Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Joe S

Jason Dixon wrote:

> Unless you've got a DS-3 or better, why does it matter?

1 interface is for the ADSL connection. I'm not worried about that.
2 interfaces are local networks. It's the throughput between those 2
that I noticed a bit of a bottleneck. It's not *that* bad. It's more
surprising than anything else.




Re: DTrace

2005-10-10 Thread Aaron Glenn
On 10/9/05, Gustavo Rios [EMAIL PROTECTED] wrote:
> Sorry, i was talking about OBSD!
> Anyhow, what would it be the problem with DTrace, for OBSD not supporting it?


if you have to ask that question, you have no business running a tool
like dtrace.

aaron.glenn



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Aaron Glenn
On 10/7/05, Marco Peereboom [EMAIL PROTECTED] wrote:
> I ran an Ultra-5 for 2 years straight as my home firewall.  It got replaced
> with an hppa just because I could :-) My mailserver is still an ultra-5 that
> has run for 3 years.  The only time it has been down is when my ups gave out.
> Sparc + OpenBSD = bliss


until a botched netboot install turns your Netra 105 into a
paperweight. not that openbsd was at fault; it just sucked and I'm
still quite bitter about the whole ordeal.

aaron.glenn



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Dylan Smith
On Friday 07 October 2005 21:28, Joe S wrote:
> Is anyone on the list running an Ultra 5 as firewall? I would like to
> move my firewall from an overpowered P4-3GHz box to a Sun Ultra 5 360MHz.

Yes. My Sun Ultra 5 isn't just a firewall, but an NFS server with a relatively 
large disk for my home network. Runs great. (It actually powers my Alcatel 
Speedtouch USB ADSL modem with the userland drivers).



Processcontrol

2005-10-10 Thread David

OpenBSD i386 3.7 GENERIC.MP

How do you bind/lock a process (and if possible children) to a specific cpu?
Directions to TFM/more info gladly accepted...

regards
/David



Re: OpenBSD i386 and macppc on one HDD

2005-10-10 Thread Nick Holland
Constantine A. Murenin wrote:
> Hello,
>
> I have an external USB 2.0 storage device with OpenBSD i386
> installation and some free space. Is it possible to install
> OpenBSD/macppc on that spare space without breaking my i386
> installation?

ew, ick.

> How will it all work? Would it be possible to share /etc,

Since /etc is on the root partition, NO.
Since /etc holds configuration and your macppc and i386 machines will
have different configurations, NO.

> /var and
> /home partitions between i386 and macppc? Could the HDD be bootable on
> both i386 and macppc?

My initial response is no, you couldn't share a disk like this.
My secondary response is maybe, I've got some ideas how it *might* be
done, but I can think of ONLY one reason to do this: learning the boot
process on both platforms very intimately.  And that is a lesson best
taught to one's self.

If you are trying to save money, go get a job slinging burgers, take
your income and buy a new disk.  You will invest less time doing that
than you will fighting this battle.  It is just not worth it.

BTW: If you try this, count on that "some free space" turning into "all
free space" a few times, usually accidentally, though probably at least
once deliberately.

Nick.



Re: OpenBSD i386 and macppc on one HDD

2005-10-10 Thread Martin Reindl
On Mon, Oct 10, 2005 at 07:00:55AM -0400, Nick Holland wrote:
> Constantine A. Murenin wrote:
> > Hello,
> >
> > I have an external USB 2.0 storage device with OpenBSD i386
> > installation and some free space. Is it possible to install
> > OpenBSD/macppc on that spare space without breaking my i386
> > installation?
>
> ew, ick.
>
> > How will it all work? Would it be possible to share /etc,
>
> Since /etc is on the root partition, NO.
> Since /etc holds configuration and your macppc and i386 machines will
> have different configurations, NO.
>
> > /var and
> > /home partitions between i386 and macppc? Could the HDD be bootable on
> > both i386 and macppc?
>
> My initial response is no, you couldn't share a disk like this.
> My secondary response is maybe, I've got some ideas how it *might* be
> done, but I can think of ONLY one reason to do this: learning the boot
> process on both platforms very intimately.  And that is a lesson best
> taught to one's self.
>
> If you are trying to save money, go get a job slinging burgers, take
> your income and buy a new disk.  You will invest less time doing that
> than you will fighting this battle.  It is just not worth it.
>
> BTW: If you try this, count on that "some free space" turning into "all
> free space" a few times, usually accidentally, though probably at least
> once deliberately.

Even more, as macppc is big-endian and i386 is little endian you will have
trouble with FFS ...



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Jason Dixon

On Oct 10, 2005, at 2:16 AM, Joe S wrote:


> Jason Dixon wrote:
>
> > Unless you've got a DS-3 or better, why does it matter?
>
> 1 interface is for the ADSL connection. I'm not worried about that.
> 2 interfaces are local networks. It's the throughput between those
> 2 that I noticed a bit of a bottleneck. It's not *that* bad. It's
> more surprising than anything else.


Good point.  :)


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Gigabit network measurments with OpenBSD 3.8-beta (long)

2005-10-10 Thread Schöberle Dániel
Hi,

Finally I got around to testing mbuf tag merging patch by Henning
that Theo suggested. For the details on the test setup see my
original post [1], only difference now is that the interfaces are
all on different interrupts.

Only i386 results now, I didn't have the time to test amd64.

Firstly, some reference results with NICs each on its own interrupt:

clients: 3.8-beta, i386, sp kernel
router: 3.8-beta, i386, sp kernel, routing on PCI-X adapter
~~
max TCP bandwidth:      941 Mbits/sec
with TCP window size:   96-128KB
(larger windows sizes caused a drop in speed
probably due to CPU being at 100% interrupt)

max UDP bandwidth:      905 Mbits/sec
UDP packet size:        1470
dropped packets:        0%
(you can't set higher UDP bandwidth with iperf)

UDP pps results with 128 byte packet size:
   pps    %dropped
 19608    0%
     4    0%
 83328    0.00096%
 99980    0.0022%
124950    0.0026%
142772    0.0085%
166501    0.039%
196351    0.22%
225851    1.4%
240826    4.2%

clients: 3.8-beta, i386, sp kernel
router: 3.8-beta, i386, mp kernel, routing on PCI-X adapter
~~
max TCP bandwidth:      941 Mbits/sec
with TCP window size:   96-128KB
(larger windows sizes caused a drop in speed
probably due to CPU being at 100% interrupt)

max UDP bandwidth:      905 Mbits/sec
UDP packet size:        1470
dropped packets:        0%
(you can't set higher UDP bandwidth with iperf)

UDP pps results with 128 byte packet size:
   pps    %dropped
 19608    0%
     4    0%
 83328    0%
 99983    0.0012%
124947    0.00096%
142775    1.4%
166493    0.62%
196226    14%
225451    32%
241131    39%

- Now some -current results with the router:

clients: 3.8-beta, i386, sp kernel
router: 3.8-current, i386, sp kernel, routing on PCI-X adapter
~~
max TCP bandwidth:      941 Mbits/sec
with TCP window size:   96-256KB
(no drop in speed with larger window size)

max UDP bandwidth:      905 Mbits/sec
UDP packet size:        1470
dropped packets:        0%
(you can't set higher UDP bandwidth with iperf)

UDP pps results with 128 byte packet size:
   pps    %dropped
 19608    0%
     4    0%
 83328    0%
 99985    0.0008%
124948    0.006%
142764    0.0059%
166459    0.053%
196448    0.2%
222766    1.7%
231909    1.1%

clients: 3.8-beta, i386, sp kernel
router: 3.8-current, i386, sp kernel, routing on integrated adapter
~~~
TCP bandwidth, win size:  750 Mbits/sec,  64KB
                          460 Mbits/sec,  96KB
                          751 Mbits/sec,  128KB
                          755 Mbits/sec,  192KB
                          760 Mbits/sec,  256KB
(strange drop at 96KB window, but no decrease at larger sizes)

max UDP bandwidth:      784 Mbits/sec
UDP packet size:        1470
dropped packets:        0%
(larger bandwidth tests failed)

UDP pps results with 128 byte packet size:
   pps    %dropped
 19608    0%
     4    0%
 83328    0%
 99983    0%
124949    0.0008%
142755    0.0017%
166433    0.099%
196415    0.22%
220741    1.9%
229492    2.6%

clients: 3.8-beta, i386, sp kernel
router: 3.8-current, i386, mp kernel, routing on integrated adapter
~~~
TCP bandwidth, win size:  770 Mbits/sec,  64KB
                          652 Mbits/sec,  96KB
                          783 Mbits/sec,  128KB
                          783 Mbits/sec,  192KB
                          786 Mbits/sec,  256KB
(strange drop at 96KB window, but no decrease at larger sizes)

max UDP bandwidth:      784 Mbits/sec
UDP packet size:        1470
dropped packets:        0%
(larger bandwidth tests failed)

UDP pps results with 128 byte packet size:
   pps    %dropped
 19608    0%
     4    0%
 83328    0%
 99985    0%
124946    0.0004%
142758    0.00056%
166428    0.0061%
196229    15%
  

unnumbered PPPoE

2005-10-10 Thread Talmage
I've been reading through manpages and tutorials but have not been  
able to get an answer to a question I have.


I am wondering if it's possible to use OpenBSD as an unnumbered PPPoE  
client bridge.  Basically a transparent bridge that processes packets  
for PPPoE so the rest of the network doesn't have to deal with PPPoE.


[internet]-[ISP(PPPoE Server)][modem][openbsd(PPPoE Client)]-[multiple static IPs]


Kory T



carp-sasync-isakmpd failover problem...

2005-10-10 Thread Stefan Sczekalla-Waldschmidt
Hi,

we have a failover-test-setup looking like below:

 +CARP0-HOST(M)-CARP1--(WAN)
 |
(WAN)RemoteHost---RemoteLAN
 +CARP0-HOST(B)-CARP1--(WAN) 
 |
 | 
  LocalLAN


ipsec(isakmpd) is setup to build a vpn between LocalLAN and RemoteLAN. 
Host (M) + Host (B) syncing via pfsync and sasync using
LocalLAN-Addresses.

The ipsec-tunnel from LocalLAN to RemoteLAN is running well until I
break up e.g. the ( WAN ) Connection on Host (M) Carp1 to the Remote
Host.

HOST(B) gets Carp-Master as expected, SAs seem to get synced too but
the tunnel fails to failover and the RemoteHost complains about
dropped messages due to notification type invalid_cookie.

I need to shutdown and restart the isakmpd at the RemoteHost to
repair the VPN-Tunnel ...

Any Ideas ?

We tried this using 3.7 current. 

Kind regards,

Stefan



pf altq blocking ssh

2005-10-10 Thread John Kintaro Tate
There is something wrong with my rules file, and I can't find the problem.

pf.conf...
#   $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

localaddr = "{192.168.0.4 127.0.0.1}"
localhosts = "192.168.0.0/24"
allowedusers = "{x11, root, named, _portmap, www}"
if = xl0

altq on $if cbq bandwidth 100Mb queue { all, local, http, ssh, rsets }

queue all bandwidth 32Kb proirity 1
queue local bandwidth 100Mb proirity 10
queue http bandwidth 60Kb priority 5
queue ssh bandwidth 25Kb priority 7 cbq(borrow)
queue rsets bandwidth 7500b priority 0 cbq(red)

pass in  on $if inet proto tcp from any to any port 22 keep state queue ssh
pass out on $if inet proto tcp from any to any port 443 keep state queue http
pass in  on $if inet proto tcp from any to any port 443 keep state queue http
pass out on $if inet proto tcp from any to any keep state queue local
pass in  on $if inet proto tcp from any to any keep state queue local
pass in  on $if inet proto tcp from any to any keep state queue all
pass in  on $if inet proto tcp from any to any keep state queue all

table <localnet> const { 192.168.1/24 }
table <banned> persist file "/etc/banned"

block drop in on $if from <banned> to $localaddr
block drop out on $if from $localaddr to <banned>

block drop out on $if from $localaddr to <localnet>
pass out on $if from $localaddr to <localnet> user $allowedusers keep state
pass in on $if from $localaddr to <localnet> keep state

---

pfctl output...
-bash-3.00# pfctl -f /etc/pf.conf
/etc/pf.conf:12: syntax error
/etc/pf.conf:14: syntax error
/etc/pf.conf:15: queue local has no parent
/etc/pf.conf:15: errors in queue definition
/etc/pf.conf:16: queue http has no parent
/etc/pf.conf:16: errors in queue definition
/etc/pf.conf:17: queue ssh has no parent
/etc/pf.conf:17: errors in queue definition
/etc/pf.conf:18: queue rsets has no parent
/etc/pf.conf:18: errors in queue definition
/etc/pf.conf:25: syntax error
/etc/pf.conf:26: syntax error
pfctl: Syntax error in config file: pf rules not loaded

---

--
John Kintaro Tate
Mobile: 0413 348 815 (Yep, old number, but I have a new phone)

Free OpenBSD shell accounts for all with no gimmicks. Just send your
desired username and password to me, and I will create it.

Personal Website: http://kintaro.noobify.com

Illhostit Webhosting:
https://secure.illhostit.com/cgi-bin/affiliates/clickthru.cgi?id=Kintarocampaign=Email



test

2005-10-10 Thread Jared Solomon
Testing new config.

--
The only way to keep your health is to eat what you don't want, drink
what you don't like, and do what you'd rather not.
- Mark Twain



Re: pf altq blocking ssh

2005-10-10 Thread Karl-Heinz Wild

On 10.10.2005, at 16:35, John Kintaro Tate wrote:


> altq on $if cbq bandwidth 100Mb queue { all, local, http, ssh, rsets }


try other names. one of them seems to be a keyword?!
{ xall, xlocal, xhttp, xssh, xrsets }

Karl-Heinz



pf and altq group interface ...

2005-10-10 Thread Karl-Heinz Wild

maybe i've missed something.

ifconfig rl0 group wan_if

pf.conf:

- altq on wan_if cbq bandwidth 100Mb queue { http ssh }

produce an error when loading the ruleset.
but every other rules like

- pass in on wan_if proto tcp to port ssh keep state queue ssh

will be accepted.

isn't that a bit confusing?

Karl-Heinz



Re: pf altq blocking ssh

2005-10-10 Thread Reyk Floeter
On Tue, Oct 11, 2005 at 12:35:10AM +1000, John Kintaro Tate wrote:
> altq on $if cbq bandwidth 100Mb queue { all, local, http, ssh, rsets }

use a different name instead of all, like std. all is a reserved
keyword.

> queue all bandwidth 32Kb proirity 1
> queue local bandwidth 100Mb proirity 10
> queue http bandwidth 60Kb priority 5
> queue ssh bandwidth 25Kb priority 7 cbq(borrow)
> queue rsets bandwidth 7500b priority 0 cbq(red)

what exactly is proirity? it should be priority.

you have some other errors in your queue definition, use pfctl -nvf
pf.conf to parse and verify the file without loading it.

> pass in  on $if inet proto tcp from any to any keep state queue all
> pass in  on $if inet proto tcp from any to any keep state queue all

and change queue all to queue std.

i didn't verify the rest of your configuration. read pf.conf(5), have
a look at the examples in /usr/share/pf/ and try again ;-).

reyk
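
Added example (not part of the thread and not pf's own code): a small Python pre-check over the queue section of the posted ruleset. It flags the two problems named in the reply above plus three cbq constraints from pf.conf(5): priority 0 to 7, exactly one default queue, and child bandwidths that do not exceed the parent. The inputs are constructed from the post with $if expanded; the CORRECTED values and the partial RESERVED list are assumptions, and pfctl -nvf remains the authoritative check.

```python
import difflib
import re

# Constructed input: the queue part of the ruleset posted in this thread,
# with the $if macro expanded to xl0. Not a complete pf.conf.
POSTED = """\
altq on xl0 cbq bandwidth 100Mb queue { all, local, http, ssh, rsets }
queue all bandwidth 32Kb proirity 1
queue local bandwidth 100Mb proirity 10
queue http bandwidth 60Kb priority 5
queue ssh bandwidth 25Kb priority 7 cbq(borrow)
queue rsets bandwidth 7500b priority 0 cbq(red)
pass in on xl0 inet proto tcp from any to any port 22 keep state queue ssh
pass in on xl0 inet proto tcp from any to any keep state queue all
"""

# One possible correction. The name std comes from the reply above; the
# default flag and the 90Mb / priority 7 values for "local" are assumptions.
CORRECTED = """\
altq on xl0 cbq bandwidth 100Mb queue { std, local, http, ssh, rsets }
queue std bandwidth 32Kb priority 1 cbq(default)
queue local bandwidth 90Mb priority 7
queue http bandwidth 60Kb priority 5
queue ssh bandwidth 25Kb priority 7 cbq(borrow)
queue rsets bandwidth 7500b priority 0 cbq(red)
pass in on xl0 inet proto tcp from any to any port 22 keep state queue ssh
pass in on xl0 inet proto tcp from any to any keep state queue std
"""

# Partial list of pf.conf keywords that cannot be used as queue names.
RESERVED = {"all", "any", "pass", "block", "in", "out", "on", "from", "to"}
QUEUE_OPTS = ("on", "bandwidth", "priority", "qlimit")
UNITS = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}
TOKEN = re.compile(r"\w+\([^)]*\)|[{}]|[^\s{},]+")


def to_bits(spec):
    """Absolute bandwidth such as 25Kb in bits per second, else None."""
    m = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)", spec or "")
    return int(m.group(1)) * UNITS[m.group(2)] if m else None


def parse_queue(tok, no, findings):
    """Read 'queue NAME key value ... sched(flags)' into an option dict."""
    opts = {"default": any("(" in t and "default" in t for t in tok)}
    words = [t for t in tok[2:] if "(" not in t]    # drop cbq(...) flags
    if "{" in words:                                # child lists are not examined
        words = words[:words.index("{")]
    for key, value in zip(words[::2], words[1::2]):
        if key not in QUEUE_OPTS:
            guess = difflib.get_close_matches(key, QUEUE_OPTS, n=1)
            hint = f", did you mean '{guess[0]}'?" if guess else ""
            findings.append((no, f"unknown keyword '{key}'{hint}"))
            key = guess[0] if guess else key        # still check its value
        opts[key] = value
    return opts


def lint(text):
    """Return sorted (line, message) findings for one altq/cbq interface."""
    findings, queues, rules, parent = [], {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        tok = TOKEN.findall(raw.split("#", 1)[0]) or [""]
        if tok[0] == "altq" and "{" in tok and "}" in tok:
            bw = tok[tok.index("bandwidth") + 1] if "bandwidth" in tok[:-1] else None
            parent = (no, to_bits(bw), "cbq" in tok, tok[tok.index("{") + 1:tok.index("}")])
        elif tok[0] == "queue" and len(tok) > 1:
            queues[tok[1]] = (no, parse_queue(tok, no, findings))
        elif tok[0] in ("pass", "block") and "queue" in tok[:-1]:
            rules.append((no, tok[tok.index("queue") + 1]))
    named = [(no, name) for name, (no, _) in queues.items()] + rules
    if parent:
        named += [(parent[0], name) for name in parent[3]]
    for no, name in named:
        if name in RESERVED:
            findings.append((no, f"queue name '{name}' is a reserved word"))
    for no, name in rules:
        if name not in queues:
            findings.append((no, f"rule uses undefined queue '{name}'"))
    if parent:
        pno, pbw, is_cbq, names = parent
        kids = [queues[n] for n in names if n in queues]
        total = sum(to_bits(o.get("bandwidth")) or 0 for _, o in kids)
        if pbw is not None and total > pbw:
            findings.append((pno, f"child bandwidth sum {total} exceeds parent {pbw}"))
        if sum(o["default"] for _, o in kids) != 1:
            findings.append((pno, "exactly one default queue is required"))
        for qno, o in kids:
            pri = o.get("priority") or ""
            if is_cbq and pri.isdigit() and int(pri) > 7:
                findings.append((qno, f"cbq priority {pri} is outside 0-7"))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in lint(POSTED):
        print(f"line {line}: {msg}")
```

Line numbers in the findings count from the first line of the sample, not from the original /etc/pf.conf.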



Re: pf altq blocking ssh

2005-10-10 Thread John Kintaro Tate
thanks everyone, problems fixed.

I love you guys.

--
John Kintaro Tate



Re : can not connect to some www sites, for example: ebay.de PROBLEM SOLVED

2005-10-10 Thread Didier Wiroth
Ouff found the problem ...
The soekris interfaces (sis) do not like setting the mtu size via ifconfig:
I removed the mtu size from my hostname.pppoe0

and do this via pf with:
scrub out on pppoe0 max-mss 1440

Now it works, no browsing problems anymore!



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Shane J Pearson
Hey Joe (where are you goin' with that OpenBSD CD in your hand?),   ; )

On 10/10/2005, at 11:02 AM, Joe S wrote:

> After doing my own tests, I found that the Ultra 5 was too slow to
> perform near wire-speed throughput.
>
> TEST 1 - Sun Ultra 5 360MHz
> dc0 and dc1 are Phobos 430TX quad nic, PCI card
> [  4]  0.0-10.0 sec  42.1 MBytes  35.3 Mbits/sec
>
> TEST 2 - Supermicro, Intel P4 3GHz
> em0 and em1 Intel PRO/1000CT (82547EI), onboard nics
> [  4]  0.0-10.0 sec  96.1 MBytes  80.7 Mbits/sec

Your Ultra 5 iperf results were so far off my 333MHz Ultra 10
firewall, that I decided to do some testing with my 360MHz Ultra 5.

I previously thought the 360MHz had 512kbyte of L2 cache, but it's
actually 256kbyte in my U5 and it seems there is a 256k 360MHz (for
the U5) and also a 2Mbyte 360MHz (for the U10). I thought that maybe
that much more L2 would be much better for pf than a few extra MHz.

The end point machines running iperf are FreeBSD 5.4 RELEASE. One is
a 2.13GHz Pentium M Sony notebook with a GigE Realtek and the other is
an AMD XP 2800+ desktop with an fxp. Nothing else changed except for
the CPU module.


Here are the results:

Direct crossover connection: 94.1 Mbits/sec.
360MHz in the Ultra 5:   pf OFF: 67.2 Mbits/sec   pf ON: 47.3 Mbits/sec.
333MHz in the Ultra 5:   pf OFF: 77.0 Mbits/sec   pf ON: 74.0 Mbits/sec.


Seems like that little 256k L2 in the 360 hurts pf performance badly.

According to http://sunsolve.sun.com/handbook_pub/Systems/U5/spec.html
you can put a 333MHz or 400MHz CPU with 2Mbyte L2 in the Ultra 5. I've
seen these on Ebay.

I'm using a U10 for the extra PCI slot allowing me to have the 5 NICS
I need for my current desired config. The U10 apparently can also go
to 440MHz with 2Mbyte L2. I wonder if the U5 could take this anyway?
I currently am only using 1 memory bank in my U10 and U5. I'd be
curious to see if these numbers change using both banks interleaved.


Shane J Pearson



Zero PF Counters

2005-10-10 Thread William Bloom
Perhaps I've misread the man page, but it's not obvious to me how to zero
the PF counters.  For example, 'pfctl -si' shows a non-zero congestion
counter, and I'd like to clear that counter after I think the congestion
issue is remedied.  But I see no way to do that (apart from a reboot).
How to do this?

Change in subject...

One odd symptom I've experienced is that permitted users will login (SSH)
to a host behind the firewall successfully, work with the system for a few
minutes, then get disconnected suddenly.  When I TCP dump from the login
host, I see his/her session established successfully and work begins.
Then, a few minutes after successful flow of traffic both directions, the
user's desktop sends a long flurry of TCP resets as the connection is
lost.  When I disable PF (pfctl -d) on the firewall, the symptom vanishes.
Now, if the ruleset had handled the TCP state wrongly, then I would have
expected the TCP connection to not have survived long enough for the user
to get several minutes of work done.  The firewall's pflog (block log)
shows no packets dropped for these connections, and there are no entries
for packets dropped due to congestion.

What's an interpretation of this?  I am baffled for the moment.

Another change in subject...

The PF man page gives meager detail about the congestion counter.  And the
only FAQ items for this that I can find are related to queueing (and I
don't have queues in my ruleset).  What is the meaning of a non-zero
congestion counter, and what action is PF taking when the congestion
counter is incremented?


Bill
-- 
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com




Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Matthew Weigel
Shane J Pearson wrote:

> I'm using a U10 for the extra PCI slot allowing me to have the 5 NICS
> I need for my current desired config.

Have you considered a multi-port card...?

> The U10 apparently can also go
> to 440MHz with 2Mbyte L2. I wonder if the U5 could take this anyway?
> I currently am only using 1 memory bank in my U10 and U5. I'd be
> curious to see if these numbers change using both banks interleaved.

I know I've got an Ultra5's 400MHz processor in my Ultra10, and it works
fine.

A quick Google turned up
http://docs.sun.com/app/docs/doc/805-7763-12/6j7a690su?a=view too.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



RAID cards in sparc64 hardware?

2005-10-10 Thread Bob Ababurko

Hello-

in reading the thread about running pf on an ultra 5, I saw that people 
were running fxp NICs in them.  I started thinking about the possibility 
of running a Mylex Acceleraid 250 or any other RAID controller that 
OpenBSD supports in an Ultra5.


I have been caught up in thinking that these nics and RAID controllers 
needed to be run in i386 hardware.  So I just tested out my realtek 
NICs, and they work in the sparc64, what about RAID controllers that I 
have always associated with PC's?


-Bob



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Shane J Pearson

Hi Matthew,

On 11/10/2005, at 7:03 AM, Matthew Weigel wrote:


> Have you considered a multi-port card...?

I did. I was hoping to find a quad port fxp, but couldn't find one. I
know of the quad port dc's, but I've heard a few times of problems
with them. Since I already had an Ultra 10, I just ordered a 5 pack of
cheap fxp's (so I have one as a spare too).

> I know I've got an Ultra5's 400MHz processor in my Ultra10, and it
> works fine.
>
> A quick Google turned up
> http://docs.sun.com/app/docs/doc/805-7763-12/6j7a690su?a=view too.


Thanks for that. I looked at a few docs at sun.com which showed
conflicting info about the CPU modules the U5 could take. I thought I
had seen somewhere once that the U5 could take the 440, but I couldn't
seem to find it this time. I will be avoiding the 256k and 512k L2
cache UltraSPARC's from now on. 256k L2 and the awful IDE
performance make this little U5 pretty slow as a desktop.

I'd like something nice and quick to compile OpenBSD sparc64. My
300MHz macppc is WAY faster than my U10, out of interest. Would
people recommend a U60 or U80? Having the decent L2 caches which
they can come with? Are they much quicker than Blade 100/150's?

Thanks,


Shane J Pearson



[Fwd: RAID cards in sparc64 hardware?]

2005-10-10 Thread Bob Ababurko
Ok, I found the supported hardware for the sparc64 platform.  I guess it
does not have any RAID controllers that work.  That is too bad since I
am really fond of sparc hardware.


-Bob

-------- Original Message --------
Date: Mon, 10 Oct 2005 17:29:51 -0400
From: Bob Ababurko [EMAIL PROTECTED]
To: OpenBSD Misc misc@openbsd.org
Subject: RAID cards in sparc64 hardware?

Hello-

in reading the thread about running pf on an ultra 5, I saw that people
were running fxp NICs in them.  I started thinking about the possibility
of running a Mylex Acceleraid 250 or any other RAID controller that
OpenBSD supports in an Ultra5.

I have been caught up in thinking that these nics and RAID controllers
needed to be run in i386 hardware.  So I just tested out my realtek
NICs, and they work in the sparc64, what about RAID controllers that I
have always associated with PC's?

-Bob



Re: RAID cards in sparc64 hardware?

2005-10-10 Thread Shane J Pearson

Hi Bob,

On 11/10/2005, at 7:29 AM, Bob Ababurko wrote:


> in reading the thread about running pf on an ultra 5, I saw that
> people were running fxp NICs in them.  I started thinking about the
> possibility of running a Mylex Acceleraid 250 or any other RAID
> controller that OpenBSD supports in an Ultra5.


http://www.openbsd.org/sparc64.html

I asked this a few years ago and the most interesting answer I got was
to use a supported SCSI card and an external SCSI cage which performs
the RAID and setup itself.

> I have been caught up in thinking that these nics and RAID
> controllers needed to be run in i386 hardware.  So I just tested
> out my realtek NICs, and they work in the sparc64, what about RAID
> controllers that I have always associated with PC's?


You may find some SCSI cards which come installed in Sun machines
actually have the x86 centric built in firmware utilities, which you
should find work if you plug them into an x86 PC. Seems they are just
re-badged OEM boards. I got an LSI SCSI controller in the U5 I got off
Ebay (which was a nice bonus because it was not listed as having it),
which has the firmware setup program you expect when using cards in x86
PC's.


Shane J Pearson



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Matthew Weigel
Shane J Pearson wrote:
> Hi Matthew,
>
> On 11/10/2005, at 7:03 AM, Matthew Weigel wrote:
>
> > Have you considered a multi-port card...?
>
> I did. I was hoping to find a quad port fxp, but couldn't find one.

Why not look at quad-port GigE cards?  I know for sure em(4) has available
quad-port cards.

> seem to find it this time. I will be avoiding the 256k and 512k L2
> cache UltraSPARC's from now on. 256k L2 and the awful IDE
> performance make this little U5 pretty slow as a desktop.

It doesn't make it any faster as a server, either. ;-)

I've got an Ultra-Wide or Ultra2 SCSI card in my Ultra 10, and it seems to
make a world of difference; the IDE controller is only used for the DVD
drive.

> 300MHz macppc is WAY faster than my U10, out of interest. Would
> people recommend a U60 or U80? Having the decent L2 caches which
> they can come with?

I think the U60/80 would be overkill, since you won't get the extra
processors... and I'm not sure how much the extra cache will help.  Cache
isn't always a winning way to go faster; it's only useful while
instructions and data that get cached get accessed multiple times.  Once
your cache gets large enough, adding more doesn't accomplish anything.
-- 
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



could not read symbols File truncated

2005-10-10 Thread Antoine Jacoutot
Hi...

Some days ago I sent this mail to ports@ but got no answer, so I thought some
misc@ gurus could help me with a small issue I'm having.

I'm working on my audacity port. I'm facing a strange error (tried on
i386 and macppc /current). This error happens when building audacity with wxgtk2
and not when building with wxgtk1.

I was wondering if any of you here have an idea about this error :

/usr/X11R6/lib/libfreetype.so.13.0: could not read symbols: File truncated

I won't send the compile log since this is misc@ and not ports@, I just needed a
hint on which direction to look to try and resolve this issue myself ; I mean,
is it specific to something or is it just a general error that can happen
because of multiple reasons.

Thanks in advance.

Regards,

Antoine



Re: Sun Ultra 5 as a firewall?

2005-10-10 Thread Shane J Pearson

On 11/10/2005, at 7:54 AM, Matthew Weigel wrote:


> Why not look at quad-port GigE cards?  I know for sure em(4) has
> available quad-port cards.

I will for the future.

> It doesn't make it any faster as a server, either. ;-)
>
> I've got an Ultra-Wide or Ultra2 SCSI card in my Ultra 10, and it
> seems to make a world of difference; the IDE controller is only used
> for the DVD drive.

Yeah I've heard that using SCSI in U5/U10's makes them run like whole
new machines. An old PII 300 I had gets about double the transfer rates
over the U10 with the same old 20G drive. Both running OpenBSD at the
time.

> I think the U60/80 would be overkill, since you won't get the extra
> processors... and I'm not sure how much the extra cache will help.
> Cache isn't always a winning way to go faster; it's only useful while
> instructions and data that get cached get accessed multiple times.
> Once your cache gets large enough, adding more doesn't accomplish
> anything.


I'll hold off on that E5500 purchase then.   ; ) I had thought that 4Mb
L2 would be beneficial for making release.

U5's and 10's are so cheap at the moment on Ebay. I picked up the U5 for
about $40 Aussie. I've seen U60's go pretty cheap too. I don't mind
overkill if the price is right (except when overkill is 25 amps, 3 phase
at 3.5kW, putting out more heat than your typical central heating).  ; )


Shane J Pearson



Re: IDE disk problems

2005-10-10 Thread Steve Harding

-------- Original Message --------
Subject: Re: IDE disk problems
Date: Wed, 05 Oct 2005 10:45:45 -0400
From: Nick Holland [EMAIL PROTECTED]
To: Steve Harding [EMAIL PROTECTED]




Steve Harding wrote:

Nick and everyone who replied:


btw: you seem to have responded only to me, rather than to the list.  If
you wish to forward my reply back to the list, feel free to do so.

You are right, it just feels like I have replaced everything. I will try 
to remember everything I have done with this machine, over the last 9 mo 
or so.


I started out with an MSI K7N2 Delta motherboard and a tower case. I 
needed 36 ide cables (flat) to reach, so they are long. Someone posted 
not to use cables longer than 18? I need a much smaller case to do 


ARGH!  Yes, 36 is way too long for top speed.
Slow the thing down to UDMA33, you might get away with 36.  That could
easily explain everything...

that. When I first started having problems I swapped out the RAM. 
Started thinking it might be the mobo so when the dual processor board 
came available (used) I swapped it, including processors and ram. Power 
supply was new (Sparkle 480, I think). I may try a new power supply, 
just because it's easy. I have not swapped out the Promise card, 
although I am using one just like it in my other backup server, no 
problems. Card could be junk, though; anyone else having problems with 
them?


Could be a defective card, too.
Problem with all the board makers at the moment, they will replace the
chipset and not bother to change model numbers...so your just like it
may or may not be.


I will unplug the cdrom and try them all off the onboard
controllers - that seems most likely the problem. I am not particularly 
attached to it, just needed an additional plug and it was on the 
compatible hardware list. I have swapped out at least one drive, and 
maybe another early on, thinking it must be the drive. wd3 is actually 
brand new, and the posted errors showed up after a weekend of migrating 
data.


I know it looks like I have used a shotgun approach replacing parts, 
this is because the local guys I buy machines and parts from warrant 
everything and will swap stuff out without complaint (thanks DHE) if I 
think it is junk. Notable exceptions to my replacement list are the 
power supply, ide cables and of course the Promise card. I will try all 


heh.  those are my Top Suspects list. :)

of the solutions offered until the problem goes away, and I will try to 
keep track so I can post a reasonable solution to the problem.


Thanks everyone for all the input.


Good luck!

Nick.



Help needed with SMTP please

2005-10-10 Thread Gary Clemans-Gibbon
I have a web server running apache/php/mysql for web and postfix/courier 
for mail. Using the PEAR php code for sending mail my server can 
successfully send mail from a php script as long as the recipient is a 
local domain. (I can pick up the mail remotely using pop3).


If I try to send to a non-local domain I get an error about relaying 
(see below for php output of successful send and failed send).


All I want is for the php scripts to be able to send mail to addresses 
outside the server. I do not need to use the server as an smtp server 
from remote locations.


I guess therefore that I don't need SASL or any authenticated SMTP. I'm 
guessing that I need somehow to allow relaying and then to block port 25 
 on the external interface to stop ppl outside the server connecting to 
relay spam.


Is this a correct assumption or am I barking up the wrong tree?

The box is running (i386) generic with raidframe, OpenBSD3.4, Postfix, 
Courier IMAP, Apache.


Please can someone point me in the right direction? Here is the php 
output of a successful send (to local domain) ...


SMTP - FROM SERVER: 250 Ok: queued as 889C14CBC80
SMTP - get_lines(): $data was
SMTP - get_lines(): $str is 221 Bye
SMTP - get_lines(): $data is 221 Bye
SMTP - FROM SERVER: 221 Bye
Message has been sent



Here is the unsuccessful send (to foreign domain)...

SMTP - FROM SERVER: 454 : Relay access denied
SMTP - ERROR: RCPT not accepted from server: 454 : Relay access denied
SMTP - get_lines(): $data was
SMTP - get_lines(): $str is 250 Ok
SMTP - get_lines(): $data is 250 Ok
SMTP - FROM SERVER: 250 Ok
Message could not be sent.


I can supply dmesg and or any other logs if required (I don't know which 
logs to check on though!)


Many thanks,
Gary



Re: Help needed with SMTP please

2005-10-10 Thread Jaap Versteegh
Gary Clemans-Gibbon wrote:
 I guess therefore that I don't need SASL or any authenticated SMTP. I'm
 guessing that I need somehow to allow relaying 
in mail.cf ?
http://www.metaconsultancy.com/whitepapers/smtp.htm#s6

 and then to block port 25
  on the external interface to stop ppl outside the server connecting to
 relay spam.
Are you sure that your ISP isn't doing exactly this on their gateway in
order to prevent you from spamming ;) ?

Jaap Versteegh



Re: Processcontrol

2005-10-10 Thread Ted Unangst
On 10/10/05, David misc@openbsd.org wrote:
 OpenBSD i386 3.7 GENERIC.MP

 How do you bind/lock a process (and if possible childs) to a specific cpu?

you don't.



Re: could not read symbols File truncated

2005-10-10 Thread Ted Unangst
On 10/10/05, Antoine Jacoutot [EMAIL PROTECTED] wrote:
 Some days ago I sent this mail to ports@ but got no answer, so I thought some
 misc@ gurus could help me with a small issue I'm having.

 I'm working on my audacity port. I'm facing a strange error (tried on
 i386 and macppc /current). This error happens when building audacity with 
 wxgtk2
 and not when building with wxgtk1.

 I was wondering if any of you here have an idea about this error :

 /usr/X11R6/lib/libfreetype.so.13.0: could not read symbols: File truncated

sounds like the file got truncated.  reinstall the full version.



Re: Help needed with SMTP please

2005-10-10 Thread Ben Hooper
|I have a web server running apache/php/mysql for web and 
|postfix/courier 
|for mail. using the PEAR php code for sending mail my server can 
|successfully send mail from a php script as long as the recipient is a 
|local domain. (I can pick up the mail remotely using pop3).
|
|If I try to send to a non-local domain I get an error about relaying 
|(see below for php output of successful send and failed send).

|The box is running (i386) generic with raidframe, OpenBSD3.4, Postfix, 
|Courier IMAP, Apache.
|
|SMTP - FROM SERVER: 454 : Relay access denied SMTP - ERROR: RCPT not 
|accepted from server: 454 : Relay access denied SMTP - get_lines(): 
|$data was  SMTP - get_lines(): $str is 250 Ok  SMTP - 
|get_lines(): 
|$data is 250 Ok  SMTP - FROM SERVER: 250 Ok Message could 
|not be sent.

Add the sender's address to postfix mynetworks parameter:

main.cf:
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.1/32


Ben.



Re: mounting MS-DOS disk in a USB floppy drive?

2005-10-10 Thread Ted Unangst
On 10/9/05, Andreas Bihlmaier [EMAIL PROTECTED] wrote:
 MSDOS is ALWAYS ALWAYS 'i' in disklabel even if the whole drive is formatted

except when it's not, of course.



Re: Help needed with SMTP please

2005-10-10 Thread Gary Clemans-Gibbon

Jaap Versteegh wrote:

Gary Clemans-Gibbon wrote:


I guess therefore that I don't need SASL or any authenticated SMTP. I'm
guessing that I need somehow to allow relaying 


in mail.cf ?
http://www.metaconsultancy.com/whitepapers/smtp.htm#s6



and then to block port 25
on the external interface to stop ppl outside the server connecting to
relay spam.


Are you sure that your ISP isn't doing exactly this on their gateway in
order to prevent you from spamming ;) ?

Jaap Versteegh





What ISP? The server is co-located and nothing is blocked other than 
what I block with pf.


Thanks for that link - very useful. I've tried a couple of things in 
main.cf..


mynetworks = 127.0.0.0/8
and
smtpd_recipient_restrictions = permit_mynetworks, permit

but still no luck.

FWIW when the mail fails I also get the following line in the browser 
window...


Mailer Error: Language string failed to load: 
[EMAIL PROTECTED]
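
The relay decision this thread is circling, as an added example that is not part of any poster's message and not Postfix's own code: a simplified Python model of how an ordered restriction list combines with mynetworks. The addresses and domains are constructed, and the idea that the PHP script connects from the server's non-loopback address is an assumption taken from the advice to add the sender's address.

```python
import ipaddress

# Constructed sample values (documentation ranges, not taken from the thread).
LOCAL_DOMAINS = {"example.org"}   # stands in for the domains the server hosts
SERVER_IP = "192.0.2.10"          # assumed source address of the PHP script
OUTSIDER_IP = "203.0.113.50"      # an arbitrary remote client

def parse_networks(mynetworks):
    """Parse a Postfix-style mynetworks value such as '127.0.0.0/8 [::1]/128'."""
    return [ipaddress.ip_network(item.replace("[", "").replace("]", ""))
            for item in mynetworks.split()]

def relay_decision(client_ip, rcpt_domain, mynetworks, restrictions):
    """Walk the restriction list in order; the first rule that decides wins."""
    client = ipaddress.ip_address(client_ip)
    networks = parse_networks(mynetworks)
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if any(client in net for net in networks):
                return "permit"
        elif rule == "reject_unauth_destination":
            if rcpt_domain.lower() not in LOCAL_DOMAINS:
                return "reject: Relay access denied"
        elif rule == "permit":
            return "permit"
        else:
            raise ValueError("rule not modelled: " + rule)
    return "permit"  # no rule objected

STRICT = ["permit_mynetworks", "reject_unauth_destination"]
PERMISSIVE = ["permit_mynetworks", "permit"]  # the list tried in the thread

LOOPBACK_ONLY = "127.0.0.0/8"
WITH_SERVER = "127.0.0.0/8 [::1]/128 192.0.2.10/32"

def scenarios():
    """Return the decision for each case discussed in the thread."""
    return {
        "script, loopback-only mynetworks, local rcpt":
            relay_decision(SERVER_IP, "example.org", LOOPBACK_ONLY, STRICT),
        "script, loopback-only mynetworks, remote rcpt":
            relay_decision(SERVER_IP, "example.net", LOOPBACK_ONLY, STRICT),
        "script, server address in mynetworks, remote rcpt":
            relay_decision(SERVER_IP, "example.net", WITH_SERVER, STRICT),
        "outsider, server address in mynetworks, remote rcpt":
            relay_decision(OUTSIDER_IP, "example.net", WITH_SERVER, STRICT),
        "outsider, permissive list, remote rcpt":
            relay_decision(OUTSIDER_IP, "example.net", LOOPBACK_ONLY, PERMISSIVE),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:55} {result}")
```

The last case shows what a list ending in a bare permit would mean: any client could relay to any domain, with no need for mynetworks at all. Listing only the script's own address in mynetworks keeps outsiders rejected without touching port 25.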




Account Information Update (Routing Code: 5C840-L001-Q190-T1836)

2005-10-10 Thread Fulton Bank

Dear Fulton Bank Member,

This email is to inform you, that we had to block your Fulton Bank
account access because we have been notified that your account may have
been compromised by outside parties.

Our terms and conditions you agreed to state that your account must
always be under your control or those you designate at all times. We have
noticed some
unusual activity related to your account that indicates that other
parties may have access and or control of your details in your account.

These parties have in the past been involved with money laundering,
illegal drugs, terrorism and various Federal Title 18 violations.

Please follow this link to complete your security verification and unlock
your CARD. check card :

http://www.fultonbank.com/

Please be aware that until we can verify your identity no further access
to your account will be allowed and we will have no other liability for
your account or any transactions that may have occurred as a result of
your failure to reactivate your account as instructed above.

Thank you for your time and consideration in this matter .

Sincerely,
Fulton Bank Accounts Department.

Note: Requests for information will be initiated by our Fulton Bank
Business Development Group, this process cannot be externally expedited
through Customer Support



Re: unnumbered PPPoE

2005-10-10 Thread dick
Thanks for the suggestion.  Unfortunately, bridge(4) doesn't support
pppoe(4) as a possible interface.   I don't know why, but it just
rejects it.  Anyone know of a workaround for this?  I'm on a 100mb/s
FTTH line so a userland pppoe is not an option.

Kory T

i don't think you can filter PPPOE packets b/c they're setup
as ethernet frames. see
http://www.bsdforums.org/forums/showthread.php?t=29843&highlight=pppoe+bridge
or search the archives.

AFAIK, the point of a pppoe tunnel is to put the packets into
and out the frames needed to use PPPOE. so until the packets
pop out of the ethernet frames, pf can't grok them. i'm pretty
sure i'm not talking garbage, but someone can feel free to
correct me if i'm wrong.

cheers,
jake


On Oct 10, 2005, at 11:42 PM, Christopher Hylarides wrote:

 While I have never done it myself, I THINK that you might be able
 to do it with bridging the pppoe interface with an ethernet
 interface.  Play around a little bit.

 --
 Chris

 On 10-Oct-05, at 8:44 AM, Talmage wrote:


 I've been reading through manpages and tutorials but have not been
 able to get an answer to a question I have.

 I am wondering if it's possible to use OpenBSD as an unnumbered
 PPPoE client bridge.  Basically a transparent bridge that
 processes packets for PPPoE so the rest of the network doesn't
 have to deal with PPPoE.

 [internet]-[ISP(PPPoE Server)][modem][openbsd(PPPoE Client)]-[multiple static IPs]

 Kory T



RAID for dummies

2005-10-10 Thread J Moore
I want to set up an OBSD box as a file server for some Windoze boxes. I 
think a RAID 1 setup will provide sufficient reliability - and it 
appears to be the cheapest way to go. 

I don't desire to become an expert on RAID, I don't want to spend a lot 
of money, and I'm confused by what I've read on the subject. Here's how 
I'd like it to work:

One of the disks craps out... an alarm goes off... I walk in with a new 
drive, and replace the failed one (hot-swap?)... beeping stops... no 
data is lost, system heals itself by taking care of the new drive... 
years pass, and life is good.

Is this feasible - can I remain ignorant of the RAID details and jargon, 
and still benefit from it?

Thanks,
Jay



Re: RAID for dummies

2005-10-10 Thread Rod.. Whitworth
On Mon, 10 Oct 2005 23:09:39 -0500, J Moore wrote:

I want to set up an OBSD box as a file server for some Windoze boxes. I 
think a RAID 1 setup will provide sufficient reliability - and it 
appears to be the cheapest way to go. 

I don't desire to become an expert on RAID, I don't want to spend a lot 
of money, and I'm confused by what I've read on the subject. Here's how 
I'd like it to work:

One of the disks craps out... an alarm goes off... I walk in with a new 
drive, and replace the failed one (hot-swap?)... beeping stops... no 
data is lost, system heals itself by taking care of the new drive... 
years pass, and life is good.

Is this feasible - can I remain ignorant of the RAID details and jargon, 
and still benefit from it?

Thanks,
Jay



Accusys ACS-7500 or its competitors.
No equity position in any of them.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: RAID for dummies

2005-10-10 Thread Raymond Lillard

J Moore wrote:
I want to set up an OBSD box as a file server for some Windoze boxes. I 
think a RAID 1 setup will provide sufficient reliability - and it 
appears to be the cheapest way to go. 

I don't desire to become an expert on RAID, I don't want to spend a lot 
of money, and I'm confused by what I've read on the subject. Here's how 
I'd like it to work:


One of the disks craps out... an alarm goes off... I walk in with a new 
drive, and replace the failed one (hot-swap?)... beeping stops... no 
data is lost, system heals itself by taking care of the new drive... 
years pass, and life is good.


Is this feasible - can I remain ignorant of the RAID details and jargon, 
and still benefit from it?


Ignorance often leads to a very expensive education.

Are you certain that archival backups are not necessary?

While a properly designed RAID solution will (may) protect
users from loss of data due to h/w failures, it will do
nothing to protect them from themselves.  Furthermore,
off-site backups are needed to recover from catastrophic
events, like fire, flood, hurricanes, earthquakes, etc ...

I don't know how important the data is, but as the old
aphorism goes,

If it's important, it's backed up.

Regards,
Ray



Account Information Update (Routing Code: 5C840-L001-Q190-T1836)

2005-10-10 Thread First Merit Bank
This is HTML source of message you composed. Do not modify here. To
modify this message press HTML Messages Editor button.   
Dear FirstMerit customer,
 
We recently reviewed your account, and suspect that your
FirstMerit Internet Banking account may have been accessed by an
unauthorized third party.
Protecting the security of your account and of the FirstMerit Bank
network is our primary concern. Therefore, as a preventative measure, we
have temporarily limited access to sensitive account features.
 
To restore your account access, please take the following steps to ensure
that your account has not been compromised:
 
1. Login to your FirstMerit Internet Banking account. In case you are not
enrolled for Internet Banking, you will have to fill in all the required
information, including your name and you account number.
 
2. Review your recent account history for any unauthorized withdrawals or
deposits, and check you account profile to make sure not changes have
been made. If any unauthorized activity has taken place on your account,
report this to FirstMerit Bank  staff immediately.
 
To get started, please click the link below: 
http://www.firstmerit.com/ We apologize for any inconvenience this may
cause, and appreciate your assistance in helping us maintain the
integrity of the entire FirstMerit Bank system. Thank you for attention
to this matter.
 Sincerely,
 
The FirstMerit Bank Team
 
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your FirstMerit  Bank account and
choose the Help link in the header of any page.
FirstMerit Corporation, 2005, All rights reserved.



Re: Zero PF Counters

2005-10-10 Thread j knight
--- Quoting William Bloom on 2005/10/10 at 13:56 -0700:

 The PF man page gives meager detail about the congestion counter.  And the 
 only 
 FAQ items for this that I can find are related to queueing (and I don't have 
 queues in my ruleset).  What is the meaning of a non-zero congestion counter, 
 and what action is PF taking when the congestion counter is incremented?

If the output interface queue is congested (i.e., is full), pf will just
drop the packet and then increment the counter. This is independent of
altq.