Re: Cold Boot Attacks on Encryption Keys

2008-02-22 Thread knitti
On 2/22/08, Siegbert Marschall [EMAIL PROTECTED] wrote:
  Yes DRAM can preserve data for a while, even after shutting down
  power. Depending on the type of DRAM it can be milliseconds to
  days BUT it will only preserve part of the data, so the chance
  of finding some passwords in there does exist but has very little
  real world implications.

the quickest way of improving security for this particular type of attack,
apart from having sensitive data such as keys around only when needed,
is ensuring there's no quick way of booting from a different media and
ensuring it takes as long as possible to move the RAM (this would be
a plus also for the disks) physically. Physical security _is needed_
anyways.

Soekris boxes also have soldered RAM.

--knitti



Re: What is our ultimate goal??

2008-02-21 Thread knitti
On 2/19/08, Mayuresh Kathe [EMAIL PROTECTED] wrote:
  something as good as FireEngine,

I'm following this thread with quite some amusement, but one thing is
not in the least clear to me: why do you think you want something as
good as FireEngine. Heck, even under the assumption FireEngine is
Really Good (TM), you should compare it to the *new* stack of FreeBSD,
whose marketing blurb is at least a bit meatier than Sun's.
http://www.meetbsd.org/storage/kris.kennaway_meetbsd2007.pdf

So now do you want FireEngine? Or rather SMPng networking? Or
would you like ReallyHyperFastZoomStreamCyberWoosh?
You can't decide?

You have not even shown a corner case, much less in general why
it would be desirable to completely throw away the current
architecture. I use OpenBSD since 3.0 on very small CPUs and also
on rather big ones (all i386 and amd64, though), and I don't remember
a single case in which network stack performance wouldn't at least
have met my expectations.

What performance difference are you expecting? Do you know
the implications which the different approaches impose on the
kernel architecture? Even if there were a developer who would
in principle be open to the idea, you have to show her that it is worth
the hassle. But you don't even know what you're talking about.

If *I* were a developer, I would be offended by the notion that
AnotherSolution is *that* *much* *better* (as you imply) _without_
showing any evidence.

--knitti



Re: need some help with base httpd

2008-02-18 Thread knitti
On 2/18/08, System Administrator [EMAIL PROTECTED] wrote:
 I need to secure a few distinct directories on this server, and to
 simplify config file maintenance decided to put the common directives
 into a file to be 'Include'd - reproduced further below. Here is an
 example of such an 'Include' in the main httpd.conf:
 <Directory /var/www/cgi-bin>
 AllowOverride None
 Options None
 Include conf/admins.conf
 </Directory>
[...]
 My dilemma is that actually including the directives instead of using
 the 'Include' above works perfectly as expected. I even tried
 transferring only some of the directives from the include file into the
 main httpd.conf, and invariably configtest complains about the very
 first active directive in the include file.

Try either putting the whole Directory block into conf/admins.conf,
or moving the Include statement outside the Directory block.

--knitti



Re: sendmail setup mail server error

2008-01-29 Thread knitti
On 1/29/08, Chris [EMAIL PROTECTED] wrote:
 vi mydomain.mc

 divert(0)dnl
 VERSIONID(`@(#)mydomain.mc $Revision: 1.11 $')dnl
 OSTYPE(openbsd)dnl
 DOMAIN(mydomain.com)dnl
 FEATURE(`virtusertable', `dbm /etc/mail/virtusertable')dnl
 MAILER(local)dnl
 MAILER(smtp)dnl

 divert(-1)

 I didn't change anything else in this file.

 m4 ../m4/cf.m4 mydomain.mc > mydomain.cf

 m4: mydomain.mc at line 11: include(../domain/mydomain.com.m4): No
 such file or directory

 Any help would be much appreciated. Thanks.

please read about the DOMAIN macro. I don't think I does what you
think it does.

--knitti



Re: sendmail setup mail server error

2008-01-29 Thread knitti
On 1/29/08, knitti [EMAIL PROTECTED] wrote:
 On 1/29/08, Chris [EMAIL PROTECTED] wrote:
  vi mydomain.mc
 
  divert(0)dnl
  VERSIONID(`@(#)mydomain.mc $Revision: 1.11 $')dnl
  OSTYPE(openbsd)dnl
  DOMAIN(mydomain.com)dnl
  FEATURE(`virtusertable', `dbm /etc/mail/virtusertable')dnl
  MAILER(local)dnl
  MAILER(smtp)dnl
 
  divert(-1)
 
  I didn't change anything else in this file.
 
  m4 ../m4/cf.m4 mydomain.mc > mydomain.cf
 
  m4: mydomain.mc at line 11: include(../domain/mydomain.com.m4): No
  such file or directory
 
  Any help would be much appreciated. Thanks.

 please read about the DOMAIN macro. I don't think I does what you
 think it does.

sorry, I meant to write I don't think it does what you think it does. Too
much blood in my kaffeine. Look also for LOCAL_DOMAIN.

--knitti



Re: OpenBSD 4.2 firewall freezing, even after patch 004 and 005

2008-01-21 Thread knitti
On 1/21/08, Robert Carr [EMAIL PROTECTED] wrote:
 After a few days of running, the machine becomes
 totally unresponsive, forcing me to power-cycle the
 box.  I can't find anything relevant about the
 freeze/crash in any logs.
[...]
 ...and no core dump.  What am I doing wrong?
[...]

 OpenBSD 4.2 (NAVARONE-4.2) #0: Wed Jan 16 23:18:21 PST
 2008

 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NAVARONE-4.2

http://openbsd.org/faq/faq5.html#Why

--knitti



Re: building a kernel for net4801 from dmassage

2008-01-16 Thread knitti
On 1/16/08, Lars Noodén [EMAIL PROTECTED] wrote:
 1) Should anything be done to the GENERIC kernel's run time
 configuration then to improve performance, reduce system requirements or
 otherwise prevent it from making beer go flat?

nope. I've been running a couple of net4501 (100MHz/64MB RAM) since 3.5
which are perfectly fine with GENERIC


 2) Under what circumstances (generally) would one encounter a situation
 where it would be strongly desirable to have a custom kernel?

RAID?
development: break stuff, fix stuff ?

--knitti



Re: Suggested PF Setup when using BitTorrent?

2008-01-15 Thread knitti
On 1/15/08, Chris Kuethe [EMAIL PROTECTED] wrote:
 i doubt it's your machine not being happy with number of connections -
 i routinely have hundreds of states. depends on your modem, maybe? or
 who made the board inside your modems? or what crack-addled rhesus
 monkey pretended to write the firmware. If several different
 manufacturers licensed the IP stack or NAT engine from the same
 vendor, then it's perfectly possible that you both have ill-designed
 hardware.

add me to the crowd. I got curious, tested a bit, and am able to push
my ping latency up to 9 s (then I got bored :-). I *think* (at least here)
incoming connections are more of an issue than outgoing ones, and
traffic shaping (as in bandwidth limiting) doesn't help much. No traffic
shaping doesn't help either. This is on a 3M/512k ADSL
(Arcor/Germany) with a soekris and pppoe. I have not yet looked whether
it's just a pps issue with my soekris (in that case there should be no
latency problem at about 1/20th the available bandwidth.)

I could imagine that some equipment not up to the task at the provider
could keep tabs on my states, but I don't see any reason why. (Yes I
know, there's this new evil data retention law, but the providers don't
even know what exactly they have to log and they are not exactly keen
on implementing it).

--knitti



Re: Improving disk reliability

2008-01-09 Thread knitti
On 1/9/08, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:
 Bacula (www.bacula.org) is your friend.

yes, bacula is great. I just discovered that it is in ports (even
available as a package), so I have yet to use it on OpenBSD, but it
can't be harder to set up than on other platforms.

I prefer it to amanda, because (at least when I had to find a suitable
solution 1.5 years ago) it was the only one which could do
multi-volume backups. It also works flawlessly with disk-based
backups, simple tape drives and larger tape libraries.


--knitti



Re: Richard Stallman...

2008-01-08 Thread knitti
On 1/7/08, Steve Shockley [EMAIL PROTECTED] wrote:
 nicodache wrote:
  I cannot anything but to appreciate and look how you are able to stay
  calm and polite when I read some people on this ML talking about crap,
  fucking duck with tape, shutting up things.

If it walks like a duck and talks like a duck an f... - wait a minute. Ouch.


 I have never seen anyone on this list fuck a duck with a tape.  Ever.


WARNING. Do not look at the duck with the remaining eye.


--knitti



Re: Improving disk reliability

2008-01-07 Thread knitti
On 1/4/08, Nick Guenther [EMAIL PROTECTED] wrote:
 On 1/3/08, knitti [EMAIL PROTECTED] wrote:
  this is becoming OT, but I can't recommend storing HDDs as real
  backup solution either. HDDs _do_ have bitrot, and one should at least,
  say, once a year, verify that the *whole* disk is readable, ensuring that
  sectors which are not yet completely unreadable get remapped. Vaulting
  a DVD or a HDD for five years or more leaves you in both cases with the
  real possibility of data loss.

 How would you verify the whole disk is readable? And if it's all
 readable, how do you ensure the data is still the same pattern you put
 on before?

the posting from hannah shows what to do. The big picture is this:
Backup (and/or archiving) is not fire-and-forget. You have to know how
long you want to store this data to choose the right technology and
media. And you have to have a process to verify that your data is good
after this time. If you want backups for five years, and your life/business
won't come to an end should you lose some data in spite of having backed
up, use DVDs or HDDs, verify after backup and just store the media.
For more than five years and more-or-less critical data, use tape and
verify every x time. If you approach ten years and up, you have to
know how you get hardware to read the tapes...

At least the LTO spec states that drives of the *current* generation
_have to_ read and write also tapes one generation older and
read tapes which are two generations older. So if you have LTO-2
tapes around, you will be able to read them with LTO-4 drives (which
should be checked, but does actually work in this case).

Some companies and universities with huge archives spend
large sums just to copy their archived data to the newest technology
every couple of years.


--knitti



Re: avoiding a mac address filter

2008-01-07 Thread knitti
On 1/7/08, Targus Neoprene [EMAIL PROTECTED] wrote:
 is there a way to surpass the mac filter and get an ip?
most likely yes and yes. man ifconfig

--knitti



Re: Improving disk reliability

2008-01-03 Thread knitti
On 1/3/08, Marius Hooge [EMAIL PROTECTED] wrote:
 Doug wrote:

 2. I don't know the size of the disk to know the size of the backup
media required.  However, CD/DVD burners are less than the cost
of a hard drive and the media is relatively cheap.

 I personally don't recommend backups to CD/DVD.
 They degenerate rather quickly depending on their quality and
 the storage humidity.
 Unlike a USB/Firewire harddisk inside your fire-, water-, emp-proof
 safe/vault. ;-)
 But make sure to set some kind of reminder to update your backup.

this is becoming OT, but I can't recommend storing HDDs as real
backup solution either. HDDs _do_ have bitrot, and one should at least,
say, once a year, verify that the *whole* disk is readable, ensuring that
sectors which are not yet completely unreadable get remapped. Vaulting
a DVD or a HDD for five years or more leaves you in both cases with the
real possibility of data loss.

--knitti



Re: cvsweb browsing out of sync with latest src?

2007-12-18 Thread knitti
On 12/18/07, Alexander Hall [EMAIL PROTECTED] wrote:
 [ returning after a long weekend ]

 Constantine A. Murenin wrote:
  On 13/12/2007, Nick Guenther [EMAIL PROTECTED] wrote:

  http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/sudo/sudo/Attic/tgetpass.c?rev=1.15&content-type=text/x-cvsweb-markup
  Error
  Error: Unexpected output from cvs co  Check whether the directory
  /usr/OpenBSD/cvs/CVSROOT exists and the script has write-access to the
  CVSROOT/history file if it exists. The script needs to place lock
  files in the directory the file is in as well.
 
  Where did you get that link from? Manually constructed links are,
  obviously, not guaranteed to work, so what precisely is the problem?
  :)

 Go to
http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/sudo/sudo/Attic/

 find tgetpass.c

 click revision number (1.15)

 ta-daa! :-)

this seems to be the case for every file in the Attic throughout the tree. I
didn't try _every_ file, but quite a few in very different places in the tree.

--knitti



Re: Problem with disk Western Digital

2007-12-18 Thread knitti
On 12/18/07, Stephan Andreas [EMAIL PROTECTED] wrote:
 The disk is 4 months old. After installing openbsd 4.2 it worked. But now there
 are a lot of errors while reading blocks.

so you mean, first it worked really well? Then the conclusion is obvious:
return your disk (after 4 months you should simply get it exchanged
for a new one). It is kaput.

--knitti



Re: come, help me with something more productive

2007-12-16 Thread knitti
On 12/14/07, bofh [EMAIL PROTECTED] wrote:
 Heh.  I think we're having far too much fun in the other threads.  I
 have a serious question.  I'm a mangler in a largish company.  We have
 developers, and contractors.  No coding standards and all that, so,
 things are... messy.

 I'm not in charge of development, but I want to help them develop
 something useful, and secure.

You received some useful answers and certainly will receive more.
It is very important that most if not all developers support this idea,
and that almost everyone makes an effort to get used to the new
procedures. The best intentions are worthless if key people don't
like it.


--knitti



swap encryption Re: Putting partition in RAM

2007-12-14 Thread knitti
Gilbert, Douglas,

swap encryption on OpenBSD is done differently than what you
advise. just use the sysctl vm.swapencrypt.enable. Much less
maintenance headaches.

and yes, don't complain about being reminded that this is not a
netbsd / linux support list.

--knitti



Re: Monty Python 3000 Thread

2007-12-14 Thread knitti
 == wooosh ===(your humour)

   O(my head)


--knitti



Re: : rouge IPs / user

2007-12-12 Thread knitti
I have to correct myself a bit: the socket is in CLOSE_WAIT after
receiving the client's FIN (and acknowledging it). The server hasn't
yet sent its FIN, so the connection is properly half closed; the server
_could_ send some data down the line as its part of the connection
is still up. Translation: the server didn't close its socket for some
reason or non-reason.

To find that out I'll have to read some code, which may or may not
turn up something (interesting for me).

--knitti



Re: : : rouge IPs / user

2007-12-12 Thread knitti
On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
 * A httpd server socket enters CLOSE_WAIT when the client
   closes (or half-closes) its end and sends FIN to the
   server TCP stack that replies ACK and enters CLOSE_WAIT.
   The socket proceeds out of CLOSE_WAIT when httpd calls
   close() on the socket.

 So, the remaining question is why httpd does not close the socket.
 Even though KeepAlive is in effect, since the client has closed its
 end there can come no more request on it, and the server
 should be able to notice that the client has closed its
 socket end either by recv() returning 0, or from a poll()
 return value. The server also should be able to know if
 it has more data to send to complete the reply.
 I see no reason to hold the socket in CLOSE_WAIT the whole
 KeepAliveTimeout time, and am interested to learn why.

WARNING: I'm not very experienced reading C code, so take my words
with heaps of salt.

The interesting code is most probably in http_main.c,
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/main/http_main.c

The problem would be to forget calling ap_bclose() after ending a
connection, either because all data has been sent or the connection has
been aborted. What I can read with some confidence, is that keeping a
socket open beyond sending any data is not intentional, and there is
nothing (for me) which suggests that it would happen at all.

Noob questions/statements ahead:

The code whose implications (aside from the clearly visible intention of what the
code *should* do) are least clear to me is lingering_close() and lingerout()
(is this a signal handler for SIG_ALRM?).

I would suspect some kind of (signal?) race (not necessarily there), in
which ap_bclose() gets called on a different socket than intended (thus
shutting down another connection as a side effect). BUT since the whole
code doesn't run threaded, I can't come up with something which would
actually suggest that.

I would appreciate if someone told me whether my interpretation is rather
wrong or rather right ;)


--knitti



Re: : no 4.2-stable package updates??

2007-12-12 Thread knitti
On 12/12/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
 On Wed, Dec 12, 2007 at 08:35:50AM +0100, Antoine Jacoutot wrote:
  On Tue, 11 Dec 2007, Joe wrote:
  So if there are security bugs in a package or port shipped with OpenBSD
  4.2, there will be no updated package or updated port available?
 
  That is correct.
 

 Now, this will prevent me from upgrading to 4.2.


It isn't so that any pre-4.2-stable will be updated, so you lose nothing
by upgrading. Very often you can backport from -current ports without
any change.

--knitti



Re: : no 4.2-stable package updates??

2007-12-12 Thread knitti
On 12/12/07, Darren Spruell [EMAIL PROTECTED] wrote:

 Why -current? I thought what had fallen behind from lack of resources
 was binary packages. Surely OPENBSD_4_2 (stable branch of ports tree)
 still has updated ports.

 Just build -stable packages from ports (like you did in the olden days.)

to quote from the original mail from Nikolay Sturm (thanks to him for doing
this or much of it over some years) to misc:
as you might have noticed, -stable ports have not been properly updated
in the last few months. Due to lack of resources, especially a
responsible maintainer, you cannot expect any updates to -stable for the
foreseeable future. Although some updates might happen, -stable should
be considered unmaintained.


--knitti



Re: : : rouge IPs / user

2007-12-12 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 Raimo Niskanen wrote:
  Interesting for me too, and most probably for others. It became an
  interesting discussion of my CLOSE_WAIT problem after all...
 
  To summarize (as I see it):
 
  * pf synproxy state does not affect these CLOSE_WAIT sockets since
  the SYN proxy is only active during connection establishment.
  But it is good to use anyway since it prevents IP spoofing.

 Why not? Just test it out. What happen if you get a DDoS on your httpd
 as an example, or try to connect to it. You send a packet to httpd, it
 will create a socket to reply to your connection request and send the
 source IP ACK and then wait for the reply ACK that will never come. So,
 what does this do to your httpd then??? How many sockets will you have
 pending responses here? You use one socket per user connection to your
 httpd. You have 25 real users accessing your httpd and 1,000 fake users
 without pf in the path. I will ask you this simple question then.

don't confuse the CLOSE_WAIT with a SYN flood. if httpd doesn't close
its socket, the proxy won't either. And even if it did, this doesn't
close httpd's socket. I think I'm repeating myself, but the problem is
*not* that httpd waits for any client data. It _has_ seen the client's FIN
(or it wouldn't go into CLOSE_WAIT), but keeps its side open.

 the close process has three stages as well. The client asks to close,
 the server replies and the client confirms. So, close, ACK and ACK.

not exactly. the long version is: the side which wishes to close sends
FIN, other side sends ACK (4-way-close: each side sends a FIN and an
ACK). If the other side, which receives the first FIN decides to close also
immediately, it can combine the FIN and the ACK (FIN - FIN/ACK - ACK).


 Did you verify that the client sent the last required ACK to the
 original request of the server to close?

If the server closes first and the client doesn't ACK, the socket should be
in TIME_WAIT. After some time, I think, the server may send a RST if
the client doesn't ACK its FIN.

 There is also a keep alive in the tcp stack and if I remember well I
 think it is set by default by the RFC is not a small amount of time.

yes, TCP keep alives are empty ACK packets (or 1 octet payload).
but while the TCP connection is open (while TCP keep alives might
be sent), the socket doesn't go into CLOSE_WAIT. it does when the
client FINs its connection, which should also end the sending of TCP
keep alives

 Again, are you sure all the RFC process was done? Who is waiting on who
 here? Also, I think you may be confusing a few things here. httpd not
 closing a socket and having KeepAlive is in effect are contradictory.

in theory, they are simply not related, because they are on different
protocol layers. Practically there seems to be a correlation by implementation.

--knitti



Re: : : rouge IPs / user

2007-12-12 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 I am only
 saying that using PF in front of httpd will reduce the possible number
 of httpd close_wait you might see. By default httpd can only support up
 to 256 connections, unless you increase it and compile it again.

I don't understand why pf would reduce this. Every single CLOSE_WAIT
stems from a former established connection, and pf can nothing do
to convince httpd to close its socket. No rogue clients involved here.

 lead you in that path, then I am sorry. What will affect your close_wait
 time (when you reach that point) are the tcp stack values, which I am
 reluctant to suggest adjusting as they sure can create way more harm
 than good.

I don't think there is a sysctl for that. TCP connections don't expire by
default if you don't make them, and the same should go for a half-closed
one. There are perfectly legit reasons for long open half-closed
TCP connections.

 My point with PF here was that it would reduce the possible number of
 close_wait states you could possibly see in the first place, which is one
 of the original goals of the question.

Why?


--knitti



Re: : : rouge IPs / user

2007-12-12 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 knitti wrote:
  The problem would be to forget calling ap_bclose() after ending a
  connection, either because all data has been sent or the connection has
  been aborted. What I can read with some confidence, is that keeping a
  socket open beyond sending any data is not intentional, and there is
  nothing (for me) which suggests that it would happen at all.

 Logically if that was the case, wouldn't you think you would run out of
 sockets in just a few minutes after starting httpd? I am not saying
 there isn't any bug in httpd, or that there is. Fair to assume there are
 some, but to that extent, I couldn't imagine so. Just think about it for
 a second. What would the effect of it be if that was the case?

I think you misunderstood me. I meant I don't see any obvious occasion
in which the problem I assumed (forgetting ap_bclose() ) would occur.
So I don't see any bug (surprise), but something occurs. So either I don't
see the bug because it's not obvious (surprise, again), or my
assumption (ap_bclose() not called) is wrong.

My question: would not calling ap_bclose() show this behaviour ?

 - Application needs sockets and sends requests to create and destroy them
 and keeps using them after they are created. Who does that, kernel or
 application?

I assume the kernel creates the actual socket, but the app keeps it as long
as it wants (or longer ;-)

 - Who receives the socket creation and destroy requests and will create
 them or destroy them and pass the handle to the application when ready.
 The kernel, or the application?

 - Who is handling the signaling, meaning handshake, opening, close_wait,
 retransmissions, etc. Application or kernel?

 - So, in the end, if a socket is in close_wait, is it the application,
 or the kernel at that point? Meaning, was it already requested to be
 close and is now a signaling issue, or an application that hasn't asked
 to close the socket yet? (;

I *assume* that it is the application forgetting to close(), because if the
kernel forgets to close() something what is more or less a file, we would
also have massive stale open files being around.

 - If jammed in close_wait state, is it because it hasn't sent the ACK on
 the request from the client to close the socket?

 - Or is it that it did send the ACK to the client and is now waiting on
 the final ACK from that client to do it?

 - Or is it that it reached that point because it was a not fully open
 three way handshake established connection to start with maybe?

 - Or is it because the client just opened a socket, got what it needed and
   didn't bother to do the proper closing of the socket as it should?

_please_, read my last mails, or look at a TCP state diagram.


 - Now, where is the application, in the case httpd involved here?

CLOSE_WAIT is a defined state. The most simple explanation is not
closing the socket even after recognizing there is nothing more to
read from it.

 - Where can keep alive in httpd help, or not?

 - Where pf proxy help or not?

 - Where keep alive in tcp stack (sysctl) help or not?

these three questions I simply don't understand. Please rephrase.


 That's why there isn't a single answer to the questions here and it will
 always depend on your specific setup, traffic patterns and load, etc.

It seems we are of different opinions here. I'm more or less convinced
now that there is a bug not closing the socket even after httpd has
nothing more to send. Under the assumption my interpretation of the
problem is not fundamentally flawed.


 Example, you could reduce the keep alive in sysctl a lot if you want to
 help the close_wait, but at the same time this will increase all the
 exchange messages between valid connections as well. So, on one hand it
 will affect the delay in closing your sockets sooner, but at the same
 time you will increase the load on other already active connections.

well, I think turning the wrong knobs will do harm, there you are right.
tuning TCP keep alives would be the wrong knob

 left, unless it does give you a problem, other than a feeling of wanting
 it to look different, you should put it to rest I think.

unless I can reproduce it, I will also let it rest after being convinced
of not finding the bug by reading the code alone ;)

--knitti



Re: : : rouge IPs / user

2007-12-12 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 net.inet.tcp.keepidle
 net.inet.tcp.keepinittime
 net.inet.tcp.keepintvl
 net.inet.tcp.rstppslimit
 net.inet.tcp.synbucketlimit
 net.inet.tcp.syncachelimit

nope, shouldn't apply, unless my TCP knowledge is wrong or there
is a bug which makes it affect this unintentionally


  My point with PF here was that it would reduce the possible number of
  close_wait states you could possibly see in the first place, which is one
  of the original goals of the question.
 
  Why?

 OK, I could be wrong and I am sure someone with a huge stick will hit me
 with it if I say something stupid, and/or there might be something I am
 overlooking or not understanding fully, which is sure possible as well. (;

 But if httpd receives a fake connection that does not do the full
 handshake, isn't there a socket open and/or used by httpd for that
 fake connection anyway. Meaning it tries to communicate with that fake
 source and can't and eventually will close and (that's where maybe I am
 failing here) will end up in close_wait maybe?

no fake connections involved, CLOSE_WAIT is a state _after_ having a
fully established connection

 Or, are you saying that the ONLY possible way a socket end up in
 close_wait state is ONLY when and ONLY possible if it was fully open
 properly in the first place? If so, then I stand corrected and I was/am
 wrong about that part of my suggestions. So, is it the case then?

Yes. Random example:
http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html


--knitti
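As an added illustration of the state-diagram argument in the reply above (example code written for this page, not code from the thread or from OpenBSD's TCP stack), here is a small model of the server side of TCP: it shows that CLOSE_WAIT is entered only from ESTABLISHED, that the ACK for the peer's FIN is sent by the stack without the application being involved, and that the only arc out of CLOSE_WAIT is the application's own close(). The event names, the `Endpoint` class and the `TRANSITIONS` table are this example's own conventions.

```python
# Minimal model of one TCP endpoint (the passive/server side), following the
# RFC 793 state diagram. Added example for this page; not OpenBSD kernel code.
# Events starting with "rx_" are segments received from the peer; events
# starting with "app_" are calls made by the application that owns the socket.

# (state, event) -> (next state, segment the stack sends in response or None)
TRANSITIONS = {
    ("LISTEN",       "rx_syn"):    ("SYN_RECEIVED", "SYN/ACK"),
    ("SYN_RECEIVED", "rx_ack"):    ("ESTABLISHED",  None),
    ("SYN_RECEIVED", "rx_rst"):    ("LISTEN",       None),
    # Peer half-closes: the stack ACKs the FIN by itself, the app is not asked.
    ("ESTABLISHED",  "rx_fin"):    ("CLOSE_WAIT",   "ACK"),
    # The only arc out of CLOSE_WAIT is the application closing its socket.
    ("CLOSE_WAIT",   "app_close"): ("LAST_ACK",     "FIN"),
    ("LAST_ACK",     "rx_ack"):    ("CLOSED",       None),
    # Active close (server closes first), for comparison.
    ("ESTABLISHED",  "app_close"): ("FIN_WAIT_1",   "FIN"),
    ("FIN_WAIT_1",   "rx_ack"):    ("FIN_WAIT_2",   None),
    ("FIN_WAIT_1",   "rx_fin"):    ("CLOSING",      "ACK"),
    ("FIN_WAIT_2",   "rx_fin"):    ("TIME_WAIT",    "ACK"),
    ("CLOSING",      "rx_ack"):    ("TIME_WAIT",    None),
    ("TIME_WAIT",    "timeout"):   ("CLOSED",       None),
}


class Endpoint:
    """One socket, driven by received segments and application calls."""

    def __init__(self):
        self.state = "LISTEN"
        self.sent = []                # segments the stack emitted, in order
        self.history = ["LISTEN"]     # states visited, plus ignored events

    def feed(self, event):
        key = (self.state, event)
        if key not in TRANSITIONS:
            # No such arc in the diagram: a real stack drops the segment or
            # answers with RST; here we just record it and stay in place.
            self.history.append("ignored:" + event)
            return self.state
        self.state, segment = TRANSITIONS[key]
        if segment is not None:
            self.sent.append(segment)
        self.history.append(self.state)
        return self.state

    def run(self, events):
        for event in events:
            self.feed(event)
        return self.state


def predecessors(state):
    """States from which `state` can be entered directly."""
    return {src for (src, _), (dst, _) in TRANSITIONS.items() if dst == state}


def exit_events(state):
    """Events that lead out of `state`."""
    return {ev for (src, ev) in TRANSITIONS if src == state}


def client_fins_app_never_closes():
    """Handshake, then the client's FIN: without an app close() the socket
    stays in CLOSE_WAIT forever, which is the symptom discussed in the thread."""
    ep = Endpoint()
    return ep.run(["rx_syn", "rx_ack", "rx_fin"]), ep.sent


def client_fins_app_closes():
    """Same, but the application calls close(): its FIN goes out, the final
    ACK comes back, and the socket is gone."""
    ep = Endpoint()
    return ep.run(["rx_syn", "rx_ack", "rx_fin", "app_close", "rx_ack"]), ep.sent


def half_open_connection_gets_fin():
    """A SYN whose handshake never completes (the SYN-flood case): a FIN on
    it has no arc in the diagram, so the socket never reaches CLOSE_WAIT."""
    ep = Endpoint()
    return ep.run(["rx_syn", "rx_fin"]), ep.history


if __name__ == "__main__":
    print(client_fins_app_never_closes())   # ('CLOSE_WAIT', ['SYN/ACK', 'ACK'])
    print(client_fins_app_closes())         # ('CLOSED', ['SYN/ACK', 'ACK', 'FIN'])
    print(half_open_connection_gets_fin())
    print(predecessors("CLOSE_WAIT"), exit_events("CLOSE_WAIT"))
```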



Re: : rouge IPs / user

2007-12-11 Thread knitti
On 12/11/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
 I want to know if and what I can do (on the server side) about HTTP
 clients that put sockets on my httpd server in state CLOSE_WAIT and
 thereby chew up all sockets for the server causing a kind of
 denial of service state.

 And yes, I have googled for HPPT server socket CLOSE_WAIT and
 did not get much wiser.

If I understand correctly you could try synproxy states with pf and let these
states expire rapidly. If the states expire, I *think* pf should end the
connection completely, so your half-closed sockets don't get stale.
BUT perhaps I didn't get it at all and this makes no sense ;)

--knitti
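One concrete check for the situation the original poster describes, written for this page rather than taken from the thread: parse `netstat -an` output and count sockets in CLOSE_WAIT per remote host and per local service port. Since CLOSE_WAIT means the local application has not yet called close(), a large count concentrated on one service port points at that daemon rather than at the clients. The sample output is constructed here and the parser assumes the BSD netstat layout (`proto recv-q send-q local foreign state`, with addresses written as host.port).

```python
from collections import Counter

# Constructed sample of `netstat -an` output in the BSD layout, using
# documentation address ranges only; not a capture from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.80          198.51.100.7.51234     CLOSE_WAIT
tcp          0      0  192.0.2.10.80          198.51.100.7.51235     CLOSE_WAIT
tcp          0      0  192.0.2.10.80          203.0.113.9.40001      ESTABLISHED
tcp          0      0  192.0.2.10.80          198.51.100.7.51236     CLOSE_WAIT
tcp          0      0  192.0.2.10.22          203.0.113.9.40100      ESTABLISHED
tcp          0      0  *.80                   *.*                    LISTEN
tcp6         0      0  2001:db8::10.80        2001:db8::5.5000       CLOSE_WAIT
"""


def split_host_port(addr):
    """BSD netstat writes addresses as host.port; the port is whatever follows
    the last dot, which also works for IPv6 text such as 2001:db8::5.5000."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_tcp_sockets(text):
    """Yield (local_host, local_port, peer_host, peer_port, state) for every
    TCP line; header lines and lines without a state column are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_host, local_port = split_host_port(fields[3])
        peer_host, peer_port = split_host_port(fields[4])
        yield local_host, local_port, peer_host, peer_port, fields[5]


def close_wait_summary(text, state="CLOSE_WAIT"):
    """Count sockets in `state` by remote host and by local service port."""
    by_peer, by_local_port = Counter(), Counter()
    for _, local_port, peer_host, _, sock_state in parse_tcp_sockets(text):
        if sock_state != state:
            continue
        by_peer[peer_host] += 1
        by_local_port[local_port] += 1
    return dict(by_peer), dict(by_local_port)


def report(text, threshold=2):
    """Triage text: which local service owns the stuck sockets, and which
    peers have at least `threshold` sockets sitting half-closed."""
    by_peer, by_port = close_wait_summary(text)
    lines = ["CLOSE_WAIT sockets per local port: " + str(by_port)]
    for host, n in sorted(by_peer.items(), key=lambda kv: -kv[1]):
        if n >= threshold:
            lines.append(f"{host}: {n} sockets half-closed by the peer")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe live output in (`netstat -an | python3 closewait.py`) or fall back
    # to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(report(data))
```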



Re: BIND and the measure of system entropy (randomness?)

2007-12-11 Thread knitti
On 12/11/07, Andreas Maus [EMAIL PROTECTED] wrote:
 On Wed, Dec 12, 2007 at 01:08:42AM +1100, mufurcz wrote:
   b) lines 34 and 35:  `could not open entropy source /dev/arandom: file not
   found` and `using pre-chroot
   entropy source /dev/arandom` complaining about a missing
   /var/named/dev/arandom device.
 Same as above. /dev/arandom is _REALLY_ /var/named/dev/arandom.
 So just why not creating this device?
 cd /var/named/dev
 mknod arandom c 45 4

   What does BIND have to do with the laws of thermodynamics? Can I safely ignore
   the above messages.
 BIND needs /dev/arandom for some stuff like generating random IDs.

on OpenBSD it doesn't. There was a mail from Theo regarding exactly this
error message, stating that on OpenBSD BIND doesn't use (or need) this.
You could search the archives...

--knitti



Re: : rouge IPs / user

2007-12-11 Thread knitti
On 12/11/07, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2007/12/11 09:40, Marti Martinez wrote:
  Yep, synproxy in your answer for OpenBSD. For linux or freebsd, try
  enabling syn cookies.

 synproxy works at the start of the connection, not the end.

 CLOSE_WAIT is the state where the network stack waits for
 the application (httpd) to close the connection after receiving
 the client's FIN.

oh sorry, then I was wrong. So when the client's FIN is already in, then
(depending on how long it takes), is it normal behaviour of httpd
or could it be considered a bug?


--knitti



Re: : rouge IPs / user

2007-12-11 Thread knitti
On 12/11/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
[... snipped away a lot ...]
 There is a lots that can be done, however, when you reach this level, an
 answer doesn't fit all and is really dependent on your setup.

 Hope this help answering your question.

It's not me having the problem, but I desire to understand it. AFAIK
HTTP keep alives have nothing to do with it. If the socket is in
CLOSE_WAIT, the TCP connection can't be reused, the server
has sent its FIN and the client its FIN/ACK, but the server hasn't
yet sent its final ACK.
I can imagine some possibilities why this happens (some might
not be valid due to my lack of knowledge):
- the server didn't clean up its socket, so it stays there until the
process dies eventually
- the server does this to keep its socket (that I don't know: can
a socket be reused in any state?)


btw: I might be going off topic here, but I think it applies to
OpenBSD's httpd. I won't send any further mail to this thread
you tell me to shut up.

--knitti



Re: : rouge IPs / user

2007-12-11 Thread knitti
On 12/12/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 knitti wrote:
  HTTP keep alives have nothing to do with it. If the socket is in
  CLOSE_WAIT, the TCP connection can't be reused, the server
  has sent its FIN and the client its FIN/ACK, but the server doesn't
  have yet sent its final ACK.

 Well actually it does under normal operation. See, if you get a
 connection from a user and have keep alive setup. The socket will stay
 open to speed up the next request from the same users without having to
 establish a new connection, reusing the same socket for speed, but at
 the same time keeping that socket open and not ready to close yet for
 the next users. So, you see, if you have longer keep alive setup in
 httpd, you will reach the CLOSE_WAIT later on instead of sooner if you
 have shorter keep alive setup. See what I explain, may be not as well as
 I would like is the impact of PF and httpd together as well as the
 net.inet.tcp.xxx in sysctl setup. They all interact together in some
 ways and as such I also said it wasn't something to take isolated of one
 an other.
[...]
 I think the CLOSE_WAIT state and time is a function of the OS stack, not
 the application itself, in this case httpd. I could be wrong here and I
 would love for someone to correct that for me if I do not understand
 that properly. But my understanding is this is control by the OS, not
 the application itself, other then the keep alive obviously in this case.


you tell me that there is some correlation between HTTP keep alives and
a socket ending up in CLOSE_WAIT for some time. That is the practical
observation. But I'm interested in whether this is by design or not.
RFC 2616 doesn't mention implementation details, and I can't see why
the socket implementation (OS) would want to keep a socket in
CLOSE_WAIT for some time (not sending a final ACK).

  btw: I might be going off topic here, but I think it applies to
  OpenBSDs httpd. I won't sent any further mail to this thread
  you tell me to shut up.

 I didn't do such thing. The original poster however should/may take the
 advice, or drop it. (;

sorry for the confusion, I forgot to write an 'if' after 'thread'

--knitti
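As an added illustration of the state machine being discussed (this is not code from the thread, and it models RFC 793 rather than the OpenBSD stack): the side that receives the first FIN ACKs it at once and enters CLOSE_WAIT, and it stays there, with no kernel-side timer, until the local application calls close(); only that close() sends the server's own FIN and moves the socket to LAST_ACK. The second helper counts CLOSE_WAIT sockets in `netstat -an` style output, on a constructed sample.

```python
"""Model of TCP connection teardown (RFC 793, section 3.2), reduced to the two
segments that matter for the CLOSE_WAIT question: FIN and the ACK of a FIN.
Retransmission, sequence numbers and the 2MSL timer are left out on purpose.
Illustrative model, not the OpenBSD stack."""

from dataclasses import dataclass, field


@dataclass
class TcpEndpoint:
    name: str
    state: str = "ESTABLISHED"
    outbox: list = field(default_factory=list)   # segments queued for the peer
    log: list = field(default_factory=list)      # state transitions, for reading

    def _goto(self, new_state):
        self.log.append(f"{self.name}: {self.state} -> {new_state}")
        self.state = new_state

    def app_close(self):
        """The local application calls close(); only then does this side send FIN."""
        if self.state == "ESTABLISHED":
            self._goto("FIN_WAIT_1")            # active close
        elif self.state == "CLOSE_WAIT":
            self._goto("LAST_ACK")              # passive close, second half
        else:
            raise RuntimeError(f"{self.name}: close() in state {self.state}")
        self.outbox.append("FIN")

    def receive(self, segment):
        """Kernel-side processing of one segment from the peer."""
        if segment == "FIN":
            self.outbox.append("ACK-of-FIN")    # the kernel ACKs the FIN immediately...
            if self.state == "ESTABLISHED":
                self._goto("CLOSE_WAIT")        # ...and now waits for the application
            elif self.state == "FIN_WAIT_1":
                self._goto("CLOSING")           # simultaneous close
            elif self.state == "FIN_WAIT_2":
                self._goto("TIME_WAIT")
        elif segment == "ACK-of-FIN":
            if self.state == "FIN_WAIT_1":
                self._goto("FIN_WAIT_2")
            elif self.state == "CLOSING":
                self._goto("TIME_WAIT")
            elif self.state == "LAST_ACK":
                self._goto("CLOSED")
        else:
            raise ValueError(f"unknown segment {segment!r}")


def deliver(a, b):
    """Exchange queued segments between two endpoints until nothing is in flight."""
    while a.outbox or b.outbox:
        while a.outbox:
            b.receive(a.outbox.pop(0))
        while b.outbox:
            a.receive(b.outbox.pop(0))


def passive_close(server_closes):
    """Client closes first (e.g. a browser ending a keep-alive session).
    Returns (states right after the client's FIN is ACKed, final states)."""
    client, server = TcpEndpoint("client"), TcpEndpoint("server")
    client.app_close()
    deliver(client, server)
    after_fin = (client.state, server.state)
    if server_closes:
        server.app_close()                      # httpd notices EOF and calls close()
        deliver(client, server)
    return after_fin, (client.state, server.state)


def count_close_wait(netstat_output):
    """Count TCP sockets in CLOSE_WAIT from `netstat -an` style output."""
    n = 0
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "CLOSE_WAIT":
            n += 1
    return n


# Constructed sample, not real netstat output from the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.80          198.51.100.7.51512     CLOSE_WAIT
tcp          0      0  192.0.2.10.80          198.51.100.9.40120     ESTABLISHED
tcp          0      0  192.0.2.10.80          203.0.113.4.33021      CLOSE_WAIT
tcp          0      0  *.22                   *.*                    LISTEN
"""

if __name__ == "__main__":
    stuck, _ = passive_close(server_closes=False)
    print("server never calls close():", stuck)
    _, done = passive_close(server_closes=True)
    print("server calls close():     ", done)
    print("CLOSE_WAIT sockets in sample:", count_close_wait(SAMPLE_NETSTAT))
```

Run it and the first line shows the server parked in CLOSE_WAIT for as long as the application holds the descriptor; a long HTTP keep-alive timeout simply lengthens that window, because httpd only notices the client's EOF when it next services the connection.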



Re: Configuring sendmail openbsd 4.2

2007-11-29 Thread knitti
On 11/29/07, Khalid Schofield [EMAIL PROTECTED] wrote:
 ok it's still not working. I'm posting my configs here. It's not
 accepting incoming mail. Sendmail is set to use /etc/mail/sendmail.cf
 in rc.conf

- when it's not accepting, what is the error? does it work locally?
- try putting the MAILER lines last.
- Why would you accept mail to unresolvable domains?
- consider adding a define(`confPRIVACY_FLAGS', . )

--knitti



Re: Configuring sendmail openbsd 4.2

2007-11-27 Thread knitti
On 11/27/07, Khalid Schofield [EMAIL PROTECTED] wrote:
 I'm configuring sendmail on openbsd 4.2. Trying to get sendmail to
 send all mail via my smart host. What do I edit since there is no /
 etc/mail/sendmail.mc and in /usr/share/sendmail/cf there are lots of
 configs.

 The docs look pretty major reading so I thought I'd just ask people
 that have done this before.

 So I'm trying to send all outgoing mail via my smart host on my
 network and not set this up as a smart host.

Nothing beats reading the docs. It's there for a reason, and you *have*
to know what you are doing, because some day something goes wrong,
and *you* will have to troubleshoot it. And in this very (possibly trivial)
moment it pays to have read the docs at least *once* before, just to
roughly know where you can find which information.

--knitti



Re: how best to handle DNS on firewalled home network?

2007-11-15 Thread knitti
On 11/15/07, Jonathan Thornburg [EMAIL PROTECTED] wrote:
 I'm setting up a home firewall, intended to (try to) protect client
 machines (mostly family members' MS-Windoze laptops) from misc internet
 threats.  I have a couple of questions about how best to handle DNS
 on/through the firewall:

just use named in caching mode (should work out of the box) and forget
your isp's name servers. it costs next to nothing performance-wise and
works really well. a soekris 4501 firewall (100MHz/ 64 MB RAM) does handle
a DSL-type connection (4 MBit) including dhcpd, named and ntpd very
well.

--knitti



Re: Slow Performance on Encrypted svnd

2007-11-14 Thread knitti
Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but
when copying partitions with dd I use this.

--knitti



Re: Slow Performance on Encrypted svnd

2007-11-14 Thread knitti
On 11/14/07, Clint Pachl [EMAIL PROTECTED] wrote:
 knitti wrote:
  Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but
  when copying partitions with dd I use this.
 

 I tried that, but like I said fdisk complained when the svnd device is
 associated with the raw direct access disk device. For example

 # vnconfig -k svnd0 /dev/rwd1c

 # fdisk -c 19457 -h 255 -s 63 -i svnd0  # disk CHS
 fdisk: error initializing MBR: bad address

 # fdisk -c 19456 -h 254 -s 63 -i svnd0  # OpenBSD partition CHS
 fdisk: error initializing MBR: bad address

 # fdisk -i svnd0
 Warning CHS values out of bounds only saving LBA values
 fdisk: error initializing MBR: bad address


well, the 'c' slice is a bit 'special', perhaps try an 'a' slice filling the
whole disk but the first track? After all, I think it's weird not to have
an MBR etc. on the real disk. (Which doesn't mean that I couldn't
imagine that).

--knitti



Re: HP Procurve or Soekris w. OpenBSD ?

2007-11-12 Thread knitti
On 11/12/07, Matt [EMAIL PROTECTED] wrote:
 Goodday,

 Looking to manage several webservers I am wondering if anybody uses
 something like this: http://soekris.kd85.com/images/tn/dsc03600.med.jpg ?
 (That image shows Wim's net4801-50 plus quadport lan1641 firewall box,
 giving 7 ports with low powerconsumption - on OpenBSD)

 The standard choice in my datacenter (linux users mostly) seems to be HP
 Procurve but I'd prefer the power of PF.

 I have no idea how rigid /stable/fast the Soekris machines are, I've
 never used one.
 I'm wondering if a setup as mentioned could (speedwise) compete and if
 it is a sane idea to deploy something like this in the DC.

 Any advise is appreciated. Thanks.

If you are looking for raw networking performance, don't go for soekris.
I don't know exactly the 4801, but I use a couple of 4501 as firewalls and
IPsec routers for connections of up to 5 MBit/sec. Seeing the specs of
the 4801 and knowing the 4501, I wouldn't use them for more than about
40-50 Mbit/sec. There are people on this list, who have more experience
with the 4801. BUT you have to test for yourself if it fits your needs, and
your performance depends a lot on your setting.


--knitti



Re: identifying sparse files and get ride of them trick available?

2007-11-11 Thread knitti
On 11/11/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
 2.3 ==
 Now using scp as many times it's can also be use for quick sync of
 changed files. Here however, we are up for a big surprise as well for
 sure. Here we can't even do it as the sparse file like in rsync example
 #1 will stop as it is to big in size, even if the data however is not.
 And we will also waist way more bandwidth trying to do it in the process
 as well. If the file was smaller in sparse size, then the copy process
 would work, however the waisted bandwidth would be present anyway making
 the point of trying to avoid the problem in the first place of
 transferring sparse files across file systems. Or at best trying to use
 something that would minimize the problem.


if I'm not completely wrong, you could always tar -czf the sparse file, scp the
archive and then tar -xzf the file in place on the other side. this should also
create a new sparse file. of course, you lose the rsyncability and you have to
identify your sparse file in advance. But 16GB of nothing should compress
very well  ;)


--knitti
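An added example, not from the thread, of what happens underneath: a sparse file reports its full st_size, but only the written blocks are allocated (st_blocks). A byte-for-byte copier such as scp or cat writes every zero and so allocates the whole length on the far side; a copier that recognises all-zero blocks can seek over them and re-create the holes. The script builds a constructed 32 MiB image with three small pieces of data, copies it both ways and reports what each copy cost. GNU tar's -S/--sparse and rsync's --sparse do the same detection for you.

```python
"""Hole-preserving file copy, to show why a sparse file 'grows' when copied
byte for byte and how a copier can re-create the holes. Illustrative code,
not a replacement for tar or rsync."""

import os
import tempfile

BLOCK = 64 * 1024


def make_sparse_file(path, size, data_offsets, payload=b"payload"):
    """Create a `size`-byte file whose only real data sits at `data_offsets`.
    Everything else is a hole: never written, so never allocated on disk."""
    with open(path, "wb") as f:
        f.truncate(size)                 # extends the file without writing blocks
        for off in data_offsets:
            f.seek(off)
            f.write(payload)


def naive_copy(src, dst, block=BLOCK):
    """What scp/cat do: write every byte, zeros included. Holes are lost."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(block):
            fout.write(chunk)


def sparse_copy(src, dst, block=BLOCK):
    """Copy src to dst but turn all-zero blocks into holes by seeking over them.
    Returns (data_blocks_written, zero_blocks_skipped)."""
    zeros = bytes(block)
    written = skipped = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(block):
            if chunk == zeros[:len(chunk)]:
                fout.seek(len(chunk), os.SEEK_CUR)   # leave a hole instead of writing
                skipped += 1
            else:
                fout.write(chunk)
                written += 1
        fout.truncate(fin.tell())    # a trailing hole still has to count towards the size
    return written, skipped


def allocated_bytes(path):
    """Bytes actually backed by disk blocks (st_blocks is in 512-byte units);
    this is what `ls -ls` and `du` report and what st_size hides."""
    st = os.stat(path)
    return getattr(st, "st_blocks", 0) * 512


def demo(size=32 * 1024 * 1024):
    """Build a sparse image, copy it both ways, and report what each copy cost."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "sparse.img")
    dumb = os.path.join(tmp, "naive.img")
    smart = os.path.join(tmp, "sparse-copy.img")
    make_sparse_file(src, size, [0, 10 * BLOCK + 17, size - 100])   # 3 data blocks
    naive_copy(src, dumb)
    counts = sparse_copy(src, smart)
    with open(src, "rb") as a, open(smart, "rb") as b:
        identical = a.read() == b.read()
    sizes_match = os.stat(dumb).st_size == os.stat(smart).st_size == size
    return {
        "blocks": counts,                    # (data blocks written, zero blocks skipped)
        "identical": identical,
        "sizes_match": sizes_match,
        "allocated": {
            "source": allocated_bytes(src),
            "naive": allocated_bytes(dumb),
            "sparse": allocated_bytes(smart),
        },
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a filesystem with hole support the "naive" copy shows the full 32 MiB allocated while "source" and "sparse" show a few blocks; on one without it, all three are equal, which is exactly the bandwidth and space surprise described above.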



Re: Security Comparisons

2007-11-10 Thread knitti
On 11/10/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:

 of philosophy.  Linux is about making all kinds of toys work in a
 hot-plug way and allow people to boast about their uptime.  OpenBSD is
 about security.

I would add usability (conciseness, least surprise and coherency) and
thus maintainability to the list. I end up having less to do for OpenBSD
Servers to keep them happy running than for some Debian boxes, and
Debian _is_ damn well maintainable.

--knitti



Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-09 Thread knitti
On 11/9/07, Jake Conk [EMAIL PROTECTED] wrote:
 My question though is why did you give this rdr rule?

 rdr pass on $int_if proto tcp from any to !$ftp_server port ftp ->
 127.0.0.1 port 8022

 What special feature does switching any to !$ftp_server add to the
 pf rules? Should I modify mine to also say that?

no, I *think* I made some wrong assumptions about your network
(obviously didn't read your first mail carefully enough) and I can't figure
out now why I suggested that. Sorry about that.

--knitti



Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread knitti
On 11/8/07, Jake Conk [EMAIL PROTECTED] wrote:
 Hello,

 I have a computer running OpenBSD 4.2 which is acting as my router.
 Behind it I have a a ftp-server which is working fine thanks to
 ftp-proxy but one of the problems I am having is ftp'ing out of my
 network. I am able to connect and establish connections to outside
 servers but I am not able to run normal commands on them like ls, cd,
 get, etc. Any command I try running after I connect just hangs and
 fails.

of course, since you are using NAT. starting a second instance of
ftp-proxy on a different port should work, just look at the manpages

pf.conf(5)
ftp-proxy(8)

--knitti



Re: Trouble ftp'ing out of network, already running ftpproxy for internal ftp server, need to ftp out

2007-11-08 Thread knitti
On 11/8/07, Jake Conk [EMAIL PROTECTED] wrote:
 Ok I understand I'm supposed to have another instance of ftp-proxy
 running so that it can open up ports on my router to allow data
 connections to be established from remote hosts but I'm not sure how I
 should configured ftp-proxy for that and my pf... Lets start with
 ftp-proxy first then handle pf...

 Since I got 1 instance of ftp-proxy already running to redirect
 incominng ftp traffic to a local server in my network I must have
 another one on a different port so for that I'm starting with...

 `ftp-proxy -p 8022`

 Ok and I think I have to tell ftp-proxy to only listen on its local IP
 because we are trying to connect our local servers to public servers
 so I would add that to the command:

 `ftp-proxy -p 8022 -a 192.168.10.1`

you need 127.0.0.1 in any case, because of the rdr in pf.conf


 I wasn't sure to use -a or -b so if I'm doing this wrong someone
 please correct me.

 1) So now on the ftp-proxy configuration is there anything else I need
 to add? 2) Where's a good place to look on how to configure my packet
 filtering (pf) to work with the second instance of ftp-proxy and allow
 me to connect to outside (public) ftp servers

look at your pf.conf, you have commented out the line. you should change
it to about this:

rdr pass on $int_if proto tcp from any to !$ftp_server port ftp ->
127.0.0.1 port 8022

of course I didn't test this, but you get the idea

--knitti
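As an added, complete pf.conf fragment for the two-proxy setup discussed in this thread (written here as an example; it is not the poster's configuration and was not tested against it). Interface names, the LAN prefix, the internal server address and the ports are assumptions: `fxp0`/`fxp1`, `192.168.10.0/24`, `192.168.10.20`, and listen ports 8021 (ftp-proxy's default) for the reverse instance and 8022 for the forward instance. It goes with two daemons: `ftp-proxy -R 192.168.10.20 -p 8021` for inbound connections to the internal server and `ftp-proxy -p 8022` for LAN clients reaching public servers; both instances insert their per-session rules into the shared "ftp-proxy/*" anchors. Syntax is the pre-4.7 nat/rdr form that OpenBSD 4.2 uses.

```conf
# Macros (assumed values, adjust to your network)
ext_if     = "fxp0"
int_if     = "fxp1"
int_net    = "192.168.10.0/24"
ftp_server = "192.168.10.20"
proxy      = "127.0.0.1"

# Translation section. Both ftp-proxy instances add their dynamic
# nat/rdr rules for data connections inside these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound: public FTP clients reach the internal server through the
# reverse-mode proxy (ftp-proxy -R $ftp_server -p 8021).
rdr pass on $ext_if proto tcp from any to ($ext_if) port ftp -> $proxy port 8021

# Outbound: LAN clients talking to Internet FTP servers go through the
# second, forward-mode proxy (ftp-proxy -p 8022). Without this, the
# control channel works but every data connection hangs, which is the
# "ls/cd/get just hang" symptom behind NAT.
rdr pass on $int_if proto tcp from $int_net to any port ftp -> $proxy port 8022

# Filter section. The anchor is where the proxies put their temporary
# "pass" rules for each data connection; keep it before any blanket block.
anchor "ftp-proxy/*"
block in log all
pass in on $ext_if proto tcp from any to ($ext_if) port ftp
pass out proto tcp from $proxy to any port ftp keep state
pass out on $ext_if from $int_net to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and confirm both proxies are listening with `netstat -an | grep 802`; if the forward instance is bound to a non-loopback address with -b, the rdr target has to match that address.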



Re: Building a custom kernel error

2007-11-08 Thread knitti
On 11/8/07, 23e7 [EMAIL PROTECTED] wrote:
 I missing some option?

did you read the FAQ?
do you know what you are doing?
why do you need a custom kernel?

--knitti



Re: Building a custom kernel error

2007-11-08 Thread knitti
On 11/8/07, 23e7 [EMAIL PROTECTED] wrote:
 yes, I know.

 On 11/8/07, knitti [EMAIL PROTECTED] wrote:
 
  On 11/8/07, 23号 [EMAIL PROTECTED] wrote:
   I missing some option?
 
  did you read the FAQ?
  do you know what you are doing?
  why do you need a custom kernel?

the error message tells you to find the code which defines 'comsoft' and
enable it.

--knitti



Re: detecting bad disks

2007-11-08 Thread knitti
On 11/8/07, Derick Siddoway [EMAIL PROTECTED] wrote:
 Trying to copy a file from one filesystem to another, I kept getting
 input/output errors.  I noticed these messages in the logs:

 wd1a:  uncorrectable data error reading fsbn 768416 of 768384-0 (wd1 bn 
 768416; cn 762 tn 5 sn 5), retrying
 wd1a:  uncorrectable data error reading fsbn 768416 of 768384-0 (wd1 bn 
 768416; cn 762 tn 5 sn 5), retrying
...

 However, when I run this by hand, I get

 [EMAIL PROTECTED]:$ sudo /sbin/atactl /dev/wd1 smartstatus
 No SMART threshold exceeded

 So clearly, the SMART stuff wasn't going to tell me about this.

 ...

 I see a number of values that exceed the preset threshholds.
 But I see the same kinds of values on the other three drives:

not all SMART thresholds define an upper value, some values
are a sort of quality measurement and go downwards. Indeed,
your SMART values indicate no error. Two possibilities:

- SMART didn't catch the errors. no monitoring is perfect,
but it seems unlikely that it won't notice read errors

- everything is OK with the disk, but something else
is not. Try a different cable, look for faulty RAM or a
dying PSU. Put the disk into another machine and look
whether you can read everything fine.

--knitti
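An added example (not from the thread) of reading a SMART attribute table the way the firmware does: each normalized VALUE starts high and decreases as the attribute degrades, and the drive only reports "threshold exceeded" once VALUE drops to or below THRESH. A threshold of 0 means the attribute is informational. The raw counters for reallocated, pending and offline-uncorrectable sectors are therefore the early warning that `smartstatus` alone never shows. The parser targets the `smartctl -A` table layout; OpenBSD's `atactl wdN smartread` prints the same attribute IDs in its own layout, so the column regex is an assumption about smartctl, not about atactl. The sample table is constructed.

```python
"""Interpret a SMART attribute table: flag attributes whose normalized value
has reached its threshold (what the drive calls a failure) and attributes
whose raw error counters are non-zero (what precedes that failure)."""

import re

# Attributes whose raw value should be zero on a healthy disk. Any non-zero
# count deserves a look long before the normalized value reaches its threshold.
RAW_WATCH = {
    5: "Reallocated_Sector_Ct",
    196: "Reallocated_Event_Count",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
    199: "UDMA_CRC_Error_Count",
}

# ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)"
)


def parse_attributes(text):
    """Return one dict per attribute line; header and noise lines are skipped."""
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        attrs.append({
            "id": int(m.group(1)),
            "name": m.group(2),
            "value": int(m.group(4)),
            "worst": int(m.group(5)),
            "thresh": int(m.group(6)),
            "type": m.group(7),
            "raw": int(m.group(10)),   # leading integer of RAW_VALUE
        })
    return attrs


def assess(attrs):
    """Split findings into 'failed' (threshold reached) and 'warnings'."""
    failed, warnings = [], []
    for a in attrs:
        if a["thresh"] > 0 and a["value"] <= a["thresh"]:
            failed.append(f"{a['name']}: normalized {a['value']} <= threshold "
                          f"{a['thresh']} ({a['type']})")
        elif a["thresh"] > 0 and a["worst"] <= a["thresh"]:
            warnings.append(f"{a['name']}: worst value {a['worst']} once reached "
                            f"threshold {a['thresh']}")
        if a["id"] in RAW_WATCH and a["raw"] > 0:
            warnings.append(f"{a['name']}: raw count {a['raw']} is non-zero")
    return {"failed": failed, "warnings": warnings}


# Constructed sample in smartctl -A layout; not output from the poster's disk.
SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   253   006    Pre-fail  Always       -       0
  3 Spin_Up_Time            0x0003   097   097   000    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       12
  9 Power_On_Hours          0x0032   090   090   000    Old_age   Always       -       9113
194 Temperature_Celsius     0x0022   037   052   000    Old_age   Always       -       37
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8
"""

if __name__ == "__main__":
    report = assess(parse_attributes(SAMPLE))
    print("failed:  ", report["failed"] or "none (what 'smartstatus' reports)")
    for w in report["warnings"]:
        print("warning: ", w)
```

The sample reproduces the situation in this thread: no threshold is reached, so the overall status is "healthy", while eight pending and eight uncorrectable sectors explain the read errors in the log.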



Re: Custom Kernel for 4.2 upgrade

2007-11-02 Thread knitti
On 11/2/07, Jason Murray [EMAIL PROTECTED] wrote:
 It's not a shortcut. It is documented, just not supported.

 On 2-Nov-07, at 6:23 PM, Stuart Henderson wrote:

  On 2007/11/02 18:03, Jason Murray wrote:
  On the 4.1 box. As I've said I've done this since 3.6 with no
  problems.
 
  If you were able to take a shortcut for the last 3 years or so,
  take that as a bonus, but don't expect it to always work (-:
  You were lucky those times.


This is interesting. Please, tell me where it is documented how to
source-upgrade from release to release? I've done so too, several
times in the past, but I thought (knew) I would do a binary reinstall
if I botch the thing.

It didn't happen and after I tried binary upgrades, I don't miss trying
and sweating through a source upgrade (OK, it wasn't *that* hard).
Upgrading by source is like going from -release to -current (just
not to _current_ -current ;-) - you have to expect to deal with the
unforeseen.

--knitti



Re: RAIDFrame inconsistancy and server will not boot!

2007-10-26 Thread knitti
On 10/26/07, Jake Conk [EMAIL PROTECTED] wrote:
 On 10/25/07, Francesco Toscan [EMAIL PROTECTED] wrote:
  2007/10/26, Jake Conk [EMAIL PROTECTED]:
   Hello,
  
   I was trying to restart my server and noticed it wasn't coming back
   online so when I went down to go take a look at it I was having a RAID
   problem. This is what was showing on the screen:
  
   ...
   PARTIALLY TRUNCATED INODE I=720
   THE FOLLOWING SYSTEM HAD AN UNEXPECTED INCONSISTENCY:
   [...]
   My question is what causes this? How can I be warned before a problem
   like this happens and what's the best way to prevent this from coming
   up? And lastly, is it possible in the worst case scenario if one of my
   disks is completely fsck'ed up is it possible to run the system on 1
   of the raid 1 disks until a second comes?
 
  Your problem is related to filesystem, not disks. For some reasons
  your filesystem (on top of raid) was not properly unmounted: assuming
  you didn't hard-reboot your server, this happened to me whith some IDE
  devices which lied about commit of write operations. Even if my server
  was rebooted normally, filesystem and disks were left in an
  inconsistent state. Better SCSI disks solved the problem. Hardware has
  become more crappy day by day.

 Thanks for your reply Francisco.

  RAID in general keeps your system up if a disk fails, not if
  filesystem on top of it screws up.

 If the filesystem is screwed up then shouldn't the raid just ignore it
 and run on 1 disk until I fix  the problem? That seems like the
 logical thing it should do unless all my mirrors of /var are messed
 up.


as Francesco said, this is not a RAID issue, and the above error is
neither originated nor reported by RAIDFrame. It only mentions the
device on which the filesystem is: rraid0f. So it isn't clear why raid
should (could!) prevent that.


 Well anyways since it doesn't do that, some of my original questions
 still stand. How can I be warned before a problem like this happens?

you can't be warned. Do fsck more often. You didn't mount your
filesystem async, did you?

 And lastly, is it possible in the worst case scenario if one of my
 disks is completely fsck'ed up is it possible to run the system on 1
 of the raid 1 disks until a second comes?

yes. as long as this one doesn't break ;-)

BTW: if you use RAID to keep your system up, get familiar with what it
does and doesn't do. Most problems arise not from hardware or system
failure, but from admin failure. Do backups.


--knitti



Re: OpenBSD 4.2 RAIDFrame mirror

2007-10-25 Thread knitti
On 10/25/07, Dominik Zalewski [EMAIL PROTECTED] wrote:
 How to enable RAID 1 and sync first disk with second one without installing
 everthing from scratch like in those howtos?

well, apart from the fact, that these howtos are a bit outdated, as usual,
they do more or less describe what to do. just skip the installation, you've
done this already.

did you read the raidctl manpage? In the examples section is a part
beginning with
   Under certain circumstances (e.g. the additional component has not
   arrived, or data is being migrated off of a disk destined to become a
   component) it may be desirable to configure a RAID 1 set with only a single
   component.
this applies to you, I think. read it. the whole manpage.

Additionaly, the fifth hit on google with the search terms OpenBSD raid
was this:
http://www.linux.com/articles/52713

it also describes (a bit newer than the other two howtos) a raid 1 setup,
and how to transfer the system from non-raid to raid.

It is very important that you understand what you do. If you follow a howto,
and you don't know why you are doing something, read the manpages
of the tools and files involved. If you want to depend on this setup, you have
to know what you are doing. Also, if you have already some important data
on the system, do a backup now.

And good luck with your Maxtor disks, I hope you have good cooling for
them (I've seen more Maxtor (IDE, SATA) disks dead since after getting
burned multiple times from the infamous IBM deathstar series than from
all other vendors combined, and they are usually hotter than from other
vendors )

--knitti



Re: A (pf?) puzzler -- a single device invisible on the other side of an IPsec tunnel

2007-10-19 Thread knitti
On 10/19/07, Stephen Bosch [EMAIL PROTECTED] wrote:
 Other things I've tried:

 - moving the Jetdirect to a different port on the same physical switch
 - a variety of static and dynamic IPs in the subnet

 I also forwarded the external port 9100 to this print server and tried
 to access it from a public host, but this didn't work either.

 This leads me to suspect a peculiar interaction between OpenBSD 4.1 and
 this particular print server. Of course, it might well be the fault of
 HP's IP stack, but I've already talked to them at great length and got
 pretty much nowhere: We don't support JetDirect over WAN connections.

look with tcpdump, whether the packets of the printserver look like you expect.
perhaps it only has a ttl of 1 or 2 ;-)

--knitti



Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-14 Thread knitti
Hi Boris,

On 10/14/07, Boris Goldberg [EMAIL PROTECTED] wrote:
   You've  said  that  you'd tried different configurations, but the one you
 are showing here just can't work, because you don't have wd3.

I wrote:  I tried both with wd0d, wd1d (both exist) and with wd1d,wd3d
(latter doesn't physically exist), none of these is mounted or in use, in
fact nothing of wd1 is currently used.

that's because there are tutorials on the web which create a degraded
raid forcefully with one missing component. I gave this a shot. I also
tried with wd0d, wd1d, which both exist and were not in use.

--knitti



SOLVED Re: RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-14 Thread knitti
On 10/14/07, Greg Oster [EMAIL PROTECTED] wrote:
 knitti writes:
  raidlookup on device: /dev/wd3d  failed !
  ^
 I suspect you have an extra space after wd3d in the config file...
 And, unfortunately, that annoying little non-feature is enough to
 stop RAIDframe in its tracks... :(

Thanks a lot, I tried to be as minimal in creating the config
file as it could get, but I failed. Sure enough it was an additional
space.

--knitti
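An added example (not part of raidctl, and not the poster's file) of the check that would have caught this: a small linter for a RAIDframe configuration in the raidctl(8) layout (`START array`, `START disks`, optional `START spare`, `START layout`, `START queue`). It flags trailing whitespace on any non-comment line, which RAIDframe treats as part of the component name, and checks that the number of components matches numRow x numCol. The placeholder component name `absent`, documented in raidctl(8) for configuring a set with a missing component, is accepted. The sample configuration is constructed and contains the one-space defect from this thread.

```python
"""Lint a RAIDframe configuration file before handing it to raidctl -C/-c."""


def lint_raid_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    section = None
    geometry = None            # (numRow, numCol, numSpare)
    components, spares = [], []

    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Whitespace before a comment is harmless; elsewhere it becomes part of
        # the token raidctl reads, e.g. "/dev/wd3d " instead of "/dev/wd3d".
        if "#" not in raw and raw != raw.rstrip():
            findings.append(f"line {lineno}: trailing whitespace in {raw.strip()!r}")
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("START "):
            section = line.split(None, 1)[1].strip()
            continue

        parts = line.split()
        if section == "array":
            if len(parts) != 3 or not all(p.isdigit() for p in parts):
                findings.append(f"line {lineno}: array section needs 'numRow numCol numSpare'")
            else:
                geometry = tuple(int(p) for p in parts)
        elif section == "disks":
            components.append(line)
            if line != "absent" and not line.startswith("/dev/"):
                findings.append(f"line {lineno}: component {line!r} is not a /dev path or 'absent'")
        elif section == "spare":
            spares.append(line)
        elif section == "layout":
            if len(parts) != 4 or not all(p.isdigit() for p in parts):
                findings.append(f"line {lineno}: layout needs "
                                "'sectPerSU SUsPerParityUnit SUsPerReconUnit RAID_level'")
        elif section == "queue":
            if len(parts) != 2:
                findings.append(f"line {lineno}: queue section needs 'policy depth'")
        else:
            findings.append(f"line {lineno}: data outside any START section")

    if geometry is None:
        findings.append("no 'START array' geometry found")
    else:
        rows, cols, nspare = geometry
        if len(components) != rows * cols:
            findings.append(f"array declares {rows * cols} components, "
                            f"disks section lists {len(components)}")
        if len(spares) != nspare:
            findings.append(f"array declares {nspare} spares, spare section lists {len(spares)}")
    if len(set(components) - {"absent"}) != len([c for c in components if c != "absent"]):
        findings.append("a component is listed twice")
    return findings


# Constructed sample: RAID 1 over two components, one of them with a
# trailing space after the device name (as in this thread).
SAMPLE_CONF = """\
START array
# numRow numCol numSpare
1 2 0

START disks
/dev/wd1d
/dev/wd3d 

START layout
# sectPerSU SUsPerParityUnit SUsPerReconUnit RAID_level
128 1 1 1

START queue
fifo 100
"""

if __name__ == "__main__":
    for finding in lint_raid_conf(SAMPLE_CONF) or ["clean"]:
        print(finding)
```

The `absent` placeholder is what the degraded-creation tutorials rely on; listing a device that does not exist instead, as was tried here, fails at configure time whether or not the line is otherwise well-formed.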



RaidFrame woes on 4.2 (RAIDFRAME: failed rf_ConfigureDisks with 2)

2007-10-13 Thread knitti
 present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: ST3320620AS
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: ST3320620AS
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: port 2: PHY offline
pciide0: port 3: PHY offline
pciide1 at pci1 dev 14 function 1 ServerWorks HT-1000 SATA rev 0x00
piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling
iic0 at piixpm0
iic0: addr 0x2f 00=80 05=a0 06=ff 07=a0 08=ff 09=64 0a=64 0b=5e 0c=73
0d=5c 0e=7b 0f=12 10=b2 11=2f 13=ff 14=22 15=6f 16=d0 17=7b 18=d0
19=d0 1a=c0 1c=22 1d=9d 1e=80 1f=80 20=1d 21=51 22=01 23=0f 25=0f
27=0f 29=0f 2b=0f 3b=ff 3c=ff 3d=ff 3e=ff 3f=ff 40=09 44=40 46=f7
47=ff 48=ff 49=7f 4a=3f 4b=02 4d=7c 50=1e 51=02 52=01 58=80 59=01
5c=03 5e=55 5f=03 60=ca 61=87 62=ca 63=87 64=ff 66=ff 67=ff 68=3f
6a=2b 6b=18 6c=7c 6d=65 6e=e3 6f=b9 70=8a 71=70 72=e5 73=bb 74=e5
75=bb 76=e3 77=b9 78=48 79=43 7a=48 7b=43 7c=48 7d=5f 7e=55 7f=50
80=64 81=5f 82=55 83=50 84=64 85=5f 86=55 87=50 88=46 89=41 8a=55
8b=50 8c=64 8d=5f 8e=55 8f=50 90=07 91=68 92=07 93=68 94=07 95=68
96=07 97=68 98=07 99=68 9a=07 9b=68 9c=07 9d=68 9e=ff 9f=ff a0=ff
a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff a8=f5 ae=ff af=ff b1=04
b2=30 b3=30 b4=30 b5=30 b6=30 b7=30 b8=30 b9=30 ba=30 bb=89 bc=89
bd=89 be=89 bf=89 c0=89 c1=89 c2=89 c3=01 c4=01 c5=7f c6=ff c9=ff
ca=ff cb=ff cc=ff cd=ff ce=ff cf=ff d1=46 d2=46 d3=46 d4=46 d6=f0
d7=ff d8=80 d9=01 da=80 db=01 dc=80 dd=01 de=80 df=01 e0=bb e1=c0
e2=82 e3=ff e4=80 e5=06 e6=fe e7=12 e8=12 e9=12 ea=c8 eb=60 ec=ff
ed=ff ee=ff ef=ff f6=60 f7=80 f8=1b fa=ff fd=10
piixpm0: exec: op 1, addr 0x4b, cmdlen 1, len 1, flags 0x08: timeout,
status 0x9BUSY,BUSERR
pciide2 at pci0 dev 2 function 1 ServerWorks HT-1000 IDE rev 0x00: DMA
atapiscsi0 at pciide2 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DV-28E-R, 1.8A SCSI0 5/cdrom removable
cd0(pciide2:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 0
pcib0 at pci0 dev 2 function 2 ServerWorks HT-1000 LPC rev 0x00
ohci0 at pci0 dev 3 function 0 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10), version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10), version 1.0, legacy support
ehci0 at pci0 dev 3 function 2 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: ServerWorks EHCI root hub, rev 2.00/1.00, addr 1
vga1 at pci0 dev 5 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
Kernelized RAIDframe activated
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b

--knitti



Re: Server just freeze with no reason

2007-10-12 Thread knitti
On 10/12/07, Edgars MakEa [EMAIL PROTECTED] wrote:
 Once per week it just freezes and thats all, nothing in logs. It freezes
 also when it's idling.
 Strange is taht, i can ping it still, but nothing more, noone service is
 responding.

How idle is idling? Have you any processes which can explode in
RAM usage or massive forks? I saw once a system run out of mem,
with no swap space exhibiting the same behaviour. I could imagine
(disclaimer: _didn't_ see that one) a system behave similar after
not being able to fork anymore.

--knitti



Re: all kernels except i386 MP high cpu in interrupt -- was: 4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-12 Thread knitti
aarrgh. sorry I meant to post this:

Hi,

I was asked off-list to gather some more data, which I now present to anyone
who's interested. Disclaimer: there is no acute problem to fix, but something
is odd.

Summary:
- the location of a tgz which includes an acpidump and some dmesgs is:
  http://stuff.ghweb.de/h8ssli2/stuff.tgz
- I tested the following kernels on a Supermicro H8SSL-i2 with an Athlon64 X2:
  amd64: GENERIC, GENERIC.MP, i386: GENERIC, GENERIC.MP
- all except the i386/MP kernel have about 70% cpu load on interrupts (the mp
  kernels on one core), regardless whether acpi is enabled or not on an
  otherwise idle standard installation (up to 2 ssh-sessions active), and up to
  90% interrupt load, if they've got something to do.
- the i386/MP kernel has about 0.0% interrupt load, also regardless whether
  acpi is enabled
- I did the following to put some load on I/O:
  a) ping -f from another machine to this (only 100 MBit-Network), with no
  packet loss in every case
  b) dd if=/dev/zero of=/tmp/stuff bs=1m count=2000
- the interrupt count monitored through systat vm 1 is roughly comparable
  on all kernels, with and without acpi, except for pciide, which comes
  short on UP kernels (both count and transfer rate)


Some data (interrupt count with systat vm 1):

 idle:              amd64/MP   amd64/UP   i386/MP   i386/UP
 clock              200        100        200       100
 ipi                100
 rtc                128        128
 bge0               5+/-3      5+/-3      5+/-3     5+/-3

 a) (ping -f) (clock, ipi and rtc same as above)
 bge0               3.4k       3.3k       3.3k      3.4k
                    +/-100     +/-50      +/-50     +/-50

 a) + b) (ping and dd) (clock, ipi and rtc same as above)
 bge0               3.4k       3.3k       3.3k      3.4k
                    +/-100     +/-50      +/-50     +/-50
                    peaks of   peaks of
                    up to +2k  up to +2k
 pciide             3.7k       850        3.4k      530
                    +/-150     +/-50      +/-500    +/-20

overall data transfer with dd:
 amd64/MP: 53-58 MB/s
 amd64/UP: 11-12 MB/s (about 19MB/s without ping -f)
 i386/MP:  52-56 MB/s
 i386/UP:   8- 9 MB/s

--knitti



Re: making a release with 4.1 Sept 24 snapshot

2007-10-12 Thread knitti
On 10/12/07, Toni Mueller [EMAIL PROTECTED] wrote:
 Hi,

 On Mon, 08.10.2007 at 16:17:35 -0400, Juan Miscaro [EMAIL PROTECTED] wrote:
  I am running the Sept 24 snapshot.  I've never tried to make a release
  with a snapshot before and so I wonder whether it's possible.  I
  updated my sources with cvsup (tag=OPENBSD_42) and keep getting a
  crash:
 
  install: addftinfo/addftinfo.cat1: No such file or directory
  *** Error code 71
 
  Stop in /usr/src/gnu/usr.bin/groff (line 88 or
  /usr/share/mk/bsd.man.mk).
  *** Error code 1
 
  and so on.

 good question. I also get a crash while trying to compile groff, but
 mine (i386 snapshot from September 25th) looks a bit different. It
 complains that there is no valid C (or C++) compiler. Wish I had my
 CDs, too...

I replied to Juan off-list, my bad. Read this:

http://www.openbsd.org/faq/faq5.html

snapshot is not release, but some point in time of -current. 4.2 and
current diverged in august. What you have to do is in the FAQ.

--knitti



all kernels except i386 MP high cpu in interrupt -- was: 4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-12 Thread knitti
On 10/11/07, knitti [EMAIL PROTECTED] wrote:
 Hi,

 after some sleep and coffee I am embarrassed to realize I made two mistakes:
 - I didn't provide a GENERIC(.MP) dmesg
 - I booted off the non-acpi-enabled kernel
 Sorry for that. Below you can see two GENERIC.MP dmesgs (i386/amd64)
 which clearly show that acpi is enabled and detected. However, one Problem
 remains: The interrupt load is very high on GENERIC/amd64 (with and without
 MP, with and without acpi) - about 70% of one cpu core on the idle machine.
 Different is GENERIC.MP/i386, which has low (normal) interrupt load.

 Shall I ditch amd64 and run i386 on the machine, or is there anything I can 
 try?

 OpenBSD 4.2 (GENERIC.MP) #252: Tue Aug 28 10:53:04 MDT 2007
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ (AuthenticAMD
 686-class, 1024KB L2 cache) 3 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16
 real mem  = 3220729856 (3071MB)
 avail mem = 3121356800 (2976MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 03/01/07, BIOS32 rev. 0 @
 0xf0010, SMBIOS rev. 2.4 @ 0xfbcf0 (50 entries)
 bios0: vendor American Megatrends Inc. version 080011  date 03/01/2007
 bios0: Supermicro H8SSL-I2
 pcibios0 at bios0: rev 2.1 @ 0xf/0x1
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf4d40/176 (9 entries)
 pcibios0: no compatible PCI ICU found: ICU vendor 0x1166 product 0x0205
 pcibios0: PCI bus #2 is the last bus
 bios0: ROM list: 0xc/0xb000 0xcb000/0x2000!
 acpi0 at mainbus0: rev 0
 acpi0: tables DSDT FACP APIC OEMB
 acpitimer at acpi0 not configured
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 199 MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ (AuthenticAMD
 686-class, 1024KB L2 cache) 3 GHz
 cpu1: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16
 ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 16 pins
 ioapic1 at mainbus0: apid 3 pa 0xfec01000, version 11, 16 pins
 ioapic2 at mainbus0: apid 4 pa 0xfec02000, version 11, 16 pins
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (P0P1)
 acpiprt2 at acpi0: bus 2 (P1P2)
 acpicpu at acpi0 not configured
 acpicpu at acpi0 not configured
 acpibtn at acpi0 not configured
 acpibtn at acpi0 not configured
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 ppb0 at pci0 dev 1 function 0 ServerWorks HT-1000 PCI rev 0x00
 pci1 at ppb0 bus 1
 ppb1 at pci1 dev 13 function 0 ServerWorks HT-1000 PCIX rev 0xb2
 pci2 at ppb1 bus 2
 bge0 at pci2 dev 3 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0
 (0x2100): apic 3 int 8 (irq 9), address 00:30:48:5e:6d:f6
 brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
 bge1 at pci2 dev 3 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0
 (0x2100): apic 3 int 9 (irq 5), address 00:30:48:5e:6d:f7
 brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
 pciide0 at pci1 dev 14 function 0 ServerWorks HT-1000 SATA rev 0x00: DMA
 pciide0: using apic 2 int 11 (irq 11) for native-PCI interrupt
 pciide0: port 0: device present, speed: 1.5Gb/s
 wd0 at pciide0 channel 0 drive 0: ST3320620AS
 wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
 pciide0: port 1: device present, speed: 1.5Gb/s
 wd1 at pciide0 channel 1 drive 0: ST3320620AS
 wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
 wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
 pciide0: port 2: PHY offline
 pciide0: port 3: PHY offline
 pciide1 at pci1 dev 14 function 1 ServerWorks HT-1000 SATA rev 0x00
 piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling
 iic0 at piixpm0
 iic0: addr 0x2f 00=80 05=a8 06=ff 07=a8 08=ff 09=64 0a=64 0b=5e 0c=73
 0d=5c 0e=7b 0f=12 10=b0 11=2e 13=ff 14=22 15=6f 16=d0 17=7b 18=d0
 19=d0 1a=bf 1b=0f 1c=1f 1d=9c 1e=80 1f=80 20=1d 21=51 22=03 23=0f
 25=0f 27=0f 29=0f 2b=0f 3b=ff 3c=ff 3d=ff 3e=ff 3f=ff 40=09 44=40
 46=f7 47=ff 48=ff 49=7f 4a=3f 4b=02 4d=7c 50=1e 51=02 52=01 58=80
 59=01 5c=03 5e=55 5f=03 60=ca 61=87 62=ca 63=87 64=ff 66=ff 67=ff
 68=3f 6a=2b 6b=18 6c=7c 6d=65 6e=e3 6f=b9 70=8a 71=70 72=e5 73=bb
 74=e5 75=bb 76=e3 77=b9 78=48 79=43 7a=48 7b=43 7c=48 7d=5f 7e=55
 7f=50 80=64 81=5f 82=55 83=50 84=64 85=5f 86=55 87=50 88=46 89=41
 8a=55 8b=50 8c=64 8d=5f 8e=55 8f=50 90=07 91=68 92=07 93=68 94=07
 95=68 96=07 97=68 98=07 99=68 9a=07 9b=68 9c=07 9d=68 9e=ff 9f=ff
 a0=ff a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff a8=f5 ae=ff af=ff
 b1=04 b2=30 b3=30 b4=30 b5=30 b6=30 b7=30 b8=30 b9=30 ba=30 bb=89
 bc=89 bd=89 be=89 bf=89 c0=89 c1=89 c2=89 c3=01 c4=01 c5=7f c6=ff
 c9=ff ca=ff cb=ff cc=ff cd=ff ce=ff cf=ff d1=46 d2=46 d3=46 d4=46
 d6=f0 d7=ff d8=80 d9=01 da=80 db=01 dc=80 dd=01 de=80 df=01 e0=bb
 e1=c0 e2=82 e3=ff e4=80 e5=06 e6=fe

Re: 4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-11 Thread knitti
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: ST3320620AS
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: port 2: PHY offline
pciide0: port 3: PHY offline
pciide1 at pci1 dev 14 function 1 ServerWorks HT-1000 SATA rev 0x00
piixpm0 at pci0 dev 2 function 0 ServerWorks HT-1000 rev 0x00: polling
iic0 at piixpm0
iic0: addr 0x2f 00=80 05=a8 06=ff 07=a0 08=ff 09=64 0a=64 0b=5e 0c=73
0d=5c 0e=7b 0f=12 10=b1 11=2f 13=ff 14=22 15=6f 16=d0 17=7a 18=d0
19=d0 1a=bf 1b=03 1c=21 1d=9b 1e=80 1f=80 20=1d 21=51 22=01 23=0f
25=0f 27=0f 29=0f 2b=0f 3b=ff 3c=ff 3d=ff 3e=ff 3f=ff 40=09 44=40
46=f7 47=ff 48=ff 49=7f 4a=3f 4b=02 4d=7c 50=1e 51=02 52=01 58=80
59=01 5c=03 5e=55 5f=03 60=ca 61=87 62=ca 63=87 64=ff 66=ff 67=ff
68=3f 6a=2b 6b=18 6c=7c 6d=65 6e=e3 6f=b9 70=8a 71=70 72=e5 73=bb
74=e5 75=bb 76=e3 77=b9 78=48 79=43 7a=48 7b=43 7c=48 7d=5f 7e=55
7f=50 80=64 81=5f 82=55 83=50 84=64 85=5f 86=55 87=50 88=46 89=41
8a=55 8b=50 8c=64 8d=5f 8e=55 8f=50 90=07 91=68 92=07 93=68 94=07
95=68 96=07 97=68 98=07 99=68 9a=07 9b=68 9c=07 9d=68 9e=ff 9f=ff
a0=ff a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff a8=f5 ae=ff af=ff
b1=04 b2=30 b3=30 b4=30 b5=30 b6=30 b7=30 b8=30 b9=30 ba=30 bb=89
bc=89 bd=89 be=89 bf=89 c0=89 c1=89 c2=89 c3=01 c4=01 c5=7f c6=ff
c9=ff ca=ff cb=ff cc=ff cd=ff ce=ff cf=ff d1=46 d2=46 d3=46 d4=46
d6=f0 d7=ff d8=80 d9=01 da=80 db=01 dc=80 dd=01 de=80 df=01 e0=bb
e1=c0 e2=82 e3=ff e4=80 e5=06 e6=fe e7=12 e8=12 e9=12 ea=c8 eb=60
ec=ff ed=ff ee=ff ef=ff f6=60 f7=80 f8=1b fa=ff fd=10
piixpm0: exec: op 1, addr 0x4b, cmdlen 1, len 1, flags 0x08: timeout,
status 0x9<BUSY,BUSERR>
pciide2 at pci0 dev 2 function 1 ServerWorks HT-1000 IDE rev 0x00: DMA
atapiscsi0 at pciide2 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DV-28E-R, 1.8A SCSI0 5/cdrom removable
cd0(pciide2:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 0
pcib0 at pci0 dev 2 function 2 ServerWorks HT-1000 LPC rev 0x00
ohci0 at pci0 dev 3 function 0 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10), version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10), version 1.0, legacy support
ehci0 at pci0 dev 3 function 2 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: ServerWorks EHCI root hub, rev 2.00/1.00, addr 1
vga1 at pci0 dev 5 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b


greetings,
knitti



4.2 on H8SSL-I2: acpi at mainbus0 not configured

2007-10-10 Thread knitti
-R, 1.8A SCSI0 5/cdrom removable
cd0(pciide2:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 0
pcib0 at pci0 dev 2 function 2 ServerWorks HT-1000 LPC rev 0x00
ohci0 at pci0 dev 3 function 0 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10), version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10), version 1.0, legacy support
ehci0 at pci0 dev 3 function 2 ServerWorks HT-1000 USB rev 0x01:
apic 2 int 10 (irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: ServerWorks EHCI root hub, rev 2.00/1.00, addr 1
vga1 at pci0 dev 5 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b


greetings,
knitti



Re: firewall is very slow, something's wrong

2007-10-08 Thread knitti
On 10/8/07, Florin Andrei [EMAIL PROTECTED] wrote:
 I still can't match the performance I get from Linux. Any suggestion is
 appreciated.

there were in the past postings on this list about problems with quad-port
em NICs. I am absolutely not in a position to tell whether they are relevant
for this situation.  If I remember correctly, there was a problem with TCP
checksum offloading, and a suggested fix in one instance was jumpering
the card down to 66 MHz. I can't tell if this is related in *any* way.

I think there are some people here who *could* tell if you'd post a dmesg.

greetings,
knitti



Re: ms exchange replacement

2007-10-02 Thread knitti
On 10/2/07, Karsten McMinn [EMAIL PROTECTED] wrote:
 On 10/2/07, Lord Sporkton [EMAIL PROTECTED] wrote:
  i am looking into an exchange replacement, im looking to have use of
  calender appointments, tasks and mail all through a central server,
  also i have multiple windows based mobile devices syncing with this
  server, i wasnt able to find anything that looked like a exchange
  replacement in ports or pkgs

 quite a few options these days- kolab, horde (ports), mozilla +friends 
 (ports),
 scalix, zimba, open-xchange, and opengroupware. sorts depends
 on how you define groupware. Not all of these in ports of course.

opengroupware is not fun. i have to maintain (keep running) an
ogo-installation (on linux), the inner workings are rather opaque, the
documentation is sparse and it leaks memory and performance left and
right. but if you have mail trouble, you can look at the underlying smtp
and imap servers and actually fix things, much more transparent than
exchange (of which i also have some instances to look after)


greetings,
knitti



Re: Tool for HD analyzing

2007-09-28 Thread knitti
Hi,

On 9/28/07, Leonardo Marques [EMAIL PROTECTED] wrote:
 Hey guys,

 I've a HD which are returning a lot of errors. Someone know some good
 tool to analyze this disk and tell me if i've to replace it or if
 exist some way to repair it?

I don't know which tools exist for OpenBSD, but if you're on x86/AMD64
and are OK with a DOS bootdisk, search for MHDD. This is a really nice
tool.

Or just burn yourself an ultimate boot cd (ultimatebootcd.com), which also
includes MHDD and a ton of other diagnosis and repair tools.

greetings,
knitti



9GB Wide SCSI HDDs useful?

2007-09-26 Thread knitti
Hi,

we have here six 9GB Wide SCSI HDDs (68 pin), which are of no
use to us anymore. Each has been surface-scanned, so (at the moment)
they are working well.

Details:

4 IBM DDRS-39130 manufactured in October 1998
2 Quantum Atlas IV (should also be from the last century)

*If* someone from the OpenBSD developer community can use them,
I would ship them anywhere in the EU, preferably in Germany.


greetings,
knitti



Re: java on openbsd

2006-11-14 Thread knitti

On 11/14/06, Marc Ravensbergen [EMAIL PROTECTED] wrote:

I am having a hard time getting java to work on openbsd. Java is a
deal-breaker for me as I use it all day every day for work. What I've
done is taken a tar of the linux version, and untarred it in openbsd. I
have turned on linux emulation by modifying the variable in
/etc/sysctl.conf, and I've mounted the /proc filesystem. I have also
pkg_added redhat-base8.xxx.

However, whenever I run java, I get a Can't detect initial thread stack
location - find_vma failed error. This is for sun's jdk 1.5.06 as well
as one of the newer 1.6 versions. IBM's jdk1.4 says it cannot read or
write (not sure exactly anymore) to /proc/. I've tried running all
three versions as root to check for permission errors, but it makes no
difference. I've googled for hours trying to find a solution, but can't
seem to fix it.

I really don't want to download the source for java and compile... I am
on dialup so every byte counts. A little while ago I tried java on
netbsd and got it working through linux emulation as well. I had
problems with netbsd so it didn't stick around, but I believe that java
on bsd through emulation should be possible; probably just an oversight
somewhere on my part.


I didn't try any linux 1.5/1.6 jdk, but perhaps you missed something
for your linux emulation? read man compat_linux, perhaps it helps.

the other options you have are having someone mail you the source on
cd, or using kaffe (don't know how useful it is for your purposes).

--knitti



Re: OpenBSD AJAX

2006-10-25 Thread knitti

On 10/25/06, ropers [EMAIL PROTECTED] wrote:

Ryan, Joachim (, others):

You mentioned that you dislike PHP.
I would be curious to learn your reasons for this.
I'm not trying to instigate religious wars or the like, it's just that
my programming skills are mostly nonexistent (cough) GW BASIC and shell
scripts (cough) and I'm thinking of properly learning PHP, kind of as
an evolutionary step, up from XHTML.

Should a coding n00b like myself avoid PHP like the plague, or do your
reasons only come into play once a certain level of programming
proficiency is attained?


run like hell, this stuff is cursed. not that you wouldn't be able to write
(more or less) correct code, but once you have to work in a team, there's
a 90% chance it is dominated by braindead code monkeys who work
with php since The Early Days(tm) which means a) all-global vars b) not the
faintest idea of object orientation c) nor sense for code maintenance and d)
really good stuff spaghetti style

--knitti



Re: OpenBSD AJAX

2006-10-25 Thread knitti

On 10/25/06, knitti [EMAIL PROTECTED] wrote:
[OT comment]

sorry for this, it was off topic and slightly offensive

--knitti



Re: pppoe slow on openbsd

2006-10-20 Thread knitti

first, I do understand your frustration. however, none of the
developers has the obligation to change the situation, and _maybe_
there is simply not enough manpower/access to some strange
combination of hardware and a specific dsl service. if you
followed the list in these years you surely will understand this.


On 10/20/06, Chris [EMAIL PROTECTED] wrote:

The pppoe dial error (userland) "can't assign requested address" after
4 major OpenBsd releases didn't go away. No one cared to address the situation
and of course the same old answer "different isps use different pppoe
implementations" was the easy answer to leave the question unanswered.

this answer is true nevertheless



90% of home office internet connections have to do with pppoe crappy dsl
implementations, at least here in Europe.

I'm in europe too, and connected openbsd routers to a broad variety
of dsl services since OpenBSD 3.1.



So from the openbsd 3.4 release I have installed Openbsd as a router
(suggested by me) to different small offices successfully, despite the
Openbsd pppoe risk that these boxes will never see the Internet world.

which could have several reasons, _one_ of them openbsd's pppoe not
supporting this special implementation. there are cheap devices out there
capable of that, which could be plugged in front of the router. it costs
slightly more than without, but saves a lot of frustration compared to
not being able to connect the router to the internet.



So 3.5 - 3.6 - 3.7 - 3.8 and now I am afraid to tell my clients to update.
No matter what useful things the new releases have, if I can not
connect them to the Internet the only option is to call microsoft to
apply for the licensing program...

if you think thats your solution, off you go!



I am so disappointed with this, as every now and then in these years
I read posts in the list, from the newbie trying to install an openbsd
box for the first time, to users that are very familiar with openbsd
like myself, crying out that the pppoe implementation in openbsd is
broken.

why would you come to this conclusion? because you are one of the
few who have either a really crappy dsl service or are incapable of
reading the man pages?



An answer to all these people:
IS THE OPENBSD PPP IMPLEMENTATION BROKEN?

YES IT IS NO MATTER WHAT YOU READ IN THE LIST.
YES IT IS AND NO ONE CARES.
YES YOU HAVE DONE NOTHING WRONG IN YOUR CONFIGURATION,
THE ERRORS ARE NOT THERE FOR DEBUGGING JUST FOR SEEING THEM.


this is downright wrong. and rude.



On openbsd 3.9 I can connect through pppoe(userland) to my ISP,
everything works fine,
but I can not download more than 250KB/s despite that my line is
capable of 2000KB/s.
In a 3.5 box, same configuration, same ISP, I am capable of 2000KB/s. Must
I downgrade?


so actually it works? have you worked out the differences?



I myself want to ask what's the meaning of an os secure and capable of tasks if
I can not connect to an ISP using the way that 90% of Internet users use
in this world.


does it connect or doesn't it?



I needed to write this after 5 years of seeing the community ignore
the needs of its users. We have donated, supported it and continue to do
so. We have no right to demand things but I think we have the right to
alert the community as definitely with this matter something IS
DEFINITELY wrong.


this is the best bug report of all times.




I think that 50% of Openbsd users use pppoe connections and I think
that 10%
of us use for example IPSEC. Despite that, IPSEC works far better than
establishing a dsl connection and downloading at proper rates.


for me, both pppoe and ipsec do work. as well as the other things i use:
pf, apache, sendmail, ccd and a bunch of ports



Will there be a way to establish a dsl broadband connection from an openbsd gateway
to an ISP without errors and problems ever in the future like the 99%
of all other OSes
(even those that are not dedicated to networking as OpenBsd is) CAN? OR NOT?


your question is pointless, as openbsd does this already


--knitti



Re: Version 4.0 release

2006-10-09 Thread knitti

On 10/9/06, David B. [EMAIL PROTECTED] wrote:

This is a $125,000 machine 5 years ago, and I treat it no better than some
crappy i686 box because security is my primary issue.  If I went with another
OS, I could get a lot of the functionality I want, but what good is it, if
some 12 y/o kid in pakistan can hack my box.

I just can't see why SMP and hardware raid aren't supported on sparc64/II.


if you regret it that much running openbsd on this machine, you should
learn how to use one of the other os'. keeping them secure would of course
require you to do a bit more, but _come on_ i just can't see why you can
whine that much about a status quo, yet not make any effort to use the
better part of your hardware. otoh if your company can spend that much
on hardware idling for years without it being a problem, why don't you just
fund one or two of the developers to do the task?


--knitti



Re: Version 4.0 release

2006-10-09 Thread knitti

On 10/10/06, RedShift [EMAIL PROTECTED] wrote:

If a 5 year old RAID controller is not supported, what can
be expected in the future? Yes I'm sure there isn't enough documentation
available, license disagreements, etc... but come on, it's 5 years old!


it is that easy: if you can't use the os, don't use it. at least as long as you
aren't able to change the situation by either coding it, or donating hardware
or $$$ to raise the developers' interest in the particular device or issue



  You would think _somebody_ would at least make an attempt at it.


famous last words.


Even the most basic servers nowadays are equipped with a dual
core processor.


well, the most basic (new) servers are i386/amd64, which has quite
usable smp support



Yes I'm pretty sure that OpenBSD features a lot of proper, decent and
intuitive code, but performance in some areas lacks tremendously.


i'm sure the developers will gladly accept your proper bug reports



I'm not saying OpenBSD is a bad operating system. Far from it. However I
would only use it for routers, firewalls, bridges, etc... Anything that
has to do with networking because after all, OpenBSD's networking is
great. Outside these areas OpenBSD is just too slow and doesn't support
enough hardware.


sez who? a troll


--knitti



Re: Hacking a mail server

2006-09-27 Thread knitti

On 9/27/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:

;)
Sorry, ok, the problem is this: someone told my boss that the email
messages have been read by someone else. This information came from our
isp; we have an e1 connection, it's like a t1 connection. So with that
information they said that the hacker redirects the messages before
they get to the mail server and after being read the message hits the
mail server, so the question of whether someone can do that is because of this
information.


redirecting before it hits the mail server would probably be either at the
sender's network or at your isp, which *should* be able to defend its
network. of course, if the isp is *required* to be compromised (law
enforcement), you would probably want end-to-end encryption.

sendmail as well as many pop/imap servers do support ssl/tls.
of course, you must trust that your server is not compromised.



now what i think is that it is probable that the hacker is inside my
local network, but if this was the case how is it that my isp knows that i
have a hacker inside my network getting a copy of the mails, sending the
mails to their destination ?


there are a couple of techniques for (maliciously) rerouting
traffic, which aren't exactly on topic (start with googling dns poisoning,
and arp poisoning, go from there).



i'll give more information; for the time being i have just installed
stunnel and activated it for pop3 and smtp. i'm thinking of auditing
my mail server and auditing my network, do you know of tools that
help to check the information above?


look whether your server behaves strangely, e.g. look at the logs,
load patterns etc. and look at it from the outside, boot a cdrom or
a ramdisk-kernel and check whether the binaries are those which you
expect. sniff your server's traffic.

finding whether a box was compromised is not trivial, especially if you
don't find any evidence. if you can afford to do it, better reinstall from
scratch and look where you can tighten up the security.


--knitti
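One way to do the "check whether the binaries are those which you expect" step from a clean boot, as an added example that is not code from this thread: build a manifest of SHA-256 digests over a tree of binaries while booted from known-clean media, keep it off the box, and later compare the live tree against it. The manifest format, the function names and the constructed demo tree are assumptions.

```python
"""Offline integrity check: build a manifest of SHA-256 digests for a tree of
binaries while booted from known-clean media, keep it off the box, and later
compare the live tree against it. Added example; not code from the thread."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its digest.
    Symlinks are skipped: their targets are hashed under their own paths."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """Assumed format, one entry per line: '<hex digest>  <relative path>'."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify(root, manifest):
    """Compare the live tree with the trusted manifest. A modified or added
    entry under a system binary directory is what to look at first; a
    missing one may be a removed tool or a manifest taken on another host."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario in a temporary directory: a small 'bin' tree is
    manifested while clean, then one binary is replaced, one file is added
    and one is removed. Returns the verify() report."""
    with tempfile.TemporaryDirectory() as tmp:
        binroot = os.path.join(tmp, "bin")
        os.mkdir(binroot)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(binroot, name), "wb") as f:
                f.write(b"clean " + name.encode())
        manifest_path = os.path.join(tmp, "bin.manifest")  # would live off-box
        write_manifest(build_manifest(binroot), manifest_path)
        # Simulated tampering: ps replaced, an extra file dropped in, netstat gone.
        with open(os.path.join(binroot, "ps"), "wb") as f:
            f.write(b"not the ps you expect")
        with open(os.path.join(binroot, "extra"), "wb") as f:
            f.write(b"unexpected")
        os.remove(os.path.join(binroot, "netstat"))
        return verify(binroot, read_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

On a real system the manifest must be generated and stored from the clean boot, not from the suspect host, otherwise a replaced binary simply gets a matching entry.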



Re: Hacking a mail server

2006-09-26 Thread knitti

On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:

can someone external to the network get a copy of all the mail that are
getting to a mail server???
??


short answer: no
long answer: yes

please clarify your question. also, why should this be related to openbsd?

--knitti



Re: Hacking a mail server

2006-09-26 Thread knitti

[I reordered the text, so your answer is below my question, I think this
is more readable]

On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:

knitti wrote:
 On 9/26/06, Carlos A. Garcia G. [EMAIL PROTECTED] wrote:
 can someone external to the network get a copy of all the mail that are
 getting to a mail server???
 ??

 short answer: no
 long answer: yes

 please clarify your question. also, why should this be related to openbsd?

because i use an obsd server and i need help


If you need help, *please* take some minutes and describe your problem.
AFAIK there's no one on this list who has truly telepathic abilities, so
you have to *tell* what's wrong. Based upon everything you said so far
I can only suggest you grab a local copy of the yellow pages (or equivalent)
and hire a unix consultant. but that's probably not what you wanted by asking
here.

--knitti



Re: spamd and TLS on port 25

2006-08-11 Thread knitti

On 8/10/06, Will H. Backman [EMAIL PROTECTED] wrote:

Darrin Chandler wrote:
 However, if the connecting party *requires* TLS then it would have a
 problem with spamd. Is that the trouble you're having?


Yes.  I'm protecting a Microsoft Exchange server with spamd on an
openbsd bridge.  Because Microsoft Outlook uses Microsoft's way of
having MUAs talk to MTAs, there is no problem there.
I also enabled IMAPS (port 993) and SMTP-TLS (port 25) on the Exchange
Server so that normal mail clients like Thunderbird can play along.
Because I require TLS and SMTP-AUTH for relaying purposes, I'm in a
bind.
My real problem is getting Exchange to do SMTP-TLS on a different
port, so this is really a non-openbsd issue.  I guess I was just asking
to make sure, and also to see if people had dealt with situation like
this.  I can imagine that openbsd and spamd are used to protect all
kinds of pesky MTAs.


if you just want to have MUAs talk to your exchange, and don't want to use
STARTTLS, rdr the Exchange server to port 587 or 465 with pf. If you *want*
to have a server on port 25, the correct way would be to use STARTTLS,
which is supported by exchange, and should work with spamd and all sane
MUAs or MTAs.


--knitti



Re: Tuning OpenBSD network throughput

2006-08-08 Thread knitti

On 8/8/06, Matthew R. Dempsky [EMAIL PROTECTED] wrote:

First, I connected the two Linux boxes with an Ethernet cable and ran
``iperf -s'' on the 2.0GHz machine and ``iperf -c 192.168.10.1'' on the
266MHz machine, and iperf reported a bandwidth of about 224 Mbits/sec.

Then, I substituted out the 266MHz machine and replaced it with the
600MHz machine (i.e., faster processor, more ram, and better software),
but running ``iperf -c 192.168.10.1'' under OpenBSD reported a mere
3.8 Mbits/sec---nearly two orders of magnitude less!

Can anyone explain the huge discrepancy here?  Can I do anything to get
OpenBSD to achieve at least 150 Mbits/sec?


first look for duplex mismatch, bad cabling etc.
then look for high interrupt load, change hardware etc.
then read about iperf, and think whether it applies to your problem.
then think about your goal. do you want 150 mbit with tiny 40 bytes packets
or with jumbo frames (huge difference)
and, in any case, search the archives about tuning openbsd.

--knitti



Re: OpenBSD and high availability

2006-08-07 Thread knitti

On 8/7/06, Jens Mayer [EMAIL PROTECTED] wrote:

While the networking part can be handled by carp, I'm collecting ideas on how
to keep the local file systems in synch - especially for ftp users and the
mailinglist archives. The synchronization will be done via a dedicated cross
connect cable directly between the boxes.


while I would do it with rsync (I know, depends on what you want to do),
I don't see any reason why ccd'ing two large nfs-exposed files shouldn't
work. But I think this would be more ugly and complicated than rsyncing
every x minutes...

--knitti



Re: sendmail

2006-07-27 Thread knitti

On 7/27/06, David B. [EMAIL PROTECTED] wrote:

sorry to bother, can anyone suggest a definitive book I should buy on how to
set up Sendmail on Openbsd 3.8?

I have looked all over the net for a HOWTO or an article that steps me
through how to set up a user account and password, and then how to retrieve
it (look at it on the server), but all the articles go on and on on how to
download it, compile it and install it; none of them tell me how to use it.
The articles talk about just every possible subject except how to simply
create a user/password account, and then tell you where the email is
supposed to be on the server, and then how to look at it.


read and understand in this order:
man afterboot
/usr/share/sendmail/README
documentation on sendmail.org

this _will_ serve you far better than any step-through-howto

--knitti



Re: sokeris output

2006-07-24 Thread knitti

On 7/24/06, Gustavo Rios [EMAIL PROTECTED] wrote:

Could some, send me a dmesg from a soekris net4801 machine running openbsd?

Thanks in advance?

PS: If you have a kernel configuration file for exact that hardware, i
would enjoy too.


Is there anything wrong with a vanilla GENERIC kernel? I have a couple
of net4501 running with some slightly older OpenBSDs (3.4, 3.5, 3.7)
which Just Work (TM). Is the net4801 that different?

--knitti



Re: problem with sendmail on obsd. .com.au turned into com.au.com.au

2006-07-24 Thread knitti

On 7/24/06, Craig Hammond [EMAIL PROTECTED] wrote:

What ever I've done wrong, I've done wrong in a consistent way as about
5 of my other obsd boxes (both 3.8-stable and 3.9-stable) in other locations
all did a similar thing at the same time.


I'd rather suspect some DNS screw up, check whether the intended
name resolves on this box (check twice ;-), check the bind instance
which should be queried by sendmail and check the name servers
configured in resolv.conf. sometimes these are not the same)



I couldn't figure out what I did wrong, so just to get things working
again, I tried adding an entry to /etc/hosts pointing
int-firewall.sbisolutions.com.au.com.au to 127.0.0.1

This didn't work as I guess sendmail doesn't use /etc/hosts.


I _think_ this depends on your resolv.conf


--knitti



Re: How to make fsck run faster?

2006-07-16 Thread knitti

On 7/16/06, Antti Harri [EMAIL PROTECTED] wrote:

Kernel is 3.8 GENERIC and there is one large ffs partition
on the SATA disc, roughly the size of 180G. Most of the files

make smaller slices and mount only the ones r/w which you
absolutely need. the bigger a fs is, the longer it takes, and the
more memory is consumed by the fsck

--knitti



Re: Kernel pppoe (and the german ISP Hansenet)

2006-07-06 Thread knitti

On 7/6/06, knitti [EMAIL PROTECTED] wrote:

I'd suspect some different issues than just blaming the implementation
of the daemon

sorry, this is of course not about the daemon, but the rest still applies


--knitti




Re: Kernel pppoe (and the german ISP Hansenet)

2006-07-06 Thread knitti

On 7/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

For now I can and will point out the following:
The userland pppd simply just sucks.
Sorry but it becomes really kind of unusable if you've a... faster line.

I had a 2MBit ADSL-Connection (192kbit/s upload) and had no problem.
Now I've a 18Mbit line (max, mostly 6-9) and 100kb/s (not kbit) up.

What did I notice?
I used the binary-stuff for the only Windows-Machine I've and got: ~8mbit
and ~102kb up. With OpenBSD and userland pppoe I just get ~4-5Mbit and max
~12kb upload.
I think it's a huge difference between ~100kb and 12kb and I didn't know
that the userland pppoe sucks so badly.


well, perhaps you check the rest of your configuration. unless you are trying
to do 18Mbit via userland ppp on a real low tech box (e.g. soekris 4501), I'd
suspect some different issues than just blaming the implementation of the
daemon. check for auto-negotiation mismatches between your NICs /
switches, MTU-Problems etc. Is there *any* indication on the box that it
can't handle the bandwidth? as I understand it, userland ppp _is_ less
efficient than kernel ppp, but it will only matter _practically_ if your CPU is
maxed out.

also sometimes ISPs sell you some gigantic *theoretical maximum* adsl,
which doesn't work because of poor line quality etc. also, I think an
up/down ratio of about 1:22 does sound like you'll only max out your
downstream on some special applications, e.g. udp-streams (video)


--knitti



Re: hints for scanning msdosfs patters?

2006-07-06 Thread knitti

On 7/6/06, vladas [EMAIL PROTECTED] wrote:

I have fd up the first 10Mb of the 3Gb fat disk
(not partition, the whole 3Gb disk) full of windoze
shit. Then, due to time limits, made some of sort
of backup of the mess with dd and put Puffy into
that disk (dedicated install). The problem is that
management needs some of that stuff back ...


if there was only one partition with FAT, you're out
of luck with any standard tool because the
fat is within the first 10 mb.

there are tools out there (google something like 'file
recovery FAT'), but I don't know whether such exist for
OpenBSD. In any case, the more fragmented the
FAT was, the less is the chance of reviving something
meaningful.

--knitti



Re: Kernel pppoe (and the german ISP Hansenet)

2006-07-06 Thread knitti

On 7/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

My hardware is a Duron 900Mhz with 3x128MB SD100 and a 6GB HDD.
The NICs are 2x xl (3Com) and one time Ath0 (wlan).

which should be more than enough


It seems to be really a problem with the userland pppd which limits the
upload/download so dramatically.

why?


The Duron 1800Mhz (which is my only Windows Box) also has a 3Com NIC.
The only difference is: The little Workstation uses Windows and the
pppoe-Drivers from hansenet+DialIn Application.

so what's the difference? there are a lot of things you can screw up, and
the isp won't hand-hold you with any of the connection's parameters.
spend some hours (yes, this is a long manpage, but it is, as usual, really
helpful) with ppp(8) _after_ you checked for MTU problems, autoneg
mismatches etc. did you do that?


And nope it's not related to UDP.. I meant I've ~100kb upload (even via sftp).

I just meant that your upstream will already be pretty clogged from all those
tiny little ack packets of the various tcp streams. a problem (and
feature) which doesn't exist with udp.


With the Router I just got...~12? So the difference is really not related
to the Hardware (no, the CPU is not used completely (100%)).

that's what i said. I don't believe there's an arbitrary limitation of userppp,
if your system is almost idle.


A Soekris-Box could maybe help but to be truthful: i won't spend ~150EUR for
a home-Router. So if somebody has a low-budget-solution I would be happy.
:-))

don't take a soekris net4501 for anything above 3-4 Mbit (maybe it'll also
do 6 Mbit)


p.s.
Userland pppds in NetBSD and Linux should perform a lot better (I found
some benchmarks via google but there were just outdated OSs (OpenBSD
3.2 was tested there)).

well, unless you serve a ppp access point, there's no point in looking into
the performance of ppp_d_

--knitti



Re: Crashes and HDD params

2006-06-23 Thread knitti

On 6/23/06, Tobias Ulmer [EMAIL PROTECTED] wrote:


Looks like this is an older box (no dmesg, so it's just a guess). I have
a board ('96) that doesn't do any dma, but accepts to be set to pio 4,
dma 2. This results in several crashes per day, corrupt data on ro
filesystems and so on. Changing wd to 0xffc (pio 4) does fix it.


this doesn't necessarily mean the controller or disk is buggy, it could
just be a bad cable, which works if not used at top speed (or, more correctly,
frequency). I have seen this multiple times with almost any OS (that supports
udma)

--knitti



Re: mounting two times

2006-06-19 Thread knitti

On 6/19/06, Lars Hansson [EMAIL PROTECTED] wrote:

On Monday 19 June 2006 18:12, Martynas Venckus wrote:
 I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot),
 but web applications could access mysql server only by network, which is
 not the most secure and fast way.

What's not secure about binding to localhost only?


protocol attacks on the application which talks to mysql?
if you use some php stuff (any php stuff ;) and talk to mysql, you can
manipulate the db by sql injection. if _then_ mysql has e.g. a hole
which allows it to be manipulated or broken out into a shell, a chroot
would help a lot ;)

--knitti



Re: mounting two times

2006-06-19 Thread knitti

On 6/19/06, Lars Hansson [EMAIL PROTECTED] wrote:

On Monday 19 June 2006 19:09, knitti wrote:
 protocol attacks on the application which talks to mysql?

Uhm, and using a domain socket is different how?


ouch, snafu. sorry, I misunderstood. I don't think there's
any practical security difference between running chrooted
with a domain socket vs. a local tcp socket

--knitti



Re: Hifn policy on documentation

2006-06-15 Thread knitti

On 6/15/06, Wolfgang S. Rupprecht
[EMAIL PROTECTED] wrote:

 Ditto for the card intentionally leaking the keying data
into the cipher stream?

oh come on, this discussion is already as off topic as it can be, no need
to add FUD to it. any algorithm the cards claim to implement _is_ fully
documented, so you can test any output except that of the RNG against a
'known good' implementation

--knitti



Re: wikipedia article

2006-06-11 Thread knitti

On 6/11/06, Hamorszky Balazs [EMAIL PROTECTED] wrote:

I'm looking for some help on an article on wikipedia.
http://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems


I think this is an exercise in futility, for staying up-to-date, for
trying to be unbiased and non-arbitrary.
what qualifies a driver to be called official? I'd say, it should
_at least_ be supportable by the system developers. also there are other
companies who produce binary blobs, which aren't listed. and there is a
multitude of drivers for most of the OSes which aren't listed.
what entitles an architecture to deserve a row in the table? e.g. cell
clearly qualifies as other in my book, being only supported by linux, but
vax should deserve a row, both because more than one OS supports it
and there exist quite some installations around, more than a few dev-kits.
the same with file systems (e.g. zfs, reiser4)

(...rest of rant deleted, it's already off topic...)

oh, and don't tell me i shall participate.


--knitti



Re: ntp on soekris

2006-06-08 Thread knitti

On 6/8/06, Peter [EMAIL PROTECTED] wrote:


--- knitti [EMAIL PROTECTED] wrote:
 the soekris are not very good at time keeping, in my experience.
 whether this is a problem is something you have to decide, do
 you need more precision? if yes, change the hardware, else
 don't worry

What is your experience and what did you observe?  I have two 4801
units and they have no problem keeping time.


I have a couple of 4501, and they _do_ keep the time, with the help
of ntpd, random sample:
Dec 21 03:33:45 fg-router ntpd[14941]: adjusting local clock by 0.893647s
Dec 21 03:37:45 fg-router ntpd[14941]: adjusting local clock by 0.859043s
Dec 21 03:41:43 fg-router ntpd[14941]: adjusting local clock by 0.788777s
Dec 21 03:44:49 fg-router ntpd[14941]: adjusting local clock by 0.740139s
Dec 21 03:48:49 fg-router ntpd[14941]: adjusting local clock by 0.645784s
Dec 21 03:52:22 fg-router ntpd[14941]: adjusting local clock by 0.761796s
Dec 21 03:56:20 fg-router ntpd[14941]: adjusting local clock by 0.822203s
Dec 21 03:59:59 fg-router ntpd[14941]: adjusting local clock by 0.890898s
Dec 21 04:04:03 fg-router ntpd[14941]: adjusting local clock by 0.796980s
Dec 21 04:07:44 fg-router ntpd[14941]: adjusting local clock by 0.740668s
Dec 21 04:11:45 fg-router ntpd[14941]: adjusting local clock by 0.726457s
Dec 21 04:15:45 fg-router ntpd[14941]: adjusting local clock by 0.817878s
Dec 21 04:19:45 fg-router ntpd[14941]: adjusting local clock by 0.917739s
which is similar on all of the soekris boxes

another sample from another box, not a soekris:
Jun  5 22:21:38 cvs ntpd[2002]: adjusting local clock by -0.194812s
Jun  5 23:25:42 cvs ntpd[2002]: adjusting local clock by -0.170715s
Jun  6 00:38:50 cvs ntpd[2002]: adjusting local clock by -0.131455s
Jun  6 00:50:41 cvs ntpd[2002]: adjusting local clock by -0.156146s
Jun  6 00:55:39 cvs ntpd[10045]: peer 82.133.58.132 now invalid
Jun  6 01:09:08 cvs ntpd[10045]: peer 82.133.58.132 now valid
Jun  6 01:54:22 cvs ntpd[2002]: adjusting local clock by -0.142031s
Jun  6 02:06:02 cvs ntpd[2002]: adjusting local clock by -0.153419s
Jun  6 02:14:49 cvs ntpd[2002]: adjusting local clock by -0.181421s
Jun  6 03:10:24 cvs ntpd[2002]: adjusting local clock by -0.176803s
Jun  6 04:17:09 cvs ntpd[2002]: adjusting local clock by -0.142914s
Jun  6 04:25:24 cvs ntpd[2002]: adjusting local clock by -0.131678s

which leads me to the assumption that the soekris boxes
drift a bit more in time. that's all.


--knitti



Re: ssh attacks

2006-06-07 Thread knitti

On 6/7/06, Peter Fraser [EMAIL PROTECTED] wrote:

My actual problem is less with ssh then the
Microsoft vpn. I trust the people who have
ssh connections to have good passwords,
It the people with vpn connections that
I don't trust. And I of course would do
the same trick with the vpn port.


for users of Microsoft vpn or similar, we have them
authenticate first against authpf, so the port is not available
to anon users. and using authpf can be as simple as one
click on a link using putty (or similar) with the right ssh key.


--knitti
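
As an added example (not part of knitti's post), here are the three pf/authpf pieces such a setup consists of: the main ruleset that leaves only ssh reachable, the anchor that authpf fills per session, and the per-user rules that open the VPN port for the authenticated client's address. `$ext_if`, `$vpn_port` and the user name `vpnuser` are assumptions; the post does not name the VPN protocol, so the port is left as a macro. The syntax is that of pf in OpenBSD releases of this period (the post names none).

```conf
# /etc/pf.conf (fragment, added example; $ext_if and $vpn_port are assumed)
ext_if   = "fxp0"

# Unauthenticated hosts may reach nothing but sshd, which is what starts
# authpf as the user's login shell.
block in log on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state

# authpf loads the user's rules into this anchor when the ssh session
# starts and removes them again when the session ends (or the client drops).
anchor "authpf/*"

# /etc/authpf/authpf.rules (added example)
# authpf substitutes $user_ip and $user_id for the authenticated session.
# Macros from pf.conf are not visible here, so ext_if is defined again.
ext_if   = "fxp0"
vpn_port = "1723"    # assumption: set to the port the VPN concentrator listens on
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port $vpn_port keep state

# /etc/authpf/authpf.allow (added example): only these accounts may use authpf
vpnuser
```

The VPN users get `/usr/sbin/authpf` as their login shell and a public key in `~/.ssh/authorized_keys`, so the "one click" knitti mentions is an ssh session that stays open for as long as the VPN is in use. To verify, connect as `vpnuser` and run `pfctl -a 'authpf/*' -sr` on the gateway: the pass rule should appear with the client's address filled in, and disappear once the ssh session is closed.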



Re: openbsd on virtual machine

2006-06-05 Thread knitti

On 6/5/06, knitti [EMAIL PROTECTED] wrote:

- 2nd partition ffs


sorry, that's slightly wrong, this partition held openbsd, which had
a single disk slice with a ffs. But I didn't see any limitation that there
could be more than one.

knitti



Re: openbsd on virtual machine

2006-06-05 Thread knitti

hi,

I moved your reply under my statement for readability


I wrote:

 booting openbsd on a real partition both from bios and from vmware worked
 without flaw in my tests. why shouldn't it? it's a dual-boot situation,
but you
 just have to make sure, the bootloader hits the right pbr. no magic.



On 6/5/06, akonsu [EMAIL PROTECTED] wrote:

thanks. how did you achieve this? i downloaded an evaluation copy of vmware
workstation, created a machine with a raw disk pointing to my openbsd
partition but it won't boot. it says that there were no bootable drives
found.


Ok, I didn't test with vmware player, but with vmware 4. Setup was like:
- dual-boot situation with win2k, 1 hard disk
- 1st and 3rd partition NTFS
- 2nd partition ffs
- the mbr had the nt boot loader, copy the pbr of the openbsd partition to a
file on the windows system partition, point an entry in boot.ini to it (google
will help you)
- while making your openbsd disk slices, you have to make sure to stay
away from the areas of the other partition
- when both systems boot fine, just use the openbsd partition as raw disk
(disable any options and helpers)

I understand that vmware player is not as configurable through the gui,
but the configuration is a text file, so it should be possible to achieve this
(as in vmware created volumes are compatible with vmware player)

hth, knitti



Re: openbsd on virtual machine

2006-06-04 Thread knitti

On 6/4/06, akonsu [EMAIL PROTECTED] wrote:

also, i think there is a way to run this machine from a raw disk instead
of a virtual disk. there is a discussion about using raw disks on the
vmware.com site. but as they say booting a VM from a raw disk and also being
able to boot your physical machine from this same disk might be technically
difficult because this is like moving your disk to another machine and
trying to boot it on both machines.


booting openbsd on a real partition both from bios and from vmware worked
without flaw in my tests. why shouldn't it? it's a dual-boot situation, but you
just have to make sure, the bootloader hits the right pbr. no magic.

--knitti



Re: [OpenCVS] what does soon mean?

2006-04-09 Thread knitti
On 4/9/06, Stefan [EMAIL PROTECTED] wrote:
 It would be nice to know about when it's to be released so I can
 decide if I should use the old GNU CVS or if I should wait for a
 public stable release.

Everything one could read in the past about the project suggests
you can start out with GNU CVS and easily switch later to OpenCVS.

--knitti



Re: pf.conf to log specific but block all

2006-02-25 Thread knitti
On 2/25/06, Harry Putnam [EMAIL PROTECTED] wrote:
 Melameth, Daniel D. [EMAIL PROTECTED] writes:

  On a consumer-class Internet connection, I don't expect too much.
  However, the following should only log ssh:

 That is what got me going on this... By negligence I'd left ssh open
 after coming home from a trip where I had it open for connecting to
 home machine.  Normally I turn it back off when I'm home.

 I saw over a 5 day period some 13,000 hits on ssh port.  Apparently
 some half configured dictionary attacks.  I say half configured
 because the attempted user names don't seem to be in any recognizable
 order.  My passwords are good so I didn't get too worried but it did
 cause me to wonder what is going on that my ssh port got so
 interesting suddenly.

you worry too much. either choose good passwords, or better, set up
login with ssh keys only. it's worth reading and googling for maybe
an hour or two, if you're not familiar with it. if this is in place, you don't
have to worry, and you also don't have to log connections to your ssh
port.


--knitti
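
The key-only setup knitti recommends, as an added example that is not part of the post: an sshd_config fragment that disables every password path, and the matching pf rule that accepts ssh without `log`, since a dictionary run against a key-only sshd produces nothing worth recording. The interface name and the account name `harry` are assumptions.

```conf
# /etc/ssh/sshd_config (fragment, added example, not from the thread)
PubkeyAuthentication yes
PasswordAuthentication no
# Keyboard-interactive/challenge-response auth still prompts for a password
# if left on, so turn it off as well (sshd of this era calls it
# ChallengeResponseAuthentication).
ChallengeResponseAuthentication no
PermitRootLogin no
# Optional: only the accounts that actually need remote access.
AllowUsers harry

# /etc/pf.conf (fragment, added example): accept ssh on the external
# interface without logging it; everything else is blocked and logged.
ext_if = "fxp0"
block in log on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
```

Before restarting sshd, run `sshd -t` to check the file for syntax errors and make sure the key already works, otherwise you lock yourself out. Afterwards the check is `ssh -o PreferredAuthentications=password harry@host`, which must fail with "Permission denied (publickey)" without ever showing a password prompt.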



Re: boot.conf

2006-02-24 Thread knitti
On 2/24/06, Michael Schmidt [EMAIL PROTECTED] wrote:
 Hello,

 I would like to run an OpenBSD machine where I want that the boot prompt
 disappears, reason is that I do not want others having access to the
 boot prompt.
 In case you put a boot into boot.conf or set timeout to zero then you
 do not have the opportunity to boot in single user when it may be
 necessary.

 Are there ways to circumvent the latter?

what problem are you trying to solve?

--knitti



Re: spamd-setup doesn't return

2006-02-22 Thread knitti
On 2/22/06, Bob Beck [EMAIL PROTECTED] wrote:
 I think this was because you had two spamd-setups running.

 spamd will only service one configuration connection at
 a time.

 -Bob

well I run spamd-setup only daily, and of course I assume that at any
particular point in time there should be only one instance running. so
what you saw was just the state of the server after two days without
removing the stale spamd-setup instances. as I said, after killing and
restarting spamd, everything is fine now. before this, I could kill all
instances of spamd-setup and it wouldn't help.


--knitti



Re: Pf questions for larger implementation

2006-02-22 Thread knitti
On 2/23/06, Steve D. [EMAIL PROTECTED] wrote:
 I'm setting up a gateway (1.7 Ghz machine with 1 Gig of ram) for 700+
 users using pf with NAT and BINAT's (90% NAT).I would like to know
 if anyone has any recommendations on tweaking the runtime options in
 PF.  This box will pretty much just be handling the natting with a bare
 minimum of filtering, just enough to keep the box secure.

 Nat statement: ($src_nat is a public /25)
 nat on $public_if inet from client_subs to any -> $src_nat source-hash

 Binat statement: (which isn't working for some reason but I'll figure
 that out)
 binat-anchor  one2ones
 load anchor one2ones from /etc/one2ones

 If anyone has some experience with a similar sized setup, I'd really
 appreciate hearing from you.  If there's any other adjustments I can
 make to keep the performance up, I'd be interested in those also.

try it, deploy it. your cpu/mem should handle it easily. the only thing
I can imagine is running into the default state limit. see man pf.conf,
the part about set limit.

--knitti
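
As an added example (not from the thread), the `set limit` knitti points at, placed next to the nat rule from Steve's post. The macros `$public_if`, `client_subs` and `$src_nat` come from the post; the interface name, the address ranges and the limit itself are assumptions to be sized to your own load. The nat syntax is that of pf in OpenBSD 3.8/3.9, as in the post; on 4.7 and later the same rule is written as `match out on $public_if from $client_subs nat-to $src_nat source-hash`.

```conf
# /etc/pf.conf (fragment, added example, not from the thread)
public_if   = "em0"              # assumption
client_subs = "{ 10.0.0.0/16 }"  # assumption: the NATed client networks
src_nat     = "192.0.2.0/25"     # assumption: the public /25 from the post

# The default state table is 10000 entries (pfctl -sm shows the current
# value). 700 users with a few dozen connections each will fill that, and
# once the table is full new connections are dropped without any log entry,
# so raise it well above the expected peak before going live.
set limit states 100000

# Stateless NAT is not possible in pf: every translated flow is a state
# entry, which is why the limit above matters more here than the filtering.
nat on $public_if inet from $client_subs to any -> $src_nat source-hash
```

To see whether the limit is being hit in production, watch `pfctl -si`: "current entries" under State Table is the live count, and the `memory` line under Counters increments every time pf had to drop a packet because it could not create a state.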



Re: spamd-setup doesn't return

2006-02-21 Thread knitti
On 2/21/06, Bob Beck [EMAIL PROTECTED] wrote:

 Is spamd running on this system?

sorry for not trying this earlier: I just killed & restarted spamd,
and spamd-setup now behaves as expected. (It just didn't
occur to me...)

--knitti



Re: SCSI tape drive hanging

2006-02-21 Thread knitti
On 2/21/06, Marcus Barczak [EMAIL PROTECTED] wrote:
 --- dmesg ---

 OpenBSD 3.8 (NERF) #0: Fri Jan 20 13:35:16 EST 2006
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NERF

uh oh. http://openbsd.org/faq/faq5.html#Why


--knitti



spamd-setup doesn't return

2006-02-19 Thread knitti
Hi,

on a server which ran fine for a long time spamd-setup
doesn't return anymore (at least for a couple of days until
I kill it). Does anyone have an idea how to troubleshoot
this?
spamd-setup seems to update the tables and then
simply wait forever. spamd.conf hasn't been altered
since spamhaus has gone paid-for. first occurrence of
this problem was on feb 10 or 11.


# uname -a
OpenBSD [cut] 3.7 GENERIC#0 i386
# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 15353 entries
whitelist mywhite 15358 entries
blacklist myblack 0 entries
^C
# cat /etc/spamd.conf
all:\
:spews1:mywhite:myblack:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
:black:\
:msg=SPAM. Your address %A is in the spews level 1 database\n\
See http://www.spews.org/ask.cgi?x=%A for more details:\
:method=http:\
:file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

mywhite:\
:white:\
:method=file:\
:file=/etc/spamdwhite.txt:

myblack:\
:black:\
:msg=SPAM. Your address %A is in my blacklist.\n Contact ++xx \
xxx xxx for details.:\
:method=file:\
:file=/etc/spamdblack.txt:

thanks for reading,
knitti


