hi Heinrich!

I think it's almost the best speed you can achieve from the device. I've got the same type of Soekris with a SAMSUNG HM080HC HDD (which is the slave). This HDD supports perpendicular recording (http://en.wikipedia.org/wiki/Perpendicular_recording). Higher data recording density means bigger transfer speeds. I'm running Gentoo Linux with kernel version 2.6.18 on the Soekris. Here are the results:

    soekris ~ # dd if=/home/100mb.dat of=/dev/null
    204800+0 records in
    204800+0 records out
    104857600 bytes (105 MB) copied, 7.7067 seconds, 13.6 MB/s

(The CPU usage is also 100% here while the reading is done. I've been using ext3 filesystem.)

Cheers,
Matyas

Hi Matyas,

attaching the drive to a notebook via an IDE/USB converter easily yields 20 MB/s. So the drive *is* faster. While i could live with 8 MB/s i cannot accept the high CPU usage. It seems to make the installed crypto accelerator almost ineffective because the interrupts cannot be served fast enough. I suspect that the disk is not running in DMA mode. Is there any tool to verify that (like Linux's hdparm)?

Cheers,
Heinrich
Re: USB printer not working
Heinrich Rebehn wrote:

Hi all,

i just received a Soekris 4801 which i want to use as a file and print server. However, i cannot get the printer to work. For testing purposes i am using a HP Deskjet 600 connected via a USB/Parallel cable. When i connect the printer it shows up as:

    ulpt0 at uhub0 port 1 configuration 1 interface 0
    ulpt0: Prolific Technology Inc. IEEE-1284 Controller, rev 1.00/2.02, addr 2, iclass 7/1
    ulpt0: using bi-directional mode

Trying to access the printer:

    # echo Hello World > /dev/ulpt0
    -bash: /dev/ulpt0: Resource temporarily unavailable
    # echo Hello World > /dev/ulpt0
    -bash: /dev/ulpt0: Device busy

Further attempts always yield Device busy. The printer is working fine on another machine under Windows and Linux. The soekris' USB port seems to be ok too, since i can access a USB stick. Browsing the web only showed some old posts saying that this used to work with 2.8 :-(. The FAQ says nothing about printing at all.

Am i missing something? Anything to configure? dmesg is attached.

Thanks for any help :-)

For the records: Connecting the USB/Parallel adapter cable via a USB HUB works. So does using a real USB printer. So it seemed to be a USB power problem.

--Heinrich
Which crypto card for Soekris 4801?
Hi all,

which crypto cards actually work in a soekris 4801 under OpenBSD? I thought about buying a vpn1411, but have read about problems with corrupted mac, which don't seem to be resolved so far. This is a bit confusing: http://www.openbsd.org/i386.html states that the board is supported, so does the soekris website. However: http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html suggests that it's not.

So my question: Which PCI/MiniPCI card does actually work? I want to use it to accelerate IPSec.

Thank you very much for any info. Without hardware encryption this box is too slow for my use and i will have to return it to my dealer.

Regards,
Heinrich Rebehn
Re: Which crypto card for Soekris 4801?
Christian Ney wrote:

Hi Heinrich,

I thought about buying a vpn1411, but have read about problems with corrupted mac, which don't seem to be resolved so far. This is a bit confusing: http://www.openbsd.org/i386.html states that the board is supported, so does the soekris website. However: http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html suggests that it's not.

Although I can't tell you which card actually works, I can (partly) confirm the corrupted mac-thingie: My WRAP-firewall is running 4.0-stable and a VPN1411. From time to time, running ssh-sessions will simply die and spit out

    Disconnecting: Corrupted MAC on input.

Everything else works, but it's rather confusing editing pf.conf and seeing your connection dying. If you don't have to configure your device every 5 minutes or so, this shouldn't be a showstopper.

No, i don't. I want to use the box as a fileserver at home and have the WLAN traffic encrypted with IPsec or OpenVPN. I do not know how robust both of them are w.r.t. intermittent corrupted mac errors. Unrecoverable hangs during file transfers would of course be quite annoying. Maybe i will simply give it a try..

Hope that helps...

Yes, thanks very much.

Chris

Heinrich
Re: Which crypto card for Soekris 4801?
Christopher Snell wrote:

On 1/15/07, Heinrich Rebehn wrote:

Hi all, which crypto cards actually work in a soekris 4801 under OpenBSD?

You're going to have a hard time finding supported Mini-PCI cards, other than the HiFn stuff. Instead, check out the Commel motherboards: http://www.commell-sys.com/Product/SBC/ITX-662.HTM This one has the C3 chip which is listed as supported here: http://www.openbsd.org/crypto.html#hardware If it's performance that you're after, you're going to have a struggle with that Soekris.

Chris

Thanks for your reply. Performance is of course relative. ATM i am getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less than my WLAN can handle (54 Mbit/s) and also less than the speed of the HDD (~70 Mbit/s). So a working VPN1411 would really help. I will see if i can get more from IPsec.

This one has the C3 chip which is listed as supported here:

The Hi/fn 7955 is also listed as supported.. ;-)

Cheers,
Heinrich
USB printer not working
Hi all,

i just received a Soekris 4801 which i want to use as a file and print server. However, i cannot get the printer to work. For testing purposes i am using a HP Deskjet 600 connected via a USB/Parallel cable. When i connect the printer it shows up as:

    ulpt0 at uhub0 port 1 configuration 1 interface 0
    ulpt0: Prolific Technology Inc. IEEE-1284 Controller, rev 1.00/2.02, addr 2, iclass 7/1
    ulpt0: using bi-directional mode

Trying to access the printer:

    # echo Hello World > /dev/ulpt0
    -bash: /dev/ulpt0: Resource temporarily unavailable
    # echo Hello World > /dev/ulpt0
    -bash: /dev/ulpt0: Device busy

Further attempts always yield Device busy. The printer is working fine on another machine under Windows and Linux. The soekris' USB port seems to be ok too, since i can access a USB stick. Browsing the web only showed some old posts saying that this used to work with 2.8 :-(. The FAQ says nothing about printing at all.

Am i missing something? Anything to configure? dmesg is attached.

Thanks for any help :-)

Heinrich Rebehn
Re: Symbolic link insecure?
Prabhu Gurumurthy wrote:

Heinrich Rebehn wrote:

Hi list,

i am getting a daily insecurity report from my system saying:

    Checking special files and directories.
    Output format is:
            filename:
                    criteria (shouldbe, reallyis)
    etc/pf.conf:
            type (file, link)
            permissions (0600, 0755)

I am actually using a symbolic link for /etc/pf.conf:

    ls -l /etc/pf.conf*
    lrwxr-xr-x  1 root  wheel     11 Nov 30 17:04 /etc/pf.conf -> pf.conf.001
    -rw-------  1 root  wheel  10529 Nov 14 10:18 /etc/pf.conf.000
    -rw-------  1 root  wheel  10582 Nov 30 18:12 /etc/pf.conf.001

I do this in order to save different versions of the file. My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? I could use hard links instead of soft links as a workaround, but then one cannot as easily see where the link points to.

Sorry if this might sound like nitpicking, but i do not want to get used to ignoring security warnings.

Thanks for any help,

Heinrich Rebehn

Two things, use rcs.. that saves you headaches, instead of multiple versions of file, use one file, with multiple diffs.. Other the email is really about the sym link as others pointed out. If you use RCS you can have the versioning system in place as you already have it, although in a scalable way IMO, and no /etc/security email about shouldbe, reallyis

HTH
Prabhu

Thanks for mentioning rcs. I have given it a try and it seems to be what i was looking for. I had heard about rcs before and thought that it would be overkill for managing config files, but i obviously mixed it up with cvs(1)

--Heinrich
Symbolic link insecure?
Hi list,

i am getting a daily insecurity report from my system saying:

    Checking special files and directories.
    Output format is:
            filename:
                    criteria (shouldbe, reallyis)
    etc/pf.conf:
            type (file, link)
            permissions (0600, 0755)

I am actually using a symbolic link for /etc/pf.conf:

    ls -l /etc/pf.conf*
    lrwxr-xr-x  1 root  wheel     11 Nov 30 17:04 /etc/pf.conf -> pf.conf.001
    -rw-------  1 root  wheel  10529 Nov 14 10:18 /etc/pf.conf.000
    -rw-------  1 root  wheel  10582 Nov 30 18:12 /etc/pf.conf.001

I do this in order to save different versions of the file. My question: Is a symbolic link really insecure? Or is this just a deficiency of /etc/security? I could use hard links instead of soft links as a workaround, but then one cannot as easily see where the link points to.

Sorry if this might sound like nitpicking, but i do not want to get used to ignoring security warnings.

Thanks for any help,

Heinrich Rebehn
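The check behind the insecurity report above, written as an added example (my code, not OpenBSD's /etc/security script): it uses lstat() like the real check, so a symlink in place of pf.conf is reported as type (file, link), and it additionally stat()s the link target, since that is the file that holds the ruleset. The directory layout from the post is constructed in a temporary directory; the spec dictionary is a stand-in for /etc/mtree/special.

```python
"""Added example: minimal re-implementation of the /etc/security
special-files check.  Not OpenBSD's own script."""
import os
import stat
import tempfile

# Constructed spec in the spirit of /etc/mtree/special (not the real file):
# relative path -> (expected type, expected mode)
SPEC = {"pf.conf": ("file", 0o600)}


def file_type(st):
    """Map an lstat() result to the type names the insecurity report uses."""
    if stat.S_ISLNK(st.st_mode):
        return "link"
    if stat.S_ISDIR(st.st_mode):
        return "dir"
    if stat.S_ISREG(st.st_mode):
        return "file"
    return "other"


def check_special(root, spec):
    """Return (path, criterion, shouldbe, reallyis) tuples for every mismatch."""
    findings = []
    for rel, (want_type, want_mode) in spec.items():
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)          # do not follow links, like /etc/security
        except FileNotFoundError:
            findings.append((rel, "exists", "yes", "no"))
            continue
        have_type = file_type(st)
        if have_type != want_type:
            findings.append((rel, "type", want_type, have_type))
        if have_type == "link":
            # The link's own mode is meaningless; inspect what it points at.
            tmode = stat.S_IMODE(os.stat(path).st_mode)
            if tmode != want_mode:
                findings.append((rel + " (target)", "permissions",
                                 "%04o" % want_mode, "%04o" % tmode))
        else:
            mode = stat.S_IMODE(st.st_mode)
            if mode != want_mode:
                findings.append((rel, "permissions",
                                 "%04o" % want_mode, "%04o" % mode))
    return findings


def demo():
    """Constructed layout from the post: pf.conf -> pf.conf.001, copies 0600.

    Returns findings for three cases: the symlink as posted, the hard-link
    workaround the post mentions, and a symlink whose target was loosened
    to 0644 (the case a plain lstat() check would not notice).
    """
    with tempfile.TemporaryDirectory() as root:
        for name in ("pf.conf.000", "pf.conf.001"):
            p = os.path.join(root, name)
            with open(p, "w") as fh:
                fh.write("block all\n")
            os.chmod(p, 0o600)
        link = os.path.join(root, "pf.conf")
        target = os.path.join(root, "pf.conf.001")

        os.symlink("pf.conf.001", link)
        as_posted = check_special(root, SPEC)

        os.unlink(link)
        os.link(target, link)            # hard link: a regular file to lstat()
        hard_link = check_special(root, SPEC)

        os.unlink(link)
        os.symlink("pf.conf.001", link)
        os.chmod(target, 0o644)          # target now readable by everyone
        loose_target = check_special(root, SPEC)
    return as_posted, hard_link, loose_target


def format_report(findings):
    """Render findings in the 'filename: criteria (shouldbe, reallyis)' style."""
    return "\n".join("%s:\n\t%s (%s, %s)" % f for f in findings)


if __name__ == "__main__":
    for label, found in zip(("symlink", "hard link", "loose target"), demo()):
        print("== %s ==" % label)
        print(format_report(found) or "(no findings)")
```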
OpenVPN server writes to /etc
Hi list,

I have openvpn-2.0.6 running as server on OpenBSD-current as of 9-OCT-2006. I noticed that it is creating files in /etc/openvpn:

    # ls -l /etc/openvpn
    total 48
    -rw-r--r--  1 root  wheel   3820 Oct 11 14:27 antvpn.crt
    -rw-------  1 root  wheel    891 Oct 11 14:27 antvpn.key
    -rw-r--r--  1 root  wheel   1184 Oct 11 14:27 ca.crt
    -rw-r--r--  1 root  wheel    245 Oct 11 14:45 dh1024.pem
    -rw-------  1 root  daemon    16 Oct 23 16:22 ipp.txt
    -rw-------  1 root  daemon   232 Oct 23 16:26 openvpn-status.log
    -r--r--r--  1 root  bin     9976 Oct 11 15:51 server.conf

It is the files ipp.txt and openvpn-status.log. My question: is it good habit at all to write to /etc? Since my router is running from USB-flash i normally have the root fs readonly and only /var, /tmp and /dev on a ramdisk. Shouldn't openvpn write to /var/db or /var/log?

Greetings,

Heinrich Rebehn
Re: OpenVPN server writes to /etc
Martin Gignac wrote:

On 10/23/06, Heinrich Rebehn wrote:

Shouldn't openvpn write to /var/db or /var/log?

I don't know if these locations can be hardcoded at compile time, but from the stock OpenBSD OpenVPN package that I use (2.0.6) it seems that files will be read/written relative to the CWD when the process was started. I usually specify an absolute path for the 'ifconfig-pool-persist' and 'status' parameters so that files are written to /var/db and /var/log.

-Martin

Thanks for your reply, Martin. Seems it is time to have a closer look at the 100 cmdline switches of openvpn ;-)

--Heinrich
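A small config check for the behaviour Martin describes, added here as an example (not part of OpenVPN or of the OpenBSD package): it resolves every file-writing directive the way the daemon would, relative to its working directory or to a preceding 'cd', and flags paths that land outside the runtime-writable trees the poster listed. The two server.conf fragments are constructed, not the poster's actual file.

```python
"""Added example: flag OpenVPN directives that write to a relative path."""
import posixpath

# OpenVPN options whose first argument is a file the daemon writes to.
WRITING_DIRECTIVES = ("status", "ifconfig-pool-persist", "log",
                      "log-append", "writepid")

# Trees writable at runtime on the poster's box (ramdisk); /etc is read-only.
WRITABLE_ROOTS = ("/var", "/tmp", "/dev")


def parse_directives(text):
    """Yield (directive, [args]) for each non-comment line of a config."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def find_writes(text, cwd):
    """Return [(directive, configured path, effective path, ok)].

    A relative path resolves against the directory the daemon runs in:
    `cwd` at start-up, or whatever a later 'cd' directive switched to.
    `ok` is True when the effective path lies under a writable root.
    """
    result = []
    base = cwd
    for directive, args in parse_directives(text):
        if directive == "cd" and args:
            base = posixpath.normpath(posixpath.join(base, args[0]))
        if directive in WRITING_DIRECTIVES and args:
            effective = posixpath.normpath(posixpath.join(base, args[0]))
            ok = any(effective == r or effective.startswith(r + "/")
                     for r in WRITABLE_ROOTS)
            result.append((directive, args[0], effective, ok))
    return result


# Constructed fragments: the weak form (relative paths, daemon started from
# /etc/openvpn) and the corrected form with absolute paths.
AS_POSTED = """\
port 1194
proto udp
dev tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
"""

FIXED = """\
port 1194
proto udp
dev tun
ifconfig-pool-persist /var/db/openvpn/ipp.txt 600
status /var/log/openvpn-status.log 10
"""


def demo(cwd="/etc/openvpn"):
    """Run the check over both constructed fragments."""
    return find_writes(AS_POSTED, cwd), find_writes(FIXED, cwd)


if __name__ == "__main__":
    for label, rows in zip(("as posted", "fixed"), demo()):
        print("== %s ==" % label)
        for directive, configured, effective, ok in rows:
            print("%-22s %-32s -> %-36s %s" % (directive, configured, effective,
                                               "ok" if ok else "WRITES TO READ-ONLY FS"))
```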
Solved: IPSec traffic stalls with large chunks of data
Matthew Closson wrote:

On Tue, 25 Jul 2006, Heinrich Rebehn wrote:

Matthew Closson wrote:

On Mon, 24 Jul 2006, Heinrich Rebehn wrote:

Hi list,

I am running into a strange problem with IPSec, MTU? fragmentation? which i am unable to resolve.

My Setup: @home i have one PC which connects to our institute network with IPSec. The PC connects to the internet via a DSL modem using Linux/PPPoE or Windows XP/SP2. This has been running fine for years now. Last week i bought a Netgear WTG624V3 WLAN router in order to allow our notebook to connect to the internet too. This router is now connected between the PC and the DSL modem and does the job of bringing up the internet connection with PPPoE.

IPSec from my PC still works, but the symptoms are as follows:

- The tunnel is brought up and i can use it to ssh to our institute's firewall/ipsec gateway. On the gateway (OpenBSD 3.8), i can work in the shell as long as i want, but as soon as i do a ls -lR / or something else that produces large output, the connection is stalled. However, the tunnel is still usable, i can do a 2nd ssh and continue working. This leads me to the conclusion that it cannot be a rekeying issue. Under the second login, i can see both connections:

    # netstat -anptcp | grep 192.168.1.2
    tcp   0     48  134.102.176.250.22   192.168.1.2.40010   ESTABLISHED
    tcp   0  16304  134.102.176.250.22   192.168.1.2.40009   ESTABLISHED

All MTUs (PC, WLAN router, firewall) are set to 1500. I played with max-mss in pf.conf, as was suggested on the misc@ ML:

    scrub in on enc0 all max-mss 1318

but it did not help.

Parallel to the ls -lR / mentioned above, i did a tcpdump on the firewall's external if, which can be found at: http://www.ant.uni-bremen.de/~rebehn/vlan1.dump The dump shows that fragmentation does occur.

The same symptom can also be observed when connecting to our www server behind the firewall, very small pages are displayed, bigger ones get stalled.

Can anyone help me on this? I am not familiar with the internals of TCP/IP, especially MTUs and fragmentation. If you need isakmpd.conf, pf.conf or anything else, please let me know.

Thanks for any help,

Heinrich Rebehn

http://archives.neohapsis.com/archives/openbsd/2006-06/1666.html

Thanks to all who replied, but i am still having the problem. While i will be looking at the MTU's on the path, can someone help me understand what's up in the above mentioned dump at http://www.ant.uni-bremen.de/~rebehn/vlan1.dump ?

    134.102.176.250 > 213.172.119.236: icmp: 134.102.176.250 protocol 4 unreachable

What does protocol 4 unreachable mean? According to /etc/protocols, 4 is IP encapsulated in IP (officially ``IP'') ??? As one can see at the end of the dump, fragmentation does occur. Is this absolutely lethal for IPSec?

--Heinrich

I believe what you are seeing is Path MTU discovery failing. When the IPSEC router sees a packet which is too large for it to route it is sending back an ICMP Unreachable packet (because it is too large) but, if some intermediary device on the way back is over-zealously filtering ICMP this ICMP unreachable packet will never get back to the sender, instead it will timeout and keep sending packets which are too large and thus you will never be able to view the webpage or other resource. A good test would be if you had root access on one of the remote locations which is giving you a problem, you could run tcpdump and see if those ICMP packets are reaching that location or not. If there is some router in the middle filtering this type of ICMP and the administrator is unwilling to change it then that is going to pose a real problem to your connectivity to those sites. Maybe someone else who has expertise with this issue can confirm that is what might be going on.

Good luck!

-Matt-

You are right, Matt.

While i was doing experiments with pings of various sizes, i saw that pings were echoed by the gateway, but blocked by my netgear WLAN router for no apparent reason. I then decided to try a newer firmware version of the router and voila: the pings got through and all the ipsec problems had gone! :-)

From the change log of the firmware:

    Improves LAN to WAN throughput. (That is, throughput from your network to the Internet.)

Obviously they fixed Path MTU discovery. I still need to find the optimal max-mss to avoid fragmentation, but even with fragmentation, IPSec works! :-)

Thanks for all your help!

Heinrich
IPSec traffic stalls with large chunks of data
Hi list,

I am running into a strange problem with IPSec, MTU? fragmentation? which i am unable to resolve.

My Setup: @home i have one PC which connects to our institute network with IPSec. The PC connects to the internet via a DSL modem using Linux/PPPoE or Windows XP/SP2. This has been running fine for years now. Last week i bought a Netgear WTG624V3 WLAN router in order to allow our notebook to connect to the internet too. This router is now connected between the PC and the DSL modem and does the job of bringing up the internet connection with PPPoE.

IPSec from my PC still works, but the symptoms are as follows:

- The tunnel is brought up and i can use it to ssh to our institute's firewall/ipsec gateway. On the gateway (OpenBSD 3.8), i can work in the shell as long as i want, but as soon as i do a ls -lR / or something else that produces large output, the connection is stalled. However, the tunnel is still usable, i can do a 2nd ssh and continue working. This leads me to the conclusion that it cannot be a rekeying issue. Under the second login, i can see both connections:

    # netstat -anptcp | grep 192.168.1.2
    tcp   0     48  134.102.176.250.22   192.168.1.2.40010   ESTABLISHED
    tcp   0  16304  134.102.176.250.22   192.168.1.2.40009   ESTABLISHED

All MTUs (PC, WLAN router, firewall) are set to 1500. I played with max-mss in pf.conf, as was suggested on the misc@ ML:

    scrub in on enc0 all max-mss 1318

but it did not help.

Parallel to the ls -lR / mentioned above, i did a tcpdump on the firewall's external if, which can be found at: http://www.ant.uni-bremen.de/~rebehn/vlan1.dump The dump shows that fragmentation does occur.

The same symptom can also be observed when connecting to our www server behind the firewall, very small pages are displayed, bigger ones get stalled.

Can anyone help me on this? I am not familiar with the internals of TCP/IP, especially MTUs and fragmentation. If you need isakmpd.conf, pf.conf or anything else, please let me know.

Thanks for any help,

Heinrich Rebehn
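The "optimal max-mss to avoid fragmentation" that the thread leaves open, worked through as an added example (my code, not from the thread or from isakmpd): it sizes an ESP tunnel-mode packet for a given TCP segment and finds the largest MSS that still fits the path MTU. The ESP layout follows RFC 4303; the transforms, the 1500/1492 MTUs and the NAT-T option are assumptions, not the poster's actual negotiated parameters.

```python
"""Added example: ESP tunnel-mode packet size and the matching max-mss.
Not part of the thread; ESP layout per RFC 4303, parameters assumed."""

ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
IPV4_HEADER = 20
TCP_HEADER = 20     # no TCP options; SACK/timestamps would need more room
NAT_T_UDP = 8       # UDP header when ESP is encapsulated in UDP behind NAT

# Assumed transforms: name -> (IV length, cipher block size, ICV length).
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}


def esp_tunnel_packet_size(mss, transform, nat_t=False):
    """On-the-wire IPv4 size of one ESP tunnel-mode packet with `mss` data bytes."""
    iv_len, block, icv_len = TRANSFORMS[transform]
    inner = IPV4_HEADER + TCP_HEADER + mss      # the packet being protected
    body = inner + ESP_TRAILER                  # padded to a cipher block multiple
    padded = -(-body // block) * block          # round up
    udp = NAT_T_UDP if nat_t else 0
    return IPV4_HEADER + udp + ESP_HEADER + iv_len + padded + icv_len


def esp_tunnel_max_mss(path_mtu, transform, nat_t=False):
    """Largest MSS whose ESP tunnel-mode packet still fits in `path_mtu`."""
    iv_len, block, icv_len = TRANSFORMS[transform]
    udp = NAT_T_UDP if nat_t else 0
    fixed = IPV4_HEADER + udp + ESP_HEADER + iv_len + icv_len
    room = path_mtu - fixed
    padded = room - room % block                # largest block multiple that fits
    mss = padded - ESP_TRAILER - IPV4_HEADER - TCP_HEADER
    if mss <= 0:
        raise ValueError("path MTU %d too small for this transform" % path_mtu)
    return mss


def pf_max_mss_rule(path_mtu, transform, nat_t=False, iface="enc0"):
    """The scrub rule used in the thread with the computed value filled in."""
    return "scrub in on %s all max-mss %d" % (
        iface, esp_tunnel_max_mss(path_mtu, transform, nat_t))


if __name__ == "__main__":
    # 1500 = Ethernet; 1492 = PPPoE, which the DSL link in the thread carries.
    for mtu in (1500, 1492):
        for name in TRANSFORMS:
            for nat_t in (False, True):
                mss = esp_tunnel_max_mss(mtu, name, nat_t)
                print("mtu %d %-22s nat-t=%-5s max-mss %d (packet %d, +1 byte -> %d)"
                      % (mtu, name, nat_t, mss,
                         esp_tunnel_packet_size(mss, name, nat_t),
                         esp_tunnel_packet_size(mss + 1, name, nat_t)))
```

max-mss only shapes TCP; the thread's actual culprit was the router dropping the ICMP that Path MTU discovery depends on, which no MSS value fixes.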
Which WLAN mini PCI card to use?
Hi list,

I want to build a WLAN router using a WRAP board running OpenBSD. I am still unsure which wlan interface to use. I considered the CM9 (ath(4)). My question: are there still problems with the 802.11g (54 Mbit) mode? http://archives.neohapsis.com/archives/openbsd/2005-12/0192.html

Also, the CM9 seems to use the 5213 chipset, which the manpage does not mention. Is it also supported? Or are there better choices?

Thanks for any info,

Heinrich Rebehn
Re: VLAN-Problems
Heinrich Rebehn wrote:
> [EMAIL PROTECTED]@mgEDV.net wrote:
>> some hints:
>> - the other switch seems to be cisco, too. (catalyst series, IOS)
>> - if the trunk contains more lines, check them for physical damage (maybe 1 fails sometimes, 2 is ok)
>> - try to setup the cisco-switches for nonegotiate-trunking to your box
>> - setup the interfaces from autoselect to fixed rates (speed/duplex) on both sides (switches, box)
>> - enable debugging on the switch and read what happens for the ports (maybe on/off events)
>> - check for portfast/CDP settings on the cisco, maybe interfering w. your config
>> - check with a packet-analyzer if the dot1q tags are ok within the packets
>> - dump transparently with a bridge before and after your box (network monitoring port on switch may help you)
>> - set the NICs on your box to the same interrupts (if possible)
>> - check for a driver replacement for the marvell card provided by marvell (if you use it for trunking)
>> good luck!
>
> Many thanks for the many responses :-)
>
> Most of them dealt with sk0 not being in full duplex mode. When plugged in, sk0 does negotiate full duplex, though. I also tried using one of the xl interfaces to rule out a problem with the sk(4) driver, still no luck. I still have difficulties to believe that this might be a full/half duplex problem, because things work fine if I use non-dot1q mode (using a different switch port though)
>
> Anyway, I will be on leave next week, and for the week after, I already arranged with the admin of the switch to hunt down this bug together. I will sure report back then.
>
> --Heinrich

So here is my report:

1. Problem is solved :-)
2. The cause was more complicated than duplex mode or driver issues. Let me try to explain:

The original firewall which I was about to replace had 4 physical interfaces. Interfaces 2 and 4 were bridged with a filtering bridge(4). During my experiments I bypassed the bridge with a cable, so the lans stayed connected when the firewall was down. At that time I already realized that I *had* to unplug one of the interfaces or otherwise I observed the phenomena described in my OP. Obviously obsd does not like seeing packets with the same MAC on different interfaces.

In my new setup I replaced the 4 phys. interfaces with a trunk carrying 4 vlans. In order to avoid the problems I left one of the bridged vlans unconfigured (should have been equivalent to an unplugged cable on the setup described before). But it was not! I had to remove one of the vlans from the trunk on the cisco side for the problems to go away. I am not sure if this is expected behaviour, but anyway, the setup is running fine now!

--Heinrich
Re: VLAN-Problems
[EMAIL PROTECTED]@mgEDV.net wrote:
> some hints:
> - the other switch seems to be cisco, too. (catalyst series, IOS)
> - if the trunk contains more lines, check them for physical damage (maybe 1 fails sometimes, 2 is ok)
> - try to setup the cisco-switches for nonegotiate-trunking to your box
> - setup the interfaces from autoselect to fixed rates (speed/duplex) on both sides (switches, box)
> - enable debugging on the switch and read what happens for the ports (maybe on/off events)
> - check for portfast/CDP settings on the cisco, maybe interfering w. your config
> - check with a packet-analyzer if the dot1q tags are ok within the packets
> - dump transparently with a bridge before and after your box (network monitoring port on switch may help you)
> - set the NICs on your box to the same interrupts (if possible)
> - check for a driver replacement for the marvell card provided by marvell (if you use it for trunking)
> good luck!

Many thanks for the many responses :-)

Most of them dealt with sk0 not being in full duplex mode. When plugged in, sk0 does negotiate full duplex, though. I also tried using one of the xl interfaces to rule out a problem with the sk(4) driver, still no luck. I still have difficulties to believe that this might be a full/half duplex problem, because things work fine if I use non-dot1q mode (using a different switch port though)

Anyway, I will be on leave next week, and for the week after, I already arranged with the admin of the switch to hunt down this bug together. I will sure report back then.

--Heinrich
VLAN-Problems
Hi all,

I am currently setting up a new firewall for our department. I already set up an OpenBSD Firewall and I am very satisfied with it :-)

The new machine is set up to use dot1q vlans in order to save on interfaces and ports in our Cisco switch. This is the first time I am using dot1q and I am experiencing strange problems, which are not easy to describe, but I will try:

Generally, operation is *very* slow. If I try to ping one of the machine's interfaces, one ping is echoed, then it pauses for a minute, then another ping comes through. ssh'ing into the box is possible after some 20 seconds delay (no, it is not reverse dns lookup), I can type commands and see the outputs, interspersed with occasional delays. As soon as I do a tcpdump on the interface that I used to login, the connection is dead. Logging in and working locally works w/o problems. Routing is very sluggish, close to unusable.

Some questions (could not find answers with google or mailinglist):
- Do the physical interfaces need an ip address (I guess not)
- Can I filter on the physical interfaces in pf / do I have to explicitly pass them (does not seem to make a difference)

If I change the configuration to non-vlan operation everything runs fine :-)

I am attaching ifconfig and dmesg output. The physical interface, sk0, is shown as having no carrier; this is because I had to pull the plug while taking the information because another machine (our old firewall) was running with the same address.

I have googled and looked in the mailing list, but did not find such problems mentioned. Does anybody have an idea? If I cannot get this to work, someone else will probably set up a linux firewall, which I would rather try to avoid..

I am not sure what type of switch is on the other end, here is some output that the admin mailed me:

vlan 86
 name WLAN
!
vlan 182
 name BackBone
!
interface FastEthernet6/19
 description k307 n2340-19a
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,86,182,231,232
 switchport mode trunk
 duplex full

Thanks for any hints,

Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:d4:de:cf:88
        media: Ethernet autoselect (1000baseT half-duplex)
        status: no carrier
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:5e:61:7a:2d
        media: Ethernet autoselect (none)
        status: no carrier
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:5e:61:7a:04
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:d4:de:cf:88
        vlan: 16 parent interface: sk0
        groups: vlan
        inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:d4:de:cf:88
        vlan: 231 parent interface: sk0
        groups: vlan
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:d4:de:cf:88
        vlan: 182 parent interface: sk0
        groups: vlan egress
        inet 134.102.186.20 netmask 0xff00 broadcast 134.102.186.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:d4:de:cf:88
        vlan: 86 parent interface: sk0
        groups: vlan
        inet 172.21.1.8 netmask 0x broadcast 172.21.255.255

OpenBSD 3.8-stable (ANT) #2: Thu Mar 30 16:59:00 CEST 2006
    [EMAIL PROTECTED]:/root/flashboot-0.9beta1/obj/ANT
cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2 cache) 1.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD Powernow: FID VID TTP TM STC
real mem  = 536125440 (523560K)
avail mem = 459415552 (448648K)
using 4278 buffers containing 26910720 bytes (26280K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/03/05, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5980/192 (10 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x1106 product 0x3227
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb000 0xcb000/0x800 0xcb800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA K8HTB Host" rev 0x00
pchb1 at pci0
Re: VLAN-Problems
Stuart Henderson wrote:
> On 2006/04/04 13:24, Rob Gault wrote:
>> The first thing I noticed is that SK0 is only at half duplex
>
> OP says the cable is out. However auto and duplex full are likely to not be compatible (they aren't for 10/100, though I'm not sure about gig).

I will double check that when I'm at work again tomorrow. The switch port is set to 10/100.

>> I am attaching ifconfig and dmesg output. The physical interface, sk0 is shown as having no carrier, this is because I had to pull the plug while taking the information because another machine (our old firewall) was running with the same address.
>
> What steps are taken to clear ARP caches, etc?

I did an "arp -d ip_of_firewall" on the accessing host. However, the setup worked perfectly when I switched to non-vlan mode, so I do not think it is an arp problem. I did have to select different switch ports for non-vlan mode, though. So I cannot rule out a problem with the switch port. I will ask the switch admin for help, maybe there is some debugging facility on the cisco.

Any other ideas?

Heinrich
Re: VPN: solutions that interoperate with win xp
[EMAIL PROTECTED] wrote:
> heya,
>
> i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines.
>
> i have setup isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;). when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging outputs and crashed a couple times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things.
>
> i have also setup openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.
>
> i am also aware of the green bow VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice.
>
> anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a howto for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later.
>
> cheers, jake

Hi jake,

I have been successfully using the Windows XP native IPSec client for some 2 years now.

There is a good configuration tool at http://vpn.ebootis.de/ which reads a configuration file and executes the ipseccmd commands needed for setting up the tunnel. Latest version is 2.2, I am using 2.1.4. You do need XP Service Pack 2. Also you must install the windows support tools as mentioned on Marcus' web page. Note that if you already installed them before installing SP2, you must also upgrade the support tools after installing SP2.

As for windows debug output, look for oakley log in http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx

This works with certificates (somewhat tricky to setup) as well as with preshared secret.

HTH,

Heinrich

--
Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341
isakmpd: rsa_sig_decode_hash: RSA_public_decrypt () failed
Hi all,

We have a VPN Gateway to allow road warriors to securely access our network from anywhere (home, wlan). It runs OpenBSD 3.7 and the clients are WinXPSP2 machines using the built-in IPSec. Authentication is done with X.509 certificates which are distributed as PKCS#12 files. This has been running fine for over a year now.

Some days ago I had to reinstall a client because of a disk problem, and I cannot get IPSec to work anymore. isakmpd keeps reporting:

rsa_sig_decode_hash: RSA_public_decrypt () failed
dropped message from 134.102.176.91 port 500 due to notification type INVALID_ID_INFORMATION

The other clients are still working fine. I have been double checking the config files (which I did not change) and created new certificates more than once, but cannot find anything.

My question: What requirements must be met so that the certificate can be decrypted? Which public key is used? Is it sent along with the certificate?

I can post my config and logfiles if required.

Thanks for your help,

Heinrich

--
Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341
Re: spamd greylisting and server pools
Many helpful people wrote: [snip] Thanks to all for so many replies :-) You have convinced me that relying only on Sender/Recipient is really a bad idea. I will try the mentioned patch(es) that whitelist a complete /24 subnet. Regards, Heinrich
Re: spamd greylisting and server pools
eric wrote:
> On Tue, 2005-06-21 at 15:17:14 +0200, Heinrich Rebehn proclaimed...
>> I have configured spamd with greylisting on our OpenBSD Firewall and it works very well, spam went close to zero :-). There is one issue though that can cause long delay of mails: If a mail is sent via a server pool, it can take quite long until it happens to be sent 3 times from the same ip address and thus get whitelisted and delivered. With a big server pool this can take hours. Would it be possible to change this behaviour so that the whitelisting is done as soon as the same sender/receiver pair is seen again, ignoring the ip address? This could speed up things a bit.
>
> You can read the man page and see how to decrease the spamd timer; however, you will not be able to change every mailserver on the Internet.

How can timer settings help, if a server pool makes 5 delivery attempts within 2 hours using 5 different ip-addresses? It won't get white, no matter what the timers are.

--Heinrich
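A toy model of the greylisting trade-off discussed in this thread and in the "Thanks to all" follow-up above, as an added example that is not part of the thread or of spamd itself. It keeps spamd's default passtime of 25 minutes and greylist expiry of 4 hours, but lets the identity that must come back for the retry be chosen: the source IP (spamd's behaviour), the source /24 (the subnet-whitelisting patch mentioned above), or the bare sender/recipient pair (what the original question proposed). The Greylist class, the scenario, the minute-based timing and the documentation-range addresses are all constructed.

```python
# Added example, not from the thread: a toy greylist that makes the server-pool
# delay visible and shows what keying on sender/recipient alone gives up.
# Times are minutes; addresses are constructed documentation-range values.
import ipaddress

PASSTIME_MIN = 25        # spamd default: a retry counts only if it comes after this long
GREYEXP_MIN = 4 * 60     # spamd default: grey entries are forgotten after 4 hours


class Greylist:
    def __init__(self, keymode):
        if keymode not in ("ip", "net24", "pair"):
            raise ValueError(keymode)
        self.keymode = keymode
        self.grey = {}      # (identity, sender, rcpt) -> minute of first attempt
        self.white = set()  # identities that have completed a patient retry

    def _identity(self, ip, sender, rcpt):
        """What must come back for the retry, and what is whitelisted afterwards."""
        if self.keymode == "ip":
            return ip
        if self.keymode == "net24":
            return str(ipaddress.ip_network(ip + "/24", strict=False))
        return (sender, rcpt)

    def attempt(self, now, ip, sender, rcpt):
        """True if the delivery is accepted, False if it is temp-failed."""
        ident = self._identity(ip, sender, rcpt)
        if ident in self.white:
            return True
        key = (ident, sender, rcpt)
        first = self.grey.get(key)
        if first is None or now - first > GREYEXP_MIN:
            self.grey[key] = now          # new (or expired) tuple: greylist it
            return False
        if now - first >= PASSTIME_MIN:
            self.white.add(ident)         # patient retry: promote to whitelist
            del self.grey[key]
            return True
        return False                      # retried too soon, still grey


def first_accepted(keymode, attempts, sender="alice@example.org", rcpt="bob@example.net"):
    """Feed (minute, source ip) attempts to a fresh greylist; return the minute the
    mail first gets through, or None if every attempt was temp-failed."""
    gl = Greylist(keymode)
    for minute, ip in attempts:
        if gl.attempt(minute, ip, sender, rcpt):
            return minute
    return None


# Constructed scenario: a sending pool of five hosts in one /24 retrying every 30
# minutes, each retry from a different host (the pattern the thread describes).
POOL = [(0, "198.51.100.10"), (30, "198.51.100.11"), (60, "198.51.100.12"),
        (90, "198.51.100.13"), (120, "198.51.100.14")]
# A single relay retrying on the same schedule.
SINGLE = [(0, "203.0.113.5"), (30, "203.0.113.5"), (60, "203.0.113.5")]


def pair_mode_accepts_unrelated_source():
    """The cost of keying on sender/recipient only: once the pair is white, an attempt
    from any address carrying that pair is accepted without ever having retried."""
    gl = Greylist("pair")
    gl.attempt(0, "198.51.100.10", "alice@example.org", "bob@example.net")
    gl.attempt(30, "198.51.100.11", "alice@example.org", "bob@example.net")
    return gl.attempt(31, "192.0.2.99", "alice@example.org", "bob@example.net")


if __name__ == "__main__":
    for mode in ("ip", "net24", "pair"):
        print(f"{mode:6s} pool delivered at minute {first_accepted(mode, POOL)}, "
              f"single relay at minute {first_accepted(mode, SINGLE)}")
    print("pair mode accepts an unrelated source after whitelisting:",
          pair_mode_accepts_unrelated_source())
```

With the pool, "ip" mode never whitelists within the five attempts, while both "net24" and "pair" accept the second attempt at minute 30; the last function shows why the thread settled on the /24 approach rather than dropping the address from the key altogether.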
Problem with disklabel during install of a 2nd OpenBSD
Hi list,

I am trying to install 2 instances of OpenBSD that I can boot alternatively. I installed the first one from the install CD on partitions a (/) and b (swap), which worked fine. Then I booted the install CD again and tried to install the 2nd instance on partition d (/). However, fdisk keeps me from specifying / as mountpoint for partition d. In disklabel, I issue:

n a
mount point: [none] /x
n d
mount point: [none] /
p
...
a: . /x
d: . /

So, disklabel pretends to use / as mountpoint for d. But when I quit with q, disklabel still asks me for a mountpoint for d, and if I specify /, it complains that a is already being mounted on /. AFAIK, using a as root partition is not a requirement for installing OpenBSD. So disklabel seems to be a bit too smart here. Is this a bug in disklabel?

I don't want to use the alternative of untarring the install sets by hand, because this gives me an unconfigured system with no root pw, no devices, no whatnot...

--
Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax :-3341