Re: OpenBSD + isakmpd + VPN concentrator 3060
I finally was able to set up the VPN connection. The other side was configured the wrong way, and in the end my whole ipsec.conf looks like this:

-- ipsec.conf --
other_peer = c.c.c.c_public_ip

ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group modp1024 \
    psk somekey
-- ipsec.conf --

But I have another problem: a.a.a.a_net is not configured on my network interface, it's just a net that NAT must be done on. I was reading a bit about doing NAT on obsd and ipsec. I've tried to do so:

-- conf --
ifconfig lo1 inet a.a.a.a_net
route add -net d.d.d.d_net a.a.a.a_host

and pf.conf:
nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host
-- conf --

But it doesn't seem to work. Packets are showing on lo1, but they are not going through the flow/enc0 interface.

-- tcpdump lo1 --
09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
09:38:20.497421 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
-- tcpdump lo1 --

flows:
flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type require

image :):

e.e.e.e_net (em0)
|
a.a.a.a_net (lo1) obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net

Regards,
Mariusz Makowski

Mariusz Makowski wrote:
Mariusz Makowski wrote:
> Hello,
>
> Firstly I want to mention that it's my beginning with ipsec/isakmpd tunneling. My problem is about making a connection from OpenBSD 4.3 to a Cisco VPN concentrator 3060. The Cisco concentrator is out of my range so I can't check the log there and I only wish that the configuration there is done well.
>
> Here is my example:
>
> a.a.a.a_net obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net
>
> What I want to achieve is:
> - communication from a.a.a.a_net to d.d.d.d_net
>
> What I know about the cisco configuration:
> - VPN concentrator 3060
> - c.c.c.c_public_ip
> - d.d.d.d_net
> - VPN Method: IPSec
> - Encryption: 3DES
> - Key exchange IKE
> - Pre-Shared Key: somekey
> - Perfect Forward Secrecy: Yes - Group 2 (1024 bits)
> - Hashing: SHA-1
> - Diffie-Hellman: Yes - Group 2
> - Time Lifetime: 28800 seconds
> - Encapsulation Mode: Tunnel
> - Negotiation Mode: Main
>
> OpenBSD:
> - clean installation of 4.3
> - no pf yet
> - em0: a.a.a.a_net
> - em1: b.b.b.b_public_ip
>
> After a couple of hours of reading stuff on the internet and reading some configuration files I achieved this configuration:
>
> -- isakmpd.conf --
> [General]
> Listen-on = b.b.b.b_public_ip
>
> [Phase 1]
> c.c.c.c_public_ip = CONN
>
> [Phase 2]
> Connections = LINK
>
> [CONN]
> Phase = 1
> Transport = udp
> Address = c.c.c.c_public_ip
> Configuration = Default-Main-Mode
> Authentication = somekey
>
> [LINK]
> Phase = 2
> ISAKMP-Peer = HP
> Configuration = Default-Quick-Mode
> Local-ID = LAN-1
> Remote-ID = LAN-2
>
> [LAN-1]
> ID-Type = IPV4_ADDR_SUBNET
> Network = a.a.a.a_net
> Netmask = a.a.a.a_netmask
>
> [LAN-2]
> ID-Type = IPV4_ADDR_SUBNET
> Network = d.d.d.d_net
> Netmask = d.d.d.d_netmask
>
> [Default-Main-Mode]
> DOI = IPSEC
> Exchange_Type = ID_PROT
> Transforms = 3DES-SHA
>
> [Default-Quick-Mode]
> DOI = IPSEC
> Exchange_Type = QUICK_MODE
> Suites = QM-ESP-3DES-SHA-SUITE
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM = 3DES_CBC
> HASH_ALGORITHM = SHA
> AUTHENTICATION_METHOD = PRE_SHARED
> GROUP_DESCRIPTION = MODP_1024
> Life = LIFE_3600_SECS
>
> [QM-ESP-3DES-SHA-SUITE]
> Protocols = QM-ESP-3DES-SHA
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols = QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-SHA]
> PROTOCOL_ID = IPSEC_ESP
> Transforms = QM-ESP-3DES-SHA-XF
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID = IPSEC_ESP
> Transforms = QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA-TRP]
> PROTOCOL_ID = IPSEC_ESP
> Transforms = QM-ESP-3DES-SHA-TRP-XF
>
> [QM-ESP-3DES-SHA-XF]
> TRANSFORM_ID = 3DES
> ENCAPSULATION_MODE = TUNNEL
> AUTHENTICATION_ALGORITHM = HMAC_SHA
> Life = LIFE_28800_SECS
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID = 3DES
> ENCAPSULATION_MODE = TUNNEL
> AUTHENTICATION_ALGORITHM = HMAC_SHA
> GROUP_DESCRIPTION = MODP_1024
> Life = LIFE_28800_SECS
>
> [QM-ESP-3DES-SHA-TRP-XF]
> TRANSFORM_ID = 3DES
> ENCAPSULATION_MODE = TRANSPORT
> AUTHENTICATION_ALGORITHM = HMAC_SHA
> Life = LIFE_28800_SECS
>
> [LIFE_3600_SECS]
> LIFE_TYPE = SECONDS
> LIFE_DURATION = 3600,1800:7200
>
> [LIFE_28800_SECS]
> LIFE_TYPE = SECONDS
> LIFE_DURATION = 28800
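An added example, not part of the message above or of isakmpd itself: a small linter that parses an isakmpd.conf-style file, reports references to sections that are not defined in it, and follows each Phase 2 connection down to its transforms to see whether the PFS group the peer asks for is actually offered. The function names, the constructed excerpt (modelled on the posted configuration) and the mapping of the peer's "Group 2 (1024 bits)" to `MODP_1024` are assumptions; section names that isakmpd resolves from built-in defaults are not examined.

```python
import re

# Tags whose values must name sections defined in the same file.
REF_TAGS = {"isakmp-peer", "local-id", "remote-id", "connections"}

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE_CONF = """\
[Phase 1]
c.c.c.c_public_ip = CONN
[Phase 2]
Connections = LINK
[CONN]
Phase = 1
Address = c.c.c.c_public_ip
Configuration = Default-Main-Mode
[LINK]
Phase = 2
ISAKMP-Peer = HP
Configuration = Default-Quick-Mode
Local-ID = LAN-1
Remote-ID = LAN-2
[LAN-1]
ID-Type = IPV4_ADDR_SUBNET
[LAN-2]
ID-Type = IPV4_ADDR_SUBNET
[Default-Quick-Mode]
Suites = QM-ESP-3DES-SHA-SUITE
[QM-ESP-3DES-SHA-SUITE]
Protocols = QM-ESP-3DES-SHA
[QM-ESP-3DES-SHA]
Transforms = QM-ESP-3DES-SHA-XF
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID = 3DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
"""


def parse_conf(text):
    """Parse '[Section]' headers and 'Tag = value' lines into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            current[tag.strip()] = value.strip()
    return sections


def _values(sections, section, tag):
    """Comma-separated values of one tag; the tag match is case-insensitive."""
    for key, value in sections.get(section, {}).items():
        if key.lower() == tag.lower():
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def dangling_refs(sections):
    """Return (section, tag, target) for every reference to a missing section."""
    problems = []
    for name, tags in sections.items():
        for tag in tags:
            # Every value in [Phase 1] is the name of a peer section.
            if tag.lower() in REF_TAGS or name == "Phase 1":
                for target in _values(sections, name, tag):
                    if target not in sections:
                        problems.append((name, tag, target))
    return problems


def quick_mode_groups(sections, connection):
    """Follow Configuration -> Suites -> Protocols -> Transforms for one
    Phase 2 connection; map each transform section defined in the file to
    its GROUP_DESCRIPTION, or None when no PFS group is set."""
    result = {}
    for cfg in _values(sections, connection, "Configuration"):
        for suite in _values(sections, cfg, "Suites"):
            for proto in _values(sections, suite, "Protocols"):
                for xf in _values(sections, proto, "Transforms"):
                    if xf in sections:
                        group = _values(sections, xf, "GROUP_DESCRIPTION")
                        result[xf] = group[0] if group else None
    return result


def lint(text, required_pfs_group):
    """Return human-readable findings for one configuration file."""
    sections = parse_conf(text)
    findings = [f"[{s}] {t} = {x}: no section [{x}] in this file"
                for s, t, x in dangling_refs(sections)]
    for conn in _values(sections, "Phase 2", "Connections"):
        for xf, group in quick_mode_groups(sections, conn).items():
            if group != required_pfs_group:
                findings.append(f"[{conn}] offers [{xf}] with PFS group "
                                f"{group}; peer expects {required_pfs_group}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, "MODP_1024"):
        print(finding)
```
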
Re: ral(4) and Gigabyte GN-WI01GS 802.11b/g card
Nick,

Good to hear. It's going into a Soekris 4501 for wireless access duty so hostap is necessary but anything's got to work better than my current Atheros based card.

If anyone else has used this card with success in hostap mode, I'd love to hear about it.

-Kevin

On Thu, Sep 25, 2008 at 3:55 PM, Nick Templeton [EMAIL PROTECTED] wrote:
> I have one in my Dell laptop and it works great. Here's how it looks in my dmesg:
>
> ral0 at pci2 dev 3 function 0 Ralink RT2561S rev 0x00: irq 11, address 00:1a:4d:33:b6:03
> ral0: MAC/BBP RT2561C, RF RT2527
>
> I haven't tried it in hostap mode, but I've had good luck with another Gigabyte ral(4)-based card as an access point.
>
> -Nick
>
> Kevin Elliott wrote:
>> I am thinking of buying a Gigabyte GN-WI01GS to replace my Wistron CM9. It's listed as supported under the man file. I was curious if anyone has any experience with this card and can confirm that it's FULLY supported under OpenBSD-4.3 (i386).
>>
>> Thank you.
>> Kevin
>>
>> Hope in reality is the worst of all evils because it prolongs the torments of man. -Nietzsche

--
Since love and fear can hardly exist together, if we must choose between them, it is far safer to be feared than loved. -Niccolo Machiavelli
[OT] IronPort mail servers
I know this is not OpenBSD related but I'm just asking if someone has any first-hand experience with IronPort [1].

My company has decided to move away from its Solaris 8 mail system (sendmail, clamav, mimedefang, relaydelay and god-knows-what-else) - the reason for the move is that the current system is kind of glued together and no one knows how it all works. The people who implemented these have left with no documentation behind.

Anyhow, we have acquired one IronPort for free plus free training. After doing the training it looks like an extremely powerful little box that can do the whole lot: mail, spam, virus checking, LDAP lookup, SPF... everything from a nice GUI and also CLI.

I just wonder if anyone has any first-hand experience with IronPort and would share their experience.

Thanks.

--
[1] http://en.wikipedia.org/wiki/IronPort
Re: OpenBSD + isakmpd + VPN concentrator 3060
On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
> I finally was able to set up the VPN connection. The other side was configured the wrong way, and in the end my whole ipsec.conf looks like this:
>
> -- ipsec.conf --
> other_peer = c.c.c.c_public_ip
>
> ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
>     main auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des group modp1024 \
>     psk somekey
> -- ipsec.conf --

In our environment (we manage OpenBSD tunnels to a Cisco 3030 which is out of our scope) we debugged a strange problem when the connection goes down. The tunnels won't come back after a small link shutdown. The problem was that the Cisco 3030 was doing the DPD check and not the OpenBSD. If it's the case for you too, you should add these lines to /etc/isakmpd/isakmpd.conf:

--- isakmpd.conf ---
[General]
DPD-check-interval = 30
--- isakmpd.conf ---

> But I have another problem: a.a.a.a_net is not configured on my network interface, it's just a net that NAT must be done on. I was reading a bit about doing NAT on obsd and ipsec. I've tried to do so:
>
> -- conf --
> ifconfig lo1 inet a.a.a.a_net
> route add -net d.d.d.d_net a.a.a.a_host
>
> and pf.conf:
> nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host
> -- conf --
>
> But it doesn't seem to work. Packets are showing on lo1, but they are not going through the flow/enc0 interface.

The route will not work. Instead, you should use pf and the route-to directive.

> -- tcpdump lo1 --
> 09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
> 09:38:20.497421 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
> -- tcpdump lo1 --
>
> flows:
> flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
> flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type require
>
> image :):
>
> e.e.e.e_net (em0)
> |
> a.a.a.a_net (lo1) obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net
>
> Regards,
> Mariusz Makowski
>
> Mariusz Makowski wrote:
> Mariusz Makowski wrote:
>> Hello,
>>
>> Firstly I want to mention that it's my beginning with ipsec/isakmpd tunneling. My problem is about making a connection from OpenBSD 4.3 to a Cisco VPN concentrator 3060. The Cisco concentrator is out of my range so I can't check the log there and I only wish that the configuration there is done well.
>>
>> Here is my example:
>>
>> a.a.a.a_net obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net
>>
>> What I want to achieve is:
>> - communication from a.a.a.a_net to d.d.d.d_net
>>
>> What I know about the cisco configuration:
>> - VPN concentrator 3060
>> - c.c.c.c_public_ip
>> - d.d.d.d_net
>> - VPN Method: IPSec
>> - Encryption: 3DES
>> - Key exchange IKE
>> - Pre-Shared Key: somekey
>> - Perfect Forward Secrecy: Yes - Group 2 (1024 bits)
>> - Hashing: SHA-1
>> - Diffie-Hellman: Yes - Group 2
>> - Time Lifetime: 28800 seconds
>> - Encapsulation Mode: Tunnel
>> - Negotiation Mode: Main
>>
>> OpenBSD:
>> - clean installation of 4.3
>> - no pf yet
>> - em0: a.a.a.a_net
>> - em1: b.b.b.b_public_ip
>>
>> After a couple of hours of reading stuff on the internet and reading some configuration files I achieved this configuration:
>>
>> -- isakmpd.conf --
>> [General]
>> Listen-on = b.b.b.b_public_ip
>>
>> [Phase 1]
>> c.c.c.c_public_ip = CONN
>>
>> [Phase 2]
>> Connections = LINK
>>
>> [CONN]
>> Phase = 1
>> Transport = udp
>> Address = c.c.c.c_public_ip
>> Configuration = Default-Main-Mode
>> Authentication = somekey
>>
>> [LINK]
>> Phase = 2
>> ISAKMP-Peer = HP
>> Configuration = Default-Quick-Mode
>> Local-ID = LAN-1
>> Remote-ID = LAN-2
>>
>> [LAN-1]
>> ID-Type = IPV4_ADDR_SUBNET
>> Network = a.a.a.a_net
>> Netmask = a.a.a.a_netmask
>>
>> [LAN-2]
>> ID-Type = IPV4_ADDR_SUBNET
>> Network = d.d.d.d_net
>> Netmask = d.d.d.d_netmask
>>
>> [Default-Main-Mode]
>> DOI = IPSEC
>> Exchange_Type = ID_PROT
>> Transforms = 3DES-SHA
>>
>> [Default-Quick-Mode]
>> DOI = IPSEC
>> Exchange_Type = QUICK_MODE
>> Suites = QM-ESP-3DES-SHA-SUITE
>>
>> [3DES-SHA]
>> ENCRYPTION_ALGORITHM = 3DES_CBC
>> HASH_ALGORITHM = SHA
>> AUTHENTICATION_METHOD = PRE_SHARED
>> GROUP_DESCRIPTION = MODP_1024
>> Life = LIFE_3600_SECS
>>
>> [QM-ESP-3DES-SHA-SUITE]
>> Protocols = QM-ESP-3DES-SHA
>>
>> [QM-ESP-3DES-SHA-PFS-SUITE]
>> Protocols = QM-ESP-3DES-SHA-PFS
>>
>> [QM-ESP-3DES-SHA]
>> PROTOCOL_ID = IPSEC_ESP
>> Transforms = QM-ESP-3DES-SHA-XF
>>
>> [QM-ESP-3DES-SHA-PFS]
>> PROTOCOL_ID = IPSEC_ESP
>> Transforms = QM-ESP-3DES-SHA-PFS-XF
>>
>> [QM-ESP-3DES-SHA-TRP]
>> PROTOCOL_ID = IPSEC_ESP
>> Transforms = QM-ESP-3DES-SHA-TRP-XF
>>
>> [QM-ESP-3DES-SHA-XF]
>> TRANSFORM_ID
Re: how to turn off greylisting?
2008/9/25 jared r r spiegel [EMAIL PROTECTED]:
> On Thu, Sep 25, 2008 at 10:25:19PM -0400, Juan Miscaro wrote:
>> I have stopped my spamd on my 4.3 box and went ahead and restarted it with the '-b' switch. However, the output of spamdb tells me that greylisting is still active. What is happening?
>
> maybe
>
> /home/jrrs $ fgrep grey /etc/rc*
> /etc/rc.conf:spamd_black=NO # set to YES to run spamd without greylisting

Huh thanks but I'm talking real-time.

~juan
Re: OpenBSD + isakmpd + VPN concentrator 3060
Claer wrote:
> On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
>> I finally was able to set up the VPN connection. The other side was configured the wrong way, and in the end my whole ipsec.conf looks like this:
>>
>> -- ipsec.conf --
>> other_peer = c.c.c.c_public_ip
>>
>> ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
>>     main auth hmac-sha1 enc 3des group modp1024 \
>>     quick auth hmac-sha1 enc 3des group modp1024 \
>>     psk somekey
>> -- ipsec.conf --
>
> In our environment (we manage OpenBSD tunnels to a Cisco 3030 which is out of our scope) we debugged a strange problem when the connection goes down. The tunnels won't come back after a small link shutdown. The problem was that the Cisco 3030 was doing the DPD check and not the OpenBSD. If it's the case for you too, you should add these lines to /etc/isakmpd/isakmpd.conf:
>
> --- isakmpd.conf ---
> [General]
> DPD-check-interval = 30
> --- isakmpd.conf ---

Thanks for this.

>> But I have another problem: a.a.a.a_net is not configured on my network interface, it's just a net that NAT must be done on. I was reading a bit about doing NAT on obsd and ipsec. I've tried to do so:
>>
>> -- conf --
>> ifconfig lo1 inet a.a.a.a_net
>> route add -net d.d.d.d_net a.a.a.a_host
>>
>> and pf.conf:
>> nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host
>> -- conf --
>>
>> But it doesn't seem to work. Packets are showing on lo1, but they are not going through the flow/enc0 interface.
>
> The route will not work. Instead, you should use pf and the route-to directive.

Finally I managed to do NAT in the correct way; probably I had mistyped some pf.conf configuration. Both ways of adding the route are working.

route add -net d.d.d.d_net a.a.a.a_host

and pf.conf:

and

pass in quick on $int_if \
    route-to (lo1 a.a.a.a_host) \
    from e.e.e.e_net to d.d.d.d_net

But packets after NAT are ignoring the encap flows, and they are trying to go out by the default gateway.

>> -- tcpdump lo1 --
>> 09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
>> 09:38:20.497421 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
>> -- tcpdump lo1 --
>>
>> flows:
>> flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
>> flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type require
>>
>> image :):
>>
>> e.e.e.e_net (em0)
>> |
>> a.a.a.a_net (lo1) obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net
>>
>> Regards,
>> Mariusz Makowski
>>
>> Mariusz Makowski wrote:
>> Mariusz Makowski wrote:
>>> Hello,
>>>
>>> Firstly I want to mention that it's my beginning with ipsec/isakmpd tunneling. My problem is about making a connection from OpenBSD 4.3 to a Cisco VPN concentrator 3060. The Cisco concentrator is out of my range so I can't check the log there and I only wish that the configuration there is done well.
>>>
>>> Here is my example:
>>>
>>> a.a.a.a_net obsd b.b.b.b_public_ip --- c.c.c.c_public_ip cisco d.d.d.d_net
>>>
>>> What I want to achieve is:
>>> - communication from a.a.a.a_net to d.d.d.d_net
>>>
>>> What I know about the cisco configuration:
>>> - VPN concentrator 3060
>>> - c.c.c.c_public_ip
>>> - d.d.d.d_net
>>> - VPN Method: IPSec
>>> - Encryption: 3DES
>>> - Key exchange IKE
>>> - Pre-Shared Key: somekey
>>> - Perfect Forward Secrecy: Yes - Group 2 (1024 bits)
>>> - Hashing: SHA-1
>>> - Diffie-Hellman: Yes - Group 2
>>> - Time Lifetime: 28800 seconds
>>> - Encapsulation Mode: Tunnel
>>> - Negotiation Mode: Main
>>>
>>> OpenBSD:
>>> - clean installation of 4.3
>>> - no pf yet
>>> - em0: a.a.a.a_net
>>> - em1: b.b.b.b_public_ip
>>>
>>> After a couple of hours of reading stuff on the internet and reading some configuration files I achieved this configuration:
>>>
>>> -- isakmpd.conf --
>>> [General]
>>> Listen-on = b.b.b.b_public_ip
>>>
>>> [Phase 1]
>>> c.c.c.c_public_ip = CONN
>>>
>>> [Phase 2]
>>> Connections = LINK
>>>
>>> [CONN]
>>> Phase = 1
>>> Transport = udp
>>> Address = c.c.c.c_public_ip
>>> Configuration = Default-Main-Mode
>>> Authentication = somekey
>>>
>>> [LINK]
>>> Phase = 2
>>> ISAKMP-Peer = HP
>>> Configuration = Default-Quick-Mode
>>> Local-ID = LAN-1
>>> Remote-ID = LAN-2
>>>
>>> [LAN-1]
>>> ID-Type = IPV4_ADDR_SUBNET
>>> Network = a.a.a.a_net
>>> Netmask = a.a.a.a_netmask
>>>
>>> [LAN-2]
>>> ID-Type = IPV4_ADDR_SUBNET
>>> Network = d.d.d.d_net
>>> Netmask = d.d.d.d_netmask
>>>
>>> [Default-Main-Mode]
>>> DOI = IPSEC
>>> Exchange_Type = ID_PROT
>>> Transforms = 3DES-SHA
>>>
>>> [Default-Quick-Mode]
>>> DOI = IPSEC
>>> Exchange_Type = QUICK_MODE
>>> Suites = QM-ESP-3DES-SHA-SUITE
>>>
>>> [3DES-SHA]
>>> ENCRYPTION_ALGORITHM = 3DES_CBC
>>> HASH_ALGORITHM = SHA
>>> AUTHENTICATION_METHOD = PRE_SHARED
>>> GROUP_DESCRIPTION = MODP_1024
>>> Life = LIFE_3600_SECS
>>>
>>> [QM-ESP-3DES-SHA-SUITE]
>>> Protocols = QM-ESP-3DES-SHA
>>>
>>> [QM-ESP-3DES-SHA-PFS-SUITE]
>>> Protocols = QM-ESP-3DES-SHA-PFS
>>>
>>> [QM-ESP-3DES-SHA]
how to turn on em for Intel 1000PT quad port NIC
Hi guys,

I have this device: Intel PRO 1000PT Quad Port 1GbE NIC and OpenBSD 4.3. man em(4) indicates it is a supported device, but the device has not been created after installation. How can I turn on this device?

--
Jorge Andris Medina Oliva.
Evolve or die!
Re: how to turn on em for Intel 1000PT quad port NIC
Send dmesg.

On 2008-09-26, Jorge Medina [EMAIL PROTECTED] wrote:
> Hi guys,
>
> I have this device: Intel PRO 1000PT Quad Port 1GbE NIC and OpenBSD 4.3. man em(4) indicates it is a supported device, but the device has not been created after installation. How can I turn on this device?
>
> --
> Jorge Andris Medina Oliva.
> Evolve or die!
Re: Sendmail issue with sparc/ALOM mails
On 2008-09-25, Michael [EMAIL PROTECTED] wrote:
> Hi,
>
> I've got a Sun v440 with OpenBSD running with an ALOM card configured to send out mails on events. However, since the hostname can not be read it is set to unknown in the ALOM. It also is not possible to manually set the hostname.
>
> Now, when sendmail receives the mail it does not accept it because the sender [EMAIL PROTECTED] doesn't exist.
>
> Is there any way to accept mails from [EMAIL PROTECTED] to local addresses anyway?
>
> Sep 23 07:12:21 warden sm-mta-mailx[22453]: m8N5CJMP022453: ruleset=check_mail, arg1=[EMAIL PROTECTED], relay=cl-412.chi-02.us.sixxs.net [IPv6:2001:4978:f:19b::2], reject=553 5.1.8 [EMAIL PROTECTED]... Domain of sender address [EMAIL PROTECTED] does not exist

You need a new sendmail cf file built from an mc file with FEATURE(accept_unresolvable_domains) added. Look in /usr/share/sendmail/cf, hopefully you'll be able to work out the rest from there. The normal one in /etc/mail gets built from openbsd-proto.mc. Copy rather than just editing, and use a different name for the installed cf file so upgrades don't overwrite it.

> Second question... is there any way to set the hostname of the ALOM? ;-)

*shrug* you could try looking in eeprom(8), but I don't know if ALOM has anything to do with that.
Help with pf
# pfctl -e
pf enabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
--- www.terra.com.br ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

# cat /etc/pf.conf
# external interface (WAN)
ext_if = "xl1"
# internal interface (LAN)
int_if = "xl0"
# MPLS interface
mpls_if = "bge0"
# Default GW
gw = "200.162.41.33"

# Variables
#
# 1 - Redirection for the staging environment
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"

# 2 - Useful variables
lan = "{ 10.10.0.0/16 }"
rede_mpls = "{ 10.100.0.0/26 }"
ip_admin = "{ 10.10.0.135 }"
portas_saida_tcp = "{ 25, 80, 110 }"
portas_saida_udp = "{ 53 }"
portas_entrada_tcp = "{ 22 }"

set skip on lo
scrub in

# redirection to the LAN; NAT was needed as well
rdr pass on xl1 inet proto tcp from any to xl1 port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT
#
# NAT to give the LAN internet access
#nat on bge0 from $lan to $rede_mpls -> 10.100.1.1 # MPLS
nat on $ext_if from $lan to !($ext_if) -> $ext_if

# block everything in and everything out
block in all
block out all

# inbound rules
# allow everything in on the internal interface
pass in quick on $int_if proto udp from $lan to $int_if port 53
pass in quick on $int_if from $lan to any keep state

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state

# outbound rules
pass out on $int_if
pass out on $mpls_if
pass out on lo
pass out on $ext_if from any to $gw
pass out on $ext_if proto tcp from $lan to any port $portas_saida_tcp
pass out on $ext_if from $ip_admin to any

Question 1) What am I doing wrong? When I turn pf on I am not able to connect to the internet.

# pfctl -d
pf disabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
64 bytes from 200.176.3.142: icmp_seq=0 ttl=250 time=33.663 ms
64 bytes from 200.176.3.142: icmp_seq=1 ttl=250 time=33.943 ms
--- www.terra.com.br ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 33.663/33.803/33.943/0.140 ms

Question 2) How do I set the correct route to the MPLS network for my clients (10.10.0.0/24)?

# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1): 56 data bytes
64 bytes from 10.100.1.1: icmp_seq=0 ttl=255 time=2.980 ms
64 bytes from 10.100.1.1: icmp_seq=1 ttl=255 time=1.570 ms
--- 10.100.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.570/2.275/2.980/0.705 ms
#

Thanks
Re: [OT] IronPort mail servers
We have been using Ironport for about a year now as our email security appliance. We have roughly 60,000 addresses that we route mail for and take in about 16 million messages a day. We went from a total of 16 systems running just about everything imaginable, including email encryption, to 2 Ironport C650 appliances.

We have been very happy with Ironport up to this point; the boxes are very low maintenance and they have given us the ability to perform some more advanced mail routing functions that were not supported in our old system.

The support and response from Ironport has also been exceptional. They have processed feature requests, and depending on the contract that you have they can provide 24-hour on-site support.

Josh

On Fri, Sep 26, 2008 at 12:50 AM, Chris [EMAIL PROTECTED] wrote:
> I know this is not OpenBSD related but I'm just asking if someone has any first-hand experience with IronPort [1].
>
> My company has decided to move away from its Solaris 8 mail system (sendmail, clamav, mimedefang, relaydelay and god-knows-what-else) - the reason for the move is that the current system is kind of glued together and no one knows how it all works. The people who implemented these have left with no documentation behind.
>
> Anyhow, we have acquired one IronPort for free plus free training. After doing the training it looks like an extremely powerful little box that can do the whole lot: mail, spam, virus checking, LDAP lookup, SPF... everything from a nice GUI and also CLI.
>
> I just wonder if anyone has any first-hand experience with IronPort and would share their experience.
>
> Thanks.
>
> --
> [1] http://en.wikipedia.org/wiki/IronPort

--
Thx
Joshua Gimer
Re: OpenBSD + isakmpd + VPN concentrator 3060
This is interesting. We have suffered from spurious connection losses since we started with OBSD ipsec. Do you have any details on what caused your problem, and why setting DPD-check-interval helped?

> In our environment (we manage OpenBSD tunnels to a Cisco 3030 which is out of our scope) we debugged a strange problem when the connection goes down. The tunnels won't come back after a small link shutdown. The problem was that the Cisco 3030 was doing the DPD check and not the OpenBSD. If it's the case for you too, you should add these lines to /etc/isakmpd/isakmpd.conf:
>
> --- isakmpd.conf ---
> [General]
> DPD-check-interval = 30
> --- isakmpd.conf ---
Odd spamd-white update issues
Good Day,

We have an OpenBSD 4.3 machine that is acting as a firewall for our scanning service and has spamd employed (which we've been using ever since hearing Bob talk about it at BSDCan 2005).

Yesterday though, we had our first issue with it, for some reason about 4pm yesterday all of our entries in the spamd-white table disappeared? I suspected that it may have had something to do with the sync as I had spamd running with the -Y and -y flags, yet there is currently no other host on the network for it to sync with (though a redundant machine is in the works to be deployed very soon).

When we uncovered the issue this morning, I removed the -Y and -y flags and restarted the machine and it is now working correctly again, however I'm a little puzzled as to the source of this problem as I've scoured our log files and do not see any errors or alerts that I can attribute to this situation.

Any suggestions or advice would be greatly appreciated.

Our spamd_flags were as follows (it is currently running without the -Y and -y):

-h 'scanner.netguardsolutions.net' -n 'netGUARD: Mail Protection Service' -G 15:4:864 -Y em0 -y em0 -M 66.159.122.14

Thank you

--
Regards,
Derek Buttineau
Internet Systems Developer
Compu-SOLVE Internet Services
Compu-SOLVE Technologies, Inc
Phone: 705-725-1212 x255
E-Mail: [EMAIL PROTECTED]
How do I add nat to other subnet in pf
I already have NAT configured in pf.conf. It's working well and all my clients are connected to the internet. I need to tell OpenBSD how to route when my clients try to access subnet 10.100.0.0/26. From OpenBSD I can access this network. I think when I add the other NAT rule in pf it's missing something. The NAT rule is commented out and has a mark called MPLS.

I have this:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:25:7f:86:28
        media: Ethernet autoselect (none)
        status: no carrier
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:10:18:16:14:1b
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::210:18ff:fe16:141b%bge0 prefixlen 64 scopeid 0x2
        inet 10.100.1.3 netmask 0xff00 broadcast 255.255.255.192
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:10:18:16:0e:8a
        media: Ethernet autoselect (none)
        status: no carrier
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:5e:63:7e:2e
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.10.100.254 netmask 0x broadcast 10.10.255.255
        inet6 fe80::20a:5eff:fe63:7e2e%xl0 prefixlen 64 scopeid 0x4
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:5e:63:7d:72
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 200.162.41.XX netmask 0xfff8 broadcast 200.162.41.39
        inet6 fe80::20a:5eff:fe63:7d72%xl1 prefixlen 64 scopeid 0x5
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
#

# cat /etc/pf.conf
# external interface (WAN)
ext_if = "xl1"
# internal interface (LAN)
int_if = "xl0"
# MPLS interface
mpls_if = "bge0"
# Default GW
gw = "200.162.41.1"

# Variables
#
# 1 - Redirection for the staging environment
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"

# 2 - Useful variables
lan = "{ 10.10.0.0/16 }"
rede_mpls = "{ 10.100.0.0/26 }"
ip_admin = "{ 10.10.0.135 }"
portas_saida_tcp = "{ 25, 80, 110 }"
portas_saida_udp = "{ 53 }"
portas_entrada_tcp = "{ 22 }"

# options
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

# redirection to the LAN; NAT was needed as well
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
nat on $int_if from any to $ws_ip -> $int_if

#
# NAT
#
# NAT to give the LAN internet access
nat on $ext_if from $lan to !($ext_if) -> $ext_if
#nat on $ext_if from $lan to $rede_mpls -> 10.100.1.1 #MPLS

# block everything in and everything out
block in on $ext_if

# inbound rules
# allow everything in on the internal interface
pass in quick on $int_if proto udp from $lan to $int_if port 53
pass in quick on $int_if from $lan to any keep state

# allow inbound on the external interface
pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state

# outbound rules
antispoof quick for { lo $int_if }
pass out on $int_if keep state

# block all outbound traffic
block out on $ext_if
pass out on $ext_if from $ext_if to any
pass out quick on $ext_if proto tcp from $lan to any port $portas_saida_tcp
# allow full access for the administrators
pass out on $ext_if from $ip_admin to any
#

Dmesg:

# dmesg
OpenBSD 4.3 (CMT) #0: Wed Sep 24 09:52:31 BRT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT
cpu0: Intel(R) Pentium(R) 4 CPU 2.13GHz (GenuineIntel 686-class) 2.13 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem = 1072697344 (1023MB)
avail mem = 1032876032 (985MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/16/05, BIOS32 rev. 0 @ 0xfd5b6, SMBIOS rev. 2.33 @ 0x3ff77000 (46 entries)
bios0: vendor IBM version -[KEE134AUS-1.34]- date 06/16/2005
bios0: IBM CORPORATION -[84824RU]-
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1000 0xcb000/0x9c00 0xd5000/0x2000 0xd7000/0x2000 0xd9000/0x800 0xd9800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82875P Host rev 0x02
Re: making man(1) to open a file
On Thursday, 25 September 2008, Bryan Irvine wrote:
>> Next to the useful suggestions you've received so far, you can try
>>
>> groff -man -Tascii /path/to/manpage.X | less
>
> man -a is easier though.
>
> -B

-a      Display all of the manual pages for a specified section and name
        combination. Normally, only the first manual page found is displayed.

You're sure that's the one?

--
Cezary Morga
A real administrator is always logged in as root - it's CRAP administrators that aren't! (BOFH @theregister.co.uk)
Re: [OT] IronPort mail servers
Joshua Gimer wrote:
We have been using Ironport for about a year now as our email security appliance. We have roughly 60,000 addresses that we route mail for and take in about 16 million messages a day. We went from a total of 16 systems running just about everything imaginable including email encryption, to 2 Ironport C650 appliances. We have been very happy with Ironport up to this point, the boxes are very low maintenance and they have given us the ability to perform some more advanced mail routing functions that were not supported in our old system. The support and response from Ironport has also been exceptional. They have processed feature requests, and depending on the contract that you have they can provide 24-hour on-site support.
Josh

On Fri, Sep 26, 2008 at 12:50 AM, Chris [EMAIL PROTECTED] wrote:
I know this is not OpenBSD related but I'm just asking for if someone has any first-hand experience with IronPort [1]
My company has decided to move away from Solaris 8 mail system (sendmail, clamav, mimedefang, relaydelay and god-knows-what-else) - the reason for the move is that the current system is kind of glued together and no one knows how it all works. People who implemented these have left with no documentation behind.
Anyhow, we have acquired one IronPort for free plus free training. After doing the training it looks like an extremely powerful little box that can do the whole lot: mail, spam, virus checking, LDAP lookup, SPF...everything from a nice GUI and also CLI.
I just wonder if anyone has any first-hand experience with IronPort and would share their experience.
Thanks.
--
[1] http://en.wikipedia.org/wiki/IronPort

I can only second that. I implemented a couple of systems at big customers and they never looked back. Easy to configure, low maintenance, very high catch rate. When customers ask me what to do about spam, my answer is simple: IronPort.
Have fun (doing something else than cleaning up spam messages),
Stijn
Re: how to turn on em for Intel 1000PT quad port NIC
On Fri, Sep 26, 2008 at 11:54 AM, Stuart Henderson [EMAIL PROTECTED] wrote:
On 2008/09/26 11:28, Jorge Medina wrote:
On Fri, Sep 26, 2008 at 10:37 AM, Stuart Henderson [EMAIL PROTECTED] wrote:
Send dmesg.
to the list, not to me personally please. (CC'd).
sorry

Intel PRO/1000 QP (82575GB) rev 0x02 at pci5 dev 0 function 0 not configured
Intel PRO/1000 QP (82575GB) rev 0x02 at pci5 dev 0 function 1 not configured
Intel PRO/1000 QP (82575GB) rev 0x02 at pci6 dev 0 function 0 not configured
Intel PRO/1000 QP (82575GB) rev 0x02 at pci6 dev 0 function 1 not configured

those aren't supported, even in current..
ok, I so hope!

OpenBSD 4.3 (GENERIC) #1368: Wed Mar 12 11:05:31 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3483631616 (3322MB)
avail mem = 3368439808 (3212MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcfb9c000 (55 entries)
bios0: vendor Dell Inc. version 1.2.0 date 04/07/2008
bios0: Dell Inc. PowerEdge R300
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (PEX4)
acpiprt2 at acpi0: bus 10 (PEX6)
acpiprt3 at acpi0: bus 1 (SBE4)
acpiprt4 at acpi0: bus 2 (SBE5)
acpiprt5 at acpi0: bus 13 (COMP)
acpicpu0 at acpi0: C1, FVS, 1867, 1600 MHz
ipmi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Core(TM)2 Duo CPU E6305 @ 1.86GHz, 1866.89 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 2MB 64b/line 8-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x65c0 rev 0x90
ppb0 at pci0 dev 2 function 0 vendor Intel, unknown product 0x65f7 rev 0x90
pci1 at ppb0 bus 3
ppb1 at pci0 dev 3 function 0 vendor Intel, unknown product 0x65e3 rev 0x90
pci2 at ppb1 bus 4
ppb2 at pci0 dev 4 function 0 vendor Intel, unknown product 0x65f8 rev 0x90
pci3 at ppb2 bus 5
ppb3 at pci3 dev 0 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci4 at ppb3 bus 6
ppb4 at pci4 dev 2 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci5 at ppb4 bus 7
Intel PRO/1000 QP (82575GB) rev 0x02 at pci5 dev 0 function 0 not configured
Intel PRO/1000 QP (82575GB) rev 0x02 at pci5 dev 0 function 1 not configured
ppb5 at pci4 dev 4 function 0 vendor IDT, unknown product 0x8018 rev 0x0e
pci6 at ppb5 bus 8
Intel PRO/1000 QP (82575GB) rev 0x02 at pci6 dev 0 function 0 not configured
Intel PRO/1000 QP (82575GB) rev 0x02 at pci6 dev 0 function 1 not configured
ppb6 at pci0 dev 5 function 0 vendor Intel, unknown product 0x65e5 rev 0x90
pci7 at ppb6 bus 9
ppb7 at pci0 dev 6 function 0 vendor Intel, unknown product 0x65f9 rev 0x90
pci8 at ppb7 bus 10
ppb8 at pci0 dev 7 function 0 vendor Intel, unknown product 0x65e7 rev 0x90
pci9 at ppb8 bus 11
pchb1 at pci0 dev 16 function 0 vendor Intel, unknown product 0x65f0 rev 0x90
pchb2 at pci0 dev 16 function 1 vendor Intel, unknown product 0x65f0 rev 0x90
pchb3 at pci0 dev 16 function 2 vendor Intel, unknown product 0x65f0 rev 0x90
pchb4 at pci0 dev 17 function 0 vendor Intel, unknown product 0x65f1 rev 0x90
pchb5 at pci0 dev 19 function 0 vendor Intel, unknown product 0x65f3 rev 0x90
pchb6 at pci0 dev 21 function 0 vendor Intel, unknown product 0x65f5 rev 0x90
pchb7 at pci0 dev 22 function 0 vendor Intel, unknown product 0x65f6 rev 0x90
ppb9 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02
pci10 at ppb9 bus 12
ppb10 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02
pci11 at ppb10 bus 1
bge0 at pci11 dev 0 function 0 Broadcom BCM5722 rev 0x00, BCM5755 C0 (0xa200): irq 15, address 00:1e:4f:3f:21:32
brgphy0 at bge0 phy 1: BCM5722 10/100/1000baseT PHY, rev. 0
ppb11 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02
pci12 at ppb11 bus 2
bge1 at pci12 dev 0 function 0 Broadcom BCM5722 rev 0x00, BCM5755 C0 (0xa200): irq 14, address 00:1e:4f:3f:21:33
brgphy1 at bge1 phy 1: BCM5722 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: irq 10
uhci2 at pci0 dev 29 function 2 Intel 82801I USB rev 0x02: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb12 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92
pci13 at ppb12 bus 13
vga1 at pci13 dev 7 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 Intel 82801IR LPC rev 0x02
pciide0 at pci0 dev 31 function 2 Intel 82801I SATA rev 0x02:
OT: elliptic curve crypto
Dear list members,

I am searching for a tutorial in this regard that explains how to implement it using ANSI C (I don't really care about the math background about this subject). Can someone point me to the URL for a tutorial in this regard?

Thanks a lot for your time and cooperation.
Best regards.
Re: making man(1) to open a file
On 2008-09-26, Cezary Morga [EMAIL PROTECTED] wrote:
On Thursday, 25 September 2008, Bryan Irvine wrote:
Next to the useful suggestions you've received so far, you can try groff -man -Tascii /path/to/manpage.X | less
man -a is easier though.
-B

-a Display all of the manual pages for a specified section and name combination. Normally, only the first manual page found is displayed.

You're sure that's the one?

Given the original problem, I'm in trouble opening net-snmp package's snmpd(8) or snmpd.conf(5) man page, because it conflicts with the base's snmpd's man pages, that's quite appropriate and easy-to-use. Thanks Bryan :)

As you see here, when asking on mailing lists, you'll get more useful answers if you give an explanation of what you want to do, rather than just think of one way to do it and ask how to do that.
Re: OT: elliptic curve crypto
On Fri, Sep 26, 2008 at 4:02 PM, John Nietzsche [EMAIL PROTECTED] wrote:
I am searching for a tutorial in this regard that explains how to implement it using ANSI C (I don't really care about the math background about this subject).

The people who are qualified to do this work generally just do it and provide you with source, instead of encouraging the people who don't care about getting it right to do it. The world is safer this way.
Re: making man(1) to open a file
On Fri, Sep 26, 2008 at 11:43 AM, Cezary Morga [EMAIL PROTECTED] wrote:
On Thursday, 25 September 2008, Bryan Irvine wrote:
Next to the useful suggestions you've received so far, you can try groff -man -Tascii /path/to/manpage.X | less
man -a is easier though.
-B

-a Display all of the manual pages for a specified section and name combination. Normally, only the first manual page found is displayed.

You're sure that's the one?

Yeah that's the one. Instead of halting at the first page it finds (the openbsd native) it then brings you to the next page found once you've scrolled through the first.
-B
Re: OT: elliptic curve crypto
On 26-Sep-08, at 14:43, Ted Unangst [EMAIL PROTECTED] wrote:
On Fri, Sep 26, 2008 at 4:02 PM, John Nietzsche [EMAIL PROTECTED] wrote:
I am searching for a tutorial in this regard that explains how to implement it using ANSI C (I don't really care about the math background about this subject).

The people who are qualified to do this work generally just do it and provide you with source, instead of encouraging the people who don't care about getting it right to do it. The world is safer this way.

Although it makes it harder to get solutions to your university assignments mailed to you courtesy [EMAIL PROTECTED]
Re: making man(1) to open a file
Cezary Morga [EMAIL PROTECTED] writes:
On Thursday, 25 September 2008, Bryan Irvine wrote:
Next to the useful suggestions you've received so far, you can try groff -man -Tascii /path/to/manpage.X | less
man -a is easier though.
-B

-a Display all of the manual pages for a specified section and name combination. Normally, only the first manual page found is displayed.

You're sure that's the one?

--
Cezary Morga
A real administrator is always logged in as root - it's CRAP administrators that aren't! (BOFH @theregister.co.uk)

If the PAGER variable is set to less, you can examine the next manual page with :n, the previous manual page with :p and the first manual page again with :x.

Tested with man -a disklabel:
/usr/share/man/cat8/disklabel.0 (file 1 of 3) (END) - Next: /usr/share/man/cat5/disklabel.0
/usr/share/man/cat5/disklabel.0 (file 2 of 3) (END) - Next: /usr/share/man/cat9/disklabel.0
/usr/share/man/cat9/disklabel.0 (file 3 of 3) (END)

$ uname -srm
OpenBSD 4.3 i386

--
Francois Chambaud
http://www.chambaud.org
relayd: does timeout-directive limits time for SSL-handshake?
Hi,

I have a pretty normal loadbalancing setup (2 relayd-loadbalancer, 2 backend hosts). The loadbalancer accepts ssl-encrypted sessions and forwards them unencrypted to the backend-hosts. Because all the hosts are on the same LAN I set the global timeout-directive to 200ms.

When now connecting from a slow internet-connection to my service, I often receive an SSL accept timeout. After changing the global timeout to 2000ms the problem disappears.

The man page only says timeout limits the time for the checks of the backend-hosts but nothing about the SSL-handshake from clients. Can someone agree or disagree with my guess that timeout also limits the time for the SSL-handshake?

Thanks,
Till
Re: Sendmail issue with sparc/ALOM mails
On Fri, Sep 26, 2008 at 7:43 AM, Stuart Henderson [EMAIL PROTECTED] wrote:
snipped...
Second question... is there any way to set the hostname of the ALOM? ;-)
*shrug* you could try looking in eeprom(8), but I don't know if ALOM has anything to do with that.

According to this (http://forums.sun.com/thread.jspa?threadID=5113585&tstart=0), you cannot.
Intel Atom and D945GCLF2
Is anyone running OpenBSD on one of these boards? The supported platform page does not list either the chipset or the CPU so I'm guessing it is not supported at this time.
Steve
Dell SC440 hangs
I'm running -current from September 9 on a Dell SC440. When I try to do a bulk ports build using dpb, it runs for a couple of hours and hangs. The console screen is blank and doesn't respond to keyboard, but I can still ping the machine. If I try to ssh in, I get a connection but no logon prompt. I've run the Dell hardware tests for what they're worth, and found no errors. Any ideas? Dmesg below.

OpenBSD 4.4-current (GENERIC.MP) #1838: Tue Sep 9 16:35:25 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 521924608 (497MB)
avail mem = 506335232 (482MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0450 (63 entries)
bios0: vendor Dell Inc. version 1.5.0 date 09/04/2007
bios0: Dell Inc. PowerEdge SC440
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET SSDT SSDT SSDT
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI2(S5) PCI3(S5) PCI1(S5) PCI5(S5) PCI6(S5) MOU_(S1) USB0(S1) USB1(S1) USB2(S1) USB3(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz, 1862.26 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 2MB 64b/line 8-way L2 cache
cpu0: apic clock running at 265MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz, 1862.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu1: 2MB 64b/line 8-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 5 (PCI4)
acpiprt1 at acpi0: bus 2 (PCI2)
acpiprt2 at acpi0: bus -1 (PCI3)
acpiprt3 at acpi0: bus 1 (PCI1)
acpiprt4 at acpi0: bus 3 (PCI5)
acpiprt5 at acpi0: bus 4 (PCI6)
acpiprt6 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: FVS, 1867, 1600 MHz
acpicpu1 at acpi0: FVS, 1867, 1600 MHz
acpibtn0 at acpi0: VBTN
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E7230 Host rev 0x00
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0x00: apic 8 int 16 (irq 11)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 8 int 16 (irq 11)
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 8 int 16 (irq 11)
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01: apic 8 int 17 (irq 10)
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5754 rev 0x02, BCM5754/5787 A2 (0xb002): apic 8 int 17 (irq 10), address 00:1e:c9:2e:3f:7d
brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 8 int 21 (irq 9)
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 8 int 22 (irq 5)
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 8 int 18 (irq 3)
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: apic 8 int 23 (irq 10)
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: apic 8 int 21 (irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xe1
pci5 at ppb4 bus 5
vga1 at pci5 dev 7 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: PBDS, CD-ROM DH-48N1P, AD11 ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 8 int 20 (irq 5) for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: SAMSUNG HE160HJ
wd0: 16-sector PIO, LBA48, 152587MB, 31250 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: apic 8 int 17 (irq 10)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM ECC PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
Re: Dell SC440 hangs
On Sep 26, 2008, at 9:16 PM, Steve Shockley wrote:
I'm running -current from September 9 on a Dell SC440. When I try to do a bulk ports build using dpb, it runs for a couple of hours and hangs. The console screen is blank and doesn't respond to keyboard, but I can still ping the machine. If I try to ssh in, I get a connection but no logon prompt. I've run the Dell hardware tests for what they're worth, and found no errors. Any ideas? Dmesg below.

anything in /var/log/messages?
Re: Dell SC440 hangs
On 9/27/2008 12:44 AM, johan beisser wrote:
anything in /var/log/messages?

No, just the usual syslogd: restart followed by syslogd: start and the dmesg. I did notice the log file for gcc 4.2 had a bunch of garbage (^@) at the end, and I think maybe it died on gcc in previous runs as well. I'm re-running the build without gcc now to see if it makes a difference.