Re: Migration to PF - some questions
On 10/3/05, jared r r spiegel <[EMAIL PROTECTED]> wrote:
> mathematically, yeah, less rules to evaluate = faster, but
> without someone bucking up and making a nice demonstration of why
> they needed to do 'quick' a lot, the ~tri-monthly discussion of
> someone being upset about the last-match thing (on misc@ or pf@)
> is kind of a bit worn out... :/

maybe it is not about people taking care about performance, but rather is related to the way most people used to think (from using other equipment or else).

consider it as reverse polish notation vs. traditional. when i was a child, i used to program my calculator in reverse polish notation, but i also found that it is really difficult to teach some people to understand it. they just used to do it as on paper, with no stacks etc.

with quick/no quick in PF it looks similar. placing block at the beginning and then pass stuff that should pass... it is more convenient to most people i know to write down a rule and be sure that they are done with that, *right at that place*. so they write rules that pass the stuff, and then block everything the fsck else.
Re: detect if a flag-day has happened in the meanwhile
On 10/2/05, Han Boetes <[EMAIL PROTECTED]> wrote: > I am wondering if there is a good way to check if a flag-day has passed if you > have both the new and old kernel. How can I check that? md5 src/sys/*/*.h for both kernels and compare the result.
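One way to automate the comparison suggested in this reply, as an added example that is not from the thread: it digests every `*/*.h` one level below each tree's `sys` directory and reports headers that changed, appeared or disappeared. The function names and the two sample trees are constructed for illustration; a difference only shows that headers changed, not which change it was.

```python
import hashlib
import tempfile
from pathlib import Path


def header_digests(sys_dir):
    """Return {'subdir/file.h': md5 hex digest} for every sys_dir/*/*.h file."""
    root = Path(sys_dir)
    digests = {}
    for path in sorted(root.glob("*/*.h")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.md5(path.read_bytes()).hexdigest()
    return digests


def compare_headers(old_sys, new_sys):
    """Compare two sys trees; return changed, added and removed header names."""
    old, new = header_digests(old_sys), header_digests(new_sys)
    return {
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def build_sample_trees(base):
    """Write two tiny constructed 'sys' trees under base; return their paths."""
    old_sys, new_sys = Path(base, "old", "sys"), Path(base, "new", "sys")
    files = {
        old_sys: {"sys/syscall.h": "#define SYS_example 1\n",
                  "sys/param.h": "#define SAMPLE 1\n",
                  "dev/olddrv.h": "/* constructed */\n"},
        new_sys: {"sys/syscall.h": "#define SYS_example 2\n",
                  "sys/param.h": "#define SAMPLE 1\n",
                  "net/newhdr.h": "/* constructed */\n"},
    }
    for root, members in files.items():
        for rel, text in members.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    return old_sys, new_sys


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old_tree, new_tree = build_sample_trees(tmp)
        report = compare_headers(old_tree, new_tree)
        for kind, names in report.items():
            for name in names:
                print(f"{kind}: {name}")
        print("headers differ" if any(report.values()) else "headers identical")
```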
Re: Migration to PF - some questions
On Sat, Oct 01, 2005 at 04:43:40AM -0500, Travis H. wrote:
>
> Ah, but the matching engine doesn't have to traverse the whole rule
> list that way. Unless pf is doing something really tricky, every
> packet will have to traverse every firewall rule without use of
> quicks. On a complicated, busy firewall setup, this might have a
> noticeable performance impact.

might might might; but does it?

i mean, i'm all about getting a good MPG in my car, but my side-view mirrors *REALLY* aren't hurting the MPG i do get. i might get a better MPG by chopping them off (forget legal crap for a second), and i can just turn and look if i want to make a lane change, sure... but i'm not going to chop them off just because some day i might be really low on gas and might run out but might've been able to make it to the gas station due to having been able to go farther on a tank because i achieved a better MPG because i chopped off my side-view mirrors...

> I agree, with the added use of quick on each of the pass rules.
>
> In fact, you can probably use quick on virtually every rule other than
> that default without any loss of expressiveness.

if you get in to tagging, you might run into situations where quick would quickly f' your entire situation up.

if you want to privately add quick to all your rules, that's what it's there for, naturally; but pf has (in my side-line estimation) been running to the satisfaction of those who contribute code to it for quite some time, so maybe the first-match camp who pops up now and again only really have a chance at changing things when they become valuable to the code-base ?

> It's probably not necessary, and I may offend purists by my
> performance optimizations

probably only offend purists by saying 'performance optimizations' without actually experiencing any suboptimal performance begging to be optimized to begin with.

> pass quick on lo0

'set skip on lo0' up top, unless you need to 'rdr on lo0' or other actions which set skip would kill.

this gives you one fewer vile "rule" for the PC to spend all of its time evaluating, quick or not.

> I also find it useful to use the following rule right after "default deny":
>
> block return on $lan_if

or just set block-policy to return. one less rule. unless you feel better with zonealarm stealth mode :/

> I also don't see why NAT should necessarily occur before the filtering
> rules. It makes more sense to my intuition

i think this is called barking up the wrong tree.

new dude on list + 'my opinion > yours' usually != warm welcome

> Also, I find supporting $macros in pf.conf a little crufty.

diff(1), sendbug(1)

> #! /bin/sh
> lan_if=xl1
> wan_if=ex0
> pfctl -f /dev/stdin <<EOM
> pass quick on lo0
> block all
> pass quick in on $lan_if all keep state
> pass in quick on $wan_if from any to $wan_if proto tcp port = 22 keep state
> [...]
> EOM

omg

pf != iptablesnetfilterchains

doing something like that is not hard with the rest of the tools you've got in the system, which makes it somewhat of a useless complexity for pf to have it. new packet-filtering features are not bloat, but why make pf call out to the shell when you can just choose to make a script or two to make your shell call out to pf?

> But you can easily do
> conditional inclusion of rules, and that's useful for cases like DHCP.

dhclient listens on BPF. pf has no effect on dhclient.

jared

--
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
Re: detect if a flag-day has happened in the meanwhile
STeve Andre' wrote: > On Sunday 02 October 2005 20:41, Han Boetes wrote: > > I am wondering if there is a good way to check if a flag-day > > has passed if you have both the new and old kernel. How can I > > check that? > > Um, given that a flag day is a code change, Obviously, but a specific code change. One in the kernel. If I'm not mistaken a syscall has changed, so if you'd attempt to upgrade your system without rebooting you'd get a message like ``invalid syscall'' while untarring. > the only way I know of is to 1) subscribe to the cvs changes > mailing list and read it. I am. > and 2) Look at the upgrade FAQ often. Not necessary since I use 1) But this is not for me. This is to automate a sysadmin task. So I'd like to automate detecting a ``flag day.'' # Han
Re: Load Balancing
I have been through the FAQS and manuals trying to configure load balancing on my 4 DSL connections.

The connections are all same from the same ISP, each connection terminates into a ADSL router, which gets the IP from the ISP server, the ADSL routers have the following internal addresses

1. 172.31.1.1
2. 172.31.2.1
3. 172.31.3.1
4. 172.31.4.1

The routers cannot be configured in bridge mode. so its not an option to get the IP address on the machine. behind the 5th card is my internal network 192.168.1.0/24.

Now I want to configure the 4 connections to load balance.

DHCP --R1 | 172.31.1.2  rl0 |
DHCP --R2 | 172.31.2.2  rl1 |  LAN
DHCP --R3 | 172.31.3.2  rl2 |  192.168.1.3 ---
DHCP --R4 | 172.31.4.2  rl3 |

The routers are getting Dynamic IPs from the ISP
the firewall also gets dynamic IPs from the ADSL routers (can be changed to static)
the local lan is connected at 192.168.1.3 at rl4.

Here is my pf.conf

##
#Macros
##
ext_if1="rl0"
ext_if2="rl1"
ext_if3='rl2'
#ext_if4="rl3"
int_if="rl4"
ext_gw1="172.31.1.1"
ext_gw2="172.31.2.1"
ext_gw3="172.31.3.1"
#ext_gw4="172.31.4.1"
lan_ip="192.168.1.3"
lan_net = "192.168.1.0/24"

#NAT Rules
#Local Lan to Internet
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
nat on $ext_if4 from $lan_net to any -> ($ext_if4)
#DMZ To Internet
#nat on $ext_if1 from $dmz_net to any -> ($ext_if1)
#Local Lan to DMZ
#nat on $dmz_if from $lan_net to $dmz_net -> ($dmz_if)

#
#Redirection Rules
#
#rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080

#
#Load Balancing
#
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3), ($ext_if4 $ext_gw4) } round-robin from $lan_net to any keep state

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 reply-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 reply-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if1 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if1 reply-to ($ext_if4 $ext_gw4) from $ext_if4 to any

pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 reply-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 reply-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if2 reply-to ($ext_if4 $ext_gw4) from $ext_if4 to any

pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 reply-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 reply-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if3 route-to ($ext_if4 $ext_gw4) from $ext_if4 to any
pass out on $ext_if3 reply-to ($ext_if4 $ext_gw4) from $ext_if4 to any

pass out on $ext_if4 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if4 reply-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if4 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if4 reply-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if4 route-to ($ext_if4 $ext_gw3) from $ext_if3 to any
pass out on $ext_if4 reply-to ($ext_if4 $ext_gw3) from $ext_if3 to any

#
#Firewall Rules
#
#SSH Rules
pass in on $int_if proto tcp to ($int_if) port ssh keep state
pass in on $ext_if1 proto tcp to ($ext_if1) port ssh keep state
pass in on $ext_if2 proto tcp to ($ext_if2) port ssh keep state
pass in on $ext_if3 proto tcp to ($ext_if3) port ssh keep state
pass out on $int_if proto tcp to ($int_if) port ssh keep state
pass out on $ext_if1 proto tcp to ($ext_if1) port ssh keep state
pass out on $ext_if2 proto tcp to ($ext_if2) port ssh keep state
pass out on $ext_if3 proto tcp to ($ext_if3) port ssh keep st
Re: Migration to PF - some questions
On Sat, Oct 01, 2005 at 08:50:13AM -0500, Travis H. wrote:
>
> Yeah, I neglected stateful matching. I should have said that every
> packet that has to run the gauntlet of rules, has to run all of them.
> Subsequent reading of the PF FAQ confirms that there's no deep
> evaluation-reordering magic going on, that quick rules really are
> faster.

i'd VERY much like to see someone put up a short little www-type ( or whatever ) illustration of how they were really experiencing a service-affecting performance degradation which was solved by the use of 'quick' in their ruleset.

mathematically, yeah, less rules to evaluate = faster, but without someone bucking up and making a nice demonstration of why they needed to do 'quick' a lot, the ~tri-monthly discussion of someone being upset about the last-match thing (on misc@ or pf@) is kind of a bit worn out... :/

most times people say that they have some $BIGNUM line ruleset and so they think they need to use quick even if they're keeping state, but outside of the human shock value of $BIGNUM, there's not much in the way of proof that people show (unless i'm being an archive amnesiac) for needing to go 'quick'ing everything, or otherwise making a case that 'quick' should be the implicit default and 'slow' be added to take its place after the pf-first-match conversion, or people wanting a 'set evaluation [first|last]' knob.

even little soekrises are really hurting for speed some times, but from my small experience with them one would probably end up gagging on interrupts before one would run into a brick wall due to not using 'quick' a lot.

jared

--
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
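The evaluation order argued over in this thread, as an added example that is not part of any poster's message: a small Python model of pf's last-match evaluation, the 'quick' short-circuit and 'keep state', counting how many rules each packet is tested against. The rule fields, sample packets and addresses are constructed; the interface names xl1 and ex0 come from the script quoted earlier in the thread.

```python
"""Toy model of pf rule evaluation (added illustration, not pf source code).

Models only: the last matching rule wins, 'quick' stops evaluation at the
first match, no match means pass (pf's implicit default), and 'keep state'
lets later packets of the same flow skip the ruleset. Real pf state tracking
and rule syntax are far richer than this.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None   # None means "any"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, pkt: dict) -> bool:
        wanted = (("dir", self.direction), ("iface", self.iface),
                  ("proto", self.proto), ("dport", self.dport))
        return all(want is None or pkt[key] == want for key, want in wanted)


def run(rules, packets):
    """Feed packets in order; return [(verdict, rules_evaluated), ...]."""
    states, results = set(), []
    for pkt in packets:
        flow = (pkt["iface"], pkt["proto"], pkt["src"], pkt["dport"])
        if flow in states:            # state hit: the ruleset is not consulted
            results.append(("pass", 0))
            continue
        last, seen = None, 0
        for rule in rules:
            seen += 1
            if rule.matches(pkt):
                last = rule
                if rule.quick:        # quick: this match is final
                    break
        verdict = last.action if last else "pass"
        if verdict == "pass" and last is not None and last.keep_state:
            states.add(flow)
        results.append((verdict, seen))
    return results


# "block first, then pass what should pass": relies on last match.
LAST_MATCH = [
    Rule("block"),
    Rule("pass", direction="in", iface="xl1", keep_state=True),
    Rule("pass", direction="in", iface="ex0", proto="tcp", dport=22,
         keep_state=True),
]
# "pass what should pass, then block everything else": relies on quick.
QUICK_STYLE = [
    Rule("pass", quick=True, direction="in", iface="xl1", keep_state=True),
    Rule("pass", quick=True, direction="in", iface="ex0", proto="tcp",
         dport=22, keep_state=True),
    Rule("block"),
]
# The pitfall: 'quick' added to the default block of a last-match ruleset.
QUICK_ON_DEFAULT = [Rule("block", quick=True)] + LAST_MATCH[1:]

# Constructed sample traffic; the fourth packet repeats the first flow.
PACKETS = [
    dict(dir="in", iface="xl1", proto="tcp", src="192.168.1.10", dport=80),
    dict(dir="in", iface="ex0", proto="tcp", src="203.0.113.5", dport=22),
    dict(dir="in", iface="ex0", proto="tcp", src="203.0.113.5", dport=23),
    dict(dir="in", iface="xl1", proto="tcp", src="192.168.1.10", dport=80),
]

if __name__ == "__main__":
    for name, rules in (("last-match", LAST_MATCH), ("quick", QUICK_STYLE),
                        ("quick on default", QUICK_ON_DEFAULT)):
        print(name, run(rules, PACKETS))
```

Both orderings give the same verdicts and a state hit costs zero rule evaluations in either; the third ruleset shows that adding quick to the leading default block turns every packet into a block.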
Re: in-kernel PPPoE (resolved but related issue)
I finally got in-kernel PPPoE to work after fixing the hostname.pppoe0 file up a bit. Now I'm new to this so I have a few questions.

I can get the OpenBSD box to access the internet fine, but am a bit confused about getting the rest of the network connected to the net. I have multiple Static IP addresses. This is what I've tried so far.

I have 4 ethernet interfaces, em0~em3, Static IP address XXX.XXX.XXX.80/29
pppoe0 is connected to em0, pppoe0 has a static IP of X.X.X.80
bridge0 is created with em0 and em1, both interfaces are up
em1 has no IP address, and is connected to an ethernet switch for servers that need static ips
the servers are manually assigned static IPs X.X.X.81~86

This has not worked for me, I'm sure I'm doing something wrong. The servers can ping X.X.X.80, but can't connect beyond the openbsd box. Am I missing something?

I'm basically trying to make an OpenBSD network bridge that will act as a PPPoE client (and do some filtering and NAT later on).

Any help will be appreciated.

Kory T
Re: clamav 0.87 build error on 3.7
> Yeah - I would've expected problems at the 'make install' step, but > thought 'make' would've gone OK?? No, because linking is done in the 'make' step. It was finding the old libs during that step, and crapping out. Benny -- "Now, that next spring you find in your garage a creature that looks like a cross-bred badger and anaconda. A badgerconda." -- bash.org
Re: clamav 0.87 build error on 3.7
On Sun, Oct 02, 2005 at 09:08:02PM -0500, the unit calling itself C. Bensend wrote: > > I would have thought the Makefile would have taken care of this; i.e. > > deleted (or mv'd) the clamav libs... was I expecting too much, or is > > something missing from the port? > > I would recommend pkg_delete'ing the prior version, and then > installing the new one. That's what I do, and I don't end up > with weird problems like this one. > > Keep the old one around in case you have to roll back, of > course. ;) > Yeah - I would've expected problems at the 'make install' step, but thought 'make' would've gone OK?? Jay
Re: clamav 0.87 build error on 3.7
> I would have thought the Makefile would have taken care of this; i.e. > deleted (or mv'd) the clamav libs... was I expecting too much, or is > something missing from the port? I would recommend pkg_delete'ing the prior version, and then installing the new one. That's what I do, and I don't end up with weird problems like this one. Keep the old one around in case you have to roll back, of course. ;) Benny -- "Now, that next spring you find in your garage a creature that looks like a cross-bred badger and anaconda. A badgerconda." -- bash.org
system hangs during reboot on `syncing disks...'
Hi,

I just had my system hang while rebooting for the second time. When I looked in the console I saw the last kernel message was: `syncing disks...'

After pressing alt-ctrl-esc and typing `boot reboot' I got the system to reboot.

How should I proceed from here? Is this a sign the HD is getting flaky and needs replacement or should I do some debugging and try to get the most information possible?

I'd like to prepare that and since that machine is the connection to internet I'll have to prepare and write down the instructions.

# Han
Re: Help creating a port
On Mon, Oct 03, 2005 at 12:44:26AM +0200, viq wrote: > I saw this once, when trying to create an updated port, and now it happened > again, as I'm trying to get a newer version of snownews. I am trying to > modify the existing port to work with newer version, I modified also patches > that are in the tree, I hope correctly, but what happens is when I 'make > fake', the files instead of landing > in /usr/ports/www/snownews-test/w-snownews-1.5.7/fake-i386 end up > in > /usr/ports/www/snownews-test/w-snownews-1.5.7/fake-i386/usr/ports/www/snownews-test/w-snownews-1.5.7/fake-i386 > > - what am I doing wrong? > > The differences from the original files attached below: (diff -u orig mod) > --- ../snownews/patches/patch-Makefile Wed Oct 13 05:58:42 2004 > +++ patches/patch-Makefile Sun Oct 2 18:06:01 2005 > @@ -1,13 +1,13 @@ > -$OpenBSD: patch-Makefile,v 1.7 2004/10/13 03:58:42 jolan Exp $ > Makefile.orig Wed Sep 29 11:28:31 2004 > -+++ Makefile Tue Oct 12 22:52:36 2004 > +$OpenBSD: patch-Makefile,v 1.8 2005/10/02 18:03:58 viq Exp $ > +--- Makefile.orig Sun Oct 2 18:03:01 2005 > Makefile Sun Oct 2 18:04:14 2005 > @@ -1,4 +1,4 @@ > -CC= gcc > +#CC= gcc > MAKE= make > INSTALL=install > LOCALEPATH= $(PREFIX)/share/locale > -@@ -42,11 +42,11 @@ locales: > +@@ -42,11 +42,11 @@ > done > > manpages: 
> @@ -21,12 +21,12 @@ > sed s/VERSION/$(VERSION)/ > $(MAN)/$$L/snownews.1; \ > done > > -@@ -60,7 +60,7 @@ install-bin: snownews > - if [ ! -d "$(PREFIX)/bin" ]; then \ > - mkdir -p $(PREFIX)/bin; \ > +@@ -59,7 +59,7 @@ > + if [ ! -d "$(DESTDIR)$(PREFIX)/bin" ]; then \ > + mkdir -p $(DESTDIR)$(PREFIX)/bin; \ > fi > -- $(INSTALL) -s snownews $(PREFIX)/bin > -+ $(INSTALL) snownews $(PREFIX)/bin > - $(INSTALL) opml2snow $(PREFIX)/bin > - > - install-locales: locales > +- $(INSTALL) -s snownews $(DESTDIR)$(PREFIX)/bin > ++ $(INSTALL) snownews $(DESTDIR)$(PREFIX)/bin > + $(INSTALL) opml2snow $(DESTDIR)$(PREFIX)/bin > + if [ ! -f "$(DESTDIR)$(PREFIX)/bin/snow2opml" ]; then \ > + ln -sf $(DESTDIR)$(PREFIX)/bin/opml2snow > $(DESTDIR)$(PREFIX)/bin/snow2opml; \ maybe adding DESTDIR in patches isn't needed anymore? -- <[EMAIL PROTECTED]>
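Review bot: in the install-bin hunk (@@ -59,7 +59,7 @@) the added `ln -sf $(DESTDIR)$(PREFIX)/bin/opml2snow $(DESTDIR)$(PREFIX)/bin/snow2opml` line uses the staging path as the link target, so the symlink that ends up in the package would point into the fake directory instead of at the installed binary; a relative target (`ln -sf opml2snow $(DESTDIR)$(PREFIX)/bin/snow2opml`) avoids that. The same hunk carries $(DESTDIR) in front of $(PREFIX) on every install line, which fits the doubled fake-i386 path described in the report if PREFIX already contains the fake directory during 'make fake'; printing both variables in that stage would show which one should carry the staging root.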
detect if a flag-day has happened in the meanwhile
Hi, I am wondering if there is a good way to check if a flag-day has passed if you have both the new and old kernel. How can I check that? # Han
RE: Netgear WG311 v3
Quoth [EMAIL PROTECTED]
>These cards don't seem to be ath anymore.
>
>The relevant bits from my dmesg.
>
>rl0 at pci1 dev 0 function 0 "D-Link Systems
>530TX+" rev 0x10: irq 11 address 00:11:95:24:6a:0d
>rlphy0 at rl0 phy 0: RTL internal phy
>rl1 at pci1 dev 1 function 0 "D-Link Systems
>530TX+" rev 0x10: irq 5 address 00:11:95:24:6a:0c
>rlphy1 at rl1 phy 0: RTL internal phy
>vendor "Marvell", unknown product 0x1faa (class
>network subclass ethernet, rev 0x03) at pci1 dev 2
>function 0 not configured
>
>Thought you all might like to know. Thrice cursed
>vendors. Lucky for me it was an incredibly cheap
>impulse buy.
>
>Ray
>--
>BOFH excuse #326:
>
>We need a licensed electrician to replace the light
>bulbs in the computer room.

First "Thanks", which you don't hear very often.

Second, it seems that this list is the best (best that I know of) available intelligence about the state of hardware. Not as an OpenBSD user, but as a user of most everything else. Anything that gives OpenBSD trouble, it's just a matter of time before it gives me trouble where I care about it. I doubt that I am alone, and most of us tend to keep our yaps shut.

I would love to have the information organized and digested for me, hardware compatibility lists make some attempt to do this, but the intelligence value comes from reading between the lines and is based on human reaction and opinion. Anything "organized" is too easily astroturfed.

My experience with OpenBSD is limited, however. 3Com NIC on NT Server suddenly decided to work very poorly. Best help I could find was OpenBSD archives. Intel Pro NIC and problems went away. Actually did a repeat performance. Consensus seems to be Peculiar Adaptec SCSI controller (I understand Adaptec used to make good products) card would work with Linux only with SCSI BIOS disabled. Worked with OpenBSD with BIOS enabled.

OpenBSD has an attitude, knows quite a bit about hardware, and is probably well worthwhile listening to regardless of OS. There is of course much more that I do not know than I do know, but in a few cases I do know enough that OpenBSD and especially Theo seems to have a knack for being dead accurate.

If security matters, OpenBSD "gets it". If security matters, you do NOT get compromised machines at a nickel each. If security does not matter, there are a number of stupidities which are very ill advised.

[ ] Always trust OpenBSD.
Re: clamav 0.87 build error on 3.7
On Sun, Oct 02, 2005 at 06:28:53PM -0400, the unit calling itself MH wrote: > > I get the following errors when trying to make clamav v0.87 from the > > -stable ports tree: > > > > server-th.o(.text+0x98a): In function `acceptloop_th': > > : undefined reference to `cl_dup' > > collect2: ld returned 1 exit status > > *** Error code 1 << SNIP, SNIP >> > > How to fix? > > > It sounds like you have an older version of clamav already installed. > Your linker is bonking when its searching the older clamlibs looking > for cl_dup. > Fix: > cd to /usr/local/lib and move your current clamav libs (libclamav.*) to a > location > not in your linker path. Then recompile. Thanks, Mike... that did it! I would have thought the Makefile would have taken care of this; i.e. deleted (or mv'd) the clamav libs... was I expecting too much, or is something missing from the port? Thanks Again, Jay
Help creating a port
I saw this once, when trying to create an updated port, and now it happened again, as I'm trying to get a newer version of snownews. I am trying to modify the existing port to work with newer version, I modified also patches that are in the tree, I hope correctly, but what happens is when I 'make fake', the files instead of landing in /usr/ports/www/snownews-test/w-snownews-1.5.7/fake-i386 end up in /usr/ports/www/snownews-test/w-snownews-1.5.7/fake-i386/usr/ports/www/snownews-test/w-snownews-1.5.7/fake-i386 - what am I doing wrong? The differences from the original files attached below: (diff -u orig mod) --- ../snownews/MakefileSat Dec 11 14:29:22 2004 +++ MakefileSun Oct 2 20:18:00 2005 @@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.9 2004/12/11 13:29:22 alek Exp $ COMMENT= "text mode rss newsreader" -DISTNAME= snownews-1.5.4 +DISTNAME= snownews-1.5.7 CATEGORIES=www MASTER_SITES= ${HOMEPAGE}download/ @@ -26,7 +26,7 @@ post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/snownews - ${INSTALL_DATA} ${WRKSRC}/README{,.colors,.de} \ + ${INSTALL_DATA} ${WRKSRC}/README{,.de} \ ${PREFIX}/share/doc/snownews .include --- ../snownews/patches/patch-Makefile Wed Oct 13 05:58:42 2004 +++ patches/patch-Makefile Sun Oct 2 18:06:01 2005 @@ -1,13 +1,13 @@ -$OpenBSD: patch-Makefile,v 1.7 2004/10/13 03:58:42 jolan Exp $ Makefile.orig Wed Sep 29 11:28:31 2004 -+++ Makefile Tue Oct 12 22:52:36 2004 +$OpenBSD: patch-Makefile,v 1.8 2005/10/02 18:03:58 viq Exp $ +--- Makefile.orig Sun Oct 2 18:03:01 2005 Makefile Sun Oct 2 18:04:14 2005 @@ -1,4 +1,4 @@ -CC= gcc +#CC= gcc MAKE= make INSTALL=install LOCALEPATH= $(PREFIX)/share/locale -@@ -42,11 +42,11 @@ locales: +@@ -42,11 +42,11 @@ done manpages: 
@@ -21,12 +21,12 @@ sed s/VERSION/$(VERSION)/ > $(MAN)/$$L/snownews.1; \ done -@@ -60,7 +60,7 @@ install-bin: snownews - if [ ! -d "$(PREFIX)/bin" ]; then \ - mkdir -p $(PREFIX)/bin; \ +@@ -59,7 +59,7 @@ + if [ ! -d "$(DESTDIR)$(PREFIX)/bin" ]; then \ + mkdir -p $(DESTDIR)$(PREFIX)/bin; \ fi -- $(INSTALL) -s snownews $(PREFIX)/bin -+ $(INSTALL) snownews $(PREFIX)/bin - $(INSTALL) opml2snow $(PREFIX)/bin - - install-locales: locales +- $(INSTALL) -s snownews $(DESTDIR)$(PREFIX)/bin ++ $(INSTALL) snownews $(DESTDIR)$(PREFIX)/bin + $(INSTALL) opml2snow $(DESTDIR)$(PREFIX)/bin + if [ ! -f "$(DESTDIR)$(PREFIX)/bin/snow2opml" ]; then \ + ln -sf $(DESTDIR)$(PREFIX)/bin/opml2snow $(DESTDIR)$(PREFIX)/bin/snow2opml; \ --- ../snownews/patches/patch-platform_settings Wed Oct 13 05:58:42 2004 +++ patches/patch-platform_settings Sun Oct 2 18:01:58 2005 @@ -1,7 +1,7 @@ -$OpenBSD: patch-platform_settings,v 1.1 2004/10/13 03:58:42 jolan Exp $ platform_settings.orig Wed Sep 29 11:28:31 2004 -+++ platform_settings Tue Oct 12 22:27:01 2004 +$OpenBSD: patch-platform_settings,v 1.2 2005/10/02 18:03:58 viq Exp $ +--- platform_settings.orig Sun Oct 2 18:00:14 2005 platform_settings Sun Oct 2 18:00:20 2005 @@ -1,3 +1,2 @@ -PREFIX= /usr/local - CFLAGS= -Wall -g -DLOCALEPATH="\"$(LOCALEPATH)\"" -DOS=\"$(shell uname)\" `xml2-config --cflags` $(EXTRA_CFLAGS) - LDFLAGS= -lncurses `xml2-config --libs` $(EXTRA_LDFLAGS) + CFLAGS= -Wall -Wno-format-y2k -O2 -DLOCALEPATH="\"$(LOCALEPATH)\"" -DOS=\"$(shell uname)\" `xml2-config --cflags` $(EXTRA_CFLAGS) -DSTATIC_CONST_ICONV -I/usr/local/include + LDFLAGS= -lncurses `xml2-config --libs` $(EXTRA_LDFLAGS) -lintl -liconv Thanks in advance for help, pointers, and kicks in right direction ;) -- viq -- Tak niesamowity CZAT... >>> http://link.interia.pl/f18ba
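Review bot: the patch-platform_settings hunk writes `-O2` and `-I/usr/local/include` straight into CFLAGS and drops `-g`, which bakes an optimisation level and a fixed local base into the patch; leave optimisation to the flags the build is invoked with and take the include path from a variable instead of the literal /usr/local. In the same hunk and in patch-Makefile the `$OpenBSD:` lines change from revision 1.1/1.7 to 1.2/1.8 with user viq inside the diff itself; revision ids are assigned by CVS on commit, so the tag lines are better left alone in a submitted update.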
Re: clamav 0.87 build error on 3.7
On Sun, Oct 02, 2005 at 11:35:48AM -0500, J Moore wrote: > I get the following errors when trying to make clamav v0.87 from the > -stable ports tree: > > server-th.o(.text+0x98a): In function `acceptloop_th': > : undefined reference to `cl_dup' > collect2: ld returned 1 exit status > *** Error code 1 > > Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87/clamd (line > 322 of Makefile). > *** Error code 1 > > Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87 (line 368 > of Makefile). > *** Error code 1 > > Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87 (line 227 > of Makefile). > *** Error code 1 > > Stop in /usr/ports/security/clamav (line 1769 of > /usr/ports/infrastructure/mk/bsd.port.mk). > > How to fix? > > Thnx, > Jay > Hi Jay, It sounds like you have an older version of clamav already installed. Your linker is bonking when its searching the older clamlibs looking for cl_dup. Fix: cd to /usr/local/lib and move your current clamav libs (libclamav.*) to a location not in your linker path. Then recompile. Hope this helps, Mike
Re: Java with mozilla-firefox
Hi pirge and thanks!

pirge wrote:
> set ulimit before running firefox:
> $ ulimit -d 262144
> $ firefox

Works!
Re: 3.6 -> 3.7 make build problem
eric wrote:
> [ Note: I don't like doing this. I would rather use a snapshot and ]
> [ just get -current, but I have the Adaptec bullshit on this machine ]
> [ and need a kernel that support aac(4). ]
>
> I'm going from 3.6 to 3.7, and just trying to get the fscking adaptec
> controller working.
[snip the start of a long and ugly process]

Bah. too much like work.

Just do this...

Grab ANOTHER computer. Pentium 75, 32M RAM or better. IDE disk system. WHATEVER. Load that up with 3.7-release. Turn on softdeps. Install the system source code (/usr/src/sys). Build yourself a 3.7 kernel with that source on the 3.7 system, but with your aac driver in place. Even on a Pentium 75, should only take a few hours.

Now..use that kernel instead of the GENERIC kernel to do a "remote install" on your problem machine as detailed in upgrade37.html.

done!

better idea: go get a standard SCSI adapter to plug your drives into if you can't afford a good RAID card. Granted, you lose RAID, but you will probably GAIN reliability. Remember: RAID isn't your goal. Reliability is. Running an unreliable RAID controller driver is probably worse than having non-RAIDed disks.

I've been doing some stuff recently with two disks in a single machine to accomplish the goals of rapid repair (these are DNS resolvers and servers, very important, but also highly redundant by nature, so 100% uptime isn't an issue, but rapid repair is). I stuck a second disk in the machines. I use ALTROOT to duplicate the boot partition (including the /etc directory and its configs), and daily.local also dumps important information as well, and weekly, I dump/restore the rest of the partitions from wd0 to wd1. If I lose the boot drive, unplug the bad drive, and boot off the remaining one. Beats the heck out of most RAID systems I've seen for this application, and in fact, it provides a (lame) kind of backup, as if I manage to rm -r * from the wrong directory, I can still recover nicely.

Nick.
Re: asus wl-138g
--On 02 October 2005 20:38 +0200, Jernej Vodopivec wrote: Does anyone have any experience with asus wl-138g wlan pci card? I've only found model 130g at supported hardware.. Google: "wl-138g chipset". First few hits say 'Marvell' - this is undocumented/unsupported (but increasingly common).
Netgear WG311 v3
These cards don't seem to be ath anymore.

The relevant bits from my dmesg.

rl0 at pci1 dev 0 function 0 "D-Link Systems 530TX+" rev 0x10: irq 11 address 00:11:95:24:6a:0d
rlphy0 at rl0 phy 0: RTL internal phy
rl1 at pci1 dev 1 function 0 "D-Link Systems 530TX+" rev 0x10: irq 5 address 00:11:95:24:6a:0c
rlphy1 at rl1 phy 0: RTL internal phy
vendor "Marvell", unknown product 0x1faa (class network subclass ethernet, rev 0x03) at pci1 dev 2 function 0 not configured

Thought you all might like to know. Thrice cursed vendors. Lucky for me it was an incredibly cheap impulse buy.

Ray
--
BOFH excuse #326:

We need a licensed electrician to replace the light bulbs in the computer room.
asus wl-138g
Does anyone have any experience with asus wl-138g wlan pci card? I've only found model 130g at supported hardware.. Jernej
Re: looking for reliable USB printer
On 10/1/05, Marc Espie <[EMAIL PROTECTED]> wrote:
>
> Just wanted to know what people currently use for an usb printer under
> OpenBSD. I'm looking for rather cheap hardware that's currently sold
> in europe as brand new, and guaranteed to work (through experience)
> by people...

Last year I bought a HP Deskjet 3820, but I don't think it is really a current model anymore. It has USB as well as a parallel port.

Because I don't use color I take advantage of the PCL support of the printer and simply configure it as a Laserjet. I use apsfilter. With "hpijs" it also prints color.

=Adriaan=
Re: clamav 0.87 build error on 3.7
C. Bensend wrote: I get the following errors when trying to make clamav v0.87 from the -stable ports tree: You sure you're using -STABLE? I mean, are you absolutely sure that your source tree is what you _think_ it is? I built 0.87 on 3.7-STABLE just last night, flawlessly. I don't think your checkout is what you think it is. Use a -current source tree when using a -current ports tree.
Re: clamav 0.87 build error on 3.7
On Sun, Oct 02, 2005 at 11:52:40AM -0500, the unit calling itself C. Bensend wrote:
> > I get the following errors when trying to make clamav v0.87 from the
> > -stable ports tree:
>
> You sure you're using -STABLE? I mean, are you absolutely sure that
> your source tree is what you _think_ it is?
>
> I built 0.87 on 3.7-STABLE just last night, flawlessly. I don't think
> your checkout is what you think it is.

Good thought - here's what I've got... any ideas?

Here's how I've updated my ports tree:
# setenv CVSROOT [EMAIL PROTECTED]:/cvs
# cd /usr/ports
# cvs -d $CVSROOT -q up -rOPENBSD_3_7 -Pd

Here's how I've updated my source tree:
# setenv CVSROOT [EMAIL PROTECTED]:/cvs
# cd /usr/src
# cvs -d $CVSROOT -q up -rOPENBSD_3_7 -Pd

I verified I've got a 3.7 ports tree by:
# cd /usr/ports/CVS
# cat Tag
TOPENBSD_3_7

& in the source tree:
# cd /usr/src/CVS
# cat Tag
TOPENBSD_3_7

& in clamav:
# cd /usr/ports/security/clamav/CVS
# cat Tag
TOPENBSD_3_7

& in /usr/ports/security/clamav/Makefile:
# cat Makefile
# $OpenBSD: Makefile,v 1.3.2.3 2005/09/28 17:37:57 sturm Exp $

COMMENT="free virus scanner"
DISTNAME= clamav-0.87
...

When I build clamav:
# cd /usr/ports/security/clamav
# make
===> Building for clamav-0.87
make all-recursive
Making all in libclamav
Making all in clamscan
Making all in clamd
/bin/sh ../libtool --mode=link cc -O2 -pipe -L/usr/lib -L/usr/local/lib -o clamd output.o cfgparser.o getopt.o memory.o misc.o options.o clamd.o tcpserver.o localserver.o session.o thrmgr.o server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o ../libclamav/libclamav.la -pthread -pthread
cc -O2 -pipe -o .libs/clamd output.o cfgparser.o getopt.o memory.o misc.o options.o clamd.o tcpserver.o localserver.o session.o thrmgr.o server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o -pthread -pthread -L/usr/lib -L/usr/local/lib -L../libclamav/.libs -lclamav -lbz2 -lgmp -lcurl -lssl -lcrypto -lz -Wl,-rpath,/usr/local/lib
misc.o(.text+0xcb): In function `freshdbdir':
: warning: sprintf() is often misused, please use snprintf()
/usr/local/lib/libgmp.so.6.3: warning: vsprintf() is often misused, please use vsnprintf()
server-th.o(.text+0x98a): In function `acceptloop_th':
: undefined reference to `cl_dup'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87/clamd (line 322 of Makefile).
*** Error code 1

Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87 (line 368 of Makefile).
*** Error code 1

Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87 (line 227 of Makefile).
*** Error code 1

Stop in /usr/ports/security/clamav (line 1769 of /usr/ports/infrastructure/mk/bsd.port.mk).
OT: Help wanted in Caracas, Venezuela
Hi misc,

I need help in Caracas, Venezuela. We have a remote location that doesn't have a tech on staff. They just lost their firewall. I guess it was some kind of power failure. We will have to reinstall the box. They will pay you for your help. Please contact me off the list. It's an emergency.

Thank you,
Rosen Iliev
IT Department Manager
www.betcris.com
San Jose, Costa Rica
Direct: + (506) 242-4927
Fax: + (506) 210.7828
Re: Webmail recommendations?
On 10/01, Chris wrote:
> Hello
>
> I want to setup a OBSD box for my email server. It will service
> probably about 2 dozen people, but It could conceivably double or more
> over the next year or two.
>
> I was wondering if anyone had any recommendations for an mta, and for a
> webmail program that is easy to use and fully featured for users who are
> not so computer savvy.
>
> I am pretty comfortable with Sendmail, but I hear a lot of people are
> moving more toward postfix (which I know nothing about).
>
> I am at a loss for a good web interface.
>
> Anyone care to make any recommendations?
>
> Thank you.
>
>
> Chris

Hi

My personal favorite is: postfix + courier-imap + sqwebmail.
(You will need maildrop too between postfix and courier-imap.)
SqWebMail is a simple cgi written in c++ so it is really fast.

http://www.postfix.org
http://www.courier-mta.org/imap
http://www.courier-mta.org/sqwebmail

--
cstamas
Re: clamav 0.87 build error on 3.7
> I get the following errors when trying to make clamav v0.87 from the
> -stable ports tree:

You sure you're using -STABLE? I mean, are you absolutely sure that your source tree is what you _think_ it is?

I built 0.87 on 3.7-STABLE just last night, flawlessly. I don't think your checkout is what you think it is.

Benny

--
"Now, that next spring you find in your garage a creature that
looks like a cross-bred badger and anaconda. A badgerconda."
-- bash.org
clamav 0.87 build error on 3.7
I get the following errors when trying to make clamav v0.87 from the -stable ports tree:

server-th.o(.text+0x98a): In function `acceptloop_th':
: undefined reference to `cl_dup'
collect2: ld returned 1 exit status
*** Error code 1
Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87/clamd (line 322 of Makefile).
*** Error code 1
Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87 (line 368 of Makefile).
*** Error code 1
Stop in /usr/ports/security/clamav/w-clamav-0.87/clamav-0.87 (line 227 of Makefile).
*** Error code 1
Stop in /usr/ports/security/clamav (line 1769 of /usr/ports/infrastructure/mk/bsd.port.mk).

How to fix?

Thnx,
Jay
Re: 3.8 Snapshot with 'ath' based card.
Reyk Floeter <[EMAIL PROTECTED]> writes:
> what a mess!

My sentiments exactly. I wasn't particularly happy when I found out, but then the guys at the store let me hand the card back for a refund with no problems.

> d-link uses additional H/W revision numbers (like A1, B2, ...) to
> indicate the chipset, at least smc and netgear have something
> similar.

In my case I think it is easier than that, in fact. The DWL-G520 is Atheros based and works (and IIRC the package was clearly marked with an Atheros emblem), while the DWL-G520+ is TI ACX111, which is undocumented, unsupported and should be avoided.

Funny, this came up just as I was writing up some wireless stuff to include in my PF tutorial for AUUG2005.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: Serial Weather Station
Thanks for your response,

I read the tty(4) manpage, and a part of the tip(1) manpage.
Now I know the difference between tty and cua devices.
I changed the configuration to tell open3600 to use /dev/cua00 instead of /dev/tty00.
Unfortunately, the problem is still the same.

Marc MAURICE

man 4 cua or man 4 tty

Then see the section about cua(4) devices. And don't use tty's like that. That is what cua devices are for. Connecting out.

I have a laptop at home which is an old dell latitude xpi p133 st. I use it as a small server, running OpenBSD 3.7. I would like to have my weather station connected to the laptop, serving the weather via http. The weather station is a WS3600, connected to the server via a serial cable. The program I use to retrieve the info from the station is open3600 (http://open3600.fast-mail.nl).

To make it work under openbsd, I edited /etc/ttys and changed the line :

tty00 "/usr/libexec/getty std.9600" unknown off

to :

tty00 nonenetwork on local

As open3600 is not available in binary form for OpenBSD, I compiled it. I then configured it to retrieve the info from /dev/tty00.

Now when I launch the retrieval of the information, the command takes 30 seconds before outputting the result. Each time I execute the command, it takes about 30 seconds, and sometimes the output is right, sometimes it is totally wrong, indicating 0 values. I would say I have 50% chance to get the good parameters.

The problem is not hardware, because I tried the command under Debian on the same machine, and it retrieves the information with no problem, in less than 2 seconds.

I think the problem is the configuration of the serial port under OpenBSD, but my knowledge in serial devices is rather limited. I ran 'stty -af /dev/tty00' under OpenBSD and 'stty -aF /dev/ttyS0' under Debian and see the modes are a bit different, but I did not manage to change modes under OpenBSD.

'stty -af /dev/tty00' under OpenBSD:

speed 9600 baud; 0 rows; 0 columns;
lflags: icanon isig iexten echo echoe -echok echoke -echonl echoctl -echoprt -altwerase -noflsh -tostop -flusho -pendin -nokerninfo -extproc -xcase
iflags: -istrip icrnl -inlcr -igncr -iuclc ixon -ixoff ixany imaxbel -ignbrk brkint -inpck -ignpar -parmrk
oflags: opost onlcr -ocrnl -onocr -onlret -olcuc oxtabs -onoeot
cflags: cread cs8 -parenb -parodd hupcl clocal -cstopb -crtscts -mdmbuf
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = ; eol2 = ; erase = ^?; intr = ^C; kill = ^U; lnext = ^V; min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ; stop = ^S; susp = ^Z; time = 0; werase = ^W;

'stty -aF /dev/ttyS0' under Debian:

speed 9600 baud; rows 0; columns 0; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = ; eol2 = ; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke

I don't even know if the problem comes from here. Any help, any reference, any advice is welcomed.

Thanks in advance and sorry for my english

Marc MAURICE
Re: Webmail recommendations?
you could try horde - it's pretty full-featured. Mta, i would recommend qmail, but YMMV... The setup will be pretty tedious if u go this way, but once setup, everything will run very nicely. -jf
Re: 3.8 Snapshot with 'ath' based card.
On Sun, Oct 02, 2005 at 04:02:25PM +0200, Peter N. M. Hansteen wrote:
> > "Texas Instruments ACX111" rev 0x00 at pci0 dev 12 function 0 not
> > configured
>
> it looks like netgear changed chipsets without telling anybody about it.
> I had a similar experience with a D-Link card. D-Link have several
> ath based cards, among them DWL-G520. On the other hand the DWL-G520+

what a mess!

d-link uses additional H/W revision numbers (like A1, B2, ...) to indicate the chipset, at least smc and netgear have something similar.

please tell us all the product revision numbers for this device and we'll think about mentioning it in the documentation.

reyk
Re: Geode GX1
On 10/2/05, Marc Balmer <[EMAIL PROTECTED]> wrote:
> Bachman Kharazmi wrote:
>
> > I tried a linux kernel and it did boot the kernel at least.
> > I might be missing something for the Geode GX1 in my GENERIC kernel?
>
> geode gx1 is the geode sc-1100 right? I use such a computer here
> with the GENERIC kernel.

So you have the rarpd and bootconfig server setup? I've the terminal server running and working, its from it the term loads "pxeboot" and then tries to load bsd.rd kernel using tftp.

/bkw

--
## BKW - Bachman Kharazmi bahkha AT gmail DOT com uin: #24089491 SWEDEN ##
Re: 3.8 Snapshot with 'ath' based card.
OpenBSD Admin <[EMAIL PROTECTED]> writes:
> I went and bought a netgear WG311 PCI 54g (Wg311GE) card the other
> day to put in my firewall. I intended to use this as an access
> point for a WLAN. This card is listed in the support hardware section
> on the openbsd website under i386 but not amd64. Well, from the dmesg
> "Texas Instruments ACX111" rev 0x00 at pci0 dev 12 function 0 not
> configured

it looks like netgear changed chipsets without telling anybody about it. I had a similar experience with a D-Link card. D-Link have several ath based cards, among them DWL-G520. On the other hand the DWL-G520+ is based on TI ACX111, which for some reason TI does not want to release documentation for.

As a consequence, support for ACX111 cards on free operating systems is almost non-existent. On Linux and FreeBSD you might be able to use an ndis loader workaround (loading the Windows binary via a wrapper), but for very understandable reasons OpenBSD does not support this.

Take a look at http://customerproducts.atheros.com/customerproducts (as mentioned in the ath man page) and see if you can have the dealer agree to have the card exchanged for a supported one.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Geode GX1
On 10/2/05, Marc Balmer <[EMAIL PROTECTED]> wrote:
> Bachman Kharazmi wrote:
> > On 10/2/05, Marc Balmer <[EMAIL PROTECTED]> wrote:
> >
> >>Bachman Kharazmi wrote:
> >>
> >>>When I try to boot a Geode GX1 with generic kernel it freeze here:
> >>>
> >>>
> >OpenBSD/i386 PXEBOOT 1.02
> >>>
> >>>booting tftp:/bsd 4807268- (and here it freeze)
> >>>
> >>>I've tried bsd.rd both from the 3.7 and 3.8 dir without any luck, am I
> >>>missing any support in kernel?
> >>
> >>have you the console to the serial port in boot.conf? See boot.conf(8)
> >>for details, the file must be on your tftp server under etc/.
> >
> > It's a thin desktop (compaq evo t20) without any com-port. It has four
> > usb ports,nic, vga,ac and sound.
> >
> > maybe that's why it's freezing... would it help to build a kernel
> > without com-port support?
>
> Ok. Boot bsd.rd, if you boot bsd, you must provide a complete root
> filesystem on nfs environment. Essentially you have to use rarpd,
> bootcnfigd and nfsd. See the respective manual pages and read diskless(8).

I already have diskless working out of the box with obsd as term-server and a generic PC as term. but this thin diskless workstation is something I've borrowed from school because they are unused and I would like it to boot with bsd kernel.

As described in my first post I've already tested with bsd.rd from 3.7/3.8 dir on the mirrors. What really confuses me is that it's freezing,

>>OpenBSD/i386 PXEBOOT 1.02
booting tftp:/bsd 4807268-

right here.

I tried a linux kernel and it did boot the kernel at least. I might be missing something for the Geode GX1 in my GENERIC kernel?

/bkw

>
> - Marc Balmer
>

--
## BKW - Bachman Kharazmi bahkha AT gmail DOT com uin: #24089491 SWEDEN ##
Re: Java with mozilla-firefox
Running firefox from the shell gives me this:

$ firefox
INTERNAL ERROR on Browser End: Exec of "java_vm" failed: 2 < System error?:: No such file or directory
Gdk-ERROR **: Fatal IO error 9 (Bad file descriptor) on X server :0.0.
INTERNAL ERROR on Browser End: Could not read ack from child process
System error?:: Resource temporarily unavailable

It doesn't drop a .core file though. Is this information enough?

Friendly, Rico.

Applets worked for me after installing java 1.4.2 via the ports tree, mozilla-firefox through the packages tree and changing my settings in login.conf. Going off your error message above, I would guess you are missing a file in your java/firefox installation or the permissions are wrong. Here is my file count:

$ find /usr/local/jdk* | wc -l
2719
$ find /usr/local/mozilla-firefox/ | wc -l
632

You can use find to look for files missing world-read permission. See the man pages for more details. If all else fails, follow up on Josh's advice on using gdb.

Good luck,
Keith Richardson
Re: Geode GX1
On 10/2/05, Marc Balmer <[EMAIL PROTECTED]> wrote:
> Bachman Kharazmi wrote:
> > When I try to boot a Geode GX1 with generic kernel it freeze here:
> >
> >>>OpenBSD/i386 PXEBOOT 1.02
> >
> > booting tftp:/bsd 4807268- (and here it freeze)
> >
> > I've tried bsd.rd both from the 3.7 and 3.8 dir without any luck, am I
> > missing any support in kernel?
>
> have you the console to the serial port in boot.conf? See boot.conf(8)
> for details, the file must be on your tftp server under etc/.

It's a thin desktop (compaq evo t20) without any com-port. It has four usb ports,nic, vga,ac and sound.

maybe that's why it's freezing... would it help to build a kernel without com-port support?

/bkw

>
> - Marc Balmer
>

--
## BKW - Bachman Kharazmi bahkha AT gmail DOT com uin: #24089491 SWEDEN ##
Unsubscription Confirmation
You have been successfully removed and will not receive any more messages.
Re: Webmail recommendations?
On Sat, 1 Oct 2005 18:19:17 -0500 (CDT) "C. Bensend" <[EMAIL PROTECTED]> wrote:
> > I am at a loss for a good web interface.
> >
> > Anyone care to make any recommendations?
>
> I'm a pretty big fan of SquirrelMail. It's a web-based IMAP client,
> so you'd need an IMAP server as well (I use Courier). It works just
> fine with OpenBSD's chrooted Apache, which is a big plus.
>
> Benny
>
>
> --
> "Now, that next spring you find in your garage a creature that
> looks like a cross-bred badger and anaconda. A badgerconda."
> -- bash.org
>

Yes, that's very nice WebMail software indeed. And it's quite light.

Jasper

--
"Security is decided by quality" -- Theo de Raadt
Re: PF story, happy ending.
On Sunday 02 October 2005 00:08, ed wrote:
> On Sat, 1 Oct 2005 12:27:56 -0600 (MDT)
>
> Diana Eichert <[EMAIL PROTECTED]> wrote:
> > So Dweeb, what you recommend is upping the state table so we can
> > increase the amount of crap that's leaking out from the Windows
> > system? Brilliant, next time there's a Windows worm polluting the
> > network I'll just think "Wow, it's not a Windows problem, I just need
> > to buy hardware that can handle greater traffic."
>
> Then by this token we should all set a state limit of 1 state per host,
> correct, if there's something using more states it must be compromised.
> Nice theory. Why not just block the single host causing the problem,
> when you have a high state limit, try shell commands to count the states
> used every few minutes and then add the excessive hosts to a table,
> rather than choke the network. Oh and don't resort to name calling, it
> makes the rest of the post look childish, even if there is content of
> technical merit.

Well, if you bothered to read and understand Diana's posts, you'd realise that the firewall had enough states for normal operation of the network. When a faulty host was added, it overloaded the firewall.

Now, which is a better response? Leave the faulty host running (a Windows domain controller shouldn't be sending stuff through the firewall in the first place, and shouldn't be sending lots of fragments), and open up the firewall to hide the fault? Or, diagnose the fault, realise that the firewall failing is a symptom of a bad host behind the firewall, and fix the bad host?

I'd do what Diana did; diagnose the fault, discover a faulty host, and get it fixed, rather than cover over the fault by changing the firewall configuration. Or are you suggesting that (e.g.) if one of your non-mail sending hosts overloads the firewall with connections to port 25 on lots of different MXs, the solution is to have the firewall allow more outgoing connections, not to work out why that host has suddenly started sending mail?

--
Simon Farnsworth
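The per-host state count that both sides of this exchange refer to, as an added example that is not part of the original posts. It assumes the one-state-per-line text printed by `pfctl -ss`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Count pf states per originating host and report the heavy users.
# Assumed input: the text printed by `pfctl -ss`, one state per line, e.g.
#   self tcp SRC:PORT -> [NAT:PORT ->] DST:PORT STATE
#   self tcp LOCAL:PORT <- PEER:PORT STATE     (PEER opened the connection)

# states_per_host LIMIT: read state lines on stdin, print "count host" for
# every originator holding more than LIMIT states, busiest first.
states_per_host() {
    awk -v limit="$1" '
    function host(ep) {
        sub(/\[[0-9]+\]$/, "", ep)          # IPv6 form: addr[port]
        if (ep ~ /^[0-9.]+:[0-9]+$/)        # IPv4 form: addr:port
            sub(/:[0-9]+$/, "", ep)
        return ep
    }
    # Field 4 is the direction arrow; the originator is left of "->"
    # and right of "<-".
    NF >= 6 && ($4 == "->" || $4 == "<-") {
        count[host($4 == "->" ? $3 : $5)]++
    }
    END {
        for (h in count)
            if (count[h] > limit) print count[h], h
    }' | sort -rn
}

# Constructed sample: 192.168.1.20 opens port 25 connections to five
# different mail exchangers, 192.168.1.10 browses, one host connects inbound.
sample_states() {
    cat <<'EOF'
self tcp 192.168.1.20:1025 -> 203.0.113.1:60001 -> 198.51.100.11:25 SYN_SENT:CLOSED
self tcp 192.168.1.20:1026 -> 203.0.113.1:60002 -> 198.51.100.12:25 SYN_SENT:CLOSED
self tcp 192.168.1.20:1027 -> 203.0.113.1:60003 -> 198.51.100.13:25 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.20:1028 -> 203.0.113.1:60004 -> 198.51.100.14:25 SYN_SENT:CLOSED
self tcp 192.168.1.20:1029 -> 203.0.113.1:60005 -> 198.51.100.15:25 SYN_SENT:CLOSED
self tcp 192.168.1.10:4001 -> 198.51.100.80:80 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.10:4002 -> 198.51.100.81:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 192.168.1.1:22 <- 203.0.113.9:50000 ESTABLISHED:ESTABLISHED
EOF
}

sample_states | states_per_host 3
```

On the firewall the same function reads live data with `pfctl -ss | states_per_host 200`, where 200 is an arbitrary limit chosen for illustration. The output names the host to investigate, which serves the diagnosis either way.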
Re: WLAN (Linksys WPC111) + WEP
On Sun, Oct 02, 2005 at 09:01:19AM +0200, Nikolaus Hiebaum wrote:
> ifconfig wi0 192.168.200.2 255.255.255.0 nwid "scyld" nwkey "BACE8A21EA"

According to the ifconfig man page, "The key can either be a string, a series of hexadecimal digits (preceded by `0x'), or a set of keys..." So I would try that.

-j
WLAN (Linksys WPC111) + WEP
Hello,

I have a problem with OpenBSD 3.7 (GENERIC) on my laptop, Acer TravelMate 243LC, and WLAN with WEP. Since my laptop doesn't have a built in WLAN card, I bought a Linksys WPC111v3 which, according to http://www.openbsd.org/i386.html#hardware, is supported. Connecting to an open and unsecured Access Point (AP) works fine, but it fails to work with an AP that is protected by WEP (64bits, shared key).

WLAN card: Linksys WPC11v3
AP: Netgear WG602 (WEP 64bits, shared key)

All right, first when I plug the WLAN card in, I get this:

Oct 2 07:37:39 hrodulf /bsd: wi0: PRISM3 ISL37300P, Firmware 1.1.0 (primary), 1.4.2 (station), address 00:06:25:2b:55:5c

It seems the card is recognized, and I have tried both ifconfig and wicontrol to make a connection to my AP, but to no avail.

---BOF---
ifconfig wi0 192.168.200.2 255.255.255.0 nwid "scyld" nwkey "BACE8A21EA"
[EMAIL PROTECTED]: /usr/ports (7:42:29)> ifconfig wi0
wi0: flags=8843 mtu 1500
address: 00:06:25:2b:55:5c
ieee80211: nwid scyld nwkey BACE8A21EA 5dBm (auto)
media: IEEE802.11 autoselect (DS2)
status: no network
inet6 fe80::206:25ff:fe2b:555c%wi0 prefixlen 64 scopeid 0x7
inet 192.168.200.2 netmask 0xff00 broadcast 255.255.255.0
---EOF---

It appears there is no connection to the AP. When I try wicontrol, I still don't get a connection.

---BOF---
wicontrol wi0 -e 1 -k BACE8A21EA -t 3 -n scyld -s scyld -p 1 -A 2 -f 11
[EMAIL PROTECTED]: /usr/ports (7:43:01)> wicontrol wi0 -L
AP Information
ap[0]:
netname (SSID): [ scyld ]
BSSID: [ 00:09:5b:67:71:a5 ]
Channel:[ 11 ]
Beacon Interval:[ 100 ]
Quality/Signal/Noise [signal]: [ 50 / 59 / 9 ]
Capinfo:[ ESS PRIV ]
DataRate [Mbps]:[ 1.0 ]
AvailableRates [Mbps]: [ 1.0 2.0 5.5 11.0 ]
[EMAIL PROTECTED]: /usr/ports (7:43:23)> wicontrol wi0
NIC serial number: [ 99SA0100 ]
Station name: [ scyld ]
SSID for IBSS creation: [ IBSS ]
Current netname (SSID): [ IBSS ]
Desired netname (SSID): [ scyld ]
Current BSSID: [ 44:44:44:44:44:44 ]
Channel list: [ 8191 ]
IBSS channel: [ 11 ]
Current channel:[ 11 ]
Comms quality/signal/noise: [ 0 81 27 ]
Promiscuous mode: [ Off ]
Process 802.11b Frame: [ Off ]
Port type (1=BSS, 3=ad-hoc, 6=Host AP): [ 1 ]
MAC address:[ 00:06:25:2b:55:5c ]
TX rate (selection):[ 3 ]
TX rate (actual speed): [ 2 ]
Maximum data length:[ 2304 ]
RTS/CTS handshake threshold:[ 2347 ]
Create IBSS:[ Off ]
Antenna diversity (0=auto,1=pri,2=aux): [ ]
Microwave oven robustness: [ On ]
Roaming mode(1=firm,3=disable): [ 1 ]
Access point density: [ 1 ]
Power Management: [ Off ]
Max sleep time: [ 100 ]
Enhanced Security mode: [ ]
Intersil Prism2-based card: [ 1 ]
Card info: [ PRISM3 ISL37300P, Firmware 1.4.2 ]
Encryption: [ On ]
Encryption algorithm: [ Firmware WEP ]
Authentication type (1=OpenSys, 2=Shared Key): [ 2 ]
TX encryption key: [ 1 ]
Encryption keys:[ BACE8A21EA ][ ][ ][ ]
---EOF---

Is WEP just not supported or is my syntax wrong? Do you have any idea how to get this to work?

--
Beste Grüße / Best regards,
Nikolaus Hiebaum
Re: Linux expo - London
On Sat, Oct 01, 2005 at 11:34:00PM +0100, ed wrote:
> Is OpenBSD doing anything at the linux conference and expo this week at
> the London Olympia?

http://www.openbsd.org/events.html