Non-x86 (was: About Xen: maybe a reiterative question but ..)
Theo de Raadt wrote: > x86 virtualization is about basically placing another nearly full > kernel, full of new bugs, on top of a nasty x86 architecture which > barely has correct page protection. He probably meant psychological security, or job security. > ... Then running your operating > system on the other side of this brand new pile of shit. Seriously, what (affordable) non-x86 hardware options are available, especially those without AMT or AMT-like backdoors? http://softwarecommunity.intel.com/articles/eng/1148.htm http://www.intel.com/pressroom/archive/releases/20050301net.htm http://www.intel.com/cd/ids/developer/asmo-na/eng/320959.htm Or is workstation and server hardware covered by CALEA now, too? -Lars
Re: high-end audio drivers [was: OSS audio drivers]
On Wed, Oct 24, 2007 at 12:55:39AM +0200, Jan Stary wrote: > > > What is the relation of OpenBSD's audio drivers to the OSS project? > > > What, if anything, does opensourcing (GPL, I know) their code mean for > > > our audio drivers? In particular, does that mean (future) support for > > > the high-end soundcards such as M-Audio Delta? > > > > There's work in progress on adding support for Delta cards (1010, > > 1010LT, 66, 44), and required features to make them usable (32bit > > encodings, 12 channel capture, higher sample rate, etc...) > > Where can I get in touch with this work and possibly test it? > Is anything commited -> available in curent? > it's not in cvs yet. Below's a diff you can test. It probably only works on delta-1010 and delta-1010LT cards and it's enabled on i386 only. The diff adds support for 32bit samples and 10 channels. Neither capture nor mixer are implemented yet. Feel free to contact me privately if you have questions on that. Anyway if you have any delta card, i'm interested in seeing your card's eeprom contents (in dmesg), the kernel should be compiled on i386 with these options: option ENVY_DEBUG envy* at pci? audio* at envy? Also, let me know if you notice regression with other audio drivers. cheers, -- Alexandre Index: arch/i386/conf/GENERIC === RCS file: /cvs/src/sys/arch/i386/conf/GENERIC,v retrieving revision 1.583 diff -u -p -r1.583 GENERIC --- arch/i386/conf/GENERIC 14 Oct 2007 17:39:46 - 1.583 +++ arch/i386/conf/GENERIC 24 Oct 2007 05:54:38 - @@ -628,6 +628,7 @@ maestro* at pci?# ESS Maestro PCI esa* at pci? # ESS Maestro3 PCI yds* at pci? flags 0x# Yamaha YMF Audio emu* at pci? # SB Live! +#envy* at pci? # VIA Envy24 (aka ICE1712) sb0at isa? port 0x220 irq 5 drq 1 # SoundBlaster sb*at isapnp? ess* at isapnp? # ESS Tech ES188[78], ES888 Index: dev/pci/envy.c === RCS file: dev/pci/envy.c diff -N dev/pci/envy.c --- /dev/null 1 Jan 1970 00:00:00 - +++ dev/pci/envy.c 24 Oct 2007 05:54:38 - 
@@ -0,0 +1,699 @@ +/* + * Copyright (c) 2007 Alexandre Ratchov <[EMAIL PROTECTED]> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef ENVY_DEBUG +#define DPRINTF(...) do { if (envydebug) printf(__VA_ARGS__); } while(0) +#define DPRINTFN(n, ...) do { if (envydebug > (n)) printf(__VA_ARGS__); } while(0) +int envydebug = 1; +#else +#define DPRINTF(...) do {} while(0) +#define DPRINTFN(n, ...) 
do {} while(0) +#endif +#define DEVNAME(sc) ((sc)->dev.dv_xname) + +int envymatch(struct device *, void *, void *); +void envyattach(struct device *, struct device *, void *); +int envydetach(struct device *, int); + +int envy_ccs_read(struct envy_softc *sc, int reg); +void envy_ccs_write(struct envy_softc *sc, int reg, int val); +int envy_cci_read(struct envy_softc *sc, int index); +void envy_cci_write(struct envy_softc *sc, int index, int data); +void envy_i2c_wait(struct envy_softc *sc); +int envy_i2c_read(struct envy_softc *sc, int dev, int addr); +void envy_i2c_write(struct envy_softc *sc, int dev, int addr, int data); +int envy_gpio_read(struct envy_softc *sc); +void envy_gpio_write(struct envy_softc *sc, int data); +void envy_eeprom_read(struct envy_softc *sc, unsigned char *); +void envy_reset(struct envy_softc *sc); +void envy_ak_write(struct envy_softc *sc, int dev, int addr, int data); +int envy_intr(void *); + +int envy_open(void *, int); +void envy_close(void *); +void *envy_allocm(void *, int, size_t, int, int); +void envy_freem(void *, void *, int); +int envy_query_encoding(void *, struct audio_encoding *); +int envy_set_params(void *, int, int, struct audio_params *, +struct audio_params *); +int envy_round_blocksize(void *, int); +size_t envy_round_buffersize(void *, int, size_t); +int envy_trigger_output(void *, void *, void *, int, +void (*)(void *), void *, struct audio_params *); +int envy_tr
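Review bot: in the arch/i386/conf/GENERIC hunk the added line `+#envy* at pci? # VIA Envy24 (aka ICE1712)` is commented out, so the driver is not configured into GENERIC by default. That is reasonable for a driver that the cover note says still lacks capture and mixer support, but it means "enabled on i386 only" really reads "available on i386 only, and only after uncommenting", so the testing instructions (option ENVY_DEBUG, envy* at pci?, audio* at envy?) should say explicitly that the GENERIC line must be uncommented or added to a custom kernel config.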
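Review bot: the new dev/pci/envy.c hunk is unreviewable as posted: every `+#include` line shows no header name, and the prototype list breaks off mid-identifier at `+int envy_tr` although the header announces 699 added lines (`@@ -0,0 +1,699 @@`), so the file should be re-sent intact, preferably as an attachment so the list software does not mangle it. One point visible in what survives: `int envydebug = 1;` and the DPRINTF/DPRINTFN macros exist only under `#ifdef ENVY_DEBUG`, so the eeprom dump the author asks testers to send from dmesg will only appear when that option is set, which the cover note does state but the file itself should document next to the macros.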
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Theo de Raadt <[EMAIL PROTECTED]> wrote: > > Virtualization seems to have a lot of security benefits. > > You've been smoking something really mind altering, and I think you > should share it. Sure! Here's some research one of my colleagues (with whom I've discussed this a lot) did on the topic last year. http://shell.cse.ucdavis.edu/~bill/virt/virt.pdf Ormandy's paper sure is interesting, though. Certainly adds new data. Still, it seems that taking checksums from Dom0 against DomU, with other security layers in front of the DomUs (including a good firewall) doesn't hurt. Layers of defense and all that. > x86 virtualization is about basically placing another nearly full > kernel, full of new bugs, on top of a nasty x86 architecture which > barely has correct page protection. Then running your operating > system on the other side of this brand new pile of shit. Security is really hard, no doubt about it. It just takes a bug in SSH or IPv6 and you've got trouble. But in some cases, the issues can be salvaged to some acceptable criterion, for some definition of acceptable for some particular group. Or perhaps not. That's a risk-benefit analysis. > You've seen something on the shelf, and it has all sorts of pretty > colours, and you've bought it. > > That's all x86 virtualization is. Well, I bought it because it's been working for me for the past few years, and virtualization adds useful capabilities, with or without security benefits, for my purposes. You and the other OpenBSD developers have created an operating system that suits your purposes, and you kindly share it with the rest of the world, no strings attached. I'm grateful, and use OpenBSD extensively in ways that work with the purposes you've developed it. (Basically, as much as I can until I encounter some showstopping problem.) 
But eventually, I find I need other tools for certain things -- parallel scientific programming, SANs, running applications that don't have a snowball's chance in hell of running on OpenBSD, writing applications using runtimes that aren't supported well/at all on OpenBSD, etc. etc. Since I can't run these things on OpenBSD, I will have to run them on someone's buggy, barely correct, proprietary security-hole ridden OS anyways. And if I'm forced to do that, I'm going to use an architecture that at least mitigates the common CIA issues as best as it can, given those circumstances. And of course, continue to use OpenBSD wherever appropriate, buy the OpenBSD project's CDs, encourage others at my University to use it and do the same, and make donations whenever I can. Adam -- "Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
Re: max-src-conn-rate rule question
On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote: > David, > > Was the offending client completing the 3-way handshake every time it > connected? > > For stateful TCP connections, limits on established connections (connections > which have completed the TCP 3-way handshake) can also be enforced > per source IP. The max-src-conn-rate / limit the rate of > new connections over a time interval. The connection rate is an > approximation calculated as a moving average. > > You may also want to use synproxy for ssh and take a look at > max-src-states. I have examples here: http://calomel.org/pf_config.html I didn't respond to this until now, because I wanted to do some research first. As the hosts that are being blocked by this aren't hosts I control, I needed to set up some access on the outside. So it looks like i can run 'nmap -sS -p22 25.103.82.80/28' until doomsday and it will always show as a passed connection. But when i start telnetting to port 22 on machines in this subnet, the fourth 'telnet' connection is blocked, no matter which host I hit previously. So I think that you are correct in that the attackers are not initially completing the 3-way handshake, and are thus not tripping the filter. I'll look into max-src-states, but I think now that I've shown that the actual "attack" (if that's what they are) attempts are blocked properly, I'm not terribly concerned if they can scan the subnet. Thanks, --david > > -- > Calomel @ http://calomel.org > > On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote: > >Nobody? Sad, it's still doing it. > > > > > >On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: > >> I've set up a max-src-conn-rate rule on my gateway router to > >> mitigate brute-force ssh attacks. This router protects a /28 > >> subnet, 25.108.82.80/28. 
> >> > >> The relevant rules: > >> > >> # pfctl -sr | grep attack > >> block drop in log quick proto tcp from to any > >> pass in log proto tcp from any to any port = ssh keep state > >> (source-track rule, max-src-conn-rate 3/30, overload > >> flush global, src.track 30) > >> # > >> > >> What the three columns of output in the below tcpdump output are: > >> timestamp, rule action, and target host. As you can tell from > >> the tcpdump command, the sending host is the same in all cases, > >> 208.53.147.204 > >> > >> # tcpdump -enr /var/log/pflog host 208.53.147.204 \ > >> > | awk '{print $1,$4,$11}' | sed s/.22:// | head -30 > >> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file) > >> 12:09:45.849594 pass 25.103.82.80 > >> 12:09:45.850279 pass 25.103.82.82 > >> 12:09:45.850827 pass 25.103.82.83 > >> 12:09:45.851310 pass 25.103.82.84 > >> 12:09:45.852003 pass 25.103.82.85 > >> 12:09:45.852496 pass 25.103.82.86 > >> 12:09:45.853007 pass 25.103.82.87 > >> 12:09:45.866580 pass 25.103.82.88 > >> 12:09:45.867345 pass 25.103.82.89 > >> 12:09:45.868339 pass 25.103.82.92 > >> 12:09:45.902389 pass 25.103.82.95 > >> 12:25:52.632295 pass 25.103.82.80 > >> 12:25:52.632973 pass 25.103.82.82 > >> 12:25:52.648804 pass 25.103.82.83 > >> 12:25:52.684792 pass 25.103.82.84 > >> 12:25:52.687989 pass 25.103.82.85 > >> 12:25:52.688652 pass 25.103.82.86 > >> 12:25:52.690882 pass 25.103.82.87 > >> 12:25:52.691371 pass 25.103.82.88 > >> 12:25:52.692290 pass 25.103.82.89 > >> 12:25:52.695340 pass 25.103.82.92 > >> 12:25:52.698864 pass 25.103.82.95 > >> 13:08:36.949178 pass 25.103.82.87 > >> 13:08:38.864585 pass 25.103.82.87 > >> 13:08:40.452215 pass 25.103.82.87 > >> 13:08:42.038388 pass 25.103.82.87 > >> 13:08:46.923469 block 25.103.82.88 > >> 13:08:49.922116 block 25.103.82.88 > >> 13:08:50.212040 block 25.103.82.87 > >> 13:08:51.099435 block 25.103.82.87 > >> # > >> > >> It seems to me like this host should have been blocked back at > >> 12:09:45, not 13:08:46. 
Am I misunderstanding the rule? > >> --david
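What the test in the message above established, namely that SYN-only probes such as `nmap -sS` never count toward max-src-conn-rate while completed handshakes do, can be replayed on a small event trace. The following is an added simulation written for this digest, not pf's code: it models `max-src-conn-rate 3/30 ... overload` with a plain sliding window (pf documents its rate as a moving-average approximation, so the exact trip point is a simplification), assumes a per-event "kind" column that pflog itself does not record, reuses the addresses quoted in the thread as constructed sample data, and adds a constructed well-behaved source (192.0.2.10) to show the window sliding past old connections.

```python
"""Per-source connection-rate tracking, simplified from pf's max-src-conn-rate.

Added illustration, not pf's own code. Assumptions: a plain sliding window
stands in for pf's moving-average approximation; only completed 3-way
handshakes count, because pf only creates (and so only counts) a state once
the handshake completes; and a source that trips the limit is treated as if
it were in the overload table and refused from then on.
"""
from collections import defaultdict, deque


def hms(stamp):
    """Convert a pflog-style 'HH:MM:SS.ffffff' timestamp to seconds."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class SourceTracker:
    """Mimics 'max-src-conn-rate N/T ... overload <table>' for one rule."""

    def __init__(self, max_conns=3, interval=30):
        self.max_conns = max_conns
        self.interval = interval
        self.recent = defaultdict(deque)  # src -> timestamps of completed connections
        self.overload_table = set()       # sources that tripped the limit

    def observe(self, ts, src, kind):
        """Classify one attempt: 'pass', 'overload' (this attempt tripped the
        limit) or 'block' (source is already in the overload table)."""
        if src in self.overload_table:
            return "block"
        if kind != "established":
            # A bare SYN (what a half-open scan sends) never completes the
            # handshake, so pf never holds a full state for it: not counted.
            return "pass"
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()  # drop connections older than the interval
        if len(window) > self.max_conns:
            self.overload_table.add(src)
            return "overload"
        return "pass"


# Constructed sample trace modelled on the pflog excerpt in the thread: a
# SYN-only sweep across the /28, then repeated full connections to one host.
# The addresses are the ones quoted in the thread; the "kind" column and the
# 192.0.2.10 source are constructed for this example.
SCANNER = "208.53.147.204"
SAMPLE_EVENTS = [
    ("12:09:45.849594", SCANNER, "25.103.82.80", "syn"),
    ("12:09:45.850279", SCANNER, "25.103.82.82", "syn"),
    ("12:09:45.850827", SCANNER, "25.103.82.83", "syn"),
    ("13:08:36.949178", SCANNER, "25.103.82.87", "established"),
    ("13:08:38.864585", SCANNER, "25.103.82.87", "established"),
    ("13:08:40.452215", SCANNER, "25.103.82.87", "established"),
    ("13:08:42.038388", SCANNER, "25.103.82.87", "established"),  # 4th in 30 s
    ("13:08:46.923469", SCANNER, "25.103.82.88", "established"),
    ("13:08:49.922116", SCANNER, "25.103.82.88", "syn"),
    ("14:00:00.000000", "192.0.2.10", "25.103.82.87", "established"),
    ("14:00:10.000000", "192.0.2.10", "25.103.82.87", "established"),
    ("14:00:20.000000", "192.0.2.10", "25.103.82.87", "established"),
    ("14:00:55.000000", "192.0.2.10", "25.103.82.87", "established"),  # window slid
]


def run(events, max_conns=3, interval=30):
    """Replay (timestamp, src, dst, kind) events in order; return the per-event
    decisions and the final contents of the simulated overload table."""
    tracker = SourceTracker(max_conns, interval)
    decisions = [(stamp, src, dst, kind, tracker.observe(hms(stamp), src, kind))
                 for stamp, src, dst, kind in events]
    return decisions, tracker.overload_table


if __name__ == "__main__":
    decisions, table = run(SAMPLE_EVENTS)
    for stamp, src, dst, kind, verdict in decisions:
        print(f"{stamp} {src:>15} -> {dst} {kind:<11} {verdict}")
    print("overload table:", sorted(table))
```

Replaying the trace, the three scan probes pass without ever touching the window, the fourth completed connection within 30 seconds trips the limit, everything from that source is refused afterwards regardless of handshake state, and the slow source stays clean because its first three connections have aged out by the time the fourth arrives. The simulation also shows why the "flush global" discussion elsewhere in the thread matters: once a source is in the table, the decision no longer depends on the rate at all.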
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Ben Goren <[EMAIL PROTECTED]> wrote: > But that's about it. I suppose running Windows virtual machines on > a real OpenBSD machine might ``have a lot of security benefits'' > in some perverted sense of the words, but it's not like the VM is > magically going to protect the virtual machines or anything. And That's why you use a virtual firewall with openbsd in front of it!!! > if the Windows virtual machines can still talk to the outside > world or to each other (via simulated network interfaces, for > example), even those ``security benefits'' won't mean much. Heh. Read any of the recent advisories against vmware? Real world exploits are already out there. AIUI, to fix the current set of problems, you basically have to turn off vmware tools. Right now, you do have to attack the guest before you can get to the host, but I'm sure there's a malicious packet out there, somewhere, that can tickle the system just right, and skip past all that straight into the host. If you do take that as the gospel truth, please, at least, buy the freaking CD, yeah? -- "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.
Re: max-src-conn-rate rule question
On Tue, Oct 23, 2007 at 05:59:31PM -0700, Rob wrote: > On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote: > > On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote: > > > Note that I wouldn't use a flush global directive for a rule like > > > this, because it can lead to a neat DoS where somebody can spoof one > > > of your own IP addresses and shut down any ssh sessions you have > > > active. > > > > > > Here's a working sample from my own currently active pf file: > > > > > > pass in on $ext proto tcp to port smtp keep state \ > > >(max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \ > > >queue 6smtp > > > > Mine's pretty similar, if a bit more verbose. And I don't use > > max-src-conn or queueing. > > Huh. > > What's your output from pfctl -s rules -v ? From my original email... > > > > > # pfctl -sr | grep attack > > > > > block drop in log quick proto tcp from to any > > > > > pass in log proto tcp from any to any port = ssh keep state > > > > > (source-track rule, max-src-conn-rate 3/30, overload > > > > > flush global, src.track 30) > > > > > # > > Also, I should parrot some of the earlier conversations that have been > on this list on this subject (limiting attempts at ssh attacks). Doing > this with a max-src-conn-rate rule probably isn't what you really want > to do anyway; there are some good log file analyzers which would be > better suited to this (see http://www.ossec.net/, > http://www.ossec.net/en/attacking-loganalysis.html, and > http://marc.info/?l=openbsd-misc&m=118660109014882&w=2); strong ssh > passwords are the best defense against dictionary attacks; etc. At > best, all you're really doing is keeping your authlog a bit leaner, > and maybe compiling a list of evildoers. Understood that this is not going to be a be-all end-all from a security perspective, and that it isn't going to save me from being stupid and having weak passwords. It's still a useful mitigating control. 
That said, my original question wasn't about whether or not this is a good idea, it's about why what PF claims to do and what PF does seem to be different. --david
Re: About Xen: maybe a reiterative question but ..
On 2007 Oct 23, at 5:57 PM, [EMAIL PROTECTED] wrote: > Virtualization seems to have a lot of security benefits. ``Seems'' is the key word, here. On hardware like an IBM mainframe that can actually support what's necessary for secure virtual machines, sure. On x86? Well, it'll keep your kid sister out. Virtualization is wonderful for simultaneously running different operating systems on the same (beefy) computer, especially for development or testing purposes. If you occasionally need to run something on an operating system other than your preferred one, it's great -- saves you the extra hardware or the reboot, lets you do snapshots, etc. For Windows, it's also wonderful. You basically have to be nuts to have a single Windows server* doing more than one thing, but virtualization lets you do exactly that with relative impunity. It's like splinting a broken leg and giving a huge shot of painkillers to the victim -- you'd never know the leg was broken. But that's about it. I suppose running Windows virtual machines on a real OpenBSD machine might ``have a lot of security benefits'' in some perverted sense of the words, but it's not like the VM is magically going to protect the virtual machines or anything. And if the Windows virtual machines can still talk to the outside world or to each other (via simulated network interfaces, for example), even those ``security benefits'' won't mean much. Cheers, b& * Yes, the full stop here is appropriate.
Re: max-src-conn-rate rule question
On October 23, 2007 07:30:25 pm david l goodrich wrote: > On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote: > > On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote: > > > Nobody? Sad, it's still doing it. > > > > > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: > > > > I've set up a max-src-conn-rate rule on my gateway router to > > > > mitigate brute-force ssh attacks. This router protects a /28 > > > > subnet, 25.108.82.80/28. > > > > > > > > The relevant rules: > > > > > > > > # pfctl -sr | grep attack > > > > block drop in log quick proto tcp from to any > > > > pass in log proto tcp from any to any port = ssh keep state > > > > (source-track rule, max-src-conn-rate 3/30, overload > > > > flush global, src.track 30) > > > > # > > > > > > > > What the three columns of output in the below tcpdump output are: > > > > timestamp, rule action, and target host. As you can tell from > > > > the tcpdump command, the sending host is the same in all cases, > > > > 208.53.147.204 > > > > I'm not a pf newbie by any means, but I'm not really qualified to > > answer questions about it either. That said, I don't usually use an > > '=' sign in my pf rules, and the pf faq doesn't list that as one of > > the accepted operators for the port range > > (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being > > parsed correctly, it would cause the behavior you're seeing. Try, > > I don't have an = sign in my rule, either, i have it in pf.conf as: > > pass in log proto tcp from any to any port ssh \ > keep state (max-src-conn-rate 3/30, \ > overload flush global) > > but when i look at my rules with pfctl -sr it shows the =. > > > block in log quick proto tcp port ssh keep state \ > >(source-track rule, max-src-conn-rate 3 / 30 overload > > , src.track 30) > > I want to pass ssh traffic by default, so a block rule won't be > terribly helpful. 
> > > Note that I wouldn't use a flush global directive for a rule like > > this, because it can lead to a neat DoS where somebody can spoof one > > of your own IP addresses and shut down any ssh sessions you have > > active. > > > > Here's a working sample from my own currently active pf file: > > > > pass in on $ext proto tcp to port smtp keep state \ > >(max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \ > >queue 6smtp > > Mine's pretty similar, if a bit more verbose. And I don't use > max-src-conn or queueing. > --david > > > (FYI, the smtp-overload table moves traffic to a queue that simply > > throttles the connections a little.) > > > > - R. I tried various combinations on my test machine and noticed the following pattern. Setting the max-src-conn to be twice the max-src-conn-rate seems to work better at stopping brute-force SSH attempts. Probably there is no rational basis for this observation and there must be some other explanation. I did try a few combinations and it seemed to have had a positive impact in getting the IP address to the sshd_attackers table at the right max-src-conn-rate. So I am wondering if pass in log proto tcp from any to any port ssh keep state (max-src-conn 6 max-src-conn-rate 3/30, overload flush global) would be an appropriate thing for you to try. Anyways, hope this helps in some way. -- Vijay Sankar, M.Eng., P.Eng. President & CEO ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: About Xen: maybe a reiterative question but ..
On Tue, 23 Oct 2007, Theo de Raadt wrote: > > Virtualization seems to have a lot of security benefits. > > You've been smoking something really mind altering, and I think you > should share it. > > x86 virtualization is about basically placing another nearly full > kernel, full of new bugs, on top of a nasty x86 architecture which > barely has correct page protection. Then running your operating > system on the other side of this brand new pile of shit. > > You are absolutely deluded, if not stupid, if you think that a > worldwide collection of software engineers who can't write operating > systems or applications without security holes, can then turn around > and suddenly write virtualization layers without security holes. cf. http://taviso.decsystem.org/virtsec.pdf
Re: About Xen: maybe a reiterative question but ..
> Virtualization seems to have a lot of security benefits. You've been smoking something really mind altering, and I think you should share it. x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it. That's all x86 virtualization is.
Re: max-src-conn-rate rule question
On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote: > On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote: > > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: > > > > I've set up a max-src-conn-rate rule on my gateway router to > > > > mitigate brute-force ssh attacks. This router protects a /28 > > > > subnet, 25.108.82.80/28. > > > > > > > > The relevant rules: > > > > > > > > # pfctl -sr | grep attack > > > > block drop in log quick proto tcp from to any > > > > pass in log proto tcp from any to any port = ssh keep state > > > > (source-track rule, max-src-conn-rate 3/30, overload > > > > flush global, src.track 30) > > > > # > > > > I'm not a pf newbie by any means, but I'm not really qualified to > > answer questions about it either. That said, I don't usually use an > > '=' sign in my pf rules, and the pf faq doesn't list that as one of > > the accepted operators for the port range > > (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being > > parsed correctly, it would cause the behavior you're seeing. Try, > > I don't have an = sign in my rule, either, i have it in pf.conf as: > > pass in log proto tcp from any to any port ssh \ > keep state (max-src-conn-rate 3/30, \ > overload flush global) > > but when i look at my rules with pfctl -sr it shows the =. > > > > > block in log quick proto tcp port ssh keep state \ > >(source-track rule, max-src-conn-rate 3 / 30 overload > > , src.track 30) > > I want to pass ssh traffic by default, so a block rule won't be > terribly helpful. Whoops, that was a big ol' typo. That should've been a pass, sorry. > > Note that I wouldn't use a flush global directive for a rule like > > this, because it can lead to a neat DoS where somebody can spoof one > > of your own IP addresses and shut down any ssh sessions you have > > active. 
> > > > Here's a working sample from my own currently active pf file: > > > > pass in on $ext proto tcp to port smtp keep state \ > >(max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \ > >queue 6smtp > > Mine's pretty similar, if a bit more verbose. And I don't use > max-src-conn or queueing. Huh. What's your output from pfctl -s rules -v ? Also, I should parrot some of the earlier conversations that have been on this list on this subject (limiting attempts at ssh attacks). Doing this with a max-src-conn-rate rule probably isn't what you really want to do anyway; there are some good log file analyzers which would be better suited to this (see http://www.ossec.net/, http://www.ossec.net/en/attacking-loganalysis.html, and http://marc.info/?l=openbsd-misc&m=118660109014882&w=2); strong ssh passwords are the best defense against dictionary attacks; etc. At best, all you're really doing is keeping your authlog a bit leaner, and maybe compiling a list of evildoers. - R.
Re: About Xen: maybe a reiterative question but ..
Virtualization seems to have a lot of security benefits. Rootkits can lie to DomU but not Dom0, and of course snapshotting, migration etc is *really* nice. Dom0 in OpenBSD in a current Xen implementation (with HVM) would be a dream. I'd switch wholesale, and buy a CD for every server (as I do now). But doubtless there are a whole host of issues, kernel, SMP, bootloaders (I found OpenBSD's bootloader to be superior to grub in Ubuntu 7.10, it detects media bay HDs, and the installer is fast, efficient, and doesn't crap out on certain video cards/monitors), an LVM, iSCSI support -- and I have no code to contribute, so I will merely remain hopeful without expectation. I tried NetBSD Xen, but it seemed the worst of both worlds. Pf circa 3.7, hacks for grub, old version of Xen (2.x series IIRC) without support for the most interesting features, not the same level of security focus, etc. So I just picked the best tool for the job. I'm happier our webservers are now on OpenBSD with CARP failover. -- "Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu -Original Message- From: Luca Corti <[EMAIL PROTECTED]> Date: Tue, 23 Oct 2007 10:03:42 To:ropers <[EMAIL PROTECTED]> Cc:Jeff Quast <[EMAIL PROTECTED]>, OpenBSD-Misc , Nick Guenther <[EMAIL PROTECTED]> Subject: Re: About Xen: maybe a reiterative question but .. On Tue, 2007-10-23 at 01:11 +0200, ropers wrote: > unavoidable. The question is, is that a worthwhile trade-off? Is this > a reason not to support Xen? Or should the user be given that option > regardless of the inherent limitations and consequences? A proper Dom0 port of XEN to OpenBSD would solve this by removing the linux dependency. However this would probably require a significant effort on OpenBSD side and a XEN Hypervisor code audit. Also from earlier discussion on the list it seems this kind of virtualization may impact on security, which is in direct contrast with OpenBSD goals. Can someone elaborate more on this? ciao Luca
Re: About Xen: maybe a reiterative question but ..
On Tue, Oct 23, 2007 at 03:16:31PM +0300, Lars Noodén wrote: > Granted that quote is from a competitor (VMware, which seems to be a > broken linux kernel) but MS has 'partnered' with XenSource and we know > what the ultimate results will be. > > The choices narrow. > Can kqemu be compiled for OBSD? Is virtualbox an option? I have the kqemu module working on OpenBSD. This is OpenBSD-current, qemu from cvs with some changes, and kqemu-1.3.0pre11 + openbsd lkm code. With Windows 2003 as a guest it seems to do -kernel-kqemu too. However, OpenBSD currently does not work as a guest with the kqemu module (with linux or openbsd as the host, it doesn't matter).
Re: max-src-conn-rate rule question
On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote: > On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote: > > Nobody? Sad, it's still doing it. > > > > > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: > > > I've set up a max-src-conn-rate rule on my gateway router to > > > mitigate brute-force ssh attacks. This router protects a /28 > > > subnet, 25.108.82.80/28. > > > > > > The relevant rules: > > > > > > # pfctl -sr | grep attack > > > block drop in log quick proto tcp from to any > > > pass in log proto tcp from any to any port = ssh keep state > > > (source-track rule, max-src-conn-rate 3/30, overload > > > flush global, src.track 30) > > > # > > > > > > What the three columns of output in the below tcpdump output are: > > > timestamp, rule action, and target host. As you can tell from > > > the tcpdump command, the sending host is the same in all cases, > > > 208.53.147.204 > > I'm not a pf newbie by any means, but I'm not really qualified to > answer questions about it either. That said, I don't usually use an > '=' sign in my pf rules, and the pf faq doesn't list that as one of > the accepted operators for the port range > (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being > parsed correctly, it would cause the behavior you're seeing. Try, I don't have an = sign in my rule, either, i have it in pf.conf as: pass in log proto tcp from any to any port ssh \ keep state (max-src-conn-rate 3/30, \ overload flush global) but when i look at my rules with pfctl -sr it shows the =. > > block in log quick proto tcp port ssh keep state \ >(source-track rule, max-src-conn-rate 3 / 30 overload > , src.track 30) I want to pass ssh traffic by default, so a block rule won't be terribly helpful. > > Note that I wouldn't use a flush global directive for a rule like > this, because it can lead to a neat DoS where somebody can spoof one > of your own IP addresses and shut down any ssh sessions you have > active. 
> > Here's a working sample from my own currently active pf file: > > pass in on $ext proto tcp to port smtp keep state \ >(max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \ >queue 6smtp Mine's pretty similar, if a bit more verbose. And I don't use max-src-conn or queueing. --david > > (FYI, the smtp-overload table moves traffic to a queue that simply > throttles the connections a little.) > > - R.
high-end audio drivers [was: OSS audio drivers]
> > What is the relation of OpenBSD's audio drivers to the OSS project? > > What, if anything, does opensourcing (GPL, I know) their code mean for > > our audio drivers? In particular, does that mean (future) support for > > the high-end soundcards such as M-Audio Delta? > > There's work in progress on adding support for Delta cards (1010, > 1010LT, 66, 44), and required features to make them usable (32bit > encodings, 12 channel capture, higher sample rate, etc...) Where can I get in touch with this work and possibly test it? Is anything committed -> available in current? Thanks Jan
Re: Network Time Synchronization using timed or ntpd or a Combination?
2007/10/23, Darrin Chandler <[EMAIL PROTECTED]>: > pool.ntp.org and score quite well. In fact, they compare favorably to > servers running the more "heavyweight" ntp daemons. While we are talking about ntpd: Is there hope of an update of the portable version? The Debian port is still at 3.9... Best Martin PS: http://www.openntpd.org is also still at 3.9...
Re: Network Time Synchronization using timed or ntpd or a Combination?
Henning Brauer wrote: * Boris Goldberg <[EMAIL PROTECTED]> [2007-10-23 15:50]: CP> One system would get time from the NTP pool and all other servers on CP> the network would sync to the local server. You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough). that is bad advice. it is not only much more work to set up, it also doesn't remotely yield the same results. ntpd is much much better, since it doesn't rely on a single answer from some server to set the clock, and because it adjusts the clock frequency over time. there is not much point in using rdate at all. From what I have read in this thread, it looks like only one guy prefers the old timed and rdate tools. A few are even telling him he is giving bad advice when promoting the usage of these tools. Henning mentioned that rdate and timed are pretty much useless and others have said that timed is obsolete. So why don't we remove them from the source tree? Last night when I was researching a way to sync my clocks I became confused as to what I should be using. This thread and Henning's OpenNTPD presentation at http://www.openbsd.org/papers/ntpd_sucon04/index.html definitely cleared things up and answered all my questions. Thanks to all that replied and Henning for leading the OpenNTPD project. -pachl
Re: Network Time Synchronization using timed or ntpd or a Combination?
Theo de Raadt wrote:

That is a very interesting anecdote. That has got to make Henning proud; hell I'm proud of him. The amazing thing is that the ntpd binary on my i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD media center is 263K, not to mention all of the other ntp* binaries, which bring total size to 426K. Plus, OpenNTPD has privilege separation!

Try statically linking them, and then look at the numbers again.

Well, I'm not going to do that, but I think I understand the point that Theo is making.

(OpenBSD)
[EMAIL PROTECTED] ldd /usr/sbin/ntpd
/usr/sbin/ntpd:
        Start    End      Type Open Ref GrpRef Name
                          exe  1    0   0      /usr/sbin/ntpd
        05c18000 25c4c000 rlib 0    1   0      /usr/lib/libc.so.40.3
        0334b000 0334b000 rtld 0    1   0      /usr/libexec/ld.so

(FreeBSD)
[EMAIL PROTECTED] ldd /usr/sbin/ntpd
/usr/sbin/ntpd:
        libm.so.4 => /lib/libm.so.4 (0x280b)
        libmd.so.3 => /lib/libmd.so.3 (0x280c9000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x280d6000)
        libc.so.6 => /lib/libc.so.6 (0x281cd000)
Re: writing non-ascii characters via SSH
On Tue, Oct 23, 2007 at 09:40:08AM -0400, Juan Miscaro wrote:
> I am currently experiencing difficulty in writing text files containing
> French characters on my OpenBSD 4.0 server via SSH.
>
> On both the FreeBSD client system and on the OpenBSD server system I
> have the following:
>
> ~/.profile:
>
> export LANG="C"
> export LC_CTYPE="fr_CA.ISO8859-1"
> export LC_COLLATE="fr_CA.ISO8859-1"

Could you try setting LANG to fr_CA.ISO8859-1 (on each box)?
Re: max-src-conn-rate rule question
On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> Nobody? Sad, it's still doing it.
>
>
> On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > I've set up a max-src-conn-rate rule on my gateway router to
> > mitigate brute-force ssh attacks. This router protects a /28
> > subnet, 25.108.82.80/28.
> >
> > The relevant rules:
> >
> > # pfctl -sr | grep attack
> > block drop in log quick proto tcp from to any
> > pass in log proto tcp from any to any port = ssh keep state
> > (source-track rule, max-src-conn-rate 3/30, overload
> > flush global, src.track 30)
> > #
> >
> > What the three columns of output in the below tcpdump output are:
> > timestamp, rule action, and target host. As you can tell from
> > the tcpdump command, the sending host is the same in all cases,
> > 208.53.147.204

I'm not a pf newbie by any means, but I'm not really qualified to answer questions about it either. That said, I don't usually use an '=' sign in my pf rules, and the pf faq doesn't list that as one of the accepted operators for the port range (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being parsed correctly, it would cause the behavior you're seeing.

Try,

block in log quick proto tcp port ssh keep state \
    (source-track rule, max-src-conn-rate 3 / 30 overload , src.track 30)

Note that I wouldn't use a flush global directive for a rule like this, because it can lead to a neat DoS where somebody can spoof one of your own IP addresses and shut down any ssh sessions you have active.

Here's a working sample from my own currently active pf file:

pass in on $ext proto tcp to port smtp keep state \
    (max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \
    queue 6smtp

(FYI, the smtp-overload table moves traffic to a queue that simply throttles the connections a little.)

- R.
Re: max-src-conn-rate rule question
David,

Was the offending client completing the 3-way handshake every time it connected?

For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced per source IP. The max-src-conn-rate / limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.

You may also want to use synproxy for ssh and take a look at max-src-states.

I have examples here: http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
>Nobody? Sad, it's still doing it.
>
>
>On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
>> I've set up a max-src-conn-rate rule on my gateway router to
>> mitigate brute-force ssh attacks. This router protects a /28
>> subnet, 25.108.82.80/28.
>>
>> The relevant rules:
>>
>> # pfctl -sr | grep attack
>> block drop in log quick proto tcp from to any
>> pass in log proto tcp from any to any port = ssh keep state
>> (source-track rule, max-src-conn-rate 3/30, overload
>> flush global, src.track 30)
>> #
>>
>> What the three columns of output in the below tcpdump output are:
>> timestamp, rule action, and target host. As you can tell from
>> the tcpdump command, the sending host is the same in all cases,
>> 208.53.147.204
>>
>> # tcpdump -enr /var/log/pflog host 208.53.147.204 \
>> > | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
>> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
>> 12:09:45.849594 pass 25.103.82.80
>> 12:09:45.850279 pass 25.103.82.82
>> 12:09:45.850827 pass 25.103.82.83
>> 12:09:45.851310 pass 25.103.82.84
>> 12:09:45.852003 pass 25.103.82.85
>> 12:09:45.852496 pass 25.103.82.86
>> 12:09:45.853007 pass 25.103.82.87
>> 12:09:45.866580 pass 25.103.82.88
>> 12:09:45.867345 pass 25.103.82.89
>> 12:09:45.868339 pass 25.103.82.92
>> 12:09:45.902389 pass 25.103.82.95
>> 12:25:52.632295 pass 25.103.82.80
>> 12:25:52.632973 pass 25.103.82.82
>> 12:25:52.648804 pass 25.103.82.83
>> 12:25:52.684792 pass 25.103.82.84
>> 12:25:52.687989 pass 25.103.82.85
>> 12:25:52.688652 pass 25.103.82.86
>> 12:25:52.690882 pass 25.103.82.87
>> 12:25:52.691371 pass 25.103.82.88
>> 12:25:52.692290 pass 25.103.82.89
>> 12:25:52.695340 pass 25.103.82.92
>> 12:25:52.698864 pass 25.103.82.95
>> 13:08:36.949178 pass 25.103.82.87
>> 13:08:38.864585 pass 25.103.82.87
>> 13:08:40.452215 pass 25.103.82.87
>> 13:08:42.038388 pass 25.103.82.87
>> 13:08:46.923469 block 25.103.82.88
>> 13:08:49.922116 block 25.103.82.88
>> 13:08:50.212040 block 25.103.82.87
>> 13:08:51.099435 block 25.103.82.87
>> #
>>
>> It seems to me like this host should have been blocked back at
>> 12:09:45, not 13:08:46. Am I misunderstanding the rule?
>> --david
>>
>> [demime 1.01d removed an attachment of type application/pgp-signature which
>had a name of signature.asc]
>
>[demime 1.01d removed an attachment of type application/pgp-signature which
>had a name of signature.asc]
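The pattern debated in this thread, collected into one complete pf.conf fragment. This is an added illustration for the thread, not a configuration posted by any participant: the interface macro, the table name `<bruteforce>` and the `log` keyword are assumptions, and the 3/30 threshold is the one from the original question. It reflects the points made above: for stateful TCP, pf counts a source's connections toward these limits once the handshake completes (so half-open probes never move a source into the table, which is why the handshake question matters), the `quick` block rule on the table sits before the pass rule so listed sources never reach it, and `flush global` is left out because of the spoofing concern R. raised.

```pf
# Constructed example for the ssh rate-limit discussion; not from the
# thread.  Assumed: the external interface macro and the table name.
ext_if = "em0"

# Sources that exceed the limit are added here.  'persist' keeps the
# table alive even when no rule currently references it.
table <bruteforce> persist

# Evaluate the table first.  'quick' ends rule processing, so a listed
# source can never reach the pass rule below and create new state.
block drop in log quick on $ext_if proto tcp from <bruteforce> to any

# Track each source separately: more than 3 completed connections in
# 30 seconds moves the source into the table.  'flags S/SA' creates
# state only on the initial SYN.  No 'flush global': it would tear down
# every state from that source, which R. noted can be abused with a
# spoofed address to kill legitimate sessions.
pass in log on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 3/30, overload <bruteforce>)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to tell whether a rule is being read the way you expect. `pfctl -t bruteforce -T show` lists the sources currently blocked, and a daily cron entry running `pfctl -t bruteforce -T expire 86400` removes entries older than a day so a block does not persist indefinitely.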
Re: Network Time Synchronization using timed or ntpd or a Combination?
Chris Kuethe <[EMAIL PROTECTED]> wrote:

> If that's not good enough for you, the ntp.org daemon is in ports.

Actually, the ntp.org daemon performs poorly on OpenBSD since we don't
supply ntp_adjtime(2).

--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
> That is a very interesting anecdote. That has got to make Henning proud;
> hell I'm proud of him. The amazing thing is that the ntpd binary on my
> i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD
> media center is 263K, not to mention all of the other ntp* binaries,
> which bring total size to 426K. Plus, OpenNTPD has privilege separation!

Try statically linking them, and then look at the numbers again.
Re: max-src-conn-rate rule question
Nobody? Sad, it's still doing it.

On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> I've set up a max-src-conn-rate rule on my gateway router to
> mitigate brute-force ssh attacks. This router protects a /28
> subnet, 25.108.82.80/28.
>
> The relevant rules:
>
> # pfctl -sr | grep attack
> block drop in log quick proto tcp from to any
> pass in log proto tcp from any to any port = ssh keep state
> (source-track rule, max-src-conn-rate 3/30, overload
> flush global, src.track 30)
> #
>
> What the three columns of output in the below tcpdump output are:
> timestamp, rule action, and target host. As you can tell from
> the tcpdump command, the sending host is the same in all cases,
> 208.53.147.204
>
> # tcpdump -enr /var/log/pflog host 208.53.147.204 \
> > | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 12:09:45.849594 pass 25.103.82.80
> 12:09:45.850279 pass 25.103.82.82
> 12:09:45.850827 pass 25.103.82.83
> 12:09:45.851310 pass 25.103.82.84
> 12:09:45.852003 pass 25.103.82.85
> 12:09:45.852496 pass 25.103.82.86
> 12:09:45.853007 pass 25.103.82.87
> 12:09:45.866580 pass 25.103.82.88
> 12:09:45.867345 pass 25.103.82.89
> 12:09:45.868339 pass 25.103.82.92
> 12:09:45.902389 pass 25.103.82.95
> 12:25:52.632295 pass 25.103.82.80
> 12:25:52.632973 pass 25.103.82.82
> 12:25:52.648804 pass 25.103.82.83
> 12:25:52.684792 pass 25.103.82.84
> 12:25:52.687989 pass 25.103.82.85
> 12:25:52.688652 pass 25.103.82.86
> 12:25:52.690882 pass 25.103.82.87
> 12:25:52.691371 pass 25.103.82.88
> 12:25:52.692290 pass 25.103.82.89
> 12:25:52.695340 pass 25.103.82.92
> 12:25:52.698864 pass 25.103.82.95
> 13:08:36.949178 pass 25.103.82.87
> 13:08:38.864585 pass 25.103.82.87
> 13:08:40.452215 pass 25.103.82.87
> 13:08:42.038388 pass 25.103.82.87
> 13:08:46.923469 block 25.103.82.88
> 13:08:49.922116 block 25.103.82.88
> 13:08:50.212040 block 25.103.82.87
> 13:08:51.099435 block 25.103.82.87
> #
>
> It seems to me like this host should have been blocked back at
> 12:09:45, not 13:08:46. Am I misunderstanding the rule?
> --david
>
> [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: Network Time Synchronization using timed or ntpd or a Combination?
Darrin Chandler wrote:

On Tue, Oct 23, 2007 at 11:49:57AM -0600, Chris Kuethe wrote:

On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote:

The ntpd from OBSD is raw and lame yet. It takes days (!) to really synchronize, adjusting time and clock frequency back and forth (even if you start with -s) so it's too early to say that using it is "right". It will be "right" after it matures, gets more useful synchronization algorithm and it's own ntpdate (or a parameter to synchronize and exit).

Blah blah blah.

time1 and time2.srv.ualberta.ca are both running openntpd driven by nmea(4) sensors. As is my home workstation. They wibble around within a microsecond or two of the sensor's time, probably due to a) interrupt handling and b) temperature changes caused by the air conditioner or cats sleeping on the case.

And my servers are in a windowless room under a lot of concrete and steel, so there's no good way to get GPS or radio data, and I'm using other time servers on the internet to sync. They keep time very well, on sparc64 and amd64, and both are in pool.ntp.org and score quite well. In fact, they compare favorably to servers running the more "heavyweight" ntp daemons.

That is a very interesting anecdote. That has got to make Henning proud; hell I'm proud of him. The amazing thing is that the ntpd binary on my i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD media center is 263K, not to mention all of the other ntp* binaries, which bring total size to 426K. Plus, OpenNTPD has privilege separation!
Re: Is the PF mailinglist still blocking gmail users?
"Siju George" <[EMAIL PROTECTED]> writes:

> Just wondering if the PF mailing list is still blocking gmail users.
> Can't contact Daniel because his email ID is also on the same mail server.

It could be that gmail's pool of possible outgoing servers is a little too big and the retries too random for greylisting to work all by itself and benzedrine.cx isn't willing to whitelist all that much address space.

Fortunately gmail's SPF records appear to be up to date, so whitelisting what comes out of there should work, if benzedrine.cx wants to go down that route.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Can anyone recommend a cheap and mature, well-supported graphics board for OpenBSD?
On Tue, 23 Oct 2007, ropers wrote:

In case I end up making a (small) new purchase: Are there any vendors who have been behaving well documentation-wise, and whom I should reward with my custom?

In my opinion: ATI.

Has anyone been a dick who should be avoided?

Nvidia.

--
Antti Harri
Problem with raid 1 in server dell
Hi list,

My system froze and on reboot it shows:

/dev/rsd0a: file system is clean;not checking
/dev/rsd0d: file system is clean;not checking
/dev/rsd0e: file system is clean;not checking
/dev/rsd0g: INCORRECT BLOCK COUNT I=2699655 (20 should be 16) (CORRECTED)
PARTIALLY TRUNCATED INODE I=19268881
/dev/rsd0g:UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
THE FOLLOWING FILE SYSTEN HAD AN UNEXPECTED INCOSISTENCY:
ffs: /dev/rsd0g(/var)
Automatic File system check failed: help!
Enter pathname of shell or RETURN for sh:

I think this problem is due to an incompatibility with the RAID controller SAS5IR, but the OpenBSD page says this hardware is supported. I have two SATA hard disks in RAID 1.

dmesg

OpenBSD 4.1-stable (GENERIC.MP) #0: Wed Oct 10 10:43:00 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU 3050 @ 2.13GHz ("GenuineIntel" 686-class) 2.14 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 2146795520 (2096480K)
avail mem = 1952034816 (1906284K)
using 4278 buffers containing 107462656 bytes (104944K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 04/04/07, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.4 @ 0xfa5b0 (48 entries)
bios0: Dell Computer Corporation PowerEdge 860
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfba60/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801GB LPC" rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x5c00 0xd/0x1800 0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 266 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU 3050 @ 2.13GHz ("GenuineIntel" 686-class) 2.14 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type PCI
mainbus0: bus 6 is type PCI
mainbus0: bus 7 is type PCI
mainbus0: bus 8 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7230 MCH" rev 0x00
ppb0 at pci0 dev 1 function 0 "Intel E7230 PCIE" rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci2 at ppb1 bus 2
mpi0 at pci2 dev 8 function 0 "Symbios Logic SAS1068" rev 0x01: apic 2 int 16 (irq 5)
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 237464MB, 237464 cyl, 16 head, 128 sec, 512 bytes/sec, 486326272 sec total
"Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 4
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 2 int 16 (irq 5)
ppb4 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01
pci5 at ppb4 bus 5
bge0 at pci5 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 16 (irq 5), address 00:19:b9:f7:a7:0a
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01
pci6 at ppb5 bus 6
bge1 at pci6 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 17 (irq 3), address 00:19:b9:f7:a7:0b
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 20 (irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 21 (irq 10)
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 22 (irq 6)
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 20 (irq 11)
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb6 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xe1
pci7 at ppb6 bus 7
vga1 at pci7 dev 5 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at v
Is the PF mailinglist still blocking gmail users?
Hi,

Just wondering if the PF mailing list is still blocking gmail users. Can't contact Daniel because his email ID is also on the same mail server.

Any idea which domains are blocked on the PF mailing list, so that I can subscribe to a free email service that is not blocked?

Thank you so much

Kind Regards

Siju
Re: Can anyone recommend a cheap and mature, well-supported graphics board for OpenBSD?
On 23/10/2007, Chris Kuethe <[EMAIL PROTECTED]> wrote:
> check the xorg supported hardware list... or the "SEE ALSO" section of Xorg(1)
(...)

Thank you. (Thanks to Dmitrij as well.)

I gather ATI and NVIDIA appear to be better supported than most others. Is that true?

In case I end up making a (small) new purchase: Are there any vendors who have been behaving well documentation-wise, and whom I should reward with my custom? Has anyone been a dick who should be avoided?
Can anyone recommend a cheap and mature, well-supported graphics board for OpenBSD?
I may be able to inherit an ASROCK 775Dual-VSTA mainboard. The board does not have on-board graphics, so I would need to buy a graphics card. The board supports AGP, PCI, and PCI Express Graphics slots.

Can anyone recommend a graphics card? I am looking for a mature graphics solution that's well supported on OpenBSD, and that I should preferably be able to obtain on a shoestring. I am not looking for shitloads of FPS.

Any comments would be welcome. In case anyone can comment on using the aforementioned mainboard with OpenBSD, that would be very welcome as well.

Thanks and regards,
--ropers
Re: Network Time Synchronization using timed or ntpd or a Combination?
On Tue, Oct 23, 2007 at 11:49:57AM -0600, Chris Kuethe wrote:
> On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote:
> > The ntpd from OBSD is raw and lame yet. It takes days (!) to really
> > synchronize, adjusting time and clock frequency back and forth (even if you
> > start with -s) so it's too early to say that using it is "right". It will
> > be "right" after it matures, gets more useful synchronization algorithm and
> > it's own ntpdate (or a parameter to synchronize and exit).
>
> Blah blah blah.
>
> time1 and time2.srv.ualberta.ca are both running openntpd driven by
> nmea(4) sensors. As is my home workstation. They wibble around within
> a microsecond or two of the sensor's time, probably due to a)
> interrupt handling and b) temperature changes caused by the air
> conditioner or cats sleeping on the case.

And my servers are in a windowless room under a lot of concrete and steel, so there's no good way to get GPS or radio data, and I'm using other time servers on the internet to sync. They keep time very well, on sparc64 and amd64, and both are in pool.ntp.org and score quite well. In fact, they compare favorably to servers running the more "heavyweight" ntp daemons.

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Lars Noodin <[EMAIL PROTECTED]> wrote:
> Per-Erik Persson wrote:
> > To get the best performance out of qemu you need to run linux.
>
> The choices narrow.
> Can kqemu be compiled for OBSD? Is virtualbox an option?

I had this thought a couple of weeks ago and started looking through the kqemu code but got totally lost. There's a NetBSD kqemu, so it's certainly possible.. but someone just has to do it... and unfortunately I'm no help.

-Nick
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Lars Noodén <[EMAIL PROTECTED]> wrote:
> Per-Erik Persson wrote:
> > ... not being able to run inside a
> > virtualized environment is not an option in the future.
>
> Virtualization is available already. See the package qemu.
> http://www.openbsd.org/4.1_packages/
>
> Or are you aiming for Xen specifically?
>

fwiw, kvm works well too if Xen isn't a hard requirement
http://kvm.qumranet.com/kvmwiki
MegaRAID SAS 8204ELP not working ?
Hi,

just installed a MegaRAID SAS 8204ELP Controller and according to the BIOS:

LSI MegaRAID Software RAID BIOS Version M1068e.01.01021804R
LSI Logic MPT RAID Found at PCI Bus No:04 Dev No:00
SAS/SATA RAID key is Detected.
Bringing up the Controller. Please wait...
Scanning for Port 00... Responding. WDC WD800JD-75MS 75781MB
Scanning for Port 01... Responding. WDC WD800AAJS-00 75807MB
Scanning for Port 02... Not Responding.
Scanning for Port 03... Not Responding.
Scanning for Port 04... Not Responding.
Scanning for Port 05... Not Responding.
Scanning for Port 06... Not Responding.
Scanning for Port 07... Not Responding.
01 Logical drive(s) Configured.
Array#  Mode   Stripe Size  No.Of Stripes  DriveSize  Status
00      RAID1  64KB         02             75340MB    Online
Press CTRL-M or Enter to run LSI Logic Software RAID Setup Utility.

all goes well so far. But:

Normally, if a logical drive is recognized by OpenBSD, there are NO two sd (sd0, sd1) drives at scsibus0. At this installation I had sd0 and sd1 for root disk choice at scsibus0. Also there is no mention of a logical drive in the dmesg. After the installation OpenBSD 4.2 booted from sd0.

From the manpage mfi(4) the MegaRAID SAS 820'8'ELP should be recognized as mfi0, so I thought the MegaRAID SAS 820'4'ELP should be recognized as mfi0 too. No, the MegaRAID SAS 8204ELP is recognized as mpi0 as the following dmesg shows.

bioctl mpi0 gives:
bioctl: Can't locate mpi0 device via /dev/bio
bioctl mfi0 gives:
bioctl: Can't locate mfi0 device via /dev/bio

So I think I do not have a functioning RAID.

Why is the MegaRAID SAS 8204ELP recognized as mpi0?
Is there a patch to correct the assignment of MegaRAID SAS 8204ELP to mfi0?
(If the controller could be made to be recognized as mfi0, then I could use bioctl :-))
What method exists to let me know if RAID works, without bioctl?

Thanks, Walter.

dmesg:

OpenBSD 4.2-current (GENERIC) #405: Thu Sep 13 16:06:09 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 CPU 6320 @ 1.86GHz ("GenuineIntel" 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 1064464384 (1015MB)
avail mem = 1021571072 (974MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/05/07, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xf04e0 (56 entries)
bios0: vendor American Megatrends Inc. version "1004 " date 06/05/2007
bios0: ASUSTek Computer INC. P5L-MX
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7a50/240 (13 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801GB LPC" rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xae00! 0xcb000/0x1800 0xcc800/0x5000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GP" rev 0x02: rng active, 800Kb/sec
ppb0 at pci0 dev 1 function 0 "Intel 82945GP PCIE" rev 0x02
pci1 at ppb0 bus 4
mpi0 at pci1 dev 0 function 0 "Symbios Logic SAS1068E" rev 0x04: irq 11
scsibus0 at mpi0: 173 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 76293MB, 76294 cyl, 16 head, 127 sec, 512 bytes/sec, 15625 sec total
sd1 at scsibus0 targ 1 lun 0: SCSI3 0/direct fixed
sd1: 76319MB, 76320 cyl, 16 head, 127 sec, 512 bytes/sec, 156301488 sec total
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02: aperture at 0xe000, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci2 at ppb1 bus 3
ppb2 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01
pci3 at ppb2 bus 2
"Attansic Technology L1" rev 0xb0 at pci3 dev 0 function 0 not configured
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 5
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 10
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 14
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 15
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: "Intel EHCI root hub", rev 2.00/1.00, addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xe1
pci4 at ppb3 bus 1
re0 at pci4 dev 0 function 0 "D-Link Systems DGE-528T" rev 0x10: RTL8169S (0x0400), irq 10, address 00:11:95:1c:86:e1
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 0
em0 at pci4 dev 1 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 3, address 00:0e:0c:72:79:37
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: irq 10
iic0
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Paul,

Tuesday, October 23, 2007, 12:38:43 PM, you wrote:

PdW> ... run rdate, it has the -n switch.

Here we go! :D

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote:
> The ntpd from OBSD is raw and lame yet. It takes days (!) to really
> synchronize, adjusting time and clock frequency back and forth (even if you
> start with -s) so it's too early to say that using it is "right". It will
> be "right" after it matures, gets more useful synchronization algorithm and
> it's own ntpdate (or a parameter to synchronize and exit).

Blah blah blah.

time1 and time2.srv.ualberta.ca are both running openntpd driven by nmea(4) sensors. As is my home workstation. They wibble around within a microsecond or two of the sensor's time, probably due to a) interrupt handling and b) temperature changes caused by the air conditioner or cats sleeping on the case.

If you have some reasonable, well-designed suggestions on how to better discipline the clock, we're all ears. Otherwise, quit babbling - openntpd is doing exactly what it's supposed to: be a simple, lightweight daemon for keeping your clocks "close enough". If that's not good enough for you, the ntp.org daemon is in ports.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Network Time Synchronization using timed or ntpd or a Combination?
On Tue, Oct 23, 2007 at 12:05:58PM -0500, Boris Goldberg wrote:
| The ntpd from OBSD is raw and lame yet. It takes days (!) to really
| synchronize, adjusting time and clock frequency back and forth (even if you
| start with -s) so it's too early to say that using it is "right". It will
| be "right" after it matures, gets more useful synchronization algorithm and
| it's own ntpdate (or a parameter to synchronize and exit).

Without -s, you are right. Adjusting time will take a long time if your clock is off by a large margin. Luckily, OpenNTPD starts if that is the case, unlike some other ntp daemon. The adjusting of time and clock frequency is to be somewhat expected with today's low quality clockchips on peecee motherboards. However, I've found my clocks to sync up pretty fast, no problems there as far as I can see.

And we don't need 'ntpdate'. Why would you synchronize and exit? An important thing about timekeeping is to provide monotonously incrementing time, making sure not to skip timepoints and even more importantly, not to jump back in time. If there is a large adjustment to be made, ntpd has -s which will sync it at boot (before other, time sensitive, programs are run). This is the most important argument against running rdate from a cron. And if you really, really need the sync-and-exit behaviour of ntpdate, run rdate, it has the -n switch.

I think the synchronization algorithm in ntpd is pretty good as it is. All my machines are in sync, they all agree on the same time when I compare it. This is within second boundaries, yes. It has been said before that if you need picosecond precision, then perhaps OpenNTPD is maybe not for you (although I believe that using one of the newer time sensors available in OpenBSD can bring pretty accurate time to your machine too).

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]
Re: em(4) - IFCAP_VLAN_MTU & IFCAP_VLAN_HWTAGGING ?
On 10/23/07, ropers <[EMAIL PROTECTED]> wrote:
>
> On 23/10/2007, Tony Sarendal <[EMAIL PROTECTED]> wrote:
> > On 10/23/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > >
> > > * Tony Sarendal <[EMAIL PROTECTED]> [2007-10-22 18:33]:
> > > > I didn't get that opinion from marketing.
> > > > No matter, we disagree, lets leave it at that.
> > >
> > > well, yeah, nonetheless, I wanna point out the essence why stateful is
> > > better (the way we do it in OpenBSD):
> > >
> > > 1) it moves the limit where the box starts to suffer from overload quite
> > >    far, or, in other words, the box can handle a much larger amount of
> > >    traffic before it starts to drop stuff. thus it can withstand bigger
> > >    amounts of (D)DoS too.
> > > 2) once it gets to that point, it is more selective in dropping packets
> > >    than a stateless box, as it prefers established connections. this
> > >    behaviour cannot be valued enough in (D)DoS type of situations.
> >
> > I wish to implement things in a way where the link is the limitation,
> > not the box. But there is no point in re-doing that discussion.
> >
> > When I have some time free I'll test it in the lab to see that difference in
> > behaviour.
>
> I know very little, but I would like to note that some providers (
> http://www.rayservers.com/ddos-protection ) deploy OpenBSD with the
> express purpose of offering dDoS protection. That has to count for
> something.
>
> OTOH, Henning's word alone would be enough for me, because AFAIK
> Henning wrote actual pertinent code and knows darn friggin well what
> he's talking about. Did you contribute as much code to OpenBSD/pf as
> Henning? Are you sure your understanding is deeper than his? (No
> offense, by the way, all in good humour.)

Henning has committed more code than me. If you count in percent infinitely more.
Does that mean that I don't know what I'm talking about?

I use OpenBSD because I like it, I think it is the best project I can find on the net.
I don't believe a fan-boy attitude is an asset to the project, that is what you are contributing right now.

This is a view of an external peering link where I work now:

  5 minute input rate 6165205000 bits/sec, 1036946 packets/sec
  5 minute output rate 3134466000 bits/sec, 1000242 packets/sec

One link out of many, no DDOS going on. Maybe I should stick a rayserver on it.

Correct me if I'm wrong, but Henning needs someone to argue with him and pester him.

/Tony
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Pierre-Yves, Tuesday, October 23, 2007, 11:39:10 AM, you wrote: >> You don't really need ntpd on all systems. One (timeserver) >> runs ntpd, and others use rdate, called from cron (once a day is >> usually enough). PYR> I hope nobody takes what you say seriously. Running rdate instead of PYR> ntpd like you describe is wrong for many reasons which have been stated PYR> over and over in the last few years. Please do not spread wrong PYR> information around, and do your homework before giving others advice PYR> on what you think is good sysadmin practice. The ntpd from OBSD is still raw and lame. It takes days (!) to really synchronize, adjusting time and clock frequency back and forth (even if you start with -s) so it's too early to say that using it is "right". It will be "right" after it matures, gets a more useful synchronization algorithm and its own ntpdate (or a parameter to synchronize and exit). -- Best regards, Boris mailto:[EMAIL PROTECTED]
Re: About Xen: maybe a reiterative question but ..
On 23/10/2007, Jeff Quast <[EMAIL PROTECTED]> wrote: > > > On 22/10/2007, carlopmart <[EMAIL PROTECTED]> wrote: > > > > Hi all, > > > > > > > > I know that time to time somebody do the same question, but I need to > > > > know it: is it planned at some point to release a paravirtualized xen > > > > kernel > > > > for OpenBSD 4.3 or 4.4??? > > yum Sorry Jeff, I missed the above earlier on. Is that a yes? Does that mean that Christoph's code has gone or is going into OpenBSD current? Thanks and regards, --ropers
Re: OSS audio drivers
On Tue, Oct 23, 2007 at 12:25:03PM +0200, Jan Stary wrote: > > What is the relation of OpenBSD's audio drivers to the OSS project? > What, if anything, does opensourcing (GPL, I know) their code mean for > our audio drivers? In particular, does that mean (future) support for > the high-end soundcards such as M-Audio Delta? > There's work in progress on adding support for Delta cards (1010, 1010LT, 66, 44), and required features to make them usable (32bit encodings, 12 channel capture, higher sample rate, etc...) -- Alexandre
Re: em(4) - IFCAP_VLAN_MTU & IFCAP_VLAN_HWTAGGING ?
On 23/10/2007, Tony Sarendal <[EMAIL PROTECTED]> wrote: > On 10/23/07, Henning Brauer <[EMAIL PROTECTED]> wrote: > > > > * Tony Sarendal <[EMAIL PROTECTED]> [2007-10-22 18:33]: > > > I didn't get that opinion from marketing. > > > No matter, we disagree, lets leave it at that. > > > > well, yeah, nonetheless, I wanna point out the essence why stateful is > > better (the way we do it in OpenBSD): > > > > 1) it moves the limit where the box starts to suffer from overload quite > >far, or, in other words, the box can handle a much larger amount of > >traffic before it starts to drop stuff. thus it can withstand bigger > >amounts of (D)DoS too. > > 2) once it gets to that point, it is more selective in dropping packets > >than a stateless box, as it prefers established connections. this > >behaviour cannot be valued enough in (D)DoS type of situations. > > > I wish to implement things in a way where the link is the limitation, > not the box. But there is no point in re-doing that discussion. > > When I have some time free I'll test it in the lab to see that difference in > behaviour. I know very little, but I would like to note that some providers ( http://www.rayservers.com/ddos-protection ) deploy OpenBSD with the express purpose of offering dDoS protection. That has to count for something. OTOH, Henning's word alone would be enough for me, because AFAIK Henning wrote actual pertinent code and knows darn friggin well what he's talking about. Did you contribute as much code to OpenBSD/pf as Henning? Are you sure your understanding is deeper than his? (No offense, by the way, all in good humour.) Cheerio, --ropers
Re: Network Time Synchronization using timed or ntpd or a Combination?
Boris Goldberg <[EMAIL PROTECTED]> wrote: > Hello Rogier, > > Tuesday, October 23, 2007, 9:01:32 AM, you wrote: > > RK> On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote: > >> You don't really need ntpd on all systems. One (timeserver) > >> runs ntpd, and others use rdate, called from cron (once a day is > >> usually enough). > > RK> While your suggestion would work, it would also entail more work > RK> without adding benefit. Upon install, you get the question of > RK> whether you want to use ntpd. Starting with 4.2, it even asks for > RK> a specific NTP server. > > It's always better not to run a daemon if you don't have to. :) > Talking about a "more work" - I don't think that someone avoiding > small "after install" tuning like this should be taking care of > any network besides his home one. ;) Anyway, for the last five years > no version of OBSD (including 4.2) worked for me without tuning a > kernel, so an extra line in a crontab is nothing. :) > I hope nobody takes what you say seriously. Running rdate instead of ntpd like you describe is wrong for many reasons which have been stated over and over in the last few years. Please do not spread wrong information around, and do your homework before giving others advice on what you think is good sysadmin practice.
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote: > It's always better not to run a daemon if you don't have to. :) That sort of remark has often started endless debates. :) For me, trusting rdate to provide time or using ntpd for it is pretty much the same, but feel free to disagree. There are no risk-free activities. In my book, ntpd gets the job done with less administrative work and it's made by the same people I trust to provide me with a sensible and secure system. > Talking about a "more work" If using site.tgz this sort of thing is rather a moot point. > Anyway, for the last five years no version of OBSD (including 4.2) worked for > me without tuning a kernel, so an extra line in a crontab is nothing. :) If you haven't already, it might be wise to track the issue and report it. Most of my things requiring post-install kernel config got fixed over the next release, so I'm a happy camper. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Per-Erik Persson <[EMAIL PROTECTED]> wrote: > If OpenBSD doesn't adopt to the virtualization trend it will used only > as an obscure firewall box. people have been saying "if openbsd doesn't it will only be used as an obscure firewall box" for years. what else is new?
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Chris Kuethe <[EMAIL PROTECTED]> wrote: > Rdate provides a single valuable service: the ability to poll a device > to see what time it thinks it is (ie. probing the health of my time servers). Good point; I should probably add that to my monitoring setup. Thanks for the suggestion, Rogier. -- If you don't know where you're going, any road will get you there.
Re: OSS audio drivers
On Tue, Oct 23, 2007 at 03:32:07PM +0200, Jan Stary wrote: > > > What is the relation of OpenBSD's audio drivers to the OSS project? > > > What, if anything, does opensourcing (GPL, I know) their code mean for > > > our audio drivers? In particular, does that mean (future) support for > > > the high-end soundcards such as M-Audio Delta? > > > > OpenBSD uses an implementation of the Sun audio system, which is a > > different system to OSS altogether. I don't know where it came from, > > it is probably not based upon any of sun's code due to licensing. > > Thanks, that explains it for me. OpenBSD's audio system originally came from NetBSD. > > As for the M-audio Delta, not sure about that particular card, but I > > have a M-audio mobile pre (usb), which works fine under OpenBSD. > > Which underlying hardware driver does it use? uaudio. the nice thing about uaudio is that it's based on a standard. uaudio is not a 100% complete implementation of USB audio, but it is still being worked on. > > I'm not sure if that's an indication that M-audio aim to support UNIX, > > or just a coincidence. Try dropping them an email? > > Looks like the only "UNIX support" they do is have an NDA with OSS, who > > have drivers for the better M-Audio cards (and RME Hammerfall) in > > their binary, nonfree drivers ... > > > In all fairness, you would be better off using a nice piece of kit > > like that on Windows or MacOSX (/me ducks), > > (take off your glasses and step outside, hombre) > > > because the audio editors for NIX are slightly limited > > in comparison to say Cubase or Pro-tools. > > True, but that's way over the level I need. Nowadays, I do my audio > work on FreeBSD using sox, ecasound, snd, and ardour - just curious > about migrating this to OpenBSD. there is no Jack port for audio(4), so ardour is out. I have a partially working snd port, and ecasound looks doable. you may want to consider using audacity. 
I also have a partly working pd port, if anyone is interested in that. note, OpenBSD does have an OSS compatibility library. but until recently, it (and audio(4) too, really) suffered from bugs that made it less than ideal (practically unusable) for recording/audio production. -- [EMAIL PROTECTED] SDF Public Access UNIX System - http://sdf.lonestar.org
Re: About Xen: maybe a reiterative question but ..
Hi Christoph, Right now, on the OpenBSD misc mailing list, there is this discussion: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-misc/2007-10/threads.html#01149 about OpenBSD/Xen. We last spoke last year, when I put your BSDtalk interview transcript online at http://ropersonline.com/openbsd/xen . It seems to me that most people on the misc mailing list currently are not very aware of your OpenBSD Xen port. Could I possibly ask you to participate in the discussion? I feel that you (and Theo) are the only guys who can provide authoritative answers on the issue. Some of the questions that I feel are unclear are: - Was your porting work fully completed? IIRC it was, but please clarify. - Is your port still being maintained? Can it be run with OpenBSD -current or 4.2? - It seems to me that your port didn't achieve wide recognition and acclaim because of a lack of publicity. - AFAIK your OpenBSD/Xen port code hasn't found its way into the official OpenBSD distribution. Is this correct? - Are there any reasons why your code didn't go into the official OpenBSD distro? Was it lack of awareness? Have you ever talked to Theo and/or other central OpenBSD people? - Is there any hope that your port might still become part of the official OpenBSD distribution? (Theo: Could you possibly comment as well?) I'd personally be very interested to see your port become part of the official distribution, but I sadly can't code myself, so all I can do is ask and hope. :) Once again, thanks for your hard work. :) Many thanks in advance and kind regards, Jens Ropers
Re: em(4) - IFCAP_VLAN_MTU & IFCAP_VLAN_HWTAGGING ?
* Tony Sarendal <[EMAIL PROTECTED]> [2007-10-23 17:06]: > I wish to implement things in a way where the link is the limitation, > not the box. as I said before, you cannot buy a box that can handle 100M under all circumstances. > When I have some time free I'll test it in the lab to see that difference in > behaviour. Any ideas of when you will get around to handling asymmetric > traffic in a stateful way ? if you keep pestering me, quickly, i keep forgetting it :) lose (or loose? i keep mixing up) it'll be -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Rogier, Tuesday, October 23, 2007, 9:01:32 AM, you wrote: RK> On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote: >> You don't really need ntpd on all systems. One (timeserver) runs ntpd, >> and others use rdate, called from cron (once a day is usually enough). RK> While your suggestion would work, it would also entail more work RK> without adding benefit. Upon install, you get the question of whether RK> you want to use ntpd. Starting with 4.2, it even asks for a specific RK> NTP server. It's always better not to run a daemon if you don't have to. :) Talking about a "more work" - I don't think that someone avoiding small "after install" tuning like this should be taking care of any network besides his home one. ;) Anyway, for the last five years no version of OBSD (including 4.2) worked for me without tuning a kernel, so an extra line in a crontab is nothing. :) -- Best regards, Boris mailto:[EMAIL PROTECTED]
Re: Installing the latest snapshot freezes on i386
On Tue, 2007-10-23 at 01:42 -0700, Reza Muhammad wrote: > Hi all, > > I just recently purchased a brand new HP Pavilion > G3035L Desktop PC (spec: > http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC). > It's using Intel Core Duo processor. I tried to > install OpenBSD's latest snapshot to this machine last > night. The thing is it freezes and it wouldn't > install. Here are the messages I got from my screen: Try interrupting boot and booting into the real-time kernel config [OpenBSD banner] boot> boot -c ukc> verbose ukc> enable acpi0 ukc> disable apm0 ukc> exit ~BAS > ehci0: timed out waiting for BIOS > usb0 at ehci0: USB revision 2.0 > > Does anyone know what the problem is? Are some of the > hardware aren't supported by OpenBSD? What should I do > so this machine can run OpenBSD? > > Thanks for the help. I appreciate it. > > -Reza
gpio support on ALIX board
Hello list, Is anyone working on getting the gpio pins supported on the PCEngines ALIX boards? I'd like to be able to control the LEDs using gpioctl, just like on the WRAP. -martin
Re: NextG networking
On Wed, Oct 24, 2007 at 12:18:36AM +1000, Andrew Dalgleish wrote: > I've put up some notes about NextG networking on OpenBSD at > http://www.ajd.net.au/nextg/openbsd.html > including a kernel patch to suit ZTE handsets which will probably work > with other Qualcomm-based handsets. > > Regards, > Andrew Dalgleish Do the ZTE phones need both device additions to umsm? You should not mix vendor/product like that, edit usbdevs not a generated file, like below. And these quirks are for umodem not umsm, which device is being attached? Index: usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.305 diff -u -p -r1.305 usbdevs --- usbdevs 22 Oct 2007 19:37:28 - 1.305 +++ usbdevs 23 Oct 2007 14:44:58 - @@ -1935,6 +1935,7 @@ product QTRONIX 980N 0x2011 Scorpion-98 /* Qualcomm products */ product QUALCOMM MSM_MODEM 0x3196 CDMA MSM modem +product QUALCOMM MSM_PHONE_2 0x6000 CDMA MSM phone product QUALCOMM2 MSM_PHONE0x6000 CDMA MSM phone product QUALCOMM MSM_HSDPA 0x6613 HSDPA MSM Index: umsm.c === RCS file: /cvs/src/sys/dev/usb/umsm.c,v retrieving revision 1.17 diff -u -p -r1.17 umsm.c --- umsm.c 11 Oct 2007 18:33:15 - 1.17 +++ umsm.c 23 Oct 2007 14:44:58 - @@ -65,6 +65,7 @@ static const struct usb_devno umsm_devs[ { USB_VENDOR_NOVATEL, USB_PRODUCT_NOVATEL_XU870 }, { USB_VENDOR_NOVATEL, USB_PRODUCT_NOVATEL_ES620 }, { USB_VENDOR_QUALCOMM, USB_PRODUCT_QUALCOMM_MSM_HSDPA }, + { USB_VENDOR_QUALCOMM, USB_PRODUCT_QUALCOMM_MSM_PHONE_2 }, { USB_VENDOR_SIERRA,USB_PRODUCT_SIERRA_EM5625 }, { USB_VENDOR_SIERRA,USB_PRODUCT_SIERRA_AIRCARD_580 }, { USB_VENDOR_SIERRA,USB_PRODUCT_SIERRA_AIRCARD_595 }, Index: usb_quirks.c === RCS file: /cvs/src/sys/dev/usb/usb_quirks.c,v retrieving revision 1.30 diff -u -p -r1.30 usb_quirks.c --- usb_quirks.c28 Aug 2007 09:45:46 - 1.30 +++ usb_quirks.c23 Oct 2007 14:44:58 - 
@@ -97,6 +97,8 @@ const struct usbd_quirk_entry { ANY, { UQ_ASSUME_CM_OVER_DATA }}, { USB_VENDOR_QUALCOMM, USB_PRODUCT_QUALCOMM_MSM_MODEM, ANY, { UQ_ASSUME_CM_OVER_DATA }}, + { USB_VENDOR_QUALCOMM, USB_PRODUCT_QUALCOMM_MSM_PHONE_2, + ANY, { UQ_ASSUME_CM_OVER_DATA }}, { USB_VENDOR_QUALCOMM2, USB_PRODUCT_QUALCOMM2_MSM_PHONE, ANY, { UQ_ASSUME_CM_OVER_DATA }}, { USB_VENDOR_SUNTAC, USB_PRODUCT_SUNTAC_AS64LX,
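Review bot: in the usbdevs hunk, the added QUALCOMM/0x6000 line carries the description "CDMA MSM phone", identical to the QUALCOMM2/0x6000 entry directly below it, so a dmesg attach line will not show which vendor ID actually matched; naming the handset family this ID was taken from (the ZTE units in the original report) in the description would make the two distinguishable. Note also that usbdevs.h and usbdevs_data.h are generated from this file (sys/dev/usb/Makefile.usbdevs) and are not in the diff; they have to be regenerated in the same commit, or the USB_PRODUCT_QUALCOMM_MSM_PHONE_2 symbol used by the umsm.c and usb_quirks.c hunks will not exist.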
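Review bot: the umsm.c hunk and the usb_quirks.c hunk contradict each other: adding the ID to umsm_devs makes umsm(4) claim the device, while UQ_ASSUME_CM_OVER_DATA is a quirk that only umodem(4) looks at. If the handset attaches as umsm, the quirk is never consulted; if it attaches as umodem through its CDC interface, the umsm_devs entry is dead. The question raised in the mail above (which driver is actually attaching?) needs an answer from the handset's dmesg before this goes in, and only the hunk for the driver that really attaches should be committed.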
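Review bot: the usb_quirks.c hunk duplicates, under vendor QUALCOMM, the UQ_ASSUME_CM_OVER_DATA quirk that QUALCOMM2/MSM_PHONE (same product ID 0x6000) already has two lines below. Since the original patch mixed vendor and product IDs, confirm from the handset's device descriptor which vendor ID it actually reports; if it is the QUALCOMM2 one, the device is already covered by the existing entry and none of these three hunks is needed.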
Kernel crash after connecting NIC
This happened after connecting a network interface! It was previously connected to a HP Switch, I moved the cable to a lan port on a Cisco PIX 501. The crash was almost instant I think. It happened in a test lab I am setting up. So probably some config error on my side, but still I typed the ddb trace over from the screen, don't hold me to it. kernel: page fault trap, code =0 Stopped at bge_encap+0xfd: movw 0x21e(%edx),%ax ddb> bge_encap(d190d000,d7aa0800,d08d5dcc,0) at bge_encap+0xfd bge_encap(d190d030,d08d5df4,d02023c9,30) at bge_start+0x81 bgep_initr(d190d000) at bge_intr+0xe1 Xrecurse_legacy5() at Xrecurse_legacy5+0xad --- interrupt --- amp_cpu_idle(c0,d0799260,7fff,d033641b) at amp_cpu_idle+0x42 idle_loop(d08d5f00,4,d08d5f18,d0333706,d08d5f00) sleep_finish(d08d5f00,1,4,d06a1b8c,0) at sleep_finish+0x4d tsleep(d0799260,4,d06a1b8c,0) at tsleep+0x7a uvm_scheduler(d079923c,3,0,d0658570,2) at uvm_scheduler+0x1b main(0,0,0,0,0) at main+0x70f bgp02# cat aftercrash.dmesg OpenBSD 4.2-current (GENERIC) #405: Thu Sep 13 16:06:09 MDT 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Xeon(TM) CPU 3.00GHz ("GenuineIntel" 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR real mem = 1073258496 (1023MB) avail mem = 1030098944 (982MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (73 entries) bios0: vendor HP version "P54" date 02/14/2006 bios0: HP ProLiant DL360 G4p pcibios0 at bios0: rev 2.1 @ 0xf/0x2000 pcibios0: PCI BIOS has 7 Interrupt Routing table entries pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00) pcibios0: PCI bus #13 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x3600! 0xcb600/0x1600 0xee000/0x2000! 
acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x0c ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x0c pci1 at ppb0 bus 13 ppb1 at pci0 dev 4 function 0 "Intel MCH PCIE" rev 0x0c pci2 at ppb1 bus 6 ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09 pci3 at ppb2 bus 7 ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09 pci4 at ppb3 bus 10 ppb4 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x0c pci5 at ppb4 bus 3 ppb5 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02 pci6 at ppb5 bus 2 bge0 at pci6 dev 2 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:18:fe:30:f7:08 brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge1 at pci6 dev 2 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:18:fe:30:f7:07 brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 5 uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 5 "Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured "Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 5 usb0 at ehci0: USB revision 2.0 uhub0 at usb0: "Intel EHCI root hub", rev 2.00/1.00, addr 1 ppb6 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a pci7 at ppb6 bus 1 vga1 at pci7 dev 3 function 0 "ATI Rage XL" rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) "Compaq iLO" rev 0x01 at pci7 dev 4 function 0 not configured "Compaq iLO" rev 0x01 at pci7 dev 4 function 2 not configured ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02: 24-bit timer at 3579545Hz pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to 
compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) pciide1 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide1: using irq 7 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 wd1 at pciide1 channel 1 drive 0: wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5 usb1 at uhci0: USB revision 1.0 uhub1 at usb1: "Intel UHCI root hub", rev 1.00/1.00, addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2: "Intel UHCI root hub", rev 1.00/1.00, addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 at isa0 port
Re: Network Time Synchronization using timed or ntpd or a Combination?
Christian Weisgerber wrote: > Clint Pachl <[EMAIL PROTECTED]> wrote: > >> I was thinking about using ntpd only on all systems. One system would get >> time from the NTP pool > > ... or from a time signal sensor... > >> and all other servers on the network would sync >> to the local server. Is this the best way? > > Yes. Depending on how many machines you have and how much you care about your time, best practice is more likely to be to have 2 or 3 servers likely to be up 7x24 use outside time sources and then have all internal machines use those 2 or 3 servers as their source. It's so easy to remove single points of failure in this case that you might as well do so. --Jon Radel
Re: em(4) - IFCAP_VLAN_MTU & IFCAP_VLAN_HWTAGGING ?
On 10/23/07, Henning Brauer <[EMAIL PROTECTED]> wrote: > > * Tony Sarendal <[EMAIL PROTECTED]> [2007-10-22 18:33]: > > I didn't get that opinion from marketing. > > No matter, we disagree, lets leave it at that. > > well, yeah, nonetheless, I wanna point out the essence why stateful is > better (the way we do it in OpenBSD): > > 1) it moves the limit where the box starts to suffer from overload quite >far, or, in other words, the box can handle a much larger amount of >traffic before it starts to drop stuff. thus it can withstand bigger >amounts of (D)DoS too. > 2) once it gets to that point, it is more selective in dropping packets >than a stateless box, as it prefers established connections. this >behaviour cannot be valued enough in (D)DoS type of situations. I wish to implement things in a way where the link is the limitation, not the box. But there is no point in re-doing that discussion. When I have some time free I'll test it in the lab to see that difference in behaviour. Any ideas of when you will get around to handling asymmetric traffic in a stateful way ? /Tony
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Boris Goldberg <[EMAIL PROTECTED]> [2007-10-23 15:50]: > CP> One system would get time from the NTP pool and all other servers on > CP> the network would sync to the local server. > You don't really need ntpd on all systems. One (timeserver) runs ntpd, > and others use rdate, called from cron (once a day is usually enough). that is bad advice. it is not only much more work to set up, it also doesn't remotely yield the same results. ntpd is much much better, since it doesn't rely on a single answer from some server to set the clock, and because it adjusts the clock frequency over time. there is not much point in using rdate at all. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Rogier Krieger <[EMAIL PROTECTED]> wrote: > Using ntpd gets you better synchronisation without the need of setting > something up with cron. Rdate will work, but the work developers put > into (further integrating) ntpd makes rdate appear rather ... > outdated. Rdate provides a single valuable service: the ability to poll a device to see what time it thinks it is (ie. probing the health of my time servers). For everything else, i just let openntpd take care of it. -- GDB has a 'break' feature; why doesn't it have 'fix' too?
NextG networking
I've put up some notes about NextG networking on OpenBSD at http://www.ajd.net.au/nextg/openbsd.html including a kernel patch to suit ZTE handsets which will probably work with other Qualcomm-based handsets. Regards, Andrew Dalgleish
Re: Network Time Synchronization using timed or ntpd or a Combination?
On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote: > You don't really need ntpd on all systems. One (timeserver) runs ntpd, > and others use rdate, called from cron (once a day is usually enough). While your suggestion would work, it would also entail more work without adding benefit. Upon install, you get the question of whether you want to use ntpd. Starting with 4.2, it even asks for a specific NTP server. Using ntpd gets you better synchronisation without the need of setting something up with cron. Rdate will work, but the work developers put into (further integrating) ntpd makes rdate appear rather ... outdated. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: OSS audio drivers
On 23/10/2007, Jan Stary <[EMAIL PROTECTED]> wrote: > Which underlying hardware driver does it use? uaudio -- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett
writing non-ascii characters via SSH
{ this is a resend } I am currently experiencing difficulty in writing text files containing French characters on my OpenBSD 4.0 server via SSH. On both the FreeBSD client system and on the OpenBSD server system I have the following: ~/.profile: export LANG="C" export LC_CTYPE="fr_CA.ISO8859-1" export LC_COLLATE="fr_CA.ISO8859-1" ~/.inputrc: set convert-meta Off set editing-mode emacs set input-meta On set output-meta On Note that I am contacting the FreeBSD system from a Ubuntu Linux box. On that system I have the same ~/.inputrc file but instead of ~/.profile I am using ~/.bashrc: export LANG="C" export LC_CTYPE="fr_CA.ISO8859-1" export LC_COLLATE="fr_CA.ISO8859-1" All three users are using the bash shell. The accented characters (ex: i) end up as question marks. // juan
Re: OSS audio drivers
> > What is the relation of OpenBSD's audio drivers to the OSS project? > > What, if anything, does opensourcing (GPL, I know) their code mean for > > our audio drivers? In particular, does that mean (future) support for > > the high-end soundcards such as M-Audio Delta? > > OpenBSD uses an implementation of the Sun audio system, which is a > different system to OSS altogether. I don't know where it came from, > it is probably not based upon any of sun's code due to licensing. Thanks, that explains it for me. > As for the M-audio Delta, not sure about that particular card, but I > have a M-audio mobile pre (usb), which works fine under OpenBSD. Which underlying hardware driver does it use? > I'm not sure if that's an indication that M-audio aim to support UNIX, > or just a coincidence. Try dropping them an email? Looks like the only "UNIX support" they do is have an NDA with OSS, who have drivers for the better M-Audio cards (and RME Hammerfall) in their binary, nonfree drivers ... > In all fairness, you would be better off using a nice piece of kit > like that on Windows or MacOSX (/me ducks), (take off your glasses and step outside, hombre) > because the audio editors for NIX are slightly limited > in comparison to say Cubase or Pro-tools. True, but that's way over the level I need. Nowadays, I do my audio work on FreeBSD using sox, ecasound, snd, and ardour - just curious about migrating this to OpenBSD. Thanks Jan
Re: Network Time Synchronization using timed or ntpd or a Combination?
Hello Clint, Tuesday, October 23, 2007, 5:42:47 AM, you wrote: CP> One system would get time from the NTP pool and all other servers on CP> the network would sync to the local server. You don't really need ntpd on all systems. One (timeserver) runs ntpd, and others use rdate, called from cron (once a day is usually enough). -- Best regards, Boris mailto:[EMAIL PROTECTED]
Re: OSS audio drivers
That code is not free enough for us to use, and therefore we don't use it. that's the whole story. > this is to clarify (for me, anyway) the status of > audio drivers present in the (recently GPLed) OSS. > http://www.opensound.com/osshw.html > > What is the relation of OpenBSD's audio drivers to the OSS project? > What, if anything, does opensourcing (GPL, I know) their code mean for > our audio drivers? In particular, does that mean (future) support for > the high-end soundcards such as M-Audio Delta? > > Thanks > > Jan
Systems, Oct 23 - 26, 2007, Munich, Germany
Hey, as a reminder, you can visit the Systems expo this week in Munchen, there is an OpenBSD/OpenSSH booth in Halle B2 110-2, run by DaN, Nikolay Sturm and Marco Pfatschbacher There are of course 4.2 CDs and T-shirts, so if you did not pre-order, this is the quickest way to get one this month. Also, we need some helping hands for tomorrow, if somebody wants to help out at the booth, mail me. I'll not be able to attend Wim. -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= https://kd85.com/notforsale.html --
Re: Update features on PF(OpenBSD4.2)
Henning Brauer <[EMAIL PROTECTED]> writes: > doing the boring, pretty riskless 10 minutes taking 4.2 upgrade everybody > could easily do, for some combinations of crappy old hardware, too small memory size and nonsensically large filesystems it might stretch into 20-odd minutes, but otherwise my sentiments exactly in the parts I've snipped. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OSS audio drivers
Hi, On 23/10/2007, Jan Stary <[EMAIL PROTECTED]> wrote: > Hi all, > > this is to clarify (for me, anyway) the status of > audio drivers present in the (recently GPLed) OSS. > http://www.opensound.com/osshw.html > > What is the relation of OpenBSD's audio drivers to the OSS project? > What, if anything, does opensourcing (GPL, I know) their code mean for > our audio drivers? In particular, does that mean (future) support for > the high-end soundcards such as M-Audio Delta? OpenBSD uses an implementation of the Sun audio system, which is a different system to OSS altogether. I don't know where it came from, it is probably not based upon any of sun's code due to licensing. As for the M-audio Delta, not sure about that particular card, but I have a M-audio mobile pre (usb), which works fine under OpenBSD. I'm not sure if that's an indication that M-audio aim to support UNIX, or just a coincidence. Try dropping them an email? In all fairness, you would be better off using a nice piece of kit like that on Windows or MacOSX (/me ducks), because the audio editors for NIX are slightly limited in comparison to say Cubase or Pro-tools. Thanks -- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett
Re: Help! I'm having Linux foisted on me! (PF queuing woes)
On Tue, Oct 23, 2007 at 02:10:43PM +0200, Henning Brauer wrote:
> * Brian <[EMAIL PROTECTED]> [2007-10-22 20:39]:
> > Joshua Smith wrote:
> > > Out of curiosity what are these two extremely rare cases?
> > [snip]
> >
> > One example off the top of my head (and ipsec.conf(5)) is the enc0
> > interface. You wouldn't set your state-policy to this, but each
> > individual rule would use if-bound to prevent traffic from going out
> > your egress when an IPsec SA is removed/expires before the state is
> > removed/expires (think isakmpd and the various reasons an SA can disappear).
>
> that is indeed one case. whether you really want ifbound for ipsec or not
> depends on the setup, you have to think it through on a case-by-case
> basis.
>
> the other case is so bizarre that I forgot the details. basically a
> case where a packet goes thru the stack 3 times instead of 2 with the
> normal forwarding. I think you could trigger that with very very very
> very very strange use of the evil route-to (which should be avoided
> wherever possible in the first place).
>

Everything that moves through your stack multiple times needs if-bound states or no states at all. I use multiple qemus with bridge(4) that show the same problem and yes, this is a very bizarre setup.

The other case where you may need if-bound states is when doing NAT in a multipath setup. This is another uncommon setup and you may get away with non if-bound states.

--
:wq Claudio
Re: Network Time Synchronization using timed or ntpd or a Combination?
* Clint Pachl <[EMAIL PROTECTED]> [2007-10-23 12:55]:
> Because OpenNTPD was designed with security in mind from the start, I was
> thinking about using ntpd only on all systems. One system would get time
> from the NTP pool and all other servers on the network would sync to the
> local server. Is this the best way?

yep.

> Then I discovered timed. Does anybody use it? Is it as secure? What are the
> (dis)advantages/differences compared to ntpd?

I don't have the time or electrons to compile that list :) in short, there is about zero value in timed for new installs. It is pretty much obsolete.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Update features on PF(OpenBSD4.2)
* Beavis <[EMAIL PROTECTED]> [2007-10-22 18:29]:
> hi folks,
>
> I saw this performance issue with pf on an AMD64 firewall: below is the link
>
> http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
>
> it states that pf on 4.2 performs much better than in 4.1. having said
> this, is it possible to be able to just update pf's feature instead of
> going through the entire OS upgrade? since I'm really going after the
> features of pf, and happy with how 4.1 is.
>
>
> any comments are awesomely appreciated.

yes, excellent idea, that is exactly what you should do!

Instead of doing the boring, pretty riskless 10 minutes taking 4.2 upgrade everybody could easily do, you should figure out which files are pf, update them, figure out that the kernel doesn't build because of changes through the network stack, patch for a week or two until you have a kernel that builds, figure out pfctl, netstat and friends don't work, another week... a bit (about when these boring wackos that just upgrade install 4.3) later when you have a kernel that boots and a userland that seems to work with it, you have a totally unique system! nobody else is running that! ok, nobody else sees the crashes you do, but hey, they're all boring wackos.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: About Xen: maybe a reiterative question but ..
Per-Erik Persson wrote:
> To get the best performance out of qemu you need to run linux.

I'm no expert in virtualization, but may I ask if you are remembering to use kqemu?

There is also virtual box. http://www.virtualbox.org/ It may or may not run on an OpenBSD host, but does run OpenBSD as a guest according to the web site.

> At least on my machines qemu is dead slow.
> I was hoping xen would perform better together with openbsd, however I
> get a little bit worried when I google openbsd+xen
> Mostly get dead links.

Furthermore, it seems that XenSource has been sold off to Citrix, makers of that steaming pile of crap known as Citrix: http://www.citrixxenserver.com/Pages/default.aspx

That bodes very, very, very ill for the product. Citrix, IMHO, will make sure that Xen will be poor at hosting non-MS tools and will be unported from OSS hosts. If we are lucky, the developers will leave / have left and will fork the code.

> Xen seems to be leading the virtualization trend right now,

If you had written that a year and a half ago, I would have agreed. Xen was good a while back. However, here is another article on the same topic: http://www.theregister.co.uk/2006/07/20/ms_xen_love/page2.html

"It's a one-way street that favors Microsoft and Windows running Linux. The arrangement will allow Linux to run on future Microsoft hypervisors through translated calls to the hypervisor when Windows is controlling the hardware, but not the other way around; i.e. there is no mention of Longhorn optimizations or 'enlightenments' being ported to Xen or licensed to XenSource to enable a Xen hypervisor to run full optimizations with Longhorn OS."

Granted that quote is from a competitor (VMware, which seems to be a broken linux kernel) but MS has 'partnered' with XenSource and we know what the ultimate results will be.

The choices narrow. Can kqemu be compiled for OBSD? Is virtualbox an option?

Regards
-Lars
Re: About Xen: maybe a reiterative question but ..
* carlopmart <[EMAIL PROTECTED]> [2007-10-23 09:13]:
> IMHO I think that OpenBSD needs to be capable to install and run as a
> paravirtualized domU guest, with some limitations if you like.
>
> Last year I asked the same question. Then it was said that only NetBSD needed
> to do the xen port, and from there it would be easy enough to carry over to OpenBSD. The
> reality is that NetBSD has long been able to be installed and run as domU and
> OpenBSD not.
>
> And my question is why??

easy: nobody has done the work. I don't know how far Christoph's efforts went really - but it really comes down to somebody sitting down, doing the porting work in a clean manner, showing dedication, willingness and ability to keep supporting it in future. that simple.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Help! I'm having Linux foisted on me! (PF queuing woes)
* Brian <[EMAIL PROTECTED]> [2007-10-22 20:39]:
> Joshua Smith wrote:
> > Out of curiosity what are these two extremely rare cases?
> [snip]
>
> One example off the top of my head (and ipsec.conf(5)) is the enc0
> interface. You wouldn't set your state-policy to this, but each
> individual rule would use if-bound to prevent traffic from going out
> your egress when an IPsec SA is removed/expires before the state is
> removed/expires (think isakmpd and the various reasons an SA can disappear).

that is indeed one case. whether you really want ifbound for ipsec or not depends on the setup, you have to think it through on a case-by-case basis.

the other case is so bizarre that I forgot the details. basically a case where a packet goes thru the stack 3 times instead of 2 with the normal forwarding. I think you could trigger that with very very very very very strange use of the evil route-to (which should be avoided wherever possible in the first place).

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: em(4) - IFCAP_VLAN_MTU & IFCAP_VLAN_HWTAGGING ?
* Tony Sarendal <[EMAIL PROTECTED]> [2007-10-22 18:33]:
> I didn't get that opinion from marketing.
> No matter, we disagree, let's leave it at that.

well, yeah, nonetheless, I wanna point out the essence why stateful is better (the way we do it in OpenBSD):

1) it moves the limit where the box starts to suffer from overload quite far, or, in other words, the box can handle a much larger amount of traffic before it starts to drop stuff. thus it can withstand bigger amounts of (D)DoS too.

2) once it gets to that point, it is more selective in dropping packets than a stateless box, as it prefers established connections. this behaviour cannot be valued enough in (D)DoS type of situations.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Network Time Synchronization using timed or ntpd or a Combination?
Clint Pachl <[EMAIL PROTECTED]> wrote:

> I was thinking about using ntpd only on all systems. One system would get
> time from the NTP pool

... or from a time signal sensor...

> and all other servers on the network would sync
> to the local server. Is this the best way?

Yes.

> Then I discovered timed.

Ancient cruft. It will be deleted from the tree eventually.

--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
Re: About Xen: maybe a reiterative question but ..
On 10/23/07, Per-Erik Persson <[EMAIL PROTECTED]> wrote:
> I might be flamed for this statement but not being able to run inside a
> virtualized environment is not an option in the future.

The future is not now, no-one is saying openBSD will never run in a virtualized environment.

> Most servers you can buy today are too powerful for only taking care of
> one task.

You know that one machine can perform more than one task even without virtualization, right?

> If OpenBSD doesn't adapt to the virtualization trend it will be used only
> as an obscure firewall box.

Or perhaps future (better) virtualizations won't require special OS support. Xen is not a be-all-end-all.

---
Lars Hansson
Network Time Synchronization using timed or ntpd or a Combination?
What is the most "efficient" and "secure" way to keep the clocks of servers on a network in sync?

Because OpenNTPD was designed with security in mind from the start, I was thinking about using ntpd only on all systems. One system would get time from the NTP pool and all other servers on the network would sync to the local server. Is this the best way?

Then I discovered timed. Does anybody use it? Is it as secure? What are the (dis)advantages/differences compared to ntpd?

I was reading timed(8) and it states the following:

"One way to synchronize a group of machines is to use an NTP daemon to synchronize the clock of one machine to a distant standard or a radio receiver and -F hostname to tell its timed daemon to trust only itself."

I assume that all the other machines on the network would run timed only?

How do you guys keep your clocks in-sync?

-pachl
Re: About Xen: maybe a reiterative question but ..
Per-Erik Persson wrote:
> ... not being able to run inside a
> virtualized environment is not an option in the future.

Virtualization is available already. See the package qemu. http://www.openbsd.org/4.1_packages/

Or are you aiming for Xen specifically? Keep in mind that the most significant opponent to OpenBSD has now influence if not control over Xen: http://www.theregister.co.uk/2006/07/18/ms_xen_partner/

Xen's developer and management time will be burned up with no result. No business that I am aware of has yet survived such a "partnership". It'd be a first if XenSource were to break the record.

-Lars
Re: CARP problem
Marco Pfatschbacher wrote:
> On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
>> Googling showed up quite a few posts of people having problems with CARP
>> and the "incorrect hash" message, but none really helped me.
>
> the most common reason for "incorrect hash" messages is that your
> configuration isn't in sync. That includes all IP addresses and the
> password.
> Seems like that's the case in your setup:
>
>> carp0: flags=8843 mtu 1500
>> lladdr 00:00:5e:00:01:0a
>> carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
>> groups: carp
>> inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
>> inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
>> inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255
>
> vs.
>
>> carp0: flags=8802 mtu 1500
>> lladdr 00:00:5e:00:01:0a
>> carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
>> groups: carp
>> inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
>> inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
>
> dunno where you got 134.102.176.202 from, though...
>
>> hostname.carp0:
>> inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass xxx10 carpdev
>> vlan0 advskew 100 state backup
>
> You shouldn't use "state backup" here. The higher advskew is sufficient.
> "state" is only needed for manual intervention.

Have removed "state backup", and it is still working. Also fixed my hostname.carp0.

Thanks for your help

--Heinrich
OSS audio drivers
Hi all,

this is to clarify (for me, anyway) the status of audio drivers present in the (recently GPLed) OSS. http://www.opensound.com/osshw.html

What is the relation of OpenBSD's audio drivers to the OSS project? What, if anything, does opensourcing (GPL, I know) their code mean for our audio drivers? In particular, does that mean (future) support for the high-end soundcards such as M-Audio Delta?

Thanks

Jan
Re: About Xen: maybe a reiterative question but ..
I might be flamed for this statement but not being able to run inside a virtualized environment is not an option in the future.

Most servers you can buy today are too powerful for only taking care of one task. It is really handy to be able to "shuffle" around the CPUs to the virtual machine that needs it at the moment.

OpenBSD is much too powerful to be used only on soekris and wrap boxes as a firewall for the home user. If OpenBSD doesn't adapt to the virtualization trend it will be used only as an obscure firewall box.

If I need to run linux as Dom0 to be able to put most of my OpenBSD machines into one single box (well two actually if you want failover, and that you probably want), the security sacrifice is OK to me, at least knowing that the option is to not run OpenBSD at all since I would need too many machines and too much electricity and be forced to build a new server room.

The firewall and the KDC will probably not be virtualized yet, but everything else will soon be.

Luca Corti wrote:
> On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
>> unavoidable. The question is, is that a worthwhile trade-off? Is this
>> a reason not to support Xen? Or should the user be given that option
>> regardless of the inherent limitations and consequences?
>
> A proper Dom0 port of XEN to OpenBSD would solve this by removing the
> linux dependency. However this would probably require a significant
> effort on OpenBSD side and a XEN Hypervisor code audit.
>
> Also from earlier discussion on the list it seems this kind of
> virtualization may impact on security, which is in direct contrast with
> OpenBSD goals. Can someone elaborate more on this?
>
> ciao
>
> Luca
Installing the latest snapshot freezes on i386
Hi all,

I just recently purchased a brand new HP Pavilion G3035L Desktop PC (spec: http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC). It's using Intel Core Duo processor. I tried to install OpenBSD's latest snapshot to this machine last night. The thing is it freezes and it wouldn't install. Here's the messages I got from my screen:

pcibios0 at bios0: rev 3.0 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5590/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801GH LPC" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GP" rev 0x02: rng active, 800Kb/sec
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
"Intel 82801GB HD Audio" rev 0x01 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8101E" rev 0x01: RTL8101E (0x3400), irq 19, address 00:1b:b9:85:6c:b8
rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev 1
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 3
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 10
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 11
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0

Does anyone know what the problem is? Is some of the hardware not supported by OpenBSD? What should I do so this machine can run OpenBSD?

Thanks for the help. I appreciate it.

-Reza
Re: CARP problem
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
>
> Googling showed up quite a few posts of people having problems with CARP
> and the "incorrect hash" message, but none really helped me.

the most common reason for "incorrect hash" messages is that your configuration isn't in sync. That includes all IP addresses and the password.
Seems like that's the case in your setup:

> carp0: flags=8843 mtu 1500
> lladdr 00:00:5e:00:01:0a
> carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
> groups: carp
> inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
> inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
> inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

vs.

> carp0: flags=8802 mtu 1500
> lladdr 00:00:5e:00:01:0a
> carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
> groups: carp
> inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
> inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

dunno where you got 134.102.176.202 from, though...

> hostname.carp0:
> inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass xxx10 carpdev
> vlan0 advskew 100 state backup
>

You shouldn't use "state backup" here. The higher advskew is sufficient. "state" is only needed for manual intervention.
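The check Marco describes (are both peers configured with the same vhid and the same set of addresses on the carp interface?) can be automated by diffing the `ifconfig carp0` output of the two hosts. The script below is an added example and is not from the thread or from OpenBSD; it parses the two listings posted above (embedded as constructed samples, with the netmask spelled out as ifconfig prints it) and reports every difference that would make the hosts disagree on the CARP advertisement hash. The password lives in hostname.carpN and is not visible in ifconfig, so it still has to be compared by hand.

```python
"""Diff the CARP configuration of two hosts from their ifconfig(8) output.

Added example, not code from the thread.  A "carp0: incorrect hash"
message usually means the peers disagree on the vhid, on the set of
addresses on the carp interface, or on the password; the first two can
be read from `ifconfig carp0` on each host and compared mechanically.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed samples: the two listings posted in the thread, laid out as
# ifconfig prints them (one interface header line, indented detail lines).
FRW1_IFCONFIG = """\
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
        inet 134.102.176.202 netmask 0xffffff00 broadcast 134.102.176.255
"""
FRW2_IFCONFIG = """\
carp0: flags=8802 mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
"""


@dataclass
class CarpIface:
    name: str
    state: Optional[str] = None
    vhid: Optional[str] = None
    carpdev: Optional[str] = None
    advskew: Optional[str] = None
    inet: Set[str] = field(default_factory=set)
    inet6: Set[str] = field(default_factory=set)


def parse_ifconfig(text: str) -> Dict[str, CarpIface]:
    """Return name -> CarpIface for every interface that has a 'carp:' line."""
    ifaces: Dict[str, CarpIface] = {}
    cur: Optional[CarpIface] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # "carp0: flags=8843 mtu 1500" opens a new interface block
            cur = CarpIface(name=line.split(":", 1)[0])
            ifaces[cur.name] = cur
            continue
        if cur is None:
            continue
        tok = line.split()
        if tok[0] == "inet":
            cur.inet.add(tok[1])
        elif tok[0] == "inet6":
            # the %scope suffix is host-local and not part of the configuration
            cur.inet6.add(tok[1].split("%", 1)[0])
        elif tok[0] == "carp:":
            # "carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0"
            cur.state = tok[1]
            kv = dict(zip(tok[2::2], tok[3::2]))
            cur.vhid, cur.carpdev, cur.advskew = kv.get("vhid"), kv.get("carpdev"), kv.get("advskew")
    return {n: i for n, i in ifaces.items() if i.vhid is not None}


def compare_carp(a: Dict[str, CarpIface], b: Dict[str, CarpIface],
                 label_a: str = "host A", label_b: str = "host B") -> List[str]:
    """List the differences between the two hosts' carp interfaces."""
    problems: List[str] = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append(f"{name}: not configured on {label_b if name in a else label_a}")
            continue
        x, y = a[name], b[name]
        if x.vhid != y.vhid:
            problems.append(f"{name}: vhid differs ({x.vhid} vs {y.vhid})")
        for fam in ("inet", "inet6"):
            xa, ya = getattr(x, fam), getattr(y, fam)
            for only, where in ((xa - ya, label_a), (ya - xa, label_b)):
                if only:
                    problems.append(f"{name}: {fam} address only on {where}: {', '.join(sorted(only))}")
        if x.advskew == y.advskew:
            # not a hash problem, but with equal advskew neither host is preferred as master
            problems.append(f"{name}: both hosts use advskew {x.advskew}")
    return problems


def check_thread_sample() -> List[str]:
    """Run the comparison on the two listings from the thread."""
    return compare_carp(parse_ifconfig(FRW1_IFCONFIG), parse_ifconfig(FRW2_IFCONFIG), "frw1", "frw2")


if __name__ == "__main__":
    # Usage: python carp_diff.py frw1.txt frw2.txt  (saved `ifconfig carp0` output of each host)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            found = compare_carp(parse_ifconfig(f1.read()), parse_ifconfig(f2.read()), sys.argv[1], sys.argv[2])
    else:
        found = check_thread_sample()
    print("\n".join(found) if found else "no differences found")
```

On the thread's listings the only finding is the extra alias 134.102.176.202 on frw1, which is exactly what Marco spotted by eye; the hostname.carp0 files (and the `pass` in them) still need a separate diff.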
Re: daap/mdns multicast problems
Jonathan Kent <[EMAIL PROTECTED]> wrote:

> Been trying in vain to get daap/mdns traffic through my OpenBSD 4.1
> firewall to talk to my mt-daap server.
>
> From tcpdumping I can see the multicast traffic coming into sis1
> interface but not coming out of the sis0 interface so I can only assume
> that I have missed something.

As Brian already pointed out, you need to enable multicast routing. You also need a multicast routing daemon to perform the actual forwarding. mrouted(8) will do for simple purposes. I haven't tried dvmrpd(8).

However, the first thing you want to check is the TTL of these mdns packets. I suspect it's 1 and they are intended as local broadcasts, not as routable traffic.

--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
Solved: CARP problem
Heinrich Rebehn wrote:
> Hi All,
>
> i am trying to setup a carp'ed pair of firewalls and am fighting with
> strange CARP behavior. "frw1" is i386, "frw2" is amd64, but both run
> i386 OpenBSD 4.2
>
> On each machine i have configured 4 vlans on the sk0 interface. The carp
> interfaces are configured on top of the vlan interfaces (see attachments).
> Note: i had to bring down carp0 manually on frw2 to keep it from
> confusing our network. Therefore it is shown in INIT state.
>
> What happens:
> 1. I boot frw1, it becomes MASTER on all carps -> good.
> 2. I boot frw2, it becomes BACKUP on all carps except carp0, which
> becomes MASTER -> bad.
>
> Both machines think they're MASTER on carp0. Since both are complaining
> about "carp0: incorrect hash" i have double checked the passwords on
> both machines, no diff!
>
> I brought carp2 down on frw1 and it immediately failed over to frw2, so
> CARP in general does work. Since all traffic is running through the
> same physical device and the problem is only on one carp interface i
> tend to rule out hardware problems.
>
> Googling showed up quite a few posts of people having problems with CARP
> and the "incorrect hash" message, but none really helped me.
>
> [EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp
> pass quick proto carp all no state
>
> [EMAIL PROTECTED] [~] # pfctl -sr | grep carp
> pass quick proto carp all no state
>
> Any ideas?

It is really strange: As soon as i have posted the problem to the list, i seem to be able to relax and think better :-)

The solution:

On frw1:

carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:0a
carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

On frw2:

carp0: flags=8802 mtu 1500
lladdr 00:00:5e:00:01:0a
carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
groups: carp
inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

The alias made the difference! On frw1 i had added it in /etc/rc.conf.local because i had difficulties defining it in /etc/hostname.carp0. This was missing on frw2! Now it works.

Apologies for the noise!

--Heinrich
Re: CARP problem
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
> What happens:
> 1. I boot frw1, it becomes MASTER on all carps -> good.
> 2. I boot frw2, it becomes BACKUP on all carps except carp0, which
> becomes MASTER -> bad.
>
> Any ideas?

Do you have pass quick for carp and pfsync *before* antispoof and block rules, and on *all* carp interfaces?

Rui

--
Grudnuk demand sustenance!
Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi
+ So let's do it...?
CARP problem
Hi All,

i am trying to setup a carp'ed pair of firewalls and am fighting with strange CARP behavior. "frw1" is i386, "frw2" is amd64, but both run i386 OpenBSD 4.2

On each machine i have configured 4 vlans on the sk0 interface. The carp interfaces are configured on top of the vlan interfaces (see attachments). Note: i had to bring down carp0 manually on frw2 to keep it from confusing our network. Therefore it is shown in INIT state.

What happens:
1. I boot frw1, it becomes MASTER on all carps -> good.
2. I boot frw2, it becomes BACKUP on all carps except carp0, which becomes MASTER -> bad.

Both machines think they're MASTER on carp0. Since both are complaining about "carp0: incorrect hash" i have double checked the passwords on both machines, no diff!

I brought carp2 down on frw1 and it immediately failed over to frw2, so CARP in general does work. Since all traffic is running through the same physical device and the problem is only on one carp interface i tend to rule out hardware problems.

Googling showed up quite a few posts of people having problems with CARP and the "incorrect hash" message, but none really helped me.

[EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp
pass quick proto carp all no state

[EMAIL PROTECTED] [~] # pfctl -sr | grep carp
pass quick proto carp all no state

Any ideas?

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax :-3341

OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.60GHz ("GenuineIntel" 686-class) 2.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 1072459776 (1022MB)
avail mem = 1029386240 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/12/03, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf04a0 (68 entries)
bios0: vendor American Megatrends Inc. version "080009 " date 12/12/2003
bios0: ASUSTeK Computer Inc. P4P800
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5100/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G/PE/P CPU-I/0-1" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82865G/PE/P CPU-AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage 128 Pro TF" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 10
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: irq 10
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xc2
pci2 at ppb1 bus 2
skc0 at pci2 dev 5 function 0 "3Com 3c940" rev 0x12, Yukon (0x1): irq 11
sk0 at skc0 port A: address 00:0c:6e:d8:b0:d8
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci2 dev 10 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 11, address 00:04:76:a0:43:bd
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 5 for native-PCI interrupt
wd0 at pciide1 channel 1 drive 0:
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: irq 11, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2
Re: Biometrics
On Mon, 22 Oct 2007, Cyrus wrote:
> I've been looking for some time now for biometric software for openbsd,
> to work in XDM or KDM. I need it to support Keytronic F-SCAN-K001US, if
> nothing exists, I guess it's back to a regular keyboard. I don't think I
> can run Bio-Logon 3.0 through wine as a system process like that, so I'm
> just looking for some kind of biometric software, suite, or project that
> supports my keyboard/scanner.

Hi,

I found a web page of a project which has been (unfortunately) abandoned recently. Don't know anything more about it. http://biomark.org.ru/en/

Regards,
David
Re: About Xen: maybe a reiterative question but ..
On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
> unavoidable. The question is, is that a worthwhile trade-off? Is this
> a reason not to support Xen? Or should the user be given that option
> regardless of the inherent limitations and consequences?

A proper Dom0 port of XEN to OpenBSD would solve this by removing the linux dependency. However this would probably require a significant effort on OpenBSD side and a XEN Hypervisor code audit.

Also from earlier discussion on the list it seems this kind of virtualization may impact on security, which is in direct contrast with OpenBSD goals. Can someone elaborate more on this?

ciao

Luca
Re: About Xen: maybe a reiterative question but ..
ropers wrote:
> On 23/10/2007, Jeff Quast <[EMAIL PROTECTED]> wrote:
>> I would like to vouch for openbsd working great as a guest, but my
>> guest has crashed a dozen times. However I think this is due to the
>> debian linux dom0 having broken sata code for the controller in use.
>> dom0's dmesg is filled with debug statements from sata related places
>> in the kernel that should never be printed. We're in a messy
>> de-centralized linux development world trying to get a stable dom0
>> patched together. It sucks.
>
> This is what I meant to hint at earlier: Running an OpenBSD DomU in
> connection with, say, a Linux Xen Dom0 possibly makes that OpenBSD
> installation subject to bugs in the hypervisor/Dom0, and that may be
> unavoidable. The question is, is that a worthwhile trade-off? Is this
> a reason not to support Xen? Or should the user be given that option
> regardless of the inherent limitations and consequences?
>
> --ropers

IMHO I think that OpenBSD needs to be capable to install and run as a paravirtualized domU guest, with some limitations if you like.

Last year I asked the same question. Then it was said that only NetBSD needed to do the xen port, and from there it would be easy enough to carry over to OpenBSD. The reality is that NetBSD has long been able to be installed and run as domU and OpenBSD not.

And my question is why?? i think that only one developer can't maintain this type of code ... needs more help. I am not developer but i can do tests if you need it.

--
CL Martinez
carlopmart {at} gmail {d0t} com