Re: Bringing OpenVZ-style capabilities to OpenBSD
Aaron Mason wrote:
Hi,
It has also been a vision of mine to run OpenBSD-based VPS, though at this point the only way to achieve that is by true virtualization - hence, I would like to propose that we attempt to bring OpenVZ capabilities to the OpenBSD kernel. The biggest problems lie in allowing the kernel to be forked and virtual devices supplied to it, and allowing new instances of the kernel to be forked under the higher security levels. In fact, even allowing the kernel to be forked at all opens a can of worms security-wise (recall the Blue Pill POC?).

I think the way to go here would be OpenBSD jails? It's very similar in performance to OpenVZ on Linux, IMHO. But if you are talking about running an OpenBSD VM to provide some commercial jails, you will need at least hardware-assisted virtualization, and I have read many times that virtualizing an OS doesn't make the host secure; I don't know the whys in depth here.
My 2 cents, HTH.
Thanks, Regards
Re: snort/bas
Rodolfo Timoteo da Silva wrote:
Has anyone installed snort and base and received the same error when trying to connect to the DB on first access?
[Fri Mar 6 13:13:21 2009] [error] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: open(/tmp//sess_ignndir3nk8sv4ntdrr05o6at2, O_RDWR) failed: No such file or directory (2) in /htdocs/base/base_conf.php on line 21

Hi Rodolfo,
OpenBSD's apache is chrooted, so to use PHP with sessions you need to create the /var/www/tmp directory. That's why you got this: open(/tmp//sess_ignndir3nk8sv4ntdrr05o6at2, O_RDWR) failed. Remember that /var/www/tmp will turn into /tmp inside apache's chroot.
HTH. For anything else, contact me off-list in Portuguese :D
THANKS, for now.
Regards,
Vinicius
Re: OpenBSD
Hi,
Couldn't this be related to some BIOS setup option? Like that option for "Plug and Play OS", so the BIOS will map all interrupts and not the OS?

Marco Peereboom wrote:
You need to boot with -c and then at the UKC prompt type:
disable apm
Please send that dmesg.

On Fri, Dec 05, 2008 at 08:27:39AM -0800, rizzo0917 wrote:
I tried the GENERIC.MP, no good, and I upgraded afterwards, still the same problems. Also I looked at the dmesg and it still looks like it's still having the interrupt problems. Current dmesg:
$ dmesg
Re: OpenBSD and XenSource
tico wrote:
Stephan A. Rickauer wrote:
Those of you interested in running OpenBSD as a Xen guest in XenEnterprise might want to use this opportunity to raise their voice: http://forums.citrix.com/thread.jspa?threadID=151525

Stephan, thanks for the notice -- I just posted my $0.02 on that board as well. If you manage to make any progress in your efforts (or anyone else's) to run OpenBSD under Xen with any amount of usefulness, I'd be interested to hear about it. Feel free to contact me off-list.
Cheers!
-Tico

Don't know if it fits your project, but have you tried KVM? I read at least that Ubuntu is moving to it because of some issues with licenses and code in Xen; I don't know in depth what it was. I have some OpenBSDs installed in KVM with no issues, using the e1000 emulated NIC (em0 in OpenBSD) for some network test setups.
HTH,
DS
Re: PF blocking outbound packets that don't have S/SA flags
Joe S wrote:
OS: OpenBSD 4.4 RELEASE i386
PF is blocking traffic that I want it to pass. I notice this when I run nmap 4.76 (compiled from source). It appears that my packets are being dropped because they don't match the pass out quick rule in my pf.conf. I noticed this rule is modified due to the default setting to match on flags S/SA. How do I create a rule to ignore the flags S/SA so that my scans can complete?

You need to use something like flags any so that any TCP flags will be allowed.
HTH,
Vinicius
Re: openbsd fail2ban
One more vote for sshguard; I use it here with success. You just need to create a rule like:
block in on $ext_if proto tcp from <sshguard> to any port ssh
and run sshguard; it will put any host trying random passwords without success into the sshguard table. Don't know if there is any alternative more OpenBSD-focused.

Alexander Polakov wrote:
2008/11/6, Charlie Clark [EMAIL PROTECTED]:
Hi, I have noticed that people constantly try to brute force sshd on my openbsd box. On my server I use fail2ban to prevent this and wondered if there is a similar solution for openbsd.
Have you tried sshguard?
Re: OpenBSD 4.3 running in VirtualBox? Anyone have it working properly?
Jordi Beltran Creix wrote:
I tried to run a recent i386 4.4 beta on a KVM/QEMU virtual machine under Ubuntu and there are some problems with the emulated network. The driver constantly reports timeouts.
re0: watchdog timeout

It's much better to use the e1000 network driver in KVM/QEMU, which translates to the Intel em driver in OpenBSD, which runs much better without watchdog warnings.
Vinicius Vianna
Re: NEED A CLUSTER W/ MORE THAN 2 SERVERS
Jason Dixon wrote:
On Thu, Aug 07, 2008 at 06:19:55AM -0700, Thomaz Portella wrote:
Please, now I am using 2 servers with CARP load balance. But I need to increase this system to more than 2 servers. How can I do it? Thanks in advance,
RTFM, KTHXBYE!
http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=0

Maybe this from ifconfig(8) - http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfig&sektion=8
carpnodes vhid:advskew,vhid:advskew,...
If the driver is a carp(4) (http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4&arch=&apropos=0&manpath=OpenBSD+Current) pseudo-device, create a load balancing group consisting of up to 32 nodes. Each node is specified as a vhid:advskew tuple in a comma separated list.
HTH,
DS
Re: Is this a bug in PFCTL?
Maybe the only value would be to merge a new rule without returning all tables to their defaults, as in the situation where you have changed a table and, if you run pfctl -f /etc/pf.conf, the table will go back to its original values? Never had to use it either, but someone may need it sometime?

Henning Brauer wrote:
Hmm, that is broken. Not that I really see value in -m.
Re: cronjob -l option assume and only use 1 minute load average?
Hi Daniel,
I was thinking about your question and at first I was sure that the man page was right; the only thing is that you didn't think about what the better way to calculate the current load is. If you think about it, when you get a high load on your system the first sign of it will be in the 1 minute average; the other two averages will take some time to increase to show this high load. But later I thought about it: when you say current load, you mean the instantaneous load (in an academic sense), and that's not what cron is looking at here. I know it's the best we can get for current load, but it's really the 1 minute load average, so maybe it would be better to change the man page to something like "If the 1 minute average load is greater".
Sorry for my English too, since I'm not native either; hope you all can understand my point.
Regards,
Vinicius

Daniel Ouellet wrote:
Hi,
I couldn't find which of the three possible values the -l option of cron refers to in the man page, and looked at the code in /src/usr.sbin/cron/atrun.c that uses getloadavg(la, 1) to get that value, the first of 3 if I am not mistaken. I had to look at the man page for getloadavg to know that as well. So, am I correct to think that the load average in cronjob ONLY uses the 1 minute average, always? Is the 1 minute average always assumed by default every time load average is used system-wide? Maybe, if I may suggest, have the man page changed from
-l load_avg  If the current load average is greater
to
-l load_avg  If the current (1 minute) load average is greater
That's fine if it's just me that didn't get it. I just thought that it would be nice not to have to dig to find what I think is the right answer, assuming I found it correctly. I can send a diff if that's not a stupid thing to do, but I really had to dig this one up to know. Google and the man page didn't provide the answer to me right away anyway, but the code did. (;
I was hoping to have the possibility to use the 15 minute average here in cronjob. Not the end of the world and I can live without it. But I didn't get the answer from the man page in terms of what the load average was. I guess most likely it's always assumed to be the case system-wide? Could also be my English; if I were native, maybe the current load average always refers to the smallest of the three possible values, which are all current moving load averages anyway. Just a thought.
Thanks
Daniel
Re: CARP not leaving backup state
Hi William,
I don't know for sure, but I remember dealing with this kind of problem and setting preempt did work; maybe worth a try:
/etc/sysctl.conf:
net.inet.carp.preempt=1
Anyone else?
HTH,
Vinicius

William Stuart wrote:
(Sorry if this is a dupe, not sure if you had to be a subscriber to send to the list)
Hello all,
I am new to OpenBSD but not *nix in general... I have two systems running OpenBSD 4.2. It has 9 carp interfaces, and has been running fine for months. All of a sudden, both systems are in BACKUP state. I halted one of the systems, then on the remaining system rebooted, shut down and restarted, ran ifconfig carp1 state master, changed the sysctls, removed the hostname files, rebooted, then replaced the hostname files, fiddled with the advskew and lots of other things. Even with no other system running, carp will not go into MASTER state, period, no errors, no logs. I tried setting net.inet.carp.log=1 and 2 and 1000; I see no logs anywhere in /var/log. Anything else I can look at?
William
Re: bundling the speed of two ADSL lines with OpenBSD
Hi,
It's possible using multipath; take a look at http://www.openbsd.org/faq/faq6.html#Multipath please. But I needed to use some pf route-to rules to re-route the packets between the multiple gateways. It takes some work to make it right, but I know it works if done correctly. Remember that you will be splitting the outgoing connections between the two gateways (ADSL lines in your case), so a single connection will have the bandwidth of only one of the ADSL lines; in this case the speed advantage will be on multiple connections (like multiple users behind a NAT, or download managers that split a download into multiple simultaneous parts).
HTH,
Vinicius

Sebastian Reitenbach wrote:
Hi,
I'd like to know whether it is possible to bundle two ADSL interfaces, just like trunking ethernet cards. I know it is not that hard to use two or more lines for outgoing traffic, and just route source or destination based via pf. I'd need the doubled speed for incoming traffic. The ADSL lines would be from the same ISP, and the IP addresses will be static. The two DSL modems would be connected to one host via ethernet cables, so the OpenBSD host does not need to care about PPPOE. I don't know whether carp arpbalance would work here on such interfaces? While researching, I found this interesting article about wanpipe and using Sangoma cards. But the changelog of the wanpipe driver ends in 2006, and in the documentation they only talk about some older and slower cards. Is there sth. more modern like this available, but for 2x16MBit ADSL?
Kind regards
Sebastian
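A sketch of the route-to setup the reply above describes, added here as an example and not taken from the thread or from the FAQ; the interface names, LAN network and gateway addresses are placeholders, and the syntax is that of pf on OpenBSD 4.x, the era of the thread:

```pf
# Added example, not from the thread. Two ADSL modems hang off em1 and em2,
# the LAN sits on em0. All names and addresses below are placeholders.
ext_if1 = "em1"
ext_if2 = "em2"
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
int_if  = "em0"
lan_net = "10.0.0.0/24"

# Each outgoing connection is NATed to the address of the line it leaves on,
# so replies come back over the same ADSL line.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Traffic for the firewall itself must not be re-routed to a gateway.
pass in quick on $int_if from $lan_net to $int_if

# Spread new LAN connections across both gateways. A single connection is
# pinned to one line, so only the aggregate of many connections doubles.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin from $lan_net to any keep state

# The kernel's default route points at only one gateway; packets sourced
# from the other line's address must still leave through that line.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```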
Re: web development on OpenBSD
bofh wrote:
On language - remember, PHP's design goal (as late as v3) was for complete non-programmers to be able to pick it up and write programs immediately. You can imagine how that can cause issues for security. Most libraries or add-ons you install for PHP require you to run in insecure mode. PHP is the open-source answer to Visual Basic, in the "yes, we can create absolutely insecure crap too" sense. If you want to do something similar to what OpenBSD is doing, use C.

In my opinion it's not impossible/hard to write secure code in PHP; don't compare it to Visual Basic please :) And doing web development in C is a little insane, except when you need some resources/speed other languages don't provide. Maybe the best languages to start web development with would be PHP and Perl; I don't know about Ruby since I've never used it, but a lot of people talk nicely about it ;)
HTH,
Vinicius
Re: pf rewriting outgoing traffic
You can rewrite that way using NAT rules, like the ones you're using on iptables; I remember having to rewrite some packets this way for tunneling on a VPN.

Mark Felder wrote:
Iptables allows me to rewrite the address of outgoing traffic. PF does not allow this functionality. Is this a missing/broken feature, or is there a reason why this is not allowed?
Example: I absolutely need traffic sent to 10.10.10.10 to be rewritten to 192.168.1.1. There is no way around it, it just needs to be done to solve my problem. I had a long discussion with some people in #pf, and after they got the whole story, it made sense to them, but they agreed it was a pretty dirty solution... but it works with iptables.
iptables -A OUTPUT -t nat -d 10.10.10.10 -j DNAT --to 192.168.1.1
I can now ping 10.10.10.10 and like magic it sends the traffic to 192.168.1.1 without my machine knowing.
rdr inet proto tcp from self to 10.10.10.10 -> 192.168.1.1
Doesn't work. Tried binat too. Tried many variations. PF just doesn't allow this. Could someone elaborate on why this is not implemented or why PF doesn't allow this behavior?
Thanks,
Mark
Re: STP / redundant network paths
If you want to route packets from the internet to the switches, you need some IP on the OpenBSD interfaces to the switches. I remember being able to set IP addresses on bridged interfaces with ifconfig; I don't know if this is a good approach but it was usable at the time. Maybe your best approach is to set up a trunk between the switches; if you want redundancy, maybe there's a need for two OpenBSD firewalls, one on each switch? Or are you using different subnets on the switches, and the OpenBSD tries to decide who is up to forward the packets (like some rdr rules on pf?). Well.. maybe this helps you in any way; if not, please send more details to the list, or maybe someone else can help on this also.
Regards

Arjen Van Drie wrote:
Hi list,
(sorry for the possible resend, I used the wrong from address)
I am trying to get STP to work with (to start with) one openbsd firewall / gateway and two switches to the same subnet for failover. Let me draw:

            ------------
            | Internet |
            ------------
                 |
           --------------
           | OpenBSD GW |
           --------------
             /        \
  -------------    ----------------
  | SW 1      |    | SW 2         |
  |(stp root) |    |(stp fallback)|
  -------------    ----------------
             \        /
             ----------
             | subnet |
             ----------

The openbsd box should act as an IP gateway for the subnet. I bridged two NICs, one goes into sw1, the other into sw2. I also want to give this bridge an IP address, but that is not possible. So I
- tried to set a vlan on the bridge (vlandev bridge0), but this is not possible (SIOCSETVLAN: Protocol not supported). The switches see each other and root sw is elected.
- tried to set a failover trunk on the bridge member interfaces and set the vlan on that. Packets are being forwarded then, but STP does not work (switches don't see each other).
How should I go about this?
Thanks,
Arjen.
Re: STP / redundant network paths
Arjen Van Drie wrote:
Vinicius Vianna wrote:
If you want to route packets from the internet to the switches, you need some IP on the OpenBSD interfaces to the switches. I remember being able to set IP addresses on bridged interfaces with ifconfig; I don't know if this is a good approach but it was usable at the time.

I also did that, set IP addresses on the physical interfaces. I gave them both the same IP address (since the subnet behind it needs that as default gateway), but when I pulled out the cable to the master switch the inet routing table kept pointing towards the NIC that just went down, and I haven't figured out a way to set the same route on two different interfaces.

If you need to change routing on the event of a NIC going down you need to use ifstated(8); check the man page for it on your system or the website.

Maybe your best approach is to set up a trunk between the switches; if you want redundancy, maybe there's a need for two OpenBSD firewalls, one on each switch?

I also tried a trunk on both nics. STP went away and the switches did not see each other (as said below). Adding a second firewall is in the planning, but I first want to get it to work with one firewall.

The trunk would be between the switches, not involving the OpenBSD fw at all, so all your switches will appear as one, but I don't know the details of your network setup to know if it's the right thing to do; you have to do some research on it.

Or are you using different subnets on the switches, and the OpenBSD tries to decide who is up to forward the packets (like some rdr rules on pf?).

I would like to set it up as transparent as possible; redirecting packages in case of path failover is the last thing I want to do. In Linux (and a friend of mine was nearly certain to have also done it with freebsd) I can set an IP on an ethernet bridge. I chose openbsd for carp and pfsync which I use on the external interface (no STP here) for failover with the to-be-added second firewall.

I did it on OpenBSD: had the internet coming in on em0, the switch on em1, a bridge with em0 and em1 with no IP set up on it, and put a subnet address on em1, so the synproxy rules could route and work on a transparent bridge firewall, and it did work very well :) But I think you need some network knowledge; do some research on your routing table on the firewall, some route get commands to check how the server would route some packets. I don't know how carp could help in this setup since it was designed to work on different servers, not on the same server with different NICs (am I right here?), but mixing bridges with IP addresses, gateways and pf can be difficult sometimes.

Thanks,
Arjen.

You're welcome :)
Vinicius
Re: Do I need to switch to MP system?
Maybe it would be easier to just upgrade your NICs to some Intel em ones; they have low interrupt usage. I don't know about bge under high usage.

Stuart Henderson wrote:
On 2008-04-01, B A [EMAIL PROTECTED] wrote:
We have OpenBSD acting as router+IPsec vpn concentrator. Our company is expanding, so I noticed that interrupt in top sometimes jumps to 30-40%, and is always about ~25% on average. Server is a DL360 server with bge0 and bge1. So I want to upgrade to a newer multicore system. Can it help? Is it possible to assign one NIC to one core, and the other to another?

It isn't possible. Look for the fastest CPUs, not the highest number of cores, and run a uniprocessor kernel. I'm not sure if they're valid, but I've read suggestions that amd64 CPUs may be better for this type of workload due to the larger L1 (not L2) cache. If you feel like testing, compare i386 and amd64 kernels and post the results; there are people who would be interested to know... If you currently run a pre-4.2 OS, upgrade it; you should see improved performance just by doing this.
Re: File System Corrupted Due to didn't Umount cause by power failure
Hi,
I didn't get this right.. Have you got to the shell prompt after the crash? If so, did you try to run fsck /dev/rwd0a? Try it; it may show some problems, or in the boot after the crash the system will show you which partition has been compromised. Just run fsck /dev/rwd0X for all partitions; if there are many errors and you want to take some risks, try fsck -y /dev/rwd0a or any other dev. This will answer yes to all fsck questions, but be careful.
Send more information so we can help you,
Regards,
Vinicius

Peter_APIIT wrote:
Hello all expert openbsd users, I have encountered this incident before, where previously I could solve it easily but not this time. My openbsd is running 24 X 7 but my mother turned off the power and I didn't know about that a few times. After that, the file system was not properly unmounted. OpenBSD asked me to check fschk_ffs manually but I cannot read man pages anymore, although before I could. It just stops scrolling at 13%.
Enter shell path name or return to sh : I press enter
Terminal type ? I enter tty220
Returns me unknown terminal type; I tried it with tty00 and others. No use. Then I ctrl + c to force it to the terminal. After that, I tried ffschk_ffs and ffschk but still cannot solve it. OpenBSD drops me to single user and kernel security level is . I think it is just for read and not for write.
I need your help. Your help is greatly appreciated by me and others. A billion thanks for your help.
Re: Large file freezes with 4.2, Samba, and XP64
Chris Zakelj wrote:
I posted this to the samba list about a week ago and received no responses, so I'm hoping someone here can tell me what I'm missing. If I'm forgetting to add some piece of important info, prod as necessary. I've been struggling with this for a while, and though it worked for about five minutes Sunday night, it's been a no-go ever since I built my server last summer.
What I've got:
Samba (samba): OpenBSD 4.2-STABLE, samba-3.0.25b (from packages)
Laptop (osiris): WinXP SP2
Desktop (isis): WinXP x64 SP2
I can copy/move anything and everything between samba and laptop. I can copy/move anything between laptop and desktop. I can *usually* copy small (less than 100M or so) between samba and desktop, and large files FROM samba TO desktop as well. However, when I try to copy large files FROM desktop TO samba, desktop freezes. There are no log messages being generated on the oBSD side (simultaneous tails on /var/log/daemon, messages, smbd.isis, smbd.smbd, and smbd.nmbd all remain silent). The Windows event viewer likewise does not contain any obvious errors upon reboot. Also of note, if I use laptop to move directly between desktop and samba, it always works (though more slowly, since its link is only 100Mbit instead of 1Gbit, and is essentially performing every operation twice).

/etc/samba/smb.conf
[global]
workgroup = ASGARD
server string = Samba
security = share
hosts allow = 192.168.1. 127.
load printers = no
log file = /var/log/smbd.%m
max log size = 50
dns proxy = no
# Share Definitions ==
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[storage]
path = /samba
public = yes
only guest = yes
writable = yes
printable = no
case sensitive = no
oplocks = no
create mode = 0777
use client driver = yes

/var/run/dmesg.boot
# dmesg
Re: ksh set -o pipefail
Hi,
I don't see pipefail in the ksh man page; maybe you should ask some developer to add it to the OpenBSD source, or compile/install another shell to use this, maybe even ksh.
Anyone else?

Piotrek Kapczuk wrote:
$ set -o pipefail
/bin/ksh: set: pipefail: bad option
$ echo $KSH_VERSION
@(#)PD KSH v5.2.14 99/07/13.2
Is there another way to get what I want? Are there any plans to implement this option?
best way to block flood attacks on pf
Hi misc,
I've got a firewall with openbsd 4.1 and pf and it's receiving a lot of syn flood attacks and even udp floods. Since this is common, I think someone could have developed something for this, so why reinvent the wheel? The scenario is this:
block in log
block in quick inet from <badip> to any
... pass rules ...
So when I get these attacks, my pflog shows a lot of packets blocked by the block in log rule, or sometimes by the scrub in; these packets are even from ports I'm not listening on. What I want is some way to set something like the max-src-conn-rate in the pass rule, something that will put the hosts that send more than 50pkts/s into the badip table. I don't know if this can be done in pf.conf or with some script working on pflog? I don't want pf having to run through all the rules for these attackers, so if the packet is coming from badip it will drop it quickly and go to the next packet. Has anyone worked on something like this?
Thanks,
Vinicius
Re: best way to block flood attacks on pf
The problem is that these attacks aren't on any pass rule; they are on ports that my firewall doesn't permit, so the packet will go to the block rule, and I can't use these overload rules with block, can I?

Lars Noodén wrote:
Vinicius Vianna wrote:
I got a firewall with openbsd 4.1 and pf and it's receiving a lot of syn floods attacks and even udp floods,...

pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, overload \
    <ssh-bruteforce> flush global) \
    label BLOCKBRUTES
Regards,
-Lars
Re: best way to block flood attacks on pf
Since I have a lot of rules, if I get the attackers into a table and use a block quick on it, pf won't have to run through all the rules for them. Now, for every packet the attacker sends, pf has to run it through all the rules. The main difference is being able to use a quick rule; I don't know for sure how many resources pf uses to fit a packet to all the rules, but maybe a 10k pkts/s attack will drain some resources if pf needs to see all those rules; if I can get this attack into a table within the first 1k packets, a quick rule will apply to it, lowering the load on the firewall (maybe?).

Stefan Schulze Frielinghaus wrote:
But what benefit do you expect to get when you block it via a max-src-conn-rate/overload rule or directly via a (default) block rule? In either way you will block the packet.

On Fri, 2008-02-29 at 16:49 -0300, Vinicius Vianna wrote:
The problem is that these attacks aren't on any pass rule; they are on ports that my firewall doesn't permit, so the packet will go to the block rule, and I can't use these overload rules with block, can I?
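One way to do what the original question in this thread asks for, added here as an illustration and not code posted in the thread: a small sh/awk script that reads pflog output in the format of tcpdump -n -e -ttt -r /var/log/pflog, counts blocked packets per source address per second, and emits the pfctl commands that would add sources over a threshold to the badip table. The table name and the 50 pkts/s rate come from the thread; the log lines are constructed sample data, and the script only matches IPv4 sources.

```shell
#!/bin/sh
# Added example, not from the thread: feed pflog blocks into a pf table.
# Input is the output of 'tcpdump -n -e -ttt -r /var/log/pflog' on stdin.
# Only IPv4 addresses are handled; the sample data below is constructed.

# flood_sources THRESHOLD -- print each source that sent at least THRESHOLD
# blocked packets within a single one-second bucket, one address per line.
flood_sources() {
    awk -v thr="$1" '
        # Only blocked packets count; passed traffic has its own rules.
        / block / {
            src = ""
            for (i = 2; i <= NF; i++)
                if ($i == ">") { src = $(i - 1); break }
            if (src == "") next
            sub(/\.[0-9]+$/, "", src)       # drop the trailing .port
            sec = substr($3, 1, 8)          # HH:MM:SS of the timestamp
            count[sec SUBSEP src]++
        }
        END {
            for (k in count) {
                if (count[k] < thr) continue
                split(k, parts, SUBSEP)
                hit[parts[2]] = 1
            }
            for (s in hit) print s
        }' | sort
}

# ban_commands THRESHOLD -- emit the pfctl command that adds each offender
# to the <badip> table. Commands are printed rather than executed so the
# script runs anywhere; on the firewall, pipe the output into sh.
ban_commands() {
    flood_sources "$1" | while read -r ip; do
        printf 'pfctl -t badip -T add %s\n' "$ip"
    done
}

# make_sample -- constructed pflog lines: 60 SYNs in one second from one host
# to closed ports, one stray blocked UDP packet, one passed SSH connection.
make_sample() {
    i=0
    while [ "$i" -lt 60 ]; do
        printf 'Mar 06 13:13:21.%06d rule 0/(match) block in on em2: 203.0.113.10.%d > 198.51.100.2.%d: S 1:1(0) win 512\n' \
            "$i" "$((40000 + i))" "$((1000 + i))"
        i=$((i + 1))
    done
    printf 'Mar 06 13:13:21.900000 rule 0/(match) block in on em2: 198.51.100.77.53 > 198.51.100.2.5353: udp 40\n'
    printf 'Mar 06 13:13:22.100000 rule 3/(match) pass in on em2: 192.0.2.9.51000 > 198.51.100.2.22: S 7:7(0) win 16384\n'
}

# Stand-alone run with the 50 packets/second rate mentioned in the thread.
make_sample | ban_commands 50
```

In production the input would come from tcpdump reading the live pflog interface, with the threshold tuned to what the legitimate peaks on the firewall look like.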
Re: good video adapter for OpenBSD and X
Stuart Henderson wrote: On 2008/02/13 23:32, Owain Ainsworth wrote: (I'm someone who actually works on this) RadeonHD hasn't even started 3D acceleration yet. Intel is a good bet if you don't want anything that powerful. Older Radeons are alright (check for support for specific cards on the web first). Radeonhd is OK for the future, but don't expect anything DRI-wise for a while. Do you happen to know of any Intel display adapters in card form, or reverse-engineering efforts for mga_hal?

I was going to say that; I only knew of Intel display adapters as chips on i386/amd64 motherboards. By the way, I didn't ask very nicely; what I should have asked is which vendors have better support on OpenBSD. I think the best bet is ATI for now. Thanks to all who replied to my mail.
packet loss and intel dual nic
Hi all, I'm getting some packet loss on our firewall here (4.1 GENERIC). After changing the old NIC (msk0) we are still getting some packet loss, but very little. Can there be any improvement from changing the external NIC from em2 to em0 in our case? Can this packet loss really be coming from cable problems, or is it something with interrupts? Will changing from bsd.mp to bsd improve it? Systat shows me 14k interrupts in total, but the CPU is 99% idle. Thanks in advance for all help; below is some info about the fw, if you need anything more just tell me.

netstat -nid:

    Name  Mtu   Network  Address            Ipkts        Ierrs  Opkts      Oerrs  Colls  Drop
    em1   1500  <Link>   00:04:23:df:7c:e1  199851517    1294   191814637  0      0      0
    em2   1500  <Link>   00:04:23:b2:ea:b8  19179893898         199071744  0      0      0

em1 is the internal NIC, em2 the external; this info is from about 10h of uptime.

dmesg:

    OpenBSD 4.1 (GENERIC.MP) #1225: Sat Mar 10 19:23:18 MST 2007
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
    cpu0: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.20 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
    real mem = 1073180672 (1048028K)
    avail mem = 971771904 (948996K)
    using 4278 buffers containing 53784576 bytes (52524K) of memory
    mainbus0 (root)
    bios0 at mainbus0: AT/286+ BIOS, date 06/28/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xfcf10 (69 entries)
    bios0: Intel SE7520BD2S
    pcibios0 at bios0: rev 2.1 @ 0xf/0x1
    pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf55c0/352 (20 entries)
    pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
    pcibios0: PCI bus #7 is the last bus
    bios0: ROM list: 0xc/0xa800 0xca800/0x4000 0xce800/0x1000 0xcf800/0x1000
    acpi at mainbus0 not configured
    ipmi at mainbus0 not configured
    mainbus0: Intel MP Specification (Version 1.4)
    cpu0 at mainbus0: apid 0 (boot processor)
    cpu0: apic clock running at 199 MHz
    cpu1 at mainbus0: apid 6 (application processor)
    cpu1: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.20 GHz
    cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
    mainbus0: bus 0 is type PCI
    mainbus0: bus 1 is type PCI
    mainbus0: bus 2 is type PCI
    mainbus0: bus 3 is type PCI
    mainbus0: bus 4 is type PCI
    mainbus0: bus 5 is type PCI
    mainbus0: bus 6 is type PCI
    mainbus0: bus 7 is type PCI
    mainbus0: bus 8 is type ISA
    ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
    ioapic1 at mainbus0: apid 9 pa 0xfec8, version 20, 24 pins
    ioapic2 at mainbus0: apid 10 pa 0xfec80400, version 20, 24 pins
    pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
    pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c
    Intel E7520 MCH ERR rev 0x0c at pci0 dev 0 function 1 not configured
    Intel E7520 MCH DMA rev 0x0c at pci0 dev 1 function 0 not configured
    ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c
    pci1 at ppb0 bus 1
    ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
    pci2 at ppb1 bus 2
    em0 at pci2 dev 3 function 0 Intel PRO/1000MT (82546EB) rev 0x01: apic 9 int 0 (irq 10), address 00:04:23:df:7c:e0
    em1 at pci2 dev 3 function 1 Intel PRO/1000MT (82546EB) rev 0x01: apic 9 int 3 (irq 7), address 00:04:23:df:7c:e1
    mpi0 at pci2 dev 5 function 0 Symbios Logic 53c1030 rev 0x08: apic 9 int 2 (irq 15)
    scsibus0 at mpi0: 16 targets
    sd0 at scsibus0 targ 0 lun 0: <SEAGATE, ST336607LC, 0007> SCSI3 0/direct fixed
    sd0: 35003MB, 49855 cyl, 2 head, 718 sec, 512 bytes/sec, 71687372 sec total
    mpi0: target 0 Sync at 160MHz width 16bit offset 63 QAS 1 DT 1 IU 1
    Intel IOxAPIC rev 0x09 at pci1 dev 0 function 1 not configured
    ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
    pci3 at ppb2 bus 3
    Intel IOxAPIC rev 0x09 at pci1 dev 0 function 3 not configured
    ppb3 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0c
    pci4 at ppb3 bus 4
    ppb4 at pci0 dev 5 function 0 Intel MCH PCIE rev 0x0c
    pci5 at ppb4 bus 5
    mskc0 at pci5 dev 0 function 0 Marvell Yukon 88E8050 rev 0x17, Yukon-2 EC rev. A2 (0x1): apic 8 int 16 (irq 10)
    msk0 at mskc0 port A, address 00:04:23:b2:ea:b9
    eephy0 at msk0 phy 0: Marvell 88E Gigabit PHY, rev. 2
    ppb5 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0c
    pci6 at ppb5 bus 6
    uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: apic 8 int 16 (irq 10)
    usb0 at uhci0: USB revision 1.0
    uhub0 at usb0
    uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
    uhub0: 2 ports with 2 removable, self powered
    uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: apic 8 int 19 (irq 7)
    usb1 at uhci1: USB revision 1.0
    uhub1 at usb1
    uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
    uhub1: 2 ports with 2 removable, self powered
    uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: apic 8 int 18 (irq 15)
    usb2 at uhci2: USB revision 1.0
    uhub2 at usb2
    uhub2: Intel UHCI root hub, rev
NIC not working on 4.1
Hi folks, I got a strange problem with the sk device: on two machines I own, the NICs only work on 4.0; on 4.1 or a snapshot, ifconfig will display "no carrier" in the status. The dmesg for this device is:

    skc0 at pci5 dev 2 function 0 3Com 3c940 rev 0x10, Marvell Yukon (0x1): apic 2 int 17 (irq 9)
    sk0 at skc0 port A, address 00:0a:5e:24:1e:e4
    eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3

I have the same problem on this hardware too:

    skc0 at pci0 dev 10 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Marvell Yukon Lite (0x9): irq 10
    sk0 at skc0 port A, address 00:13:d4:0d:26:09
    eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5

Am I missing something? Thanks in advance, Vinicius
Mounting UFS2 (FreeBSD) partition?
Hi, I'm using the 3.8 GENERIC kernel and having problems mounting a FreeBSD UFS2 hard disk. Is there a way to mount it in OpenBSD, or is the only way to back up the data, reformat in FFS and restore? Thanks in advance, DS