Re: Interface modifiers in pf.conf

2018-09-27 Thread Per-Olov Sjöholm
On Thu, Sep 27, 2018, at 06:16, Theo de Raadt wrote:
> Per-Olov Sjöholm wrote:
> 
> > I can in the man page for PF see:
> > 
> > --snip--
> > Interface names, interface group names, and self can have
> >  modifiers appended:
> > 
> >  :0          Do not include interface aliases.
> >  :broadcast  Translates to the interface's broadcast
> >              address(es).
> >  :network    Translates to the network(s) attached to the
> >              interface.
> >  :peer       Translates to the point-to-point interface's peer
> >              address(es).
> > --snip--
> > 
> > Is there a special reason syntax like INTERNET_INT:1 won't work if we want 
> > to use the first alias address from the hostname interface file?
> > 
> > As it is now I have to use the base address by using ":0" or including all 
> > aliases. For me this seems unusable. If I want to nat out on the alias 
> > address from for example the DMZ I would like to use ":1". As this is not 
> > possible I have to hard code the IPs in pf.conf.
> 
> Yes there is a very good reason.
> 
> Interface aliases are not what you think they are.  A mistake was made
> more than two decades ago.  If you reconfigure, they "roll".
> 
> You should avoid use of :0, unless you need it.  But definitely you do
> not want :1 or :2 etc.


Ahhh I see... Didn't know that. Many thanks for the answer.

I found it very convenient not to add the external IP into pf.conf, but to let 
the service itself harvest it from the interface. But it seems that is no longer 
possible when you add more IPs to the external interface (unless you want them 
all in the same rule, of course). Not a biggie. Just interested to see if it is 
possible to have more than one IP on the interface and not have them 
specified in pf.conf...

How would you solve the example below? Should I hard code the IPs and only use 
these, and skip usage of ":0" in this case? Is there maybe a way to instead 
create a separate sub interface for the alias IP so the sub interface could be 
used in PF, but the resulting PF behaviour remains?

cat /etc/hostname.ix3
inet 192.168.0.100 255.255.255.0 192.168.0.255 description "INTERNET UPLINK TEST"
!ifconfig ix3 inet alias 192.168.0.101 netmask 255.255.255.255 broadcast 192.168.0.255


From pf.conf example:
INTERNET_INT="ix3"
INTERNET_INT_IP1="192.168.0.100" <<< Can this be avoided?
INTERNET_INT_IP2="192.168.0.102"  <<< Can this be avoided?
match out on $INTERNET_INT from $DMZ1_DAEDALUS to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT:0


Tnx
Peo
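One way to keep the addresses out of pf.conf by hand while still avoiding the alias ordinals (":1", ":2") that the reply above warns against: keep the addresses only in the hostname.if file and generate the pf macros from it. This is an added example, not code from the thread or from OpenBSD; it assumes the two line forms shown in the hostname.ix3 above, and the include path in the comment is hypothetical.

```python
"""Generate pf.conf address macros from an OpenBSD hostname.if(5) file.

Added example, not code from the thread or from OpenBSD. The addresses stay
in one place (the hostname.if file) and pf.conf pulls the generated macros in
with an `include` line, instead of hard-coding INTERNET_INT_IP1/IP2 or relying
on alias ordinals such as ix3:1, which the thread explains are not stable.
"""
import re
import shlex

# Constructed input: the hostname.ix3 shown in the thread plus a second alias.
HOSTNAME_IX3 = """\
inet 192.168.0.100 255.255.255.0 192.168.0.255 description "INTERNET UPLINK TEST"
!ifconfig ix3 inet alias 192.168.0.101 netmask 255.255.255.255 broadcast 192.168.0.255
!ifconfig ix3 inet alias 192.168.0.102 netmask 255.255.255.255 broadcast 192.168.0.255
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hostname_if(text, ifname):
    """Return (primary, [aliases]) for the IPv4 addresses in a hostname.if file.

    Two line forms are recognised, the ones used in the thread: a bare
    'inet ADDR MASK BCAST ...' line (the primary address) and an
    '!ifconfig IFNAME inet alias ADDR ...' command line. Everything else
    (up, routes, inet6, comments) is ignored.
    """
    primary = None
    aliases = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # keeps the quoted description as one word
        if words[0] == "inet" and len(words) > 1 and IPV4.match(words[1]):
            primary = words[1]
        elif (words[0] == "!ifconfig" and len(words) > 4
              and words[1] == ifname and words[2:4] == ["inet", "alias"]
              and IPV4.match(words[4])):
            aliases.append(words[4])
    return primary, aliases


def pf_macros(ifname, prefix, text):
    """Render macro lines: PREFIX="ifname", PREFIX_IP1=primary, PREFIX_IP2.. aliases.

    The numbering follows the order of the lines in the file, which the
    administrator controls, not the kernel's alias order.
    """
    primary, aliases = parse_hostname_if(text, ifname)
    if primary is None:
        raise ValueError("no primary inet address for %s" % ifname)
    lines = ['%s="%s"' % (prefix, ifname)]
    for n, addr in enumerate([primary] + aliases, start=1):
        lines.append('%s_IP%d="%s"' % (prefix, n, addr))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write this to a file (the path is hypothetical) and put
    #   include "/etc/pf.macros.conf"
    # near the top of pf.conf; reload with pfctl -f after changing addresses.
    print(pf_macros("ix3", "INTERNET_INT", HOSTNAME_IX3), end="")
```

The macros are fixed at the time pfctl loads the ruleset, so the generator has to run (and the ruleset be reloaded) whenever the hostname.if file changes; that is the same reload discipline as editing pf.conf by hand, but with one source of truth for the addresses.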



Re: Virtual interfaces with own MACs

2018-09-26 Thread Per-Olov Sjöholm



On Wed, Sep 26, 2018, at 15:51, Jarkko Oranen wrote:
> On Wed, 2018-09-26 at 14:45 +0200, Paul de Weerd wrote:
> > 
> > 
> > Note that I haven't tried this .. may need some tweaking.
> 
> 
> I have pretty much exactly this setup except vether1 is in a separate
> rdomain to avoid issues with the default route. And 'dhclient' is
> 'dhcp' instead:
> 
> # cat /etc/hostname.vether1
> rdomain 1
> group dmz
> lladdr ee:64:de:b9:72:87
> dhcp
> 
> I use the extra IP for a 1:1 NAT to a specific host in my local
> network. It works well enough.
> 
> > 
> > Cheers,
> > 
> > Paul 'WEiRD' de Weerd
> > 
> -- 
> Jarkko Oranen 
> 

Thanks for all replies.

But today the ISP has changed their mind and has now reconfigured so that 
non-business customers that buy more than one fixed IP are now allowed to set 
them without DHCP :)

Peo



Interface modifiers in pf.conf

2018-09-26 Thread Per-Olov Sjöholm
Hi

I can in the man page for PF see:

--snip--
Interface names, interface group names, and self can have
 modifiers appended:

 :0          Do not include interface aliases.
 :broadcast  Translates to the interface's broadcast address(es).
 :network    Translates to the network(s) attached to the
             interface.
 :peer       Translates to the point-to-point interface's peer
             address(es).
--snip--

Is there a special reason syntax like INTERNET_INT:1 won't work if we want to 
use the first alias address from the hostname interface file?

As it is now I have to use the base address by using ":0" or including all 
aliases. For me this seems unusable. If I want to nat out on the alias address 
from for example the DMZ I would like to use ":1". As this is not possible I 
have to hard code the IPs in pf.conf.


Have I misunderstood something? Please enlighten me.


Tnx
Peo



Virtual interfaces with own MACs

2018-09-26 Thread Per-Olov Sjöholm
Hi

I want to receive 2 IPs that are mine from the ISP (I have to supply 2 MACs) 
over DHCP. They have a problem letting me add them permanently without DHCP as 
their snooping blocks my connection if not using DHCP. 

I want to use just one physical interface as I do not have more 10Gbit 
interfaces to spare. Also I want to use fake virtual MACs so I can switch 
hardware without contacting the ISP.

Is it possible in OpenBSD to create sub interfaces with different MACs on them 
and use DHCP for both? How?

In Linux I think it can be done as:
ip link add link eth0 address 00:11:11:11:11:11 eth0.1 type macvlan
ifconfig eth0.1 up
dhclient -v eth0.1
ip link add link eth0 address 00:11:11:11:11:12 eth0.2 type macvlan
ifconfig eth0.2 up
dhclient -v eth0.2



Is it possible to do something similar to

/etc/hostname.ix3
up

/etc/hostname.ix3:1
!ifconfig SUBINT VIRTUAL_NEW_MAC SUBDEV $if Public IP 1
!dhclient ix3:1


/etc/hostname.ix3:2
!ifconfig SUBINT VIRTUAL_NEW_MAC SUBDEV $if Public IP 2
!dhclient ix3:2


If so, what should they look like? Note that I want to provide the ISP the 
virtual MACs and not the card's physical MAC… 





Many thanks in advance


Regards
Peo



PF, CPU cores and usage of CPU turbo

2018-02-24 Thread Per-Olov Sjöholm
Hi you OpenBSD pros…


I have a question regarding PF and thread use in the kernel.

If I got it right, PF is single-threaded. 

Today the firewall I use runs on a Jetway JNF9HG-2930 long-life 4-core N2930 @ 
1.83GHz Celeron mainboard. It runs an OpenBSD 6.2 stable SMP kernel as I have 
not seen a penalty in using it over the uni kernel. The only kernel tuning I have 
done is to set net.inet.ip.ifq.maxlen=4096 to avoid the drops that I could see 
(on IPv6 as well...). I have a 1/1 Gbit connection and fill almost the whole 
pipe (approx 970 Mbit at 0.9 ms) during speed tests. I am *very* *very* 
satisfied with OpenBSD :) Here 970-980 Mbit speed tests load the kernel to 
approx 30% in my case. Yes, we route packets and not megabytes :) I know...

Now… I will soon have 10/10 GBit (not that I really need it though). For that I 
will switch over to a Xeon D-1521 with a Supermicro 2 x Intel 10 Gbit x540 
PCI-e x8 card. This D-1521 is 2.2 GHz with turbo to 2.7 GHz and has just 2 
cores.

Now to the question…

I have read that turbo is used automatically in CPUs under the right 
circumstances and the frequency increases towards the turbo speed if very few 
cores are used. I could very well test all cases to come to a conclusion. But 
still, I want to ask about your performance thoughts here. What is your opinion 
here if we talk about pure firewalling: uni or SMP? The question is asked with 
the thought in mind of being able to use the extra turbo frequency…

The question is maybe stupid. But then, well, it is because I ask before digging 
deep into docs :)


Tnx
/Peo



Looking for libraries

2017-10-13 Thread Per-Olov Sjöholm
Hi

I just upgraded to 6.2…

Does anyone know which packages I can find the following libs in:
libpthread.so.22.0
libc.so.88.0
libm.so.9.0

I used this https://beta1.bredbandskollen.se/download/bbk_cli_openbsd on 6.0, 
but don’t have a copy of the “pkg_info” output from 6.0 that I used.



Tnx in advance
/Peo

Re: Gbit performance parameters

2017-07-15 Thread Per-Olov Sjöholm

> On 13 Jul 2017, at 12:27, Hrvoje Popovski <hrv...@srce.hr> wrote:
> 
> On 13.7.2017. 0:26, Per-Olov Sjöholm wrote:
>> I increased net.inet.ip.ifq.maxlen in steps of 256… I had to increase the 
>> net.inet.ip.ifq.maxlen 9 times to 2309 for the net.inet.ip.ifq.drops to stop 
>> increasing. At a maxlen of 2309 the drops stopped completely. But all values 
>> of net.inet.ip.ifq.maxlen higher than 756 did not give any performance 
>> boost (well… Not that I could see). At maxlen of 756 and over, the below 
>> output represents the average tests very well when testing against the ISP 
>> test servers.  Yes I love my OpenBSD FW :)  :) :)
> 
> 
> maybe these sysctls would give better performance?
> 
> kern.pool_debug=0
> net.inet.ip.ifq.maxlen=8192
> 
> or update to latest current and if you're brave enough compile kernel
> with "option WITH_PF_LOCK"
> 


AMD64 SMP kernel gives better throughput performance than UNI kernel (not much 
though). >>> That I do not understand???  <<<

net.inet.ip.ifq.maxlen=4096 is enough to avoid drops at Gbit speed for me. To 
avoid increased latency, I stopped increasing it as the drops have stopped at 4096….

The below represents very well the average performance from my Linux server 
behind my OpenBSD 6.0 FW against the internet test servers. I have had even 
better and a few worse tests.
[root@server2 ~]# bbk_cli --live
Start: 2017-07-16 03:19:10
ISP: Bahnhof Internet AB
Support ID: sth60128e5b7
Latency:  11.291 ms
Download: 836.488 Mbit/s
Upload:   947.120 Mbit/s
Subscription: 500-1000 Mbit/s fiber


I have only tuned net.inet.ip.ifq.maxlen in the OpenBSD FW sysctl.conf due 
to the drops I saw. No other settings in sysctl.conf (well, except IP and IPv6 
forwarding…). 

Maybe I should be satisfied with this performance :)





Re: Gbit performance parameters

2017-07-12 Thread Per-Olov Sjöholm


> On 12 Jul 2017, at 19:25, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> 
> On Wed, Jul 12, 2017 at 06:07:28PM +0200, Per-Olov Sjöholm wrote:
>> Hi
>> 
>> I have seen net.inet.ip.ifq.drops on my firewall after upgrading the 
>> internet connection and therefore try to tweak it a little. The FW has 4 (but 
>> only two used) physical Intel Gig interfaces. The internal interface has a 
>> bunch of VLANs on it. IPv6 is enabled.
>> 
>> 
>> I have a Linux 8 core Intel Atom (C2758 @ 2.40GHz) sitting behind my NAT 
>> OpenBSD 6.0 firewall (CPU N2930 @ 1.83GHz). After increasing 
>> net.inet.ip.ifq.maxlen from default 256 in two steps up to 768 on the 
>> firewall the drops have been fewer, but still occur. The performance of the 
>> CentOS 7.3 sitting behind the firewall has also gained approx 150Mbit more 
>> performance in network tests against the internet by the 
>> net.inet.ip.ifq.maxlen increase on the OpenBSD firewall. I now have the 
>> Linux server sitting behind the fw that gives me the following performance 
>> (I have a 1/1 Gbit fiber into the house)…
>> 
>> [root@server2 tmp]# bbk_cli --live
>> Start: 2017-07-12 17:35:20
>> ISP: Bahnhof Internet AB
>> Support ID: sth66db38ee9
>> Latency:  4.255 ms
>> Download: 803.603 Mbit/s
>> Upload:   949.265 Mbit/s
>> Subscription: 500-1000 Mbit/s fiber
>> [root@server2 tmp]#  
>> 
>> 
>> And "sysctl -a|grep net.inet.ip.ifq" now shows...
>> net.inet.ip.ifq.len=0
>> net.inet.ip.ifq.maxlen=768
>> net.inet.ip.ifq.drops=1292657
>> 
>> 
>> The performance was pretty good even without tweaks :), but is now, as shown 
>> above, 100-150 Mbit better….  But I do have a few questions to you pros…
>> 
>> # Question
>> Can I have bad drawbacks from the net.inet.ip.ifq.maxlen increase I have done, 
>> and in what way do I notice it if a problem occurs? Or can/should 
>> net.inet.ip.ifq.maxlen be increased more as I still have drops? Or should I 
>> decrease the value to 512 or to default 256 again to avoid any type of 
>> problem?
>> Could net.inet.ip.ifq.drops ideally be zero? Or is that just an ideal 
>> wish that never is true?
>> Any other parameter to look at at these speeds if I want a well behaved fw 
>> without packet drops and with low latency capable of filling my 1/1 Gbit 
>> pipe?
>> 
> 
> The size of net.inet.ip.ifq.maxlen should be sized by looking at your drops
> pattern. In general if you have bursty traffic you want a bit more. The
> goal is that the amount of drops is minimal.
> 
> On our busy firewalls pushing 500Mbps I set maxlen to 4096 and even 8192.
> Drawback of a big queue is an increased latency.
> At the moment having long queues helps when multiple CPUs compete for
> the big lock since it reduces the packet loss and so TCP suffers less.
> The latency increase is something we decided to accept since we're not
> that latency sensitive.
> 
> The long term plan is actually to get rid of this queue and knob but we're
> not right there yet.
> 
> -- 
> :wq Claudio
> 


Ahh

Tnx Claudio



I increased net.inet.ip.ifq.maxlen in steps of 256… I had to increase the 
net.inet.ip.ifq.maxlen 9 times to 2309 for the net.inet.ip.ifq.drops to stop 
increasing. At a maxlen of 2309 the drops stopped completely. But all values of 
net.inet.ip.ifq.maxlen higher than 756 did not give any performance boost 
(well… Not that I could see). At maxlen of 756 and over, the below output 
represents the average tests very well when testing against the ISP test 
servers.  Yes I love my OpenBSD FW :)  :) :)

[root@server2 tmp]# bbk_cli --live
Start: 2017-07-12 21:18:01
ISP: Bahnhof Internet AB
Support ID: sth66e6a1038
Latency:  3.905 ms
Download: 858.525 Mbit/s
Upload:   970.758 Mbit/s
Subscription: 500-1000 Mbit/s fiber
[root@server2 tmp]# 


So.. Is it ideal to raise it to the level where the drops stop even though I 
see no clear performance gain? If I read you correctly, I want to have minimal 
drops and should therefore in my environment probably use a maxlen of 2309… That 
also leads to the next question.. I use AMD64 SMP and then we have the big lock 
discussion….

Can I eventually benefit from changing to the uni kernel? I only use PF (with 566 
rules), bind for local name resolution and dhcpd. So an SMP kernel is probably 
not needed. But I did not think I could have a penalty using the SMP kernel. Can I 
eventually have a performance penalty using AMD64 SMP instead of the AMD64 uni 
kernel? Of course I want as low latency as possible  :)


So… could, theoretically, using the uni instead of the SMP kernel eventually give 
me zero drops at a lower maxlen and therefore lower latency due to removed SMP?  
I can of course try, but prefer to ask the pros here first :)

Peo
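The trade-off Claudio describes (a longer ifq absorbs bursts and so drops less, at the cost of a longer worst-case queueing delay) can be seen in a small model. This is an added example, not code from the thread or from OpenBSD: it assumes a single tail-drop FIFO drained at a fixed rate, a constructed burst pattern, and one tick = 1 ms; the numbers it prints are properties of that model, not measurements of any real firewall.

```python
"""Toy model of the net.inet.ip.ifq.maxlen trade-off discussed in the thread.

Added example, not code from the thread or from OpenBSD. A single tail-drop
FIFO is drained at a fixed rate and fed a constructed bursty arrival pattern.
It reproduces the two effects the replies describe: a deeper queue absorbs
bursts (fewer drops), but the worst-case queueing delay grows with the depth.
"""

# Constructed traffic: 300 packets/tick for 10 ticks, then 10 idle ticks,
# repeated 5 times. One tick is taken to be 1 ms (an assumption).
ARRIVALS = ([300] * 10 + [0] * 10) * 5
SERVICE_PER_TICK = 200  # packets the stack drains per tick (assumed)
TICK_MS = 1.0


def simulate(arrivals, service_per_tick, maxlen):
    """Return (drops, peak_queue) for a tail-drop FIFO of depth maxlen."""
    queued = drops = peak = 0
    for burst in arrivals:
        accepted = min(burst, maxlen - queued)
        drops += burst - accepted  # tail drop: what ifq.drops would count
        queued += accepted
        peak = max(peak, queued)
        queued = max(0, queued - service_per_tick)
    return drops, peak


def worst_delay_ms(peak_queue, service_per_tick, tick_ms=TICK_MS):
    """Queueing delay seen by the last packet admitted to the fullest queue."""
    return peak_queue / service_per_tick * tick_ms


def sweep(maxlens, arrivals=ARRIVALS, service_per_tick=SERVICE_PER_TICK):
    """(maxlen, drops, worst-case added delay in ms) for each candidate depth."""
    rows = []
    for maxlen in maxlens:
        drops, peak = simulate(arrivals, service_per_tick, maxlen)
        rows.append((maxlen, drops, worst_delay_ms(peak, service_per_tick)))
    return rows


if __name__ == "__main__":
    print("maxlen  drops  worst-case added delay")
    for maxlen, drops, delay in sweep([256, 512, 768, 1024, 2048]):
        print("%6d  %5d  %.2f ms" % (maxlen, drops, delay))
```

The sweep shows the shape of the thread's measurements: drops fall as maxlen grows and reach zero once the queue can hold a whole burst (1200 packets here), after which a larger maxlen buys nothing but headroom, while the worst-case delay keeps scaling with the depth actually filled. Sizing the queue to the point where drops stop, as Claudio suggests, is the knee of this curve.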





Gbit performance parameters

2017-07-12 Thread Per-Olov Sjöholm
Hi

I have seen net.inet.ip.ifq.drops on my firewall after upgrading the internet 
connection and therefore try to tweak it a little. The FW has 4 (but only two 
used) physical Intel Gig interfaces. The internal interface has a bunch of 
VLANs on it. IPv6 is enabled.


I have a Linux 8 core Intel Atom (C2758 @ 2.40GHz) sitting behind my NAT 
OpenBSD 6.0 firewall (CPU N2930 @ 1.83GHz). After increasing 
net.inet.ip.ifq.maxlen from default 256 in two steps up to 768 on the firewall 
the drops have been fewer, but still occur. The performance of the CentOS 7.3 
sitting behind the firewall has also gained approx 150Mbit more performance in 
network tests against the internet by the net.inet.ip.ifq.maxlen increase on the 
OpenBSD firewall. I now have the Linux server sitting behind the fw that gives 
me the following performance (I have a 1/1 Gbit fiber into the house)…

[root@server2 tmp]# bbk_cli --live
Start: 2017-07-12 17:35:20
ISP: Bahnhof Internet AB
Support ID: sth66db38ee9
Latency:  4.255 ms
Download: 803.603 Mbit/s
Upload:   949.265 Mbit/s
Subscription: 500-1000 Mbit/s fiber
[root@server2 tmp]#  


And "sysctl -a|grep net.inet.ip.ifq" now shows...
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=768
net.inet.ip.ifq.drops=1292657


The performance was pretty good even without tweaks :), but is now, as shown 
above, 100-150 Mbit better….  But I do have a few questions to you pros…

# Question
Can I have bad drawbacks from the net.inet.ip.ifq.maxlen increase I have done, 
and in what way do I notice it if a problem occurs? Or can/should 
net.inet.ip.ifq.maxlen be increased more as I still have drops? Or should I 
decrease the value to 512 or to default 256 again to avoid any type of problem?
Could net.inet.ip.ifq.drops ideally be zero? Or is that just an ideal wish 
that never is true?
Any other parameter to look at at these speeds if I want a well behaved fw 
without packet drops and with low latency capable of filling my 1/1 Gbit pipe?


And yes… I have seen what some people write about Calomel. I cannot tell if 
Calomel tells crap. But I do know that I want to understand why and what I am 
doing myself anyway. That is also why I try to take one thing at a time :) And 
I have started with the net.inet.ip.ifq.maxlen parameter as I have seen massive 
drops looking at net.inet.ip.ifq.drops.

Feedback on how to go on is very much appreciated.


Thanks in advance

Peo






Re: Separate VLAN from untagged traffic.

2017-07-07 Thread Per-Olov Sjöholm

--
GPG keyID: 9429C093
GPG fingerprint: 5F37 4298 A07F C614 647B 458C A756 5C4E 9429 C093




> On 7 Jul 2017, at 16:07, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> 
> wrote:
> 
> On 07/07/17 15:35, Per-Olov Sjöholm wrote:
>> Hi
>> 
>> I have had config like this on an internal interface for 5 years, which 
>> together with my VLAN enabled Cisco and Zyxel switches routes traffic 
>> around in my network. I run OpenBSD 6.0 AMD64 at the moment.
>> 
>> cat /etc/hostname.em0 
>> --snip--
>> up
>> ### VLAN
>> !ifconfig vlan2 inet 192.168.0.1 netmask 255.255.255.0 broadcast 
>> 192.168.0.255 vlan 2 vlandev $if description "IP on FW to the LAN"
>> !ifconfig vlan3 inet 192.168.1.1 netmask 255.255.255.0 broadcast 
>> 192.168.1.255 vlan 3 vlandev $if description "IP on FW to the DMZ1"
>> !ifconfig vlan4 inet 192.168.2.1 netmask 255.255.255.0 broadcast 
>> 192.168.2.255 vlan 4 vlandev $if description "IP on FW to the DMZ2"
>> !ifconfig vlan1003 inet 192.168.42.1 netmask 255.255.255.0 broadcast 
>> 192.168.42.255 vlan 1003 vlandev $if description "IP on FW to the GUEST"
>> ### ROUTES etc
>> #!route add 192.168.200.0/22 193.12.234.141
>> !route add 172.31.128.0/23 192.168.1.25
>> ### IPv6
>> !ifconfig vlan2 inet6 alias 2001:470:dc5d:1::1 prefixlen 64
>> !ifconfig vlan3 inet6 alias 2001:470:dc5d:2::1 prefixlen 64
>> !ifconfig vlan4 inet6 alias 2001:470:dc5d:3::1 prefixlen 64
>> --snip--
>> 
>> On the internet interface (em3) I have only an static IP. Today there is no 
>> VLAN here. Just a plain internet connection and no VLAN tags from the ISP.
>> 
>> 
>> Now…
>> The provider allows me to skip the media hub they supplied in favour of me 
>> taking care of the TV input myself. I have a mental problem with taking 
>> internet directly into my switch and separating the VLAN there, which I know 
>> how to easily do. But one mistake in the conf and, well…
>> 
>> So, in the near future the ISP will add a VLAN tag for TV in parallel to 
>> the untagged internet traffic coming in to em3.
>> 
>> 
>> QUESTION:
>> How would I continue with the config I have and expand it to take the tagged 
>> TV VLAN 845 they soon will add incoming to my em3 and bridge that VLAN 
>> tagged TV traffic out on let's say em2. The docs aren't that clear to me. The 
>> TV traffic VLAN has no IP I can set. I just want to filter the TV VLAN out 
>> incoming on em3 and send it to em2.  How would I add a VLAN interface to a 
>> parent em* interface and set no IP on it? After that I assume I can just 
>> create a bridge between that VLAN interface and em2. Or is this a bad idea?
>> 
>> 
>> Thanks in advance.
> 
> First of all, fix your setup to create vlan interfaces the proper way, ie
> /etc/hostname.vlanX
> much more clean setup.
> 
> Do you have a switch right now connected to em3 which can do 802.1Q tagging?
> If yes, then use that for switching. There is no point passing the TV 
> traffic through the OBSD.
> 
> If not then use your OBSD box.
> 
> more details depend on the configuration from your provider.
> I mean if the TV should get an IP address and if it expects tagged/untagged 
> traffic.
> 
> G
> 

I like my setup with the interfaces better and think it’s clearer as all data 
depending on the parent interface is in the correct parent hostname.if file. I had 
it like you say before and did not like it due to the fact that I had 17 hostname.if 
files. 17 hostname.if files is not clean. Now I have 4 and editing and overview 
is much better. And in the same file you can use “$if” as a variable. But I 
guess different people have different preferences... But that was not the 
question here.

I have no switch connected to the internet interface em3 and don’t want to unless 
there is a very good reason for it (I have a 24 port switch I can allocate ports in 
and several smaller ones not used on the shelf). All my switches are VLAN 
capable.

The TV traffic cannot be routed by me (no IP on the OpenBSD interface). The TV 
traffic must go directly to the TV box, i.e. through a switch or maybe through a 
vlan interface in OpenBSD that is bridged or so.

Could something like this work (have not done any config yet except writing 
here)?

## OLD internet interface - hostname.em3 
inet 112.112.112.2 255.255.255.128 112.112.112.127 description "INTERNET UPLINK"

## NEW Modified internet interface with TV VLAN - hostname.em3 
inet 112.112.112.2 255.255.255.128 112.112.112.127 description "INTERNET UPLINK"
# no address on the TV vlan: it is only a bridge member, so mark it up explicitly
!ifconfig vlan845 vlan 845 vlandev $if description "TV from provider" up

## NEW bridge - hostname.bridge0
add vlan845
add em2
# the bridge only forwards once it is up (see bridge(4))
up


Will it work at all if I just want the tagged traffic coming in on em3 to go to 
em2?
Any side effects? 
Will a bridge eat more CPU as the fw is a Celeron(R) CPU N2930 @ 1.83GHz and I 
have 1/1 Gbit internet ?

Thanks in advance
Peo





Separate VLAN from untagged traffic.

2017-07-07 Thread Per-Olov Sjöholm
Hi

I have had config like this on an internal interface for 5 years, which 
together with my VLAN enabled Cisco and Zyxel switches routes traffic around in 
my network. I run OpenBSD 6.0 AMD64 at the moment.

cat /etc/hostname.em0 
--snip--
up
### VLAN
!ifconfig vlan2 inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255 
vlan 2 vlandev $if description "IP on FW to the LAN"
!ifconfig vlan3 inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 
vlan 3 vlandev $if description "IP on FW to the DMZ1"
!ifconfig vlan4 inet 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 
vlan 4 vlandev $if description "IP on FW to the DMZ2"
!ifconfig vlan1003 inet 192.168.42.1 netmask 255.255.255.0 broadcast 
192.168.42.255 vlan 1003 vlandev $if description "IP on FW to the GUEST"
### ROUTES etc
#!route add 192.168.200.0/22 193.12.234.141
!route add 172.31.128.0/23 192.168.1.25
### IPv6
!ifconfig vlan2 inet6 alias 2001:470:dc5d:1::1 prefixlen 64
!ifconfig vlan3 inet6 alias 2001:470:dc5d:2::1 prefixlen 64
!ifconfig vlan4 inet6 alias 2001:470:dc5d:3::1 prefixlen 64
--snip--

On the internet interface (em3) I have only an static IP. Today there is no 
VLAN here. Just a plain internet connection and no VLAN tags from the ISP.


Now…
The provider allows me to skip the media hub they supplied in favour of me 
taking care of the TV input myself. I have a mental problem with taking internet 
directly into my switch and separating the VLAN there, which I know how to easily 
do. But one mistake in the conf and, well…

So, in the near future the ISP will add a VLAN tag for TV in parallel to the 
untagged internet traffic coming in to em3.


QUESTION:
How would I continue with the config I have and expand it to take the tagged TV 
VLAN 845 they soon will add incoming to my em3 and bridge that VLAN tagged TV 
traffic out on let's say em2. The docs aren't that clear to me. The TV traffic 
VLAN has no IP I can set. I just want to filter the TV VLAN out incoming on em3 
and send it to em2.  How would I add a VLAN interface to a parent em* interface 
and set no IP on it? After that I assume I can just create a bridge between that 
VLAN interface and em2. Or is this a bad idea?


Thanks in advance.

Peo
--
GPG keyID: 9429C093
GPG fingerprint: 5F37 4298 A07F C614 647B 458C A756 5C4E 9429 C093






Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-23 Thread Per-Olov Sjöholm
On 23 May 2012, at 10:14, Mark Kettenis wrote:

 Problem seems to be found

 A change of  int   intr_shared_edge; to int   intr_shared_edge = 1; in
 i386/machdep.c  plus kernel recompile solves the problem.

 Can you post the dmesg of this fixed kernel?



Hi

Of course

The hardware in all cases is exactly the same.

This is from the working 4.9 stable:
http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-4.9i386-stable+patches-to-20110819_running_in_KVM.txt

This is from the new 5.1 stable that is NOT working:
http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-5.1i386-stable-patches-to-20120510-not-working_running_in_KVM.txt
http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/KVM_Screenshot_5.1_stable+patches-to-may-8-2012.png

This is from the fixed 5.1 that is working:
http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-bsd-5.1-stable_plus_if_em.c-1.252_plus_machdep.c-mod
(Note that this works with the 5.1 stable if_em.c as well (i.e. 1.261).)


Per-Olov



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-23 Thread Per-Olov Sjöholm
On 23 May 2012, at 16:29, Mark Kettenis wrote:

 From: Per-Olov Sjöholm p...@incedo.org
 Date: Wed, 23 May 2012 11:27:34 +0200

 On 23 May 2012, at 10:14, Mark Kettenis wrote:

 Problem seems to be found

 A change of  int   intr_shared_edge; to int   intr_shared_edge = 1;
in
 i386/machdep.c  plus kernel recompile solves the problem.

 Can you post the dmesg of this fixed kernel?



 Hi

 Of course

 The hardware in all cases is exactly the same.

 This is from the working 4.9 stable:
 http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-4.9i386-stable+patches-to-20110819_running_in_KVM.txt

 This is from the new 5.1 stable that is NOT working:
 http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-5.1i386-stable-patches-to-20120510-not-working_running_in_KVM.txt
 http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/KVM_Screenshot_5.1_stable+patches-to-may-8-2012.png

 This is from the fixed 5.1 that is working:
 http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-bsd-5.1-stable_plus_if_em.c-1.252_plus_machdep.c-mod
 (Note that this works with the 5.1 stable if_em.c as well (i.e. 1.261).)

 What happens if you disable uhci in a unmodified 5.1 kernel?


Both interfaces stopped working! But that was tried before I made this change
in machdep.c

Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-22 Thread Per-Olov Sjöholm
On 19 May 2012, at 20:09, Per-Olov Sjöholm wrote:

 On 19 May 2012, at 17:58, Garry Dolley gdol...@arpnetworks.com wrote:

 On Sat, May 19, 2012 at 04:40:08PM +0200, Per-Olov Sjöholm wrote:


 On 19 May 2012, at 08:11, Garry Dolley gdol...@arpnetworks.com wrote:

 On Sat, May 19, 2012 at 01:54:54AM +0200, Per-Olov Sjöholm wrote:
 On 17 May 2012, at 12:53, Garry Dolley wrote:

 On Thu, May 17, 2012 at 03:19:07AM -0700, Garry Dolley wrote:
 On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
 On 2012-05-11 04:15, Garry Dolley wrote:
 I now have an amd64 test VM set up, where I installed stock 5.0.

 I ran a lot of traffic over em0 without any timeouts.

 That's expected. 5.0 has been running without issue for me for a
long
 time.

 I also have been trying several -current kernels.

 As of:

 OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012

 I don't see any em0 timeouts.

 I will continue to try newer ones and report back here...

 Why not just test 5.1? Problems have been reported against 5.1, not
 -current.

 I now have a stock 5.1 test VM set up.

 OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
   dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

 I don't see any timeouts.  I grabbed the ports tree via curl several
 times and have been slaving away at it over SSH.  I don't notice
 anything wrong.

 So, perhaps this issue does not appear in stock 5.1, but in a newer
 kernel.  I'll try something newer soon...

 I have tried the following newer kernels:

 bsd.20120330
 bsd.20120419
 bsd.20120427
 bsd.20120516

 I still can't reproduce the problem.

 I have disabled mpbios on all these kernels, forgot to mention that.

 I will leave this be for now; will pick it up again if any new
 information should arise.

 --
 Garry Dolley
 ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
 Data center, VPS, and IP Transit solutions
 Member Los Angeles County REACT, Unit 336 | WQGK336
 Blog http://scie.nti.st



 I have a running 4.9 release + patches (i.e. 4.9 stable) working perfectly.
 When updated to 5.1 release + patches I have real problems with watchdog
 timeout resets on my intel nic:s. Same hardware, but just different OpenBSD
 version.

 I have tried a bunch of kernels from Stuart Henderson (Broken after
 4.9.).
 I have also recompiled the 5.1 stable kernel with most  versions of the
 if_em.c driver. I have compiled and tried the following...
 (note that the userland was 5.1 stable with all kernel tests)

 bsd-5.1-stable
 bsd-5.1-stable_plus_if_em.c-1.249
 bsd-5.1-stable_plus_if_em.c-1.250
 bsd-5.1-stable_plus_if_em.c-1.251
 bsd-5.1-stable_plus_if_em.c-1.252
 bsd-5.1-stable_plus_if_em.c-1.253
 bsd-5.1-stable_plus_if_em.c-1.254
 bsd-5.1-stable_plus_if_em.c-1.263

 Watchdog timeout resets on all versions.

 NOTE that the Watchdog timeout reset appears in version 1.249 of if_em.c
 as well. And that version is default in 4.9 stable which works fantastic.
 So if I haven't done anything totally wrong it must be related to something
 else in the kernel. So my nic hardware and the kvm bios is the same. And an
 if_em.c version that works in 4.9 is tried.


 I can see above that you got rid of the problem by testing the same
 version as me.. But you use AMD and I use i386.
 Also... I have a firewall with 2 nic:s. Often ONE nic works but the
 other gives watchdog timeout resets and won't work.

 Any clues?

 I don't have any clues.  I wasn't able to reproduce the problem,
 even though one customer I have who also upgraded experienced this
 behavior.  They did not do a fresh install (that I'm aware), but
 upgraded (similar to you).  I'm not sure what the previous version
 was.  They have one NIC and I believe run amd64.

 The only difference that I can see is that on a fresh 5.1 install,
 there is no issue.  But if you upgrade from a previous release, then
 the issue *might* appear.

 --
 Garry Dolley
 ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
 Data center, VPS, and IP Transit solutions
 Member Los Angeles County REACT, Unit 336 | WQGK336
 Blog http://scie.nti.st


 I have a fresh 5.1 rel plus stable patches. No upgrade...

 What happened before you applied the stable patches?  On the fresh
 5.1 release without any changes, that is...

 --
 Garry Dolley
 ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
 Data center, VPS, and IP Transit solutions
 Member Los Angeles County REACT, Unit 336 | WQGK336
 Blog http://scie.nti.st

 That i have not tried..

 Per-Olov



Problem seems to be found

A change of  int   intr_shared_edge; to int   intr_shared_edge = 1; in
i386/machdep.c  plus kernel recompile solves the problem.

This seems to have changed between the working and non working kernels...
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/i386/machdep.c.diff?f=h&r1=text&tr1=1.487&r2=text&tr2=1.506




Per-Olov



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-19 Thread Per-Olov Sjöholm
On 19 maj 2012, at 16:31, Kenneth R Westerback kwesterb...@rogers.com
wrote:

 On Fri, May 18, 2012 at 11:11:07PM -0700, Garry Dolley wrote:
 On Sat, May 19, 2012 at 01:54:54AM +0200, Per-Olov Sjöholm wrote:

 I don't have any clues.  I wasn't able to reproduce the problem,
 even though one customer I have who also upgraded experienced this
 behavior.  They did not do a fresh install (that I'm aware), but
 upgraded (similar to you).  I'm not sure what the previous version
 was.  They have one NIC and I believe run amd64.

 The only difference that I can see is that on a fresh 5.1 install,
 there is no issue.  But if you upgrade from a previous release, then
 the issue *might* appear.



 I find it very hard to credit that the network card would behave
 differently in the upgrade and install cases. Both install the
 exact same new kernel, wherein the drivers reside.

  Ken


+1

Per-Olov



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-19 Thread Per-Olov Sjöholm
On 19 May 2012, at 08:11, Garry Dolley gdol...@arpnetworks.com wrote:

 On Sat, May 19, 2012 at 01:54:54AM +0200, Per-Olov Sjöholm wrote:
 On 17 May 2012, at 12:53, Garry Dolley wrote:

 On Thu, May 17, 2012 at 03:19:07AM -0700, Garry Dolley wrote:
 On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
 On 2012-05-11 04:15, Garry Dolley wrote:
 I now have an amd64 test VM set up, where I installed stock 5.0.

 I ran a lot of traffic over em0 without any timeouts.

 That's expected. 5.0 has been running without issue for me for a long
 time.

 I also have been trying several -current kernels.

 As of:

  OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012

 I don't see any em0 timeouts.

 I will continue to try newer ones and report back here...

 Why not just test 5.1? Problems have been reported against 5.1, not
 -current.

 I now have a stock 5.1 test VM set up.

 OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

 I don't see any timeouts.  I grabbed the ports tree via curl several
 times and have been slaving away at it over SSH.  I don't notice
 anything wrong.

 So, perhaps this issue does not appear in stock 5.1, but in a newer
 kernel.  I'll try something newer soon...

 I have tried the following newer kernels:

 bsd.20120330
 bsd.20120419
 bsd.20120427
 bsd.20120516

 I still can't reproduce the problem.

 I have disabled mpbios on all these kernels, forgot to mention that.

 I will leave this be for now; will pick it up again if any new
 information should arise.




 I have a running 4.9 release + patches (i.e. 4.9 stable) working perfectly.
 When updated to 5.1 release + patches I have real problems with watchdog
 timeout resets on my Intel NICs. Same hardware, but just a different OpenBSD
 version.

 I have tried a bunch of kernels from Stuart Henderson (broken after 4.9).
 I have also recompiled the 5.1 stable kernel with most versions of the
 if_em.c driver. I have compiled and tried the following...
 (note that the userland was 5.1 stable with all kernel tests)

 bsd-5.1-stable
 bsd-5.1-stable_plus_if_em.c-1.249
 bsd-5.1-stable_plus_if_em.c-1.250
 bsd-5.1-stable_plus_if_em.c-1.251
 bsd-5.1-stable_plus_if_em.c-1.252
 bsd-5.1-stable_plus_if_em.c-1.253
 bsd-5.1-stable_plus_if_em.c-1.254
 bsd-5.1-stable_plus_if_em.c-1.263

 Watchdog timeout resets on all versions.

 NOTE that the watchdog timeout reset appears in version 1.249 of if_em.c as
 well. And that version is default in 4.9 stable, which works fantastically. So
 if I haven't done anything totally wrong it must be related to something else
 in the kernel. So my NIC hardware and the KVM BIOS are the same. And an
 if_em.c version that works in 4.9 is tried.


 I can see above that you got rid of the problem by testing the same version as
 me... But you use AMD and I use i386.
 Also... I have a firewall with 2 NICs. Often ONE NIC works but the other
 gives watchdog timeout resets and won't work.

 Any clues?

 I don't have any clues.  I wasn't able to reproduce the problem,
 even though one customer I have who also upgraded experienced this
 behavior.  They did not do a fresh install (that I'm aware), but
 upgraded (similar to you).  I'm not sure what the previous version
 was.  They have one NIC and I believe run amd64.

 The only difference that I can see is that on a fresh 5.1 install,
 there is no issue.  But if you upgrade from a previous release, then
 the issue *might* appear.



I have a fresh 5.1 rel plus stable patches. No upgrade...

Per-Olov



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-19 Thread Per-Olov Sjöholm
On 19 May 2012, at 17:58, Garry Dolley gdol...@arpnetworks.com wrote:

 On Sat, May 19, 2012 at 04:40:08PM +0200, Per-Olov Sjöholm wrote:


 On 19 May 2012, at 08:11, Garry Dolley gdol...@arpnetworks.com wrote:

 On Sat, May 19, 2012 at 01:54:54AM +0200, Per-Olov Sjöholm wrote:
 On 17 May 2012, at 12:53, Garry Dolley wrote:

 On Thu, May 17, 2012 at 03:19:07AM -0700, Garry Dolley wrote:
 On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
 On 2012-05-11 04:15, Garry Dolley wrote:
 I now have an amd64 test VM set up, where I installed stock 5.0.

 I ran a lot of traffic over em0 without any timeouts.

 That's expected. 5.0 has been running without issue for me for a long
 time.

 I also have been trying several -current kernels.

 As of:

 OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012

 I don't see any em0 timeouts.

 I will continue to try newer ones and report back here...

 Why not just test 5.1? Problems have been reported against 5.1, not
 -current.

 I now have a stock 5.1 test VM set up.

 OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

 I don't see any timeouts.  I grabbed the ports tree via curl several
 times and have been slaving away at it over SSH.  I don't notice
 anything wrong.

 So, perhaps this issue does not appear in stock 5.1, but in a newer
 kernel.  I'll try something newer soon...

 I have tried the following newer kernels:

 bsd.20120330
 bsd.20120419
 bsd.20120427
 bsd.20120516

 I still can't reproduce the problem.

 I have disabled mpbios on all these kernels, forgot to mention that.

 I will leave this be for now; will pick it up again if any new
 information should arise.




 I have a running 4.9 release + patches (i.e. 4.9 stable) working perfectly.
 When updated to 5.1 release + patches I have real problems with watchdog
 timeout resets on my Intel NICs. Same hardware, but just a different OpenBSD
 version.

 I have tried a bunch of kernels from Stuart Henderson (broken after 4.9).
 I have also recompiled the 5.1 stable kernel with most versions of the
 if_em.c driver. I have compiled and tried the following...
 (note that the userland was 5.1 stable with all kernel tests)

 bsd-5.1-stable
 bsd-5.1-stable_plus_if_em.c-1.249
 bsd-5.1-stable_plus_if_em.c-1.250
 bsd-5.1-stable_plus_if_em.c-1.251
 bsd-5.1-stable_plus_if_em.c-1.252
 bsd-5.1-stable_plus_if_em.c-1.253
 bsd-5.1-stable_plus_if_em.c-1.254
 bsd-5.1-stable_plus_if_em.c-1.263

 Watchdog timeout resets on all versions.

 NOTE that the watchdog timeout reset appears in version 1.249 of if_em.c as
 well. And that version is default in 4.9 stable, which works fantastically. So
 if I haven't done anything totally wrong it must be related to something else
 in the kernel. So my NIC hardware and the KVM BIOS are the same. And an
 if_em.c version that works in 4.9 is tried.


 I can see above that you got rid of the problem by testing the same version as
 me... But you use AMD and I use i386.
 Also... I have a firewall with 2 NICs. Often ONE NIC works but the other
 gives watchdog timeout resets and won't work.

 Any clues?

 I don't have any clues.  I wasn't able to reproduce the problem,
 even though one customer I have who also upgraded experienced this
 behavior.  They did not do a fresh install (that I'm aware), but
 upgraded (similar to you).  I'm not sure what the previous version
 was.  They have one NIC and I believe run amd64.

 The only difference that I can see is that on a fresh 5.1 install,
 there is no issue.  But if you upgrade from a previous release, then
 the issue *might* appear.



 I have a fresh 5.1 rel plus stable patches. No upgrade...

 What happened before you applied the stable patches?  On the fresh
 5.1 release without any changes, that is...


That I have not tried...

Per-Olov



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-18 Thread Per-Olov Sjöholm
On 17 May 2012, at 12:53, Garry Dolley wrote:

 On Thu, May 17, 2012 at 03:19:07AM -0700, Garry Dolley wrote:
 On Fri, May 11, 2012 at 09:13:30AM -0400, Simon Perreault wrote:
 On 2012-05-11 04:15, Garry Dolley wrote:
 I now have an amd64 test VM set up, where I installed stock 5.0.

 I ran a lot of traffic over em0 without any timeouts.

 That's expected. 5.0 has been running without issue for me for a long
time.

 I also have been trying several -current kernels.

 As of:

   OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012

 I don't see any em0 timeouts.

 I will continue to try newer ones and report back here...

 Why not just test 5.1? Problems have been reported against 5.1, not
 -current.

 I now have a stock 5.1 test VM set up.

  OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
  dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

 I don't see any timeouts.  I grabbed the ports tree via curl several
 times and have been slaving away at it over SSH.  I don't notice
 anything wrong.

 So, perhaps this issue does not appear in stock 5.1, but in a newer
 kernel.  I'll try something newer soon...

 I have tried the following newer kernels:

 bsd.20120330
 bsd.20120419
 bsd.20120427
 bsd.20120516

 I still can't reproduce the problem.

 I have disabled mpbios on all these kernels, forgot to mention that.

 I will leave this be for now; will pick it up again if any new
 information should arise.




I have a running 4.9 release + patches (i.e. 4.9 stable) working perfectly. When
updated to 5.1 release + patches I have real problems with watchdog timeout
resets on my Intel NICs. Same hardware, but just a different OpenBSD version.

I have tried a bunch of kernels from Stuart Henderson (broken after 4.9).
I have also recompiled the 5.1 stable kernel with most versions of the
if_em.c driver. I have compiled and tried the following...
(note that the userland was 5.1 stable with all kernel tests)

bsd-5.1-stable
bsd-5.1-stable_plus_if_em.c-1.249
bsd-5.1-stable_plus_if_em.c-1.250
bsd-5.1-stable_plus_if_em.c-1.251
bsd-5.1-stable_plus_if_em.c-1.252
bsd-5.1-stable_plus_if_em.c-1.253
bsd-5.1-stable_plus_if_em.c-1.254
bsd-5.1-stable_plus_if_em.c-1.263

Watchdog timeout resets on all versions.

NOTE that the watchdog timeout reset appears in version 1.249 of if_em.c as
well. And that version is default in 4.9 stable, which works fantastically. So if I
haven't done anything totally wrong it must be related to something else in
the kernel. So my NIC hardware and the KVM BIOS are the same. And an
if_em.c version that works in 4.9 is tried.


I can see above that you got rid of the problem by testing the same version as
me... But you use AMD and I use i386.
Also... I have a firewall with 2 NICs. Often ONE NIC works but the other
gives watchdog timeout resets and won't work.

Any clues?


Tnx

Per-Olov



Re: bnx support

2012-05-16 Thread Per-Olov Sjöholm
On 16 May 2012, at 01:42, Brad Smith wrote:

 On 15/05/12 5:44 PM, Per-Olov Sjöholm wrote:
 Hi

 Looking at the man page for em and bnx drivers

 On em I can read it supports jumbo frames. But the bnx man page says nothing
 about this. Does it mean it's just missing in the man page or is it the fact
 that bnx won't support jumbo frames?

 The hardware is capable. The driver currently does not have support.

 A diff was posted but it has not been committed yet. Any further testing
 would be useful.

 http://marc.info/?l=openbsd-tech&m=133160147815932&w=2



Ok thanks for the info

I'll download it and hopefully can test it


/Per-Olov



bnx support

2012-05-15 Thread Per-Olov Sjöholm
Hi

Looking at the man page for em and bnx drivers

On em I can read it supports jumbo frames. But the bnx man page says nothing
about this. Does it mean it's just missing in the man page or is it the fact
that bnx won't support jumbo frames?



Tnx
Per-Olov



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-11 Thread Per-Olov Sjöholm
On 11 May 2012, at 11:16, Stuart Henderson wrote:

 On 2012/05/11 01:15, Garry Dolley wrote:
 On Thu, May 10, 2012 at 03:31:27PM +0100, Stuart Henderson wrote:
 In gmane.os.openbsd.misc, Garry Dolley wrote:
 On Tue, May 08, 2012 at 07:58:30PM -0400, Simon Perreault wrote:
 On 2012-05-08 19:08, Per-Olov Sjöholm wrote:
 It says em1: watchdog timeout -- resetting

 aol
 I saw the same on an amd64 VPS from arpnetworks.com. Network was not
 functional. Backed out. Did not investigate further.
 /aol

 Simon

 I had another customer on amd64 report this problem today.  Not sure
 what the solution is.  I'm recommending either downgrade to 5.0 or
 use i386 arch for now.

 If possible, tracking down the commit which broke it, or at least
 narrow it to a reasonably small date range, would help. I have
 an archive of snapshot kernels if you want to work through them
 rather than cvs checkouts, contact me if you'd like access to them.

 Guys,

 I now have an amd64 test VM set up, where I installed stock 5.0.

 I ran a lot of traffic over em0 without any timeouts.

 I also have been trying several -current kernels.

 As of:

  OpenBSD 5.1-current (GENERIC) #205: Wed Mar 28 21:40:45 MDT 2012

 I don't see any em0 timeouts.

 I will continue to try newer ones and report back here...

 Hmm - Mar 28 is already after 5.1 was released.

 Could somebody seeing the problem (sperreault?) please send a
 dmesg from a kernel showing the problem?



Hi Stuart

Here is a dmesg on 4.9 where it's working and on 5.1 when it's not working.

http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/

Note that both are virtual OpenBSDs running on the exact same KVM host version
and use the same BIOS etc.

Regards
P-O
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4



Re: Watchdog timeout reset in 5.1 on intel nic:s

2012-05-10 Thread Per-Olov Sjöholm
On 10 May 2012, at 19:18, mxb wrote:

 On 05/10/2012 09:14 AM, Garry Dolley wrote:

 On Tue, May 08, 2012 at 07:58:30PM -0400, Simon Perreault wrote:
 On 2012-05-08 19:08, Per-Olov Sjöholm wrote:
 It says em1: watchdog timeout -- resetting

 aol
 I saw the same on an amd64 VPS from arpnetworks.com. Network was not
 functional. Backed out. Did not investigate further.
 /aol

 Simon

 I had another customer on amd64 report this problem today.  Not sure
 what the solution is.  I'm recommending either downgrade to 5.0 or
 use i386 arch for now.



 I see this on 5.0-stable as well (one so far).

 //maxim



Ok, something must have happened since 4.9.

My virtual OpenBSD 4.9 runs perfectly. When trying 5.1 I use the same physical
NICs and the same KVM host and version (i.e. same BIOS etc).

Could it be the em driver or the kernel itself?

I will go through the em cvs... Hm. Could version 1.262 from
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_em.c be related to
this issue?


Tnx
Peo

--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4




Watchdog timeout reset in 5.1 on intel nic:s

2012-05-08 Thread Per-Olov Sjöholm
Hi

I have an OpenBSD 4.9 i386 stable (patched to Aug 19 2011) running as a virtual
machine in KVM with VT-d (PCI passthrough by using pci-stub) for two Intel NICs.
It's running flawlessly. The KVM host (fully patched Red Hat 6.2) has two extra
Intel PRO/1000 MT (82574L) that are given out to the OpenBSD virtual host.
The OpenBSD virtual host sees and uses the physical NICs directly. As said,
it runs flawlessly.

The working solution's dmesg can be seen here:
http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/dmesg-4.9i386-stable+patches-to-20110819_running_in_KVM.txt



Now... I wanted to upgrade to OpenBSD 5.1. I installed a new virtual OpenBSD
5.1 i386 stable. I patched it to May 8 2012. When I run it, I cannot get any
traffic through it and the console says what can be seen here in this png
screenshot...
http://www.incedo.eu/~sjoholmp/misc_internet_links/timer_problem_openbsd/KVM_Screenshot_5.1_stable+patches-to-may-8-2012.png

It says em1: watchdog timeout -- resetting

More info...
- mpbios is disabled on both OpenBSD installations as the KVM shutdown won't
work on the virtual host otherwise...
- Uses the uniprocessor kernel as I have measured it gives better throughput than
MP



Any suggestions of where to look for a possible solution would be very much
appreciated.


Tnx in advance
P-O



Re: Expected throughput in an OpenBSD virtual server

2011-08-24 Thread Per-Olov Sjöholm
On 24 aug 2011, at 12:01, Patrick Lamaiziere wrote:
 On Tue, 23 Aug 2011 19:21:32 +0200,
 Per-Olov Sjöholm p...@incedo.org wrote:

 Hello,

 Here we reach 400 MBits/s with a CPU rate ~70% but we
 run OpenBSD 4.9.

 How fast is your CPU ?

 cpu0: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2261.30 MHz
 It's a Dell R610 with 4GB RAM.



Maybe that is normal then (if we have similar quality of NICs, tuning and RAM)
that I reach 400Mbit at 100% with one dedicated Xeon 5504 2GHz core.
(I have two Intel(R) Xeon(R) CPU E5504 @ 2.00GHz stepping 05)

You run on a physical server, right? As I run on a virtual server with near
similar performance and a slower CPU it seems I have very good performance.
It's hard for me to try faster CPUs just for fun as they are VERY expensive
with faster ones...

/Per-Olov



Re: Expected throughput in an OpenBSD virtual server

2011-08-24 Thread Per-Olov Sjöholm
On 23 aug 2011, at 19:30, Tomas Bodzar wrote:
 On Tue, Aug 23, 2011 at 7:21 PM, Per-Olov Sjöholm p...@incedo.org wrote:
 On 23 aug 2011, at 10:54, Patrick Lamaiziere wrote:
 On Mon, 22 Aug 2011 22:49:47 +0200,
 Per-Olov Sjöholm p...@incedo.org wrote:

 Hello,
 Have not tried current, but will try current as soon as I can.
 Also... I will try to do some experiments with the CPU speed of the core
 the OpenBSD virtual machine has. This to see how the interrupts and
 throughput are related to the CPU speed of the allocated core.

 It would be nice to know if current is better with Intel em(4) cards.
 because of this commit : http://freshbsd.org/2011/04/13/00/19/01

 Here we reach 400 MBits/s with a CPU rate ~70% but we
 run OpenBSD 4.9.

 Regards.



 How fast is your CPU ?

 Yes, I can see the 1.254 commit with this came in after the 4.9 release that
 I use. I can try to see if I can measure any performance gain with this
 update.

 I will try this from aug 17...
 http://ftp.sunet.se/pub/os/OpenBSD/snapshots/i386/install50.iso

 Can't see that mirror here http://www.openbsd.org/ftp.html , it's
 better to use something more official


 I'll get back

 [ YES !! More fun tests :D ]

 Regards
 Per-Olov





Have tried it now... I tried the 5.0 snapshot from aug 17 with the improved em
driver. Also tested with more allocated cores and the SMP kernel.

Result on 5.0 snapshot with improved em driver:

- SMP
worse. Really sucks! _Dramatically_ reduced throughput.

- One processor core (as most of my tests have used)
An improvement, but very little. Maybe 10% better


/Per-Olov



check status of mpbios

2011-08-24 Thread Per-Olov Sjöholm
Hi

Is there a way to check the status of whether mpbios is enabled or disabled? I
checked man config, and tried find and list in UKC.
This is seen in a dmesg, but it doesn't say if it's enabled or not...

--snip--
root@xanadu:~#dmesg |grep -i mpbios
mpbios0 at bios0: Intel MP Specification 1.4
mpbios0: bus 0 is type PCI
mpbios0: bus 1 is type ISA
root@xanadu:~#
--snip--


Can mpbios on or off affect network performance, as mpbios plays with
interrupts? Or is it only related to the assignment? If so... If the system
works without it (i.e. mpbios disabled), are there any drawbacks to having it
disabled if the system works ok with AND without it?



/Per-Olov



Re: Expected throughput in an OpenBSD virtual server

2011-08-24 Thread Per-Olov Sjöholm
On 24 aug 2011, at 19:13, Tomas Bodzar wrote:
 On Wed, Aug 24, 2011 at 7:00 PM, Per-Olov Sjöholm p...@incedo.org wrote:
 On 23 aug 2011, at 19:30, Tomas Bodzar wrote:
 On Tue, Aug 23, 2011 at 7:21 PM, Per-Olov Sjöholm p...@incedo.org wrote:
 On 23 aug 2011, at 10:54, Patrick Lamaiziere wrote:
 On Mon, 22 Aug 2011 22:49:47 +0200,
 Per-Olov Sjöholm p...@incedo.org wrote:

 Hello,
 Have not tried current, but will try current as soon as I can.
 Also... I will try to do some experiments with the CPU speed of the core
 the OpenBSD virtual machine has. This to see how the interrupts and
 throughput are related to the CPU speed of the allocated core.

 It would be nice to know if current is better with Intel em(4) cards.
 because of this commit : http://freshbsd.org/2011/04/13/00/19/01

 Here we reach 400 MBits/s with a CPU rate ~70% but we
 run OpenBSD 4.9.

 Regards.



 How fast is your CPU ?

 Yes, I can see the 1.254 commit with this came in after the 4.9 release that
 I use. I can try to see if I can measure any performance gain with this
 update.

 I will try this from aug 17...
 http://ftp.sunet.se/pub/os/OpenBSD/snapshots/i386/install50.iso

 Can't see that mirror here http://www.openbsd.org/ftp.html , it's
 better to use something more official


 I'll get back

 [ YES !! More fun tests :D ]

 Regards
 Per-Olov





 Have tried it now... I tried the 5.0 snapshot from aug 17 with the improved
 em driver. Also tested with more allocated cores and the SMP kernel.

 Result on 5.0 snapshot with improved em driver:

 - SMP
 worse. Really sucks! _Dramatically_ reduced throughput.

 Will be fine to see systat ; systat mbufs ; netstat -m ; vmstat -i and
 compare them with previous version. Including dmesg (if something
 changed in dmesg)


 - One processor core (as most of my tests have used)
 An improvement, but very little. Maybe 10% better

 As stated in some of the links and posts sent to you - SMP doesn't offer
 better throughput/speed automatically. You need to test on i386
 non-SMP/SMP and amd64 non-SMP/SMP to see what's best.



 /Per-Olov





YES, YES and YES again !!!

I have made a huge mistake during my tests. Too much kernel copying... The
result was that the kernel with disabled mpbios was /bsd.old. Very
embarrassing.

I now have a throughput of no less than 560Mbit/s. And that is through the
VIRTUAL firewall with more than 50% IDLE CPU. Y e e e e e e s s ! How is that
really possible? But it is...

### Summary: ###
- KVM virtualized STOCK OpenBSD 4.9 + stable updates + sysctl.conf tuning +
disabled mpbios, running the uniprocessor kernel
- 324-row PF ruleset
- 2 Intel PRO/1000 MT (82574L) desktop NICs used through PCI passthrough
from the KVM virtualization host
- OpenBSD has got 512MB RAM, one CPU core from the host (Xeon 5504 2.0GHz)

Test:
An SCP with the crypto overhead (default crypto) you get from a 64-bit
SuSE Linux through the firewall to my MacBook Pro (quad-core i7 2.2GHz, 8GB RAM,
OCZ-Vertex 3 SSD disk). Several tests with DVD ISO files between 3-6 GB in
size. 540Mbit was the _lowest_ average speed in the test and 560Mbit/s was
the highest.
#


I am really satisfied with this. I was going to test FreeBSD 9 beta with its
PF 4.5 just for fun. But I will skip that since the results ended up this
good.


OpenBSD really does perform V E R Y well in this area.


Per-Olov



Re: Expected throughput in an OpenBSD virtual server

2011-08-23 Thread Per-Olov Sjöholm
On 23 aug 2011, at 01:32, john slee wrote:
 On 22 August 2011 23:45, Per-Olov Sjöholm p...@incedo.org wrote:
 As http://www.openbsd.org/faq/faq6.html states, there's little you can
 tweak
 to improve your numbers; just get a nice-clocked, good cache-sized CPU and
 give it some loving.

 The FAQ you refer to seems to be of no use at all and is totally unrelated
 to
 this post.

 It is quite pertinent, actually. See the beginning of section 6.6;

 http://www.openbsd.org/faq/faq6.html#Tuning

 John



If you would please explain how baddynamic and avoiding certain ports will
affect what we are talking about...

Naaahh, let's forget that section

/Per-Olov



Re: Expected throughput in an OpenBSD virtual server

2011-08-23 Thread Per-Olov Sjöholm
On 23 aug 2011, at 10:54, Patrick Lamaiziere wrote:
 On Mon, 22 Aug 2011 22:49:47 +0200,
 Per-Olov Sjöholm p...@incedo.org wrote:

 Hello,
 Have not tried current, but will try current as soon as I can.
 Also... I will try to do some experiments with the CPU speed of the core
 the OpenBSD virtual machine has. This to see how the interrupts and
 throughput are related to the CPU speed of the allocated core.

 It would be nice to know if current is better with Intel em(4) cards.
 because of this commit : http://freshbsd.org/2011/04/13/00/19/01

 Here we reach 400 MBits/s with a CPU rate ~70% but we
 run OpenBSD 4.9.

 Regards.



How fast is your CPU?

Yes, I can see the 1.254 commit with this came in after the 4.9 release that I
use. I can try to see if I can measure any performance gain with this update.

I will try this from aug 17...
http://ftp.sunet.se/pub/os/OpenBSD/snapshots/i386/install50.iso

I'll get back

[ YES !! More fun tests :D ]

Regards
Per-Olov



Re: Expected throughput in an OpenBSD virtual server

2011-08-22 Thread Per-Olov Sjöholm
On 22 aug 2011, at 07:45, Tomas Bodzar wrote:
 Try OpenBSD outside of KVM on real HW and you will see where's the
 bottleneck. Anyway getting 400Mbit/s under virtualization seems pretty
 fine or try to compare with OpenBSD running in VMware as there's fine
 support for that use.

 Of course security is around zero in this scenario, but as you said
 you're doing it for fun :-)

 On Mon, Aug 22, 2011 at 2:03 AM, Per-Olov Sjöholm p...@incedo.org wrote:
 Hi Misc

 # Background #

 I have done some fun experiments with a virtual fully patched OpenBSD 4.9
 firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The virtual
 OpenBSD got 512MB RAM and one core from a system with two quad-core Xeon 5504
 (2GHz) sitting in a Dell T410 Tower Server. I have given the OpenBSD FW 2
 dedicated Intel PRO/1000 MT (82574L) physical NICs via PCI passthrough. So
 OpenBSD sees and uses the real NICs (they are then unusable to Linux as they
 are unbound).

 I have not measured packets per second, which of course is more relevant. But
 as I try to tweak the speed I don't care if I measure packets or Mbits as long
 as my tweaks give a higher value during the next test. Going in on one
 physical NIC and out on the other with my small ruleset that uses keep state
 everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
 (I copy large files, a few Gig each). I started with a lower value and after a
 few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
 I can see that the interrupts in the firewall simply eat all resources. Have
 no ip.ifq.drops or any other drops that I am aware of...


 # Question #

 I now simply wonder if I can increase this speed. I did one test and
 replaced these two physical desktop Intel NICs with a dual port server adapter
 (also Intel, 82546GB). I was interested to see if a dual port, more expensive,
 server adapter could lower my interrupt load. However... OpenBSD yelled
 something about being unable to reset the PCI device. So I went back to these two
 desktop adapters. These low-price desktop adapters however, in an Intel i7
 desktop workstation, download over SMB from my server at 119 Mbyte/s and fill
 up the Gig pipe. So they cannot be too bad...


 As PF cannot use SMP, is the only way to bump up the firewall throughput (in
 this scenario) to increase the speed of the processor core (i.e. change
 server)? Or are there any other interesting configs to try?


 Regards

 /Per-Olov
 --
 GPG keyID: 5231C0C4
 GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
 GPG key:
 http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4





Plz, don't top post

VMware is commercial software = avoid if I can. Also, Linux guests with virtio
drivers give much better performance on the same hardware if using KVM
instead of VMware. Also, no need for VMware tools as everything is in the stock
Linux kernel.

I cannot at this time give a fair test running it on the same hardware but as
a physical server instead of a virtual one. This is because the KVM host runs 10 other
servers. I have however tested OpenBSD on other hardware, which ended up
with similar performance. That was on a physical box with Gig Intel NICs
(82541 cards) but on a weak quad-core Intel Atom 1.6GHz processor running the
SMP kernel. At the bottleneck speed there were 100% interrupts at around
400Mbit (same tested files and protocols to be able to give a fair
comparison). Maybe the Intel Atom 1.6 can be compared to a Xeon 5504 core at
2GHz??? I am not a processor guru. Anyone??


Regarding security, which you say is around zero. Yes, this is an experiment.
But maybe you should say increased risk, which is a fairer statement. I have
not heard of anyone that managed to hack a scenario like this in VMware or
KVM. Also note that the host OS itself in my case cannot even see these
devices as they are unbound. From my point of view it's like the race on WiFi
where people say you should use WPA2 with AES to be secure. But the real fact
is that standard old WPA without AES and with a reasonable key length (20+
chars) has not been broken by anyone in the world yet (that we know of). One
person claims he managed to break a part of it in a lab. So... WPA = secure,
better performance and better compatibility. If I was NASA or DoD I would
probably avoid WPA as someone someday of course will break it, otherwise
not...



So the question remains. Is it likely that a faster CPU core will give better
performance (not that I need it, just doing some experiments here)? Is a
faster CPU the best / only way to increase throughput? Of course we assume the
OS tweaks are ok and that reasonable NICs are used. Is there a plan to change
the interrupt handling model in OpenBSD to device polling in future releases?




Plz don't make this thread a security one from now on, as this is not the main
purpose.


/Per-Olov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: Expected throughput in an OpenBSD virtual server

2011-08-22 Thread Per-Olov Sjöholm
On 22 aug 2011, at 12:09, Daniel Gracia wrote:
 AFAIK, OpenBSD kernel is not designed accounting for any form of
virtualization toy, so don't even try figuring performance numbers out of it.
These will be plain wrong.

 As http://www.openbsd.org/faq/faq6.html states, there's little you can tweak
to improve your numbers; just get a nice-clocked, good cache-sized CPU and
give it some loving.

 If OBSD doesn't satisfy you as is, recode it or stay apart, as you like.

 Good luck!

 On 22/08/2011 2:03, Per-Olov Sjöholm wrote:
 Hi Misc

 # Background #

 I have done some fun laborations with a virtual fully patched OpenBSD 4.9
 firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The Virtual
 OpenBSD got 512MB RAM and one core from a system with two quadcore Xeon 5504
 (2Ghz) sitting in a Dell T410 Tower Server. I have given the OpenBSD FW 2
 dedicated Intel PRO/1000 MT (82574L) physical nic:s via PCI passthrough. So
 OpenBSD sees and uses the real nic:s (they are then unusable to Linux as they
 are unbound).

 I have not measured packets per second which of course is more relevant. But
 as I try to tweak the speed I don't care if I measure packets or Mbits as long
 as my tweaks give a higher value during the next test. Going in on one
 physical nic and out on the other with my small ruleset that uses keep state
 everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
 (I copy large files, a few Gig each). I started with a lower value and after a
 few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
 I can see that the interrupts in the firewall simply eat all resources. Have
 no ip.ifq.drops or any other drops that I am aware of...


 # Question #

 I now simply wonder if I can increase this speed. I did one test and
 replaced these two physical desktop Intel Nics with a dual port server adapter
 (also Intel, 82546GB). I was interested to see if a dual port, more expensive,
 server adapter could lower my interrupt load. However... OpenBSD yelled
 something about unable to reset PCI device. So I went back to these two
 desktop adapters. These low price desktop adapters however in an Intel i7
 desktop workstation download over SMB from my server at 119 Mbyte/s and fill
 up the Gig pipe. So they cannot be too bad...


 As PF cannot use SMP, is the only way to bump up the firewall throughput (in
 this scenario) to increase the speed of the processor core (i.e. change
 server)? Or are there any other interesting configs to try?


 Regards

 /Per-Olov
 --
 GPG keyID: 5231C0C4
 GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
 GPG key: http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4




  AFAIK, OpenBSD kernel is not designed accounting for any form of
virtualization toy, so don't even try figuring performance numbers out of it.
These will be plain wrong.

Why is that? The speed so far seems good enough for a virtual fw with this
2Ghz CPU core. No matter if you use a virtual or physical server, you always
want to get the most out of it. I do NOT compare with a physical server at
all. I want to try to maximize the throughput and see what I can get out of it
as a virtual FW test. The same applies if you use a physical server. You can
hit the limit and get 100% interrupts with both a physical and virtual server,
right? I didn't ask for a comparison with a physical server... I asked what I
can do more with it under these circumstances...


 As http://www.openbsd.org/faq/faq6.html states, there's little you can tweak
to improve your numbers; just get a nice-clocked, good cache-sized CPU and
give it some loving.

The FAQ you refer to seems to be of no use at all and is totally unrelated to
this post.



But if you can give hints of how to decrease the interrupt load I am all ears.
As I see it, if the interrupt handling model in OpenBSD would change to a
polling one you could maybe increase the throughput at the same processor speed
(just me guessing though). But now the fact is that it is not polling. So what
can I do with what we have?

Is pure cpu speed the only way? Or is it possible to decrease the interrupt
load with even better NIC:s?


Regards
/Per-Olov



Re: Expected throughput in an OpenBSD virtual server

2011-08-22 Thread Per-Olov Sjöholm
On 22 aug 2011, at 22:04, Stuart Henderson wrote:
 But if you can give hints of how to decrease the interrupt load I am all
 ears.
 As I see it, if the interrupt handling model in OpenBSD would change to a
 polling one you could maybe increase the throughput at the same processor
 speed (just me guessing though). But now the fact is that it is not polling.
 So what can I do with what we have?

 polling is one mechanism to ensure you aren't handling interrupts all the
 time, so you can ensure userland remains responsive even when the machine
is
 under heavy network load. OpenBSD has another way to handle this, MCLGETI.


With polling if I get it right the context switch overhead is mostly avoided
because the system can choose to look at the device when it is already in the
right context. The drawback could be increased latency in processing events
in a polling model. But according to what I have read, the latency is reduced
to very low values by raising the clock interrupt frequency. They say
polling is better from an OS time spent on device control perspective. Note
that I am not a pro in this area, but will for sure look deeper...

MCLGETI ?? Is it in if_em.c if I want to see how it is implemented?


 Is pure cpu speed the only way? Or is it possible to decrease the
interrupt
 load with even better NIC:s?

 here are some things that might help:

 - faster cpu
 - larger cpu cache
 - faster ram
 - reduce overheads (things like switching VM context while handling
 packets is not going to help matters)
 - improving code efficiency

 have you tried -current?




I tried to share and use the same interrupt for my network ports as I have a
guess it could be a boost, but the BIOS did not want what I wanted.
Interrupts could be shared, but not between the ports I wanted. I simply did
not understand the interrupt allocation scheme in my Dell T410 tower server.

Have not tried current, but will try current as soon as I can. Also... I will
try to do some laborations with CPU speed of the core the OpenBSD virtual
machine has. This to see how the interrupts and throughput are related to the
CPU speed of the allocated core.


Tnx

/Per-Olov


GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: Expected throughput in an OpenBSD virtual server

2011-08-22 Thread Per-Olov Sjöholm
On 22 aug 2011, at 23:28, Claudio Jeker wrote:
 On Mon, Aug 22, 2011 at 10:49:47PM +0200, Per-Olov Sjöholm wrote:
 On 22 aug 2011, at 22:04, Stuart Henderson wrote:
 But if you can give hints of how to decrease the interrupt load I am all
 ears.
 As I see it, if the interrupt handling model in OpenBSD would change to a
 polling one you could maybe increase the throughput at the same processor
 speed (just me guessing though). But now the fact is that it is not polling.
 So what can I do with what we have?

 polling is one mechanism to ensure you aren't handling interrupts all the
 time, so you can ensure userland remains responsive even when the machine
 is
 under heavy network load. OpenBSD has another way to handle this,
MCLGETI.


 With polling if I get it right the context switch overhead is mostly
 avoided because the system can choose to look at the device when it is
 already in the right context. The drawback could be increased latency in
 processing events in a polling model. But according to what I have read,
 the latency is reduced to very low values by raising the clock interrupt
 frequency. They say polling is better from an OS time spent on device
 control perspective. Note that I am not a pro in this area, but will for
 sure look deeper...

 Polling only works reliably at insane HZ settings which will cause other
 issues at other places (some obvious some not so obvious). In the end
 polling is a poor man's interrupt mitigation (which is also enabled on
 em(4) btw.) since instead of using the interrupt of the network card you
 use the interrupt of the clock to process the DMA rings. Polling does not
 gain you much on good modern HW.

 MCLGETI ?? Is it in if_em.c if I want to see how it is implemented?


 Yes. em(4) has MCLGETI().


 Is pure cpu speed the only way? Or is it possible to decrease the
 interrupt
 load with even better NIC:s?

 here are some things that might help:

 - faster cpu
 - larger cpu cache
 - faster ram
 - reduce overheads (things like switching VM context while handling
 packets is not going to help matters)
 - improving code efficiency

 have you tried -current?




 I tried to share and use the same interrupt for my network ports as I have
 a guess it could be a boost, but the BIOS did not want what I wanted.
 Interrupts could be shared, but not between the ports I wanted. I simply
 did not understand the interrupt allocation scheme in my Dell T410 tower
 server.

 Have not tried current, but will try current as soon as I can. Also... I
 will try to do some laborations with CPU speed of the core the OpenBSD
 virtual machine has. This to see how the interrupts and throughput are
 related to the CPU speed of the allocated core.


 Also make sure that the guest can actually access the physical HW directly
 without any virtualisation in between. In the end real HW is going to have
 less overhead and will be faster than a VM solution.



--snip--
The KVM hypervisor supports attaching PCI devices on the host system to
virtualized guests. PCI passthrough allows guests to have exclusive access to
PCI devices for a range of tasks. PCI passthrough allows PCI devices to appear
and behave as if they were physically attached to the guest operating system.
--snip--
From:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Virtualization_Guide/chap-Virtualization-PCI_passthrough.html


The link above doesn't say anything about performance loss though of doing PCI
passthrough. But OpenBSD indeed sees and uses the correct real physical
NIC:s. I am of course _very_ interested in testing by installing OpenBSD
directly on the hardware. But I cannot do that at this time. This is what
OpenBSD sees..
--snip--
em0 at pci0 dev 4 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: apic 1 int 11 (irq 11), address 00:1b:21:c2:8a:b0
em1 at pci0 dev 5 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: apic 1 int 10 (irq 10), address 00:1b:21:bf:76:77
--snip--
The MAC:s are these adapters real MAC:s. When used in OpenBSD these adapters
are totally unbound in Linux and cannot be seen or used.

This virtual fully patched OpenBSD 4.9 has got one (of total eight) Xeon 5504
2Ghz core, 512MB RAM and the above NIC:s and some raised values in sysctl. It
(as said earlier) gives about max 400Mbit throughput with a small ruleset that
keeps state everywhere. Have tested with NFS, AFP, SCP, SMB and with different
created 2GB ISO:s. All protocols give near the same result (AFP performs
best). Another physical server with a 1.6 Ghz Intel Atom with Intel Gig cards
(not the same cards) performs similar (a little lower though) and maxes out at
near the same speed. When these systems (both the physical and the virtual)
max out, the interrupts eat 100%. Removing the firewall the file transfer gives
119 Mbyte/s and maxes out the Gigabit pipe.

These measurements (i.e comparison with the physical server) make me believe
that the virtualization is not that bad. At least not from a performance
perspective. A 

Expected throughput in an OpenBSD virtual server

2011-08-21 Thread Per-Olov Sjöholm
Hi Misc

# Background #

I have done some fun laborations with a virtual fully patched OpenBSD 4.9
firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The Virtual
OpenBSD got 512MB RAM and one core from a system with two quadcore Xeon 5504
(2Ghz) sitting in a Dell T410 Tower Server. I have given the OpenBSD FW 2
dedicated Intel PRO/1000 MT (82574L) physical nic:s via PCI passthrough. So
OpenBSD sees and uses the real nic:s (they are then unusable to Linux as they
are unbound).

I have not measured packets per second which of course is more relevant. But
as I try to tweak the speed I don't care if I measure packets or Mbits as long
as my tweaks give a higher value during the next test. Going in on one
physical nic and out on the other with my small ruleset that uses keep state
everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
(I copy large files, a few Gig each). I started with a lower value and after a
few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
I can see that the interrupts in the firewall simply eat all resources. Have
no ip.ifq.drops or any other drops that I am aware of...


# Question #

I now simply wonder if I can increase this speed. I did one test and
replaced these two physical desktop Intel Nics with a dual port server adapter
(also Intel, 82546GB). I was interested to see if a dual port, more expensive,
server adapter could lower my interrupt load. However... OpenBSD yelled
something about unable to reset PCI device. So I went back to these two
desktop adapters. These low price desktop adapters however in an Intel i7
desktop workstation download over SMB from my server at 119 Mbyte/s and fill
up the Gig pipe. So they cannot be too bad...


As PF cannot use SMP, is the only way to bump up the firewall throughput (in
this scenario) to increase the speed of the processor core (i.e. change
server)? Or are there any other interesting configs to try?


Regards

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4



DHCP client question. bug ?

2011-05-10 Thread Per-Olov Sjöholm
Hi misc

I think there maybe is a bug in the dhcp client. I am not sure but will ask
the list...

I have had the following:
em0: lan static IP
em1: internet interface with static IP
a default route to the ISP is in mygate

I had to add a dhcp interface to this
This means I added dhcp to the hostname.bge0 interface

When I got the IP from the dhcp config on the bge0 interface it destroyed the
mygate and resolv.conf files and the default gateway was now going over to the
bge0 instead (expected though)...

I then changed the dhclient.conf to just contain the bge0 interface and the
row:
request subnet-mask;

This looks good as I want ONLY the IP and MASK from the DHCP-server and not
the gw and dns servers. However with this config the default gateway is
removed but not replaced with the gateway from the dhcp.


Question:
Why is the default gateway destroyed by the dhcp config?

This system uses OpenBSD 4.6 stable

Tnx in advance

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: 4.7 PF match problem

2010-09-13 Thread Per-Olov Sjöholm
On 12 sep 2010, at 00.39, Per-Olov Sjöholm wrote:

 On 11 sep 2010, at 23.49, Per-Olov Sjöholm wrote:


 On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:

 Per-Olov Sjöholm p...@incedo.org writes:

 It seems the first one is unable to convert as it seems no match in on...
 does not work.

 Off the top of my head, move the rdr-to bits to your pass rules, make
 sure the pass rule without the rdr-to is either the last or a
 quick. Or use a negation in the criteria for your match rule.  Hard to
 be more specific without the full rule set.

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



 Here is some more info from the rule set...

 I for sure try to find the easiest no rdr statement replacement to what I
 had in 4.6. Maybe a mix of sticky match rules in match statements and pass
 statements with rdr-to in them will do the trick. However. I try to replace
 the earlier no rdr with a negated match rule. It seems I miss something here
 or it's simply not possible to achieve anymore. At least it seems to be a
 problem to replace the earlier rdr rules from 4.6 with just drop in match
 statements. Am I *forced* to mix also pass rules with rdr-to in them?
 Below is the spec of the problem. Switching directly to 4.7 breaks FTP if I
 cannot easily solve the no rdr problem.




 ---#--- This is what I have in rc.conf.local ---#---
 r...@xanadu:~# more /etc/rc.conf.local
 named_flags=""          # for normal use: ""
 pf=YES                  # Packet filter / NAT
 sshd_flags="-4"         # for normal use: ""
 dhcpd_flags="vlan2"     # for normal use: ""
 ntpd_flags=""           # for normal use: ""
 ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"   # for normal use: ""



 ---#--- For the case relevant stuff cut out from pf.conf in 4.6
---#---

 nat-anchor "ftp-proxy/*"
 nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
 rdr-anchor "ftp-proxy/*"

 nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
 nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
 nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1

 no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
 rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO

 pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state

 pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
 pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

 pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


 ---#--- I translated this to the following in 4.7---#---

 anchor "ftp-proxy/*"
 match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
 #rdr-anchor "ftp-proxy/*"

 match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
 match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
 match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

 # no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
 # PROBLEM TO TRANSLATE THE ABOVE ROW

 # rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
 match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

 pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state

 pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
 pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

 pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)




 Everything works except the FTP service on my RFC1918 DMZ.


 Suggestions very much appreciated.
 (Using just match rules instead of pass rules with rdr-to if possible)


 /Peo
 --
 GPG keyID: 5231C0C4
 GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
 GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



 Sorry... Forgot that I had this rule as well that is involved...

 pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port { 21 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


 That is the reason I don't want a no-rdr for port 21 to INTERNET_IP2 so
it
 terminates in the firewall with the 
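
One way to express the 4.6 "no rdr" exception in 4.7 match syntax, following Peter Hansteen's suggestion of a negated criterion: the port-21 exception becomes `port != 21` on the TCP rdr-to rule, so TCP/21 to the public address is never redirected and stays on the firewall where ftp-proxy listens. This is an added example, not a ruleset from the thread; the interface name, the address values and the bad_hosts table definition are assumptions, the macro names and the ftp-proxy flags are the ones from the posts above.

```pf
# Added example, not part of the thread. Macro names follow the thread;
# the interface name, the addresses and the table definition are assumed.
INTERNET_INT = "em1"
INTERNET_INT_IP2 = "82.82.222.222"
DMZ1_ORIGO = "192.168.2.35"

table <bad_hosts> persist

# ftp-proxy runs in reverse mode on the firewall
# (ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222" in rc.conf.local)
# and installs its own data-connection rules through this anchor.
anchor "ftp-proxy/*"

# Outbound NAT for the DMZ host, as in the thread.
match out on $INTERNET_INT inet from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2

# 4.6 had:
#   no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
#   rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
# 4.7 has no "no match"; the exception is folded into the rdr-to rule as a
# negated port, so TCP/21 is simply never matched by any rdr-to.
match in on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port != 21 rdr-to $DMZ1_ORIGO
match in on $INTERNET_INT inet proto udp from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

# Filter rules. After a match rdr-to, pass rules see the translated
# destination, so the DMZ services are passed to $DMZ1_ORIGO while port 21
# to the public address terminates at ftp-proxy on the firewall itself.
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port 21 \
    flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, \
    max-src-conn-rate 20/30, overload <bad_hosts> flush global)
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 143 993 } \
    flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, \
    max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# Parse-check without loading: pfctl -nf /etc/pf.conf
```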

Re: 4.7 PF match problem

2010-09-11 Thread Per-Olov Sjöholm
On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:

 Per-Olov Sjöholm p...@incedo.org writes:

 It seems the first one is unable to convert as it seems no match in on...
 does not work.

 Off the top of my head, move the rdr-to bits to your pass rules, make
 sure the pass rule without the rdr-to is either the last or a
 quick. Or use a negation in the criteria for your match rule.  Hard to
 be more specific without the full rule set.

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Here is some more info from the rule set...

I for sure try to find the easiest no rdr statement replacement to what I
had in 4.6. Maybe a mix of sticky match rules in match statements and pass
statements with rdr-to in them will do the trick. However. I try to replace
the earlier no rdr with a negated match rule. It seems I miss something here
or it's simply not possible to achieve anymore. At least it seems to be a
problem to replace the earlier rdr rules from 4.6 with just drop in match
statements. Am I *forced* to mix also pass rules with rdr-to in them?
Below is the spec of the problem. Switching directly to 4.7 breaks FTP if I
cannot easily solve the no rdr problem.




---#--- This is what I have in rc.conf.local ---#---
r...@xanadu:~# more /etc/rc.conf.local
named_flags=""          # for normal use: ""
pf=YES                  # Packet filter / NAT
sshd_flags="-4"         # for normal use: ""
dhcpd_flags="vlan2"     # for normal use: ""
ntpd_flags=""           # for normal use: ""
ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"   # for normal use: ""



---#--- For the case relevant stuff cut out from pf.conf in 4.6 ---#---

nat-anchor "ftp-proxy/*"
nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
rdr-anchor "ftp-proxy/*"

nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1

no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state

pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


---#--- I translated this to the following in 4.7---#---

anchor "ftp-proxy/*"
match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
#rdr-anchor "ftp-proxy/*"

match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

# no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
# PROBLEM TO TRANSLATE THE ABOVE ROW

# rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state

pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)




Everything works except the FTP service on my RFC1918 DMZ.


Suggestions very much appreciated.
(Using just match rules instead of pass rules with rdr-to if possible)


/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: 4.7 PF match problem

2010-09-11 Thread Per-Olov Sjöholm
On 11 sep 2010, at 23.49, Per-Olov Sjöholm wrote:


 On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:

 Per-Olov Sjöholm p...@incedo.org writes:

 It seems the first one is unable to convert as it seems no match in on...
 does not work.

 Off the top of my head, move the rdr-to bits to your pass rules, make
 sure the pass rule without the rdr-to is either the last or a
 quick. Or use a negation in the criteria for your match rule.  Hard to
 be more specific without the full rule set.

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



 Here is some more info from the rule set...

 I for sure try to find the easiest no rdr statement replacement to what I
 had in 4.6. Maybe a mix of sticky match rules in match statements and pass
 statements with rdr-to in them will do the trick. However. I try to replace
 the earlier no rdr with a negated match rule. It seems I miss something here
 or it's simply not possible to achieve anymore. At least it seems to be a
 problem to replace the earlier rdr rules from 4.6 with just drop in match
 statements. Am I *forced* to mix also pass rules with rdr-to in them?
 Below is the spec of the problem. Switching directly to 4.7 breaks FTP if I
 cannot easily solve the no rdr problem.




 ---#--- This is what I have in rc.conf.local ---#---
 r...@xanadu:~# more /etc/rc.conf.local
 named_flags=""          # for normal use: ""
 pf=YES                  # Packet filter / NAT
 sshd_flags="-4"         # for normal use: ""
 dhcpd_flags="vlan2"     # for normal use: ""
 ntpd_flags=""           # for normal use: ""
 ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"   # for normal use: ""



 ---#--- For the case relevant stuff cut out from pf.conf in 4.6 ---#---

 nat-anchor "ftp-proxy/*"
 nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
 rdr-anchor "ftp-proxy/*"

 nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
 nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
 nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1

 no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
 rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO

 pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state

 pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
 pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

 pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


 ---#--- I translated this to the following in 4.7---#---

 anchor "ftp-proxy/*"
 match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
 #rdr-anchor "ftp-proxy/*"

 match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
 match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
 match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

 # no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
 # PROBLEM TO TRANSLATE THE ABOVE ROW

 # rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
 match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

 pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state

 pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
 pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

 pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)




 Everything works except the FTP service on my RFC1918 DMZ.


 Suggestions very much appreciated.
 (Using just match rules instead of pass rules with rdr-to if possible)


 /Peo
 --
 GPG keyID: 5231C0C4
 GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
 GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Sorry... Forgot that I had this rule as well that is involved...

pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port { 21 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


That is the reason I don't want a no-rdr for port 21 to INTERNET_IP2 so it
terminates in the firewall with the ftp-proxy and not in the DMZ server.


/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 

4.7 PF match problem

2010-09-10 Thread Per-Olov Sjöholm
Hi

I have an ongoing upgrade from 4.6 to 4.7...

I have two rules like this in pf.conf :
# To ORIGO
no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO


It seems the first one is unable to convert as it seems no match in on...
does not work.

Cannot find any info in the man page regarding this.

What am I missing here?


Thanks
/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



VIA Gigabit driver

2010-08-28 Thread Per-Olov Sjöholm
Hi

I am thinking of buying a mini-itx motherboard containing two VIA VT6130 Gigabit
ethernet cards.

I have checked the hardware compatibility list, latest commits in the CVS tree
and the latest current man page... Cannot find that this should work in
OpenBSD as it seems that only 6122 chip is supported.
(Ok I have not checked PCI id:s in the source yet)

But I could at least ask the list...

Anybody that knows if VIA VT6130 works in OpenBSD 4.7?


Thanks
/P-O
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Per-Olov Sjöholm
On 17 feb 2010, at 12.38, Peter Hessler wrote:

 On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote:
 :Answer correctly or don't answer at all.

 It seems to me that people *did* answer correctly.  But, their answer
 was not what you wanted to hear.

 The answer: don't use port knocking, use a randomized url.


 https://example.com/64482a3717737695e4dd254a4d57da4f6c0795f3e811e8b12347625fb285.rss

 Google, Apple, etc use this scheme for webcal access.  I strongly doubt
 your rss feed requires more privacy than people's private calendars.


 --
 Beware of altruism.  It is based on self-deception, the root of all
 evil.



I know what I am doing and it's a simple test. A production environment will
for sure be more secured. As said. I _very_ much appreciate if people give
their opinion _and_ an answer to the actual question if the person knows how to
do what I ask for. But what I don't like about it is that some just reply to
tell it's done wrong, even though they do not know the context and the
tradeoffs that have been made and why. Professional people could nicely tell
their opinion and a hint to my question IF they have any clue. If they think I
should have provided more info, they could say so. I am a member of a few
helicopter forums, some Dreambox HTPC forums (TuxBOX), a bunch of Linux forums
(i.e. many different kinds of forums). Nowhere do they hack at each other like
they do at the OpenBSD lists. This is the only sad thing about OpenBSD, the
mailinglist. Therefore I don't use it as much as before. A few of my developer
friends share this sadness with me.

You are right, Peter. My RSS feed does not require more privacy (at this
stage) than private Google calendars. However, there are a few problems with
randomized URLs that I simply want to spend time on later. This is because at this
stage I just want to sell the idea with a test containing less important data
and therefore less work. A production environment will be more secured to fulfill
the security policies etc.


Tnx to the people who contributed with something.

This thread is closed for me now

/Per-Olov



PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
Hi misc

I am looking for a tool to use as a trigger for dynamically opening PF ports from
certain IPs.

I will access non-critical info but want at least a port knocker as security.

If I access an IP on my DMZ that is not in use, on a port that is fake, I want
to dynamically add a PF rule for a totally different purpose. Let's say I
access http://1.2.3.4:45321 which is blocked and logged in PF; what is the
easiest way to create a trigger from the PF log or the PF log device?

A cron job with grep in the PF log and then running pfctl to add the rule is from
many points of view a bad choice... I don't want to dig through the PF log as
it can be huge, and I don't want to use a cron job as it takes too long..

Any suggestions appreciated.


Thanks in advance
/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 10.40, Claudio Jeker wrote:

 On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov Sjöholm wrote:
 Hi misc

 I am looking for a tool to use as a trigger for dynamically opening PF
 ports from certain IPs.

 I will access non-critical info but want at least a port knocker as
 security.

 If I access an IP on my DMZ that is not in use, on a port that is fake, I
 want to dynamically add a PF rule for a totally different purpose. Let's
 say I access http://1.2.3.4:45321 which is blocked and logged in PF; what
 is the easiest way to create a trigger from the PF log or the PF log
 device?

 A cron job with grep in the PF log and then running pfctl to add the rule
 is from many points of view a bad choice... I don't want to dig through
 the PF log as it can be huge, and I don't want to use a cron job as it
 takes too long..


 There is a way to do port knocking in pf without any external help. Maybe
 you can figure it out. I will not give more hints since port knocking is a
 dumb idea; better to spend your time reading authpf(8).

 --
 :wq Claudio


How do you use authpf from an iPhone or similar...

The reason is to use an RSS reader that cannot authenticate. I want some sort
of security for it even though it's not critical. Therefore I want to just have
a trigger in the PF log. Trying to find an SSH client to use authpf for all RSS
client capable phones is not an option.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.04, Floor Terra wrote:

 Why not require a authentication token in the url?

 On 16 Feb 2010 10:59, Per-Olov Sjöholm pe...@incedo.org wrote:

 On 16 feb 2010, at 10.40, Claudio Jeker wrote:

 On Tue, Feb 16, 2010 at 10:22:04AM +0100, Per-Olov...
 How do you use authpf from an iPhone or similar...

 The reason is to use an RSS reader that cannot authenticate. I want some
 sort of security for it even though it's not critical. Therefore I want to
 just have a trigger in the PF log. Trying to find an SSH client to use
 authpf for all RSS client capable phones is not an option.


 /Per-Olov


Yes, that is better, but then I have to check web server logs, enable relayd or
so. Maybe that will be the next step after this. But still... as a _test_ I
just want to check PF blocks as a port knocker.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.11, Lars Nooden wrote:

 http://rsug.itd.umich.edu/software/fugu/


Nope. I can't see that these will work on all phones and computers seamlessly
with ease of use for the users.

The reason for the post was just to see if there are already any tools for this
purpose, which is to have a log trigger in the PF logfile or its pflog0 device.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.17, Bret S. Lambert wrote:

 There is a way to do port knocking in pf without any external help. Maybe
 you can figure it out. I will not give more hints since port knocking is
 a dumb idea; better to spend your time reading authpf(8).

 --
 :wq Claudio


 How do you use authpf from an iPhone or similar...

 The reason is to use an RSS reader that cannot authenticate. I want some
 sort

 An RSS reader that can't authenticate, but can ping a series of TCP/IP
 ports?

Where did you get that from? I didn't say it could... No, but all devices with
an RSS client, even phones, have a web browser that can have a bookmarked IP
and obscure port.

 of security for it even though it's not critical. Therefore I want to just
 have

 That word you keep using...I don't think it means what you think it means.
 Unless you've got a mechanism to randomize the ports on every port-knocking
 attempt, you're essentially using a plaintext password on the internet.


No one said anything about a password.. Where did you get that from? I don't
have a plain text password. I don't even have a password at all, as RSS readers
with auth are not widespread at all. So I don't have any auth... Just access
through IP. My data is not that critical, but as said, I want to limit access a
little bit by forcing the clients to first open their browser and access a
specific IP and a specific port. Then PF should trigger on that block in PF
and open from the client IP to the RSS server. Of course a client can sit
behind NAT and therefore give access to many computers. But again, the data is
not that critical. And it's not likely they will guess the link.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.17, Peter N. M. Hansteen wrote:

 Per-Olov Sjöholm pe...@incedo.org writes:

 How do you use authpf from a IPhone or similar...

 There are ssh clients for iphones, just look in the app store.  The
 one i ended up installing has gone up in price it seems to (shock,
 horror) NOK 35 (about USD 6), but I see one at NOK 6 (about a dollar).

 And of course for obscurity, you can set up the sshd on a non-standard
 port.

 Then again, Claudio's comment happens to be true, and now I guess some
 kid will actually figure it out, implement and write a HOWTO.  Good
 thing I wasn't eating or drinking anything.

Writing a HOWTO for what? I don't get it...

I have been working with security on several platforms since 1990 and have been
on OpenBSD since 2.6. You of all people, Peter, should know that it's always a tradeoff
between security, ease of use and the importance of the content. I have made
that tradeoff and therefore come up with this solution.

I can build my own code for this, but posted to see if there was already
something built.

Claudio's comment is not relevant. See my reply to Bret S. Lambert.


/Per-Olov


 grmpf,
 Peter
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.44, Lars Nooden wrote:

 Per-Olov Sjöholm wrote:
 On 16 feb 2010, at 11.11, Lars Nooden wrote:

 http://rsug.itd.umich.edu/software/fugu/


 Noop. Can't see that these will work and all phones and computers
 seamlessly with ease of use for the users.

 You appear to have asked about clients for the iphone, not all phones.
 Fugu and cyberduck are very easy to use.

My mistake. Sorry!

It must be a solution for _any_ RSS client and a web browser.


 The reason for the post was just to see if there is already any tools
 for this purpose, which is to have log trigger in PF logfile or its
 pflog0 device.

 authpf then.

 Note pf.conf allows you to apply filters to groups of users.  See the
 'group' parameter about 17% of the way down through pf.conf(5)

 Something like this:
   pass in log (to pflog2) group phoners

 /Lars



Yes, I used that a few years ago. It's nice but is not doable on all
clients. But maybe I could set an SSH capable client as a company requirement.
Of course I agree it's a better solution if only I could limit the phones to
the ones that can use an SSH client.



/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.35, Bret S. Lambert wrote:

 On Tue, Feb 16, 2010 at 11:28:28AM +0100, Per-Olov Sjöholm wrote:

 On 16 feb 2010, at 11.17, Bret S. Lambert wrote:

 There is a way to do port knocking in pf without any external help.
 Maybe you can figure it out. I will not give more hints since port
 knocking is a dumb idea; better to spend your time reading authpf(8).

 --
 :wq Claudio


 How do you use authpf from an iPhone or similar...

 The reason is to use an RSS reader that cannot authenticate. I want some
 sort

 An RSS reader that can't authenticate, but can ping a series of TCP/IP
 ports?

 Where did you get that from? I didn't say it could... No, but all devices
 with an RSS client, even phones, have a web browser that can have a
 bookmarked IP and obscure port.

 of security for it even though it's not critical. Therefore I want to just
 have

 That word you keep using...I don't think it means what you think it
 means.
 Unless you've got a mechanism to randomize the ports on every
 port-knocking attempt, you're essentially using a plaintext password on
 the internet.


 None said anything about a password.. From where did you get that?

 I said that you're *essentially* using a plaintext password, not that
 you're *actually* using a plaintext password. My meaning was that you're
 effectively using a security model that's been known to be bad for as
 long as I've been in the tech industry.

 forcing the clients to first open their browser and access a
 specific IP and a specific port.

 Yes, because those are impossible for an attacker to guess.

 But again, the data is not that critical.

 Then why care about security at all?

 And it's not likely they will guess the link.

 Congratulations; I'm actually at a loss for words after reading that.


See my post to Peter H. You obviously have not worked with security and the
tradeoffs you _always_ have to make.

If you don't have anything to come up with, don't bother to post.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
Hi again Lars...

And important addition below


On 16 feb 2010, at 11.44, Lars Nooden wrote:

 Per-Olov Sjöholm wrote:
 On 16 feb 2010, at 11.11, Lars Nooden wrote:

 http://rsug.itd.umich.edu/software/fugu/


 Noop. Can't see that these will work and all phones and computers
 seamlessly with ease of use for the users.

 You appear to have asked about clients for the iphone, not all phones.
 Fugu and cyberduck are very easy to use.


But the SSH session will freeze when you switch to the RSS client that is the
main purpose, right? This is because the iPhone is not multitasking with third
party applications.

Then it's not usable without a jailbreak of all company iPhones... Or did I
miss something here?

/Per-Olov



 The reason for the post was just to see if there is already any tools
 for this purpose, which is to have log trigger in PF logfile or its
 pflog0 device.

 authpf then.

 Note pf.conf allows you to apply filters to groups of users.  See the
 'group' parameter about 17% of the way down through pf.conf(5)

 Something like this:
   pass in log (to pflog2) group phoners

 /Lars



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.06, Lars Nooden wrote:

 Per-Olov Sjöholm wrote:
 ...Or did miss something here?

 You missed quite a lot.  I would recommend looking up the following
 before aggravating a larger public:
   client - server architecture
   client application
   server (daemon)
   rss
   ssh
   http, https
   mod_auth_*


 Write back in a few days after you have more details about your project.
 Speculation is not fun.

 Regards,
 /Lars


You did not answer how to use authpf from an iPhone as you suggested, as the
process will freeze when going into the background.
It will freeze or not freeze. It's not speculation, right?

I assume Fugu or Cyberduck as you suggested are dead ends with authpf.


/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 11.57, Stuart Henderson wrote:

 On 2010-02-16, Per-Olov Sjöholm pe...@incedo.org wrote:
 The reason is to use an RSS reader that cannot authenticate. I want some
 sort of security for it even though it's not critical.

 https://some.host/super-sekrit-password-here/feed.rss gives more
 security than trying to use a web browser (which is highly likely
 to be proxied and logged by the carrier) as a port-knocking client.

that could be better... right..


 And with port-knocking, how do you even know the subsequent
 connection will be (natted to the same source address || coming
 from the same http proxy)?



I know it does from phones connecting through the operators' own network (at
least in Sweden) and home broadband connected computers. But I don't from
stationary computers not sitting at home.

/Per-Olov




Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.07, Bret S. Lambert wrote:

 On Tue, Feb 16, 2010 at 11:44:12AM +0100, Per-Olov Sjöholm wrote:
 See my post to Peter H. You obviously have not worked with security

 Why? Because I'm unwilling to endorse your preferred approach?

 and the tradeoffs you _always_ have to make.

 Yes, you make tradeoffs, but you're asking for obscurity, not security.
 It's a very important distinction to make, which you don't seem to be
 doing.

 If you don't have anything to come up with, don't bother to post.

 Okay, I'll bite:

 You're trying to solve this at the wrong layer.

 You're trying to use IP obfuscation.

 You should be looking for HTTP authentication instead.


There is no authentication available in most RSS clients. If there was, I would
of course prefer or at least consider that. I am not that stupid, you know.

/Per-Olov



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 12.06, Peter N. M. Hansteen wrote:

 Per-Olov Sjöholm p...@incedo.org writes:

 None said anything about a password.. From where did you get that? I don't
 have a plain text password.

 A port knocking sequence is for most purposes a password, encoded in a
 16 bit alphabet.  That's it - port numbers run from 0 through 64k,
 although the practical range for portknocking purposes would likely
 exclude the more commonly used ones, mainly in the lower parts.

 I've been in the process of almost getting around to writing an
 article about how this limits the usefulness of portknocking as a
 security measure, there's always the question of round tuits.
 keywords: is your password more secure if it's stored as unicode?, the
 well known password guessing botnets, and so forth.

 The question of proportionality, as in the importance of your data vs
 the strength of your security measures is certainly relevant, but you
 should also take into consideration how much complexity any given
 security measure adds to your setup versus the actual gain in security.
 Hm. There might actually be an article in there.

 - P
 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


We want to lock RSS to our own clients floating around in cyberspace. As
authentication is not widespread in RSS clients, authentication is not
usable. Therefore we have to come up with a different approach. As we want to
use iGoogle and phones etc., we have to use something that works from all
places. The content is not a secret, but something you have to pay a little
for. So... not critical. Of course you could authenticate with a web browser
and then trigger the open in PF. Probably a little better than just the access
to a dummy IP on a dummy port. But still not as good as I would like.

SSH and authpf is as far as I know not possible, as the SSH client will
freeze on the iPhone (which is widely used here) when going into the background
and switching to the RSS client.

So if anybody can come up with a better approach I will be very happy.
Otherwise I have to create my pflog device parser myself, as obviously no one in
this forum has seen anything similar.

Thanks
Per-Olov




Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 16 feb 2010, at 17.17, Eugene Yunak wrote:

 2010/2/16 Per-Olov Sjöholm p...@incedo.org:
 Hi misc

 I am looking for a tool to use as a trigger for dynamically opening PF
 ports from certain IPs.

 I will access non-critical info but want at least a port knocker as
 security.

 If I access an IP on my DMZ that is not in use, on a port that is fake, I
 want to dynamically add a PF rule for a totally different purpose. Let's
 say I access http://1.2.3.4:45321 which is blocked and logged in PF; what
 is the easiest way to create a trigger from the PF log or the PF log
 device?

 A cron job with grep in the PF log and then running pfctl to add the rule
 is from many points of view a bad choice... I don't want to dig through
 the PF log as it can be huge, and I don't want to use a cron job as it
 takes too long..

 Any suggestions appreciated.


 Thanks in advance
 /Per-Olov


 As many people have already suggested to you in this thread, you are
 doing it wrong. But if you _really_ want to do it that way, then
 probably you can simplify your configuration a bit.

 You can use log (to pflog10) to have a separate pflog device with
 only log entries about port-knocking attempts. Then you can have a
 small shell script reading from tcpdump on pflog10 in a loop and adding
 IP addresses to a table of hosts with permitted access to your RSS
 feed. This is much simpler and quicker than a cron job with a full pflog
 parser.

 I would strongly encourage you to use per-user HTTP authentication
 instead. Most RSS readers I encountered actually _do_ support it, as
 they are all based on standard libraries, so you can just give them an
 http://user:p...@host/path/file.rss URL if they don't have a separate
 authentication field.

 --
 The best the little guy can do is what
 the little guy does right


Hi Eugene

Thanks. As this is a test shot only, I will go for something home made in C
to feed a table for now. And I _really_ want to do it this way as it's a test.
A future production environment could maybe be totally different, who
knows. I have done security analysis since the early '90s and asked a simple
question on this forum. When people do not know, they just mess up the
thread with garbage. If only more people were like you, Eugene. That is, point
out your opinion AND a way to do it. Not just the first. The opinion can be
right, but also wrong, as everything must be set in its correct context. Also,
a security tradeoff can be rated differently by different people.

Amazing that so many people in this forum cannot read and therefore answer B
when I ask for A.


/Per-Olov
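As an added example (not code from the thread or from any of its participants), here is how Eugene's sketch above could be wired up on an OpenBSD firewall: a pf.conf fragment that logs the knock to its own pflog device, and a small sh script that reads that device with tcpdump and feeds the knocking source address into a pf table that a pass rule references. The interface name em0, the addresses, the knock port 45321, the table name rss_knockers and the device pflog10 are all assumptions, and the tcpdump line used for the self-check is constructed to match the `tcpdump -n -e -ttt -i pflogN` output format.

```shell
#!/bin/sh
# Added example, not from the thread: a pflog-driven "knock" trigger for pf.
# Assumed names: em0, 198.51.100.10 (unused DMZ address), 10.0.0.5 (RSS host),
# port 45321, table <rss_knockers>, device pflog10. Run as root on the firewall.

KNOCK_PORT=45321
TABLE=rss_knockers
PFLOG_IF=pflog10

# pf.conf fragment to load on the firewall (printed here so it can be reviewed).
# Only the knock is sent to pflog10, so the reader loop never touches the big
# general log.
pf_knock_rules() {
  cat <<EOF
ext_if = "em0"
knock_ip = "198.51.100.10"
rss_ip = "10.0.0.5"
table <$TABLE> persist

# The knock: a closed port on an unused address, logged only to its own device
block in log (to $PFLOG_IF) quick on \$ext_if proto tcp from any to \$knock_ip port $KNOCK_PORT

# Knockers reach the feed; everybody else falls through to the default block
pass in on \$ext_if proto tcp from <$TABLE> to \$rss_ip port 80
EOF
}

# Print the source IPv4 address from one "tcpdump -n -e -ttt -i pflogN" line
# if it is an inbound *blocked* packet to the knock port; print nothing otherwise.
# Expected shape (-e shows the pf rule header, -n keeps addresses numeric):
#   <date> rule 7/(match) block in on em0: 203.0.113.5.51234 > 198.51.100.10.45321: S ...
# IPv6 lines (addr.port has fewer dot-separated fields) are ignored on purpose.
knock_src_ip() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /block in on/ {
      for (i = 1; i <= NF; i++)
        if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
      sub(/:$/, "", dst)
      n = split(dst, d, ".")
      if (n != 5 || d[5] != port) next   # must be IPv4 and the knock port
      m = split(src, s, ".")
      if (m != 5) next
      print s[1] "." s[2] "." s[3] "." s[4]
    }'
}

# Reader loop: tcpdump follows the dedicated pflog device, each knock adds the
# source address to the table, and stale knockers are expired after an hour.
# Caveat from the thread: the table grants a *source address*, so everything
# behind the same NAT or carrier proxy is admitted along with the knocker, and
# a fixed knock is a guessable secret, not authentication.
knock_loop() {
  tcpdump -n -e -l -ttt -i "$PFLOG_IF" |
  while read -r line; do
    ip=$(knock_src_ip "$line" "$KNOCK_PORT")
    [ -n "$ip" ] || continue
    pfctl -q -t "$TABLE" -T add "$ip"
    # Entries are timestamped when added; re-adding an existing entry does not
    # refresh it, so a knocker must knock again once the hour is up.
    pfctl -q -t "$TABLE" -T expire 3600
  done
}

# Constructed sample line (not captured from a real system) for a dry run.
SAMPLE_LINE='Feb 16 10:22:04.123456 rule 7/(match) block in on em0: 203.0.113.5.51234 > 198.51.100.10.45321: S 1:1(0) win 65535'

# Usage:  ifconfig pflog10 create && sh knock.sh run     (on the firewall)
#         sh knock.sh demo                               (offline dry run)
case "${1:-}" in
  run)  knock_loop ;;
  demo) pf_knock_rules; echo "knocker: $(knock_src_ip "$SAMPLE_LINE" "$KNOCK_PORT")" ;;
esac
```

The split into a pure parsing function and a loop that only calls pfctl keeps the part that matters for safety (what gets added to the table) easy to check offline: feed it a pass line, a blocked packet to another port, or an outbound block and it must print nothing.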



Re: PF log parser and dynamic PF rules...

2010-02-16 Thread Per-Olov Sjöholm
On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:

 Paul == Paul de Weerd we...@weirdnet.nl writes:

 Paul Jeez... As an asker, you don't really get to decide how or what other
 Paul people answer, or if they even answer at all.

 As I snipped off a Usenet group once:

Get real!  This is a discussion group, not a helpdesk.  You post
something -- we discuss its implications.  If the discussion happens
to answer a question you've asked, that's incidental.  If you post a
question that implies that you've got a problem finding answers to
trivial questions in the manual, then it is perfectly reasonable for
us to discuss how to do that.

 --
 Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
 Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
 See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion

I have been on this list for many years. Sometimes asking and sometimes
helping others.

You are wrong.

http://www.openbsd.org/mail.html
--snip--
User questions and answers, general questions
--snip--


Answer correctly or don't answer at all. A winning concept in real life as
well.

^d

Regards
/Per-Olov



Re: spamd and /etc/mail/spamd.alloweddomains

2009-05-26 Thread Per-Olov Sjöholm
On 26 maj 2009, at 11.05, Raimo Niskanen wrote:

 On Mon, May 25, 2009 at 10:45:03PM +0200, Per-Olov Sjöholm wrote:
 On 25 maj 2009, at 17.50, patrick keshishian wrote:

 On Mon, May 25, 2009 at 4:03 AM, Per-Olov Sjöholm p...@incedo.org
 wrote:
 Hi misc

 I was trying to add:
 se or *.se to /etc/mail/spamd.alloweddomains which obviously
 wont
 work...

 But adding xxx.se works


 l really want to add the whole SE domain as we do not get that much
 spam
 from SE and will have a lot less administration.

 I think you don't understand the purpose of spamd.alloweddomains
 file.
 re-reading spamd(8) might be helpful. hint: pay close attention to
 the
 phrase destination address

 --patrick


 Yes

 you are right.

 I removed the spamd.alloweddomains file and all blacklisted headache
 disappeared... :-) I was actually looking for a OpenBSD built in
 replacement for milter-greylist where you could specify regular
 expressions for white listed senders. But it seems you could not
 white
 list senders e-mail adresses, domains or regular expression
 combinations with spamd. Or could I ???

 Not as it is.

 But senders addresses are in spam faked. MTA domain
 could be an useful whitelisting criteria.
 There is a famous script by Bob Beck called greyscanner
 that parses the spamdb database and traps hosts that
 are on the grey list. That script calls spamdb -t -a ...
 but could maybe be modified to also whitelist
 MTA hosts based on their HELO name (after checking
 reverse DNS lookup).

 Otherwise a common solution is to have another pf table
 in addition to spamd-white (I called it spamd-gold) to
 give permanent whitelisting based on IP address by
 pf rules such as:
  table spamd-gold persist file /etc/mail/spamd-gold
  :
  no rdr inet proto tcp from spamd-gold to any port smtp

 And then manually add your friendly IP ranges...


I do not see what the MTA's domain name has to do with the sender's
domain? Not useful...

I do not want to whitelist all ISP IPs in Sweden. I want to whitelist
sender domains (partners, customers etc.) or parts of them. A table
is useless here as it whitelists IPs.
I will find another solution for it.



Regarding HELO checking. I have milter-regex and a few other nice
tools here :-)

Thanks
/Per-Olov



 /Per-Olov

 --

 / Raimo Niskanen, Erlang/OTP, Ericsson AB




spamd and /etc/mail/spamd.alloweddomains

2009-05-25 Thread Per-Olov Sjöholm

Hi misc

I was trying to add:
se or *.se to /etc/mail/spamd.alloweddomains which obviously won't
work...


But adding xxx.se works


I really want to add the whole SE domain as we do not get that much
spam from SE, and it will be a lot less administration.


Anybody with a clue why neither of the first two statements works?


Thanks
Per-Olov



Re: spamd and /etc/mail/spamd.alloweddomains

2009-05-25 Thread Per-Olov Sjöholm
On 25 maj 2009, at 17.50, patrick keshishian wrote:

 On Mon, May 25, 2009 at 4:03 AM, Per-Olov Sjöholm p...@incedo.org
 wrote:
 Hi misc

 I was trying to add:
 se or *.se to /etc/mail/spamd.alloweddomains which obviously wont
 work...

 But adding xxx.se works


 l really want to add the whole SE domain as we do not get that much
 spam
 from SE and will have a lot less administration.

 I think you don't understand the purpose of spamd.alloweddomains file.
 re-reading spamd(8) might be helpful. hint: pay close attention to the
 phrase destination address

 --patrick


Yes

you are right.

I removed the spamd.alloweddomains file and all the blacklisting headache
disappeared... :-) I was actually looking for an OpenBSD built-in
replacement for milter-greylist where you could specify regular
expressions for whitelisted senders. But it seems you cannot
whitelist sender e-mail addresses, domains or regular expression
combinations with spamd. Or could I ???

/Per-Olov




Re: Lost sensors info when upgraded from 4.2 to 4.3

2008-06-09 Thread Per-Olov Sjöholm
On Thursday 05 June 2008 15.42.37 you wrote:
 On 2008-06-05, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
  I did an upgrade (read reinstall) last week on a Dell PE830 server from
  OpenBSD 4.2 to 4.3. It is a 4.3 RELEASE std install, but a stable update
  of kernel and userland from May 29.
 
  The sensors worked ok in 4.2. In 4.3 it looks like this where the sensor
  info is null..

 They were probably from ipmi before, this was knocked out of
 GENERIC until bad interactions with acpi on some machine are fixed.
 See http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/conf/GENERIC
 r1.589.

Ah, I see...

dmesg says..
ipmi at mainbus0 not configured
and..
adt0 at iic0 addr 0x2e: lm96000 rev 0x68


So the sensors show up but are unusable and show zero? So I should not expect 
these to be usable in 4.3 even with a stable update? Do I have to track the 
CVS tree and go to -current when fixed if I want these sensors?

Or fix the problem myself ;-)


I did not see any problem with them on 4.2. Is there any more info than what 
can be seen in r1.589 of GENERIC? If they worked perfectly on 4.2, is it likely 
they will cause trouble now on the same hardware? (I am thinking of enabling this 
in GENERIC)


Thanks
/Per-Olov


-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
GPG key: 
http://keyserv.nic-se.se:11371/pks/lookup?op=get&search=0xCFB4BBE94DB283CE



Lost sensors info when upgraded from 4.2 to 4.3

2008-06-05 Thread Per-Olov Sjöholm
Hi

I did an upgrade (read reinstall) last week on a Dell PE830 server from 
OpenBSD 4.2 to 4.3. It is a 4.3 RELEASE std install, but a stable update of 
kernel and userland from May 29.

The sensors worked ok in 4.2. In 4.3 it looks like this where the sensor info 
is null..

[EMAIL PROTECTED]:~#sysctl -a|grep sens
hw.sensors.ami0.drive0=online (sd0), OK
hw.sensors.adt0.temp0=0.00 degC (Remote)
hw.sensors.adt0.temp1=0.00 degC (Internal)
hw.sensors.adt0.temp2=0.00 degC (Remote)
hw.sensors.adt0.volt0=0.00 VDC (+2.5Vin)
hw.sensors.adt0.volt1=0.00 VDC (Vccp)
hw.sensors.adt0.volt2=0.00 VDC (Vcc)
hw.sensors.adt0.volt3=0.00 VDC (+5V)
hw.sensors.adt0.volt4=0.00 VDC (+12V)

dmesg...
http://www.incedo.eu/~sjoholmp/830/dm830

(Btw... I do not remember that the sensor's name was adt as above on 4.2. 
I can however not verify that)


Did I miss anything in the docs or list searches? Bug? Suggestions 
appreciated...

Thanks in advance
Per-Olov



relayd and src track

2008-04-17 Thread Per-Olov Sjöholm
Hi

Is it possible to handle PF src track from relayd? If I use sticky 
connections in relayd (NOT layer 7) and one target host disappears, then it 
seems like src track comes into play.

When one target host (for example 10.0.0.1 below) goes down I want to clear 
all src track info from PF related to the target host.


Am I missing something in the man pages? Suggestions appreciated. If I 
remember it right, such a thing could be done in ifstated where a pfctl -K 
could be done...


TESTfile follows:
[EMAIL PROTECTED]:~#more /etc/relayd.conf
EXT_IP=200.200.200.200
interval 5
timeout 1000
table webhosts { 10.0.0.1 , 10.0.0.2 }

redirect www {
listen on $EXT_IP port 80
listen on $EXT_IP port 443
tag RELAYD
sticky-address
forward to webhosts timeout 500 port 22 check icmp
}




Thanks in advance

Regards
Per-Olov



System update errors

2007-12-16 Thread Per-Olov Sjöholm
Hi

I have today updated (well tried) two OpenBSD -STABLE systems. One 4.0 and one 
4.1.

First the kernel update and a reboot... No problem
Then a make obj && make build of the userland. This gave me the following 
error after a while...

--snip--
cc -c -O2 -pipe -I. -I/usr/src/gnu/usr.bin/binutils/gdb -I/usr/src/gnu/usr.bin/binutils/gdb/config -DLOCALEDIR=\"/usr/share/locale\" -DHAVE_CONFIG_H -I/usr/src/gnu/usr.bin/binutils/gdb/../include/opcode -I../bfd -I/usr/src/gnu/usr.bin/binutils/gdb/../bfd -I/usr/src/gnu/usr.bin/binutils/gdb/../include -I../intl -I/usr/src/gnu/usr.bin/binutils/gdb/../intl -DMI_OUT=1 -DTUI=1 -Wimplicit -Wreturn-type -Wcomment -Wtrigraphs -Wformat -Wparentheses -Wpointer-arith -Wuninitialized -Wformat-nonliteral -Wunused-label -Wunused-function /usr/src/gnu/usr.bin/binutils/gdb/i386bsd-tdep.c
cc -c -O2 -pipe -I. -I/usr/src/gnu/usr.bin/binutils/gdb -I/usr/src/gnu/usr.bin/binutils/gdb/config -DLOCALEDIR=\"/usr/share/locale\" -DHAVE_CONFIG_H -I/usr/src/gnu/usr.bin/binutils/gdb/../include/opcode -I../bfd -I/usr/src/gnu/usr.bin/binutils/gdb/../bfd -I/usr/src/gnu/usr.bin/binutils/gdb/../include -I../intl -I/usr/src/gnu/usr.bin/binutils/gdb/../intl -DMI_OUT=1 -DTUI=1 -Wimplicit -Wreturn-type -Wcomment -Wtrigraphs -Wformat -Wparentheses -Wpointer-arith -Wuninitialized -Wformat-nonliteral -Wunused-label -Wunused-function /usr/src/gnu/usr.bin/binutils/gdb/i386obsd-tdep.c
/usr/src/gnu/usr.bin/binutils/gdb/observer.sh h /usr/src/gnu/usr.bin/binutils/gdb/doc/observer.texi observer.h
/usr/src/gnu/usr.bin/binutils/gdb/observer.sh: Permission denied
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils/obj/gdb (line 1333 of Makefile).
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils/obj (line 21479 of Makefile).
*** Error code 1

Stop in /usr/src/gnu/usr.bin/binutils (line 80 of /usr/src/gnu/usr.bin/binutils/Makefile.bsd-wrapper).
*** Error code 1

Stop in /usr/src/gnu/usr.bin.
*** Error code 1

Stop in /usr/src/gnu.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src (line 73 of Makefile).
[EMAIL PROTECTED]:/usr/src#
--snip--



I have never ever seen an error like this during a userland upgrade. It has 
always worked perfectly. Could this be caused by an incomplete mirror? I 
did a:
cd /usr
rm -rf src
export CVSROOT=[EMAIL PROTECTED]:/cvs
cvs -z5 -q get -rOPENBSD_4_1 -P src

and saw no problem with the fetch.

Should I try another mirror? I got the same error on both the 4.0 and the 4.1 
system. Both systems did a cvs get from anoncvs1.ca.openbsd.org. And as said, 
I have never seen this error before during my hundreds of upgrades...


Any clues?

Thanks in advance
Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: System update errors

2007-12-16 Thread Per-Olov Sjöholm
On Sunday 16 December 2007 19.02.46 Hannah Schroeter wrote:
 Hi!

 On Sun, Dec 16, 2007 at 05:45:05PM +0100, Firas Kraiem wrote:
 On Sunday 16 December 2007 17:13:49 Per-Olov Sjöholm wrote:
  I have today updated (well tried) two OpenBSD -STABLE systems. One
  4.0 and one 4.1.
 
  First the kernel update and a reboot... No problem
  Then a make obj  make build of the userland. This gave me the
  following error after a while...
 
 http://openbsd.org/faq/faq5.html#BldBinary
 
 The FAQ says that if you want to upgrade a -stable system to the
 newest -stable, you should first do a binary upgrade to the latest
 release, and then build -stable from there. I guess it will get rid of
 such errors.
 
 Firas

 I haven't read the original mail as upgrading to a *different* stable,
 but as update from release to *matching* stable (or from stable to
 another update of the *same* stable).

 In that case, it could be that for some reason, an earlier CVS checkout
 misses the execute permission of some script, and then, IIRC, cvs update
 doesn't (re-)add the execute flag on it. I.e. remove the directory and
 re-get it (cvs -q update -Pd -rOPENBSD_4_[01] on the parent dir) could
 perhaps fix that. If you can flag the exact problem, it can also be
 enough to remove the specific file (script) and cvs ... update ... on
 the directory containing the file, or even specifying the file itself.

 Kind regards,

 Hannah.


I always do an rm -rf of the src directory and then do a cvs get. This is 
to avoid potential problems, at the cost of transferring more data.

It would be strange if the CVS checkout missed the execute permission, because 
two different servers at two different locations with two different OpenBSD 
versions (4.0 and 4.1) got the same problem updating their respective 
versions to the latest stable. On top of that, there was one hour between the 
updates of the servers.

However... It seems to work as it should from the anoncvs1.usa.openbsd.org 
mirror but *NOT* from my most used mirror which is anoncvs1.ca.openbsd.org.

It seems anoncvs1.ca.openbsd.org is broken... At least temporarily. 


Regards
/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: smarthost and sendmail on 4.2

2007-11-29 Thread Per-Olov Sjöholm
On Thursday 29 November 2007 23.54.37 Moe Sizlak wrote:
 Hi,

  I have a problem on 4.2 when sending mail via a smarthost.

 Basically the DS host is not being used.

 From the modified cf file
 -
 dnl mail.myisp.net with the hostname of your ISP's mail server.
 dnl
 define(`SMART_HOST', `smtp.moeisp.net')dnl
 dnl
 -


 From the resulting cf file

 --
 # Smart relay host (may be null)
 DSsmtp.moeisp.net
 --


 I modified the rc.conf file and restarted sendmail. No luck.


 My ISP allows dns mx queries but blocks outgoing port 25 connections
 to anything other than its smarthost.

 With modified DS sendmail still tries to send mail out directly
 --
 Nov 30 07:46:50 blazer2 sm-mta[2891]: lATCuBb8022345:
 [EMAIL PROTECTED], ctladdr=[EMAIL PROTECTED] (0/0),
 delay=09:50:39, xdelay=00:00:00, mailer=relay, pri=1920573,
 relay=smtp.work.com, dsn=4.0.0, stat=Deferred: smtp.work.com.: No route to
 host
 --


 Can someone please assist?


 thanks.

If you use the default entry in rc.conf (edit rc.conf.local instead) I assume 
the sendmail cf file is copied to /etc/mail/localhost.cf? If not, you have to 
modify the rc.conf sendmail entry to point to the correct sendmail.cf file.

If that won't work, send more config info...


/Per-Olov



-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: sensorsd says the sensor is within limit, but it's not...

2007-07-04 Thread Per-Olov Sjöholm
On Wednesday 4 July 2007 04.17.30 you wrote:
 On 03/07/07, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
  Hi Misc
 
 
  I am probably missing something, but what..
 
 
  sensorsd says in the syslog that the sensor is within limits even
  though a sysctl -a|grep sensor shows that it is not.
 
 
  Are there any known bugs? I have checked the list and cannot find
  anything related to this... I run a Dell PE830 on OpenBSD 4.0 stable
   (latest update on May 25th). I have these sensors, which appear to
   always show the correct values running a sysctl -a|grep sensor.
  hw.sensors.0=ipmi0, Temp, 43.00 degC, OK
  hw.sensors.1=ipmi0, Planar Temp, 38.00 degC, OK
  hw.sensors.2=ipmi0, CMOS Battery, 3.13 V DC, OK
  hw.sensors.3=ipmi0, Back Fan, 2204 RPM, OK
  hw.sensors.4=ipmi0, Intrusion, Off, OK
  hw.sensors.5=ami0, sd0, drive online, OK
 
 
 
   From sensorsd.conf
  hw.sensors.0:high=42C:command=/bin/echo test test|/usr/bin/mailx -s
  Sensor warning: CPU temp over %2 bla bla bla MYEMAIL
  hw.sensors.1:high=39C:command=/bin/echo test test|/usr/bin/mailx -s
  Sensor warning: Chassie temp over %2 bla bla bla MYEMAIL
 
 
  Starting sensorsd and look at /var/log/daemon
  Jul  3 16:12:22 xanadu sensorsd[14634]: hw.sensors.0: within limits,
  value: 43.00 degC
  Jul  3 16:12:22 xanadu sensorsd[14634]: hw.sensors.1: within limits,
  value: 38.00 degC
 
 
  I assume I receive no reports as the daemon say the sensor wrongly is
  within the limits

 Please, check the manual page for your system [0], specifically, the
 following:

  Sensors that provide status (such as from bio(4), esm(4), or ipmi(4))
 do not require boundary values specified (that otherwise will be ignored)
 and simply trigger on status transitions.

 In other words, for those sensors that provide the status themselves,
 the keywords high and low in sensorsd.conf have no effect. This
 limitation was removed at c2k7 [1], and the newest sensorsd in OpenBSD
 4.1-current allows you to set your own limits for any sensor, and
 ignore the status that the sensor device itself provides.

 So if you need this functionality, you may wish to upgrade to OpenBSD
 4.1-current.

 Alternatively, you may upgrade to OpenBSD 4.1-stable that has the new
 two-level sensor framework, and then manually update sensorsd to
 4.1-current (files /usr/src/{etc/sensorsd.conf,usr.sbin/sensorsd/*}),
 compiling and installing it afterwards  -- sensorsd in 4.1-current as
 of today is source-code-compatible with 4.1-stable (note that it is
 not binary compatible). However, please be warned that mixing
 4.1-stable and 4.1-current is not officially supported, so use it at
 your own risk! (Even though it works for me in this specific case with
 sensorsd.)

 Cheers,
 Constantine. :)

 [0]
 http://www.openbsd.org/cgi-bin/man.cgi?query=sensorsd.conf&sektion=5&manpath=OpenBSD+4.0

 [1]
 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sensorsd/sensorsd.c#rev1.32


Thanks for the answer

So I only need the command with %1-%4 and no low/high specs in
sensorsd.conf? The trigger will come when Dell thinks the temp is too low or
high? If so... Is there a way of knowing at what temperature this happens? I
mean, could you ask the hardware itself with any software, or do I have to
dig into some of Dell's docs? That is not super important, but it would be
nice to know at what value it happens, and if possible test it.

Also, isn't it possible then to have different commands for low and high if
low and high have no meaning? I mean, do I have to handle whether it's a low
or a high warning in the command script? If low and high have meaning (as in
OBSD 4.1-current) I could have one sensor row in sensorsd.conf for high and
one for low with different commands. Right?


You said that:
"Alternatively, you may upgrade to OpenBSD 4.1-stable that has the new
two-level sensor framework". Why do I need to go to -CURRENT if it's included
in 4.1-STABLE? Isn't 4.1-STABLE ok? I want to avoid -current on production
servers. But after looking at
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sensorsd/sensorsd.c it
seems I am *not* OK with just 4.1 STABLE, and that I need -CURRENT if I want
this functionality...



Per-Olov
--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
GPG key:
http://keyserv.nic-se.se:11371/pks/lookup?op=get&search=0xCFB4BBE94DB283CE



sensorsd says the sensor is within limit, but it's not...

2007-07-03 Thread Per-Olov Sjöholm
Hi Misc


I am probably missing something, but what..


sensorsd says in the syslog that the sensor is within limits even though
a sysctl -a|grep sensor shows that it is not.


Are there any known bugs? I have checked the list and cannot find anything
related to this... I run a Dell PE830 on OpenBSD 4.0 stable (latest update on
May 25th). I have these sensors, which appear to always show the correct
values running a sysctl -a|grep sensor.
hw.sensors.0=ipmi0, Temp, 43.00 degC, OK
hw.sensors.1=ipmi0, Planar Temp, 38.00 degC, OK
hw.sensors.2=ipmi0, CMOS Battery, 3.13 V DC, OK
hw.sensors.3=ipmi0, Back Fan, 2204 RPM, OK
hw.sensors.4=ipmi0, Intrusion, Off, OK
hw.sensors.5=ami0, sd0, drive online, OK



From sensorsd.conf
hw.sensors.0:high=42C:command=/bin/echo test test|/usr/bin/mailx -s Sensor
warning: CPU temp over %2 bla bla bla MYEMAIL
hw.sensors.1:high=39C:command=/bin/echo test test|/usr/bin/mailx -s Sensor
warning: Chassie temp over %2 bla bla bla MYEMAIL


Starting sensorsd and looking at /var/log/daemon
Jul  3 16:12:22 xanadu sensorsd[14634]: hw.sensors.0: within limits, value:
43.00 degC
Jul  3 16:12:22 xanadu sensorsd[14634]: hw.sensors.1: within limits, value:
38.00 degC


I assume I receive no reports as the daemon wrongly says the sensor is within
the limits


A dmesg follows below my autosignature

Thanks in advance
Per-Olov
--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
GPG key:
http://keyserv.nic-se.se:11371/pks/lookup?op=get&search=0xCFB4BBE94DB283CE


OpenBSD 4.0-stable (GENERIC) #0: Fri May 25 21:07:24 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16
real mem  = 536182784 (523616K)
avail mem = 481148928 (469872K)
using 4256 buffers containing 26910720 bytes (26280K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/22/06, BIOS32 rev. 0 @ 0xffe90,
SMBIOS rev. 2.3 @ 0xfa3d0 (48 entries)
bios0: Dell Computer Corporation PowerEdge 830
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb900/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #8 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1600 0xca800/0x2600
0xec000/0x4000!
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0x00
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel 41210 PCIE-PCIX rev 0x09
pci2 at ppb1 bus 2
em0 at pci2 dev 4 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 3,
address 00:0e:0c:72:4b:a2
em1 at pci2 dev 4 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 11,
address 00:0e:0c:72:4b:a3
ppb2 at pci1 dev 0 function 2 Intel 41210 PCIE-PCIX rev 0x09
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci4 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci5 at ppb4 bus 5
ami0 at pci5 dev 2 function 0 Symbios Logic MegaRAID rev 0x01: irq 10
ami0: LSI 523, 32b, FW 713R, BIOS vG121, 64MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 476935MB, 476935 cyl, 64 head, 32 sec, 512 bytes/sec, 976762880 sec
total
scsibus1 at ami0: 16 targets
ppb5 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
bge0 at pci6 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1
(0x4101): irq 3, address 00:12:3f:2a:3e:b8
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb6 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci7 at ppb6 bus 7
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb7 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci8 at ppb7 bus 8
vga1 at pci8 dev 5 function 0 XGI Technology Volari Z7 rev 0x00
wsdisplay0 at vga1 mux 
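The reply earlier on this page explains that sensorsd on 4.0 ignores high/low limits for sensors that report their own status (ipmi(4), bio(4), esm(4)) and only fires on status transitions, which is why the 42C/39C limits in this sensorsd.conf never trigger. As an added example that is not from the thread or from sensorsd, the shell function below applies your own limits directly to the `sysctl hw.sensors` output in the format shown above and also reports any sensor whose own status is not OK, so it can serve as an independent cross-check from cron. The limit syntax `hw.sensors.N:high=VALUE` / `:low=VALUE` mirrors sensorsd.conf but is this script's own; the seventh sample line with a CRITICAL status is constructed.

```sh
#!/bin/sh
# Added example, not from the thread or from sensorsd: apply your own high/low
# limits to `sysctl hw.sensors` output and report sensors whose own status is
# not OK, independently of what sensorsd decides. Assumes the OpenBSD 4.0-era
# line format shown in the post:
#   hw.sensors.N=<device>, <description>, <value unit>, <STATUS>
# Limits are given as arguments in the form hw.sensors.N:high=VALUE or
# hw.sensors.N:low=VALUE (a unit suffix such as 42C is ignored); this syntax
# mirrors sensorsd.conf but is this script's own.

# Sample input: the six lines from the post plus one constructed non-OK line.
SAMPLE_SENSORS='hw.sensors.0=ipmi0, Temp, 43.00 degC, OK
hw.sensors.1=ipmi0, Planar Temp, 38.00 degC, OK
hw.sensors.2=ipmi0, CMOS Battery, 3.13 V DC, OK
hw.sensors.3=ipmi0, Back Fan, 2204 RPM, OK
hw.sensors.4=ipmi0, Intrusion, Off, OK
hw.sensors.5=ami0, sd0, drive online, OK
hw.sensors.6=ipmi0, Front Fan, 0 RPM, CRITICAL'

# sensor_alerts [hw.sensors.N:high=V ...] [hw.sensors.N:low=V ...]
# Reads sysctl output on stdin and prints one line per problem; prints
# nothing when every sensor is within limits and reports OK.
sensor_alerts() {
    awk -v limits="$*" '
    BEGIN {
        n = split(limits, l, " ")
        for (i = 1; i <= n; i++) {
            split(l[i], kv, ":")              # kv[1] = sensor,   kv[2] = high=42C
            split(kv[2], hv, "=")             # hv[1] = high|low, hv[2] = 42C
            lim[kv[1] ":" hv[1]] = hv[2] + 0  # numeric prefix only
        }
    }
    /^hw\.sensors\./ {
        eq = index($0, "=")
        name = substr($0, 1, eq - 1)
        nf = split(substr($0, eq + 1), f, ", ")
        status = f[nf]
        reading = f[nf - 1]
        # The device'"'"'s own verdict (what 4.0 sensorsd acts on).
        if (status != "OK")
            print name ": status " status " (" reading ")"
        # Our own limits, only meaningful for numeric readings.
        if (reading ~ /^-?[0-9]/) {
            value = reading + 0
            if ((name ":high") in lim && value > lim[name ":high"])
                print name ": " reading " above high=" lim[name ":high"]
            if ((name ":low") in lim && value < lim[name ":low"])
                print name ": " reading " below low=" lim[name ":low"]
        }
    }'
}

# Stand-alone demo on the sample; on a live system use:
#   /sbin/sysctl hw.sensors | sensor_alerts hw.sensors.0:high=42 hw.sensors.1:high=39
printf '%s\n' "$SAMPLE_SENSORS" | sensor_alerts hw.sensors.0:high=42 hw.sensors.1:high=39
```

Run from cron and pipe the output to mailx, and an empty output means nothing to report. Newer OpenBSD releases print `hw.sensors.<device>.<type><n>=...` instead, so the name/value parsing would need adjusting there.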

Re: ifstated wont work if started at boot. Only from command line

2006-12-01 Thread Per-Olov Sjöholm
On Thu, November 30, 2006 17:19, Per-Olov Sjoholm wrote:
 Hi


 I run ifstated on the command line without any flags and everything works
 perfectly.

 But when I add a statement to rc.local and a variable in rc.conf.local it
 starts at boot but simply refuses to work correctly.

 rc.local:
 if [ X${ifstated} == XYES -a -x /usr/sbin/ifstated \
      -a -e /etc/ifstated.conf ]; then
         echo -n ' ifstated';   /usr/sbin/ifstated
 fi

 rc.conf.local:
 ifstated=YES  # YES or NO

 After it started at boot it simply refuses to do the 10 sec poll that I
 have in the ifstated.conf. If I kill the ifstated that was started at boot and
 start it from the command line with the same statement as from rc.local it
 works as it should.

 



 Anybody with a clue about what is going on here?
 Do I have to use a sleep statement at startup so it will wait for
 everything else (have 10 carps, 3 vlans and 6 physical nics + pfsync etc)?
 I have tried
 with a 30 sec sleep in rc.local before starting it without success

 Thanks in advance
 Per-Olov
 --
 GPG keyID: 4DB283CE
 GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE






Really embarrassing...

wget was specified in ifstated.conf without a full path and therefore
ifstated refused to work at boot but worked later when started manually.


/P



Re: pf load balancing and failover

2006-10-26 Thread Per-Olov Sjöholm
On Thursday 26 October 2006 22:28, Kevin Reay wrote:
 Hey,

 On 10/26/06, Pete Vickers [EMAIL PROTECTED] wrote:
  If I recall correctly,

 You don't. :o)

  slbd adds new rules to pf for each incoming
  tcp session. Since I couldn't get it to work (old version) I do not
  know what the session and Sources tables will look like, but I
  suspect there will be no problems with them in slbd. Client-server
  association is maintained by slbd and implemented with separate rules
  for each tcp session.

 slbd doesn't maintain separate rules for each tcp session. Client-server
 association is NOT maintained by slbd.

  This seems a bit ineffective and rather pointless since pf has the
  load balancing functionality built in.

 Which slbd relies on. Slbd just inserts the load balancing rules into
 pf based on it's own config. Then it does the job of health-checking
 the servers listed in it's config file, and removing them from the
 server list if they go down.

  The problems with using pf and a health checking script is related to
  removal of failed backends. There are two separate issues:
 
1) When using sticky-address in the rdr rules client-server
   associations are added to the internal Sources table.
   It is impossible to remove entries for a single backend from this
   table. If a backend fails and is removed from the rdr destination
   table this table will have to be flushed, making all clients end
  up on
   new backends, wich is unacceptable in many configurations.
   If this table is not cleared then the rdr destination table is not
   inspected for client IP's found in the Sources table. These clients
   will still be sent to the failed and removed backend.
   Preferably entries could be removed from this table based on
   source-IP and backend-IP:backend-port, and maybe even the virtual
   service IP:port or a pf rule number.

 Which is what slbd avoids. slbd doesn't use sticky-address for this reason.
 slbd seems mostly geared for web servers where the web application
 is written well enough to not need each request to go back to the same
 server.

 Kevin

Hi Kevin

I can come up with 100 reasons for using the same web target server over a 
whole session and very few for not doing it. I can't see how we can use slbd for 
the ordering system as intended if requests go to just any server in the 
pool.

Or did I miss anything?

Regards
/Per-Olov
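Point (1) in Pete Vickers' text quoted above, and the relayd src-track question earlier on this page, both come down to the same operation: when one backend fails its health check, drop the source-tracking entries that map clients to that backend and leave everyone else alone. pfctl(8) can only kill by source host (`pfctl -K host`), not by backend, so the backend-to-sources mapping has to be derived first from `pfctl -s sources`. The script below is an added example, not code from relayd, slbd or any poster; it assumes the OpenBSD pfctl output format given in its comment, uses a constructed sample instead of a live capture, and uses absolute paths because a check like this is typically run from ifstated or cron with a minimal PATH.

```sh
#!/bin/sh
# Added example, not from the thread: remove the pf source-tracking entries
# that point at a backend which has failed its health check, so sticky
# clients are re-balanced instead of being sent to the dead host.
# pfctl -K kills entries by *source* host, so the backend -> sources mapping
# is derived first from `pfctl -s sources`. Assumed output format (one entry
# per line; entries without a redirect address have no "->"):
#   <src> -> <backend> ( states N, connections N, rate N.N/Ns )
# Absolute paths throughout: ifstated/cron start with a minimal PATH.

PFCTL=/sbin/pfctl

# Constructed sample of `pfctl -s sources` output (not a real capture).
SAMPLE_SOURCES='10.1.1.7 -> 10.0.0.1 ( states 2, connections 1, rate 0.0/0s )
10.1.1.9 -> 10.0.0.2 ( states 1, connections 1, rate 0.0/0s )
10.1.1.12 -> 10.0.0.1 ( states 3, connections 2, rate 0.0/0s )
10.1.1.20 ( states 1, connections 0, rate 0.0/0s )'

# sources_for_backend BACKEND_IP
# Reads `pfctl -s sources` output on stdin and prints each source address
# whose sticky entry currently maps to BACKEND_IP, one per line, de-duplicated.
sources_for_backend() {
    awk -v backend="$1" '$2 == "->" && $3 == backend { print $1 }' | LC_ALL=C sort -u
}

# kill_sources_for_backend BACKEND_IP
# Removes every source-tracking entry mapped to BACKEND_IP. Note that -K
# removes *all* entries from that source, including ones to healthy backends
# under other rules. With DRY_RUN=1 the pfctl commands are printed, not run.
kill_sources_for_backend() {
    backend=$1
    "$PFCTL" -s sources | sources_for_backend "$backend" |
    while read -r src; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$PFCTL -K $src"
        else
            "$PFCTL" -K "$src"
        fi
    done
}

# Stand-alone demo on the constructed sample (no pfctl needed):
printf '%s\n' "$SAMPLE_SOURCES" | sources_for_backend 10.0.0.1
```

Wired into a health check (an ifstated state change, or a cron job that pings the pool members), `kill_sources_for_backend 10.0.0.1` is the per-backend cleanup the quoted text says pf lacks; `DRY_RUN=1` first shows exactly which clients would be moved.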



Re: Dell 2650 with unsupported Adaptec PERC 3/Di RAID controller?

2006-10-24 Thread Per-Olov Sjöholm
On Tuesday 24 October 2006 03:47, K Kadow wrote:
 I've inherited a half dozen Dell PowerEdge 2650s with the PERC 3/Di
 Adaptec RAID controllers, mostly running old OpenBSD with the 'aac'
 RAID controller enabled.

 I'd like to put as little money (and time) into these as possible
 while still bringing them up to the latest supported OpenBSD release,
 and keeping the Dell support contracts in place.  I'm willing to
 consider trading these in, but I don't see affordable rackmount
 servers from Dell or Sun with redundant power and hardware RAID.

 These servers have been up and running for years (as in 1000 day
 uptimes) without major issues, and with no complaints about
 performance or corruption.  How big a risk am I taking by reinstalling
 these machines with 4.0 and a custom 'aac' kernel?

 Has anybody successfully paid or pressured Dell to swap the PE2650
 'aac' motherboards for a revision with the AMI MegaRAID embedded RAID
 chipset?  Or added a PCI card for RAID using the split backplane
 feature of the PE2650?

 If the latter is the best option, any recommendation for an
 OpenBSD-friendly maker of standalone U160/U320 hardware RAID
 controllers for PCI?  Something orderable from CDW or another major
 retailer would be a plus.


 Thanks,

 Kevin

 (P.S. One reason for specifying hardware RAID is to have a system with
 a strong chance of surviving (and/or rebooting after) a single failed
 drive.  Other reasons are primarily political, same reasons we have
 only Sun and Dell hardware, and Dell Gold service contracts.)

As you have built-in PERC 3/Di controllers, use them! Otherwise buy anything 
else but Adaptec (like LSI MegaRAID). The big aac update (1.16 of aac_pci.c) 
just before OpenBSD 3.9 actually made aac usable. I have an old Dell 2450 
with a built-in PERC 3/Di running perfectly since the 3.9 release. 

I haven't yet read Ingo's reply that I have seen on the list. But I think 
we share the same opinion about Adaptec, as we are two out of many with 
earlier Adaptec problems.

Regards
/Per-Olov



Re: pf load balancing and failover

2006-10-22 Thread Per-Olov Sjöholm
On Sunday 22 October 2006 01:44, Kevin Reay wrote:
  Point of correction, slbd didn't have the ability to ping IP addresses.

 Good call.

  You might check the code in CVS, it should compile and work on 3.9.

 You're right, I didn't notice it was being maintained. Thanks for the
 pointer, and thanks so much for keeping it maintained (I just noticed
 you were the one who updated it in CVS).

 Back to the original question; it looks like slbd would be a good and
 elegant way to achieve what you're looking to do. Just grab it from the
 sourceforge CVS repository.

 Kevin

Hi

I have followed this thread. Can anyone point out a working download link? 
Sourceforge does not have any working mirrors for this slbd-1.3.tar.gz file.. 
Probably a misconfiguration somewhere.

Thanks
Per-Olov



Re: Solution to - Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

2006-10-22 Thread Per-Olov Sjöholm
On Sunday 22 October 2006 15:48, Girish Venkatachalam wrote:
 On Sat, Oct 21, 2006 at 10:04:19PM +0200, Per-Olov Sjöholm wrote:
  Here is a post with info that solves and explain the case if someone else
  get stuck in the problem.
 
   This problem was actually caused by an updated OpenSSL. I have had 2048
  and 4096 SSH keys that have worked perfect until my last complete 3-9
  -stable update.
 
  In OpenSSL the limit is 3kbit for DSA keys and 16k for RSA keys. These
  days ssh-keygen won't let you generate DSA keys other than 1024 bit ones
  (which is all the FIPS-186-2 spec allows) so if you want larger keys then
  you should use RSA. The thing that actually caused the problem was an
  openssl update earlier (013_openssl2.patch or its equivalent in -stable),
  but it didn't become apparent until sshd was rebuilt with the new
  openssl.
 
 
  Thank you *very* much for the help Darren Tucker!

 This is excellent news for me since I was investigating an ssh breakage
 problem in FreeBSD and I could point my finger at OpenSSL but not proceed
 further since I had other things to do in life. :-)

 But there are some things not clear to me from what you are saying. It will
 be great if you can help.

 You mean to say that newer versions of OpenSSL do not allow you to create
 DSA keys longer than 1024 bits, but then isn't there an export and a non
 export version?

 I am assuming that all this FIPS/export etc. are some political crap that
 gets in the way of people wanting to use strong crypto.

 Now, the problem with RSA is that it used to be patent encumbered (well)
 and even now I prefer DSA over RSA for whatever reason.

 Now what?

 Looks to me there are some holes in your analysis.

 Thanks.

 regards,
 Girish

Well... I solved it thanks to Darren Tucker. So positive feedback should go to 
him... I haven't done any deeper analysis of it, as it solved my problem. And 
I don't have the time to dig...

Then you say Darren Tucker maybe has a hole in the analysis... Well, ask him! 
Maybe he reads this post and can answer directly.

Regards
Per-Olov



Re: pf load balancing and failover

2006-10-22 Thread Per-Olov Sjöholm
On Sunday 22 October 2006 17:29, Bill Marquette wrote:
 On 10/22/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
  Hi
 
  I have followed this thread. Can anyone point out a working download
  link? Sourceforge does not have any working mirrors for this
  slbd-1.3.tar.gz file.. Probably a misconfiguration somewhere.

 Hmm, didn't notice that they didn't mirror it properly when I posted
 it last night.  You can try pulling it down from CVS @
 http://sourceforge.net/cvs/?group_id=96331
 I'll see what I can do to whip sourceforge into shape and get the
 mirroring fixed.  Thanks

 --Bill

Hi again

I am looking at the CVS. I can't see that it's possible, out of the box, to remove 
addresses from a round-robin scheme in PF for a faulty web server. Am I 
missing something?

But maybe I misunderstood Kevin Reay, who in this thread said: "and it would 
automatically remove the address from a pf pool (and optionally run a 
command) when a host failed"...

Maybe I have to do some scripting after all...

Regards
/Per-Olov



Re: pf load balancing and failover

2006-10-22 Thread Per-Olov Sjöholm
On Sunday 22 October 2006 21:13, Kevin Reay wrote:
 On 10/22/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
  Hi again
 
  I am looking at the CVS. I can't see that it's possible, out of the box, to
  remove addresses from a round-robin scheme in PF for a faulty web
  server. Am I missing something?
 
  But maybe I misunderstood Kevin Reay, who in this thread said: "and it
  would automatically remove the address from a pf pool (and optionally
  run a command) when a host failed"...
 
  Maybe I have to do some scripting after all...

 It can be a little confusing at first, but it makes a lot of sense
 once you understand it. The way I remember it, a person creates a
 config file for slbd that defines the various pools and their polling
 methods, and slbd creates the load balancing pools in pf at start-up
 automatically (in an anchored ruleset). Then it removes entries from
 those pools when a server goes down. So... no scripting required.

 Of course, Bill Marquette will probably have more knowledge/details
 about this then me...

 Kevin

REALLY nice ;-)

Just have to wait for the download site to be ok then...

Thanks
/Per-Olov



Solution to - Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

2006-10-21 Thread Per-Olov Sjöholm
On Tuesday 17 October 2006 12:08, Per-Olov Sjöholm wrote:
 On Tuesday 17 October 2006 11:17, you wrote:
  On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
   What should I clean when I totally wiped out /usr/src and /usr/obj
   before the cvs update.
  
   The build is done as follows...
   --snip--
   cd /usr
   export CVSROOT=[EMAIL PROTECTED]:/cvs
   cvs -z5 -q get -rOPENBSD_3_9 -P src
   cd /usr/src/sys/arch/i386/conf
   config GENERIC
   cd ../compile/GENERIC
   make clean && make depend && make
   mv /bsd /bsd.old
   cp bsd /
   reboot
   cd /usr/src
   rm -r /usr/obj/*
   make obj && make build
   reboot
 
  Hmm, that looks allright. One possibility might be that anoncvs1 was
  not up-to-date, but that's unlikely, since the stable update was some
  time ago. If updating doesn't show any new files, try to run the sshd
  in debug mode (on another port), that might give a clue.
 
  -Otto

 I just ran a debug /usr/sbin/sshd -ddde -p 2022 as Darren Tucker asked
 me for it, and I just sent the debug output to him.

 A key login works from a patched (now ssh 4.4) to a non-patched (ssh 4.3)
 system, but it won't work between two ssh 4.4 updated systems. Between these
 only password login works.



 Regards
 Per-Olov

Hi misc

For the archives...

Here is a post with info that solves and explains the case, if someone else gets 
stuck in the problem.

This problem was actually caused by an updated OpenSSL. I have had 2048 and 
4096 SSH keys that have worked perfectly until my last complete 3.9-stable 
update.

In OpenSSL the limit is 3kbit for DSA keys and 16k for RSA keys. These days 
ssh-keygen won't let you generate DSA keys other than 1024 bit ones (which is 
all the FIPS-186-2 spec allows) so if you want larger keys then you should 
use RSA. The thing that actually caused the problem was an openssl update 
earlier (013_openssl2.patch or its equivalent in -stable), but it didn't 
become apparent until sshd was rebuilt with the new openssl.


Thank you *very* much for the help Darren Tucker!

Regards
/Per-Olov Sjöholm
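The practical question behind this post and Girish's reply above is which existing keys will stop working once sshd is rebuilt against the newer OpenSSL: per the post, DSA keys other than 1024 bits (the only size FIPS 186-2 allows and ssh-keygen still generates) and RSA keys over 16k bits. The script below is an added example, not from the thread or from OpenSSH; it audits `ssh-keygen -l` output for such keys, assumes the line format noted in its comment, and uses a constructed key list with placeholder fingerprints. Today's caveat, which the 2006 thread could not know: OpenSSH 7.0 and later disable ssh-dss entirely by default, so on current systems every DSA key, 1024-bit or not, should be flagged for replacement.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenSSH: find SSH keys that the
# newer OpenSSL described in the post will reject, from `ssh-keygen -l` output.
# Per the post: only 1024-bit DSA keys are FIPS 186-2 conformant (and the only
# size ssh-keygen still generates); RSA keys above 16k bits exceed the OpenSSL
# limit. Assumed `ssh-keygen -l` line format (old and new fingerprint styles
# both fit):
#   <bits> <fingerprint> <comment or file name> (<TYPE>)

# Constructed sample (fingerprints are placeholders, not real digests).
SAMPLE_KEY_LIST='1024 ab:cd:ef:00 /root/.ssh/id_dsa.pub (DSA)
2048 ab:cd:ef:01 backup@host1 (DSA)
4096 ab:cd:ef:02 backup@host2 (DSA)
2048 ab:cd:ef:03 /root/.ssh/id_rsa.pub (RSA)'

# flag_ssh_keys: reads ssh-keygen -l lines on stdin and prints one line per
# key that will stop working; prints nothing when every key is acceptable.
flag_ssh_keys() {
    awk '
    NF >= 4 {
        bits = $1 + 0
        type = $NF
        gsub(/[()]/, "", type)
        comment = $3
        for (i = 4; i < NF; i++) comment = comment " " $i   # comments may contain spaces
        if (type == "DSA" && bits != 1024)
            print comment ": " bits "-bit DSA key; only 1024-bit DSA is accepted (FIPS 186-2), use RSA for larger keys"
        else if (type == "RSA" && bits > 16384)
            print comment ": " bits "-bit RSA key exceeds the 16k OpenSSL limit"
    }'
}

# audit_key_files FILE...: one public-key file per argument, listed with the
# real ssh-keygen (absolute path so it also works from cron).
audit_key_files() {
    for f in "$@"; do
        /usr/bin/ssh-keygen -l -f "$f"
    done | flag_ssh_keys
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_KEY_LIST" | flag_ssh_keys
```

Running `audit_key_files /root/.ssh/*.pub` on each rsync source and target before the upgrade would have shown the 2048- and 4096-bit DSA keys in advance, instead of six servers' backups failing at once.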



Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

2006-10-17 Thread Per-Olov Sjöholm
On Tuesday 17 October 2006 09:19, you wrote:
 On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
  On Tuesday 17 October 2006 01:07, you wrote:
   After I upgraded to 3.9 stable from Oct 10 SSH key login no longer
   work.
  
   All my servers stopped working with SSH key logins with the result that
   all my rsync automated backups gave up. This happened after my last
   upgrade October 10, where I did a full source update of my 3.9 stable.
   I could however still login with any account where I use passwords.
   Both source and target SSH was OpenBSD and 3.9 from October 10. And as
   said it happened on six server at the same time. The only thing that
   could have caused this is that this update contained the new OpenSSH
   4.4.
  
   I think the thread 
   Cannot login into OpenSSH after applying patch 020_ssh2.patch to
   OpenBSD 3.8 stable is not the same problem. Or is it? Well... the fix
   for that thread problem was cd /usr/src/usr.bin/ssh && make obj depend &&
   make && make install. And that does not help here. Apart from
   that, the result is EXACTLY the same as the referenced thread.
  
   Login with keys from a patched 3.9 system to a non patched system (ssh
   4.4 against 4.3) still works...
  
   Any clues?
  
   Thanks in advance
   Per-Olov
 
  Will add some output of a verbose login as well.
  (name and IP changed)
 
  This worked on all six servers before the 3.9 STABLE update that changed
  OpenSSH to 4.4. And after the stable update all key logins are broken and
  only password login works.

 It could be you forgot the make depend.
 To rule out bad dependencies. run make cleandir first and then try again.

   -Otto

What should I clean when I totally wiped out /usr/src and /usr/obj before the 
cvs update.

The build is done as follows...
--snip--
cd /usr
export CVSROOT=[EMAIL PROTECTED]:/cvs
cvs -z5 -q get -rOPENBSD_3_9 -P src
cd /usr/src/sys/arch/i386/conf
config GENERIC
cd ../compile/GENERIC
make clean && make depend && make
mv /bsd /bsd.old
cp bsd /
reboot
cd /usr/src
rm -r /usr/obj/*
make obj && make build
reboot
--snip--


Am I missing something? If so. What? 
The above has worked every time on every release for many years

Regards and thanks in advance
/Per-Olov


  [EMAIL PROTECTED]:~#ssh -v [EMAIL PROTECTED]
 
  OpenSSH_4.4, OpenSSL 0.9.7g 11 Apr 2005
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Connecting to MYSERVER.MYDOMAIN.COM [1.1.1.1] port 22.
  debug1: Connection established.
  debug1: permanently_set_uid: 0/0
  debug1: identity file /root/.ssh/identity type -1
  debug1: identity file /root/.ssh/id_rsa type -1
  debug1: identity file /root/.ssh/id_dsa type 2
  debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4
  debug1: match: OpenSSH_4.4 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_4.4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Host 'MYSERVER.MYDOMAIN.COM' is known and matches the RSA host key.
  debug1: Found key in /root/.ssh/known_hosts:3
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue:
  publickey,password,keyboard-interactive
  debug1: Next authentication method: publickey
  debug1: Trying private key: /root/.ssh/identity
  debug1: Trying private key: /root/.ssh/id_rsa
  debug1: Offering public key: /root/.ssh/id_dsa
  debug1: Server accepts key: pkalg ssh-dss blen 1585
  debug1: read PEM private key done: type DSA
  debug1: Authentications that can continue:
  publickey,password,keyboard-interactive
  debug1: Next authentication method: keyboard-interactive
  Connection closed by 1.1.1.1
 
 
  /Per-Olov



Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

2006-10-17 Thread Per-Olov Sjöholm
On Tuesday 17 October 2006 11:17, you wrote:
 On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
  What should I clean when I totally wiped out /usr/src and /usr/obj before
  the cvs update?
 
  The build is done as follows...
  --snip--
  cd /usr
  export CVSROOT=[EMAIL PROTECTED]:/cvs
  cvs -z5 -q get -rOPENBSD_3_9 -P src
  cd /usr/src/sys/arch/i386/conf
  config GENERIC
  cd ../compile/GENERIC
  make clean && make depend && make
  mv /bsd /bsd.old
  cp bsd /
  reboot
  cd /usr/src
  rm -r /usr/obj/*
  make obj && make build
  reboot

 Hmm, that looks all right. One possibility might be that anoncvs1 was
 not up-to-date, but that's unlikely, since the stable update was some
 time ago. If updating doesn't show any new files, try to run the sshd
 in debug mode (on another port), that might give a clue.

   -Otto

I just ran a debug /usr/sbin/sshd -ddde -p 2022 as Darren Tucker asked me 
for it. And I just sent the debug output to him.

A key login works from a patched (now ssh 4.4) to a non patched (ssh 4.3) 
system, but it won't work between two ssh 4.4 updated systems. Between these 
only password login works.



Regards
Per-Olov

-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD 3.8 stable

2006-10-16 Thread Per-Olov Sjöholm
On Monday 16 October 2006 16:40, you wrote:
 Hi everybody,

 Darren has just become my hero of the day.

 Rebuilding OpenSSH like Darren described earlier works on my OpenBSD
 3.8 box. No more problems. Happiness.

 thanks a lot Darren!

 regards,
 Tobias W
 . 

I was just about to start looking for the problem when I saw this post.

Seems I have the same problems with key logins on six different 3.9 boxes 
after patching STABLE Oct 10...

cd /usr/src/sys/arch/i386/conf
config GENERIC
cd ../compile/GENERIC
make clean && make depend && make
mv /bsd /bsd.old
cp bsd /
reboot
cd /usr/src
rm -r /usr/obj/*
make obj && make build
reboot


But man release doesn't say make obj depend && make build is needed 
instead of make obj && make build for the source. Should depend be there 
in the source build as well?

/Per-Olov



Re: Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD 3.8 stable

2006-10-16 Thread Per-Olov Sjöholm
On Monday 16 October 2006 23:44, Stuart Henderson wrote:
 On 2006/10/16 23:14, Per-Olov Sjöholm wrote:
  But man release doesn't say make obj depend && make build is needed
  instead of make obj && make build for the source. Should depend be
  there in the source build as well?

 make build does even more than that:
 $ vi -c/^build: /usr/src/Makefile

So make obj && make build should be sufficient for the source build? Or did 
I get it wrong? But I do have problems with SSH and key login. OK, I have not 
used the ssh2 patch, but the whole source update...
--snip--
cd /usr
export CVSROOT=[EMAIL PROTECTED]:/cvs
cvs -z5 -q get -rOPENBSD_3_9 -P src
--snip--

And the resolved ssh issue from this thread does indicate a build issue.
Am I missing something? I have done a billion source updates over the years 
on many releases but have not seen any problem like this...

/Per-Olov



SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

2006-10-16 Thread Per-Olov Sjöholm
After I upgraded to 3.9 stable from Oct 10, SSH key login no longer works.

All my servers stopped working with SSH key logins with the result that all my 
rsync automated backups gave up. This happened after my last upgrade October 
10, where I did a full source update of my 3.9 stable. I could however still 
login with any account where I use passwords. Both source and target SSH was 
OpenBSD and 3.9 from October 10. And as said it happened on six servers at the 
same time. The only thing that could have caused this is that this update 
contained the new OpenSSH 4.4.

I think the thread 
Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD 3.8 
stable is not the same problem. Or is it? Well... the fix for that thread 
problem was cd /usr/src/usr.bin/ssh && make obj depend && make && make 
install. And that does not help here. Apart from that, the result is 
EXACTLY the same as the referenced thread.

Login with keys from a patched 3.9 system to a non patched system (ssh 4.4 
against 4.3) still works...

Any clues?

Thanks in advance
Per-Olov



Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

2006-10-16 Thread Per-Olov Sjöholm
On Tuesday 17 October 2006 01:07, you wrote:
 After I upgraded to 3.9 stable from Oct 10, SSH key login no longer works.

 All my servers stopped working with SSH key logins with the result that all
 my rsync automated backups gave up. This happened after my last upgrade
 October 10, where I did a full source update of my 3.9 stable. I could
 however still login with any account where I use passwords. Both source and
 target SSH was OpenBSD and 3.9 from October 10. And as said it happened on
 six servers at the same time. The only thing that could have caused this is
 that this update contained the new OpenSSH 4.4.

 I think the thread 
 Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD
 3.8 stable is not the same problem. Or is it? Well... the fix for that
 thread problem was cd /usr/src/usr.bin/ssh && make obj depend && make && 
 make install. And that does not help here. Apart from that, the result
 is EXACTLY the same as the referenced thread.

 Login with keys from a patched 3.9 system to a non patched system (ssh 4.4
 against 4.3) still works...

 Any clues?

 Thanks in advance
 Per-Olov

Will add some output of a verbose login as well.
(name and IP changed)

This worked on all six servers before the 3.9 STABLE update that changed 
OpenSSH to 4.4. And after the stable update all key logins are broken and 
only password login works.


[EMAIL PROTECTED]:~#ssh -v [EMAIL PROTECTED]

OpenSSH_4.4, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to MYSERVER.MYDOMAIN.COM [1.1.1.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4
debug1: match: OpenSSH_4.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'MYSERVER.MYDOMAIN.COM' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: 
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 1585
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: 
publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Connection closed by 1.1.1.1


/Per-Olov
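As an added example (not code from the thread), a small sh/awk triage for `ssh -v` output like the transcript above: it tells apart "server never accepted the key" from what the transcript shows, the server accepting the key and then rejecting the signed response and falling through to the next method. The sample transcript is constructed from the lines posted above; the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify where public-key
# authentication stopped in an `ssh -v` client transcript.

# Constructed sample, mirroring the transcript posted in the thread
# (host and address are the thread's own placeholders).
sample_transcript() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 1585
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Connection closed by 1.1.1.1
EOF
}

# Read a transcript on stdin and print a one-line verdict.
# The order of the debug1 lines is what matters:
#   "Offering public key"        the client sent the key's identity
#   "Server accepts key"         the server found it in authorized_keys
#   "read PEM private key done"  the client then signed the challenge
#   another "Authentications that can continue" after the signing step
#   means the server rejected the signed request, not the key identity
ssh_pubkey_verdict() {
    awk '
        /Authentication succeeded \(publickey\)/      { ok = 1 }
        /Offering public key:/                        { offered = $NF }
        /Server accepts key:/                         { accepted = 1 }
        /read PEM private key done/                   { signed = 1 }
        /Authentications that can continue/ && signed { rejected = 1 }
        END {
            if (ok)
                print "publickey authentication succeeded"
            else if (offered == "")
                print "no key offered: client found no usable identity file"
            else if (!accepted)
                print "key " offered " not accepted: check authorized_keys and its permissions on the server"
            else if (rejected)
                print "key " offered " accepted but signature rejected: debug sshd on the server"
            else
                print "inconclusive: transcript ends before a publickey result"
        }'
}

# Stand-alone run: classify the constructed sample.
sample_transcript | ssh_pubkey_verdict
```

Feed it a real transcript with `ssh -v host 2>&1 | ssh_pubkey_verdict`; the "accepted but signature rejected" verdict is the one to take to the server side with sshd -d, as suggested in the thread.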



Redundant over two ethernet switches

2006-10-12 Thread Per-Olov Sjöholm
Hi

Let's say we have two switches on the same subnet with RSTP (Rapid Spanning 
Tree) on. If I want to connect an OpenBSD server 3.9 or 4.0 (with TWO Intel 
NIC:s and ONE IP address) to both these switches (for redundancy, not 
speed) I think I need some extra features in the NIC driver. 

According to http://www.intel.com/support/network/sb/cs-009747.htm there are a 
few different ways of doing this.

Are any of them supported in OpenBSD? I think I would prefer what Intel 
calls Switch Fault Tolerance (SFT). If not supported... Anybody with a 
clever idea for solving the two switch connection redundancy issue? Can I use 
the trunk feature in any way? If I can use a trunk in any way... will it have 
any negative impact on CARP that I will use on it?


Thanks in advance
Per-Olov



if_em.c and rev 1.131

2006-10-11 Thread Per-Olov Sjöholm
Hi misc

I am looking at http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_em.c 
and can see the following...
--snip--
revert revision 1.131, the code in question was later found to not ensure
the proper alignment requirement for the VLAN layer on strict alignment
architectures. This would result in Jumbo's working fine as long as VLANs
were not in use. If VLANs were in use and a packet comes in with a size
of 2046 bytes or larger, it would be corrupted as it came up through the
VLAN layer. Also check the hw max frame size, instead of the MTU, so the
alignment fixup is done as appropriate.
--snip--

As I use VLANs a lot I therefore have a question, as this is not 100% clear to 
me...

This was reverted in OBSD 3.8 and 3.9 but not in 4.0. As this according to cvs 
was reverted after OpenBSD 4.0 was tagged, I therefore wonder if the problem 
exists in the 4.0 release.

Excuse me if I missed something important I can't see...

Thanks in advance
Per-Olov Sjöholm



Perc 5/i

2006-10-10 Thread Per-Olov Sjöholm
Hi Misc

Will the new built-in SAS controller Perc 5/i in the Dell servers (LSI SAS 
megaraid driver) work in OpenBSD 3.9? Will it work in the upcoming 4.0 
release? We will eventually buy a bunch of Dell 1950 servers. And of course 
we will have the firewalls on OpenBSD.

Tried to search for some info about it but couldn't find any.


Thanks in advance
Per-Olov Sjöholm

-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: Sendmail access question

2006-05-25 Thread Per-Olov Sjöholm
On Thursday 25 May 2006 23.36, you wrote:
 I would like to accept mail from only one specified SMTP server
 and reject all others. I tried '*.*REJECT' in /etc/mail/access
 but that doesn't seem to work.

 Mike Spenard

Change to...
X.Y.Z.W  RELAY
in /etc/mail/access and rebuild the access.db (where X.Y.Z.W is the good IP). 
This means this IP is the only one that can relay anything through you. All 
other IP:s can mail to your domains in /etc/mail/local-host-names if you have 
any. If they connect and try anything else than your local domain they will 
see relaying denied.

If you have a pretty default sendmail config (except for the enabling of 
access) you can consider the mission completed.


Or did you mean that only one external IP should be able to send e-mail to 
your own local domain??? That would sound a little bit strange. So I do not 
assume that..

If I misunderstood you, you maybe have to give out some more info...

Regards
/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: traffic shaping question.

2006-05-23 Thread Per-Olov Sjöholm
On Tuesday 23 May 2006 12.56, S t i n g r a y wrote:
 I want to do traffic shaping on a per protocol basis so
 if i give a certain bandwidth to HTTP protocol, isn't
 there any way i can differentiate between HTTP webpages
 & HTTP downloads of huge .iso files ?
 i don't want users who are downloading huge files
 to affect users who are only checking their webmails.

 is there any way ?


Correct me if I am wrong.. But you can differentiate shaping of traffic of the 
same protocol if it has different Type Of Service. You can for example give 
higher priority to SSH shell and lower the priority of scp bulk file 
transfers as they have different TOS. Don't know if there exists anything like 
it for HTTP (don't think so). If it doesn't exist you probably have to find 
another way (not in PF).

Or you could have the ISO downloads from a different IP.


/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: SunFire x4100

2006-05-16 Thread Per-Olov Sjöholm
On Monday 15 May 2006 17.07, Peter Huncar wrote:
 Hi misc

 I got this: http://www.sun.com/servers/entry/x4100 from SUN to test it,
 tried to install 3.9release a minute ago without success, the disks (SAS
 - LSI adapter) were not detected. Unfortunately, I'm not able to donate
 this HW :(

 It detects the scsibus and device sd0 (as offline)

 I'll try to play with this a bit more, it has an IDE adapter, so I'm
 gonna install OBSD again tomorrow and send dmesg.

 Will the SAS drives be supported in the near future?

 Thanks

 Hunci

For the interested

X4100 and X4200 have  LSI SAS 1064 controllers.



Regards
Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: cyrus, sasl and /etc/passwd

2006-04-29 Thread Per-Olov Sjöholm
On Saturday 29 April 2006 02.00, John Brahy wrote:
 How do I configure cyrus imapd to retrieve mail from normal unix mailboxes
 and validate against the unix password? I have been trying to find info on
 it and I can't find anything that works with v2.2.12 from 3.8 ports. Can
 someone point me in the right direction?

 Thanks,

 John

To authenticate against the OpenBSD unix password database you can do this:

From /etc/imapd.conf:
--snip--
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowanonymouslogin: no
--snip--

And probably something like this in /etc/rc.local:

# Start saslauthd with the getpwent backend so Cyrus/SASL PLAIN and LOGIN
# are checked against the OpenBSD password database.
if [ X${saslauthd} = XYES -a -x /usr/local/sbin/saslauthd ]; then
   echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi


But the mailstore is a sealed store that has nothing to do with what you have 
in the unix OS. And I can't see the connection to your mbox mailboxes in the 
OS at all.

To retrieve mail from your ordinary mbox files in the OS you could use imap-uw, 
Dovecot or similar instead. But personally I think Cyrus is way better. I 
retrieve my mail to Cyrus imap through sendmail with the cyrus mailer 
enabled.


Hope this helps...

Regards
Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4



mclpool limits

2006-04-13 Thread Per-Olov Sjöholm
Hi

#Setup:#
A redundant firewall pair (two HP DL380G4) with 3 em dual gig nics (plus 2 
unused bge), 6 vlans, pfsync and 1500 rows of pf.conf. OpenBSD 3.8 STABLE 
(updated two weeks ago). The generic kernel is used + backported SACK patch 
so we could use synproxy correctly.

#Problem:#
This redundant firewall pair just died after a couple of weeks of good work. All 
interfaces use carp. During the last 24 hours before the problem they have 
had a constant 25-30% higher average load of outgoing traffic, 100 to 110 
Mbit, and incoming traffic of 80-90 Mbit. A pfstat graph shows a packet rate 
that is not over 15000 in any direction.

Apr 11 09:32:16 XX /bsd: WARNING: mclpool limit reached; increase 
kern.maxclusters

On the list we have seen people raise kern.maxclusters values to over 65000 
without success (the fw just lasts longer) and later get info that they had a 
driver bug (xl for example). I unfortunately don't have a netstat -m or 
vmstat -m|grep mcl but assume I would not be happy to see the result of the 
output.


#Question:#
This problem is *hopefully* caused by a high network load and therefore only 
needs tuning rather than being an OS problem. A sysctl -a | grep kern.maxclusters 
shows the default:
kern.maxclusters=6144
What is a reasonable value for kern.maxclusters in a situation like this?
(We ask as we don't want to raise it too high, as we also are afraid of eventual 
side effects.)


Thanks
Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: 10k pps

2006-04-07 Thread Per-Olov Sjöholm
On Friday 07 April 2006 10.25, Claudio Jeker wrote:
 On Fri, Apr 07, 2006 at 12:17:58AM +0200, Per-Olov Sjöholm wrote:
  On Thursday 06 April 2006 23.08, Claudio Jeker wrote:
   On Thu, Apr 06, 2006 at 11:47:16PM +0300, Claudiu Pruna wrote:
Hi there list,
   
I got to a situation at work where I have an OpenBSD 3.9 amd64
    router acting as bgp and ospf router, and it has to cope with
100Mbps and approx 15.000 packets per second, but it can't at about
    10k pps, I have like 70% cpu utilisation on interrupt, and all the
traffic becomes an extreme sport, it is an Intel P4 3GHz em64 with
512MB of ram and 2 Intel Pro100 (fxp) network cards.
   
    Any idea if/how can I jump over the 10k barrier ?
   
   
   
P.S.: Claudio thanks for the advice about 3.9 bgpd version and
    additive communities, it works smooth.
   
    Thanks for any suggestion or advice.
  
   Switch to i386. amd64 has some interrupt problems, the amd64 I tested
   once maxed at 80kpps but did 450kpps in i386 mode.
 
  Hi Claudio
 
  What cpu, network cards and pf ruleset size did you use during the test
  when the server handled 450kpps ?

 CPU (actually two CPUs on the board):
 cpu0 at mainbus0: (uniprocessor)
 cpu0: AMD Engineering Sample, 2592.68 MHz
 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
 cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
 cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
 cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative

 Network cards:
 bge0 at pci2 dev 9 function 0 "Broadcom BCM5704C" rev 0x03, BCM5704 A3 (0x2003): irq 10, address 00:e0:81:27:e0:a9
 brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
 bge1 at pci2 dev 9 function 1 "Broadcom BCM5704C" rev 0x03, BCM5704 A3 (0x2003): irq 5, address 00:e0:81:27:e0:aa
 brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0

 PF was disabled (enabling PF with 10 or 20 rules (no states) resulted in a
 20-30% drop)

 At the time we measured it em(4) was slower (300-350kpps) but fixes went in
 to remove the bottlenecks in the em(4) driver.


Thanks for the info...

Do you know when these fixes for em went into cvs? After 3.8 ?

Tnx in advance
/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: SpamAssassin autolearn problem

2006-04-06 Thread Per-Olov Sjöholm
On Thursday 06 April 2006 16.15, Gabriel George POPA wrote:
 Some e-mails I receive have autolearn=no and others have
 autolearn=failed. I use the classic combination of spamd/spamc and the
 OpenBSD 3.8 provided p5-SpamAssassin package, installed as OpenBSD
 recommends. I tried to follow the instructions at
 spamassassin.apache.org (to use for example /var/spamassassin (0777
 mode) in order to store learnt data, bayes_path and bayes_file_mode,
 restarted spamd etc., nothing worked). What should I do next? I must
 create all those files by hand (the files in /var/spamassassin). I must
 mention that when I was using spamassassin alone (not spamc/spamd) for
 my account autolearn worked correctly.


 Respectfully yours,

 Gabriel George POPA

This is what I have got (on 3.8 stable with spamassassin 3.0.4):
[EMAIL PROTECTED]:/tmp#ls -al /var/spamassassin
total 20
drwxr-x---   5 _spamass  _spamass   512 Jan 31 15:42 .
drwxr-xr-x  32 root      wheel     1024 Feb 26 18:45 ..
drwxr-x---   2 _spamass  _spamass   512 Apr  5 16:42 .razor
drwx------   2 _spamass  _spamass   512 Apr  6 23:49 .spamassassin

The files and directories in /var/spamassassin will be automatically created.
Note that the _spamass user's home directory is /var/spamassassin.


In /etc/rc.local I have...
# Start spamd as the unprivileged _spamass user on a local port; the
# Bayes db then lives under that user's home, /var/spamassassin.
if [ X${spamassassin_spamd} = XYES -a -x /usr/local/bin/spamd \
-a -e /etc/mail/spamassassin/local.cf ]; then
   echo -n ' Spamassassin spamd'; /usr/local/bin/spamd -d -p 3312 \
-u _spamass --max-children=5 --max-conn-per-child=2000 -x
fi

It's called from sendmail through the smtp-vilter connector and it just works.  
smtp-vilter talks to spamd.

The only thing you need in /etc/mail/spamassassin/local.cf is... nothing. Well, 
you should probably do some tuning. You should probably have:
--snip--
required_score   5.0
report_safe 1
use_bayes   1
skip_rbl_checks 0
--snip--

No path statement is needed in local.cf if you have the correct path for the 
Bayesian db as stated above.

Hope it could be of any use.

Regards
/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: 10k pps

2006-04-06 Thread Per-Olov Sjöholm
On Thursday 06 April 2006 23.08, Claudio Jeker wrote:
 On Thu, Apr 06, 2006 at 11:47:16PM +0300, Claudiu Pruna wrote:
  Hi there list,
 
  I got to a situation at work where I have an OpenBSD 3.9 amd64 router
  acting as bgp and ospf router, and it has to cope with 100Mbps and
  approx 15.000 packets per second, but it can't at about 10k pps, I have
  like 70% cpu utilisation on interrupt, and all the traffic becomes an
  extreme sport, it is an Intel P4 3GHz em64 with 512MB of ram and 2 Intel
  Pro100 (fxp) network cards.
 
  Any idea if/how can I jump over the 10k barrier ?
 
 
 
  P.S.: Claudio thanks for the advice about 3.9 bgpd version and additive
  communities, it works smooth.
 
  Thanks for any suggestion or advice.

 Switch to i386. amd64 has some interrupt problems, the amd64 I tested once
 maxed at 80kpps but did 450kpps in i386 mode.

Hi Claudio

What cpu, network cards and pf ruleset size did you use during the test when 
the server handled 450kpps ? 

Just interested...

Regards
/Per-Olov



Re: Firefox with Java and Flash

2006-03-30 Thread Per-Olov Sjöholm
On Friday 31 March 2006 03.05, you wrote:
 Hi all,

 I have installed in my machine both firefox web browser and java
 plugin (compiled on my own machine). The java plugin works fine with
 opera, but I'd like to use it with firefox, but I don't know where to
 put it. Does anyone here from list know where to place the plugins?
 I've seen the FAQ before, but it only reports about Opera.

 Thanks

 --
 Joco Salvatti
 Undergraduating in Computer Science
 Federal University of Para - UFPA
 web: http://salvatti.expert.com.br
 e-mail: [EMAIL PROTECTED]


Is this a question for OpenBSD misc? 
But how about the plugins directory below the firefox installdir? Or your own 
plugin dir below ~/.mozilla?

Check in firefox by typing about:plugins in the url field.

/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: rotating apache logs

2006-03-30 Thread Per-Olov Sjöholm
On Friday 31 March 2006 09.05, you wrote:
 Hi.  What is the best way to rotate apache logs on OpenBSD?  Ideally I
 would like to create a new one at the beginning of each month.  I
 searched my system for logrotate and could not find it.
 Tired of spam?  Yahoo! Mail has the best spam protection around
 http://mail.yahoo.com

/etc/newsyslog.conf

Like
/var/www/logs/access_log    644  60    *    $D0   Z  /var/www/logs/httpd.pid SIGUSR1


One log per month sounds like they could grow a bit... I rotate every 
midnight.


/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: LSI Raid Card

2006-03-29 Thread Per-Olov Sjöholm
On Wednesday 29 March 2006 16.27, Gaby vanhegan wrote:
 Hi,

 If I got one of these:

 http://www.lsilogic.com/products/megaraid/sata_150_4.html

 Which is supported under the ami driver, and that I'll have four
 drives in RAID 5, each in these:

 http://www.ebuyer.com/customer/products/index.html?
 action=c2hvd19wcm9kdWN0X292ZXJ2aWV3product_uid=99222

 Am I still going to be able to use the nice blink functions in
 bioctl?  I'd like to know which drive my RAID card thinks has died...

 Gaby

 --
 Junkets for bunterish lickspittles since 1998!
 http://www.playr.co.uk/sudoku/
 http://weblog.vanhegan.net/

I think it should work with a command like bioctl -b channel:target.lun 
ami0. If it's not in an enclosure it will tell...

Try man bioctl


/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: pf and passive (ftp) port tricks

2006-03-28 Thread Per-Olov Sjöholm
On Tuesday 28 March 2006 14.09, Michael Schmidt wrote:
 Hello,

 did anyone setup helpful tricks in pf concerning passive ports for ftp?

 Why I am asking has the following reason:
 In general you have to open ports for incoming passive ftp requests on a
 wide range, but that's a point I don't like as I want to make life as
 hard as possible for intruders/hackers which may try "ah, let's see
 what's all open on that machine".

 So what I want to setup is pf and the ftp-daemon in that way that the
 ftp-daemon offers only a very small range of passive ports (or perhaps
 only one single passive port?) and that pf opens only the same small
 range of ports (or the same single port).
 As it would be best not to reinvent the wheel I would like to know:
 Did anyone do such a setup and could share ideas?

 Have a nice day
 Michael


[EMAIL PROTECTED]:~#grep porthilast  /etc/sysctl.conf
net.inet.ip.porthilast=49191    # Gives a port range from 49152 to 49191


And then handle the above range for passive ports that are used by the ftpd.


/Per-Olov
-- 
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE



Re: Support the project by buying from store or make donations

2006-03-27 Thread Per-Olov Sjöholm
Yes

I see three or four things at this http://images.kd85.com/notforsale/ page 
that could be candidates for giveaways to customers. I had almost forgotten this 
link. Did I get it during the last CD buy? I have forgotten... 

However. Too bad it's not on the official page... I really wonder why it can't 
be there.


/Per-Olov

On Monday 27 March 2006 00.55, Stuart Henderson wrote:
 On 2006/03/27 00:32, Per-Olov Sjöholm wrote:
  If there were more option in the web store I could sell more stuff (or
  buy giveaways) to my customers.

 There's always the polo shirt, or since you're in Europe, some of the gear
 on https://kd85.com/notforsale.html perhaps.



Re: NIC:s, interrupts and performance in High load environment

2006-03-27 Thread Per-Olov Sjöholm
On Monday 27 March 2006 05.10, you wrote:
 On 3/26/06, Per-Olov Sjöholm [EMAIL PROTECTED] wrote:
  My questions are:
  Is it normal for the above server to idle for 50-70% when there is 50Mbit
  network load and 25000 states?
  Is there a way to make it idle even more and lower the interrups? How?
  If the average network load increases to let's say 100Mbit, is the
  interrupt and cpu consumption linear?
  We do not want to have any production stops.. So are there any kernel
  knobs we should touch in this environment?
  Can PF make use of SMP? If so... How efficient is it?

 Why is it that network usage is still popularized by artificial
 measures, i.e. mbit/s?

You are right... I mentioned Mbit/s and what type of data instead of pps. But 
see below...

 What kind of pps rates do you see per interface?

This is to/from the internet (the external interface). Not much traffic goes 
between internal interfaces. pfstat2.jpg contains pps...
http://www.flowsystems.se/~sjoholmp/




/Per-Olov



NIC:s, interrupts and performance in High load environment

2006-03-26 Thread Per-Olov Sjöholm
Hi misc


If I got it right, an interrupt requires a context switch which costs
resources. And if we have a firewall with many NIC:s and high load,
interrupt sharing and high quality NIC:s could make the situation better.
 At one customer we have between 40-80 Mbit average traffic to and 15-35
Mbit average from the Internet on a redundant firewall pair with CARP.
This is run on two redundant servers with one 3GHz Xeon processor and 2Gb
RAM each. There are 3 dual port high quality Intel Gig ethernet NICs in
each server. There are 15 carps, and 6 VLAN:s. There are between 16000 to
4 states at all times. The traffic pattern is web, pop, imap, ftp, ssh
and others that are normal for a hosting company. The kernel is untouched
so far. And all run on OpenBSD 3.8 STABLE+backported SACK patch.  pfctl
-s rules|wc -l gives about 1600. One server is master for it all.


I have read Henning Brauer's tuning guide "Running and tuning OpenBSD
network servers in a production environment" which is really great (Thanks
Henning). The only problem with it is that I wanted it to contain even
more and to be updated for later OpenBSD releases ;-)



My questions are:
Is it normal for the above server to idle for 50-70% when there is 50Mbit
network load and 25000 states?
Is there a way to make it idle even more and lower the interrupts? How?
If the average network load increases to let's say 100Mbit, is the
interrupt and cpu consumption linear?
We do not want to have any production stops.. So are there any kernel
knobs we should touch in this environment?
Can PF make use of SMP? If so... How efficient is it?


Many thanks in advance
Per-Olov



Support the project by buying from store or make donations

2006-03-26 Thread Per-Olov Sjöholm
Hi

This mail should maybe have been sent to Theo or Wim. Let's hope Theo won't
verbally kill me as this is *another* suggestion. But it is also fact from
the field...


We have about 15 customers running OpenBSD (growing). Web hosting
companies, ISP:s, the government and some smaller companies. For all
customers we in our offer include a mandatory CD and a PF book. We will
try to make them buy newer releases of the CD:s as well as we recommend
them to upgrade OpenBSD every 12 months. This so they run releases that are
security patched.

However... My customers don't use OpenBSD because it's free. They use it
because I say it's the best for their task. For a huge installation 45
Euro for an OpenBSD CD or much more for another OS is not a big issue.

So... To get to the point:
This is from a business perspective and not private.
If there were more options in the web store I could sell more stuff (or buy
giveaways) to my customers. This as the cost for this stuff is so low
compared to the rest of the project. A CD and a book are always sold (the
customer pays for it). But it won't give OpenBSD that much money. You can't
buy and give away a "Stop Blob" shirt to a CIO. But giving a discrete shirt
with a text on the front only would work (like my favorite front from
3.3). Other simple stuff could be a children's bib with Puffy. Children's
shirts. A mug will also work. Most stuff found in the web shop is for
technicians or nerds like myself. I simply want to see more giveaway stuff
that can be used as giveaways to other groups of people at the customer. I
could buy a lot of giveaways without problems but donations are very hard
to arrange even though I am trying.

But I assume this is not new input...

Thanks
/Per-Olov


