Re: OpenBSD on IBM X40 ...

2005-10-06 Thread Andreas Bihlmaier
 Hi Andreas,
 Andreas Bihlmaier wrote,
 
  Besides the LED it works great and rock solid in DS11 Mode, but not at all in
  DS54 aka 802.11g mode. I hope this mode will be supported soon as well :)
  It also works wonderful in monitor mode with kismet! (LED off as well)
 
 Oh, I did not get it working. Which source= line are you using?

The source line for kismet.conf is:
source=radiotap_bsd_b,ath0,ath0

My ath is actually an 802.11a,b,g, but radiotap_bsd_ab didn't work for me.

This works great with the kismet from ports/packages on 3.8-current (btw.
finally it is in ports :) )

 
 Is 802.11g not working?! 
At least not for me!

I would really like to have a DEFINITE answer on that as well, but so far I
only read about people having the same problem (only 802.11b works).


 As ssh user I did not recognize any performance issues, maybe I
 always have 802.11b ;)
But when your home dir is mounted with NFS over IPSEC you will feel the
difference, trust me :(
 
  p.s. (at least it works solid as opposed to some other Unix-like-OS)
 
 Yeah, madwifi on my Netgear WGT634U segfaults very often... ;=)

Just one word from the devil: ndiswrapper

Greetz,
ahb



Re: squid mime-type blocking

2005-10-06 Thread Florian
ok, req_mime_type -- rep_mime_type and it's ok :-)

Thanks a lot



Re: PPTP client

2005-10-06 Thread Otto Moerbeek
On Wed, 5 Oct 2005, Waldemar Brodkorb wrote:

 Hi,
 Otto Moerbeek wrote,
 
  
  On Fri, 30 Sep 2005, Peter Bako wrote:
  
   I have a situation where I need to connect an OpenBSD box to a MS Windows
   PPTP server (yep, I know it is not secure, but in this case I have no choice
   in the matter).
   
   After looking around the net I found myself at
   http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
   the program and tried to connect to my test box.  (Also compiled a custom
   kernel using the GENERIC files with only the pseudo-device GRE line
   commented out.)  There aren't any OpenBSD specific instructions on the site,
   but reading the generic docs, as well as the docs for NetBSD, the PPTP man
   pages, etc. I think I have enough to get started.  However when I try to
   connect up I get nothing but a list of errors (connection timed out, could
   not open connection, etc.)  I know the path from my OpenBSD box to the test
   server is correct, because if I plug my Win2k laptop in it is able to
   successfully connect to the server.
   
   As far as I can tell the problem is a lack of MPPE support either in the
   Kernel or in PPP.  However I cannot find any information on how to get this
   support onto an OpenBSD system.
   
   Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
   you be kind enough to send me some steps or any other info on how you did
   it?
  
  Check the pptp package. It's a port of pptpclient. There used to be a
  FAQ entry about pptp, but it somehow was reduced to just mention pptp.
  
  The most important thing is to put net.inet.gre.allow=1 into your
  sysctl.conf. Or compile a kernel without gre(4), but why bother? It's
  a bit strange the pptp man page still contains instructions to
  recompile the kernel and does not mention the sysctl. I'll prod the
  maintainer.
 
 Oh, that's probably me. What I never understood in the past:
 Does a PPTP user always have to set net.inet.gre.allow=1 ?

Yes, I think so. Though you should ask somebody like markus@ to
confirm that.

-Otto



Re: detect if a flag-day has happened in the meanwhile

2005-10-06 Thread knitti
On 10/6/05, Antti Nykänen [EMAIL PROTECTED] wrote:
 I think he wants to compare already built kernels, from two different
 snapshots.

sorry, how couldn't I think about snapshots...

--knitti



OBSD 3.7 @ Samsung P35: Ati powerplay, disable system beeps?

2005-10-06 Thread Vincent Immler

Hi folks,

I just installed OpenBSD 3.7 on my Samsung P35 XVM 1600 III. Speedstep 
works fine, but what about Ati's powerplay?

Another problem I have:
During system shutdown/reboot the system usually beeps, but on my P35 
this beep is very loud, how to disable it?


Thanks in advance,
Vincent



Two ISP Fault Tolerance Help

2005-10-06 Thread Alessandro Coppelli

Hi to all.

One of my clients has an Internet connection with a not very reliable 
provider. He reports continual disconnections and so on. I would like to set up 
a second connection with another provider to obtain a sort of redundancy, a 
fault tolerance. What do I have to do to obtain automatic connection with 
both of the providers and to shift to the one that is connected when the 
other is in trouble (without problems for the client)?


Ale



Re: sh-script executing

2005-10-06 Thread Thomas Keusch
On Wed, Sep 28, 2005 at 11:53:08AM +0800, Ilya A. Kovalenko wrote:

Hello,

  Greetings,
 
   I found out that sh(1) reads file in process of execution (instead of
 reading the whole file and executing it from a memory image), which makes
 editing such scripts unreliable and/or dangerous. Are there any
 existing ways to solve this problem?

just edit a copy, chmod +x and mv(1) it into place.


Regards,
 Thomas



Re: WLAN (Linksys WPC111) + WEP

2005-10-06 Thread Joost Tr
Can you connect with open authentication (-A 1) when you set the AP to open 
auth. too?




From: Nikolaus Hiebaum [EMAIL PROTECTED]
To: OpenBSD mailing list - misc misc@openbsd.org
Subject: Re: WLAN (Linksys WPC111) + WEP
Date: Wed, 5 Oct 2005 23:34:19 +0200 (CEST)

  ifconfig wi0 192.168.200.2 255.255.255.0 nwid scyld nwkey BACE8A21EA


 According to the ifconfig man page, The key can either be a string, a series
 of hexadecimal digits (preceded by `0x'), or a set of keys... So I would try
 that.

Unfortunately, that didn't help.

--
Beste Grüße / Best regards,
Nikolaus Hiebaum




Re: sh-script executing

2005-10-06 Thread Ilya A. Kovalenko
TK just edit a copy, chmod +x and mv(1) it into place.

  Slightly complicated, but works, because mv(1) removes the
old file, so sh(1) works on either the old version or the new one
(no hybrids).



Re: sh-script executing

2005-10-06 Thread Andreas Kahari
On 06/10/05, Ilya A. Kovalenko [EMAIL PROTECTED] wrote:
 TK just edit a copy, chmod +x and mv(1) it into place.

   Slightly complicated, but works, because mv(1) removes the
 old file, so sh(1) works on either the old version or the new one
 (no hybrids).

Yes, sh(1) will probably keep a descriptor to the old file and keep
using it until done.

However, does this have any kind of other implications?  The behaviour
that Ilya pointed out would not occur to me to be expected...

--
Andreas Kahari



Re: sh-script executing

2005-10-06 Thread Otto Moerbeek
On Thu, 6 Oct 2005, Andreas Kahari wrote:

 On 06/10/05, Ilya A. Kovalenko [EMAIL PROTECTED] wrote:
  TK just edit a copy, chmod +x and mv(1) it into place.
 
   Slightly complicated, but works, because mv(1) removes the
  old file, so sh(1) works on either the old version or the new one
  (no hybrids).
 
 Yes, sh(1) will probably keep a descriptor to the old file and keep
 using it until done.
 
 However, does this have any kind of other implications?  The behaviour
 that Ilya pointed out would not occur to me to be expected...

I know this behaviour from every Unix system I've worked on. Besides,
the nice thing about the current way of doing things is that you can
read a script from a pipe and have the desired behaviour without any
special case code.

-Otto
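
The replace-by-rename advice from this thread, as an added example (not code from any of the posters): `install_script` follows the copy, chmod, mv steps, and the demo swaps a script while a shell is still running it. The file names, the FIFO handshake and both function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and files are constructed.

# install_script SRC DEST
# The steps from the thread: work on a copy, chmod it, mv(1) it into place.
# The copy lives in DEST's directory so that mv is a plain rename(2): the
# directory entry switches to the new inode in one step, and a shell that
# already opened the old DEST keeps reading the old, unchanged inode.
install_script() {
    src=$1
    dest=$2
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod 755 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"      # leave no half-written copy behind on failure
    return 1
}

# Replace a script while a shell is in the middle of running it.
# Prints "<output of the running copy> / <output of a fresh run>".
demo_replace_while_running() {
    d=$(mktemp -d) || return 1
    mkfifo "$d/ready" "$d/gate" || return 1

    # Constructed old version: reports in, then blocks until the parent
    # has swapped the file underneath it.
    cat > "$d/job.sh" <<EOF
echo "v1 start"
echo ready > "$d/ready"
read go < "$d/gate"
echo "v1 end"
EOF
    echo 'echo "v2 only"' > "$d/job.new"    # constructed new version

    sh "$d/job.sh" > "$d/out" &
    read line < "$d/ready"                  # v1 is running and holds job.sh open
    install_script "$d/job.new" "$d/job.sh" || return 1
    echo go > "$d/gate"                     # release v1
    wait

    running=$(paste -s -d, "$d/out")        # lines printed by the running shell
    fresh=$(sh "$d/job.sh")                 # a new invocation sees the new file
    rm -rf "$d"
    echo "$running / $fresh"
}

demo_replace_while_running
```

An in-place edit (for example `cat job.new > job.sh`) rewrites the inode the running shell is still reading, which is where mixed old/new execution comes from.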



Transit with OpenBGPd... How to allow only one or two as neighbor only ?

2005-10-06 Thread Xavier Beaudouin
Hello,

I'd like to find the good working solution when sending AS announces to
our peering / transit neighbor.

In fact on bgpd.conf man page we have :


neighbor $peer1 {
   remote-as 65001
   announce foo
   }

With foo :

  announce (all|none|self|default-route)

Problem is that I need to announce for example a pair of AS number..

How can I do that with openbgpd ?

Thanks !
/Xavier

-- 
If you keep trying, you end up succeeding. So the more it fails, the
more chance there is that it works...
(Shadok proverb)



Re: sh-script executing

2005-10-06 Thread Han Boetes
Andreas Kahari wrote:
 Yes, sh(1) will probably keep a descriptor to the old file and
 keep using it until done.

 However, does this have any kind of other implications? The
 behaviour that Ilya pointed out would not occur to me to be
 expected...

In the meanwhile this behaviour has been changed in CVS. Perhaps
this will get backported as well. And if not it's pretty easy to
backport I'd guess.



# Han



Re: sh-script executing

2005-10-06 Thread Otto Moerbeek
On Thu, 6 Oct 2005, Han Boetes wrote:

 Andreas Kahari wrote:
  Yes, sh(1) will probably keep a descriptor to the old file and
  keep using it until done.
 
  However, does this have any kind of other implications? The
  behaviour that Ilya pointed out would not occur to me to be
  expected...
 
 In the meanwhile this behaviour has been changed in CVS. Perhaps
 this will get backported as well. And if not it's pretty easy to
 backport I'd guess.



What commit are you referring to? You can say that I'm closely
involved, but I have no idea which commit you are referring to.

-Otto



Re: Transit with OpenBGPd... How to allow only one or two as neighbor only ?

2005-10-06 Thread Claudio Jeker
On Thu, Oct 06, 2005 at 03:18:41PM +0200, Xavier Beaudouin wrote:
 Hello,
 
 I'd like to find the good working solution when sending AS announces to
 our peering / transit neighbor.
 
 In fact on bgpd.conf man page we have :
 
 
 neighbor $peer1 {
    remote-as 65001
    announce foo
    }
 
 With foo :
 
   announce (all|none|self|default-route)
 
 Problem is that I need to announce for example a pair of AS number..
 
 How can I do that with openbgpd ?
 

The announce keyword is mostly for simple setups. For transit providers
announce should be set to all and real bgp filtering should be used.

The idea of announce is that small multihomed setups with e.g. two uplinks
just work in a safe manner (defaulting to self and so not the full table
is reexported).

-- 
:wq Claudio



Re: Fwd: ntop

2005-10-06 Thread shane mullins
Ntop has a built in webserver that displays data in html that can be
viewed from any workstation.

Shane

- Original Message - 
From: Andreas Bihlmaier [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Thursday, October 06, 2005 1:30 AM
Subject: Re: Fwd: ntop


  I think he wants to compile version 3.1  - in ports tree there is version 1.1.
 
  Are there any plans yet about porting newer version of ntop in next
  versions of obsd?

 Just as a question: In what way is ntop superior to pftop -v speed -o rate ?
 Sure it perhaps is a matter of preference, but I just want to know :)

 
  Jernej
 
  On 10/1/05, Brian A. Seklecki [EMAIL PROTECTED] wrote:
   What platform are you on? Are you compiling it from source?
  
   It works just fine in 3.7/i386.
  
   Just:
  
   bash-3.00# cd /usr/ports/net/ntop && make install clean
  
  
   If you insist on source, try looking at /usr/ports/net/ntop/patches/*
  
   Try reading about Ports in the FAQ.
  
   ~BAS

 Greetz,
 ahb



openbgpd server hardware

2005-10-06 Thread David Hill
Hello -
We are planning to build an OpenBSD server to be our edge router.  We are 
terminating 5 DS3's into two Cisco routers and using bridge-groups and vlans to 
separate the connections.  This works very well in our test setup.

We plan on building two servers and using carp for redundancy.  Our initial 
setup includes AMD Opterons with 1GB RAM.  We will need PCI-X, or at least 
PCI/66Mhz NIC's for this project.  I have been told SysKonnect is the way to 
go, but to wait on support for their new SK-9SXX series cards.  We need 2 
dual-port gigabit cards.

The time is approaching where we need to implement this.  Do any of the 
developers know the status of the support for the SysKonnect SK-9SXX series?  
What gigabit chipsets should be my second choice?

Thanks
David 



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Claudio Jeker
On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:
 More on this with test results, example, setup use, and more details.
 

 ==
 
 Without MD5 configure.
 
 With bgpd master
 Clear session from bgpd side, session comes back up right away.
 Clear session from remote side, session comes back up with delay.
 
 With bgpd slave
 Clear session from bgpd side, session comes back up with delay.
 Clear session from remote side, session comes back up with possible very 
 long delay. Much bigger than when master.
 

I see similar delays with my test setup. Most of the time it takes longer
for a session to come back up because of different timers that are run.
After a clear a reopen is tried immediately and that is most often
blocked. In my case the cisco seems to be too slow to close the session in
time for the reopen.
It also matters where you close the connection because in one case the
idle timer is run (30s) instead of the connect retry timer (120s).
Also the idle timer starts to grow if you flap the session often.

 
 
 Now with MD5 configure. We only add
 
 tcp md5sig password test on bgpd side and
 neighbor 66.63.12.108 password test on the Cisco side.
 
 With bgpd master
 Clear session from bgpd side, session comes back up right away.
 Clear session from remote side, session comes back up with possible very 
 long delay.
 
 With bgpd slave
 Just can't establish a session what so ever! The Cisco side will get 
 stuck in the OpenSent mode and cycle a few times all without success.
 
 66.63.12.1084 65001   0   1000 neverOpenSent
 

I can't reproduce this. On my test setup all session come back up.

...

 Now looking at the logs from each side. OpenBSD try to use the port 
 tcp/56923 and from the Cisco side we see this error:
 
 35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 
 66.63.12.108(179) to 66.63.12.107(56923) (RST)
 36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 
 66.63.12.108(179) to 66.63.12.107(56923) (RST)
 

This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST
packets. Now that's just stupid because it is not possible to do that in
some cases because the other side does not know the key at that time (e.g.
to signalize that the port is unavailable).
In your case this means that somehow the connection from the cisco to your
OpenBSD box is blocked or there is nothing listening on port 179.

 Looks like the OpenBSD side do not provide the MD5 to the Cisco to 
 establish the session.
 

OpenBSD only misses the MD5 digest on the RST packets and that is actually 
OK. RFC 2385 actually mentions this special case in 4.1:
   A connectionless reset will be ignored by the receiver of the reset,
   since the originator of that reset does not know the key, and so
   cannot generate the proper signature for the segment.  This means,
   for example, that connection attempts by a TCP which is generating
   signatures to a port with no listener will time out instead of being
   refused.  Similarly, resets generated by a TCP in response to
   segments sent on a stale connection will also be ignored.
   Operationally this can be a problem since resets help BGP recover
   quickly from peer crashes. 

 It doesn't matter if I clean the session from the Cisco side, or the 
 bgpd side, order, etc. Both side, many times, what ever. It will simply 
 not come up!
 
 Even reloading the Cisco router and killing the bpgd and starting new, 
 it will not come up!
 
 Always the same errors in the logs.
 
 No MD5 digest received from the OpenBSD side looks like.
 

Does it initially come up? As I said I can not reproduce it.

 ===
 
 Why is bgpd will not establish a session as slave when MD5 is configure 
 even if the RFC said both sides should be allow to do so?
 
 bgpd wants to be the master every time?
 
 Something sure looks weird here.
 

Are you running pf? Perhaps the packet get blocked or modified on the way
in and so the session is reset.
Check with netstat -sptcp for the md5 counters.

BTW. I mostly reused your config. I just disabled soft-reconfig inbound
because my 2500 testbox would probably not survive that.

-- 
:wq Claudio
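
A log triage sketch for the %TCP-6-BADAUTH messages discussed above, added here as an example and not taken from the thread: it separates unsigned resets (the RFC 2385 section 4.1 case) from other digest failures, per source address. The sample lines are constructed in the format quoted in the thread, using documentation addresses, and the class and function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data and class names are constructed.

# Constructed log lines in the format quoted above (RFC 5737 addresses).
sample_log() {
    cat <<'EOF'
35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.108(179) to 192.0.2.107(56923) (RST)
36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.108(179) to 192.0.2.107(56923) (RST)
37: *Oct  5 13:40:02.120 EDT: %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.50(40112) to 192.0.2.107(179)
38: *Oct  5 13:40:09.771 EDT: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.77(51000) to 192.0.2.107(179)
39: *Oct  5 13:41:00.000 EDT: %BGP-5-ADJCHANGE: neighbor 192.0.2.108 Down Peer closed the session
EOF
}

# classify_badauth: read router log lines on stdin, print "SRC CLASS COUNT".
#   unsigned-rst      no digest on a reset: the sender had no key for that
#                     connection (no listener, stale connection). RFC 2385
#                     4.1 says the receiver ignores it; look at filtering and
#                     the listener on port 179 at SRC, not at the password.
#   unsigned-segment  no digest on a normal segment: SRC is not signing.
#   bad-digest        digest present but wrong: key mismatch, or the segment
#                     was altered on the way.
classify_badauth() {
    awk '
    /%TCP-6-BADAUTH:/ {
        # The source is the token after "from", with "(port)" stripped.
        src = ""
        for (i = 1; i < NF; i++)
            if ($i == "from") { src = $(i + 1); break }
        sub(/\(.*/, "", src)

        if ($0 ~ /Invalid MD5 digest/)     class = "bad-digest"
        else if ($0 ~ /\(RST\)[ \t]*$/)    class = "unsigned-rst"
        else                               class = "unsigned-segment"
        count[src " " class]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Sources whose failures point at the key or the MD5 configuration itself,
# i.e. anything other than unsigned resets.
key_suspects() {
    classify_badauth | awk '$2 != "unsigned-rst" { print $1 }' | LC_ALL=C sort -u
}

sample_log | classify_badauth
```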



Re: Transit with OpenBGPd... How to allow only one or two as neighbor only ?

2005-10-06 Thread Xavier Beaudouin
[...]


 The announce keyword is mostly for simple setups. For transit providers
 announce should be set to all and real bgp filtering should be used.

 The idea of announce is that small multihomed setups with e.g. two uplinks
 just work in a safe manner (defaulting to self and so not the full table
 is reexported).


Thanks Claudio,

But can you provide me a more detailed example. Because I have some
difficulties to make a filter for such setup...

/Xavier
-- 
If you keep trying, you end up succeeding. So the more it fails, the
more chance there is that it works...
(Shadok proverb)



unsubscribe

2005-10-06 Thread RGKärcher
unsubscribe

Ricardo german Kärcher




Fwd: Fwd: ntop

2005-10-06 Thread Jernej Vodopivec
Again forgot to cc:

-- Forwarded message --
From: Jernej Vodopivec [EMAIL PROTECTED]
Date: Oct 6, 2005 5:22 PM
Subject: Re: Fwd: ntop
To: Andreas Bihlmaier [EMAIL PROTECTED]


ntop
- displays data in html - can be viewed from any workstation without
installing additional products so
- it is easier to use
- displays traffic statistics
- stores statistics data...

Jernej

On 10/6/05, Andreas Bihlmaier [EMAIL PROTECTED] wrote:
 Just as a question: In what way is ntop superior to pftop -v speed -o rate ?
 Sure it perhaps is a matter of preference, but I just want to know :)



Re: sh-script executing

2005-10-06 Thread Han Boetes
Otto Moerbeek wrote:
 On Thu, 6 Oct 2005, Han Boetes wrote:
  In the meanwhile this behaviour has been changed in CVS.
  Perhaps this will get backported as well. And if not it's
  pretty easy to backport I'd guess.

 What commit are you referring to? You can say that I'm closely
 involved, but I have no idea which commit you are referring to.

Oops

I completely misread this message. My bad.


-
Synopsis: sh executing extra lines, if script file was changed (grown) during execution

State-Changed-From-To: open-closed
State-Changed-By: tom
State-Changed-When: Thu Oct 6 05:16:19 MDT 2005
State-Changed-Why:
Don't edit shell scripts while they are running.  This is standard
UNIX behaviour.  Sorry.
--


# Han



Error on pkg_add on openbsd 3.8

2005-10-06 Thread gwost
Hello

I have smaller server with openbsd 3.8 on it. It is all doing great, except the
function pkg_add. I get:

bash-3.00# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/s.../symon-2.71.tgz
Can't locate object method add_size via package
OpenBSD::PackingElement::FDESC at
/usr/libdata/perl5/OpenBSD/PackingElement.pm line 545, $fh line 8.


How to fix that?

thanks



Re: Transit with OpenBGPd... How to allow only one or two as neighbor only ?

2005-10-06 Thread tony sarendal
On 06/10/05, Xavier Beaudouin [EMAIL PROTECTED] wrote:
 [...]

 
  The announce keyword is mostly for simple setups. For transit providers
  announce should be set to all and real bgp filtering should be used.
 
  The idea of announce is that small multihomed setups with e.g. two uplinks
  just work in a safe manner (defaulting to self and so not the full table
  is reexported).
 

 Thanks Claudio,

 But can you provide me a more detailed example. Because I have some
 difficulties to make a filter for such setup...


The best way to make a scalable setup is by using bgp communities.
That way your transit/peering routers advertise based on information
you can set on origin or ingress into your network, not depending on
the prefix/as itself.

I have not checked how bgpd and community support looks in -current,
but when experimenting a few months back I had some problems with
setting multiple communities and I was also forced to use an external
route-server to see what was happening in my test network. I intend to
give this a new try when I have finished the project I'm currently
working on.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



kernel pppoe problem : pppoe0 : timeout

2005-10-06 Thread Didier Wiroth
Hello,
(sorry for the long post!)
I used the ppp pppoe (for my dsl connection)  for some while and decided to 
switch to the kernel implementation.

I'm actually having a problem with kernel pppoe, after a reboot or when I try 
to connect/reconnect it takes about 
1 minute before it is able to connect. While running ifconfig pppoe0 debug 
(see below) I noticed a few pppoe0: timeout

When I used the ppp's pppoe implementation the connection and reconnection were 
almost instant. 

For information, here is my old ppp.conf:

default:
 set log Phase tun command
 set redial 7 0
 set reconnect 7 1

provider:
 set device !/usr/sbin/pppoe -i sis2
 disable acfcomp iface-alias deflate protocomp vjcomp pred1 ipv6cp
 deny acfcomp
 set mtu max 1454
 set mru max 1454
 set speed sync
 enable lqr
 set lqrperiod 5
 set dial
 set login
 set timeout 0
 set authname xyz
 set authkey xyz
 add default HISADDR
 enable mssfixup
 set server /var/run/internet  0177


Now, here is my new hostname.pppoe0
pppoedev sis2
!/sbin/ifconfig sis2 up media 10baseT 
!/usr/sbin/spppcontrol \$if myauthproto=pap myauthname=xyz \
myauthkey=xyz
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x link1
!/sbin/route add default 0.0.0.1
!/usr/local/sbin/noip2 -c /etc/no-ip2.conf
up

Here is my dmesg and ifconfig pppoe0 debug output:


Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Daniel Ouellet

Claudio Jeker wrote:

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with delay.

With bgpd slave
Clear session from bgpd side, session comes back up with delay.
Clear session from remote side, session comes back up with possible very 
long delay. Much bigger than when master.





I think this is fixed in -current. Henning committed something to make the
delays on neighbor clears faster.


My first tests were done with current (sep 29), but with a small 
difference in the setup lab. It was done in live network. But I will 
sure redo it again. It's too important to me to not be 150% sure it's 
working well. So far, it just wasn't. I have well over 100+ peer 
sessions, of which ~70+ are using MD5 and I can't not have them stable. 
Plus I have no choice as well to either buy bigger Cisco routers, and 
hell I don't want that! Or use OpenBSD and that's what I want. I am fed 
up with CPU limitation power of Cisco and I will kiss them goodbye!


Even reloading the Cisco router and killing the bpgd and starting new, 
it will not come up!


Always the same errors in the logs.

No MD5 digest received from the OpenBSD side looks like.




It looks like the tcpmd5 is enabled too late when opening a session.
I try to have a look at it.


You have no idea how much I would appreciate that! I started to look at 
the code, but that's a long process for me.



===

Why is bgpd will not establish a session as slave when MD5 is configure 
even if the RFC said both sides should be allow to do so?


bgpd wants to be the master every time?

Something sure looks weird here.




That's more like a bug. Btw. MD5 between two bgpd is working, at least it
works for me.


That's what I thought, but I know better than starting to say there is a 
bug. Before I do, I sure want to be sure, but it does look like it to me 
however so far. My tests so far show that you can have MD5 as long as 
OpenBSD is master, but clear sessions, depending which side initiates it, 
don't come back in one case and are slow in the other. (That was with 
3.7 for my last tests on this one) Will redo.



==

But it should be establish however for MD5 for sure as any sides can be 
the master in a bgp session.


However, not here?

Comments on this?

I think my tests are valid. Am I doing something I should be doing here? 
I don't think so, but that's what I found so far and why I can't keep a 
stable session with MD5 enable on it.





For me it looks like a bug for now.


Same thought here.

Daniel



Re: kernel pppoe problem : pppoe0 : timeout

2005-10-06 Thread Didier Wiroth
concerning my original post:
sorry, I made a typo error in my hostname.pppoe0.
I have this line:
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x

I do NOT have  link1 in the line, as written in the previous mail!!!



Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu,  6 Oct 2005 16:55:05 +0400
Vladimir Potapov [EMAIL PROTECTED] wrote:

 We have 1 server on which running firewall and DNS master service. And
 we planned to install another server for load balancing and redundancy.
 2 servers(each have running PF and BIND) will balancing load (or one
 will master and other slave) for DNS and PF.
 Does anyone protect DNS service via CARP and PFsync? Does it work?
 Whether there can be problems(for example, with zones transfers, dns
 queries 

Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

pass in on $ext_if proto udp from any to $DNS port 53 keep state

and if required:

pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

I use TinyDNS here, so we don't really need to transfer zones as its
handled with a single data file. CARP can be good with DNS.

-- 
Regards, Ed http://www.usenix.org.uk



Re: BGP session clear by remote end when MD5 is configure AND the session was initiate from OpenBSD side failed and do not recover.

2005-10-06 Thread Daniel Ouellet

Claudio Jeker wrote:

On Wed, Oct 05, 2005 at 06:33:05PM -0400, Daniel Ouellet wrote:


==

Without MD5 configure.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with delay.

With bgpd slave
Clear session from bgpd side, session comes back up with delay.
Clear session from remote side, session comes back up with possible very 
long delay. Much bigger than when master.





I see similar delays with my test setup. Most of the time it takes longer
for a session to come back up because of different timers that are run.
After a clear a reopen is tried immediately and that is most often
blocked. In my case the cisco seems to be too slow to close the session in
time for the reopen.
It also matters where you close the connection because in one case the
idle timer is run (30s) instead of the connect retry timer (120s).
Also the idle timer starts to grow if you flap the session often.


The interesting facts here for me were how different it was for each 
side. I did this many times 10x+ on each setup to see. bgpd master to 
Cisco and clear from bgpd side to Cisco, the Cisco session comes back up 
instantly. As for Cisco master initiate clear to bgpd, was the slowest 
by far. I mean much longer. The other two possibilities are pretty much 
equal. It was interesting finding nevertheless. Why, I am not sure 
however.




Now with MD5 configure. We only add

tcp md5sig password test on bgpd side and
neighbor 66.63.12.108 password test on the Cisco side.

With bgpd master
Clear session from bgpd side, session comes back up right away.
Clear session from remote side, session comes back up with possible very 
long delay.


With bgpd slave
Just can't establish a session what so ever! The Cisco side will get 
stuck in the OpenSent mode and cycle a few times all without success.


66.63.12.1084 65001   0   1000 neverOpenSent




I can't reproduce this. On my test setup all session come back up.


I will try current again, and send even more details on my setup, or if 
you ever want to check it out, I have no problem what so ever to provide 
you access to both boxes directly for you to check it out as well. Just 
say the words if interested? I try Cisco IOS 12.3x and 12.4x, same 
results so far.


Now looking at the logs from each side. OpenBSD tries to use the port 
tcp/56923 and from the Cisco side we see this error:


35: *Oct  5 13:38:43.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)
36: *Oct  5 13:38:44.503 EDT: %TCP-6-BADAUTH: No MD5 digest from 66.63.12.108(179) to 66.63.12.107(56923) (RST)





This is a Cizzz-coee / RFC feature. They enforce a TCP MD5 digest on TCP RST
packets. Now that's just stupid because it is not possible to do that in
some cases because the other side does not know the key at that time (e.g.
to signalize that the port is unavailable).
In your case this means that somehow the connection from the cisco to your
OpenBSD box is blocked or there is nothing listening on port 179.


Last tests at ~5 AM this morning still show me this, and nothing was in 
the path for blocking it at all. I will recheck as it's been a few days 
without sleep so far, so I admit, I could start to be fuzzy a bit. Lack 
of sleep, but I will make sure before saying false things here. But in 
any case, not that I like it whatsoever, I am not sure of the 
Cizzz-coee stuff. The sad thing is that they have a huge portion of the 
Internet routers still, hopefully changing quickly, but still, we need 
to interact with them a lot.


Looks like the OpenBSD side does not provide the MD5 to the Cisco to 
establish the session.





OpenBSD only misses the MD5 digest on the RST packets and that is actually 
OK. RFC 2385 actually mentions this special case in 4.1:

   A connectionless reset will be ignored by the receiver of the reset,
   since the originator of that reset does not know the key, and so
   cannot generate the proper signature for the segment.  This means,
   for example, that connection attempts by a TCP which is generating
   signatures to a port with no listener will time out instead of being
   refused.  Similarly, resets generated by a TCP in response to
   segments sent on a stale connection will also be ignored.
   Operationally this can be a problem since resets help BGP recover
   quickly from peer crashes. 


I can deal with that delay and I agree that it makes sense to refuse the 
reset, or ignore it, however, looks like so far, the session doesn't 
reset. Maybe because it does receive messages still from the Cisco side 
on wrong ports, but somehow sees them as keep alive. I really don't know 
what I am saying here, just weird thoughts, but so far the results are 
that it doesn't reset. I will test in more detail again. But just 
know that something is not active in the best interest of the session 
here 
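The RFC 2385 behaviour discussed in this thread, as an added Python example that is not part of the original messages and not code from bgpd or IOS: it computes the digest over the pseudo-header, the option-less TCP header with a zero checksum, the data and the key, then shows why a RST sent without the key is reported as "No MD5 digest". The segments are constructed; the addresses, ports and the password `test` are taken from the thread, and the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum 0), data, key."""
    header_len = min((segment[12] >> 4) * 4, len(segment))
    fixed = bytearray(segment[:20])          # TCP header without options
    fixed[16:18] = b"\x00\x00"               # checksum is assumed to be zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed) + segment[header_len:] + key).digest()


def find_md5_option(segment):
    """Return the 16-byte digest from TCP option 19, or None if absent."""
    header_len = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            break                             # option without a length byte
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break                             # malformed option list
        if kind == TCPOPT_MD5SIG and length == 18:
            return segment[i + 2:i + 18]
        i += length
    return None


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                  key=None, payload=b""):
    """Constructed TCP segment; signed with option 19 when a key is given."""
    options = b""
    if key is not None:
        # NOP NOP pads the 18-byte signature option to a 4-byte boundary.
        options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, 18]) + bytes(16)
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         doff << 4, flags, 16384, 0, 0)
    segment = header + options + payload
    if key is not None:
        digest = rfc2385_digest(src_ip, dst_ip, segment, key)
        segment = header + options[:4] + digest + payload
    return segment


def check_inbound(src_ip, dst_ip, segment, key):
    """What a receiver configured with `key` does with an inbound segment."""
    received = find_md5_option(segment)
    if received is None:
        return "no-digest"                    # dropped, RST or not
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return "accept" if hmac.compare_digest(received, expected) else "bad-digest"


if __name__ == "__main__":
    key = b"test"
    # Signed SYN from the router to port 179 on the OpenBSD side.
    syn = build_segment("66.63.12.107", "66.63.12.108", 56923, 179,
                        1000, 0, TH_SYN, key=key)
    print("SYN:", check_inbound("66.63.12.107", "66.63.12.108", syn, key))
    # RST from a stack that has no key for this peer: no option 19 at all.
    rst = build_segment("66.63.12.108", "66.63.12.107", 179, 56923,
                        0, 1001, TH_RST | TH_ACK)
    print("RST:", check_inbound("66.63.12.108", "66.63.12.107", rst, key))
```

Because the unsigned RST is dropped, the side that sent the SYN never sees the refusal and has to wait for its own timers, which is the delay RFC 2385 section 4.1 describes.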

Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed [EMAIL PROTECTED] on Thu, 6 Oct 2005
14:04:20 +0100

Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

That's not quite the whole story: 53/tcp is also used when the response
to a query is too big for a single UDP packet (the resolver sends a UDP
query and gets a 'truncated' UDP reply, so the resolver retries the
query using TCP) -- you should always pass both UDP and TCP for port 53
to avoid occasional obscure failures.

pass in on $ext_if proto udp from any to $DNS port 53 keep state

and if required:

pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



Re: WLAN (Linksys WPC111) + WEP

2005-10-06 Thread Nikolaus Hiebaum
* Joost Tr wrote on Oct 6, 2005 [10:00, -] :

 can you connect with open authentication (-A 1) when you set to open auth.
 AP too

Yes, with open authentication it works. I am not savvy enough to understand the difference.
What is the difference between open and shared key? And what does it mean that the open auth.
works and the shared one doesn't?

-- 
Beste Grüße / Best regards,
Nikolaus Hiebaum



Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed...

 I use TinyDNS here, so we don't really need to transfer zones as its
 handled with a single data file. CARP can be good with DNS.

53/tcp *is* required to answer normal queries.

Since you're drinking djb's koolaid, see 

http://cr.yp.to/djbdns/tcp.html#why

512-bytes uncommon or a mistake? I think not.



Re: [Soekris] Ubiquity 400mW mini-PCI

2005-10-06 Thread Vincent Immler

maybe this link helps:

http://www.exergia.biz/ptp/exap-GMF.htm



High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread William Bloom
I am a new owner of two Soekris 4801s running OpenBSD 3.7 (generic) with 
pf/pfsynch/carp for redundant firewalling.  I've encountered a problem with 
high interrupts (and some packet loss), and after having perused the on-line 
FAQ/forums and finding nothing that I could identify as matching the symptoms 
I've observed, I am now looking for pointers on how to isolate the problem and 
perhaps fix it.

I have sis0 in use for the outer interface, sis2 for the inner, sis1 for 
pfsync.  There is an inner carp'd interface address (carp0) and an outer 
(carp1).  The configuration is generally along the lines of the FAQ and man 
pages.

When traffic through the Soekris reaches approximately 4Mbs, the interrupt mode 
reported by top reaches 75% or higher and there is a measurable packet loss (1% 
- 5% or so).  From 'pfctl -si', the congestion counter goes up rapidly when the 
interrupts are highest.  The interrupt mode increases as the traffic volume 
increases, and goes down to about 1% when I failover to the other firewall. 
When I failover, I observe exactly the same behavior on the newly active 
firewall.

Checking forums, I see that there have been reports of very high interrupts on 
the sis device in the past for OpenBSD on Soekris, but I read that these were 
all corrected in recent OpenBSD releases (and the problem I read about only 
applied whenever one sis interface was left 'down', which is not the case for 
my circumstances since all interfaces are in use).

I've checked with Soekris, and they've not heard of symptoms such as I describe 
with OpenBSD 3.7.  I've not noticed anything amiss in dmesg or 
/var/log/messages (well, all sis devices are sharing IRQ 10 but this is normal 
on a 4801, the FAQ states that this is not a problem, and other 4801 users 
haven't reported symptoms like the ones I describe).  I haven't posted dmesg or 
other info in this message (I thought it might be rude to do so without being 
asked).

Can anyone offer pointers on how I might go about isolating this problem?


Bill
-- 
William Bloom| Systems Engineer|M P H A S I S Architecting Value | Eldorado 
Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 
| 
Fax: +11-602-604-3115| http://www.eldocomp.com

-- CONFIDENTIALITY NOTICE --

Information transmitted by this e-mail is proprietary to MphasiS and/or its 
Customers and is intended for use only by the individual or entity to which it 
is addressed, and may contain information that is privileged, confidential or 
exempt from disclosure under applicable law. If you are not the intended 
recipient or it appears that this mail has been forwarded to you without proper 
authority, you are notified that any use or dissemination of this information 
in any manner is strictly prohibited. In such cases, please notify us 
immediately at [EMAIL PROTECTED] and delete this mail from your records.



Re: xorg with Nvidia Go5600 at 1600x1200

2005-10-06 Thread Stephan Tesch
On Thursday, 6 October 2005 11:36 you wrote:

Hi Stefan,

 (II) NV(0): Not using mode 1600x1200 (no mode of this name)

This seems to be your problem. Caused by this:

 (II) NV(0): Not using default mode 1600x1200 (hsync out of range)

You should try to create a modeline for 1600x1200 matching your screen's 
capabilities. gtf(1) seems to be the way to go for that.

Regards, 
Stephan



Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:49:02 -0400
Dave Anderson [EMAIL PROTECTED] wrote:

 That's not quite the whole story: 53/tcp is also used when the
 response to a query is too big for a single UDP packet (the resolver
 sends a UDP query and gets a 'truncated' UDP reply, so the resolver
 retries the query using TCP) -- you should always pass both UDP and
 TCP for port 53 to avoid occasional obscure failures.

Works fine on the 2 domains where it's been implemented, of which
I handled the conversion from BIND style to djbdns. No problems on UDP
lookups alone, including some deep CNAMEs, which are just not required,
but I'll deal with those at a later date.

I haven't seen any problems since the change. Lookup times have
improved, I can't state if this is due to the lack of TCP or the file
system overheads with zone files, but I expect a mixture of the two.

-- 
Regards, Ed http://www.usenix.org.uk



About VLAN and Carp

2005-10-06 Thread Léo Goehrs
Hi Everyone,

I am using OpenBSD and the great pf in a production environment.

I want to be able to use vlan and carp at the same time.

I have two firewalls. These two boxes are responsible for a number of subnets.
I want to have a number of vlans defined on the openbsd to feed my Distribution
Switch. Now I can do it, but only on the physical interface so I lose the
redundancy.

On a cisco, it would mean having a few VLANs with a router-interface for each.

Each virtual interface would have VRRP enabled.

When I try

ifconfig vlan0 vlan 11 vlandev carp0

It gives me an error. Is there a way to do that?

Regards



Leo Goehrs
CTO



Work: +33 1 39 02 76 15
Mobile: +33 6 89 99 14 06
Fax: +33 1 39 02 01 51

Email: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
IM: 10257254 (ICQ)






Alionis http://www.alionis.net
15 rue de la Paroisse
http://maps.google.com/maps?q=15+rue+de+la+Paroisse%2CVersailles+78000%2CFrancehl=en Versailles 78000
France

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
image001.jpg]



Sendmail TLS

2005-10-06 Thread Eric Dillenseger
Hello list,

I'm trying to setup a sendmail config using tls to use gmail as a smart-host.

I made a copy of openbsd-proto.mc as follows:
divert(-1)
#
# Default OpenBSD sendmail configuration for systems accepting mail
# from the internet.
#
# Note that lines beginning with dnl below are comments.

divert(0)dnl
VERSIONID(`@(#)openbsd-proto.mc $Revision: 1.11 $')dnl
OSTYPE(openbsd)dnl
define(`SMART_HOST', `smtp.gmail.com')dnl
define(`confPRIVACY_FLAGS',
`authwarnings,needmailhelo,noexpn,novrfy,nobodyreturn')dnl
define(`confCW_FILE', `-o MAIL_SETTINGS_DIR`'local-host-names')dnl
define(`confCT_FILE', `-o MAIL_SETTINGS_DIR`'trusted-users')dnl
FEATURE(nouucp, `reject')dnl
FEATURE(`access_db', `hash -o -TTMPF /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(genericstable, `hash -o /etc/mail/genericstable')dnl
FEATURE(always_add_domain)dnl
FEATURE(redirect)dnl
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Name=MTA6, M=O')dnl
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=E')dnl
DAEMON_OPTIONS(`Family=inet6, Address=::, Port=587, Name=MSA6, M=O, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
CLIENT_OPTIONS(`Family=inet6, Address=::')dnl
define(`confBIND_OPTS', `WorkAroundBroken')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/CAcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/localsendmailcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/localsendmailkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/localsendmailcert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/localsendmailkey.pem')dnl
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_RULESETS
HMessage-Id: $CheckMessageId

SCheckMessageId
R $+ @ $+ $@ OK
R$* $#error $: 553 Header Error

Followed by:
# make mysendmail.cf
rm -f mysendmail.cf
( cd /usr/share/sendmail/cf  /usr/bin/m4
/usr/share/sendmail/cf/../m4/cf.m4 mysendmail.mc 
/usr/share/sendmail/cf/mysendmail.cf )
echo ### mysendmail.mc ### mysendmail.cf
sed -e 's/^/# /' /usr/share/sendmail/cf/mysendmail.mc mysendmail.cf
chmod 444 mysendmail.cf

Then I created the necessary certificates:
$ sudo mkdir /etc/mail/certs

$ sudo openssl dsaparam 1024 -out dsa1024.pem
Generating DSA parameters, 1024 bit long prime
This could take some time
+..++++*
.+..+...+.+.+.++.+...+...+..+.+...+.+.+...+..+...+.+++*
$ sudo openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem
  -out /etc/mail/certs/localsendmailcert.pem
  -keyout /etc/mail/certs/localsendmailkey.pem
Generating a 1024 bit DSA private key
writing new private key to '/etc/mail/certs/localsendmailkey.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) []:FR
State or Province Name (full name) []:Alsace
Locality Name (eg, city) []:Strasbourg
Organization Name (eg, company) []:Me
Organizational Unit Name (eg, section) []:mail
Common Name (eg, fully qualified host name) []:localhost
Email Address []:[EMAIL PROTECTED]

$ sudo ln -s /etc/mail/certs/localsendmailcert.pem /etc/mail/certs/CAcert.pem
$ sudo rm dsa1024.pem

$ sudo chmod -R go-rwx /etc/mail/certs

Then I ran sendmail with -C/etc/mail/mysendmail.cf

When I tried to send an email from mutt, I got the following log:
Oct  6 22:53:04 castor sm-mta[29257]: starting daemon (8.13.4):
[EMAIL PROTECTED]:30:00
Oct  6 22:53:06 castor sm-mta[20830]: STARTTLS=client,
relay=smtp.gmail.com, version=TLSv1/SSLv3, verify=FAIL,
cipher=DES-CBC3-SHA, bits=168/168
Oct  6 22:53:06 castor sm-mta[20830]: j95E6r6E009458:
to=[EMAIL PROTECTED], delay=1+06:46:13,
xdelay=00:00:02, mailer=relay, pri=5611353, relay=smtp.gmail.com
[72.14.205.109], dsn=5.0.0, stat=Service unavailable
Oct  6 22:55:14 castor sendmail[17077]: j96KtEQB017077: from=ericd,
size=561, class=0, nrcpts=1,
msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
Oct  6 22:55:14 castor sendmail[17077]: STARTTLS=client,
relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: STARTTLS=server,
[EMAIL PROTECTED] [127.0.0.1], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-DSS-AES256-SHA, bits=256/256
Oct  6 22:55:14 castor sm-mta[721]: j96KtEx1000721:
from=[EMAIL 

Re: xorg with Nvidia Go5600 at 1600x1200

2005-10-06 Thread pirge
Add this to your xorg.conf in the Device section for the nv driver:

Option "FlatPanel" "True"

and remove the Modes lines in the Screen section. It should default to
the largest res it can find.
Then double check the HorizSync and VertRefresh you have defined in
the Monitor section.


On 06/10/05, stefan hoffmann [EMAIL PROTECTED] wrote:
 Hi,

 thank you for your answer.

 pirge wrote:
  nv will do 1600x1200 - I run a geforce 2 go (dell inspiron 8100) with
  openbsd 3.7 generic at that resolution.
   Reading the nv man page I'm not sure it supports the Go5600..?
 As you can see in the log, the chipset is listed.

  Need to see your xorg.conf and xorg log

 ---xorg.conf:
 ---# File generated by xorgconfig.

 # all comments removed

 Section "Module"
  Load "dbe"  # Double buffer extension
  SubSection "extmod"
   Option "omit xfree86-dga"   # don't initialise the DGA extension
  EndSubSection
  Load "type1"
  Load "freetype"
 EndSection

 Section "Files"
  RgbPath    "/usr/X11R6/lib/X11/rgb"
  FontPath   "/usr/X11R6/lib/X11/fonts/misc/"
  FontPath   "/usr/X11R6/lib/X11/fonts/TTF/"
  FontPath   "/usr/X11R6/lib/X11/fonts/Type1/"
  FontPath   "/usr/X11R6/lib/X11/fonts/CID/"
  FontPath   "/usr/X11R6/lib/X11/fonts/75dpi/"
  FontPath   "/usr/X11R6/lib/X11/fonts/100dpi/"
  FontPath   "/usr/X11R6/lib/X11/fonts/local/"
 EndSection

 Section "ServerFlags"
 EndSection

 Section "InputDevice"
  Identifier "Keyboard1"
  Driver     "kbd"
  Option     "AutoRepeat" "500 30"
  Option     "XkbRules"   "xorg"
  Option     "XkbModel"   "pc104"
  Option     "XkbLayout"  "de"
 EndSection

 Section "InputDevice"
  Identifier "Mouse1"
  Driver     "mouse"
  Option     "Protocol"     "wsmouse"
  Option     "Device"       "/dev/wsmouse"
  Option     "ZAxisMapping" "4 5"
 EndSection

 Section "Monitor"
  Identifier  "My Monitor"
  HorizSync   31.5 - 64.3
  VertRefresh 40-150
 EndSection

 Section "Device"
  Identifier "Standard VGA"
  VendorName "Unknown"
  BoardName  "Unknown"
  Driver     "vga"
 EndSection

 # Device configured by xorgconfig:

 Section "Device"
  Identifier  "nVidia Go5600"
  Driver      "nv"
 EndSection

 Section "Screen"
  Identifier  "Screen 1"
  Device      "nVidia Go5600"
  Monitor     "My Monitor"
  DefaultDepth 24
  Subsection "Display"
   Depth      16
   Modes      "1280x1024" "1024x768" "800x600" "640x480"
   ViewPort   0 0
  EndSubsection
  Subsection "Display"
   Depth      24
   Modes      "1600x1200" "1280x1024" "800x600" "640x480"
   ViewPort   0 0
  EndSubsection
 EndSection

 Section "ServerLayout"
  Identifier  "Simple Layout"
  Screen      "Screen 1"
  InputDevice "Mouse1" "CorePointer"
  InputDevice "Keyboard1" "CoreKeyboard"
 EndSection
 ---xorg.conf.

 ---Xorg.0.log:
 (--) checkDevMem: using aperture driver /dev/xf86
 (--) Using wscons driver in pcvt compatibility mode (version 3.32)
 (WW) GARTInit: AGPIOC_INFO failed (Device not configured)

 X Window System Version 6.8.2
 Release Date: 9 February 2005
 X Protocol Version 11, Revision 0, Release 6.8.2
 Build Operating System: OpenBSD 3.7 i386 [ELF]
 Current Operating System: OpenBSD tymon.my.domain 3.7 GENERIC#50 i386
 Build Date: 16 March 2005
 Before reporting problems, check http://wiki.X.Org
 to make sure that you have the latest version.
 Module Loader present
 Markers: (--) probed, (**) from config file, (==) default setting,
 (++) from command line, (!!) notice, (II) informational,
 (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
 (==) Log file: /var/log/Xorg.0.log, Time: Thu Oct  6 13:25:14 2005
 (==) Using config file: /etc/X11/xorg.conf
 (==) ServerLayout Simple Layout
 (**) |--Screen Screen 1 (0)
 (**) |   |--Monitor My Monitor
 (**) |   |--Device nVidia Go5600
 (**) |--Input Device Mouse1
 (**) |--Input Device Keyboard1
 (**) FontPath set to
 /usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/TTF/,/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/CID/,/usr/X11R6/lib/X11/fonts/75dpi/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/X11R6/lib/X11/fonts/local/
 (**) RgbPath set to /usr/X11R6/lib/X11/rgb
 (==) ModulePath set to /usr/X11R6/lib/modules
 (II) Module ABI versions:
 X.Org ANSI C Emulation: 0.2
 X.Org Video Driver: 0.7
 X.Org XInput driver : 0.4
 X.Org Server Extension : 0.2
 X.Org Font Renderer : 0.4
 (II) Loader running on openbsd
 (II) LoadModule: bitmap
 (II) Loading /usr/X11R6/lib/modules/fonts/libbitmap.a
 (II) Module bitmap: vendor=X.Org Foundation
 compiled for 6.8.2, module version = 1.0.0
 Module class: X.Org Font Renderer
 ABI class: X.Org Font Renderer, version 0.4
 (II) Loading font Bitmap
 (II) LoadModule: pcidata
 (II) Loading /usr/X11R6/lib/modules/libpcidata.a
 (II) Module pcidata: vendor=X.Org Foundation
 compiled for 6.8.2, module version = 1.0.0
 ABI class: X.Org Video Driver, version 0.7
 

Re: WLAN (Linksys WPC111) + WEP

2005-10-06 Thread Joost Tr

Here's an explanation of open vs shared
http://www.dslreports.com/forum/remark,8645211~reverse=0;days=10;root=wlan;mode=full



From: Nikolaus Hiebaum [EMAIL PROTECTED]
To: OpenBSD mailing list - misc misc@openbsd.org
Subject: Re: WLAN (Linksys WPC111) + WEP
Date: Thu, 6 Oct 2005 22:03:50 +0200 (CEST)

* Joost Tr wrote on Oct 6, 2005 [10:00, -] :

 can you connect with open authentication (-A 1) when you set to open 
auth.

 AP too

Yes, with open authentication it works. I am not savvy enough to understand 
the difference.
What is the difference between open and shared key? And what does it mean 
that the open auth.

works and the shared one doesn't?

--
Beste Grüße / Best regards,
Nikolaus Hiebaum




Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Theo de Raadt
If the Soekris did not come with ethernet chipsets which are just
slightly over the bar of rl(4), the wimpy processor in the machine
might be able to cope.



The Wikipedia article on OpenBSD

2005-10-06 Thread Jan Izary
Recently I and several other people have worked to improve the OpenBSD 
article contained in the Wikipedia, I'm sure I need not explain how it 
works.


Anyways, I've worked to get as much easily accessible information regarding 
OpenBSD in that article as possible and I've pretty much run into a wall, 
I've got little else I can add.


I am putting a call out to the OpenBSD community at large to give a look at 
the article and see if they can improve it, fleshing out anything that has 
gaps and explaining some of the more complex concepts.


Things like OpenBSD centred screenshots would be nice if people would be 
willing to upload them and list them in the gallery.


I would have put this on the advocacy list, but really it seems to be dead 
and most advocacy seems to run through the misc list.


Thanks

http://en.wikipedia.org/wiki/OpenBSD





Re: About VLAN and Carp

2005-10-06 Thread Mathieu Sauve-Frankel
On Thu, Oct 06, 2005 at 11:17:04PM +0200, Léo Goehrs wrote:
 ifconfig vlan0 vlan 11 vlandev carp0
 
 
 
 It gives me an error. Is there a way to do that?

Yes there is.
 
The vlandev has to be the physical interface. 
Then you use the vlan interface as the carpdev.

Example: 

ifconfig em0 up
ifconfig vlan0 vlan 11 vlandev em0
ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0


-- 
Mathieu Sauve-Frankel



Re: dual DVI graphics card

2005-10-06 Thread L. V. Lammert
On Thu, 6 Oct 2005, Matthew Weigel wrote:

 In theory, you should be able to answer your question simply by me
 mentioning that radeon(4) supports dual displays on video cards still
 available through retail channels.

 Finally, I can vouch for dual displays working fine on Radeon cards,
 although I use a card with one DVI and one VGA output.

PMFJI, but is there some sort of desktop 'manager' tool like Hydra to
control the desktop space?

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: dual DVI graphics card

2005-10-06 Thread Matthew Weigel
Aaron Glenn wrote:
 On 10/6/05, Matthew Weigel [EMAIL PROTECTED] wrote:

 In theory, you should be able to answer your question simply by me
 mentioning that radeon(4) supports dual displays on video cards still
 available through retail channels.

 I wasn't clear enough in my original post. I'm looking to run
 1920x1200 on two DVI monitors; and I'd like some sort of OpenGL
 hardware acceleration support, however minor. None of the ATi chipsets
 currently support 1920x1200 on two DVI monitors.

It appears I was correct in guessing that simply mentioning that radeon(4)
is where to look would not give you the information you need in order to
arrive at the fact that the Radeon 9600 drives the products for which you
are searching.  Given the quality and tone of your response, I will avoid
correcting you and encourage you to buy what ever it is that you can find
that can meet your needs.

Given the accuracy and completeness of the research you've done so far,
I'm confident that something amusing will result.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Marcos Latas
On 06/10/05, Jan Izary [EMAIL PROTECTED] wrote:
 Recently I and several other people have worked to improve the OpenBSD
 article contained in the Wikipedia, I'm sure I need not explain how it
 works.

 Anyways, I've worked to get as much easily accessible information regarding
 OpenBSD in that article as possible and I've pretty much run into a wall,
 I've got little else I can add.

 I am putting a call out to the OpenBSD community at large to give a look at
 the article and see if they can improve it, fleshing out anything that has
 gaps and explaining some of the more complex concepts.

 Things like OpenBSD centred screenshots would be nice if people would be
 willing to upload them and list them in the gallery.

 I would have put this on the advocacy list, but really it seems to be dead
 and most advocacy seems to run through the misc list.

 Thanks

 http://en.wikipedia.org/wiki/OpenBSD




I had already noticed it and I was wondering who was doing it... Very nice work!



Re: dual DVI graphics card

2005-10-06 Thread Aaron Glenn
On 10/6/05, Matthew Weigel [EMAIL PROTECTED] wrote:
 It appears I was correct in guessing that simply mentioning that radeon(4)
 is where to look would not give you the information you need in order to
 arrive at the fact that the Radeon 9600 drives the products for which you
 are searching.  Given the quality and tone of your response, I will avoid
 correcting you and encourage you to buy what ever it is that you can find
 that can meet your needs.

Perhaps you could drop the cocky attitude and do something productive
with your catty prose? Thanks for the radeon(4) reference; I'm sure if
any of the Radeon chips did 1920x1200 on two DVI it would have been
very helpful.

You see, just because the box or spec sheet says supports 1920x1200
doesn't mean the GPU will do 1920x1200 on both DVI ports. In fact,
colorgraphics, which specializes in multi-display graphics cards, and
uses the ATi Radeon GPU, notes that you get a max of 1600x1200 when
using both DVI ports.

So with that helpful lesson out of the way, you can shut your trap
about radeon(4) and your patently stupid recommendations.

 Given the accuracy and completeness of the research you've done so far,
 I'm confident that something amusing will result.

I'm confident you either lack basic reading comprehension skills, or
talk out of your ass on a regular basis...or maybe both? Either way
you can keep your future quality responses right where they came from,
your ass.



Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Theo de Raadt
  If the Soekris did not come with ethernet chipsets which are just
  slightly over the bar of rl(4), the wimpy processor in the machine
  might be able to cope.
 
 Throughput is only marginally better using an em in the pci slot of a 
 4801. I think there's some other problem.

Yeah -- the super wimpy processor.



Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Stuart Henderson

--On 06 October 2005 16:00 -0600, Theo de Raadt wrote:


If the Soekris did not come with ethernet chipsets which are just
slightly over the bar of rl(4), the wimpy processor in the machine
might be able to cope.


Throughput is only marginally better using an em in the pci slot of a 
4801. I think there's some other problem.




Re: dual DVI graphics card

2005-10-06 Thread Stuart Henderson

experiences setting it up? I've got my eye on the Matrox Millennium
P750 card, but I can't find anything on any kind of support for
OpenBSD (I'm not looking to run Linux, Solaris, or even FreeBSD all of
which seem to have some sort of support).


Their old cards used to be a good choice for open-source, but 
Parhelia-based cards are too proprietary. Pity.




Re: dual DVI graphics card

2005-10-06 Thread Aaron Glenn
On 10/6/05, Stuart Henderson [EMAIL PROTECTED] wrote:

 Their old cards used to be a good choice for open-source, but
 Parhelia-based cards are too proprietary. Pity.


I had used Matrox cards exclusively up until Parhelia was released
however long ago. I think my Millenium II card is still chugging along
in a closet somewhere. From what I can tell on Matrox's site, the
Parhelia and the Millenium P750 are two distinct chipsets.

aaron.glenn



Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread William Bloom
I wondered that as well, but there appear to be lots (so it appears from other 
postings I found using google) of 4801s in use with OpenBSD, doing essentially 
the same thing as myself (Soekris w/ carp/pf/pfsynch).  Yet, AFAICT, I'm the 
only one who's posted about this symptom.  Since there are lots of people who 
do what I do, and if the problem were indeed that the 4801 processor is too 
wimpy, then wouldn't there be more problems like mine mentioned in the lists?  
And I'm running into high interrupts with only about 4Mbs throughput while 
others have claimed much higher values.

Before I used this firewall that I have now, I used m0n0wall on FreeBSD.  I 
chose OpenBSD over m0n0wall/FreeBSD due to m0n0wall state table limitations and 
lack of mature redundance features.  But the m0n0wall handled this much 
traffic, and more, with a relatively low interrupt mode.  As widely as OpenBSD 
is used on Soekris for firewalling compared to m0n0wall/FreeBSD with relatively 
few problems, I'm still not quite ready to decide that I haven't gotten myself 
a setup flaw somewhere.  Just can't figure out where it could be.


Bill

Theo de Raadt wrote:
If the Soekris did not come with ethernet chipsets which are just
slightly over the bar of rl(4), the wimpy processor in the machine
might be able to cope.

Throughput is only marginally better using an em in the pci slot of a 
4801. I think there's some other problem.
 
 
 Yeah -- the super wimpy processor.

-- 
William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado 
Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 
| 
Fax: +11-602-604-3115| http://www.eldocomp.com




Re: dual DVI graphics card

2005-10-06 Thread Stuart Henderson

--On 06 October 2005 16:11 -0700, Aaron Glenn wrote:


I had used Matrox cards exclusively up until Parhelia was released
however long ago. I think my Millenium II card is still chugging along
in a closet somewhere. From what I can tell on Matrox's site, the
Parhelia and the Millenium P750 are two distinct chipsets.


Millenium Pxxx and Parhelia share drivers. I bought a P650 before 
realising this, the only way I found to make it run with X is by 
extracting the relevant file from their closed-source i386 linux driver 
(they're not os-specific). It sits in a windows box now.




Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed [EMAIL PROTECTED] on Thu, 6 Oct 2005
22:15:25 +0100

On Thu, 6 Oct 2005 15:49:02 -0400
Dave Anderson [EMAIL PROTECTED] wrote:

 That's not quite the whole story: 53/tcp is also used when the
 response to a query is too big for a single UDP packet (the resolver
 sends a UDP query and gets a 'truncated' UDP reply, so the resolver
 retries the query using TCP) -- you should always pass both UDP and
 TCP for port 53 to avoid occasional obscure failures.

Works fine on the 2 domains where it's been implemented, of which
I handled the conversion from BIND style to djbdns. No problems on UDP
lookups alone, including some deep CNAMEs, which are just not required,
but I'll deal with those at a later date.

I haven't seen any problems since the change. Lookup times have
improved, I can't state if this is due to the lack of TCP or the file
system overheads with zone files, but I expect a mixture of the two.

According to RFC 1035 section 4.2.1 you're riding for a fall:

Messages carried by UDP are restricted to 512 bytes (not 
counting the IP or UDP headers).  Longer messages are 
truncated and the TC bit is set in the header.

RFC 2671 modifies this by specifying a method for using UDP packets
containing more than 512 bytes, but the maximum size is still limited.

RFC 2181 section 9 is quite clear:

The TC bit should be set in responses only when an RRSet 
is required as a part of the response, but could not be 
included in its entirety.  The TC bit should not be set 
merely because some extra information could have been 
included, but there was insufficient room.  This includes 
the results of additional section processing.  In such 
cases the entire RRSet that will not fit in the response 
should be omitted, and the reply sent as is, with the TC 
bit clear.  If the recipient of the reply needs the 
omitted data, it can construct a query for that data and 
send that separately.

Where TC is set, the partial RRSet that would not 
completely fit may be left in the response.  When a DNS 
client receives a reply with TC set, it should ignore 
that response, and query again, using a mechanism, such 
as a TCP connection, that will permit larger replies.

Responses long enough so that required information is truncated should
be rare, so perhaps you've been lucky and not encountered any yet.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]
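
The UDP-then-TCP fallback discussed in this thread, as an added example that is not part of the original messages: a constructed server truncates a 40-address A RRSet at the RFC 1035 512-byte UDP limit and sets TC, and the resolver logic retries over TCP. The names, the 192.0.2.x addresses and the function-based transports are assumptions made for the illustration, and EDNS0 (RFC 2671) is not modelled.

```python
import struct

UDP_LIMIT = 512      # RFC 1035 section 4.2.1: largest DNS message carried by UDP
TC_FLAG = 0x0200     # TC (truncated) bit in the header flags word
A_RR_LEN = 16        # pointer(2) + type(2) + class(2) + ttl(4) + rdlength(2) + IPv4(4)


def encode_name(name):
    """Encode a domain name as length-prefixed labels, without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qid, name):
    """Build a recursive A/IN query: 12-byte header followed by one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, addresses, limit=None):
    """Answer with one A RRSet. When the RRSet does not fit in `limit` bytes,
    keep the part that fits and set TC, as RFC 2181 section 9 allows."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    # Each record names the owner with a compression pointer to offset 12.
    rrs = [b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(a)
           for a in addresses]
    flags = 0x8180                      # QR, RD and RA set, RCODE 0
    if limit is not None:
        room = (limit - 12 - len(question)) // A_RR_LEN
        if room < len(rrs):
            rrs, flags = rrs[:room], flags | TC_FLAG
    header = struct.pack("!HHHHHH", qid, flags, 1, len(rrs), 0, 0)
    return header + question + b"".join(rrs)


def parse_header(msg):
    """Return the header fields a resolver needs for the TC check."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & TC_FLAG), "ancount": ancount}


def resolve(name, udp, tcp, qid=0x1234):
    """Ask over UDP; if the reply has TC set, ignore it and ask again over TCP.
    `udp` and `tcp` are hypothetical transports: callables that take a query
    and return the reply bytes (a real TCP exchange adds a 2-byte length)."""
    query = build_query(qid, name)
    hdr = parse_header(udp(query))
    if hdr["id"] != qid:
        raise ValueError("reply ID does not match query")
    if not hdr["tc"]:
        return "udp", hdr["ancount"]
    hdr = parse_header(tcp(query))      # the truncated UDP reply is discarded
    return "tcp", hdr["ancount"]


def make_server(addresses):
    """Constructed authoritative server: same data, two transports."""
    def udp(query):
        return build_response(query, addresses, limit=UDP_LIMIT)

    def tcp(query):
        return build_response(query, addresses)
    return udp, tcp


def filtered_tcp(query):
    """Stands in for a firewall that passes 53/udp only."""
    raise ConnectionError("53/tcp filtered")


# Constructed sample data: a 40-address round-robin set and a 5-address set.
BIG = [(192, 0, 2, i) for i in range(1, 41)]
SMALL = BIG[:5]

if __name__ == "__main__":
    print(resolve("www.example.org", *make_server(SMALL)))
    print(resolve("www.example.org", *make_server(BIG)))
    try:
        resolve("www.example.org", make_server(BIG)[0], filtered_tcp)
    except ConnectionError as exc:
        print("lookup failed:", exc)
```

With 53/tcp filtered, the small set still resolves and only the large one fails, which is why the breakage shows up as an occasional, name-specific failure rather than a general outage.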



Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Chris Zakelj
Jan Izary wrote:

 Recently I and several other people have worked to improve the OpenBSD
 article contained in the Wikipedia, I'm sure I need not explain how it
 works.

 Anyways, I've worked to get as much easily accessible information
 regarding OpenBSD in that article as possible and I've pretty much run
 into a wall, I've got little else I can add.

 I am putting a call out to the OpenBSD community at large to give a
 look at the article and see if they can improve it, fleshing out
 anything that has gaps and explaining some of the more complex concepts.

 Things like OpenBSD centred screenshots would be nice if people would
 be willing to upload them and list them in the gallery.

 I would have put this on the advocacy list, but really it seems to be
 dead and most advocacy seems to run through the misc list.

 Thanks

 http://en.wikipedia.org/wiki/OpenBSD

Looks pretty good.  My only suggestions would be to note that Nick
handles the official FAQ, and adding Daniel Ouellet as the
organizer/caretaker of the unofficial user's library.



Wireless issue (ath0: bogus xmit rate 0x0 error)

2005-10-06 Thread Fred Crowson

Hi List,

I'm running 3.8 from the snapshot 2nd Oct, which I upgraded from 3.7, on 
a soekris net4501.


My problem, is probably offtopic, but I'm hoping the wisdom of this list 
will point me in the right direction.


I have an apple iBook G4 which will not connect to my OpenBSD ath0 
minipci card in the soekris, I just get the following errors:


ath0: bogus xmit rate 0x0

The iBook associates with the wireless network and I can connect to two 
other OpenBSD machines with wi0 and ipw0 cards in, which are running on 
the same wireless LAN.


When the net4501 was running 3.7 I would get the same error message, but 
if I toggled the airport on and off on the ibook I would usually get a 
connection, or the soekris would crash, I caught a ps and partial trace 
from one of the 3.7 crashes which is shown below.


Can anyone suggest a way of resolving the iBook's inability to talk to the 
ath0 card?


My dmesg, hostname.ath0 and the ps and trace follow.

Thanks, in advance,

Fred


kernel:kernel: page fault trap, code=0
Stopped at  Xrecurse_legacy8+0x7d:  movl    0x4(%ebx),%eax
ddb> ps
   PID   PPID   PGRP    UID  S   FLAGS  WAIT   COMMAND
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb> trace
Xrecurse_legacy8() at Xrecurse_legacy8+0x7d
--- interrupt ---
Xspllower(800,3a,0,0) at Xspllower+0xe
cnputc(3a,6,d06d1bac,d01e24d1,6) at cnputc+0x26
db_putchar(3a,14,0,6) at db_putchar+0xc6
kprintf(d04fbc88,14,0,0,d06d1c98) at kprintf+0xe20
db_printf(d04fbc88,0,0,0) at db_printf+0x2d
kdbprinttrap(6,0,0,0,0) at kdbprinttrap+0x18
kdb_trap(6,0,d06d1d34,600) at kdb_trap+0x46
trap() at trap+0xa9
--- trap (number 6) ---
pmap_extract(d05cf940,d66d6800,d06d1dcc,0,d05cf940) at pmap_extract+0x36
_bus_dmamap_load_buffer(d0570440,d0836880,d66d6800,600,0) at _bus_dmamap_load_buffer+0x58
_bus_dmamap_load_mbuf(d0570440,d0836880,d29c3100,1) at _bus_dmamap_load_mbuf+0x90
ath_tx_start(d0839000,d092cc00,d083c5cc,d29c3100) at ath_tx_start+0x1b9
ath_start(d0839030,d65591b8,4c1b8,d65591e4) at ath_start+0xfc
ath_rx_proc(d0839000,1,d0101f20,d06d21b4) at ath_rx_proc+0x1d6
ath_intr1(d0839000) at ath_intr1+0x130
Xrecurse_legacy10() at Xrecurse_legacy10+0x8a
--- interrupt ---
--db_more--   Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--- interrupt ---
Xdoreti() at Xdoreti+0x11
--- interrupt ---
Xdoreti() at Xdoreti+0x23
--- interrupt ---
Xdoreti() at Xdoreti+0x7
--db_more--

At this point I pressed the wrong key on the console and the soekris 
rebooted.


Here is my hostname.ath0:

inet 10.0.5.1 255.255.255.0 NONE media DS11 mediaopt hostap nwid wifinet nwkey x


Here is the complete dmesg:

OpenBSD 3.8-current (GENERIC) #169: Sun Oct  2 15:06:50 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 (AuthenticAMD 486-class)
cpu0: FPU
real mem  = 66691072 (65128K)
avail mem = 53411840 (52160K)
using 839 buffers containing 3436544 bytes (3356K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/41/22, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
elansc0 at pci0 dev 0 function 0 AMD ElanSC520 PCI rev 0x00: product 0 stepping 1.1, CPU clock 133MHz, reset 1PWRGOOD
gpio0 at elansc0: 32 pins
ath0 at pci0 dev 16 function 0 Atheros AR5212 rev 0x01: irq 10
ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:02:6f:21:ef:1c
sis0 at pci0 dev 18 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 11, address 00:00:24:c3:ff:20
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 19 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 5, address 00:00:24:c3:ff:21
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 20 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 9, address 00:00:24:c3:ff:22
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: TOSHIBA THNCF512MPG
wd0: 1-sector PIO, LBA, 488MB, 1000944 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at 

Re: dual DVI graphics card

2005-10-06 Thread Matthew Weigel
Aaron Glenn wrote:

 Perhaps you could drop the cocky attitude and do something productive
 with your catty prose?

No, actually - the catty prose itself is unproductive.  But you worked so
hard to eliminate the productive options, I didn't want to give you
anything but what you wanted.

 Thanks for the radeon(4) reference; I'm sure if
 any of the Radeon chips did 1920x1200 on two DVI it would have been
 very helpful.

I'm no good at not helping; if you don't believe me, go take a look at the
video cards that Apple sells.  They specifically say their 9600 supports
two 1920x1200 displays over DVI.  If you'd like to wager that the 9600
that ATI sells specifically for Macs does less than the OEM 9600 that
Apple sells, I'll give you good odds.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



Re: The Wikipedia article on OpenBSD

2005-10-06 Thread Daniel Ouellet

Chris Zakelj wrote:

Jan Izary wrote:



Recently I and several other people have worked to improve the OpenBSD
article contained in the Wikipedia, I'm sure I need not explain how it
works.

Anyways, I've worked to get as much easily accessible information
regarding OpenBSD in that article as possible and I've pretty much run
into a wall, I've got little else I can add.

I am putting a call out to the OpenBSD community at large to give a
look at the article and see if they can improve it, fleshing out
anything that has gaps and explaining some of the more complex concepts.

Things like OpenBSD centred screenshots would be nice if people would
be willing to upload them and list them in the gallery.

I would have put this on the advocacy list, but really it seems to be
dead and most advocacy seems to run through the misc list.

Thanks

http://en.wikipedia.org/wiki/OpenBSD



Looks pretty good.  My only suggestions would be to note that Nick
handles the official FAQ, and adding Daniel Ouellet as the
organizer/caretaker of the unofficial user's library.


If you have any article(s) that you want to find a home for, I would be 
more than happy to provide it! Contributions have been rare, so calls 
were made before, many times in fact. But actual contributions were very 
far in between.

I do have two or three articles now that are waiting my free time to be 
posted, I apologize to the brave souls that actually sent them to me! My 
apology guys, but I haven't forgotten them trust me.

As for more places to post things, my own view, and that doesn't represent 
anyone else's views, is that we sure don't need to duplicate efforts. The 
locations are available, up to the users to make it happen.

Again, great stuff directly for the system that deserves a place on 
OpenBSD.org, should be sent to the always ready and incredibly brave 
soul of Nick if that's a great quality for the FaQ. He sure will tell 
you if it is. But first, read his requirements here:


http://www.holland-consulting.net/obsd/faq-help.html

Then send what you have based on that, either to him, if it is FaQ stuff 
and of great quality, or me if that doesn't apply to the FaQ and we will 
find it a home.


Daniel



Re: High Interrupt Mode Reported by 'Top' for Soekris 4801

2005-10-06 Thread Craig Barraclough
On Fri, 7 Oct 2005 09:08, you wrote:
 I wondered that as well, but there appear to be lots (so it appears from
 other postings I found using google) of 4801s in use with OpenBSD, doing
 essentially the same thing as myself (Soekris w/ carp/pf/pfsynch).  Yet,
 AFAICT, I'm the only one who's posted about this symptom.  Since there are
 lots of people who do what I do, and if the problem were indeed that the
 4801 processor is too wimpy, then wouldn't there be more problems like mine
 mentioned in the lists?  And I'm running into high interrupts with only
 about 4Mbs throughput while others have claimed much higher values.

 Before I used this firewall that I have now, I used m0n0wall on FreeBSD.  I
 chose OpenBSD over m0n0wall/FreeBSD due to m0n0wall state table limitations
 and lack of mature redundance features.  But the m0n0wall handled this much
 traffic, and more, with a relatively low interrupt mode.  As widely as
 OpenBSD is used on Soekris for firewalling compared to m0n0wall/FreeBSD
 with relatively few problems, I'm still not quite ready to decide that I
 haven't gotten myself a setup flaw somewhere.  Just can't figure out where
 it could be.


You'll find a few of us are running the interrupt holdoff patch, which IIRC, 
comes from the FreeBSD tree via [EMAIL PROTECTED] (See below).
Patch trades off timeliness of response for reduced interrupts.

Index: src/sys/dev/pci/if_sis.c
===
RCS file: /cvs/src/sys/dev/pci/if_sis.c,v
retrieving revision 1.46
diff -u -r1.46 if_sis.c
--- src/sys/dev/pci/if_sis.c27 May 2005 04:52:24 -  1.46
+++ src/sys/dev/pci/if_sis.c7 Jun 2005 07:14:37 -
@@ -1692,6 +1692,10 @@
sis_stop(sc);
sc-sis_stopped = 0;

+   /* Configure interrupt holdoff register. */
+   if (sc-sis_type == SIS_TYPE_83815  sc-sis_srr == NS_SRR_16A)
+   CSR_WRITE_4(sc, NS_IHR, NS_IHR_VALUE);
+
mii = sc-sc_mii;

/* Set MAC address */
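Review bot: NS_IHR is written in the added CSR_WRITE_4() call, but neither hunk of this patch defines it (the header hunk adds only NS_IHR_HOLDCTL, NS_IHR_DELAY and NS_IHR_VALUE), so confirm the register offset already exists in if_sisreg.h or add it here. The write is also made only when sis_type is SIS_TYPE_83815 and sis_srr is NS_SRR_16A; a one-line comment saying why other revisions are excluded would help, since on those the holdoff is silently left unconfigured.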
Index: src/sys/dev/pci/if_sisreg.h
===
RCS file: /cvs/src/sys/dev/pci/if_sisreg.h,v
retrieving revision 1.21
diff -u -r1.21 if_sisreg.h
--- src/sys/dev/pci/if_sisreg.h 22 May 2005 05:40:52 -  1.21
+++ src/sys/dev/pci/if_sisreg.h 7 Jun 2005 07:14:38 -
@@ -208,6 +208,20 @@
 SIS_IMR_RX_IDLE|\
 SIS_IMR_SYSERR)

+/* Interrupt Holdoff Register */
+#define NS_IHR_HOLDCTL 0x0100
+
+/*
+ * Interrupt holdoff value for NS DP8316. We can have the chip
+ * delay interrupt delivery for a certain period. Units are in
+ * 100us, and the default is 100us holdoff.
+ */
+#ifndef NS_IHR_DELAY
+#define NS_IHR_DELAY   2
+#endif
+
+#define NS_IHR_VALUE   (NS_IHR_HOLDCTL|NS_IHR_DELAY)
+
 #define SIS_IER_INTRENB0x0001

 #define SIS_PHYCTL_ACCESS  0x0010
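Review bot: the comment above NS_IHR_DELAY says the units are 100us and the default is a 100us holdoff, yet the default defined is 2, which by the comment's own units is 200us; make the comment and the value agree. The comment also names the chip "NS DP8316" while the driver check in if_sis.c is for the 83815. Because NS_IHR_DELAY can be overridden at build time and is OR-ed straight into NS_IHR_VALUE, mask it to the delay field so a large value cannot spill into the NS_IHR_HOLDCTL bit.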

-- 
Craig



Re: sh-script executing

2005-10-06 Thread Ilya A. Kovalenko
OM I know this behaviour from every Unix system I've worked on. Besides,
OM the nice thing about the current way of doing things is that you can
OM read a script from a pipe and have the desired behaviour without any
OM special case code.

Does this behavior have any advantages for regular files? Compatibility?

  If so, does any editor have an option for safe editing in this case?
(Of course, I can always do an editor wraparound.)



RE: Re: sh-script executing

2005-10-06 Thread tony
The editing is perfectly safe.
It is the reading of a file that is being changed that is unsafe.

Of course there's Microsoft Windows.

- --- Original Message --- -
From: [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Fri, 7 Oct 2005 09:39:47

OM I know this behaviour from every Unix system I've worked on. Besides,
OM the nice thing about the current way of doing things is that you can
OM read a script from a pipe and have the desired behaviour without any
OM special case code.

Does this behavior have any advantages for regular files? Compatibility?

  If so, does any editor have an option for safe editing in this case?
(Of course, I can always do an editor wraparound.)



Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:07:23 -0500
eric [EMAIL PROTECTED] wrote:

 On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed...
 
  I use TinyDNS here, so we don't really need to transfer zones as its
  handled with a single data file. CARP can be good with DNS.
 
 53/tcp *is* required to answer normal queries.

TCP for DNS lookups is probably going to incur latency. I'd rather
just block that off and ensure that the DNS being provided does not leak
excess  512 bytes. This might cause some problems with huge round robin
lists, but we can all use pf round robin at the level should we require
a huge address list.

 Since you're drinking djb's koolaid, see 
 
 http://cr.yp.to/djbdns/tcp.html#why
 
 512-bytes uncommon or a mistake? I think not.

DJB woke a large portion of the world when he released djbdns, I'd not
knock it, and it's pretty good advice at the above URL.

-- 
Regards, Ed http://www.usenix.org.uk



Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 22:15:52 +0100, ed proclaimed...

 TCP for DNS lookups is probably going to incur latency. I'd rather
 just block that off and ensure that the DNS being provided does not leak
 excess  512 bytes. This might cause some problems with huge round robin
 lists, but we can all use pf round robin at the level should we require
 a huge address list.

You really should be pumping gas at a gas station or something. Clearly
you're not interested in doing things correctly.

 DJB woke a large portion of the world when he released djbdns, I'd not
 knock it, and it's pretty good advice at the above URL.

And the advice refers to an RFC (which was not written by djb) that
specifically states that TCP can be used.

I'm not knocking djb, I use qmail. I used to use tinydns, but then there
were a whole world of problems with no ipv6 support natively, etc., and I
just didn't want to bother anymore.



Shared Queues / Queuing on Multiple Interfaces

2005-10-06 Thread Brian A. Seklecki
I think I fumbled last week when I posted this original message in reply 
to one several months old (causing it to not be seen by MUA threading)

The question remains:

Can traffic travelling ingress on one-of-a-three-interface router be 
queued as it egresses the other two possible interfaces, enforcing a 
Frame-Relay CIR style sharing policy, but allowing either queue to 
borrow up to the maximum possible Downstream bandwidth on the original 
interface?


See URL and msg below:

http://digitalfreaks.org/~lavalamp/Queues.png

~BAS

-- Forwarded message --
Date: Mon, 3 Oct 2005 11:28:24 -0400 (EDT)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: Henning Brauer [EMAIL PROTECTED]
Cc: misc@openbsd.org, Tony Sarendal [EMAIL PROTECTED],
jared r r spiegel [EMAIL PROTECTED], Seamus Wassman [EMAIL PROTECTED]
Subject: Queing on Multiple Interfaces Revisited (WAS: Re: matching queues
in both directions with stateful rulesets)


On Mon, October 25, 2004 12:50 pm, Henning Brauer said:

* Tony Sarendal [EMAIL PROTECTED] [2004-10-25 16:48]:

Is there a way to assign wich queues stateful traffic
will use in both directions ?


yes, you can have queues with the same names on multiple interfaces.

i. e. you create the queue customer1 on both your external (dc0) and
his interface (vlan1). outbond will go to the one on dc0, inbound to
the one on vlan1.


A better topic would be perhaps upstream bandwidth
distribution...downstream

All, the PF FAQ states several fundamentals about queuing:

1) queuing is only useful for packets in the outbound direction

..then later:

2) Note that queue designation can happen on an interface other than the
one defined in the altq on directive:
  [...example rule set..]

 Queueing is enabled on fxp0 but the designation takes place on dc0. If
packets matching the pass rule exit from interface fxp0, they will be
queued in the ftp queue. This type of queueing can be very useful on
routers.

-

I think a lot of confusion on this topic of multiple interfaces
originates from three problems:

*) The FAQ/documentation doesn't discuss how stateful rules affect
behavior of queue assignment of returning traffic.

*) The FAQ/documentation doesn't really clarify how matching traffic
inbound on one interface (of which the destination traffic matched will
travel outbound on an interface on which queuing is enabled) and applying
it to the outbound queue of the designated interface (point #2 above)
differs in behavior from simply matching traffic outbound on said
queuing-enabled interface.

*) The documentation is a bit ambiguous in the use of terminology such as
direction, inbound, outbound, upstream, downstream, ingress,
egress, etc.,
this is especially important with regards to the naming conventions on
queues and also when the behavior of an example ruleset is described.

Back to the multiple interface issue:

Let's look at an example like a Frame Relay network might: say that
your objective is an SLA for your customers worded as so:

Customer 1 has a 300Kbps bi-directional CIR. Customer 2 has a 500Kbps
bi-directional CIR.  Both may borrow from the total available.

*) 1 or 2 physical interface, 3 logical, whatever.
*) The upstream external interface is broadband/narrowband delivered via
Fast Ethernet (xl0)
*) For the sake of sanity, the narrowband connectivity is
synchronous/symmetric
*) Customer handoff is 100mbs Ethernet (vlan10,vlan20), switch trunked
*) The OpenBSD router is a perimeter router with a pass all style
ruleset (with scrubbing and RFC1918 bogon filters, etc.)

In this case, you can use a generic template to enforce upstream or
outbound queues on xl0.

altq on xl0 cbq queue { std-up cust1-up cust2-up }
queue std-up cbq(default ecn)
queue cust1-up bandwidth 10Mb cbq(ecn)
queue cust2-up bandwidth 10Mb cbq(ecn)

pass out on xl0 from $vlan10_subnet to any keep state queue cust1-up
pass out on xl0 from $vlan20_subnet to any keep state queue cust2-up
# these filters will match customer FTP uploads and HTTP GETs from
# customer-hosted web servers, etc.
# this rule is redundant because the traffic would be forwarded anyway, it
# exists simply to match traffic into a queue and create a state table entry
# while we're at it.

...

But then let's say you want to invert those rules.

**NOTE**, if customer1 and customer2 were visible via the same interface,
then you could easily create a queue on that shared customer-facing
interface with a bandwidth statement that matches the max hypothetical
downstream speed of the broadband connection.  Then divvy it up using
sub-queues and borrow statements.

...but what if Customer 1 and Customer 2 are on separate interfaces?

1) You could create non-stateful matching rules as pass in on $ext_if
2) You could create non-stateful matching rules as pass out on $cust1
..., pass out on $cust2...,

But the question remains: Into what queue?  What type of queue would be
used to designate a policy for downstream traffic flows that are
traveling 

Problem with altq cbq queuing.. please assist?

2005-10-06 Thread Luke Fogarty
Hi

I'm sharing a connection and I'm trying to set aside bandwidth for some
users. Here is the pftop -v queue log

QUEUEBANDW SCH  PRIO PKTSBYTES
DROP_P   DROP_B QLEN   BORROW SUSPENDS P/S B/S
std_outpriq   35055249
0
dns_outpriq46  464
0games_out  priq5  461
255660ssh_outpriq6
000tcp_ack_outpriq
7000root_xl0
10M cbq 0  657   1045720
 std_in 7M cbq657   104572
0
 luke_in1M cbq  00
0
 pete_in1M cbq  00
0
 nick_in1M cbq  00
0


As you can see the priq outbound queues work, but I can't get the cbq to
work for inbound connections. All connections just go to the default
queue.

Here is my pf.conf - love to hear your thoughts, I've tried everything!

# cat /etc/pf.conf
# macros
int_if = "xl0"
ext_if = "xl1"
tcp_services = "{ 22, 113, 5050, 443, 80 }"
udp_services = "{ 443, 5050 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
luke = "192.168.0.15"
nick = "192.168.0.49"
pete = "192.168.0.20"
myth = "192.168.0.253"
obsd = "192.168.0.250"
games = "{ 6112:6119, 4711, 29900:29901, 1024:1124, 1500:4999, 27900, 28910, 16567, 55123:55125, 27910, 27960, 4000, 27020:27050, 1200, 27000:27015 }"

# options
set block-policy return
set loginterface $ext_if
set optimization aggressive

# scrub
scrub in all
scrub out on $ext_if all random-id

#prioritization

#outbound

altq on $ext_if priq bandwidth 10Mb queue { std_out, web_req, dns_out, games_out, ssh_out, tcp_ack_out }

queue std_out priq(default)
queue web_req priority 3
queue dns_out priority 4
queue games_out priority 5
queue ssh_out priority 6
queue tcp_ack_out priority 7

#inbound

altq on $int_if cbq bandwidth 10Mb queue { std_in, luke_in, pete_in, nick_in }

queue std_in bandwidth 70% cbq(default borrow ecn)
queue luke_in bandwidth 10% cbq(borrow ecn)
queue pete_in bandwidth 10% cbq(borrow ecn)
queue nick_in bandwidth 10% cbq(borrow ecn)

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
rdr on $ext_if proto { tcp, udp } from any to any port 443 -> $int_if port 22
rdr on $ext_if proto { tcp, udp } from any to any port www -> $myth port www

# filter rules
block log all

pass quick on lo0 all

#stop spoofing

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass rules

pass in on $ext_if proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in on $ext_if proto tcp from any to any port $tcp_services modulate state flags S/SA
pass in on $ext_if proto udp from any to any port $udp_services keep state

#allow icmp

pass in inet proto icmp all icmp-type $icmp_types keep state

#allow all traffic to and from lan

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $int_if from any to $luke queue luke_in
pass out on $int_if from any to $pete queue pete_in
pass out on $int_if from any to $nick queue nick_in


#let internal traffic access external using queues defined above

pass out on $ext_if proto tcp all modulate state flags S/SA queue (std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state queue std_out
pass out on $ext_if proto tcp from any to any port www modulate state queue web_req
pass out on $ext_if proto { tcp udp } from any to any port domain keep state queue dns_out
pass out on $ext_if proto { tcp udp } from any to any port $games keep state queue games_out
pass out on $ext_if proto tcp from any to any port ssh modulate state queue ssh_out



Re: dual DVI graphics card

2005-10-06 Thread Martin Schröder
On 2005-10-06 14:37:03 -0700, Aaron Glenn wrote:
 I wasn't clear enough in my original post. I'm looking to run
 1920x1200 on two DVI monitors; and I'd like some sort of OpenGL
 hardware acceleration support, however minor. None of the ATi chipsets
 currently support 1920x1200 on two DVI monitors.

One DVI port does up to 1600x1200, so you need four DVI (two
dual-link) ports.

Best
Martin
-- 
http://www.tm.oneiros.de