Re: pkg_create error

2005-09-22 Thread Marc Espie
On Thu, Sep 22, 2005 at 02:08:39AM +, Edy Purnomo wrote:
 argh!
 
 yes, it's true, i did update the ports by typing cvsup -g -L 2 cvs-supfile 
 with conf:
 
# Defaults that apply to all the collections
*default host=cvsup.uk.openbsd.org
*default base=/var
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix compress
 
# Ports Collection.
OpenBSD-ports tag=.
 
 is there anyway to get the old ports back to its place ? e.g. extract 
 ports.tar.gz from the CD-ROM ?
 
 tia.

Why don't you simply just bite the bullet and go to current, or 3.7, or 3.8 ?

3.4 is fairly old by now...



Re: pkg_create error

2005-09-22 Thread Edy Purnomo

i'm not sure that i can do that smoothly.
the server is our firewall and it's running :

- mrtg
- squid
- openntp

does anyone have a reference site about upgrading 3.4 -> current ?
i don't have confidence after i messed up with FBSD 4.11

tia






Re: pkg_create error

2005-09-22 Thread Jasper Lievisse Adriaanse
On Thu, 22 Sep 2005 07:41:04 +
Edy Purnomo [EMAIL PROTECTED] wrote:

 i'm not sure that i can do that smoothly.
 the server is our firewall and it's running :
 
 - mrtg
 - squid
 - openntp
 
 anyone has a reference site about upgrading 3.4 - current ?
 i don't confidence after i messed up with FBSD 4.11
Well, you should update your system at least once a year. Then the possible
pain will be the least. So just do what Marc Espie says, and bite the bullet.

Good luck.

Jasper

 


-- 
Security is decided by quality -- Theo de Raadt



Re: pkg_create error

2005-09-22 Thread Rogier Krieger
On 9/22/05, Edy Purnomo [EMAIL PROTECTED] wrote:
 i'm not sure that i can do that smoothly.
 the server is our firewall and it's running :

Use a quiet window on your network to down the machine. Add a new boot
drive to the system and install the latest release or -current
snapshot. Transfer items as needed.

If you can't make it work within your window, switch drives and do
some more work later.

If you can't afford such a thing, build a new machine altogether and
replace the original. Once satisfied, you can always put the original
machine to use through CARP/pfsync.

Sticking with 3.4 isn't likely to make things easier; it's only likely
to get more difficult.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: Live dc

2005-09-22 Thread Vjacheslav Borisov

Andreas Bihlmaier wrote:


I made bootable cdrom you described.

Does it work otherwise ?


Yes, it works! This is just what I want - diskless router on CD.
With pf rules loaded from floppy disk.



3.7: INVALID PAYLOAD TYPE

2005-09-22 Thread Toni Mueller
Hello,

I have three machines: one 3.7, one 3.6, and one Windows 2000 laptop.
The client software on the laptop is this:

  ftp://ftp.funkwerk-ec.com/pub/ipsec_client/bintec_secure_client_v11.zip

aka NCP Secure Entry which usually runs very nicely.

The two OpenBSD machines are configured identically, except for IP
numbers and server certificates. Everything is set up to run with X.509
certificates off of my private CA.

Connecting from the windows machine to the 3.6 machine works fine as
long as I only use the primary IP number (it has two from different
networks), but connecting to the 3.7 machine, which has only one IP
number, yields INVALID PAYLOAD TYPE, and nothing works. This is what
I get with tcpdump (IP numbers fudged):


# /usr/sbin/tcpdump -n -vvv -e -s 1500 -i bge0 \(esp or port 500 or port 4500 \) and host 1.2.3.4
tcpdump: listening on bge0, link-type EN10MB
12:15:35.791290 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 294: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 0c052e9abace2953->0000000000000000 msgid: 00000000 len: 252
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 40
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1536
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
attribute KEY_LENGTH = 256
payload: VENDOR len: 12
payload: VENDOR len: 12
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0)
payload: VENDOR len: 20
payload: VENDOR len: 20 (ttl 126, id 1731, len 280)
12:15:35.797183 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 210: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 168
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 40
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1536
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 7080
attribute KEY_LENGTH = 256
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 13783, len 196)
12:15:36.113303 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
payload: KEY_EXCH len: 196
payload: NONCE len: 44
payload: unknown len: 24
payload: unknown len: 24 (ttl 126, id 1732, len 344)
12:15:36.115954 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO
cookie: d6da19765da85f25->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: INVALID PAYLOAD TYPE (ttl 64, id 29429, len 68)
12:16:05.215393 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
payload: KEY_EXCH len: 196
payload: NONCE len: 44
payload: unknown len: 24
payload: unknown len: 24 (ttl 126, id 1733, len 344)
12:16:05.217956 0:e0:81:63:16:d2 0:0:c:3e:48:dc 0800 82: 5.6.7.8.500 > 1.2.3.4.500: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 6af35ef1d456e460->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: INVALID PAYLOAD TYPE (ttl 64, id 15575, len 68)
12:16:09.220412 0:0:c:3e:48:dc 0:e0:81:63:16:d2 0800 358: 1.2.3.4.500 > 5.6.7.8.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 0c052e9abace2953->6297719b10aab610 msgid: 00000000 len: 316
payload: KEY_EXCH 

Re: 3.7: INVALID PAYLOAD TYPE

2005-09-22 Thread Hans-Joerg Hoexer
This is fixed in 3.7-stable and above.
HJ.

On Thu, Sep 22, 2005 at 12:37:16PM +0200, Toni Mueller wrote:
 Hello,
 
 I have three machines: one 3.7, one 3.6, and one Windows 2000 laptop.
 The client software on the laptop is this:
 
   ftp://ftp.funkwerk-ec.com/pub/ipsec_client/bintec_secure_client_v11.zip
 
 aka NCP Secure Entry which usually runs very nicely.
 
 The two OpenBSD machines are configured identically, except for IP
 numbers and server certificates. Everything is set up to run with X.509
 certificates off of my private CA.
 
 Connecting from the windows machine to the 3.6 machine works fine as
 long as I only use the primary IP number (it has two from different
 networks), but connecting to the 3.7 machine, which has only one IP
 number, yields INVALID PAYLOAD TYPE, and nothing works. This is what
 I get with tcpdump (IP numbers fudged):
 
 

jot(1) issue

2005-09-22 Thread frantisek holop
hi there,

i have found the following interesting case.
is this the intended behaviour?

kripel jot -s'' -b - 72
72-b73-b74-b75-b76-b77-b78-b79-b80-b81-b82-b83-b84-b85-b86-b87-b88-b89-b90-b91-b92-b93-b94-b95-b96-b97-b98-b99-b100-b101-b102-b103-b104-b105-b106-b107-b108-b109-b110-b111-b112-b113-b114-b115-b116-b117-b118-b119-b120-b121-b122-b123-b124-b125-b126-b127-b128-b129-b130-b131-b132-b133-b134-b135-b136-b137-b138-b139-b140-b141-b142-b143-b144-b145-b146-b147-b148-b149-b150-b151-b152-b153-b154-b155-b156-b157-b158-b159-b160-b161-b162-b163-b164-b165-b166-b167-b168-b169-b170-b171

kripel jot -s '' -b - 72


-- 
in an atomic war, all men will be cremated equal.



Re: jot(1) issue

2005-09-22 Thread Otto Moerbeek
On Thu, 22 Sep 2005, frantisek holop wrote:

 hi there,
 
 i have found the following interesting case.
 is this the intended behaviour?
 
 kripel jot -s'' -b - 72
 72-b73-b74-b75-b76-b77-b78-b79-b80-b81-b82-b83-b84-b85-b86-b87-b88-b89-b90-b91-b92-b93-b94-b95-b96-b97-b98-b99-b100-b101-b102-b103-b104-b105-b106-b107-b108-b109-b110-b111-b112-b113-b114-b115-b116-b117-b118-b119-b120-b121-b122-b123-b124-b125-b126-b127-b128-b129-b130-b131-b132-b133-b134-b135-b136-b137-b138-b139-b140-b141-b142-b143-b144-b145-b146-b147-b148-b149-b150-b151-b152-b153-b154-b155-b156-b157-b158-b159-b160-b161-b162-b163-b164-b165-b166-b167-b168-b169-b170-b171
 
 kripel jot -s '' -b - 72
 

Yes, this is expected.

The following program shows how the args are passed in each case:

[EMAIL PROTECTED]:94]$ cat x.c
#include <stdio.h>

int
main(int argc, char *argv[])
{
    int i;

    /* print every argument in quotes so that an empty argument is visible */
    for (i = 0; i < argc; i++)
        printf("%d = \"%s\"\n", i, argv[i]);
    return 0;
}
[EMAIL PROTECTED]:95]$ ./a.out -s'' -b - 72
0 = "./a.out"
1 = "-s"
2 = "-b"
3 = "-"
4 = "72"
[EMAIL PROTECTED]:96]$ ./a.out -s '' -b - 72
0 = "./a.out"
1 = "-s"
2 = ""
3 = "-b"
4 = "-"
5 = "72"
[EMAIL PROTECTED]:97]$


In the first case, the shell concatenates -s and '' into a single arg,
and the -b gets interpreted as the separator etc.

-Otto



Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread nate
Greetings

 I don't have a good way to test generating large numbers
of states so I was wondering for a server with 2GB of memory
which all it does is pf how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4Ghz CPU 2GB memory, 8 em
interfaces(only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                  Total             Rate
  current entries               2786
  searches               29837068755         5627.9/s
  inserts                  211072218           39.8/s
  removals                 211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes(running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 90000

Can I run with 200k states? 500k ? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. so in theory memory wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and
about 250 on the outside(probably will double that in the
next 6 months or less).

thanks

nate



Re: Storage Server

2005-09-22 Thread Marco Peereboom
On Wed, Sep 21, 2005 at 02:05:31PM -0600, Tom Geman wrote:
 I was hoping someone here could answer a few questions.
 Can I install OpenBSD on this PV 220, or is it just a bunch of disks with 
 no processor?

This question is very ambiguous.  You can't install OpenBSD on the PV220S
itself however you can install OpenBSD on a machine that uses the PV220S as its
disk storage device.  To add more confusion the box does have a SCSI processor
device that's supported by ses(4).

 If so, does that mean I need another computer to install OpenBSD on, that 
 will use the PV 220 as its storage?

Yes.

 Can this be any computer (what requirements, any recommended brands), or does
 it have to be this Dell PowerVault 745N (which seems to come pre-install with
 some Windows Storage Server OS)?

It can be virtually any computer.  Beck@ uses IBM amd64 boxes for this with a
Dell PERC4 HBA.  Some examples of well supported HBAs are PERC3/4, ahc/ahd and
mpt.

The 745N is a NAS box; don't get that.



Re: CARP/PFSYNC over USB is possible?

2005-09-22 Thread Brian A. Seklecki

On Mon, 29 Aug 2005, Vinicius Pavanelli Vianna wrote:


I'm currently using an OpenBSD 3.7 as a firewall for my network, since
this machines is a 1U rack I can't add an extra ethernet card to it, so
I was looking for an alternative solution to use redundancy, since there
are plenty of usb ports free can i use an usb-to-usb link over two


No one ever answered you, but I'm assuming that you discovered:

$ apropos usb|grep -i ether
aue (4) - ADMtek AN986 / ADM8511 Pegasus family USB Ethernet driver
axe (4) - ASIX Electronics AX88172 USB Ethernet driver
cdce (4) - USB Communication Device Class Ethernet driver
cue (4) - CATC USB-EL1201A USB Ethernet driver
kue (4) - Kawasaki LSI KL5KUSB101B USB Ethernet driver
udav (4) - Davicom DM9601 USB Ethernet driver
url (4) - Realtek RTL8150L USB Ethernet driver


~BAS



Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-22 Thread eric
I have a Dell 2650 with an Adaptec controller. This machine is constantly
crashing due to either a high load or some sort of a kernel panic. 

I submitted the following bug report a while ago...

http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4494

I know that Adaptec support was dropped in 3.7, and I wish I didn't have
this piece of shit to deal with. Unfortunately there's no replacement
hardware right now.

Can I do a update to -CURRENT and expect the controller to be supported? How
painful would this be? I'd be coming from 3.6 with patches.

Any thoughts are appreciated. Thanks.

- eric

dmesg follows...

OpenBSD 3.6 (GENERIC.MP) #173: Fri Sep 17 12:52:31 MDT 2004
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) XEON(TM) CPU 2.40GHz (GenuineIntel 686-class) 2.39 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
real mem  = 1073262592 (1048108K)
avail mem = 972668928 (949872K)
using 4278 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 06/10/02, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc490/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 SouthBridge rev 
0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x600 0xec000/0x4000!
mainbus0: Intel MP Specification (Version 1.4) (DELL PE 0121 )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99 MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) XEON(TM) CPU 2.40GHz (GenuineIntel 686-class) 2.39 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
mainbus0: bus 0 is type PCI   
mainbus0: bus 1 is type PCI   
mainbus0: bus 2 is type PCI   
mainbus0: bus 3 is type PCI   
mainbus0: bus 4 is type PCI   
mainbus0: bus 5 is type PCI   
mainbus0: bus 6 is type ISA   
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 16 pins
ioapic0: misconfigured as apic 0, remapped to apic 4
ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 11, 16 pins
ioapic1: misconfigured as apic 0, remapped to apic 5
ioapic2 at mainbus0: apid 6 pa 0xfec02000, version 11, 16 pins
ioapic2: misconfigured as apic 0, remapped to apic 6
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CMIC_LE Host rev 0x13
pchb1 at pci0 dev 0 function 1 ServerWorks CMIC_LE Host rev 0x00
pci1 at pchb1 bus 3
bge0 at pci1 dev 6 function 0 Broadcom BCM5701 rev 0x15: apic 5 int 12 (irq 
7) address 00:06:5b:3f:f5:9f
brgphy0 at bge0 phy 1: BCM5701 10/100/1000baseT PHY, rev. 0
bge1 at pci1 dev 8 function 0 Broadcom BCM5701 rev 0x15: apic 5 int 13 (irq 
11) address 00:06:5b:3f:f5:a0
brgphy1 at bge1 phy 1: BCM5701 10/100/1000baseT PHY, rev. 0
pchb2 at pci0 dev 0 function 2 vendor ServerWorks, unknown product 0x0 rev 
0x00
pci2 at pchb2 bus 1
em0 at pci2 dev 6 function 0 Intel PRO/1000XF (82544EI) rev 0x02: apic 5 int 
0 (irq 11), address: 00:02:b3:9a:ed:b9
em1 at pci2 dev 8 function 0 Intel PRO/1000XF (82544EI) rev 0x02: apic 5 int 
4 (irq 10), address: 00:02:b3:9a:f0:fc
vendor Dell, unknown product 0xc (class undefined unknown subclass 0x00, rev 
0x00) at pci0 dev 4 function 0 not configured
Dell PERC 3/Di rev 0x00 at pci0 dev 4 function 1 not configured
vendor Dell, unknown product 0xd (class serial bus subclass IPMI, rev 0x00) 
at pci0 dev 4 function 2 not configured
vga1 at pci0 dev 14 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb3 at pci0 dev 15 function 0 ServerWorks CSB5 SouthBridge rev 0x93
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SN-124, N102 SCSI0 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: apic 4 
int 5 (irq 5), version 1.0, legacy support
ohci0: SMM does not respond, resetting
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 PCI rev 0x00
pchb4 at pci0 dev 16 function 0 ServerWorks CIOBX2 rev 0x03
pchb5 at pci0 dev 16 function 2 ServerWorks CIOBX2 rev 0x03
pci3 at pchb5 bus 4
ppb0 at pci3 dev 8 function 0 vendor Intel, unknown product 0x309 rev 0x01
pci4 at ppb0 bus 5
Adaptec AIC-7899F rev 0x01 at pci4 dev 6 function 0 not configured
Adaptec AIC-7899F rev 0x01 at pci4 dev 6 function 1 not configured
aac0 at pci3 dev 8 function 1 Dell PERC 3/Di rev 0x01: apic 5 int 14 (irq 10)
aac0: i960RX 100MHz, 126MB, optional battery 

Re: Portmap non-local set / unset attempt

2005-09-22 Thread Theo de Raadt
 I'm receiving the following messages from portmap when starting Legato
 Networker's nsrexecd. The nsrexecd I'm running is the Linux version under
 emulation:
 
 portmap[16083]: non-local unset attempt (might be from 127.0.0.1)
 portmap[16083]: non-local set attempt (might be from 127.0.0.1)
 
 The program (number 390113) does not successfully register with the
 portmapper:
 
 # rpcinfo -p localhost
    program vers proto   port
     100000    2   tcp    111  portmapper
     100000    2   udp    111  portmapper
 
 Is this a security feature?

Yes, most definitely.

Changes made years ago slightly changed the communications API between
libc/rpc and the portmap daemon, to make it much harder to generate
spoofed RPC mappings.  An attacker would make such mappings point one
RPC service at another RPC service, and with the right forwarding
games you can get mis-interpretation by an end point resulting in some
risks.

Therefore our portmap sets up special 127.0.0.1 local bound sockets,
and only accepts set/unset operations on those sockets.  The *:111
sockets can still be used to make other requests, but not deal with
binding establishment.

The program you are using is linked against a RPC library that is
using your external address to change the mappings, i.e. perhaps your
external IP address.  That is the old legacy way that the Sun code
used to do it, and it was a bug, and it is full of risk.

It's astounding that other people have not fixed this yet, considering
that I did the work on that nearly 10 years ago.

revision 1.3
date: 1996/06/29 19:03:50;  author: deraadt;  state: Exp;  lines: +135 -64
multiple receivers, port checking. testing help from bitblt

People keep yammering this bullshit about "Security is a process".
Bullshit!  Lies!  It's about paying attention to the frigging details
when they are right in front of your face.  And it is very clear other
vendors do not pay attention to the details, considering the work I
did here was talked about all over BUGTRAQ back in that month.  No
wonder these vendors and their blogboys have to have this "Security is
a process" mantra to protect themselves from looking bad.

 Is there a way to get nrsexecd to register
 with the portmapper?

You cannot get a Linux binary to talk to our portmap, without
modifying our portmap code to not have this security check.  And that
would be a shame.

Sorry...



Re: Portmap non-local set / unset attempt

2005-09-22 Thread Michael Favinsky
That's what I thought. I have no idea why Legato continues to use portmapper
at all. They've been telling me they're going to stop using it since at
least 1999.

I actually came up with a workaround that I think might expose a potential
issue in rpcinfo.

Since I couldn't get nsrexecd to automatically register with the portmapper,
I tried to register it manually using rpcinfo -s. An entry was added, but it
made the protocol number 2 instead of tcp (6), which is what I need.

# rpcinfo -s 390113 1 7937
# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    390113    1     2   7937
# rpcinfo -t localhost 390113
rpcinfo: RPC: Program not registered
program 390113 is not available

I looked and couldn't find any way to set the protocol to TCP (6). Looking
at the source for rpcinfo, I found the following:

if ((pmap_set(prog_num, version_num, PF_INET,
    (u_short)port_num)) == 0) {
        fprintf(stderr, "rpcinfo: Could not set registration "
            "for prog %s version %s port %s\n",
            argv[0], argv[1], argv[2]);
        exit(1);
}

Seems like rpcinfo will always set the protocol to the constant PF_INET,
which is actually AF_INET, which is actually 2.

In order to work around this, I created the following short program:

#include <rpc/rpc.h>

int
main(void)
{
        /* program 390113, version 1, protocol 6 (IPPROTO_TCP), port 7937 */
        if (!pmap_set(390113, 1, 6, 7937))
                return 1;
        return 0;
}

Notice the 6 in the 3rd argument to pmap_set, rather than the constant
PF_INET (2).

After deleting the previous portmapper entry and running my little kludge, I
get the following:

# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    390113    1   tcp   7937
# rpcinfo -t localhost 390113
program 390113 version 1 ready and waiting

Which brings me to ask: Should an additional argument be added to rpcinfo -s
to specify a protocol, rather than forcing the constant PF_INET?
 


Userland Compilation Dies

2005-09-22 Thread Chris
Hello.

I had an OBSD system, 3.6.  I went to update it the other day to 3.7,
and everything seemed to work swell.  I followed the instructions from
the upgrade faq, and things seemed to work without a hitch.

I am trying to follow the stable branch, so updated my CVS for src,
ports and X like so:

# cd /usr
# cvs -d$CVSROOT up -Pd

It took its time, but it updated everything without complaint.

I then recompiled the kernel (GENERIC).  This also seemed to go without
a hitch -- almost.  The only thing that seemed to contradict the
documentation was that it said:

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make clean && make depend && make
[...lots of output...]
# make install
  

Replace i386 in the first line with your machine name.

Well, my machine name was nowhere to be found in /usr/src/sys/arch (or
anywhere under /usr/src at all), so I had to use i386.  I don't know if
this is an error in the docs or if something else somewhere got
botched.  I do know that there were no complaints from the system
what-so-ever.  It rebooted very nicely.

Then I went to recompile the userland utilities.  I followed the
documentation:

# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs

Now I am not certain if this is an error in the docs. Should it be setenv DESTDIR=/? (I tried both ways..)

# cd /usr/src
# make build

The compile goes for about 1 hour and 48 minutes, then it crashes:



c++ -O2 -fno-implicit-templates -idirafter /=/usr/include/g++ -I/usr/src/gnu/egcs/libio -I/usr/src/gnu/egcs/libio/obj -nostdinc -idirafter /=/usr/include -c /usr/src/gnu/egcs/libio/editbuf.cc -o editbuf.o
In file included from /usr/src/gnu/egcs/libio/editbuf.cc:31:
/usr/src/gnu/egcs/libio/editbuf.h:79: error: friend declaration requires
   class-key, i.e. `friend struct edit_buffer'
/usr/src/gnu/egcs/libio/editbuf.cc: In member function `edit_buffer*
   edit_mark::buffer()':
/usr/src/gnu/egcs/libio/editbuf.cc:648: warning: invalid access to non-static
   data member `edit_buffer::end_mark' of NULL object
/usr/src/gnu/egcs/libio/editbuf.cc:648: warning: (perhaps the `offsetof' macro
   was used incorrectly)
*** Error code 1

Stop in /usr/src/gnu/egcs/libio.
*** Error code 1

Stop in /usr/src/gnu/egcs/libio (line 48 of /usr/src/gnu/egcs/libio/Makefile.bsd-wrapper).
*** Error code 1

Stop in /usr/src/gnu/egcs.
*** Error code 1

Stop in /usr/src/gnu/lib.
*** Error code 1

Stop in /usr/src (line 72 of Makefile).

===

I have gone through these steps repeatedly, and I get the same results every time.

Can someone please give me a hand?

Thanks!


Chris



My system:
IBM thinkpad 390e
256 megs of ram
30 gb hard drive (21gb free)
pentium II processor


dmesg:
==
OpenBSD 3.7 (RAMDISK_CD) #573: Sun Mar 20 00:27:05 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel Celeron (GenuineIntel 686-class, 256KB L2 cache) 299 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 267952128 (261672K)
avail mem = 238706688 (233112K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7c) BIOS, date 11/17/99, BIOS32 rev. 0 @ 0xfd7a0
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc0000/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Neomagic Magicgraph NM2200 rev 0x20
wsdisplay0 at vga1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK3021GAS
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRN-8241B, 1.16 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt 

Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-22 Thread Marco Peereboom
What do the crashes look like?

Feel free to contact Adaptec and let them know that you are having issues with 
their raid card.

On Thu, Sep 22, 2005 at 01:10:30PM -0500, eric wrote:
 I have a Dell 2650 with an Adaptec controller. This machine is constantly
 crashing due to either a high load or some sort of a kernel panic. 
 
 I submitted the following bug report a while ago...
 
 http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4494
 
 I know that Adaptec support was dropped in 3.7, and I wish I didn't have
 this piece of shit to deal with. Unfortunately there's no replacement
 hardware right now.
 
 Can I do a update to -CURRENT and expect the controller to be supported? How
 painful would this be? I'd be coming from 3.6 with patches.
 
 Any thoughts are appreciated. Thanks.
 
 - eric
 
 dmesg follows...
 
 OpenBSD 3.6 (GENERIC.MP) #173: Fri Sep 17 12:52:31 MDT 2004
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) XEON(TM) CPU 2.40GHz (GenuineIntel 686-class) 2.39 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
 real mem  = 1073262592 (1048108K)
 avail mem = 972668928 (949872K)
 using 4278 buffers containing 53764096 bytes (52504K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(00) BIOS, date 06/10/02, BIOS32 rev. 0 @ 0xffe90
 pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc490/176 (9 entries)
 pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 SouthBridge 
 rev 0x00)
 pcibios0: PCI bus #0 is the last bus
 bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000! 0xcc000/0x600 0xec000/0x4000!
 mainbus0: Intel MP Specification (Version 1.4) (DELL PE 0121 )
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 99 MHz
 cpu1 at mainbus0: apid 2 (application processor)
 cpu1: Intel(R) XEON(TM) CPU 2.40GHz (GenuineIntel 686-class) 2.39 GHz
 cpu1: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
 mainbus0: bus 0 is type PCI   
 mainbus0: bus 1 is type PCI   
 mainbus0: bus 2 is type PCI   
 mainbus0: bus 3 is type PCI   
 mainbus0: bus 4 is type PCI   
 mainbus0: bus 5 is type PCI   
 mainbus0: bus 6 is type ISA   
 ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 11, 16 pins
 ioapic0: misconfigured as apic 0, remapped to apic 4
 ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 11, 16 pins
 ioapic1: misconfigured as apic 0, remapped to apic 5
 ioapic2 at mainbus0: apid 6 pa 0xfec02000, version 11, 16 pins
 ioapic2: misconfigured as apic 0, remapped to apic 6
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 ServerWorks CMIC_LE Host rev 0x13
 pchb1 at pci0 dev 0 function 1 ServerWorks CMIC_LE Host rev 0x00
 pci1 at pchb1 bus 3
 bge0 at pci1 dev 6 function 0 Broadcom BCM5701 rev 0x15: apic 5 int 12 (irq 
 7) address 00:06:5b:3f:f5:9f
 brgphy0 at bge0 phy 1: BCM5701 10/100/1000baseT PHY, rev. 0
 bge1 at pci1 dev 8 function 0 Broadcom BCM5701 rev 0x15: apic 5 int 13 (irq 
 11) address 00:06:5b:3f:f5:a0
 brgphy1 at bge1 phy 1: BCM5701 10/100/1000baseT PHY, rev. 0
 pchb2 at pci0 dev 0 function 2 vendor ServerWorks, unknown product 0x0 rev 
 0x00
 pci2 at pchb2 bus 1
 em0 at pci2 dev 6 function 0 Intel PRO/1000XF (82544EI) rev 0x02: apic 5 
 int 0 (irq 11), address: 00:02:b3:9a:ed:b9
 em1 at pci2 dev 8 function 0 Intel PRO/1000XF (82544EI) rev 0x02: apic 5 
 int 4 (irq 10), address: 00:02:b3:9a:f0:fc
 vendor Dell, unknown product 0xc (class undefined unknown subclass 0x00, 
 rev 0x00) at pci0 dev 4 function 0 not configured
 Dell PERC 3/Di rev 0x00 at pci0 dev 4 function 1 not configured
 vendor Dell, unknown product 0xd (class serial bus subclass IPMI, rev 0x00) 
 at pci0 dev 4 function 2 not configured
 vga1 at pci0 dev 14 function 0 ATI Rage XL rev 0x27
 wsdisplay0 at vga1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 pchb3 at pci0 dev 15 function 0 ServerWorks CSB5 SouthBridge rev 0x93
 pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
 atapiscsi0 at pciide0 channel 0 drive 0
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SN-124, N102 SCSI0 5/cdrom 
 removable
 cd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
 ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: apic 4 
 int 5 (irq 5), version 1.0, legacy support
 ohci0: SMM does not respond, resetting
 usb0 at ohci0: USB revision 1.0
 uhub0 at usb0
 uhub0: ServerWorks OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub0: 4 ports with 4 removable, self powered
 pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 PCI rev 0x00
 pchb4 at pci0 dev 16 function 0 ServerWorks CIOBX2 rev 0x03
 pchb5 at pci0 dev 16 function 2 ServerWorks CIOBX2 rev 0x03
 pci3 at pchb5 bus 4
 ppb0 at pci3 dev 8 function 0 vendor Intel, unknown product 0x309 

Re: Userland Compilation Dies

2005-09-22 Thread Greg Thomas
On 9/22/05, Chris [EMAIL PROTECTED] wrote:

 Hello.

 I had an OBSD system, 3.6. I went to update it the other day to 3.7,
 and everything seemed to work swell. I followed the instructions from
 the upgrade faq, and things seemed to work without a hitch.

 I am trying to follow the stable branch, so updated my CVS for src,
 ports and X like so:

 # cd /usr
 # cvs -d$CVSROOT up -Pd

 It took its time, but it updated everything without complaint.



That's -current, not -stable.

Greg



Re: Userland Compilation Dies

2005-09-22 Thread Stuart Henderson

--On 22 September 2005 16:52 -0400, Chris wrote:


I am trying to follow the stable branch, so updated my CVS for src,
ports and X like so:

# cd /usr
# cvs -d$CVSROOT up -Pd


That's -current. Add -rOPENBSD_3_7 for 3.7-stable, or follow 
http://www.openbsd.org/faq/current.html updating beyond 3.7-stable 
(recompile C compiler, libstdc++, etc).



Replace i386 in the first line with your machine name.


That's 'machine' as in 'what uname -m tells you' (i386, sparc64, 
macppc, hppa, [...]), not hostname.
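
The correction above is the root of the build failure Chris reported: a tree updated with a plain `cvs up -Pd` has no sticky tag and follows -current, while the installed 3.7 system expects OPENBSD_3_7. The POSIX sh script below is an added example, not code from this thread or from OpenBSD itself; it reads the sticky tag CVS records in each tree's `CVS/Tag` file and compares it with the release `uname -r` reports, so the check can run before `make build`. Assumptions: CVS writes the tag as `TOPENBSD_3_7` for a `-rOPENBSD_3_7` checkout and writes no `Tag` file at all for the trunk, and the usual tree locations on a 3.7 box are /usr/src, /usr/ports and /usr/XF4.

```sh
#!/bin/sh
# Report which CVS branch an OpenBSD source tree tracks and compare it
# with the running release, so a 'make build' is not started on a
# -current checkout by mistake. Added example; not part of the thread.

# Print the sticky tag recorded in DIR/CVS/Tag, or "current" when the
# checkout has no sticky tag (a plain 'cvs up' without -r leaves none,
# which is what tracking -current looks like on disk).
obsd_branch() {
    tagfile="$1/CVS/Tag"
    if [ ! -f "$tagfile" ]; then
        echo current
        return 0
    fi
    # CVS prefixes the tag with one letter: T = branch or tag,
    # N = non-branch tag, D = date. Strip it and print the rest.
    sed 's/^[TND]//' "$tagfile"
}

# Map a release string as printed by 'uname -r' (e.g. 3.7) to the
# matching -stable branch tag (OPENBSD_3_7).
expected_tag() {
    echo "OPENBSD_$1" | tr . _
}

# Return 0 when DIR tracks the -stable branch of RELEASE, 1 otherwise,
# printing a one-line verdict either way.
verify_tree() {
    dir="$1"; release="$2"
    have=$(obsd_branch "$dir")
    want=$(expected_tag "$release")
    if [ "$have" = "$want" ]; then
        echo "$dir: $have (ok)"
        return 0
    fi
    echo "$dir: $have, expected $want"
    return 1
}

# Check the usual trees against the running system (assumed paths).
# Returns 1 if any present tree is off the expected branch.
check_system_trees() {
    rel=$(uname -r)
    status=0
    for d in /usr/src /usr/ports /usr/XF4; do
        if [ -d "$d" ]; then
            verify_tree "$d" "$rel" || status=1
        fi
    done
    return $status
}

# Stand-alone use: ./cvs-branch-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_system_trees
fi
```

Run it with `--check` before `make build`; a tree that reports `current` on a release box is the situation described above, and `cvs up -rOPENBSD_3_7 -Pd` puts it back on the branch.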




Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-22 Thread eric
On Thu, 2005-09-22 at 16:06:39 -0500, Marco Peereboom proclaimed...

 What do the crashes look like?
  
Sometimes I can get to DDB, other times it will just crash so bad I can't
even get console.

I could get this much out of it when I did the PR report.

uvm_fault(0xd7e12a20, 0xcffa5000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      pmap_enter+0xdd:        movl    0(%edx,%eax,4),%edx
ddb{1} 
Entering Direct mode...Server = foo

ddb{1} trace
pmap_enter(d05ff6c0,e973b000,36ce8000,7,23,e973b000,e9e7dc78,d7e00cd4) at pmap_enter+0xdd
uvm_fault(d05c3e60,e973b000,0,3,80) at uvm_fault+0x1165
trap() at trap+0x5ef
--- trap (number 6) ---
em_encap(d1895800,d7da6200,0,0) at em_encap+0x3cd
em_start_locked(d1895830,d7b9c01a,4a8,d7b9c010,d1895830,d19a3000,d004,d02453fe,
e9e7de90,d7b9c002,e9e7de40,d02457f6,d1895830,d7da6200,e9e7de90,d024428e,30,d7da
6200,e9e7de90,0,d1952180,d7da000b,e9e7dea0,d0243780,d19a3000,d1895830,d7da6200,
d024376d,80,e9e7de90,d7da6200,e9e7de9e,d7da6200,d19a3000,2000,d01dab41,e9e7
de98,e9e7de9c,d01ebcba,b0,d1895830,d1895030,66699000,6a4,fc7f35d6,a0008,e9e
7ded0,d024342a,d19a3000,d7da6200,d7e04000,d01ec011,0,d01020c6,e9e7deb8,1,d05e6d
20,d7e00cd4,e9e7def0,d01021f5,c) at em_start_locked+0x6e
em_start(d1895830,d7da6200,e9e7de90,d024428e,30) at em_start+0x20
bridge_ifenqueue(d19a3000,d1895830,d7da6200,d024376d,80) at bridge_ifenqueue+0xce
bridgeintr_frame(d19a3000,d7da6200,d7e04000,d01ec011) at bridgeintr_frame+0x2f0

bridgeintr(c,d7e00cd4,d05e2880,d03146cd,e9e7df18) at bridgeintr+0x1e
Xsoftnet() at Xsoftnet+0x59
--- interrupt ---
end(4,9,3c0f6bc8,64,d0102100) at 0xe9e7df80
ddb{1} ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
   255  21564  21564  32767  3   0x2004186  bpf        ngrep
 21564  19514  21564      0  3   0x2004087  pause      sh
 19514   7545  19514   1002  3   0x2004086  pause      ksh
  7545  21602  21602   1002  3   0x2000184  select     sshd
 21602  13521  21602      0  3   0x2004084  netio      sshd
  6527  23131   6527   1002  3   0x2004086  ttyin      ksh
 23131   2010   2010   1002  3   0x2000184  select     sshd
  2010  13521   2010      0  3   0x2004084  netio      sshd
 13521      1  13521      0  3       0x284  select     sshd
  1092   2849  29166      0  3       0x284  select     ntam
 22697      1  22697      0  3   0x2004086  ttyin      getty
 30168      1  30168      0  3   0x2004086  ttyin      getty
 11773      1  11773      0  3       0x284  select     cron
 31414      1  31414      0  3       0x287  nanosleep  barnyard
 27805      1  27805  65532  2       0x104             snort
* 2849  29166  29166      0  7         0x4             ntam
 29166      1  29166      0  7         0x4             ntam
 10053      1  10053      0  3   0x2040184  select     sendmail
 26108      0      0      0  3   0x2100204  acct       acct
 14928      1  14928      0  3       0x284  poll       ntpd
 15437      1   7617     83  3   0x2000186  poll       ntpd
  5646  31689  31689     74  3   0x2000184  bpf        pflogd
 31689      1  31689      0  3       0x284  netio      pflogd
 17322   6669   6669     73  2   0x2000184             syslogd
  6669      1   6669      0  3       0x284  netio      syslogd
    10      0      0      0  3   0x2100204  usbtsk     usbtask
     9      0      0      0  3   0x2100204  usbevt     usb0
     8      0      0      0  3   0x2100204  kmalloc    kmthread
     7      0      0      0  3   0x2100204  crypto_wa  crypto
     6      0      0      0  3   0x2100204  aiodoned   aiodoned
     5      0      0      0  3   0x2100204  syncer     update
     4      0      0      0  3   0x2100204  cleaner    cleaner
     3      0      0      0  3    0x100204  reaper     reaper
     2      0      0      0  3   0x2100204  pgdaemon   pagedaemon
     1      0      1      0  3   0x2004084  wait       init
     0     -1      0      0  3   0x2080204  scheduler  swapper

 Feel free to contact Adaptec and let them know that you are having issues
 with their raid card.

Last time I did that, I got the standard "Open wha?"

They're idiots, and we don't buy their stuff anymore. Unfortunately, I'm an
idiot for still having to run one of them :)

Thanks.

- Eric



can't recognize my cdrom, here is my dmesg

2005-09-22 Thread Csaba Nemes
Hi all

it boots from an unofficial cdrom, but it doesn't find my cdrom
here is my dmesg:

OpenBSD 3.7 (RAMDISK_CD) #573: Sun Mar 20 00:27:05 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 301 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 133734400 (130600K)
avail mem = 116506624 (113776K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(12) BIOS, date 03/02/99, BIOS32 rev. 0 @ 0xfb370
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb7ec
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde40/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0x06
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Nvidia Riva TNT2 Ultra rev 0x11
wsdisplay0 at vga1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C596A ISA rev 0x07
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA33, channel
0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST34310A
wd0: 16-sector PIO, LBA, 4111MB, 8420832 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
pciide0:0:1: device timeout waiting to send SCSI packet
pciide0:0:1: device timeout waiting to send SCSI packet
pciide0:0:1: device timeout waiting to send SCSI packet
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x02: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
VIA VT82C596 Power Mgmt rev 0x00 at pci0 dev 7 function 3 not configured
sis0 at pci0 dev 10 function 0 SIS 900 10/100BaseTX rev 0x02: irq 12,
address 00:06:4f:07:5b:59
ukphy0 at sis0 phy 0: Generic IEEE 802.3u media interface
ukphy0: OUI 0x000760, model 0x0000, rev. 0
Aureal Vortex 1 rev 0x02 at pci0 dev 11 function 0 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using
wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: 1.44MB 80 cyl, 2 head, 18 sec
biomask efe5 netmask ffe5 ttymask ffe7
rd0: fixed, 3800 blocks
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02

I've found a very similar post at:
http://monkey.org/openbsd/archive/misc/0201/msg00678.html
but i am not sure what to do?
any suggestion is appreciated
eg. is it the same problem? how can i disable pciide at a cd install? Is
there any other solution? Where is the mistake? cdrom? chip? where can i
find more infos, i've seen pciide, but it didn't tell me much.

thanks
csab.

--

Milan, bocsass meg.
(Cs. Nemes)



Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-22 Thread Stuart Henderson

--On 22 September 2005 13:10 -0500, eric wrote:


I have a Dell 2650 with an Adaptec controller. This machine is
constantly crashing due to either a high load or some sort of a
kernel panic.

I know that Adaptec support was dropped in 3.7, and I wish I didn't
have this piece of shit to deal with. Unfortunately there's no
replacement hardware right now.


Support was removed from GENERIC as there's not enough freely available 
information to work around the hardware and firmware's problems, but 
the driver's still there if you feel like building your own kernel. I 
don't expect it would be worse than what you have now, at least, and 
3.6 is nearly unsupported anyway, so you might as well at least have 
up-to-date OS code. Who knows, if you don't write much to disk, you 
might be alright for weeks at a time.


Probably won't make a difference, but can't that em0 be shuffled to 
its own irq, maybe by turning off something unused in the bios (fdc0? 
pccom1?) in one of your enforced-unscheduled-downtime windows?



Can I do a update to -CURRENT and expect the controller to be
supported? How painful would this be? I'd be coming from 3.6 with
patches.


Easiest is probably to roll your own release on another box, edit one 
of the ramdisk kernels to include aac (likely removing something else 
to make space), then do a standard CD/PXE/floppy upgrade. This might be 
familiar if you've experimented with raidframe.. This way, you get 
bootable media images for when it breaks.


If you don't do the build on another box, you'll be building an OS 
release on a box which you know is unstable - not really a recipe for 
producing binaries you can trust.


There's the easier but more expensive way which you already know about, 
plug in a perc3sc/dc, perc4, etc.



Any thoughts are appreciated. Thanks.


Adaptec have taken the SCSI sacrifices up a notch, goats won't appease 
them any more, it's free management utilities or nothing.. (the freebsd 
driver for it is the only one I've seen survive untarring 5-10 OS 
source trees at once, though it's rumoured there's some linux driver 
which works ok with some firmware version but I couldn't find it when 
someone wanted me to make a 2650 work with the onboard raid).


If it does still happen on 3.{7?,8,current} you might want to try the 
system on a non-RAID drive with GENERIC or GENERIC.MP to help pinpoint 
the problem.


But, of course the problem might not be aac-related.



Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-22 Thread Marco Peereboom
Have you by any chance tried 3.8 with aac enabled?
This seems to go wrong in em and not aac.

On Thu, Sep 22, 2005 at 04:49:14PM -0500, eric wrote:
 On Thu, 2005-09-22 at 16:06:39 -0500, Marco Peereboom proclaimed...
 
  What do the crashes look like?
   
 Sometimes I can get to DDB, other times it will just crash so bad I can't
 even get console.
 
 I could get this much out of it when I did the PR report.
 
 uvm_fault(0xd7e12a20, 0xcffa5000, 0, 1) -> e
 kernel: page fault trap, code=0
 Stopped at      pmap_enter+0xdd:        movl    0(%edx,%eax,4),%edx
 ddb{1} 
 Entering Direct mode...Server = foo
 
 ddb{1} trace
 pmap_enter(d05ff6c0,e973b000,36ce8000,7,23,e973b000,e9e7dc78,d7e00cd4) at pmap_enter+0xdd
 uvm_fault(d05c3e60,e973b000,0,3,80) at uvm_fault+0x1165
 trap() at trap+0x5ef
 --- trap (number 6) ---
 em_encap(d1895800,d7da6200,0,0) at em_encap+0x3cd
 em_start_locked(d1895830,d7b9c01a,4a8,d7b9c010,d1895830,d19a3000,d004,d02453fe,
 e9e7de90,d7b9c002,e9e7de40,d02457f6,d1895830,d7da6200,e9e7de90,d024428e,30,d7da
 6200,e9e7de90,0,d1952180,d7da000b,e9e7dea0,d0243780,d19a3000,d1895830,d7da6200,
 d024376d,80,e9e7de90,d7da6200,e9e7de9e,d7da6200,d19a3000,2000,d01dab41,e9e7
 de98,e9e7de9c,d01ebcba,b0,d1895830,d1895030,66699000,6a4,fc7f35d6,a0008,e9e
 7ded0,d024342a,d19a3000,d7da6200,d7e04000,d01ec011,0,d01020c6,e9e7deb8,1,d05e6d
 20,d7e00cd4,e9e7def0,d01021f5,c) at em_start_locked+0x6e
 em_start(d1895830,d7da6200,e9e7de90,d024428e,30) at em_start+0x20
 bridge_ifenqueue(d19a3000,d1895830,d7da6200,d024376d,80) at bridge_ifenqueue+0xce
 bridgeintr_frame(d19a3000,d7da6200,d7e04000,d01ec011) at bridgeintr_frame+0x2f0
 
 bridgeintr(c,d7e00cd4,d05e2880,d03146cd,e9e7df18) at bridgeintr+0x1e
 Xsoftnet() at Xsoftnet+0x59
 --- interrupt ---
 end(4,9,3c0f6bc8,64,d0102100) at 0xe9e7df80
 ddb{1} ps
    PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
    255  21564  21564  32767  3   0x2004186  bpf        ngrep
  21564  19514  21564      0  3   0x2004087  pause      sh
  19514   7545  19514   1002  3   0x2004086  pause      ksh
   7545  21602  21602   1002  3   0x2000184  select     sshd
  21602  13521  21602      0  3   0x2004084  netio      sshd
   6527  23131   6527   1002  3   0x2004086  ttyin      ksh
  23131   2010   2010   1002  3   0x2000184  select     sshd
   2010  13521   2010      0  3   0x2004084  netio      sshd
  13521      1  13521      0  3       0x284  select     sshd
   1092   2849  29166      0  3       0x284  select     ntam
  22697      1  22697      0  3   0x2004086  ttyin      getty
  30168      1  30168      0  3   0x2004086  ttyin      getty
  11773      1  11773      0  3       0x284  select     cron
  31414      1  31414      0  3       0x287  nanosleep  barnyard
  27805      1  27805  65532  2       0x104             snort
 * 2849  29166  29166      0  7         0x4             ntam
  29166      1  29166      0  7         0x4             ntam
  10053      1  10053      0  3   0x2040184  select     sendmail
  26108      0      0      0  3   0x2100204  acct       acct
  14928      1  14928      0  3       0x284  poll       ntpd
  15437      1   7617     83  3   0x2000186  poll       ntpd
   5646  31689  31689     74  3   0x2000184  bpf        pflogd
  31689      1  31689      0  3       0x284  netio      pflogd
  17322   6669   6669     73  2   0x2000184             syslogd
   6669      1   6669      0  3       0x284  netio      syslogd
     10      0      0      0  3   0x2100204  usbtsk     usbtask
      9      0      0      0  3   0x2100204  usbevt     usb0
      8      0      0      0  3   0x2100204  kmalloc    kmthread
      7      0      0      0  3   0x2100204  crypto_wa  crypto
      6      0      0      0  3   0x2100204  aiodoned   aiodoned
      5      0      0      0  3   0x2100204  syncer     update
      4      0      0      0  3   0x2100204  cleaner    cleaner
      3      0      0      0  3    0x100204  reaper     reaper
      2      0      0      0  3   0x2100204  pgdaemon   pagedaemon
      1      0      1      0  3   0x2004084  wait       init
      0     -1      0      0  3   0x2080204  scheduler  swapper
 
  Feel free to contact Adaptec and let them know that you are having issues
  with their raid card.
 
 Last time I did that, I got the standard "Open wha?"
 
 They're idiots, and we don't buy their stuff anymore. Unfortunately, I'm an
 idiot for still having to run one of them :)
 
 Thanks.
 
 - Eric



Re: Userland Compilation Dies

2005-09-22 Thread Nick Holland
Stuart Henderson wrote:
 --On 22 September 2005 16:52 -0400, Chris wrote:
...
 Replace i386 in the first line with your machine name.
 
 That's 'machine' as in 'what uname -m tells you' (i386, sparc64, 
 macppc, hppa, [...]), not hostname.

That was somewhat unclear on my part.  Fixed now.

Nick.



APM configuration question

2005-09-22 Thread Emil Khatib
Hi everybody
I've found out that OBSD supports APM; but googling around I haven't found
how to enable this feature. Is there any option to enable in the kernel with
config or recompiling the kernel?

Sorry if it's a dumb question :P

(By the way, is APM supported on AMD64?)



Re: Portmap non-local set / unset attempt

2005-09-22 Thread Clint M. Sand
On Thu, Sep 22, 2005 at 02:02:13PM -0600, Theo de Raadt wrote:

snip

 People keep yammering this bullshit about Security is a process.
 Bullshit!  Lies!  It's about paying attention to the frigging details
 when they are right in front of your face.  And it is very clear other
 vendors do not pay attention to the details, considering the work I
 did here was talked about all over BUGTRAQ back in that month.  No
 wonder these vendors and their blogboys have to have this Security is
 a process mantra to protect themselves from looking bad.
 


Security is a process is intended to mean 2 things. One is that the
idea that you can set and forget anything and think it's somehow
secure is a joke. To secure a network includes at a minimum, keeping
up with vendor patches for example. Processes like patch management help
keep systems secure. It does not say Security is ONLY a process.

Secondly, it is meant to refute the moronic idea that some admins seem 
to have, that buying any product makes you secure. Prevalent is the
idea for example that if you have a firewall then you are now secure. 
Or, I have Norton AntiVirus so now my PC is secured. 



Re: Portmap non-local set / unset attempt

2005-09-22 Thread Theo de Raadt
  People keep yammering this bullshit about Security is a process.
  Bullshit!  Lies!  It's about paying attention to the frigging details
  when they are right in front of your face.  And it is very clear other
  vendors do not pay attention to the details, considering the work I
  did here was talked about all over BUGTRAQ back in that month.  No
  wonder these vendors and their blogboys have to have this Security is
  a process mantra to protect themselves from looking bad.
  
 
 
 Security is a process is intended to mean 2 things. One is that the
 idea that you can set and forget anything and think it's somehow
 secure is a joke. To secure a network includes at a minimum, keeping
 up with vendor patches for example. Processes like patch management help
 keep systems secure. It does not say Security is ONLY a process.
 
 Secondly, it is meant to refute the moronic idea that some admins seem 
 to have, that buying any product makes you secure. Prevalent is the
 idea for example that if you have a firewall then you are now secure. 
 Or, I have Norton AntiVirus so now my PC is secured. 

No, no no.

You are playing the same semantic games that avoid responsibility at
the ENGINEERING and PRODUCT DEVELOPMENT STAGES.

It's so very very Microsoft.

Just like the air-conditioning technicians I keep firing because they
can't read schematics and charts.

Which is why I now know MORE about air-conditioners than most of the
technicians who come here.

The phrase, and everything you said, is all excuses for the vendors.

It IS POSSIBLE to set something up and have it be secure and NOT TOUCH
IT, because many people have OpenBSD machines running older releases
running without any modification for YEARS now, RISK FREE, without
having to update ANY THING.



Re: APM configuration question

2005-09-22 Thread Marco Peereboom
On Fri, Sep 23, 2005 at 02:34:18AM +0200, Emil Khatib wrote:
 Hi everybody
 I've found out that OBSD supports APM; but googling around I haven't found
 how to enable this feature. Is there any option to enable in the kernel with
 config or recompiling the kernel?

It's enabled by default on i386.  OpenBSD is not Linux; there is no reason to
not enable this so it isn't even a knob.

 
 Sorry if it's a dumb question :P

It sort of is.

 
 (By the way, is APM supported on AMD64?)
 

[EMAIL PROTECTED] ~]# cd /sys/arch/amd64/conf/   
[EMAIL PROTECTED] conf]# grep apm *
crickets

So, no.  It'll require ACPI instead which is still heavily under development.



Re: Portmap non-local set / unset attempt

2005-09-22 Thread Theo de Raadt
 Which is why I now know MORE about air-conditioners than most of the
 technicians who come here.
 
 The phrase, and everything you said, is all excuses for the vendors.

I bet that the air-conditioner technicians believe that
"Air-conditioner maintenance is a process."

Which is why they can never do a proper job.

It is a cop-out when they say it, it is a cop-out when a unix vendor
says it, and it is a cop-out whenever ANYONE SAYS IT.



Re: Portmap non-local set / unset attempt

2005-09-22 Thread Clint M. Sand
On Thu, Sep 22, 2005 at 07:09:12PM -0600, Theo de Raadt wrote:
   People keep yammering this bullshit about Security is a process.
   Bullshit!  Lies!  It's about paying attention to the frigging details
   when they are right in front of your face.  And it is very clear other
   vendors do not pay attention to the details, considering the work I
   did here was talked about all over BUGTRAQ back in that month.  No
   wonder these vendors and their blogboys have to have this Security is
   a process mantra to protect themselves from looking bad.
   
  
  
  Security is a process is intended to mean 2 things. One is that the
  idea that you can set and forget anything and think it's somehow
  secure is a joke. To secure a network includes at a minimum, keeping
  up with vendor patches for example. Processes like patch management help
  keep systems secure. It does not say Security is ONLY a process.
  
  Secondly, it is meant to refute the moronic idea that some admins seem 
  to have, that buying any product makes you secure. Prevalent is the
  idea for example that if you have a firewall then you are now secure. 
  Or, I have Norton AntiVirus so now my PC is secured. 
 
 No, no no.
 
 You are playing the same semantic games that avoid responsibility at
 the ENGINEERING and PRODUCT DEVELOPMENT STAGES.
 
 It's so very very Microsoft.
 
 Just like the air-conditioning technicians I keep firing because they
 can't read schematics and charts.
 
 Which is why I now know MORE about air-conditioners than most of the
 technicians who come here.
 
 The phrase, and everything you said, is all excuses for the vendors.
 
 It IS POSSIBLE to set something up and have it be secure and NOT TOUCH
 IT, because many people have OpenBSD machines running older releases
 running without any modification for YEARS now, RISK FREE, without
 having to update ANY THING.

No, you can put an openbsd box up and leave it for years with root login
enabled and "password" for a password. It takes more than correct code.
It's correct code plus correct usage. I think the GOBBLES sshd exploit
is proof enough that set and forget is not risk free. 

Security is everything you've ever said, plus a process.



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread Ted Unangst
On Thu, 22 Sep 2005, nate wrote:

 Can I run with 200k states? 500k ? 1M states? 'top' reads
 1833MB of memory is available. The docs say that 32MB
 is enough for ~30k states. so in theory memory wise at
 least this box should be able to handle at least
 1.6M states. Not that I plan to keep that much!

if it's 1k states per MB RAM, you're into trouble at 300k.  the kernel 
only has so much space to play in.

-- 
And that's why I always keep a bottle of acid handy at my bedside.



RE: Re: Portmap non-local set / unset attempt

2005-09-22 Thread tony
Security is everything you've ever said, plus a
process.

No. security does not require the process.
Attempted security (that doesn't quite work) requires a process.
Like the difference between does work and should work.



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread Vinicius Pavanelli Vianna
Well,

I'm running a similar setup, only Xeon 2.4 dual and running with 300k
states, the info so far is:

State Table                          Total             Rate
  current entries                    89976
  searches                     20496469487        54332.6/s
  inserts                         98362130          260.7/s
  removals                        98272154          260.5/s


load averages:  0.87,  0.64,  0.52                          00:22:32
39 processes:  38 idle, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Memory: Real: 19M/234M act/tot  Free: 1780M  Swap: 0K/2048M used/tot

That load seems to be coming from some cron jobs, since it was around
0.2/0.3 some days ago.

HTH,
Vinicius

nate wrote:

Greetings

 I don't have a good way to test generating large numbers
of states so I was wondering for a server with 2GB of memory
which all it does is pf how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 em
interfaces (only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes (running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 9

Can I run with 200k states? 500k ? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. so in theory memory wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and
about 250 on the outside (probably will double that in the
next 6 months or less).

thanks

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread Paul Connally
On 9/22/05, nate [EMAIL PROTECTED] wrote:
 Greetings

  I don't have a good way to test generating large numbers
 of states so I was wondering for a server with 2GB of memory
 which all it does is pf how many states can it handle? I
 started with the default of 10k, exhausted that pretty quick,
 then upped it to 32k about 3 weeks ago then exhausted that,
 upgraded it to 90k last night, and just now I see it hovering
 at around 70k.

 OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 em
 interfaces (only 1 of which is being used by pf at this
 time for state info)

Been wondering what the max states are myself.  I've got a 3.7
firewall box set up that's currently routing around 20-30Mb/s (with a
pps rate of around 2.5-3k), and I've seen state table entries over
100k a couple of times.  I went ahead and set my limit at 200k, and
we've not yet approached that, so I'm just watching it to see if I
need to up it some more.

As far as general resources, the box itself is bored silly.  I
especially like that the interrupts have consistently stayed at zero
(though I'll admit it's got good I/O - Gigabit Ethernet cards
installed in 133Mhz PCI-X slots, which is really the only way to go).


State Table                          Total             Rate
  current entries                    85143
  searches                     23873195139         6541.3/s
  inserts                        393193087          107.7/s
  removals                       393107944          107.7/s

load averages:  0.09,  0.11,  0.08                                    22:54:30
36 processes:  35 idle, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
Memory: Real: 17M/151M act/tot  Free: 853M  Swap: 0K/2048M used/tot

No worries so far.
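The headroom question the thread keeps circling (how close is "current entries" to "set limit states", and how much kernel memory does the limit imply) can be turned into a cron check. Here is an added example that is not part of any post above: a small POSIX sh script that parses the `pfctl -s info` layout quoted in the thread and the `states hard limit` line of `pfctl -s memory`, then estimates memory with the documentation rule of thumb nate cites (32MB for ~30k states, i.e. roughly 1 MB per 1000 states). The SAMPLE_* strings are constructed test input, not output from anyone's firewall; on a live box feed the functions from the real `pfctl` commands instead.

```shell
#!/bin/sh
# Added example: state-table headroom check for pf. Constructed sample input,
# shaped like the pfctl(8) output quoted in the thread.
SAMPLE_INFO='Status: Enabled for 12 days 03:11:07          Debug: Urgent

State Table                          Total             Rate
  current entries                    89976
  searches                     20496469487        54332.6/s
  inserts                         98362130          260.7/s
  removals                        98272154          260.5/s'

# constructed sample of `pfctl -s memory` on a box with "set limit states 90000"
SAMPLE_MEMORY='states        hard limit    90000
src-nodes     hard limit    10000
frags         hard limit     5000'

# current state count from `pfctl -s info` text on stdin
pf_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# configured "set limit states" from `pfctl -s memory` text on stdin
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# integer percentage of the limit in use: pf_state_usage_pct CURRENT LIMIT
pf_state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# rough kernel memory for N states, rounded up to whole MB, using the
# "32MB for ~30k states" documentation figure quoted in the thread
# (assumption: ~1 MB per 1000 states; a real box should be measured)
pf_state_mem_mb() {
    echo $(( ($1 + 999) / 1000 ))
}

# pf_check_states CURRENT LIMIT WARN_PCT: print a one-line summary and return
# non-zero once usage reaches WARN_PCT, so cron can mail before the table fills
pf_check_states() {
    cur=$1; lim=$2; warn=$3
    pct=$(pf_state_usage_pct "$cur" "$lim")
    mem=$(pf_state_mem_mb "$lim")
    printf 'states %s/%s (%s%%), limit needs ~%s MB kernel memory\n' \
        "$cur" "$lim" "$pct" "$mem"
    [ "$pct" -lt "$warn" ]
}

# stand-alone run against the constructed sample; on a live firewall use
#   cur=$(pfctl -s info | pf_current_entries)
#   lim=$(pfctl -s memory | pf_state_limit)
cur=$(printf '%s\n' "$SAMPLE_INFO" | pf_current_entries)
lim=$(printf '%s\n' "$SAMPLE_MEMORY" | pf_state_limit)
pf_check_states "$cur" "$lim" 80 ||
    echo 'WARNING: raise "set limit states" (and check adaptive timeouts) before the table fills'
```

The warning threshold matters because new connections are silently dropped once the limit is hit, and adaptive timeouts only start shortening idle states from adaptive.start onward; watching the percentage rather than the raw count keeps the check valid when the limit is raised later.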