After all these years of trouble-free upgrades, I ran into my first
problem. I used sysupgrade to go from 6.6/amd64 to 6.7. The upgrade
process was successful, but after bsd.upgrade did its thing and
rebooted the system, the new kernel would not boot.
It got to the "boot>" prompt, started loading
On Sat, Jul 16, 2016 at 6:37 AM, Mike Belopuhov wrote:
> On 14 July 2016 at 14:54, Maxim Khitrov wrote:
>> On Wed, Jul 13, 2016 at 11:47 PM, Tinker wrote:
>>> On 2016-07-14 07:27, Maxim Khitrov wrote:
>>> [...]
>>>>
>>>> No, the tests
On Wed, Jul 13, 2016 at 11:47 PM, Tinker wrote:
> On 2016-07-14 07:27, Maxim Khitrov wrote:
> [...]
>>
>> No, the tests are run sequentially. Write performance is measured
>> first (20 MB/s), then rewrite (12 MB/s), then read (37 MB/s), then
>> seeks (95 IOPS).
>
On Wed, Jul 13, 2016 at 11:10 AM, Tinker wrote:
> On 2016-07-13 22:57, Maxim Khitrov wrote:
>>
>> On Wed, Jul 13, 2016 at 10:53 AM, Tinker wrote:
>>>
>>> On 2016-07-13 20:01, Maxim Khitrov wrote:
>>>>
>>>>
>>>> We're see
On Wed, Jul 13, 2016 at 10:53 AM, Tinker wrote:
> On 2016-07-13 20:01, Maxim Khitrov wrote:
>>
>> We're seeing about 20 MB/s write, 35 MB/s read, and 70 IOPS
>
>
> What do you mean 70, you mean 70 000 IOPS?
Sadly, no. It was actually 95, I looked at the wrong column
Hi all,
We're seeing about 20 MB/s write, 35 MB/s read, and 70 IOPS with
OpenBSD 5.9 amd64 on XenServer 7.0 (tested using bonnie++). The
virtual disks are LVM over iSCSI. Linux hosts get well over 100 MB/s
in both directions.
I'm assuming that this is because there is no disk driver for Xen yet,
On Wed, Feb 24, 2016 at 3:38 AM, lilit-aibolit wrote:
> On 03/22/2015 05:44 PM, T. Ribbrock wrote:
>>
>> Then, I re-applied power, but that, too, was never flagged by sensorsd.
>> For some reason, it looks like sensorsd only ever detects a status change
>> (for these rules) when it gets started -
On Mon, Oct 19, 2015 at 2:31 PM, David Higgs wrote:
> On Mon, Oct 19, 2015 at 11:11 AM, Maxim Khitrov wrote:
>>
>> On Mon, Dec 8, 2014 at 3:45 PM, David Higgs wrote:
>> > On Mon, Dec 8, 2014 at 3:37 PM, trondd wrote:
>> >> On Mon, Dec 8, 2014 at 3:23 PM,
On Mon, Dec 8, 2014 at 3:45 PM, David Higgs wrote:
> On Mon, Dec 8, 2014 at 3:37 PM, trondd wrote:
>> On Mon, Dec 8, 2014 at 3:23 PM, trondd wrote:
>>> On Mon, Dec 8, 2014 at 11:47 AM, David Higgs wrote:
sysctl(8) will display Off if the value is zero, and On for nonzero.
So
On Mon, Jul 27, 2015 at 11:10 AM, Quartz wrote:
>> These days you have "bypass" features in hardware that allow packets
>> to flow from one interface to another even if the firewall is turned
>> off.
>
> Can you elaborate on this?
Search for "intel nic bypass mode" and you'll find lots of details
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber wrote:
> On 2015-07-27, Quartz wrote:
>
>> Some years ago I remember reading that when using OpenBSD (or any OS,
>> really) as a router+firewall it was considered inadvisable from a
>> security standpoint to have the different networks all att
On Fri, May 1, 2015 at 4:00 AM, OpenBSD Store Misc wrote:
> one of the master CD's was damaged in transit to the production facility
The NSA agent needed more time to record an alternate version of the song.
On Fri, Feb 27, 2015 at 3:40 PM, Research wrote:
> UDP is meaningless in the context of HTTP.
Well, actually... https://en.wikipedia.org/wiki/QUIC
Not really standard, but still. I now allow UDP on ports 80 and 443 to
make Google Chrome happy.
On Fri, Jan 30, 2015 at 12:54 PM, Ingo Schwarze wrote:
> Hi,
>
> Maxim Khitrov wrote on Fri, Jan 30, 2015 at 10:22:23AM -0500:
>
>> I wrote two simple functions for rc.shutdown and rc.login that
>> save/restore unbound cache when the system is restarted. Since each
>
Hi all,
I wrote two simple functions for rc.shutdown and rc.login that
save/restore unbound cache when the system is restarted. Since each
record has a relative TTL field, the cache can only be restored within
a short time window to avoid serving stale data to clients. I set this
window to 10 minu
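The save/restore described in the message above, as an added example that is not the poster's own script: a dump of the unbound cache is written at shutdown together with a timestamp, and at boot it is loaded back only if the dump is younger than the window (600 seconds, matching the 10 minutes mentioned). It assumes unbound-control(8) has remote control enabled, that the boot-side hook is rc.local, and that the cache lives in a hypothetical root-owned /var/unbound/cache directory; the file and directory names are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumed locations; change to taste.
CACHE_DIR=${CACHE_DIR:-/var/unbound/cache}
CACHE_FILE=$CACHE_DIR/unbound.cache
STAMP_FILE=$CACHE_DIR/unbound.stamp
MAX_AGE=${MAX_AGE:-600}   # 10 minutes: dump_cache writes remaining TTLs, so
                          # anything loaded later than this serves stale data

# cache_is_fresh STAMP_FILE MAX_AGE [NOW]
# Returns 0 if the epoch seconds stored in STAMP_FILE are at most MAX_AGE
# seconds older than NOW (default: current time).  A missing, unreadable,
# malformed or future-dated stamp counts as stale, so a restore is never
# attempted on the strength of a bad stamp.
cache_is_fresh() {
    stamp_file=$1
    max_age=$2
    now=${3:-$(date +%s)}
    [ -r "$stamp_file" ] || return 1
    read -r saved < "$stamp_file" || return 1
    case $saved in
        ''|*[!0-9]*) return 1 ;;
    esac
    age=$((now - saved))
    [ "$age" -ge 0 ] && [ "$age" -le "$max_age" ]
}

# rc.shutdown side: dump the cache and record when the dump was taken.
# The directory must not be writable by anyone but root: load_cache trusts
# the file completely, so a writable dump is a DNS cache poisoning vector.
unbound_cache_save() {
    mkdir -p "$CACHE_DIR" && chmod 700 "$CACHE_DIR" || return 1
    unbound-control dump_cache > "$CACHE_FILE" || return 1
    date +%s > "$STAMP_FILE"
}

# rc.local side: load the dump only inside the freshness window; otherwise
# delete it so a later boot cannot pick up the stale copy either.
unbound_cache_restore() {
    if cache_is_fresh "$STAMP_FILE" "$MAX_AGE"; then
        unbound-control load_cache < "$CACHE_FILE"
    else
        rm -f "$CACHE_FILE" "$STAMP_FILE"
        return 1
    fi
}
```

Source this file from rc.shutdown and call unbound_cache_save, then call unbound_cache_restore from rc.local after unbound has started; the stamp is stored separately from the dump so the freshness decision does not depend on filesystem mtimes surviving a reboot.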
On Sun, Dec 28, 2014 at 9:35 AM, Harald Dunkel wrote:
> On 12/28/14 13:51, Maxim Khitrov wrote:
>>
>> These tables are under the hidden "_pf" anchor:
>>
>> pfctl -a _pf -t extern -T show
>>
>
> Thats cool. Where did you find this? Searching
On Sun, Dec 28, 2014 at 6:38 AM, Harald Dunkel wrote:
> Hi folks,
>
> pfctl can give me an extended list of tables showing interface
> group names, "self", etc. Sample:
>
> # pfctl -g -sT
> egress
> egress:0
> extern
> extern:network
> intern:network
On Thu, May 15, 2014 at 8:51 PM, Daniel Ouellet wrote:
> I was also looking at these two if the above one wasn't supported. But
> if I remember the Atom SoC one is not working on OpenBSD yet, but I
> could be wrong.
>
> SuperServer 5038MA-H24TRF
> http://www.supermicro.com/products/system/3U/5038/
I'm about to purchase a new Supermicro Atom board for a firewall. The
decision is between Atom C2750 (Avoton) and C2758 (Rangeley) CPUs. The
latter is marketed as a "communications processor" and exchanges Turbo
Boost for QuickAssist, which seems to be an FPGA-type thing for
accelerating certain cr
On Fri, Dec 20, 2013 at 4:11 PM, Maxim Khitrov wrote:
> I was under the impression that the packet priority was always set to
> 3 prior to the pf ruleset evaluation (ignoring VLAN and CARP for a
> moment), and that 'set prio' on an inbound rule only affected
> returning tr
I was under the impression that the packet priority was always set to
3 prior to the pf ruleset evaluation (ignoring VLAN and CARP for a
moment), and that 'set prio' on an inbound rule only affected
returning traffic that matched the state entry. Here's an artificial
example:
pass out on $wan
pass
On Thu, Dec 19, 2013 at 8:33 AM, Camiel Dobbelaar wrote:
> On 18/12/13 22:32, Camiel Dobbelaar wrote:
>>
>> On 18/12/13 14:50, Maxim Khitrov wrote:
>>>
>>> On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar wrote:
>>>>
>>>> On 18/12/13 1
On Thu, Dec 19, 2013 at 7:57 AM, Giancarlo Razzolini wrote:
> Em 18-12-2013 21:33, Andy Lemin escreveu:
>> Fantastic! Thanks Camiel :)
>>
>> Sent from my iPhone
>>
>>> On 18 Dec 2013, at 21:32, Camiel Dobbelaar wrote:
>>>
>>>> On 18/12/13
On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar wrote:
> On 18/12/13 13:53, Maxim Khitrov wrote:
>>
>> When writing outbound rules in pf, is there an accepted best practice
>> for only matching packets that are either forwarded or
>> firewall-generated?
>>
>
When writing outbound rules in pf, is there an accepted best practice
for only matching packets that are either forwarded or
firewall-generated?
The best that I could come up with is 'received-on all' as a way of
identifying forwarded packets, but that option can't be negated to
match packets that
On Wed, Aug 7, 2013 at 12:10 PM, Henning Brauer wrote:
> * Михаил Швецов [2013-08-07 14:55]:
>> How can i see that "set prio" works?
>
> it just does.
Sometimes it doesn't:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.862
I got into a habit of separating prioritization from filt
On Wed, Aug 14, 2013 at 7:09 PM, Diana Eichert wrote:
> What I want to do.
>
> create a netflow collector using OpenBSD by looking at
> data fed from a tap
>
> I know which 10G NICs are supported by OpenBSD, what I'd
> like to hear is a recommendation on which one of the
> following to use.
>
> $
On Fri, Aug 9, 2013 at 11:52 AM, Henning Brauer wrote:
> * Maxim Khitrov [2013-08-09 17:47]:
>> and ran iperf
>> # s1: iperf -s
>> # c1: iperf -c s1 -t 60 -m
>> # s1: iperf -s
>> # s2: iperf -s
>> # c1: nc gw 1234 ; iperf -c s1 -t 60
>> # c2: nc g
40% CPU0 usage).
> On 08/08/2013 08:26 PM, Maxim Khitrov wrote:
>> Active Processor Cores: All
>
> I would turn that off, or at least make it only dual core.
No effect, results are also below.
>> That's... a bit faster. The CPU in the desktops is Intel i7-3770,
>> wh
Thanks to everyone for your advice! I'll try to respond to all the
questions at once and provide some more information about the testing
that I did today.
The BIOS on these firewalls is current. For power-saving options, when
I first configured these systems I tried turning Intel EIST
(SpeedStep)
On Wed, Aug 7, 2013 at 11:44 AM, Florian Obser wrote:
> On Wed, Aug 07, 2013 at 10:26:22AM -0400, Maxim Khitrov wrote:
>> Hi all,
>>
>> I'm looking for performance measuring and tuning advice for 10 gigabit
>> Ethernet. I have a pair of Lanner FW-8865 systems that
On Wed, Aug 7, 2013 at 10:31 AM, Martin Schröder wrote:
> 2013/8/7 Maxim Khitrov :
>> I've read the "Network Tuning and Performance Guide" @ calomel.org,
>
> Ignore that site and search the list archives.
Understood :)
I found a number of recommendations for the
Hi all,
I'm looking for performance measuring and tuning advice for 10 gigabit
Ethernet. I have a pair of Lanner FW-8865 systems that will be used as
firewalls for the local network. Each one has a Xeon E3-1270v2 CPU,
Intel X540 10GbE NIC (PCIe 3.0 8x), and 8GB DDR3-1600 ECC RAM. Before
putting th
Hi,
The no-df flag can be specified in the "set reassemble" option or a
"scrub" rule. From looking at the source, I don't think "scrub
(no-df)" does what the man page says it does. To reassemble fragmented
packets with the DF flag set, one has to use "set reassemble yes
no-df" option. By the time
Hi all,
A few questions about the operation of pf scrub options in OpenBSD 5.3:
1. In 2010 Henning advised against the use of "reassemble tcp" (link
below). Is this advice still applicable and what are the known issues
that this option may cause in the current implementation?
http://marc.info/?l
On Wed, Mar 13, 2013 at 1:59 PM, Michel Blais wrote:
> I think you must specify the anchor first. Something like :
>
> pfctl -a ix1 -t admins -T show
That doesn't work. First, it's an unnamed anchor, so I don't think you
can specify it with the -a option. Second, inbound connections to port
22 ar
Hello,
I was a bit surprised by the following behavior when configuring pf on
OpenBSD 5.2. Non-persistent tables that are only referenced by inline
anchor rules, as in the following example, are removed from memory
when pf.conf is loaded.
# Doesn't work (ssh connections are blocked):
table {10.0
On Thu, Dec 27, 2012 at 10:10 AM, Live user wrote:
> I think 15.2.2 should go before 15.1.1, since if there's no point in running
> pkg_* when the PKG_PATH is empty, which is after installing using the
> interactive method.
>
> Furthermore, using 'export PKG_PATH=' sets a volatile variable, which