sole instance of a process
Hi,

I suspect this may be the wrong list for this question. However, although strictly it's a Bourne shell script query, it only seems to act up under OpenBSD (for me).

Essentially I have a job which needs to be run periodically. So I have a shell script to do the necessary commands, and this is scheduled via (root's) crontab. It is however very important that multiple instances of the job are not run concurrently (e.g. if a previous invocation hung), and so the script should detect this upon invocation before proceeding. I don't want a single long running job (which could e.g. sleep between loops) for various reasons. And I also don't like PID files and other fragile locking hacks.

So down to business, below is the gist of my script. Most of the time it appears to run fine. However occasionally (once every couple of days?) it reports via email that a duplicate process is detected, but the included ps listing shows no other instance. I don't believe that this is just due to an old instance exiting in the small time window between the pgrep and the ps invocations. So basically I guess there is an error in my script or its logic, or something else I'm not seeing. Any hit with the clue bat gratefully received.

    #!/bin/sh
    #
    # logger invocation used for alerts
    SHOUT="/usr/bin/logger -i -t MYPERIODICJOB"
    #
    #
    # Ensure another instance of this is not running
    #
    MYNAME=`basename $0`
    MYPID=$$
    #
    # pgrep -f matches on the full command line; grep -v drops our own pid.
    # grep exits 0 (true) when any other pid remains, i.e. a duplicate.
    /usr/bin/pgrep -fu root $MYNAME | /usr/bin/grep -v $MYPID && \
        { $SHOUT "HELP - duplicate process detected $?" ; \
          ps -axjwww | mail -s "HELP MYPERIODICJOB $MYPID $MYNAME $PPID" m...@example.com ; \
          exit 1 ; }
    #
    #
    # starting doing useful stuff here..

Disclaimer: I know my scripting is far from optimal...

/Pete
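An added example, not code from the post above: a single-instance guard that relies on mkdir(2) being atomic instead of scanning the process table. Scanning with `pgrep -f` is fragile because a child the shell has forked for the pipeline but not yet exec'd still carries the script's own command line and so can match. The lock directory path and the `--run` convention are assumptions; the script is meant to run as root, as in the post, since `kill -0` cannot probe other users' processes otherwise.

```sh
#!/bin/sh
# Single-instance guard for a cron job, built on mkdir(2) (atomic on POSIX
# filesystems): two concurrent invocations cannot both create the same
# directory, so whoever's mkdir succeeds holds the lock.
LOCKDIR="${LOCKDIR:-/var/run/myperiodicjob.lock}"    # assumed path

# acquire_lock: return 0 once this process holds the lock, 1 if another live
# instance holds it. A lock left behind by a dead holder (crash, reboot,
# kill -9) is detected with kill -0 and reclaimed.
acquire_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        echo "$$" > "$LOCKDIR/pid"
        return 0
    fi
    holder=$(cat "$LOCKDIR/pid" 2>/dev/null || true)
    # Holder still alive, or its pid not yet written: treat as a duplicate.
    # (Conservative: a crash between mkdir and echo leaves an empty lock
    # that must be cleared by hand.)
    if [ -z "$holder" ] || kill -0 "$holder" 2>/dev/null; then
        return 1
    fi
    # Stale lock. Reclaiming is a small race between two late starters, but
    # mkdir stays atomic, so at most one of them wins.
    rm -rf "$LOCKDIR"
    if mkdir "$LOCKDIR" 2>/dev/null; then
        echo "$$" > "$LOCKDIR/pid"
        return 0
    fi
    return 1
}

# lock_holder: print the pid recorded in the lock, for the alert message.
lock_holder() {
    cat "$LOCKDIR/pid" 2>/dev/null || true
}

release_lock() {
    rm -rf "$LOCKDIR"
}

# Typical use at the top of the job. Guarded by an argument so that merely
# sourcing this file (e.g. from a test) does not take the lock.
if [ "${1:-}" = "--run" ]; then
    if ! acquire_lock; then
        logger -i -t MYPERIODICJOB "duplicate instance detected, holder pid $(lock_holder)"
        exit 1
    fi
    trap 'exit 1' INT TERM
    trap release_lock EXIT
    # ... useful work goes here ...
fi
```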
Re: 'newer' Qlogic HBA support on amd64
Hi,

Sorry for the delay. I finally upgraded the box (very quick and easy process - nice) and the HBA is now attached by the qle driver. However whilst it 'sees' the SAN disk behind it, it remains unable to talk to it.

    # uname -mrv
    5.5 GENERIC.MP#315 amd64

    # dmesg | egrep -i 'qle|scsibus1'
    qle0 at pci8 dev 0 function 0 "QLogic ISP2432" rev 0x02: msi
    qle0: bad startup mboxes: 0 0
    qle0: firmware rev 4.0.20, attrs 0x2
    scsibus1 at qle0: 2048 targets, WWPN 50060b66644e, WWNN 50060b66644f
    sd1 at scsibus1 targ 130 lun 0: <DGC, RAID 5, 0223> SCSI2 0/direct fixed naa.600601601b662700d837603da8efe011
    sd2 at scsibus1 targ 131 lun 0: <DGC, RAID 5, 0223> SCSI2 0/direct fixed naa.600601601b662700d837603da8efe011

sd1 & sd2: are these duplicates due to redundant paths in the SAN fabric?

    # fdisk sd1
    fdisk: DIOCGPDINFO: Input/output error
    fdisk: Can't get disk geometry, please use [-chs] to specify.

    # pcidump -v 19:0:0
     19:0:0: QLogic ISP2432
            0x0000: Vendor ID: 1077 Product ID: 2432
            0x0004: Command: 0147 Status: 0010
            0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
            0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
            0x0010: BAR io addr: 0x5000/0x0100
            0x0014: BAR mem 64bit addr: 0xfdff/0x4000
            0x001c: BAR empty ()
            0x0020: BAR empty ()
            0x0024: BAR empty ()
            0x0028: Cardbus CIS:
            0x002c: Subsystem Vendor ID: 103c Product ID: 7040
            0x0030: Expansion ROM Base Address:
            0x0038:
            0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
            0x0044: Capability 0x01: Power Management
            0x004c: Capability 0x10: PCI Express
                    Link Speed: 2.5 / 2.5 GT/s
                    Link Width: x4 / x4
            0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
            0x0074: Capability 0x03: Vital Product Data (VPD)
            0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)

e.g. http://filedownloads.qlogic.com/files/datasheets/32359/83432-580-00D.pdf

(let me know if you want list spam with the full dmesg).

/Pete

On 13. mars 2014, at 18:48, Ted Unangst <t...@tedunangst.com> wrote:

> On Thu, Mar 13, 2014 at 18:44, Pete Vickers wrote:
>> Hi,
>> I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It appears to be based on the ISP2400 series, and the isp man page says the driver only supports up to the ISP2300 series. However the driver appears to try to attach the device irrespective (and fail). Does anyone know how different the 2400 series are, or if there is work in progress to support them?
>
> In 5.5 and later, that's supported by the qle driver. The isp driver is being broken into parts (qlw, qla, qle) depending on generation. I'd try a snapshot. It should work better. And if it doesn't work, we'd like to know.
'newer' Qlogic HBA support on amd64
Hi,

I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It appears to be based on the ISP2400 series, and the isp man page says the driver only supports up to the ISP2300 series. However the driver appears to try to attach the device irrespective (and fail). Does anyone know how different the 2400 series are, or if there is work in progress to support them?

thanks
/Pete

Some relevant info below:

    $ dmesg | grep isp0
    isp0 at pci8 dev 0 function 0 "QLogic ISP2432" rev 0x02: apic 8 int 17
    isp0: Polled Mailbox Command (0x8) Timeout (10us)
    isp0: Polled Mailbox Command (0x8) Timeout (10us)
    isp0: Mailbox Command 'ABOUT FIRMWARE' failed (TIMEOUT)

    # pcidump -v 19:0:0
     19:0:0: QLogic ISP2432
            0x0000: Vendor ID: 1077 Product ID: 2432
            0x0004: Command: 0147 Status ID: 0010
            0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
            0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
            0x0010: BAR io addr: 0x5000/0x0100
            0x0014: BAR mem 64bit addr: 0xfdff/0x4000
            0x001c: BAR empty ()
            0x0020: BAR empty ()
            0x0024: BAR empty ()
            0x0028: Cardbus CIS:
            0x002c: Subsystem Vendor ID: 103c Product ID: 7040
            0x0030: Expansion ROM Base Address:
            0x0038:
            0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
            0x0044: Capability 0x01: Power Management
            0x004c: Capability 0x10: PCI Express
                    Link Speed: 2.5 / 2.5 GT/s
                    Link Width: x4 / x4
            0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
            0x0074: Capability 0x03: Vital Product Data (VPD)
            0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)

    $ dmesg | head
    OpenBSD 5.3 (GENERIC.MP) #62: Tue Mar 12 18:21:20 MDT 2013
        dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

    # sysctl hw
    hw.machine=amd64
    hw.model=Intel(R) Xeon(R) CPU E5420 @ 2.50GHz
    hw.ncpu=4
    hw.byteorder=1234
    hw.pagesize=4096
    hw.disknames=sd0:20008a7ae6c37c52,cd0:
    hw.diskcount=2
    hw.sensors.cpu0.temp0=37.00 degC
    hw.sensors.cpu1.temp0=37.00 degC
    hw.sensors.cpu2.temp0=37.00 degC
    hw.sensors.cpu3.temp0=37.00 degC
    hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
    hw.sensors.ciss0.drive0=online (sd0), OK
    hw.cpuspeed=2500
    hw.setperf=100
    hw.vendor=HP
    hw.product=ProLiant DL360 G5
    hw.physmem=4292161536
    hw.usermem=4292136960
    hw.ncpufound=4
    hw.allowpowerdown=1
Re: OpenBSD 5.0-current (GENERIC) #65: Thu Nov 3 00:58:36 MDT 2011
On 20. jan. 2012, at 01.50, Martin Pelikan wrote:

> ...
> better alternative:
>
>     echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/' >> ~/.profile
>
> for -release and -stable, or
>
>     echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/' >> ~/.profile

Instead, why not solve the general case rather than specific cases. Since the install script now guesses the location of the nearest mirror for the install source (TZ etc), I don't see why it couldn't set up a sane default PKG_PATH in /etc/profile (which can be easily overridden in ~/.profile if desired) at install time. This should of course use the correct arch/version (if it's a snapshot then set the PKG_PATH as such) and be derived from the install source.

- I know this breaks for mirror sites which carry only install images, not packages. This can be combated with: 'pkg_add -v' should maybe announce which site it's using, to aid debugging (and be referenced in SASQ).

- People that install snapshots, and then don't keep up with -current, will possibly (probably) get broken packages. That applies with or without this change. Again 'pkg_add -v' could grep for /snapshot/ in the PKG_PATH, and if present, proceed, but with a one line warning (or alternatively stop unless a new -D keyword to force snapshot packages was supplied).

/Pete
Re: Add Route at Boot Time
add a line like

    !/sbin/route what via where

to your /etc/hostname.vr1 file

On 20. jan. 2012, at 15.29, Hendrickson, Kenneth wrote:

>     +---------------+
>     |   Firewall    |
>     |               |      .33  .34  .35  .97
>     |  vr0   dhcpd  |       |    |    |    |        Wired Network
>     |  172.24.10.21 |-------+----+----+----+------  172.24.10/24
>     |               |
>     |               |                 +-----------------+
>     |  vr1          |                 | Wireless Router |
>     |  172.24.20.1  |-----------------| 172.24.20.2     |    Wireless Network
>     |               |                 | 192.168.2.1     |---  192.168.2/24
>     |               |                 | dhcpd           |
>     |               |                 +-----------------+
>     |  vr2          |
>     |  172.24.30.1  |----- Future Use
>     |               |
>     |               |                 +-------------+
>     |  vr3 dhclient |-----------------| Cable Modem |---  Internet Cloud
>     +---------------+                 +-------------+
>
> Problem. I need to manually do:
>
>     route add -inet 192.168.2.0/24 172.24.20.2
>
> How do I get this done automagically at boot time? What man pages do I need to (re-)read?
>
> Thanks, Ken
Re: OpenBSDd functionality equal to neighbor allowas-in?
SOO can be used for loop detection, but only if your bgp peerings don't strip extended communities. Another dirty hack would be to get the peer to aggregate your 'remote' prefixes towards you (without as-set) to conceal the ASN. Beware that ebgp routes are preferred over ibgp by default though - this is a gun and your feet look tempting.

/Pete

On 6. jan. 2012, at 22:01, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2012-01-06, Donald Reichert <silvershadow...@gmx.de> wrote:
>> Hi list,
>> I'd like to replace some Ciscos by OpenBSD machines. On the routers I have configured the possibility to span networks from our own AS over peerings, Cisco speak:
>>
>>     neighbor x.x.x.x allowas-in
>>
>> This is needed for disjunct networks. I didn't find a clue how to do this with OpenBGPd - any hints?
>> Thanks, Donald
>
> Not currently possible, it will need code changes. Normally this check is done to prevent route loops. It shouldn't be too hard to naively hack this type of option into place, but I'm not sure what else might need to be done to avoid loops.
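A constructed bgpd.conf fragment, added here and not from the thread, showing the SOO approach described above: tag everything exported to the eBGP peer with a Site-of-Origin extended community and refuse anything that comes back carrying the same tag. The AS numbers, addresses, group name and SOO value are made up; the filter only works if the peer passes extended communities through unchanged.

```conf
# Constructed example: local site is in AS 65001 and reaches the other site
# of the same AS through an upstream in AS 65000.
AS 65001
router-id 192.0.2.1

group "upstream" {
	remote-as 65000
	neighbor 192.0.2.2
}

allow from group "upstream"
allow to group "upstream"

# Tag every prefix we export towards the upstream with this site's SOO ...
match to group "upstream" set ext-community soo 65001:10

# ... and drop anything that arrives carrying our own SOO: those are our own
# prefixes looping back via the upstream. Last matching rule wins, so this
# sits after the allow rules.
deny from group "upstream" ext-community soo 65001:10
```

Check the result with `bgpctl show rib ext-community soo 65001:10` after a session reset; a prefix of the remote site that still shows the local SOO means the peer is rewriting or stripping extended communities.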
BFD (a la. RFC5880/5881)
Hi,

Just a quick question to see if anyone's working on implementing the above on OpenBSD, and in particular its integration with OpenBGPD/OpenOSPF? Note that this is not a 'please can I have this feature for free' or suchlike, merely a tentative status query. (BFD is appearing more and more frequently in the multi-vendor environments some of my OpenBSD boxen reside in).

thanks,
/Pete
Re: problem running named in non 0 rdomain
On 1. jan. 2012, at 23.40, Stuart Henderson wrote:

> On 2012-01-01, Pete Vickers <p...@systemnet.no> wrote:
>> snippet from /etc/named-gn.conf :
>>
>>     controls {
>>         inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
>>     };
>>
>> then it also fails and complains thus:
>>
>>     Jan 1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
>>     Jan 1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command channel 10.20.30.2#954: permission denied
>>     Jan 1 09:01:49 ns0 named[8504]: running
>>
>> So I guess that named's (unprivileged?) child does not honour (inherit?) the parent's rdomain, and thus cannot bind to either rdomain '0' or '1' successfully?
>
> The child process only allows binding to ports 53/953/921, see usr.sbin/bind/lib/isc/unix/privsep.c line 190. I'm pretty sure the child will be inheriting the rdomain from the process which forked it.

ahh. Indeed. Once I used an approved port, it appears happy even in the non-default table:

    root@ns0 ~ # route -T 1 exec rndc -s 10.20.30.2 status
    number of zones: 3
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is ON
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running

thanks for the clue.

/Pete
problem running named in non 0 rdomain
Hi,

I am having difficulty running named in a non-default rdomain, on the following platform:

    root@ns0 ~ # uname -a
    OpenBSD ns0.whatever 5.0 GENERIC#36 sparc64

I have an interface in rdomain '1':

    root@ns0 ~ # ifconfig bge1 | head -1
    bge1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500

and happy:

    root@ns0 ~ # ping -c 1 -V 1 10.20.30.2
    PING 10.20.30.2 (10.20.30.2): 56 data bytes
    64 bytes from 10.20.30.2: icmp_seq=0 ttl=255 time=0.215 ms

However, when I try to start the named daemon in that rdomain with the following command:

    # route -T 1 exec /usr/sbin/named -4 -i /var/run/named-gn.pid -c /etc/named-gn.conf

the daemon starts successfully, but cannot open a control port on the loopback interface, and complains thus:

    Jan 1 09:12:19 ns0 named[23519]: [child]: disallowed port 954
    Jan 1 09:12:19 ns0 named[23519]: /etc/named-gn.conf:21: couldn't add command channel 127.0.0.1#954: address not available

This is fair enough I guess, since the loopback interface is in the default rdomain, and is thus unavailable to the named process. However if I instead explicitly configure the control port to be on the correct interface (IP address), thus:

snippet from /etc/named-gn.conf :

    controls {
        inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
    };

then it also fails and complains thus:

    Jan 1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
    Jan 1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command channel 10.20.30.2#954: permission denied
    Jan 1 09:01:49 ns0 named[8504]: running

So I guess that named's (unprivileged?) child does not honour (inherit?) the parent's rdomain, and thus cannot bind to either rdomain '0' or '1' successfully?

To make matters worse, since I can't now use rndc to reload zones on the fly, I tried to HUP the named process, but this also fails miserably (since it appears to re-read the default config file instead).

Is this a bug, or am I doing something silly?

(Suggestions regarding using other DNS daemons are not really helpful unless they are 1. in base, 2. can host both recursive & master services on the same IP/port)

thanks & happy new year!

/Pete
Re: Performance problems with OpenBSD 4.9 under ESXi 5
On 1. nov. 2011, at 00.15, carlopmart wrote:

> On 10/31/2011 10:01 PM, Tyler Morgan wrote:
>> Hi,
>> I setup four 4.9-RELEASE installs under ESXi 5.0.0:
>>
>>     amd64 as Other
>>     amd64 as FreeBSD
>>     i386 as Other
>>     i386 as FreeBSD
>>
>> All 4 got 512 megs of RAM, unlimited use of the 8 available CPU cores, and totally default installs other than stress from ports. After installing I ran
>>
>>     stress --cpu 8 --io 4 --vm 2 --vm-bytes 128M --hdd 4 --hdd-bytes 128M --timeout 60s
>>
>> in an infinite loop for a few hours. Then I let them sit for a couple days. Then I ran the stress loops again for a few hours with 3 days of uptime. I verified the stress was pegging 95%+ of all CPU, doing about 75% of what the RAID array is capable of in disk read/write, and as much RAM as I'd let it have -- all verified using ESXi's standard host monitoring.
>>
>> At the end of testing, I have no unusual messages in dmesg, a normal 0.5ish load when idle, and no noticed performance issues on all four virtual machines.
>>
>> The ESXi host is a 3.5 year old SuperMicro server from Penguin Linux with 2xXeon X5365s, 32Gigs of ECC DDR3, and an Adaptec RAID controller. I can get a real dmesg out of the ESXi host if anyone wants it, and someone already provided a dmesg of 4.9-RELEASE under VMWare, but I can also provide those if desired.
>
> ESXi 3.5?? Can you test with ESXi 4 U2??

I have some OpenBSD AMD64 (as 'other-64bit') VMs running fine for months under ESX 4.1.0, e.g.:

    # sysctl hw
    hw.machine=amd64
    hw.model=Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
    hw.ncpu=2
    hw.byteorder=1234
    hw.pagesize=4096
    hw.disknames=cd0:,sd0:c71fe08ce57dfde4,sd1:4af057f745d341a4
    hw.diskcount=3
    hw.sensors.acpiac0.indicator0=On (power supply)
    hw.sensors.vmt0.timedelta0=-0.001828 secs, OK, Tue Nov 1 11:45:20.995
    hw.cpuspeed=2659
    hw.vendor=VMware, Inc.
    hw.product=VMware Virtual Platform
    hw.version=None
    hw.serialno=VMware-xx
    hw.uuid=xx
    hw.physmem=3220111360
    hw.usermem=3220094976
    hw.ncpufound=2
Re: [OpenBGPd] - removing private AS from AS path
On 29. aug. 2011, at 12.22, Laurent CARON wrote:

> Hi,
> I wonder if it is possible to remove a private AS from the AS path while using OpenBGPd.
> IOS black magic for this would be:
>
>     # neighbor $NEIGH remove-private-AS

slightly OT, but IIRC that IOS command only strips a _pure_ private AS path. If the AS_PATH is a mixture of private and public ASNs, then it is not modified. (Cisco regard such AS_PATHs as a config error, to be corrected not hidden).

/Pete
Sun Ultra45 4.9R crashes loading kernel...
Hi,

trying to boot my Sun Ultra45 workstation from install49.iso results in this:

    ok reset-all
    Sun Ultra 45 Workstation, No Keyboard
    Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
    OpenBoot 4.22.19, 8192 MB memory installed, Serial #69377208.
    Ethernet address 0:14:4f:22:9c:b8, Host ID: 84229cb8.

    ok boot cdrom
    Boot device: /pci@1e,60/pci@0/pci@1/pci@0/ide@1f/cdrom@0,0:f  File and args:
    OpenBSD IEEE 1275 Bootblock 1.3
    ..
    OpenBSD BOOT 1.4
    Trying bsd...
    Booting /pci@1e,60/pci@0/pci@1/pci@0/ide@1f/cdrom@0,0:f/bsd
    3785400@0x100+7496@0x139c2b8+3255032@0x180+939272@0x1b1aaf8 symbols @ 0xfefbc240 65 start=0x100
    console is /ebus@1f,464000/serial@2,80
    Copyright (c) 1982, 1986, 1989, 1991, 1993
            The Regents of the University of California.  All rights reserved.
    Copyright (c) 1995-2011 OpenBSD. All rights reserved.  http://www.OpenBSD.org

    OpenBSD 4.9 (RAMDISK) #517: Wed Mar  2 07:49:10 MST 2011
        dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/RAMDISK
    real mem = 8589934592 (8192MB)
    avail mem = 8447508480 (8056MB)
    mainbus0 at root: Sun Ultra 45 Workstation
    cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1600 MHz
    cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64 b/l)
    "memory-controller" at mainbus0 not configured
    pyro0 at mainbus0: Fire, rev 3, ign 780, bus A 2 to 12
    pyro0: dvma map c000-
    pci0 at pyro0
    ppb0 at pci0 dev 0 function 0 "PLX PEX 8532" rev 0xaa
    pci1 at ppb0 bus 3
    ppb1 at pci1 dev 1 function 0 "PLX PEX 8532" rev 0xaa
    pci2 at ppb1 bus 4
    ppb2 at pci2 dev 0 function 0 "Acer Labs M5249 PCI-PCI" rev 0x00
    pci3 at ppb2 bus 5
    ohci0 at pci3 dev 28 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 0x780, version 1.0, legacy support
    ohci1 at pci3 dev 28 function 1 "Acer Labs M5237 USB" rev 0x03: ivec 0x780, version 1.0, legacy support
    ohci2 at pci3 dev 28 function 2 "Acer Labs M5237 USB" rev 0x03: ivec 0x780, version 1.0, legacy support
    ehci0 at pci3 dev 28 function 3 "Acer Labs M5239 USB2" rev 0x01: ivec 0x781
    usb0 at ehci0: USB revision 2.0
    uhub0 at usb0 "Acer Labs EHCI root hub" rev 2.00/1.00 addr 1
    "Acer Labs M5455 Audio" rev 0x21 at pci3 dev 29 function 0 not configured
    "Acer Labs M7101 Power" rev 0x00 at pci3 dev 30 function 1 not configured
    pciide0 at pci3 dev 31 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc8: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
    pciide0: using ivec 0x784 for native-PCI interrupt
    atapiscsi0 at pciide0 channel 0 drive 0
    scsibus0 at atapiscsi0: 2 targets
    cd0 at scsibus0 targ 0 lun 0: <MATSHITA, DVD-RAM UJ-845S, D100> ATAPI 5/cdrom removable
    cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
    pciide0: channel 1 disabled (no drives)
    usb1 at ohci0: USB revision 1.0
    uhub1 at usb1 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
    usb2 at ohci1: USB revision 1.0
    uhub2 at usb2 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
    usb3 at ohci2: USB revision 1.0
    uhub3 at usb3 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
    ppb3 at pci1 dev 2 function 0 "PLX PEX 8532" rev 0xaa
    pci4 at ppb3 bus 6
    ppb4 at pci4 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xb3
    pci5 at ppb4 bus 7
    bge0 at pci5 dev 4 function 0 "Broadcom BCM5715" rev 0xa2, BCM5715 A1 (0x9001): ivec 0x796, address 00:14:4f:22:9c:b8
    brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
    bge1 at pci5 dev 4 function 1 "Broadcom BCM5715" rev 0xa2, BCM5715 A1 (0x9001): ivec 0x797, address 00:14:4f:22:9c:b9
    brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
    ppb5 at pci1 dev 3 function 0 "PLX PEX 8532" rev 0xaa: ivec 0x796
    pci6 at ppb5 bus 8
    ppb6 at pci1 dev 8 function 0 "PLX PEX 8532" rev 0xaa: ivec 0x794
    pci7 at ppb6 bus 9
    ppb7 at pci1 dev 9 function 0 "PLX PEX 8532" rev 0xaa
    pci8 at ppb7 bus 10
    ppb8 at pci8 dev 0 function 0 "Intel 41210 PCIE-PCIX" rev 0x09
    pci9 at ppb8 bus 11
    mpi0 at pci9 dev 1 function 0 "Symbios Logic SAS1064" rev 0x02: ivec 0x78f
    scsibus1 at mpi0: 63 targets
    sd0 at scsibus1 targ 0 lun 0: <SEAGATE, ST914602SSUN146G, 0603> SCSI3 0/direct fixed
    sd0: 140009MB, 512 bytes/sec, 286739329 sec total
    ppb9 at pci8 dev 0 function 2 "Intel 41210 PCIE-PCIX" rev 0x09
    pci10 at ppb9 bus 12
    radeonfb0 at pci10 dev 2 function 0 "ATI Radeon VE" rev 0x00
    radeonfb0: SUNW,375-3290, 1152x900
    wsdisplay0 at radeonfb0
    wsdisplay0: screen 0 added (std, sun emulation)
    pyro1 at mainbus0: Fire, rev 3, ign 7c0, bus B 2 to 255
    pyro1: dvma map c000-
    pci11 at pyro1
    ebus0 at mainbus0: ign 7c0
    "flashprom" at ebus0 addr 0-1f not configured
    rtc0 at ebus0 addr 10-1f: bq4802
    com0 at ebus0 addr 80-87 ivec 0x8: st16650, no working fifo
    com0: console
    com1 at ebus0 addr 0-7 ivec 0x8: st16650, no working fifo
    "env-monitor" at ebus0 addr 0-41 not configured
    "i2c" at ebus0 addr 80-81 ivec 0x1 not configured
    "power" at ebus0 addr e0-e1 ivec 0x3 not configured
    "i2c" at mainbus0 not configured
    "i2c" at mainbus0 not configured
    "i2c" at mainbus0 not configured
    "ppm" at mainbus0 not configured
    data error type 32 sfsr=80800c sfva=4004fba0001 afsr=1008000500 afva=7f8100012c0
Re: relayd.conf and multiple webservers on the inside
depending on your dns name flexibility, another possible alternative is to use site names like bob.example.com and alice.example.com; then you can run both via a single wildcard SSL cert *.example.com on the single IP address.

/Pete

On 14. apr. 2011, at 20:45, Matthew Dempsky <matt...@dempsky.org> wrote:

> On Thu, Apr 14, 2011 at 11:36 AM, Matthew Dempsky <matt...@dempsky.org> wrote:
>> On Thu, Apr 14, 2011 at 11:09 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
>>> Are you sure you want to do this. Do you want any ssl on these sites, because you'll need ugly :port on your ssl urls if you do.
>>
>> Using Subject Alternative Names, you can get a single SSL certificate that covers multiple hostnames. Alternatively, if someone adds SNI support to relayd, then you could still use multiple distinct SSL certificates as well. The version of OpenSSL in base already supports SNI.
>
> Also, both of these solutions assume relayd is the SSL termination point for both web sites. If instead you want the backends to be responsible for handling SSL, then yeah, you need to use separate IP addresses or ports.
Re: Support for Intel X520-T2 10GbaseT cards
>> . It is based on the 82599 chipset, so why wouldn't it?
>
> My mistake, it seems.. I get an "unknown product 0x151c" error in dmesg (see below). So now we have a pair of these cards and the obvious question is of course, will they be supported? I realize that I should have checked this before I bought it, but as Intel claims in the specs (http://www.intel.com/Assets/PDF/prodbrief/318349-004.pdf) it is supported by FreeBSD and I believe that's from where the driver was ported.
>
> I'm very grateful for any input.

This is a diff against -current, not 4.8, but perhaps it applies there as well. You'll have to apply this from /usr/src/sys/dev/pci and then run 'make' in that directory to regenerate the pcidevs headers.

Index: pcidevs === RCS file: /cvs/src/sys/dev/pci/pcidevs,v retrieving revision 1.1590 diff -u -p -r1.1590 pcidevs --- pcidevs 26 Jan 2011 07:09:09 - 1.1590 +++ pcidevs 15 Mar 2011 17:31:38 - @@ -2492,6 +2492,7 @@ product INTEL 82580_SGMII 0x1511 82580 S product INTEL 82580_COPPER_DUAL 0x1516 I340-T2 (82580) product INTEL 82599_KX4_MEZZ 0x1514 10GbE KX4 (82599) product INTEL 82576_NS_SERDES 0x1518 82576NS SerDes +product INTEL 82599_T3_LOM 0x151c 82599 T3 product INTEL 82576_QUAD_CU_ET2 0x1526 PRO/1000 QP (82576) product INTEL 80960RP_ATU 0x1960 80960RP ATU product INTEL 82840_HB0x1a21 82840 Host Index: if_ix.c === RCS file: /cvs/src/sys/dev/pci/if_ix.c,v retrieving revision 1.46 diff -u -p -r1.46 if_ix.c --- if_ix.c 10 Nov 2010 15:23:25 - 1.46 +++ if_ix.c 15 Mar 2011 17:31:39 - @@ -68,7 +68,8 @@ const struct pci_matchid ixgbe_devices[] { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_COMBO_BACKPLANE }, { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_CX4 }, { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_SFP }, - { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_SFP_EM } + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_SFP_EM }, + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_T3_LOM } }; /*
@@ -1251,6 +1252,10 @@ ixgbe_identify_hardware(struct ix_softc case PCI_PRODUCT_INTEL_82598EB_XF_LR: sc-hw.mac.type = ixgbe_mac_82598EB; sc-optics = IFM_10G_LR; + break; + case PCI_PRODUCT_INTEL_82599_T3_LOM: + sc-hw.mac.type = ixgbe_mac_82599EB; + sc-optics = IFM_10G_T; break; case PCI_PRODUCT_INTEL_82598AT_DUAL: case PCI_PRODUCT_INTEL_82598AT:

Pete Vickers <p...@systemnet.no> | +47 48 17 91 00 SystemNet AS
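Review bot: in the pcidevs hunk, the description string "82599 T3" for the new 0x151c entry is terser than the neighbouring entries' style, e.g. "I340-T2 (82580)" and "10GbE KX4 (82599)"; consider "10GbE T3 (82599)" so the generated pcidevs_data.h reads consistently. The hunk is placed correctly by product ID (between 0x1518 and 0x1526), and since the regenerated pcidevs.h and pcidevs_data.h are not part of the diff, the 'make' step mentioned above is mandatory, not optional, before if_ix.c will compile against PCI_PRODUCT_INTEL_82599_T3_LOM.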
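Review bot: the ixgbe_devices[] hunk must not be committed without the ixgbe_identify_hardware() hunk that follows, because a 0x151c card that matches here but has no case in the switch would attach with whatever the switch leaves in sc->hw.mac.type and sc->optics for an unlisted product. The trailing comma added to the SFP_EM line is required and correct.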
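Review bot: the ixgbe_identify_hardware() hunk sets sc->optics = IFM_10G_T, so anyone trying this on 4.8 rather than -current ("perhaps it applies there as well" is untested) should first confirm that IFM_10G_T is defined in sys/net/if_media.h on that tree; otherwise the build fails rather than the attach. The added "break;" before the new case is needed so that the 82598EB_XF_LR case no longer falls through, and the new case itself correctly keeps the existing "break;" that precedes the 82598AT cases.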
/etc/hosts comments update
Now that the IPv4 address space is fully allocated, perhaps it's time to update the comments in /etc/hosts? Here is my attempt at a reasonably concise update:

    # Assignments from RFC5735 (supersedes RFC1918)
    #
    # Allocated for use as the Internet host loopback address:
    # 127.0.0.0/8
    #
    # Allocated for communication between hosts on a single link. Hosts obtain
    # these addresses by auto-configuration (in the absence of DHCP):
    # 169.254.0.0/16
    #
    # Addresses within these blocks do not legitimately appear on the public Internet
    # and can be used without any coordination with IANA or an Internet registry:
    # 10.0.0.0/8         private networks
    # 172.16.0.0/12      private networks
    # 192.168.0.0/16     private networks
    # 192.0.2.0/24       documentation/examples
    # 198.51.100.0/24    documentation/examples
    # 203.0.113.0/24     documentation/examples
    # 198.18.0.0/15      benchmark interconnect testing
    #
    # Full assignments details are available here:
    # http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

More contentiously, this is an IPv6 counterpart:

    # Allocated for use as the Internet host loopback address:
    # ::1/128
    #
    # Allocated special purpose address blocks:
    # fe80::/10          Link local addresses (auto-configured)
    # fc00::/7           Unique local address (private networks)
    # 2001:db8::/32      documentation/examples
    # 2001:2::/48        benchmark interconnect testing
    #
    # Full assignments details are available here:
    # http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.txt

Note that I interpret the aim of these comments as an aide-memoire, rather than a tutorial on IP addressing schemes, so it's intentionally brief.

/Pete
Re: /etc/hosts comments update
On 22. feb. 2011, at 16.22, Joachim Schipper wrote:

> On Tue, Feb 22, 2011 at 03:04:25PM +0100, Pete Vickers wrote:
>> Now that the IPv4 address space is fully allocated, perhaps it's time to update the comments in /etc/hosts? Here is my attempt at a reasonably concise update:
>>
>>     # Assignments from RFC5735 (supersedes RFC1918)
>>     #
>>     # Allocated for use as the Internet host loopback address:
>>     # 127.0.0.0/8
>>     #
>>     # Allocated for communication between hosts on a single link. Hosts obtain
>>     # these addresses by auto-configuration (in the absence of DHCP):
>>     # 169.254.0.0/16
>>     #
>>     # Addresses within these blocks do not legitimately appear on the public Internet
>>     # and can be used without any coordination with IANA or an Internet registry:
>>     # 10.0.0.0/8         private networks
>>     # 172.16.0.0/12      private networks
>>     # 192.168.0.0/16     private networks
>>     # 192.0.2.0/24       documentation/examples
>>     # 198.51.100.0/24    documentation/examples
>>     # 203.0.113.0/24     documentation/examples
>>     # 198.18.0.0/15      benchmark interconnect testing
>>     #
>>     # Full assignments details are available here:
>>     # http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
>>
>> More contentiously, this is an IPv6 counterpart:
>>
>> Note that I interpret the aim of these comments as an aide-memoire, rather than a tutorial on IP addressing schemes, so it's intentionally brief.
>
> I think your IPv4 text unwisely suggests that using e.g. 192.0.2.0/24 for your own stuff is okay. That's true only until you put a device with an appropriate list of unroutable IPs on your network, etc.

All those prefixes are 'unroutable' on the public Internet, and 'routable' on private internetworks at the admin's discretion. 192.0.2.0/24 is no different to the other addresses: RFC5735 says "... do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry."

> Also, if you're going to be exhaustive, you missed at least multicast.

hence my comment about being intentionally brief.

> Why do you feel this is useful?

It appears to me that the existing 'listing' is half complete, so I proposed a more thorough version. Obviously another alternative would be to remove these bits altogether:

    # RFC 1918 specifies that these networks are "internal".
    # 10.0.0.0      10.255.255.255
    # 172.16.0.0    172.31.255.255
    # 192.168.0.0   192.168.255.255

> Joachim

/Pete

Pete Vickers <p...@systemnet.no> | +47 48 17 91 00 SystemNet AS
Re: nat static-port option
On 3. feb. 2011, at 17.37, Bret S. Lambert wrote:

> On Thu, Feb 03, 2011 at 07:31:01AM -0800, Johan Beisser wrote:
>> On Feb 3, 2011, at 5:17, Martin Schröder <mar...@oneiros.de> wrote:
>>> 2011/2/3 Bret Lambert <bret.lamb...@gmail.com>:
>>>> Counting my toaster?
>>>
>>> Your toaster has an IP?
>>
>> Yours doesn't? He's got IPv6!
>
> His *cockroaches' toasters* have IPs!

He doesn't appear to 'have' IPv6...

http://www.ris.ripe.net/dashboard/24640

/Pete
Options iCON401 USB 'modem' needs umass-umsm tickle ?
Hi,

My Option iCON401 (aka GI401) [1] appears to require tickling to re-appear as a umsm instead of the initial umass. Can someone point me at the file/list to add the IDs to, to invoke this?

thanks
/Pete

    $ usbdevs -dv -f /dev/usb0
    Controller /dev/usb0:
    addr 1: high speed, self powered, config 1, EHCI root hub(0x), Intel(0x8086), rev 1.00
      uhub0
       port 1 addr 2: high speed, power 500 mA, config 1, Globetrotter HSUPA Modem(0x7401), Option N.V.(0x0af0), rev 0.00, iSerialNumber Serial Number
         umass0

Under Mac OS X it creates 4 serial lines:

    mbp:~ pete$ ls -l /dev/tty.GI*
    crw-rw-rw-  1 root  wheel   11,   8 Jan 26 22:35 /dev/tty.GI401 App
    crw-rw-rw-  1 root  wheel   11,  10 Jan 26 22:35 /dev/tty.GI401 Control
    crw-rw-rw-  1 root  wheel   11,   6 Jan 26 22:35 /dev/tty.GI401 Diag
    crw-rw-rw-  1 root  wheel   11,  12 Jan 26 22:35 /dev/tty.GI401 Modem

[1] http://www.option.com/en/products/products/usb-modems/icon401
Re: secure popa3d
No problem with the inbuilt pop3d. Some hints for you:

    $ grep pop3 /etc/inetd.conf
    127.0.0.1:pop3  stream  tcp  nowait  root  /usr/sbin/popa3d  popa3d

    $ pkg_info | grep stunnel
    stunnel-4.20        SSL encryption wrapper for standard network daemons

    $ grep -A 3 pop3s /etc/stunnel/stunnel.conf
    [pop3s]
    accept = 995
    connect = 127.0.0.1:110

/Pete

On 21. jan. 2011, at 12.49, OpenBSD Geek wrote:

> Hi,
> I'm trying to build a mailserver with OpenBSD, Sendmail, cyrus-sasl, and popa3d. All works good. And thank you for all replies (for sendmail question).
> Is there a way to secure popa3d, except using TCPWrappers (tcpd)?
> Thank you for your help.
> Wesley M.
NAT64 via pf/OpenBSD
Hi,

We're currently deploying some IPv6 connectivity (no flame wars please), and need to provide a suitable transition solution for IPv6-only clients to access IPv4 services. At a bare minimum generic TCP/UDP/ICMP services should be supported for large pools of users.

I'm aware of Reyk's work here:
http://marc.info/?l=openbsd-cvs&m=121676868023535&w=2
but AFAICT this doesn't address several of our requirements.

The most appropriate solution appears to be stateful NAT64 (with DNS64 to support it), as described in these RFC drafts:
http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-stateful-12
http://tools.ietf.org/html/draft-ietf-behave-dns64-11

Some time ago a NAT64 implementation employing pf and an OpenBSD kernel patch was released by Viagenie (together with DNS64 patches for bind/unbound):
http://ecdysis.viagenie.ca/download.html
However major changes to pf have occurred since 4.6 and thus it has suffered from bit rot. Note however that it is released under a BSD license.

So given all of this background, are any of the devs interested in bringing these patches up to date, and ideally incorporating them into the tree? If financial motivation is required, then drop me a note off-list please.

Finally I'd just like to say that I (like most other network engineers) dislike IPv6, but am increasingly required to work with it. Therefore I believe that this functionality would be a valuable addition to the swiss army knife of IP networking that OpenBSD has become.

thanks,
/Pete
Re: IVI support ?
For v6 clients to access v4 services, see this RFC:
http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-stateful-12

Implemented on OpenBSD via pf & BIND patches:
http://ecdysis.viagenie.ca/

/Pete

On 12 Oct 2010, at 13:01, Xavier Beaudouin wrote:

> Hello,
>
> About IPv6 and IPv4 access, my company wants to kill dual stack stuff or limit it to the minimum possible, and avoid subnetting that, unfortunately, loses IPs every time.
>
> Our idea is to have all our systems be IPv6-only native, and when an IPv4 host wants to access an IPv6 service, IVI can do the translation (this is not magic, but the idea is to provide specific IPv6 hosts to be visible outside the IPv6 internet).
>
> So I got on IVI : IPv4 - IPv6 mapping :
> http://www.ivi2.org/
>
> There is a draft about that :
> http://tools.ietf.org/html/draft-xli-behave-ivi-07
>
> Does OpenBSD have any support for this draft ? Or can we do that using OpenBSD standard tools (eg pf or relayd ?).
>
> I really don't want us to rely on Linux, so that's why I'm asking the question about that... Since OpenBSD is really a network toolbox (OpenOSPF/BGP, etc.), this can help to get an internet that is v6 ready ?
>
> Regards,
> xavier

Pete Vickers
p...@systemnet.no | +47 48 17 91 00
SystemNet AS
OpenSSHd
Hi,

I'm trying to set up a box such that normal users are chroot'd to their home directories, and can only use sftp. I have added this to the config file & restarted sshd:

r...@container ~ tail /etc/ssh/sshd_config
#
#
#
# all non-wheel users should be chrooted to their home and sftp only
#
Match Group !wheel
	ForceCommand internal-sftp
	ChrootDirectory %h
	AllowTcpForwarding no
	X11Forwarding no

However normal users are still not chrooted, and can still ssh into the box. Any clues what I'm doing wrong ? Google seems to hint that the chroot directory might have to be owned by root, but that seems strange, since users couldn't then write files in their own home ?

/Pete
Re: OpenSSHd
On 13 Sep 2010, at 13:17, Joachim Schipper wrote:

> On Mon, Sep 13, 2010 at 10:59:56AM +0200, Pete Vickers wrote:
> > I'm trying to set up a box such that normal users are chroot'd to their home directories, and can only use sftp.
> >
> > Any clues what I'm doing wrong ? Google seems to hint that the chroot directory might have to be owned by root, but that seems strange, since users couldn't then write files in their own home ?
>
> A chroot jail where the new root isn't owned by the root user is effectively impossible to secure. Set the home directories to /home/user/files and chroot to /home/user, or somesuch.

Hmm. Messy. But even if I set it like this:

r...@container ~ tail /etc/ssh/sshd_config
# all non-wheel users should be chrooted to home and sftp only
#
Match Group !wheel
	ForceCommand internal-sftp
	ChrootDirectory /home
	AllowTcpForwarding no
	X11Forwarding no

r...@container ~ ls -la /home
total 28
drwxr-xr-x   7 root  wheel  512 Sep 10 12:46 .
drwxr-xr-x  14 root  wheel  512 Jul 25 13:43 ..
drwxr-xr-x   3 fred  fred   512 Sep 10 12:05 fred
...

normal users can still ssh in, and are not chroot'd. What am I doing wrong ?

/Pete
Re: OpenSSHd
ahh. that works perfectly, thanks !

/Pete

On 13 Sep 2010, at 18:25, Andy Bradford wrote:

> Thus said Pete Vickers on Mon, 13 Sep 2010 16:32:08 +0200:
>
> > Match Group !wheel
>
> Forget my last suggestion. :-) Just make a pattern-list and use:
>
> Match Group *,!wheel
>
> Andy
Re: cardbus on sparc64
# inserted card here #

data error type 32 sfsr=0 sfva=4fdcc010 afsr=8800 afva=1fe0102 tf=0x4000f9c9800
panic: data fault: pc=1408748 addr=4fdcc010 sfsr=0
kdb breakpoint at 1442b20
Stopped at      Debugger+0x4:   nop
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
data_access_error(4000f9c9800, 400, 1fe0102, 8800, 4fdcc010, 0) at data_access_error+0xd8
trapbase_sun4v(0, 2, 0, 1531180, 1, e0018040) at trapbase_sun4v+0x87a8
pci_conf_read(, 0, 0, 0, 1800, 1800) at pci_conf_read+0x28
cardbus_attach_card(0, 40009776000, 0, 1515000, 0, 4e195a0) at cardbus_attach_card+0xc0
cardslot_event(1400, 4e3fc80, 18bba00, 1886f88, 0, 0) at cardslot_event+0x200
workq_thread(180ff28, 400097be6c0, 1515b20, 1513fb8, 1, e0018040) at workq_thread+0x28
proc_trampoline(0, 0, 0, 0, 0, 0) at proc_trampoline+0x4
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT          COMMAND
 26645      1  26645      0  3      0x4082  ttyin         sh
    13      0      0      0  3    0x100200  bored         crypto
    12      0      0      0  3    0x100200  aiodoned      aiodoned
    11      0      0      0  3    0x100200  syncer        update
    10      0      0      0  3    0x100200  cleaner       cleaner
     9      0      0      0  3    0x100200  reaper        reaper
     8      0      0      0  3    0x100200  pgdaemon      pagedaemon
     7      0      0      0  3    0x100200  pftm          pfpurge
     6      0      0      0  3    0x100200  usbtsk        usbtask
     5      0      0      0  3    0x100200  usbevt        usb0
    *4      0      0      0  7    0x100200                syswq
     3      0      0      0  3  0x40100200                idle0
     2      0      0      0  3    0x100200  kmalloc       kmthread
     1      0      1      0  3      0x4080  wait          init
     0     -1      0      0  3     0x80200  scheduler     swapper
ddb>

/Pete

On 25 Aug 2010, at 20:22, Bret S. Lambert wrote:

> On Wed, Aug 25, 2010 at 08:12:34PM +0200, Pete Vickers wrote:
> > I have a SunBlade100 running 4.7RELEASE which I stuck a PCI/Cardbus adapter in; and it appears to be recognised in dmesg:
> >
> > . . .
> > cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
> > cardslot0 at cbb0 slot 0 flags 0
> > cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
> > pcmcia0 at cardslot0
> > . . .
> > (full dmesg at foot)
> >
> > However whenever I insert a card into the adapter the machine panics. The same happens if I insert the card before boot, whereupon it panics midway through booting. I have tried various WLAN and GPRS cards. Before I go collecting ddb trace/ps, is this the expected behaviour (e.g. a known endian issue or suchlike) ?
>
> I'm gonna say not. Trace/ps would give me something to do while I ignore packing my apartment.
>
> > BTW, I notice that PR3871 addressed the adapter itself (at least in i386).
> >
> > /Pete
> >
> > full dmesg:
> > console is keyboard/display
> > Copyright (c) 1982, 1986, 1989, 1991, 1993
> >         The Regents of the University of California.  All rights reserved.
> > Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org
> >
> > OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
> >     dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
> > real mem = 805306368 (768MB)
> > avail mem = 767369216 (731MB)
> > mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
> > cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
> > cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64 b/l)
> > psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
> > psycho0: bus range 0-1, PCI bus 0
> > psycho0: dvma map c000-dfff
> > pci0 at psycho0
> > ebus0 at pci0 dev 12 function 0 Sun RIO EBus rev 0x01
> > flashprom at ebus0 addr 0-f not configured
> > clock1 at ebus0 addr 0-1fff: mk48t59
> > ebus1 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
> > dma at ebus1 addr 0- ivec 0x2a not configured
> > power0 at ebus1 addr 800-82f ivec 0x20
> > com0 at ebus1 addr 3f8-3ff ivec 0x2b
Re: Checking Routes/Gateways For Good Connection
On 26 Aug 2010, at 00:18, Don Tek wrote:

> I've recently implemented a firewall with two internet connections using multipath routing and round-robin outbound load balancing. I am looking for a solution from the shell to detect failure of these two internet gateways so I can force routing and pf changes from a script. I need something more robust than simply checking to see if the interface is up or down.
>
> I have managed a solution using traceroute that allows me to accomplish half of my goal. I can detect a failure and down that route, however, once I delete the default route from the routing table for the failed connection, I can no longer test it with traceroute. This is because it doesn't appear to me that OpenBSD's traceroute allows forcing an interface to work on.
>
> I am looking for better solutions from some of you more experienced users. Any suggestions are welcome.
>
> don..

Taking a look at the bigger picture, the 'correct' way to do this is to have redundancy at the firewall level as well as at the ISP link level. This gives higher availability, and makes your problem much easier. If you have a single ISP link per firewall then link testing is simple. Redundancy/LB is then managed by CARP between the two firewalls' _inside_ interfaces.

/Pete
cardbus on sparc64
I have a SunBlade100 running 4.7RELEASE which I stuck a PCI/Cardbus adapter in; and it appears to be recognised in dmesg:

. . .
cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
. . .
(full dmesg at foot)

However whenever I insert a card into the adapter the machine panics. The same happens if I insert the card before boot, whereupon it panics midway through booting. I have tried various WLAN and GPRS cards. Before I go collecting ddb trace/ps, is this the expected behaviour (e.g. a known endian issue or suchlike) ?

BTW, I notice that PR3871 addressed the adapter itself (at least in i386).

/Pete

full dmesg:
console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
    dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 805306368 (768MB)
avail mem = 767369216 (731MB)
mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64 b/l)
psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
psycho0: bus range 0-1, PCI bus 0
psycho0: dvma map c000-dfff
pci0 at psycho0
ebus0 at pci0 dev 12 function 0 Sun RIO EBus rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
ebus1 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
dma at ebus1 addr 0- ivec 0x2a not configured
power0 at ebus1 addr 800-82f ivec 0x20
com0 at ebus1 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
com1 at ebus1 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
gem0 at pci0 dev 12 function 1 Sun ERI Ether rev 0x01: ivec 0x7c6, address 00:03:ba:08:46:e8
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
Sun FireWire rev 0x01 at pci0 dev 12 function 2 not configured
ohci0 at pci0 dev 12 function 3 Sun USB rev 0x01: ivec 0x7e4, version 1.0, legacy support
alipm0 at pci0 dev 3 function 0 Acer Labs M7101 Power rev 0x00: 223KHz clock
iic0 at alipm0
max1617 at alipm0 addr 0x18 skipped due to alipm0 bugs
scm001 at alipm0 addr 0x20 skipped due to alipm0 bugs
spdmem0 at iic0 addr 0x50: 256MB SDRAM ECC PC133CL2
spdmem1 at iic0 addr 0x51: 256MB SDRAM ECC PC133CL2
spdmem2 at iic0 addr 0x52: 256MB SDRAM ECC PC133CL2
autri0 at pci0 dev 8 function 0 Acer Labs M5451 Audio rev 0x01: ivec 0x7e3
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at autri0
midi0 at autri0: 4DWAVE MIDI UART
pciide0 at pci0 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x7cc for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: WDC WD200BB-60DGA0
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI, DVD A DH20A4H, QP59 ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
ppb0 at pci0 dev 5 function 0 DEC 21152 PCI-PCI rev 0x03
pci1 at ppb0 bus 1
ral0 at pci1 dev 1 function 0 Ralink RT2560 rev 0x01: ivec 0x7ca, address 00:11:50:a8:c8:a2
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
machfb0: ATY,RageXL, 1280x1024
wsdisplay0 at machfb0 mux 1: console (std, sun emulation)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 Sun OHCI root hub rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 2 configuration 1 interface 0 Sun Microsystems Type 6 Keyboard rev 1.00/1.01 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 19
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub0 port 4 configuration 1 interface 0 Sun Microsystems Type 6 Mouse rev 1.00/1.02 addr 3
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
bootpath: /p...@1f,0/i...@d,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b
Re: X default screen resolution on sparc64
On 27 Jul 2010, at 15:09, Pete Vickers wrote:

> Hi,
>
> From dmesg, the graphics card in my Sun blade100 is:
>
> machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
> machfb0: ATY,RageXL, 1280x1024
>
> which is connected via DVI cable to a Sun monitor #365-1429. This monitor supports 1280x1...@60hz. However starting X without a config file only runs it at 800x600. These lines appear relevant in the Xorg log file:
>
> (II) MACH64(0): default monitor: Using default hsync range of 31.50-37.90 kHz
> (II) MACH64(0): default monitor: Using default vrefresh range of 50.00-70.00 Hz
> ...
> (II) MACH64(0): Not using default mode 1280x1024 (hsync out of range)
>
> I thought that one of the big advantages of DVI was that the card could query the monitor to discover the supported modes automatically ? Are there any commands I can use to enable such probing ? Or do I have to create an entire cfg file to manually enable a higher resolution ? Is there any way to automatically generate a basic config file to subsequently edit ?

To answer my own question for the sake of the archive, you can of course just write a partial /etc/X11/xorg.conf, and let the defaults provide the rest. This was all that was necessary for me:

Section "Device"
	Identifier   "ATI Rage XL"
	Driver       "ati"
	BusID        "PCI:0:19:0"
	Option       "composite_sync"   "True"
	Option       "reference_clock"  "29.5MHz"
EndSection

Section "Monitor"
	Identifier   "Sun L9ZF"
	# 31.5 kHz to 81.1 kHz Horizontal
	# 56.0 Hz to 76.0 Hz Vertical
	HorizSync    32-81
	VertRefresh  56-76
EndSection

Section "Screen"
	Identifier   "Default Screen"
	Device       "ATI Rage XL"
	Monitor      "Sun L9ZF"
	DefaultDepth 16
	SubSection "Display"
		Depth  16
		Modes  "1280x1024"
	EndSubSection
EndSection
===
X default screen resolution on sparc64
Hi,

From dmesg, the graphics card in my Sun blade100 is:

machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
machfb0: ATY,RageXL, 1280x1024

which is connected via DVI cable to a Sun monitor #365-1429. This monitor supports 1280x1...@60hz. However starting X without a config file only runs it at 800x600. These lines appear relevant in the Xorg log file:

(II) MACH64(0): default monitor: Using default hsync range of 31.50-37.90 kHz
(II) MACH64(0): default monitor: Using default vrefresh range of 50.00-70.00 Hz
...
(II) MACH64(0): Not using default mode 1280x1024 (hsync out of range)

I thought that one of the big advantages of DVI was that the card could query the monitor to discover the supported modes automatically ? Are there any commands I can use to enable such probing ? Or do I have to create an entire cfg file to manually enable a higher resolution ? Is there any way to automatically generate a basic config file to subsequently edit ?

thanks,
/Pete

Xorg.log & dmesg follow:

r...@blade100 ~ cat /var/log/Xorg.0.log
(--) Using wscons driver

X.Org X Server 1.6.5
Release Date: 2009-10-11
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 4.7 sparc64
Current Operating System: OpenBSD blade100.my.domain 4.7 GENERIC#258 sparc64
Build Date: 15 March 2010  06:22:14PM

	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: /var/log/Xorg.0.log, Time: Tue Jul 27 14:37:09 2010
(II) Loader magic: 0x1b20
(II) Module ABI versions:
	X.Org ANSI C Emulation: 0.4
	X.Org Video Driver: 5.0
	X.Org XInput driver : 4.0
	X.Org Server Extension : 2.0
(II) Loader running on openbsd
(--) PCI: (0:0:3:0) 10b9:7101:: Acer Labs M7101 Power rev 0
(--) PCI:*(0:0:19:0) 1002:4752:: ATI Rage XL rev 39, Mem @ 0x0400/16777216, 0x00426000/4096, I/O @ 0x0b00/256, BIOS @ 0x/131072
(==) Using default built-in configuration (12 lines)
(==) --- Start of built-in configuration ---
	Section Device
		Identifier	Builtin Default ati Device 0
		Driver	ati
	EndSection
	Section Screen
		Identifier	Builtin Default ati Screen 0
		Device	Builtin Default ati Device 0
	EndSection
	Section ServerLayout
		Identifier	Builtin Default Layout
		Screen	Builtin Default ati Screen 0
	EndSection
(==) --- End of built-in configuration ---
(==) ServerLayout Builtin Default Layout
(**) |--Screen Builtin Default ati Screen 0 (0)
(**) |   |--Monitor default monitor
(**) |   |--Device Builtin Default ati Device 0
(==) No monitor specified for screen Builtin Default ati Screen 0. Using a default monitor configuration.
(==) Not automatically adding devices
(==) Not automatically enabling devices
(==) FontPath set to:
	/usr/X11R6/lib/X11/fonts/misc/,
	/usr/X11R6/lib/X11/fonts/TTF/,
	/usr/X11R6/lib/X11/fonts/OTF,
	/usr/X11R6/lib/X11/fonts/Type1/,
	/usr/X11R6/lib/X11/fonts/100dpi/,
	/usr/X11R6/lib/X11/fonts/75dpi/
(==) ModulePath set to /usr/X11R6/lib/modules
(==) |--Input Device default pointer
(==) |--Input Device default keyboard
(==) The core pointer device wasn't specified explicitly in the layout. Using the default mouse configuration.
(==) The core keyboard device wasn't specified explicitly in the layout. Using the default keyboard configuration.
(II) System resource ranges:
(II) LoadModule: extmod
(II) Loading /usr/X11R6/lib/modules/extensions//libextmod.so
(II) Module extmod: vendor=X.Org Foundation
	compiled for 1.6.5, module version = 1.0.0
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 2.0
(II) Loading extension MIT-SCREEN-SAVER
(II) Loading extension XFree86-VidModeExtension
(II) Loading extension XFree86-DGA
(II) Loading extension DPMS
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation
(II) Loading extension X-Resource
(II) LoadModule: dbe
(II) Loading /usr/X11R6/lib/modules/extensions//libdbe.so
(II) Module dbe: vendor=X.Org Foundation
	compiled for 1.6.5, module version = 1.0.0
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 2.0
(II) Loading extension DOUBLE-BUFFER
(II) LoadModule: glx
(II) Loading /usr/X11R6/lib/modules/extensions//libglx.so
(II) Module glx: vendor=X.Org Foundation
	compiled for 1.6.5, module version = 1.0.0
	ABI class: X.Org Server Extension, version 2.0
(==) AIGLX enabled
(II) Loading extension GLX
(II) LoadModule: dri
(II) Loading /usr/X11R6/lib/modules/extensions//libdri.so
(II) Module dri: vendor=X.Org Foundation
Re: Multiple VLANs in the same subnet on different Routing Domains
It only affects traffic via that next hop, but yes. Without a more complete description from the OP it's tricky to say whether that's acceptable or not. However, attacking the problem from a different angle, if all that is needed is a measure of connectivity to the example remote host, then maybe he could use traceroute instead to gather the statistics from. The advantage here is that he could employ traceroute's '-g' option to specify which gateway to use for that probe.

/Pete

On 24 Jul 2010, at 23:14, Philip Guenther wrote:

> On Sat, Jul 24, 2010 at 5:30 AM, Pete Vickers <peter.vick...@gmail.com> wrote:
> > if your testing host is in the same subnet as the 3 gateways' inside interfaces, then your probe script can just overwrite the ARP entry for the next hop to each of the gateways in turn. no need to do any layer 3 changes at all.
>
> So you're suggesting that he do it so that each change affects all the processes on the system and all network connections instead of limiting it to the pings that need the change? Umm, kay...
>
> Philip Guenther
h/w accelerated packet forwarding/filtering
Hi,

I seem to recall that there was some discussion (in a Claudio presentation IIRC) about OBSD potentially supporting h/w based forwarding at some time in the distant future. At a first glance, this (NetFPGA) project appears to be the kind of thing that's needed to kick start such an activity:
http://netfpga.org/foswiki/bin/view/NetFPGA/OneGig/LearnMore

And the license appears to be appropriate (BSD style) at least for the existing code, not sure about the h/w docs.
http://netfpga.org/foswiki/bin/view/NetFPGA/OneGig/License

So, my question is, is there currently any interest by any of the devs, such that it would be worth my while to try to organise a donation pot (~1k USD) and ordering/transporting a couple to them ?
http://www.digilentinc.com/Products/Detail.cfm?Prod=NETFPGA&Nav1=Products&Nav2=Programmable

(Alternatively this email can rot in the misc@ archive, so that next time someone wonders, the answer will be ready google'able)

/Pete
Re: Multiple VLANs in the same subnet on different Routing Domains
If your testing host is in the same subnet as the 3 gateways' inside interfaces, then your probe script can just overwrite the ARP entry for the next hop to each of the gateways in turn. No need to do any layer 3 changes at all.

/Pete

On 24 Jul 2010 at 12:56, Philip Guenther <guent...@gmail.com> wrote:

> On Thu, Jul 22, 2010 at 9:15 AM, <sslay...@iom.com> wrote:
> ...
> > Ok so my problem is this. We have a single monitoring host that needs to send outbound traffic (ICMP) via the 4 different Firewalls to the _SAME_ remote address. e.g. Send ICMP to www.apple.com via FW1 then send ICMP via FW2 to www.apple.com, FW3 etc. The idea is to check the Firewalls and their upstream connectivity not the end host per se.
> >
> > To achieve this I've tried the following:
> > Create 4 VLAN interfaces all on the same VLAN as the shared subnet using alternate IP's but on different routing domains.
>
> Hmm. I don't think you need different routing domains, but rather only different routing tables. You only need to override the outbound routing and not create a separation behind interfaces.
>
> > i.e. Vlan no. 10 :
> > hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 1
> > hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0 rdomain 2
>
> Umm, what? Put yourself in the kernel's position. A packet with vlan tag of 10 is received on the bge0 physical interface: what interface and routing domain should it show up in? That's a layer 2 decision that the kernel has to make _without_ considering the src or dest IP addresses. Given that, do you see why your interface definitions there are in conflict?
>
> ...
> > If I create the 1st VLAN/rdomain everything works perfectly however as soon as I add the 2nd vlan interface traffic on both vlans stops. Destroying the 2nd vlan instance restores traffic.
>
> Yeah, that meets my expectations.
>
> > The host is running OpenBSD i386 Generic 4.7 (release). Sorry no DMESG as yet but I can get this and anything else if need be tomorrow.
> >
> > Is what I'm trying to do possible? Any help is much appreciated.
>
> Let me make sure I understand the problem. You have a system where you sometimes want to route packets out an interface according to rules other than the normal rules, but you don't need to do any separation of interfaces as far as forwarding or binding of addresses goes?
>
> If so, then I believe you only need to create distinct routing tables and not actual routing domains. To do that, you need
> 1) *one* interface bound to the correct physical device and vlan, *in the default routing domain*,
> 2) the 'route -T' commands from your message (to create the alternative routing tables), and
> 3) the 'ping -V' commands from your original message (to use those alternatives).
>
> I also strongly advise you to upgrade to -current. No, really. Claudio spent a chunk of time at c2k10 helping Peter and me understand the distinction between rtables and rdomains...and in the process of explaining and then fixing the naming in the source tree, he found some issues in the implementation. (If you really want to understand something, explain it to someone else) Here's the action shot of that explanation from jcr's article at undeadly.org:
> http://www.designtools.org/OpenBSD/c2k10/debate3-l.jpg
>
> You're working with something that's being actively updated by the developer; staying current is staying sane.
>
> Philip Guenther
Re: Sierra Wireless MC5720 Modem
the full AT command sets are available somewhere here:
http://www.google.com/search?q=at.commands+site:3gpp.org

Note that a large number of the 'modems' these days expose two serial interfaces, and only one will listen for AT commands, until correct initialisation is done...

/Pete

On 16 Jun 2010, at 07:25, Dunceor wrote:

> On Wed, Jun 16, 2010 at 5:56 AM, J.C. Roberts <list-...@designtools.org> wrote:
> > On Mon, 14 Jun 2010 20:17:44 -0500 Marco Peereboom <sl...@peereboom.us> wrote:
> > > Anyone got:
> > >
> > > umsm0 at uhub7 port 2 configuration 1 interface 0 Sierra Wireless Sierra Wireless MC5720 Modem rev 1.10/0.01 addr 2
> > > ucom0 at umsm0
> > >
> > > To work on OpenBSD? I get basically no output from the modem using this in /etc/remote:
> > >
> > > mobile:\
> > >     :at=hayes:dv=/dev/cuaU0:dv=/dev/ttya:tc=direct:tc=unixhost:
> > >
> > > # sudo tip remote
> > > connected
> > >
> > > And then I can type AT all day long and get no response. The modem isn't activated but I don't want to go spend money on activating it unless I know if that is what is causing it to not respond.
> > >
> > > Something else weird is that if I fart enough with tip and stuff to get to the modem and reboot with it on it hangs the IO subsystem. Not sure why a serial port is sitting on IPL_BIO but that is a different story.
> >
> > As mentioned off list, a vast number of the early data card designs actually have *multiple* serial ports, but only one of them is usable as a typical AT-Command modem. The other serial ports on the device(s) can only speak proprietary protocols and are used for BS Management and Monitoring functions (e.g. constantly checking/reporting signal strength).
> >
> > The umsm man page clearly mentions these other unusable ports since there's no definitive way to tell which port is usable as a modem. If a serial port on the device does not respond to AT commands, you have the wrong port. If it's the only available port on the device, then you need to tweak the umsm sources to make it look for multiple ports on your device.
> >
> > If after finding all the available ports on a device, you cannot find a port that talks AT commands, then either the device is broken or you need some secret sauce to make the device go back to speaking normal AT commands (rather than being in proprietary mode).
> >
> > Additionally, many modems support profiles which is a fancy way to say the firmware in the device remembers the settings you previously gave it. Clearing the various types of profiles/settings is often vendor/device specific. Some of the more common AT commands for resetting a device are:
> >
> >     ATZ
> >     AT&F
> >     AT+CFUN=1
> >
> > Since you will need access to a MS-windows system to do the required activation nonsense before the device will work with a given provider's network, you should look at the device to see what *.inf file is being used to define how the device is controlled. For example, the Pantech (ZTC) UMW190 I have here uses the C:\windows\inf\oem33.inf file as its definition (seeable through device properties or Modem/PPP logging if enabled). Look in said file for the Reset entry to figure out the proper AT command.
> >
> > By comparison, Sierra Wireless is one of the most open source friendly of all the data card vendors so digging around for their docs or looking at how the specific device shows up (number/type of ports) in linux might be real helpful. Dan Williams has done a lot of work on the various data card devices in linux, including some degree of reverse engineering of the proprietary protocols which the unusable ports typically speak.
> >
> > http://blogs.gnome.org/dcbw/
> >
> > Ya, ya, I know... (insert linux rant), but they do have some good info and it may be helpful.
> >
> >     jcr
> >
> > --
> > The OpenBSD Journal - http://www.undeadly.org
>
> All Ericsson based modems can be reset with AT+CFUN=1 (or if you want you can AT+CFUN=0 to turn it off and then AT+CFUN=4 to turn it on in UMTS mode). A lot of other cards support this also.
>
> BR
> Dunceor
Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration
Hi,

Transport mode IPSec has many legit uses. The first one which springs to mind is gateway-gateway encryption, over which you can use your favourite tunneling protocol e.g. L2TP or GRE. Especially useful if you're transporting multicast traffic over the VPN.

Also one of the most popular remote access VPN solutions (works 'out of the box' on Windows, OS X & Cisco routers) is L2TP over IPSec. This provides both static & dynamically addressed clients with an IPSec tunnel back to the VPN server, over which L2TP is tunneled, providing DHCP for tunnel IP addressing, and multi-protocol (IPX or IPv6 anyone ?) support.

It's also ideal for ubiquitous IP level any-to-any encryption if you spend the effort on key management issues.

/Pete

On 31 May 2010, at 18:56, Toni Mueller wrote:

> I'd say that transport mode is a design error in IPSEC and should be avoided at all costs. It also complicates network setup quite a bit, imho.
>
> Kind regards,
> --Toni++
Re:
This works for me with kernel ppp: http://archive.psg.com/gprs-vickers.txt

/Pete

On 23. mai 2010, at 02.52, J.C. Roberts wrote:

On Sat, 22 May 2010 22:08:57 +0200 patrick kristensen kristensenpatri...@gmail.com wrote:

Thanks for taking the time to answer and your fast replies.

Actually, ppp and TDMA/CDMA are a nice break from the other headaches I've been trying to solve. ;)

First of all, you either haven't mentioned the name of your service provider, or I forgot what it was. Either way, it matters. From what I can tell, you're in Spain, and I'm not familiar with the providers there.

Ted Roby recently posted his config for Virgin Mobile: http://marc.info/?l=openbsd-tech&m=127285929411780&w=2

The above may not help, but it's nice to see working examples.

In absence of cdce (using ue0 as ethernet interface (and minicom) to connect to isp) i have tried several ppp and pppd configurations to get a working internet connection on -release with no success. The following is my ppp (# ppp -auto movistar) and pppd (# pppd call movistar) attempts.

Since pppd(8) is in the kernel, it can be faster, but since ppp(8) is in userland, it can be much easier to work with when figuring things out. Once you figure out how to make things work with ppp(8), you can easily write a new config for pppd(8).

/etc/ppp/ppp.conf (appended to ppp.conf.sample)

movistar:
set device /dev/cuaU0
set speed 460800
set timeout 0
set dial ABORT BUSY TIMEOUT 5 \ \\ \ AT OK-AT-OK \ AT+CFUN=1 OK-AT-OK \ AT+CPIN? +CPIN:\\sREADY-AT+CPIN\\\\\\-OK \

The above looks wrong. Not all wireless service providers and not all cellular wireless devices require using the Personal Identification Number (PIN) when making a connection. And worse, the responses you can get vary from device to device. (see below)

Also, it is unwise to post your PIN to a public mailing list. It's not too dangerous without the IMEI and MEID of the device, but it's still not a good idea.

AT+CGDCONT=1,\\\IP\\\,\\\movistar.es\\\ OK \

The above is most likely wrong. The AT+CGDCONT= command sets the primary CONText of the device and the network it is attaching to. The first value argument states whether or not the device can be reconfigured (1), or cannot be reconfigured (3). The second argument is a string which defines the protocol used on the network. The third argument is also a string and it defines the Packet Data Network (PDN) name or Access Point Name (APN). As far as I know movistar.es is not the proper name of any Packet Data Network (PDN) or Access Point Name (APN). For example Virgin Mobile uses VDATA as the APN/PDN name, while AirTel uses airtelgprs.com as the name and of course, what your provider uses is unknown.

You need to be careful with this setting since many providers have multiple data networks. With Verizon here in the silicon valley, I can choose from three different data networks (actually four if you count EVDO Rel. 0 as a different network than EVDO Rev. A).

ATDT*99***1#

The above is wrong because it has no timeout or 'CONNECT'. Also, you should have noticed the leading double quote () which is prematurely ending your chat script *BEFORE* the required number is dialed. The above should be:

\\dATDT*99***1# TIMEOUT 30 CONNECT

The leading \\d gives a two second delay before calling. It may or may not be necessary with your hardware/provider.

set mtu maximum 750

The above is most likely wrong.

resolv rewrite

The above is often unnecessary to get things working, but rewriting /etc/resolv.conf is mostly a matter of personal choice/needs. The command you have below, namely `enable dns` should suffice.

set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0.
add default HISADDR
enable dns
#./.

/var/log/ppp.log

May 22 17:57:51 x200s ppp[8742]: Phase: Using interface: tun0
May 22 17:57:51 x200s ppp[8742]: Phase: deflink: Created in closed state
May 22 17:57:51 x200s ppp[8742]: tun0: Command: default: set device /dev/cuaU0
May 22 17:57:51 x200s ppp[8742]: tun0: Command: default: set speed 460800
May 22 17:57:51 x200s ppp[8742]: tun0: Command: default: set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT
May 22 17:57:51 x200s ppp[8742]: tun0: Command: movistar: set device /dev/cuaU0
May 22 17:57:51 x200s ppp[8742]: tun0: Command: movistar: set speed 460800
May 22 17:57:51 x200s ppp[8742]: tun0: Command: movistar: set timeout 0
May 22 17:57:51 x200s ppp[8742]: tun0: Command: movistar: set dial ABORT BUSY TIMEOUT 5 AT OK-AT-OK AT +CFUN=1 OK-AT-OK AT+CPIN? +CPIN:\\sREADY-AT+CPIN\\7291\\-OK AT +CGDCONT=1,\\IP\\,\\movistar.es\\ OK ATDT*99***1#
May 22 17:57:51 x200s ppp[8742]: tun0: Command: movistar: set mtu maximum 750
May 22 17:57:51 x200s
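The chat-script points J.C. Roberts makes above (the script alternates expect and send tokens, a dial command must be followed by a TIMEOUT/CONNECT expect, and a SIM PIN should not sit literally in a config that gets echoed to ppp.log and pasted to lists) can be checked mechanically. The following is an added example, not code from the thread or from ppp(8); the two sample scripts are constructed (the default one is modelled on the `set dial` line in the ppp.log above, the broken one on the script under discussion, with a placeholder PIN and APN), and the tokenizer only covers whitespace, double quotes and ppp's backslash escapes.

```python
import re

# Constructed sample scripts (assumptions, not the poster's real values):
# DEFAULT_DIAL mirrors ppp's stock dial script seen in ppp.log above,
# BROKEN_DIAL ends on the dial command and carries a placeholder PIN.
DEFAULT_DIAL = (r'ABORT BUSY ABORT NO\sCARRIER TIMEOUT 5 "" AT OK-AT-OK '
                r'ATE1Q0 OK \dATDT\T TIMEOUT 40 CONNECT')
BROKEN_DIAL = (r'ABORT BUSY TIMEOUT 5 "" AT OK-AT-OK AT+CFUN=1 OK-AT-OK '
               r'AT+CPIN? +CPIN:\sREADY-AT+CPIN=\"1234\"-OK '
               r'AT+CGDCONT=1,\"IP\",\"apn.example\" OK ATDT*99***1#')

# A PIN entered on the AT+CPIN= command: 4 to 8 digits after optional quoting
PIN_RE = re.compile(r"\+CPIN=\W*(\d{4,8})", re.IGNORECASE)


def tokenize(script):
    """Split a chat script on whitespace, honouring double-quoted strings
    (so "" is an empty expect) and keeping backslash escapes such as
    \\s, \\d, \\T and \\" verbatim as two-character sequences."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(script):
        c = script[i]
        if c == '"':
            in_quote = not in_quote
            if not in_quote:            # closing quote ends the token
                tokens.append("".join(cur))
                cur = []
        elif c == "\\" and i + 1 < len(script):
            cur.append(c + script[i + 1])   # keep the escape pair untouched
            i += 1
        elif c.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_chat(script):
    """Return (aborts, steps). aborts lists the ABORT strings; steps lists
    ('timeout', n), ('expect', s) and ('send', s) in script order. Outside
    the ABORT/TIMEOUT keywords a chat script alternates expect, send, ..."""
    aborts, steps, expecting, toks, i = [], [], True, tokenize(script), 0
    while i < len(toks):
        tok = toks[i]
        if tok == "ABORT":
            aborts.append(toks[i + 1])
            i += 2
        elif tok == "TIMEOUT":
            steps.append(("timeout", int(toks[i + 1])))
            i += 2
        else:
            steps.append(("expect" if expecting else "send", tok))
            expecting = not expecting
            i += 1
    return aborts, steps


def check_dial(script):
    """Problems worth flagging before a dial script is used or shared."""
    problems = []
    _, steps = parse_chat(script)
    exchange = [s for s in steps if s[0] != "timeout"]
    # Ending on a send means ppp never waits for the modem's answer; this is
    # the missing TIMEOUT/CONNECT after ATDT*99***1# discussed above.
    if exchange and exchange[-1][0] == "send":
        problems.append("ends on send %r without a following TIMEOUT n CONNECT"
                        % exchange[-1][1])
    if not any(k == "expect" and v.upper().startswith("CONNECT")
               for k, v in exchange):
        problems.append("never expects CONNECT")
    # A literal PIN is a secret: it is echoed into ppp.log and travels with
    # every pasted copy of ppp.conf.
    if any(PIN_RE.search(v) for _, v in exchange):
        problems.append("literal SIM PIN in chat script")
    return problems


if __name__ == "__main__":
    for name, script in (("default", DEFAULT_DIAL), ("broken", BROKEN_DIAL)):
        print(name, check_dial(script) or "ok")
```

Running it reports the default script as clean and lists three findings for the broken one; the expect-with-fallback form `OK-AT-OK` is kept as a single expect token, which is all this check needs.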
Re: nested vlans: safe to use?
something like this: http://www.openbsd.org/papers/asiabsdcon2010_vether/index.html especially page 6/7...

/Pete

On 11. mai 2010, at 13.45, Toni Mueller wrote:

Hi,

I've been trying to figure out whether I can use OpenBSD in a nested vlan scenario. I'm looking at a data centre where I want to get two wires, each carrying several vlans, and funneling them home across a WAN link. Various switch vendors claim to be able to do it, but I couldn't really figure out what the current state of affairs wrt. OpenBSD is. On the other side of the wires or fibres, I'll be talking to Junipers, Ciscos (6509), and/or Foundry switches and/or routers on the other side(s).

The desired setup looks like this:

data centre LAN --- switch --- WAN --- home (OpenBSD)

I want to run at least three vlans across the WAN link, and need to keep the vlans strictly separated. I also need to do traffic shaping on a per-vlan basis. :/

TIA!

Kind regards,
--Toni++
Re: Source Overview
In keeping with your 'let's get something up on there to point the whiners at', how about adding this:

* Add support for RFC5837 to OpenBSD's IP stack.

This could be a suitable task since it presumably has 'cool factor', is an easily definable task, and is not trivial to write.

/Pete

On 22. apr. 2010, at 01.51, Daniel Ouellet wrote:

I simply requested the account on that person's system because I offered to help maintain the task list. I've not been contacted so I assume they're not interested. You are not the only one with limited time.

Sorry for the late reply, but also I wanted to provide details as to why.

Your text was:

If you provide me an account and if everyone is OK sending me minimally formatted TODO lists I will gladly be the point of contact and maintain that list. What qualifies as minimally formatted? 1) Each item on a separate line prepended with a *. 2) (OPTIONAL) If you want, order them by importance. I will attempt to clean-up grammar and spelling.

The short of it is that, if you look at it, it adds more work for the developers by asking them to send in stuff. They already have it done for some. So, why duplicate the list? It will just get out of sync and obsolete very soon. Plus they have a list, so I think the most logical and efficient way to do it would be just like this:

1. Name
2. Very short blurb for the area the todo covers
3. URL to the developer's list.

And that's it. Nothing more is needed. Frankly if a developer spends time making a todo list and publishing it, then it must be somewhat maintained whenever they have time. Asking to add more management to track it and maintain yet an additional list is wrong in my book. Plus I am still not convinced it's helpful, but nevertheless I would sure be welcome to be proven wrong.

The only thing that this gives me as an idea that may have some merit is that a list of user groups might be good to have and I can add that to the site. But again, that should be as minimal as possible. City, state or province, country, language and URL to the site for the group. If no URL, then some details could be added and that may actually get some usage maybe. But keeping the time needed to maintain anything like this low is a plus, and not requiring any more from the developers has to be the goal. But again, I am not sure it's even good, but like I said, I am not opposed to it.

Like everyone else I have very little time and I didn't reply before, nor this morning to your email at 5:32AM when I saw it at 7:30 AM EST, as I had just finished another project and I do need to get some sleep sometime, as little as it might be, and I have some kind of a life too and kids to take care of as well. So, sorry for the delay.

Like I said, I am not doing a perfect job and I will admit that, but I try. Better than most anyway that asked and do nothing.

I will continue off list for the rest as there is no point in doing it here. I already saved the email from Alexandre Ratchov for his list that he sent to m...@. Just didn't have time to post it yet, but I will.

Now I need to go feed the kids, so more delay on my part.

Best,
Daniel
Re: PF: antispoof vs URPF
On 31. mars 2010, at 20.01, Claudio Jeker wrote:

On Wed, Mar 31, 2010 at 08:08:01PM +0300, Eugene Yunak wrote:

On 31 March 2010 19:27, N. Arley Dealey arley.dea...@gmail.com wrote:

It would appear to me that antispoof and URPF achieve similar results. Is there a reason to prefer one over the other?

Not at all. antispoof blocks ip packets that came in from the wrong interface, while URPF blocks packets from aliens (no entry in routing table for the source address). Just look at the output of pfctl -sr

Not at all. URPF does not only check if a route exists, it also checks that the route is pointing to the interface the packet came in on. Antispoof is only for the LAN while URPF is actually capable of tracking stuff further down. This is at the same time the problem of URPF: if you have asymmetric routing URPF fails. Antispoof works in this case since it is hard to get asymmetric routing on the LAN.

-- :wq Claudio

uRPF (at least recent incarnations of it) can be /configured/ to drop packets based on presence of /either/ :

- a matching FIB prefix outbound on the same interface the packet arrived on (strict mode)
- a matching FIB prefix outbound on any interface (loose mode)

you can also mask uRPF effect to only a subset of packets/prefixes with an ACL. pretty extensive explanation here: http://www.cisco.com/web/about/security/intelligence/urpf.pdf

/Pete
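The three behaviours compared in this thread (strict uRPF, loose uRPF, and pf's antispoof) can be shown side by side against one small routing table. This is an added example, not code from the thread or from pf or IOS: the FIB, interface names and addresses are constructed, `antispoof` is a deliberately simplified model of what `antispoof for $if` blocks (sources from a directly connected network arriving on another interface), and the `allow_default` flag models the Cisco behaviour where a default route does not count as a reverse path unless explicitly allowed.

```python
import ipaddress

# Constructed FIB: (prefix, egress interface, directly connected?).
# Interface names and prefixes are assumptions for this example.
FIB = [
    ("0.0.0.0/0",    "em0", False),   # default route towards the upstream
    ("192.0.2.0/24", "em0", True),    # upstream link network
    ("10.1.0.0/16",  "em1", True),    # LAN directly behind em1
    ("10.2.0.0/16",  "em2", False),   # remote site, normally reached via em2
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, iface, connected) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface, connected in fib:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, connected)
    return best


def urpf(fib, src, ingress, mode="strict", allow_default=False):
    """True if the packet passes the reverse-path check.
    strict: the route back to src must leave via the ingress interface.
    loose:  any route for src is enough.
    With allow_default=False a 0.0.0.0/0 match counts as 'no route'; if the
    default route were counted, loose mode would pass every source."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface, _ = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return True if mode == "loose" else iface == ingress


def antispoof(fib, src, ingress):
    """Simplified pf antispoof: drop only when src belongs to a directly
    connected network and arrived on some other interface. Sources inside
    routed (non-connected) prefixes are not examined at all."""
    hit = lookup(fib, src)
    if hit is None or not hit[2]:
        return True
    return hit[1] == ingress


if __name__ == "__main__":
    cases = [("10.1.5.5", "em1"),      # LAN host on its own interface
             ("10.1.5.5", "em0"),      # LAN address arriving from upstream
             ("10.2.7.7", "em1"),      # remote site via the 'wrong' path
             ("172.16.0.1", "em0")]    # only the default route matches
    for src, ifn in cases:
        print(src, ifn, "strict=%s loose=%s antispoof=%s" % (
            urpf(FIB, src, ifn), urpf(FIB, src, ifn, "loose"),
            antispoof(FIB, src, ifn)))
```

The 10.2.7.7-on-em1 row is Claudio's asymmetric-routing case: strict mode drops it, loose mode accepts it, and antispoof never looks at it because 10.2.0.0/16 is not a connected network. The 172.16.0.1 row shows why loose mode on a router with a default route needs the default excluded to mean anything.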
Re: A small research paper - Thoughts about Cisco.
On 11. mars 2010, at 12.13, TS Lura wrote:

Dear OpenBSD community,

I'm doing a small research paper on Cisco and try to find out if they are evil or not in relation to open/free source/standards, and business practice. Eg. locking people to their product line aka the MS way.

I'm sending this mail to you guys because I think many of you know a lot about networking, and the networking industry. I'm hoping that someone would be kind and share some of their impressions of Cisco with me.

My hypothesis is that Cisco is following the best business practice in relation to proprietary and open/free source. To answer this hypothesis I'm trying to find out if Cisco is using their proprietary solution when there is a better open/free alternative.

My preliminary thoughts are taken from what I have perceived, that Cisco makes a proprietary solution to give them an edge and uniqueness in the market which they can harvest capital from. And when that solution has become commonplace they switch over to non-proprietary solutions to become more interoperable and thus stay competitive.

First, is this a reasonable observation? Second, are there any deviations from this trend? If so, why?

I'm very grateful for any reply I get.

Kind regards,
TSLura.

Hi,

Lots of flame-bait in there, which at least I am happily ignoring. Couple of interesting points though:

1. Time to market, it's normally 'do it yourself' in private first, then open source later. E.g. Cisco did ISL first until 802.1Q was later established as the standard, and adopted by them.

2. Thoroughbred solutions, e.g. some (most?) products are a mix and match of proprietary and open source, e.g. see this link for open source software incorporated into a particular Cisco product: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/license/fwsmoslic.html

/Pete
Re: any known working configuration of OpenBGPd and CARP ?
On 7. mars 2010, at 00.07, Claudio Jeker wrote:

On Sat, Mar 06, 2010 at 06:52:24PM +0100, Rogier Krieger wrote:

On Sat, Mar 6, 2010 at 17:26, Илья Шипицин chipits...@gmail.com wrote:

no, I want routes exactly to carp.

That sounds odd. Routes are something different than which particular host responds to frames directed to a specific hardware address.

If I understand the rest of your description correctly, you want only the master bgpd to have sessions and to somehow distribute its routes to the backup(s), with the backups starting with that 'state' and initiating connections to your BGP peers whenever a master goes down. I doubt that'll work.

In your scenario, if your master goes down, there are no longer any BGP sessions up with any of your peers. If I'm not mistaken, that will cause them to withdraw the prefixes you previously advertised from their tables and no longer forward traffic to you.

Right, as soon as the master dies the routes will be withdrawn (there may be some overlap since it is possible that carp switches before bgpd realizes the loss). At the moment it is not possible to have a real backup router running. I have some ideas and partial diffs that will allow backup CARP nodes to preload tables. Main problem is that we need graceful restart for this but most peers (as in cizzzcoee) are not able to assist graceful restart. Btw. I'm looking for a device that is capable of doing graceful restarts (as for example some foundry) to test my diff against. Would be great if I could get access to a lab router to play with.

When your new master is promoted, it will set up a new session with your peers. This is probably not the sort of failover you want to see happening in production.

That's why you have multiple bgpd routers with redundant paths.

-- :wq Claudio

Not 100% sure what you mean by ...are not able to assist..., but IOS supports BGP graceful restart as per RFC4724. e.g.: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftbgpnsf.html#wp1049642

/Pete
Re: kern.maxclusters: 6144 - ?
On 26. feb. 2010, at 11.58, Claudio Jeker wrote:

On Fri, Feb 26, 2010 at 11:30:30AM +0100, Pete Vickers wrote:

On 26. feb. 2010, at 03.01, Aaron Mason wrote:

On Thu, Feb 25, 2010 at 10:04 AM, Pete Vickers p...@systemnet.no wrote:

Hi,

A proxy (squid) server running i386/4.6RELEASE with around 800 users, what would be a reasonable value to increase kern.maxclusters to, to cure this :

r...@proxy-s ~ grep mcl /var/log/messages
Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters

r...@proxy-s ~ sysctl kern.maxclusters
kern.maxclusters=6144

r...@proxy-s ~ netstat -m
4098 mbufs in use:
1131 mbufs allocated to data
2962 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
14176 Kbytes allocated to network (22% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

something like kern.maxclusters=1 or ?

/Pete

Only you can answer that, Pete. Try increasing it gradually until the errors go away. And if the error returns, increase it again. If it makes your system unstable, lower it until it returns to stability. Increments (and decrements, if necessary) of 256 would probably be wise. Getting the right balance with any system is all about trial and error - trying different things until things are running smoothly - or acceptably so in some situations. It's also about the balance between workability and stability. Sometimes you just can't have your cake and eat it too - stability must be the priority. My $0.02 there.

-- Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

Hi,

Indeed, the only problem is that if it's too low, then the system hangs.

I guess only the network hangs, since there are no clusters available to be used by drivers or other sockets. Normally the system should not hang itself because of that.

Presumably if it's too high, then the 'system instability' manifests itself as hanging too, so it's tricky to tell which way to go, once you deviate from the norm ...

Yes, if set too high you can run the kernel out of memory (physical or virtual) which normally causes a panic or freeze.

Anyway for the archives I'm trying 8192 currently, hopefully that will reduce the crashes...

6016 mbufs in use:
2151 mbufs allocated to data
3860 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1979/5664/8192 mbuf 2048 byte clusters in use (current/peak/max)
0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
14048 Kbytes allocated to network (38% in use)

You're allocating a max of 8192 2k buffers or 4096 4k pages or 16MB of memory. On a modern system with 1GB of memory everything below 64MB or 128k clusters should work if you don't fiddle with other knobs that rob all memory from the kernel.

-- :wq Claudio

okay, sounds reasonable. I've also 'fiddled with other knobs' too, so I hope my kern.maxclusters at 8192 should not cause exhaustion in conjunction with:

net.inet.ip.ifq.maxlen=512
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
kern.maxfiles=8192
kern.maxclusters=8192

BTW, when the system runs out of (these?) resources, it sometimes prevents SSH access or squid use, but still keeps a CARP peering alive, preventing failover to its backup partner, which is somewhat frustrating (I know I could script around this). On other occasions, it drops into ddb, which at least allows the CARP backup to take over duties. (I know I should file a bug report for this)

/Pete
Sun Fire 880 phantom disks
Hei,

Booting either 4.6-RELEASE or 4.7-BETA on my SunFire 880 causes the kernel to 'see' twice the correct number of physical disks. Further, if I install the o/s using bsd.rd on to sd0, then upon reboot the kernel can't find the root disk. However if I install on sd12 then booting etc is fine. The machine has physically 12 disks (36GB FC-AL), which appear to be duplicated as sd0-sd11 and sd12-23.

r...@sf880 ~sysctl hw.disknames
hw.disknames=cd0,sd0,sd1,sd2,sd3,sd4,sd5,sd6,sd7,sd8,sd9,sd10,sd11,sd12,sd13,sd14,sd15,sd16,sd17,sd18,sd19,sd20,sd21,sd22,sd23

compare disk serial numbers :

r...@sf880 ~bioctl sd0
sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
r...@sf880 ~bioctl sd1
sd1: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK
r...@sf880 ~bioctl sd12
sd12: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
r...@sf880 ~bioctl sd13
sd13: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK

full dmesg:

console is /p...@9,70/e...@1/ser...@1,40:a
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2009 OpenBSD. All rights reserved.
http://www.OpenBSD.org OpenBSD 4.6 (GENERIC.MP) #53: Thu Jul 9 21:50:16 MDT 2009 dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC.MP real mem = 4294967296 (4096MB) avail mem = 4140875776 (3949MB) mainbus0 at root: Sun Fire 880 cpu0 at mainbus0: SUNW,UltraSPARC-III (rev 5.4) @ 750 MHz cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 8192K external (512 b/l) cpu1 at mainbus0: SUNW,UltraSPARC-III (rev 5.4) @ 750 MHz cpu1: physical 32K instruction (32 b/l), 64K data (32 b/l), 8192K external (512 b/l) memory-controller at mainbus0 not configured memory-controller at mainbus0 not configured schizo0 at mainbus0: Schizo, version 4, ign 200, bus B 0 to 1 schizo0: dvma map c000- pci0 at schizo0 siop0 at pci0 dev 1 function 0 Symbios Logic 53c875 rev 0x04: ivec 0x21c, using 4K of on-board RAM scsibus0 at siop0: 16 targets, initiator 7 cd0 at scsibus0 targ 6 lun 0: TOSHIBA, DVD-ROM SD-M1401, 1009 SCSI2 5/cdrom removable ppb0 at pci0 dev 5 function 0 DEC 21154 PCI-PCI rev 0x05 pci1 at ppb0 bus 1 isp0 at pci1 dev 4 function 0 QLogic ISP2200 rev 0x05: ivec 0x218 isp0: Board Type 2200, Chip Revision 0x5, loaded F/W Revision 2.2.6 scsibus1 at isp0: 512 targets sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd0: 34732MB, 512 bytes/sec, 71132959 sec total sd1 at scsibus1 targ 1 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd1: 34732MB, 512 bytes/sec, 71132959 sec total sd2 at scsibus1 targ 2 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd2: 34732MB, 512 bytes/sec, 71132959 sec total sd3 at scsibus1 targ 3 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd3: 34732MB, 512 bytes/sec, 71132959 sec total sd4 at scsibus1 targ 4 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd4: 34732MB, 512 bytes/sec, 71132959 sec total sd5 at scsibus1 targ 5 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd5: 34732MB, 512 bytes/sec, 71132959 sec total ses0 at scsibus1 targ 6 
lun 0: SUNW, SUNWGS INT FCBPL, 9222 SCSI3 13/enclosure services fixed sd6 at scsibus1 targ 7 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd6: 34732MB, 512 bytes/sec, 71132959 sec total sd7 at scsibus1 targ 8 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd7: 34732MB, 512 bytes/sec, 71132959 sec total sd8 at scsibus1 targ 9 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd8: 34732MB, 512 bytes/sec, 71132959 sec total sd9 at scsibus1 targ 10 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd9: 34732MB, 512 bytes/sec, 71132959 sec total sd10 at scsibus1 targ 11 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd10: 34732MB, 512 bytes/sec, 71132959 sec total sd11 at scsibus1 targ 12 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd11: 34732MB, 512 bytes/sec, 71132959 sec total isp1 at pci1 dev 5 function 0 QLogic ISP2200 rev 0x05: ivec 0x219 isp1: Board Type 2200, Chip Revision 0x5, loaded F/W Revision 2.2.6 scsibus2 at isp1: 512 targets schizo1 at mainbus0: Schizo, version 4, ign 200, bus A 0 to 0 schizo1: dvma map c000- pci2 at schizo1 gem0 at pci2 dev 1 function 0 Sun GEM rev 0x01: ivec 0x200, address 00:03:ba:08:de:01 gentbi0 at gem0 phy 0: Generic ten-bit interface, rev. 0 isp2 at pci2 dev 2 function 0 QLogic ISP2200 rev 0x05: ivec 0x204 isp2: Board Type 2200, Chip Revision 0x5, loaded F/W Revision 2.2.6 scsibus3 at isp2: 512 targets sd12 at scsibus3 targ 0 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd12: 34732MB, 512 bytes/sec, 71132959 sec total sd13 at scsibus3 targ 1 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct fixed sd13: 34732MB, 512 bytes/sec, 71132959 sec total sd14 at scsibus3 targ 2 lun 0: SEAGATE, ST336605FSUN36G, 0438
Re: Sun Fire 880 phantom disks
Hi,

The 880 is stock from Sun. I've done no hardware plumbing on it. According to http://docs.sun.com/app/docs/doc/806-7338-10/6jg7hm79b?a=view

You can use multipathing software to switch I/O operations from one I/O controller to another to prepare for DR operations. With a combination of DR and multipathing software, you can remove, replace, or deactivate a PCI controller card with no interruption to system operation. Note that this requires redundant hardware; that is, the system must contain an alternate I/O controller that is connected to the same device(s) as the card being removed or replaced

So the disk bus is connected to two controllers for redundancy, and Solaris obviously deals with this accordingly. I guess I should config a controller away to stop OpenBSD seeing it ?

In the longer term perhaps the OpenBSD scsi layer could examine disk serial numbers, and avoid assigning device IDs to subsequent disks with the same serial number ?

{2} ok devalias
cdrom /p...@8,70/s...@1/d...@6,0:f
tape /p...@8,70/s...@1/t...@4,0
scsix /p...@8,70/s...@1
disk /p...@8,60/SUNW,q...@2/f...@0,0/d...@0,0
disk0 /p...@8,60/SUNW,q...@2/f...@0,0/d...@0,0
disk1 /p...@8,60/SUNW,q...@2/f...@0,0/d...@1,0
disk2 /p...@8,60/SUNW,q...@2/f...@0,0/d...@2,0
disk3 /p...@8,60/SUNW,q...@2/f...@0,0/d...@3,0
disk4 /p...@8,60/SUNW,q...@2/f...@0,0/d...@4,0
disk5 /p...@8,60/SUNW,q...@2/f...@0,0/d...@5,0
disk6 /p...@8,60/SUNW,q...@2/f...@0,0/d...@8,0
disk7 /p...@8,60/SUNW,q...@2/f...@0,0/d...@9,0
disk8 /p...@8,60/SUNW,q...@2/f...@0,0/d...@a,0
disk9 /p...@8,60/SUNW,q...@2/f...@0,0/d...@b,0
disk10 /p...@8,60/SUNW,q...@2/f...@0,0/d...@c,0
disk11 /p...@8,60/SUNW,q...@2/f...@0,0/d...@d,0
scsi /p...@8,60/SUNW,q...@2
net /p...@9,70/netw...@1,1
gem /p...@8,60/netw...@1
flash /p...@9,70/e...@1/flashp...@0,0
idprom /p...@9,70/e...@1/i...@1,500030/idp...@0,a0
nvram /p...@9,70/e...@1/i...@1,500030/nv...@0,a0
i2c3 /p...@9,70/e...@1/i...@1,500030
i2c2 /p...@9,70/e...@1/i...@1,50002e
bbc1 /p...@9,70/e...@1/b...@1,50
i2c1 /p...@9,70/e...@1/i...@1,30
i2c0 /p...@9,70/e...@1/i...@1,2e
bbc0 /p...@9,70/e...@1/b...@1,0
rsc-console /p...@9,70/e...@1/rsc-cons...@1,3083f8
rsc-control /p...@9,70/e...@1/rsc-cont...@1,3062f8
ttyb /p...@9,70/e...@1/ser...@1,40:b
ttya /p...@9,70/e...@1/ser...@1,40:a
pci9b /p...@9,70
pci9a /p...@9,60
pci8b /p...@8,70
pci8a /p...@8,60
ebus /p...@9,70/e...@1
name aliases

/Pete

On 1. mars 2010, at 19.40, Kenneth R Westerback wrote:

On Mon, Mar 01, 2010 at 03:56:22PM +0100, Pete Vickers wrote:

Hei, Booting either 4.6-RELEASE or 4.7-BETA on my SunFire 880 causes the kernel to 'see' twice the correct number of physical disks. Further, if I install the o/s using bsd.rd on to sd0, then upon reboot the kernel can't find the root disk. However if I install on sd12 then booting etc is fine. The machine has physically 12 disks (36GB FC-AL), which appear to be duplicated as sd0-sd11 and sd12-23.

Do you have the disk in a loop that includes both ports on the 2200? That could explain why the disks are seen twice. And I believe only one WWN is saved from the boot so if it sees the same disk on the other port it may be lost.

Ken

r...@sf880 ~sysctl hw.disknames
hw.disknames=cd0,sd0,sd1,sd2,sd3,sd4,sd5,sd6,sd7,sd8,sd9,sd10,sd11,sd12,sd13,sd14,sd15,sd16,sd17,sd18,sd19,sd20,sd21,sd22,sd23

compare disk serial numbers :
r...@sf880 ~bioctl sd0
sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
r...@sf880 ~bioctl sd1
sd1: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK
r...@sf880 ~bioctl sd12
sd12: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
r...@sf880 ~bioctl sd13
sd13: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK

full dmesg:
console is /p...@9,70/e...@1/ser...@1,40:a
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2009 OpenBSD. All rights reserved. http://www.OpenBSD.org
OpenBSD 4.6 (GENERIC.MP) #53: Thu Jul 9 21:50:16 MDT 2009 dera...@sparc64.openbsd.org:/usr
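Pete's observation that the serial numbers reveal which sdN names are the same physical disk seen through a second controller can be turned into a small check run over `bioctl` output. This is an added example, not code from the thread or from OpenBSD: the four bioctl lines are the ones posted above, the fifth (sd2, with a made-up serial) is constructed so that a non-duplicated disk also appears, and the `bioctl sdN` line format assumed is the one shown in the thread.

```python
import re
from collections import defaultdict

# Line format as printed by bioctl in the thread above:
#   sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
BIOCTL_RE = re.compile(
    r"^(?P<dev>sd\d+): (?P<vendor>[^,]+), (?P<model>[^,]+), (?P<rev>[^,]+), "
    r"serial (?P<serial>\S+)$")

# The four lines from the thread plus one constructed disk (sd2) with a
# placeholder serial, so the sample also contains a single-path disk.
SAMPLE = """\
sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
sd1: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK
sd12: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
sd13: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK
sd2: SEAGATE, ST336605FSUN36G, 0438, serial EXAMPLE0000SERIAL
"""


def unit(dev):
    """Numeric unit of a device name, for sorting sd2 before sd12."""
    return int(dev[2:])


def parse_bioctl(text):
    """Return {device: serial}; lines that are not bioctl output are ignored."""
    disks = {}
    for line in text.splitlines():
        m = BIOCTL_RE.match(line.strip())
        if m:
            disks[m.group("dev")] = m.group("serial")
    return disks


def group_by_serial(disks):
    """Return {serial: [device names in unit order]}."""
    groups = defaultdict(list)
    for dev, serial in disks.items():
        groups[serial].append(dev)
    return {s: sorted(devs, key=unit) for s, devs in groups.items()}


def multipath_duplicates(text):
    """Serials attached under more than one device name: one physical disk
    reached through two controllers, or both ports of a loop."""
    return {s: devs for s, devs in group_by_serial(parse_bioctl(text)).items()
            if len(devs) > 1}


def physical_disks(text):
    """One device name per physical disk: the lowest unit of each serial."""
    firsts = (devs[0] for devs in group_by_serial(parse_bioctl(text)).values())
    return sorted(firsts, key=unit)


if __name__ == "__main__":
    for serial, devs in multipath_duplicates(SAMPLE).items():
        print("serial %s seen as %s" % (serial, ", ".join(devs)))
    print("physical disks:", physical_disks(SAMPLE))
```

On the machine itself the input would come from running `bioctl` on each name listed by `sysctl hw.disknames` and concatenating the output; any disk that appears under two names is a candidate for the "phantom" confusion described above, and the first name of each group is the one to treat as the real device when choosing where to install.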
Re: Sun Fire 880 phantom disks
Hi,

Just FYI:

{2} ok setenv boot-device disk0 disk1
boot-device = disk0 disk1

this boots disk0 or fails over to disk1.

/Pete

On 1. mars 2010, at 20.14, philippe aubry wrote:

In the openfirmware env you can save only one device to boot if I remember correctly.
Re: kern.maxclusters: 6144 - ?
On 26. feb. 2010, at 03.01, Aaron Mason wrote:

On Thu, Feb 25, 2010 at 10:04 AM, Pete Vickers p...@systemnet.no wrote:

Hi,

A proxy (squid) server running i386/4.6RELEASE with around 800 users, what would be a reasonable value to increase kern.maxclusters to, to cure this :

r...@proxy-s ~ grep mcl /var/log/messages
Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters

r...@proxy-s ~ sysctl kern.maxclusters
kern.maxclusters=6144

r...@proxy-s ~ netstat -m
4098 mbufs in use:
1131 mbufs allocated to data
2962 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
14176 Kbytes allocated to network (22% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

something like kern.maxclusters=1 or ?

/Pete

Only you can answer that, Pete. Try increasing it gradually until the errors go away. And if the error returns, increase it again. If it makes your system unstable, lower it until it returns to stability. Increments (and decrements, if necessary) of 256 would probably be wise. Getting the right balance with any system is all about trial and error - trying different things until things are running smoothly - or acceptably so in some situations. It's also about the balance between workability and stability. Sometimes you just can't have your cake and eat it too - stability must be the priority. My $0.02 there.

-- Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

Hi,

Indeed, the only problem is that if it's too low, then the system hangs. Presumably if it's too high, then the 'system instability' manifests itself as hanging too, so it's tricky to tell which way to go, once you deviate from the norm ...

Anyway for the archives I'm trying 8192 currently, hopefully that will reduce the crashes...

6016 mbufs in use:
2151 mbufs allocated to data
3860 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1979/5664/8192 mbuf 2048 byte clusters in use (current/peak/max)
0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
14048 Kbytes allocated to network (38% in use)

/Pete
kern.maxclusters: 6144 - ?
Hi,

A proxy (squid) server running i386/4.6RELEASE with around 800 users, what would be a reasonable value to increase kern.maxclusters to, to cure this :

r...@proxy-s ~ grep mcl /var/log/messages
Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters

r...@proxy-s ~ sysctl kern.maxclusters
kern.maxclusters=6144

r...@proxy-s ~ netstat -m
4098 mbufs in use:
1131 mbufs allocated to data
2962 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
14176 Kbytes allocated to network (22% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

something like kern.maxclusters=1 or ?

/Pete
Re: network performance problems
Hi,

I think you misunderstand me, I was not trying to argue that Cisco's firewall offerings are any better or worse than OpenBSD based solutions. I was merely pointing out that:

- A _correctly_configured_ Cisco 6500/7600 SUP is not vulnerable to a few Mbps of multicast traffic as alleged by claudio (unless someone has a new non-disclosed attack).
- 6500/7600 can do HW stateful FWing, e.g. FWSM (which is not a line card), but which is obviously a different budget than a PC running OpenBSD.

/Pete

On 18. feb. 2010, at 05.18, David Gwynne wrote:

a lot of the features you list below are only useful or usable at the switching layer, and therefore not really fair when compared to what openbsd can do. eg, the dhcp snooping is done on the switches at the client access layer to prevent rogue dhcp servers on an l2 network. unless you put openbsd bridges between each of your client machines and the switch then you cant do that on openbsd.

the feature you do list that is worth comparing is the acl stuff. it is true that on cisco gear you can filter packets (emphasis on packets) in hardware, which is extremely fast, however, you can only filter on attributes of each individual packet. if you want to do stateful filtering though (ie, filter streams/flows of packets), then its a completely different story.

personally the decision between openbsd and cisco for stateful filtering comes down to three factors: speed, cost, and the quality/usability of the implementation. i find it far easier to manage openbsd boxes, and i really love the features available to me in pf. i guess im biased since i have some code in there now. i havent had the opportunity to do a speed test between a cisco and my current openbsd firewalls, but i would be extremely surprised if the performance of the cisco scaled at the same rate as the price when compared to the openbsd boxes. so to me openbsd wins based on cost vs performance, and on usability and features.

i can do 200 or 300k pps on openbsd systems we bought 2 or 3 years ago for about 5 grand. im not sure cisco sell a stateful firewall module for 5 grand.

dlg

On 18/02/2010, at 12:05 AM, Tomas Bodzar wrote:

I'm not an expert in this area, but it looks like OpenBSD can do some parts too and for a much lower price.

DHCP snooping
From info on Cisco page it looks like simple combination of lists/macros for blocking/allowing certain ports. Tables are possible with OpenBSD too and you can limit flow rate of packets too

Dynamic ARP Inspection
If I'm not wrong then pf(4) doesn't operate on this layer, but then good, secure and simple design comes into the game

IP Source Guard
sounds like antispoof quick for

Unicast Reverse Path Forwarding (URPF)
sounds like block in quick from urpf-failed to any # use with care

Access Control Lists
something like SELinux and similar? It's the first thing which every good sysadmin turns off because of unneeded complexity and often bugs too. If I read this:

More generally, security ACLs can be used to protect against source address spoofing or to restrict network access to only legitimate sources, networks, and applications. For example, ACLs should be used to deny private address space at the ingress of the Internet and perform some filtering in the campus such that packets can only originate from customer-assigned addresses. ACLs should also be used to deny unused multicast addresses, to prevent multicast DoS attacks. Another interesting example is that of MAC ACLs which could be used to deny packets with invalid IP versions.

then I can say that all of this is possible with pf(4) without need for ACL

Quality of Service
don't know much about this in OpenBSD, but sounds like at least something similar is possible with this http://www.openbsd.org/faq/pf/queueing.html

Port security
buy HW which is capable to avoid CAM overflow

CONTROL PLANE AND MANAGEMENT PLANE PROTECTION
some parts look possible with pf(4), some not, but as I said this must be confirmed by someone who knows much more

Built-In Special-Case CPU Rate Limiters
read users' stories and try pf(4), you will see that it can handle DoS very well

It's quite long reading, but for me it looks like it's not needed to spend so much money in most cases.

On Wed, Feb 17, 2010 at 2:21 PM, Pete Vickers p...@systemnet.no wrote:

On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:

On 17/02/10 03:16, FRLinux wrote:

Mmmh, you picked my interest here. You mentioned your cisco 6500 but I guess you are going to use only gigabit NICs, so you have no need on the 10gb range? Just asking, not trying to start a war :) Cheers, Steph ps. the cisco crawled when I enabled IOS firewall features (stateful).

Firewall interface == $35K come on now... Too much money!

The 6500 and 7600 cisco systems are not able to do stateful firewalling in HW
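The pf(4) counterparts Tomas maps to the Cisco feature list above (antispoof, urpf-failed, tables, connection-rate limiting and altq queueing), assembled into one ruleset as an added example that is not part of the original thread. The interface names em0/em1, the 100Mb uplink and the 192.0.2.0/24 internal network are assumptions; the syntax is the OpenBSD 4.6-era pf.conf discussed in the thread.

```pf
# Added example (not from the thread): pf.conf mapping the Cisco features
# discussed above onto pf(4). Interfaces, bandwidth and addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.0.2.0/24"            # assumed internal network

# Ingress ACL analogue: "deny private address space at the ingress of the
# Internet" (the Cisco ACL text quoted above).
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
# Hosts that trip the connection-rate limit below (CPU rate-limiter analogue).
table <abusive> persist

set skip on lo

# Quality of Service analogue (faq/pf/queueing.html): a default queue plus a
# small high-priority queue for control traffic. 100Mb uplink assumed.
altq on $ext_if cbq bandwidth 100Mb queue { std, ctl }
queue std bandwidth 90% cbq(default)
queue ctl bandwidth 10% priority 7 cbq(borrow)

# IP Source Guard analogue: drop packets whose source address belongs to a
# network that is reachable through a different interface.
antispoof quick for lo0
antispoof quick for $int_if
antispoof quick for $ext_if

# URPF analogue: drop packets that fail the reverse-path check. As Tomas notes,
# use with care; asymmetric routing makes legitimate traffic fail this test.
block in quick from urpf-failed to any

# Remaining ingress ACL analogues: bogon sources, known offenders, and
# multicast destinations (all of 224/4 here; narrow to unused ranges on a
# network that actually carries multicast).
block in quick on $ext_if from <private> to any
block in quick on $ext_if from <abusive> to any
block in quick on $ext_if from any to 224.0.0.0/4

# Default deny; everything passed below is stateful (keep state is the
# default in 4.6), which is the point David makes about flows vs packets.
block log all

# Control-plane protection analogue: limit new SSH connections to the
# firewall itself to 5 per 30 seconds per source; offenders go into
# <abusive>, their existing states are flushed, and the block rule above
# drops them on the next packet.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <abusive> flush global)

# Outbound: bulk traffic in std, TCP ACKs and low-delay packets in ctl.
pass out on $ext_if proto tcp from ($ext_if) to any queue (std, ctl)
pass out on $ext_if from ($ext_if) to any queue std

# Internal side: let the assumed internal network out through the firewall.
pass in  on $int_if from $int_net to any
pass out on $int_if from any to $int_net
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors; `pfctl -t abusive -T show` then lists the sources the rate limiter has caught.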
Re: network performance problems
On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:

On 17/02/10 03:16, FRLinux wrote:

Mmmh, you picked my interest here. You mentioned your cisco 6500 but I guess you are going to use only gigabit NICs, so you have no need on the 10gb range? Just asking, not trying to start a war :) Cheers, Steph ps. the cisco crawled when I enabled IOS firewall features (stateful).

Firewall interface == $35K come on now... Too much money!

The 6500 and 7600 cisco systems are not able to do stateful firewalling in HW and have also issues with stuff like netflow exports. Unless you buy the super expensive line cards. Even the big SUP boards come with a tiny CPU running at the speed of a loongson -- those can be killed with a few Mbps of multicast traffic.

-- :wq Claudio

Just to balance the anti-cisco viewpoint:

If you want to do deep packet stuff in HW, then Cisco offer the FWSM ACE NAM modules for 6500/7600. The SUPs (meant for switching/routing, not FWing) support CoPP (control-plane policing) in HW, which should be configured to prevent abusive traffic hitting the CPU, this (amongst a large list of others) includes high PPS multicast. For example see: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html

/Pete
Re: is the Lemote Yeeloong available in the US?
presumably this is no worse than any other firmware, just that since it's open source you can actually see it?

is it just me or does the Fuloong (http://www.lemote.com/english/fuloong.html) look like a perfect car-puter, since it has 12V power requirements, S-video audio output, and IR receiver?

/Pete

On 5. feb. 2010, at 00.49, Aaron Mason wrote:

On Fri, Feb 5, 2010 at 3:42 AM, Miod Vallat m...@online.fr wrote:

.. You do not want to tinker with the firmware. The stock PMON2000 does not support these machines, so you'll need to start with the pmon code provided by Lemote, and saying that it is in a dire need of cleaning is an understatement.
Re: MacBook Air SSD not found
Hi,

Thanks for the patch - good idea. However since the firmware on the MacBook Air in question does not recognise non-OSX (HFS+) USB memory sticks, I could only test this patch by applying it on another machine's tree, then 'make release' and burning the created cd47.iso to a CDROM. Upon booting from the CDROM on the 'Air, it just hangs at the SSD disk detection line in dmesg. Further if I 'boot -c' to try to enable verbose booting in UKC, then it just sits at the UKC prompt, due to the fact that neither the internal nor a USB keyboard work at that point.

any ideas?

/Pete

On 29. jan. 2010, at 20.15, Brynet wrote:

Hi, Perhaps it's unrelated to your problem, but you could try forcing your SATA controller into AHCI mode.. maybe you'll see your drive then.

-Bryan.

Index: dev/pci/ahci.c === RCS file: /cvs/src/sys/dev/pci/ahci.c,v retrieving revision 1.158 diff -N -u dev/pci/ahci.c --- dev/pci/ahci.c21 Jan 2010 10:16:44 - 1.158 +++ dev/pci/ahci.c29 Jan 2010 19:11:12 - @@ -442,6 +442,8 @@ { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801H_RAID, NULL, NULL }, + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801HBM_SATA, + NULL, NULL }, { PCI_VENDOR_NVIDIA,PCI_PRODUCT_NVIDIA_MCP65_AHCI_2, NULL, ahci_nvidia_mcp_attach },
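Review bot: the added table entry carries NULL for both callbacks, so unlike the PCI_PRODUCT_NVIDIA_MCP65_AHCI_2 entry directly below it (which installs ahci_nvidia_mcp_attach) nothing in this hunk actually switches the 82801HBM controller into AHCI mode; the dmesg in the original report on this page shows that same device being claimed by pciide1 with both channels in native-PCI (IDE) mode, so adding the id to the ahci match table only makes a second driver match a controller that is still in IDE mode, which fits the reported hang at the disk detection line. Either supply an attach hook that puts the controller into AHCI mode before ahci claims it, or add a comment beside the entry stating that it relies on the firmware having already enabled AHCI; in both cases note that pciide keeps matching the same vendor/product id unless its table is adjusted as well.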
MacBook Air SSD not found
Hi,

neither 4.6 nor 4.7snapshot find the SSD HDD in my macbook air. These dmesg entries are about as far as it gets:

pciide0 at pci0 dev 31 function 1 Intel 82801HBM IDE rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801HBM SATA rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 18 (irq 5) for native-PCI interrupt

anyone any ideas? full dmesg below

/Pete

OpenBSD 4.7-beta (RAMDISK_CD) #314: Wed Jan 27 19:36:45 MST 2010 t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD cpu0: Intel(R) Core(TM)2 Duo CPU P7700 @ 1.80GHz (GenuineIntel 686-class) 1.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16, xTPR real mem = 2104373248 (2006MB) avail mem = 2032103424 (1937MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 07/29/05, SMBIOS rev. 2.4 @ 0xe (39 entries) bios0: vendor Apple Inc. version MBA11.88Z.00BB.B03.0803171226 date 03/17/08 bios0: Apple Inc. MacBookAir1,1 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT SSDT SSDT acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 199MHz cpu at mainbus0: not configured ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 1 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 2 (RP05) acpiprt2 at acpi0: bus 3 (PCIB) bios0: ROM list: 0xc/0xee00!
memory map conflict 0xf00f8000/0x1000 memory map conflict 0xfed1c000/0x4000 memory map conflict 0xfffa/0x3 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel GM965 Host rev 0x03 vga1 at pci0 dev 2 function 0 Intel GM965 Video rev 0x03 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) Intel GM965 Video rev 0x03 at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x03: apic 1 int 20 (irq 10) uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x03: apic 1 int 16 (irq 11) ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x03: apic 1 int 21 (irq 9) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 Intel 82801H HD Audio rev 0x03 at pci0 dev 27 function 0 not configured ppb0 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x03: apic 1 int 16 (irq 255) pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 4 Intel 82801H PCIE rev 0x03: apic 1 int 16 (irq 255) pci2 at ppb1 bus 2 Broadcom BCM4321 rev 0x05 at pci2 dev 0 function 0 not configured uhci2 at pci0 dev 29 function 0 Intel 82801H USB rev 0x03: apic 1 int 16 (irq 11) uhci3 at pci0 dev 29 function 1 Intel 82801H USB rev 0x03: apic 1 int 18 (irq 5) uhci4 at pci0 dev 29 function 2 Intel 82801H USB rev 0x03: apic 1 int 21 (irq 9) ehci1 at pci0 dev 29 function 7 Intel 82801H USB rev 0x03: apic 1 int 20 (irq 10) usb1 at ehci1: USB revision 2.0 uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xf3 pci3 at ppb2 bus 3 ichpcib0 at pci0 dev 31 function 0 Intel 82801HBM LPC rev 0x03: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801HBM IDE rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) pciide1 at pci0 dev 31 function 2 Intel 82801HBM SATA rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to 
native-PCI pciide1: using apic 1 int 18 (irq 5) for native-PCI interrupt Intel 82801H SMBus rev 0x03 at pci0 dev 31 function 3 not configured usb2 at uhci0: USB revision 1.0 uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1 usb3 at uhci1: USB revision 1.0 uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1 usb4 at uhci2: USB revision 1.0 uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1 usb5 at uhci3: USB revision 1.0 uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1 usb6 at uhci4: USB revision 1.0 uhub6 at usb6 Intel UHCI root hub rev 1.00/1.00 addr 1 isa0 at ichpcib0 isadma0 at isa0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 rd0: fixed, 3800 blocks umass0 at uhub1 port 1 configuration 1 interface 0 Apple Inc. MacBook Air SuperDrive rev 2.00/12.21 addr 2 umass0: using SCSI over Bulk-Only scsibus0 at umass0: 2 targets, initiator 0 cd0 at scsibus0 targ 1 lun 0: OPTIARC, DVD RW AD-5630A, 1CHQ SCSI0 5/cdrom removable Apple Inc. Built-in iSight rev 2.00/1.89 addr 3 at uhub1 port 4 not configured uhub7 at uhub4 port 2 Apple Inc. BRCM2046 Hub rev 2.00/1.00 addr 2 uhidev0 at uhub6 port 1 configuration 1 interface 0 Apple Computer, Inc. IR Receiver rev 2.00/0.16 addr 2 uhidev0: iclass 3/0,
Re: Which laptops do the developers use?
My MacBookPro with a recent snapshot works pretty good:

# sysctl hw.product
hw.product=MacBookPro2,2

# ifconfig athn0
athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:e3:d9:96:9b
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid chan 10 bssid 00:23:04:c9:7f:60 41dB wpapsk 0x wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::219:e3ff:fed9:969b%athn0 prefixlen 64 scopeid 0x2
        inet 192.0.2.160 netmask 0xff00 broadcast 192.0.2.255

(sometimes takes a couple of ifconfig up/down to wake up)

startx works perfectly at full resolution:

# grep -i xres /var/log/Xorg.0.log
XRes: 1440, YRes: 900, DotClock: 96310

/Pete

# cat /var/run/dmesg.boot
OpenBSD 4.6-current (GENERIC.MP) #391: Fri Jan 15 14:55:45 MST 2010 t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Core(TM)2 CPU T7600 @ 2.33GHz (GenuineIntel 686-class) 2.33 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16, xTPR real mem = 2131234816 (2032MB) avail mem = 2056310784 (1961MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 07/29/05, SMBIOS rev. 2.4 @ 0xe (40 entries) bios0: vendor Apple Inc. version MBP22.88Z.00A5.B07.0708131242 date 08/13/07 bios0: Apple Computer, Inc. MacBookPro2,2 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP HPET APIC MCFG ASF!
SBST ECDT SSDT SSDT SSDT acpi0: wakeup devices ADP1(S3) LID0(S3) PXS1(S4) PXS2(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB7(S3) EC__(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 166MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Core(TM)2 CPU T7600 @ 2.33GHz (GenuineIntel 686-class) 2.33 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16, xTPR ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 1 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (PEGP) acpiprt2 at acpi0: bus 2 (RP01) acpiprt3 at acpi0: bus 3 (RP02) acpiprt4 at acpi0: bus 4 (RP03) acpiprt5 at acpi0: bus 12 (PCIB) acpiec0 at acpi0 acpicpu0 at acpi0: C3, C2, C1, PSS acpicpu1 at acpi0: C3, C2, C1, PSS acpiac0 at acpi0: AC unit online acpibtn0 at acpi0: LID0 acpibtn1 at acpi0: PWRB acpibtn2 at acpi0: SLPB acpibat0 at acpi0: BAT0 model 14127832176087873 type 14127832377542988 oem 14127833101004627 acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD01 acpivout1 at acpivideo0: DD02 acpivout2 at acpivideo0: DD03 acpivout3 at acpivideo0: DD04 acpivout4 at acpivideo0: DD05 bios0: ROM list: 0xc/0xfa00 cpu0: Enhanced SpeedStep 2328 MHz: speeds: 2333, 2167, 2000, 1833, 1667, 1500, 1333, 1000 MHz memory map conflict 0x7ff0/0x10 memory map conflict 0xf00f8000/0x1000 memory map conflict 0xfed1c000/0x4000 memory map conflict 0xfffb/0x3 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03 ppb0 at pci0 dev 1 function 0 Intel 82945GM PCIE rev 0x03: apic 1 int 16 (irq 11) pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon Mobility X1600 rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) 
wsdisplay0: screen 1-5 added (80x25, vt100 emulation) radeondrm0 at vga1: apic 1 int 16 (irq 11) drm0 at radeondrm0 vendor Intel, unknown product 0x27a3 (class DASP subclass Time and Frequency, rev 0x03) at pci0 dev 7 function 0 not configured azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: apic 1 int 22 (irq 10) azalia0: codecs: Sigmatel STAC9220/1 audio0 at azalia0 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: apic 1 int 17 (irq 11) pci2 at ppb1 bus 2 mskc0 at pci2 dev 0 function 0 Marvell Yukon 88E8053 rev 0x22, Yukon-2 EC rev. A3 (0x2): apic 1 int 16 (irq 11) msk0 at mskc0 port A: address 00:17:f2:d8:f0:8d eephy0 at msk0 phy 0: 88E Gigabit PHY, rev. 2 ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: apic 1 int 16 (irq 11) pci3 at ppb2 bus 3 athn0 at pci3 dev 0 function 0 Atheros AR5418 rev 0x01: apic 1 int 17 (irq 10), address 00:19:e3:d9:96:9b athn0: MAC AR5418 rev 2, RF AR5133 (2T3R), ROM rev 4 ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: apic 1 int 18 (irq 11) pci4 at ppb3 bus 4 uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 1 int 23 (irq 11) uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 1 int 19 (irq 11) uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 1 int 18 (irq 11) uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 1 int 16 (irq
mute CARP with i386/4.6 on HP ProLiant DL380 G5
Hi,

Whilst setting up a H/A service on a pair of RELEASE4.6/i386 (+ bind/ssl patches) machines, I observe that both become carp master concurrently. Debugging shows that the carp master does not appear to transmit carp announcements:

r...@gins0 ~ tcpdump -i bnx0 -n proto carp
tcpdump: listening on bnx0, link-type EN10MB
^C [after 30 seconds]
16 packets received by filter
0 packets dropped by kernel
r...@gins0 ~

anyone any ideas? (all other comms work fine over the link e.g. SSH, DNS, ping etc.)

relevant config dmesg follows: s/123.456/my.correct.prefix/

r...@gins0 ~ cat /etc/hostname.bnx0
inet 123.456.250.16 255.255.255.128
r...@gins0 ~ cat /etc/hostname.carp0
inet 123.456.250.18 255.255.255.128 vhid 1 advskew 100 carpdev bnx0 description *** Gi NS H/A ***
r...@gins0 ~ ifconfig bnx0
bnx0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1e:0b:bd:fa:12
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 123.456.250.16 netmask 0xff80 broadcast 123.456.250.127
        inet6 fe80::21e:bff:febd:fa12%bnx0 prefixlen 64 scopeid 0x3
r...@gins0 ~ ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        description: *** Gi NS H/A ***
        priority: 0
        carp: MASTER carpdev bnx0 vhid 1 advbase 1 advskew 100
        groups: carp
        inet 123.456.250.18 netmask 0xff80 broadcast 123.456.250.127
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5

dmesg:

r...@gins0 ~ cat /var/run/dmesg.boot
OpenBSD 4.6 (GENERIC) #0: Thu Jan 24 03:03:58 CET 2008 r...@gins0:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class) 2.84 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16, xTPR real mem = 3487485952 (3325MB) avail mem = 3382898688 (3226MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev.
0 @ 0xf, SMBIOS rev. 2.4 @ 0xee000 (71 entries) bios0: vendor HP version P56 date 01/24/2008 bios0: HP ProLiant DL380 G5 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC BERT HEST acpi0: wakeup devices acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 333MHz cpu at mainbus0: not configured cpu at mainbus0: not configured cpu at mainbus0: not configured ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins acpimadt0: unknown apic structure type ff acpiprt0 at acpi0: bus 1 (IP2P) acpiprt1 at acpi0: bus 2 (IPTA) acpiprt2 at acpi0: bus 4 (IPTB) acpiprt3 at acpi0: bus 11 (IPE1) acpiprt4 at acpi0: bus 14 (IPE2) acpiprt5 at acpi0: bus 17 (IPE3) acpiprt6 at acpi0: bus 10 (IPE4) acpiprt7 at acpi0: bus 9 (PT02) acpiprt8 at acpi0: bus 6 (PT03) acpiprt9 at acpi0: bus 19 (PT04) acpiprt10 at acpi0: bus 23 (PT06) acpiprt11 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 acpitz0 at acpi0: critical temperature 31 degC bios0: ROM list: 0xc/0xb000 0xcc400/0x4000! 0xd0400/0x1800 0xe6000/0x2000! 
ipmi at mainbus0 not configured pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1 ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1 pci1 at ppb0 bus 9 ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01 pci2 at ppb1 bus 10 ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01 pci3 at ppb2 bus 11 ppb3 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01 pci4 at ppb3 bus 14 ppb4 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01 pci5 at ppb4 bus 17 ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01 pci6 at ppb5 bus 18 ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1 pci7 at ppb6 bus 6 ciss0 at pci7 dev 0 function 0 Hewlett-Packard Smart Array rev 0x03: apic 8 int 18 (irq 10) ciss0: 1 LD, HW rev 3, FW 4.12/4.12, 64bit fifo scsibus0 at ciss0: 1 targets sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct fixed sd0: 139979MB, 512 bytes/sec, 286677120 sec total ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1 pci8 at ppb7 bus 19 ppb8 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0xb1 pci9 at ppb8 bus 22 ppb9 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0xb1 pci10 at ppb9 bus 23 ppb10 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0xb1 pci11 at ppb10 bus 26 pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0xb1 pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0xb1 pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0xb1 pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0xb1 pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0xb1 pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0xb1 pchb7 at pci0
Re: mute CARP with i386/4.6 on HP ProLiant DL380 G5
Hi,

r...@gins0 ~ grep pf /etc/rc.conf.local
pf=NO # Packet filter / NAT

switches are fine, and couldn't affect outgoing packets anyway.

/Pete

On 12. jan. 2010, at 12.55, Rogier Krieger wrote:

On Tue, Jan 12, 2010 at 12:14, Pete Vickers p...@systemnet.no wrote:

Debugging shows that the carp master does not appear to transmit carp announcements:

Neither does it seem to receive any announcements. A silly question, are you blocking CARP advertisements on the interfaces? Since a pf.conf output appears to be missing, that may be the issue.

Another cause may be present in switches; on some of our older Cisco equipment a configuration with port security (if memory serves) caused us trouble. Try if a direct cable or dumb switch/hub lets packets flow if PF is not the source of the problem.

All that is assuming that the basics were set up properly.

Hope that helps,
Rogier

-- If you don't know where you're going, any road will get you there.
Re: mute CARP with i386/4.6 on HP ProLiant DL380 G5
this is with the other machine powered off, so its config is irrelevant.

On 12. jan. 2010, at 17.08, Ben Calvert b...@flyingwalrus.net wrote:

pete - pls send /etc/hostname.carp0 from the other machine.

On Jan 12, 2010, at 3:14 AM, Pete Vickers wrote:

Hi, Whilst setting up a H/A service on a pair of RELEASE4.6/i386 (+ bind/ssl patches) machines, I observe that both become carp master concurrently. Debugging shows that the carp master does not appear to transmit carp announcements:

r...@gins0 ~ tcpdump -i bnx0 -n proto carp
tcpdump: listening on bnx0, link-type EN10MB
^C [after 30 seconds]
16 packets received by filter
0 packets dropped by kernel
r...@gins0 ~

anyone any ideas? (all other comms work fine over the link e.g. SSH, DNS, ping etc.)
Re: how to fresh raidframe install on an already raidframe system?
you don't really need to soft raid the boot partition, since you can just put it on both physical disks, and set the system to boot from either, with something like this:

ok setenv boot-device disk0 disk1

/pete

On 3. jan. 2010, at 18.03, Kent Watsen wrote:

Hi,

I have a Netra T1 (sparc64) running 3.9 with raidframe on root. Being such an old system, I decided to do a fresh install, so I boot the 4.6 cdrom and install the system on the first disk (sd0). Rebooting again brings the 4.6 up fine so I compile and install a new raidframe-enabled kernel. Rebooting again produces many core dumps - `uname -a` says 4.6, but the filesystem is from the old 3.9 raid - the new raidframe kernel must have found the raid set on the 2nd disk.

Physically ejecting the second disk (sd1) and rebooting gives a clean boot, but now, of course, I don't have the second disk to install the raid set on...

What do other people do?
- rewrite the disklabel on the second disk so raidframe won't try to use the 2nd disk?
- put a new/temporary /etc/raid0.conf file to configure raidframe to ignore the 2nd disk?

Is it even possible to compile/install 4.6 on top of a raidframe set avoiding the need to reconfigure it at all?

PS: I looked into softraid for a while, as it's recommended in FAQ 14, before realizing that it didn't support raid on the root disk. This was especially confusing as its man page lists softraid0 at root while not specifically saying that it doesn't support raiding the /root disk. Maybe the FAQ and man page could be more clear on these points?

Thanks,
Kent
HP IPMI
Hi,

I have a HP (Compaq) ProLiant DL380 G5 which, according to dmesg, incorporates IPMI.

# grep IPMI /var/run/dmesg.boot
Hewlett-Packard IPMI rev 0x00 at pci16 dev 4 function 6 not configured

# pcidump -v 1:4:6
Domain /dev/pci:
 1:4:6: Hewlett-Packard IPMI
        0x: Vendor ID: 103c Product ID: 3302
        0x0004: Command: 0002 Status ID: 0290
        0x0008: Class: 0c Subclass: 07 Interface: 01 Revision: 00
        0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00
        0x0010: BAR mem 32bit addr: 0xf7ef
        0x0014: BAR empty ()
        0x0018: BAR empty ()
        0x001c: BAR empty ()
        0x0020: BAR empty ()
        0x0024: BAR empty ()
        0x0028: Cardbus CIS:
        0x002c: Subsystem Vendor ID: 103c Product ID: 3305
        0x0030: Expansion ROM Base Address:
        0x0038:
        0x003c: Interrupt Pin: 01 Line: 05 Min Gnt: 00 Max Lat: 00
        0x00f0: Capability 0x01: Power Management

Is the IPMI abstraction (mentioned in ipmi(4)) such that support for additional devices is little more than adding the PCI vendor/product id to the attach code? or is it a proprietary interface?

/Pete

# sysctl hw
hw.machine=i386
hw.model=Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0,cd0
hw.diskcount=2
hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
hw.sensors.cpu0.temp0=38.00 degC
hw.sensors.ciss0.drive0=online (sd0), OK
hw.cpuspeed=2834
hw.vendor=HP
hw.product=ProLiant DL380 G5
hw.serialno=CZC8100BSS
hw.uuid=34353835-3633-435a-4338-313030425353
hw.physmem=3487485952
hw.usermem=3487473664

(entire dmesg already forwarded to dmesg@ )
Re: bgpd help!!
How about aggregation? That's a nice knob to have (I use it quite often). The atomic-aggregate option could be used legitimately (see RFC4271) to hide an (RFC1918) AS in some circumstances.

/Pete

On 16. des. 2009, at 10.29, Claudio Jeker wrote:

On Wed, Dec 16, 2009 at 09:55:40AM +0100, Henning Brauer wrote:

* Stuart Henderson s...@spacehopper.org [2009-12-16 02:31]:

On 2009-12-16, Doran Mori dhm...@gmail.com wrote:

Have you tried looking at the filter rules in bgpd.conf(5)? Off the top of my head something like: deny to isp ip { AS 65xxx }

the OP is probably looking for something that strips private AS out of the path, but still advertises them, which isn't supported.

we really gotta fix that.

I'm not a big fan of molesting AS paths. This cries for doom in a way only Bob may find the right words for. Blocking sure, reannouncing with a new path maybe but just removing AS from paths is evil and the routing loop fairy will come to you and sprinkle your network with its magic powder. Do we need to add every stupid button a cizzcoee has?

-- :wq Claudio
Re: bgpd help!!
On 16. des. 2009, at 22.36, Martin Hein wrote:

On Wed, 16 Dec 2009 11:19:33 -0700 Andy Nguyen andy.ngu...@cityofthornton.net wrote:

If I configure community as Martin suggested this will also take out the path to my network. Thanks.

If your real AS is transit only for your prefix it won't work. Your real AS should announce your prefix. The private AS should announce subnets of the prefix. I do it all the time.

/Martin

doing that may black hole traffic upon public AS -- private AS connectivity issues. I prefer conditional advertisement achieved by aggregation.

/Pete
X default setting
Hi,

Having just installed 4.6 on my sunblade100 I'm truly very impressed by the recent advances in OpenBSD's X implementation - after a very rapid run through the improved install script, X started flawlessly with a usable (and accelerated) session. The automatic correct keyboard layout is just the icing on the cake :-)

There is just one thing I did to sanitise the config, however. I realise everyone has their own preferences, and don't want to start a religious X war, but how about adding the following: in /etc/X11/xdm/Xsetup_0 a line

xsetroot -solid gray

above the xconsole entry? (or is there a better place or way to prevent the eye ache of the default X background?)

/Pete
Re: X default setting
someone else also just pointed out the diagnostic properties of the eye ache pattern off-list too. So I guess it's ~/.xinitrc in site.tgz for me then.

/Pete

On 19. nov. 2009, at 21.24, J.C. Roberts wrote:

As long as you promise not to hate me for taking the other side of things, the default background in X is actually important. It's called the root weave and there are a few similar important backgrounds which are at least equally displeasing, if not more so. The reason why they are important is because they make it extremely easy for you to visually detect problems in your screen output. --It might be ugly, but regularly appreciating ugly has many benefits.

Let's say you fumble-finger an xrandr(1) command and change your display settings to something that might damage your display. Having the root weave visible might just save you the expense of replacing your monitor.

If you do insist on changing it, use the ~/.xinitrc for your user rather than making a system-wide change.

-- J.C. Roberts
Re: help please, my real memory is disappearing
alternatively you could run/spawn ftpd from inetd, which will presumably mean that all the resources will be 'returned' as soon as the connection closes. However there is a significant performance hit on a busy ftp server.

/Pete

On 17. nov. 2009, at 10.25, Artur Grabowski wrote:

MK pub...@kubikcz.net writes:

1. Is it normal that memory is not freed after I kill ftpd daemon?

yes. because the ftp daemon didn't allocate it.

2. Is it normal ftpd can take about 800MB of real memory while serving GET requests? (only 1 client is able to consume that portion of memory)

If you serve 800MB of file data through ftpd then yes.

3. Is it normal that this memory seems to be lost from the system?

yes. The keyword here is seems. The memory is used for caching the file contents in case you decide to read those files again. It's reused for more useful things when it's needed.

//art

Pete Vickers p...@systemnet.no | +47 48 17 91 00 SystemNet AS
Re: help please, my real memory is disappearing
You're right, I should have read the email more carefully / drunk more coffee.

/Pete

On 17. nov.. 2009, at 13.11, Artur Grabowski wrote:
> No. It will not solve any problem (ignoring that there was no problem in the first place).
> 
> //art
> 
> Pete Vickers <p...@systemnet.no> writes:
> 
>> alternatively you could run/spawn ftpd from inetd, which will presumably mean that all the resources will be 'returned' as soon as the connection closes. However significant performance hit on a busy ftp server.
>> 
>> /Pete
>> 
>> [...]
perf problems with 4.6/i386 bsd.sp squid-2.7.STABLE6 from packages
Hi,

I have performance problems on the above platform. After some time the proxy runs very slowly, and console becomes slow to respond. No observable difference between bsd.sp or bsd.mp

See tweaks applied below. Since I've tried without them first, but e.g. squid exhausted filedescriptors, replies with 'don't do that', are not as useful as 'try this instead' or 'debugging suggestions...' ;-)

Appears to be neither disk I/O or CPU bound, and buffer utilisation appear normal too.

H/W: HP DL360 G4p with a single fibre NIC (em) in use.
S/W OpenBSD 4.6/i386 bsd.sp from CD, squid-2.7.STABLE6 from packages.

r...@proxy-s ~ tail /etc/sysctl.conf
...
net.inet.tcp.ecn=1
net.inet.ip.ifq.maxlen=512
net.inet.tcp.ackonpush=1
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
kern.maxfiles=8192

r...@proxy-s ~ more /etc/login.conf
...
daemon:\
        :ignorenologin:\
        :datasize=infinity:\
        :maxproc=infinity:\
        :openfiles=2448:\
        :stacksize=8M:\
        :localcipher=blowfish,8:\
        :tc=default:
...

r...@proxy-s ~ head /etc/squid/squid.conf
...
max_filedescriptors 2048
cache_mem 384 MB
cache_dir ufs /var/squid/cache 12048 16 256
...

r...@proxy-s ~ netstat -m
4172 mbufs in use:
        1201 mbufs allocated to data
        2966 mbufs allocated to packet headers
        5 mbufs allocated to socket names and addresses
915/2266/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
6208 Kbytes allocated to network (46% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

r...@proxy-s ~ top | head
load averages:  1.10,  1.55,  1.66                                   10:58:24
38 processes: 37 idle, 1 on processor
CPU states:  1.0% user,  0.0% nice,  1.3% system,  1.1% interrupt, 96.6% idle
Memory: Real: 960M/1214M act/tot  Free: 794M  Swap: 0K/2052M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
20479 _squid    -5    0  950M  949M sleep     biowait  20:11  6.30% squid
 5193 _squid    -6    0  228K  540K sleep     piperd    0:12  0.00% unlinkd
11123 _snmpd     2    0  548K 1008K sleep     kqread    0:00  0.00% snmpd
  276 root       2    0  984K 1728K sleep     select    0:00  0.00% sendmail

r...@proxy-s ~ systat vmstat
   1 users    Load 1.50 1.88 1.78                   Thu Nov 12 10:55:40 2009

            memory totals (in KB)            PAGING   SWAPPING     Interrupts
           real   virtual     free           in  out   in  out    2013 total
   Active  982620  982620   809216    ops                          100 clock
   All    1247164 1247164  2910412    pages                       1856 em0
                                                                    57 ciss0
Proc:r  d  s  w    Csw   Trp   Sys   Int   Sof  Flt     forks
      1    18     1025     5  8876  1913   102   36     fkppw
                                                        fksvm
  3.4%Int   4.0%Sys   3.0%Usr   0.0%Nic  89.6%Idle      pwait
|    |    |    |    |    |    |    |    |    |    |     relck
||==                                                    rlkok
                                                        noram
Namei         Sys-cache    Proc-cache    No-cache     1 ndcpy
    Calls     hits    %    hits     %    miss   %       fltcp
      399      341   85      56    14       2           zfod
                                                        cow
Disks   sd0   cd0   fd0                          17136  fmin
seeks                                            22848  ftarg
xfers    57                                             itarg
speed  579K                                          1  wired
  sec   0.3                                             pdfre
                                                        pdscn
                                                        pzidle
                                                    112 kmapent

r...@proxy-s ~ netstat -iI em0 | egrep 'Name|Link'
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
em0     1500  <Link>      00:11:0a:57:0f:4c 33078650     0 40412499     0     0

### Squid stats (after 8 hours of traffic) :

Squid Object Cache: Version 2.7.STABLE6
Start Time:     Wed, 11 Nov 2009 19:38:48 GMT
Current Time:   Thu, 12 Nov 2009 09:45:28 GMT

Connection information for squid:
        Number of clients accessing cache:      495
        Number of HTTP requests received:
Re: perf problems with 4.6/i386 bsd.sp squid-2.7.STABLE6 from packages
Hi,

Well earlier I got the filedescriptor shortage squid warning, so I progressively increased the max_filedescriptors to 2048, and the warning no longer occurs, also I can see in the squid diagnostics that it's not using more than 1700. So I'm pretty sure it's not that. However I upped it to 4096 just in case, but still very slow response :-(

r...@proxy-p ~ grep WARN /var/squid/logs/cache.log
2009/11/02 14:00:10| WARNING! Your cache is running out of filedescriptors
2009/11/02 14:00:26| WARNING! Your cache is running out of filedescriptors

/Pete

On 12. nov.. 2009, at 12.16, Comete wrote:
> Hi,
> 
> i had a similar problem with our configuration, and i resolved this by setting this in /etc/squid/squid.conf
> 
> max_filedescriptors 4096
> 
> Very good performances now ;)
> 
> Pete Vickers wrote:
>> Hi,
>> 
>> I have performance problems on the above platform. After some time the proxy runs very slowly, and console becomes slow to respond. No observable difference between bsd.sp or bsd.mp
>> 
>> [...]
Re: Monitoring DHCP pool state
I've used this before with good results:

http://dhcpstatus.sourceforge.net/install.html

/Pete

On 8. okt.. 2009, at 15.06, Ian Chard wrote:
> Hi,
> 
> I'm using the stock OpenBSD dhcpd, and I'd like to monitor the state of the pool (how many addresses in use/available). Is there any way of doing this without writing a parser for /var/db/dhcpd.leases? Would I be better off using a different dhcpd?
> 
> Thanks
> - Ian
> 
> -- 
> Ian Chard, Senior Unix and Network Gorilla    | E: ian.ch...@sers.ox.ac.uk
> Systems and Electronic Resources Service      | T: 80587 / (01865) 280587
> Oxford University Library Services            | F: (01865) 242287
Re: Sendmail and SMTPAuth
I had trouble with the getpwent flag, so since the same box also does IMAP* this works for me:

$ cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

$ grep sas /etc/rc.local
if [ -x /usr/local/sbin/saslauthd ]; then
        echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a rimap -O 127.0.0.1 -V

$ pkg_info | grep -e sas -e imap
cyrus-sasl-2.1.22p2-db4 RFC SASL (Simple Authentication and Security Layer)
imap-uw-2007-plaintext  University of Washington IMAP4rev1/POP2/POP3 mail servers

(old versions I know...)

[*] actually IMAP listens on loopback (for squirrelmail), and IMAPS on external i/fs via stunnel.

just to save you hours of sendmail joy, excerpt from: /usr/share/sendmail/cf/myserver.mc

dnl ## disable default listeners ##
FEATURE(`no_default_msa')dnl
dnl
dnl ## port25 v4 loopback listener for local submission, and inbound passed spamd ##
DAEMON_OPTIONS(`Family=inet, Address=127.0.0.1, Name=MTA, M=EA')dnl
dnl
dnl ## port587 for roaming submission with a=auth E=disable ETRN ##
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=Ea')dnl
dnl
dnl ## port 465 for SMTP o/SSL for MS clients - s=SSL
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=465, Name=MSCRAP, M=Eas')dnl
dnl
dnl ## SASL AUTH ## OS.X++ use PLAIN, MSOE uses LOGIN
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `p')dnl
dnl
dnl debug with:
define(`confLOG_LEVEL', `63')dnl

/Pete

On 27. aug.. 2009, at 21.48, stupidmail4me wrote:
> I know this topic has been touched on before but I have what I believe is a simple question. Instead of creating a SASL password db and having to keep two password databases in check I want SASL to use OpenBSD's password file. There's no definitive answer so I want to try and put it out there.
> 
> In /usr/local/lib/sasl2/Sendmail.conf I would have "pwcheck_method: saslauthd". This would tell Sendmail to use saslauthd to authenticate SMTP connections.
> 
> I would start saslauthd with the "-a getpwent" flag to have it check not against a SASL password database but against the system database. Are my assumptions correct?
Re: BGP and NATting to multiple ISPs
On 19. juni. 2009, at 00.10, Henning Brauer wrote:
> * Pete Vickers <p...@systemnet.no> [2009-06-19 00:02]:
>> Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.
> 
> that doesn't solve a single problem. in return, you get a plethora of new ones on top.
> 
> -- 
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Once 'everyone' is solely 'on' v6, then v4 space is not a concern. As lots of folks (and I'm one of them) here point out v6 has many many issues, but premature v4 exhaustion / v6 migration would force these issues to be resolved a lot quicker.

/Pete
Re: BGP and NATting to multiple ISPs
On 19. juni. 2009, at 00.40, Ted Unangst wrote:
> On Thu, Jun 18, 2009 at 5:54 PM, Pete Vickers <p...@systemnet.no> wrote:
>> nah, you may be right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it.
>> 
>> Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.
> 
> oh really? people are going to start carrying /48s in a world where they don't even carry anything more than a /24 for ipv4?

admins who filter = /24 and don't set a default to upstream [1], generally get what they deserve - since they are blackholing potential customers. If their employer is so cash strapped they can't afford the ASIC space for a full table, then presumably their market share & b/w usage are such that they can hold the table in software instead. (dumb north american routing policies excepted)

[1] Or 0.0.0.0/1 and 128.0.0.0/1 across links, or somesuch.

/Pete
Re: BGP and NATting to multiple ISPs
On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:
> What's the best way to solve this problem?

stop trying to bodge it, and get some PI space.

/Pete
Re: BGP and NATting to multiple ISPs
nah, you may be right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it.

Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.

/Pete

On 18. juni. 2009, at 22.49, tico wrote:
> Karl O. Pinc wrote:
>> On 06/18/2009 01:50:17 PM, Pete Vickers wrote:
>>> On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:
>>>> What's the best way to solve this problem?
>>> 
>>> stop trying to bodge it, and get some PI space.
>> 
>> I'd love but, how can I justify to ARIN a large enough address block that it won't be dropped by BGP administrators? The only reason we'd need the addresses is to multi-home.
> 
> ARIN says you can get a /22 for multihoming if you can justify their 25% / 50% usage as spelled out in their numbering policy. https://www.arin.net/policy/nrpm.html#four322
> 
> If you can't justify that, then get a /24 of PA space from a provider that *will* allow you to reannounce that /24 via an additional transit and *will* provide you with an LOA that you can provide to that additional transit operator. The number of networks that filter prefixes smaller than /22 don't appear to be that numerous IMHO, but if they do, your /24 will still be reachable as they'll see the larger /19 or whatever from your provider that it's carved out of.
> 
>> I am under the impression this is not reason enough for ARIN, that they are in a rationing mood when it comes to handing out IPv4 address blocks.
> 
> As well they should be. IP resources are scarce and people are wasteful and greedy.
> 
> Most offices don't need BGP multihoming, or any sort of inbound multihoming at all-- just outbound which is easily done without the assistance of the ISPs themselves or ARIN by using NAT and upstream-failover features commonly found in most routers.
> 
> Most world-accessible servers that are important enough to need inbound multihoming should be sitting in a datacenter which has significantly more professionally-managed multihoming than small offices.
> 
> And before the flaming starts, remember that I said "most".
> 
> Cheers,
> Tico
> 
>> Karl <k...@meme.com>
>> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK
On 27 May 2009, at 10:01, Otto Moerbeek wrote:
> On Wed, May 27, 2009 at 09:43:18AM +0200, Otto Moerbeek wrote:
>> On Wed, May 27, 2009 at 10:29:10AM +0300, Gregory Edigarov wrote:
>>> Bob Beck wrote:
>>>> * Chris Harries <ch...@sharescope.co.uk> [2009-05-26 10:48]:
>>>>> it sure beats everyone moaning at me as they cannot read e-mails clearly marked IMPORTANT, DO THIS OR YOUR E-MAIL WONT WORK, then moaning when their email doesn't work
>>>> 
>>>> IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK
>>>> 
>>>> We are refreshing our openbsd mailing lists to ensure that the list memberships correctly match our business process and security roles. In order to ensure your list memberships and email continue to work without interruption, please reply to this email with the following information:
>>>> 
>>>> Name : ___
>>>> Email ID:
>>>> Password:
>>>> 
>>>> Thanks for helping to ensure the integrity of our email system.
>>> 
>>> Pardon? I do not understand what is this for
>> 
>> explanation will follow once you provide the neccesary provide of ehhh
> 
> s/provide/proof
> 
> authentication.
> 
> -Otto

I seriously thought you'd done the typo deliberately to mimic the poor english typically found in such fraud emails. LoL.

/Pete
Re: MPLS status questions.
On 30 Apr 2009, at 00:14, Daniel Ouellet wrote:
> Joe S wrote:
>> What's really frustrating here are the network admins I work with that are trying to migrate from ipsec vpns to MPLS because it's easier and just as secure.
> 
> Well, I am not sure that it would be very convincing to them, but I guess a somewhat good argument to use might be as simple as asking them if they would replace IPSec tunnel/VPN on a big switch WAN/LAN network with only VLan tag instead? That's about what they say isn't it? Scary.
> 
> May not be a very good example, but I think the analogy between them is somewhat valuable in idea and concept anyway.
> 
> But again, the norm looks like these days is to only consider security after the fact and react to it instead of being proactive on it.
> 
> See what they say.
> 
> Best,
> 
> Daniel

you don't use telnet even over an IPSec WAN do you ? end-to-end security (e.g. TLS/SSL) is your friend here. It's the only way to actively verify link security and once you're in an SSH session (with properly verified keys), you don't care who's watching the stream

/Pete
Re: correction to gre(4) man page
On 12 Apr 2009, at 23:47, Jason McIntyre wrote:
> On Sun, Apr 12, 2009 at 10:40:08PM +0200, Pete Vickers wrote:
>> SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is:
>> 
>> http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt
>> 
>> /Pete
> 
> that link works fine here.
> 
> jmc

ahh, indeed. The culprit was the man-html conversion for this:

http://www.openbsd.org/cgi-bin/man.cgi?query=gre

where the URL is line wrapped, but the html does not take it into account.

thanks for pointing it out.

/Pete
correction to gre(4) man page
SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is:

http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt

/Pete
Re: European orders
A public statement from him (Wim) would be appropriate now I believe. Especially informing all of us who have pre-ordered the latest release via him what will happen with our orders, and importantly when he will forward the proceeds to Theo et al.

/Pete

On 25 Mar 2009, at 01:16, Floor Terra wrote:
> On Wed, Mar 25, 2009 at 12:34 AM, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>>> Do you have any advice for those who already ordered? Or should we contact the distributor?
>> 
>> Sorry, but I don't know that yet. We'll see, I suppose.
> 
> Wim called me 20 minutes ago and explained the situation to me. If you have any questions just mail him or give him a call.
> 
> -- 
> Floor Terra <flo...@gmail.com>
> www: http://brobding.mine.nu/
Re: feature request OpenBGPD: route server ability to disable best path selection
The 'standard' (for at least one vendor's definition of standard) way to get around this, is to slap a different route distinguisher (RD) on each of the desired 'duplicate' paths. BGP then sees these as individual paths and will happily communicate both concurrently. Separate but related, is the ability to import both RD's into the same VRF on the recipient of the BGP peering, and thus into the routing table (FIB) to use multiple paths (load balancing) etc.

/Pete

On 18 Mar 2009, at 11:32, Claudio Jeker wrote:
> On Wed, Mar 18, 2009 at 11:00:32AM +0100, Arnoud Vermeer wrote:
>> I have a problem with filtering on the current route server implementation. I currently have the following setup:
>> 
>>    10.0.1.0/24      10.0.1.0/24
>>    +-----------+    +-----------+
>>    |    AS1    |    |    AS2    |
>>    | 10.0.0.50 |    | 10.0.0.51 |
>>    +-----+-----+    +-----+-----+
>>          |                |
>>          +-------+--------+
>>                  |
>>            +-----+-----+
>>            |    RS     |
>>            | 10.0.0.49 |
>>            +-----+-----+
>>                  |
>>                  | deny to { 10.0.0.52 } AS 1
>>                  |
>>            +-----+-----+
>>            |    AS3    |
>>            | 10.0.0.52 |
>>            +-----------+
>> 
>> (or http://www.freshway.biz/files/20090318-problem-filter.txt for the correct ASCII)
>> 
>> Both AS1 and AS2 announce the same prefix, but the route server selects the AS1 path because of the lower nexthop value. Now I add a filter to AS3. I deny to send any prefixes to AS3 that match AS1. Now AS3 doesn't receive the 10.0.1.0/24 prefix at all. It should however receive it from AS2.
>> 
>> Quagga overcomes this problem by making a per-filtered-peer RIB and then do best path selection (http://www.quagga.net/docs/docs-multi/Description-of-the-Route-Server-model.html). I think this is just an ugly and complicated work-around as it doesn't solve the core of the problem.
>> 
>> In my eyes the best solution will be to disable the best-path-selection on the route server altogether, and send all routes (except the filtered) to the peer.
>> 
>> Arguments to do this:
>> - As shown above, the best path selection breaks on the route server when applying filters.
>> - A route server should not make any best-path selection, because the peers criteria could be completely different than the route server.
>> - The function of the route server is to 'collect' all the routes and send them to all of the peers, not to 'collect a subset' of the routes and send that to its peers.
>> 
>> I would love to hear your thoughts on this subject. Would it be hard to implement this feature?
> 
> BGP only supports one path per prefix and peer. If you send multiple ones as you propose the later ones will overwrite the first one no matter what. To support your idea we would need a per-filtered-peer local-RIB because the route-server needs to do the best path selection for the peer.
> 
> -- 
> :wq Claudio
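A toy route server, added here as an illustration and not OpenBGPD code, reproducing Arnoud's setup above: AS1 and AS2 both announce 10.0.1.0/24, AS3's outbound filter denies AS 1, and the only tie-break modelled is the lower-nexthop one he mentions. It contrasts one global best-path selection before filtering (AS3 ends up with nothing) against the per-filtered-peer RIB Claudio says would be needed (AS3 still gets the AS2 path); the announcements are constructed from the diagram.

```python
"""Toy route server: shared best-path RIB versus per-filtered-peer RIB.

Constructed model of the thread's example, not OpenBGPD.  Sending a peer's
own route back to it is not modelled; the point is only where filtering
happens relative to best-path selection.
"""
from collections import namedtuple
import ipaddress

Route = namedtuple("Route", "prefix nexthop aspath")


def best_path(candidates):
    """One route per prefix. The only tie-break modelled is the one the
    thread mentions: the lower nexthop address wins."""
    best = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or ipaddress.ip_address(r.nexthop) < ipaddress.ip_address(cur.nexthop):
            best[r.prefix] = r
    return best


def allowed(route, denied_as):
    """Outbound filter for one peer: drop routes whose AS path contains a denied AS."""
    return not (set(route.aspath) & denied_as)


def single_rib(adj_rib_in, out_filters):
    """Select one best path globally, then apply each peer's filter to that
    single chosen route (what the thread reports the route server doing)."""
    best = best_path(r for routes in adj_rib_in.values() for r in routes)
    return {
        peer: {p: r for p, r in best.items() if allowed(r, out_filters.get(peer, set()))}
        for peer in adj_rib_in
    }


def per_peer_rib(adj_rib_in, out_filters):
    """Filter first, then run best-path selection separately for each peer
    (the per-filtered-peer local-RIB Claudio describes)."""
    result = {}
    for peer in adj_rib_in:
        denied = out_filters.get(peer, set())
        candidates = [r for routes in adj_rib_in.values() for r in routes if allowed(r, denied)]
        result[peer] = best_path(candidates)
    return result


# Constructed announcements taken from the diagram (RS itself is 10.0.0.49).
ADJ_RIB_IN = {
    "AS1": [Route("10.0.1.0/24", "10.0.0.50", (1,))],
    "AS2": [Route("10.0.1.0/24", "10.0.0.51", (2,))],
    "AS3": [],
}
# "deny to { 10.0.0.52 } AS 1": nothing from AS 1 goes to AS3.
OUT_FILTERS = {"AS3": {1}}
```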
Re: Ramifications of blocking SYN+FIN TCP packets
Hi,

What about Postel's 'be liberal in what you accept' ? What about peers/intermediate system that have for example bugs which accidentally set FIN flags (ISP's broken traffic shaping/limiting device anyone ?). If pf can safely cleanse such legitimate traffic, then why block it ?

Blindly implementing 'orders' from PCI etc is just wrong - to do so is only encouraging such bad practices. Instead reject their demands, using whatever appeals process is available. Only when enough technical staff do so will it be fixed. All such regulations should be of the style where both of these are permitted:

- I am a stupid admin, so I'll just blindly follow them
and
- I am a competent admin, so I'll use my judgement to best protect my net

How about this, for a fun response:

'We don't want to drop such 'special' traffic, since if we do so, then an attacker can deduce that we have implemented PCI guidelines, which in turn implies we have CC details online, and thus are a more attractive target' ...

/Pete

On 12 Mar 2009, at 10:22, J.C. Roberts wrote:
> On Wed, 11 Mar 2009 13:07:22 -0400 Jason Dixon <ja...@dixongroup.net> wrote:
>> On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:
>>> Jason Dixon wrote:
>>>> S/SAFR
>>>> 
>>>> I just had to deal with this on our customer's PCI scan. Don't argue with the logic, just do it. :)
>>>> 
>>>> Let me guess -- TrustKeeper? We just had to deal with this as well. Submit an appeal and they should accept it.
>>> 
>>> Yup. The flags S/SAFR will work unless you are being a good little pf admin and also scrubbing all the traffic. The problem is pf considers SYN-RST packets to be illegal and drops them (good) but only considers SYN-FIN packets to be ambiguous and so it normalizes them and clears the FIN bit (in this case for the PCI scan - bad). Then your server behind the firewall receives what it thinks is a nice clean SYN packet and it sends back SYN-ACK.
>>> 
>>> Yes, we have our own reasons not to scrub there.
>> 
>> Well, *someone* has their reasons. I have to deal with those reasons. ;)
> 
> Ahhh my least favorite acronym name space conflict:
> 
> PCI == Payment Card Industry
> 
> Their security through ignorance practices are nearly as illustrious as their business through abusive lending practices. The thing to remember is the security facade they require is almost entirely for the sake of public confidence and litigation defense. --hmmm... I should probably save the rest of this rant for a far more appropriate mailing list, like /dev/null
> 
> Anyhow, back to the original question, are there any ramifications to blocking SYN+FIN completely?
> 
> Some (Darren Reed, ipf author) think that pf unconditionally clearing the FIN flag on scrub is a bug. And no, we don't need a flame war about whether or not Darren is right, but none the less, it's still good to see how the RFC's and ideas about correct filtering are both subject to lots of interpretation.
> 
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2005-07/0011.html
> 
> I know SYN+FIN is a valid packet according to RFC 793 and 1644 (T/TCP), but the more important question is, what are the valuable *uses* for SYN+FIN packets? Personally, I can't think of any valuable uses. Can you?
> 
> Just because SYN+FIN is a technically valid packet according to the various RFC's doesn't mean we want or need such traffic, and doesn't mean we consider it valuable and useful.
> 
> Can you think of any RFC valid traffic you're dropping when the RFC's tell you that you're supposed to respond to it? --Ya, I thought so.
> 
> Spammers? --Yep, RFC valid traffic.
> DDOS? --Yep, RFC valid traffic.
> Brute Force? --Yep, RFC valid traffic.
> port scans --A lot of it is RFC valid traffic.
> 
> Though 'scrub' will drop the FIN flag off the SYN+FIN packets, the bofhish instinct says without a proven and valuable *use* for SYN+FIN, then just block it. If anyone complains about breakage, then just point your (middle) finger at PCI/TrustKeeper compliance requirements, and tell the user to take it up with them.
> 
> Call me overly pragmatic, but if something in a standard is not providing valuable use (i.e. reward) and poses *any* type of risk or cost (including the risk and cost of wasting my time filing and maintaining some appeal), then the answer is painfully simple.
> 
> -- 
> J.C. Roberts
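A small model, added here and taken neither from the thread nor from pf's source, of the two mechanisms the thread turns on: how a pf 'flags a/b' specification matches a packet's TCP flags, and the scrub normalisation David describes (SYN+RST dropped as illegal, FIN cleared from SYN+FIN). It assumes, as the model's own premise, that scrub runs before the filter rules, which is why a SYN+FIN that 'flags S/SAFR' alone would block turns into a plain SYN and passes once scrubbing is on, and why an explicit SYN+FIN block rule never sees the packet in that case.

```python
"""Model of pf 'flags a/b' matching and the scrub behaviour described in the thread.

Constructed illustration, not pf's code.  flags_match() implements the
documented 'flags a/b' semantics (of the bits in b, exactly the bits in a must
be set); scrub() encodes only what the thread states: SYN+RST is illegal and
dropped, SYN+FIN is ambiguous and has FIN cleared.
"""

# TCP header flag bits (RFC 793 order within the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# pf.conf flag letters to header bits.
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flag_spec(spec):
    """Turn 'S/SAFR' into (bits_that_must_be_set, bits_to_examine)."""
    set_part, _, mask_part = spec.partition("/")
    must = sum(FLAG_BITS[c] for c in set_part)
    mask = sum(FLAG_BITS[c] for c in mask_part)
    return must, mask


def flags_match(tcp_flags, spec):
    """True when, of the masked bits, exactly the listed ones are set."""
    must, mask = parse_flag_spec(spec)
    return (tcp_flags & mask) == must


def scrub(tcp_flags):
    """Normalise one packet's flags the way the thread says scrub does.

    Returns None for a dropped (illegal) SYN+RST packet, otherwise the
    possibly modified flags: SYN+FIN loses its FIN bit.
    """
    if tcp_flags & (SYN | RST) == (SYN | RST):
        return None
    if tcp_flags & (SYN | FIN) == (SYN | FIN):
        tcp_flags &= ~FIN
    return tcp_flags


def filter_packet(tcp_flags, scrub_enabled, pass_spec="S/SAFR", block_synfin=False):
    """Return 'drop', 'block' or 'pass' for one inbound TCP packet.

    Ruleset modelled: optional scrub, an optional explicit
    'block in quick proto tcp flags SF/SF', then
    'pass in proto tcp flags <pass_spec>' under a default block.
    Assumption: scrub is applied before any filter rule is evaluated, so with
    scrubbing on the explicit SF/SF rule never sees a SYN+FIN packet.
    """
    if scrub_enabled:
        tcp_flags = scrub(tcp_flags)
        if tcp_flags is None:
            return "drop"
    if block_synfin and flags_match(tcp_flags, "SF/SF"):
        return "block"
    return "pass" if flags_match(tcp_flags, pass_spec) else "block"
```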
Re: HP Proliant DL385 with Squid at a Gigabit-switch - bad network performance
The bge driver sucks for these cards - just chuck in an em(4) NIC and you should see instant improvement. 'netstat -I bge0' will confirm the packet errors

/Pete

On 27 Feb 2009, at 14:33, Alexander Farber wrote:
> bge0 at pci3 dev 6 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): apic 6 int 0 (irq 7), address 00:16:35:5b:39:ae
> brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
> bge1 at pci3 dev 6 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): apic 6 int 1 (irq 10), address 00:16:35:5b:39:ad
Re: relayd: rdr instead of proxy mode?
If you are doing web traffic, then relayd can insert a HTTP header into the inbound request, which is then visible to the backend webserver. For vanilla tcp connections, verbose logging on relay box and backend together with ntp time syncing and some scripting foo should permit reconstruction of the end-to-end connection. Not pretty but should work.

/pete

On 24 Feb 2009, at 18:57, Falk Brockerhoff - smartTERRA GmbH wrote:
> Hi,
> 
> I'm using relayd for loadbalancing incoming tcp traffic, works fine like a charm :-)
> 
> But as relayd works like a proxy, in the log files of my applications, there is always the ip address of the load balancing node and not of the real client. Is there a way to have relayd have all packets redirect like pf's rdr function instead of working like a classical proxy?
> 
> Another way to reach the final goal is to use pf with rdr statements, but in this case I haven't any check if the target node is available or not.
> 
> Both solutions only make half of the way I want to go - any idea, hints, suggestions?
> 
> Regards,
> 
> Falk
Re: SOCKS proxy
As I put in my initial email, the key is the -o option ProxyCommand

http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config

and search for it, there is even a similar example included.

/Pete

On 16 Feb 2009, at 17:28, Tony Berth wrote:
> The order is the following:
> 
> A(ssh client) -> C(http proxy server) -> Internet -> B(ssh server with static IP)
> 
> Now A can't access the Internet. I can only run a browser on that machine which includes the details from C and only then I can surf/have access to the Internet only on ports 80 and 443! As a result ssh from A to B doesn't work. If I use putty on A and define the details of C in the putty proxy dialog box, I can open a ssh session to B. So the question is, how does this action of putty get translated into an ssh command? Which flag should I use from the ssh command line in order to achieve the same result?
> 
> Thanks
> 
> Tony
> 
> On Fri, Feb 13, 2009 at 2:05 PM, Pete Vickers <p...@systemnet.no> wrote:
>> Hmm, I can't grok your problem description, since it's ambiguous. there are several devices here:
>> 
>> A. ssh client
>> B. ssh server
>> C. http(s) proxy server
>> D. http(s) proxy client (web browser)
>> 
>> I thought you mean A+D were one device, C was an interim device, and B was the remote device. Do you instead mean A+C are the same device ? or that B+C are the same device ?
>> 
>> B+C on the same device seems to make the most sense, I guess. - eg. you want to tunnel your http sessions over your ssh sessions, and use a proxy server (e.g. squid) on your ssh server device. in which case a line like this in the relevant section of your client's ~/.ssh/config would do it:
>> 
>> LocalForward 8080 127.0.0.1:8080
>> 
>> and then set your web browser to use a proxy at 127.0.0.1:8080
>> 
>> /Pete
>> 
>> On 13 Feb 2009, at 13:45, Tony Berth wrote:
>>> Hi Pete,
>>> 
>>> by http proxy you mean your proxy sitting in your machine where you do the ssh to? In my case I want to include the proxy which allows Internet access sitting on the clients terminal and not in the remote machine.
>>> 
>>> Thanks
>>> 
>>> Tony
>>> 
>>> On Fri, Feb 13, 2009 at 1:31 PM, Pete Vickers <p...@systemnet.no> wrote:
>>>> Hi,
>>>> 
>>>> If you're just trying to do an SSH connect via a http proxy, then I do something like this:
>>>> 
>>>> [...]
Re: SOCKS proxy
Hi,

If you're just trying to do an SSH connect via a http proxy, then I do something like this:

[p...@air] ~ cat ~/.ssh/pconn.sh
#!/bin/bash
# pconn.sh - ssh ProxyCommand: reach $1:$2 through an HTTP proxy's CONNECT method
LF=$'\015'                         # carriage return, so request lines end in CRLF
CMD="CONNECT $1:$2 HTTP/1.0"
echo "yyy${CMD}yyy" >&2            # debug: show the request on stderr
# send the request and a blank line, then pass ssh's stdin through to the proxy;
# on the way back, echo the proxy's response headers to stderr up to the blank
# line, then pass everything after it (the ssh stream) through untouched
(echo "$CMD$LF"; echo; cat) | nc proxy_server_ip_address 8080 | \
  (while read L; [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done; cat)

[p...@air] ~ cat ~/.ssh/config
#
#
Host my-server-via-proxy
Hostname my-server.com
ProxyCommand ~/.ssh/pconn.sh %h %p
TCPKeepAlive yes
ServerAliveInterval 30
#
#

and then just

[p...@air] ~ ssh my-server-via-proxy

to connect, but be aware it only works if the proxy admin has not restricted the proxy to prevent the CONNECT method to ports other than 443.

/Pete

On 13 Feb 2009, at 12:34, Tony Berth wrote:

On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com wrote:

On Wed, 11 Feb 2009, Tony Berth wrote:

Hi Diana,

this is a 'dumb' proxy and allows http/https traffic only. So ports 80 and 443! What I'm after is the ssh command I have to issue in order to open a connection from 'a1' to 'a3'! If I read correctly, in case I would have used putty on 'a1' I should do the following: http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls I was wondering if the ssh flag '-L' is doing the same job. By 'httptunnel' you mean the following: http://www.jumperz.net/index.php?i=2a=0b=0

Thanks
Tony

httptunnel now refers to more than one software project to tunnel tcp traffic via an http proxy. Take a look at SSH(1) -C and SSH_CONFIG(5) LocalCommand.

If I'm reading correctly, ssh -C requests compression of the data and ssh_config LocalCommand specifies a command AFTER I was able to make the connection! Sorry, but I don't understand how these 2 things are related to my problem! The proxy is blocking me before any connection can be established. I want to include the data of that proxy in my ssh command in order to make the connection, but how can I achieve that?

Thanks for your help
Tony
Re: SOCKS proxy
Hmm, I can't grok your problem description, since it's ambiguous. There are several devices here:

A. ssh client
B. ssh server
C. http(s) proxy server
D. http(s) proxy client (web browser)

I thought you meant A+D were one device, C was an interim device, and B was the remote device. Do you instead mean A+C are the same device? Or that B+C are the same device? B+C on the same device seems to make the most sense, I guess - e.g. you want to tunnel your http sessions over your ssh sessions, and use a proxy server (e.g. squid) on your ssh server device. In which case a line like this in the relevant section of your client's ~/.ssh/config would do it:

LocalForward 8080 127.0.0.1:8080

and then set your web browser to use a proxy at 127.0.0.1:8080

/Pete

On 13 Feb 2009, at 13:45, Tony Berth wrote:

Hi Pete,

by http proxy you mean your proxy sitting in your machine where you do the ssh to? In my case I want to include the proxy which allows Internet access sitting on the client's terminal and not in the remote machine.

Thanks
Tony

On Fri, Feb 13, 2009 at 1:31 PM, Pete Vickers p...@systemnet.no wrote:

Hi,

If you're just trying to do an SSH connect via a http proxy, then I do something like this:

[p...@air] ~ cat ~/.ssh/pconn.sh
#!/bin/bash
# pconn.sh - ssh ProxyCommand: reach $1:$2 through an HTTP proxy's CONNECT method
LF=$'\015'                         # carriage return, so request lines end in CRLF
CMD="CONNECT $1:$2 HTTP/1.0"
echo "yyy${CMD}yyy" >&2            # debug: show the request on stderr
# send the request and a blank line, then pass ssh's stdin through to the proxy;
# on the way back, echo the proxy's response headers to stderr up to the blank
# line, then pass everything after it (the ssh stream) through untouched
(echo "$CMD$LF"; echo; cat) | nc proxy_server_ip_address 8080 | \
  (while read L; [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done; cat)

[p...@air] ~ cat ~/.ssh/config
#
#
Host my-server-via-proxy
Hostname my-server.com
ProxyCommand ~/.ssh/pconn.sh %h %p
TCPKeepAlive yes
ServerAliveInterval 30
#
#

and then just

[p...@air] ~ ssh my-server-via-proxy

to connect, but be aware it only works if the proxy admin has not restricted the proxy to prevent the CONNECT method to ports other than 443.

/Pete

On 13 Feb 2009, at 12:34, Tony Berth wrote:

On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com wrote:

On Wed, 11 Feb 2009, Tony Berth wrote:

Hi Diana,

this is a 'dumb' proxy and allows http/https traffic only. So ports 80 and 443! What I'm after is the ssh command I have to issue in order to open a connection from 'a1' to 'a3'! If I read correctly, in case I would have used putty on 'a1' I should do the following: http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls I was wondering if the ssh flag '-L' is doing the same job. By 'httptunnel' you mean the following: http://www.jumperz.net/index.php?i=2a=0b=0

Thanks
Tony

httptunnel now refers to more than one software project to tunnel tcp traffic via an http proxy. Take a look at SSH(1) -C and SSH_CONFIG(5) LocalCommand.

If I'm reading correctly, ssh -C requests compression of the data and ssh_config LocalCommand specifies a command AFTER I was able to make the connection! Sorry, but I don't understand how these 2 things are related to my problem! The proxy is blocking me before any connection can be established. I want to include the data of that proxy in my ssh command in order to make the connection, but how can I achieve that?

Thanks for your help
Tony
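The CONNECT exchange that pconn.sh performs, written out as an added Python example; this is not the script from the thread and not part of ssh. It sends the CONNECT request, parses the proxy's status line (a proxy that the admin has restricted to CONNECT on port 443 answers with a non-200 status here, which is a clearer failure than nc silently relaying an HTML error page), passes on any bytes the proxy delivered after the headers (the start of sshd's banner), and then relays stdin/stdout for ssh. The script name, the proxy address placeholders and the fake_proxy() test double are assumptions, not anything from the thread.

```python
#!/usr/bin/env python3
"""ssh ProxyCommand that tunnels through an HTTP proxy with CONNECT.

Added example; not the pconn.sh script from the thread. Assumed usage in
~/.ssh/config (proxy_server_ip_address and 8080 are placeholders):
    ProxyCommand /path/to/connect_proxy.py %h %p proxy_server_ip_address 8080
"""
import select
import socket
import sys


def build_connect_request(host, port):
    """CONNECT request line and headers, CRLF-terminated, ending in a blank line."""
    return ("CONNECT %s:%d HTTP/1.0\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")


def read_connect_response(sock, max_header=8192):
    """Read the proxy's response headers; return (status_code, leftover_bytes).

    Anything after the blank line already belongs to the tunnelled stream
    (typically the start of sshd's banner) and must be passed on, not dropped.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before finishing its headers")
        buf += chunk
        if len(buf) > max_header:
            raise ConnectionError("proxy response headers exceed %d bytes" % max_header)
    headers, _, leftover = buf.partition(b"\r\n\r\n")
    status_line = headers.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError("malformed proxy status line: %r" % status_line)
    return int(parts[1]), leftover


def open_tunnel(proxy_host, proxy_port, host, port):
    """Connect to the proxy and ask it for a tunnel to host:port."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_connect_request(host, port))
    status, leftover = read_connect_response(sock)
    if status != 200:
        sock.close()
        # a proxy restricted to CONNECT on port 443 typically answers 403 here
        raise ConnectionError("proxy refused CONNECT %s:%d with HTTP %d" % (host, port, status))
    return sock, leftover


def relay(sock, leftover, stdin=None, stdout=None):
    """Copy bytes between ssh (our stdin/stdout) and the tunnel until a side closes."""
    stdin = stdin or sys.stdin.buffer
    stdout = stdout or sys.stdout.buffer
    if leftover:
        stdout.write(leftover)
        stdout.flush()
    while True:
        readable, _, _ = select.select([sock, stdin], [], [])
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            stdout.write(data)
            stdout.flush()
        if stdin in readable:
            data = stdin.read1(65536)  # whatever ssh has written so far
            if not data:
                return
            sock.sendall(data)


def fake_proxy(response):
    """Constructed test double: a socket whose peer has already sent `response`."""
    client, proxy = socket.socketpair()
    proxy.sendall(response)
    proxy.close()
    return client


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: %s host port proxy_host proxy_port" % sys.argv[0])
    tunnel, rest = open_tunnel(sys.argv[3], int(sys.argv[4]), sys.argv[1], int(sys.argv[2]))
    relay(tunnel, rest)
```

The same -o option the reply above refers to works from the command line as well: ssh -o 'ProxyCommand /path/to/connect_proxy.py %h %p proxy_server_ip_address 8080' my-server.com. Keeping the leftover bytes is the detail that matters; a ProxyCommand that drops them makes ssh wait forever for a banner the proxy already delivered.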
tcpdump additions : paid work
Hi,

We're interested in getting GTP protocol [1,2] support into OpenBSD's tcpdump, however there doesn't appear to be any upstream support for it [0]. So, if any of the devs are interested in paid work to add this then please drop me a line. This would ideally be someone with CVS write access, so that we're supporting the project more directly. Ethereal/wireshark already has some support [4], so that could be of assistance, but it appears to be GPL. The official protocol specs are freely available from [3].

[0] http://github.com/mcr/tcpdump/tree/master
[1] http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
[2] http://en.wikipedia.org/wiki/GTP%27
[3] http://www.3gpp.org/ftp/Specs/
[4] http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-gtp.c

/Pete
Re: Failover bridge(4) with RSTP
5 minutes smells like an ARP cache timeout, so I'd start by watching arp caches and mac-address tables for clues. Make sure you are running the Foundry equivalent of PVST+ (i.e. a separate instance of STP per vlan, not a single common instance. Probably MSTP?). tcpdump should tell you what is eventually triggering the changeover event, and then you can work back from there.

Some bedtime reading suggestions (Cisco, but the theory is the same):
http://www.cisco.com/application/pdf/paws/24062/146.pdf
http://www.cisco.com/application/pdf/paws/28943/170.pdf
http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_troubleshooting_technotes_list.html

/Pete

On 26 Jan 2009, at 16:40, Jason Dixon wrote:

I'm attempting to setup a failover bridge(4) configuration with RSTP for rapid failover. At this point I'm still tweaking the bridges and switches. We're using a Foundry LS648 for this test, so we don't have Cisco's uplinkFast extension at our disposal. We have two VLANs configured on the switch, each with 802.1w enabled and functioning normally. Plugged into each VLAN is a single client and one interface from each firewall.

10.20.0.2 - vlan200 - bridge0 - vlan300 - 10.20.0.3

Regardless of whether I use rstp (default) or stp (+ ifpriority/ifcost) on the bridges, it always takes ~5 minutes to failover. I noticed that with stp enabled on the physical interfaces, the switch would immediately show the correct bridge as the forwarding root. With the default rstp, the switch shows all ports as designated forwarding. I've also tried disabling learning on the internal interfaces and adding static entries for 10.20.0.3, but this has no effect on the recovery time. Any suggestions on getting a rapid failover working?

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Etherchannel OpenBSD?
From: http://www.cisco.com/en/US/products/hw/switches/ps607/products_configuration_example09186a0080094789.shtml Note: Catalyst 2900XL/3500XL switches do not support LACP. Catalyst 2950/2955 switches support LACP for channel negotiation with Cisco IOS Software Release 12.1(6)EA2 or later. Cisco IOS Software Release 12.0 supports only static configuration. Catalyst 2940 and 2970 support LACP in all Cisco IOS Software releases. /Pete On 23 Dec 2008, at 08:07, Claudio Jeker wrote: On Tue, Dec 23, 2008 at 12:45:23AM +, Stuart Morgan wrote: Hi Nigel and all, Thanks very much for the suggestion, unfortunately my 3500XL doesn't support LACP - perhaps I need a firmware upgrade? *sw1a#sh ver IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC16, RELEASE SOFTWARE (fc1) System image file is flash:c3500xl-c3h2s-mz.120-5.WC16.bin The 3500XL are end of life for a good reason. Those switches are so limited they're not even fun for a lab. Even if you get a newer IOS image for them I doubt they will support LACP. -- :wq Claudio
Re: Per User Bandwidth Limiting
Indeed, I believe whilst the c3750 supports traffic-shaping, the c3550 does not. BTW, instead of assigning a /30 per user, which wastes 75% of your IP address space, try looking at the 'private vlan' IOS command, which should allow you to use much bigger subnets and still control the user-user traffic.

/Pete

On 14 Dec 2008, at 13:10, Marco Matarazzo wrote:

Hi Justin,

I have an ISP situation where there are about 1000 users sitting behind Cisco 3550 switches. Each port is 1 user and is configured with an individual VLAN where each VLAN is assigned a small network subnet and corresponding DHCP scope. The problem is that it seems (so I have been told) these 3550's will not effectively bandwidth limit at the port level. Incoming bandwidth is limited as configured, but outgoing is not. So, I am looking at a pf solution but google is not turning up any specific information for such a situation.

This is not true. It's more tricky, but you can actually limit both inbound and outbound at the port level, and it's quite effective too. Of course OpenBSD is capable of that too, but for 1000 vlans you'll have to split the load across multiple firewalls (or multiple clusters of firewalls) since there are hardcoded limits on the number of queues you can create (256 cbqs and 64 hfsc if I remember well; it's been discussed in the past however!)

The config for the 3550 is something like this:

Define the class-maps (all-in and all-out are different because of hardware limitations):

class-map match-any all-out
 match ip dscp default
class-map match-any all-in
 match access-group 100

Define the policy maps:

policy-map 1mbit-in
 class all-in
  police 1024000 192000 exceed-action drop
policy-map 1mbit-out
 class all-out
  police 1024000 192000 exceed-action drop

And apply the policies to the interfaces:

interface FastEthernet0/4
 description CustomerX
 no switchport
 ip address 1.2.3.4 255.255.255.x
 (or if it's a switchport, just "switchport mode access" and then "switchport access vlan x")
 ip rip advertise 3
 no cdp enable
 service-policy input 1mbit-in
 service-policy output 1mbit-out

Also note that this is rate-limiting, not bandwidth shaping, but it may fit your requirements!

Cheers,
]\/[arco
Re: Longest Uptime?
Okai, here's my $0.02 on the subject: http://systemnet.no/ios-uptime.jpg

/Pete

On 29 Oct 2008, at 18:49, guilherme m. schroeder wrote:

Hi,

Uptimes suck. Here's the biggest I've ever seen in the company I work for:

[EMAIL PROTECTED] ~]$ uname -a
SunOS optg998 5.6 Generic_105181-26 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
[EMAIL PROTECTED] ~]$ uptime
3:40pm up 2639 day(s), 13:50, 1 user, load average: 0.08, 0.07, 0.06
[EMAIL PROTECTED] ~]$ date
Wed Oct 29 15:45:24 BRST 2008
[EMAIL PROTECTED] ~]$ psrinfo -v
Status of processor 0 as of: 10/29/08 15:41:07
Processor has been on-line since 08/08/01 00:50:54.
The sparc processor operates at 440 MHz, and has a sparc floating point processor.
[EMAIL PROTECTED] ~]$ dmesg | tail -5
SUNW,hme0: Using External Transceiver
SUNW,hme0: 100 Mbps half-duplex Link Up
dump on /dev/md/dsk/d50 size 2042608K
SUNW,hme0: Using External Transceiver
SUNW,hme0: full-duplex Link Up

Ok, it's not OpenBSD, blame me. But what I liked is that this machine has been working for 2639 days and it still blinks green leds. The hard disk never gave up either. No errors on dmesg. It's a Netra T1 machine, running our internal DNS server. I think we'll replace it when it dies ;)

On Wed, Oct 29, 2008 at 7:15 AM, Gilles Chehade [EMAIL PROTECTED] wrote:

new_guy wrote:

I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it. Just wondering what's the longest OpenBSD uptime some folks on misc have seen? Thanks

It is not the size of your uptime that matters, it is what you do with it.

Gilles
Re: BSD Port from OpenJDK
Hi,

Whilst I fully acknowledge the stigmatism that goes with java, I'm very grateful to Kurt et al. for making it run under OpenBSD. It has saved me from having to admin extra linux/solaris boxes many times, when customers insist on java. I'm also looking forward to merely pkg_add'ing it instead of playing hunt-the-patch after license clicking, which was previously necessary. Nice work! Appreciated.

/Pete

On 15 Oct 2008, at 02:06, Kurt Miller wrote:

On Tuesday 14 October 2008 11:13:41 am new_guy wrote:

Ben Adams-3 wrote:

Just wondering if this will affect OpenBSD with java: Per the interim governance guidelines for Projects [1] I'm pleased to announce the creation of the BSD Port Project

Java is nasty. There... I said it and it is true. The goopy OOP of Java will tarnish anything it touches. Personally, I hope Java (in all of its virtual glory) never makes it into OpenBSD at all. Real men will cry man tears when OpenBSD ships with Java.

Uninformed. We've had Java for years and now we have packages: ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/jdk-1.7.0.00b24p2.tgz 4.4 will have packages also. Your negativity sucks. Porting Java to OpenBSD was and is not a trivial effort. It also serves as an excellent test bed for threads, the runtime linker and large memory applications. Porting Java to OpenBSD enabled the LOCKSS project to use it for its noble goals. It uncovered deadlocks in our pthread lib that resulted in large improvements to libpthread. Its use of dlopen() and friends resulted in significant improvements in our runtime linker. Oh, and who made those improvements??? The same person who took the time to port Java to OpenBSD!! Me and other OpenBSD developers who saw the need to improve things. BTW, all those system level improvements have made significant stability gains for applications like firefox, KDE, OpenOffice, Asterisk, etc, etc which all use threads and dlopen() a lot.
Quite frankly I'm pretty upset at all the 'Java sucks' banter on misc. If you and the other naysayers don't realize that porting Java to OpenBSD was a 'Good-Thing' then you are just UNINFORMED! -Kurt
Re: Using trunk(4) to put a router in a switch ring
Well, I think you could insert your dual-NIC openbsd host into the switch 'ring' physically, then bridge between the 2 NICs and fire up STP, but be aware that every time you up/down an interface or reboot your openbsd box, you'll trigger an STP recalc - which is around a 45 sec outage across the entire switch infrastructure. (This can be mitigated with PVST and RSTP somewhat.)

/Pete

On 23 Sep 2008, at 14:51, Dave Wilson wrote:

Pete Vickers wrote:

1. create a layer 2 (switched) ring, using spanning tree. - completely independent of openbsd box
2. connect your (dual NIC) openbsd box to 2 separate switches for redundancy, and add both NICs to a trunk group. - redundancy of switch, cabling and NICs.

Pete, thanks for your useful and informative reply. A decent example is worth a paragraph of explanation to me :-) Whilst I would love to do as you suggest, unfortunately my switches only have 2 GbE ports each. My hope was to put the routers in the GbE ring, as otherwise my routers will be bottlenecked by plugging into 100M ports on the switches. As most of my traffic goes through the routers this would be a big issue. I suspect the only way I will really nail down what I can and cannot do will be to get some new switches and build a router and start playing around. The thing that I think is most likely to break is that I already use vlans and carp, and so I will have to work out the proper way to layer physical, bridge, vlan and carp whilst still making sure that packets keep going round the ring. Unless reyk@, porter of the rstp code for bridge, can tell me different...?

SD
Re: Using trunk(4) to put a router in a switch ring
1. create a layer 2 (switched) ring, using spanning tree. - completely independent of openbsd box
2. connect your (dual NIC) openbsd box to 2 separate switches for redundancy, and add both NICs to a trunk group. - redundancy of switch, cabling and NICs.

[EMAIL PROTECTED] ~ ifconfig bge0
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:fe:32:1e:08
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
[EMAIL PROTECTED] ~ ifconfig bge1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:fe:32:1e:08
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
[EMAIL PROTECTED] ~ ifconfig trunk0
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:fe:32:1e:08
        trunk: trunkproto failover
                trunkport bge1 active
                trunkport bge0 master,active
        groups: trunk egress
        media: Ethernet autoselect
        status: active
        inet 1.2.3.4 netmask 0xff00 broadcast 255.255.255.0

been using it for years:

[EMAIL PROTECTED] ~ uname -a
OpenBSD tug 4.0 GENERIC#1107 i386

/Pete

On 22 Sep 2008, at 22:03, Stuart Henderson wrote:

On 2008-09-22, Dave Wilson [EMAIL PROTECTED] wrote:

I'm not sure if trunk or bridge are more appropriate in this case

I think probably bridge with RSTP, but I'm not sure how that will play with vlans (if you use them). I'd like to do something similar, but I have vlans, and as an added twist my interconnects are over third-party vlans, and I'm not especially keen on breaking the third party's switch fabric, so I haven't risked experimenting much with this yet :)
nagios check_via_ssh on (chroot) OpenBSD
Does anyone have it running in a nagios chroot environment?

[EMAIL PROTECTED] / ldd /usr/local/libexec/nagios/check_by_ssh
/usr/local/libexec/nagios/check_by_ssh:
        Start    End      Type Open Ref GrpRef Name
                          exe  1    0   0      /usr/local/libexec/nagios/check_by_ssh
        052b6000 252ba000 rlib 0    1   0      /usr/local/lib/libintl.so.4.0
        0e276000 2e352000 rlib 0    1   0      /usr/local/lib/libiconv.so.4.0
        0e739000 2e76d000 rlib 0    1   0      /usr/lib/libc.so.43.0
        0fc4     0fc4     rtld 0    1   0      /usr/libexec/ld.so

perhaps it looks like the ssh libraries are not needed, but where should the ssh keys be put?

[EMAIL PROTECTED] / grep nagios /etc/passwd
_nagios:*:550:550:Nagios user:/var/www/nagios:/sbin/nologin

in /var/www/nagios/.ssh/ ?

TiA,
Pete Vickers
[EMAIL PROTECTED] | +47 48 17 91 00
SystemNet AS
Re: Is it necessary to recompile OS to apply security patch?
Hi,

Assuming the box is only a DNS server, then the simplest, easiest (in my opinion) way is to take a copy of the DNS related files:

- /etc/rc.conf.local
- /var/named/*
- noting also IP address, hostname etc etc

and then reinstall the o/s from a recent snapshot (downloaded here ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/ or a mirror), which has all the patches pre-applied. Then restore the above files. Job done.

If you're paranoid and inexperienced in unix, then grab a spare machine to do a dry run on that.

/Pete

On 29 Jul 2008, at 18:16, skogzort wrote:

Hello,

I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code and re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch:

Download the tree..
Pre load the tree..
Build the Kernel..
Build the userland..
Etc.

The only thing we use the server for is DNS. I don't know what flavor we are running; since it's on a production server I assume it will be -release or -stable. Either way, from what I've read so far it looks like in order to apply this security patch I will have to update it to -stable, which seems to require that the entire OS be recompiled. Is this correct? Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? I don't mind doing all this since it will give me a chance to learn, it's just that the more steps I have to take, the more chances there are for mistakes. I want to be sure that the way I plan to do the update is the simplest.

I'm only familiar with Windows, where you just push a button to apply a security patch and you don't even have to reboot the server, so I was thinking that I may be misunderstanding what I'm reading.

Thanks very much for your time and any info
Kyle
Re: eeepc via usb pen
1. enable netboot in eee's BIOS settings
2. man 8 pxeboot

/Pete

On 23 Jul 2008, at 16:33, [EMAIL PROTECTED] wrote:

Hi

Sorry for the noise, but I am trying to install openbsd on an eeepc via a usb pen. I have managed to install 4.(1 or 2) in the past but do not seem to be able to get the 4.3 install to boot off a pen. I know I could (hopefully) un-tar the files from the install4.3.iso mounted with loopback on another *nix and copy the fs, then configure everything and dd the mbr (or something like that); the closest I have got is a kernel panic saying "boot too old, upgrade" when I try to boot bsd.rd via grub. But is there an easier way (without buying a usb cdrom) to boot the usb pen as an install source?
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8 As Theo points out, patience is a virtue, and it's the + local tweaking above that is the reason I gratefully use OpenBSD. /Pete On 9 Jul 2008, at 16:45, Zamri Besar wrote: Good morning, Today, I'm received alert from one of my friends regarding to Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning. http://www.kb.cert.org/vuls/id/800113 I checked the above site, and found that most of the *BSD status are unknown. Is this bug affected OpenBSD default bind dns? I'm don't know either the above bug is similar to this thread or not. http://marc.info/?l=openbsd-miscm=118539211412877w=2 -- Thank you. Yours truly, Zamri Besar
DNS patch
Does this mean we should expect one soon ? http://securosis.com/publications/CERT%20Advisory.doc /Pete
Re: OpenBSD project goals
nah, real men wrote a program to write their thesis for them ;-)

/Pete

On 24 Jun 2008, at 22:29, Martin Schröder wrote:

2008/6/24 Pierre Riteau [EMAIL PROTECTED]:

As someone already said earlier, you can write your letter in troff with mg or vi and create a postscript file from that.

Real Men wrote their thesis directly in PostScript using ed. :-)

Best
Martin
Re: pass pasword to ssh
perhaps you could write your script in perl? http://www.openbsd.org/4.3_packages/i386/p5-Net-SSH-Perl-1.30.tgz-long.html

/Pete

On 19 Jun 2008, at 16:31, Stuart Henderson wrote:

On 2008-06-19, Richard Storm [EMAIL PROTECTED] wrote:

I am writing a script that would ssh to a switch and dump the configuration to a file. 1) Since it is a switch, I have no way to make use of public key authentication, because I have no way to store a pubkey on the switch.

Which switch? On my HP switches I can just sftp the public keys in (and fetch the config back out the same way...)

What is the cleanest way to pass a password to ssh?

Not sure about cleanest, but expect (in packages/ports) works ok. You can generate a script with autoexpect and manually edit it.
Re: OT: App to get detailed http measurements
I've had good results with SIEGE http://www.joedog.org/

/Pete

On 14 Jun 2008, at 12:55, Mikolaj Kucharski wrote:

Hi,

This is off topic, but does anyone know a (preferably command-line) utility with which I could test an HTTP server? What interests me is repeated connections and stats on how long it took to do the dns resolve, tcp connect, send request and finally download of data. Really appreciate any tips.

Thanks.

--
best regards
q#
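As an added example, not part of the thread above and not code from siege: a standard-library Python script that times each phase Mikolaj lists (DNS resolve, TCP connect, request send, first byte, full download) over repeated fresh connections, which is what a load tool reports per request. The local HTTP server it starts and the 64 KiB payload it serves are a constructed stand-in so the script runs offline; point measure() at a real host and port to test a real server.

```python
"""Per-phase HTTP timing: DNS resolve, TCP connect, request send, first byte, download.

Added example, not from the thread and not siege. Standard library only; the
local server below is a constructed stand-in so the script runs offline.
"""
import http.server
import socket
import threading
import time


def measure(host, port, path="/", timeout=10.0):
    """One GET over a fresh connection; returns phase durations (seconds) and result."""
    r = {"first_byte": None}
    t0 = time.perf_counter()
    addrs = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    r["dns_resolve"] = time.perf_counter() - t0
    family, socktype, proto, _, sockaddr = addrs[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    chunks = []
    try:
        t1 = time.perf_counter()
        sock.connect(sockaddr)
        r["tcp_connect"] = time.perf_counter() - t1
        # HTTP/1.0 without keep-alive: the server closes when the body is done,
        # so EOF on recv() marks the end of the download
        request = ("GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: phase-timer\r\n\r\n"
                   % (path, host)).encode("ascii")
        t2 = time.perf_counter()
        sock.sendall(request)          # time to hand the request to the kernel
        r["send_request"] = time.perf_counter() - t2
        t3 = time.perf_counter()
        while True:
            data = sock.recv(65536)
            if not data:
                break
            if r["first_byte"] is None:
                r["first_byte"] = time.perf_counter() - t3
            chunks.append(data)
        r["download"] = time.perf_counter() - t3
    finally:
        sock.close()
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace").split()
    r["status"] = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
    r["body_bytes"] = len(body)
    r["total"] = time.perf_counter() - t0
    return r


def repeat(host, port, path="/", n=5):
    """Repeated fresh connections, as a load tool would do; list of per-run dicts."""
    return [measure(host, port, path) for _ in range(n)]


PAYLOAD = b"x" * 65536  # constructed response body served by the local stand-in


class _Handler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, *args):  # keep the timing output uncluttered
        pass


def start_local_server():
    """Constructed stand-in for the server under test; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_local_server()
    for run in repeat("127.0.0.1", port, "/", n=3):
        print({k: (round(v, 6) if isinstance(v, float) else v) for k, v in run.items()})
    srv.shutdown()
```

The phases are measured on a raw socket rather than through urllib so that each boundary (resolver returns, connect() returns, first recv() returns, EOF) is visible; urllib would collapse them into one number.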
nagios monitoring of a remote openntp service
Hi,

Has anybody gotten Nagios' check_ntp_* to play nicely with a remote openntp service? It appears to rely upon services not implemented in openntp?

/Pete
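An added example, not code from Nagios or OpenNTPD: the plain NTP client exchange (mode 3 request, mode 4 reply, offset and delay from the four timestamps as in RFC 5905) that a check of the check_ntp_time kind performs, written in Python. The assumption behind it, which the post above only raises as a question, is that openntpd answers ordinary client queries but not the NTP control messages (mode 6) that check_ntp_peer uses to read peer variables, so a client-mode query is the portable way to monitor it. build_response() is a constructed reply for offline testing, not a real server.

```python
"""Plain NTP client query (mode 3) and RFC 5905 offset/delay calculation.

Added example, not code from Nagios or OpenNTPD. Assumption: openntpd answers
ordinary client queries like this one but not NTP control messages (mode 6),
so this is the kind of check that works against it. build_response() is a
constructed reply for offline testing, not a real server.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
PACKET = struct.Struct("!BBBbIIIQQQQ")  # 48-byte NTP header, network byte order


def to_ntp(unix_time):
    """Unix seconds (float) -> 64-bit NTP fixed-point timestamp."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / float(1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=3, mode=3 (0x1b); only the transmit timestamp is set."""
    return PACKET.pack(0x1B, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def parse_response(data):
    """Validate a server reply and return its fields and timestamps."""
    if len(data) < PACKET.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, orig, recv, xmit) = PACKET.unpack(data[:PACKET.size])
    mode = li_vn_mode & 0x07
    if mode != 4:
        raise ValueError("expected a server reply (mode 4), got mode %d" % mode)
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x07,
            "stratum": stratum, "orig_raw": orig,
            "t1": from_ntp(orig), "t2": from_ntp(recv), "t3": from_ntp(xmit)}


def clock_offset(t1, t2, t3, t4):
    """(offset, round-trip delay) from the four timestamps, per RFC 5905."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def query(host, port=123, timeout=5.0):
    """Send one client query over UDP; returns (offset, delay, stratum)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    reply = parse_response(data)
    # the origin timestamp must echo our transmit timestamp exactly; otherwise
    # this is a stray or forged reply and must not be used
    if reply["orig_raw"] != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request")
    offset, delay = clock_offset(t1, reply["t2"], reply["t3"], t4)
    return offset, delay, reply["stratum"]


def build_response(t1, t2, t3, stratum=2, mode=4):
    """Constructed server reply (LI=0, VN=3) for offline testing."""
    return PACKET.pack((3 << 3) | mode, stratum, 6, -20, 0, 0, 0,
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))


if __name__ == "__main__":
    import sys
    offset, delay, stratum = query(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print("offset %+.6fs delay %.6fs stratum %d" % (offset, delay, stratum))
```

To turn this into a Nagios-style check, alert on abs(offset) above a warning and a critical threshold and treat a ValueError (no reply, wrong mode, stratum 0, origin mismatch) as critical; the origin-timestamp comparison is what stops an unsolicited or spoofed reply from being accepted as a measurement.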