PF firewall for desktop

2019-05-24 Thread Jean-Francois Simon

Hi,

Out of interest, I'd like to let you know about a specific use of OpenBSD with 
PF: in VirtualBox, with two virtual network cards bridged to the physical NIC, 
building up a subnet with NAT and hence running Packet Filter as the 
machine's firewall.



That's the firewall I use under Win7, OpenBSD running in a VM, out of 
pure interest in running BSD and letting it purify the network access to 
the desktop (without the need for additional hardware).



Works well, love it.


Jean-François



ETE - ETA

2017-01-22 Thread jean-francois

Hi,

I always wondered what was ETA for during the installation process.

As of today, I noticed this should read ETE, as in Estimated Time En Route.

ETA stands for Estimated Time of Arrival and is therefore more or less 
constant.


Regards



OpenBSD as primary OS

2016-09-11 Thread jean-francois

Hi,


I'm moving to OpenBSD for primary use, I'll have to keep a Windows OS 
for some specific purposes also.


Just thanks for the development of OpenBSD, it's very easy to use since 
it is logical and well documented; I've been enjoying it for the past years 
for what it deserved to do.


Also looked at the softraid development, just a few words to thank the 
development of the OS and software.



Jeff



Which hardware to keep the level of trust ?

2015-09-27 Thread Jean-Francois Simon

Dear all,

After having read information about breaking into the BIOS and other types of 
attacks, has anyone information on which hardware best suits OpenBSD to avoid 
unpleasantries?


I was thinking of a Microchip PIC32, but it is surely difficult to implement an 
OS running on it that is able to handle normal desktop activities.
On the other hand I have absolutely no trust in public brands of 
motherboards since they allow BIOS updates.


If one had to find the hardware most difficult to compromise, which one 
would you take?


J-F



Re: httpd slowcgi notes

2014-11-10 Thread Jean-Francois Simon

Hi All,

With httpd as of 5.6 I do not understand how to make a CGI script work, e.g. 
just bgplg, installed by default at the address /cgi-bin/bgplg


==httpd.conf==

prefork 2

server local {
        listen on egress port 80
}

server local-fastcgi {
        listen on egress port 80
        fastcgi
}

==EOF==

/etc/rc.d/httpd start
/etc/rc.d/slowcgi -f start

This results in "Not Found" for /cgi-bin/bgplg,
whereas the httpd server normally serves the other html files of the htdocs 
directory, except /bgplg.


Could you help me with what I am missing here?

Regards

J.F.
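
A working configuration for the bgplg case above, added here as an example; it is not taken from the original post or from the OpenBSD sources. It follows the pattern of the example in httpd.conf(5) of that release: the CGI path is handed to slowcgi from a location block instead of a whole second server, and root "/" makes the request path /cgi-bin/bgplg resolve to /var/www/cgi-bin/bgplg inside the chroot. The stock 5.6 layout is assumed (httpd chrooted in /var/www, documents under /var/www/htdocs, bgplg installed in /var/www/cgi-bin, slowcgi listening on /var/www/run/slowcgi.sock); the server name and prefork count are kept from the post. The second server on the same address and port is dropped: httpd picks a server by the Host header and falls back to the first one on that listener, so the plain "local" server was the one answering, and it looked for a static file under htdocs.

```conf
# /etc/httpd.conf -- added example, not the configuration from the post.
# Assumes the stock 5.6 layout: httpd chrooted in /var/www, documents in
# /var/www/htdocs, bgplg in /var/www/cgi-bin, slowcgi on
# /var/www/run/slowcgi.sock.

prefork 2

server "local" {
	listen on egress port 80

	# Hand anything under /cgi-bin/ to slowcgi over its default socket.
	# The root is reset to "/" so that the request path /cgi-bin/bgplg
	# is looked up as /cgi-bin/bgplg relative to the chroot, i.e.
	# /var/www/cgi-bin/bgplg, which is where slowcgi executes it.
	location "/cgi-bin/*" {
		fastcgi
		root "/"
	}
}
```

After writing the file, httpd -n checks the syntax, /etc/rc.d/slowcgi -f start and /etc/rc.d/httpd -f start start both daemons, and httpd_flags="" plus slowcgi_flags="" in /etc/rc.conf.local make them start at boot. bgplg itself needs the programs it calls copied into the chroot; bgplg(8) describes that extra setup.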



Re: OpenBSD email provider

2014-03-17 Thread Jean-Francois Simon

Hello

Some answers in your mail. Thanks.

Just to mention, I'm looking for a more private ESP. As I know that 
OpenBSD conveys an idea of security, I tend to trust a provider relying 
on this OS.


Regards

On 17/03/2014 02:51, Jean-Philippe Ouellet wrote:

On 3/15/14 12:54 PM, Jean-Francois Simon jfsimon1...@gmail.com wrote:

I'm looking for a secure mail provider, if possible using OpenBSD,
also wondering if OpenBSD itself provides it for interested people.
If anybody has information, thanks, it would be interesting to share.

https://github.com/mailserv/mailserv comes to mind, although I've
never tried it or read its source.

I think a better question might be what qualities you're actually
looking for in your mail provider as your question seems to
indicate a misguided approach towards some notion of secure email.
I'm also using my own server today, essentially; I haven't checked deeply, 
but it seems gmail does use automated bots which check the mail content for 
purposes I don't know about.

As far as I'm concerned, the only difference between 3rd party email
services is reliability. I wouldn't trust any of them anyway.

I see you have a pgp key on the keyservers, but it seems somewhat
neglected since all your sigs have expired and dsa/elgamal (especially
with 1024 bit keys) hasn't been recommended for quite some time. I
think revisiting that would be a more productive use of your time
than abandoning your gmail account.

Indeed, I'm not using the keys anymore. They're not updated.

Although, don't read the above as pgp solves your problems, you
haven't explained your problems, and pgp has its issues too, some of
which are unavoidable because of problems inherent to email to begin
with.

If what you're after is something more along the lines of private
communication, I'd say email probably isn't what you're looking
for to begin with. Maybe something more like OTR [1], or pond once
it gets reviewed more.

Not so much private as hidden but as private.

[1] https://otr.cypherpunks.ca/
[2] https://github.com/agl/pond

If you want absolute privacy, don't use computers.
If you want to get things done, keep your gmail.
If you want to read documentation, become your own mail provider
using OpenBSD.
No, I don't need absolute privacy about this topic, I mean one that needs 
encryption etc ...
Yes, I want things done, I keep the gmail account, yet I'm interested in 
a more private solution where I can be absolutely sure that privacy is 
totally respected.
I have tried the third solution some time ago, however I think since I have 
a local dynamic IP, I soon got identified as a spam mail server and mails 
wouldn't reach their destination.




OpenBSD email provider

2014-03-15 Thread Jean-Francois Simon

Hello all,

I'm looking for a secure mail provider, if possible using OpenBSD, also 
wondering if OpenBSD itself provides it for interested people.

If anybody has information, thanks, it would be interesting to share.

Regards

Jeff



Re: Why I abandoned OpenBSD, and why you should too...

2013-07-04 Thread Jean-Francois Simon

May I understand that you go for Microsoft instead?
That would be a great idea, they are said to be free from backdoors.

Sorry

On 05/07/2013 05:56, Thomas Jennings wrote:

Dear OpenBSD developers and users:

Regretfully, I have decided to abandon OpenBSD and thought I would
share my reasoning with this list. I thought the 4th of July was a
good date to do so since my reasons address national security
implications. As a group of people who take development, security, and
privacy seriously, I know you will want to know why I made the drastic
decision to abandon OpenBSD and never look back.

I'm sure we've all heard of PRISM by now, the user-friendly name of
the United States Federal Government's massive civilian and resident
spying program otherwise known as US-984XN. PRISM is certainly bad
enough of its own accord, but it's how PRISM works, and the pattern of
behavior found in OpenBSD development, that was the tipping point for
my use of OpenBSD.

And we all know Theo de Raadt, OpenBSD generalissimo of much infamy.
After being fired from the NetBSD team, Theo forked the code and
started OpenBSD. He's been pretty much solely responsible for
development of OpenBSD over the years, taking volunteer code as he
sees fit. He also has final say over security audits in the operating
system, something that turns out to be very important.

I was prepping to migrate the whole of our shop, a regional ISP in the
United States of America, to OpenBSD 5.3 when the news broke: CBS News
reporter Sharyl Attkisson claimed, during a live radio interview, that
she had been dealing with suspicious computer and phone issues. Check
out this snippet from the full transcript of the interview. One line
in particular trashed my plans for the OpenBSD upgrade:


Well, I have been, as I said, pursuing an issue for a long time now — much 
longer
than you’ve been hearing about this in the news — with some compromising of my
computer systems in my house — my personal computer systems as well as my
work computer systems. I thought they were immune to being compromised —
because they all ran OpenBSD — but I guess I was wrong. So, we’re digging into
that and just not ready to say much more right now, but I am concerned.

Since that interview in May, I've watched story after story of direct
server access, PRISM, and NSA spying and connected some dots. For
example, consider the accusations that the FBI had been accused of
planting backdoors in OpenBSD's IPSEC in December of 2012, and that
the accusations later proved true. The two scandals broke only 18
months apart.

Consider that PRISM allows the United States Federal Government to
directly access the servers of virtually any company doing online
business, including tech giants like Apple, Facebook, Google, and
Microsoft. But those same tech giants deny complicity. I'm sure we all
agree that personal privacy is beyond the scope of private enterprise,
but let's assume their denials are true. Then connect more dots:

OpenBSD has shipped on over half of all network devices, including
things like routers, switches, gateways, and servers, for the last six
years. The current estimated number of OpenBSD installations sits at
over 350 million devices, comprising an almost ubiquitous presence of
OpenBSD in networks worldwide.

EVEN IF NO CORPORATION OFFERS THE UNITED STATE FEDERAL GOVERNMENT
DIRECT ACCESS TO ITS SERVERS THROUGH PRISM, OPENBSD OFFERS THAT SAME
ACCESS THROUGH THE PRESENCE OF ITS BACKDOORS.

There it is. Let it sink in. Words like Gestapo and Stasi and KGB come
to mind. OpenBSD is part and parcel to the United States Federal
Government's program to spy on its own citizens through bodies like
the NSA and FBI and has been since the FBI paid for backdoors in IPSEC
about a dozen years ago.

Yesterday, I told the company that we must migrate all our services
from OpenBSD to something else because the risk to our customers'
privacy and security is simply unacceptable. Theo de Raadt may seem
like some kind of guard dog of security, but he's really just a little
bitch bought and sold by the United State Federal Government.

The kicker is that Theo denies anything suggesting that OpenBSD is
less than perfect at security, as if he's personally offended by the
mere suggestion. He routinely attacks developers and enthusiasts for
simply asking questions. WHY SO TOUCHY, THEO? COULD IT BE BECAUSE
YOU'RE COMPLICIT IN THE BIGGEST CITIZEN SPYING PROGRAM EVER RUN IN THE
HISTORY OF THE WORLD?!

Today, be a true patriot to the ideals of personal privacy and public
liberty: prevent and reject any and all use of OpenBSD.

Happy 4th of July.




Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-02 Thread Jean-Francois Simon

On 20/05/2013 13:46, Nick Holland wrote:

On 05/20/13 00:52, Hugo Osvaldo Barrera wrote:

Hi,

I'm building myself an openbsd-based fileserver, which will initially
have three disks with softraid in RAID5 mode.

I've three questions regarding softraid:

1) I intend on using a single-core 1.8Ghz Atom processor I have lying
around. Would that limit my performance too much? I'll be using this
fileserver mostly for media (movies/series/music) and some ocassional
backups. Can anyone share what CPU they've used and their experience? (I'm
clarifying my intended usage for the fileserver since I think it's quite
relevant to say if the CPU is or isn't enough).

Wrong question, I think.  More than processor is memory (caching) and
disk interface (ahci rocks), network interface, etc.


2) How do I add additional volumes to an already created softraid
volume? I intend on adding additional disks as necessary. Is it possible?

Not in the way you are likely thinking.
Besides, your Atom board probably has a rather finite amount of
expandability.


3) The man pages report RAID5 as experimental. I'm curious, why is
this so? Is it just not-very-thoroughly tested, or is there some
missing feature? I read on a 2010 presentation that rebuild was not
implemented yet, is this still so?

That's really a question you will need to find out though
experimentation before you implement (i.e., you MUST practice this
recovery stuff before going into production), but yes, RAID5 rebuild is
still not there, so I would NOT recommend going this route.

However, a nice little RAID1 system to start, hopefully leaving you two
SATA ports for the next generation/upgrade disks.

Nick.


"RAID5 rebuild is still not there": can you please make it clearer what 
the actual state of softraid is, what it can and what it cannot do under RAID 5 ... 
I'm not sure I get it, thank you.

J.-F.



Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-02 Thread Jean-Francois Simon

On 03/07/2013 00:53, Nick Holland wrote:

On 07/02/13 17:07, Jean-Francois Simon wrote:

On 20/05/2013 13:46, Nick Holland wrote:

On 05/20/13 00:52, Hugo Osvaldo Barrera wrote:

...

3) The man pages report RAID5 as experimental. I'm curious, why
is this so? Is it just not-very-thoroughly tested, or is there
some missing feature? I read on a 2010 presentation that rebuild
was not implemented yet, is this still so?

That's really a question you will need to find out though
experimentation before you implement (i.e., you MUST practice this
recovery stuff before going into production), but yes, RAID5
rebuild is still not there, so I would NOT recommend going this
route.

However, a nice little RAID1 system to start, hopefully leaving you
two SATA ports for the next generation/upgrade disks.

Nick.

"RAID5 rebuild is still not there": can you please make it clearer
what the actual state of softraid is, what it can and what it cannot do under RAID 5
... I'm not sure I get it, thank you.

J.-F.


"RAID5 rebuild is still not there" - there's no RAID5 rebuild.  I'm not
sure how to make it more clear...

Ok, let's try this...
Today, you take four 1TB disks, and make a 3TB RAID5 volume.  You can do
that.  Works great.

Now, a lot of people might call this Job Done.  Not me.  The point of
RAID isn't to build complicated systems, but to have the system keep
your butt out of the fire when things go wrong.

Next month, one of those drives fails.  That's ok, RAID5 is designed to
keep your data usable with one drive down.  THAT is the point of RAID.

You pat yourself on the back and say, "I'm glad I am using RAID5."
You replace the failed drive and...
...
um... now what?
You have a three drive degraded RAID5 system with no remaining
redundancy...and a new drive that is currently unused.  You have no
ability to rebuild the function of the failed drive into the new
drive...because the RAID5 rebuild is not there.

Oh, poo.

Your options?  Well,
* you can build a NEW array on other disks (hope you have enough ports
to plug them into), copy the data from the old one to the new one
* you can hope your backup system is perfect, and rebuild the entire
array and reload from backup
* you can hope a second drive doesn't fail in your array... for the life
of the system.

Not much else I can think of.

If you want to play with softraid and raid5, hey, have a blast.  You
want to put critical data on it?  I'd not suggest that.  A job ago, I
had some relatively large chunks of data to hash through to find some
needles of data in and no disks handy that could do it in one
chunk...but I had some big disk array boxes, and a lot of smallish SCSI
disks I could stick in them (and the office space was really cold, so a
bit of heat under my desk was not unappreciated).  I think I did them as
softraid RAID0, but I could have done it as RAID5 with this system --
the data is there just for analysis, not storage.  RAID5 might give me a
few minutes to pull data off that I realized was important only after
the drive failed, but otherwise the loss of data on this array would not
have been catastrophic at all.

Now, anyone who drops important data on any kind of RAID system without
figuring out how to deal with disk (and controller) failures deserves
what they get.  So if I was a nice guy, I'd have said "Go try it out on
some spare hardware and unimportant data and answer your own question",
but being the evil bastard that I am, I'm denying you a very important
learning experience.

Nick.


Great, I did not find this information in the manual in fact ... except 
"considered experimental", if that covers this fact.

Thanks again, not a bad-guy explanation to me, for sure.

Regards JF



Question about filesystem

2011-02-05 Thread Jean-Francois
Hello,

I just read some extracts of a paper, a study by Margo Seltzer & Keith A. 
Smith from Harvard University, a comparison of LFS & FFS.

It looks like the creation of files in FFS takes rather long, such that creation of 
many small files is somewhat not very fast compared to certain other file systems.
As well, fragmentation is less optimized on disks handling lots of changes 
than with some other file systems.

Basic questions from my side, is FFS-2 better than FFS in the sense of dealing 
with creation of many small files, and is fragmentation less than with FFS ?

Are other file systems with some improvement of performance compared to FFS 
available for OpenBSD ?

In other words, I'm not criticizing at all the FFS file system, which I have used 
successfully for a few years now; what about optimizing a server by mounting 
some disks with different types of file systems, is this available at all?

Yes, I read the FAQ and I seem to understand that all of it is simply not 
convenient, if possible at all. But the question is worth it to me in the sense that 
there are probably a lot of interesting things about file system use in OpenBSD 
not yet documented.

Thanks,

Regards

J.-F.



Wine under OpenBSD

2011-02-05 Thread Jean-Francois
Hello,

Is wine available for OpenBSD ?
I couldn't find it in packages nor ports.
If not available, might it be possible to run it under Linux emulation?

Thanks for experience.

Regards



Re: Question about filesystem

2011-02-05 Thread Jean-Francois
Is this what you are asking for? = 4.4BSD Fast File System
http://www.eecs.harvard.edu/~margo/papers/usenix95-lfs/

On Saturday 05 February 2011 19:21:47, Ben Calvert wrote:
 out of curiosity, which FFS were they studying?

 On Feb 5, 2011, at 6:32 AM, Jean-Francois wrote:
  Hello,
 
  I just read some extracts of a paper, a study by Margo Seltzer & Keith A.
  Smith from Harvard University, a comparison of LFS & FFS.
 
  It looks like the creation of files in FFS is rather long such as
  creation of many small files is somewhat not very fast compared to
  certain other FS. As well, the fragmentation is less optimized on disks
  handling lots of changes than some other FS.
 
  Basic questions from my side, is FFS-2 better than FFS in the sense of
  dealing with creation of many small files, and is fragmentation less
  than with FFS ?
 
  Are other file systems with some improvement of performance compared to
  FFS available for OpenBSD ?
 
  In other words, I'm not criticizing at all the FFS file system which I do
  use successfully for a few years now, what about optimizing a server by
  mounting some disks with different types of file systems, is this
  available at all ?
 
  Yes, I read FAQ and I seem to understand that all of it is simply not
  convenient if possible at all. But the question is worth to me in the
  sense, there are probably lot of interesting things about file systems
  use in OpenBSD not yet documented.
 
  Thanks,
 
  Regards
 
  J.-F.



Re: Question about filesystem

2011-02-05 Thread Jean-Francois
Hi,

Right. Could you please describe in a few words what softdeps is?

Thanks.
J-F

On Saturday 05 February 2011 20:11:17, Nick Holland wrote:
 On 02/05/11 09:32, Jean-Francois wrote:
  Hello,
 
  I just read some extracts of a paper, a study by Margo Seltzer & Keith A.
  Smith from Harvard University, a comparison of LFS & FFS.

 the paper from 1995??

 Dude.  That's a LONG time ago in the computer world.  It is also a very
 non-specific Log-structured file system, which may or may not have any
 real-world counterpart here 16 years later (yes, some modern file
 systems are logging FSs, but...are they descendants of this 1995 LFS?
  Or was this LFS a dead-end for real-world reasons that never show up in
 academic papers?  (I'm sure I could do some more research on this, but
 it's your question, not mine :)

  Basic questions from my side, is FFS-2 better than FFS in the sense of
  dealing with creation of many small files, and is fragmentation less
  than with FFS ?

 Please describe the fragmentation problem you have /observed/...  I do a
 lot to torment file systems, and never seen anything that looked like a
 PROBLEM caused by fragmentation on OpenBSD.  If you aren't seeing a real
 problem, how can you benefit from optimizing?

  Are other file systems with some improvement of performance compared to
  FFS available for OpenBSD ?

 Short answer: there are two file systems provided for day-to-day use on
 OpenBSD: FFS and FFS2.  FFS is the general purpose OS, FFS2 is for very
 large file systems which can't be handled by FFS.  Nice and simple.

 Other file systems that OpenBSD supports are for cross-system
 compatibility, not for better anything on OpenBSD, at least at this
 time (wouldn't mind seeing a working HAMMER port, of course).

 And...as FFS2 is used for larger file systems, I think it is safe to say
 that putting lots of small files on huge file systems is much worse than
 putting lots of small files on a few (or a lot) of small file systems.

 However, if you are looking at writing lots of small files, make sure
 you are using softdeps, you will get a very large performance gain
 (I'm not talking 10% -- more like 10x!).  You may find you get much
 better real performance than many logging systems give.

 Nick.



Re: Question about filesystem

2011-02-05 Thread Jean-Francois
Had not seen it from the FAQ.

Thanks for the link.

On Sunday 06 February 2011 00:04:55, Richard Toohey wrote:
 On 6/02/2011, at 9:31 AM, Jean-Francois wrote:
  Hi,
 
  Right. Could you please describe in a few words what softdeps is?

 http://www.openbsd.org/faq/faq14.html#SoftUpdates

 Wouldn't you rather let Nick & the other OpenBSD developers *WORK* on
 OpenBSD? I would.

 Rather than answering questions that are in the docs?  Or can be found in
 Google?

 Or the code?  Or from your own experiments?

 Thanks.

  Thanks.
  J-F
 
  On Saturday 05 February 2011 20:11:17, Nick Holland wrote:
  On 02/05/11 09:32, Jean-Francois wrote:
  Hello,
 
  I just read some extracts of a paper, a study by Margo Seltzer & Keith
  A. Smith from Harvard University, a comparison of LFS & FFS.
 
  the paper from 1995??
 
  Dude.  That's a LONG time ago in the computer world.  It is also a very
  non-specific Log-structured file system, which may or may not have any
  real-world counterpart here 16 years later (yes, some modern file
  systems are logging FSs, but...are they descendants of this 1995 LFS?
  Or was this LFS a dead-end for real-world reasons that never show up in
  academic papers?  (I'm sure I could do some more research on this, but
  it's your question, not mine :)
 
  Basic questions from my side, is FFS-2 better than FFS in the sense of
  dealing with creation of many small files, and is fragmentation less
  than with FFS ?
 
  Please describe the fragmentation problem you have /observed/...  I do a
  lot to torment file systems, and never seen anything that looked like a
  PROBLEM caused by fragmentation on OpenBSD.  If you aren't seeing a real
  problem, how can you benefit from optimizing?
 
  Are other file systems with some improvement of performance compared to
  FFS available for OpenBSD ?
 
  Short answer: there are two file systems provided for day-to-day use on
  OpenBSD: FFS and FFS2.  FFS is the general purpose OS, FFS2 is for very
  large file systems which can't be handled by FFS.  Nice and simple.
 
  Other file systems that OpenBSD supports are for cross-system
  compatibility, not for better anything on OpenBSD, at least at this
  time (wouldn't mind seeing a working HAMMER port, of course).
 
  And...as FFS2 is used for larger file systems, I think it is safe to say
  that putting lots of small files on huge file systems is much worse than
  putting lots of small files on a few (or a lot) of small file systems.
 
  However, if you are looking at writing lots of small files, make sure
  you are using softdeps, you will get a very large performance gain
  (I'm not talking 10% -- more like 10x!).  You may find you get much
  better real performance than many logging systems give.
 
  Nick.



chrooted browser

2011-01-16 Thread Jean-Francois
Hello,

Is there a way to chroot the web browser for safer internet surfing ?
Regards



Re: delete user in group script

2010-12-28 Thread Jean-Francois Simon
On Tuesday 14 December 2010 13:16:59 Markus Hennecke wrote:
 On Tue, 14 Dec 2010, OpenBSD Geek wrote:
  I made as I could, since it works, where is the problem...? ;-)
 
 Tomas already pointed out where this will blow up for sure.
 
 Hint: Take a look at mktemp(1) and install(1) to weed out the worst
 issues.
 
 Kind regards,
Markus

... didn't know there were so many tools, thanks.



IPSEC leak channel issue

2010-12-24 Thread Jean-Francois
Hi,

Regarding the recent issue, I would like to understand what the threat could 
potentially be, because to me it is only likely that an encrypted channel 
could leak information if, however, the story reveals to have impacted OpenBSD.

Thanks for some kind of understanding from those who have that knowledge.

Regards



Re: Print server

2010-12-23 Thread Jean-Francois
On Wednesday 22 December 2010 23:40:03, Jacob Meuser wrote:
 On Wed, Dec 22, 2010 at 11:20:47PM +0100, Jean-Francois wrote:
  Hello,
 
  I would like to use a printer on the server and share it like samba
  supports, have it a shared network printer through openbsd server.
 
  The printer is actually a usb one that I would like to connect to the
  server. Is this basically working ? supported ?

 usb printers?  see ulpt(4).  some also work as ugen(4), if the driver
 supports that.

  Printer is Brother HL 2030, driver seems available for Linux. Can you
  recommend the best way to proceed ? It's first time for me, I saw things
  such as cups, never dive into yet.
 
  Thanks.

 http://www.openprinting.org/printer/Brother/Brother-HL-2030

 that gives you some hints.  granted, they're talking about linux so
 not all of that is relevant, but the recommended driver is hl1250, which
 is in the 'gs' binary of the ghostscript package.

Hi,
I'm not used to installing printers on Unix, not sure I understand whether ulpt / ugen
are enough to handle that printer? Do I need cups or a printer driver? I
installed only the samba server at the moment.



Print server

2010-12-22 Thread Jean-Francois
Hello,

I would like to use a printer on the server and share it like samba supports, 
have it as a shared network printer through the OpenBSD server.

The printer is actually a usb one that I would like to connect to the server. 
Is this basically working ? supported ?

The printer is a Brother HL 2030; a driver seems available for Linux. Can you 
recommend the best way to proceed? It's the first time for me, I saw things such 
as cups, never dived into it yet.

Thanks.



C++ CGI script

2010-12-13 Thread Jean-Francois
Hello,

Sorry for posting a basic question here, would you please let me know why such 
a script doesn't work (error "Premature end of script headers")?


#include <iostream>
using namespace std;

int main()
{
    // CGI response: one header line, an empty line, then the body.
    // cout is flushed when the program exits normally.
    cout << "Content-type: text/plain" << endl << endl << "Hello, World!" << endl;
    return 0;
}


Google actually shows "flush needed", but I'm not able to do a hello world 
CGI in C++.

Thanks for your help,

Regards
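
An added check, not from the original post, that runs a CGI program the way a server does and verifies that its output starts with a complete header block: one or more "Name: value" lines followed by an empty line (LF or CRLF). "Premature end of script headers" is the server's complaint when that block never arrives, which happens when the program prints the body without the empty line, prints nothing because it crashed, or cannot be started at all. The script assumes only POSIX sh, awk and mktemp; the two CGI scripts it creates (a correct one and one that omits the empty line) are constructed for the demonstration. If the server runs chrooted (httpd's default /var/www on OpenBSD), also run ldd(1) on a dynamically linked C++ binary and make sure every library it lists exists inside the chroot: a program that cannot start produces no headers, and the check below fails on its exit status rather than on the header format.

```sh
#!/bin/sh
# Added example (not from the original post): check a CGI program's output
# the way a web server does before accepting it. A server reports
# "Premature end of script headers" when the program exits without printing
# at least one "Name: value" header line followed by an empty line.
# Assumes only POSIX sh, awk and mktemp.

# cgi_headers_ok PROGRAM
# Runs PROGRAM with a minimal CGI-style environment, from its own
# directory as a server would, and returns 0 if its output starts with a
# well-formed header block (one or more "Name: value" lines, then an empty
# line, CRLF or LF), 1 otherwise.
cgi_headers_ok() {
    prog=$1
    out=$(mktemp) || return 1
    ( cd "$(dirname "$prog")" && \
      env -i PATH=/bin:/usr/bin GATEWAY_INTERFACE=CGI/1.1 \
          REQUEST_METHOD=GET "./$(basename "$prog")" ) > "$out" 2>/dev/null
    status=$?
    # awk walks the header block: a header line is "token: value"; an
    # empty line ends the block; anything else, or EOF inside the block,
    # is a failure.
    awk '
        { sub(/\r$/, "") }                                  # accept CRLF
        !done && $0 == "" { if (seen == 0) exit 1; done = 1; next }
        !done && $0 ~ /^[A-Za-z0-9-]+:[ \t]*[^ \t]/ { seen++; next }
        !done { exit 1 }                                    # junk before the blank line
        END { exit done ? 0 : 1 }
    ' "$out"
    ok=$?
    rm -f "$out"
    [ "$status" -eq 0 ] && [ "$ok" -eq 0 ]
}

# Two constructed CGI scripts for the demonstration: a correct one and one
# that forgets the empty line terminating the header block. Prints the
# directory that holds them.
make_demo_scripts() {
    d=$(mktemp -d) || return 1
    cat > "$d/good.cgi" <<'EOF'
#!/bin/sh
printf 'Content-type: text/plain\r\n\r\n'
printf 'Hello, World!\n'
EOF
    cat > "$d/bad.cgi" <<'EOF'
#!/bin/sh
printf 'Content-type: text/plain\n'
printf 'Hello, World!\n'
EOF
    chmod +x "$d/good.cgi" "$d/bad.cgi"
    echo "$d"
}

demo_dir=$(make_demo_scripts)
cgi_headers_ok "$demo_dir/good.cgi" && echo "good.cgi: header block accepted"
cgi_headers_ok "$demo_dir/bad.cgi"  || echo "bad.cgi: premature end of script headers"
rm -rf "$demo_dir"
```

Point cgi_headers_ok at the compiled C++ program to test it outside the server; the same function also catches a program that emits a body line before its first header, which a server rejects with the same message.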



Hard links details

2010-12-12 Thread Jean-Francois
Hi,

May someone help me to understand how exactly hard links work? To some 
extent I understood that a hard link is indistinguishable from the original, 
yet it must be so that the data is linked back to all the hard links 
pointing to it, correct?
This means that it is safe to
a) create file.original
b) create a hard link to file.original called file.hardlink
c) destroy file.original
The data remains.
Whereas if we would do only a) then c), the data would be destroyed.

Is this correct ? Something to change or add ?

Thanks a lot,
JF
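
The sequence a), b), c) from the question, carried out in a shell script as an added example (not part of the original post). It prints the link count and inode number after each step, reads the data back through file.hardlink once file.original is gone, and contrasts that with a symbolic link, which dangles. It assumes only POSIX sh, ln, ls, awk, cat and mktemp and works in a throw-away directory.

```sh
#!/bin/sh
# Added example (not from the original post): walk through steps a), b), c)
# and show why the data survives. Needs only POSIX sh, ln, rm, ls, awk, cat
# and mktemp; everything happens inside a throw-away directory.

# Link count of a path: second column of ls -l. Used instead of stat(1),
# whose option syntax differs between BSD and GNU.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Inode number of a path: first column of ls -i.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Performs a) create, b) hard link, c) remove the original, printing the
# link count and inode after each step. Returns 0 when the data is still
# readable through file.hardlink afterwards, 1 otherwise.
hardlink_demo() {
    dir=$(mktemp -d) || return 1

    printf 'some data\n' > "$dir/file.original"                   # a)
    echo "a) original:  links=$(link_count "$dir/file.original") inode=$(inode_of "$dir/file.original")"

    ln "$dir/file.original" "$dir/file.hardlink"                  # b)
    echo "b) hard link: links=$(link_count "$dir/file.hardlink") inode=$(inode_of "$dir/file.hardlink")"
    # Both names are directory entries for the same inode; neither one is
    # "the original" as far as the file system is concerned.
    [ "$(inode_of "$dir/file.original")" = "$(inode_of "$dir/file.hardlink")" ] \
        || { rm -rf "$dir"; return 1; }

    rm "$dir/file.original"                                       # c)
    echo "c) after rm:  links=$(link_count "$dir/file.hardlink")"

    # The data block is still referenced by the remaining name.
    content=$(cat "$dir/file.hardlink")
    rm -rf "$dir"
    [ "$content" = "some data" ]
}

# Contrast with a symbolic link, which is a separate file holding a path:
# removing the target leaves it dangling. Returns 0 if the link dangles.
symlink_contrast() {
    dir=$(mktemp -d) || return 1
    printf 'some data\n' > "$dir/file.original"
    ln -s "$dir/file.original" "$dir/file.symlink"
    rm "$dir/file.original"
    if [ -e "$dir/file.symlink" ]; then target_present=1; else target_present=0; fi
    rm -rf "$dir"
    [ "$target_present" -eq 0 ]
}

hardlink_demo && echo "data survived removal of file.original"
symlink_contrast && echo "symlink dangles after removal of its target"
```

Two caveats worth keeping in mind: a hard link cannot cross file systems and, for regular users, cannot point at a directory; and because the data is only freed when the last link is removed (and no process still holds the file open), a user who can create links on the same file system can keep a file alive, with its original permission bits, after its owner has deleted it. Whether unprivileged users may link files they do not own depends on the system, so check link(2) for the one you run.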



hotplugd and auto mount UI

2010-12-11 Thread Jean-Francois
Hello,

Has someone already programmed any kind of UI or GUI used with hotplugd for auto-
mounting, with a user interface to eventually mount or unmount the device?

I am doing this for a friend, however if something already exists ...

Thanks

Jean-François



Lenovo

2010-12-02 Thread Jean-Francois
Hi All,

Are Lenovo, say for example the T410 or equivalent professional laptops, OK with 
OpenBSD in terms of compatibility? Anything to take care about?

Regards

JF



Gnome running slow

2010-11-18 Thread Jean-Francois
Hi,

I experience a desktop running quite slow; I have seen it running well 
sometimes.

Gnome is simply slow and I have no idea why; after login, it is not always 
that slow, sometimes it runs well.

Apparently, with top I see Xorg consuming many resources.

I have no idea how to solve this. Do you have any experience with this ?

Thanks



choice for a ftpd

2010-11-06 Thread Jean-Francois
Hello,

I am thinking of installing as an ftp daemon vsftpd or pure-ftpd since both
seem to be simple and secure.

Would you recommend one or the other in terms of security or
scalability ?

Regards 



Re: Enough is enough!

2010-11-02 Thread Jean-Francois
On Tuesday 02 November 2010 09:18:08, bsdmas...@hushmail.com wrote:
 FTP server down, amd64 snapshot packages way out of sync with
 latest libc bump... What the hell!

 If you guys don't get your sh*t together, I'm done.

 Yeah, you read that right.

 If this whole situation is not cleared in the next 24 hours, I'm
 switching to ArchLinux (www.archlinux.org).

 You've been warned.

Use a mirror.
Have some patience.
Do you have a real problem ? Then what's your real problem ?
Otherwise ask yourself if it is worth sending your mail before posting.



Re: OpenBSD-capable, fanless, diskful computer with ECC RAM

2010-11-01 Thread Jean-Francois
On Saturday 30 October 2010 02:14:21, Damien Miller wrote:
 Hi,

 Can anyone recommend a small, fanless computer that will accept a HD
 (perhaps a 2.5 drive) that uses ECC RAM? Needless to say, it must run
 OpenBSD.

 Being 64 bit, having accellerated crypto and/or supporting multiple drives
 would be bonus points, but are not required.

 -d

here ?

http://www.logicsupply.com/

Regards



Re: more about softraid

2010-10-30 Thread Jean-Francois
On Saturday 30 October 2010 04:52:35, Marco Peereboom wrote:
 On Thu, Oct 28, 2010 at 10:41:52PM +0200, Jean-Francois wrote:
   # bioctl -R sd0a sd2
 
  If I understand well, the above command kicks off a rebuild on a
  replacement device. A few questions from my side ...
 
  Is it possible to rebuild with another device for example sd0b or sd1a
  instead of sd0a ? (seems no if I understood properly)

 Assuming I got the question right, yes.  You can rebuild on any
 appropriately sized chunk.

  Is the same process as for initialization required for the rebuild ? e.g.
  # fdisk -iy sd0
   # printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E sd0
 
  Regards

Ok, to be more clear, say for example we set up a softraid called sd2 with
chunks sd0a and sd1a in RAID 1.
sd0a becomes faulty/offline; I would like to use an appropriate chunk to
replace it, but say it is not designated sd0a but sd3a, what can we then do?
Could we rebuild on sd3a?

Thanks & regards



Re: more about softraid

2010-10-30 Thread Jean-Francois
On Saturday 30 October 2010 15:22:32, Marco Peereboom wrote:
 On Sat, Oct 30, 2010 at 12:18:42PM +0200, Jean-Francois wrote:
   On Saturday 30 October 2010 04:52:35, Marco Peereboom wrote:
   On Thu, Oct 28, 2010 at 10:41:52PM +0200, Jean-Francois wrote:
 # bioctl -R sd0a sd2
   
If I understand well the above command kicks off a rebuild on a
replacement device. Few questions from my side ...
   
Is it possible to rebuild with another device for example sd0b or
sd1a instead of sd0a ? (seems no if I understood properly)
  
   Assuming I got the question right, yes.  You can rebuild on any
   appropriately sized chunk.
  
Is the same process as for initialization required for the rebuild ?
e.g. # fdisk -iy sd0
 # printf "a\n\n\n\nRAID\nw\nq\n\n" | disklabel -E sd0
   
Regards
 
  Ok, to be more clear, say for example we set up a softraid called sd2 with
  chunks sd0a and sd1a in RAID 1.
  sd0a becomes faulty/offline; I would like to use an appropriate chunk to
  replace it, but say it is not designated sd0a but sd3a, what can we then
  do? Could we rebuild on sd3a?

 Lets say you have a raid 1 made out of 3 chunks; sd1a, sd2a and sd3a.
 Now lets say sd2a breaks and you add a new drive sd4.  On that new drive
 you create a d partition that is of the right size.  You could rebuild
 the softraid volume with sd4d.

 I left out the drive shuffling that might (will) happen to simplify the
 example.

 To prevent shuffling from biting you in the butt read up on the DUID
 stuff that jsing wrote.  It is described in the mount(8) page.

  Thanks & regards

Good, it works perfectly.

Another question,
When I initiate a rebuild, is the operations done at creation needed ?

For example :

# fdisk -iy wd1
# printf 'a\n\n\n\nRAID\nw\nq\n\n' | disklabel -E wd1
# bioctl -R /dev/wd1a sd0
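The rebuild sequence discussed in this thread (fdisk the replacement disk, give it a RAID partition with disklabel, then bioctl -R it into the degraded volume) as an added worked example; this is not code from the thread or from OpenBSD. It parses a constructed sample of bioctl(8) volume output, relying only on the Online/Offline/Degraded status words (the exact column layout is an assumption), validates the chunk name, and returns the command sequence so it can be reviewed before anything is run. The function names and the sample are mine.

```python
"""Check a softraid volume for Offline chunks and plan its rebuild.

Assumptions (not from the thread): bioctl prints the volume line starting
with "softraidN" and one line per chunk ending in "<diskpart>", with the
status word in the third column of the volume line and the second column
of a chunk line. Only those keywords are relied on.
"""
import re
import subprocess

# Constructed sample of `bioctl sd2` for a two-chunk RAID 1 volume whose
# second chunk has failed. Spacing is approximate.
SAMPLE_BIOCTL = """\
Volume      Status               Size Device
softraid0 0 Degraded    1000204886016 sd2     RAID1
          0 Online      1000204886016 0:0.0   noencl <sd0a>
          1 Offline                 0 0:1.0   noencl <sd1a>
"""

CHUNK_RE = re.compile(r"^(sd|wd)[0-9]+([a-p])$")   # e.g. sd4d
VOLUME_RE = re.compile(r"^sd[0-9]+$")              # e.g. sd2


def parse_bioctl(text):
    """Return (volume_status, [(chunk_device, chunk_status), ...])."""
    status = None
    chunks = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[0].startswith("softraid"):
            status = fields[2]
            continue
        m = re.search(r"<([a-z]+[0-9]+[a-p])>", line)
        if m:
            chunks.append((m.group(1), fields[1]))
    return status, chunks


def offline_chunks(text):
    """Devices bioctl lists as Offline, i.e. the ones to be replaced."""
    return [dev for dev, st in parse_bioctl(text)[1] if st == "Offline"]


def disklabel_script(partition):
    """stdin for `disklabel -E`: add partition <letter> with the default
    offset and size (all free space), FS type RAID, write, quit. This is
    the printf sequence from the thread with the partition letter made a
    parameter (Marco's example uses d on the new drive)."""
    return "a\n%s\n\n\nRAID\nw\nq\n\n" % partition


def rebuild_plan(volume, new_chunk, bioctl_output):
    """Commands (argv, stdin) to rebuild `volume` onto `new_chunk`.

    Refuses to plan anything unless bioctl shows the volume Degraded with
    an Offline chunk, and rejects partition c, which on OpenBSD covers the
    whole disk rather than being a partition to use as a chunk."""
    if not VOLUME_RE.match(volume):
        raise ValueError("volume must look like sd2, got %r" % volume)
    m = CHUNK_RE.match(new_chunk)
    if not m or m.group(2) == "c":
        raise ValueError("chunk must be a partition other than c, got %r" % new_chunk)
    status, _ = parse_bioctl(bioctl_output)
    if status != "Degraded" or not offline_chunks(bioctl_output):
        raise RuntimeError("%s is %s, nothing to rebuild" % (volume, status))
    disk = new_chunk[:-1]
    return [
        (["fdisk", "-iy", disk], None),       # -i: fresh MBR with one OpenBSD slice, -y: no prompts
        (["disklabel", "-E", disk], disklabel_script(m.group(2))),
        (["bioctl", "-R", "/dev/" + new_chunk, volume], None),
    ]


def run_plan(plan):
    """Execute a reviewed plan on the real host (needs root)."""
    for argv, stdin in plan:
        subprocess.run(argv, input=stdin, text=True, check=True)


if __name__ == "__main__":
    for argv, stdin in rebuild_plan("sd2", "sd4d", SAMPLE_BIOCTL):
        print(" ".join(argv), "<<< %r" % stdin if stdin else "")
```

run_plan() only executes what rebuild_plan() returned, so the three commands can be read first. The new partition must be at least as large as the chunk it replaces, which the plan cannot check offline, and, as Marco notes above, device names shuffle when drives are swapped, so confirm in the bioctl listing which sdN really is the new disk before passing its name in.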



Re: nfsv4?

2010-10-28 Thread Jean-Francois
On Thursday 28 October 2010 03:34:15, Theo de Raadt wrote:
  On Wed, Oct 27, 2010 at 5:26 PM, FRLinux frli...@gmail.com wrote:
   On Wed, Oct 27, 2010 at 9:45 PM, Theo de Raadt
   dera...@cvs.openbsd.org
  
   wrote:
   The design process followed by the NFSv4 team members matches the
   methodology taken by the IPV6 people.  (As in, once a mistake is
   made,
  
   Sorry, I'll bite. What exactly is wrong with IPv6 here? I gathered
   from this list not a lot of developers here like it, but I still don't
   get it. Please educate me (this should be enlightening).
 
  Instead of fixing the one problem with v4, they decided to fix a
  thousand additional problems that nobody really cares about.

 in that regard i disagree, but perhaps only in tone.

 With ipv6, they decided to create a bunch of new problems that
 people now find they care deeply about

 - they created a totally new problem by avoiding arp.  the
   benefit of their layer-2 discovery mechanism has been
   absolutely zero; the best unit of measure for the cost of
   that decision is decades.

 - they created a new problem by punting global routing to
   further study (in this, they showed that they had deep
   familiarity with appletalk and ipx).

 - they created an entirely new and huge problem (destroying
   SIOCGIFCONF backwards compat hurt IPV6 deployment in operating
   systems on a massive scale) by not making their sockaddr be
   a power of 2 in size.  it sounds silly, but it turns out it
   is the kind of thing which matters.  when they were told of
   this problem (very early on) they said something like oh,
   but we already have 3 engineers in the world running their
   own ipv6 test code, so it is too late to change that.
   this is the specific mindset which results in layers of bad
   decisions papered over top of each other.

 shit which comes out of research organizations all tends to suck these
 days, doesn't it.  or perhaps it always did (OSI networking, ipv6,
 same same).

 i have theorized in the past that the problem we face is
 that an insufficient number of axe murderers are attending those kinds
 of research meetings.

Why not take part in intl. engineering? Thus you could act upon worldwide
decisions.



Re: more about softraid

2010-10-28 Thread Jean-Francois
 # bioctl -R sd0a sd2

If I understand well the above command kicks off a rebuild on a replacement 
device. Few questions from my side ...

Is it possible to rebuild with another device for example sd0b or sd1a instead 
of sd0a ? (seems no if I understood properly)

Is the same process as for initialization required for the rebuild ? e.g.
# fdisk -iy sd0
# printf 'a\n\n\n\nRAID\nw\nq\n\n' | disklabel -E sd0

Regards



Re: Linux or OpenBSD

2010-10-23 Thread Jean-Francois
On Wednesday 22 September 2010 21:29:31, Rikky Taylor wrote:
 I was after some general advice. I need to setup a routing firewall with 3
 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.



 Given identical modern server hardware would I expect a performance
 difference between an OpenBSD/PF setup and a Linux/IPTables one?



 Rikky

Hello,

The question mentioned before is right, a little more description would help
regarding your infrastructure.

I'm loving OpenBSD as firewall, it performs well enough and is secure by
default, so if you get rules right, you have very quickly something very good
for an affordable effort.

Most importantly, you have a very well documented firewall through man pages
and faq, therefore a very small probability of human error, the ever
persisting root of imperfection if I could say.

Regards,

Jean-François



more about softraid

2010-10-23 Thread Jean-Francois
Hi,

I'm having difficulty understanding how softraid works, i.e. how to add chunks, 
remove chunks, change and rebuild, add/remove hotspares.

The manpages bioctl & softraid only mention basic configuration, but once the 
raid is working ... any other related docs or man ?

Thanks,

J-F



Re: more about softraid

2010-10-23 Thread Jean-Francois
On Sunday 24 October 2010 00:34:53, Tomas Bodzar wrote:
 I think that this will solve your hunt for information ;-)
 http://www.openbsd.org/papers/asiabsdcon2010_softraid/softraid.pdf

 On Sun, Oct 24, 2010 at 1:21 AM, Jean-Francois jfsimon1...@gmail.com
wrote:
  Hi,
 
  I'm having difficulty to understand how softraid works ie. how to add
  chunks, remove chunks, change and rebuild, add/remove hotspares.
 
  The manpages bioctl & softraid only mention basic configuration, but once
  the raid is working ... any other related docs or man ?
 
  Thanks,
 
  J-F

Thanks, it effectively helps to understand how it works, but not yet the
command lines used to add-change-remove-rename chunks or hotspares.

At least, I can't figure out how to do it, I just could understand how to
basically set it up, or let's say initialize a softraid.

I'm limited to basics, I couldn't yet do advanced configuration of an already
built raid, I could not figure it out with the available docs (including the above
mentioned one) and the man pages.

Regards



Re: insecure scheduler in OpenBSD 4.7

2010-10-12 Thread Jean-Francois
I've been convinced not to buy NVidia anymore.

On Tuesday 12 October 2010 06:04:27, Tomas Bodzar wrote:
 First of all people don't use NVIDIA crap for hosting platform (or any
 other use). Or at least they try to avoid it as much as possible. As
 you can see in your dmesg you have quite a lot of unsupported parts of
 HW (or badly working/set).

 It's fault of other OSs' that NVIDIA plays game about available open
 source drivers and that they want to play it. Couple of NVIDIA
 developers said during interviews that they don't care about open
 source systems, they develop only for paid systems. And not only SW
 part is crap in their case ;-)

 Anyway bigger problem is on your side as you don't want to learn or
 see differences in OpenBSD design and why is that and more
 specifically why it's better. You're looking at it from the point of
 view of Linux and other systems because you think that there is
 everything fine in them and that it's secure.

 On Mon, Oct 11, 2010 at 10:41 PM, Dmitry-T dmitr...@yandex.ru wrote:
  I installed OpenBSD 4.7 (dmesg attached)

  uname -a
  OpenBSD d1.my.domain 4.7 GENERIC#112 amd64

  Run as root:
  dd if=/dev/wd0c of=/dev/null bs=1m &
  dd if=/dev/wd0c of=/dev/null bs=1m &
  dd if=/dev/wd0c of=/dev/null bs=1m &

  top

  load averages:  3.12,  2.50,  1.49                16:54:08
  37 processes:  36 idle, 1 on processor
  CPU states:  0.1% user,  0.0% nice,  7.3% system,  3.6% interrupt, 89.1% idle
  Memory: Real: 35M/339M act/tot  Free: 2393M  Swap: 0K/3071M used/tot

    PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
    754 root     -14    0 2232K 1228K sleep     inode     0:24  6.10% dd
  25914 root      -5    0 2216K 1224K sleep     getblk    0:24  6.05% dd
  21919 root     -14    0 2204K 1224K sleep     inode     2:08  5.96% dd

  iostat wd0 1

        tty            wd0             cpu
   tin tout  KB/t t/s MB/s  us ni sy in id
     0    0  2.00 5141 10.04   0  0 23 13 64
     0    0  2.00 5021 9.81   0  0 16 10 74
     0  299  2.00 5206 10.17   0  0 21  8 71
     0    0  2.00 5066 9.90   0  0 15  8 77


  Run as _normal user_:
  dd if=/dev/urandom of=/dev/null

  Try to recover balance:
  renice 20 -p 30996
  renice -20 -p 21919 25914 754

  top

  load averages:  3.53,  3.55,  3.00                17:12:19
  38 processes:  1 running, 36 idle, 1 on processor
  CPU states:  0.0% user,  0.0% nice, 98.4% system,  1.6% interrupt,  0.0% idle
  Memory: Real: 36M/339M act/tot  Free: 2394M  Swap: 0K/3071M used/tot

    PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
  30996 teldi    104   20  216K  200K run       -         4:48 97.95% dd
  21919 root     -14  -20 2204K 1224K sleep     inode     2:15  0.15% dd
  25914 root     -14  -20 2216K 1224K sleep     inode     0:31  0.00% dd
    754 root      -5  -20 2232K 1228K sleep     getblk    0:31  0.00% dd

  iostat wd0 1

        tty            wd0             cpu
   tin tout  KB/t t/s MB/s  us ni sy in id
     1  283  2.00 375 0.73   0  0 99  1  0
     0    0  2.00 374 0.73   0  0100  0  0
     0    0  2.00 375 0.73   0  0 98  2  0
     0    0  2.00 382 0.75   0  0 99  1  0

  Disk read speed fell from 10 Mb/s to 0.8 Mb/s (22 Mb/s to 0.9 Mb/s in test
  with livecd).
  CPU for the first three dd (root processes!) fell from 18.1% to 0.2%.
  renice does not work in this situation.

  It is not secure. One user script or program may load CPU and
  database or another servers lost speed in disk operations.
  This is hole for DOS attacks in OpenBSD design.

  How you use the OpenBSD as web servers and hosting platform?
  Permanently catch and kill processes?

  --
  Dmitry Telegin
  OpenBSD 4.7 (GENERIC) #112: Wed Mar 17 20:43:49 MDT 2010
      dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
  real mem = 2951479296 (2814MB)
  avail mem = 2864992256 (2732MB)
  mainbus0 at root
  bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf06d0 (66 entries)
  bios0: vendor American Megatrends Inc. version 1001 date 04/19/2006
  bios0: ASUSTeK Computer INC. A8N-VM CSM
  acpi0 at bios0: rev 2
  acpi0: tables DSDT FACP APIC MCFG OEMB
  acpi0: wakeup devices PCE0(S4) PCE1(S4) PCE2(S4) PS2K(S4) PS2M(S4) UAR1(S4) NSMB(S4) USB0(S4) USB2(S4) NMAC(S5) P0P1(S4) HDAC(S4) MC97(S4) SLPB(S4)
  acpitimer0 at acpi0: 3579545 Hz, 24 bits
  acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
  cpu0 at mainbus0: apid 0 (boot processor)
  cpu0: AMD Athlon(tm) 64 Processor 3000+, 2169.41 MHz
  cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
  cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
  cpu0: ITLB 32 4KB entries fully 

Re: RAID support

2010-10-07 Thread Jean-Francois
On Thursday 07 October 2010 13:22:01, g.du...@otasc.org wrote:
  Hello,
 
  Is soft RAID currently a work in progress, I remember some important
  features
  were still added release after release recently. Will it be the case for
  forthcoming 4.8 ?
 
  Regards
 
  Jean-François

 Hi,
 is already working I guess :
 http://www.openbsd.org/cgi-bin/man.cgi?query=softraid&sektion=4
 http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl&sektion=8

Why raidctl and bioctl? What are the differences, why are both here?

Regards



Re: RAID support

2010-10-07 Thread Jean-Francois
Hi,

Doing tests, I could not always properly kick off a rebuild.
What is exactly the procedure for doing a rebuild with bioctl -R ?

In particular I don't understand, when you have say a build with chunks sd0a 
and sd1a, then remove one chunk, plug a new one, if it doesn't appear as sd1 
but sd2 or whatever, then how do you attach it to the raid device - which is 
waiting for a sd1a (the offline device) ?

Regards



Re: FreeBSD isn't Free

2010-10-06 Thread Jean-Francois
On Wednesday 06 October 2010 12:10:53, Oliver Peter wrote:
 On Tue, 05 Oct 2010 23:22:03 -0600

 Theo de Raadt dera...@cvs.openbsd.org wrote:
  Just for fun.

 Stop wasting your time reading people's licenses.,
 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mg/theo.c.diff?r1=1.77;r2=1.78

 Eh? :)

Sense for the content of ?
static const char *talk[]



RAID support

2010-10-06 Thread Jean-Francois
Hello,

Is soft RAID currently a work in progress, I remember some important features
were still added release after release recently. Will it be the case for
forthcoming 4.8 ?

Regards

Jean-François



Re: Is GeForce 8200 supported ?

2010-10-02 Thread Jean-Francois
On Thursday 30 September 2010 22:45:02, Chris Cappuccio wrote:
 Not supported

 Jean-Francois [jfsimon1...@gmail.com] wrote:
  Hello,
 
  I have a problem starting X and in Xorg.0.log there is the following
  lines. Is it a driver error ? It's an integrated graphic card on the MB
  providing both vesa/hdmi outputs. Could you please help ?
 
  (II) VESA: driver for VESA chipsets: vesa
  (II) Primary Device is: PCI 0...@00:00.0
  (WW) NV: Ignoring unsupported device 0x10de0849 (GeForce 8200) at
  0...@00:00.0 (WW) Falling back to old probe method for vesa
  (EE) No devices detected.
 
  Fatal server error:
  no screens found

Is there no way to solve this with existing software, such as a compatible but
limited driver ?

Regards



Re: Is GeForce 8200 supported ?

2010-10-02 Thread Jean-Francois
On Saturday 02 October 2010 17:37:59, Ted Unangst wrote:
 On Sat, Oct 2, 2010 at 4:55 AM, Jean-Francois jfsimon1...@gmail.com
wrote:
  Is there noway to solve this with existing software, such as a compatible
  but limited driver ?

 Have you called up nvidia?  You have a support contract, right?

Not yet, I decided to do something else to solve my problem actually. However
it's more interesting, but there's not so much detail to say here at the
moment.

I dove into OpenBSD and found out how much work was done on it.

Thanks to all developers.



Re: project : openbsd as nas

2010-10-02 Thread Jean-Francois
Hi,

I understood that this list is not meant for me to show off what I did with
this nas stuff.
I'll just post once the work is done so it may be of interest to some.
At the moment I'm doing a custom install cd, not sure how long it will take or
if I ever overcome all difficulties, but I'll bet.

Here's the first hack, I am working on the install.sh & install.sub files.

In the install process /src/distrib/miniroot/install.{sh,sub}, replaced

Available disks are: wd0 wd1 wd2.
Which one do you wish to initialize? (or 'done') [done]

by

disk : wd0
label: Veritech SSD 200
total sectors: 63078400 #  total bytes: 30.1G

disk : wd1
label: SAMSUNG HD103UJ
total sectors: 1953525168 #  total bytes: 931.5G

disk : wd2
label: MAXTOR STM316021
total sectors: 312581808 #  total bytes: 149.1G

Available disks are: wd0 wd1 wd2.
Which one will the operating system be installed on? (or 'done') [done]

e.g.

# Force the user to think and type in a disk name by
# making 'done' the default choice.
# Jean-Francois Simon, ADD start
echo
for _n in $(get_dkdevs); do
	echo "disk : $_n"
	disklabel -h $_n | grep label
	disklabel -h $_n | grep total
	echo
done
# Jean-Francois Simon, ADD end
ask_which "disk" "will the operating system be installed on" \
	'$(l=$(get_dkdevs); for a in $DISKS_DONE; do
		l=$(rmel $a $l); done; bsort $l)' \
	done

On Monday 30 August 2010 14:51:56, Iñigo Ortiz de Urbina wrote:
 I have been following misc long enough to say, without any fear, that
 OpenBSD community likes hacking rather than talking. Work on it and
 then show some results for feedback, if it is interesting enough.

 Also, misc is for openbsd, strictly, not related projects. Sometimes
 marco's scrotwm bugs appear on the list and are discussed, till its
 sure its a scrotwm, and not an openbsd, bug. Of course, marco is marco

 :-)

 On 8/30/10, Jean-Francois jfsimon1...@gmail.com wrote:
  Hello,
 
  I was thinking about how to help openbsd project, and since I am not able
  to help in programming, I'm thinking about starting something around
  openbsd such
  as a layer making it an easy enough to manage home nas server of good
  quality.
 
  I have not yet the whole picture of how to do it but maybe a project that
  will
  take quite sometime and whose goal is to transform a standard install
  into a ready to run nas server with few efforts.
 
  I don't know yet what it will be like, probably it needs to be package or
  something else, I need to study it more in details so far.
 
  I hope that you will receive well this idea I have and maybe if you do
  wish, support if it is needed.
 
  I will then open something on my own wiki to prepare and work on the
  complete
  project, describe it in detail and start to implement things.
 
  Again thanks for the quality of that os and its documentation which makes
  it very interesting to work on.
 
  Regards
  JF



Is GeForce 8200 supported ?

2010-09-30 Thread Jean-Francois
Hello,

I have a problem starting X and in Xorg.0.log there are the following lines. Is 
it a driver error ? It's an integrated graphics card on the MB providing both 
vesa/hdmi outputs. Could you please help ?

(II) VESA: driver for VESA chipsets: vesa
(II) Primary Device is: PCI 0...@00:00.0
(WW) NV: Ignoring unsupported device 0x10de0849 (GeForce 8200) at 0...@00:00.0
(WW) Falling back to old probe method for vesa
(EE) No devices detected.

Fatal server error:
no screens found



Samba security hole chain_reply

2010-09-12 Thread Jean-Francois
Hello,

I am reading an article about the Samba chain_reply vulnerability called 
CVE-2010-2063, where one can execute a root shell on the server, as far as I 
understand, with all smb servers up to 3.3.13 (excluded).

One basic question, does this have the desired effect under OpenBSD as well, or 
does some randomization mechanism make the exploit lead to uncontrolled 
effects ?

Regards



Re: pf.conf : rdr-to IF rather than IP

2010-09-12 Thread Jean-Francois
Hello,

Well I am not sure dup-to is really suitable, I would like to redirect ports
to multiple ip as following example :

match in on $ext_if proto tcp from any to any port 1050 rdr-to
192.168.1.10:50

Regards

On Sunday 29 August 2010 15:15:28, Bret S. Lambert wrote:
 On Sun, Aug 29, 2010 at 02:05:40PM +0200, Jean-Francois wrote:
  Hello,
 
  I would like to redirect particular ports on the sub-network, not only on
  one ip address of the subnetwork.
 
  Taking an example, I would like some software that listens to ports on
  different machines with different ip addresses without having to change the
  pf.conf rules each time it is needed.

 So...you want traffic matching certain criteria duplicated to multiple
 IP addresses on your network? Did you try to search for duplicate
 in the pf.conf man page?

 I'm not sure what your ultimate goal is (or how you won't have to do
 something when it is needed), but, hey; whatever lifts your luggage.

  Regards
 
   If you can explain what you're actually trying to do, rather
   than talk about how you're thinking of accomplishing it, maybe
   someone can suggest a way.
  
   On 2010-08-28, Jean-Francois jfsimon1...@gmail.com wrote:
Good evening,
   
Is it possible to redirect to an IF or at least an IP range such as
following rules ?
   
match in  on $ext_if proto tcp from any to any port 1024:32768 \
   
 rdr-to $int_if
   
match in  on $ext_if proto tcp from any to any port 1024:32768 \
   
 rdr-to 192.168.100.0/16
   
I am not sure it even makes sense in regard of a redirection in a
network topology but I'll try the question, since it can help to
understand.
   
I am thinking the probability is very high that a redirection of
above kind needs to copy as many times the packets as wide as the
range of ip is.
   
Thanks to help me to understand this point.
   
Jean-François



automounter

2010-09-10 Thread Jean-Francois
Hello,

Do you have an idea where to look for an automounter in openbsd ? I installed 
gnome as a server for a friend and would like that his fat32 usb disks are 
auto mounted ...

It might be useful to auto mount also other kinds of file systems.

And for esata, is it possible to mount without reboot, is this called hot 
plug ? I heard that it's not possible yet ... is this correct ?

Thanks & regards



Re: problem with samba / broadcastClosed, it was an IF misconfiguration.

2010-09-10 Thread Jean-Francois
Solved, was an IF misconfiguration only.

Sorry

On Thursday 09 September 2010 03:48:59, Jean-François SIMON wrote:
 Hello,

 I have tonight a small problem, if you could please check and see if
 something is wrong here.
 The samba share seems blocked, the packets are not broadcasted.

 Thanks.

 # tcpdump -eni pflog0
 03:41:26.500159 rule 30/(match) block in on re1: 192.168.0.195.138 > 192.168.0.255.138: udp 207
 03:41:49.296060 rule 30/(match) block in on re1: 192.168.1.186.137 > 192.168.1.255.137: udp 50

 re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:08:64:a9:51:81
 priority: 0
 media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
 status: active
 inet6 fe80::208:54ff:fea8:5181%re1 prefixlen 64 scopeid 0x2
 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

 ext_if=re0
 int_if=re1

 set skip on lo
 match in all scrub (no-df max-mss 1440)

 match out on $ext_if from 192.168.1.0/24 to any nat-to ($ext_if)

 match in on $ext_if proto tcp from any to any port 4466 rdr-to
 192.168.100.196
 match in on $ext_if proto tcp from any to any port 3729 rdr-to
 192.168.100.195
 match in on $ext_if proto tcp from any to any port 3730 rdr-to
 192.168.100.192
 match in on $ext_if proto tcp from any to any port 3731 rdr-to
 192.168.100.193
 match in on $ext_if proto tcp from any to any port 3733 rdr-to
 192.168.100.190
 match in on $ext_if proto tcp from any to any port 3728 rdr-to
 192.168.100.4
 match in on $ext_if proto udp from any to any port 3740 rdr-to
 192.168.100.187
 match in on $ext_if proto udp from any to any port 46655 rdr-to
 192.168.100.4
 match in on $ext_if proto tcp from any to any port 3734 rdr-to
 192.168.100.186
 match in on $ext_if proto tcp from any to any port 3727 rdr-to
 192.168.100.183
 match in on $ext_if proto tcp from any to any port 3735 rdr-to
 192.168.100.181
 match in on $ext_if proto {tcp,udp} from any to any port 3389 rdr-to
 192.168.100.186
 match in on $ext_if proto tcp from any to any port 5800 rdr-to
 192.168.100.186
 match in on $ext_if proto tcp from any to any port 5900 rdr-to
 192.168.100.186
 match in on $ext_if proto tcp from any to any port 5801 rdr-to
 192.168.100.181
 match in on $ext_if proto tcp from any to any port 5901 rdr-to
 192.168.100.181
 match in on $ext_if proto tcp from any to any port 5902 rdr-to
 192.168.100.193
 match in on $ext_if proto tcp from any to any port 5903 rdr-to
 192.168.100.183
 match in on $ext_if proto {tcp,udp} from any to any port 80 rdr-to
 192.168.100.184
 match in on $ext_if proto {tcp,udp} from any to any port 20 rdr-to
 192.168.100.184
 match in on $ext_if proto tcp from any to any port 16022 rdr-to
 192.168.100.186
 match in on $ext_if proto udp from any to any port 63112 rdr-to
 192.168.100.186
 match in on $ext_if proto udp from any to any port 3726 rdr-to
 192.168.100.3
 match in on $ext_if proto udp from any to any port 31336:31341 rdr-to
 192.168.100.186

 pass out                # outgoing connections pass
 block in log all        # incoming connections blocked by default

 antispoof for $ext_if
 pass in on $int_if proto icmp to any tagged macok
 pass in on $int_if proto tcp to any tagged macok
 pass in on $int_if proto udp to any tagged macok
 pass in on $ext_if proto icmp to any
 pass in on $ext_if proto {tcp,udp} to any port 3389
 pass in on $ext_if proto udp to any port 3726
 pass in on $ext_if proto tcp to any port 3727:3731
 pass in on $ext_if proto tcp to any port 3733:3735

 pass in on $ext_if proto udp to any port 3740
 pass in on $ext_if proto tcp to any port 4466
 pass in on $ext_if proto tcp to any port 5800:5801
 pass in on $ext_if proto tcp to any port 5900:5903
 pass in on $ext_if proto tcp to any port 16022
 pass in on $ext_if proto udp to any port 63112
 pass in on $ext_if proto udp to any port 46655
 pass in on $ext_if proto {tcp,udp} to any port 20
 pass in on $ext_if proto {tcp,udp} to any port 80

 pass in on bridge1

 # cat /etc/hostname.bridge0

 # **
 # * To change the MAC addresses, edit section I *
 # **

 # Create a filtering bridge
 add re1 -learn re1

 # *
 # * Section I (start) *
 # *

 # START OF MAC FILTERING RULES
 # MAC addresses of known client machines

 rule pass in on re1 src c8:0a:a9:20:02:44 tag macok # JB's laptop
 rule pass in on re1 src F0:DE:F1:07:56:77 tag macok # J-F's laptop

 # END OF MAC FILTERING RULES

 # ***
 # * Section I (end) *
 # ***

 # bring up the filtering bridge
 up
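An added example for this thread, not part of the original mail or of OpenBSD: a small parser for `tcpdump -eni pflog0` lines like the two quoted above, which checks each blocked packet against the subnet configured on the interface it arrived on. The first quoted line (source 192.168.0.195 arriving on re1, which is 192.168.1.1/24) is the pattern of the interface misconfiguration the thread ended with; the second is an in-subnet NetBIOS broadcast that the firewall must pass for SMB browsing to work. The interface address and the two log lines are constructed from the values quoted in the mail, IPv4 only, and the function names are mine.

```python
"""Spot blocked pflog packets that do not belong on the interface they hit.

Assumptions (not from the thread): the line format of `tcpdump -eni pflog0`
as quoted in the mail, IPv4 only. Interface address and log lines below are
constructed from the values in the thread.
"""
import ipaddress
import re

# Constructed from the thread: re1 carries 192.168.1.1/24.
INTERFACES = {"re1": ipaddress.ip_interface("192.168.1.1/24")}

# Constructed sample of `tcpdump -eni pflog0`, based on the two lines
# quoted in the mail above.
SAMPLE_LOG = """\
03:41:26.500159 rule 30/(match) block in on re1: 192.168.0.195.138 > 192.168.0.255.138: udp 207
03:41:49.296060 rule 30/(match) block in on re1: 192.168.1.186.137 > 192.168.1.255.137: udp 50
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

NETBIOS_PORTS = {137, 138}   # NetBIOS name service / datagram service


def parse_pflog(text):
    """Parse pflog lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def off_subnet_sources(text, interfaces=INTERFACES):
    """(rule, ifname, src, dst) for inbound blocked packets whose source is
    outside the network configured on the receiving interface. Such hits
    point at a host or interface on the wrong subnet, not at the ruleset."""
    hits = []
    for p in parse_pflog(text):
        iface = interfaces.get(p["ifname"])
        if iface is None or p["action"] != "block" or p["dir"] != "in":
            continue
        if ipaddress.ip_address(p["src"]) not in iface.network:
            hits.append((p["rule"], p["ifname"], p["src"], p["dst"]))
    return hits


def blocked_netbios_broadcasts(text, interfaces=INTERFACES):
    """(rule, src, dport) for blocked UDP 137/138 packets sent to the
    receiving interface's broadcast address; SMB browsing needs these to
    pass, so a hit here explains a share that is reachable but not seen."""
    hits = []
    for p in parse_pflog(text):
        iface = interfaces.get(p["ifname"])
        if iface is None or p["action"] != "block" or p["proto"] != "udp":
            continue
        if p["dport"] in NETBIOS_PORTS and \
                ipaddress.ip_address(p["dst"]) == iface.network.broadcast_address:
            hits.append((p["rule"], p["src"], p["dport"]))
    return hits


if __name__ == "__main__":
    print("off-subnet sources:", off_subnet_sources(SAMPLE_LOG))
    print("blocked netbios broadcasts:", blocked_netbios_broadcasts(SAMPLE_LOG))
```

On a real box, feed it the live output (`tcpdump -eni pflog0 -l`) and fill INTERFACES from ifconfig; the same two checks then separate "wrong subnet" noise from packets the ruleset genuinely has to pass.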



How MAC address is incorporated in packets

2010-08-30 Thread Jean-Francois
Hi,

Might you please indicate how, in the construction of an IP packet, the mac 
address is incorporated into it. Is it the job of the OS or of the IF ? If the OS 
is responsible for it, how is it processed and is it possible to change the 
physical address in the packets sent for an address of our choice ?

Thanks
JF



project : openbsd as nas

2010-08-30 Thread Jean-Francois
Hello,

I was thinking about how to help the openbsd project, and since I am not able to 
help in programming, I'm thinking about starting something around openbsd such 
as a layer making it an easy enough to manage home nas server of good quality.

I have not yet the whole picture of how to do it but maybe a project that will 
take quite sometime and whose goal is to transform a standard install into a 
ready to run nas server with few efforts.

I don't know yet what it will be like, probably it needs to be package or 
something else, I need to study it more in details so far.

I hope that you will receive well this idea I have and maybe if you do wish, 
support if it is needed.

I will then open something on my own wiki to prepare and work on the complete 
project, describe it in detail and start to implement things.

Again thanks for the quality of that os and its documentation which makes it 
very interesting to work on.

Regards
JF



Re: pf.conf : rdr-to IF rather than IP

2010-08-29 Thread Jean-Francois
Hello,

I would like to redirect particular ports on the sub-network, not only on one 
ip address of the subnetwork.

Taking an example, I would like some software that listens to ports on different 
machines with different ip addresses without having to change the pf.conf rules 
each time it is needed.

Regards

 If you can explain what you're actually trying to do, rather
 than talk about how you're thinking of accomplishing it, maybe
 someone can suggest a way.
 
 On 2010-08-28, Jean-Francois jfsimon1...@gmail.com wrote:
  Good evening,
  
  Is it possible to redirect to an IF or at least an IP range such as
  following rules ?
  
  match in  on $ext_if proto tcp from any to any port 1024:32768 \
  
   rdr-to $int_if
  
  match in  on $ext_if proto tcp from any to any port 1024:32768 \
  
   rdr-to 192.168.100.0/16
  
  I am not sure it even makes sense in regard of a redirection in a network
  topology but I'll try the question, since it can help to understand.
  
  I am thinking the probability is very high that a redirection of above
  kind needs to copy as many times the packets as wide as the range of ip
  is.
  
  Thanks to help me to understand this point.
  
  Jean-François



Safely removing the rule blocking 6000:6010 in pf.conf

2010-08-29 Thread Jean-Francois
Hi,

One question, I run gnome on openbsd 4.7 and apparently there is no reason to 
keep the following rule since nothing listens to those ports on my machine.

block in on ! lo0 proto tcp to port 6000:6010

I verified with netstat that there is nothing listening to any of tcp ports in 
the range 6000-6010.

May you please confirm that there is no security issue with removing this rule ?

Regards



Re: Safely removing the rule blocking 6000:6010 in pf.conf

2010-08-29 Thread Jean-Francois
I made a mistake, in fact I deny access by default even to those ports that
are normally available from localhost.

I did this because I see nothing listening to those ports, and gnome is
running through sockets.

I just don't understand why the range tcp 6000:6010 shall be available from
localhost.

Everything runs perfectly with the rule
block in all instead of block in on ! lo0 proto tcp to port 6000:6010

Necessary ports are opened individually, of course.

Rgd
JF


On Sunday 29 August 2010 20:59:11, TeXitoi wrote:
 ropers rop...@gmail.com writes:
  I don't understand. Why are you not running a default deny setup?

 Maybe because this pf.conf is the default one.

  On 29 August 2010 14:45, Jean-Francois jfsimon1...@gmail.com wrote:
   Hi,
  
   One question, I run gnome on openbsd 4.7 and apparently there is
   no reason to keep the following rule since nothing listens to
   those ports on my machine.
  
   block in on ! lo0 proto tcp to port 6000:6010
  
   I verified with netstat that there is nothing listening to any of
   tcp ports in the range 6000-6010.
  
   May you please confirm that there is no security issue with
   removing this rule ?

 Why do you want to remove it? If you don't need to, don't remove it. If
 you want to modify pf.conf, better to use a default block and allow
 only the necessary.



Re: MTA choice

2010-08-28 Thread Jean-Francois
On Wednesday 18 August 2010 11:10:47, Gregory Edigarov wrote:
 On Wed, 18 Aug 2010 10:07:58 +0200

 Henning Brauer lists-open...@bsws.de wrote:
  * Gregory Edigarov g...@bestnet.kharkov.ua [2010-08-17 09:29]:
   Qmail??? Postfix??? easiest to use Oh, please don't... I would
   even not give a dime to exim, which of the big guys I love the
   most, in the terms of ease of configure.  So now I definitely see
   OpenSMTPD as a very viable alternative.
 
  exim is also the one with 80s design (even sendmail abandoned that)
  and shit code.
  pretty much ANYTHING else is a better choice.

 Agreed. That left us to only the choice between sendmail/OpenSMTPD :)
 I would definitely advise for Opensmtpd, but not yet, at least not
 before the 4.8 rel will be rolled, though in 4.7 it is quite stable,
 and runs perfectly on a handful of my places.

 Meta1, which is viewed by some as a sendmail made right is still in
 very deep pre-alpha state... what a pity.

Do we have an idea yet when OpenSMTPD is planned to replace sendmail in the
default install ?

thanks,

J-F



pf.conf : rdr-to IF rather than IP

2010-08-28 Thread Jean-Francois
Good evening,

Is it possible to redirect to an IF or at least an IP range such as following
rules ?

match in  on $ext_if proto tcp from any to any port 1024:32768 \
 rdr-to $int_if

match in  on $ext_if proto tcp from any to any port 1024:32768 \
 rdr-to 192.168.100.0/16

I am not sure it even makes sense in regard of a redirection in a network
topology but I'll try the question, since it can help to understand.

I am thinking the probability is very high that a redirection of above kind
needs to copy as many times the packets as wide as the range of ip is.

Thanks to help me to understand this point.

Jean-François



pf.conf : rule tagged x OR y ?

2010-08-22 Thread Jean-Francois
Hello,

Is it ever possible to have a rule in pf.conf such as :
pass in on $int_if proto tcp to any tagged client or admin

I think not, is the following a correct alternate ?
pass in on $int_if proto tcp to any tagged client
pass in on $int_if proto tcp to any tagged admin

In my opinion the OR is not implemented, at least it seems not documented, 
maybe the following is also possible ?
pass in on $int_if proto tcp to any tagged {client,admin}

Thanks for clarifications



Remotely connect to gnome

2010-08-21 Thread Jean-Francois
Hi All,

I've set up an OpenBSD server running gnome, administered locally or
remotely, for home use.

I've understood that unixes are made to work as workstations and that gnome
and kde can handle that.

Could you please help me to get on the way to making remote connections to
gnome possible, for session login and desktop use?

Thanks for help,

Regards
J-F



Re: Secret key in the packet filter.

2010-07-13 Thread Jean-Francois
On Tuesday, 13 July 2010 17:50:04, Christian Weisgerber wrote:
 Bryan bra...@gmail.com wrote:
  really?  the devs have a backdoor in PF?  you're an idiot...

 Of course we do.
 Don't try to find it.  We have implemented a Langford hack.  If you
 read the source, the backdoor will jump over and inscribe itself
 directly into your brain, and people will be able to take over your
 mind directly.  You have been warned.

Actually, just reading the above mail already gives the required effect, it is
the trick.



Re: OpenBSD Makes Other Things Better (Advocacy)

2010-06-26 Thread Jean-Francois
On Thursday, 24 June 2010 00:56:09, Daniel Melameth wrote:
 While most of us already know how the subject rings true, I still found the
 following from REBOL's CTO's public blog post interesting nonetheless (I've
 never used REBOL):

 This was an interesting build, because it exposed a unique bug due to the
 more secure methods of memory allocation on OpenBSD. Debugging it took some
 time but was worth the effort. The bug has now been fixed and will be part
 of the A100 releases for all platforms.

 The minor blog post is available at http://www.rebol.net/r3blogs/0321.html.

By the way, thanks a lot for highlighting this wonderful language. And it is
very likely that I will use it in the future for creating some utilities.

I confirm small and lightweight needs to keep existing in this world where the
rule is :
growth(time) = a_constant x exponential(time)

Thanks.



Re: opensmtpd

2010-06-26 Thread Jean-Francois
On Saturday, 22 May 2010 15:03:50, Gilles Chehade wrote:
 On Sat, May 22, 2010 at 06:49:54AM -0600, Alvaro Mantilla Gimenez wrote:
  Hello,
 
  Is anyone using OpenSMTPD in production already? If the answer is
  yes..which numbers are handling by OPenSMTPD? (email average by day,
  etc...)
 
  Regards,
 
  Alvaro

 don't. there are heavy changes under the works by both Jacek and I,
 if you run it in production you will be sorry.

 Gilles

Hello,

Can we have an idea about the actual status of this project?
Is there a website or documentation for it?

Thanks & Regards

J-F



OpenBSD as a laptop OS

2010-06-18 Thread Jean-Francois
Hello All,

I am thinking about changing the OS on my laptop to OpenBSD; it is standard
x86.
It would be used as an internet browser, mail client, multimedia, picture & video,
etc.

My question is simple: is OpenBSD convenient enough for daily usage?
What are the experiences about that?

Just to be sure, as of today, is ntfs experimental or working, or not? For
read? For r/w?

I will certainly go with the gnome wm.

I know such a question might not be very convenient to answer; this is just to
be sure I can peacefully back up my data and reinstall freshly without
worrying about anything but using a great OS.

Thanks



sftp chroot doesn't pass the login

2010-05-30 Thread Jean-Francois
Hi,

I am using an sftp server with a chroot, with the following lines in the sshd
configuration file. The same works for my actual server on OpenBSD 4.4, but I
just freshly installed a 4.7 one and on it the sftp login fails (it works without chroot).

Match group web
ChrootDirectory /var/www/htdocs
ForceCommand internal-sftp

Any idea what I got wrong?

Thanks



Re: sftp chroot doesn't pass the login

2010-05-30 Thread Jean-Francois
On Sunday, 30 May 2010 17:39:36, Bret S. Lambert wrote:
 On Sun, May 30, 2010 at 05:22:22PM +0200, Jean-Francois wrote:
  Hi,
 
  I am using sftp server with a chroot with following lines in sshd
  configuration file. The same works for my actual server in 4.4 OpenBSD
  but I just freshly installed a 4.7 one and on it the sftp login fails
  (it works without chroot).
 
  Match group web
 
  ChrootDirectory /var/www/htdocs
  ForceCommand internal-sftp
 
  Any idea what I get wrong ?

 $ grep web /etc/group
 $ grep www /etc/group
 www:*:67:
 $

web is a group and also a user on my OS.
# grep web /etc/group
wheel:*:0:root,admin,web
web:*:1001:web
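One check worth running when an sftp login fails only with ChrootDirectory in effect, added here as an example and not taken from the thread: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and sshd refuses the session otherwise. The script walks the path and reports each component that breaks the rule; the CHROOT_OWNER_UID variable exists only so the checks can be exercised on a scratch tree by a non-root user.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a ChrootDirectory path meets
# the rule sshd_config(5) sets for it: every component of the pathname must be
# a directory owned by root and not writable by group or others. Uses ls -ldnL
# so it needs no GNU- or BSD-specific stat(1) flags.

# Owner uid every component must have; root (0) in real use. It is a variable
# only so the checks can be exercised on a scratch tree by a non-root user.
CHROOT_OWNER_UID=${CHROOT_OWNER_UID:-0}

# check_chroot_component DIR
# Checks one directory: exists, is a directory (symlinks are followed, as
# sshd's stat() does), owned by CHROOT_OWNER_UID, and has no group or other
# write bit. Returns 0 if all hold; otherwise prints the reason(s) and returns 1.
check_chroot_component() {
    dir=$1
    info=$(ls -ldnL "$dir" 2>/dev/null) || { echo "$dir: does not exist"; return 1; }
    mode=${info%% *}                        # e.g. drwxr-xr-x
    uid=$(printf '%s\n' "$info" | awk '{ print $3 }')
    crc=0
    case $mode in
        d*) ;;
        *)  echo "$dir: not a directory ($mode)"; return 1 ;;
    esac
    if [ "$uid" != "$CHROOT_OWNER_UID" ]; then
        echo "$dir: owned by uid $uid, must be uid $CHROOT_OWNER_UID"; crc=1
    fi
    case $mode in
        # character 6 is the group write bit, character 9 the other write bit
        ?????w*|????????w*) echo "$dir: writable by group or others ($mode)"; crc=1 ;;
    esac
    return $crc
}

# check_chroot_path PATH
# Walks every component from / down to PATH (for /var/www/htdocs: /, /var,
# /var/www, /var/www/htdocs) and applies check_chroot_component to each.
# Returns 0 only when all components pass.
check_chroot_path() {
    prc=0
    comp=""
    oldifs=$IFS
    IFS=/
    set -- $1                               # split on '/'; first field is empty
    IFS=$oldifs
    check_chroot_component / || prc=1
    for part in "$@"; do
        [ -n "$part" ] || continue          # leading or doubled slash
        comp="$comp/$part"
        check_chroot_component "$comp" || prc=1
    done
    return $prc
}

# Stand-alone use on the directory from the thread:
#   check_chroot_path /var/www/htdocs && echo "ok for ChrootDirectory"
```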



Consideration before installing on SSD hard drive

2010-05-22 Thread jean-francois
Good afternoon gents,

I am building up a server with basically a solid state drive for the OS
and a 1 TB hard drive for the data.

In order to maximize the lifetime of the SSD, I will avoid mounting
slices that sustain continuous or sparse write access.

Could you briefly let me know the do's and don'ts?

Thanks.

Jean-François



ok for softraid in production (v4.7) ?

2010-05-22 Thread jean-francois
Hello,

May I use with peace of mind the softraid device of OpenBSD 4.7 in
'small production' (personal servers for home use actually) ?

I had understood that as of 4.5 and before the softraid was still under
a lot of development, hence my question.

Thanks & Regards

Jean-François



Re: ok for softraid in production (v4.7) ?

2010-05-22 Thread jean-francois
On Saturday, 22 May 2010 at 21:38 +0200, Robert wrote:
 On Sat, 22 May 2010 21:12:00 +0200
 jean-francois jfsimon1...@gmail.com wrote:
 
  Hello,
  
  May I use with peace of mind the softraid device of OpenBSD 4.7 in
  'small production' (personal servers for home use actually) ?
  
  I had understood that as of 4.5 and before the softraid was still
  under lot of development, so my question.
  
  Thanks & Regards
  
  Jean-François
  
 
 Yes, softraid works fine, haven't had any problems so far.
 But be aware that afaik the metadata might still be changed again in the
 future. In that case a full dump/upgrade/restore cycle is necessary.
 Should not be an issue if you can deal with the extended downtime on
 upgrade. Your data should be backed up anyway.
 
 (Note, if that is related to your question about ssd's, atm data
 in softraid partitions will not align with the eraseblocks, because of
 the metadata block size; Also an issue on 4k sector drives.)
 

It's not SSDs that I'd like to RAID. Thanks.

BTW I have an error with the following command
bioctl -H 0:0.0 sd0
bioctl: BIOCSETSTATE: Invalid argument

Is it normal ?



Re: nmbd does not listen

2010-03-13 Thread Jean-Francois
 [...]
  As for answering requests, how do you know it isn't?  Did you trace
  the process?  Did you use tcpdump to confirm that the packets were
  being received?  Have you confirmed that your pf config isn't blocking
  them?
 
 I didn't trace the process, but tcpdump shows the packets; pflog confirms
 that the pass rule in pf.conf correctly passes the packets.
 [...]
  Philip Guenther

I used the info from Christiano Haesbaert and managed to make it work 
correctly with pf and multicast packet forwarding by setting mforwarding=1 
in sysctl and host=re0 in rc.conf.

I also traced the nmbd process and found this problem, which is also logged in 
the log file smb.nmbd in /var/log:

27Mar 13 16:55:15 nmbd[7796]:   Packet send failed to 10.0.1.255(138) 
ERRNO=Host is down

I can't dig deeper into the problem in this case.
Any help from you please?

Thanks a lot & regards.
JF



Re: Filtering based on MAC address

2010-03-13 Thread Jean-Francois
All,

As suggested.
Just to confirm that it works perfectly.
I made a NAT on ext_if from int_if.

In principle:
- create a bridge, add the int_if to the bridge
- add a rule filtering and tagging based on MAC address, e.g.:
brconfig bridge0 rule pass in  on fxp0 src 9:8:7:6:5:4 tag boss
- filter with pf based on the tag of the packets

Thanks for pointing this out.



nmbd does not listen

2010-03-07 Thread jean-francois
Hi,

After installing the default system + installing samba, I have a system that is 
now working but not replying to Windows port 137 requests to nmbd for 
mapping the server (the Windows network neighbourhood function).

After checking netstat I see that nmbd is not listening on this port, although 
it is running.

Is there some basic configuration I missed?

Regards



Re: nmbd does not listen

2010-03-07 Thread jean-francois
On Sunday, 7 March 2010 15:18:49, Rogier Krieger wrote:
 On Sun, Mar 7, 2010 at 14:31, jean-francois jfsimon1...@gmail.com wrote:
  Is there some basic configuration I missed to do ?

 As a quick check, did you start both smbd and nmbd components (ps ax
 is your friend here) and did you place the necessary lines in
 /etc/rc.local as per the message you received upon install? If you
 missed that, see pkg_info(1) and its -M option.

 Alternatively, review the log files for samba to see what's (not)
 happening.

 Regards,

 Rogier

Yes, daemons are loaded.

# ps -ax | grep mbd
 5434 ??  Is  0:00.01 /usr/local/libexec/smbd
28545 ??  I   0:00.00 /usr/local/libexec/smbd
19915 ??  Ss  0:00.03 /usr/local/libexec/nmbd
 2725 ??  I   0:00.11 /usr/local/libexec/smbd

In rc.local I don't have the -M option, what is this for ?

if [ -x /usr/local/libexec/smbd ]; then
    echo -n ' smbd'
    /usr/local/libexec/smbd
fi
if [ -x /usr/local/libexec/nmbd ]; then
    echo -n ' nmbd'
    /usr/local/libexec/nmbd
fi
I have a process related to nmbd binding to UDP 137 in the systat net page,
but it's not marked LISTEN or ESTABLISHED, it's just empty, as if the
process was not listening. It's nmbd. This process doesn't actually listen,
apparently.

In the log it says the following, which seems understandable since nmbd does not
listen on UDP 137.

Mar  7 19:03:04 serveur nmbd[19915]: [2010/03/07 19:03:04, 0]
/usr/obj/ports/samba-3.0.34/samba-3.0.34/source/libsmb/nmblib.c:send_udp(793)
Mar  7 19:03:04 serveur nmbd[19915]:   Packet send failed to 10.0.1.255(138)
ERRNO=Host is down



Re: nmbd does not listen

2010-03-07 Thread Jean-Francois
On Sunday, 7 March 2010 21:15:24, J.C. Roberts wrote:
 On Sun, 7 Mar 2010 19:10:20 +0100 jean-francois

 jfsimon1...@gmail.com wrote:
  On Sunday, 7 March 2010 15:18:49, Rogier Krieger wrote:
   On Sun, Mar 7, 2010 at 14:31, jean-francois jfsimon1...@gmail.com
  
   wrote:
Is there some basic configuration I missed to do ?
  
   As a quick check, did you start both smbd and nmbd components (ps ax
   is your friend here) and did you place the necessary lines in
   /etc/rc.local as per the message you received upon install? If you
   missed that, see pkg_info(1) and its -M option.
  
   Alternatively, review the log files for samba to see what's (not)
   happening.
  
   Regards,
  
   Rogier
 
  Yes, daemons are loaded.
 
  # ps -ax | grep mbd
 
   5434 ??  Is  0:00.01 /usr/local/libexec/smbd
 
  28545 ??  I   0:00.00 /usr/local/libexec/smbd
  19915 ??  Ss  0:00.03 /usr/local/libexec/nmbd
 
   2725 ??  I   0:00.11 /usr/local/libexec/smbd
 
  In rc.local I don't have the -M option, what is this for ?

 He was speaking of the package tools and how to get the install message
 again if you missed it the first time. For example:

   $ pkg_info -M samba

 For more information:

   $ man pkg_info

  if [ -x /usr/local/libexec/smbd ]; then
 
  echo -n ' smbd'
  /usr/local/libexec/smbd
 
  fi
  if [ -x /usr/local/libexec/nmbd ]; then
 
  echo -n ' nmbd'
  /usr/local/libexec/nmbd
 
  I have a process relative to nmbd binding to UDP 137 in the systat
  net page - but it's not mentionned LISTEN or ESTABLISHED, it's just
  empty as if the process was not listening. It's nmbd. This process
  does'nt listen actually apprearently.
 
  In log it says the following which seems understanble since nmbd does
  not listen on UDP 137.
 
  Mar  7 19:03:04 serveur nmbd[19915]: [2010/03/07 19:03:04, 0]
  /usr/obj/ports/samba-3.0.34/samba-3.0.34/source/libsmb/nmblib.c:send_udp
  (793) Mar  7 19:03:04 serveur nmbd[19915]:   Packet send failed to
  10.0.1.255(138) ERRNO=Host is down

 Are you sure the desired processes have opened the desired ports?

   $ fstat | grep -E 'USER|internet'

 Are you sure your /etc/pf.conf is allowing connections?

 -jon

I am not sure, but I believe the problem is in smb.conf.
I tried to change many parameters to make nmbd LISTEN and answer UDP/137
requests, without success.

root nmbd   185817* internet dgram udp *:137
root nmbd   185818* internet dgram udp *:138
root nmbd   185819* internet dgram udp 10.0.1.1:137
root nmbd   18581   10* internet dgram udp 10.0.1.1:138
root smbd   23715   19* internet stream tcp 0xd78abc84 *:445
root smbd   23715   20* internet stream tcp 0xd78abe14 *:139
root sshd   240994* internet6 stream tcp 0xd78ab644 *:6
root sshd   240995* internet stream tcp 0xd78ab7d4 *:6

Thank you



Re: nmbd does not listen

2010-03-07 Thread Jean-Francois
Hello,

On Monday, 8 March 2010 05:13:34, you wrote:
 On Sun, Mar 7, 2010 at 1:37 PM, Jean-Francois jfsimon1...@gmail.com
 wrote: ...

  I am not sure but believe the problem is in smb.conf

 ...but you'll not actually show the contents of that file.  I take it
 you're taking the problem to the samba mailing lists then?

I used the default file, with security user and two mount points shared as
user. I then tried to change the parameters such as local master and domain
master as explained in the man page and examples.
I did not ask the samba mailing list simply because I had not yet suggested it
came from smb.conf - I am not sure about this.

  I tried to change many parameters to make nmbd LISTEN and answer UDP/137
  requests without success.

 Repeat after me: UDP IS STATELESS.

Thanks for the reminder. Yet I did not know that, for this reason, LISTEN
wasn't mentioned.

 Indeed, a quick examination of the output of netstat on any OpenBSD
 system shows that the state column is *always* empty for UDP sockets.

 As for answering requests, how do you know it isn't?  Did you trace
 the process?  Did you use tcpdump to confirm that the packets were
 being received?  Have you confirmed that your pf config isn't blocking
 them?

I didn't trace the process, but tcpdump shows the packets; pflog confirms that
the pass rule in pf.conf correctly passes the packets.

 It's been years since I've had to deal with samba, so I can't really
 help you further...other than to point out that you failed to provide
 any information about your system or the samba you're running.  What
 version of OpenBSD?  Did you install the samba package from the ftp
 site, or did you build the port yourself, or did you download the
 source and build it yourself without using the ports framework?

It's 4.6 default + samba 3 default from packages.
I did not copy all information such as the content of smb.conf and pf.conf as I
did not feel it necessary - for the first, it is close enough to default, and
for the second it's perfectly passing what is needed for the process to work.


 Philip Guenther



Re: Filtering based on MAC address

2010-03-06 Thread Jean-Francois
  What is the reason why some packets passing on re0 will not be seen on
  bridge0
  
  given I set up the following configuration :
  bridgename.bridge0
  add re0
  up
  
  I expected to see all the packets passing on re0 on bridge0 too which is
  obviously not the case.
 
 That would be wrong.  The bridge is a bridge, not a virtual software
 switch.
 
 It decides not to forward packets which don't need to hit the other
 segments.
 
 This is described very well in the manual page.
 
  # brconfig
  bridge0: flags=141UP,RUNNING,PROMISC
  
  priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
  rstp re0 flags=3LEARNING,DISCOVER
  
  port 2 ifpriority 0 ifcost 0
  
  Addresses (max cache: 100, timeout: 240):
  00:1f:d0:d0:db:59 re0 1 flags=0
  00:22:b0:de:32:60 re0 1 flags=0
  
  # ifconfig
  re0: flags=8b43UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST
  mtu 1500
  
  lladdr 00:09:55:a9:72:81
  priority: 0
  groups: egress
  media: Ethernet autoselect (1000baseT
  full-duplex,rxpause,txpause) status: active
  inet6 fe80::208:55ff:aea8:7281%re0 prefixlen 64 scopeid 0x2
  inet 10.0.1.44 netmask 0xff00 broadcast 10.0.1.255
  
  enc0: flags=0 mtu 1536
  
  priority: 0
  
  bridge0: flags=141UP,RUNNING,PROMISC mtu 1500
  
  priority: 0
  groups: bridge
  
  pflog0: flags=141UP,RUNNING,PROMISC mtu 33200
  
  priority: 0
  groups: pflog
  
  Regards.

I think it's just my mistake, I used to listen on bridge0 and therefore could 
see only broadcast packets.
#tcpdump -i bridge0

Is the rule:
#brconfig bridge0 rule pass in  on fxp0 src 9:8:7:6:5:4 tag boss
working in case bridge0 has only one member, which means packets have nowhere 
to be forwarded? Or do I need to make a virtual device so that packets 
will be forwarded to it for the tagging rule to work?

Regards



Re: Filtering based on MAC address

2010-03-05 Thread Jean-Francois
Hello All,

I do not want to insist too much further about this problem, but I need to
find a solution in order to implement that feature properly.

I can't resolve how to do it considering I am looking to do a NAT and not a
bridged connection. For this reason the bridge drops packets.

If you have any idea to help me try something new, it would be
helpful.

Thanks.

On Thursday, 4 March 2010 19:17:00, Jean-Francois wrote:
 On Wednesday, 3 March 2010 21:38:18, you wrote:
   What is the reason why some packets passing on re0 will not be seen on
   bridge0
  
   given I set up the following configuration :
 bridgename.bridge0
 add re0
 up
  
   I expected to see all the packets passing on re0 on bridge0 too which
   is obviously not the case.
 
  That would be wrong.  The bridge is a bridge, not a virtual software
  switch.
 
  It decides not to forward packets which don't need to hit the other
  segments.
 
  This is described very well in the manual page.

 Yet I expected that, provided interfaces are marked with -learn and the
 bridge is flushed, the following behaviour would happen, which it isn't.

 From bridge(4)
 If the bridge has no knowledge about where the destination is to be found,
 the bridge will forward the frame to all attached segments.

 # brconfig bridge0 addr
 # brconfig
 bridge0: flags=141UP,RUNNING,PROMISC
 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
 rstp sis0 flags=2DISCOVER
 port 1 ifpriority 0 ifcost 0
 gif0 flags=3LEARNING,DISCOVER
 port 7 ifpriority 0 ifcost 0
 re0 flags=2DISCOVER
 port 2 ifpriority 0 ifcost 0
 pass in on re0 src 00:22:b0:bd:32:61 tag server
 pass in on re0 src 00:1f:d0:a0:db:49 tag client
 Addresses (max cache: 100, timeout: 240):



Re: Filtering based on MAC address

2010-03-04 Thread Jean-Francois
I am working on two ideas.

The first is to bridge gif0 and int_if and NAT gif0 and ext_if.
The second is to find a trick in order to filter MAC on the bridge and tag.

Could you help me to find a solution, preferably for the second one, which I
can't figure out how to implement?

Thanks & regards

On Wednesday, 3 March 2010 22:39:59, Jean-Francois wrote:
 Thank you for your help in understanding.

 I want to configure a NAT between int_if and ext_if and filter based on MAC
 address.

 I was going to proceed as follows, but after reading bridge(4) man page I
 understand that the following won't work.

 If the bridge0 has only one member, int_if, it will never accept the
 packets but broadcast, in this case it will not tag them either.

 Is it correct and how to proceed in that case ?
 I would like to tag packets based on their MAC address.

 re0 : int_if
 sis0 : ext_if

 nat on ext_if from int_if -> ext_if

 int_if member of bridge0

 brconfig bridge0 rule pass in on re0 src 1:2:3:4:5:6 tag allowed

 Regards.



Re: Filtering based on MAC address

2010-03-04 Thread Jean-Francois
On Wednesday, 3 March 2010 21:38:18, you wrote:
  What is the reason why some packets passing on re0 will not be seen on
  bridge0
 
  given I set up the following configuration :
  bridgename.bridge0
  add re0
  up
 
  I expected to see all the packets passing on re0 on bridge0 too which is
  obviously not the case.

 That would be wrong.  The bridge is a bridge, not a virtual software
 switch.

 It decides not to forward packets which don't need to hit the other
 segments.

 This is described very well in the manual page.

Yet I expected that, provided interfaces are marked with -learn and the
bridge is flushed, the following behaviour would happen, which it isn't.

From bridge(4):
If the bridge has no knowledge about where the destination is to be found, the
bridge will forward the frame to all attached segments.

# brconfig bridge0 addr
# brconfig
bridge0: flags=141<UP,RUNNING,PROMISC>
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
sis0 flags=2<DISCOVER>
port 1 ifpriority 0 ifcost 0
gif0 flags=3<LEARNING,DISCOVER>
port 7 ifpriority 0 ifcost 0
re0 flags=2<DISCOVER>
port 2 ifpriority 0 ifcost 0
pass in on re0 src 00:22:b0:bd:32:61 tag server
pass in on re0 src 00:1f:d0:a0:db:49 tag client
Addresses (max cache: 100, timeout: 240):



Re: Filtering based on MAC address

2010-03-03 Thread Jean-Francois
Hi,

What is the reason why some packets passing on re0 are not seen on bridge0, 
given I set up the following configuration:

bridgename.bridge0
add re0
up

I expected to see all the packets passing on re0 on bridge0 too, which is 
obviously not the case.

# brconfig
bridge0: flags=141<UP,RUNNING,PROMISC>
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
re0 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
00:1f:d0:d0:db:59 re0 1 flags=0
00:22:b0:de:32:60 re0 1 flags=0

# ifconfig
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 
1500
lladdr 00:09:55:a9:72:81
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::208:55ff:aea8:7281%re0 prefixlen 64 scopeid 0x2
inet 10.0.1.44 netmask 0xff00 broadcast 10.0.1.255
enc0: flags=0 mtu 1536
priority: 0
bridge0: flags=141<UP,RUNNING,PROMISC> mtu 1500
priority: 0
groups: bridge
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
priority: 0
groups: pflog

Regards.



Re: Filtering based on MAC address

2010-03-03 Thread Jean-Francois
Thank you for your help in understanding.

I want to configure a NAT between int_if and ext_if and filter based on MAC 
address.

I was going to proceed as follows, but after reading bridge(4) man page I 
understand that the following won't work.

If bridge0 has only one member, int_if, it will never accept the packets 
except broadcast; in this case it will not tag them either.

Is this correct, and how to proceed in that case?
I would like to tag packets based on their MAC address.

re0 : int_if
sis0 : ext_if

nat on ext_if from int_if -> ext_if

int_if member of bridge0

brconfig bridge0 rule pass in on re0 src 1:2:3:4:5:6 tag allowed

Regards.



Re: Dump levels ?

2010-03-03 Thread Jean-Francois
On Thursday, 18 February 2010 23:02:38, Otto Moerbeek wrote:
 On Thu, Feb 18, 2010 at 10:54:55PM +0100, Jean-Francois wrote:
  Hi,
 
  Is it possible to clarify what resides behind the concept of levels
  regarding dump(8) ?
  For me the level 0 is understood to be a complete dump of all files on at
  a given mount point and all subdirectories. But I can't figure out what
  upper levels are.
 
  Regards

 A level 0 dumps includes all files. A level n dump are all the files
 that have changed or were added since the last level n - 1 dump.

   -Otto

Are all dump levels packed into the same file, as I seem to understand?

As far as I am concerned I dump in this way:
dump  -0u -f /mnt/backup/backup /mnt/donnees/
dump  -1u -f /mnt/backup/backup /mnt/donnees/
...

This is correct, isn't it?
Regards.
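To make the level rule concrete, here is an added example (not from the thread) that applies dump(8)'s definition, a level N dump holds every file new or modified since the most recent dump of any lower level, to a constructed /etc/dumpdates-style record and derives which dumps restore(8) would need, in order. The device names, dates and ISO-formatted timestamps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): work out which dumps restore(8) needs,
# from dump(8)'s rule that a level N dump holds every file new or modified
# since the most recent dump of any lower level. It runs on a constructed
# record in the shape of /etc/dumpdates, not on the real file.

# Constructed sample. Real /etc/dumpdates lines read "<device> <level> <date>"
# and hold one line per device and level, the date being that of the latest
# dump at that level. Dates here are ISO 8601 so that string order is date
# order (a simplification of the ctime(3) format the real file uses).
DUMPDATES_SAMPLE='/dev/rwd0e 0 2010-02-20T23:00:00
/dev/rwd0e 2 2010-02-22T23:00:00
/dev/rwd0e 1 2010-02-23T23:00:00
/dev/rwd1a 0 2010-02-21T01:00:00'

# latest_dump DEVICE
# Prints "<level> <date>" of the most recent dump of DEVICE, or nothing.
latest_dump() {
    printf '%s\n' "$DUMPDATES_SAMPLE" | awk -v dev="$1" '
        $1 == dev && $3 > best { best = $3; blvl = $2 }
        END { if (best != "") print blvl, best }'
}

# dump_base DEVICE LEVEL DATE
# Prints "<level> <date>" of the dump that a LEVEL dump of DEVICE taken at
# DATE is relative to: the most recent earlier dump with a strictly lower
# level. Prints nothing for level 0, which is a full dump and has no base.
dump_base() {
    printf '%s\n' "$DUMPDATES_SAMPLE" | awk -v dev="$1" -v lvl="$2" -v when="$3" '
        $1 == dev && $2 < lvl && $3 < when && $3 > best { best = $3; blvl = $2 }
        END { if (best != "") print blvl, best }'
}

# restore_chain DEVICE
# Prints, oldest first, the dumps to feed to restore(8) in order: the level 0
# dump, then each incremental the next one is based on, ending at the most
# recent dump. Dumps outside the chain (the level 2 of 2010-02-22 in the
# sample) were superseded by a later, lower-level dump and are not needed.
restore_chain() {
    chain=""
    cur=$(latest_dump "$1")
    while [ -n "$cur" ]; do
        if [ -n "$chain" ]; then
            chain="$cur
$chain"
        else
            chain=$cur
        fi
        # ${cur%% *} is the level, ${cur#* } the date
        cur=$(dump_base "$1" "${cur%% *}" "${cur#* }")
    done
    printf '%s\n' "$chain"
}

# Stand-alone use:
#   restore_chain /dev/rwd0e
```

Because restore(8) needs every dump in the chain, each level should be written to its own file instead of reusing one -f path, so the level 0 dump is still there when the incremental is taken.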



poor setwork performance on gigabit link

2010-02-26 Thread jean-francois
Hi All,

I can reach only approx. 8 Mbyte/s on a LAN between the server and the client.

The complete network is capable of gigabit, yet the speed reaches 15 Mb/s, then 
starts to swing high/low and stabilises at 8000 kb/s.

I tried the 2 interfaces of the server (running OpenBSD) with similar results.

The client is at 10.0.1.32, the server at 10.0.1.1 - this is the LAN on a gigabit 
link.

Could you please see if there is any trouble in the information below 
that explains this? After several checks of the physics and the software, I 
have run out of ideas about this problem and where to look.

Thank you

dmesg

 LBA, 30800MB, 63078400 sectors
wd1 at pciide1 channel 1 drive 0: WDC WD10EADS-00L5B1
wd1: 16-sector PIO, LBA48, 953869MB, 1953525168 sectors
nfe0 at pci0 dev 10 function 0 NVIDIA MCP77 LAN rev 0xa2: apic 4 int 15 (irq 
15), address 00:30:1c:24:e3:ea
eephy0 at nfe0 phy 19: 88E1116 Gigabit PHY, rev. 1
ppb1 at pci0 dev 11 function 0 NVIDIA MCP77 PCIE rev 0xa1
pci2 at ppb1 bus 2
vga1 at pci2 dev 0 function 0 vendor NVIDIA, unknown product 0x0849 rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb2 at pci0 dev 16 function 0 NVIDIA MCP77 PCIE rev 0xa1: apic 4 int 16 
(irq 255)
pci3 at ppb2 bus 3
ppb3 at pci0 dev 18 function 0 NVIDIA MCP77 PCIE rev 0xa1: apic 4 int 16 
(irq 255)
pci4 at ppb3 bus 4
pchb0 at pci0 dev 24 function 0 AMD AMD64 0Fh HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 0Fh Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 0Fh DRAM Cfg rev 0x00
kate0 at pci0 dev 24 function 3 AMD AMD64 0Fh Misc Cfg rev 0x00: core rev 
BH-F2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x2e/2: IT8716F rev 3, EC port 0x290
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 NVIDIA OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 NVIDIA OHCI root hub rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
uhub4 at uhub3 port 5 BTC USB Keyboard rev 1.10/0.03 addr 2
uhidev0 at uhub4 port 1 configuration 1 interface 0 BTC USB Keyboard rev 
1.10/0.03 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub4 port 1 configuration 1 interface 1 BTC USB Keyboard rev 
1.10/0.03 addr 3
uhidev1: iclass 3/0, 7 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid2 at uhidev1 reportid 3: input=2, output=0, feature=0
uhid3 at uhidev1 reportid 7: input=3, output=0, feature=0
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
syncing disks... 
OpenBSD 4.6 (GENERIC.MP) #81: Thu Jul  9 21:26:19 MDT 2009
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1004470272 (957MB)
avail mem = 962330624 (917MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf (38 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 08/11/2008
bios0: Shuttle Inc SN78S
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT HPET MCFG SLIC APIC
acpi0: wakeup devices HUB0(S5) XVR0(S5) XVR1(S5) XVR2(S5) XVR3(S5) XVR4(S5) 
XVR5(S5) XVR6(S5) XVR7(S5) USB0(S3) USB1(S3) USBB(S3) USB2(S3) AZAD(S5) 
MMAC(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2500 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+, 2000.28 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+, 2000.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
ioapic0 at mainbus0 apid 4 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature 75 

Re: poor network performance on gigabit link

2010-02-26 Thread jean-francois
On Friday, 26 February 2010 19:48:55, Christiano F. Haesbaert wrote:
 Sorry but I'm dying of curiosity, how the heck did you swap a n by
 a s in your subject ?

I can't say.

Thanks for the few answers; however, I already tried such things as raising
net.inet.tcp.recvspace and net.inet.tcp.sendspace to higher values, yet the
result is still the same.

I also checked the past information on the list, but without finding an answer
to my problem yet.

I tried from various clients as well, the result is still the same.

Regards.



Re: poor setwork performance on gigabit link

2010-02-26 Thread jean-francois
I think the topic is closed.
Thanks for noticing the PIO mode.
The network is ok but the disk mode is not. Here is the limit, not the network.

Regards.

On Friday, 26 February 2010 21:04:04, Peter Strömberg wrote:
 On 2/26/2010 5:27 PM, jean-francois wrote:
  pciide1 at pci0 dev 9 function 0 NVIDIA MCP77 AHCI rev 0xa2: DMA
  (unsupported), channel 0 wired to native-PCI, channel 1 wired to
  native-PCI pciide1: using apic 4 int 11 (irq 11) for native-PCI
  interrupt
  wd0 at pciide1 channel 0 drive 0:OCZ SOLID_SSD
  wd0: 1-sector PIO, LBA, 30800MB, 63078400 sectors
  wd1 at pciide1 channel 1 drive 0:WDC WD10EADS-00L5B1
  wd1: 16-sector PIO, LBA48, 953869MB, 1953525168 sectors

 Eh, running in pio-mode won't help your performance ...

 I copied 36.1 GB of data in slightly less than 9 minutes for 71 MB/S

 client: windows vista 64
 server: openbsd amd64
  kern.bufcachepercent=40
  samba
  socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
  em nic, 4K jumbo frames
  ahci0 at pci0 dev 17 function 0 ATI SBx00 SATA rev 0x00: apic 4
 int 22 (irq 10), AHCI 1.1
  sd0 at scsibus0 targ 1 lun 0: ATA, WDC WD10EADS-00L, 01.0 SCSI3
 0/direct fixed
 switch: hp ProCurve 1800-24G



Re: Filtering based on MAC address

2010-02-21 Thread Jean-Francois
I am not completely sure I understand: is it possible to make a pseudo device 
bridged to an interface, marking the packets with a tag according to rules 
based on MAC address, and then take account of the tag in pf while doing NAT 
translation to a second interface?

In my opinion, this might be possible.

Regards



Re: Filtering based on MAC address

2010-02-21 Thread Jean-Francois
On Sunday, 21 February 2010 11:07:28, Tomas Bodzar wrote:
 Yep, see snippet from man page for brconfig(8)

  The following commands will tag packets from and to 9:8:7:6:5:4 on fxp0
  so that pf(4) can refer to them using the tagged directive:

# brconfig bridge0 rule pass in  on fxp0 src 9:8:7:6:5:4 tag
 boss # brconfig bridge0 rule pass out on fxp0 dst 9:8:7:6:5:4 tag boss

  An example pf.conf(5) rule using this tag is:

pass tagged boss queue q_med


 You created bridge device for your NIC and then you can use tag boss
 in pf rules. The change in future will be that there will be no
 brconfig(8) command, but it will be included in ifconfig(8).

 On Sun, Feb 21, 2010 at 10:52 AM, Jean-Francois jfsimon1...@gmail.com
wrote:
  I am not completely sure to understand, is it possible to make a pseudo
  device bridged to an interface and marking the packets with a tag
  according to rules based on MAC adress and then to take account of the
  tag in pf while doing NAT translation to a second interface ?
 
  In my opinion, this might be possible.
 
  Regards

All,

I tried to do the below but for the moment I have basic problems; however,
the principle should work in my understanding of the system.

Internal network with a switch, several machines wired to re0 on OpenBSD
re0 IF will be NATed to re1, the Internet connection.
re0 will be member of bridge0.
bridge0 will tag the packets according to their MAC address.
pf rules regarding the NAT translation and RDR rules will be based on the tag
AVAIL coming from the bridge rule.

Internal network

/ OpenBSD box
re0 - bridge0 + rule tag AVAIL based on MAC address of the packets
  |
  DHCP + NAT on re1 provided packets are tagged AVAIL
  |
re1
/ End of OpenBSD box
  |
Internet

Regards



another filesystem as backup

2010-02-21 Thread Jean-Francois
Hi All,

Do you believe it is not a bad idea to use ext2 as a file system for the 
regular back-up (dumps) of the filesystem ?

Actually, I would like to be able to read from a simple Linux the disk that 
contains the dumps - that's the reason why.

Are there any constraints in doing so? Would you strongly recommend keeping ffs 
as the file system on the backup disk for relevant reasons?

Regards



Re: another filesystem as backup

2010-02-21 Thread Jean-Francois
Hello,

On Sunday 21 February 2010 16:11:20, you wrote:
 For storage/backup you may find much more better Hammer FS or ZFS

I can't find out how to make a newfs with HFS or ZFS. Are there any additional
packages to install ?



RAID1 : offline - online (how to?)

2010-02-21 Thread Jean-Francois
Hi All,

Sorry for so many questions, but still the manual may not always answer 
them.

I actually mounted 2 usb pens in RAID 1 in order to understand how it works.
When one is removed the RAID device properly works.
When remounted I keep having the device offline.

$ sudo bioctl -i sd2
Volume  Status   Size Device
softraid0 0 Degraded509894144 sd2 RAID1
  0 Offline 509894144 0:0.0   noencl sd0a
  1 Online 1011636224 0:1.0   noencl sd1a

How do we make the device become online again ?
BTW does the same apply for physical drives instead of usb pens ?

Thank you.



Re: RAID1 : offline - online (how to?)

2010-02-21 Thread Jean-Francois
On Sunday 21 February 2010 18:56:32, Rogier Krieger wrote:
 On Sun, Feb 21, 2010 at 17:51, Jean-Francois jfsimon1...@gmail.com wrote:
  Sorry for so many questions, but still the manual may not always
  answer them.

 Did you read bioctl(8) and did you try the -R option that man page
 mentions? It would seem appropriate for your question.
Yes I did.
Seems appropriate in the latest man, but it did not appear in my man page. The -R
isn't available in version 4.4? Any way to proceed?



Re: another filesystem as backup

2010-02-21 Thread Jean-Francois
Hello,

Thanks I will read.

My problem is that the disks will be available in RAID1 for system to dump
upon, and in case the system itself is not responsive anymore or fails to boot
for a hardware reason, I need the external hard drives to be readable by a
Linux system. But they will be mounted and used in the OpenBSD by default.

I first wanted to use a file system usable by both OpenBSD and Linux, however
it does not look very appropriate. ZFS and HFS don't seem very easy to mount on
OpenBSD, am I right?

I also could not easily use EXT2 with both Linux and OpenBSD: either one can
see and mount it but the other cannot, or the other can but the first cannot.

I might end with the FFS for the backup drive in the end.

Regards

On Sunday 21 February 2010 18:23:09, Tomas Bodzar wrote:
 Anyway it's quite OT :-)

 Here are two stories:

 http://leaf.dragonflybsd.org/mailarchive/users/2009-02/msg00090.html
 http://blogs.smugmug.com/don/2008/10/10/success-with-opensolaris-zfs-mysql-in-production/


 We are still talking just about backup/storage. ZFS has a lot of
 features and has been used for about 4 years or so in production. Hammer
 FS doesn't have as many features and has been stable for about a year. btrfs
 is for those who want to experiment. Some cons - OpenSolaris has a
 terrible dev process, but you must use dev if you want updates and
 security updates, and there are a lot of bugs in those versions.
 Solaris is not free anymore, including security updates, after a change in
 the rules a week ago. Support for ZFS in FreeBSD is marked as
 experimental, but it depends. So Hammer FS looks like the most promising
 regarding features on other BSD systems (just my personal tip)

 On Sun, Feb 21, 2010 at 5:59 PM, Jean-Francois jfsimon1...@gmail.com
wrote:
  Hello,
 
  On Sunday 21 February 2010 16:11:20, you wrote:
  For storage/backup you may find much more better Hammer FS or ZFS
 
  I can't find out how to make a newfs with HFS or ZFS. Are there any
  additional packages to install ?



Re: RAID1 : offline - online (how to?)

2010-02-21 Thread Jean-Francois
Making the test again on 4.6, now I get "bioctl: BIOCCREATERAID: Invalid 
argument", this time on another machine. Am I wrong on any point?

Is there any need to compile raid into the kernel as I saw here ?
http://www.argon18.com/raid_openbsd.html

Following example (same method as I first used)

EXAMPLES
 An example to create a 3 chunk RAID 1 from scratch is as follows:

 Initialize the partition tables of all disks:

   # fdisk -iy wd1
   # fdisk -iy wd2
   # fdisk -iy wd3

 Now create RAID partitions on all disks:

   # printf a\n\n\n\nRAID\nw\nq\n\n | disklabel -E wd1
   # printf a\n\n\n\nRAID\nw\nq\n\n | disklabel -E wd2
   # printf a\n\n\n\nRAID\nw\nq\n\n | disklabel -E wd3

 Assemble the RAID volume:

   # bioctl -c 1 -l /dev/wd1a,/dev/wd2a,/dev/wd3a softraid0

And here I end up with the following error bioctl: BIOCCREATERAID: Invalid 
argument

Here's dmesg :

OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) XP 2800+ (AuthenticAMD 686-class, 512KB L2 cache) 2.09 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 771256320 (735MB)
avail mem = 736366592 (702MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/19/04, BIOS32 rev. 0 @ 0xfac00, SMBIOS rev. 2.3 @ 0xf0100 (33 entries)
bios0: vendor Award Software International, Inc. version R01-A2 date 08/19/2004
bios0: Acer AcerPower M2
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0xd074
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd000/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 5 9 10 11
pcibios0: no compatible PCI ICU found: ICU vendor 0x1039 product 0x0964
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8000! 0xd/0xa000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 SiS 741 PCI rev 0x03
sisagp0 at pchb0
agp0 at sisagp0: aperture at 0xe800, size 0x400


Re: Dump levels dump(8) man page clarification

2010-02-20 Thread Jean-Francois
On Friday 19 February 2010 22:04:00, Philip Guenther wrote:
 On Fri, Feb 19, 2010 at 12:49 PM, Jean-Francois jfsimon1...@gmail.com
 wrote: ...

  Not sure I understand the subtlety of the man page explanations regarding
  the dump of different kinds of mount points.
 
  Just one additional information, the dump of higher levels work when I
  dump /var but not /var/htdocs.

 The key is the last sentence of this paragraph from the dump(8) manpage:
  files-to-dump is either a mountpoint of a filesystem or a list of
 files and directories on a single filesystem to be backed up as a subset
 of the filesystem.  In the former case, either the path to a mounted
 filesystem or the device of an unmounted filesystem can be used.  In the
 latter case, certain restrictions are placed on the backup: -u is ignored,
 the only dump level that is supported is -0, and all of the files must
 reside on the same filesystem.

 So, if you're not dumping an entire filesystem, then you always get a
 full (level 0) dump.

 (Why?  At least part of the reason is that if you're not doing the
 full filesystem, inode ctime isn't sufficient to determine whether a
 file would be new to the dump.)


 Philip Guenther

Is it possible to clarify further this particular paragraph of dump(8)? I can't
understand the differences that are explained here between the nature of the
mount points and file systems and the relationship to what is prohibited (L+1
dumps are).

Thanks.
Regards



Re: Dump levels ?

2010-02-19 Thread Jean-Francois
On Friday 19 February 2010 21:15:46, Otto Moerbeek wrote:
 On Thu, Feb 18, 2010 at 11:51:23PM +0100, Jean-Francois wrote:
  On Thursday 18 February 2010 23:43:38, Adriaan wrote:
   On Thu, Feb 18, 2010 at 11:21 PM, Jean-Francois jfsimon1...@gmail.com
   wrote:
  
   [snip]
  
My dump level 1 dumps all the files again. How to let it dump based
on the lower level ?
   
I did as follows :
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/
  
   You did two level 0 dumps, so what else you expect ?;)
 
  Mistyped the mail. I proceed in this way and get two times the same dump.
  Is it normal ?
  sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
  sudo dump -1ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/

 Show your dump output. Of both runs.

   -Otto

Not sure I understand the subtlety of the man page explanations regarding the
dump of different kinds of mount points.

Just one additional piece of information: dumps of higher levels work when I dump
/var but not /var/htdocs.

$ sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
  DUMP: Ignoring u flag for subdir dump
  DUMP: Dumping sub files/directories from /var
  DUMP: Dumping file/directory /var/www/htdocs/
  DUMP: Date of this level 0 dump: Fri Feb 19 21:47:18 2010
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd0g (/var) to /mnt/tera/backup/2010.02.18_www.0
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 188530 tape blocks.
  DUMP: Volume 1 started at: Fri Feb 19 21:47:21 2010
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 196284 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Fri Feb 19 21:47:18 2010
  DUMP: Volume 1 completed at: Fri Feb 19 21:47:33 2010
  DUMP: Volume 1 took 0:00:12
  DUMP: Volume 1 transfer rate: 16357 KB/s
  DUMP: Date this dump completed:  Fri Feb 19 21:47:33 2010
  DUMP: Average transfer rate: 16357 KB/s
  DUMP: Closing /mnt/tera/backup/2010.02.18_www.0
  DUMP: DUMP IS DONE
$ sudo dump -1ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/
  DUMP: Ignoring u flag for subdir dump
  DUMP: Subdir dump is done at level 0
  DUMP: Dumping sub files/directories from /var
  DUMP: Dumping file/directory /var/www/htdocs/
  DUMP: Date of this level 0 dump: Fri Feb 19 21:47:36 2010
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd0g (/var) to /mnt/tera/backup/2010.02.18_www.1
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 188530 tape blocks.
  DUMP: Volume 1 started at: Fri Feb 19 21:47:39 2010
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 196284 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Fri Feb 19 21:47:36 2010
  DUMP: Volume 1 completed at: Fri Feb 19 21:47:51 2010
  DUMP: Volume 1 took 0:00:12
  DUMP: Volume 1 transfer rate: 16357 KB/s
  DUMP: Date this dump completed:  Fri Feb 19 21:47:51 2010
  DUMP: Average transfer rate: 16357 KB/s
  DUMP: Closing /mnt/tera/backup/2010.02.18_www.1
  DUMP: DUMP IS DONE

$ sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var
  DUMP: Date of this level 0 dump: Fri Feb 19 21:47:58 2010
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd0g (/var) to /mnt/tera/backup/2010.02.18_www.0
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 313894 tape blocks.
  DUMP: Volume 1 started at: Fri Feb 19 21:48:01 2010
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 334448 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Fri Feb 19 21:47:58 2010
  DUMP: Volume 1 completed at: Fri Feb 19 21:48:22 2010
  DUMP: Volume 1 took 0:00:21
  DUMP: Volume 1 transfer rate: 15926 KB/s
  DUMP: Date this dump completed:  Fri Feb 19 21:48:22 2010
  DUMP: Average transfer rate: 15926 KB/s
  DUMP: level 0 dump on Fri Feb 19 21:47:58 2010
  DUMP: Closing /mnt/tera/backup/2010.02.18_www.0
  DUMP: DUMP IS DONE
$ sudo dump -1ua -f /mnt/tera/backup/2010.02.18_www.1 /var
  DUMP: Date of this level 1 dump: Fri Feb 19 21:48:29 2010
  DUMP: Date of last level 0 dump: Fri Feb 19 21:47:58 2010
  DUMP: Dumping /dev/rwd0g (/var) to /mnt/tera/backup/2010.02.18_www.1
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 601 tape blocks.
  DUMP: Volume 1 started at: Fri Feb 19 21:48:33 2010
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 413 tape blocks on 1 volume
  DUMP: Date of this level 1 dump: Fri Feb 19 21:48:29 2010
  DUMP: Volume 1 completed at: Fri Feb 19 21:48:33 2010
  DUMP: Date this dump completed:  Fri Feb 19 21:48:33 2010
  DUMP: Average transfer rate: 0 KB/s
  DUMP: level 1 dump on Fri Feb 19 21:48:29 2010
  DUMP

Dump levels ?

2010-02-18 Thread Jean-Francois
Hi,

Is it possible to clarify what resides behind the concept of levels regarding 
dump(8) ?
For me the level 0 is understood to be a complete dump of all files at a 
given mount point and all subdirectories. But I can't figure out what upper 
levels are.

Regards



Re: Dump levels ?

2010-02-18 Thread Jean-Francois
On Thursday 18 February 2010 23:02:38, Otto Moerbeek wrote:
 On Thu, Feb 18, 2010 at 10:54:55PM +0100, Jean-Francois wrote:
  Hi,
 
  Is it possible to clarify what resides behind the concept of levels
  regarding dump(8) ?
  For me the level 0 is understood to be a complete dump of all files at
  a given mount point and all subdirectories. But I can't figure out what
  upper levels are.
 
  Regards

 A level 0 dumps includes all files. A level n dump are all the files
 that have changed or were added since the last level n - 1 dump.

   -Otto

My dump level 1 dumps all the files again. How to let it dump based on the
lower level ?

I did as follows :
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/

Regards
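As an added example that is not part of the thread (nor OpenBSD's own dump code), this POSIX sh script models the two rules the dump(8) answers in these threads describe: a subdirectory dump is always a full level 0 dump with -u ignored, and a level n dump copies what changed since the most recent dump of any lower level. The FSTAB and DUMPDATES tables and their record layout are constructed assumptions, not the real /etc/dumpdates format.

```shell
#!/bin/sh
# Added example, not code from the thread: models which level dump(8) really
# runs at for a target, and which earlier dump an incremental is measured
# against.  FSTAB and DUMPDATES are constructed; DUMPDATES uses a simplified
# "device level ISO-timestamp" layout (not the real /etc/dumpdates format) so
# timestamps compare as strings.  Only mount points and paths below them are
# modelled, not device names as targets.

# Constructed mounted filesystems: "device mountpoint" per line.
FSTAB='/dev/wd0a /
/dev/wd0d /usr
/dev/wd0g /var
/dev/wd0h /home'

# Constructed dump history (what dump -u would have recorded for this box).
DUMPDATES='/dev/wd0g 0 2010-02-19T21:47:58
/dev/wd0g 1 2010-02-19T21:48:29
/dev/wd0g 5 2010-02-20T02:00:00'

# Drop a trailing slash ("/var/www/htdocs/" becomes "/var/www/htdocs"), keep "/".
norm_path() { case $1 in /) echo / ;; *) echo "${1%/}" ;; esac; }

# Longest-prefix match of a path against the mount points; prints "device mountpoint".
fs_for_path() {
  printf '%s\n' "$FSTAB" | awk -v p="$1" '
    { mp = $2; n = length(mp)
      if (p == mp || mp == "/" || substr(p, 1, n + 1) == (mp "/"))
        if (n > best) { best = n; dev = $1; bmp = mp } }
    END { print dev, bmp }'
}

# Level dump(8) will actually use.  Only a whole filesystem (the path is a
# mount point) can be dumped incrementally; a subdirectory or file list is
# always a full dump and -u is ignored, hence "Subdir dump is done at level 0"
# and "Ignoring u flag for subdir dump" in the thread's output.
effective_level() {          # $1 = path, $2 = requested level
  path=$(norm_path "$1"); want=$2
  set -- $(fs_for_path "$path")           # $1 device, $2 mount point
  if [ "$path" = "$2" ]; then echo "$want"; else echo 0; fi
}

# Reference for an incremental: files new or modified since the most recent
# dump of ANY lower level of the same device (the dump(8) rule; "the last
# level n-1 dump" is the usual case).  Prints "level timestamp", or "none" when
# no lower-level dump exists ("Date of last level 0 dump: the epoch": full dump).
last_lower_dump() {          # $1 = device, $2 = level
  printf '%s\n' "$DUMPDATES" | awk -v d="$1" -v l="$2" '
    $1 == d && $2 + 0 < l + 0 && $3 > best { best = $3; lvl = $2 }
    END { if (best == "") print "none"; else print lvl, best }'
}

# Put it together: prints "device effective-level reference".
plan_dump() {                # $1 = path, $2 = requested level
  path=$(norm_path "$1")
  lvl=$(effective_level "$path" "$2")
  set -- $(fs_for_path "$path")
  echo "$1 $lvl $(last_lower_dump "$1" "$lvl")"
}

# The two runs from the thread: the subdirectory is forced to a full level 0
# dump; the mount point gets a real level 1 against the level 0 of 21:47:58.
plan_dump /var/www/htdocs/ 1   # /dev/wd0g 0 none
plan_dump /var 1               # /dev/wd0g 1 0 2010-02-19T21:47:58
plan_dump /var 3               # /dev/wd0g 3 1 2010-02-19T21:48:29 (level 5 ignored)
```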



Re: Dump levels ?

2010-02-18 Thread Jean-Francois
On Thursday 18 February 2010 23:43:38, Adriaan wrote:
 On Thu, Feb 18, 2010 at 11:21 PM, Jean-Francois jfsimon1...@gmail.com
 wrote:

 [snip]

  My dump level 1 dumps all the files again. How to let it dump based on
  the lower level ?
 
  I did as follows :
  sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
  sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/

 You did two level 0 dumps, so what else you expect ?;)

I mistyped the mail. I proceed in this way and get the same dump twice. Is
it normal?
sudo dump -0ua -f /mnt/tera/backup/2010.02.18_www.0 /var/www/htdocs/
sudo dump -1ua -f /mnt/tera/backup/2010.02.18_www.1 /var/www/htdocs/



Security feed

2010-02-17 Thread Jean-Francois
Hello All,

I am a little bit off subject, but please allow me to ask you about feeds of 
security issues.

Thank you



Re: pf rdr to multiple machines in the subnet

2010-02-09 Thread Jean-Francois
On Tuesday 09 February 2010 08:44:14, Bret S. Lambert wrote:
 On Tue, Feb 09, 2010 at 08:19:14AM +0100, Joakim Aronius wrote:
  * Jean-François SIMON (jfsimon1...@gmail.com) wrote:
   2010/2/7 Bret S. Lambert bret.lamb...@gmail.com
  
    No, you'd have to do a separate rdr line for each backend host.
  
   Would a rule like this one work (2 lines)?
   rdr pass on $ext_if proto tcp from any to any port 1024:65535 -> 10.0.1.32
   rdr pass on $ext_if proto tcp from any to any port 1024:65535 -> 10.0.1.33
 
  You can't redirect one port to multiple machines, your options are:
  1) redirect different ports to different machines, i.e.:
  rdr pass on $ext_if proto tcp from any to any port 1024:5000 -> 10.0.1.32
  rdr pass on $ext_if proto tcp from any to any port 5001:65535 -> 10.0.1.33
 
  2) get more external IP addresses.

 Or use tables:

 table <foo> = { $list_of_ips }
 rdr pass on $ext_if proto tcp from any to any port 1024:65535 -> <foo>

 or run relayd

 The OP would do well to read the PF guide on openbsd.org.


Is it possible to use the rule given by Stuart Henderson as follows ?
rdr pass on $ext_if proto tcp to port 1024:65535 -> 10.0.1/24

I will try this for real later on, for now I don't have access to this
machine.



Re: AMD power reduction

2010-02-08 Thread Jean-Francois
On Monday 08 February 2010 04:10:22, Nick Holland wrote:
 With all this talk about power reduction...I'm going to toss out one
 small suggestion:

 Get a Wattmeter, and measure...  Don't waste your time speculating.

Hello,

I did. It's consuming some 90 Watts at idle.
Actually, it's an Athlon but the latest Sempron has an even lower TDP.
My next server will be based on it.
Actually even 70 Watts is a little bit high for my next server given the fact
it will be in an autonomous environment (small wind/solar generators).

Regards



Re: AMD power reduction

2010-02-08 Thread Jean-Francois
On Monday 08 February 2010 10:41:18, Daniel Gracia Garallar wrote:
 If absolute raw power is not mandatory, you may have a look at
 Atom-based servers -like
 http://www.supermicro.es/?opcion=contenidoplt=notasid=137 for example-.

 These servers' consumption should make a difference when working on
 renewable energy sources.

 Regards!

 Jean-Francois wrote:
  On Monday 08 February 2010 04:10:22, Nick Holland wrote:
  With all this talk about power reduction...I'm going to toss out one
  small suggestion:
 
  Get a Wattmeter, and measure...  Don't waste your time speculating.
 
  Hello,
 
  I did. It's consuming some 90 Watts at idle.
  Actually, it's an Athlon but the latest Sempron has an even reduced TDP.
  My next server will be based on it.
  Actually even 70 Watts is a little bit high for my next server given the
  fact it will be in an autonomous environment (small wind/solar
  generators).
 
  Regards


Thank you for this information. Is it working OK with OpenBSD? Is standard x86
suitable?

Regards.



route default

2010-02-07 Thread Jean-Francois
Hello,

For some time, I have needed to add the default route with route add default 192.168.1.1 
in order to be able to reach the internet, otherwise I get (no route to host).

I would like to automate this in a proper way as it should be.

Regards


