Re: Cold Boot Attacks on Encryption Keys
On 2/22/08, Siegbert Marschall [EMAIL PROTECTED] wrote:
> Yes DRAM can preserve data for a while, even after shutting down power. Depending on the type of DRAM it can be milliseconds to days BUT it will only preserve part of the data, so the chance of finding some passwords in there does exist but has very little real world implications.

the quickest way of improving security against this particular type of attack, apart from having sensitive data such as keys around only when needed, is ensuring there's no quick way of booting from different media and ensuring it takes as long as possible to physically remove the RAM (this would be a plus for the disks, too). Physical security _is needed_ anyways. Soekris boxes also have soldered RAM.

--knitti
Re: What is our ultimate goal??
On 2/19/08, Mayuresh Kathe [EMAIL PROTECTED] wrote:
> something as good as FireEngine,

I'm following this thread with quite some amusement, but one thing is not in the least clear to me: why do you think you want something as good as FireEngine? Heck, even under the assumption that FireEngine is Really Good (TM), you should compare it to the *new* stack of FreeBSD, whose marketing blurb is at least a bit meatier than Sun's.

http://www.meetbsd.org/storage/kris.kennaway_meetbsd2007.pdf

So now, do you want FireEngine? Or rather SMPng networking? Or would you like ReallyHyperFastZoomStreamCyberWoosh? You can't decide? You have not even shown a corner case, much less a general reason why it would be desirable to completely throw away the current architecture.

I have used OpenBSD since 3.0 on very small CPUs and also on rather big ones (all i386 and amd64, though), and I don't remember a single case in which network stack performance wouldn't at least have met my expectations. What performance difference are you expecting? Do you know the implications which the different approaches impose on the kernel architecture?

Even if there were a developer who would in principle be open to the idea, you have to show her that it is worth the hassle. But you don't even know what you're talking about. If *I* were a developer, I would be offended by the notion that AnotherSolution is *that* *much* *better* (as you imply) _without_ showing any evidence.

--knitti
Re: need some help with base httpd
On 2/18/08, System Administrator [EMAIL PROTECTED] wrote:
> I need to secure a few distinct directories on this server, and to simplify config file maintenance decided to put the common directives into a file to be 'Include'd - reproduced further below. Here is an example of such an 'Include' in the main httpd.conf:
>
> <Directory /var/www/cgi-bin>
>     AllowOverride None
>     Options None
>     Include conf/admins.conf
> </Directory>
>
> [...]
>
> My dilemma is that actually including the directives instead of using the 'Include' above works perfectly as expected. I even tried transferring only some of the directives from the include file into the main httpd.conf, and invariably configtest complains about the very first active directive in the include file.

Try either putting the whole Directory directive into conf/admins.conf, thus moving the Include statement outside the Directory

--knitti
Re: sendmail setup mail server error
On 1/29/08, Chris [EMAIL PROTECTED] wrote:
> vi mydomain.mc
>
> divert(0)dnl
> VERSIONID(`@(#)mydomain.mc $Revision: 1.11 $')dnl
> OSTYPE(openbsd)dnl
> DOMAIN(mydomain.com)dnl
> FEATURE(`virtusertable', `dbm /etc/mail/virtusertable')dnl
> MAILER(local)dnl
> MAILER(smtp)dnl
> divert(-1)
>
> I didn't change anything else in this file.
>
> m4 ../m4/cf.m4 mydomain.mc mydomain.cf
> m4: mydomain.mc at line 11: include(../domain/mydomain.com.m4): No such file or directory
>
> Any help would be much appreciated. Thanks.

please read about the DOMAIN macro. I don't think I does what you think it does.

--knitti
Re: sendmail setup mail server error
On 1/29/08, knitti [EMAIL PROTECTED] wrote:
> On 1/29/08, Chris [EMAIL PROTECTED] wrote:
>> vi mydomain.mc
>>
>> divert(0)dnl
>> VERSIONID(`@(#)mydomain.mc $Revision: 1.11 $')dnl
>> OSTYPE(openbsd)dnl
>> DOMAIN(mydomain.com)dnl
>> FEATURE(`virtusertable', `dbm /etc/mail/virtusertable')dnl
>> MAILER(local)dnl
>> MAILER(smtp)dnl
>> divert(-1)
>>
>> I didn't change anything else in this file.
>>
>> m4 ../m4/cf.m4 mydomain.mc mydomain.cf
>> m4: mydomain.mc at line 11: include(../domain/mydomain.com.m4): No such file or directory
>>
>> Any help would be much appreciated. Thanks.
>
> please read about the DOMAIN macro. I don't think I does what you think it does.

sorry, I meant to write "I don't think it does what you think it does." Too much blood in my caffeine. Look also for LOCAL_DOMAIN.

--knitti
Re: OpenBSD 4.2 firewall freezing, even after patch 004 and 005
On 1/21/08, Robert Carr [EMAIL PROTECTED] wrote:
> After a few days of running, the machine becomes totally unresponsive, forcing me to power-cycle the box. I can't find anything relevant about the freeze/crash in any logs.
> [...]
> ...and no core dump. What am I doing wrong?
> [...]
> OpenBSD 4.2 (NAVARONE-4.2) #0: Wed Jan 16 23:18:21 PST 2008
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NAVARONE-4.2

http://openbsd.org/faq/faq5.html#Why

--knitti
Re: building a kernel for net4801 from dmassage
On 1/16/08, Lars Noodén [EMAIL PROTECTED] wrote:
> 1) Should anything be done to the GENERIC kernel's run time configuration then to improve performance, reduce system requirements or otherwise prevent it from making beer go flat?

nope. I've been running a couple of net4501s (100MHz/64MB RAM) since 3.5 which are perfectly fine with GENERIC.

> 2) Under what circumstances (generally) would one encounter a situation where it would be strongly desirable to have a custom kernel? RAID?

development: break stuff, fix stuff?

--knitti
Re: Suggested PF Setup when using BitTorrent?
On 1/15/08, Chris Kuethe [EMAIL PROTECTED] wrote:
> i doubt it's your machine not being happy with number of connections - i routinely have hundreds of states. depends on your modem, maybe? or who made the board inside your modems? or what crack-addled rhesus monkey pretended to write the firmware. If several different manufacturers licensed the IP stack or NAT engine from the same vendor, then it's perfectly possible that you both have ill-designed hardware.

add me to the crowd. I got curious, tested a bit, and am able to push my ping latency up to 9 s (then I got bored :-). I *think* (at least here) incoming connections are more of an issue than outgoing ones, and traffic shaping (as in bandwidth limiting) doesn't help much. Not traffic shaping doesn't help either. This is on a 3M/512k ADSL (Arcor/Germany) with a soekris and pppoe. I have not yet looked at whether it's just a pps issue with my soekris (in that case there should be no latency problem at about 1/20th of the available bandwidth). I could imagine that some equipment not up to the task at the provider could keep tabs on my states, but I don't see any reason why. (Yes I know, there's this new evil data retention law, but the providers don't even know what exactly they have to log and they are not exactly keen on implementing it).

--knitti
Re: Improving disk reliability
On 1/9/08, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:
> Bacula (www.bacula.org) is your friend.

yes, bacula is great. I just discovered that it is in ports (even available as a package), though I have yet to use it on OpenBSD, but it can't be harder to set up than on other platforms. I prefer it to amanda, because (at least when I had to find a suitable solution 1.5 years ago) it was the only one which could do multi-volume backups. It also works flawlessly with disk-based backups, simple tape drives and larger tape libraries.

--knitti
Re: Richard Stallman...
On 1/7/08, Steve Shockley [EMAIL PROTECTED] wrote:
> nicodache wrote:
>> I cannot do anything but appreciate and look at how you are able to stay calm and polite when I read some people on this ML talking about crap, fucking duck with tape, shutting up things.
>
> If it walks like a duck and talks like a duck an f... - wait a minute. Ouch. I have never seen anyone on this list fuck a duck with a tape. Ever.

WARNING. Do not look at the duck with the remaining eye.

--knitti
Re: Improving disk reliability
On 1/4/08, Nick Guenther [EMAIL PROTECTED] wrote:
> On 1/3/08, knitti [EMAIL PROTECTED] wrote:
>> this is becoming OT, but I can't recommend storing HDDs as a real backup solution either. HDDs _do_ have bitrot, and one should at least, say, once a year, verify that the *whole* disk is readable, ensuring that sectors which are not yet completely unreadable get remapped. Vaulting a DVD or a HDD for five years or more leaves you in both cases with the real possibility of data loss.
>
> How would you verify the whole disk is readable? And if it's all readable, how do you ensure the data is still the same pattern you put on before?

the posting from Hannah shows what to do. The big picture is this: backup (and/or archiving) is not fire-and-forget. You have to know how long you want to store this data to choose the right technology and media. And you have to have a process to verify that your data is good after this time. If you want backups for five years, and your life/business won't come to an end should you lose some data in spite of having backed up, use DVDs or HDDs, verify after backup and just store the media. For more than five years and more-or-less critical data, use tape and verify every x time. If you approach ten years and up, you have to know how you get hardware to read the tapes... At least the LTO spec states that drives of the *current* generation _have to_ read and write tapes one generation older, and read tapes which are two generations older. So if you have LTO-2 tapes around, you will be able to read them with LTO-4 drives (which should be checked, but does actually work in this case). Some companies and universities with huge archives spend large sums just to copy their archived data to the newest technology every couple of years.

--knitti
Re: avoiding a mac address filter
On 1/7/08, Targus Neoprene [EMAIL PROTECTED] wrote:
> is there a way to surpass the mac filter and get an ip?

most likely yes and yes. man ifconfig

--knitti
Re: Improving disk reliability
On 1/3/08, Marius Hooge [EMAIL PROTECTED] wrote:
> Doug wrote:
>> 2. I don't know the size of the disk to know the size of the backup media required. However, CD/DVD burners are less than the cost of a hard drive and the media is relatively cheap.
>
> I personally don't recommend backups to CD/DVD. They degenerate rather quickly depending on their quality and the storage humidity. Unlike a USB/Firewire harddisk inside your fire-, water-, emp-proof safe/vault. ;-) But make sure to set some kind of reminder to update your backup.

this is becoming OT, but I can't recommend storing HDDs as a real backup solution either. HDDs _do_ have bitrot, and one should at least, say, once a year, verify that the *whole* disk is readable, ensuring that sectors which are not yet completely unreadable get remapped. Vaulting a DVD or a HDD for five years or more leaves you in both cases with the real possibility of data loss.

--knitti
Re: cvsweb browsing out of sync with latest src?
On 12/18/07, Alexander Hall [EMAIL PROTECTED] wrote:
> [ returning after a long weekend ]
>
> Constantine A. Murenin wrote:
>> On 13/12/2007, Nick Guenther [EMAIL PROTECTED] wrote:
>>> http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/sudo/sudo/Attic/tgetpass.c?rev=1.15&content-type=text/x-cvsweb-markup
>>>
>>> Error
>>> Error: Unexpected output from cvs co
>>> Check whether the directory /usr/OpenBSD/cvs/CVSROOT exists and the script has write-access to the CVSROOT/history file if it exists.
>>> The script needs to place lock files in the directory the file is in as well.
>>
>> Where did you get that link from? Manually constructed links are, obviously, not guaranteed to work, so what precisely is the problem? :)
>
> Go to http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/sudo/sudo/Attic/ find tgetpass.c click revision number (1.15) ta-daa! :-)

this seems to be the case for every file in the Attic throughout the tree. I didn't try _every_ file, but quite some in very different places in the tree.

--knitti
Re: Problem with disk Western Digital
On 12/18/07, Stephan Andreas [EMAIL PROTECTED] wrote:
> The disk is 4 months old. After install of openbsd 4.2 it works. But now there are a lot of errors while reading blocks.

so you mean, first it worked really well? Then the conclusion is obvious: return your disk (after 4 months you should simply get it exchanged for a new one). It is kaputt.

--knitti
Re: come, help me with something more productive
On 12/14/07, bofh [EMAIL PROTECTED] wrote:
> Heh. I think we're having far too much fun in the other threads. I have a serious question. I'm a mangler in a largish company. We have developers, and contractors. No coding standards and all that, so, things are... messy. I'm not in charge of development, but I want to help them develop something useful, and secure.

You received some useful answers and certainly will receive more. Very important is that most, if not all, developers support this idea, and that almost everyone makes an effort to get used to the new procedures. The best intentions are worthless if key people don't like it.

--knitti
swap encryption Re: Putting partition in RAM
Gilbert, Douglas, swap encryption on OpenBSD is done differently than what you advise. Just use the sysctl vm.swapencrypt.enable. Much less maintenance headaches. And yes, don't complain about being reminded that this is not a netbsd / linux support list.

--knitti
Re: Monty Python 3000 Thread
== wooosh ===(your humour)

O(my head)

--knitti
Re: : rouge IPs / user
I have to correct myself a bit: the socket is in CLOSE_WAIT after receiving the client's FIN (and acknowledging it). The server hasn't yet sent its FIN, so the connection is properly half closed; the server _could_ send some data down the line as its part of the connection is still up. Translation: the server didn't close its socket for some reason or non-reason. To find that out I'll have to read some code, which may or may not turn up something (interesting for me).

--knitti
Re: : : rouge IPs / user
On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
> * A httpd server socket enters CLOSE_WAIT when the client closes (or half-closes) its end and sends FIN to the server TCP stack that replies ACK and enters CLOSE_WAIT. The socket proceeds out of CLOSE_WAIT when httpd calls close() on the socket. So, the remaining question is why httpd does not close the socket. Even though KeepAlive is in effect, since the client has closed its end there can come no more requests on it, and the server should be able to notice that the client has closed its socket end either by recv() returning 0, or from a poll() return value. The server also should be able to know if it has more data to send to complete the reply. I see no reason to hold the socket in CLOSE_WAIT the whole KeepAliveTimeout time, and am interested to learn why.

WARNING: I'm not very experienced reading C code, so take my words with heaps of salt.

The interesting code is most probably in http_main.c, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/main/http_main.c

The problem would be forgetting to call ap_bclose() after ending a connection, either because all data has been sent or the connection has been aborted. What I can read with some confidence is that keeping a socket open beyond sending any data is not intentional, and there is nothing (for me) which suggests that it would happen at all.

Noob questions/statements ahead: the code whose implications (aside from the clearly visible intention of what the code *should* do) are least clear to me is lingering_close() and lingerout() (is this a signal handler for SIG_ALRM?). I would suspect some kind of (signal?) race (not necessarily there), in which ap_bclose() gets called on a different socket than intended (thus shutting down another connection as a side effect). BUT since the whole code doesn't run threaded, I can't come up with something which would actually suggest that.

I would appreciate if someone told me whether my interpretation is rather wrong or rather right ;)

--knitti
Re: : no 4.2-stable package updates??
On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
> On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote:
>> On Tue, 11 Dec 2007, Joe wrote:
>>> So if there are security bugs in a package or port shipped with OpenBSD 4.2, there will be no updated package or updated port available?
>>
>> That is correct.
>
> Now, this will prevent me from upgrading to 4.2.

It isn't so that any pre-4.2-stable will be updated, so you lose nothing by upgrading. Very often you can backport from -current ports without any change.

--knitti
Re: : no 4.2-stable package updates??
On 12/12/07, Darren Spruell [EMAIL PROTECTED] wrote:
> Why -current? I thought what had fallen behind from lack of resources was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree) still has updated ports. Just build -stable packages from ports (like you did in the olden days.)

to quote from the original mail from Nikolay Sturm (thanks to him for doing this, or much of it, over some years) to misc:

> as you might have noticed, -stable ports have not been properly updated in the last few months. Due to lack of resources, especially a responsible maintainer, you cannot expect any updates to -stable for the foreseeable future. Although some updates might happen, -stable should be considered unmaintained.

--knitti
Re: : : rouge IPs / user
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> Raimo Niskanen wrote:
>> Interesting for me too, and most probably for others. It became an interesting discussion of my CLOSE_WAIT problem after all... To summarize (as I see it):
>> * pf synproxy state does not affect these CLOSE_WAIT sockets since the SYN proxy is only active during connection establishment. But it is good to use anyway since it prevents IP spoofing.
>
> Why not? Just test it out. What happens if you get a DDoS on your httpd as an example, or try to connect to it. You send a packet to httpd, it will create a socket to reply to your connection request and send the source IP ACK and then wait for the reply ACK that will never come. So, what does this do to your httpd then??? How many sockets will you have pending responses here? You use one socket per user connection to your httpd. You have 25 real users accessing your httpd and 1,000 fake users without pf in the path. I will ask you this simple question then.

don't confuse CLOSE_WAIT with a SYN flood. If httpd doesn't close its socket, the proxy will neither. And even if it did, this doesn't close httpd's socket. I think I'm repeating myself, but the problem is *not* that httpd waits for any client data. It _has_ seen the client's FIN (or it wouldn't go into CLOSE_WAIT), but keeps its side open.

> the close process has three stages as well. The client asks to close, the server replies and the client confirms. So, close, ACK and ACK.

not exactly. the long version is: the side which wishes to close sends FIN, the other side sends ACK (4-way close: each side sends a FIN and an ACK). If the other side, which receives the first FIN, decides to close also immediately, it can combine the FIN and the ACK (FIN - FIN/ACK - ACK).

> Did you verify that the client sent the last required ACK to the original request of the server to close?

If the server closes first and the client doesn't ACK, the socket should be in TIME_WAIT. After some time, I think, the server may send a RST if the client doesn't ACK its FIN.

> There is also a keep alive in the tcp stack and if I remember well I think it is set by default by the RFC to not a small amount of time.

yes, TCP keep alives are empty ACK packets (or 1 octet payload). But while the TCP connection is open (while TCP keep alives might be sent), the socket doesn't go into CLOSE_WAIT. It does when the client FINs its connection, which should also end the sending of TCP keep alives.

> Again, are you sure all the RFC process was done? Who is waiting on who here? Also, I think you may be confusing a few things here. httpd not closing a socket and having KeepAlive in effect are contradictory.

in theory, they are simply not related, because they are on different protocol layers. Practically there seems to be a correlation by implementation.

--knitti
Re: : : rouge IPs / user
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> I am only saying that using PF in front of httpd will reduce the possible number of httpd close_wait you might see. By default httpd can only support up to 256 connections, unless you increase it and compile it again.

I don't understand why pf would reduce this. Every single CLOSE_WAIT stems from a former established connection, and pf can do nothing to convince httpd to close its socket. No rogue clients involved here.

> lead you in that path, then I am sorry. What will affect your close_wait time (when you reach that point) are the tcp stack values, which I am reluctant to suggest adjusting as they sure can create way more harm than good.

I don't think there is a sysctl for that. TCP connections don't expire by default if you don't make them, and the same should go for a half-closed one. There are perfectly legit reasons for long open half-closed TCP connections.

> My point with PF here was that it would reduce the possible numbers of close_wait state you could possibly see in the first place, which is one of the original goals of the question.

Why?

--knitti
Re: : : rouge IPs / user
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> knitti wrote:
>> The problem would be forgetting to call ap_bclose() after ending a connection, either because all data has been sent or the connection has been aborted. What I can read with some confidence is that keeping a socket open beyond sending any data is not intentional, and there is nothing (for me) which suggests that it would happen at all.
>
> Logically if that was the case, wouldn't you think you would run out of sockets in just a few minutes after starting httpd? I am not saying there aren't any bugs in httpd, or that there are. Fair to assume there are some, but to that extent, I couldn't imagine so. Just think about it for a second. What would the effect of it be if that was the case?

I think you misunderstood me. I meant I don't see any obvious occasion in which the problem I assumed (forgetting ap_bclose()) would occur. So I don't see any bug (surprise), but something occurs. So either I don't see the bug because it's not obvious (surprise, again), or my assumption (ap_bclose() not called) is wrong. My question: would not calling ap_bclose() show this behaviour?

> - Application needs sockets and sends requests to create and destroy them and keeps using them after they are created. Who does that, kernel or application?

I assume the kernel creates the actual socket, but the app keeps it as long as it wants (or longer ;-)

> - Who receives the socket creation and destroy requests and will create them or destroy them and pass the handle to the application when ready? The kernel, or the application?
> - Who is handling the signaling, meaning handshake, opening, close_wait, retransmissions, etc.? Application or kernel?
> - So, in the end, if a socket is in close_wait, is it the application, or the kernel at that point? Meaning, was it already requested to be closed and is now a signaling issue, or an application that hasn't asked to close the socket yet? (;

I *assume* that it is the application forgetting to close(), because if the kernel forgets to close() something which is more or less a file, we would also have massive stale open files lying around.

> - If jammed in close_wait state, is it because it hasn't sent the ACK on the request from the client to close the socket?
> - Or is it that it did send the ACK to the client and is now waiting on the final ACK from that client to do it?
> - Or is it that it reached that point because it was a not fully open three-way-handshake established connection to start with, maybe?
> - Or is it because the client just opened a socket, got what it needed and didn't bother to do the proper closing of the socket as it should?

_please_, read my last mails, or look at a TCP state diagram.

> - Now, where is the application, in this case httpd, involved here?

CLOSE_WAIT is a defined state. The most simple explanation is not closing the socket even after recognizing there is nothing more to read from it.

> - Where can keep alive in httpd help, or not?
> - Where does pf proxy help or not?
> - Where does keep alive in the tcp stack (sysctl) help or not?

these three questions I simply don't understand. Please rephrase.

> That's why there isn't a single answer to the questions here and it will always depend on your specific setup, traffic patterns and load, etc.

It seems we are of different opinions here. I'm more or less convinced now that there is a bug not closing the socket even after httpd has nothing more to send. Under the assumption my interpretation of the problem is not fundamentally flawed.

> Example, you could reduce the keep alive in sysctl a lot if you want to help the close_wait, but at the same time this will increase all the exchange messages between valid connections as well. So, on one hand it will affect the delay in closing your sockets sooner, but at the same time you will increase the load on other already active connections.

well, I think turning the wrong knobs will do harm, there you are right. Tuning TCP keep alives would be the wrong knob.

> left, unless it does give you a problem, other than a feeling of wanting it to look different, you should put it to rest I think.

unless I can reproduce it, I will also let it rest after being convinced of not finding the bug by reading the code alone ;)

--knitti
Re: : : rouge IPs / user
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> net.inet.tcp.keepidle
> net.inet.tcp.keepinittime
> net.inet.tcp.keepintvl
> net.inet.tcp.rstppslimit
> net.inet.tcp.synbucketlimit
> net.inet.tcp.syncachelimit

nope, shouldn't apply, unless my TCP knowledge is wrong or there is a bug which makes it affect this unintentionally.

>>> My point with PF here was that it would reduce the possible numbers of close_wait state you could possibly see in the first place, which is one of the original goals of the question.
>>
>> Why?
>
> OK, I could be wrong and I am sure someone with a huge stick will hit me with it if I say something stupid, and/or there might be something I am overlooking or not understanding fully, which is sure possible as well. (;
>
> But if httpd received a fake connection that does not do the full handshake, isn't there a socket open and/or used by httpd for that fake connection anyway? Meaning it tries to communicate with that fake source and can't and eventually will close and (that's where maybe I am failing here) will end up in close_wait maybe?

no fake connections involved, CLOSE_WAIT is a state _after_ having a fully established connection.

> Or, are you saying that the ONLY possible way a socket ends up in close_wait state is ONLY when and ONLY possible if it was fully open properly in the first place? If so, then I stand corrected and I was/am wrong about that part of my suggestions. So, is it the case then?

Yes. Random example: http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html

--knitti
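As an added illustration, not code from the thread or from OpenBSD's httpd: the Python below models the RFC 793 teardown states the CLOSE_WAIT discussion in this thread keeps circling back to (the 4-way close, the 3-segment FIN / FIN-ACK / ACK variant described a few mails up, and the question answered "Yes" here, namely that CLOSE_WAIT is entered only from ESTABLISHED and left only when the application calls close()). State and segment names are RFC 793's; the Endpoint class, the scenario functions and the text trace format are my own constructed model and no real sockets are involved.

```python
from dataclasses import dataclass

# Teardown states from RFC 793 (constructed model). The handshake states
# SYN_SENT/SYN_RECEIVED are deliberately left out: a connection that never
# completed the handshake never reaches ESTABLISHED, so it cannot reach
# CLOSE_WAIT either.
ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSING = (
    "ESTABLISHED", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING")
TIME_WAIT, CLOSE_WAIT, LAST_ACK, CLOSED = (
    "TIME_WAIT", "CLOSE_WAIT", "LAST_ACK", "CLOSED")
TEARDOWN_STATES = [ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSING,
                   TIME_WAIT, CLOSE_WAIT, LAST_ACK]


@dataclass
class Endpoint:
    """One side of an established TCP connection (hypothetical model)."""
    name: str
    state: str = ESTABLISHED

    def app_close(self):
        """The application calls close(); the stack emits a FIN."""
        if self.state == ESTABLISHED:
            self.state = FIN_WAIT_1      # active close
        elif self.state == CLOSE_WAIT:
            self.state = LAST_ACK        # passive close, peer's FIN already seen
        else:
            raise ValueError(f"{self.name}: close() in {self.state} not modelled")
        return "FIN"

    def receive(self, seg):
        """Handle an incoming 'FIN', 'ACK' or 'FIN/ACK'; return the stack's
        own reply segment, or None when nothing is sent back."""
        fin, ack = "FIN" in seg, "ACK" in seg
        reply = None
        if self.state == ESTABLISHED and fin:
            # Passive close: the kernel ACKs the FIN by itself and parks the
            # socket in CLOSE_WAIT. Only the application's close() moves it
            # on; no further segment from the peer, keepalive or timer does.
            self.state, reply = CLOSE_WAIT, "ACK"
        elif self.state == FIN_WAIT_1 and fin and ack:
            self.state, reply = TIME_WAIT, "ACK"   # peer combined FIN+ACK
        elif self.state == FIN_WAIT_1 and ack:
            self.state = FIN_WAIT_2
        elif self.state == FIN_WAIT_1 and fin:
            self.state, reply = CLOSING, "ACK"     # simultaneous close
        elif self.state == FIN_WAIT_2 and fin:
            self.state, reply = TIME_WAIT, "ACK"
        elif self.state == CLOSING and ack:
            self.state = TIME_WAIT
        elif self.state == LAST_ACK and ack:
            self.state = CLOSED
        return reply


def send(trace, src, dst, seg):
    """Carry one segment across the modelled wire and record it."""
    trace.append(f"{src.name} -> {dst.name}: {seg}")
    return dst.receive(seg)


def four_way_close(server_calls_close=True):
    """Client closes first; the server application may or may not follow
    up with close(). Returns (client_state, server_state, trace)."""
    client, server, trace = Endpoint("client"), Endpoint("server"), []
    ack = send(trace, client, server, client.app_close())      # FIN
    send(trace, server, client, ack)                            # ACK
    if server_calls_close:
        ack = send(trace, server, client, server.app_close())  # FIN
        send(trace, client, server, ack)                        # ACK
    return client.state, server.state, trace


def three_segment_close():
    """Server application closes right after the client's FIN, so the stack
    can merge its ACK and FIN into one FIN/ACK segment."""
    client, server, trace = Endpoint("client"), Endpoint("server"), []
    ack = send(trace, client, server, client.app_close())      # FIN
    fin = server.app_close()                                    # CLOSE_WAIT -> LAST_ACK
    last_ack = send(trace, server, client, f"{fin}/{ack}")      # FIN/ACK
    send(trace, client, server, last_ack)                       # ACK
    return client.state, server.state, trace


def states_entering_close_wait_on_fin():
    """Which teardown states move *into* CLOSE_WAIT when a FIN arrives?"""
    entering = []
    for state in TEARDOWN_STATES:
        probe = Endpoint("probe", state)
        probe.receive("FIN")
        if state != CLOSE_WAIT and probe.state == CLOSE_WAIT:
            entering.append(state)
    return entering


if __name__ == "__main__":
    scenarios = (("4-way close, server calls close()", four_way_close(True)),
                 ("4-way close, server never calls close()", four_way_close(False)),
                 ("3-segment close", three_segment_close()))
    for label, (client_state, server_state, trace) in scenarios:
        print(f"{label}: client={client_state} server={server_state}")
        for line in trace:
            print("   ", line)
    print("states that enter CLOSE_WAIT on FIN:", states_entering_close_wait_on_fin())
```

The second scenario is the situation debated in the thread: the client is long gone in FIN_WAIT_2, while the server socket sits in CLOSE_WAIT with nothing but an application close() able to move it.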
Re: : rouge IPs / user
On 12/11/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
> I want to know if and what I can do (on the server side) about HTTP clients that put sockets on my httpd server in state CLOSE_WAIT and thereby chew up all sockets for the server causing a kind of denial of service state. And yes, I have googled for HTTP server socket CLOSE_WAIT and did not get much wiser.

If I understand correctly you could try synproxy states with pf and let these states expire rapidly. If the states expire, I *think* pf should end the connection completely, so your half-closed sockets don't get stale. BUT perhaps I didn't get it at all and this makes no sense ;)

--knitti
Re: BIND and the measure of system entropy (randomness?)
On 12/11/07, Andreas Maus [EMAIL PROTECTED] wrote:
> On Wed, Dec 12, 2007 at 01:08:42AM +1100, mufurcz wrote:
>> b) lines 34 and 35: `could not open entropy source /dev/arandom: file not found` and `using pre-chroot entropy source /dev/arandom` complaining about a missing /var/named/dev/arandom device.
>
> Same as above. /dev/arandom is _REALLY_ /var/named/dev/arandom. So just why not create this device?
>
> cd /var/named/dev
> mknod arandom c 45 4
>
>> What has BIND to do with the laws of thermo-dynamics? Can I safely ignore the above messages?
>
> BIND needs /dev/arandom for some stuff like generating random IDs.

on OpenBSD it doesn't. There was a mail from Theo regarding exactly this error message, stating that on OpenBSD BIND doesn't use (or need) this. You could search the archives...

--knitti
Re: : rouge IPs / user
On 12/11/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/12/11 09:40, Marti Martinez wrote:
>> Yep, synproxy is your answer for OpenBSD. For linux or freebsd, try enabling syn cookies.
>
> synproxy works at the start of the connection, not the end. CLOSE_WAIT is the state where the network stack waits for the application (httpd) to close the connection after receiving the client's FIN.

oh sorry, then I was wrong. So when the client's FIN is already in, then (depending on how long it takes), is it normal behaviour of httpd or could it be considered a bug?

--knitti
Re: : rouge IPs / user
On 12/11/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> [... snipped away a lot ...]
> There is a lot that can be done, however, when you reach this level, an answer doesn't fit all and is really dependent on your setup. Hope this helps answering your question.

It's not me having the problem, but I desire to understand it. AFAIK HTTP keep alives have nothing to do with it. If the socket is in CLOSE_WAIT, the TCP connection can't be reused; the server has sent its FIN and the client its FIN/ACK, but the server hasn't yet sent its final ACK. I can imagine some possibilities why this happens (some might not be valid due to my lack of knowledge):

- the server didn't clean up its socket, so it stays there until the process dies eventually
- the server does this to keep its socket (that I don't know: can a socket be reused in any state?)

btw: I might be going off topic here, but I think it applies to OpenBSD's httpd. I won't send any further mail to this thread you tell me to shut up.

--knitti
Re: : rouge IPs / user
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> knitti wrote:
> > HTTP keep alives have nothing to do with it. If the socket is in
> > CLOSE_WAIT, the TCP connection can't be reused, the server has sent
> > its FIN and the client its FIN/ACK, but the server hasn't yet sent
> > its final ACK.
>
> Well actually it does under normal operation. See, if you get a
> connection from a user and have keep alive setup. The socket will stay
> open to speed up the next request from the same users without having
> to establish a new connection, reusing the same socket for speed, but
> at the same time keeping that socket open and not ready to close yet
> for the next users. So, you see, if you have longer keep alive setup
> in httpd, you will reach the CLOSE_WAIT later on instead of sooner if
> you have shorter keep alive setup. See what I explain, maybe not as
> well as I would like, is the impact of PF and httpd together as well
> as the net.inet.tcp.xxx in sysctl setup. They all interact together
> in some ways and as such I also said it wasn't something to take
> isolated of one another.
> [...]
> I think the CLOSE_WAIT state and time is a function of the OS stack,
> not the application itself, in this case httpd. I could be wrong here
> and I would love for someone to correct that for me if I do not
> understand that properly. But my understanding is this is controlled
> by the OS, not the application itself, other than the keep alive
> obviously in this case.

you tell me that there is some correlation between HTTP keep alives and
a socket ending up in CLOSE_WAIT for some time. That is the practical
observation. But I'm interested in whether this is by design or not.
RFC 2616 doesn't mention implementation details, and I can't see why the
socket implementation (OS) would want to keep a socket in CLOSE_WAIT for
some time (not sending a final ACK).

> > btw: I might be going off topic here, but I think it applies to
> > OpenBSDs httpd. I won't send any further mail to this thread you
> > tell me to shut up.
>
> I didn't do such thing. The original poster however should/may take
> the advice, or drop it. (;

sorry for the confusion, I forgot to write an "if" after "thread"

--knitti
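As an added example (not from the thread): a sh/awk helper that tallies TCP states per local port from BSD-style `netstat -an -f inet` output, with a constructed sample standing in for live output. A socket is in CLOSE_WAIT once the peer's FIN has arrived and been acknowledged but the local process has not yet called close(), so a CLOSE_WAIT count that keeps growing between two runs points at the application holding sockets open (here httpd and its keep-alive handling) rather than at the TCP stack; this is the check to run before blaming either.

```shell
#!/bin/sh
# Added example (not from the thread). Tally TCP connection states per
# local port from BSD-style `netstat -an -f inet` output.

# Constructed sample output; addresses come from documentation ranges.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.8.40001     CLOSE_WAIT
tcp          0      0  192.0.2.10.80          198.51.100.8.40002     CLOSE_WAIT
tcp          0      0  192.0.2.10.80          198.51.100.9.50000     TIME_WAIT
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  192.0.2.10.22          198.51.100.5.33333     ESTABLISHED'

# tcp_states_on_port PORT
# Reads netstat output on stdin and prints "STATE COUNT" lines for the
# connections whose local address ends in .PORT, most frequent first.
tcp_states_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ ("\\." port "$") { n[$NF]++ }
        END { for (s in n) print s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# state_count PORT STATE
# Prints how many connections on PORT are in STATE (0 if none).
state_count() {
    tcp_states_on_port "$1" | awk -v st="$2" '
        $1 == st { c = $2 }
        END { print c + 0 }
    '
}

# close_wait_count PORT
# CLOSE_WAIT sockets have received the peer FIN and acknowledged it but
# have not been close()d locally. A number that grows from one run to
# the next means the application, not the TCP stack, is holding them.
close_wait_count() {
    state_count "$1" CLOSE_WAIT
}

# Run against the constructed sample; on a live host replace it with
#   netstat -an -f inet | close_wait_count 80
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_states_on_port 80
```

Two runs a minute apart are more telling than one: a constant handful of CLOSE_WAIT sockets is normal churn, a count that only goes up is a leak in the daemon.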
Re: Configuring sendmail openbsd 4.2
On 11/29/07, Khalid Schofield [EMAIL PROTECTED] wrote:
> ok it's still not working. I'm posting my configs here. It's not
> accepting incoming mail. Sendmail is set to use /etc/mail/sendmail.cf
> in rc.conf

- when it's not accepting, what is the error? does it locally?
- try putting the MAILER lines last.
- Why would you accept mail to unresolvable domains?
- consider adding a define(`confPRIVACY_FLAGS', ...)

--knitti
Re: Configuring sendmail openbsd 4.2
On 11/27/07, Khalid Schofield [EMAIL PROTECTED] wrote:
> I'm configuring sendmail on openbsd 4.2. Trying to get sendmail to
> send all mail via my smart host. What do I edit since there is no
> /etc/mail/sendmail.mc and in /usr/share/sendmail/cf there are lots of
> configs. The docs look pretty major reading so I thought I'd just ask
> people that have done this before. So I'm trying to send all outgoing
> mail via my smart host on my network and not set this up as a smart
> host.

Nothing beats reading the docs. It's there for a reason, and you *have*
to know what you are doing, because some day something goes wrong, and
*you* will have to troubleshoot it. And in this very (possibly trivial)
moment it pays having read the docs at least *once* before, just to
roughly know where you can find which information.

--knitti
Re: how best to handle DNS on firewalled home network?
On 11/15/07, Jonathan Thornburg [EMAIL PROTECTED] wrote:
> I'm setting up a home firewall, intended to (try to) protect client
> machines (mostly family members' MS-Windoze laptops) from misc internet
> threats. I have a couple of questions about how best to handle DNS
> on/through the firewall:

just use named in caching mode (should work out of the box) and forget
your isp's name servers. it costs next to nothing performance-wise and
works really well. a soekris 4501 firewall (100MHz/64 MB RAM) does
handle a DSL-type connection (4 MBit) including dhcpd, named and ntpd
very well.

--knitti
Re: Slow Performance on Encrypted svnd
Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but
when copying partitions with dd I use this.

--knitti
Re: Slow Performance on Encrypted svnd
On 11/14/07, Clint Pachl [EMAIL PROTECTED] wrote:
> knitti wrote:
> > Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd,
> > but when copying partitions with dd I use this.
>
> I tried that, but like I said fdisk complained when the svnd device is
> associated with the raw direct access disk device. For example
>
> # vnconfig -k svnd0 /dev/rwd1c
> # fdisk -c 19457 -h 255 -s 63 -i svnd0    # disk CHS
> fdisk: error initializing MBR: bad address
> # fdisk -c 19456 -h 254 -s 63 -i svnd0    # OpenBSD partition CHS
> fdisk: error initializing MBR: bad address
> # fdisk -i svnd0
> Warning CHS values out of bounds only saving LBA values
> fdisk: error initializing MBR: bad address

well, the 'c' slice is a bit 'special', perhaps try an 'a' slice filling
the whole disk but the first track? After all, I think it's weird not to
have an MBR etc. on the real disk. (Which doesn't mean that I couldn't
imagine that).

--knitti
Re: HP Procurve or Soekris w. OpenBSD ?
On 11/12/07, Matt [EMAIL PROTECTED] wrote:
> Goodday,
>
> Looking to manage several webservers I am wondering if anybody uses
> something like this: http://soekris.kd85.com/images/tn/dsc03600.med.jpg ?
> (That image shows Wim's net4801-50 plus quadport lan1641 firewall box,
> giving 7 ports with low power consumption - on OpenBSD)
>
> The standard choice in my datacenter (linux users mostly) seems to be
> HP Procurve but I'd prefer the power of PF. I have no idea how
> rigid/stable/fast the Soekris machines are, I've never used one. I'm
> wondering if a setup as mentioned could (speedwise) compete and if it
> is a sane idea to deploy something like this in the DC.
>
> Any advice is appreciated. Thanks.

If you are looking for raw networking performance, don't go for soekris.
I don't know exactly the 4801, but I use a couple of 4501 as firewalls
and IPSec-Routers for connections of up to 5 MBit/sec. Seeing the specs
of the 4801 and knowing the 4501, I wouldn't use them for more than
about 40-50 Mbit/sec. There are people on this list, who have more
experience with the 4801. BUT you have to test for yourself if it fits
your needs, and your performance depends a lot on your setting.

--knitti
Re: identifying sparse files and get ride of them trick available?
On 11/11/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> 2.3
> ==
> Now using scp as many times it can also be used for quick sync of
> changed files. Here however, we are up for a big surprise as well for
> sure. Here we can't even do it as the sparse file like in rsync
> example #1 will stop as it is too big in size, even if the data
> however is not. And we will also waste way more bandwidth trying to do
> it in the process as well. If the file was smaller in sparse size,
> then the copy process would work, however the wasted bandwidth would
> be present anyway making the point of trying to avoid the problem in
> the first place of transferring sparse files across file systems. Or
> at best trying to use something that would minimize the problem.

if I'm not completely wrong, you could always tar -czf the sparse file,
scp the archive and then tar -xzf the file in place on the other side.
this should also create a new sparse file. of course, you lose the
rsyncability and you have to identify your sparse file in advance. But
16GB of nothing should compress very well ;)

--knitti
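The tar-and-compress route above, worked through as an added example (not from the thread): the script creates a file that is nothing but a hole, shows the gap between the size scp would transfer and the blocks actually allocated, packs it with tar+gzip, and measures what comes out of the archive on the other side. Paths are created under a temporary directory; the size of 32 MB is just a constructed test value. Whether the restored copy is sparse again depends on the tar in use (GNU tar only records holes with its `-S`/`--sparse` option), which is why the demo reports the allocated size of the restored file rather than assuming it.

```shell
#!/bin/sh
# Added example (not from the thread): measure how much of a sparse file
# is really allocated, pack it with tar+gzip, and check what comes out.

# make_sparse PATH SIZE_MB
# Creates a SIZE_MB megabyte file that is entirely a hole: nothing is
# written, the size comes from seeking past the end.
make_sparse() {
    dd if=/dev/zero of="$1" bs=1 count=0 seek="$(( $2 * 1024 * 1024 ))" 2>/dev/null
}

# apparent_bytes PATH  - the size ls and scp see
apparent_bytes() {
    wc -c < "$1" | tr -d ' '
}

# allocated_kb PATH  - the blocks actually on disk, as du reports them
allocated_kb() {
    du -k "$1" | cut -f1
}

# is_sparse PATH  - true when fewer blocks are allocated than the size implies
is_sparse() {
    [ "$(allocated_kb "$1")" -lt "$(( $(apparent_bytes "$1") / 1024 ))" ]
}

# pack_gz PATH ARCHIVE  - tar+gzip one file; prints the archive size in bytes.
# ARCHIVE must be an absolute path because the function changes directory.
pack_gz() {
    ( cd "$(dirname "$1")" && tar -czf "$2" "$(basename "$1")" )
    apparent_bytes "$2"
}

# unpack_gz ARCHIVE DIR  - extract the archive into DIR (created if needed)
unpack_gz() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}

# sparse_demo SIZE_MB  - the whole round trip, reported step by step
sparse_demo() {
    dir=$(mktemp -d)
    make_sparse "$dir/big.img" "$1"
    printf 'original: %s bytes, %s KB allocated\n' \
        "$(apparent_bytes "$dir/big.img")" "$(allocated_kb "$dir/big.img")"
    printf 'archive:  %s bytes\n' "$(pack_gz "$dir/big.img" "$dir/big.tgz")"
    unpack_gz "$dir/big.tgz" "$dir/out"
    printf 'restored: %s bytes, %s KB allocated\n' \
        "$(apparent_bytes "$dir/out/big.img")" "$(allocated_kb "$dir/out/big.img")"
    rm -rf "$dir"
}

sparse_demo 32
```

The archive is the number that matters for the transfer: tens of kilobytes for a file that scp would push across the wire in full. The `is_sparse` test is also the cheap way to find the sparse files in advance, which knitti notes you have to do before choosing this route.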
Re: Security Comparisons
On 11/10/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
> of philosophy. Linux is about making all kinds of toys work in a
> hot-plug way and allow people to boast about their uptime. OpenBSD is
> about security.

I would add usability (conciseness, least surprise and coherency) and
thus maintainability to the list. I end up having less to do for OpenBSD
Servers to keep them happy running than for some Debian boxes, and
Debian _is_ damn well maintainable.

--knitti
Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out
On 11/9/07, Jake Conk [EMAIL PROTECTED] wrote:
> My question though is why did you give this rdr rule?
>
> rdr pass on $int_if proto tcp from any to !$ftp_server port ftp -> 127.0.0.1 port 8022
>
> What special feature does switching any to !$ftp_server add to the pf
> rules? Should I modify mine to also say that?

no, I *think* I made some wrong assumptions about your network
(obviously didn't read your first mail carefully enough) and I can't
figure out now why I suggested that. Sorry about that.

--knitti
Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out
On 11/8/07, Jake Conk [EMAIL PROTECTED] wrote:
> Hello,
>
> I have a computer running OpenBSD 4.2 which is acting as my router.
> Behind it I have a ftp-server which is working fine thanks to ftp-proxy
> but one of the problems I am having is ftp'ing out of my network. I am
> able to connect and establish connections to outside servers but I am
> not able to run normal commands on them like ls, cd, get, etc. Any
> command I try running after I connect just hangs and fails.

of course, since you are using NAT. starting a second instance of
ftp-proxy on a different port should work, just look at the manpages
pf.conf(5) ftp-proxy(8)

--knitti
Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out
On 11/8/07, Jake Conk [EMAIL PROTECTED] wrote:
> Ok I understand I'm supposed to have another instance of ftp-proxy
> running so that it can open up ports on my router to allow data
> connections to be established from remote hosts but I'm not sure how I
> should configure ftp-proxy for that and my pf... Let's start with
> ftp-proxy first then handle pf...
>
> Since I got 1 instance of ftp-proxy already running to redirect
> incoming ftp traffic to a local server in my network I must have
> another one on a different port so for that I'm starting with...
>
> `ftp-proxy -p 8022`
>
> Ok and I think I have to tell ftp-proxy to only listen on its local IP
> because we are trying to connect our local servers to public servers
> so I would add that to the command:
>
> `ftp-proxy -p 8022 -a 192.168.10.1`

you need 127.0.0.1 in any case, because of the rdr in pf.conf

> I wasn't sure to use -a or -b so if I'm doing this wrong someone
> please correct me.
>
> 1) So now on the ftp-proxy configuration is there anything else I need
> to add?
>
> 2) Where's a good place to look on how to configure my packet
> filtering (pf) to work with the second instance of ftp-proxy and allow
> me to connect to outside (public) ftp servers

look at your pf.conf, you have commented out the line. you should change
it to about this:

rdr pass on $int_if proto tcp from any to !$ftp_server port ftp -> 127.0.0.1 port 8022

of course I didn't test this, but you get the idea

--knitti
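The pf.conf side of that second, outbound ftp-proxy instance in one piece, as an added example (not configuration from the thread): the rdr rule above, the anchors into which the proxy writes its per-session rules, and a pass rule for the proxy's own control connections to remote servers. Interface names and the server address are assumptions; the inbound instance that already serves the internal server is left exactly as the poster has it, and its rules are not repeated here.

```pf
# Added example pf.conf fragment (not from the thread). Interface names
# and addresses are assumptions; adjust to the real network.
ext_if = "em0"
int_if = "em1"
ftp_server = "192.168.10.2"

# Default deny; everything below is an explicit exception.
block all

# ftp-proxy(8) installs the rules for each FTP session's data connection
# under these anchors. One set of anchor statements serves every
# ftp-proxy instance on the host, inbound and outbound alike.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Control connections from the LAN to any *outside* FTP server are
# redirected to the outbound instance, started as:  ftp-proxy -p 8022
# (it listens on 127.0.0.1, which is why the rdr target must be loopback).
# The internal server is excluded so that traffic keeps going to the
# existing inbound (reverse-mode) instance untouched.
rdr pass on $int_if proto tcp from any to !$ftp_server port ftp -> 127.0.0.1 port 8022

# The proxy's dynamically added data-connection rules are evaluated here.
anchor "ftp-proxy/*"

# The proxy itself opens the control connection to the remote server,
# so its outgoing connections must be allowed from the firewall's own
# external address.
pass out on $ext_if proto tcp from ($ext_if) to any port ftp flags S/SA keep state
```

Because the proxy, not the client, is the endpoint that talks to the remote server, the data-connection rules it pushes into the anchor are what make passive and active transfers work through NAT; the `!$ftp_server` exclusion keeps the two instances from competing for the same control connections.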
Re: Building a custom kernel error
On 11/8/07, 23e7 [EMAIL PROTECTED] wrote:
> Am I missing some option?

did you read the FAQ? do you know what you are doing? why do you need a
custom kernel?

--knitti
Re: Building a custom kernel error
On 11/8/07, 23e7 [EMAIL PROTECTED] wrote:
> yes, I know.
>
> On 11/8/07, knitti [EMAIL PROTECTED] wrote:
> > On 11/8/07, 23e7 [EMAIL PROTECTED] wrote:
> > > Am I missing some option?
> >
> > did you read the FAQ? do you know what you are doing? why do you
> > need a custom kernel?

the error message tells you to find the code which defines 'comsoft'
and enable it.

--knitti
Re: detecting bad disks
On 11/8/07, Derick Siddoway [EMAIL PROTECTED] wrote:
> Trying to copy a file from one filesystem to another, I kept getting
> input/output errors. I noticed these messages in the logs:
>
> wd1a: uncorrectable data error reading fsbn 768416 of 768384-0 (wd1 bn 768416; cn 762 tn 5 sn 5), retrying
> wd1a: uncorrectable data error reading fsbn 768416 of 768384-0 (wd1 bn 768416; cn 762 tn 5 sn 5), retrying
> ...
>
> However, when I run this by hand, I get
>
> [EMAIL PROTECTED]:$ sudo /sbin/atactl /dev/wd1 smartstatus
> No SMART threshold exceeded
>
> So clearly, the SMART stuff wasn't going to tell me about this.
> ...
> I see a number of values that exceed the preset thresholds. But I see
> the same kinds of values on the other three drives:

not all SMART thresholds define an upper value, some values are a sort
of quality measurement and go downwards. Indeed your SMART values
indicate no error. Two possibilities:

- SMART didn't catch the errors. no monitoring is perfect, but it seems
  unlikely that it won't notice read errors
- everything is OK with the disk, but something else is not. Try a
  different cable, look for faulty RAM or a dying PSU. Put the disk into
  another machine and look whether you can read everything fine.

--knitti
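An added example (not from the thread) of the log check that complements the SMART status: it picks the kernel's "uncorrectable data error" messages out of a syslog file and summarises them per partition and filesystem block, so it is immediately visible whether the retries hammer one sector (the disk) or errors are scattered across devices and blocks (which points more towards the cable, RAM or PSU that knitti suggests checking). The sample log lines are constructed in the wd(4) message layout and are not real data.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's
# "uncorrectable data error" messages per device and block.

# Constructed sample log lines in the wd(4) error format; not real data.
SAMPLE_LOG='Nov  8 10:01:12 box /bsd: wd1a: uncorrectable data error reading fsbn 768416 of 768384-768511 (wd1 bn 768416; cn 762 tn 5 sn 5), retrying
Nov  8 10:01:13 box /bsd: wd1a: uncorrectable data error reading fsbn 768416 of 768384-768511 (wd1 bn 768416; cn 762 tn 5 sn 5), retrying
Nov  8 10:01:19 box /bsd: wd1a: uncorrectable data error reading fsbn 769001 of 768896-769023 (wd1 bn 769001; cn 762 tn 14 sn 2), retrying
Nov  8 10:02:00 box sshd[4242]: Accepted publickey for ops from 192.0.2.5 port 50110 ssh2
Nov  8 10:05:41 box /bsd: wd0a: uncorrectable data error writing fsbn 1024 of 1024-1151 (wd0 bn 1024; cn 1 tn 0 sn 1), retrying'

# disk_error_table
# Reads syslog lines on stdin; prints "DEVICE BLOCK EVENTS" for every
# distinct (partition, filesystem block) pair, sorted by device and block.
disk_error_table() {
    awk '/uncorrectable data error/ {
        dev = ""; blk = ""
        for (i = 1; i <= NF; i++) {
            # the partition name is the "wd1a:" style token
            if ($i ~ /^[a-z]+[0-9]+[a-p]:$/) dev = substr($i, 1, length($i) - 1)
            # the failing filesystem block follows the "fsbn" keyword
            if ($i == "fsbn") blk = $(i + 1)
        }
        if (dev != "" && blk != "") seen[dev " " blk]++
    }
    END { for (k in seen) print k, seen[k] }' | sort -k1,1 -k2,2n
}

# bad_block_count DEVICE  - number of distinct failing blocks on DEVICE
bad_block_count() {
    disk_error_table | awk -v d="$1" '$1 == d { n++ } END { print n + 0 }'
}

# error_event_count DEVICE  - total error messages logged for DEVICE
error_event_count() {
    disk_error_table | awk -v d="$1" '$1 == d { n += $3 } END { print n + 0 }'
}

# Run against the constructed sample; on a real system use
#   disk_error_table < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | disk_error_table
```

Run it again after swapping the cable or moving the disk: if the same blocks on the same partition keep coming back, the medium is failing regardless of what SMART says; if the errors move around, the disk is probably the wrong suspect.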
Re: Custom Kernel for 4.2 upgrade
On 11/2/07, Jason Murray [EMAIL PROTECTED] wrote:
> It's not a shortcut. It is documented, just not supported.
>
> On 2-Nov-07, at 6:23 PM, Stuart Henderson wrote:
> > On 2007/11/02 18:03, Jason Murray wrote:
> > > On the 4.1 box. As I've said I've done this since 3.6 with no
> > > problems.
> >
> > If you were able to take a shortcut for the last 3 years or so, take
> > that as a bonus, but don't expect it to always work (-: You were
> > lucky those times.

This is interesting. Please, tell me where it is documented how to
source-upgrade from release to release? I've done so too, several times
in the past, but I thought (knew) I would do a binary reinstall if I
botch the thing. It didn't happen and after I tried binary upgrades, I
don't miss trying and sweating through a source upgrade (OK, it wasn't
*that* hard). Upgrading by source is like going from -release to
-current (just not to _current_ -current ;-) - you have to expect to
deal with the unforeseen.

--knitti
Re: RAIDFrame inconsistancy and server will not boot!
On 10/26/07, Jake Conk [EMAIL PROTECTED] wrote:
> On 10/25/07, Francesco Toscan [EMAIL PROTECTED] wrote:
> > 2007/10/26, Jake Conk [EMAIL PROTECTED]:
> > > Hello,
> > >
> > > I was trying to restart my server and noticed it wasn't coming
> > > back online so when I went down to go take a look at it I was
> > > having a RAID problem. This is what was showing on the screen:
> > > ...
> > > PARTIALLY TRUNCATED INODE I=720
> > > THE FOLLOWING SYSTEM HAD AN UNEXPECTED INCONSISTENCY:
> > > [...]
> > > My question is what causes this? How can I be warned before a
> > > problem like this happens and what's the best way to prevent this
> > > from coming up? And lastly, is it possible in the worst case
> > > scenario if one of my disks is completely fsck'ed up is it
> > > possible to run the system on 1 of the raid 1 disks until a second
> > > comes?
> >
> > Your problem is related to filesystem, not disks. For some reasons
> > your filesystem (on top of raid) was not properly unmounted:
> > assuming you didn't hard-reboot your server, this happened to me
> > with some IDE devices which lied about commit of write operations.
> > Even if my server was rebooted normally, filesystem and disks were
> > left in an inconsistent state. Better SCSI disks solved the problem.
> > Hardware has become more crappy day by day.
>
> Thanks for your reply Francesco.
>
> > RAID in general keeps your system up if a disk fails, not if
> > filesystem on top of it screws up.
>
> If the filesystem is screwed up then shouldn't the raid just ignore it
> and run on 1 disk until I fix the problem? That seems like the logical
> thing it should do unless all my mirrors of /var are messed up.

as Francesco said, this is not a RAID issue, and the above error is not
originated nor reported by RAIDFrame. It only mentions the device on
which the filesystem is: rraid0f. So it isn't clear why raid should
(could!) prevent that.

> Well anyways since it doesn't do that, some of my original questions
> still stand. How can I be warned before a problem like this happens?

you can't be warned. Do fsck more often. You didn't mount your
filesystem async, did you?

> And lastly, is it possible in the worst case scenario if one of my
> disks is completely fsck'ed up is it possible to run the system on 1
> of the raid 1 disks until a second comes?

yes. as long as this one doesn't break ;-)

BTW: if you use RAID to keep your system up, get familiar with what it
does and doesn't. Most problems arise not from hardware or system
failure, but from admin failure. Do backups.

--knitti
Re: OpenBSD 4.2 RAIDFrame mirror
On 10/25/07, Dominik Zalewski [EMAIL PROTECTED] wrote:
> How to enable RAID 1 and sync first disk with second one without
> installing everything from scratch like in those howtos?

well, apart from the fact, that these howtos are a bit outdated, as
usual, they do more or less describe what to do. just skip the
installation, you've done this already.

did you read the raidctl manpage? In the examples section is a part
beginning with

    Under certain circumstances (e.g. the additional component has not
    arrived, or data is being migrated off of a disk destined to become
    a component) it may be desirable to configure a RAID 1 set with
    only a single component.

this applies to you, I think. read it. the whole manpage.

Additionally, the fifth hit on google with the search terms "OpenBSD
raid" was this: http://www.linux.com/articles/52713
it also describes (a bit newer than the other two howtos) a raid 1
setup, and how to transfer the system from non-raid to raid.

It is very important that you understand what you do. If you follow a
howto, and you don't know why you are doing something, read the manpages
of the tools and files involved. If you want to depend on this setup,
you have to know what you are doing. Also, if you have already some
important data on the system, do a backup now.

And good luck with your Maxtor disks, I hope you have good cooling for
them (I've seen more Maxtor (IDE, SATA) disks dead since after getting
burned multiple times from the infamous IBM deathstar series than from
all other vendors combined, and they are usually hotter than from other
vendors)

--knitti
Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel
On 10/19/07, Stephen Bosch [EMAIL PROTECTED] wrote:
> Other things I've tried:
>
> - moving the Jetdirect to a different port on the same physical switch
> - a variety of static and dynamic IPs in the subnet
>
> I also forwarded the external port 9100 to this print server and tried
> to access it from a public host, but this didn't work either. This
> leads me to suspect a peculiar interaction between OpenBSD 4.1 and
> this particular print server. Of course, it might well be the fault of
> HP's IP stack, but I've already talked to them at great length and got
> pretty much nowhere: "We don't support JetDirect over WAN connections."

look with tcpdump, whether the packets of the printserver look like you
expect. perhaps it only has a ttl of 1 or 2 ;-)

--knitti
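The tcpdump check knitti suggests, as an added example (not from the thread): it reads `tcpdump -n -v` output and reports the smallest IP TTL seen per source host, so a device that sends packets with a TTL too small to survive the hops through a tunnel stands out without reading every line. The sample capture is constructed in the OpenBSD tcpdump layout (TTL in the trailing "(ttl N, id N, len N)" group) with fictional addresses; the parser also copes with the Linux tcpdump layout, where the TTL appears in the "IP (tos ..., ttl N, ...)" group before the addresses.

```shell
#!/bin/sh
# Added example (not from the thread): report the lowest IP TTL seen per
# source host in `tcpdump -n -v` output.

# Constructed sample in OpenBSD tcpdump -n -v style; hosts are fictional.
SAMPLE_TCPDUMP='10:12:01.100 192.0.2.50.9100 > 198.51.100.5.40112: S 1:1(0) ack 1 win 8192 (DF) (ttl 1, id 3, len 44)
10:12:01.101 198.51.100.5.40112 > 192.0.2.50.9100: . ack 1 win 65535 (DF) (ttl 63, id 1001, len 40)
10:12:01.102 192.0.2.50.9100 > 198.51.100.5.40112: P 1:2(1) ack 2 win 8192 (ttl 1, id 4, len 41)
10:12:02.000 192.0.2.10.22 > 198.51.100.5.50000: P 1:33(32) ack 1 win 16384 (DF) (ttl 64, id 7, len 72)'

# min_ttl_by_source
# Reads tcpdump lines on stdin; prints "SOURCE_HOST MIN_TTL" per host.
# The source is the token before ">" with its port suffix removed; the
# TTL is the number after a "ttl" or "(ttl" token, which covers both the
# OpenBSD and the Linux tcpdump layouts.
min_ttl_by_source() {
    awk '{
        src = ""; ttl = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ">" && i > 1) src = $(i - 1)
            if ($i ~ /^\(?ttl$/) { ttl = $(i + 1); gsub(/[^0-9]/, "", ttl) }
        }
        if (src == "" || ttl == "") next
        sub(/\.[0-9]+$/, "", src)
        if (!(src in min) || ttl + 0 < min[src]) min[src] = ttl + 0
    }
    END { for (s in min) print s, min[s] }' | sort
}

# low_ttl_sources MAXHOPS
# Prints the hosts whose smallest TTL is at or below MAXHOPS. A packet
# with TTL n is dropped by the n-th router on its path, so such hosts
# cannot be reached through MAXHOPS or more routers.
low_ttl_sources() {
    min_ttl_by_source | awk -v h="$1" '$2 <= h'
}

# Run against the constructed sample; live use would be something like
#   tcpdump -n -v -i em0 host 192.0.2.50 | min_ttl_by_source
printf '%s\n' "$SAMPLE_TCPDUMP" | min_ttl_by_source
```

Feed it the capture from the inside interface of the tunnel endpoint: a print server whose packets arrive with a TTL of 1 or 2 is doomed at the first or second router, however correct the pf rules are.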
Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)
Hi Boris,

On 10/14/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> You've said that you'd tried different configurations, but the one you
> are showing here just can't work, because you don't have wd3.

I wrote:
> I tried both with wd0d, wd1d (both exist) and with wd1d,wd3d (latter
> doesn't physically exist), none of these is mounted or in use, in fact
> nothing of wd1 is currently used.

that's because there are tutorials on the web which create a degraded
raid forcefully with one missing component. I gave this a shot. I also
tried with wd0d, wd1d, which both exist and were not in use.

--knitti
SOLVED Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)
On 10/14/07, Greg Oster [EMAIL PROTECTED] wrote:
> knitti writes:
> > raidlookup on device: /dev/wd3d failed !
>                                  ^
> I suspect you have an extra space after wd3d in the config file...
> And, unfortunately, that annoying little non-feature is enough to stop
> RAIDframe in its tracks... :(

Thanks a lot, I tried to be as minimal in creating the config file as it
could get, but I failed. Sure enough it was an additional space.

--knitti
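The check that would have caught this before raidctl did, as an added example (not from the thread, and applicable just as well to the RAID 1 config from the earlier "OpenBSD 4.2 RAIDFrame mirror" reply): a small lint for a raidctl(8) configuration file that flags lines ending in whitespace and component lines under "START disks" that are neither a /dev/ path nor the literal "absent" placeholder, plus a helper to strip the stray blanks. The sample config is constructed to reproduce the trailing-space failure; the device names in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint a raidctl(8) config file for
# the trailing blank that stopped RAIDframe here, and for component names
# that are not device paths (or "absent", the placeholder for a missing
# component).

# write_sample_raid_conf PATH
# Writes a constructed RAID 1 config with two components; the second
# component line carries a trailing space, reproducing the failure.
write_sample_raid_conf() {
    printf 'START array\n1 2 0\nSTART disks\n/dev/wd0d\n/dev/wd1d \nSTART layout\n128 1 1 1\nSTART queue\nfifo 100\n' > "$1"
}

# trailing_ws_lines FILE  - prints "LINENO:TEXT" for lines ending in whitespace
trailing_ws_lines() {
    grep -n '[[:space:]]$' "$1" || true
}

# bad_component_lines FILE
# Prints "LINENO:TEXT" for lines in the "disks" section that are neither
# a /dev/ path nor the keyword "absent". A trailing blank makes an
# otherwise fine path fail this test too, just as it fails raidctl.
bad_component_lines() {
    awk '
        /^START / { in_disks = ($2 == "disks"); next }
        in_disks && $0 !~ /^(\/dev\/[A-Za-z0-9]+|absent)$/ { print NR ":" $0 }
    ' "$1"
}

# lint_raid_conf FILE  - reports findings; returns 0 when clean, 1 otherwise
lint_raid_conf() {
    problems=0
    ws=$(trailing_ws_lines "$1")
    if [ -n "$ws" ]; then
        printf 'trailing whitespace:\n%s\n' "$ws"
        problems=1
    fi
    bad=$(bad_component_lines "$1")
    if [ -n "$bad" ]; then
        printf 'suspicious component names:\n%s\n' "$bad"
        problems=1
    fi
    return $problems
}

# fix_trailing_ws FILE  - strips trailing blanks in place, keeping FILE.orig
fix_trailing_ws() {
    cp "$1" "$1.orig"
    sed 's/[[:space:]]*$//' "$1.orig" > "$1"
}

# Demo on the constructed config in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_raid_conf "$demo_dir/raid0.conf"
lint_raid_conf "$demo_dir/raid0.conf" || printf 'config needs fixing\n'
fix_trailing_ws "$demo_dir/raid0.conf"
lint_raid_conf "$demo_dir/raid0.conf" && printf 'config is clean now\n'
rm -rf "$demo_dir"
```

Running `lint_raid_conf /etc/raid0.conf` before `raidctl -C` costs nothing and turns the opaque "raidlookup on device ... failed" into a line number.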
RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)
present, speed: 1.5Gb/s wd0 at pciide0 channel 0 drive 0: ST3320620AS wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: port 1: device present, speed: 1.5Gb/s wd1 at pciide0 channel 1 drive 0: ST3320620AS wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: port 2: PHY offline pciide0: port 3: PHY offline pciide1 at pci1 dev 14 function 1 ServerWorks HT-1000 SATA rev 0x00 piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling iic0 at piixpm0 iic0: addr 0x2f 00=80 05=a0 06=ff 07=a0 08=ff 09=64 0a=64 0b=5e 0c=73 0d=5c 0e=7b 0f=12 10=b2 11=2f 13=ff 14=22 15=6f 16=d0 17=7b 18=d0 19=d0 1a=c0 1c=22 1d=9d 1e=80 1f=80 20=1d 21=51 22=01 23=0f 25=0f 27=0f 29=0f 2b=0f 3b=ff 3c=ff 3d=ff 3e=ff 3f=ff 40=09 44=40 46=f7 47=ff 48=ff 49=7f 4a=3f 4b=02 4d=7c 50=1e 51=02 52=01 58=80 59=01 5c=03 5e=55 5f=03 60=ca 61=87 62=ca 63=87 64=ff 66=ff 67=ff 68=3f 6a=2b 6b=18 6c=7c 6d=65 6e=e3 6f=b9 70=8a 71=70 72=e5 73=bb 74=e5 75=bb 76=e3 77=b9 78=48 79=43 7a=48 7b=43 7c=48 7d=5f 7e=55 7f=50 80=64 81=5f 82=55 83=50 84=64 85=5f 86=55 87=50 88=46 89=41 8a=55 8b=50 8c=64 8d=5f 8e=55 8f=50 90=07 91=68 92=07 93=68 94=07 95=68 96=07 97=68 98=07 99=68 9a=07 9b=68 9c=07 9d=68 9e=ff 9f=ff a0=ff a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff a8=f5 ae=ff af=ff b1=04 b2=30 b3=30 b4=30 b5=30 b6=30 b7=30 b8=30 b9=30 ba=30 bb=89 bc=89 bd=89 be=89 bf=89 c0=89 c1=89 c2=89 c3=01 c4=01 c5=7f c6=ff c9=ff ca=ff cb=ff cc=ff cd=ff ce=ff cf=ff d1=46 d2=46 d3=46 d4=46 d6=f0 d7=ff d8=80 d9=01 da=80 db=01 dc=80 dd=01 de=80 df=01 e0=bb e1=c0 e2=82 e3=ff e4=80 e5=06 e6=fe e7=12 e8=12 e9=12 ea=c8 eb=60 ec=ff ed=ff ee=ff ef=ff f6=60 f7=80 f8=1b fa=ff fd=10 piixpm0: exec: op 1, addr 0x4b, cmdlen 1, len 1, flags 0x08: timeout, status 0x9BUSY,BUSERR pciide2 at pci0 dev 2 function 1 ServerWorks HT-1000 IDE rev 0x00: DMA atapiscsi0 at pciide2 channel 0 drive 1 scsibus0 at atapiscsi0: 2 
targets cd0 at scsibus0 targ 0 lun 0: TEAC, DV-28E-R, 1.8A SCSI0 5/cdrom removable cd0(pciide2:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 0 pcib0 at pci0 dev 2 function 2 ServerWorks HT-1000 LPC rev 0x00 ohci0 at pci0 dev 3 function 0 ServerWorks HT-1000 USB rev 0x01: apic 2 int 10 (irq 10), version 1.0, legacy support ohci1 at pci0 dev 3 function 1 ServerWorks HT-1000 USB rev 0x01: apic 2 int 10 (irq 10), version 1.0, legacy support ehci0 at pci0 dev 3 function 2 ServerWorks HT-1000 USB rev 0x01: apic 2 int 10 (irq 10) usb0 at ehci0: USB revision 2.0 uhub0 at usb0: ServerWorks EHCI root hub, rev 2.00/1.00, addr 1 vga1 at pci0 dev 5 function 0 ATI ES1000 rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00 pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00 pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00 pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00 isa0 at pcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec usb1 at ohci0: USB revision 1.0 uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1 usb2 at ohci1: USB revision 1.0 uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1 Kernelized RAIDframe activated dkcsum: wd0 matches BIOS drive 0x80 dkcsum: wd1 matches BIOS drive 0x81 root on wd0a swap on wd0b dump on wd0b --knitti
Re: Server just freeze with no reason
On 10/12/07, Edgars MakEa [EMAIL PROTECTED] wrote:
> Once per week it just freezes and that's all, nothing in logs. It
> freezes also when it's idling. Strange is that, i can ping it still,
> but nothing more, no service is responding.

How idle is idling? Have you any processes which can explode in RAM
usage or massive forks? I saw once a system run out of mem, with no swap
space exhibiting the same behaviour. I could imagine (disclaimer:
_didn't_ see that one) a system behave similar after not being able to
fork anymore.

--knitti
Re: all kernels except i386 MP high cpu in interrupt -- was: 4.2 on H8SSL-I2: acpi at mainbus0 not configured
aarrgh. sorry I meant to post this:

Hi,

I was asked off-list to gather some more data, which I now present to
anyone who's interested. Disclaimer: there is no acute problem to fix,
but something is odd.

Summary:

- the location of a tgz which includes an acpidump and some dmesgs is:
  http://stuff.ghweb.de/h8ssli2/stuff.tgz
- I tested the following kernels on a Supermicro H8SSL-i2 with an
  Athlon64 X2: amd64: GENERIC, GENERIC.MP, i386: GENERIC, GENERIC.MP
- all except the i386/MP kernel have about 70% cpu load on interrupts
  (the mp kernels on one core), regardless whether acpi is enabled or
  not on an otherwise idle standard installation (up to 2 ssh-sessions
  active), and up to 90% interrupt load, if they've got something to do.
- the i386/MP kernel has about 0.0% interrupt load, also regardless
  whether acpi is enabled
- I did the following to put some load on I/O:
  a) ping -f from another machine to this (only 100 MBit-Network), with
     no packet loss in every case
  b) dd if=/dev/zero of=/tmp/stuff bs=1m count=2000
- the interrupt count monitored through systat vm 1 is roughly
  comparable on all kernels, with and without acpi, except for pciide,
  which comes short on UP kernels (both count and transfer rate)

Some data (interrupt count with systat vm 1):

idle:         amd64/MP   amd64/UP   i386/MP    i386/UP
  clock       200        100        200        100
  ipi         100        (single value as posted; column not recoverable)
  rtc         128 128    (two values as posted; columns not recoverable)
  bge0        5+/-3      5+/-3      5+/-3      5+/-3

a) (ping -f)      (clock, ipi and rtc same as above)
  bge0        3.4k       3.3k       3.3k       3.4k
              +/-100     +/-50      +/-50      +/-50

a) + b) (ping and dd)      (clock, ipi and rtc same as above)
  bge0        3.4k       3.3k       3.3k       3.4k
              +/-100     +/-50      +/-50      +/-50
              (peaks of up to +2k in two of the columns, as posted;
              columns not recoverable)
  pciide      3.7k       850        3.4k       530
              +/-150     +/-50      +/-500     +/-20

overall data transfer with dd:
  amd64/MP: 53-58 MB/s
  amd64/UP: 11-12 MB/s (about 19MB/s without ping -f)
  i386/MP:  52-56 MB/s
  i386/UP:  8-9 MB/s

--knitti
Re: making a release with 4.1 Sept 24 snapshot
On 10/12/07, Toni Mueller [EMAIL PROTECTED] wrote:
> Hi,
>
> On Mon, 08.10.2007 at 16:17:35 -0400, Juan Miscaro [EMAIL PROTECTED] wrote:
> > I am running the Sept 24 snapshot. I've never tried to make a
> > release with a snapshot before and so I wonder whether it's
> > possible. I updated my sources with cvsup (tag=OPENBSD_42) and keep
> > getting a crash:
> >
> > install: addftinfo/addftinfo.cat1: No such file or directory
> > *** Error code 71
> >
> > Stop in /usr/src/gnu/usr.bin/groff (line 88 or /usr/share/mk/bsd.man.mk).
> > *** Error code 1
> >
> > and so on.
>
> good question. I also get a crash while trying to compile groff, but
> mine (i386 snapshot from September 25th) looks a bit different. It
> complains that there is no valid C (or C++) compiler. Wish I had my
> CDs, too...

I replied to Juan off-list, my bad. Read this:
http://www.openbsd.org/faq/faq5.html

snapshot is not release, but some point in time of -current. 4.2 and
current diverged in august. What you have to do is in the FAQ.

--knitti
all kernels except i386 MP high cpu in interrupt -- was: 4.2 on H8SSL-I2: acpi at mainbus0 not configured
On 10/11/07, knitti [EMAIL PROTECTED] wrote:

Hi,

after some sleep and coffee I am embarrassed to realize I made two
mistakes:
- I didn't provide a GENERIC(.MP) dmesg
- I booted off the non-acpi-enabled kernel

Sorry for that. Below you can see two GENERIC.MP dmesgs (i386/amd64)
which clearly show that acpi is enabled and detected. However, one
problem remains: The interrupt load is very high on GENERIC/amd64 (with
and without MP, with and without acpi) - about 70% of one cpu core on
the idle machine. Different is GENERIC.MP/i386, which has low (normal)
interrupt load. Shall I ditch amd64 and run i386 on the machine, or is
there anything I can try?

OpenBSD 4.2 (GENERIC.MP) #252: Tue Aug 28 10:53:04 MDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ (AuthenticAMD 686-class, 1024KB L2 cache) 3 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16 real mem = 3220729856 (3071MB) avail mem = 3121356800 (2976MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 03/01/07, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xfbcf0 (50 entries) bios0: vendor American Megatrends Inc. version 080011 date 03/01/2007 bios0: Supermicro H8SSL-I2 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf4d40/176 (9 entries) pcibios0: no compatible PCI ICU found: ICU vendor 0x1166 product 0x0205 pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xb000 0xcb000/0x2000!
acpi0 at mainbus0: rev 0 acpi0: tables DSDT FACP APIC OEMB acpitimer at acpi0 not configured acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 199 MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ (AuthenticAMD 686-class, 1024KB L2 cache) 3 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 16 pins ioapic1 at mainbus0: apid 3 pa 0xfec01000, version 11, 16 pins ioapic2 at mainbus0: apid 4 pa 0xfec02000, version 11, 16 pins acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (P0P1) acpiprt2 at acpi0: bus 2 (P1P2) acpicpu at acpi0 not configured acpicpu at acpi0 not configured acpibtn at acpi0 not configured acpibtn at acpi0 not configured pci0 at mainbus0 bus 0: configuration mode 1 (no bios) ppb0 at pci0 dev 1 function 0 ServerWorks HT-1000 PCI rev 0x00 pci1 at ppb0 bus 1 ppb1 at pci1 dev 13 function 0 ServerWorks HT-1000 PCIX rev 0xb2 pci2 at ppb1 bus 2 bge0 at pci2 dev 3 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): apic 3 int 8 (irq 9), address 00:30:48:5e:6d:f6 brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge1 at pci2 dev 3 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): apic 3 int 9 (irq 5), address 00:30:48:5e:6d:f7 brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 
0 pciide0 at pci1 dev 14 function 0 ServerWorks HT-1000 SATA rev 0x00: DMA pciide0: using apic 2 int 11 (irq 11) for native-PCI interrupt pciide0: port 0: device present, speed: 1.5Gb/s wd0 at pciide0 channel 0 drive 0: ST3320620AS wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: port 1: device present, speed: 1.5Gb/s wd1 at pciide0 channel 1 drive 0: ST3320620AS wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: port 2: PHY offline pciide0: port 3: PHY offline pciide1 at pci1 dev 14 function 1 ServerWorks HT-1000 SATA rev 0x00 piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling iic0 at piixpm0 iic0: addr 0x2f 00=80 05=a8 06=ff 07=a8 08=ff 09=64 0a=64 0b=5e 0c=73 0d=5c 0e=7b 0f=12 10=b0 11=2e 13=ff 14=22 15=6f 16=d0 17=7b 18=d0 19=d0 1a=bf 1b=0f 1c=1f 1d=9c 1e=80 1f=80 20=1d 21=51 22=03 23=0f 25=0f 27=0f 29=0f 2b=0f 3b=ff 3c=ff 3d=ff 3e=ff 3f=ff 40=09 44=40 46=f7 47=ff 48=ff 49=7f 4a=3f 4b=02 4d=7c 50=1e 51=02 52=01 58=80 59=01 5c=03 5e=55 5f=03 60=ca 61=87 62=ca 63=87 64=ff 66=ff 67=ff 68=3f 6a=2b 6b=18 6c=7c 6d=65 6e=e3 6f=b9 70=8a 71=70 72=e5 73=bb 74=e5 75=bb 76=e3 77=b9 78=48 79=43 7a=48 7b=43 7c=48 7d=5f 7e=55 7f=50 80=64 81=5f 82=55 83=50 84=64 85=5f 86=55 87=50 88=46 89=41 8a=55 8b=50 8c=64 8d=5f 8e=55 8f=50 90=07 91=68 92=07 93=68 94=07 95=68 96=07 97=68 98=07 99=68 9a=07 9b=68 9c=07 9d=68 9e=ff 9f=ff a0=ff a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff a8=f5 ae=ff af=ff b1=04 b2=30 b3=30 b4=30 b5=30 b6=30 b7=30 b8=30 b9=30 ba=30 bb=89 bc=89 bd=89 be=89 bf=89 c0=89 c1=89 c2=89 c3=01 c4=01 c5=7f c6=ff c9=ff ca=ff cb=ff cc=ff cd=ff ce=ff cf=ff d1=46 d2=46 d3=46 d4=46 d6=f0 d7=ff d8=80 d9=01 da=80 db=01 dc=80 dd=01 de=80 df=01 e0=bb e1=c0 e2=82 e3=ff e4=80 e5=06 e6=fe
Re: 4.2 on H8SSL-I2: acpi at mainbus0 not configured
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: ST3320620AS
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: port 2: PHY offline
pciide0: port 3: PHY offline
pciide1 at pci1 dev 14 function 1 ServerWorks HT-1000 SATA rev 0x00
piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling
iic0 at piixpm0
iic0: addr 0x2f 00=80 05=a8 06=ff 07=a0 08=ff 09=64 0a=64 0b=5e 0c=73 0d=5c 0e=7b 0f=12 10=b1 11=2f 13=ff 14=22 15=6f 16=d0 17=7a 18=d0 19=d0 1a=bf 1b=03 1c=21 1d=9b 1e=80 1f=80 20=1d 21=51 22=01 23=0f 25=0f 27=0f 29=0f 2b=0f 3b=ff 3c=ff 3d=ff 3e=ff 3f=ff 40=09 44=40 46=f7 47=ff 48=ff 49=7f 4a=3f 4b=02 4d=7c 50=1e 51=02 52=01 58=80 59=01 5c=03 5e=55 5f=03 60=ca 61=87 62=ca 63=87 64=ff 66=ff 67=ff 68=3f 6a=2b 6b=18 6c=7c 6d=65 6e=e3 6f=b9 70=8a 71=70 72=e5 73=bb 74=e5 75=bb 76=e3 77=b9 78=48 79=43 7a=48 7b=43 7c=48 7d=5f 7e=55 7f=50 80=64 81=5f 82=55 83=50 84=64 85=5f 86=55 87=50 88=46 89=41 8a=55 8b=50 8c=64 8d=5f 8e=55 8f=50 90=07 91=68 92=07 93=68 94=07 95=68 96=07 97=68 98=07 99=68 9a=07 9b=68 9c=07 9d=68 9e=ff 9f=ff a0=ff a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff a8=f5 ae=ff af=ff b1=04 b2=30 b3=30 b4=30 b5=30 b6=30 b7=30 b8=30 b9=30 ba=30 bb=89 bc=89 bd=89 be=89 bf=89 c0=89 c1=89 c2=89 c3=01 c4=01 c5=7f c6=ff c9=ff ca=ff cb=ff cc=ff cd=ff ce=ff cf=ff d1=46 d2=46 d3=46 d4=46 d6=f0 d7=ff d8=80 d9=01 da=80 db=01 dc=80 dd=01 de=80 df=01 e0=bb e1=c0 e2=82 e3=ff e4=80 e5=06 e6=fe e7=12 e8=12 e9=12 ea=c8 eb=60 ec=ff ed=ff ee=ff ef=ff f6=60 f7=80 f8=1b fa=ff fd=10
piixpm0: exec: op 1, addr 0x4b, cmdlen 1, len 1, flags 0x08: timeout, status 0x9BUSY,BUSERR
pciide2 at pci0 dev 2 function 1 ServerWorks HT-1000 IDE rev 0x00: DMA
atapiscsi0 at pciide2 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DV-28E-R, 1.8A SCSI0 5/cdrom removable
cd0(pciide2:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 0
pcib0 at pci0 dev 2 function 2 ServerWorks HT-1000 LPC rev 0x00
ohci0 at pci0 dev 3 function 0 ServerWorks HT-1000 USB rev 0x01: apic 2 int 10 (irq 10), version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 ServerWorks HT-1000 USB rev 0x01: apic 2 int 10 (irq 10), version 1.0, legacy support
ehci0 at pci0 dev 3 function 2 ServerWorks HT-1000 USB rev 0x01: apic 2 int 10 (irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: ServerWorks EHCI root hub, rev 2.00/1.00, addr 1
vga1 at pci0 dev 5 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b

greetings, knitti
4.2 on H8SSL-I2: acpi at mainbus0 not configured
Re: firewall is very slow, something's wrong
On 10/8/07, Florin Andrei [EMAIL PROTECTED] wrote:
> I still can't match the performance I get from Linux. Any suggestion is appreciated.

there were postings on this list in the past about problems with quad-port em NICs. I am absolutely not in a position to tell whether they are relevant for this situation. If I remember correctly, there was a problem with TCP checksum offloading, and a suggested fix in one instance was jumpering the card down to 66 MHz. I can't tell if this is related in *any* way. I think there are some people here who *could* tell if you'd post a dmesg.

greetings, knitti
Re: ms exchange replacement
On 10/2/07, Karsten McMinn [EMAIL PROTECTED] wrote:
> On 10/2/07, Lord Sporkton [EMAIL PROTECTED] wrote:
>> i am looking into an exchange replacement, i'm looking to have use of calendar appointments, tasks and mail all through a central server, also i have multiple windows based mobile devices syncing with this server, i wasn't able to find anything that looked like an exchange replacement in ports or pkgs
>
> quite a few options these days: kolab, horde (ports), mozilla + friends (ports), scalix, zimbra, open-xchange, and opengroupware. sort of depends on how you define groupware. Not all of these in ports of course.

opengroupware is not fun. i have to maintain (keep running) an ogo installation (on linux), the inner workings are rather opaque, the documentation is sparse and it leaks memory and performance left and right. but if you have mail trouble, you can look at the underlying smtp and imap servers and actually fix things, much more transparent than exchange (of which i also have some instances to look after)

greetings, knitti
Re: Tool for HD analyzing
Hi,

On 9/28/07, Leonardo Marques [EMAIL PROTECTED] wrote:
> Hey guys, I've a HD which is returning a lot of errors. Does someone know a good tool to analyze this disk and tell me if I have to replace it or if there is some way to repair it?

I don't know which tools exist for OpenBSD, but if you're on x86/AMD64 and are OK with a DOS bootdisk, search for MHDD. This is a really nice tool. Or just burn yourself an ultimate boot cd (ultimatebootcd.com), which also includes MHDD and a ton of other diagnosis and repair tools.

greetings, knitti
9GB Wide SCSI HDDs useful?
Hi,

we have here six 9GB Wide SCSI HDDs (68 pin), which are of no use to us anymore. Each has been surface-scanned, so (at the moment) they are working well.

Details:
- 4 IBM DDRS-39130 manufactured in October 1998
- 2 Quantum Atlas IV (should also be from the last century)

*If* someone from the OpenBSD developer community can use them, I would ship them anywhere in the EU, preferably in Germany.

greetings, knitti
Re: java on openbsd
On 11/14/06, Marc Ravensbergen [EMAIL PROTECTED] wrote:
> I am having a hard time getting java to work on openbsd. Java is a deal-breaker for me as I use it all day every day for work. What I've done is taken a tar of the linux version, and untarred it in openbsd. I have turned on linux emulation by modifying the variable in /etc/sysctl.conf, and I've mounted the /proc filesystem. I have also pkg_added redhat-base8.xxx. However, whenever I run java, I get a "Can't detect initial thread stack location - find_vma failed" error. This is for sun's jdk 1.5.06 as well as one of the newer 1.6 versions. IBM's jdk1.4 says it cannot read or write (not sure exactly anymore) to /proc/. I've tried running all three versions as root to check for permission errors, but it makes no difference. I've googled for hours trying to find a solution, but can't seem to fix it. I really don't want to download the source for java and compile... I am on dialup so every byte counts. A little while ago I tried java on netbsd and got it working through linux emulation as well. I had problems with netbsd so it didn't stick around, but I believe that java on bsd through emulation should be possible; probably just an oversight somewhere on my part.

I didn't try any linux 1.5/1.6 jdk, but perhaps you missed something for your linux emulation? read man compat_linux, perhaps it helps. the other option you have is having someone mail you the source on cd, or use kaffe (don't know how useful it is for your purposes).

--knitti
Re: OpenBSD AJAX
On 10/25/06, ropers [EMAIL PROTECTED] wrote:
> Ryan, Joachim (, others): You mentioned that you dislike PHP. I would be curious to learn your reasons for this. I'm not trying to instigate religious wars or the like, it's just that my programming skills are mostly nonexistent (cough GW BASIC, shell scripts /cough) and I'm thinking of properly learning PHP, kind of as an evolutionary step up from XHTML. Should a coding n00b like myself avoid PHP like the plague, or do your reasons only come into play once a certain level of programming proficiency is attained?

run like hell, this stuff is cursed. not that you wouldn't be able to write (more or less) correct code, but once you have to work in a team, there's a 90% chance it is dominated by braindead code monkeys who have worked with php since The Early Days(tm), which means
a) all-global vars
b) not the faintest idea of object orientation
c) no sense for code maintenance and
d) really good stuff, spaghetti style

--knitti
Re: OpenBSD AJAX
On 10/25/06, knitti [EMAIL PROTECTED] wrote:
> [OT comment]

sorry for this, it was off topic and slightly offensive

--knitti
Re: pppoe slow on openbsd
first, I do understand your frustration. however, none of the developers has the obligation to change the situation, and _maybe_ there is simply not enough manpower/access to some strange combination of hardware and a specific dsl service. if you followed the list in these years you surely will understand this.

On 10/20/06, Chris [EMAIL PROTECTED] wrote:
> The pppoe dial error (userland) "can't assign requested address" after 4 major OpenBSD releases didn't go away. No one cared to address the situation and of course the same old answer "different isps use different pppoe implementations" was the easy answer to leave the question unanswered.

this answer is true nevertheless

> 90% of home office internet connections have to do with pppoe crappy dsl implementations, at least here in Europe.

I'm in europe too, and connected openbsd routers to a broad variety of dsl services since OpenBSD 3.1.

> So from the openbsd 3.4 release I have installed OpenBSD as a router (suggested by me) to different small offices successfully and despite the OpenBSD pppoe risk that these boxes will never see the Internet world.

which could've several reasons, _one_ of them openbsd's pppoe not supporting this special implementation. there are cheap devices out there capable of that, which could be plugged in front of the router. it costs slightly more than without, but saves a lot of frustration compared to not being able to connect the router to the internet.

> So 3.5 - 3.6 - 3.7 - 3.8 and now I am afraid to tell my clients to update. No matter what useful things the new releases have, if I can not connect them to the Internet the only option is to call microsoft to apply for the licensing program...

if you think that's your solution, off you go!

> I am so disappointed with this, as every now and then in these years I read posts in the list, from the newbie trying to install an openbsd box for the first time, to users that are very familiar with openbsd like myself, crying out that the pppoe implementation in openbsd is broken.

why would you come to this conclusion? because you are one of the few who have either a really crappy dsl service or are incapable of reading the man pages?

> An answer to all these people: IS PPP OPENBSD IMPLEMENTATION BROKEN? YES IT IS NO MATTER WHAT YOU READ IN THE LIST. YES IT IS AND NO ONE CARES. YES YOU HAVE DONE NOTHING WRONG IN YOUR CONFIGURATION, THE ERRORS ARE NOT THERE FOR DEBUGGING JUST FOR SEEING THEM.

this is downright wrong. and rude.

> On openbsd 3.9 I can connect through pppoe (userland) to my ISP, everything works fine but I can not download more than 250KB/s despite that my line is capable of 2000KB/s. In a 3.5 box same configuration same ISP I am capable of 2000KB/s. Must I downgrade?

so actually it works? have you worked out the differences?

> I myself want to ask what's the meaning of an os secure and capable of tasks if I can not connect to an ISP using the way that 90% of Internet users use in this world.

does it connect or doesn't it?

> I needed to write this after 5 years of seeing the community ignore the needs of its users. We have donated, supported it and continue to do so. We have no right to demand things but I think we have the right to alert the community as definitely with this matter something IS DEFINITELY wrong.

this is the best bug report of all times.

> I think that 50% of OpenBSD users use pppoe connections and I think that 10% of us use for example IPSEC. Despite that, IPSEC works far better than establishing a dsl connection and downloading at proper rates.

for me, both pppoe and ipsec do work. as well as the other things i use: pf, apache, sendmail, ccd and a bunch of ports

> Will there be a way to establish a dsl broadband connection from an openbsd gateway to an ISP without errors and problems ever in the future like 99% of all other OSes (even those that are not dedicated to networking as OpenBSD is) CAN? OR NOT?

your question is pointless, as openbsd does this already

--knitti
Re: Version 4.0 release
On 10/9/06, David B. [EMAIL PROTECTED] wrote:
> This is a $125,000 machine 5 years ago, and I treat it no better than some crappy i686 box because security is my primary issue. If I went with another OS, I could get a lot of the functionality I want, but what good is it, if some 12 y/o kid in pakistan can hack my box. I just can't see why SMP and hardware raid aren't supported on sparc64/II.

if you regret it that much running openbsd on this machine, you should learn how to use one of the other OSes. keeping them secure would of course require you to do a bit more, but _come on_, i just can't see why you can whine that much about a status quo, yet not make any effort to use the better part of your hardware. otoh if your company can spend that much on hardware idling for years without it being a problem, why not just fund one or two of the developers to do the task?

--knitti
Re: Version 4.0 release
On 10/10/06, RedShift [EMAIL PROTECTED] wrote:
> If a 5 year old RAID controller is not supported, what can be expected in the future? Yes I'm sure there isn't enough documentation available, license disagreements, etc... but come on, it's 5 years old!

it is that easy: if you can't use the os, don't use it. at least as long as you aren't able to change the situation by either coding it, or donating hardware or $$$ to raise the developers' interest in the particular device or issue

> You would think _somebody_ would at least make an attempt at it.

famous last words.

> Even the most basic servers nowadays are equipped with a dual core processor.

well, the most basic (new) servers are i386/amd64, which have quite usable smp support

> Yes I'm pretty sure that OpenBSD features a lot of proper, decent and intuitive code, but performance in some areas lacks tremendously.

i'm sure the developers will gladly accept your proper bug reports

> I'm not saying OpenBSD is a bad operating system. Far from it. However I would only use it for routers, firewalls, bridges, etc... Anything that has to do with networking because after all, OpenBSD's networking is great. Outside these areas OpenBSD is just too slow and doesn't support enough hardware.

sez who? a troll

--knitti
Re: Hacking a mail server
On 9/27/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:
> ;) Sorry, ok the problem is this: someone told my boss that the email messages have been read by someone else. this information came from our isp (we have an e1 connection, it's like a t1 connection), so with that information they said that the hacker redirects the messages before they get to the mail server and after being read the message hits the mail server, so the question is if someone can do that, because of this information.

redirecting before it hits the mail server would probably be either at the sender's network or at your isp, which *should* be able to defend its network. of course, if the isp is *required* to be compromised (law enforcement), you would probably want end-to-end encryption. sendmail as well as many pop/imap servers do support ssl/tls. of course, you must trust that your server is not compromised.

> now what i think is that it is probable that the hacker is inside my local network, but if this was the case how is it that my isp knows that i have a hacker inside my network getting a copy of the mails, sending the mails to their destination?

there are a couple of techniques for (maliciously) rerouting traffic, which aren't exactly on topic (start with googling dns poisoning, and arp poisoning, go from there).

> i'll give more information, for the time being i have just installed stunnel and activated it for pop3 and smtp, i'm thinking of auditing my mail server and auditing my network, do you know of tools that help to check the information above?

look whether your server behaves strangely, e.g. look at the logs, load patterns etc. and look at it from the outside, boot a cdrom or a ramdisk-kernel and check whether the binaries are those which you expect. sniff your server's traffic. finding whether a box was compromised is not trivial, especially if you don't find any evidence. if you can afford to do it, better reinstall from scratch and look where you can tighten up the security.

--knitti
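The "boot clean media and check whether the binaries are those which you expect" step above is, in practice, a comparison of file digests against a manifest taken from a known-good install. The following is an added example, not code from the post or from OpenBSD: it builds a SHA-256 manifest of a tree, then reports what was modified, removed or added after a constructed tampering. The directory layout and file contents are made up for the demo; on a real box the known-good manifest would be built from the install media or a trusted copy and kept off the host, and the check run from the rescue boot, not from the suspect system.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 digest of one file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its digest.

    Symlinks are skipped on purpose: a link redirected to a rogue binary
    then shows up as 'missing' instead of being hashed through silently.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(expected, actual):
    """Classify differences between a known-good manifest and a fresh one."""
    return {
        "modified": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
    }


def demo():
    """Constructed scenario: snapshot a tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\necho known-good ls\n")
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho known-good ps\n")
        (bin_dir / "netstat").write_bytes(b"#!/bin/sh\necho known-good netstat\n")
        known_good = build_manifest(tmp)

        # Constructed tampering: one tool replaced, one removed, one dropped in.
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho tampered ps\n")
        (bin_dir / "netstat").unlink()
        (bin_dir / "sshd_helper").write_bytes(b"not in the manifest\n")
        return compare_manifests(known_good, build_manifest(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The digest comparison only tells you that something changed, not what changed it; that is why the post pairs it with looking at logs and load patterns, and why a reinstall from scratch is the recommended end state once a box is suspect.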
Re: Hacking a mail server
On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:
> can someone external to the network get a copy of all the mail that is getting to a mail server??? ??

short answer: no
long answer: yes

please clarify your question. also, why should this be related to openbsd?

--knitti
Re: Hacking a mail server
[I reordered the text, so your answer is below my question, I think this is more readable]

On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:
> knitti wrote:
>> On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:
>>> can someone external to the network get a copy of all the mail that is getting to a mail server??? ??
>>
>> short answer: no
>> long answer: yes
>>
>> please clarify your question. also, why should this be related to openbsd?
>
> because i use an obsd server and i need help

If you need help, *please* take some minutes and describe your problem. AFAIK there's no one on this list who has truly telepathic abilities, so you have to *tell* what's wrong. Based upon everything you said so far I can only suggest you grab a local copy of the yellow pages (or equivalent) and hire a unix consultant. but that's probably not what you wanted by asking here.

--knitti
Re: spamd and TLS on port 25
On 8/10/06, Will H. Backman [EMAIL PROTECTED] wrote:
> Darrin Chandler wrote:
>> However, if the connecting party *requires* TLS then it would have a problem with spamd. Is that the trouble you're having?
>
> Yes. I'm protecting a Microsoft Exchange server with spamd on an openbsd bridge. Because Microsoft Outlook uses Microsoft's way of having MUAs talk to MTAs, there is no problem there. I also enabled IMAPS (port 993) and SMTP-TLS (port 25) on the Exchange Server so that normal mail clients like Thunderbird can play along. Because I require TLS and SMTP-AUTH for relaying purposes, I'm in a bind. My real problem is getting Exchange to do SMTP-TLS on a different port, so this is really a non-openbsd issue. I guess I was just asking to make sure, and also to see if people had dealt with a situation like this. I can imagine that openbsd and spamd are used to protect all kinds of pesky MTAs.

if you just want to have MUAs talk to your exchange, and don't want to use STARTTLS, rdr the Exchange server to port 587 or 465 with pf. If you *want* to have a server on port 25, the correct way would be to use STARTTLS, which is supported by exchange, should work with spamd and all sane MUAs or MTAs.

--knitti
Re: Tuning OpenBSD network throughput
On 8/8/06, Matthew R. Dempsky [EMAIL PROTECTED] wrote:
> First, I connected the two Linux boxes with an Ethernet cable and ran ``iperf -s'' on the 2.0GHz machine and ``iperf -c 192.168.10.1'' on the 266MHz machine, and iperf reported a bandwidth of about 224 Mbits/sec. Then, I substituted out the 266MHz machine and replaced it with the 600MHz machine (i.e., faster processor, more ram, and better software), but running ``iperf -c 192.168.10.1'' under OpenBSD reported a mere 3.8 Mbits/sec---nearly two orders of magnitude less! Can anyone explain the huge discrepancy here? Can I do anything to get OpenBSD to achieve at least 150 Mbits/sec?

first look for duplex mismatch, bad cabling etc.
then look for high interrupt load, change hardware etc.
then read about iperf, and think whether it applies to your problem.
then think about your goal. do you want 150 mbit with tiny 40 byte packets or with jumbo frames (huge difference)
and, in any case, search the archives about tuning openbsd.

--knitti
Re: OpenBSD and high availability
On 8/7/06, Jens Mayer [EMAIL PROTECTED] wrote:
> While the networking part can be handled by carp, I'm collecting ideas on how to keep the local file systems in sync - especially for ftp users and the mailing list archives. The synchronization will be done via a dedicated cross connect cable directly between the boxes.

while I would do it with rsync (I know, depends on what you want to do), I don't see any reason why ccd'ing two large nfs-exposed files shouldn't work. But I think this would be more ugly and complicated than rsyncing every x minutes...

--knitti
Re: sendmail
On 7/27/06, David B. [EMAIL PROTECTED] wrote:
> sorry to bother, can anyone suggest a definitive book I should buy on how to set up Sendmail on OpenBSD 3.8? I have looked all over the net for a HOWTO or an article that steps me through how to set up a user account and password, and then how to retrieve it (look at it on the server), but all the articles go on and on about how to download it, compile it and install it; none of them tell me how to use it. The articles talk about just every possible subject except how to simply create a user/password account, and then tell you where the email is supposed to be on the server, and then how to look at it.

read and understand in this order:
- man afterboot
- /usr/share/sendmail/README
- documentation on sendmail.org

this _will_ serve you far better than any step-through-howto

--knitti
Re: sokeris output
On 7/24/06, Gustavo Rios [EMAIL PROTECTED] wrote:
> Could someone send me a dmesg from a soekris net4801 machine running openbsd? Thanks in advance. PS: If you have a kernel configuration file for exactly that hardware, I would enjoy that too.

Is there anything wrong with a vanilla GENERIC kernel? I have a couple of net4501 running with some slightly older OpenBSDs (3.4, 3.5, 3.7) which Just Work (TM). Is the net4801 that different?

--knitti
Re: problem with sendmail on obsd. .com.au turned into com.au.com.au
On 7/24/06, Craig Hammond [EMAIL PROTECTED] wrote:
> Whatever I've done wrong, I've done wrong in a consistent way as about 5 of my other obsd boxes (both 3.8-stable and 3.9-stable) in other locations all did a similar thing at the same time.

I'd rather suspect some DNS screw up, check whether the intended name resolves on this box. (check twice ;-), check the bind instance which should be queried by sendmail and check the name servers configured in resolv.conf. sometimes this is not the same)

> I couldn't figure out what I did wrong, so just to get things working again, I tried adding an entry to /etc/hosts pointing int-firewall.sbisolutions.com.au.com.au to 127.0.0.1. This didn't work as I guess sendmail doesn't use /etc/hosts.

I _think_ this depends on your resolv.conf

--knitti
Re: How to make fsck run faster?
On 7/16/06, Antti Harri [EMAIL PROTECTED] wrote:
> Kernel is 3.8 GENERIC and there is one large ffs partition on the SATA disc, roughly the size of 180G. Most of the files

make smaller slices and mount only the ones r/w which you absolutely need. the bigger a fs is, the longer it takes, and the more memory is consumed by the fsck

--knitti
Re: Kernel pppoe (and the german ISP Hansenet)
On 7/6/06, knitti [EMAIL PROTECTED] wrote:
> I'd suspect some different issues than just blaming the implementation of the daemon

sorry, this is of course not about the daemon, but the rest still applies

--knitti
Re: Kernel pppoe (and the german ISP Hansenet)
On 7/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> For now I can and will point out the following: The userland pppd simply just sucks. Sorry but it becomes really kind of unusable if you've a... faster line. I had a 2MBit ADSL connection (192kbit/s upload) and had no problem. Now I've an 18Mbit line (max, mostly 6-9) and 100kb/s (not kbit) up. What did I notice? I used the binary stuff for the only Windows machine I've and got: ~8mbit and ~102kb up. With OpenBSD and userland pppoe I just get ~4-5Mbit and max ~12kb upload. I think it's a huge difference between ~100kb and 12kb and I didn't know that the userland pppoe sucks so badly.

well, perhaps you check the rest of your configuration. unless you are trying to do 18Mbit via userland ppp on a real low tech box (e.g. soekris 4501), I'd suspect some different issues than just blaming the implementation of the daemon. check for auto-negotiation mismatches between your NICs / switches, MTU problems etc. Is there *any* indication on the box that it can't handle the bandwidth? as I understand it, userland ppp _is_ less efficient than kernel ppp, but it will only matter _practically_ if your CPU is maxed out. also sometimes ISPs sell you some gigantic *theoretical maximum* adsl, which doesn't work out because of poor line quality etc. also, I think an up/down ratio of about 1:22 does sound like you'll only max out your downstream on some special applications, e.g. udp streams (video)

--knitti
Re: hints for scanning msdosfs patters?
On 7/6/06, vladas [EMAIL PROTECTED] wrote:
> I have fd up the first 10Mb of the 3Gb fat disk (not partition, the whole 3Gb disk) full of windoze shit. Then, due to time limits, made some sort of backup of the mess with dd and put Puffy into that disk (dedicated install). The problem is that management needs some of that stuff back ...

if there was only one partition with FAT, you're out of luck with any standard tool because the fat is within the first 10 mb. there are tools out there (google something like 'file recovery FAT'), but I don't know whether such exist for OpenBSD. In any case, the more fragmented the FAT was, the less is the chance of reviving something meaningful.

--knitti
Re: Kernel pppoe (and the german ISP Hansenet)
On 7/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> My hardware is a Duron 900Mhz with 3x128MB SD100 and a 6GB HDD. The NICs are 2x xl (3Com) and one ath0 (wlan).

which should be more than enough

> It seems to be really a problem with the userland pppd which limits the upload/download so dramatically.

why?

> The Duron 1800Mhz (which is my only Windows box) has also a 3Com NIC. The only difference is: The little workstation uses Windows and the pppoe drivers from hansenet + DialIn application.

so what's the difference? there are a lot of things you can screw up, and the isp won't hand-hold you with any of the connection parameters. spend some hours (yes, this is a long manpage, but it is, as usual, really helpful) with ppp(8) _after_ you checked for MTU problems, autoneg mismatches etc. did you do that?

> And nope it's not related to UDP.. I meant I've ~100kb upload (even via sftp).

I just meant that your upstream will already be pretty clogged from all those tiny little ack packets of the various tcp streams. a problem (and feature) which doesn't exist with udp.

> With the Router I just got...~12? So the difference is really not related to the hardware (no, the CPU is not used completely (100%)).

that's what i said. I don't believe there's an arbitrary limitation of userppp, if your system is almost idle.

> A Soekris box could maybe help but to be truthful: i won't spend ~150EUR for a home router. So if somebody has a low-budget solution I would be happy. :-))

don't take a soekris net 4501 for anything above 3-4mbit (maybe it'll also do 6 mbit)

> p.s. Userland pppds in NetBSD and Linux should perform a lot better (I found some benchmarks via google but there were just outdated OSs (OpenBSD 3.2 was tested there)).

well, unless you serve a ppp access point, there's no point in looking into the performance of ppp_d_

--knitti
Re: Crashes and HDD params
On 6/23/06, Tobias Ulmer [EMAIL PROTECTED] wrote:
> Looks like this is an older box (no dmesg, so it's just a guess). I have a board ('96) that doesn't do any dma, but accepts to be set to pio 4, dma 2. This results in several crashes per day, corrupt data on ro filesystems and so on. Changing wd to 0xffc (pio 4) does fix it.

this doesn't necessarily mean the controller or disk is buggy, it could just be a bad cable, which works if not used at top speed (or, more correctly, frequency). I have seen this multiple times with almost any os (that supports udma)

--knitti
Re: mounting two times
On 6/19/06, Lars Hansson [EMAIL PROTECTED] wrote:
> On Monday 19 June 2006 18:12, Martynas Venckus wrote:
>> I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot), but web applications could access the mysql server only by network, which is not the most secure and fast way.
>
> What's not secure about binding to localhost only?

protocol attacks on the application which talks to mysql? if you use some php stuff (any php stuff ;) and talk to mysql, you can manipulate the db by sql injection. if _then_ mysql has e.g. a hole which allows it to be manipulated or broken out into a shell, a chroot would help a lot ;)

--knitti
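The "manipulate the db by sql injection" hole the post refers to lives in the application, not in mysql or in how mysql is bound; the chroot is the layer that limits the damage once that hole is used. As an added example that is not from the thread, the block below puts the vulnerable query-building pattern next to its parameterised form. It uses Python's bundled sqlite3 as a stand-in for the PHP-plus-MySQL stack the posters have, since the injection mechanics are the same: the only difference between the two lookups is whether user input is glued into the SQL text or bound as a parameter. The table, rows and the hostile input are constructed for the demo.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation.

    Whatever the caller passes becomes part of the SQL grammar, so a
    quote in the input ends the literal and the rest is parsed as SQL.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query with a bound parameter.

    The driver sends the value separately from the statement text, so the
    input can never change the shape of the query, only the value compared.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with an ordinary name and with the textbook hostile input."""
    conn = setup_db()
    hostile = "x' OR '1'='1"  # constructed: closes the literal, appends an always-true clause
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "bob"),
        "normal_safe": lookup_safe(conn, "bob"),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),
        "hostile_safe": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the ordinary name both lookups return the one matching row; with the hostile input the concatenated version returns every row in the table while the parameterised version returns nothing, because no user is literally named `x' OR '1'='1`. Fixing the query is the first layer; the chroot discussed in the thread is what stands between a later mysqld bug and the rest of the host.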
Re: mounting two times
On 6/19/06, Lars Hansson [EMAIL PROTECTED] wrote:
> On Monday 19 June 2006 19:09, knitti wrote:
>> protocol attacks on the application which talks to mysql?
>
> Uhm, and using a domain socket is different how?

ouch, snafu. sorry, I misunderstood. I don't think there's any practical security difference between running chrooted with a domain socket vs. a local tcp socket

--knitti
Re: Hifn policy on documentation
On 6/15/06, Wolfgang S. Rupprecht [EMAIL PROTECTED] wrote:
> Ditto for the card intentionally leaking the keying data into the cipher stream?

oh come on, this discussion is already as off topic as it can be, no need to add FUD to it. any algorithm the cards claim to implement _is_ fully documented, so you can test any output except that of the RNG against a 'known good' implementation

--knitti
Re: wikipedia article
On 6/11/06, Hamorszky Balazs [EMAIL PROTECTED] wrote:
> I'm looking for some help on an article on wikipedia. http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems

I think this is an exercise in futility, for staying up-to-date, for trying to be unbiased and non-arbitrary. what qualifies a driver to be called official? i'd say, it should _at least_ be supportable by the system developers. also there are other companies who produce binary blobs, which aren't listed. and there is a multitude of drivers for most of the OSes which aren't listed. what entitles an architecture to deserve a row in the table? e.g. cell clearly qualifies as "other" in my book, being only supported by linux, but vax should deserve a row, both because more than one os supports it and there exist quite some installations around, more than a few dev-kits. the same with file systems (e.g. zfs, reiser4)

(...rest of rant deleted, it's already off topic...)

oh, and don't tell me i shall participate.

--knitti
Re: ntp on soekris
On 6/8/06, Peter [EMAIL PROTECTED] wrote:
> --- knitti [EMAIL PROTECTED] wrote:
> > the soekris are not very good at time keeping, in my experience.
> > whether this is a problem is something you have to decide, do you
> > need more precision? if yes, change the hardware, else don't worry
>
> What is your experience and what did you observe? I have two 4801
> units and they have no problem keeping time.

I have a couple of 4501, and they _do_ keep the time, with the help of
ntpd, random sample:

Dec 21 03:33:45 fg-router ntpd[14941]: adjusting local clock by 0.893647s
Dec 21 03:37:45 fg-router ntpd[14941]: adjusting local clock by 0.859043s
Dec 21 03:41:43 fg-router ntpd[14941]: adjusting local clock by 0.788777s
Dec 21 03:44:49 fg-router ntpd[14941]: adjusting local clock by 0.740139s
Dec 21 03:48:49 fg-router ntpd[14941]: adjusting local clock by 0.645784s
Dec 21 03:52:22 fg-router ntpd[14941]: adjusting local clock by 0.761796s
Dec 21 03:56:20 fg-router ntpd[14941]: adjusting local clock by 0.822203s
Dec 21 03:59:59 fg-router ntpd[14941]: adjusting local clock by 0.890898s
Dec 21 04:04:03 fg-router ntpd[14941]: adjusting local clock by 0.796980s
Dec 21 04:07:44 fg-router ntpd[14941]: adjusting local clock by 0.740668s
Dec 21 04:11:45 fg-router ntpd[14941]: adjusting local clock by 0.726457s
Dec 21 04:15:45 fg-router ntpd[14941]: adjusting local clock by 0.817878s
Dec 21 04:19:45 fg-router ntpd[14941]: adjusting local clock by 0.917739s

which is similar on all of the soekris boxes

another sample from another box, not a soekris:

Jun 5 22:21:38 cvs ntpd[2002]: adjusting local clock by -0.194812s
Jun 5 23:25:42 cvs ntpd[2002]: adjusting local clock by -0.170715s
Jun 6 00:38:50 cvs ntpd[2002]: adjusting local clock by -0.131455s
Jun 6 00:50:41 cvs ntpd[2002]: adjusting local clock by -0.156146s
Jun 6 00:55:39 cvs ntpd[10045]: peer 82.133.58.132 now invalid
Jun 6 01:09:08 cvs ntpd[10045]: peer 82.133.58.132 now valid
Jun 6 01:54:22 cvs ntpd[2002]: adjusting local clock by -0.142031s
Jun 6 02:06:02 cvs ntpd[2002]: adjusting local clock by -0.153419s
Jun 6 02:14:49 cvs ntpd[2002]: adjusting local clock by -0.181421s
Jun 6 03:10:24 cvs ntpd[2002]: adjusting local clock by -0.176803s
Jun 6 04:17:09 cvs ntpd[2002]: adjusting local clock by -0.142914s
Jun 6 04:25:24 cvs ntpd[2002]: adjusting local clock by -0.131678s

which leads me to the assumption that the soekris boxes drift a bit more
in time. that's all.

--knitti
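The post's argument rests on eyeballing the two log excerpts. As an added example (not code from the post or from OpenBSD), the script below parses ntpd's "adjusting local clock by" lines per host and turns them into a rough drift rate. The log lines are the ones quoted above, embedded as sample input; the year (syslog lines have none) and the drift approximation (|adjustment| divided by the seconds since the previous adjustment on the same host, in ppm) are assumptions made here, and a December-to-January wrap is not handled.

```python
"""Estimate per-host clock drift from OpenBSD ntpd(8) syslog lines.

Added example, not code from the post or from OpenBSD. Assumptions:
syslog timestamps carry no year, so every line is placed in one assumed
year (2006) and a December-to-January wrap is not handled; the drift rate
is approximated as |adjustment| divided by the seconds elapsed since the
previous adjustment logged for the same host, in parts per million.
"""
import re
from datetime import datetime
from statistics import median

# Sample input: the ntpd lines quoted in the post, embedded here as test data.
SAMPLE_LOG = """\
Dec 21 03:33:45 fg-router ntpd[14941]: adjusting local clock by 0.893647s
Dec 21 03:37:45 fg-router ntpd[14941]: adjusting local clock by 0.859043s
Dec 21 03:41:43 fg-router ntpd[14941]: adjusting local clock by 0.788777s
Dec 21 03:44:49 fg-router ntpd[14941]: adjusting local clock by 0.740139s
Dec 21 03:48:49 fg-router ntpd[14941]: adjusting local clock by 0.645784s
Dec 21 03:52:22 fg-router ntpd[14941]: adjusting local clock by 0.761796s
Dec 21 03:56:20 fg-router ntpd[14941]: adjusting local clock by 0.822203s
Dec 21 03:59:59 fg-router ntpd[14941]: adjusting local clock by 0.890898s
Dec 21 04:04:03 fg-router ntpd[14941]: adjusting local clock by 0.796980s
Dec 21 04:07:44 fg-router ntpd[14941]: adjusting local clock by 0.740668s
Dec 21 04:11:45 fg-router ntpd[14941]: adjusting local clock by 0.726457s
Dec 21 04:15:45 fg-router ntpd[14941]: adjusting local clock by 0.817878s
Dec 21 04:19:45 fg-router ntpd[14941]: adjusting local clock by 0.917739s
Jun 5 22:21:38 cvs ntpd[2002]: adjusting local clock by -0.194812s
Jun 5 23:25:42 cvs ntpd[2002]: adjusting local clock by -0.170715s
Jun 6 00:38:50 cvs ntpd[2002]: adjusting local clock by -0.131455s
Jun 6 00:50:41 cvs ntpd[2002]: adjusting local clock by -0.156146s
Jun 6 00:55:39 cvs ntpd[10045]: peer 82.133.58.132 now invalid
Jun 6 01:09:08 cvs ntpd[10045]: peer 82.133.58.132 now valid
Jun 6 01:54:22 cvs ntpd[2002]: adjusting local clock by -0.142031s
Jun 6 02:06:02 cvs ntpd[2002]: adjusting local clock by -0.153419s
Jun 6 02:14:49 cvs ntpd[2002]: adjusting local clock by -0.181421s
Jun 6 03:10:24 cvs ntpd[2002]: adjusting local clock by -0.176803s
Jun 6 04:17:09 cvs ntpd[2002]: adjusting local clock by -0.142914s
Jun 6 04:25:24 cvs ntpd[2002]: adjusting local clock by -0.131678s
"""

ASSUMED_YEAR = 2006  # assumption: syslog lines carry no year field

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ntpd\[\d+\]: adjusting local clock by (?P<adj>-?\d+\.\d+)s$"
)


def parse_adjustments(text):
    """Return {host: [(timestamp, adjustment_seconds), ...]} in log order.

    Lines that are not clock adjustments (e.g. 'peer ... now invalid') are
    skipped rather than treated as errors.
    """
    per_host = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_host.setdefault(m["host"], []).append((ts, float(m["adj"])))
    return per_host


def drift_ppm(samples):
    """Median drift rate in ppm over consecutive adjustments of one host.

    Returns None when fewer than two usable samples exist.
    """
    rates = []
    for (t0, _), (t1, adj) in zip(samples, samples[1:]):
        elapsed = (t1 - t0).total_seconds()
        if elapsed <= 0:          # out-of-order or duplicate timestamps
            continue
        rates.append(abs(adj) / elapsed * 1e6)
    return median(rates) if rates else None


def summarize(text):
    """Per-host sample count, median |adjustment| and median drift in ppm."""
    summary = {}
    for host, samples in parse_adjustments(text).items():
        summary[host] = {
            "n": len(samples),
            "median_adjust_s": median(abs(adj) for _, adj in samples),
            "median_ppm": drift_ppm(samples),
        }
    return summary


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG).items():
        print(f"{host}: {stats['n']} adjustments, median |adj| "
              f"{stats['median_adjust_s']:.3f}s, ~{stats['median_ppm']:.0f} ppm")
```

On the quoted lines the soekris box lands in the low thousands of ppm while the other host stays well under a hundred, which is the difference the post describes; since ntpd slews the clock rather than stepping it, the number is a coarse comparison figure, not a measurement of the oscillator.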
Re: ssh attacks
On 6/7/06, Peter Fraser [EMAIL PROTECTED] wrote:
> My actual problem is less with ssh than the Microsoft vpn. I trust the
> people who have ssh connections to have good passwords, it's the people
> with vpn connections that I don't trust. And I of course would do the
> same trick with the vpn port.

for users of Microsoft vpn or similar, we have them authenticate first
against authpf, so the port is not available to anon users. and using
authpf can be as simple as one click on a link using putty (or similar)
with the right ssh key.

--knitti
Re: openbsd on virtual machine
On 6/5/06, knitti [EMAIL PROTECTED] wrote:
> - 2nd partition ffs

sorry, that's slightly wrong, this partition held openbsd, which had a
single disk slice with a ffs. But I didn't see any limitation that there
could be more than one.

knitti
Re: openbsd on virtual machine
hi,

I moved your reply under my statement for readability

I wrote:
> booting openbsd on a real partition both from bios and from vmware
> worked without flaw in my tests. why shouldn't it? it's a dual-boot
> situation, but you just have to make sure the bootloader hits the
> right pbr. no magic.

On 6/5/06, akonsu [EMAIL PROTECTED] wrote:
> thanks. how did you achieve this? i downloaded an evaluation copy of
> vmware workstation, created a machine with a raw disk pointing to my
> openbsd partition but it won't boot. it says that there were no
> bootable drives found.

Ok, I didn't test with vmware player, but with vmware 4. Setup was like:

- dual-boot situation with win2k, 1 harddisk
- 1st and 3rd partition NTFS
- 2nd partition ffs
- the mbr had the nt boot loader, copy the pbr of the openbsd partition
  to a file on the windows system partition, point an entry in boot.ini
  to it (google will help you)
- while making your openbsd disk slices, you have to make sure to stay
  away from the areas of the other partitions
- when both systems boot fine, just use the openbsd partition as raw
  disk (disable any options and helpers)

I understand that vmware player is not as configurable through the gui,
but the configuration is a text file, so it should be possible to
achieve this (as in vmware created volumes are compatible with vmware
player)

hth,
knitti
Re: openbsd on virtual machine
On 6/4/06, akonsu [EMAIL PROTECTED] wrote:
> also, i think there is a way to run this machine from a raw disk
> instead of a virtual disk. there is a discussion about using raw disks
> on the vmware.com site. but as they say booting a VM from a raw disk
> and also being able to boot your physical machine from this same disk
> might be technically difficult because this is like moving your disk
> to another machine and trying to boot it on both machines.

booting openbsd on a real partition both from bios and from vmware
worked without flaw in my tests. why shouldn't it? it's a dual-boot
situation, but you just have to make sure the bootloader hits the right
pbr. no magic.

--knitti
Re: [OpenCVS] what does soon mean?
On 4/9/06, Stefan [EMAIL PROTECTED] wrote:
> It would be nice to know about when it's to be released so I can
> decide if I should use the old GNU CVS or if I should wait for a
> public stable release.

Everything one could read in the past about the project suggests you can
start out with GNU CVS and easily switch later to OpenCVS.

--knitti
Re: pf.conf to log specific but block all
On 2/25/06, Harry Putnam [EMAIL PROTECTED] wrote:
> Melameth, Daniel D. [EMAIL PROTECTED] writes:
> > On a consumer-class Internet connection, I don't expect too much.
> > However, the following should only log ssh:
>
> That is what got me going on this... By negligence I'd left ssh open
> after coming home from a trip where I had it open for connecting to
> home machine. Normally I turn it back off when I'm home. I saw over a
> 5 day period some 13,000 hits on ssh port. Apparently some half
> configured dictionary attacks. I say half configured because the
> attempted user names don't seem to be in any recognizable order. My
> passwords are good so I didn't get too worried but it did cause me to
> wonder what is going on that my ssh port got so interesting suddenly.

you worry too much. either choose good passwords, or better, set up
login with ssh keys only. it's worth reading and googling for maybe an
hour or two, if you're not familiar with it. if this is in place, you
don't have to worry, and you also don't have to log connections to your
ssh port.

--knitti
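"ssh keys only" is a handful of sshd_config directives, and the pitfall is that a later duplicate or a stray default can quietly leave password login on. As an added example (not from the post or from OpenSSH), the audit below reads the global section of an sshd_config and reports what still lets a password through. It assumes sshd_config(5) semantics, where for each keyword the first value obtained wins and anything under a `Match` line is scoped to matching connections (so it stops at the first `Match`); the defaults assumed for absent keywords are those of OpenSSH of the era of the post and are listed in `ASSUMED_DEFAULTS` (newer releases default `PermitRootLogin` differently). Both sample configs are constructed.

```python
"""Audit the global section of an sshd_config for key-only logins.

Added example, not code from the post or from OpenSSH. Assumptions:
sshd_config(5) semantics, where for each keyword the first obtained value
wins and directives under a 'Match' line apply only to matching
connections (so only the part before the first 'Match' is audited); the
defaults assumed for absent keywords are listed in ASSUMED_DEFAULTS.
"""
import re

# Assumed defaults when a keyword is absent (keys are lower-cased keywords).
ASSUMED_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

# 'keyword value' or 'keyword=value'; sshd_config keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def global_settings(config_text):
    """Return {keyword: value} for the global section, first value winning."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue                      # keyword without a value
        keyword, value = m.group(1).lower(), m.group(2).strip().lower()
        if keyword == "match":
            break                         # everything below belongs to Match blocks
        settings.setdefault(keyword, value)  # first obtained value wins
    return settings


def audit_key_only(config_text):
    """Return (key_only, findings): key_only is True when no finding remains."""
    settings = global_settings(config_text)
    # Newer OpenSSH spells ChallengeResponseAuthentication as
    # KbdInteractiveAuthentication; treat the new name as the old one.
    if ("challengeresponseauthentication" not in settings
            and "kbdinteractiveauthentication" in settings):
        settings["challengeresponseauthentication"] = settings["kbdinteractiveauthentication"]
    eff = dict(ASSUMED_DEFAULTS)
    eff.update(settings)

    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key login is disabled")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing stays possible")
    if eff["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': keyboard-interactive "
                        "passwords are still accepted")
    if eff["permitrootlogin"] not in ("no", "without-password", "prohibit-password"):
        findings.append(f"PermitRootLogin is '{eff['permitrootlogin']}': root password login possible")
    return not findings, findings


# Constructed samples for the audit.
WEAK_CONFIG = """\
# constructed sample: a mostly-default sshd_config that still takes passwords
Port 22
Protocol 2
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: key-only login in the global section
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
# a later duplicate does not re-enable passwords: the first value wins
PasswordAuthentication yes
# directives under Match are scoped to matching connections, not audited here
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, findings = audit_key_only(text)
        print(f"{name}: key-only={ok}", *findings, sep="\n  ")
```

Run it against `/etc/ssh/sshd_config` after the change and again after `sshd` has been restarted with `sshd -t` clean; the point of the first-value rule is that appending a hardening line at the end of a file that already sets the keyword does nothing, which is exactly what the duplicate in the hardened sample demonstrates.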
Re: boot.conf
On 2/24/06, Michael Schmidt [EMAIL PROTECTED] wrote:
> Hello,
>
> I would like to run an OpenBSD machine where I want that the boot
> prompt disappears, reason is that I do not want others having access
> to the boot prompt. In case you put a boot into boot.conf or set
> timeout to zero then you do not have the opportunity to boot in
> single user when it may be necessary. Are there ways to circumvent
> the latter?

what problem are you trying to solve?

--knitti
Re: spamd-setup doesn't return
On 2/22/06, Bob Beck [EMAIL PROTECTED] wrote:
> I think this was because you had two spamd-setups running. spamd will
> only service one configuration connection at a time.
>
> -Bob

well I run spamd-setup only daily, and of course I assume that at any
particular point in time there should be only one instance running. so
what you saw was just the state of the server after two days without
removing the stale spamd-setup instances. as I said, after killing and
restarting spamd, everything is fine now. before this, I could kill all
instances of spamd-setup and it wouldn't help.

--knitti
Re: Pf questions for larger implementation
On 2/23/06, Steve D. [EMAIL PROTECTED] wrote:
> I'm setting up a gateway (1.7 Ghz machine with 1 Gig of ram) for 700+
> users using pf with NAT and BINAT's (90% NAT). I would like to know if
> anyone has any recommendations on tweaking the runtime options in PF.
> This box will pretty much just be handling the natting with a bare
> minimum of filtering, just enough to keep the box secure.
>
> Nat statement: ($src_nat is a public /25)
>
> nat on $public_if inet from client_subs to any -> $src_nat source-hash
>
> Binat statement: (which isn't working for some reason but I'll figure
> that out)
>
> binat-anchor one2ones
> load anchor one2ones from /etc/one2ones
>
> If anyone has some experience with a similar sized setup, I'd really
> appreciate hearing from you. If there's any other adjustments I can
> make to keep the performance up, I'd be interested in those also.

try it, deploy it. your cpu/mem should handle it easily. the only thing
I can imagine is running into the default state limit. see man pf.conf,
the part about "set limit".

--knitti
Re: spamd-setup doesn't return
On 2/21/06, Bob Beck [EMAIL PROTECTED] wrote:
> Is spamd running on this system?

sorry for not trying this earlier: I just killed and restarted spamd,
and spamd-setup now behaves as expected. (It just didn't occur to me...)

--knitti
Re: SCSI tape drive hanging
On 2/21/06, Marcus Barczak [EMAIL PROTECTED] wrote:
> --- dmesg ---
> OpenBSD 3.8 (NERF) #0: Fri Jan 20 13:35:16 EST 2006
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NERF

uh oh. http://openbsd.org/faq/faq5.html#Why

--knitti
spamd-setup doesn't return
Hi,

on a server which ran fine for a long time, spamd-setup doesn't return
anymore (at least for a couple of days, until I kill it). Does anyone
have an idea how to troubleshoot this? spamd-setup seems to update the
tables and then simply wait forever. spamd.conf hasn't been altered
since spamhaus went paid-for. first occurrence of this problem was on
feb 10 or 11.

# uname -a
OpenBSD [cut] 3.7 GENERIC#0 i386
# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 15353 entries
whitelist mywhite 15358 entries
blacklist myblack 0 entries
^C
# cat /etc/spamd.conf
all:\
	:spews1:mywhite:myblack:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
	:black:\
	:msg=SPAM. Your address %A is in the spews level 1 database\n\
	See http://www.spews.org/ask.cgi?x=%A for more details:\
	:method=http:\
	:file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

mywhite:\
	:white:\
	:method=file:\
	:file=/etc/spamdwhite.txt:

myblack:\
	:black:\
	:msg=SPAM. Your address %A is in my blacklist.\n\
	Contact ++xx \
	xxx xxx for details.:\
	:method=file:\
	:file=/etc/spamdblack.txt:

thanks for reading,
knitti
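The thread resolves the hang by restarting spamd (see the follow-ups above), but the first thing to rule out with a stuck spamd-setup is the configuration it is feeding in. As an added example (not code from the post or from OpenBSD), the checker below parses the getcap(3)-style format spamd.conf uses and flags the mistakes that file format invites: a name in `all` with no entry, an entry that is not exactly one of `black`/`white`, a missing `method` or `file`, an unknown capability name, and a field that is neither a flag nor `key=value`, which is what an unescaped `:` inside a `msg` value produces. The capability and method names in `KNOWN_*` are the ones from spamd.conf(5); the sample configuration is constructed, modelled on the one in the post, with one entry deliberately broken.

```python
"""Sanity-check a spamd.conf(5) before handing it to spamd-setup(8).

Added example, not code from the post or from OpenBSD. It parses the
getcap(3)-style format spamd.conf uses (records of ':'-separated
capabilities, a trailing backslash continuing a line, '#' comment lines)
and reports what a mistyped file would cause. Assumptions: capability
names and methods as listed in KNOWN_*; the sample configuration below is
constructed, modelled on the one in the post.
"""

KNOWN_FLAGS = {"black", "white"}
KNOWN_VALUES = {"msg", "method", "file"}
KNOWN_METHODS = {"http", "ftp", "file", "exec"}

SAMPLE_CONF = r"""
# constructed sample, modelled on the spamd.conf shown in the post
all:\
    :spews1:mywhite:myblack:oldlist:

spews1:\
    :black:\
    :msg=SPAM. Your address %A is in the spews level 1 database\n\
    See the spews web site for more details:\
    :method=http:\
    :file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

mywhite:\
    :white:\
    :method=file:\
    :file=/etc/spamdwhite.txt:

# deliberately broken: the unescaped ':' in the URL ends the msg field early
myblack:\
    :black:\
    :msg=SPAM. Contact us at http://example.invalid/ for details.:\
    :method=file:\
    :file=/etc/spamdblack.txt:
"""


def parse_getcap(text):
    """Return {record name: [non-empty capability fields]} in file order."""
    records, logical, buf = {}, [], ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                                  # comment line
        line = raw.strip() if buf else raw.rstrip()   # continuation: drop leading blanks
        if not line and not buf:
            continue                                  # blank line between records
        if line.endswith("\\"):
            buf += line[:-1]                          # trailing backslash continues the record
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)                           # file ended inside a continuation
    for entry in logical:
        fields = entry.split(":")
        name = fields[0].split("|")[0].strip()        # 'a|b' aliases: keep the first name
        records[name] = [f for f in fields[1:] if f.strip()]
    return records


def check_conf(text):
    """Return a list of problems; an empty list means the file looks sane."""
    records = parse_getcap(text)
    if "all" not in records:
        return ["no 'all' entry: spamd-setup would have no lists to load"]
    problems = []
    for name in records["all"]:
        if name not in records:
            problems.append(f"'all' names list '{name}', which has no entry")
            continue
        flags, values = set(), {}
        for field in records[name]:
            if "=" in field:
                key, value = field.split("=", 1)
                key = key.strip()
                if key not in KNOWN_VALUES:
                    problems.append(f"{name}: unknown capability '{key}'")
                values[key] = value
            elif field.strip() in KNOWN_FLAGS:
                flags.add(field.strip())
            else:
                problems.append(f"{name}: unrecognised field {field!r}: not a known "
                                "flag or key=value (unescaped ':' inside a value?)")
        if len(flags) != 1:
            problems.append(f"{name}: must be exactly one of black or white")
        for key in ("method", "file"):
            if key not in values:
                problems.append(f"{name}: missing {key}=")
        if "method" in values and values["method"] not in KNOWN_METHODS:
            problems.append(f"{name}: unknown method '{values['method']}'")
    return problems


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```

On the constructed sample this reports the split `msg` field in `myblack` and the dangling `oldlist` name and nothing else; a clean report does not prove spamd-setup will return (the post's config was fine and the fix was elsewhere), it just removes the config from the list of suspects.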