Re: 7.5: Fatal errors from eigrpd

2024-04-08 Thread Mark Leonard
(Gah!  Here's the post again in plaintext.  Apologies.)

Hello all,

I'm running eigrpd in a VMWare environment and after upgrading to 7.5 from
7.4 I'm noticing eigrpd is failing with a couple different errors.  In 7.4
and prior I never had any problems.

I tried to include everything that I thought might be relevant but if
there's any other information I can provide please let me know.

Has anyone else come across anything similar?

Thanks,
Mark



examples:

test1# eigrpd -dv
startup
eigrp_if_start: lo1 as 1 family ipv4
eigrp_if_start: em0 as 1 family ipv4
if_join_ipv4_group: interface em0 addr 224.0.0.10
rt_new: prefix aa.bb.cc.1/32
route_new: prefix aa.bb.cc.1/32 via connected distance (28160/0)
rt_new: prefix 198.18.101.0/24
route_new: prefix 198.18.101.0/24 via connected distance (28160/0)
fatal in eigrpe: send_packet: get hdr failed
rt_del: prefix aa.bb.cc.1/32
route_del: prefix aa.bb.cc.1/32 via connected
rt_del: prefix 198.18.101.0/24
route_del: prefix 198.18.101.0/24 via connected
route decision engine exiting
kernel routing table decoupled
waiting for children to terminate
terminating

and

RouterTest# eigrpd -dv
startup
eigrp_if_start: em1 as 1 family ipv4
if_join_ipv4_group: interface em1 addr 224.0.0.10
rt_new: prefix 198.18.101.0/24
route_new: prefix 198.18.101.0/24 via connected distance (28160/0)
rt_del: prefix 198.18.101.0/24
route_del: prefix 198.18.101.0/24 via connected
route decision engine exiting
kernel routing table decoupled
waiting for children to terminate
eigrp engine terminated; signal 11
terminating


This is happening on two of two upgraded VMs.

SHA256 (/usr/sbin/eigrpd) =
3b85d7ac155afe4edd355f8b1d8c81f77c6254d96410af8b22f4018b756282a6
(just in case)

I've tried with net.inet.tcp.tso=0 and net.inet.tcp.tso=1.  Same result.

test1# uname -a
OpenBSD test1.local 7.5 GENERIC.MP#82 amd64

The configs I'm running are pretty basic:

RouterTest# eigrpd -n
configuration OK
RouterTest# eigrpd -nv

router-id 198.18.101.1
fib-update yes
rdomain 0
fib-priority-internal 28
fib-priority-external 28
fib-priority-summary 28

address-family ipv4 {
	autonomous-system 1 {
		k-values 1 0 1 0 0 0
		active-timeout 3
		maximum-hops 100
		maximum-paths 4
		variance 8
		default-metric 10 10 255 1 1500

		interface em1 {
			hello-interval 5
			holdtime 15
			delay 10
			bandwidth 10
			split-horizon yes
		}
	}
}

address-family ipv6 {
}


Re: CARP Cold Spare

2021-09-25 Thread leonard
What is the power draw? I use a 1500 VA apc backups with 6 outlets on ups and 5
on surge protection. As long as your total draw is less than 1200 VA, for <
$200 canadian you have a cheap simple solution. Just put one on the ups side and
the other on the surge suppressor side. Or buy 2.

leonard@on the road

-------- Original message --------
From: Don Tek
Date: 2021-09-25 11:40 (GMT-05:00)
To: jslee
Cc: misc@openbsd.org
Subject: Re: CARP Cold Spare

I'm not sure why the hardware matters, but the two machines are a couple HP 1U
Gen 8 Xeon servers. Suffice to say, they are identical and have supported
hardware configurations for OpenBSD.

Of course I _could_ run one off direct power, but it would be a terrible idea.
The location is notorious for power surges, blips that are enough to reboot
servers and several-second brown-outs. So, not connected to the UPS is just
asking for damages.

They experience multi-hour blackouts what seems like once a month; this is
where the desire to limit the draw on the UPS's comes from. To ensure we make
it through without having to shut down.

Remote access is of primary concern, both for me for support, since I'm
geographically far enough away that being on-site is not feasible, and to the
customer, who just wants to stay home and work on systems in the office.

Configurations on the servers almost never change (simple firewall), so besides
having to run a quick syspatch and reboot once at time of failover, I don't see
maintenance being so bad. I keep config files backed-up otherwise centrally for
quick restore to the running box as well.

My primary concern here is if CARP / pfsync will have issues with the one
machine being down a majority of the time. Based on the FAQ, I think not, but
have no practical experience.

> On Sep 25, 2021, at 3:00 AM, jslee wrote:
>
> Hi,
>
> You haven’t said anything about your hardware platform, but could you run one
> of them on non-UPS power? Then you’d still have one online when (*not* if) the
> UPS fails, and also they’ll both normally be online for maintenance, syspatch,
> config changes etc
>
> I do recall installing a pair of identical servers at the same time and having
> them both fail a year later within an hour of each other, both with seized CPU
> fans, so I am somewhat sympathetic to your idea. But I think the practical
> cost of maintenance may be rather high
>
> John
>
>
>> On Sat, 25 Sep 2021, at 08:13, Don Tek wrote:
>> Would there be any ‘problem’ with configuring a 2-machine CARP setup
>> and then just keeping one machine powered-off until needed?
>>
>> I realize this defeats live failover, but this is not a requirement for
>> my customer.
>>
>> I just want them to be able to, in the event of a primary machine
>> failure, power-on the secondary and have it take over.  Logic here is
>> to otherwise not have the secondary sucking power off the UPS’s in the
>> event of a power failure, or in general.
>>
>> Legit?

Re: hacked for the second time

2019-04-03 Thread Mark Leonard
This seems relevant:
https://blog.netspi.com/stealing-unencrypted-ssh-agent-keys-from-memory/



On Wed, Apr 3, 2019 at 2:33 PM R0me0 ***  wrote:

> you can block connections from tor, the ssh keys must be replaced and of
> course, are you using a passphrase for them?
>
> Regards,
>
>
> On Wed, 3 Apr 2019 at 16:12, Zeb Packard
> wrote:
>
> > If you've got money go here:  https://www.openbsd.org/support.html
> >
> > If you don't have money go ask here: http://daemonforums.org/
> >
> > Generally, msp, isp, it requests don't go on this list. You've posted no
> > evidence - a big no no. You need a high level of forensic verification
> > before you bring this problem to the list.
> >
> > Good luck,
> >
> > Zeb
> >
> > On Wed, Apr 3, 2019 at 11:59 AM Cord  wrote:
> >
> > > Hi,
> > > I have a strong suspicion that my openbsd box has been hacked for the
> > > second time in a few weeks. The first time was some weeks ago; I had
> > > some suspicions and after a few checks I found that someone had been
> > > connected to my vps via ssh on a non-standard port using my ssh key. The
> > > connection came from a tor exit node. There had been 2 connections, up
> > > for 5 days. Now I have some other new suspicions because some private
> > > email seems to be known by others. Also I have found other open sessions
> > > on the web gui of my email provider, but I am absolutely sure I have
> > > always done the logout.
> > > I am using just chrome+unveil and I haven't used any other script or
> > > opened pdf (maybe I have opened 1 or 2 pdf from inside of chrome). I have
> > > used epiphany *only* to open the webmail because chrome crashes. My email
> > > provider supports html (obviously) but generally photos are not loaded.
> > > Of course I have pf enabled and few services.
> > > I also use a vpn and I visit very few web sites with chrome.. maybe 20 or
> > > 25 websites just to read news. Sometimes I search things about openbsd.
> > > Could anyone help me?
> > > Cord.


Re: routing traffic to transparent squid cluster

2018-08-09 Thread Mark Leonard
On Thu, Aug 9, 2018 at 7:59 AM, Joerg Streckfuss 
wrote:

> Dear list,
>
> i'm playing around with a squid setup, where the http traffic from a
> client is transparently routed from the gateway (openbsd 6.3) to two squid
> caches (squid 3.5.28). This means the caches are _not_ placed on the
> gateway.
>

I'm not sure if it meets your requirements, but you may wish to consider
using the Web Proxy Auto-Discovery Protocol (WPAD) to tell clients which
proxy to use.  It's not bump-in-the-wire transparent, but it may be an
option.
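To illustrate the WPAD approach suggested above, here is an added example (not code from the original thread, nor from Squid or OpenBSD): a proxy auto-config (PAC) file of the kind a client fetches after learning its location from DHCP option 252 or from the wpad.<domain> DNS name, served as wpad.dat with the application/x-ns-proxy-autoconfig content type. The two Squid cache addresses, the internal domain name and the private-range bypass are assumptions. Browsers provide helpers such as isInNet() and dnsDomainIs(); small equivalents are defined inline here so the same file also runs under Node for checking.

```javascript
// Added example PAC file (not from the original thread). The proxy addresses,
// the internal domain and the private ranges below are assumptions.

// Squid caches in preference order; a client falls through to the next entry
// (and finally DIRECT) when the one before it is unreachable.
var PROXIES = "PROXY 198.18.101.10:3128; PROXY 198.18.101.11:3128";

// Dotted-quad IPv4 literal -> 32-bit number, or null if `s` is not one.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the IPv4 literal `ip` lies inside `cidr` such as "10.0.0.0/8"
// (inline stand-in for the browser's isInNet()).
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var net = ipv4ToInt(parts[0]);
  var addr = ipv4ToInt(ip);
  var bits = parts.length > 1 ? parseInt(parts[1], 10) : 32;
  if (net === null || addr === null) return false;
  if (bits === 0) return true;
  var shift = 32 - bits;
  return (net >>> shift) === (addr >>> shift);
}

// True if `host` equals `domain` or ends in "." + domain
// (inline stand-in for the browser's dnsDomainIs()).
function hasDomainSuffix(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Entry point every PAC engine calls for each URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and the internal domain are reached without a proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (hasDomainSuffix(host, "example.internal")) return "DIRECT";
  // Private and loopback address literals also stay direct.
  var privateNets = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];
  for (var i = 0; i < privateNets.length; i++) {
    if (inCidr(host, privateNets[i])) return "DIRECT";
  }
  // Only plain http goes through the caches, matching the transparent-http
  // setup in the question; https and other schemes go direct.
  if (url.slice(0, 5).toLowerCase() !== "http:") return "DIRECT";
  return PROXIES + "; DIRECT";
}
```

The ordered proxy list gives each client its own failover between the two caches, which a bump-in-the-wire redirect cannot do per client, and limiting the proxy to http: keeps TLS traffic out of the caches, as in the original transparent setup.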


Re: Netatalk (Apple Filing Protocol) daemon replies Something wrong with the volume's CNID DB

2013-05-01 Thread Tim Leonard
On May 1, 2013 5:54:32 AM EDT, Yoshihisa Matsushita y...@m8a.org said:

> > From: Tim Leonard tim.leon...@charter.net
> > Subject: Netatalk (Apple Filing Protocol) daemon replies Something wrong
> > with the volume's CNID DB
> > Date: Tue, 30 Apr 2013 22:36:40 -0400
> >
> > I'm having a problem using Apple Filing Protocol (AFP) services provided by
> > netatalk on OpenBSD, from an OS X Mountain Lion client.
> >
> > I have OpenBSD 5.2 running on an old iMac, with the netatalk-2.2.3p0 package.
> > I made no changes to the default configuration beyond editing
> > /etc/netatalk/afpd.conf to assign the server its name and IP address.
> > I started afpd (the AFP daemon provided by netatalk).
>
> My guess is you forgot to start cnid_metad with afpd.
>
> Try:
>
> $ sudo /etc/rc.d/cnid_metad start
> $ sudo /etc/rc.d/afpd start
>
> and see if this solves the problem.
>
> Basically afpd and cnid_metad are meant to be used together.
> Try 'man cnid_metad' for more details.

Yes, that solved the problem.
(Though I first had to stop an instance of afpd that was already running.)

> By the way,
>
> pkg_scripts=afpd cnid_metad
>
> is what you want in your rc.conf.local. 'man rc.conf.local'
> and 'man rc.d' are your friends.

The man pages were a great help.
In order to make sure that cnid_metad gets started first during system startup,
I instead listed the two daemons in the other order in /etc/rc.conf.local:
pkg_scripts=cnid_metad afpd



Netatalk (Apple Filing Protocol) daemon replies Something wrong with the volume's CNID DB

2013-04-30 Thread Tim Leonard
I'm having a problem using Apple Filing Protocol (AFP) services provided by
netatalk on OpenBSD, from an OS X Mountain Lion client.

I have OpenBSD 5.2 running on an old iMac, with the netatalk-2.2.3p0 package.
I made no changes to the default configuration beyond editing
/etc/netatalk/afpd.conf to assign the server its name and IP address.
I started afpd (the AFP daemon provided by netatalk).

From another Mac, I can connect to the resulting server, but get:
Message from server oldMac
Something wrong with the volume's CNID DB, using
temporary CNID DB instead. Check server messages
for details. Switching to read-only mode.

I looked for help on the web and found
[Solved] [netatalk] Something wrong with CNID DB - The FreeBSD Forums
(http://forums.freebsd.org/showthread.php?t=20324)
which suggested
1. Stop netatalk.
2. Delete the .AppleDB cnid db in the root of your share(s).
3. Make sure that the cnidscheme is set to dbd in AppleVolumes.default
4. Crucially, make sure that the cnid_metad daemon has been started, by
adding the following line to /etc/rc.conf:
cnid_metad_enable=YES
5. Start netatalk.

Following that suggestion, I stopped afpd, enabled cnid_metad_enable in
/etc/rc.conf.local, and restarted afpd.
I did not change AppleVolumes.default because the cnidscheme is already dbd by
default.
I did not delete an .AppleDB folder or its contents because none exists
(though there is a .AppleDouble folder).
The changes did not solve the problem.

I also found
609: Mac OS X Mountain Lion & Lion clients receive CNID DB error when
connecting to OMV AFP shares - MantisBT
(http://bugtracker.openmediavault.org/print_bug_page.php?bug_id=609)
which suggested
Edit /etc/netatalk/afpd.conf and change the entry to:
- -tcp -noddp -uamlist uams_dhx.so,uams_dhx2_passwd.so
Edit /etc/default/netatalk and add this line at the end:
AFPD_UAMLIST=-U uams_dhx.so,uams_dhx2_passwd.so

I added the suggested switches to the configuration line in afpd.conf.
I did not add anything to a /etc/default/netatalk because I don't have such a
file. Other web pages imply that that file is Debian-ish rather than
OpenBSD-ish.
I stopped and restarted afpd.
The changes did not solve the problem.

Do any of you have other suggestions?



How can I turn off the LCD console backlight on an iMac?

2013-03-08 Thread Tim Leonard
Is there any way of turning off an iMac's LCD console backlight, 
with OpenBSD 5.2 running on an iMac (2006)?
(The video card died so the machine is running as a server
in console mode, and I don't want the backlight to burn out.)

If this were a PowerPC Mac, OpenBSD/macppc could do it, with
wsconsctl -w display.backlight=0
but the iMac (2006) has an Intel Core 2 Duo.

I was able to use
wsconsctl display.kbdact=on
to blank the screen so to avoid burn-in, but the backlight is still lit.

If there's no current method, what would it take to port the 
macppc solution to Intel Macs?



Oxford PCI-e serial card support?

2011-03-25 Thread Mark Leonard
Hi,

I've recently purchased a 16-port PCI-e serial card with Oxford UARTs.
OpenBSD 4.8 detects the Oxford chips, but doesn't seem to be able to
use the 'unknown product 0xc308'. This thread
http://www.mail-archive.com/misc@openbsd.org/msg100575.html implies
that most of the steps to support this card may have already been
taken. What would be required to get official support for this card on
OpenBSD? I'm open to allowing access to a machine with it installed.

Other relevant information:
Chip Number: OXPCIe958
Chip Description: Octo UARTs
(as per http://www.pcidatabase.com/vendor_details.php?id=674 )

Thanks!



Re: ssh problem

2006-09-05 Thread Leonard Jacobs
Well I wish it were this easy, or perhaps I am still missing something. 
I added AllowUsers username in the sshd_config file and changed the 
drive to read/write and here's the results:


[EMAIL PROTECTED]:~# mount -o rw /dev/wd0a /
[EMAIL PROTECTED]:~# ssh -p 222 [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).

Sep  5 18:31:23 shakti-taos sshd[10335]: Failed none for invalid user lj from ::1 port 15320 ssh2
Sep  5 18:31:26 shakti-taos sshd[10335]: Failed password for invalid user lj from ::1 port 15320 ssh2
Sep  5 18:31:31 shakti-taos last message repeated 2 times

Of course I would love to disallow Root logins but will await the 
resolution of allowing regular users to connect via ssh first.


Any suggestions would be greatly appreciated.


Thordur I. Bjornsson wrote:

> Leonard Jacobs [EMAIL PROTECTED] wrote on Mon  4.Sep'06 at 22:22:30 -0400
>
>> I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
>> read only CF. I am using the default sshd_config file except to run
>> sshd on port 222.
>
> /dev mounted read only ?
>
> If so, then that's your problem. Load it as an mfs on boot. (image + vnd
> ? maybe or sth)
>
>> My problem is that I cannot connect remotely to this box via ssh except
>> as root. When a legit user who has an account on that box attempts
>> connection, I get "Failed password for invalid user lj from
>> 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
>> suggest that might be causing this problem? I did try changing the file
>> system to read/write, but it did not resolve the problem.
>>
>> Thanks.
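As an added example for the two messages above (not the poster's code, nor anything from OpenSSH or OpenBSD): a small classifier over OpenSSH authentication log lines that separates "invalid user" failures from failed or accepted logins for known accounts, expands syslogd's "last message repeated N times" markers so counts are not understated, and aggregates the result per source and user. The log lines are constructed for the example, modelled on the ones quoted in the post. The distinction is what matters for triage: OpenSSH writes "invalid user" when its account lookup for the name fails, either because the account is not in the host's password database or because the login is refused by AllowUsers/DenyUsers/AllowGroups/DenyGroups, so such a line is not a wrong-password case.

```javascript
// Added example (not from the original thread or from OpenSSH). The log lines
// below are constructed for the example, in the format quoted in the post.
const SAMPLE_LOG = [
  "Sep  5 18:31:23 shakti-taos sshd[10335]: Failed none for invalid user lj from ::1 port 15320 ssh2",
  "Sep  5 18:31:26 shakti-taos sshd[10335]: Failed password for invalid user lj from ::1 port 15320 ssh2",
  "Sep  5 18:31:31 shakti-taos last message repeated 2 times",
  "Sep  5 18:32:02 shakti-taos sshd[10340]: Failed password for root from 192.168.1.13 port 10962 ssh2",
  "Sep  5 18:32:09 shakti-taos sshd[10340]: Accepted password for root from 192.168.1.13 port 10962 ssh2",
  "Sep  5 18:32:40 shakti-taos sshd[10351]: Connection closed by 192.168.1.13 port 10970 [preauth]",
];

// syslog prefix: timestamp, host, optional "sshd[pid]: ", then the message.
const LINE_RE = /^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (?:sshd\[(\d+)\]: )?(.*)$/;
// OpenSSH auth outcome; "invalid user " is present when the account lookup failed.
const AUTH_RE = /^(Accepted|Failed) (\S+) for (invalid user )?(\S+) from (\S+) port (\d+) ssh2/;
// syslogd suppression marker: the previous message occurred N more times.
const REPEAT_RE = /^last message repeated (\d+) times$/;

// Turn log lines into one event per authentication attempt.
function parseSshdAuthLog(lines) {
  const events = [];
  let last = null; // last auth event seen; repeats are attributed to it
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ts, host, pid, msg] = m;
    const rep = REPEAT_RE.exec(msg);
    if (rep) {
      // Approximation: assumes the suppressed message was the last auth line.
      if (last) for (let i = 0; i < Number(rep[1]); i++) events.push({ ...last, ts, repeated: true });
      continue;
    }
    const a = AUTH_RE.exec(msg);
    if (!a) continue; // not an auth outcome (e.g. "Connection closed ... [preauth]")
    last = { ts, host, pid: pid ? Number(pid) : null, outcome: a[1].toLowerCase(),
             method: a[2], invalidUser: Boolean(a[3]), user: a[4], src: a[5],
             port: Number(a[6]), repeated: false };
    events.push(last);
  }
  return events;
}

// Aggregate events per (source, user): counts, methods tried, invalid-user flag.
function summarize(events) {
  const bySrcUser = {};
  for (const ev of events) {
    const key = `${ev.src}\t${ev.user}`;
    const s = bySrcUser[key] || (bySrcUser[key] = {
      src: ev.src, user: ev.user, failed: 0, accepted: 0, invalidUser: false, methods: new Set(),
    });
    if (ev.outcome === "failed") s.failed++; else s.accepted++;
    if (ev.invalidUser) s.invalidUser = true;
    s.methods.add(ev.method);
  }
  return Object.values(bySrcUser).map((s) => ({ ...s, methods: [...s.methods].sort() }));
}

// One triage line per (source, user), distinguishing the three cases.
function triage(summary) {
  return summary.map((s) => {
    const who = `${s.user} from ${s.src}`;
    if (s.invalidUser)
      return `${who}: ${s.failed} failure(s) for an invalid user; sshd's account lookup ` +
             `failed (no such account in the password database, or refused by ` +
             `AllowUsers/DenyUsers/AllowGroups/DenyGroups), so this is not a wrong-password case`;
    if (s.accepted > 0)
      return `${who}: ${s.accepted} accepted login(s) after ${s.failed} failure(s) for a known account`;
    return `${who}: ${s.failed} failed attempt(s) for a known account (bad credentials)`;
  });
}

console.log(triage(summarize(parseSshdAuthLog(SAMPLE_LOG))).join("\n"));
```

On the sample above the lj@::1 line is reported as an invalid-user case with four attempts (two logged plus the two suppressed repeats), which is the same signature the post shows for a name that sshd could not look up.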




ssh problem

2006-09-04 Thread Leonard Jacobs
I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
read only CF. I am using the default sshd_config file except to run
sshd on port 222.


My problem is that I cannot connect remotely to this box via ssh except
as root. When a legit user who has an account on that box attempts
connection, I get "Failed password for invalid user lj from
192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
suggest that might be causing this problem? I did try changing the file
system to read/write, but it did not resolve the problem.


Thanks.