Re: OpenBSD on IBM X40 ...
Hi Andreas,

Andreas Bihlmaier wrote,

Besides the LED it works great and rock solid in DS11 Mode, but not at all in DS54 aka 802.11g mode. I hope this mode will be supported soon as well :) It also works wonderful in monitor mode with kismet! (LED off as well)

Oh, I did not get it working. Which source= line you are using?

The source line for kismet.conf is:

source=radiotap_bsd_b,ath0,ath0

My ath is actually an 802.11a,b,g , but radiotap_bsd_ab didn't work for me. This works great with the kismet from ports/packages on 3.8-current (btw. finally it is in ports :) )

Is 802.11g not working?!

At least not for me! I would really like to have a DEFINITE answer on that as well, but so far I only read about people having the same problem (only 802.11b works).

As ssh user I did not recognize any performance issues, maybe I always have 802.11b ;)

But when your home dir is mounted with NFS over IPSEC you will feel the difference, trust me :(

p.s. (at least it works solid as opposed to some other Unix-like-OS)

Yeah, madwifi on my Netgear WGT634U segfaults very often... ;=)

Just one word from the devil ndiswrapper

Greetz, ahb
Re: squid mime-type blocking
ok, req_mime_type -- rep_mime_type and it's ok :-) Thanks a lot
Re: PPTP client
On Wed, 5 Oct 2005, Waldemar Brodkorb wrote:

> Hi,
> Otto Moerbeek wrote,
> > On Fri, 30 Sep 2005, Peter Bako wrote:
> > > I have a situation where I need to connect an OpenBSD box to a MS Windows PPTP server (yep, I know it is not secure, but in this case I have no choice in the matter). After looking around the net I found myself at http://pptpclient.sourceforge.net/. So I downloaded, compiled and installed the program and tried to connect to my test box. (Also compiled a custom kernel using the GENERIC files with only the pseudo-device GRE line commented out.) There aren't any OpenBSD specific instructions on the site, but reading the generic docs, as well as the docs for NetBSD, the PPTP man pages, etc. I think I have enough to get started. However when I try to connect up I get nothing but a list of errors (connection timed out, could not open connection, etc.) I know the path from my OpenBSD box to the test server is correct, because if I plug my Win2k laptop in it is able to successfully connect to the server. As far as I can tell the problem is a lack of MPPE support either in the Kernel or in PPP. However I cannot find any information on how to get this support onto an OpenBSD system. Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would you be kind enough to send me some steps or any other info on how you did it?
> > Check the pptp package. It's a port of pptpclient. There used to be a FAQ entry about pptp, but it somehow was reduced to just mention pptp. The most important thing is to put net.inet.gre.allow=1 into your sysctl.conf. Or compile a kernel without gre(4), but why bother? It's a bit strange the pptp man page still contains instructions to recompile the kernel and does not mention the sysctl. I'll prod the maintainer.
> Oh, that's probably me. What I never understood in the past: Does a PPTP user always have to set net.inet.gre.allow=1 ?

Yes, I think so. Though you should ask somebody like markus@ to confirm that.

-Otto
Re: detect if a flag-day has happened in the meanwhile
On 10/6/05, Antti Nykänen [EMAIL PROTECTED] wrote:
> I think he wants to compare already built kernels, from two different snapshots.

sorry, how couldn't I think about snapshots...

--knitti
OBSD 3.7 @ Samsung P35: Ati powerplay, disable system beeps?
Hi folks, I just installed OpenBSD 3.7 on my Samsung P35 XVM 1600 III. Speedstep works fine, but what about Ati's powerplay? Another problem I have: During system shutdown/reboot the system usually beeps, but on my P35 this beep is very loud, how to disable it? Thanks in advance, Vincent
Two ISP Fault Tolerance Help
Hi to all. One of my clients has got an Internet connection with a not very reliable provider. He reports continual disconnection and so on. I would like to do a second connection with another provider to obtain a sort of redundancy, a fault tolerance. What do I have to do to obtain the automatic connection with both of the providers and to shift to the one that is connected when the other is in trouble? (without problems for the client). Ale
Re: sh-script executing
On Wed, Sep 28, 2005 at 11:53:08AM +0800, Ilya A. Kovalenko wrote:
> Hello,

Greetings,

> I found out that sh(1) reads file in process of execution (instead of read whole file and execute it from memory image), which makes editing such scripts unreliable and/or dangerous. Is there any existing ways to solve this problem ?

just edit a copy, chmod +x and mv(1) it into place.

Regards, Thomas
Re: WLAN (Linksys WPC111) + WEP
can you connect with open authentication (-A 1) when you set to open auth. AP too

From: Nikolaus Hiebaum [EMAIL PROTECTED]
To: OpenBSD mailing list - misc misc@openbsd.org
Subject: Re: WLAN (Linksys WPC111) + WEP
Date: Wed, 5 Oct 2005 23:34:19 +0200 (CEST)

ifconfig wi0 192.168.200.2 255.255.255.0 nwid scyld nwkey BACE8A21EA

According to the ifconfig man page, The key can either be a string, a series of hexadecimal digits (preceded by `0x'), or a set of keys... So I would try that.

Unfortunately, that didn't help.

--
Beste Grüße / Best regards,
Nikolaus Hiebaum
Re: sh-script executing
TK> just edit a copy, chmod +x and mv(1) it into place.

Slightly complicated, but works, because mv(1) removes old file, so sh(1) working either old version or new one (no hybrids).
Re: sh-script executing
On 06/10/05, Ilya A. Kovalenko [EMAIL PROTECTED] wrote:
> TK> just edit a copy, chmod +x and mv(1) it into place.
> Slightly complicated, but works, because mv(1) removes old file, so sh(1) working either old version or new one (no hybrids).

Yes, sh(1) will probably keep a descriptor to the old file and keep using it until done. However, does this have any kind of other implications? The behaviour that Ilya pointed out would not occur to me to be expected...

--
Andreas Kahari
Re: sh-script executing
On Thu, 6 Oct 2005, Andreas Kahari wrote:

> On 06/10/05, Ilya A. Kovalenko [EMAIL PROTECTED] wrote:
> > TK> just edit a copy, chmod +x and mv(1) it into place.
> > Slightly complicated, but works, because mv(1) removes old file, so sh(1) working either old version or new one (no hybrids).
> Yes, sh(1) will probably keep a descriptor to the old file and keep using it until done. However, does this have any kind of other implications? The behaviour that Ilya pointed out would not occur to me to be expected...

I know this behaviour from every Unix system I've worked on. Besides, the nice thing about the current way of doing things is that you can read a script from a pipe and have the desired behaviour without any special case code.

-Otto
Transit with OpenBGPd... How to allow only on or two as neighbor only ?
Hello,

I'd like to find the good working solution when sending AS announces to our peering / transit neighbor. In fact on bgpd.conf man page we have:

neighbor $peer1 {
	remote-as 65001
	announce foo
}

With foo: announce (all|none|self|default-route)

Problem is that I need to announce for example a pair of AS number.. How can I do that with openbgpd?

Thanks!

/Xavier
--
If you keep trying, you eventually succeed. So the more it fails, the better the chance that it works... (Shadok proverb)
Re: sh-script executing
Andreas Kahari wrote:
> Yes, sh(1) will probably keep a descriptor to the old file and keep using it until done. However, does this have any kind of other implications? The behaviour that Ilya pointed out would not occur to me to be expected...

In the meanwhile this behaviour has been changed in CVS. Perhaps this will get backported as well. And if not it's pretty easy to backport I'd guess.

# Han
Re: sh-script executing
On Thu, 6 Oct 2005, Han Boetes wrote:

> Andreas Kahari wrote:
> > Yes, sh(1) will probably keep a descriptor to the old file and keep using it until done. However, does this have any kind of other implications? The behaviour that Ilya pointed out would not occur to me to be expected...
> In the meanwhile this behaviour has been changed in CVS. Perhaps this will get backported as well. And if not it's pretty easy to backport I'd guess.

What commit are you referring to? You can say that I'm closely involved, but I have no idea which commit you are referring to.

-Otto
Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?
On Thu, Oct 06, 2005 at 03:18:41PM +0200, Xavier Beaudouin wrote:

> Hello, I'd like to find the good working solution when sending AS announces to our peering / transit neighbor. In fact on bgpd.conf man page we have:
>
> neighbor $peer1 {
> 	remote-as 65001
> 	announce foo
> }
>
> With foo: announce (all|none|self|default-route)
> Problem is that I need to announce for example a pair of AS number.. How can I do that with openbgpd?

The announce keyword is mostly for simple setups. For transit providers announce should be set to all and real bgp filtering should be used. The idea of announce is that small multihomed setups with e.g. two uplinks just work in a safe manner (defaulting to self and so not the full table is reexported).

--
:wq Claudio
Re: Fwd: ntop
Ntop has a built in webserver that displays data in html that can be viewed from any workstation.

Shane

- Original Message -
From: Andreas Bihlmaier [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Thursday, October 06, 2005 1:30 AM
Subject: Re: Fwd: ntop

I think he wants to compile version 3.1 - in ports tree there is version 1.1. Are there any plans yet about porting newer version of ntop in next versions of obsd?

Just as a question: In what way is ntop superior to pftop -v speed -o rate ? Sure it perhaps is a matter of preference, but I just want to know :)

Jernej

On 10/1/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:

What platform are you on? Are you compiling it from source? It works just fine in 3.7/i386. Just:

bash-3.00# cd /usr/ports/net/ntop make install clean

If you insist on source, try looking at /usr/ports/net/ntop/patches/* Try reading about Ports in the FAQ.

~BAS

Greetz, ahb
openbgpd server hardware
Hello - We are planning to build an OpenBSD server to be our edge router. We are terminating 5 DS3's into two Cisco routers and using bridge-groups and vlans to separate the connections. This works very well in our test setup. We plan on building two servers and using carp for redundancy. Our initial setup includes AMD Opterons with 1GB RAM. We will need PCI-X, or at least PCI/66Mhz NIC's for this project. I have been told SysKonnect is the way to go, but to wait on support for their new SK-9SXX series cards. We need 2 dual-port gigabit cards. The time is approaching where we need to implement this. Do any of the developers know the status of the support for the SysKonnect SK-9SXX series? What gigabit chipsets should be my second choice? Thanks David
Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.
On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:

> More on this with test results, example, setup use, and more details.
>
> == Without MD5 configure.
>
> With bgpd master
> Clear session from bgpd side, session comes back up right away.
> Clear session from remote side, session comes back up with delay.
>
> With bgpd slave
> Clear session from bgpd side, session comes back up with delay.
> Clear session from remote side, session comes back up with possible very long delay. Much bigger than when master.

I see similar delays with my test setup. Most of the time it takes longer for a session to come back up because of different timers that are run. After a clear a reopen is tried immediately and that is most often blocked. In my case the cisco seems to be too slow to close the session in time for the reopen. It also matters where you close the connection because in one case the idle timer is run (30s) instead of the connect retry timer (120s). Also the idle timer starts to grow if you flap the session often.

> Now with MD5 configure. We only add tcp md5sig password test on bgpd side and neighbor 66.63.12.108 password test on the Cisco side.
>
> With bgpd master
> Clear session from bgpd side, session comes back up right away.
> Clear session from remote side, session comes back up with possible very long delay.
>
> With bgpd slave
> Just can't establish a session what so ever! The Cisco side will get stuck in the OpenSent mode and cycle a few times all without success.
> 66.63.12.1084 65001 0 1000 neverOpenSent

I can't reproduce this. On my test setup all sessions come back up.

> ...
> Now looking at the logs from each side. OpenBSD try to use the port tcp/56923 and from the Cisco side we see this error:
> 35: *Oct 5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> 36: *Oct 5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)

This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST packets. Now that's just stupid because it is not possible to do that in some cases because the other side does not know the key at that time (e.g. to signalize that the port is unavailable). In your case this means that somehow the connection from the cisco to your OpenBSD box is blocked or there is nothing listening on port 179.

> Looks like the OpenBSD side do not provide the MD5 to the Cisco to establish the session.

OpenBSD only misses the MD5 digest on the RST packets and that is actually OK. RFC 2385 actually mentions this special case in 4.1:

    A connectionless reset will be ignored by the receiver of the reset, since the originator of that reset does not know the key, and so cannot generate the proper signature for the segment. This means, for example, that connection attempts by a TCP which is generating signatures to a port with no listener will time out instead of being refused. Similarly, resets generated by a TCP in response to segments sent on a stale connection will also be ignored. Operationally this can be a problem since resets help BGP recover quickly from peer crashes.

> It doesn't matter if I clean the session from the Cisco side, or the bgpd side, order, etc. Both side, many times, what ever. It will simply not come up! Even reloading the Cisco router and killing the bpgd and starting new, it will not come up! Always the same errors in the logs. No MD5 digest received from the OpenBSD side looks like.

Does it initially come up? As I said I can not reproduce it.

> === Why is bgpd will not establish a session as slave when MD5 is configure even if the RFC said both sides should be allow to do so? bgpd wants to be the master every time? Something sure looks weird here.

Are you running pf? Perhaps the packet get blocked or modified on the way in and so the session is reset. Check with netstat -sptcp for the md5 counters.

BTW. I mostly reused your config. I just disabled soft-reconfig inbound because my 2500 testbox would probably not survive that.

--
:wq Claudio
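The receiver-side check that RFC 2385 section 4.1 describes, as an added example (not part of the thread, and not OpenBSD or Cisco code): it computes the TCP MD5 signature and shows why a reset sent without the key is dropped instead of tearing the session down. The 192.0.2.x addresses and sequence numbers are constructed; the password "test" and the ports 179 and 56923 are the ones quoted in the posts above.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19        # option kind defined by RFC 2385
TCPOLEN_MD5SIG = 18       # kind + length + 16-byte MD5 digest
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over: pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), segment data, then the shared key (RFC 2385 section 2.0)."""
    header_len = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed) + segment[header_len:] + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                  payload=b"", key=None):
    """Return TCP header + options + payload, signed when a key is given.
    The TCP checksum is left at zero; it plays no part in this example."""
    options = b""
    if key is not None:
        # 18-byte option padded with two NOPs to a 4-byte boundary
        options = (bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + bytes(16)
                   + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         offset_words << 4, flags, 16384, 0, 0)
    segment = header + options + payload
    if key is not None:
        digest = rfc2385_digest(src_ip, dst_ip, segment, key)
        segment = segment[:22] + digest + segment[38:]
    return segment


def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            break
        length = segment[i + 1]
        if length < 2 or i + length > end:
            break                          # malformed option
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return segment[i + 2:i + 18]
        i += length
    return None


def receive(src_ip, dst_ip, segment, key):
    """Decision of a peer that has a key configured for this neighbor."""
    got = find_md5_option(segment)
    if got is None:
        return "drop: no MD5 digest"
    if not hmac.compare_digest(got, rfc2385_digest(src_ip, dst_ip, segment, key)):
        return "drop: bad MD5 digest"
    return "accept"


def demo():
    key = b"test"                          # password from the thread's configs
    a, b = "192.0.2.1", "192.0.2.2"        # constructed addresses
    syn = build_segment(a, b, 56923, 179, 1000, 0, TH_SYN, key=key)
    # A host with no listener (or no key for this peer) answers with a plain RST.
    rst = build_segment(b, a, 179, 56923, 0, 1001, TH_RST | TH_ACK)
    wrong = build_segment(a, b, 56923, 179, 1000, 0, TH_SYN, key=b"other")
    tampered = bytearray(syn)
    tampered[7] ^= 0x01                    # flip one bit of the sequence number
    return {
        "signed SYN": receive(a, b, syn, key),
        "unsigned RST": receive(b, a, rst, key),
        "wrong key": receive(a, b, wrong, key),
        "tampered": receive(a, b, bytes(tampered), key),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

The "unsigned RST" case is the one behind the %TCP-6-BADAUTH lines: the sender of the SYN never sees a usable reset, so the attempt times out instead of being refused.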
Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?
[...]

> The announce keyword is mostly for simple setups. For transit providers announce should be set to all and real bgp filtering should be used. The idea of announce is that small multihomed setups with e.g. two uplinks just work in a safe manner (defaulting to self and so not the full table is reexported).

Thanks Claudio,

But can you provide me a more detailed example. Because I have some difficulties to make a filter for such setup...

/Xavier
--
If you keep trying, you eventually succeed. So the more it fails, the better the chance that it works... (Shadok proverb)
unsuscribe
unsuscribe Ricardo german Kärcher [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Fwd: Fwd: ntop
Again forgot to cc:

-- Forwarded message --
From: Jernej Vodopivec [EMAIL PROTECTED]
Date: Oct 6, 2005 5:22 PM
Subject: Re: Fwd: ntop
To: Andreas Bihlmaier [EMAIL PROTECTED]

ntop
- displays data in html
- can be viewed from any workstation without installing additional products so - it is easier to use
- displays traffic statistics
- stores statistics data...

Jernej

On 10/6/05, Andreas Bihlmaier [EMAIL PROTECTED] wrote:
> Just as a question: In what way is ntop superior to pftop -v speed -o rate ? Sure it perhaps is a matter of preference, but I just want to know :)
Re: sh-script executing
Otto Moerbeek wrote:

> On Thu, 6 Oct 2005, Han Boetes wrote:
> > In the meanwhile this behaviour has been changed in CVS. Perhaps this will get backported as well. And if not it's pretty easy to backport I'd guess.
> What commit are you referring to? You can say that I'm closely involved, but I have no idea which commit you are referring to.

Oops I completely misread this message. My bad.

- Synopsis: sh executing extra lines, if script file was changed (grown) during execution
State-Changed-From-To: open-closed
State-Changed-By: tom
State-Changed-When: Thu Oct 6 05:16:19 MDT 2005
State-Changed-Why: Don't edit shell scripts while they are running. This is standard UNIX behaviour. Sorry.

--
# Han
Error on pkg_add on openbsd 3.8
Hello, I have smaller server with openbsd 3.8 on it. It's all doing great, except the function pkg_add. I get:

bash-3.00# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/s.../symon-2.71.tgz
Can't locate object method add_size via package OpenBSD::PackingElement::FDESC at /usr/libdata/perl5/OpenBSD/PackingElement.pm line 545, $fh line 8.

How to fix that? thanks
Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?
On 06/10/05, Xavier Beaudouin [EMAIL PROTECTED] wrote:

> [...]
> > The announce keyword is mostly for simple setups. For transit providers announce should be set to all and real bgp filtering should be used. The idea of announce is that small multihomed setups with e.g. two uplinks just work in a safe manner (defaulting to self and so not the full table is reexported).
> Thanks Claudio, But can you provide me a more detailed example. Because I have some difficulties to make a filter for such setup...

The best way to make a scalable setup is by using bgp communities. That way your transit/peering routers advertise based on information you can set on origin or ingress into your network, not depending on the prefix/as itself.

I have not checked how bgpd and community support looks in -current, but when experimenting a few months back I had some problems with setting multiple communities and I was also forced to use an external route-server to see what was happening in my test network. I intend to give this a new try when I have finished the project I'm currently working on.

/Tony
--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, I couldn't help it, it's my nature =-
kernel pppoe problem : pppoe0 : timeout
Hello, (sorry for the long post!)

I used the ppp pppoe (for my dsl connection) for some while and decided to switch to the kernel implementation. I'm actually having a problem with kernel pppoe, after a reboot or when I try to connect/reconnect it takes about 1 minute before it is able to connect. While running ifconfig pppoe0 debug (see below) I noticed a few pppoe0: timeout

When I used the ppp's pppoe implementation the connection and reconnection were almost instant.

For information, here is my old ppp.conf:

default:
 set log Phase tun command
 set redial 7 0
 set reconnect 7 1
provider:
 set device !/usr/sbin/pppoe -i sis2
 disable acfcomp iface-alias deflate protocomp vjcomp pred1 ipv6cp
 deny acfcomp
 set mtu max 1454
 set mru max 1454
 set speed sync
 enable lqr
 set lqrperiod 5
 set dial
 set login
 set timeout 0
 set authname xyz
 set authkey xyz
 add default HISADDR
 enable mssfixup
 set server /var/run/internet 0177

Now, here is my new hostname.pppoe0

pppoedev sis2
!/sbin/ifconfig sis2 up media 10baseT
!/usr/sbin/spppcontrol \$if myauthproto=pap myauthname=xyz \
	myauthkey=xyz
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x link1
!/sbin/route add default 0.0.0.1
!/usr/local/sbin/noip2 -c /etc/no-ip2.conf
up

Here is my dmesg and ifconfig pppoe0 debug output:
Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.
Claudio Jeker wrote:

> > With bgpd master
> > Clear session from bgpd side, session comes back up right away.
> > Clear session from remote side, session comes back up with delay.
> > With bgpd slave
> > Clear session from bgpd side, session comes back up with delay.
> > Clear session from remote side, session comes back up with possible very long delay. Much bigger than when master.
> I think this is fixed in -current. Henning committed something to make the delays on neighbor clears faster.

My first tests was done with current (sep 29), but with a small difference in the setup lab. It was done in live network. But I will sure redo it again. It's too important to me for not be 150% sure it's working well. So far, it just wasn't. I have well over 100+ peer sessions, of which ~70+ are using MD5 and I can't not have them stable. Plus I have no choice as well to either buy bigger Cisco routers, and hell I don't want that! Or use OpenBSD and that's what I want. I am fed up with CPU limitation power of Cisco and I will kiss them goodbye!

> > Even reloading the Cisco router and killing the bpgd and starting new, it will not come up! Always the same errors in the logs. No MD5 digest received from the OpenBSD side looks like.
> It looks like the tcpmd5 is enabled too late when opening a session. I try to have a look at it.

You have no idea how much I would appreciate that! I started to look at the code, but that's a long process for me.

> > === Why is bgpd will not establish a session as slave when MD5 is configure even if the RFC said both sides should be allow to do so? bgpd wants to be the master every time? Something sure looks weird here.
> That's more like a bug. Btw. MD5 between two bgpd is working, at least it works for me.

That's what I thought, but I know better than starting to say there is a bug. Before I do, I sure want to be sure, but it does look like it to me however so far. My tests so far show that you can have MD5 as long as OpenBSD is master, but clear sessions, depending which side initiate it, doesn't come back in one case and are slow in the other. (That was with 3.7 for my last tests on this one) Will redo.

> > == But it should be establish however for MD5 for sure as any sides can be the master in a bgp session. However, not here? Comments on this? I think my tests are valid. Am I doing something I should be doing here? I don't think so, but that's what I found so far and why I can't keep a stable session with MD5 enable on it.
> For me it looks like a bug for now.

Same thought here.

Daniel
Re: kernel pppoe problem : pppoe0 : timeout
concerning my original post: sorry, I made a typo error in my hostname.pppoe0. I have this line: !/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x I do NOT have link1 in the line, as written in the previous mail!!!
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 16:55:05 +0400 Vladimir Potapov [EMAIL PROTECTED] wrote:

> We have 1 server on which running firewall and DNS master service. And we planned to install another server for load balancing and redundancy. 2 servers(each have running PF and BIND) will balancing load (or one will master and other slave) for DNS and PF. Does anyone protect DNS service via CARP and PFsync? Does it work? Whether there can be problems(for example, with zones transfers, dns queries

Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

pass in on $ext_if proto udp from any to $DNS port 53 keep state

and if required:

pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

I use TinyDNS here, so we don't really need to transfer zones as it's handled with a single data file. CARP can be good with DNS.

--
Regards, Ed
http://www.usenix.org.uk
Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.
Claudio Jeker wrote:

> On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:
> > == Without MD5 configure.
> > With bgpd master
> > Clear session from bgpd side, session comes back up right away.
> > Clear session from remote side, session comes back up with delay.
> > With bgpd slave
> > Clear session from bgpd side, session comes back up with delay.
> > Clear session from remote side, session comes back up with possible very long delay. Much bigger than when master.
> I see similar delays with my test setup. Most of the time it takes longer for a session to come back up because of different timers that are run. After a clear a reopen is tried immediately and that is most often blocked. In my case the cisco seems to be too slow to close the session in time for the reopen. It also matters where you close the connection because in one case the idle timer is run (30s) instead of the connect retry timer (120s). Also the idle timer starts to grow if you flap the session often.

The interesting facts here for me were how different it was for each side. I did this many times 10x+ on each setup to see. bgpd master to Cisco and clear from bgpd side to Cisco, the Cisco session comes back up instantly. As for Cisco master initiate clear to bgpd, was the slowest by far. I mean much longer. The other two possibilities are pretty much equal. It was interesting finding nevertheless. Why, I am not sure however.

> > Now with MD5 configure. We only add tcp md5sig password test on bgpd side and neighbor 66.63.12.108 password test on the Cisco side.
> > With bgpd master
> > Clear session from bgpd side, session comes back up right away.
> > Clear session from remote side, session comes back up with possible very long delay.
> > With bgpd slave
> > Just can't establish a session what so ever! The Cisco side will get stuck in the OpenSent mode and cycle a few times all without success.
> > 66.63.12.1084 65001 0 1000 neverOpenSent
> I can't reproduce this. On my test setup all sessions come back up.

I will try current again, and send even more details on my setup, or if you ever want to check it out, I have no problem whatsoever to provide you access to both boxes directly for you to check it out as well. Just say the words if interested? I try Cisco IOS 12.3x and 12.4x, same results so far.

> > Now looking at the logs from each side. OpenBSD try to use the port tcp/56923 and from the Cisco side we see this error:
> > 35: *Oct 5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> > 36: *Oct 5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
> This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST packets. Now that's just stupid because it is not possible to do that in some cases because the other side does not know the key at that time (e.g. to signalize that the port is unavailable). In your case this means that somehow the connection from the cisco to your OpenBSD box is blocked or there is nothing listening on port 179.

Last tests at ~5 AM this morning, still show me this and nothing was in the path for blocking it at all. I will recheck as it's been a few days without sleep so far, so I admit, I could start to be fuzzy a bit. Lack of sleep, but I will make sure before saying false things here. But in any case, not that I like it whatsoever, I am not sure of the Cizzz-coee stuff. The sad thing is that they have a huge portions of the Internet routers still, hopefully changing quickly, but still, we need to interact with them a lot.

> > Looks like the OpenBSD side do not provide the MD5 to the Cisco to establish the session.
> OpenBSD only misses the MD5 digest on the RST packets and that is actually OK. RFC 2385 actually mentions this special case in 4.1:
>
>     A connectionless reset will be ignored by the receiver of the reset, since the originator of that reset does not know the key, and so cannot generate the proper signature for the segment. This means, for example, that connection attempts by a TCP which is generating signatures to a port with no listener will time out instead of being refused. Similarly, resets generated by a TCP in response to segments sent on a stale connection will also be ignored. Operationally this can be a problem since resets help BGP recover quickly from peer crashes.

I can deal with that delay and I agree that it makes sense to refuse the reset, or ignore it, however, looks like so far, the session doesn't reset. Maybe because it does receive message still from the Cisco side on wrong ports, but somehow see it as keep alive. I really don't know what I am saying here, just a weird thoughts, but so far the results are that it doesn't reset. I will test in more details again. But just know that something is not active in the best interest of the session here
Re: CARP+Pfsync+Bind
** Reply to message from ed [EMAIL PROTECTED] on Thu, 6 Oct 2005 14:04:20 +0100

> Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and gets a 'truncated' UDP reply, so the resolver retries the query using TCP) -- you should always pass both UDP and TCP for port 53 to avoid occasional obscure failures.

> pass in on $ext_if proto udp from any to $DNS port 53 keep state
>
> and if required:
>
> pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

Dave

-- Dave Anderson [EMAIL PROTECTED]
Re: WLAN (Linksys WPC111) + WEP
* Joost Tr wrote on Oct 6, 2005 [10:00, -] :
> can you connect with open authentication (-A 1) when you set to open auth. AP too

Yes, with open authentication it works. I am not savvy enough to understand the difference. What is the difference between open and shared key? And what does it mean that the open auth. works and the shared one doesn't?

-- Beste Grüße / Best regards, Nikolaus Hiebaum
Re: CARP+Pfsync+Bind
On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... I use TinyDNS here, so we don't really need to transfer zones as its handled with a single data file. CARP can be good with DNS. 53/tcp *is* required to answer normal queries. Since you're drinking djb's koolaid, see http://cr.yp.to/djbdns/tcp.html#why 512-bytes uncommon or a mistake? I think not.
Re: [Soekris] Ubiquity 400mW mini-PCI
maybe this link helps: http://www.exergia.biz/ptp/exap-GMF.htm
High Interrupt Mode Reported by 'Top' for Soekris 4801
I am a new owner of two Soekris 4801s running OpenBSD 3.7 (generic) with pf/pfsynch/carp for redundant firewalling. I've encountered a problem with high interrupts (and some packet loss), and after having perused the on-line FAQ/forums and finding nothing that I could identify as matching the symptoms I've observed, I am now looking for pointers on how to isolate the problem and perhaps fix it. I have sis0 in use for the outer interface, sis2 for the inner, sis1 for pfsync. There is an inner carp'd interface address (carp0) and an outer (carp1). The configuration is generally along the lines of the FAQ and man pages. When traffic through the Soekris reaches approximately 4Mbs, the interrupt mode reported by top reaches 75% or higher and there is a measurable packet loss (1% - 5% or so). From 'pfctl -si', the congestion counter goes up rapidly when the interrupts are highest. The interrupt mode increases as the traffic volume increases, and goes down to about 1% when I failover to the other firewall. When I failover, I observe exactly the same behavior on the newly active firewall. Checking forums, I see that there have been reports of very high interrupts on the sis device in the past for OpenBSD on Soekris, but I read that these were all corrected in recent OpenBSD releases (and the problem I read about only applied whenever one sis interface was left 'down', which is not the case for my circumstances since all interfaces are in use). I've checked with Soekris, and they've not heard of symptoms such as I describe with OpenBSD 3.7. I've not noticed anything amiss in dmesg or /var/log/messages (well, all sis devices are sharing IRQ 10 but this is normal on a 4801, the FAQ states that this is not a problem, and other 4801 users haven't reported symptoms like the ones I describe). I haven't posted dmesg or other info in this message (I thought it might be rude to do so without being asked). Can anyone offer pointers on how I might go about isolating this problem? 
Bill -- William Bloom| Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com
Re: xorg with Nvidia Go5600 at 1600x1200
On Thursday, 6 October 2005 11:36 you wrote:

Hi Stefan,

    (II) NV(0): Not using mode 1600x1200 (no mode of this name)

This seems to be your problem. Caused by this:

    (II) NV(0): Not using default mode 1600x1200 (hsync out of range)

You should try to create a modeline for 1600x1200 matching your screen's capabilities. gtf(1) seems to be the way to go for that.

Regards, Stephan
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 15:49:02 -0400 Dave Anderson [EMAIL PROTECTED] wrote:
> That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and gets a 'truncated' UDP reply, so the resolver retries the query using TCP) -- you should always pass both UDP and TCP for port 53 to avoid occasional obscure failures.

Works fine on the 2 domains where it's been implemented, of which I handled the conversion from BIND style to djbdns. No problems on UDP lookups alone, including some deep CNAMEs, which are just not required, but I'll deal with those at a later date. I haven't seen any problems since the change. Lookup times have improved, I can't state if this is due to the lack of TCP or the file system overheads with zone files, but I expect a mixture of the two.

-- Regards, Ed http://www.usenix.org.uk
About VLAN and Carp
Hi Everyone,

I am using OpenBSD and the great pf in a production environment. I want to be able to use vlan and carp at the same time. I have two firewalls. These two boxes are responsible for a number of subnets. I want to have a number of vlan defined on the openbsd to feed my Distribution Switch. Now I can do it, but only on the physical interface so I lose the redundancy. On a cisco, it would mean having a few VLAN with a router-interface for each. Each virtual interface would have VRRP enabled. When I try

    ifconfig vlan0 vlan 11 vlandev carp0

It gives me an error. Is there a way to do that?

Regards

Leo Goehrs CTO Work: +33 1 39 02 76 15 Mobile: +33 6 89 99 14 06 Fax: +33 1 39 02 01 51 Email: [EMAIL PROTECTED] IM: 10257254 (ICQ) Alionis http://www.alionis.net 15 rue de la Paroisse Versailles 78000 France
Sendmail TLS
Hello list,

I'm trying to set up a sendmail config using tls to use gmail as a smart-host. I made a copy of openbsd-proto.mc as follows:

    divert(-1)
    #
    # Default OpenBSD sendmail configuration for systems accepting mail
    # from the internet.
    #
    # Note that lines beginning with dnl below are comments.
    divert(0)dnl
    VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
    OSTYPE(openbsd)dnl
    define(`SMART_HOST', `smtp.gmail.com')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
    define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
    define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
    FEATURE(nouucp, `reject')dnl
    FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')dnl
    FEATURE(`blacklist_recipients')dnl
    FEATURE(`use_cw_file')dnl
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
    FEATURE(`use_ct_file')dnl
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
    FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
    FEATURE(always_add_domain)dnl
    FEATURE(redirect)dnl
    FEATURE(`no_default_msa')dnl
    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
    DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
    DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
    DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=E')dnl
    CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
    CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
    define(`confBIND_OPTS', `WorkAroundBroken')dnl
    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/localsendmailcert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/localsendmailkey.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/localsendmailcert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/localsendmailkey.pem')dnl
    MAILER(local)dnl
    MAILER(smtp)dnl
    LOCAL_RULESETS
    HMessage-Id: $>CheckMessageId
    SCheckMessageId
    R< $+ @ $+ > $@ OK
    R$* $#error $: 553 Header Error

Followed by:

    # make mysendmail.cf
    rm -f mysendmail.cf
    ( cd /usr/share/sendmail/cf /usr/bin/m4 /usr/share/sendmail/cf/../m4/cf.m4 mysendmail.mc /usr/share/sendmail/cf/mysendmail.cf )
    echo ### mysendmail.mc ### mysendmail.cf
    sed -e 's/^/# /' /usr/share/sendmail/cf/mysendmail.mc mysendmail.cf
    chmod 444 mysendmail.cf

Then I created the necessary certificates:

    $ sudo mkdir /etc/mail/certs
    $ sudo openssl dsaparam 1024 -out dsa1024.pem
    Generating DSA parameters, 1024 bit long prime
    This could take some time
    +..++++*
    .+..+...+.+.+.++.+...+...+..+.+...+.+.+...+..+...+.+++*
    $ sudo openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem -out /etc/mail/certs/localsendmailcert.pem -keyout /etc/mail/certs/localsendmailkey.pem
    Generating a 1024 bit DSA private key
    writing new private key to '/etc/mail/certs/localsendmailkey.pem'
    -
    You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
    -
    Country Name (2 letter code) []:FR
    State or Province Name (full name) []:Alsace
    Locality Name (eg, city) []:Strasbourg
    Organization Name (eg, company) []:Me
    Organizational Unit Name (eg, section) []:mail
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:[EMAIL PROTECTED]
    $ sudo ln -s /etc/mail/certs/localsendmailcert.pem /etc/mail/certs/CAcert.pem
    $ sudo rm dsa1024.pem
    $ sudo chmod -R go-rwx /etc/mail/certs

Then I ran sendmail with -C/etc/mail/mysendmail.cf

When I tried to send an email from mutt, I got the following log:

    Oct 6 22:53:04 castor sm-mta[29257]: starting daemon (8.13.4): [EMAIL PROTECTED]:30:00
    Oct 6 22:53:06 castor sm-mta[20830]: STARTTLS=client, relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
    Oct 6 22:53:06 castor sm-mta[20830]: j95E6r6E009458: to=[EMAIL PROTECTED], delay=1+06:46:13, xdelay=00:00:02, mailer=relay, pri=5611353, relay=smtp.gmail.com [72.14.205.109], dsn=5.0.0, stat=Service unavailable
    Oct 6 22:55:14 castor sendmail[17077]: j96KtEQB017077: from=ericd, size=561, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
    Oct 6 22:55:14 castor sendmail[17077]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-DSS-AES256-SHA, bits=256/256
    Oct 6 22:55:14 castor sm-mta[721]: STARTTLS=server, [EMAIL PROTECTED] [127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-DSS-AES256-SHA, bits=256/256
    Oct 6 22:55:14 castor sm-mta[721]: j96KtEx1000721: from=[EMAIL
Re: xorg with Nvidia Go5600 at 1600x1200
Add this to your xorg.conf in the Device section for the nv driver: Option FlatPanel True and remove the Modes lines in the Screen section. It should default to the largest res it can find. Then double check the HorizSync and VertRefresh you have defined in the Monitor section. On 06/10/05, stefan hoffmann [EMAIL PROTECTED] wrote: Hi, thank you for your answer. pirge wrote: nv will do 1600x1200 - I run a geforce 2 go (dell inspiron 8100) with openbsd 3.7 generic at that resolution. Reading the nv man page I'm not sure it supports the Go5600..? As you can see in the log, the chipset is listed. Need to see your xorg.conf and xorg log ---xorg.conf: ---# File generated by xorgconfig. # all comments removed Section Module Loaddbe # Double buffer extension SubSection extmod Optionomit xfree86-dga # don't initialise the DGA extension EndSubSection Loadtype1 Loadfreetype EndSection Section Files RgbPath/usr/X11R6/lib/X11/rgb FontPath /usr/X11R6/lib/X11/fonts/misc/ FontPath /usr/X11R6/lib/X11/fonts/TTF/ FontPath /usr/X11R6/lib/X11/fonts/Type1/ FontPath /usr/X11R6/lib/X11/fonts/CID/ FontPath /usr/X11R6/lib/X11/fonts/75dpi/ FontPath /usr/X11R6/lib/X11/fonts/100dpi/ FontPath /usr/X11R6/lib/X11/fonts/local/ EndSection Section ServerFlags EndSection Section InputDevice Identifier Keyboard1 Driver kbd Option AutoRepeat 500 30 Option XkbRules xorg Option XkbModel pc104 Option XkbLayout de EndSection Section InputDevice Identifier Mouse1 Driver mouse Option Protocolwsmouse Option Device /dev/wsmouse Option ZAxisMapping 4 5 EndSection Section Monitor Identifier My Monitor HorizSync 31.5 - 64.3 VertRefresh 40-150 EndSection Section Device Identifier Standard VGA VendorName Unknown BoardName Unknown Driver vga EndSection # Device configured by xorgconfig: Section Device Identifier nVidia Go5600 Driver nv EndSection Section Screen Identifier Screen 1 Device nVidia Go5600 Monitor My Monitor DefaultDepth 24 Subsection Display Depth 16 Modes 1280x1024 1024x768 800x600 640x480 ViewPort0 0 
EndSubsection Subsection Display Depth 24 Modes 1600x1200 1280x1024 800x600 640x480 ViewPort0 0 EndSubsection EndSection Section ServerLayout Identifier Simple Layout Screen Screen 1 InputDevice Mouse1 CorePointer InputDevice Keyboard1 CoreKeyboard EndSection ---xorg.conf. ---Xorg.0.log: (--) checkDevMem: using aperture driver /dev/xf86 (--) Using wscons driver in pcvt compatibility mode (version 3.32) (WW) GARTInit: AGPIOC_INFO failed (Device not configured) X Window System Version 6.8.2 Release Date: 9 February 2005 X Protocol Version 11, Revision 0, Release 6.8.2 Build Operating System: OpenBSD 3.7 i386 [ELF] Current Operating System: OpenBSD tymon.my.domain 3.7 GENERIC#50 i386 Build Date: 16 March 2005 Before reporting problems, check http://wiki.X.Org to make sure that you have the latest version. Module Loader present Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown. 
(==) Log file: /var/log/Xorg.0.log, Time: Thu Oct 6 13:25:14 2005 (==) Using config file: /etc/X11/xorg.conf (==) ServerLayout Simple Layout (**) |--Screen Screen 1 (0) (**) | |--Monitor My Monitor (**) | |--Device nVidia Go5600 (**) |--Input Device Mouse1 (**) |--Input Device Keyboard1 (**) FontPath set to /usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/TTF/,/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/CID/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/X11R6/lib/X11/fonts/local/ (**) RgbPath set to /usr/X11R6/lib/X11/rgb (==) ModulePath set to /usr/X11R6/lib/modules (II) Module ABI versions: X.Org ANSI C Emulation: 0.2 X.Org Video Driver: 0.7 X.Org XInput driver : 0.4 X.Org Server Extension : 0.2 X.Org Font Renderer : 0.4 (II) Loader running on openbsd (II) LoadModule: bitmap (II) Loading /usr/X11R6/lib/modules/fonts/libbitmap.a (II) Module bitmap: vendor=X.Org Foundation compiled for 6.8.2, module version = 1.0.0 Module class: X.Org Font Renderer ABI class: X.Org Font Renderer, version 0.4 (II) Loading font Bitmap (II) LoadModule: pcidata (II) Loading /usr/X11R6/lib/modules/libpcidata.a (II) Module pcidata: vendor=X.Org Foundation compiled for 6.8.2, module version = 1.0.0 ABI class: X.Org Video Driver, version 0.7
Re: WLAN (Linksys WPC111) + WEP
Here's an explanation of open vs shared http://www.dslreports.com/forum/remark,8645211~reverse=0;days=10;root=wlan;mode=full

> From: Nikolaus Hiebaum [EMAIL PROTECTED]
> To: OpenBSD mailing list - misc misc@openbsd.org
> Subject: Re: WLAN (Linksys WPC111) + WEP
> Date: Thu, 6 Oct 2005 22:03:50 +0200 (CEST)
>
> * Joost Tr wrote on Oct 6, 2005 [10:00, -] :
> > can you connect with open authentication (-A 1) when you set to open auth. AP too
>
> Yes, with open authentication it works. I am not savvy enough to understand the difference. What is the difference between open and shared key? And what does it mean that the open auth. works and the shared one doesn't?
>
> -- Beste Grüße / Best regards, Nikolaus Hiebaum
Re: High Interrupt Mode Reported by 'Top' for Soekris 4801
If the Soekris did not come with ethernet chipsets which are just slightly over the bar of rl(4), the wimpy processor in the machine might be able to cope.
The Wikipedia article on OpenBSD
Recently I and several other people have worked to improve the OpenBSD article contained in the Wikipedia, I'm sure I need not explain how it works. Anyways, I've worked to get as much easily accessible information regarding OpenBSD in that article as possible and I've pretty much run into a wall, I've got little else I can add. I am putting a call out to the OpenBSD community at large to give a look at the article and see if they can improve it, fleshing out anything that has gaps and explaining some of the more complex concepts. Things like OpenBSD centred screenshots would be nice if people would be willing to upload them and list them in the gallery. I would have put this on the advocacy list, but really it seems to be dead and most advocacy seems to run through the misc list. Thanks http://en.wikipedia.org/wiki/OpenBSD
Re: About VLAN and Carp
On Thu, Oct 06, 2005 at 11:17:04PM +0200, Léo Goehrs wrote:
> ifconfig vlan0 vlan 11 vlandev carp0
> It gives me an error. Is there a way to do that?

Yes there is. The vlandev has to be the physical interface. Then you use the vlan interface as the carpdev. Example:

    ifconfig em0 up
    ifconfig vlan0 vlan 11 vlandev em0
    ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0

-- Mathieu Sauve-Frankel
Re: dual DVI graphics card
On Thu, 6 Oct 2005, Matthew Weigel wrote: In theory, you should be able to answer your question simply by me mentioning that radeon(4) supports dual displays on video cards still available through retail channels. Finally, I can vouch for dual displays working fine on Radeon cards, although I use a card with one DVI and one VGA output. PMFJI, but is there some sort of desktop 'manager' tool like Hydra to control the desktop space? Lee Leland V. Lammert[EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: dual DVI graphics card
Aaron Glenn wrote: On 10/6/05, Matthew Weigel [EMAIL PROTECTED] wrote: In theory, you should be able to answer your question simply by me mentioning that radeon(4) supports dual displays on video cards still available through retail channels. I wasn't clear enough in my original post. I'm looking to run 1920x1200 on two DVI monitors; and I'd like some sort of OpenGL hardware acceleration support, however minor. None of the ATi chipsets currently support 1920x1200 on two DVI monitors. It appears I was correct in guessing that simply mentioning that radeon(4) is where to look would not give you the information you need in order to arrive at the fact that the Radeon 9600 drives the products for which you are searching. Given the quality and tone of your response, I will avoid correcting you and encourage you to buy what ever it is that you can find that can meet your needs. Given the accuracy and completeness of the research you've done so far, I'm confident that something amusing will result. -- Matthew Weigel hacker [EMAIL PROTECTED]
Re: The Wikipedia article on OpenBSD
On 06/10/05, Jan Izary [EMAIL PROTECTED] wrote:
> Recently I and several other people have worked to improve the OpenBSD article contained in the Wikipedia, I'm sure I need not explain how it works. Anyways, I've worked to get as much easily accessible information regarding OpenBSD in that article as possible and I've pretty much run into a wall, I've got little else I can add. I am putting a call out to the OpenBSD community at large to give a look at the article and see if they can improve it, fleshing out anything that has gaps and explaining some of the more complex concepts. Things like OpenBSD centred screenshots would be nice if people would be willing to upload them and list them in the gallery. I would have put this on the advocacy list, but really it seems to be dead and most advocacy seems to run through the misc list. Thanks http://en.wikipedia.org/wiki/OpenBSD

I had already noticed it and I was wondering who was doing it... Very nice work!
Re: dual DVI graphics card
On 10/6/05, Matthew Weigel [EMAIL PROTECTED] wrote:
> It appears I was correct in guessing that simply mentioning that radeon(4) is where to look would not give you the information you need in order to arrive at the fact that the Radeon 9600 drives the products for which you are searching. Given the quality and tone of your response, I will avoid correcting you and encourage you to buy what ever it is that you can find that can meet your needs.

Perhaps you could drop the cocky attitude and do something productive with your catty prose? Thanks for the radeon(4) reference; I'm sure if any of the Radeon chips did 1920x1200 on two DVI it would have been very helpful. You see, just because the box or spec sheet says supports 1920x1200 doesn't mean the GPU will do 1920x1200 on both DVI ports. In fact, colorgraphics, which specializes in multi-display graphics cards, and uses the ATi Radeon GPU, notes that you get a max of 1600x1200 when using both DVI ports. So with that helpful lesson out of the way, you can shut your trap about radeon(4) and your patently stupid recommendations.

> Given the accuracy and completeness of the research you've done so far, I'm confident that something amusing will result.

I'm confident you either lack basic reading comprehension skills, or talk out of your ass on a regular basis...or maybe both? Either way you can keep your future quality responses right where they came from, your ass.
Re: High Interrupt Mode Reported by 'Top' for Soekris 4801
If the Soekris did not come with ethernet chipsets which are just slightly over the bar of rl(4), the wimpy processor in the machine might be able to cope. Throughput is only marginally better using an em in the pci slot of a 4801. I think there's some other problem. Yeah -- the super wimpy processor.
Re: High Interrupt Mode Reported by 'Top' for Soekris 4801
--On 06 October 2005 16:00 -0600, Theo de Raadt wrote: If the Soekris did not come with ethernet chipsets which are just slightly over the bar of rl(4), the wimpy processor in the machine might be able to cope. Throughput is only marginally better using an em in the pci slot of a 4801. I think there's some other problem.
Re: dual DVI graphics card
experiences setting it up? I've got my eye on the Matrox Millennium P750 card, but I can't find anything on any kind of support for OpenBSD (I'm not looking to run Linux, Solaris, or even FreeBSD all of which seem to have some sort of support). Their old cards used to be a good choice for open-source, but Parhelia-based cards are too proprietary. Pity.
Re: dual DVI graphics card
On 10/6/05, Stuart Henderson [EMAIL PROTECTED] wrote: Their old cards used to be a good choice for open-source, but Parhelia-based cards are too proprietary. Pity. I had used Matrox cards exclusively up until Parhelia was released however long ago. I think my Millenium II card is still chugging along in a closet somewhere. From what I can tell on Matrox's site, the Parhelia and the Millenium P750 are two distinct chipsets. aaron.glenn
Re: High Interrupt Mode Reported by 'Top' for Soekris 4801
I wondered that as well, but there appear to be lots (so it appears from other postings I found using google) of 4801s in use with OpenBSD, doing essentially the same thing as myself (Soekris w/ carp/pf/pfsynch). Yet, AFAICT, I'm the only one who's posted about this symptom. Since there are lots of people who do what I do, and if the problem were indeed that the 4801 processor is too wimpy, then wouldn't there be more problems like mine mentioned in the lists? And I'm running into high interrupts with only about 4Mbs throughput while others have claimed much higher values. Before I used this firewall that I have now, I used m0n0wall on FreeBSD. I chose OpenBSD over m0n0wall/FreeBSD due to m0n0wall state table limitations and lack of mature redundance features. But the m0n0wall handled this much traffic, and more, with a relatively low interrupt mode. As widely as OpenBSD is used on Soekris for firewalling compared to m0n0wall/FreeBSD with relatively few problems, I'm still not quite ready to decide that I haven't gotten myself a setup flaw somewhere. Just can't figure out where it could be. Bill Theo de Raadt wrote: If the Soekris did not come with ethernet chipsets which are just slightly over the bar of rl(4), the wimpy processor in the machine might be able to cope. Throughput is only marginally better using an em in the pci slot of a 4801. I think there's some other problem. Yeah -- the super wimpy processor. -- William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com
Re: dual DVI graphics card
--On 06 October 2005 16:11 -0700, Aaron Glenn wrote: I had used Matrox cards exclusively up until Parhelia was released however long ago. I think my Millenium II card is still chugging along in a closet somewhere. From what I can tell on Matrox's site, the Parhelia and the Millenium P750 are two distinct chipsets. Millenium Pxxx and Parhelia share drivers. I bought a P650 before realising this, the only way I found to make it run with X is by extracting the relevant file from their closed-source i386 linux driver (they're not os-specific). It sits in a windows box now.
Re: CARP+Pfsync+Bind
** Reply to message from ed [EMAIL PROTECTED] on Thu, 6 Oct 2005 22:15:25 +0100

> On Thu, 6 Oct 2005 15:49:02 -0400 Dave Anderson [EMAIL PROTECTED] wrote:
> > That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and gets a 'truncated' UDP reply, so the resolver retries the query using TCP) -- you should always pass both UDP and TCP for port 53 to avoid occasional obscure failures.
>
> Works fine on the 2 domains where it's been implemented, of which I handled the conversion from BIND style to djbdns. No problems on UDP lookups alone, including some deep CNAMEs, which are just not required, but I'll deal with those at a later date. I haven't seen any problems since the change. Lookup times have improved, I can't state if this is due to the lack of TCP or the file system overheads with zone files, but I expect a mixture of the two.

According to RFC 1035 section 4.2.1 you're riding for a fall:

    Messages carried by UDP are restricted to 512 bytes (not counting the IP or UDP headers). Longer messages are truncated and the TC bit is set in the header.

RFC 2671 modifies this by specifying a method for using UDP packets containing more than 512 bytes, but the maximum size is still limited.

RFC 2181 section 9 is quite clear:

    The TC bit should be set in responses only when an RRSet is required as a part of the response, but could not be included in its entirety. The TC bit should not be set merely because some extra information could have been included, but there was insufficient room. This includes the results of additional section processing. In such cases the entire RRSet that will not fit in the response should be omitted, and the reply sent as is, with the TC bit clear. If the recipient of the reply needs the omitted data, it can construct a query for that data and send that separately.

    Where TC is set, the partial RRSet that would not completely fit may be left in the response. When a DNS client receives a reply with TC set, it should ignore that response, and query again, using a mechanism, such as a TCP connection, that will permit larger replies.

Responses long enough so that required information is truncated should be rare, so perhaps you've been lucky and not encountered any yet.

Dave

-- Dave Anderson [EMAIL PROTECTED]
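The truncation behaviour quoted from the RFCs above, as an added example that is not part of the original thread and not code from BIND or djbdns: an in-process server omits an answer RRSet that does not fit the UDP limit and sets TC, and the client either retries over TCP, fails when 53/tcp is filtered, or avoids truncation by advertising a larger UDP size in an OPT record (RFC 2671). The query name, the 192.0.2.x addresses and all function names are constructed for illustration; no packets are sent.

```python
import struct

QR_BIT, AA_BIT, TC_BIT = 0x8000, 0x0400, 0x0200   # bits in the header flags word
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, edns_size=None):
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_size:  # OPT pseudo-RR: root name, type 41, CLASS field holds the UDP size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg


def question_end(msg):
    """Offset just past the single question (name, QTYPE, QCLASS)."""
    i = 12
    while msg[i]:
        i += 1 + msg[i]
    return i + 1 + 4


def advertised_udp_size(query):
    """512 bytes (RFC 1035) unless the query carries an OPT record asking for more."""
    arcount = struct.unpack("!H", query[10:12])[0]
    i = question_end(query)
    if arcount and query[i] == 0:
        rtype, size = struct.unpack("!HH", query[i + 1:i + 5])
        if rtype == TYPE_OPT:
            return max(size, 512)
    return 512


def build_response(query, addresses, limit):
    """Answer with one A RRSet; if it does not fit in limit, omit it and set TC.

    Simplification: the reply does not echo an OPT record back.
    """
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:question_end(query)]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes(addr)
        for addr in addresses)
    flags, ancount = QR_BIT | AA_BIT, len(addresses)
    if 12 + len(question) + len(answers) > limit:
        flags, ancount, answers = flags | TC_BIT, 0, b""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + question + answers


def parse_header(msg):
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & TC_BIT), "ancount": ancount}


def lookup(name, zone_addresses, tcp_allowed, edns_size=None):
    """Client logic: UDP first, then TCP when the UDP reply has TC set."""
    query = build_query(0x1234, name, edns_size)
    reply = build_response(query, zone_addresses, advertised_udp_size(query))
    header = parse_header(reply)
    if not header["tc"]:
        return ("udp", header["ancount"])
    if not tcp_allowed:  # the filter passes only 53/udp
        return ("failed: TC set on UDP reply and 53/tcp is filtered", 0)
    reply = build_response(query, zone_addresses, 65535)  # TCP length prefix is 16 bits
    return ("tcp", parse_header(reply)["ancount"])


SMALL_RRSET = [(192, 0, 2, n) for n in range(1, 5)]    # 4 records, fits in 512 bytes
LARGE_RRSET = [(192, 0, 2, n) for n in range(1, 41)]   # 40 records, 673-byte message

if __name__ == "__main__":
    print(lookup("www.example.org", SMALL_RRSET, tcp_allowed=False))
    print(lookup("www.example.org", LARGE_RRSET, tcp_allowed=True))
    print(lookup("www.example.org", LARGE_RRSET, tcp_allowed=False))
    print(lookup("www.example.org", LARGE_RRSET, tcp_allowed=False, edns_size=4096))
```

The small RRSet resolves over UDP whether or not TCP is passed, which is why a UDP-only rule set can look healthy until one large RRSet turns up.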
Re: The Wikipedia article on OpenBSD
Jan Izary wrote:
> Recently I and several other people have worked to improve the OpenBSD article contained in the Wikipedia, I'm sure I need not explain how it works. Anyways, I've worked to get as much easily accessible information regarding OpenBSD in that article as possible and I've pretty much run into a wall, I've got little else I can add. I am putting a call out to the OpenBSD community at large to give a look at the article and see if they can improve it, fleshing out anything that has gaps and explaining some of the more complex concepts. Things like OpenBSD centred screenshots would be nice if people would be willing to upload them and list them in the gallery. I would have put this on the advocacy list, but really it seems to be dead and most advocacy seems to run through the misc list. Thanks http://en.wikipedia.org/wiki/OpenBSD

Looks pretty good. My only suggestions would be to note that Nick handles the official FAQ, and adding Daniel Ouellet as the organizer/caretaker of the unofficial user's library.
Wireless issue (ath0: bogus xmit rate 0x0 error)
Hi List,

I'm running 3.8 from the snapshot 2nd Oct, which I upgraded from 3.7, on a soekris net4501. My problem is probably offtopic, but I'm hoping the wisdom of this list will point me in the right direction.

I have an apple iBook G4 which will not connect to my OpenBSD ath0 minipci card in the soekris, I just get the following errors:

ath0: bogus xmit rate 0x0

The iBook associates with the wireless network and I can connect to two other OpenBSD machines with wi0 and ipw0 cards in, which are running on the same wireless LAN. When the net4501 was running 3.7 I would get the same error message, but if I toggled the airport on and off on the iBook I would usually get a connection, or the soekris would crash. I caught a ps and partial trace from one of the 3.7 crashes, which is shown below.

Can anyone suggest a way of resolving the iBook's inability to talk to the ath0 card? My dmesg, hostname.ath0 and the ps and trace follow.

Thanks, in advance, Fred

kernel:kernel: page fault trap, code=0
Stopped at Xrecurse_legacy8+0x7d: movl 0x4(%ebx),%eax
ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb> trace
Xrecurse_legacy8() at Xrecurse_legacy8+0x7d
--- interrupt ---
Xspllower(800,3a,0,0) at Xspllower+0xe
cnputc(3a,6,d06d1bac,d01e24d1,6) at cnputc+0x26
db_putchar(3a,14,0,6) at db_putchar+0xc6
kprintf(d04fbc88,14,0,0,d06d1c98) at kprintf+0xe20
db_printf(d04fbc88,0,0,0) at db_printf+0x2d
kdbprinttrap(6,0,0,0,0) at kdbprinttrap+0x18
kdb_trap(6,0,d06d1d34,600) at kdb_trap+0x46
trap() at trap+0xa9
--- trap (number 6) ---
pmap_extract(d05cf940,d66d6800,d06d1dcc,0,d05cf940) at pmap_extract+0x36
_bus_dmamap_load_buffer(d0570440,d0836880,d66d6800,600,0) at _bus_dmamap_load_buffer+0x58
_bus_dmamap_load_mbuf(d0570440,d0836880,d29c3100,1) at _bus_dmamap_load_mbuf+0x90
ath_tx_start(d0839000,d092cc00,d083c5cc,d29c3100) at ath_tx_start+0x1b9
ath_start(d0839030,d65591b8,4c1b8,d65591e4) at ath_start+0xfc
ath_rx_proc(d0839000,1,d0101f20,d06d21b4) at ath_rx_proc+0x1d6
ath_intr1(d0839000) at ath_intr1+0x130
Xrecurse_legacy10() at Xrecurse_legacy10+0x8a
--- interrupt ---
--db_more--
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--- interrupt ---
Xdoreti() at Xdoreti+0x11
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--db_more--

At this point I pressed the wrong key on the console and the soekris rebooted.
Here is my hostname.ath0:

inet 10.0.5.1 255.255.255.0 NONE media DS11 mediaopt hostap nwid wifinet nwkey x

Here is the complete dmesg:

OpenBSD 3.8-current (GENERIC) #169: Sun Oct 2 15:06:50 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 (AuthenticAMD 486-class)
cpu0: FPU
real mem = 66691072 (65128K)
avail mem = 53411840 (52160K)
using 839 buffers containing 3436544 bytes (3356K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/41/22, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
elansc0 at pci0 dev 0 function 0 AMD ElanSC520 PCI rev 0x00: product 0 stepping 1.1, CPU clock 133MHz, reset 1PWRGOOD
gpio0 at elansc0: 32 pins
ath0 at pci0 dev 16 function 0 Atheros AR5212 rev 0x01: irq 10
ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:02:6f:21:ef:1c
sis0 at pci0 dev 18 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 11, address 00:00:24:c3:ff:20
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 19 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 5, address 00:00:24:c3:ff:21
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 20 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 9, address 00:00:24:c3:ff:22
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: TOSHIBA THNCF512MPG
wd0: 1-sector PIO, LBA, 488MB, 1000944 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at
Re: dual DVI graphics card
Aaron Glenn wrote: Perhaps you could drop the cocky attitude and do something productive with your catty prose? No, actually - the catty prose itself is unproductive. But you worked so hard to eliminate the productive options, I didn't want to give you anything but what you wanted. Thanks for the radeon(4) reference; I'm sure if any of the Radeon chips did 1920x1200 on two DVI it would have been very helpful. I'm no good at not helping; if you don't believe me, go take a look at the video cards that Apple sells. They specifically say their 9600 supports two 1920x1200 displays over DVI. If you'd like to wager that the 9600 that ATI sells specifically for Macs does less than the OEM 9600 that Apple sells, I'll give you good odds. -- Matthew Weigel hacker [EMAIL PROTECTED]
Re: The Wikipedia article on OpenBSD
Chris Zakelj wrote: Jan Izary wrote: Recently I and several other people have worked to improve the OpenBSD article contained in the Wikipedia, I'm sure I need not explain how it works. Anyways, I've worked to get as much easily accessible information regarding OpenBSD in that article as possible and I've pretty much run into a wall, I've got little else I can add. I am putting a call out to the OpenBSD community at large to give a look at the article and see if they can improve it, fleshing out anything that has gaps and explaining some of the more complex concepts. Things like OpenBSD centred screenshots would be nice if people would be willing to upload them and list them in the gallery. I would have put this on the advocacy list, but really it seems to be dead and most advocacy seems to run through the misc list. Thanks http://en.wikipedia.org/wiki/OpenBSD Looks pretty good. My only suggestions would be to note that Nick handles the official FAQ, and adding Daniel Ouellet as the organizer/caretaker of the unofficial user's library.

If you have any article(s) that you want to find a home for, I would be more than happy to provide it! Contributions have been rare, so calls were made before, many times in fact. But actual contributions were very far in between. I do have two or three articles now that are waiting for my free time to be posted, I apologize to the brave souls that actually sent them to me! My apologies guys, but I haven't forgotten them, trust me.

As for more places to post things, my own view, and that doesn't represent anyone else's views, is that we sure don't need to duplicate efforts. The locations are available, up to the users to make it happen. Again, great stuff directly for the system that deserves a place on OpenBSD.org should be sent to the always ready and incredibly brave soul of Nick if that's a great quality for the FaQ. He sure will tell you if it is.
But first, read his requirements here: http://www.holland-consulting.net/obsd/faq-help.html Then send what you have based on that, either to him, if it is FaQ stuff and of great quality, or me if that doesn't apply to the FaQ and we will find it a home. Daniel
Re: High Interrupt Mode Reported by 'Top' for Soekris 4801
On Fri, 7 Oct 2005 09:08, you wrote: I wondered that as well, but there appear to be lots (so it appears from other postings I found using google) of 4801s in use with OpenBSD, doing essentially the same thing as myself (Soekris w/ carp/pf/pfsynch). Yet, AFAICT, I'm the only one who's posted about this symptom. Since there are lots of people who do what I do, and if the problem were indeed that the 4801 processor is too wimpy, then wouldn't there be more problems like mine mentioned in the lists? And I'm running into high interrupts with only about 4Mbs throughput while others have claimed much higher values. Before I used this firewall that I have now, I used m0n0wall on FreeBSD. I chose OpenBSD over m0n0wall/FreeBSD due to m0n0wall state table limitations and lack of mature redundance features. But the m0n0wall handled this much traffic, and more, with a relatively low interrupt mode. As widely as OpenBSD is used on Soekris for firewalling compared to m0n0wall/FreeBSD with relatively few problems, I'm still not quite ready to decide that I haven't gotten myself a setup flaw somewhere. Just can't figure out where it could be. You'll find a few of us are running the interrupt holdoff patch, which IIRC, comes from the FreeBSD tree via [EMAIL PROTECTED] (See below). Patch trades off timeliness of response for reduced interrupts. Index: src/sys/dev/pci/if_sis.c === RCS file: /cvs/src/sys/dev/pci/if_sis.c,v retrieving revision 1.46 diff -u -r1.46 if_sis.c --- src/sys/dev/pci/if_sis.c27 May 2005 04:52:24 - 1.46 +++ src/sys/dev/pci/if_sis.c7 Jun 2005 07:14:37 - 
@@ -1692,6 +1692,10 @@ sis_stop(sc); sc-sis_stopped = 0; + /* Configure interrupt holdoff register. */ + if (sc-sis_type == SIS_TYPE_83815 sc-sis_srr == NS_SRR_16A) + CSR_WRITE_4(sc, NS_IHR, NS_IHR_VALUE); + mii = sc-sc_mii; /* Set MAC address */ Index: src/sys/dev/pci/if_sisreg.h === RCS file: /cvs/src/sys/dev/pci/if_sisreg.h,v retrieving revision 1.21 diff -u -r1.21 if_sisreg.h --- src/sys/dev/pci/if_sisreg.h 22 May 2005 05:40:52 - 1.21 +++ src/sys/dev/pci/if_sisreg.h 7 Jun 2005 07:14:38 - @@ -208,6 +208,20 @@ SIS_IMR_RX_IDLE|\ SIS_IMR_SYSERR) +/* Interrupt Holdoff Register */ +#define NS_IHR_HOLDCTL 0x0100 + +/* + * Interrupt holdoff value for NS DP8316. We can have the chip + * delay interrupt delivery for a certain period. Units are in + * 100us, and the default is 100us holdoff. + */ +#ifndef NS_IHR_DELAY +#define NS_IHR_DELAY 2 +#endif + +#define NS_IHR_VALUE (NS_IHR_HOLDCTL|NS_IHR_DELAY) + #define SIS_IER_INTRENB0x0001 #define SIS_PHYCTL_ACCESS 0x0010 -- Craig
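Review bot: in the if_sis.c hunk, CSR_WRITE_4() targets NS_IHR, but neither visible hunk defines that register offset; the if_sisreg.h hunk adds only NS_IHR_HOLDCTL, NS_IHR_DELAY and NS_IHR_VALUE. Confirm NS_IHR already exists in if_sisreg.h or add it in this patch, otherwise the driver will not build. The holdoff is also written unconditionally at init with a compile-time constant, so the comment there should say that it trades interrupt latency for a lower interrupt rate and point at NS_IHR_DELAY as the knob.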
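Review bot: in the if_sisreg.h hunk, the comment above NS_IHR_DELAY says the units are 100us and "the default is 100us holdoff", yet the default defined directly below is 2, which by the same comment is 200us. Make the comment and the value agree. The comment also names the chip "DP8316" while the code in the other hunk tests SIS_TYPE_83815 and NS_SRR_16A; use the same part name in both places.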
Re: sh-script executing
OM> I know this behaviour from every Unix system I've worked on. Besides,
OM> the nice thing about the current way of doing things is that you can
OM> read a script from a pipe and have the desired behaviour without any
OM> special case code.

Does this behavior have any advantages for regular files? Compatibility? If so, does any editor have an option for safe editing in this case? (Of course, I can always do an editor wraparound.)
RE: Re: sh-script executing
The editing is perfectly safe. It is the reading of a file that is being changed that is unsafe. Of course there's Microsoft Windows.

- --- Original Message --- -
From: [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Fri, 7 Oct 2005 09:39:47

OM> I know this behaviour from every Unix system I've worked on. Besides,
OM> the nice thing about the current way of doing things is that you can
OM> read a script from a pipe and have the desired behaviour without any
OM> special case code.

Does this behavior have any advantages for regular files? Compatibility? If so, does any editor have an option for safe editing in this case? (Of course, I can always do an editor wraparound.)
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 15:07:23 -0500 eric [EMAIL PROTECTED] wrote: On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... I use TinyDNS here, so we don't really need to transfer zones as its handled with a single data file. CARP can be good with DNS. 53/tcp *is* required to answer normal queries.

TCP for DNS lookups are probably going to incur latency. I'd rather just block that off and ensure that the DNS being provided does not leak excess 512 bytes. This might cause some problems with huge round robin lists, but we can all use pf round robin at the level should we require a huge address list.

Since you're drinking djb's koolaid, see http://cr.yp.to/djbdns/tcp.html#why 512-bytes uncommon or a mistake? I think not.

DJB woke a large portion of the world when he released djbdns, I'd not knock it, and it's pretty good advice at the above URL.

-- Regards, Ed http://www.usenix.org.uk
Re: CARP+Pfsync+Bind
On Thu, 2005-10-06 at 22:15:52 +0100, ed proclaimed... TCP for DNS lookups are probably going to incur latency. I'd rather just block that off and ensure that the DNS being provided does not leak excess 512 bytes. This might cause some problems with huge round robin lists, but we can all use pf round robin at the level should we require a huge address list.

You really should be pumping gas at a gas station or something. Clearly you're not interested in doing things correctly.

DJB woke a large portion of the world when he released djbdns, I'd not knock it, and it's pretty good advice at the above URL.

And the advice refers to an RFC (which was not written by djb) that specifically states that TCP can be used. I'm not knocking djb, I use qmail. I used to use tinydns, but then there were a whole world of problems with no ipv6 support natively, etc., and I just didn't want to bother anymore.
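The 512-byte limit and the 53/tcp fallback argued over in this thread, as an added example that is not from any poster: a minimal model of a classic (no EDNS0) DNS answer that shows when the TC bit gets set and a resolver has to retry over TCP. The name, the 192.0.2.x addresses and the drop-trailing-records truncation policy are constructed assumptions; real servers truncate in different ways.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP message limit (RFC 1035, no EDNS0)
TC_BIT = 0x0200  # "truncated" flag in the DNS header

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_response(qname, addresses, txid=0x1234, limit=UDP_LIMIT):
    """Build an A-record answer; if it exceeds limit, drop records and set TC."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    records = []
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        records.append(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata)
    kept = list(records)
    while 12 + len(question) + sum(map(len, kept)) > limit:
        kept.pop()  # assumed policy: cut whole records from the tail
    truncated = len(kept) < len(records)
    flags = 0x8400 | (TC_BIT if truncated else 0)  # QR + AA, TC when cut
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    return header + question + b"".join(kept)

def parse_header(msg):
    """Return the fields a resolver inspects before trusting a UDP answer."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & TC_BIT), "answers": an, "size": len(msg)}

def needs_tcp_retry(msg):
    """True when the answer was truncated and the client must re-ask over 53/tcp."""
    return parse_header(msg)["tc"]

def max_a_records(qname, limit=UDP_LIMIT):
    """How many compressed A records fit in one untruncated UDP answer."""
    fixed = 12 + len(encode_name(qname)) + 4  # header + question section
    return (limit - fixed) // 16              # each compressed A record is 16 bytes

# Constructed sample data: a small and a large round-robin set.
SMALL_SET = ["192.0.2.%d" % i for i in range(1, 6)]
LARGE_SET = ["192.0.2.%d" % i for i in range(1, 41)]
```

Running `max_a_records()` against the names you serve shows how close a round-robin set is to the point where clients fall back to TCP, which is the case a 53/tcp block would break.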
Shared Queues / Queuing on Multiple Interfaces
I think I fumbled last week when I posted this original message in reply to one several months old (causing it to not be seen by MUA threading)

The question remains: Can traffic travelling ingress on one-of-a-three-interface router be queued as it egresses the other two possible interfaces, enforcing a Frame-Relay CIR style sharing policy, but allowing either queue to borrow up to the maximum possible Downstream bandwidth on the original interface?

See URL and msg below: http://digitalfreaks.org/~lavalamp/Queues.png

~BAS

-- Forwarded message --
Date: Mon, 3 Oct 2005 11:28:24 -0400 (EDT)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: Henning Brauer [EMAIL PROTECTED]
Cc: misc@openbsd.org, Tony Sarendal [EMAIL PROTECTED], jared r r spiegel [EMAIL PROTECTED], Seamus Wassman [EMAIL PROTECTED]
Subject: Queing on Multiple Interfaces Revisited (WAS: Re: matching queues in both directions with stateful rulesets)

On Mon, October 25, 2004 12:50 pm, Henning Brauer said:
* Tony Sarendal [EMAIL PROTECTED] [2004-10-25 16:48]:
Is there a way to assign which queues stateful traffic will use in both directions ?

yes, you can have queues with the same names on multiple interfaces. i. e. you create the queue customer1 on both your external (dc0) and his interface (vlan1). outbond will go to the one on dc0, inbound to the one on vlan1.

A better topic would be perhaps upstream bandwidth distribution...downstream

All, the PF FAQ states several fundamentals about queuing:

1) queuing is only useful for packets in the outbound direction

..then later:

2) Note that queue designation can happen on an interface other than the one defined in the altq on directive: [...example rule set..] Queueing is enabled on fxp0 but the designation takes place on dc0. If packets matching the pass rule exit from interface fxp0, they will be queued in the ftp queue. This type of queueing can be very useful on routers.

I think a lot of confusion on this topic of multiple interfaces originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic inbound on one interface (of which the destination traffic matched will travel outbound on an interface on which queuing is enabled) and applying it to the outbound queue of the designated interface (point #2 above) differs in behavior from simply matching traffic outbound on said queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as direction, inbound, outbound, upstream, downstream, ingress, egress, etc., this is especially important with regards to the naming conventions on queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue: Let's look at an example like a Frame Relay network might... say that your objective is an SLA for your customers worded as so: Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps bi-directional CIR. Both may borrow from the total available.

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream external interface is broadband/narrowband delivered via Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is synchronous/symmetric
*) Customer handoff is 100mbs Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a perimeter router with a pass all style ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce upstream or outbound queues on xl0.

    altq on xl0 cbq queue { std-up cust1-up cust2-up }
    queue std-up cbq(default ecn)
    queue cust1-up bandwidth 10Mb cbq(ecn)
    queue cust2-up bandwidth 10Mb cbq(ecn)

    pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
    pass out on xl0 from $vlan20_subnet to any keep state queue cust2-up
    # these filters will match customer FTP uploads and HTTP GETs from customer-hosted web servers, etc.
    # this rule is redundant because the traffic would be forwarded anyway, it exists simply to match traffic into a queue and create a state table entry while we're at it.
    ...

But then let's say you want to invert those rules. **NOTE**, if customer1 and customer2 were visible via the same interface, then you could easily create a queue on that shared customer-facing interface with a bandwidth statement that matches the max hypothetical downstream speed of the broadband connection. Then divvy it up using sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as pass in on $ext_if
2) You could create non-stateful matching rules as pass out on $cust1 ..., pass out on $cust2...,

But the question remains: Into what queue? What type of queue would be used to designate a policy for downstream traffic flows that are traveling
Problem with altq cbq queuing.. please assist?
Hi

I'm sharing a connection and I'm trying to set aside bandwidth for some users. Here is the pftop -v queue log

QUEUEBANDW SCH PRIO PKTSBYTES DROP_P DROP_B QLEN BORROW SUSPENDS P/S B/S std_outpriq 35055249 0 dns_outpriq46 464 0games_out priq5 461 255660ssh_outpriq6 000tcp_ack_outpriq 7000root_xl0 10M cbq 0 657 1045720 std_in 7M cbq657 104572 0 luke_in1M cbq 00 0 pete_in1M cbq 00 0 nick_in1M cbq 00 0

As you can see the priq outbound queues work, but I can't get the cbq to work for inbound connections. All connections just go to the default queue. Here is my pf.conf - love to hear your thoughts, I've tried everything!

# cat /etc/pf.conf
# macros
int_if = "xl0"
ext_if = "xl1"
tcp_services = "{ 22, 113, 5050, 443, 80 }"
udp_services = "{ 443, 5050 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
luke = "192.168.0.15"
nick = "192.168.0.49"
pete = "192.168.0.20"
myth = "192.168.0.253"
obsd = "192.168.0.250"
games = "{ 6112:6119, 4711, 29900:29901, 1024:1124, 1500:4999, 27900, 28910, 16567, 55123:55125, 27910, 27960, 4000, 27020:27050, 1200, 27000:27015 }"

# options
set block-policy return
set loginterface $ext_if
set optimization aggressive

# scrub
scrub in all
scrub out on $ext_if all random-id

#prioritization
#outbound
altq on $ext_if priq bandwidth 10Mb queue { std_out, web_req, dns_out, games_out, ssh_out, tcp_ack_out }
queue std_out priq(default)
queue web_req priority 3
queue dns_out priority 4
queue games_out priority 5
queue ssh_out priority 6
queue tcp_ack_out priority 7

#inbound
altq on $int_if cbq bandwidth 10Mb queue { std_in, luke_in, pete_in, nick_in }
queue std_in bandwidth 70% cbq(default borrow ecn)
queue luke_in bandwidth 10% cbq(borrow ecn)
queue pete_in bandwidth 10% cbq(borrow ecn)
queue nick_in bandwidth 10% cbq(borrow ecn)

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $ext_if proto { tcp, udp } from any to any port 443 -> $int_if port 22
rdr on $ext_if proto { tcp, udp } from any to any port www -> $myth port www

# filter rules
block log all
pass quick on lo0 all

#stop spoofing
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass rules
pass in on $ext_if proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in on $ext_if proto tcp from any to any port $tcp_services modulate state flags S/SA
pass in on $ext_if proto udp from any to any port $udp_services keep state

#allow icmp
pass in inet proto icmp all icmp-type $icmp_types keep state

#allow all traffic to and from lan
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $int_if from any to $luke queue luke_in
pass out on $int_if from any to $pete queue pete_in
pass out on $int_if from any to $nick queue nick_in

#let internal traffic access external using queues defined above
pass out on $ext_if proto tcp all modulate state flags S/SA queue (std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state queue std_out
pass out on $ext_if proto tcp from any to any port www modulate state queue web_req
pass out on $ext_if proto { tcp udp } from any to any port domain keep state queue dns_out
pass out on $ext_if proto { tcp udp } from any to any port $games keep state queue games_out
pass out on $ext_if proto tcp from any to any port ssh modulate state queue ssh_out
Re: dual DVI graphics card
On 2005-10-06 14:37:03 -0700, Aaron Glenn wrote: I wasn't clear enough in my original post. I'm looking to run 1920x1200 on two DVI monitors; and I'd like some sort of OpenGL hardware acceleration support, however minor. None of the ATi chipsets currently support 1920x1200 on two DVI monitors. One DVI port does up to 1600x1200, so you need four DVI (two dual-link) ports. Best Martin -- http://www.tm.oneiros.de