Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw

2008-03-05 Thread Владислав Недосекин
We are using FreeBSD as GateWay with PF.
And the problem is that some web-sites as Gmail.com or Msn.com are
unavailable from machines with Vista or Server 2008 installed.
If use external or internal proxy (Kerio WinRoute, which also goes through
the same FreeBSD gw) they are opening correctly.
Also in 6.1 version were problems with skype from such machines.
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


swap_pager: indefinite wait buffer

2008-03-05 Thread Michael Grant
My server just literally was brought to its knees with this message
spewing on the console:

swap_pager: indefinite wait buffer: bufobj: 0, blkno: 1203133, size: 4096

(blkno and size were varying)

Some searching says that this is or was a bug.  Has this been fixed
yet?  If so, what should I upgrade to?  I'm currently running 6.3

Michael Grant


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Vadim Goncharov
Hi Mark Andrews! 

On Wed, 05 Mar 2008 00:07:56 +1100; Mark Andrews wrote about 'Re: INET6 
required for SCTP in 7.0?':

>>>> I'm not interested in enabling support for IPv6 for now.
>>>>
>>>> When I remove INET6 from the kernel configuration, I cannot compile the
>>>> kernel without disabling SCTP. With fresh 7.0-STABLE source, here's the
>>>> error output (INET6 disabled, but SCTP enabled):
>>> Yes, INET6 is (currently) required if you enable SCTP.
>> 
>> Will it be fixed? Any time soon?
>   It would be better to remove the option all together.  IPv6
>   is no longer a protocol under development.  There is no
>   need to make it optional any more.  Having it there really
>   sends the wrong signal.

I strongly disagree. I want to keep my machines without IPv6 as long as
possible due to protocol (not implementation) architectural bugs.

-- 
WBR, Vadim Goncharov. ICQ#166852181   mailto:[EMAIL PROTECTED]
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]



Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Robert Watson


On Tue, 4 Mar 2008, Vadim Goncharov wrote:

> On Mon, 03 Mar 2008 16:50:33 -0800; Xin LI wrote about 'Re: INET6 required
> for SCTP in 7.0?':
>
>>> I'm not interested in enabling support for IPv6 for now.
>>>
>>> When I remove INET6 from the kernel configuration, I cannot compile the
>>> kernel without disabling SCTP. With fresh 7.0-STABLE source, here's the
>>> error output (INET6 disabled, but SCTP enabled):
>>
>> Yes, INET6 is (currently) required if you enable SCTP.
>
> Will it be fixed? Any time soon?


It's considered a bug, and hopefully it will be fixed by the SCTP maintainers 
soon.  However, they've been fairly busy with another project so I'm not sure 
there's a specific timeline.  I would like to see it fixed by 7.1.


Robert N M Watson
Computer Laboratory
University of Cambridge


Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw

2008-03-05 Thread Jeremy Chadwick
On Wed, Mar 05, 2008 at 10:49:09AM +0200, Владислав Недосекин wrote:
> We are using FreeBSD as GateWay with PF.
> And the problem is that some web-sites as Gmail.com or Msn.com are
> unavailable from machines with Vista or Server 2008 installed.
> If use external or internal proxy (Kerio WinRoute, which also goes through
> the same FreeBSD gw) they are opening correctly.
> Also in 6.1 version were problems with skype from such machines.

I doubt people will be able to help you without some hard details
provided.  Not that anyone is denying the problem exists, but there's no
details that are helpful in your report.

I'm willing to bet your pf rules are incorrect/broken; is NAT involved?
You could also try turning off RFC1323 extensions, which has helped
some people in the past:

sysctl net.inet.tcp.rfc1323=0

To disable RFC1323 extensions permanently, put this in /etc/rc.conf:

tcp_extensions="no"

-- 
| Jeremy Chadwick   jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



kernel backup on 7.0

2008-03-05 Thread James López (BLuEGoD)


Hello,

I have FreeBSD 7.0 on my server but due to troubles with sendfile (I
don't know why, but when I run a configure script checking for that
function it shows a "segmentation fault" and I can't make my web server
run well), also because of some accidentally I will reinstall freebsd.

So I would like to know if I can make some kind of backup to the kernel
because it was modified and recompiled, so perhaps if I backup the boot
files wouldn't need to compile it again... How can I do that? Is it
possible? It's a matter of time.. I will have a short time to do the
reinstall :S
Thanks!

- --
~ ___  _ ___  ___   ___ _ _  ___
~ | . >| |  _ _ | __>/  _> ___ | . \   | \ | ___|_ _|
~ | . \| |_| | || _> |<_/\/ . \| | | _ |   |/ ._>| |
~ |___/|___|___||___>/\___/|___/<_>|_\_|\___.|_|
~ -- BLuEGoD (James López) [EMAIL PROTECTED] ---
~ -- Public Key: Search 'BLuEGoD' on www.keyserver.net
~ --- WwW.BLuEGoD.NeT 




Mapping stat(1) device number/name to partition?

2008-03-05 Thread Rick van der Zwet
Hi all,

I am looking for a way to detect the file system a certain file lives
and next whether this file system is mounted/accessible as writable. [1]

As stat(1) is helping me out to find out the proper device name/number
of a certain file with the command `stat -f "%d" /etc/motd`, but next
will be the mapping from this device number (st_dev) to the proper
partition/mount point.

Which handy shell utility program will help me doing this?

Or even better what are the proper search terms to find this answer, as
my attempts on the mailing archives, man pages and Google were not
very successful

Thanks a lot!
/Rick

[1] Part of getting rid of the annoying motd update failure message,
when /etc is not writable. I know setting update_motd=NO in
/etc/rc.conf will do the trick as well, but I would like to see him
detecting it auto-magically ;-)


Re: swap_pager: indefinite wait buffer

2008-03-05 Thread Ruben van Staveren


On 5 Mar 2008, at 10:06, Michael Grant wrote:


> My server just literally was brought to its knees with this message
> spewing on the console:
>
> swap_pager: indefinite wait buffer: bufobj: 0, blkno: 1203133, size: 4096
>
> (blkno and size were varying)
>
> Some searching says that this is or was a bug.  Has this been fixed
> yet?  If so, what should I upgrade to?  I'm currently running 6.3


You may consider partition backed swap instead of file backed swap if  
that is the case.







- Ruben





Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw

2008-03-05 Thread Dennis Melentyev
Hello Vladislav,

2008/3/5, Владислав Недосекин <[EMAIL PROTECTED]>:
> We are using FreeBSD as GateWay with PF.
>  And the problem is that some web-sites as Gmail.com or Msn.com are
>  unavailable from machines with Vista or Server 2008 installed.
>  If use external or internal proxy (Kerio WinRoute, which also goes through
>  the same FreeBSD gw) they are opening correctly.
>  Also in 6.1 version were problems with skype from such machines.

As Jeremy stated, it's too little facts to analyse.
What does tcpdump show, what are the PF rules, proxy settings,
authentication, etc.

Just wild guess: is it IPv6 running on MS stations?

PS. You might have more help from Russian/Ukrainian speaking UAFUG maillist.
See http://uafug.org.ua for details.

-- 
Dennis Melentyev

Re: Mapping stat(1) device number/name to partition?

2008-03-05 Thread Rink Springer
Hi,

On Wed, Mar 05, 2008 at 11:07:28AM +0100, Rick van der Zwet wrote:
> Which handy shell utility program will help me doing this?

I think you can use statfs(2) to look up the f_fsid, this should be
equal to the st_dev, judging from the code in kern/vfs_syscalls.c.
There doesn't appear to be a shell utility to statfs(2), but you may
be able to hack something up in perl or similar.

Regards,
-- 
Rink P.W. Springer- http://rink.nu
"Anyway boys, this is America. Just because you get more votes doesn't
 mean you win." - Fox Mulder
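The mapping asked about in this thread, as an added example that is not part of any poster's message: it walks up the directory tree until st_dev changes to find the mount point, then reads the mount flags with statvfs(3). It compares st_dev values directly rather than calling statfs(2) for f_fsid, and the function names are assumptions made for this example.

```python
"""Map a file to its mount point via st_dev and report whether the
file system is mounted read-only."""
import os
import sys


def mount_point(path):
    """Return the topmost directory that shares st_dev with `path`.

    A mount point is where st_dev differs between a directory and its
    parent. Mounts that reuse the same device number as their parent
    (for example some loopback or bind-style mounts) cannot be told
    apart this way and are reported as part of the parent file system.
    """
    path = os.path.realpath(path)
    dev = os.stat(path).st_dev
    while True:
        parent = os.path.dirname(path)
        if parent == path:
            # Reached the root directory; it is always a mount point.
            return path
        if os.stat(parent).st_dev != dev:
            # The parent lives on another file system, so `path` is
            # the root of the file system we started on.
            return path
        path = parent


def is_read_only(path):
    """True if the file system holding `path` is mounted read-only."""
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def describe(path):
    """Collect the facts an rc-style script would need before writing."""
    return {
        "path": os.path.realpath(path),
        "st_dev": os.stat(path).st_dev,
        "mount_point": mount_point(path),
        "read_only": is_read_only(path),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    info = describe(target)
    state = "read-only" if info["read_only"] else "read-write"
    print(f"{info['path']}: device {info['st_dev']}, "
          f"mounted at {info['mount_point']} ({state})")
```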


Re: 7.0-Release and 3ware 9550SXU w/BBU - horrible write performance

2008-03-05 Thread Erik Stian Tefre

alan bryan wrote:

> I've got a new server with a 3ware 9550SXU with the
> Battery.  I am using FreeBSD 7.0-Release (tried both
> 4BSD and ULE) using AMD64 and the 3ware performance
> for writes is just plain horrible.  Something is
> obviously wrong but I'm not sure what.
>
> Any ideas?  Anybody have one of these that's working
> with FreeBSD 7?


Check your controller firmware version. Last time I checked, the current 
"stable" firmware release was 3.08.00.016.


dmesg | grep Firmware
twa0: INFO: (0x15: 0x1300): Controller details:: Model 9550SX-8LP, 8 ports, Firmware FE9X 3.08.00.016, BIOS BE9X 3.08.00.004


Results from bonnie++ with default settings on my box (7.0-RELEASE, 
amd64, 480 MB system memory, BBU, write cache enabled, 7 drive raid-5, 
storsave = balance, NCQ on):


Version 1.93d       --Sequential Output--         --Sequential Input- --Random-
Concurrency   1     -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
                 1G   275  83 72440  23 24990   6   644  83 76548  15 460.6   6
Latency             47041us     522ms     559ms     139ms     300ms     116ms
Version 1.93d       --Sequential Create--         Random Create
xxx                 -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16  5212  12 +++++ +++ 27581  45  8454  20 +++++ +++ +++++ +++
Latency              1147ms     371us    3529us     197ms   15397us     703us


--
Erik


Re: Mapping stat(1) device number/name to partition?

2008-03-05 Thread Jeremy Chadwick
On Wed, Mar 05, 2008 at 11:07:28AM +0100, Rick van der Zwet wrote:
> Hi all,
> 
> I am looking for a way to detect the file system a certain file lives
> and next whether this file system is mounted/accessible as writable. [1]
> 
> As stat(1) is helping me out to find out the proper device name/number
> of a certain file with the command `stat -f "%d" /etc/motd`, but next
> will be the mapping from this device number (st_dev) to the proper
> partition/mount point.
> 
> Which handy shell utility program will help me doing this?

fstat(1) sounds like it might be of help here.  If you're writing a C
program for this, the source code is in src/usr.bin/fstat.

> [1] Part of getting rid of the annoying motd update failure message,
> when /etc is not writable. I know setting update_motd=NO in
> /etc/rc.conf will do the trick as well, but I would like to see him
> detecting it auto-magically ;-)

I haven't seen the "auto-updating motd" feature of FreeBSD since the 3.x
days.  Are you referring to the "annoyance" where during mergemaster(1),
you can nuke your /etc/motd?  If so, try IGNORE_MOTD=yes in
/etc/mergemaster.rc.

-- 
| Jeremy Chadwick   jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Odd file in /lost+found after softupdate inconsistency in fsck

2008-03-05 Thread Tod McQuillin

Hi all,

My server froze up tonight after a 2 month uptime running 6.3-PRERELEASE 
from Dec 28 2007.


I had to fsck /home by hand because of an inconsistency fsck couldn't 
repair automatically -- something to do with an unexpected softupdate 
inconsistency.


After that, I ended up with some files in /home/lost+found, one of which 
is quite interesting:


/home/lost+found# ls -lksh
total 24432
24432 -r  1 root  operator40G Mar  5 20:12 #005

It is 40G in size but only occupies 24432k on disk, so it is a sparse 
file.  I'm not aware of any sparse files of quite that size on my system 
(or relative sparseness) but it's possible I might overlook one.


But the thing that's interesting to me is the inode number (inode 5) and 
the fact that rm doesn't want me to remove it:


/home/lost+found# rm \#005
override r  root/operator snapshot for #005? n

Is there a magic "snapshot" flag on the file?  Have I somehow damaged my 
ufs2+softupdates filesystem by losing its inode #5 containing snapshot 
data?


Any insights appreciated,
--
Tod McQuillin


Re: kernel backup on 7.0

2008-03-05 Thread Ivan Voras
James López (BLuEGoD) wrote:
> Hello,
> 
> I have FreeBSD 7.0 on my server but due to troubles with sendfile (I
> don't know why, but when I run a configure script checking for that
> function it shows a "segmentation fault" and I can't make my web server
> run well), also because of some accidentally I will reinstall freebsd.
> 
> So I would like to know if I can make some kind of backup to the kernel
> because it was modified and recompiled, so perhaps if I backup the boot
> files wouldn't need to compile it again... How can I do that? Is it
> possible? It's a matter of time.. I will have a short time to do the
> reinstall :S

If I understand you correctly, you're asking if you can have a "backup
kernel" when you build a new one?

Yes, and it's the default behaviour. Every time you do a "make
installkernel" (it's integrated into "make kernel"), the old kernel gets
saved in /boot/kernel.old with all its modules. In addition to that, you
can have an arbitrary number of different kernels in the root/boot file
system. To switch between the kernels, escape to loader prompt on the
boot menu, type "help" to see available commands (you'll probably use
"unload", "load" and "boot", in this order).






Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Andy Dills
On Wed, 5 Mar 2008, Mark Andrews wrote:

>   It would be better to remove the option all together.  IPv6
>   is no longer a protocol under development.  There is no
>   need to make it optional any more.  Having it there really
>   sends the wrong signal.

With all due respect, let's face a couple of facts.

IPv4 is going to be the primary protocol for several years to come. There
are a few critical reasons, and few people like to point out just how
naked the emperor is:

- Providing IPv6 currently (and for the foreseeable future) provides no
return on investment (ROI). Service Providers can't make more money with
IPv6, businesses do not get any sort of competitive or perceived advantage
from deploying IPv6, and end users certainly don't want to deal with it.

- To route IPv6 with the same features and packet forwarding rate as with 
IPv4, nearly every network will be forced to purchase expensive router 
upgrades with no other real benefit beyond IPv6 connectivity (which again 
provides no ROI to justify the capex). Nobody is going to do forklift 
upgrades just for IPv6, but as routers get normally upgraded IPv6 
functionality will indeed slowly expand.

- IPv6 provides almost no technological upgrades beyond additional address
space. DHCP addressed the auto configuration feature, VPNs addressed
IPsec.

- IPv4 address spaces will eventually transition to a market commodity
model, providing a financial incentive that will encourage significant   
optimization and provide motive for providers to audit their allocations,
and for businesses to part with IP space that they no longer properly 
utilize. The cost of acquiring IPv4 space will be less than the cost of
upgrading to IPv6.

Therefore, given a lack of ROI or sufficient technological motivation, and
given the significant potential for optimization of existing IPv4 space   
both via technology and financial incentive, I see a minimum of five years
before IPv6 is common. 

In the meantime, I'd like to only enable IPv6 on IPv6 enabled networks.

Andy
   

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---


Re: 7.0-Release and 3ware 9550SXU w/BBU - horrible write performance

2008-03-05 Thread Ivan Voras
Erik Stian Tefre wrote:

> Results from bonnie++ with default settings on my box (7.0-RELEASE,
> amd64, 480 MB system memory, BBU, write cache enabled, 7 drive raid-5,
> storsave = balance, NCQ on):
> 
> Version 1.93d       --Sequential Output--         --Sequential Input- --Random-
> Concurrency   1     -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
> Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
>                  1G   275  83 72440  23 24990   6   644  83 76548  15 460.6   6

Was the array busy when you did the test? 72-76 MB/s is very slow for
a 7-drive array in RAID-5. FreeBSD's disk IO can be sluggish but I doubt
it would get that slow. On a RAID10 array with 6 drives I can get ~~ 200
MB/s in both directions (though on a different controller). RAID5 is
basically striped so your setup should on average yield close to 6 times
the single drive performance, something in the area of 350 MB/s.







Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Pete French
O.K., have snipped all the above IPv4 stuff, which actually seems quite
reasonable (though appears to forget about STF), but this line...

> In the meantime, I'd like to only enable IPv6 on IPv6 enabled networks.

...I fail to see how not wanting to enable it leads to you wanting
to remove it from the kernel entirely ? That is the bit I don't understand
about all of this discussion. There's probably hundreds of bits in the kernel
you haven't enabled and don't use, why specifically do you want an option
to take IPV6 out ?

I am genuinely puzzled - why isn't "ipv6_enabled="NO" sufficient ? That's
what I do on IPv4 networks and it works fine for me.

-pete.


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Andy Dills
On Wed, 5 Mar 2008, Pete French wrote:

> O.K., have snipped all the above IPv4 stuff, which actually seems quite
> reasonable (though appears to forget about STF), but this line...
> 
> > In the meantime, I'd like to only enable IPv6 on IPv6 enabled networks.
> 
> ...I fail to see how not wanting to enable it leads to you wanting
> to remove it from the kernel entirely ? That is the bit I don't understand
> about all of this discussion. There's probably hundreds of bits in the kernel
> you haven't enabled and don't use, why specifically do you want an option
> to take IPV6 out ?
> 
> I am genuinely puzzled - why isn't "ipv6_enabled="NO" sufficient ? That's
> what I do on IPv4 networks and it works fine for me.

That's actually a good point. I've had a hard time shedding my "trim 
everything I don't use out of the kernel" mentality over the years.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---


Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw

2008-03-05 Thread Dennis Melentyev
Hi!

Well, I'm not a PF professional, and you have rather advanced setup.
So, someone with good PF experience is needed here.

2008/3/5, Владислав Недосекин <[EMAIL PROTECTED]>:
> Hi, i understand that there is too little facts to analyze, but maybe some
> one have the same problem and also i can provide you information.
> TCP dump 192.168.200.11 - ip of PC with vista
>  # tcpdump | grep 192.168.200.11
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>  listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
> ^C^C^C^C3 packets captured
>  433 packets received by filter
> 0 packets dropped by kernel
> # tcpdump | grep 192.168.200.111
>  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
...
> 13:51:47.676471 arp who-has 192.168.200.200 (00:1d:60:ce:74:e8 (oui
> Unknown)) tell 192.168.200.111

What's that?
...


> PF.CONF
>
...

> #   Block Policy
> block in log all
> block in log quick from no-route to any
> block in log quick on $ext_if from 
>  block return-icmp out log quick on $ext_if to 
> antispoof quick for $int_if
> antispoof quick for $ext_if
> block out from 192.168.0.146 to any

Does log shows anything interesting? I mean dropped packets.

What about SQUID's log? Some special auth? Client's insisting on
HTTP/1.1? Some glitches with transparent proxying (if I get it right
from your PF config)?

> i've tried
>  sysctl net.inet.tcp.rfc1323=0
> but it doesn't help.
>
> And about ip6 it is disabled, but in enabled state it doesn't help.

Dropped by PF?

-- 
Dennis Melentyev

Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw

2008-03-05 Thread Matthew Seaman

Dennis Melentyev wrote:
> Hi!
> 
> Well, I'm not a PF professional, and you have rather advanced setup.
> So, someone with good PF experience is needed here.
> 
> 2008/3/5, Владислав Недосекин <[EMAIL PROTECTED]>:
>> Hi, i understand that there is too little facts to analyze, but maybe some
>> one have the same problem and also i can provide you information.
>> TCP dump 192.168.200.11 - ip of PC with vista
>>  # tcpdump | grep 192.168.200.11
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>  listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
>> ^C^C^C^C3 packets captured
>>  433 packets received by filter
>> 0 packets dropped by kernel
>> # tcpdump | grep 192.168.200.111
>>  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
> ...
>> 13:51:47.676471 arp who-has 192.168.200.200 (00:1d:60:ce:74:e8 (oui
>> Unknown)) tell 192.168.200.111
> 
> What's that?
> ...
> 
> 
>> PF.CONF
>>
> ...
> 
>> #   Block Policy
>> block in log all
>> block in log quick from no-route to any
>> block in log quick on $ext_if from 
>>  block return-icmp out log quick on $ext_if to 
>> antispoof quick for $int_if
>> antispoof quick for $ext_if
>> block out from 192.168.0.146 to any
> 
> Does log shows anything interesting? I mean dropped packets.
> 
> What about SQUID's log? Some special auth? Client's insisting on
> HTTP/1.1? Some glitches with transparent proxying (if I get it right
> from your PF config)?
> 
>> i've tried
>>  sysctl net.inet.tcp.rfc1323=0
>> but it doesn't help.
>>
>> And about ip6 it is disabled, but in enabled state it doesn't help.
> 
> Dropped by PF?
> 

A very good trick when debugging pf rulesets is to make sure that any
block rules also log the blocked packets -- in this case that should
include the antispoofing rules "antispoof log quick for { $int_if $ext_if }"

Then you can use tcpdump on the firewall against the pflog0 pseudo interface
to see what traffic is being blocked as it happens:

   # tcpdump -vv -i pflog0 

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.   Flat 3
  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
  Kent, CT11 9PW, UK
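One way to apply the logging advice above before reloading a ruleset, as an added example that is not part of the original thread: it flags block and antispoof rules that have no log keyword, so their drops would never reach pflog0. The sample ruleset is constructed from the rules quoted in the thread, with em0, em1 and the <blocked> table as placeholders, and it assumes one rule per line.

```python
"""Flag pf block/antispoof rules that drop traffic without logging it."""

# Constructed sample based on the rules quoted in the thread. The interface
# names and the <blocked> table are placeholders, not values from the thread.
SAMPLE_PF_CONF = """\
ext_if = "em0"
int_if = "em1"
block in log all
block in log quick from no-route to any
block return-icmp out log quick on $ext_if to <blocked>
antispoof quick for $int_if
antispoof quick for $ext_if
block out from 192.168.0.146 to any
pass out on $ext_if keep state
"""

# In pf's grammar the optional "log" sits right after the action and the
# direction; once one of these keywords appears, the log slot has passed.
AFTER_LOG_SLOT = {"quick", "on", "for", "from", "to", "all",
                  "inet", "inet6", "proto"}


def rule_tokens(line):
    """Split one pf.conf line into tokens, ignoring a trailing comment."""
    return line.split("#", 1)[0].split()


def has_log(tokens):
    """True if the rule carries "log" (or "log(...)") in the log slot."""
    for tok in tokens[1:]:
        if tok == "log" or tok.startswith("log("):
            return True
        if tok in AFTER_LOG_SLOT:
            return False
    return False


def rules_without_log(pf_conf_text):
    """Return (line number, rule) for every drop rule that does not log."""
    findings = []
    for lineno, line in enumerate(pf_conf_text.splitlines(), 1):
        tokens = rule_tokens(line)
        if not tokens or tokens[0] not in ("block", "antispoof"):
            continue
        if not has_log(tokens):
            findings.append((lineno, " ".join(tokens)))
    return findings


def add_log(rule):
    """Insert "log" after the action, return option and direction."""
    tokens = rule.split()
    i = 1
    while i < len(tokens) and (tokens[i] in ("drop", "return", "in", "out")
                               or tokens[i].startswith("return-")):
        i += 1
    return " ".join(tokens[:i] + ["log"] + tokens[i:])


if __name__ == "__main__":
    for lineno, rule in rules_without_log(SAMPLE_PF_CONF):
        print(f"line {lineno}: {rule}")
        print(f"  suggest: {add_log(rule)}")
```

With every drop rule logging, the `tcpdump -vv -i pflog0` session described above shows which rule discarded a given packet.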


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Mark Andrews

> On Wed, 5 Mar 2008, Mark Andrews wrote:
> 
> > It would be better to remove the option all together.  IPv6
> > is no longer a protocol under development.  There is no
> > need to make it optional any more.  Having it there really
> > sends the wrong signal.
> 
> With all due respect, let's face a couple of facts.
> 
> IPv4 is going to be the primary protocol for several years to come. There
> are a few critical reasons, and few people like to point out just how
> naked the emperor is:
> 
> - Providing IPv6 currently (and for the foreseeable future) provides no
> return on investment (ROI). Service Providers can't make more money with
> IPv6, businesses do not get any sort of competitive or perceived advantage
> from deploying IPv6, and end users certainly don't want to deal with it.
 
Service providers get paid to push IP packets.  They shouldn't
care which protocol version is in the header.  What they
should be worried about is ensuring that they are here in
4 years time.

It actually takes time to fill in the missing pieces and
the only way to find the missing pieces is to bring up IPv6
networks.

Most end users won't even know that they are running IPv6
connections.  I had to look at netstat to see which protocol
was being chosen on my father's box.  I'm sure he had zero
knowledge that he was using IPv6 (6-to-4).

An IPv6 network really is as easy if not easier to run than
an IPv4 network.

> - To route IPv6 with the same features and packet forwarding rate as with 
> IPv4, nearly every network will be forced to purchase expensive router 
> upgrades with no other real benefit beyond IPv6 connectivity (which again 
> provides no ROI to justify the capex). Nobody is going to do forklift 
> upgrades just for IPv6, but as routers get normally upgraded IPv6 
> functionality will indeed slowly expand.

And the same argument was put out 6 years ago.  The backbone
really has gone dual stack while you weren't paying attention.

What's needed now is the SOHO CPE equipment sold to the non
Asian market to catch up.
 
> - IPv6 provides almost no technological upgrades beyond additional address
> space. DHCP addressed the auto configuration feature, VPNs addressed
> IPsec.

That extra address space really is a big advantage.  It
really is so much better to be able to get to machines you
need to without have to manually setup application relays
because you couldn't get enough address space to be able
to globally address everything want to.
 
> - IPv4 address spaces will eventually transition to a market commodity
> model, providing a financial incentive that will encourage significant   
> optimization and provide motive for providers to audit their allocations,
> and for businesses to part with IP space that they no longer properly 
> utilize. The cost of acquiring IPv4 space will be less than the cost of
> upgrading to IPv6.
>
> Therefore, given a lack of ROI or sufficient technological motivation, and
> given the significant potential for optimization of existing IPv4 space   
> both via technology and financial incentive, I see a minimum of five years
> before IPv6 is common. 
> 
> In the meantime, I'd like to only enable IPv6 on IPv6 enabled networks.

So make the network IPv6 enabled.  Both my home network and
the office networks have been IPv6 enabled for years now.
My ISP doesn't support IPv6 yet though I know they have
IPv6 netblocks for themselves now if not for the customers
at this stage.

There is a reasonable chance that this mail will leave here
over IPv6 for some of the recipients.  It will almost
certainly travel over IPv6 for at least one hop.

Mark
 
> Andy
>
> 
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Vadim Goncharov
Hi Andy Dills! 

On Wed, 5 Mar 2008 08:40:20 -0500 (EST); Andy Dills wrote about 'Re: INET6 
required for SCTP in 7.0?':

>> O.K., have snipped all the above IPv4 stuff, which actually seems quite
>> reasonable (though appears to forget about STF), but this line...
>> 
>>> In the meantime, I'd like to only enable IPv6 on IPv6 enabled networks.
>> 
>> ...I fail to see how not wanting to enable it leads to you wanting
>> to remove it from the kernel entirely ? That is the bit I don't understand
>> about all of this discussion. There's probably hundreds of bits in the kernel
>> you haven't enabled and don't use, why specifically do you want an option
>> to take IPV6 out ?
>> 
>> I am genuinely puzzled - why isn't "ipv6_enabled="NO" sufficient ? That's
>> what I do on IPv4 networks and it works fine for me.
> That's actually a good point. I've had a hard time shedding my "trim 
> everything I don't use out of the kernel" mentality over the years.

Makes it harder to debug, etc. Don't want to see anything IPv6 related in
command output, to let programs to bind on IPv6 addresses, etc.

-- 
WBR, Vadim Goncharov. ICQ#166852181   mailto:[EMAIL PROTECTED]
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]



Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Ruben van Staveren


On 5 Mar 2008, at 15:32, Mark Andrews wrote:

>> - IPv6 provides almost no technological upgrades beyond additional address
>> space. DHCP addressed the auto configuration feature, VPNs addressed
>> IPsec.
>
> That extra address space really is a big advantage.  It
> really is so much better to be able to get to machines you
> need to without have to manually setup application relays
> because you couldn't get enough address space to be able
> to globally address everything want to.


Please see http://www.youtube.com/watch?v=_y36fG2Oba0

This song exactly explains why you should care about IPv6 :)

I don't get this "anti IPv6" behaviour. If people are not willing to
adopt it, it will not get tested which in turn will make other people
hesitate to jump on the bandwagon. Having it compiled in your system
does not cause harm if you don't configure it and for everything else
there are traffic filters. Just like IPv4.


- Ruben




Re: 7.0-Release and 3ware 9550SXU w/BBU - horrible write performance

2008-03-05 Thread Erik Stian Tefre

Ivan Voras wrote:
> Erik Stian Tefre wrote:
>
>> Results from bonnie++ with default settings on my box (7.0-RELEASE,
>> amd64, 480 MB system memory, BBU, write cache enabled, 7 drive raid-5,
>> storsave = balance, NCQ on):
>>
>> Version 1.93d   --Sequential Output-- --Sequential Input- --Random-
>> Concurrency   1 -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
>> Machine Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
>>  1G   275  83 72440  23 24990   6   644  83 76548  15 460.6   6
>
> Was the array busy when you did the test? 72-76 MB/s is very slow for
> a 7-drive array in RAID-5. FreeBSD's disk IO can be sluggish but I doubt
> it would get that slow. On a RAID10 array with 6 drives I can get ~~ 200
> MB/s in both directions (though on a different controller). RAID5 is
> basically striped so your setup should on average yield close to 6 times
> the single drive performance, something in the area of 350 MB/s.


It was completely idle. Changing vfs.read_max to 80 triples the 
sequential read performance, see bonnie++ output below (run on the same 
box, nothing changed except vfs.read_max). I tried setting it to 256 as 
recommended by 3ware, but 80 seems to be the sweet spot.
3ware performance tips for FreeBSD: 
http://www.3ware.com/KB/article.aspx?id=14852


I have measured similar write performance on 2 other servers with the 
same controller model and the same number of disks.


By the way, the newer 9650SE controllers seem to be a lot faster, I 
remember getting around 350 MB/s of sequential reads/writes from an idle 
16 drive raid-6 array. (Sorry, I have no idle 9650SE to run bonnie++ on 
at the moment.)


bonnie++ with vfs_max=80:
Version 1.93d   --Sequential Output-- --Sequential Input- --Random-
Concurrency   1 -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
 1G   285  83 88193  28 26858   6   690  89 218642  59 406.5   5
Latency 44353us 557ms 542ms   90795us 209ms 361ms
Version 1.93d   --Sequential Create-- Random Create
xxx -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
  files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP /sec %CP
 16  8204  19 + +++ 22163  36  9925  25 + +++ + +++
Latency   585ms 571us 3844us 257ms   24015us 768us


--
Erik


Re: 7.0-Release and 3ware 9550SXU w/BBU - horrible write performance

2008-03-05 Thread Ivan Voras
Erik Stian Tefre wrote:

> It was completely idle. Changing vfs.read_max to 80 triples the
> sequential read performance, see bonnie++ output below (run on the same
> box, nothing changed except vfs.read_max).

It might be that 3ware is specially pessimized by FreeBSD chopping IO
into 64K blocks. But vfs.read_max doesn't change that so it's maybe not it.

> bonnie++ with vfs_max=80:
> Version 1.93d   --Sequential Output-- --Sequential Input- --Random-
> Concurrency   1 -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
> Machine Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
>  1G   285  83 88193  28 26858   6   690  89 218642  59 406.5   5
> Latency 44353us 557ms 542ms   90795us 209ms 361ms
> Version 1.93d   --Sequential Create-- Random Create
> xxx -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
>   files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP /sec %CP
>  16  8204  19 + +++ 22163  36  9925  25 + +++ + +++
> Latency   585ms 571us 3844us 257ms   24015us 768us


Are these numbers typical for 3ware's controllers? I still think
something's bad about your setup, see the following performance results
on a 3-drive RAID5 on Dell PERC5:

Version 1.93d   --Sequential Output-- --Sequential Input- --Random-
Concurrency   1 -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP /sec %CP
x.xxx.xx  4000M   298  99 92319  25 30729  13   440  88 121370  25 533.1  29
Latency 28140us 711ms 430ms 528ms   74013us 225ms
Version 1.93d   --Sequential Create-- Random Create
x.xxx.xx -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
  files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP /sec %CP
 30 18782  85 50106  99 45405  99 16481  58 60185  99 49638  99
Latency   259ms   21091us 130us   27529us  50us 75us

I consider this ok, since (for the simple case of READing) the 3-drive
RAID5 array has the performance of a 2-drive striped array.

Your CPU usage is quite high (59% on sequential block input, if I'm
reading it correctly) - are you limited by your CPU?







Re: INET6 -- and why I don't use it

2008-03-05 Thread Jeremy Chadwick
On Wed, Mar 05, 2008 at 03:00:29PM +, Vadim Goncharov wrote:
> Makes it harder to debug, etc. Don't want to see anything IPv6 related in
> command output, to let programs to bind on IPv6 addresses, etc.

Changing the Subject (but keeping the thread ID reference), since the
original topic of discussion has now been skewed.

I have the same attitude Vadim does.  Actually, most of my IPv6 fear
isn't so much fear as much as it is annoyance and confusion.  Here's
my list of things, as trivial as they may sound (and I guarantee they
will):

* I'm not familiar with the intricacies of the protocol.  This is
partially my own fault (lack of interest mainly, combined with lack of
need), while I am very familiar with IPv4.

* The last I read about IPv6 in mainstream news, there were major
concerns cited over some of the security aspects of the protocol.  I
also remember reading somewhere that IPv6 was supposed to address issues
like packet spoofing and DoS -- what became of this?

* I have never liked how IPv6 denotes its addresses by using colon-
delimited hexadecimal strings.  I can expand on this if asked, but it's
more than just "they're MAC-like" (which is also true, even though
they're grouped by 16-bit values and not octets).  Reading off an IPv4
address over the phone is bad enough, and typos are even worse.  IPv6?
Good grief.

* Consumer ISPs here in the States do not "pass packets" -- you aren't
given a raw pipe; you're given a physical transport with IPv4 service.
The reality here is that the vast majority will not embrace IPv6 until
there's an actual market/need for it.  No consumer ISP I know of
delegates a customer an IPv6 IP address or netblock.  Backbone providers
support IPv6 now, yup -- and even some peering providers and
datacenter/co-location facilities do.  But they're all in the minority.

* The "we're running out of address space" argument doesn't hold
much ground with me.  Yes, it's getting tight, but it's not THAT tight.
ARIN very regularly returns large amounts of IPv4 space to the world for
use (I used to be subscribed to NANOG, so I'm aware of this).  Want to
do something useful?  Start campaigns to get General Electric and MIT to
give up huge portions of 3/8 and 18/8, respectively.  This is ARIN's
job, and I sure wouldn't want it.

* NAT with IPv4 appears to be "solving" most of the address space issues
in this day and age.  I use quotes because it adds extra complexities
at the same time (port forwarding, for example, is an annoying
requirement, mainly because so many protocols were written during the
days when NAT didn't exist, or are simply badly-written protocols (I'm
looking at you, Microsoft)).  Only once in my life have I seen a single
network so large that it required use of 192.168/16, 172.16/12, and 10/8
all at once.  Another fact is that NAT is **incredibly** integrated in
consumer society now.  The attitude given is "NAT suffices, use it".
Until we can teach people "no, it doesn't suffice, and here's why" and
get people to believe and accept that, it isn't going to change.

* None of my employers (sans my current, Microsoft) have ever bothered
implementing IPv6 on their networks.  What this means for me: I have no
personal *nor professional* reason to advocate or learn about IPv6.
Microsoft, on the other hand, is taking initiative.  But it's been
anything but smooth; the amount of breakage it's caused so far is...
shall I say, very disappointing.  That doesn't mean "IPv6 sucks", but it
does mean "integrating IPv6 into a production network appears to be
painful".  Hence, more animosity towards it by those who don't
understand it.

And last but not least:

* I don't like incorporating "stuff" into my kernel, my utilities, or
my systems in general which I do not use.  I don't want to see an IPv6
address on my machines or my network.  Why?  It's about minimalism.  I
would gladly "embrace" IPv6 if I had reasons to, but I've none,
therefore I do not.

Sufficient?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: FreeBSD 7.9-stable: weird messages in /var/log/messages?

2008-03-05 Thread Torfinn Ingolfsen
On Tue, 04 Mar 2008 20:52:23 +0100
Kris Kennaway <[EMAIL PROTECTED]> wrote:

> It is reporting large variations in the rate of your time clock (see 
> kern_tc.c).

Aha, I see. Thanks for explaining that.

> Also, you appear to be emailing from the distant future.  Please
> reply with stock tips :)

distant future, even? :-)
The two things share a common symptom; the nic on that particular
machine is a ral(4) one, and I am having connectivity problems
(connections from other machines to this particular machine drops).
That's why I booted the machine with verbose messages, and got those
messages in the first place.
It looks like network connectivity going away without the network
interface going down / up has confused ntpd, I had to restart it just
now.
-- 
Regards,
Torfinn Ingolfsen



Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw

2008-03-05 Thread Mike Tancsa

At 03:49 AM 3/5/2008, Владислав Недосекин wrote:

> We are using FreeBSD as GateWay with PF.
> And the problem is that some web-sites as Gmail.com or Msn.com are
> unavailable from machines with Vista or Server 2008 installed.
> If use external or internal proxy (Kerio WinRoute, which also goes through
> the same FreeBSD gw) they are opening correctly.
> Also in 6.1 version were problems with skype from such machines.

It's hard to say without seeing your pf rules.  But I seem to recall
issues with Vista where pf rules did not have keep state enabled.


---Mike 




Re: Usb problems on 7.0 RELEASE

2008-03-05 Thread Paul Schmehl
--On Wednesday, March 05, 2008 18:09:16 +1100 Peter Jeremy <[EMAIL PROTECTED]> wrote:

> On Tue, Mar 04, 2008 at 09:16:25PM -0600, Paul Schmehl wrote:
>
>> Earlier I reported usb problems on this list.  Since then I have recompiled
>> the kernel and world three times, each time including the latest changes in
>> src.
>
> Just to humour me, can you try using a UP kernel and see if the problem
> still occurs.  I have bumped into problems with umass on my son's SMP
> laptop which don't show up on my UP laptop.

Hmmm... I might be willing to try that toward the end of the week.  Since this
is my main workstation, I hesitate to take it offline during the week.  (Just
in case something goes horribly wrong.)


--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: FreeBSD 7.9-stable: weird messages in /var/log/messages?

2008-03-05 Thread Michael Proto


Torfinn Ingolfsen wrote:
> On Tue, 04 Mar 2008 20:52:23 +0100
> Kris Kennaway <[EMAIL PROTECTED]> wrote:
> 
>> It is reporting large variations in the rate of your time clock (see 
>> kern_tc.c).
> 
> Aha, I see. Thanks for explaining that.
> 
>> Also, you appear to be emailing from the distant future.  Please
>> reply with stock tips :)
> 
> distant future, even? :-)
> The two things share a common symptom; the nic on that particular
> machine is a ral(4) one, and I am having connectivity problems
> (connections from other machines to this particular machine drops).
> That's why I booted the machine with verbose messages, and got those
> messages in the first place.
> It looks like network connectivity going away without the network
> interface going down / up has confused ntpd, I had to restart it just
> now.

I've noticed this with ntpd myself in various scenarios, mainly when
using MPD (via a ng_pppoe tunnel) and the tunnel drops-out from
underneath ntpd. Normally when this happens I see two instances of ntpd
running instead of one, and it doesn't respond to a normal kill signal.
I've written the following quick-hack script to restart it (running
every 5 minutes from cron):

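#!/bin/sh -e

# Pull in the rc.conf settings (ntpd_enable, ntpd_program, ntpd_flags).
for conf in /etc/defaults/rc.conf /etc/rc.conf /etc/rc.conf.local; do
  [ -f "$conf" ] && . "$conf"
done

if [ "$ntpd_enable" = "YES" ]; then
  # Count running ntpd processes that match the configured command line.
  PROGNUM=`ps xww | grep "$ntpd_program .* $ntpd_flags" | grep -v grep | wc -l`
  if [ "$PROGNUM" -gt 1 ]; then
    # "|| true" keeps "sh -e" from aborting before the restart when stop
    # fails or killall finds nothing left to kill.
    /etc/rc.d/ntpd stop || true
    sleep 10; killall -9 ntpd || true
    /etc/rc.d/ntpd start
  fi
fi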



-Proto


Re: swap_pager: indefinite wait buffer

2008-03-05 Thread Michael Grant
On Wed, Mar 5, 2008 at 11:08 AM, Ruben van Staveren <[EMAIL PROTECTED]> wrote:
>  On 5 Mar 2008, at 10:06, Michael Grant wrote:
>
>  > My server just literally was brought to its knees with this message
>  > spewing on the console:
>  >
>  > swap_pager: indefinite wait buffer: bufobj: 0, blkno: 1203133, size:
>  > 4096
>  >
>  > (blkno and size were varying)
>  >
>  > Some searching says that this is or was a bug.  Has this been fixed
>  > yet?  If so, what should I upgrade to?  I'm currently running 6.3
>
>  You may consider partition backed swap instead of file backed swap if
>  that is the case.

Hmm, I can't easily do that, I didn't leave any empty partitions
around as I never considered swapping to a file to be so bad.

Is swapping to a file so bad under normal conditions?

Does this mean that this bug is still not fixed in 7.0?

Is there any way to do anything akin to Partition Magic on ufs to
shrink the fs?  (not sure if it's ufs1 or ufs2, mount reports it as
'ufs').

Michael Grant


Re: Odd file in /lost+found after softupdate inconsistency in fsck

2008-03-05 Thread Peter Jeremy
On Wed, Mar 05, 2008 at 09:43:15PM +0900, Tod McQuillin wrote:
>/home/lost+found# ls -lksh
>total 24432
>24432 -r  1 root  operator40G Mar  5 20:12 #005
>
>It is 40G in size but only occupies 24432k on disk, so it is a sparse file. 

The file permissions and sparseness matches a snapshot.  If your FS
is 40GB then it is a snapshot.

>/home/lost+found# rm \#005
>override r  root/operator snapshot for #005? n

The file itself is not writable so rm prompts.  This is normal.

>Is there a magic "snapshot" flag on the file?  Have I somehow damaged my 
>ufs2+softupdates filesystem by losing its inode #5 containing snapshot 
>data?

No and no.  You can have multiple snapshots in a filesystem.

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.




Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Andy Dills
On Thu, 6 Mar 2008, Mark Andrews wrote:

>   Service providers get paid to push IP packets.  They shouldn't
>   care which protocol version is in the header.  What they
>   should be worried about is ensuring that they are here in
>   4 years time.

Sure they should. The ASICs in the vast majority of production routers are 
setup for IPv4. Add in the fact that you can get very capable routers 
reasonably cheap on the secondary market and compound it with the lack of 
revenue driven demand, and economics overwhelms.

Very precisely because we are worried about being here in four years time, 
we spend our money wisely. We spend today's money today. Throwing money at 
something with no demonstrable or projectable ROI is exactly how you wind 
up gone in four years.

>   Most end users won't even know that they are running IPv6
>   connections.  I had to look at netstat to see which protocol
>   was being chosen on my father's box.  I'm sure he had zero
>   knowledge that he was using IPv6 (6-to-4).

This is true, but illustrates my point. If users had to be dragged kicking 
and screaming into using digital television, which is obviously a huge 
upgrade that provides a significantly enhanced experience, why would they 
want to pay for a new CPE that works fine and will work fine for many 
years? Which also in turn provides them with more IP addresses than they 
can use via NAT? 

> > - To route IPv6 with the same features and packet forwarding rate as with 
> > IPv4, nearly every network will be forced to purchase expensive router 
> > upgrades with no other real benefit beyond IPv6 connectivity (which again 
> > provides no ROI to justify the capex). Nobody is going to do forklift 
> > upgrades just for IPv6, but as routers get normally upgraded IPv6 
> > functionality will indeed slowly expand.
> 
>   And the same argument was put out 6 years ago.  The backbone
>   really has gone dual stack while you weren't paying attention.

Portions of it, yes. But this is expected; "the backbone" frequently has 
to upgrade for a variety of reasons, ranging from new and valuable 
technology (MPLS, DWDM, etc) to shady behavior by Cisco (forcing people to 
get the SUP720-3BXL to handle >255k prefixes).

Every step you take away from public corporations who are spending 
stockholder money and have revenue driven infrastructure upgrades, you 
move toward companies who have a much slower growth rate with much fewer 
changes in network requirements, and who have to get capex approved by the 
person whose money is actually being spent on the improvements.

> > - IPv6 provides almost no technological upgrades beyond additional address
> > space. DHCP addressed the auto configuration feature, VPNs addressed
> > IPsec.
> 
>   That extra address space really is a big advantage.  It
>   really is so much better to be able to get to machines you
>   need to without have to manually setup application relays
>   because you couldn't get enough address space to be able
>   to globally address everything want to.

So much better? Sure. Does it justify IPv6? I'm not convinced. 

I'm hoping some genius devises a new protocol that solves the growing 
issue of inter-domain routing scalability by eliminating the need for 
forwarding paths for every prefix in the global routing table, while also 
creating true network portability, allowing individuals to obtain personal 
IP space which they can utilize independent of their service provider, 
without requiring any knowledge of routing protocol.

THAT is worth a forklift upgrade. THAT would be rapidly adopted. 

IPv6 at this point looks very poorly thought out in the face of such 
obviously incremental solutions such as:

- Utilizing the rarely used 16 bit Identification field or the useless 32 
bit Options field in the existing IPv4 header to include a private routing 
identifier.
- Existing routers are compatible, as they merely route the /32 to the 
NAT device, don't care about those fields.
- The NAT device rewrites the packet based on the private routing 
identifier, without user intervention in configuring mapped addresses or 
ports.
- The private routing identifier can either be a new DNS record or stuffed 
into TXT records.

Initially, "important" devices would not rely on the private routing 
identifier, enabling fringe users to use as a "best effort" upgrade while 
network stacks and resolver libraries get upgraded. All software upgrades, 
all leaving the core untouched.

That's just something I threw together while responding. Imagine what 
could happen if somebody smart focused on it.

>   So make the network IPv6 enabled.  Both my home network and
>   the office networks have been IPv6 enabled for years now.
>   My ISP doesn't support IPv6 yet though I know that have
>   IPv6 netblocks for themselves now if not for the customers
>   at this stage.

Oh, they have them for the customers. They just don't wan

Re: linked ssl libraries to binary

2008-03-05 Thread Simon L. Nielsen
On 2008.03.04 12:05:22 +, Chris wrote:

> On freebsd 6 it picks up /usr/local ssl libraries no problem and in
> fact uses them without even having to specify the directory it auto
> detects them over the base ssl.  On freebsd 7 it uses the base
> libraries even when telling it to search in /usr/local.

That sounds either like there is a bug in the program build
system... it might also happen if the base system and ports
libraries have the same version number... I never tried that as I
always use base system OpenSSL.

> So I then decided to move the binary I compiled on freebsd 6 over to
> the freebsd 7 box and when I ran ldd on the binary to my surprise it
> is using the base libraries on freebsd 7.

Note that we do not guarantee at all that you can do that.  I'm not
even sure that the .so version number in the port and in the base
system match.

> ldd on binary on freebsd 6
> 
> libssl.so.5 => /usr/local/lib/libssl.so.5 (0x48102000)
> libcrypto.so.5 => /usr/local/lib/libcrypto.so.5 (0x48143000)
> libcrypt.so.3 => /lib/libcrypt.so.3 (0x4829f000)
> libboost_iostreams.so => /usr/local/lib/libboost_iostreams.so (0x482b8000)
> libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x482c)
> libm.so.4 => /lib/libm.so.4 (0x48396000)
> libpthread.so.2 => /lib/libpthread.so.2 (0x483ac000)
> libc.so.6 => /lib/libc.so.6 (0x483d3000)
> libbz2.so.2 => /usr/lib/libbz2.so.2 (0x484cb000)
> libz.so.3 => /lib/libz.so.3 (0x484dc000)
> 
> ldd on same binary on freebsd 7
> 
> libssl.so.5 => /usr/lib/libssl.so.5 (0x28101000)
> libcrypto.so.5 => /lib/libcrypto.so.5 (0x28142000)
> libcrypt.so.3 => /usr/local/lib/compat/libcrypt.so.3 (0x2829a000)
> libboost_iostreams.so => /usr/local/lib/libboost_iostreams.so (0x282b2000)
> libstdc++.so.5 => /usr/local/lib/compat/libstdc++.so.5 (0x282bd000)
> libm.so.4 => /usr/local/lib/compat/libm.so.4 (0x28388000)
> libpthread.so.2 => /usr/local/lib/compat/libpthread.so.2 (0x2839e000)
> libc.so.6 => /usr/local/lib/compat/libc.so.6 (0x283c3000)
> libc.so.7 => /lib/libc.so.7 (0x284a9000)

Uhh, not good.  If you link against two versions of libc bad things
are bound to happen.  That can happen if you have an old binary which
links against a new lib... or something like that.

If you want this to work either compile the binary statically or
get all the 6.x libs and do some LDCONFIGPATH (or whatever the env var
is called) to make sure those libs override the 7.x libs.

> libboost_iostreams.so => /usr/local/lib/libboost_iostreams.so (0x282c1000)
> libbz2.so.3 => /usr/lib/libbz2.so.3 (0x284ee000)
> libc.so.7 => /lib/libc.so.7 (0x283f3000)
> libcrypt.so.4 => /lib/libcrypt.so.4 (0x282a8000)
> libcrypto.so.5 => /lib/libcrypto.so.5 (0x2815)
> libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x283d5000)
> libm.so.5 => /lib/libm.so.5 (0x283c)
> libssl.so.5 => /usr/lib/libssl.so.5 (0x2810f000)
> libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x282cc000)
> libthr.so.3 => /lib/libthr.so.3 (0x283e)
> libz.so.4 => /lib/libz.so.4 (0x284fe000)

That looks correct (at least no duplicate libs).

Unfortunately I have no idea why it crashes on 7 naively compiled.

-- 
Simon L. Nielsen
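
The two conditions discussed in the message above (one soname loaded at two versions, and the SSL libraries resolving outside /usr/local/lib) can be checked mechanically from ldd output. This sh/awk sketch is an added example, not code from the thread; the function names are made up here, and the sample input is a subset of the FreeBSD 7 ldd listing quoted above with the wrapped line rejoined.

```shell
#!/bin/sh
# Added example: audit "ldd" output for the two problems discussed in the thread.
# Real use (assumed path):  ldd /path/to/binary | mixed_versions

# Sample input: lines copied from the "ldd on same binary on freebsd 7"
# listing quoted in the message (wrapped libboost line rejoined).
sample_ldd() {
cat <<'EOF'
    libssl.so.5 => /usr/lib/libssl.so.5 (0x28101000)
    libcrypto.so.5 => /lib/libcrypto.so.5 (0x28142000)
    libcrypt.so.3 => /usr/local/lib/compat/libcrypt.so.3 (0x2829a000)
    libboost_iostreams.so => /usr/local/lib/libboost_iostreams.so (0x282b2000)
    libm.so.4 => /usr/local/lib/compat/libm.so.4 (0x28388000)
    libc.so.6 => /usr/local/lib/compat/libc.so.6 (0x283c3000)
    libc.so.7 => /lib/libc.so.7 (0x284a9000)
EOF
}

# Read ldd output on stdin; print "name: v1,v2" for every library that is
# mapped at more than one .so version (for example libc.so.6 and libc.so.7).
mixed_versions() {
    awk '
    $2 == "=>" {
        name = $1
        ver = "-"                       # unversioned, e.g. libfoo.so
        if (match(name, /\.so\.[0-9]+$/)) {
            ver = substr(name, RSTART + 4)
            name = substr(name, 1, RSTART - 1)
        } else {
            sub(/\.so$/, "", name)
        }
        if ((name, ver) in seen) next   # same version listed twice is harmless
        seen[name, ver] = 1
        if (count[name]++) vers[name] = vers[name] "," ver
        else vers[name] = ver
    }
    END {
        for (k in count) if (count[k] > 1) print k ": " vers[k]
    }' | sort
}

# Read ldd output on stdin; print "soname path" for every library whose soname
# matches the awk regex $2 but whose resolved path is not under directory $1.
# Avoid backslashes in the regex (use [.] for a literal dot).
not_under() {
    awk -v dir="$1" -v pat="$2" '
    $2 == "=>" && $1 ~ pat && index($3, dir "/") != 1 { print $1, $3 }'
}

echo "sonames mapped at more than one version:"
sample_ldd | mixed_versions
echo "SSL libraries not resolved from /usr/local/lib:"
sample_ldd | not_under /usr/local/lib '^lib(ssl|crypto)[.]'
```

On the sample, the first check reports libc at versions 6 and 7, and the second shows libssl and libcrypto coming from the base system directories rather than the ports tree.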


Re: swap_pager: indefinite wait buffer

2008-03-05 Thread Kris Kennaway

Michael Grant wrote:
> On Wed, Mar 5, 2008 at 11:08 AM, Ruben van Staveren <[EMAIL PROTECTED]> wrote:
>>  On 5 Mar 2008, at 10:06, Michael Grant wrote:
>>
>>  > My server just literally was brought to its knees with this message
>>  > spewing on the console:
>>  >
>>  > swap_pager: indefinite wait buffer: bufobj: 0, blkno: 1203133, size:
>>  > 4096
>>  >
>>  > (blkno and size were varying)
>>  >
>>  > Some searching says that this is or was a bug.  Has this been fixed
>>  > yet?  If so, what should I upgrade to?  I'm currently running 6.3
>>
>>  You may consider partition backed swap instead of file backed swap if
>>  that is the case.
>
> Hmm, I can't easily do that, I didn't leave any empty partitions
> around as I never considered swapping to a file to be so bad.
>
> Is swapping to a file so bad under normal conditions?

The message indicates that it took >30 seconds to complete an operation,
so it was timed out assuming the I/O was lost by the device.

In your case it was probably not lost, just delayed for more than 30
seconds by an overloaded filesystem.

> Does this mean that this bug is still not fixed in 7.0?

It's not clear whether it's a bug or your disk is just too overloaded to
complete the filesystem operation in a reasonable time period (swapping
to a file is slower than swapping to a partition, which is already
something you never want to do in normal operation).  You can increase
the timeout by editing the kernel.


Kris



Re: 7.0-Release and 3ware 9550SXU w/BBU - horrible write performance

2008-03-05 Thread Andrew L. Davydov

alan bryan wrote:

> Hi,
>
> I've got a new server with a 3ware 9550SXU with the
> Battery.  I am using FreeBSD 7.0-Release (tried both
> 4BSD and ULE) using AMD64 and the 3ware performance
> for writes is just plain horrible.  Something is
> obviously wrong but I'm not sure what.

Hi!

Try to add the following variable in your /etc/sysctl.conf

#Disk TWA
vfs.hirunningspace=5242880
vfs.read_max=256

reboot or execute /etc/rc.d/sysctl start
and try your test again


My results

Seeker 1...Seeker 2...Seeker 3...start 'em...done...done...done...
---Sequential Output ---Sequential Input-- --Random--
-Per Char- --Block--- -Rewrite-- -Per Char- --Block--- --Seeks---
Machine MB K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU /sec %CPU
1024 80443 80.6 104481 45.2 43386 19.1 84372 80.4 507936 98.6 19422.9 192.7

Machine MB K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU /sec %CPU
100 51012 46.6 103153 38.0 27272 7.4 116210 98.7 989831 99.3 72496.6 183.3



--
Best regards
Mr Andrew L. Davydov
+7 985 773 8819



Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Peter Wemm
On Wed, Mar 5, 2008 at 6:32 AM, Mark Andrews <[EMAIL PROTECTED]> wrote:
> There is a reasonable chance that this mail will leave here
> over IPv6 for some of the recipients.  It will almost
> certainly travel over IPv6 for at least one hop.
>
> Mark

It did:
drugs.dv.isc.org -> IPv6 -> mx1.freebsd.org -> IPv6 -> hub.freebsd.org
-> Mailman -> localhost -> hub.freebsd.org -> IPv6 -> mx2.freebsd.org
-> IPv6 -> me

The only IPv4 hop in this path was when Mailman connected to localhost
(127.0.0.1) to reinject the email.  And that is because I had
127.0.0.1 hard coded in a config file.

-- 
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Peter Wemm
On Wed, Mar 5, 2008 at 1:39 PM, Peter Wemm <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 5, 2008 at 6:32 AM, Mark Andrews <[EMAIL PROTECTED]> wrote:
>  > There is a reasonable chance that this mail will leave here
>  > over IPv6 for some of the recipients.  It will almost
>  > certainly travel over IPv6 for at least one hop.
>  >
>  > Mark
>
>  It did:
>  drugs.dv.isc.org -> IPv6 -> mx1.freebsd.org -> IPv6 -> hub.freebsd.org
>  -> Mailman -> localhost -> hub.freebsd.org -> IPv6 -> mx2.freebsd.org
>  -> IPv6 -> me
>
>  The only IPv4 hop in this path was when Mailman connected to localhost
>  (127.0.0.1) to reinject the email.  And that is because I had
>  127.0.0.1 hard coded in a config file.

Oh, one more thing.  If you are IPv6-enabled, you get to bypass the 10
minute greylisting delay on mx1.freebsd.org.  Your email goes through
instantly instead of potentially being delayed by 10-30 minutes.

-- 
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Dimitry Andric
On 2008-03-05 22:42, Peter Wemm wrote:
> Oh, one more thing.  If you are IPv6-enabled, you get to bypass the 10
> minute greylisting delay on mx1.freebsd.org.  Your email goes through
> instantly instead of potentially being delayed by 10-30 minutes.

Until the spammers start using IPv6... Then we'll know it's gone
mainstream. :/


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Peter Wemm
On Wed, Mar 5, 2008 at 1:44 PM, Dimitry Andric <[EMAIL PROTECTED]> wrote:
> On 2008-03-05 22:42, Peter Wemm wrote:
>  > Oh, one more thing.  If you are IPv6-enabled, you get to bypass the 10
>  > minute greylisting delay on mx1.freebsd.org.  Your email goes through
>  > instantly instead of potentially being delayed by 10-30 minutes.
>
>  Until the spammers start using IPv6... Then we'll know it's gone
>  mainstream. :/

In the meantime, enjoy the peace and quiet...

-- 
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell


Re: Odd file in /lost+found after softupdate inconsistency in fsck

2008-03-05 Thread Andriy Gapon
on 05/03/2008 14:43 Tod McQuillin said the following:
> Hi all,
> 
> My server froze up tonight after a 2 month uptime running 6.3-PRERELEASE 
> from Dec 28 2007.
> 
> I had to fsck /home by hand because of an inconsistency fsck couldn't 
> repair automatically -- something to do with an unexpected softupdate 
> inconsistency.
> 
> After that, I ended up with some files in /home/lost+found, one of which 
> is quite interesting:
> 
> /home/lost+found# ls -lksh
> total 24432
> 24432 -r  1 root  operator40G Mar  5 20:12 #005
> 
> It is 40G in size but only occupies 24432k on disk, so it is a sparse 
> file.  I'm not aware of any sparse files of quite that size on my system 
> (or relative sparseness) but it's possible i might overlook one.
> 
> But the thing that's interesting to me is the inode number (inode 5) and 
> the fact that rm doesn't want me to remove it:
> 
> /home/lost+found# rm \#005
> override r  root/operator snapshot for #005? n

Are you sure that it doesn't want to remove it? It's just asking you the
question (maybe because you executed rm  as non-root or maybe because of
the mode of the file); you can answer 'yes', you know.

> Is there a magic "snapshot" flag on the file?  Have I somehow damaged my 
> ufs2+softupdates filesystem by losing its inode #5 containing snapshot 
> data?
> 
> Any insights appreciated,

You can try stat(1) on it to see all the details, that could help with
further conclusions.

-- 
Andriy Gapon


Re: INET6 -- and why I don't use it

2008-03-05 Thread Mark Andrews

> On Wed, Mar 05, 2008 at 03:00:29PM +, Vadim Goncharov wrote:
> > Makes it harder to debug, etc. Don't want to see anything IPv6 related in
> > command output, to let programs to bind on IPv6 addresses, etc.
> 
> Changing the Subject (but keeping the thread ID reference), since the
> original topic of discussion has now been skewed.
> 
> I have the same attitude Vadim does.  Actually, most of my IPv6 fear
> isn't so much fear as much as it is annoyance and confusion.  Here's
> my list of things, as trivial as they may sound (and I guarantee they
> will):
> 
> * I'm not familiar with the intricacies of the protocol.  This is
> partially my own fault (lack of interest mainly, combined with lack of
> need), while I am very familiar with IPv4.

And you never will be familiar unless you use it.

> * The last I read about IPv6 in mainstream news, there were major
> concerns cited over some of the security aspects of the protocol.  I
> also remember reading somewhere that IPv6 was supposed to address issues
> like packet spoofing and DoS -- what became of this?

Someone was feeding you a load of horse @$$!.
 
> * I have never liked how IPv6 denotes its addresses by using colon-
> delimited hexadecimal strings.  I can expand on this if asked, but it's
> more than just "they're MAC-like" (which is also true, even though
> they're grouped by 16-bit values and not octets).  Reading off an IPv4
> address over the phone is bad enough, and typos are even worse.  IPv6?
> Good grief.

128 bit numbers are big in whatever presentation format you
choose.  Groups of 4 digits are much easier for a human
to copy and enter correctly than longer strings.  Did you
ever wonder why Mastercard and Visa use groups of 4 digits
on their cards? 
 
> * Consumer ISPs here in the States do not "pass packets" -- you aren't
> given a raw pipe; you're given a physical transport with IPv4 service.
> The reality here is that the vast majority will not embrace IPv6 until
> there's an actual market/need for it.  No consumer ISP I know of
> delegates a customer an IPv6 IP address or netblock.  Backbone providers
> support IPv6 now, yup -- and even some peering providers and
> datacenter/co-location facilities do.  But they're all in the minority.

Consumer ISPs in the US are actively getting ready to turn
on IPv6.  Some already have.
 
> * The "we're running out of address space" argument doesn't hold
> much ground with me.  Yes, it's getting tight, but it's not THAT tight.
> ARIN very regularly returns large amounts of IPv4 space to the world for
> use (I used to be subscribed to NANOG, so I'm aware of this).  Want to
> do something useful?  Start campaigns to get General Electric and MIT to
> give up huge portions of 3/8 and 18/8, respectively.  This is ARIN's
> job, and I sure wouldn't want it.

Which would buy a few extra months if they weren't already
using the address space.

> * NAT with IPv4 appears to be "solving" most of the address space issues
> in this day and age.  I use quotes because it adds extra complexities
> at the same time (port forwarding, for example, is an annoying
> requirement, mainly because so many protocols were written during the
> days when NAT didn't exist, or are simply badly-written protocols (I'm
> looking at you, Microsoft)).  Only once in my life have I seen a single
> network so large that it required use of 192.168/16, 172.16/12, and 10/8
> all at once.  Another fact is that NAT is **incredibly** integrated in
> consumer society now.  The attitude given is "NAT suffices, use it".
> Until we can teach people "no, it doesn't suffice, and here's why" and
> get people to believe and accept that, it isn't going to change.

NAT just introduces additional problems.  Double NAT
introduces even more problems and will end up being
laughed off the planet as a joke when ISPs attempt it.
In other words we have already made as much saving as we
can with NAT.

We would have run out of addresses years ago without the
NATs that are currently deployed.
 
> * None of my employers (sans my current, Microsoft) have ever bothered
> implementing IPv6 on their networks.  What this means for me: I have no
> personal *nor professional* reason to advocate or learn about IPv6.
> Microsoft, on the other hand, is taking initiative.  But it's been
> anything but smooth; the amount of breakage it's caused so far is...
> shall I say, very disappointing.  That doesn't mean "IPv6 sucks", but it
> does mean "integrating IPv6 into a production network appears to be
> painful".  Hence, more animosity towards it by those who don't
> understand it.

What can I say, short sighted employers.
 
> And last but not least:
> 
> * I don't like incorporating "stuff" into my kernel, my utilities, or
> my systems in general which I do not use.  I don't want to see an IPv6
> address on my m

Re: INET6 -- and why I don't use it

2008-03-05 Thread Brandon S. Allbery KF8NH


On Mar 5, 2008, at 17:31 , Mark Andrews wrote:

>> On Wed, Mar 05, 2008 at 03:00:29PM +, Vadim Goncharov wrote:
>>> * The last I read about IPv6 in mainstream news, there were major
>>> concerns cited over some of the security aspects of the protocol.  I
>>> also remember reading somewhere that IPv6 was supposed to address
>>> issues like packet spoofing and DoS -- what became of this?
>
> Someone was feeding you a load of horse @$$!.


When Marcus Ranum is one of those questioning its security, I'm  
inclined to believe him.  (Google "mjr ipv6 security" --- his point  
in a nutshell is that we're going to be fixing old IPv4 holes in new  
guises for a while.)


--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] [EMAIL PROTECTED]
system administrator [openafs,heimdal,too many hats] [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon university    KF8NH




Re: INET6 -- and why I don't use it

2008-03-05 Thread Peter Wemm
On Wed, Mar 5, 2008 at 2:44 PM, Brandon S. Allbery KF8NH
<[EMAIL PROTECTED]> wrote:
>
>  On Mar 5, 2008, at 17:31 , Mark Andrews wrote:
>  >
>  >> On Wed, Mar 05, 2008 at 03:00:29PM +, Vadim Goncharov wrote:
>
> >>> * The last I read about IPv6 in mainstream news, there were major
>  >> concerns cited over some of the security aspects of the protocol.  I
>  >> also remember reading somewhere that IPv6 was supposed to address
>  >> issues
>  >> like packet spoofing and DoS -- what became of this?
>  >
>  >   Someone was feeding you a load of horse @$$!.
>
>  When Marcus Ranum is one of those questioning its security, I'm
>  inclined to believe him.  (Google "mjr ipv6 security" --- his point
>  in a nutshell is that we're going to be fixing old IPv4 holes in new
>  guises for a while.)

IPv6 has got enough rope (features) that you can hang yourself in most
of the same ways as ipv4.  If anything, these 'enhanced' versions of
ipv4 features give you new and exquisitely delicious ways of screwing
yourself.

eg: You can do the same kinds of damage with source routing in both
ipv4 and ipv6 when it is enabled.  OS developers can make the same
mistakes parsing options in both.  And so on.  (Who remembers the ipv4
'ping of death' in the early 90's?  you could send a packet with a
zero-length option to random hosts and instantly kill them)
-- 
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete
themselves upon execution." -- Robert Sewell
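
The option-parsing mistake Peter Wemm describes, as an added example in C (not code from the thread or from FreeBSD): a bounds-checked walk over IPv4 options that rejects the zero-length case, next to the IPv6 equivalent, where the length byte counts data only. Function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_EOL   0  /* IPv4 end of option list: single byte */
#define IPOPT_NOP   1  /* IPv4 no-operation: single byte */
#define IP6OPT_PAD1 0  /* IPv6 Pad1: single byte, no length field */

/* Walk the options area of an IPv4 header (the bytes after the fixed
 * 20-byte header). Returns the number of options, or -1 if malformed. */
int ipv4_walk_options(const uint8_t *opt, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len && opt[off] != IPOPT_EOL) {
        if (opt[off] == IPOPT_NOP) {
            off++;
            count++;
            continue;
        }
        if (len - off < 2)
            return -1;                 /* length byte is missing */
        size_t optlen = opt[off + 1];  /* counts type + length + data */
        /* optlen 0 would never advance `off` (endless loop); optlen 1
         * would re-read the length byte as a type. Both are invalid. */
        if (optlen < 2 || optlen > len - off)
            return -1;
        off += optlen;
        count++;
    }
    return count;
}

/* Walk an IPv6 hop-by-hop or destination options area (the bytes after
 * Next Header and Hdr Ext Len). Here the length byte counts data only,
 * so 0 is legal and the step is always at least 2. */
int ipv6_walk_options(const uint8_t *opt, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (opt[off] == IP6OPT_PAD1) {
            off++;
            count++;
            continue;
        }
        if (len - off < 2)
            return -1;                 /* length byte is missing */
        size_t step = 2 + (size_t)opt[off + 1];
        if (step > len - off)
            return -1;                 /* option runs past the header */
        off += step;
        count++;
    }
    return count;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t v4_ok[]      = { 0x01, 0x44, 0x04, 0x05, 0x00, 0x00 };
static const uint8_t v4_zerolen[] = { 0x44, 0x00, 0x00, 0x00 };
static const uint8_t v4_overrun[] = { 0x44, 0x08, 0x00, 0x00 };
static const uint8_t v6_ok[]      = { 0x00, 0x01, 0x00, 0x01, 0x02, 0x00, 0x00 };
static const uint8_t v6_overrun[] = { 0x01, 0x05, 0x00 };

int main(void)
{
    printf("v4 ok:       %d\n", ipv4_walk_options(v4_ok, sizeof v4_ok));
    printf("v4 zero len: %d\n", ipv4_walk_options(v4_zerolen, sizeof v4_zerolen));
    printf("v4 overrun:  %d\n", ipv4_walk_options(v4_overrun, sizeof v4_overrun));
    printf("v6 ok:       %d\n", ipv6_walk_options(v6_ok, sizeof v6_ok));
    printf("v6 overrun:  %d\n", ipv6_walk_options(v6_overrun, sizeof v6_overrun));
    return 0;
}
```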


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Mark Andrews

> On 2008-03-05 22:42, Peter Wemm wrote:
> > Oh, one more thing.  If you are IPv6-enabled, you get to bypass the 10
> > minute greylisting delay on mx1.freebsd.org.  Your email goes through
> > instantly instead of potentially being delayed by 10-30 minutes.
> 
> Until the spammers start using IPv6... Then we'll know it's gone
> mainstream. :/

They do it now. :-)

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: INET6 -- and why I don't use it

2008-03-05 Thread Mark Andrews

> On Mar 5, 2008, at 17:31 , Mark Andrews wrote:
> 
> >
> >> On Wed, Mar 05, 2008 at 03:00:29PM +, Vadim Goncharov wrote:
> >>> * The last I read about IPv6 in mainstream news, there were major
> >> concerns cited over some of the security aspects of the protocol.  I
> >> also remember reading somewhere that IPv6 was supposed to address  
> >> issues
> >> like packet spoofing and DoS -- what became of this?
> >
> > Someone was feeding you a load of horse @$$!.
> 
> When Marcus Ranum is one of those questioning its security, I'm  
> inclined to believe him.  (Google "mjr ipv6 security" --- his point  
> in a nutshell is that we're going to be fixing old IPv4 holes in new  
> guises for a while.)

Unless you implement BCP 38 you won't prevent spoofed packets
leaving your network.  Nothing prevents someone injecting
spoofed packets.  It's just a matter of how far they travel.

Unless you enable IPSEC for all your communication partners
you won't be able to detect spoofed packets arriving.

There is nothing anyone can really do to prevent a DoS attack.

These statements are as true for IPv4 as they are for IPv6.

IPv6 still has a MUST against IPSEC against this though people
are arguing that it should become a SHOULD.  That MUST indicates
code support not enabling.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: INET6 -- and why I don't use it

2008-03-05 Thread Michael Gratton

Hi Jeremy,

On Wed, 2008-03-05 at 08:01 -0800, Jeremy Chadwick wrote:
> * I'm not familiar with the intricacies of the protocol. 

No better time (or way) to learn! Get going!

> * The last I read about IPv6 in mainstream news, there were major
> concerns cited over some of the security aspects of the protocol.

When was the last time you heard anything about IPv4 in the mainstream
news (that wasn't related to the approaching address space armageddon)?

> * I have never liked how IPv6 denotes its addresses by using colon-
> delimited hexadecimal strings.

The glib answer would be "and this is why we have the DNS". Yes it is
more typing and/or talking, but that's the price to pay for a larger
address space. Anyway, just do what we do when relating v4 addresses:
don't pronounce the delimiter.

Bonus points to the first person who coins the name of the double-colon.
I vote for "bam":

  "What's that address again?"
  "Err, two oh oh one, aye bee oh nine, bam oh oh oh five."

> * Consumer ISPs here in the States do not "pass packets" -- you aren't
> given a raw pipe; you're given a physical transport with IPv4 service.

As others have pointed out, ISPs over there are starting to get in on the
act, behind Asia. As I said, no better time to learn! 

> * The "we're running out of address space" argument doesn't hold
> much ground with me.  Yes, it's getting tight, but it's not THAT tight.

Only because of NAT, and...

> * NAT with IPv4 appears to be "solving" most of the address space issues
> in this day and age.

No. NAT is evil. If you have ever been at a site that uses the same
private range as on the other side of the VPN you're using, you know
what I mean. There's plenty of other reasons why NAT is a terrible kluge
that needs to go away ASAP. I think you mentioned many of them.

> * None of my employers (sans my current, Microsoft) have ever bothered
> implementing IPv6 on their networks.

For many, many reasons, which are slowly going away.

> Sufficient?

I'd argue otherwise. :)

/Mike

-- 
Michael Gratton <[EMAIL PROTECTED]> 
Quuxo Software 




URGENCY help install error on DELL R900

2008-03-05 Thread wsk
hello list,
get "Can't load kernel" error while trying to install FBSD_7.0R on DELL
R900.

lsdev
cd devices:
cd0: Device 0x0
disk devices:
disk0: Bios drive C:

ls /
get bad path

and it can load kernel successfully
load cd0:/boot/kernel/kernel
boot -v get progressbar "| / \" and stopped

btw:
install SuSE linux or DragonflyBSD successfully and check that it is nothing
to do with bios

help... and thanks with any reply.


Re: INET6 required for SCTP in 7.0?

2008-03-05 Thread Kevin Oberman
> Date: Wed, 5 Mar 2008 13:42:25 -0800
> From: "Peter Wemm" <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> 
> On Wed, Mar 5, 2008 at 1:39 PM, Peter Wemm <[EMAIL PROTECTED]> wrote:
> > On Wed, Mar 5, 2008 at 6:32 AM, Mark Andrews <[EMAIL PROTECTED]> wrote:
> >  > There is a reasonable chance that this mail will leave here
> >  > over IPv6 for some of the recipients.  It will almost
> >  > certainly travel over IPv6 for at least one hop.
> >  >
> >  > Mark
> >
> >  It did:
> >  drugs.dv.isc.org -> IPv6 -> mx1.freebsd.org -> IPv6 -> hub.freebsd.org
> >  -> Mailman -> localhost -> hub.freebsd.org -> IPv6 -> mx2.freebsd.org
> >  -> IPv6 -> me
> >
> >  The only IPv4 hop in this path was when Mailman connected to localhost
> >  (127.0.0.1) to reinject the email.  And that is because I had
> >  127.0.0.1 hard coded in a config file.
> 
> Oh, one more thing.  If you are IPv6-enabled, you get to bypass the 10
> minute greylisting delay on mx1.freebsd.org.  Your email goes through
> instantly instead of potentially being delayed by 10-30 minutes.

Cool! That explains why most postings seem to take so long.

Hopefully this message made it through with no IPv4 hops.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751




Can NOT boot FreeBSD on Dell R900

2008-03-05 Thread Huang wen hui
hi,
I boot FreeBSD 7.0R on R900, it stops with an error message:
can't load 'kernel'

Output from lsdev:

cd devices:
cd0: Device 0x0
disk devices:
disk0: Bios drive C:

ls cd0:/ can find files on CD.

load cd0:/boot/kernel/kernel works, but boot -v stop |\ status.

also "show" command does not show message, just blank.

Are there any hints that can solve this problem?

thanks

--hwh



Can NOT boot FreeBSD on Dell R900

2008-03-05 Thread Huang wen hui
hi,
I boot FreeBSD 7.0R on R900, it stops with an error message:
can't load 'kernel'

Output from lsdev:

cd devices:
cd0: Device 0x0
disk devices:
disk0: Bios drive C:

ls cd0:/ can find files on CD.

load cd0:/boot/kernel/kernel works, but boot -v stop |\ status.

also "show" command does not show message, just blank.

And I try to boot DragonFlyBSD 1.12, it works!

Are there any hints that can solve this problem?

thanks

--hwh




Re: Can NOT boot FreeBSD on Dell R900

2008-03-05 Thread Philip M. Gollucci
Huang wen hui wrote:
> hi,
> I boot FreeBSD 7.0R on R900, it stops with an error message:
> can't load 'kernel'

It might be chipset related, I know the R860 is only like 2-4 months in
the field, so I doubt FreeBSD developers have one yet.




Re: Odd file in /lost+found after softupdate inconsistency in fsck

2008-03-05 Thread Tod McQuillin

On Thu, 6 Mar 2008, Peter Jeremy wrote:

> On Wed, Mar 05, 2008 at 09:43:15PM +0900, Tod McQuillin wrote:
>> /home/lost+found# ls -lksh
>> total 24432
>> 24432 -r  1 root  operator40G Mar  5 20:12 #005
>>
>> It is 40G in size but only occupies 24432k on disk, so it is a sparse file.
>
> The file permissions and sparseness matches a snapshot.  If your FS
> is 40GB then it is a snapshot.


Thanks Peter.

So, it's a snapshot -- is it still usable?  Is it safe to delete it?

snapinfo doesn't know about it:

# snapinfo -v /home
/dev/ad4s2e mounted on /home
no snapshots found

I'm not in the habit of making snapshots ... but it might have come from a 
dump -L.


Anyway, I think the conclusion is that it's a snapshot, of mysterious 
origin, and it's probably not useful.


Thanks again,
--
Tod McQuillin



Re: Can NOT boot FreeBSD on Dell R900

2008-03-05 Thread Nicky Bulthuis
Hello,

I'm having the same problem with an R900. Doesn't matter if you choose
6.2 or 6.3 either. I've also tried booting from USB Pen Drive, USB
CD-Rom Drive and booting with PXE, all give the same 'can't load kernel'
error.

I haven't been able to get FreeBSD on it. Nor FreeNAS. DragonFly BSD
does work.

Greetz.

Huang wen hui wrote:
> hi,
> I boot FreeBSD 7.0R on R900, it stops with an error message:
> can't load 'kernel'
>
> Output from lsdev:
>
> cd devices:
> cd0: Device 0x0
> disk devices:
> disk0: Bios drive C:
>
> ls cd0:/ can find files on CD.
>
> load cd0:/boot/kernel/kernel works, but boot -v stop |\ status.
>
> also "show" command does not show message, just blank.
>
> And I try to boot DragonFlyBSD 1.12, it works!
>
> Are there any hints that can solve this problem?
>
> thanks
>
> --hwh



Re: Can NOT boot FreeBSD on Dell R900

2008-03-05 Thread Jeremy Chadwick
On Thu, Mar 06, 2008 at 08:13:35AM +0100, Nicky Bulthuis wrote:
> I'm having the same problem with an R900. Doesn't matter if you choose
> 6.2 or 6.3 either. I've also tried booting from USB Pen Drive, USB
> CD-Rom Drive and booting with PXE, all give the same 'can't load kernel'
> error.

Re: unable to boot FreeBSD off of USB: this is a known
problem/limitation with BTX.  GRUB does not have this problem, so if you
can install GRUB on said medium, it should work.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



Re: URGENCY help install error on DELL R900

2008-03-05 Thread jose ycogo

Try downloading the ISO again. 
 
- Original Message 
From: wsk <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, March 6, 2008 13:30:55
Subject: URGENCY help install error on DELL R900

hello list,
get "Can't load kernel" error while trying to install FBSD_7.0R on DELL
R900.

lsdev
cd devices:
cd0: Device 0x0
disk devices:
disk0: Bios drive C:

ls /
get bad path

and it can load kernel successfully
load cd0:/boot/kernel/kernel
boot -v get progressbar "| / \" and stopped

btw:
install SuSE linux or DragonflyBSD successfully and check that it is nothing
to do with bios

help... and thanks with any reply.