OpenBSD 3.8 installation video
Hi, I installed OpenBSD 3.8 in VMware (my 3.8 test installation!) and captured the installation steps to an avi file. The video address is http://www.enderunix.org/docs/openbsd.avi ; you need to install the VMware codec to play the video. For Linux/BSD, copy the vmnc.dll file (from the VMware codec) to the /usr/lib/win32/ dir. For Windows, install the http://vmware-svca.www.conxion.com/software/VMware-moviedecoder-5.0.0-13124.exe file.

PS: It's only a test installation and is intended to demonstrate the install steps for non-OpenBSD users.

--
Huzeyfe VNAL
---
First Turkish Qmail book is out! Go check it.
Have you heard? Turkey's first Qmail book is out. http://www.acikakademi.com/catalog/qmail/
Re: ciss is slow and uses all the CPU
I think this is enough to file a Problem Report, could you please do that? Read sendbug(1) and http://www.openbsd.org/report.html if unsure. I have a DL380 G3 which shows the same "ciss0: cmd_stat 2 scsi_stat 0x0" messages so chances are mine's affected as well, I'll try to load it a bit and see what happens.

Regards
Johan M:son

On Tuesday 01 November 2005 18.18, you wrote:

I installed a snapshot on an HP Proliant DL360, and everything seems fine except that disk performance is terrible. Just running bonnie++ for a quick test it can only do 8MB/s write because it's using 100% of the CPU. Top shows it's all being spent in system time. For contrast, my slow laptop ATA drive does 14MB/s at 3% CPU usage.

Adam

OpenBSD 3.8-current (GENERIC) #169: Sun Oct 2 15:06:50 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.06GHz (GenuineIntel 686-class) 3.07 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 2147041280 (2096720K)
avail mem = 1953218560 (1907440K)
using 4278 buffers containing 107454464 bytes (104936K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 SouthBridge rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xcc000/0x1800 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE rev 0x31
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE rev 0x00
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE rev 0x00
pci1 at pchb2 bus 1
bge0 at pci1 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 (0x1002): irq 11 address 00:0b:cd:d1:2a:c7
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
vga1 at pci0 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ciss0 at pci0 dev 4 function 0 Compaq Smart Array 5i/532 rev.2 rev 0x01: irq 3
ciss0: 1 LD HW rev 1 FW 2.38/2.38 lmap 4000:0
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.38 SCSI0 0/direct fixed
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
sd0: 69459MB, 69459 cyl, 64 head, 32 sec, 512 bytes/sec, 142253280 sec total
vendor Compaq, unknown product 0xb203 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 0 not configured
vendor Compaq, unknown product 0xb204 (class system subclass miscellaneous, rev 0x01) at pci0 dev 5 function 2 not configured
pcib0 at pci0 dev 15 function 0 ServerWorks CSB5 SouthBridge rev 0x93
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: COMPAQ, CRN-8245B, 2.19 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pchb3 at pci0 dev 15 function 3 ServerWorks CSB5 PCI rev 0x00
pchb4 at pci0 dev 17 function 0 ServerWorks CIOBX2 rev 0x05
pchb5 at pci0 dev 17 function 2 ServerWorks CIOBX2 rev 0x05
pci2 at pchb5 bus 4
bge1 at pci2 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 (0x1002): irq 10 address 00:0b:cd:d1:2a:c6
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e3ed netmask efed ttymask ffef
pctr: user-level cycle counter enabled
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:

Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

That should be no problem.

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all. Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS hence the question.
A: ?

There is no 'no synchronization' option. We never enforce the synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000 routes into OSPF and thinking all will be fine. Sure you may get bitten if you have routers that do not run iBGP in between the two iBGP routers but that's more a design problem and is solvable.

Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
A: ?

Just add the 'tcp md5sig password fluffy' to a neighbor and bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear the session and activate tcp md5. You can do that one peer at a time.

Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS
A: ?

redistribute ospf is currently not implemented. bgpd is currently not able to redistribute routes added by ospfd. This is on the todo list.
Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110) then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production. Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance.
A: ?

Neither ospfd nor bgpd know about administrative distances. Currently it is only safe to use the two together if there are no equal routes. If both bgpd and ospfd try to add the same route to the kernel routing table it will result in undefined behaviour (mostly the first one wins). Again this is on the todo list (even before the redistribute thing).

Part of bgpd.conf:
[...]
neighbor $peer0 {
        remote-as ABCD
        descr "ebgp sucks"
        set nexthop aaa.aaa.aaa.aab
        multihop 10
        local-address aaa.aaa.aaa.aaa
        announce self
        announce IPv6 none
        enforce neighbor-as yes
        set weight 100
        #tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
        remote-as our_own_AS
        descr "internal"
        local-address 172.16.0.1
        depend on em5

I think this is not doing what you think. depend on is only useful on carp(4) interfaces. It does not make sense for physical interfaces.

        announce all

That's actually the default :)

        announce IPv6 none
        enforce neighbor-as no

That one as well.

        set weight 200
        #tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)

Iick. That will cause troubles with everything in the 172/8 range. You can add a rule like:
allow from $carp prefix 172.16.0.0/24
afterwards. That would be much nicer.

--
:wq Claudio
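Putting Claudio's three corrections together (depend on the carp(4) interface rather than the physical one, the per-neighbor tcp md5sig that is activated with bgpctl reload plus bgpctl neighbor ... clear, and an allow rule for the internal peer placed after the /12 deny), here is what the iBGP neighbor block and filter could look like. This is an added example, not per's configuration or anything from OpenBGPD itself; the peer address, AS number, interface name and password are placeholders.

```conf
# bgpd.conf fragment (added example; addresses, AS and password are placeholders)
carp="172.16.0.2"

neighbor $carp {
        remote-as 65001                 # our own AS number: this is the iBGP session
        descr "internal"
        local-address 172.16.0.1
        depend on carp1                 # the carp(4) interface, not the physical em5 beneath it
        announce all
        announce IPv6 none
        enforce neighbor-as no
        set weight 200
        tcp md5sig password NoPotatoes  # then: bgpctl reload; bgpctl neighbor internal clear
}

# Filters: last matching rule wins, so the /12 deny stays and the specific
# allow for the internal peer's /24 is added after it.
deny from any prefix 172.16.0.0/12 prefixlen = 12
allow from $carp prefix 172.16.0.0/24
```

The md5sig line is the only change that needs a session reset: after bgpctl reload, the new password is picked up the next time that one neighbor's session is cleared, so the remaining peers keep running while you roll it out one carrier at a time.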
Re: in-kernel pppoe and automatic reconnect
On Wed, 02 Nov 2005 12:12:36 +, Dulmandakh Sukhbaatar wrote:

I'm new to OBSD, and configured in-kernel pppoe as my internet gateway. I found out that with userland pppoe automatic reconnect is possible, but with in-kernel pppoe every time the pppoe connection is lost, I need to reboot the system. I don't know how to manually reconnect the connection. Any suggestions? Please help.

It was possible with 3.7. With 3.8 the reconnect is supposed to be even better. Which one did you try? Plus, you find some re-connect script proposals in the archive. Rebooting is principally the wrong way to reconnect (though it might work).

Uwe
Re: Crypto card question
On 11/2/05, Theo de Raadt [EMAIL PROTECTED] wrote: I'm setting up an OpenBSD 3.7 box as a VPN/SSH server. It will have a Broadcom 5805 installed to help offload some of the crypto processing. Our employees have laptops with XP loaded and Intel Pro 100/S cards installed. Will the crypto functionality on these cards work in conjunction with the Broadcom on the OBSD box? 3DES and maybe IPSEC seem to be the common elements of the two, thus the question. There is no documentation for the Intel Pro 100/S crypto functionality. To which mail address can requests for documentation be sent please? Kind Regards Siju
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
Claudio Jeker wrote:

On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:

Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

That should be no problem.

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all. Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS hence the question.
A: ?

There is no 'no synchronization' option. We never enforce the synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000 routes into OSPF and thinking all will be fine. Sure you may get bitten if you have routers that do not run iBGP in between the two iBGP routers but that's more a design problem and is solvable.

Hi Claudio

Most documentation on BGP or OSPF is geared towards IOS systems or pro ISO systems like Zebra, with whatever options and syntax that comes with the territory. Finding alternatives for options like e.g. 'no synchronization' and 'no auto-summary' when changing from (in my case) Zebra to OpenBGPD is not covered too well in an otherwise fine documentation, but thank you for clarifying. A small paragraph in the bgpd.conf man page for people coming to OpenBGPD dealing with this would be nice.

Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
A: ?

Just add the 'tcp md5sig password fluffy' to a neighbor and bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear the session and activate tcp md5. You can do that one peer at a time.

Check. (thank you)

Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS
A: ?

redistribute ospf is currently not implemented. bgpd is currently not able to redistribute routes added by ospfd. This is on the todo list.

Perfect.

Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110) then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production. Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance.
A: ?

Neither ospfd nor bgpd know about administrative distances. Currently it is only safe to use the two together if there are no equal routes. If both bgpd and ospfd try to add the same route to the kernel routing table it will result in undefined behaviour (mostly the first one wins). Again this is on the todo list (even before the redistribute thing).

I guess reading BGP from Cisco literature would match learning TCP/IP with books from Microsoft ... The BGP implementation in Cisco IOS uses an administrative distance, hence the question. If you mean equal routes from a 'weight' point of view, then I have a problem. So far all my peers have the same weight.

Part of bgpd.conf:
[...]
neighbor $peer0 {
        remote-as ABCD
        descr "ebgp sucks"
        set nexthop aaa.aaa.aaa.aab
        multihop 10
        local-address aaa.aaa.aaa.aaa
        announce self
        announce IPv6 none
        enforce neighbor-as yes
        set weight 100
        #tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
        remote-as our_own_AS
        descr "internal"
        local-address 172.16.0.1
        depend on em5

I think this is not doing what you think. depend on is only useful on carp(4) interfaces. It does not make sense for physical interfaces.

I have carp1 on em5. I'll change em5 to carp1 right away. Thank you.

        announce all

That's actually the default :)

I know. In every conf file I write what I want it to do (even defaults) and remove anything else. Makes it easy to parse for !me without having to know system 'default'.

        announce IPv6 none
        enforce neighbor-as no

That one as well.

Ditto. :)

        set weight 200
        #tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)

Iick. That will cause troubles with
Re: FAQ v3.8
Steven, Great job on FAQ 13 and FAQ 15! Thanks!

On 11/1/05, Nick Holland [EMAIL PROTECTED] wrote:

2) Introducing, FAQ 15 - The OpenBSD packages and ports system! Steven Mestdagh (author of the also pretty new FAQ 13 - Multimedia) has once again come through with a wonderful new page providing much greater documentation for the OpenBSD packages and ports system. Packages and ports have gone through some major evolutions in the last few releases, but the old faq8.html documentation had been lagging. Many thanks to Steven for his hard work on this!

Nick.

--
The only way to keep your health is to eat what you don't want, drink what you don't like, and do what you'd rather not. - Mark Twain
Re: in-kernel pppoe and automatic reconnect
On Wed, Nov 02, 2005 at 12:12:36PM +, Dulmandakh Sukhbaatar wrote:

I'm new to OBSD, and configured in-kernel pppoe as my internet gateway. I found out that with userland pppoe automatic reconnect is possible, but with in-kernel pppoe every time the pppoe connection is lost, I need to reboot the system. I don't know how to manually reconnect the connection. Any suggestions? Please help.

To make kernel pppoe reconnect I cycle the interface:

ifconfig pppoe0 down
ifconfig pppoe0 up

Outgoing traffic should then still not work because the default route needs to be set anew. I came up with a small daemon that sets a new default route automatically when the IP changes on the pppoe0 interface and posted it to this list; to this day I use this and it works formidably. Someone replied to my post saying you don't need the daemon since another mode in pppoe (-link1 in ifconfig) does this. Whether it does or not I don't know since I never use it. Anyhow, here is the link for your experimentation:

http://marc.theaimsgroup.com/?l=openbsd-miscm=111973574009710w=2

Regards,
-peter
ipa under OpenBSD 3.8-current
Is ipa known to work under OpenBSD 3.8? I'm running the daemon with a valid config and believe it is set to report on 2 rules in my pf ruleset, but it reports 0 bytes where there should be >0 bytes if I read it correctly:

# ipastat -R in$ -x -i oct-nov
+---------------------+---------------------+
| From                | To                  |
+---------------------+---------------------+
| 2005.10.01/00:00:00 | 2005.11.30/24:00:00 |
+---------------------+---------------------+
+---------+------------------------------+-------+--------+
| Rule    | Info                         | Bytes | Mbytes |
+---------+------------------------------+-------+--------+
| http_in | Inbound HTTP traffic         |     0 |      0 |
| ping_in | Inbound echo-request traffic |     0 |      0 |
+---------+------------------------------+-------+--------+

# sudo pfctl -vvsrules
@11 pass in log on ne3 inet proto tcp from 10.0.1.0/24 to (ne3:1) port = www keep state label "HTTP_in"
  [ Evaluations: 12        Packets: 72        Bytes: 22115       States: 0     ]
  [ Inserted: uid 0 pid 18402 ]
@12 pass in log inet proto icmp all icmp-type echoreq keep state label "ICMP-echoreq"
  [ Evaluations: 533       Packets: 42        Bytes: 3528        States: 0     ]
  [ Inserted: uid 0 pid 18402 ]

# ipa -t -f /etc/ipa.conf
global {
        update_db_time = 10s
        maxchunk = 2G
        db_group = wheel
}
rule http_in {
        info = "Inbound HTTP traffic"
        pf = 11
}
rule ping_in {
        info = "Inbound echo-request traffic"
        pf = 12
}

# ipa -V
IPA, version 1.3.6 (OpenBSD/i386 3.8)
Compiled on:
  o Oct 31 2005, 11:17:40
Compile options: -DWITHOUT_IPFW -DWITHOUT_IP6FW -DWITHOUT_IPFIL
Support:
  o Packet Filter

# uname -a
OpenBSD openbsd.sancho2k.net 3.8 GENERIC#210 i386

# head -n1 /etc/motd
OpenBSD 3.8-current (GENERIC) #210: Tue Oct 25 23:07:20 MDT 2005

--
Darren Spruell
[EMAIL PROTECTED]
Re: A great article ( found on the OpenBSD site)
Spruell, Darren-Perot wrote:

Don't forget the rest of the story: http://www.undeadly.org/cgi?action=articlesid=20051024113247pid=27mode=expanded

DS

Right on. I blogged this a week or so ago (http://www.stilyagin.com/darrin/blog/2005/10/25/1310/). Damn sensationalist media types.

--
Darrin Chandler
[EMAIL PROTECTED]
http://www.stilyagin.com/
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
* per engelbrecht [EMAIL PROTECTED] [2005-11-02 00:52]:

I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

should just work.

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all. Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS hence the question.

not needed. retarded idea in the first place... I mean, you don't need ip classless on OpenBSD either to tell it we're not in the 80s any more :)

Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem have it as an option. Would like to add md5sig one carrier at a time on a live system.

# bgpctl reload

next time the session(s) in question traverses IDLE the settings become active. you can force that using

# bgpctl neighbor foo clear

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: Broadcom BCM5721 driver for OpenBSD 3.6
Reeann Zhang wrote: Do you have driver of Broadcom BCM5721 Gigabit Ethernet Controllers for openBSD 3.6 The card is not detected when installing. Try updating to 3.7 or 3.8, this should at least detect the card. You might have some problems with the link detection though. (At least, this occurs for me with a BCM5751.) [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: in-kernel pppoe and automatic reconnect
* Dulmandakh Sukhbaatar [EMAIL PROTECTED] [2005-11-02 05:25]: I'm new to OBSD, and configured in-kernel pppoe as my internet gateway. I found out that with userland pppoe automatic reconnect is posible, but with in-kernel pppoe everytime pppoe connection lost, I need to reboot the system. I don't know how to manually reconnect the connection. Any suggestions? Please help. huh? kernel PPPoE just reconnects when it loses the session -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: in-kernel pppoe and automatic reconnect
On Wed, Nov 02, 2005 at 04:42:12PM +0100, Henning Brauer wrote:

* Dulmandakh Sukhbaatar [EMAIL PROTECTED] [2005-11-02 05:25]:

I'm new to OBSD, and configured in-kernel pppoe as my internet gateway. I found out that with userland pppoe automatic reconnect is possible, but with in-kernel pppoe every time the pppoe connection is lost, I need to reboot the system. I don't know how to manually reconnect the connection. Any suggestions? Please help.

huh? kernel PPPoE just reconnects when it loses the session

No, only if you add -link1.

--
:wq Claudio
Re: in-kernel pppoe and automatic reconnect
Claudio Jeker wrote:

On Wed, Nov 02, 2005 at 04:42:12PM +0100, Henning Brauer wrote:

* Dulmandakh Sukhbaatar [EMAIL PROTECTED] [2005-11-02 05:25]:

I'm new to OBSD, and configured in-kernel pppoe as my internet gateway. I found out that with userland pppoe automatic reconnect is possible, but with in-kernel pppoe every time the pppoe connection is lost, I need to reboot the system. I don't know how to manually reconnect the connection. Any suggestions? Please help.

huh? kernel PPPoE just reconnects when it loses the session

No, only if you add -link1.

In fact -link1 (i.e. disable link1 == disable dial on demand) is the default behaviour. The manpage summarizes it quite nicely. By default it tries to keep the connection open at all times, which includes trying to reconnect if the session is lost. There were a couple of problems in 3.7 with auto reconnection, which resulted in all kinds of workarounds being proposed/developed. In 3.8 none of them are necessary. It just works by default.

Can
CARP
Hey folks, I am setting up two firewalls to operate with CARP. They have three interfaces each: one to the outside, one to the inside, and the third will link them both together. The outside network is just used for routing; it uses 192.68.0.*. I requested three addresses: 192.168.0.1 (will be used for redundancy), 192.168.0.2 and 192.168.0.3 on each of the firewalls' outside interfaces. Each of the firewalls' outside interfaces is connected to a switch. My doubt is that, functionally, my network reach address will be advertised as 192.168.0.1; I will be doing failover and load balancing with it. Would this approach require any special support in the switch device? Thanks
Re: Crypto card question
On 11/2/05, Theo de Raadt [EMAIL PROTECTED] wrote: I'm setting up an OpenBSD 3.7 box as a VPN/SSH server. It will have a Broadcom 5805 installed to help offload some of the crypto processing. Our employees have laptops with XP loaded and Intel Pro 100/S cards installed. Will the crypto functionality on these cards work in conjunction with the Broadcom on the OBSD box? 3DES and maybe IPSEC seem to be the common elements of the two, thus the question. There is no documentation for the Intel Pro 100/S crypto functionality. To which mail address can requests for documentation be sent please? We have grown tired of keeping track of the merry-go-round of employees constantly being shuffled at Intel, and we don't know who you can talk to. I wish people had more initiative, and did their OWN WORK at finding the people to get documentation from.
Re: CARP
On 11/2/05, Gustavo Rios [EMAIL PROTECTED] wrote: Would this approach requires any special support into the switch device? CARP does not require special support, I suppose. Rather, it requires a more feature-rich switch not blocking its traffic (multicast). In other words: if you don't disable it on the switch, it should work. CARP has worked fine for me since 3.5, on switches ranging from E 15,- (the infamous 'Sweex' type for those in the Netherlands) to large HP and Cisco devices. That includes VLANs, both tagged and not. Give it a spin. If your present switch poses problems, insert a 'dirt-cheap and dumb' device between the problematic switch and the CARP'ed interfaces. And make sure you don't block CARP packets in your firewall. Cheers, Rogier -- If you don't know where you're going, any road will get you there.
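To make Rogier's two conditions concrete (the switch must forward CARP's multicast advertisements, and pf must not drop them), here is how the first of Gustavo's two firewalls could be set up with the addresses from his post. This is an added example, not configuration from either poster or from the OpenBSD FAQ; the interface names em0/em2, vhid 1, the advskew values and the password are assumptions, and the second box is identical except for its own address on em0 and a higher advskew.

```conf
# Added example for the first firewall. Interface names, vhid, advskew and
# the password are assumptions; addresses are the ones from the thread.

# /etc/hostname.em0    - outside interface, this box's own address
inet 192.168.0.2 255.255.255.0 NONE

# /etc/hostname.carp0  - shared outside address that moves on failover
#                        (second box: same line with advskew 100)
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 1 pass CHANGEME advskew 0

# /etc/hostname.pfsync0 - state sync over the third, back-to-back link (em2)
up syncif em2

# /etc/pf.conf fragment. CARP advertisements are IP protocol 112 sent to
# the multicast group 224.0.0.18: an ordinary switch just floods them, and
# pf on the outside interface must let them through in both directions.
# pfsync traffic likewise has to be allowed on the sync link.
ext_if="em0"
sync_if="em2"
pass on $ext_if proto carp keep state
pass on $sync_if proto pfsync
```

If the outside switch does IGMP snooping or filters multicast on the firewall ports, the two boxes never see each other's advertisements and both become master for 192.168.0.1, which is the "special support" failure to watch for; tcpdump -ni em0 proto carp on the backup shows whether the master's advertisements are arriving.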
AODV implementation on the pipeline?
Hi [EMAIL PROTECTED], Just curious if there were any plans to implement an AODV routing daemon, given the emphasis on wireless applications lately. If this is not the case, I understand that a lot of OpenBSD developers provide with consultancy services for a fee. What would be the average price to create such an OpenAODV daemon? Thx, P
Re: CARP
Gustavo Rios wrote:

Hey folks, I am setting up two firewalls to operate with CARP. They have three interfaces each: one to the outside, one to the inside, and the third will link them both together. The outside network is just used for routing; it uses 192.68.0.*. I requested three addresses: 192.168.0.1 (will be used for redundancy), 192.168.0.2 and 192.168.0.3 on each of the firewalls' outside interfaces. Each of the firewalls' outside interfaces is connected to a switch. My doubt is that, functionally, my network reach address will be advertised as 192.168.0.1; I will be doing failover and load balancing with it. Would this approach require any special support in the switch device? Thanks

I don't know how you will load balance but failover will work, no special switch configuring required. Though without redundant switches, your new single point of failure is the switches.
pf and rdr pass
Hi, I have read in the pf manual that adding the pass keyword will bypass all the filter rules; however, I have problems: the packet is still blocked on the outgoing interface. This is my pf.conf:

#
# pf.conf - OpenBSD 3.7 PF ruleset
#
# Options
set block-policy drop
#
# Traffic Normalization
scrub in all
#
# Packet Filtering
rdr pass on gem0 inet proto tcp from 200.13.180.123 \
    to 200.13.190.2 port 22 -> 192.168.10.121

# default policy
block log all label "DEFAULT BLOCK:"

# trusted interfaces
pass in quick on lo0 all
pass out quick on lo0 all

gem0 is the public interface where the ssh request is received and gem1 is the local interface directly connected to the 192.168.10.0/24 network. This is the pflog:

Nov 02 08:16:17.151259 rule 0/(match) block out on gem1: 200.13.180.123.49814 > 192.168.10.121.22: S 3090574713:3090574713(0) win 5840 <mss 1460,sackOK,timestamp 3182791293 0,nop,wscale 2> (DF)
Nov 02 08:16:41.308555 rule 0/(match) block out on gem1: 200.13.180.123.49815 > 192.168.10.121.22: S 3154028339:3154028339(0) win 5840 <mss 1460,sackOK,timestamp 3182815466 0,nop,wscale 2> (DF)

If I add the following rule, the port forwarding works ok:

pass out log quick on gem1 proto tcp from 200.13.180.12 to 192.168.10.121 \
    port ssh flags S/SA keep state

the relevant pflog:

Nov 02 08:35:00.532917 rule 5/(match) pass out on gem1: 200.13.180.123.52782 > 192.168.10.121.22: S 29304265:29304265(0) win 5840 <mss 1460,sackOK,timestamp 3183915398 0,nop,wscale 2> (DF)

Does the pass on the rdr sentence only apply to the gem0 interface? Am I missing something? Thanks
Re: pf and rdr pass
On Wednesday 02 November 2005 01:02 pm, Miguel wrote:

Does the pass on the rdr sentence only apply to the gem0 interface?

Yes. I posted a similar query last Friday. See the thread titled rdr clarification.

Am I missing something?

Maybe the docs are confusing in that regard. I also thought that the pass meant through to the destination, but in practice this is clearly not the case.

Chris
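Miguel's ruleset with the fix he found, written out as one file so the point Chris confirms is visible in context: the pass on an rdr rule covers only the interface the rdr is on (gem0), so under a block-all policy the translated packet still needs its own pass rule when it leaves on gem1. This is an added example, not Miguel's file as posted; the macro names are mine, the addresses and interfaces are the ones from his post, and it assumes the ssh host is the only forwarded service.

```conf
# Added example: rdr with an explicit outbound pass on the internal interface.
# Macro names are assumptions; addresses/interfaces are from Miguel's post.
ext_if="gem0"
int_if="gem1"
ssh_client="200.13.180.123"
ssh_server="192.168.10.121"

set block-policy drop
scrub in all

# "rdr ... pass" only lets the translated packet *in* on $ext_if.
# It creates no pass rule for the same packet leaving on $int_if.
rdr pass on $ext_if inet proto tcp from $ssh_client \
    to 200.13.190.2 port 22 -> $ssh_server

# default policy: everything not explicitly passed is dropped and logged
block log all label "DEFAULT BLOCK"

# trusted interfaces
pass in quick on lo0 all
pass out quick on lo0 all

# The missing piece: allow the forwarded connection out on the internal
# interface. Filtering happens after translation, so match on the internal
# host as destination; keep state so the replies need no extra rule, and
# flags S/SA so only the initial SYN can create that state.
pass out quick on $int_if inet proto tcp from $ssh_client \
    to $ssh_server port 22 flags S/SA keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and keep the outbound pass as narrow as the rdr itself (one source, one destination, one port) rather than opening $int_if outbound generally, since every host reachable through that rule is exposed to the public address.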
Re: CARP
On 11/2/05, Dag Richards [EMAIL PROTECTED] wrote: Though without redundant switches you have your new single point of failure is the switches. Which, in many cases, already was a single point of failure. Keeping a few spare, low-grade switches at least allows you to get things back up quickly in many cases. Whether that's 'true' redundancy is probably another debate. That said, even with switches being a single point of failure, introducing CARP does allow for additional benefits (such as maintenance becoming far less disruptive). Cheers, Rogier -- If you don't know where you're going, any road will get you there.
Re: CARP
Rogier Krieger wrote: On 11/2/05, Dag Richards [EMAIL PROTECTED] wrote: Though without redundant switches you have your new single point of failure is the switches. Which, in many cases, already was a single point of failure. Keeping a few spare, low-grade switches at least allows you to get things back up quickly in many cases. Whether that's 'true' redundancy is probably another debate. That said, even with switches being a single point of failure, introducing CARP does allow for additional benefits (such as maintenance becoming far less disruptive). Cheers, Rogier -- If you don't know where you're going, any road will get you there. True I guess I am just trying to justify the time I spent learning/configuring STP to quiet the local CISCO nazi's who howled at me for not buying PIX fw's. There is the small feature gap in not being able to fail back though. CARP of course will, but I can not force a pfsync of the states back before the ip migrates back to the master.
please publish SPF records
thanks in advance
CSAV for Exchange - Virus Alert
The message MESSAGE COULD NOT BE DELIVERED you sent to [EMAIL PROTECTED] [EMAIL PROTECTED] had the file attachment instruction.zip which was infected with the instruction.htm Infection: W32/[EMAIL PROTECTED] (exact) virus. The file attachment was quarantined at c:\Program Files\Command Software\CSAV for Exchange\Quarantine.
Re: CARP
On Nov 2, 2005, at 1:41 PM, Dag Richards wrote: True I guess I am just trying to justify the time I spent learning/ configuring STP to quiet the local CISCO nazi's who howled at me for not buying PIX fw's. There is the small feature gap in not being able to fail back though. CARP of course will, but I can not force a pfsync of the states back before the ip migrates back to the master. I suggest testing that again. As I recall in my lab things worked very nicely. They also worked when Jason did his demo @ NYCBSDCON, when the master came back, after a reboot, the scp slowed but did not stall nor fail. -Chad
IBM xSeries 336 - atapiscsi/pciide bug
I have posted on this issue before, but I had little response so I have started a new post with all the information I have gathered in the hope that I can get the attention of someone who can help me. I apologize to anyone this inconveniences. I am attempting to create a cd-bootable email firewall using openbsd. The hardware I am using is IBM xSeries 336, which uses the INTEL 82801EB/ER IDE interface. I have tried the following with OpenBSD 3.7, 3.8, and current. OpenBSD can boot from cd and install from ftp successfully. However, I cannot access the CDROM drive during the install process or from the installed os. If I attempt to do this via disklabel or mount, I get the following error: cd0(pciide0:0:0): timeout type: atapi type: atapi c_bcount: 32 c_bcount: 32 c_skip: 0 c_skip: 0 pciide0:0:0: device timeout, c_bcount=32, c_skip=0, status=0x58DRDY,DSC,DRQ, ireason=0x2 This error repeats several times before the kernel gives up and I am returned to the shell. I have found a PR with the same symptoms: PR4570. Interestingly, this was with an nVidia nforce chipset. I am not sure if this is the same problem, I have added a note to the PR with my own dmesg. I am sure that the problem is in software, not hardware. I have confirmed this problem on another machine, and I have tested this machine with NetBSD, Linux, and Windows, all of which can use the cdrom without problems. On the suggestion of others, I have disabled UDMA and DMA, which no change. I have done the best I can to find out what is cause of this error. I can program in c, but I am not familiar with the OpenBSD kernel, or kernels in general. As far as I can determine, the error occurs when the kernel tries to read from the device, seeking completes successfully, the kernel requests the data, and then nothing happens, causing the kernel to jump to the timeout routine. I would greatly appreciate help with this. 
It is an important project for our company, and if it would help solve the problem we may be able to offer a bounty to get this hardware working. There is someone at IBM who is willing to provide documentation to help solve this problem. Please let me know if there is any information that I haven't provided that would be useful.

Thanks,
Stephen Nelson

[dmesg attached]
Re: Make a backup
Abel Talaversn Estevez wrote:

> Hi all, I'm using OpenBSD in a firewall which runs 3.6 and I want to upgrade it from 3.6 to 3.7.

This does not answer your question, but I'd recommend going to 3.8 if you can.
pflog question
Hi there, I have a lot of these in my logs:

Nov 01 07:28:12.871754 rule 5/(match) block in on ne3: 84.230.227.137 > xxx.xxx.xxx.xxx: icmp: host 192.168.0.100 unreachable

I am behind a NAT. Why are hosts on the internet sending me these ICMP unreachable messages for always different host numbers (mostly from the reserved ranges)? Could it be that a host from our local network is sending out the queries for which these are the answers? Or is this some kind of attack?

-f

-- 
some lose their tempers from seeing you keep yours.
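As an added example (not from the post or the thread), a small Python parser for pflog lines in the tcpdump(8) format quoted above: an ICMP unreachable quotes the packet that triggered it, so the "host X unreachable" field is the destination of a packet that left this NAT carrying its public address. Grouping those hosts per external sender and flagging the ones in private ranges separates ordinary unreachables for real outbound traffic from the case the poster suspects, a local machine whose packets to reserved addresses are leaking out through the NAT. The sample lines and the public address 203.0.113.5 (standing in for xxx.xxx.xxx.xxx) are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the tcpdump(8)-on-pflog format quoted in the post.
# 203.0.113.5 stands in for the poster's masked public address (xxx.xxx.xxx.xxx).
SAMPLE_LOG = """\
Nov 01 07:28:12.871754 rule 5/(match) block in on ne3: 84.230.227.137 > 203.0.113.5: icmp: host 192.168.0.100 unreachable
Nov 01 07:28:13.104211 rule 5/(match) block in on ne3: 84.230.227.137 > 203.0.113.5: icmp: host 10.0.0.7 unreachable
Nov 01 07:29:01.002341 rule 5/(match) block in on ne3: 198.51.100.9 > 203.0.113.5: icmp: host 172.16.4.2 unreachable
Nov 01 07:29:05.550000 rule 5/(match) block in on ne3: 198.51.100.9 > 203.0.113.5: icmp: host 8.8.8.8 unreachable
Nov 01 07:30:00.000001 rule 5/(match) block in on ne3: 192.0.2.44 > 203.0.113.5: icmp: echo request
"""

# One "host X unreachable" line: the ICMP error quotes the original packet, so X is
# the destination of a packet that carried our public address as its source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) unreachable$"
)


def parse_unreachables(text):
    """Return one dict per 'host unreachable' line; other pflog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Per external sender: total unreachables, how many name a private host, and which.

    A private (RFC 1918) host means a locally originated packet to a reserved range
    left through the NAT; a public host is a normal reply to real outbound traffic.
    """
    summary = defaultdict(lambda: {"total": 0, "private": 0, "hosts": set()})
    for r in records:
        entry = summary[r["src"]]
        entry["total"] += 1
        if ipaddress.ip_address(r["host"]).is_private:
            entry["private"] += 1
            entry["hosts"].add(r["host"])
    return dict(summary)
```

Feeding real pflog output through `summarize(parse_unreachables(...))` and then looking for the listed private hosts in the NAT's state table or in outbound pflog entries identifies the local machine generating the traffic.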
Re: IBM xSeries 336 - atapiscsi/pciide bug
On Thu, 03 Nov 2005 11:09:17 +1300, Stephen Nelson wrote:

> OpenBSD can boot from cd and install from ftp successfully. However, I cannot access the CDROM drive during the install process or from the installed os.
> I would greatly appreciate help with this. It is an important project for our company, and if it would help solve the problem we may be able to offer a bounty to get this hardware working.

Let me repeat my suggestion as well, then: Open one of the boxes and swap the IDE-cable. Then swap the CD with another drive; different manufacturer. There is still a small chance that you ran into a bus master problem with two devices requesting it (1030 and DVD). The latest Intel IDE-chips are said to not support bus mastering. When the DVD is such a device, it will bring conflicts. I agree that the chances of the latter are low, because other OSes support both devices. But if you're really interested, give it a go.

Or, donate one of the boxes to a developer to get it resolved ;)

Uwe
PPTP in 3.7
I am trying to find some current documentation or pointers on how to setup a PPTP connection from my OpenBSD 3.7 firewall to my work VPN running PPTP. I've seen quite a few things, but most are outdated or conflicting in the instructions they give. I have seen some references to the kernel supporting this functionality natively, while others say that recompiling the kernel is necessary and still others say a third party program is needed. I am just looking for somewhere to start that has current information or maybe even a copy of the configs from someone who has set this up before.

I'd also like to find information on what settings are needed in pf if a PPTP connection is used, but the networks it bridges are using the same addressing scheme. I also need to know how to configure the router (OpenBSD) to pass traffic to certain addresses out the VPN connection, others back into the LAN, and the rest out my cable connection. I need to know how to configure the VPN so that it is not my default gateway out since my home connection is much faster than the T1 at my office where the VPN connects.

Thanks for any pointers, hints, advice, configs or whatever else anyone has to contribute, and I'm sorry for being a bother, but while the information is out there, I have been unable to find what is relevant to my config.

Thanks,
Logical_1
Re: IBM xSeries 336 - atapiscsi/pciide bug
Thanks for your prompt reply. I misunderstood you last time; I thought you were suggesting that one of the drives was defective. I tried swapping the CDROM, but the x336 are 1U rackmounted servers, and they use custom IDE cables. As I don't have access to any other IBM rackmounted servers, I don't have any other devices to swap in. I could order another drive from IBM, but as I know this problem exists for others I think it's unlikely that this is the source and I don't think that it's worth the cost.

Regarding your second suggestion - firstly I am in New Zealand, secondly, the machines don't belong to my company, and we don't have the means to buy another one. I have been communicating with IBM, and while they are interested in knowing if this is resolved and are happy to supply documentation, they're not interested to the extent of providing hardware to resolve it. While I realize it's not ideal, if it's at all helpful I can provide access to a machine via ssh for a developer who is working on a fix.

Stephen

Uwe Dippel wrote:

> On Thu, 03 Nov 2005 11:09:17 +1300, Stephen Nelson wrote:
> > OpenBSD can boot from cd and install from ftp successfully. However, I cannot access the CDROM drive during the install process or from the installed os.
> > I would greatly appreciate help with this. It is an important project for our company, and if it would help solve the problem we may be able to offer a bounty to get this hardware working.
>
> Let me repeat my suggestion as well, then: Open one of the boxes and swap the IDE-cable. Then swap the CD with another drive; different manufacturer. There is still a small chance that you ran into a bus master problem with two devices requesting it (1030 and DVD). The latest Intel IDE-chips are said to not support bus mastering. When the DVD is such a device, it will bring conflicts. I agree that the chances of the latter are low, because other OSes support both devices. But if you're really interested, give it a go.
>
> Or, donate one of the boxes to a developer to get it resolved ;)
>
> Uwe
Re: Crypto card question
On 11/2/05, Theo de Raadt [EMAIL PROTECTED] wrote:

> On 11/2/05, Theo de Raadt [EMAIL PROTECTED] wrote:
> > > I'm setting up an OpenBSD 3.7 box as a VPN/SSH server. It will have a Broadcom 5805 installed to help offload some of the crypto processing. Our employees have laptops with XP loaded and Intel Pro 100/S cards installed. Will the crypto functionality on these cards work in conjunction with the Broadcom on the OBSD box? 3DES and maybe IPSEC seem to be the common elements of the two, thus the question.
> >
> > There is no documentation for the Intel Pro 100/S crypto functionality.
>
> > To which mail address can requests for documentation be sent please?
>
> We have grown tired of keeping track of the merry-go-round of employees constantly being shuffled at Intel, and we don't know who you can talk to. I wish people had more initiative, and did their OWN WORK at finding the people to get documentation from.

alright :-)

kind regards
Siju
ibook+openbsd3.8
Good day. I have installed OpenBSD 3.8 on my ibook G4, all fine, but I can't switch to another console, I can just use ttyC0. I tried different methods but without results.

Thanks in advance.

Regards,
Eder
Re: ibook+openbsd3.8
On Thu, 3 Nov 2005, Eder M. G. A. wrote:

> Good day. I have installed OpenBSD 3.8 on my ibook G4, all fine, but i can't switch to another console, just can use ttyC0, i tried different methods but without results.

macppc uses vgafb(4) and does not support multiple consoles.

-Otto
Re: ibook+openbsd3.8
Otto Moerbeek wrote:

> On Thu, 3 Nov 2005, Eder M. G. A. wrote:
> > I have installed OpenBSD 3.8 on my ibook G4, all fine, but i can't switch to another console, just can use ttyC0, i tried different methods but without results.
>
> macppc uses vgafb(4) and does not support multiple consoles.

Therefore most people use screen in the console. Sample screen-session for beginners:

$ screen
c-a c          (that's control-a and then press c)
$ echo hello world
c-a c-a
$ echo first window
c-a c-a
c-d
c-d

# Han
Re: ibook+openbsd3.8
On Thu, 3 Nov 2005 07:47:14 +0100 (CET) Otto Moerbeek [EMAIL PROTECTED] wrote:

> On Thu, 3 Nov 2005, Eder M. G. A. wrote:
> > Good day. I have installed OpenBSD 3.8 on my ibook G4, all fine, but i can't switch to another console, just can use ttyC0, i tried different methods but without results.
>
> macppc uses vgafb(4) and does not support multiple consoles.
>
> -Otto

Maybe you can use screen(1)?

Cheers,
Jasper

-- 
Security is decided by quality -- Theo de Raadt