Re: Intel D945GCLF2
Patrick Hemmen wrote:

No problem. Here is the output of 'sysctl -a|grep hw'.

hw.machine=i386
hw.model=Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel" 686-class)
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0
hw.diskcount=1
hw.sensors.cpu0.temp0=32.00 degC
hw.sensors.admtm0.temp0=22.00 degC (Internal)
hw.sensors.admtm0.temp1=36.00 degC (External)
hw.sensors.admtm0.temp2=28.00 degC (External)
hw.sensors.admtm0.volt0=2.54 VDC (2.5 V)
hw.sensors.admtm0.volt1=0.00 VDC (Vccp)
hw.sensors.admtm0.volt2=2.44 VDC (3.3 V)
hw.sensors.admtm0.volt3=4.97 VDC (5 V)
hw.sensors.admtm0.volt4=12.12 VDC (12 V)
hw.sensors.admtm0.volt5=3.27 VDC (Vcc)
hw.sensors.admtm0.volt6=1.57 VDC (1.5 V)
hw.sensors.admtm0.volt7=1.78 VDC (1.8 V)
hw.cpuspeed=1613
hw.setperf=100
hw.vendor=Intel Corporation
hw.product=D945GCLF2
hw.uuid=c3d16cf0-8dd7-11dd-b190-00112550a074
hw.physmem=2135662592
hw.usermem=2135646208

Great! Thank you! I'm going to buy one right now from alternate.de

-- Chris
Re: Intel D945GCLF2
Patrick Hemmen wrote:

I use a Morex CUBID CP2600 [1] with a Morex 60W Power Kit. In Germany for approximately 110 Euro. I installed a 2.5" hard drive and pinched off the noisy case fans. Also I bought a new north bridge fan [2]. It could be still quieter, but it's much better than before.

Thanks for your two replies. I've just got one more question. Can you read the temperatures with sysctl? (I'm thinking about a totally fanless design, since this thing would only route (Gbit LAN+DMZ and DSL) and run pf. So temperature monitoring would be nice)

-- Chris
Re: Intel D945GCLF2
Anathae Townsend wrote:

check out http://kerneltrap.org/mailarchive/openbsd-misc/2008/9/30/3457064

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Chris Cohen
Sent: Friday, January 02, 2009 12:41 PM
To: misc@openbsd.org
Subject: Intel D945GCLF2

Has anyone installed openbsd on the Atom board "D945GCLF2"? If so could you post a dmesg and does it run stable?

-- Thanks Chris

thanks! could someone please share what case he is using? I've found several, but they are all either too expensive or for in-car use.

-- Thanks Chris
Re: Intel D945GCLF2
Nenhum_de_Nos wrote:

On Fri, January 2, 2009 17:40, Chris Cohen wrote:

Has anyone installed openbsd on the Atom board "D945GCLF2"? If so could you post a dmesg and does it run stable?

-- Thanks Chris

has anyone seen any atom dual core with two lan ? I'd like a pf router that would be low energy :) Alix is openbsd friend right ? ( 2d3 in this case ) I did like alix but a mini itx with regular vga is better for me :)

http://global.msi.com.tw/index.php?func=proddesc&maincat_no=388&prod_no=1693 ... but it's expensive

-- Chris
Intel D945GCLF2
Has anyone installed openbsd on the Atom board "D945GCLF2"? If so could you post a dmesg and does it run stable? -- Thanks Chris
Re: PF + this live messenger webcam stuff
Chris Cohen wrote:

Hi all, I wanted to stay in touch with a friend that is currently a few thousand kilometers away from home tomorrow using a webcam on my laptop. Sadly he only has Windows Live Messenger and doesn't want to use something else.. I've tried several things now, but couldn't get the webcam to work with msn. (I can see _my_ picture, but he doesn't..) I came across http://openbsd.monkey.org/misc/200302/msg00249.html Is this still true? Or is there any other way to set this up?

O.K. found the solution myself:

- Add the following rdr-rules to pf

rdr on pppoe0 inet proto tcp from any to (pppoe0) port = 5190 -> 10.1.16.11 port 5190
rdr on pppoe0 inet proto tcp from any to (pppoe0) port = 1863 -> 10.1.16.11 port 1863
rdr on pppoe0 inet proto tcp from any to (pppoe0) port 6891:6901 -> 10.1.16.11
rdr on pppoe0 inet proto udp from any to (pppoe0) port = 5190 -> 10.1.16.11 port 5190
rdr on pppoe0 inet proto udp from any to (pppoe0) port = 1863 -> 10.1.16.11 port 1863
rdr on pppoe0 inet proto udp from any to (pppoe0) port 6891:6901 -> 10.1.16.11

- Or install miniupnpd from http://miniupnp.free.fr/

-- Happy New Year Chris
PF + this live messenger webcam stuff
Hi all, I wanted to stay in touch with a friend that is currently a few thousand kilometers away from home tomorrow using a webcam on my laptop. Sadly he only has Windows Live Messenger and doesn't want to use something else.. I've tried several things now, but couldn't get the webcam to work with msn. (I can see _my_ picture, but he doesn't..) I came across http://openbsd.monkey.org/misc/200302/msg00249.html Is this still true? Or is there any other way to set this up?

-- Thank you Chris
Re: bridge and dhcp
On Sunday 03 August 2008 22:36:00 you wrote:
> On Sun, Aug 03, 2008 at 09:43:15PM +0200, Chris Cohen wrote:
> > Paul de Weerd wrote:
> >> On Sun, Aug 03, 2008 at 11:07:42AM +0200, Chris Cohen wrote:
> >> | Hi,
> >> |
> >> | | I have a small openbsd router running in my network.
> >> |
> >> | I have vlan10 (my lan), vlan11 (w-lan) and tun0/1 (openvpn tap
> >> | devices). I bridged them all together on bridge0. Only vlan10 has an
> >> | ip address. (10.1.16.1)
> >> | Now I want dhcpd to assign 10.1.16.0/24 on all four interfaces, but it
> >>
> >> just | does on vlan10. All i get is Can't listen on vlan11/tap0/tap1. It
> >> has no IP | Address.
> >>
> >> | Also.. since all interfaces are bridged, shouldn't requests on vlan11 or
> >>
> >> tun0 | reach vlan10 where dhcpd does listen? They do not...
> >>
> >> You probably want to configure the IP address on the bridge interface
> >> and have dhcpd listen there.
> >
> > $ sudo ifconfig bridge0 10.1.16.100
> > ifconfig: SIOCAIFADDR: Inappropriate ioctl for device
> >
> > If I remember right I asked that a few years ago... the answer was:
> > assign the IP address to one of the bridged interfaces, a bridge is a
> > layer2 device. Isn't this true any longer?
>
> Ugh, I'm an idiot .. bridge != trunk .. I apologize. :)
> Yes, you should configure the IP address on one of the bridge
> interfaces, and then dhcpd *should* listen only on that interface.
>
> Can you tcpdump on some of your interfaces when trying to get a lease
> to see what is going on ?

$ sudo tcpdump -i vlan11
tcpdump: listening on vlan11, link-type EN10MB
07:12:19.643623 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x1a656058 flags:0x8000 [|bootp]
07:12:22.643563 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x1a656058 secs:768 flags:0x8000 [|bootp]
07:12:30.645298 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x1a656058 secs:2816 flags:0x8000 [|bootp]
07:12:44.884417 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x1a656058 secs:6656 flags:0x8000 [|bootp]

$ sudo tcpdump -i bridge0
tcpdump: listening on bridge0, link-type EN10MB
07:13:50.405377 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xbe1ac21c flags:0x8000 [|bootp]
07:13:53.413579 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xbe1ac21c secs:768 flags:0x8000 [|bootp]
07:14:01.404793 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xbe1ac21c secs:2816 flags:0x8000 [|bootp]
07:14:16.407810 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xbe1ac21c secs:6656 flags:0x8000 [|bootp]

$ sudo tcpdump -i vlan10
[all my lan traffic but not bootpc]

If I run dhclient on a pc in vlan10 I get:

$ sudo tcpdump -i vlan10 port bootpc
tcpdump: listening on vlan10, link-type EN10MB
07:20:24.867674 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xe29ba5c [| bootp] [tos 0x10]
07:20:24.868464 10.1.16.1.bootps > 10.1.16.10.bootpc: xid:0xe29ba5c Y:10.1.16.10 S: 10.1.16.1 [|bootp] [tos 0x10]

-- Thank you Chris
Re: bridge and dhcp
Paul de Weerd wrote:

On Sun, Aug 03, 2008 at 11:07:42AM +0200, Chris Cohen wrote:
| Hi,
|
| I have a small openbsd router running in my network.
| I have vlan10 (my lan), vlan11 (w-lan) and tun0/1 (openvpn tap devices).
| I bridged them all together on bridge0. Only vlan10 has an ip address.
| (10.1.16.1)
| Now I want dhcpd to assign 10.1.16.0/24 on all four interfaces, but it just
| does on vlan10. All i get is Can't listen on vlan11/tap0/tap1. It has no IP
| Address.
| Also.. since all interfaces are bridged, shouldn't requests on vlan11 or tun0
| reach vlan10 where dhcpd does listen? They do not...

You probably want to configure the IP address on the bridge interface and have dhcpd listen there.

$ sudo ifconfig bridge0 10.1.16.100
ifconfig: SIOCAIFADDR: Inappropriate ioctl for device

If I remember right I asked that a few years ago... the answer was: assign the IP address to one of the bridged interfaces, a bridge is a layer2 device. Isn't this true any longer?

-- Thanks Chris
bridge and dhcp
Hi,

I have a small openbsd router running in my network. I have vlan10 (my lan), vlan11 (w-lan) and tun0/1 (openvpn tap devices). I bridged them all together on bridge0. Only vlan10 has an ip address. (10.1.16.1)

Now I want dhcpd to assign 10.1.16.0/24 on all four interfaces, but it just does on vlan10. All i get is Can't listen on vlan11/tap0/tap1. It has no IP Address.

Also.. since all interfaces are bridged, shouldn't requests on vlan11 or tun0 reach vlan10 where dhcpd does listen? They do not...

Here is what I have in dhcpd.conf:

shared-network LOCAL-NET {
	option domain-name "example.org";
	option domain-name-servers 10.1.32.2;
	option netbios-name-servers 10.1.16.3;

	subnet 10.1.16.0 netmask 255.255.255.0 {
		option routers 10.1.16.1;
		range 10.1.16.128 10.1.16.254;
	}
}

and in dhcp.interfaces:

vlan10 vlan11 tun0 tun1

is there something special I have to configure?

-- Thank you Chris
Re: Tunnel snmp through ssh
On Sunday 30 March 2008 19:15:40 Stijn wrote:
> check out ssh-based vpn: ssh (1)
>

Thanks. That works for me.

-- Greetings Chris
Tunnel snmp through ssh
Hello list, is it possible to tunnel snmp through ssh? From what I've found on the web openssh can't tunnel udp. Just want to collect snmp data from ~10 hosts all over my network without having snmp listen on a publicly available ip address.

-- Thank you Chris
Re: 4.2-current throughput with pf enabled
On Tuesday 15 January 2008 21:06:51 Chris Cohen wrote:
> On Tuesday 15 January 2008 18:13:15 Chris Cappuccio wrote:
> > Chris Cohen [EMAIL PROTECTED] wrote:
> > > I think my CPU is way too slow to be able to handle the GigE link and
> > > the filter. Aren't there any tweaks for pf.conf/sysctl?
> >
> > Your CPU only gets used for packets that you actually receive. Your
> > performance between a gig card and a 100m card is probably not going to
> > be any different, unless your problem is related to the em driver. It's
> > time to figure out what is fucking up your configuration.
> >
> > Have you tried disabling apm? pcibios? What does your dmesg look like?
>
> No, I haven't. I can try it at the weekend, but since the "problem" only
> appears when I enable pf I am not sure if that will buy me anything?
> Nevertheless will try to disable apm and pcibios this weekend.
>

replying to myself... tried both, but didn't help :( I think I will just upgrade to a new mini-itx system like http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItem&rd=1&item=260202085551&ssPageName=STRK:MEWA:IT&ih=016. Are there any numbers (bps, ~1500byte packets) with this cpu/nic combination?

-- Thanks Chris
Re: 4.2-current throughput with pf enabled
On Tuesday 15 January 2008 18:13:15 Chris Cappuccio wrote:
> Chris Cohen [EMAIL PROTECTED] wrote:
> > I think my CPU is way too slow to be able to handle the GigE link and the
> > filter. Aren't there any tweaks for pf.conf/sysctl?
>
> Your CPU only gets used for packets that you actually receive. Your
> performance between a gig card and a 100m card is probably not going to be
> any different, unless your problem is related to the em driver. It's time
> to figure out what is fucking up your configuration.
>
> Have you tried disabling apm? pcibios? What does your dmesg look like?
>

No, I haven't. I can try it at the weekend, but since the "problem" only appears when I enable pf I am not sure if that will buy me anything? Nevertheless will try to disable apm and pcibios this weekend.

This is the dmesg with a dual fxp card: (by the way, I can only get 9Mbyte/s through the trunkport with trunkproto loadbalance or roundrobin)

OpenBSD 4.2-current (GENERIC) #642: Tue Jan 8 17:06:33 MST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 498 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 268005376 (255MB)
avail mem = 251240448 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/10/99, BIOS32 rev. 0 @ 0xec700, SMBIOS rev. 2.1 @ 0xf15e2 (54 entries)
bios0: vendor Compaq version "686T3" date 02/10/99
bios0: Compaq Deskpro EN Series
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf6f30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xe/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
agp0 at pchb0: aperture at 0x4800, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci0 dev 13 function 0 "S3 Trio64V2/DX" rev 0x14
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x08, i82559: irq 11, address 00:d0:b7:0b:97:6f
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ppb1 at pci0 dev 15 function 0 "DEC 21154 PCI-PCI" rev 0x02
pci2 at ppb1 bus 2
fxp1 at pci2 dev 4 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, address 00:50:8b:95:a4:d2
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 0
fxp2 at pci2 dev 5 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, address 00:50:8b:95:a4:d3
inphy2 at fxp2 phy 1: i82555 10/100 PHY, rev. 0
piixpcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 976MB, 2000880 sectors
wd0(pciide0:0:0): using PIO mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 20 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC133CL2
spdmem1 at iic0 addr 0x51: 128MB SDRAM non-parity PC133CL3
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0:
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0:
pcppi0 at isa0 port 0x61
midi2 at pcppi0:
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
biomask ff45 netmask ff45 ttymask ffc7
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

-- Thanks Chris
Re: Sendmail smarthost
On Saturday 12 January 2008 17:18:32 Joshua Gimer wrote:
> Are you attempting to force local mail out to a "smart host"?
>
> If so you can make this change in your submit.cf; Change the following:
>
> D{MTAHost}[127.0.0.1]
> to
> D{MTAHost}[Address of Smart Host]
>

Thank you, that does exactly what I wanted to do!

-- Greetings Chris
Re: Sendmail smarthost [Solved]
Someone privately gave me the tip to just forward mails to the address I want them to be delivered to by my smarthost. That does it for me.

-- Greetings Chris
Re: Sendmail smarthost
On Saturday 12 January 2008 16:21:29 Vijay Sankar wrote:
> On January 12, 2008 07:51:24 am Chris Cohen wrote:
> > Hi again,
> >
> > just wanted to configure 4.2's sendmail to use my smarthost to send
> > status mails. I went to /usr/share/sendmail, edited cf/openbsd-localhost
> > and cd/submit and created the cf files by typing m4 m4/cf.m4
> > cf/openbsd-localhost.m4 > localhost.cf according
> > to /usr/share/sendmail/README.
> >
> > Now I have this in my /etc/mail/localhost.cf and submit.cf:
> > # "Smart" relay host (may be null)
> > DSmysmarthost.example.com
> >
> > I also pkill -HUP'ed sendmail but mails just don't pass my smarthost,
> > they are just delivered locally and I can't find anything special in my
> > maillog.
> >
> > Is there anything else I have to do?
>
> Probably a silly question, but did you copy the localhost.cf to /etc/mail?
>

Yes, I did :) What I forgot to mention: Mails for localhost and myhostname are delivered locally, mails for other domains do pass my smarthost.

-- Greetings Chris
Sendmail smarthost
Hi again,

just wanted to configure 4.2's sendmail to use my smarthost to send status mails. I went to /usr/share/sendmail, edited cf/openbsd-localhost and cd/submit and created the cf files by typing m4 m4/cf.m4 cf/openbsd-localhost.m4 > localhost.cf according to /usr/share/sendmail/README.

Now I have this in my /etc/mail/localhost.cf and submit.cf:

# "Smart" relay host (may be null)
DSmysmarthost.example.com

I also pkill -HUP'ed sendmail but mails just don't pass my smarthost, they are just delivered locally and I can't find anything special in my maillog.

Is there anything else I have to do?

-- Greetings Chris
Re: 4.2-current throughput with pf enabled
On Saturday 12 January 2008 03:44:48 scott wrote:
> I use both fxp and em NICs and have great throughput. You may want to
> check the full-half duplex settings/agreements -- configured and
> actual-operation -- with the pf box AND EACH adjacent device.
> Disagreements can provoke a lot of re-sends.
>

Did that, all fine :)

> Also, with the slower link, you may want to try implementing queuing so
> that --at a minimum-- the tos lowlatency packets are prioritized over
> the bulk large packet traffic. Queue is assigned on the PASS OUT
> rule(s).
>
> Something like...
>
> ---pf.conf frag---
> altq on priq bandwidth 640Kb queue { Q1, Q7 }
> queue Q7 priority 7
> queue Q1 priority 1 priq(default)
> #
> #...
> #
> pass out on ... queue(Q1, Q7)
> #

Thank you scott, I already set up queuing fC
Re: 4.2-current throughput with pf enabled
On Friday 11 January 2008 18:36:54 scott wrote:
> re-test and post with in your ruleset
>
> pass in quick on fxp0 inet from any to any keep state
> pass out quick on $ext_if inet from any to any keep state
>

Did that, didn't change anything. Maybe I should add some details: I generated the traffic by simply dding from /dev/zero from one machine in my lan to a machine in my dmz (but i got almost the same results with ftp/http). They are in two different vlans which are both attached to em0. fxp0 is the interface to my adsl modem.

-- Thanks Chris
4.2-current throughput with pf enabled
Hi,

I just upgraded my home firewall/router from 4.1 to a current snapshot from 9th January. I also changed the NIC which is connected to my core switch from fxp to em and upgraded the memory from 128Mb to 256Mb.

With PF disabled I can route about 40Mbyte/s (sorry, don't have pps but the traffic should mostly be large packets) and the system still responds very well. (To get some numbers I just pinged the machine...):

PING 10.1.0.254 (10.1.0.254) 56(84) bytes of data.
64 bytes from 10.1.0.254: icmp_seq=1 ttl=255 time=2.39 ms
64 bytes from 10.1.0.254: icmp_seq=2 ttl=255 time=0.078 ms
64 bytes from 10.1.0.254: icmp_seq=3 ttl=255 time=0.077 ms
64 bytes from 10.1.0.254: icmp_seq=4 ttl=255 time=0.258 ms
64 bytes from 10.1.0.254: icmp_seq=5 ttl=255 time=1.63 ms
64 bytes from 10.1.0.254: icmp_seq=6 ttl=255 time=2.03 ms
64 bytes from 10.1.0.254: icmp_seq=7 ttl=255 time=1.87 ms
64 bytes from 10.1.0.254: icmp_seq=8 ttl=255 time=0.954 ms
64 bytes from 10.1.0.254: icmp_seq=9 ttl=255 time=2.65 ms
64 bytes from 10.1.0.254: icmp_seq=10 ttl=255 time=0.315 ms
--- 10.1.0.254 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9007ms
rtt min/avg/max/mdev = 0.077/1.228/2.657/0.955 ms

With pf enabled and a very short ruleset (see pf.conf below) the system doesn't respond to many of the dns queries (bind9 is also enabled on this system) and the throughput is decreased to about 10Mbyte/s with the same kind of traffic as above. See my stupid pingtest:

PING 10.1.0.254 56(84) bytes of data.
64 bytes from 10.1.0.254: icmp_seq=2 ttl=255 time=5.39 ms
64 bytes from 10.1.0.254: icmp_seq=3 ttl=255 time=0.206 ms
64 bytes from 10.1.0.254: icmp_seq=4 ttl=255 time=9.87 ms
64 bytes from 10.1.0.254: icmp_seq=5 ttl=255 time=1.35 ms
64 bytes from 10.1.0.254: icmp_seq=6 ttl=255 time=10.1 ms
64 bytes from 10.1.0.254: icmp_seq=7 ttl=255 time=1.47 ms
64 bytes from 10.1.0.254: icmp_seq=8 ttl=255 time=11.1 ms
64 bytes from 10.1.0.254: icmp_seq=9 ttl=255 time=11.8 ms
64 bytes from 10.1.0.254: icmp_seq=10 ttl=255 time=12.1 ms
64 bytes from 10.1.0.254: icmp_seq=11 ttl=255 time=11.7 ms
64 bytes from 10.1.0.254: icmp_seq=12 ttl=255 time=12.7 ms
64 bytes from 10.1.0.254: icmp_seq=13 ttl=255 time=11.3 ms
64 bytes from 10.1.0.254: icmp_seq=14 ttl=255 time=14.0 ms
64 bytes from 10.1.0.254: icmp_seq=15 ttl=255 time=12.2 ms
64 bytes from 10.1.0.254: icmp_seq=16 ttl=255 time=11.7 ms
64 bytes from 10.1.0.254: icmp_seq=17 ttl=255 time=14.7 ms
64 bytes from 10.1.0.254: icmp_seq=18 ttl=255 time=11.1 ms
64 bytes from 10.1.0.254: icmp_seq=19 ttl=255 time=3.01 ms
--- 10.1.0.254 ping statistics ---
19 packets transmitted, 18 received, 5% packet loss, time 18026ms
rtt min/avg/max/mdev = 0.206/9.239/14.713/4.549 ms

With openbsd 4.1 and an fxp NIC instead of the em one the system was able to handle full 12Mbyte/s with a pretty complex pf.conf (more than 200 lines). The system is an old Compaq Deskpro EN with a P3/500 and 256Mb of ram.

pf.conf (already played with scrub, skip and pass with no success...)
-
ext_if="pppoe0"
set skip on lo
set skip on em0
#scrub in
scrub out on pppoe0 max-mss 1440 no-df random-id fragment reassemble
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on fxp0 from any to 10.1.0.253 -> 10.1.0.254
rdr pass on vlan10 proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
#block in on pppoe0
#pass out

Is there anything I can tune in pf? Should I provide a dmesg?

-- Thanks Chris
Re: Queuing for my homelan (which scheduler to use?)
On Tuesday 13 November 2007 19:08:27 Calomel wrote:
> Chris,
>
> It looks like you have quite a few questions.

Yep.

> The obsd list will not write your firewall for you,

Of course not.

> but this should get you
> started in the right direction.
>
> Hierarchical Fair Service Curve (HFSC) of OpenBSD
> http://calomel.org/pf_hfsc.html

Thanks, will read that tomorrow.

-- Greetings Chris
Queuing for my homelan (which scheduler to use?)
Hi all,

sadly I can't get more than ADSL3000 (3072kbit dl/384kbit ul) at home therefore I want to use queues on my 4.2 gateway. I separated my lan into clients (10.1.0.0/24), wlan (10.1.16.0/24), servers (10.1.3.0/24) and some other, but they don't need internet access...

I read http://www.openbsd.org/faq/pf/queueing.html and want to separate traffic by:

client_in (downloads originated by my own clients)
client_out (uploads originated by my own clients)
wlan_in (downloads originated by my and some others laptops)
wlan_out (uploads originated by my and some others laptops)
server_in (downloads originated by my servers)
server_out (upload originated by my servers)
icmp_out (don't disturb my pings...)
mail_out (large mails sent by my mailrelay in the servers subnet shouldn't disturb eg. the one hit my website receives a day ;) )
ssh_out (...)
tcp_ack_out (...)

I think the protocol specific queues should have a higher priority than the subnet specific ones. (?) What would be the "best" way to achieve this? I am not sure which scheduler I should use in which combinations of priority and bandwidth. Any tips are really appreciated.

-- Greetings Chris
Re: 4.2 and compactflash
On Wednesday 26 September 2007 21:17:00 Chris Kuethe wrote:
> On 9/26/07, Chris Cohen <[EMAIL PROTECTED]> wrote:
> > Question is: do I still need to mount / ro on current cf cards or do they
> > have enough write cycles?
>
> Go ahead and mount rw. I've put a couple of terabytes through a 256M
> card with iogen, and it's doing fine. The wear-leveling mechanisms on
> the cards work quite well, and I've had cards in production for years
> with no ill effect.
>

Thank you Chris ;) and the guys who replied off-list.

-- Greetings Chris
4.2 and compactflash
Hi, maybe this is a bit off-topic, but: I'm planning to upgrade my firewall box which is running 4.1-STABLE on a 512Mb Kingston compactflash card to 4.2 on a 1-2gb (also Kingston) cf card. Currently I have / mounted ro and /var and /etc on an mfs which can be tricky... Question is: do I still need to mount / ro on current cf cards or do they have enough write cycles? The box doesn't run anything but pf, named and ntpd. -- Thanks Chris
Re: kernel pppoe issues
On Friday 03 August 2007 10:10:35 you wrote:
> Hi,
>
> I've got some trouble with in-kernel pppoe and adsl.
>
> From time to time the connection just "hangs up":
>
> # grep pppoe /var/log/messages
> [...]
> Jul 26 09:41:21 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 26 10:34:51 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 26 10:34:57 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:07 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:17 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:28 dslgw /bsd: pppoe0: pap failure
> Jul 27 11:05:27 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 28 03:09:01 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 29 14:35:39 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 29 15:01:20 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:33:53 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:43:23 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:46:33 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 08:01:34 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 18:23:16 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 10:34:30 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 11:04:20 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 14:31:21 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 1 10:31:56 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 1 11:09:36 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 2 09:45:42 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 2 10:13:02 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 2 10:13:07 dslgw /bsd: pppoe0: pap failure
> Aug 3 07:31:15 dslgw /bsd: pppoe0: pap failure
> Aug 3 07:31:25 dslgw /bsd: pppoe0: pap failure
> Aug 3 07:31:35 dslgw /bsd: pppoe0: pap failure
> Aug 3 09:34:08 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 3 09:34:13 dslgw /bsd: pppoe0: pap failure
> Aug 3 09:50:08 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 3 09:50:28 dslgw /bsd: pppoe0: pap failure
> Aug 3 09:50:38 dslgw /bsd: pppoe0: pap failure
>
> /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp0 authproto pap
> authname "@t-online.de" authkey up
> !/sbin/route add default 0.0.0.1
>
> /etc/hostname.fxp0
> up
>
> fxp0 is connected to my providers stupid (no webinterface) dsl-modem. The
> modems diode shows that there still is a connection to my providers dslam.
> Would really like to provide a dmesg but the pppoe messages flooded away
> the boot messages.
>
> So the question is, is this a provider issue or is it hardware/openbsd
> related?
>

replying to myself again... turned out that it was (and still is) a provider issue.

-- Greetings Chris
Re: kernel pppoe issues
On Friday 03 August 2007 10:38, you wrote:
> Hi Chris,
>
> * Chris Cohen wrote/schrieb:
> > Would really like to provide a dmesg but the pppoe messages flooded away
> > the boot messages.
>
> I can't really answer your question, but you can find the boot dmesg
> in /var/run/dmesg.boot

Nope, It's also full of pppoe errors and uid 0 on /dev: out of inodes (which happened because I did something wrong with my cf-card and mfs, but that is fixed now...).

>
> Good luck,

Thanks
Re: kernel pppoe issues
Sorry, I'm Running 4.1 (-STABLE from 1. March) on i386.

On Friday 03 August 2007 10:10, Chris Cohen wrote:
> Hi,
>
> I've got some trouble with in-kernel pppoe and adsl.
>
> From time to time the connection just "hangs up":
>
> # grep pppoe /var/log/messages
> [...]
> Jul 26 09:41:21 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 26 10:34:51 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 26 10:34:57 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:07 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:17 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:28 dslgw /bsd: pppoe0: pap failure
> Jul 27 11:05:27 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 28 03:09:01 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 29 14:35:39 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 29 15:01:20 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:33:53 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:43:23 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:46:33 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 08:01:34 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 18:23:16 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 10:34:30 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 11:04:20 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 14:31:21 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 1 10:31:56 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 1 11:09:36 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 2 09:45:42 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 2 10:13:02 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 2 10:13:07 dslgw /bsd: pppoe0: pap failure
> Aug 3 07:31:15 dslgw /bsd: pppoe0: pap failure
> Aug 3 07:31:25 dslgw /bsd: pppoe0: pap failure
> Aug 3 07:31:35 dslgw /bsd: pppoe0: pap failure
> Aug 3 09:34:08 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 3 09:34:13 dslgw /bsd: pppoe0: pap failure
> Aug 3 09:50:08 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug 3 09:50:28 dslgw /bsd: pppoe0: pap failure
> Aug 3 09:50:38 dslgw /bsd: pppoe0: pap failure
>
> /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp0 authproto pap
> authname "@t-online.de" authkey up
> !/sbin/route add default 0.0.0.1
>
> /etc/hostname.fxp0
> up
>
> fxp0 is connected to my providers stupid (no webinterface) dsl-modem. The
> modems diode shows that there still is a connection to my providers dslam.
> Would really like to provide a dmesg but the pppoe messages flooded away
> the boot messages.
>
> So the question is, is this a provider issue or is it hardware/openbsd
> related?
>
> --
> thanks
> Chris
kernel pppoe issues
Hi,

I've got some trouble with in-kernel pppoe and adsl.

From time to time the connection just "hangs up":

# grep pppoe /var/log/messages
[...]
Jul 26 09:41:21 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 26 10:34:51 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 26 10:34:57 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:07 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:17 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:28 dslgw /bsd: pppoe0: pap failure
Jul 27 11:05:27 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 28 03:09:01 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 29 14:35:39 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 29 15:01:20 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 07:33:53 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 07:43:23 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 07:46:33 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 08:01:34 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 18:23:16 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 31 10:34:30 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 31 11:04:20 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 31 14:31:21 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 1 10:31:56 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 1 11:09:36 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 2 09:45:42 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 2 10:13:02 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 2 10:13:07 dslgw /bsd: pppoe0: pap failure
Aug 3 07:31:15 dslgw /bsd: pppoe0: pap failure
Aug 3 07:31:25 dslgw /bsd: pppoe0: pap failure
Aug 3 07:31:35 dslgw /bsd: pppoe0: pap failure
Aug 3 09:34:08 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 3 09:34:13 dslgw /bsd: pppoe0: pap failure
Aug 3 09:50:08 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug 3 09:50:28 dslgw /bsd: pppoe0: pap failure
Aug 3 09:50:38 dslgw /bsd: pppoe0: pap failure

/etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp0 authproto pap authname "@t-online.de" authkey up
!/sbin/route add default 0.0.0.1

/etc/hostname.fxp0
up

fxp0 is connected to my providers stupid (no webinterface) dsl-modem. The modems diode shows that there still is a connection to my providers dslam. Would really like to provide a dmesg but the pppoe messages flooded away the boot messages.

So the question is, is this a provider issue or is it hardware/openbsd related?

-- thanks Chris
Re: ftp-proxy fxp transfers
On Sunday 01 July 2007 19:58, Camiel Dobbelaar wrote:
> On Sun, 1 Jul 2007, Chris Cohen wrote:
> > according to http://www.openbsd.org/faq/pf/ftp.html I've set up ftp-proxy
> > and changed my pf.conf. A client on the extern interface of the firewall
> > can upload files, use passive and active mode. But fxp transfers (server
> > to server) don't work. My ftpserver (vsftpd) on the host behind the
> > firewall doesn't tell me anything but:
> > Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD:
> > Client "10.1.3.1", "/home/chris/README.MIRRORING-US", 0.00Kbyte/sec
> > Doesn't ftp-proxy support fxp transfers in reverse mode?
>
> No, this entry in the manpage CAVEAT section applies:
>
> The negotiated IP address for active modes is ignored for security
> reasons. This makes third party file transfers impossible.
>
> I do have plans to make ftp-proxy optionally allow negotiated IP
> addresses, but I'm a bit busy at the moment, so don't hold your breath.
>

I read the manpage but as it seems a bit too fast...

Is there a workaround (without ftp-proxy)? If I just rdr the ports I will run into trouble with passive mode I think as I'm doing nat.

--
Greetings
Chris
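The caveat quoted in the message above, modelled as an added example (not part of the thread and not ftp-proxy's own code): the IP address negotiated in an active-mode PORT command is discarded and the control connection's peer is used instead, so a server-to-server (FXP) request ends up pointing back at the client and the transfer fails. The function names, the min_port check and the sample addresses are assumptions of this sketch.

```python
import ipaddress

def parse_port_arg(arg):
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    n = [int(f) for f in fields]
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(n[:4]))
    return ip, n[4] * 256 + n[5]

def data_target(control_peer, port_arg, min_port=1024):
    """Decide where the active-mode data connection goes.

    Models the policy quoted from the man page: the negotiated IP is
    ignored and the control connection's peer address is used instead.
    min_port is an assumption of this sketch (refuse privileged ports).
    Returns (ip, port, third_party); third_party is True when the client
    named an address other than its own (FXP or a bounce attempt).
    """
    negotiated_ip, port = parse_port_arg(port_arg)
    if port < min_port:
        raise ValueError("refusing data port %d" % port)
    peer = ipaddress.IPv4Address(control_peer)
    return str(peer), port, negotiated_ip != peer

# Constructed sample input: the client sits at 192.0.2.10 on the control channel.
CLIENT = "192.0.2.10"
NORMAL = "192,0,2,10,195,80"    # client names itself, port 195*256+80
FXP = "198,51,100,7,195,80"     # client names a second server (third party)

if __name__ == "__main__":
    for arg in (NORMAL, FXP):
        print(arg, "->", data_target(CLIENT, arg))
```

In both cases the data connection targets the control peer; for the FXP request nothing is listening there on behalf of the second server, which matches the "425 Failed to establish connection" seen in the thread.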
Re: ftp-proxy fxp transfers
On Sunday 01 July 2007 18:14, Chris Cohen wrote:
> Hi,
>
> according to http://www.openbsd.org/faq/pf/ftp.html I've set up ftp-proxy
> and changed my pf.conf. A client on the extern interface of the firewall
> can upload files, use passive and active mode. But fxp transfers (server to
> server) don't work. My ftpserver (vsftpd) on the host behind the firewall
> doesn't tell me anything but:
> Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD:
> Client "10.1.3.1", "/home/chris/README.MIRRORING-US", 0.00Kbyte/sec
> Doesn't ftp-proxy support fxp transfers in reverse mode?
> Or do I need to not keep state/set flags in pf.conf?

One thing I should add: the file is created but with zero size. The only note the client gets is:

425 Failed to establish connection.
Transfer Failed!

--
Greetings
Chris
ftp-proxy fxp transfers
Hi,

according to http://www.openbsd.org/faq/pf/ftp.html I've set up ftp-proxy and changed my pf.conf. A client on the extern interface of the firewall can upload files, use passive and active mode. But fxp transfers (server to server) don't work. My ftpserver (vsftpd) on the host behind the firewall doesn't tell me anything but:

Sun Jul 1 18:11:27 2007 [pid 3929] [chris] FAIL UPLOAD: Client "10.1.3.1", "/home/chris/README.MIRRORING-US", 0.00Kbyte/sec

Doesn't ftp-proxy support fxp transfers in reverse mode? Or do I need to not keep state/set flags in pf.conf?

--
Greetings
Chris
Re: ssh and sudo, password not hidden
On Saturday 30 June 2007 19:31, Tom Van Looy wrote:
> Hi
>
> Today I used sudo as command to ssh and it echoed my sudo password.
>
> [EMAIL PROTECTED] ~]
> $ ssh soekris sudo pfctl -s state
> [EMAIL PROTECTED]'s password:
> Password:secret_in_echo
>
> [EMAIL PROTECTED] ~]
> $
>
> I don't see anything about this in the manpage so I think this not
> expected behaviour. Normally I ssh from an Ubuntu box to the firewall,
> but to be sure, I ssh-ed to localhost on the openbsd box and I got the
> same result. What's wrong?

Add -t to your ssh command:

     -t      Force pseudo-tty allocation.  This can be used to execute
             arbitrary screen-based programs on a remote machine, which can
             be very useful, e.g. when implementing menu services.  Multiple
             -t options force tty allocation, even if ssh has no local tty.

--
Greetings
Chris
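What -t changes on the remote side, as an added example that is not part of the original thread: a password prompt hides typing by clearing the ECHO flag on its terminal, which is only possible when a terminal exists. The function names are hypothetical; the pipe stands in for the session without a tty and the pty for the session started with -t.

```python
import os
import pty
import termios

def echo_enabled(fd):
    """Return the state of the ECHO flag, or None when fd is not a terminal."""
    try:
        attrs = termios.tcgetattr(fd)
    except termios.error:
        return None
    return bool(attrs[3] & termios.ECHO)   # attrs[3] holds the local-mode flags

def disable_echo(fd):
    """Clear ECHO as a password prompt does before reading input.

    Returns False when fd is not a terminal, i.e. there is nothing to configure.
    """
    try:
        attrs = termios.tcgetattr(fd)
    except termios.error:
        return False
    attrs[3] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return True

def demo():
    """Return (echo before, disable succeeded, echo after) for both cases."""
    results = {}

    # "ssh host command": the remote command's stdin is not a tty.
    r, w = os.pipe()
    results["pipe"] = (echo_enabled(r), disable_echo(r), echo_enabled(r))
    os.close(r)
    os.close(w)

    # "ssh -t host command": the remote command runs on a pseudo-tty.
    master, slave = pty.openpty()
    results["pty"] = (echo_enabled(slave), disable_echo(slave), echo_enabled(slave))
    os.close(master)
    os.close(slave)
    return results

if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```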