Re: acpi
Alright we have enough dumps for now so please stop eating all my bandwidth :-)

On Tue, Nov 08, 2005 at 10:54:47PM -0600, Marco Peereboom wrote:
> Jordan Hargrave (your friendly IPMI developer) has been plugging away at ACPI. He has written an ASL parser and an AML interpreter. Jordan also wrote a userland tool that dumps the ACPI tables and all kinds of other things. We can then replay these dumps to test the ASL parser and AML interpreter.
>
> In order to be able to test the AML interpreter we need as many ACPI dumps as possible. This is where *you* come in...
>
> You can find the binary and source at: http://www.peereboom.us/acpi.tgz
>
> I added the source code + silly makefile so that you can roll your own acpiscan. Simply delete the binary I provided (compiled on 3.8-current) and run make.
>
> As root run the following command:
>
>     ./acpiscan -save descriptive_name_of_box
>
> example:
>
>     ./acpiscan -save dell_pe1850
>
> This will generate 3 files:
>
>     dell_pe1850.DSDT
>     dell_pe1850.FACP
>     dell_pe1850.RSDT
>
> Yes, acpiscan WILL core dump at the end. It's supposed to!
>
> Tar and compress these files and send them to jordan@ and [EMAIL PROTECTED]
>
> Thanks,
> /marco
Re: su on 3.8 soekris
command groups does not exist on the soekris-box. but id.

this is the output after reboot.

---snip---
$ id admin
uid=1000(admin) gid=10(users) groups=10(users), 0(wheel)
$ su
Password:
Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
Sorry
Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
$
---snip---

-Andreas

On Wed, 2005-11-09 at 09:06 -0700, Bob Beck wrote:
> > /etc/group
> > ---snip---
> > wheel:*:0:root,admin
> > ---snip---
> >
> > when i type in su as admin i get an error in authlog
> > ---snip---
> > Nov 9 13:37:39 sample su: BAD SU admin to root
> > ---snip---
> >
> > The password is 100% correct!
>
> I think you're missing something here. after making /etc/group have those entries in it, did you log out of admin and log back in? i.e. show us the shell output of something like this, as user admin:
>
> $ groups
> beck wheel
> $ su
> Password:
> #
>
> The groups command tells you what groups the session knows you belong to, not the contents of the /etc/group file, which says what will happen the next session you start.
>
> -Bob

--
Best regards
Andreas Mürdter

DO NOT GIVE OUR ADDRESS TO THIRD PARTIES, WE HATE JUNK-MAIL
___
TBits.net GmbH    | Phone: +49 (0)7172 18391-0
Andreas Mürdter   | Fax:   +49 (0)7172 18391-99
Seeweg 6          | Service: +49 (0)700 TBITSNET
D-73553 Alfdorf   | http://www.tbits.net | eMail: [EMAIL PROTECTED]
Re: ath0: bogus xmit rate 0x0
On Wed, 09 Nov 2005 20:17:14 +0100 Alexandre [EMAIL PROTECTED] wrote:
> > Hi all,
> > [...]
> > uname -a gives
> > OpenBOpenBSD hades.olympe.div 3.8 GENERIC#4 i386
>
> Are you sure your uname -a output is correct?

Well, hum, I had a typo. I meant that I am under 3.8-current.

Thanks.
Re: Anyone tried a sun fire X2100 server yet?
On Wed, 09 Nov 2005 22:28:26 -0500 JD Harrington [EMAIL PROTECTED] wrote:
> Mike wrote:
> > I don't know how similar the Ultra20 and X2100 are, but here's dmesg output from an Ultra20:
>
> This is completely off-topic, but how do you like the Ultra 20 overall? I need a new workstation for home, and I'm trying to decide between doing the Ultra 20 @ $360/year or building an Athlon64 X2. I'm leaning towards the latter because I know I'll be doing some upgrades right off the bat should I go with an Ultra 20, and I'll end up with significantly more machine, but there's just something about having a Sun logo that makes the decision a touch more difficult :) Anyway, I'd be interested to hear your thoughts.
>
> -JD

hi,

tho i really can't understand Sun using the 'Ultra' badge for a peeceeish thing, IMHO the Ultra 20 is a really good machine. first of all: you have ECC memory :) (when you choose the smallest config, AFAIR it comes with 2x 256MByte non-ECC, but it's surely exchangeable very easily). furthermore you can upgrade it to a dual core Opteron. Sun has an image to defend and they will by not selling crap but good and reliable machines.

(IMHO it's really the worst way to 'build' 'computers' -- building peecees up from single parts whose quality is always degraded by capitalistic production issues; every single manufacturer you buy a product from wants maximum profit on it. of course, IBM, Sun etc. also have to follow those rules, but surely they got a different approach so quality does not get harmed that much.)

timo
Re: su on 3.8 soekris
Andreas Mürdter wrote:
> command groups does not exist on the soekris-box. but id.
>
> this is the output after reboot.
>
> ---snip---
> $ id admin
> uid=1000(admin) gid=10(users) groups=10(users), 0(wheel)
> $ su
> Password:
> Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
> Sorry
> Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
> $
> ---snip---
>
> -Andreas

Which password do you use? The password of admin or the password of root? Using su you need the password of root. Using sudo su (if you use sudo) you need the password of admin.

guido
Re: Bug bounty for pciide/atapiscsi
--On 10 November 2005 14:29 +1300, Stephen Nelson wrote:
> I tried your suggestion and got the same result as SamuraiChef, which is what I would expect - I want to use pciide, not disable it. If pciide is disabled then surely I can't read from the cdrom.

pciide(4) isn't the only driver that talks to IDE controllers. If you disable it, the system should use wdc(4) instead.
Re: ath0: bogus xmit rate 0x0
Alexandre wrote:
> Hi all,
>
> I have an atheros based card on my OpenBSD 3.8. When I activate it, I have this error message
>
>     ath0: bogus xmit rate 0x0
>
> coming regularly when I try and ping another machine. Here is an extract of my dmesg:
>
>     ath0 at pci0 dev 9 function 0 Atheros AR5212 rev 0x01: irq 9
>     ath0: AR5213 5.6 phy 4.1 rf5111 1.7 rf2111 2.3, FCC2A*, address 00:09:5b:e8:5f:e9
>
> My hostname.ath0 is:
>
>     inet 192.168.1.1 255.255.255.0 NONE media DS11 chan 8 nwid SPEENICS mediaopt hostap
>
> The laptop on which I have a wifi card (Netgear WG511) runs either Linux or Windows XP. I just put the address 192.168.1.2 and I tried a ping from both sides, but there is no answer. No wep or PF is used while testing.
>
> uname -a gives
>
>     OpenBOpenBSD hades.olympe.div 3.8 GENERIC#4 i386
>
> Thanks.

Hi,

There have been changes to ath in -current see:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=112867773214527&w=2

HTH

Fred
Re: Mplayer DVD problem
On Wed, Nov 09, 2005 at 07:44:29PM -0500, Roy Morris wrote:
> libdvdread: Could not open /dev/rcd0c with libdvd.
> libdvdread: Can't open /dev/rcd0c for reading
> ERROR[ogle_nav]: faild to open/read the DVD
> callbacks.on_opendvd_activate(): DVDSetDVDRoot: Root not set
>
> What am I supposed to enter here?
>
> Enter challenge, e.g. the name of your OS:
>
> Is this some game? ;-)
>
> Aww, according to the ogle site, if you want to use encrypted dvds you need to install libdvdcss.
>
> Ummm is it just me or does that error say it can't read /dev/rcd0c ?? permissions right?

no, the wrong answer was provided (ie. name of your OS). If I find some more time, we'll get rid of this limitation.

Q: Why should one use libdvd instead of libdvdcss at all?
A: man 3 acss
Re: Anyone tried a sun fire X2100 server yet?
We ordered this very box for undeadly. It also took a while to arrive, but here's a preliminary dmesg (thanks to Kurt Seifried), further tests to follow (on-board RAID probably not working except for JBOD, second NIC not seen yet).

Daniel

OpenBSD 3.8-current (GENERIC) #319: Tue Nov 1 13:55:52 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 535265280 (522720K)
avail mem = 447524864 (437036K)
using 13119 buffers containing 53735424 bytes (52476K) of memory
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Opteron(tm) Processor 146, 2010.54 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
Nvidia nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 Nvidia nForce4 ISA rev 0xa3
Nvidia nForce4 SMBus rev 0xa2 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 Nvidia nForce4 USB rev 0xa2: irq 10, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 8 ports with 8 removable, self powered
ehci0 at pci0 dev 2 function 1 Nvidia nForce4 USB rev 0xa3: irq 11
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: Nvidia EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 8 ports with 8 removable, self powered
pciide0 at pci0 dev 6 function 0 Nvidia nForce4 IDE rev 0xf2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, DVD-ROM SR-8178, PZ16 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 7 function 0 Nvidia nForce4 SATA 1 rev 0xf3: DMA
pciide1: using irq 11 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD800JD-00LSA0
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: WDC WD800JD-75JNC0
wd1: 16-sector PIO, LBA, 76293MB, 15625 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide2 at pci0 dev 8 function 0 Nvidia nForce4 SATA 2 rev 0xf3: DMA
pciide2: using irq 10 for native-PCI interrupt
ppb0 at pci0 dev 9 function 0 Nvidia nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Nvidia CK804 LAN rev 0xa3 at pci0 dev 10 function 0 not configured
ppb1 at pci0 dev 11 function 0 Nvidia nForce4 PCIE rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 12 function 0 Nvidia nForce4 PCIE rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 13 function 0 Nvidia nForce4 PCIE rev 0xa3
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): irq 5, address 00:e0:81:58:38:86
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 14 function 0 Nvidia nForce4 PCIE rev 0xa3
pci5 at ppb4 bus 5
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
sysbeep0 at pcppi0
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 1 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 2, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
dkcsum: wd0 matches BIOS drive 0x80
wd1: no disk label
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302
Re: su on 3.8 soekris
I use the root password. This password is correct. I think I am missing some file or lib.

output groups:
---snip---
# groups admin
users wheel
---snip---

Andreas

On Thu, 2005-11-10 at 10:04 +0100, Guido Tschakert wrote:
> Andreas Mürdter wrote:
> > command groups does not exist on the soekris-box. but id.
> >
> > this is the output after reboot.
> >
> > ---snip---
> > $ id admin
> > uid=1000(admin) gid=10(users) groups=10(users), 0(wheel)
> > $ su
> > Password:
> > Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
> > Sorry
> > Nov 9 16:23:26 sample su: BAD SU admin to root on /dev/tty00
> > $
> > ---snip---
> >
> > -Andreas
>
> Which password do you use? The password of admin or the password of root? Using su you need the password of root. Using sudo su (if you use sudo) you need the password of admin.
>
> guido
Strange behavior with carp and preemption
Dear list,

I set up two OpenBSD 3.7 -stable firewalls using carp. Everything works except preemption. When only one interface on the master side fails (pull the cable) the corresponding carp0 interface on the backup side becomes master. But not carp1. I waited some minutes, but carp1 keeps being backup until I do a simple ifconfig(8) on the master side. Then it changes immediately. I can reproduce it, waiting some minutes, or only a few seconds. Once I do an ifconfig on the master side, the backup side becomes master on all carps. Strange...?

My config:

MASTER side:

# cat /etc/hostname.bge0
inet 10.25.0.2 255.255.255.240
# cat /etc/hostname.carp0
inet 10.25.0.1 255.255.255.240 10.25.0.15 vhid 1 pass foo carpdev bge0
# cat /etc/hostname.bge1
inet 10.25.0.18 255.255.255.240
# cat /etc/hostname.carp1
inet 10.25.0.17 255.255.255.240 10.25.0.31 vhid 2 pass foo carpdev bge1
# cat /etc/hostname.pfsync0
up syncif bge0

BACKUP side:

# cat /etc/hostname.bge0
inet 10.25.0.3 255.255.255.240
# cat /etc/hostname.carp0
inet 10.25.0.1 255.255.255.240 10.25.0.15 vhid 1 advskew 100 pass foo carpdev bge0
# cat /etc/hostname.bge1
inet 10.25.0.18 255.255.255.240
# cat /etc/hostname.carp1
inet 10.25.0.17 255.255.255.240 10.25.0.31 vhid 2 advskew 100 pass foo carpdev bge1

Preemption is enabled on both machines using

sysctl -w net.inet.carp.preempt=1

and in /etc/sysctl.conf.

Can anybody reproduce it, and has a solution for this problem? Any help would be very nice! :-)

Thanks
Ralf
Re: ISAKMPD errors n. 8 and n. 118
On Thu, Nov 10, 2005 at 11:30:58AM +0100, [EMAIL PROTECTED] wrote:
> -bash-3.00# ipsecadm show
> sadb_dump: satype esp vers 2 len 38 seq 0 pid 0 errno 8: Exec format error
> sa: spi 0x1c5551f1 auth hmac-sha1 enc aes

that's a bug in ipsecadm show.
Re: ISAKMPD errors n. 8 and n. 118
Hello! Thanks for your reply, first of all.

> Hi, the errno shown by ipsecadm can be ignored, nothing to worry about (and this was fixed post 3.7-stable). Besides this message the vpn is working as expected?

Yes, as I said the VPN appears to be working just fine. So, *both* errors can be ignored, right (errno 8 and 118)? Have you got any link to this kind of documentation, by the way?

Thanks again!
--Rob
Re: ISAKMPD errors n. 8 and n. 118
man 3 errno

On Thu, Nov 10, 2005 at 01:53:27PM +0100, [EMAIL PROTECTED] wrote:
> Hello! Thanks for your reply, first of all.
>
> > Hi, the errno shown by ipsecadm can be ignored, nothing to worry about (and this was fixed post 3.7-stable). Besides this message the vpn is working as expected?
>
> Yes, as I said the VPN appears to be working just fine. So, *both* errors can be ignored, right (errno 8 and 118)? Have you got any link to this kind of documentation, by the way?
>
> Thanks again!
> --Rob
Re: OpenBSD Desktop Document
I think you're doing a great job. It's a good start. Here's my 2 cents on what I would suggest doing.

1. Add page numbering (i.e. 1 of 2)
2. Add author/contact info.
3. Add version of document and revision # or date.

Also I noticed you updated the document since the first post. This is great, however it looks like the PDF version is completely shot. Why do I say this? Because there is no visual structuring of the document like you had before. I understand having the other formats but what the heck is the point of having a PDF if one doesn't have those advantages?

It's my 2 cents, do what you want with it because it's your document, no one else's.

Best,
Adam
Re: acpi
On Wednesday 09 November 2005 10:52 pm, Jordan Hargrave wrote:
> Thanks for all the ACPI dumps everyone! I think I have enough of a sample set now, no more, please! :)
>
> Hmm.. the acpiscan should not be core dumping; there may be an invalid address in the ACPI table?
>
> --jordan hargrave

It did not core dump on me.
Re: OpenBSD Desktop Document
Great document! Are there any suggested partition sizes for the desktop environment?

I'll try this out on a dell laptop once it's finished with some work it's doing.

roland
Re: Telnet daemon retired in 3.8 ?
> It is not the question of sshd works or, not! In large environments, where you have a large number of legacy hardware (like Apollo 700, HP 3000, HP 7000, Solaris 2.5.1 etc., etc.), and the purpose of a UNIX box is other than to run a firewall, a webserver, mail-server, or MySQL, plus you have thousand + users, and clients (internal/external on different client platforms), yes it is bad not to have telnetd running.
>
> Matthew is quite right, telnet is alive and will be for a very long time. It was a bad choice to be removed from the source tree. You reduce your options.
>
> Above, I am not arguing pro/contra telnetd, or sshd!

What you are really telling us is that you are working in an Australian city's government running insecure protocols on your local network. That is your choice. But we won't help you build broken networks.
Re: ALTQ-Bandwidth management is not working as expected
Hi everyone,

Closing:

Problem: Bandwidth management is not working as expected; instead of streaming data inbound with 237 Kb/sec without bandwidth management, it drops to 29 Kb/sec (tendency falling) with enabled bandwidth management.

Fault: It's a shame, but Kb means Kilobit and not Kilobyte. I was so focused on the handling of the different schedulers, I didn't get this simple mistake. Sorry!

Solution: Take your original values from your ADSL provider, e.g. DSL 2000 with 2048 Kb (= means Kilobits) downstream and 192 Kb (= again Kilobits) upstream.

Thanks for your assistance,
Benjamin
Re: OpenBSD Desktop Document
On 11/9/05, Roy Morris [EMAIL PROTECTED] wrote:
> Roy Morris wrote:
> > I have been working on a document for newbies that helps them put together a basic/functional desktop under OpenBSD. If anyone has time, I'd like feedback.
> >
> > http://www.openalternatives.com/OpenBSD/OpenBSD-Desktop.pdf
> >
> > Thanks
> > Roy
>
> Thanks to all those that replied. I have made the changes suggested and placed the document as {ps,pdf,txt} at
>
> http://www.openalternatives.com/OpenBSD/OpenBSD-Desktop.txt
> http://www.openalternatives.com/OpenBSD/OpenBSD-Desktop.ps
> http://www.openalternatives.com/OpenBSD/OpenBSD-Desktop.pdf
>
> Cheers,
> Roy

Great work, though you may want to have a peek at rotating your pdf, it's in landscape format.

// Johan
Re: Telnet daemon retired in 3.8 ?
Theo de Raadt wrote:
> > It is not the question of sshd works or, not! In large environments, where you have a large number of legacy hardware

Well, if you have lots of legacy hardware, maybe you could just run some well patched legacy openbsd 3.7 that still has what you need.

Brandon

> What you are really telling us is that you are working in an Australian city's government running insecure protocols on your local network. That is your choice. But we won't help you build broken networks.
Cannot boot version 3.8 on HP pavilion 422
I tried to boot the new 3.8 version on a (rather old) PC, a HP pavilion 422.fr. I tried both to boot from cdrom38.fs and floppy38.fs and the result is the same:

OpenBSD i386 BOOT 2.10
boot
booting fd0a:/bsd: 3263620
Entry point at 0x100120

Lots of blue-background infos. CD-Rom, DVD-Rom, nvidia cards OK ... Keyboard OK (a logitech wireless). After a while ...

fdc0 at ISA port 0x3f0/6 Irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
...

And then nothing... I waited for some time but the PC is frozen, and the only thing to do is to unplug it.

Note that the hardware works well: on the 80Go HD, I have an old Win98SE (10Go) and FreeBSD 5.4 (10Go) and I can boot both (my intent was to dedicate that PC to OpenBSD).

Sorry not to give the whole log of messages, but I cannot copy them except by writing them fast on paper. I could get some specific part if required though.

Any ideas? (Sorry if I did something obvious wrong :-)

--
Lionel Vidal
borrowing in 3.8
Hi All,

It's been a long time since I've been trying to do borrowing with pf and altq from OpenBSD and it seems that it's not working for me. Here is what I do:

altq on pcn0 cbq bandwidth 10Mb queue { std, ftp }
queue std bandwidth 1024Kb cbq(default)
queue ftp bandwidth 1Mb cbq { low, big }
queue big bandwidth 80% priority 3 cbq(borrow)
queue low bandwidth 64Kb priority 1 cbq(borrow)

pass in quick on lo0
pass out quick on lo0
pass in quick on pcn0 inet proto tcp from any to pcn0 port 80 keep state queue low
pass in quick on pcn0 inet proto tcp from any to pcn0 port 22 keep state queue big

I run an apache and I'm sharing a 20MB file. When I download from the OpenBSD box I'm getting something like 8.31KB/Sec. If I take a look in the pfctl -vv -sq I get something like:

queue big bandwidth 800Kb priority 3 cbq( borrow )
  [ pkts:573 bytes: 87942 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 4.2 packets/s, 5.19Kb/s ]
queue low bandwidth 64Kb cbq( borrow )
  [ pkts:778 bytes:1104998 dropped pkts: 0 bytes: 0 ]
  [ qlength: 11/ 50 borrows:556 suspends:132 ]
  [ measured: 6.0 packets/s, 67.82Kb/s ]

It seems that it's borrowing but not everything! Do you have any idea why? Do you have a working example?

Thank you in advance.
Alex
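Both the Kb/KB mix-up Benjamin closes out above and the cbq tree in Alex's post come down to how pf turns queue bandwidth specs into bits per second, so here is an added Python example (not code from either post or from pfctl) that parses queue lines like Alex's, resolves percentages against the parent queue the way pfctl does (80% of 1Mb giving the 800Kb his pfctl output shows), flags a child wider than its parent, and converts kilobits to the KB/s a download meter reports. The decimal Kb/Mb multipliers follow pf.conf(5); the check that children together stay within their parent is an extra sanity check of mine, not something the posts mention.

```python
"""Resolve pf ALTQ cbq queue bandwidths and sanity-check the queue tree.

Added example; not code from the posts or from pfctl. The queue lines
are copied from Alex's post, the conversions use his and Benjamin's numbers.
"""
import re

# pf.conf(5) bandwidth units: bits per second with decimal (1000-based) prefixes.
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
BANDWIDTH_RE = re.compile(r"^(\d+(?:\.\d+)?)(b|Kb|Mb|Gb|%)$")

# Matches 'altq on IFACE ... bandwidth X queue { a, b }' (the tree root) and
# 'queue NAME bandwidth X ... { a, b }'; the child list in braces is optional.
QUEUE_RE = re.compile(
    r"^(?:altq on (?P<iface>\S+)|queue (?P<name>\S+))\s+.*?bandwidth (?P<bw>\S+)"
    r"(?:.*?\{(?P<children>[^}]*)\})?"
)

# Alex's cbq tree, copied from the post above.
ALEX_RULES = [
    "altq on pcn0 cbq bandwidth 10Mb queue { std, ftp }",
    "queue std bandwidth 1024Kb cbq(default)",
    "queue ftp bandwidth 1Mb cbq { low, big }",
    "queue big bandwidth 80% priority 3 cbq(borrow)",
    "queue low bandwidth 64Kb priority 1 cbq(borrow)",
]


def parse_bandwidth(spec, parent_bps=None):
    """Turn '1024Kb', '1Mb' or '80%' into bits per second.

    A percentage is relative to the parent queue: 'queue big bandwidth 80%'
    under the 1Mb ftp queue is the 800Kb that Alex's pfctl -vv -sq printed.
    """
    m = BANDWIDTH_RE.match(spec)
    if not m:
        raise ValueError("bad bandwidth spec: %r" % spec)
    value, unit = float(m.group(1)), m.group(2)
    if unit == "%":
        if parent_bps is None:
            raise ValueError("percentage without a parent queue: %r" % spec)
        return int(parent_bps * value / 100)
    return int(value * UNITS[unit])


def bits_to_kbytes_per_sec(bps):
    """Kb is kilobit, KB is kilobyte; a download meter shows bps / 8 / 1000.
    Benjamin's 237 Kb/s queue is about 29.6 KB/s, the rate he then observed."""
    return bps / 8 / 1000


def kbytes_to_bits_per_sec(kbytes_per_sec):
    """Inverse conversion: Alex's 8.31 KB/s download is about 66.5 Kb/s."""
    return kbytes_per_sec * 8 * 1000


def parse_queues(lines):
    """Return (root_name, {name: {"bw": spec, "children": [names]}})."""
    queues, root = {}, None
    for line in lines:
        m = QUEUE_RE.match(line.strip())
        if not m:
            continue  # not an altq/queue definition (pass rules etc.)
        name = m.group("iface") or m.group("name")
        raw = m.group("children") or ""
        queues[name] = {
            "bw": m.group("bw"),
            "children": [c.strip() for c in raw.split(",") if c.strip()],
        }
        if m.group("iface"):
            root = name
    if root is None:
        raise ValueError("no 'altq on' line found")
    return root, queues


def resolve(root, queues):
    """Resolve every queue to bits per second and collect tree problems.

    pfctl refuses a child wider than its parent at load time; the check that
    children together stay within the parent, and the check for a child that
    is named but never defined, are extra ones added here.
    """
    resolved, problems = {}, []

    def walk(name, parent_bps):
        bps = parse_bandwidth(queues[name]["bw"], parent_bps)
        resolved[name] = bps
        if parent_bps is not None and bps > parent_bps:
            problems.append("%s: %d b/s exceeds parent %d b/s" % (name, bps, parent_bps))
        total = 0
        for child in queues[name]["children"]:
            if child not in queues:
                problems.append("%s: child queue %s is not defined" % (name, child))
                continue
            total += walk(child, bps)
        if total > bps:
            problems.append("%s: children sum to %d b/s, above its %d b/s" % (name, total, bps))
        return bps

    walk(root, None)
    return resolved, problems
```

Running `resolve(*parse_queues(ALEX_RULES))` resolves his five queues without complaint, so the shape of the tree itself is not what limits his download.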
Re: acpi
On Thu, Nov 10, 2005 at 08:24:35AM -0600, Justin Krejci wrote:
> It did not core dump on me.

Same here.
Re: OpenBSD Desktop Document
Johan P. Lindström wrote:
> Great work, though you may want to have a peek at rotating your pdf, it's in landscape format.
>
> // Johan

Hmmm, It opened and printed in portrait for me.

d
Re: Cannot boot version 3.8 on HP pavilion 422
Try:

boot -c
disable fdc

Lionel Vidal wrote:
> I tried to boot the new 3.8 version on a (rather old) PC, a HP pavilion 422.fr. I tried both to boot from cdrom38.fs and floppy38.fs and the result is the same:
>
> OpenBSD i386 BOOT 2.10
> boot
> booting fd0a:/bsd: 3263620
> Entry point at 0x100120
>
> Lots of blue-background infos. CD-Rom, DVD-Rom, nvidia cards OK ... Keyboard OK (a logitech wireless). After a while ...
>
> fdc0 at ISA port 0x3f0/6 Irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> ...
>
> And then nothing... I waited for some time but the PC is frozen, and the only thing to do is to unplug it.
>
> Note that the hardware works well: on the 80Go HD, I have an old Win98SE (10Go) and FreeBSD 5.4 (10Go) and I can boot both (my intent was to dedicate that PC to OpenBSD).
>
> Sorry not to give the whole log of messages, but I cannot copy them except by writing them fast on paper. I could get some specific part if required though.
>
> Any ideas? (Sorry if I did something obvious wrong :-)
Re: Cannot boot version 3.8 on HP pavilion 422
On 11/10/05, Lionel Vidal [EMAIL PROTECTED] wrote:
> Sorry not to give the whole log of messages, but I cannot copy them except by writing them fast on paper. I could get some specific part if required though.

Try attaching a serial console. See the FAQ [1] for more details. You will want to add a dmesg output to your report; it will make it easier for others to help you.

> Any ideas? (Sorry if I did something obvious wrong :-)

Try booting the kernel with verbose output to see which device (if any) gets in the way. You can then try disabling that particular device. I remember having similar symptoms, albeit on a different system than yours. Disabling ahc(4) did the trick for my particular case, although I don't know why it got in the way.

Cheers,
Rogier

--
If you don't know where you're going, any road will get you there.
isakmpd: rsa_sig_decode_hash: RSA_public_decrypt () failed
Hi all,

We have a VPN Gateway to allow road warriors to securely access our network from anywhere (home, wlan). It runs OpenBSD 3.7 and the clients are WinXPSP2 machines using the built-in IPSec. Authentication is done with X.509 certificates which are distributed as PKCS#12 files. This has been running fine for over a year now.

Some days ago I had to reinstall a client because of a disk problem, and I cannot get IPSec to work anymore. isakmpd keeps reporting:

rsa_sig_decode_hash: RSA_public_decrypt () failed
dropped message from 134.102.176.91 port 500 due to notification type INVALID_ID_INFORMATION

The other clients are still working fine. I have been double checking the config files (which I did not change) and created new certificates more than once, but cannot find anything.

My question: What requirements must be met so that the certificate can be decrypted? Which public key is used? Is it sent along with the certificate?

I can post my config and logfiles if required.

Thanks for your help,
Heinrich

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :             -3341
Re: su on 3.8 soekris
On Thu, 2005-11-10 at 14:19 +0100, Joachim Schipper wrote:
> > > Is /dev/tty00 marked as 'secure' in /dev/ttys?
> >
> > ttys
> > ---snip---
> > tty00 /usr/libexec/getty std.19200 vt100 on secure
> > ---snip---
> >
> > Password is 100% correct!!
> >
> > Andreas
>
> Are you really, really sure you use the correct password? Can you login as root using this password? From the same keyboard, etc? If you type the password where you can see it (make sure it doesn't get stored anywhere!), does it match what you want to type?
>
> Failing that, you can always try debugging with ktrace(1)...
>
> Joachim

--
Best regards
Andreas Mürdter
Re: Instructions for tracking -CURRENT
On Nov 9, 2005, at 10:30 PM, Han Boetes wrote:
> Alari Kask wrote:
> > Hello everybody, i put together some instructions for tracking -CURRENT, it's just for getting things done faster, than reading the cvs instructions on the homepage of openbsd.
>
> I bet you can't make it faster than this. ;-)
>
> http://www.xs4all.nl/~hanb/software/OpenBSD-binary-upgrade/
>
> # Han

http://php.khk.tartu.ee/~alari/?p=11
Re: Anyone tried a sun fire X2100 server yet?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Hartmeier
Sent: Thursday, November 10, 2005 4:55 AM
To: Daniel Ouellet
Cc: misc@openbsd.org
Subject: Re: Anyone tried a sun fire X2100 server yet?

> We ordered this very box for undeadly. It also took a while to arrive, but here's a preliminary dmesg (thanks to Kurt Seifried), further tests to follow (on-board RAID probably not working except for JBOD, second NIC not seen yet).
>
> Daniel
>
> OpenBSD 3.8-current (GENERIC) #319: Tue Nov 1 13:55:52 MST 2005
>     [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC

For the less daring of us, is anyone testing it with the 3.8 release? I'd love to know if it works ok without tracking current.
Re: Anyone tried a sun fire X2100 server yet?
On 2005-11-09 22:24:41 -0500, Mike wrote:
> cpu0: AMD Opteron(tm) Processor 148, 1005.28 MHz

1Ghz? So slow? :-)

Best
Martin

--
http://www.tm.oneiros.de
Re: ports out-of-date question
In message [EMAIL PROTECTED] Denny White [EMAIL PROTECTED] wrote:

[More ports@ than [EMAIL PROTECTED]]

> Just trying to find out if the output from running ./out-of-date for installed packages is because I've cvsup'd current and rebuilt everything numerous times which, I'm pretty sure I read, is unsupported.

You are recommended to use binary snapshots and packages where possible (particularly if you use CVSup which is a pain to build). See URL:http://www.openbsd.org/faq/faq5.html#WhySrc and URL:http://www.openbsd.org/faq/faq15.html

> Only fresh installs of current snapshot supported, I believe. Anyways, here's the output when I run ./out-of-date:
> --
> archivers/bzip2 # c.38.2 - c.38.3

Your installed packages were linked against 38.2 of libc while you now have 38.3. They were also linked against an older pthread (6.1) than the one you currently have (6.2). Your installed packages are out of sync with your userland.

If you use binary packages, this is still likely to happen as userland snapshots appear much more often than packages (since building a complete set of packages will take that much longer). However, if you have set up a suitable PKG_PATH, 'pkg_add -u' can help you keep up to date with your installed packages.

> [snip]
> devel/gettext # 0.10.40p3 - 0.14.5

Your installed gettext is out of date compared to the ports tree which will also show up in packages which depend on it. Similar for libtool, redhat-motif, gnupg.

> Not asking for any kind of fix or help on this, just to understand the why of it, like I stated above. Aware that what I did is unsupported. Finally getting insurance money back after hurricane Katrina first thing on agenda is to buy the new 3.8 cd's. :-) Previously, just experimenting trying to get to know the system. Have used mostly FreeBSD with portupgrade, portsnap, so forth. Thanks for any info.

Definitely buy the CDs but be aware that your -current system is ahead of 3.8 (as on the CDs). Downgrading without completely reinstalling from scratch is not supported (again see FAQ 5).

--
Andy Wingate URL:http://www.sparse.net OpenPGP key 0xC642BF8A
Tagline missing. Last seen in the vicinity of usenet.
Re: Cannot boot version 3.8 on HP pavilion 422
Rogier Krieger [EMAIL PROTECTED] writes:
> Try attaching a serial console. See the FAQ [1] for more details. You will want to add a dmesg output to your report; it will make it easier for others to help you.

Unfortunately, I have none. But I miss the keyboard feel of my old Digital VT220... well that is another story and now an old one :-)

> Try booting the kernel with verbose output to see which device (if any) gets in the way. You can then try disabling that particular device. I remember having similar symptoms, albeit on a different system than yours. Disabling ahc(4) did the trick for my particular case, although I don't know why it got in the way.

Thanks for the advice. I set the verbose option and found that indeed also in my configuration, the probe on ahc makes the PC freeze. After disabling it, it works fine. Now in the process of installing version 3.8!

Again, I thank you a lot! Sorry for the trouble: I should have thought to try it.

--
Lionel Vidal
Re: ports out-of-date question
Today Andy Wingate contributed the following:
> In message [EMAIL PROTECTED] Denny White [EMAIL PROTECTED] wrote:
>
> [More ports@ than [EMAIL PROTECTED]]
>
> > Just trying to find out if the output from running ./out-of-date for installed packages is because I've cvsup'd current and rebuilt everything numerous times which, I'm pretty sure I read, is unsupported.
>
> You are recommended to use binary snapshots and packages where possible (particularly if you use CVSup which is a pain to build). See URL:http://www.openbsd.org/faq/faq5.html#WhySrc and URL:http://www.openbsd.org/faq/faq15.html
>
> > Only fresh installs of current snapshot supported, I believe. Anyways, here's the output when I run ./out-of-date:
> > --
> > archivers/bzip2 # c.38.2 - c.38.3
>
> Your installed packages were linked against 38.2 of libc while you now have 38.3. They were also linked against an older pthread (6.1) than the one you currently have (6.2). Your installed packages are out of sync with your userland.
>
> If you use binary packages, this is still likely to happen as userland snapshots appear much more often than packages (since building a complete set of packages will take that much longer). However, if you have set up a suitable PKG_PATH, 'pkg_add -u' can help you keep up to date with your installed packages.
>
> > [snip]
> > devel/gettext # 0.10.40p3 - 0.14.5
>
> Your installed gettext is out of date compared to the ports tree which will also show up in packages which depend on it. Similar for libtool, redhat-motif, gnupg.
>
> > Not asking for any kind of fix or help on this, just to understand the why of it, like I stated above. Aware that what I did is unsupported. Finally getting insurance money back after hurricane Katrina first thing on agenda is to buy the new 3.8 cd's. :-) Previously, just experimenting trying to get to know the system. Have used mostly FreeBSD with portupgrade, portsnap, so forth. Thanks for any info.
>
> Definitely buy the CDs but be aware that your -current system is ahead of 3.8 (as on the CDs). Downgrading without completely reinstalling from scratch is not supported (again see FAQ 5).
>
> --
> Andy Wingate URL:http://www.sparse.net OpenPGP key 0xC642BF8A
> Tagline missing. Last seen in the vicinity of usenet.

Okay Andy, I appreciate the info. If you have time, can you answer one more question? Could I alleviate this discrepancy by pkg_delete all installed packages and also deleting all of /usr/ports/distfiles, and then reinstall packages? And yes, I plan on a fresh install when I get the cd's. All important stuff backed up on a regular basis. Thanks.

Denny White
GnuPG key : 0x1644E79A | http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67 EC25 CB44 F2E5 1644 E79A
pf - pass log all
Building a basic bridge for logging. Putting only pass log all in /etc/pf.conf seems to work, but is there a better way to do this? The log (all) option doesn't seem to apply to my situation, but I wanted to make sure.
pf weirdness with pfctl -f nonexistent.file
hi, i just observed a strange phenomenon, which, if it's intended behavior, i could not really find documented anywhere (or failed to understand the doc, if it is). in its simplest form, it is as follows.

given is a machine with a de0, part of a simple lan. the following configuration is loaded into pf:

--
set skip on de0
block log all
pass in on de0 from 192.168.1.10 to any keep state
--

i'm logged in from 192.168.1.12 via de0, make a fat-fingered typo of `pfctl -f all' (instead of -F all), poof, get thrown out (connection reset by peer). from 192.168.1.10, the box is accessible.

logged in from 1.10, looked around, generally everything looks ok, pfctl -sa shows the rules, shows pf enabled, whatnot, but it acts as if the `set skip on de0' part was somehow forgotten. i can not verify my suspicion as i couldn't find a way to get the current (as in `loaded into the kernel') `skip these interfaces' list (shouldn't that be included in -sr anyway?), but i couldn't find any other explanations.

reproducible on 3.8-stable i386 and -current (as of 2-3 days ago) alpha. what's that?

thanks, -- [-] mkdir /nonexistent
Re: radius on openbsd
man Chan wrote: Hello, I would like to know where I can get the authentication of users using LDAP via Radius, as it seems unavailable at the openbsd journal. Any pointers? Thanks.

Not sure about the ones in the ports tree, but freeradius works well http://www.freeradius.org/
OT: system administration utilities
Hey folks, i am writing some utilities and i am in need to test them. I am seeking sysadmins to test them in real-condition environments. I am running OBSD 3.7 (at home) but i don't have a production environment where i could test them. The test should let the tester know about: portability, performance and reliability, and of course, correctness.

I am seeking the following platforms (for 32 and/or 64 bit arch): OpenBSD, FreeBSD, NetBSD, Solaris, AIX, DU, Plan9, HP-UX, QNX, IRIX, Linux, SINIX

Below is a brief description:

acd: a 100% compatible replacement for DJB CDB.
srlmt: executes programs under system resource constraints.
rdtsc: echoes CPU time stamp counter on STDOUT (x86 only).
mac: evaluates message digest function.
algr: commits data to persistent storage media, replacement for DJB multilog.
rscdb: manages system resources in portable fashion across different unix flavors.
icldb: IP ACL control, replacement for DJB tcprules/tcprulescheck.

If you are interested, please drop me a note. Send it directly to [EMAIL PROTECTED] DON'T send it to misc@, please.

Obs: replacements for DJB tools were motivated by licensing. Mine are 100% BSD like.
Re: radius on openbsd
man Chan wrote: Hello, I would like to know where I can get the authentication of users using LDAP via Radius, as it seems unavailable at the openbsd journal. Any pointers? Thanks.

Not sure about the ones in the ports tree, but freeradius works well http://www.freeradius.org/

FreeRADIUS does not work well, at least not out-of-box. Search the archives for a port submission of freeradius not long ago.

Jonathan -- Jonathan Weiss http://blog.innerewut.de
Hardware RAID
Hi All,

We are in the process of setting up a production OBSD box to do some (a lot!) of routing and I want to make sure I get as much redundancy as possible. We have failover everything in the box, and we will use carp to setup multiple boxes. In each, I want to do hardware RAID. Initially I bought the 3ware SATA RAID card, but it's not supported. I then moved to an Adaptec 1210SA, which I now know only does software RAID. What are the options for hardware RAID for SATA drives on AMD64? Any advice would be greatly appreciated.

I will blog about my setup (replacing a Cisco 2610 with 2 x OBSD routers) to share some knowledge ;)

Cheers, Karl
Re: Hardware RAID
--On 11 November 2005 11:44 +1100, Karl Kopp wrote:

as possible. We have failover everything in the box, and we will use carp to setup multiple boxes. In each, I want to do hardware RAID. Initially I bought the 3ware SATA RAID card, but its not supported. I then moved to an Adaptec 1210SA, which I now know only does software RAID. What are the options for hardware RAID for SATA drives on AMD64? Any advice would be greatly appreciated.

For hardware RAID with a PCI controller, devices supported by ami(4) are your best bet: LSI/Symbios 523 SATA is listed - from an archived list post, these are 150-4 and 150-6. Some Dell CERC-SATA are supported too, but (again from list posts) others are Promise junk. http://www.mail-archive.com/misc@openbsd.org/msg09377.html says that 300-8X works too (but probably a bit overkill for your needs).

[ bit of a reliance on archived list posts here, but when I asked recently for anyone using any ami(4) not listed in the doco so I could prepare a diff, I had a total of one reply, so list archives is the best I can do.. I'll wait a couple more days before sending it in case seeing this encourages anyone else to mail me, though I highly doubt it ]

There are SATA-to-SATA mirroring controllers too, see faq (at least one of them had a box that fits anywhere in the chassis - arco, accusys, etc). Or assuming there's a socket, there's the cheap solid-state option of CF cards in a CF-IDE converter. Not RAID but it may do what you want.
Re: pf weirdness with pfctl -f nonexistent.file
I'm pretty sure your theory is correct. You can query the list of interfaces with pfctl -vsI, which prints '(skip)' on those that are currently being skipped. Reloading the ruleset does (and should) clear the 'set skip' set, as we agreed that there should be no (or as little as possible) state in the kernel that persists across ruleset reloads. Other options are similarly cleared on reload (and then re-instated, if you reload a ruleset similar to the old one). So loading an empty ruleset should clear all such options. Now, if the ruleset doesn't exist at all (I assume you didn't have a file called 'all' lying in the cwd when running pfctl -f all), I guess nothing should happen except for the error message. I'll check about that. Or what would you prefer instead? Daniel
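To turn Daniel's `pfctl -vsI` check into something routine, here is an added shell example (not from the thread and not part of pf) that compares the skip set written in pf.conf with the interfaces the kernel currently reports as "(skip)"; the `pfctl -vsI` layout in the sample output is an assumption, constructed for the example, and only the unindented interface lines matter to the parser.

```shell
#!/bin/sh
# Added example, not part of the thread: compare the interfaces a pf.conf
# "set skip on ..." line names with the ones the kernel currently reports as
# "(skip)" in `pfctl -vsI`, so a reload that cleared the skip set (what
# locked the poster out of de0) is noticed before it bites.
# The `pfctl -vsI` layout below is constructed; only the unindented
# interface-name lines matter to the parser.

# Constructed pf.conf fragment, modelled on the ruleset quoted in the thread.
SAMPLE_PF_CONF='set skip on de0
block log all
pass in on de0 from 192.168.1.10 to any keep state'

# Constructed `pfctl -vsI` output after the skip set was cleared: de0 is no
# longer followed by "(skip)".
SAMPLE_PFCTL_VSI='lo0
        Cleared:     Fri Nov 11 10:00:00 2005
        References:  [ States:  0 ] [ Rules: 0 ]
de0
        Cleared:     Fri Nov 11 10:00:00 2005
        References:  [ States:  3 ] [ Rules: 1 ]'

# Interfaces pf.conf asks to skip, one per line.  Handles both
# "set skip on de0" and "set skip on { de0 lo0 }".
configured_skip() {
    printf '%s\n' "$1" | sed -n 's/^set skip on[[:space:]]*//p' | tr -d '{}' \
        | awk '{ for (i = 1; i <= NF; i++) print $i }'
}

# Interfaces the kernel currently marks "(skip)": unindented lines of
# `pfctl -vsI` output whose name is followed by "(skip)".
kernel_skip() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([^[:space:]][^[:space:]]*\)[[:space:]]*(skip).*/\1/p'
}

# Report configured skip interfaces the kernel is not skipping.
# Returns 0 when the kernel matches pf.conf, 1 (plus a message) otherwise.
skip_drift() {
    _want=$(configured_skip "$1")
    _have=" $(kernel_skip "$2" | tr '\n' ' ') "
    _missing=""
    for _if in $_want; do
        case "$_have" in
            *" $_if "*) ;;
            *) _missing="$_missing$_if " ;;
        esac
    done
    [ -z "$_missing" ] && return 0
    printf 'skip dropped for: %s\n' "$_missing"
    return 1
}

# On a live box: skip_drift "$(cat /etc/pf.conf)" "$(pfctl -vsI)"
if skip_drift "$SAMPLE_PF_CONF" "$SAMPLE_PFCTL_VSI"; then
    echo "kernel skip set matches pf.conf"
fi
```

Run it after every `pfctl -f` from a session on an interface that must stay skipped, before closing the session.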
Re: pf weirdness with pfctl -f nonexistent.file
On Fri, 11 Nov 2005, Daniel Hartmeier wrote:

I'm pretty sure your theory is correct. You can query the list of interfaces with pfctl -vsI, which prints '(skip)' on those that are currently being skipped.

ah, yes, thank you. i did check, and yes, it's the skip flag that gets cleared.

Reloading the ruleset does (and should) clear the 'set skip' set, as we agreed that there should be no (or as little as possible) state in the kernel that persists across ruleset reloads. Other options are similarly cleared on reload (and then re-instated, if you reload a ruleset similar to the old one). So loading an empty ruleset should clear all such options. Now, if the ruleset doesn't exist at all (I assume you didn't have a file called 'all' lying in the cwd when running pfctl -f all), I guess nothing should happen except for the error message. I'll check about that. Or what would you prefer instead?

exactly that. unless there's some master idea i'm not aware of (or can't think of), that seems to be the most reasonable behavior, no?

-- [-] mkdir /nonexistent
Re: OpenBSD Desktop Document
Roy Morris wrote: Thanks to all those that replied. I have made the changes suggested and placed the document as {ps,pdf,txt} at www.openalternatives.com/OpenBSD/OpenBSD-Desktop.txt www.openalternatives.com/OpenBSD/OpenBSD-Desktop.ps www.openalternatives.com/OpenBSD/OpenBSD-Desktop.pdf

Great work! May I suggest shortening the tarball extraction command in the Installing Open Office 2.0 section...

From this:

A. gzip -d Ooo_2.0.0_LinuxIntel_install.tar.gz; \
   tar -xvf Ooo_2.0.0_LinuxIntel_install.tar

To this:

A. gzip -cd Ooo_2.0.0_LinuxIntel_install.tar.gz | tar xvf -

Less to type, less likely for a newbie user to make mistakes. And all instances of Open Office and OpenOffice should be OpenOffice.org if you want to keep things standardized.

Once again, great start! Lawrence
Re: Hardware RAID
Hi All, We are in the process of setting up a production OBSD box to do some (a lot!) of routing and I want to make sure I get as much redundancy as possible. We have failover everything in the box, and we will use carp to setup multiple boxes. In each, I want to do hardware RAID. Initially I bought the 3ware SATA RAID card, but its not supported. I then moved to an Adaptec 1210SA, which I now know only does software RAID. What are the options for hardware RAID for SATA drives on AMD64? Any advice would be greatly appreciated. I will blog about my setup (replacing a Cisco 2610 with 2 x OBSD routers) to share some knowledge ;)

Why bother with moving disks at all? Use CF in your routers mounted read-only.

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: Strange behavior with carp and preemption
I'd have preferred that a more experienced person answer this one, but they don't seem to have, so be forewarned: everything I say here might be wrong. However, through the glory of mail lists, if I say something wrong, fifty people will jump all over me, and Google will put it at the top of the list when people google for my name. :)

Ralf Hornik Mailings wrote:

Dear list, I set up two OpenBSD 3.7 -stable firewalls using carp. Everything works except preemption. When only one interface on the master side fails (pull the Cable) the regarding carp0 interface on the backup side becomes master. But not carp1.

Right. Nothing's wrong with the master carp1, why should it demote itself and have the backup take over?

I waited some minutes, but carp1 keeps being backup until I do a simple ifconfig(8) on the master side. Then it changes immediately.

yep. (though I'm not entirely sure I know what command you are typing by simple ifconfig(8).)

I can reproduce it, waiting some minutes, or only a few seconds. Once I do an ifconfig on the master side, the backup side becomes master on all carp's. Strange...?

not really, if you understand the modular approach here.

My config: ...

Can anybody reproduce it, and has a solution for this problem? Any help would be very nice! :-)

Look at the pieces here:
* CARP gives you redundancy on your INTERFACES...not your entire firewall.
* pfsync keeps your firewall state tables in sync, so either machine can take over.

If you lose a box completely, your system is fine. If you lose one cable or one NIC or so on, you have a problem. What you need is something that will watch all interfaces and shut down ALL (forcing a COMPLETE fail-over) if something goes wrong with any. That's a third part of the CARP toolset: ifstated(8) and ifstated(5). Yes, that's missing from the PF FAQ, though I just tossed a couple links in faq/pf/carp.html. More will get added when I get more knowledge of the topic (or Joel writes it :)

Nick.
Re: Instructions for tracking -CURRENT
Alari Kask wrote: ... [I *refuse* to post that link again] I was right, more damage than good. I *really* wish people would quit accomplishing one little thing, writing it up in HOWTO form, and patting themselves on the back and thinking they were doing the world some kind of favor by publishing it. YOU ARE NOT. I pity the fool who thinks that seeing something in print makes it somehow true. There are a lot of such fools, unfortunately. Oh, look, I found it on a web page, it must be true! In the free world, you have the right to speak and write as you wish, regardless of the accuracy, but I will warn people: THINK, DAMMIT. Just because someone put it on a web page with an OpenBSD graphic DOES NOT MAKE IT USEFUL or even close to accurate. With this document, you try to lead people on a long path that will only sometimes get them where they want to go, and yet, the direct route (snapshots) is simpler, safer and faster. The long route has twists and turns you do not warn people about. Nick.
Re: Hardware RAID
Hi Jason,

Like yr idea - LOTS :) We may still use a disk for some logs, but if that goes, no big deal! Any idea how to mount a CF as a boot device? Quick search on Google didn't bring much back of interest. Is there a faq / how-to? Also, what kinds of CF adapters work - anything I should be looking out for? I checked on the amd64 page on OpenBSD and it didn't specifically mention anything about CF devices. Any advice would be greatly appreciated :)

Cheers, Karl

On 11/11/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi All, We are in the process of setting up a production OBSD box to do some (a lot!) of routing and I want to make sure I get as much redundancy as possible. We have failover everything in the box, and we will use carp to setup multiple boxes. In each, I want to do hardware RAID. Initially I bought the 3ware SATA RAID card, but its not supported. I then moved to an Adaptec 1210SA, which I now know only does software RAID. What are the options for hardware RAID for SATA drives on AMD64? Any advice would be greatly appreciated. I will blog about my setup (replacing a Cisco 2610 with 2 x OBSD routers) to share some knowledge ;)

Why bother with moving disks at all? Use CF in your routers mounted read-only.

-- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: Strange behavior with carp and preemption
On Thu, Nov 10, 2005 at 09:31:15PM -0500, Nick Holland wrote:

I'd have preferred that a more experienced person answer this one, but they don't seem to have, so be forewarned: everything I say here might be wrong. However, through the glory of mail lists, if I say something wrong, fifty people will jump all over me, and Google will put it at the top of the list when people google for my name. :)

Consider it done!

I set up two OpenBSD 3.7 -stable firewalls using carp. Everything works except preemption. When only one interface on the master side fails (pull the Cable) the regarding carp0 interface on the backup side becomes master. But not carp1.

Right. Nothing's wrong with the master carp1, why should it demote itself and have the backup take over?

Because that is what preemption is supposed to do. When one interface on the carp master goes into BACKUP state (or is it any state that is not MASTER?), the others should become BACKUPs too. My experience is *sometimes* this is not instantaneous. At a minimum, the advskew should change and they should become BACKUPs in short order.

I waited some minutes, but carp1 keeps being backup until I do a simple ifconfig(8) on the master side. Then it changes immediately.

yep. (though I'm not entirely sure I know what command you are typing by simple ifconfig(8).)

I can reproduce it, waiting some minutes, or only a few seconds. Once I do an ifconfig on the master side, the backup side becomes master on all carp's. Strange...?

not really, if you understand the modular approach here.

My config: ...

Can anybody reproduce it, and has a solution for this problem? Any help would be very nice! :-)

Look at the pieces here:
* CARP gives you redundancy on your INTERFACES...not your entire firewall.
* pfsync keeps your firewall state tables in sync, so either machine can take over.

If you lose a box completely, your system is fine. If you lose one cable or one NIC or so on, you have a problem.

That is definitely not true.

Preemption is the answer here. If one carp interface fails, they all fail. Without preemption you either have a really good reason to be not using it or have a way to deal with such a situation. Imagine the typical situation: $wan_if, $lan_if, and $sync_if. Your run of the mill two legged failover setup. With preemption, if one or more of $wan_if/$lan_if fails, all other carp interfaces fail. Without preemption, if $wan_if fails, $lan_if is still the master and you've got a situation on your hands -- if all of $lan_if:network is using the current LAN master as their gateway, how is that host going to get out? Unless you play some tricks with ospf, bgpd or heck, even ifstated like I've done in the past, routing will fail. This is why preemption is a good choice in many cases.

What you need is something that will watch all interfaces and shut down ALL (forcing a COMPLETE fail-over) if something goes wrong with any. That's a third part of the CARP toolset: ifstated(8) and ifstated(5). Yes, that's missing from the PF FAQ, though I just tossed a couple links in faq/pf/carp.html. More will get added when I get more knowledge of the topic (or Joel writes it :)

Yes, you *can* do this with ifstated, but I'm not sure how recommended it is. I think the stock example that comes with ifstated is going down this path, but I'm not 100% sure.

My suggestion would be to see that the advskew changes on the other carp interfaces when carp0 becomes a backup. If they do, that means preemption is definitely turned on and should work.

-jon
Re: Strange behavior with carp and preemption
* Nick [EMAIL PROTECTED] [2005-11-11 03:34]:

not really, if you understand the modular approach here.

My config: ...

Can anybody reproduce it, and has a solution for this problem? Any help would be very nice! :-)

Look at the pieces here:
* CARP gives you redundancy on your INTERFACES...not your entire firewall.
* pfsync keeps your firewall state tables in sync, so either machine can take over.

If you lose a box completely, your system is fine. If you lose one cable or one NIC or so on, you have a problem. What you need is something that will watch all interfaces and shut down ALL (forcing a COMPLETE fail-over) if something goes wrong with any. That's a third part of the CARP toolset: ifstated(8) and ifstated(5).

nononononononononononono

carp does that itself if preempt is enabled, if one interface becomes backup the others go to advskew 240 (and thus to backup too if there is a sane master around)

-- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
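A check for Jon's suggestion above (watch whether advskew changes on the sibling carp interfaces) and for the behaviour Henning describes (preempt pushes them to advskew 240): an added shell example, not from the thread, that classifies a host's carp interfaces from `ifconfig` output. The exact `ifconfig` layout is assumed from OpenBSD of that era and the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read the carp lines of `ifconfig`
# output and report whether preemption demoted every carp interface together.
# With net.inet.carp.preempt=1, one interface going BACKUP should push the
# others to advskew 240 (and to BACKUP once a sane master is around); a host
# with a MASTER interface still at advskew 0 next to a BACKUP one is the
# partial failover the original poster saw.  The ifconfig layout is assumed.

# Constructed output for a box where carp0 lost its cable while carp1 stayed
# master at advskew 0 (preemption not taking effect).
SAMPLE_PARTIAL='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 0
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp1 vhid 2 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255'

# Same box with preemption working: carp1 was skewed to 240 and lost mastership.
SAMPLE_PREEMPTED='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp1 vhid 2 advbase 1 advskew 240'

# Print "name state advskew" for every carp interface in the output.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^carp[0-9]+:/ { name = $1; sub(":", "", name) }
        /^[ \t]+carp: / {
            state = $2; skew = ""
            for (i = 1; i <= NF; i++) if ($i == "advskew") skew = $(i + 1)
            print name, state, skew
        }'
}

# Classify the host from its carp interfaces:
#   master   - every carp interface is MASTER
#   backup   - every carp interface is BACKUP
#   demoting - mixed, but each remaining MASTER already carries advskew 240
#   partial  - mixed, and a MASTER kept advskew below 240 (what the OP saw)
#   none     - no carp interfaces found
carp_failover_status() {
    carp_states "$1" | awk '
        $2 == "MASTER" { masters++; if ($3 + 0 < 240) unskewed++ }
        $2 == "BACKUP" { backups++ }
        END {
            if (!masters && !backups) print "none"
            else if (masters && backups) print (unskewed ? "partial" : "demoting")
            else if (backups) print "backup"
            else print "master"
        }'
}

# On a live box: carp_failover_status "$(ifconfig carp)"
echo "partial sample:   $(carp_failover_status "$SAMPLE_PARTIAL")"
echo "preempted sample: $(carp_failover_status "$SAMPLE_PREEMPTED")"
```

A "partial" result after pulling a cable is the cue to check that preempt is actually enabled and that the NIC driver reported the link loss at all, the two things Nick asks about further down.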
Re: Strange behavior with carp and preemption
Jon Hart wrote:

On Thu, Nov 10, 2005 at 09:31:15PM -0500, Nick Holland wrote:

I'd have preferred that a more experienced person answer this one, but they don't seem to have, so be forewarned: everything I say here might be wrong. However, through the glory of mail lists, if I say something wrong, fifty people will jump all over me, and Google will put it at the top of the list when people google for my name. :)

Consider it done!

1 down, 49 left...Oh, there's Henning, 48 left... To the top of google we go! :)

I set up two OpenBSD 3.7 -stable firewalls using carp. Everything works except preemption. When only one interface on the master side fails (pull the Cable) the regarding carp0 interface on the backup side becomes master. But not carp1.

Right. Nothing's wrong with the master carp1, why should it demote itself and have the backup take over?

Because that is what preemption is supposed to do. When one interface on the carp master goes into BACKUP state (or is it any state that is not MASTER?), the others should become BACKUPs too. My experience is *sometimes* this is not instantaneous. At a minimum, the advskew should change and they should become BACKUPs in short order.

yes. I missed/forgot a major function of preemption, obviously.

...

Yes, you *can* do this with ifstated, but I'm not sure how recommended it is. I think the stock example that comes with ifstated is going down this path, but I'm not 100% sure. My suggestion would be to see that the advskew changes on the other carp interfaces when carp0 becomes a backup. If they do, that means preemption is definitely turned on and should work.

so, why didn't you answer the OP earlier? I left you guys 15 hours! :)

ok, a few other ideas... are all the interfaces really in the carp group? are the interfaces accurately and reliably detecting the cable-unplug? Might some NICs (or their drivers) have trouble detecting that the cable was suddenly unplugged, and thus, the change in advskew doesn't take place?

maybe I should shut up and go to bed before I make myself look even sillier? :)

Nick.