OpenBSD 3.8, fxp, device timeout
Hello,

I've a server at the German hoster Strato and I try to install OpenBSD 3.8 on this machine. But I always get a device timeout of the Intel NIC (because of a wrong irq assignment?) :(

Here is the dmesg output:

OpenBSD 3.8 (RAMDISK) #9: Tue Jan 17 18:24:51 CET 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
cpu0: Intel(R) Celeron(R) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 536387584 (523816K)
avail mem = 485179392 (473808K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
acpi0 at mainbus0: revision 0 attached
acpitimer at acpi0 not configured
acpi device at acpi0 from table DSDT not configured
acpi device at acpi0 from table FACP not configured
bios0 at mainbus0: AT/286+(c0) BIOS, date 05/27/03, BIOS32 rev. 0 @ 0xfb330
apm0 at bios0: Power Management spec V1.2
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845 Host" rev 0x04
ppb0 at pci0 dev 1 function 0 "Intel 82845 AGP" rev 0x04
pci1 at ppb0 bus 1
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x05
pci2 at ppb1 bus 2
fxp0 at pci2 dev 6 function 0 "Intel 82557" rev 0x08, i82559: irq 12, address 00:30:48:52:c9:fc
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 "Intel 82557" rev 0x08, i82559: irq 12, address 00:30:48:52:c9:fd
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
vga1 at pci2 dev 8 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x05: failed to map I/O space
pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x05: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 58644MB, 120103200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
"Intel 82801BA SMBus" rev 0x05 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ede5 netmask fde5 ttymask ffe7
rd0: fixed, 3800 blocks
dkcsum: wd0 matches BIOS drive 0x80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02

I've created my own bootfloppy because with the default OpenBSD 3.8 bootfloppy I get the same error. I've played (enabled/disabled) with the following kernel options without luck:

option PCIBIOS_INTR_FIXUP_FORCE
option PCI_INTR_FIXUP (as for the netbsd kernel)
option USER_PCICONF # user-space PCI configuration
option BOOT_CONFIG # boot-time kernel config
pcibios0 at bios0 flags 0x0008 (set to 0x0004, 0x0008, 0x0030)
acpi0 at mainbus?
#acpitimer* at acpi?
#hpet* at acpi?
option ACPIVERBOSE
option ACPI_ENABLE

Has anyone any idea how I can assign another irq than 12 to fxp? In my opinion this is the problem :(

Thanks and best regards,
Sven
rexx on openbsd
I have some rexx scripts that I would like to run on OpenBSD. Does anyone have any experience with running rexx on openbsd? I have tried brexx, regina, and oorexx so far. Regina and oorexx fail to compile, and brexx doesn't seem to be feature complete (it doesn't seem to be able to propagate variables between functions properly). I haven't been able to find anything about rexx in openbsd except a perl wrapper in an obscure OS/2 directory in the openbsd source. Thanks, Stephen
Re: Generating ICMP Redirects
...
> I know this is not the answer to your question and I'd like to hear how
> you wind up getting the OpenBSD box to send the redirects you are
> looking for, but relying on redirects to do your routing for anything
> length of time is asking for trouble IMHO. You might just be better
> off, temporarily, putting the PIX behind the OpenBSD box if possible or,
> if the servers are few, modifying their local route tables until the new
> VPN solution is in place.

We did in fact add static routes to the servers for now (yuck.)

I did some more testing on my home fw and it seems that carp interfaces don't like generating ICMP redirects (for me anyhow.)

Here is my test,

My WS (XP) - 192.168.83.51
My FW (OBSD 3.8) - 192.168.83.1
My server (OBSD 3.8) - 192.168.83.47

My WS normally has a default gw of the FW. My rules to/from the inside LAN to the FW are loose,

#
pass in quick on $int_if from any to any
pass out quick on $int_if from any to any
#

So I create a route:

[EMAIL PROTECTED] sudo route add -net 192.168.80 192.168.83.47
add net 192.168.80: gateway 192.168.83.47

And I pinged 192.168.80.2 from my WS, the FW did the "right thing"

[EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
tcpdump: listening on fxp1, link-type EN10MB
20:54:17.738121 0:11:43:39:e1:59 0:d0:b7:23:c0:e7 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738340 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738434 0:d0:b7:23:c0:e7 0:11:43:39:e1:59 0800 70: 192.168.83.1 > 192.168.83.51: icmp: redirect 192.168.80.1 to host 192.168.83.47

Next I created a carp interface on the inside and created a route on my workstation:

[EMAIL PROTECTED] sudo ifconfig carp1 create
[EMAIL PROTECTED] sudo ifconfig carp1 vhid 1 advskew 100 pass internal 192.168.83.2 netmask 255.255.255.0
[EMAIL PROTECTED] route add 192.168.80.0 mask 255.255.255.0 192.168.83.2

And tried the ping again,

[EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
21:04:52.711456 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:52.711577 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043062 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043217 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request

Odd, since PF allows traffic on fxp1, not carp1. So let's add carp1 to pf...

[EMAIL PROTECTED] sudo grep carp /etc/pf.conf
pass in quick on carp1 from any to any
pass out quick on carp1 from any to any

And once again the FW happily routes the packet instead of sending an ICMP redirect.

[EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
tcpdump: listening on fxp1, link-type EN10MB
21:21:21.026831 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:21:21.026954 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request

I disabled pf and have the same results. I've hit my knowledge limit so delving into the source would be fruitless and annoying to the rest of you.

Should I create a bug report?

-Steve S.

P.S. I'm not sure why the other box sent "host unreachables" and if I find out more I update the archive.
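An added example (not part of the original post): a small Python parser for the `tcpdump -ne` frames quoted in the message above that reports, for each echo request a client sends to the gateway, whether the gateway answered with an ICMP redirect or silently forwarded the packet back out the same interface. The frame lines are copied from the post; the function names, the `Verdict` fields and the one-second matching window are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# One frame as printed by `tcpdump -ne`: time, source MAC, destination MAC,
# ethertype, length, then the IP summary. Only ICMP lines are matched.
FRAME = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) "
    r"[0-9a-f]{4} \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<what>.+)"
)
REDIRECT = re.compile(r"redirect (?P<target>[\d.]+) to (?:host|net) (?P<gw>[\d.]+)")

# Frames copied from the post: plain interface address first, CARP address second.
PLAIN_CAPTURE = """\
tcpdump: listening on fxp1, link-type EN10MB
20:54:17.738121 0:11:43:39:e1:59 0:d0:b7:23:c0:e7 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738340 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738434 0:d0:b7:23:c0:e7 0:11:43:39:e1:59 0800 70: 192.168.83.1 > 192.168.83.51: icmp: redirect 192.168.80.1 to host 192.168.83.47
"""
CARP_CAPTURE = """\
21:04:52.711456 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:52.711577 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043062 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043217 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
"""
FW_MAC = "0:d0:b7:23:c0:e7"  # physical MAC of the firewall's fxp1, as seen in the post


class Frame(NamedTuple):
    ts: float
    smac: str
    dmac: str
    src: str
    dst: str
    what: str


class Verdict(NamedTuple):
    client: str
    dst: str
    sent_to_mac: str          # MAC the client addressed (physical or CARP virtual)
    outcome: str              # "redirected", "forwarded-no-redirect", "not-forwarded"
    gateway: Optional[str]    # next hop named in the redirect, if any


def parse(capture: str) -> list:
    """Turn tcpdump text into Frame tuples, skipping banner and non-ICMP lines."""
    frames = []
    for line in capture.splitlines():
        m = FRAME.search(line.strip())
        if m is None:
            continue
        hours, minutes, seconds = m["ts"].split(":")
        ts = int(hours) * 3600 + int(minutes) * 60 + float(seconds)  # ignores midnight wrap
        frames.append(Frame(ts, m["smac"], m["dmac"], m["src"], m["dst"], m["what"]))
    return frames


def classify(capture: str, fw_mac: str, window: float = 1.0) -> list:
    """For each echo request not sent by the firewall, report what the firewall did."""
    frames = parse(capture)
    verdicts = []
    for i, req in enumerate(frames):
        if req.what != "echo request" or req.smac == fw_mac:
            continue
        # Frames the firewall itself transmitted shortly after the request arrived.
        answers = [f for f in frames[i + 1:]
                   if f.smac == fw_mac and f.ts - req.ts <= window]
        forwarded = any(f.what == "echo request" and (f.src, f.dst) == (req.src, req.dst)
                        for f in answers)
        gateway = None
        for f in answers:
            r = REDIRECT.match(f.what)
            if r and f.dst == req.src and r["target"] == req.dst:
                gateway = r["gw"]
                break
        if gateway is not None:
            outcome = "redirected"
        elif forwarded:
            outcome = "forwarded-no-redirect"
        else:
            outcome = "not-forwarded"
        verdicts.append(Verdict(req.src, req.dst, req.dmac, outcome, gateway))
    return verdicts


if __name__ == "__main__":
    for name, cap in (("plain", PLAIN_CAPTURE), ("carp", CARP_CAPTURE)):
        for v in classify(cap, FW_MAC):
            print(name, v)
```

Run against the two captures, it reports one redirected request for the plain address and two forwarded-without-redirect requests addressed to the CARP virtual MAC `0:0:5e:0:1:1`.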
Re: ffs panic on i386 3.8/stable
On 1/19/06, Tamas TEVESZ <[EMAIL PROTECTED]> wrote:
> barghest:/etc/ppp# chmod 06panic: ffs_read: type 0

can you perform some mem / hw testing? this smells like disk corruption.

> as a strange addition, it seems that the board can pretty
> reliably be panicked with the following:
>
> barghest:~# sysctl ddb.console=1
> ddb.console: 0 -> 1 # then send a break
> barghest:~# Stopped at Debugger+0x4: leave
> ddb> boot
> sync crash dump halt reboot poweroff
> ddb> boot sync
> syncing disks... panic: tsleep
>
> it seems always to give this same response to the same sequence of
> actions.
>
> granted, i'm not very frequent at intentionally dropping boxes to ddb
> then trying to screw them, but it isn't really supposed to work that
> way, is it?

the problem is, once you're in ddb, interrupts and the scheduler are forcibly stopped, and sometimes they don't like coming back to life. spend less time in ddb, you'll be happier. :)
Re: windows -> pf -> inet -> pf -> ftpd [not working]
To even begin to get help on this, you'd need to submit the pf rules on those obsd boxen.

On Thu, Jan 19, 2006 at 05:36:02PM -0500, Price, Joe wrote:
> I have a problem that when a Windows client tries to connect to this ftp
> site, windows explorer returns 'The operation timed out'.
>
> The setup is, windows box behind a openbsd PF (NAT enabled) through the
> public internet to another openbsd PF (NAT enabled) which has a rdr rule
> to redirect to another openbsd machine behind it running ftpd.
>
> I'm assuming the problem exists on one of the firewalls, or both.. Is
> this something that ftp-proxy can fix?
>
> I know the ftp works because I can connect to it from the far end's
> openbsd box, just seems that I can't go through two NATs of PFs or
> something like that.
>
> Any help is appreciated.
>
> Thanks!
ffs panic on i386 3.8/stable
hello,

i was setting up my wrap.1e board when the following happened. this is not the first actual installation of 3.8 on this very hardware, but i never got around to actually start configuring the box (i was playing with the etherboot upgrade mentioned earlier).

everything is via wrap's serial console, 57600 8n1; -stable sans today's pf_norm fix.

barghest:/etc/ppp# uudecode
[demime removed a uuencoded section named ppp.conf which was 2 lines]
barghest:/etc/ppp# ls -l ppp.
ls: ppp.: No such file or directory
barghest:/etc/ppp# ls -l ppp.conf
-rw-r--r-- 1 root wheel 660 Jan 14 03:30 ppp.conf
barghest:/etc/ppp# chmod 06panic: ffs_read: type 0
Stopped at Debugger+0x4: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(0,4003,0,400,d3b712a4) at Debugger+0x4
panic(d0509aed,d0509ae4,0,,0) at panic+0x63
ffs_read(dab0fe18,cfc0,dab0fe40,d0242974,d0580540) at ffs_read+0x36d
VOP_READ(d3b712a4,dab0fe98,0,d3bf3230,d01021e1) at VOP_READ+0x34
vn_read(d3bdadb0,d3bdadcc,dab0fe98,d3bf3230) at vn_read+0x72
dofileread(d3ba9a44,5,d3bdadb0,87979000,400) at dofileread+0x6c
sys_read(d3ba9a44,dab0ff68,dab0ff58,1000,8bb) at sys_read+0x47
syscall() at syscall+0x2ee
--- syscall (number 3) ---
0x9bb6581:
ddb> ps
   PID  PPID  PGRP  UID  S     FLAGS  WAIT       COMMAND
*16387  4580   260    0  7    0x4004             perl
  5086   260   260    0  3    0x4084  piperd     mail
    10   260   260    0  3    0x4084  piperd     tee
  4580   260   260    0  3    0x4084  pause      sh
   260 25521   260    0  3    0x4084  pause      sh
 25521  4174  4174    0  3      0x84  piperd     cron
 22204     1 22204    0  3    0x4086  ttyin      ksh
  4174     1  4174    0  3      0x84  select     cron
 12542     1 12542    0  3   0x40184  select     sendmail
 24235     1 24235    0  3      0x84  select     sshd
  2516     1  2516    0  3     0x184  select     inetd
   317  2344  2344   83  3     0x184  poll       ntpd
  2344     1  2344    0  3      0x84  poll       ntpd
  5611 20614 20614   73  3     0x184  poll       syslogd
 20614     1 20614    0  3      0x84  netio      syslogd
 11063     1 11063   77  3     0x184  poll       dhclient
 18491     1  7301    0  3      0x86  poll       dhclient
     9     0     0    0  3  0x100204  crypto_wa  crypto
     8     0     0    0  3  0x100204  aiodoned   aiodoned
     7     0     0    0  3  0x100204  syncer     update
     6     0     0    0  3  0x100204  cleaner    cleaner
     5     0     0    0  3  0x100204  reaper     reaper
     4     0     0    0  3  0x100204  pgdaemon   pagedaemon
     3     0     0    0  3  0x100204  pftm       pfpurge
     2     0     0    0  3  0x100204  kmalloc    kmthread
     1     0     1    0  3    0x4084  wait       init
     0    -1     0    0  3   0x80204  scheduler  swapper
ddb> show panic
ffs_read: type 0
ddb> boot reboot
panic: mtx_enter: locking against myself
Stopped at Debugger+0x4: leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(16e2f4,dab0eea0,d04462e4,d0957e68,d057f960) at Debugger+0x4
panic(d01021a3,dab0eeb0,d021a21c,d057f990,d0587d70) at panic+0x63
mtx_enter(d057f990,d0587d70,dab0eec0,d01e98a6,1) at mtx_enter+0x5b
timeout_del(d0957e68,0,dab0eef0,d01e99f5,dab0eee4) at timeout_del+0x14
sis_stop(d0957c00,dab0ef74,dab0ef20,d01e9b05) at sis_stop+0x3a
dohooks(d057f960,1,dab0ef50,d01e9ba1) at dohooks+0x5e
boot(4804,b0,dab0ef70,0,0) at boot+0x55
db_boot_poweroff_cmd(d0337fd0,0,,dab0ef78,d057dd80) at db_boot_poweroff_cmd
db_command(d057dd80,d057dba0,dab0f080,d01e8b41,b0) at db_command+0xff
db_command_loop(0,dab0f118,dab0f0c0,d0337e1f,1) at db_command_loop+0x8a
db_trap(1,0,0,0,0) at db_trap+0x86
kdb_trap(1,0,dab0f118,d057fac4) at kdb_trap+0xab
trap() at trap+0xa9
--- trap (number 1) ---
Debugger(16e2f4,dab0f194,dab0f230,d0957a68,d057f960) at Debugger+0x4
panic(d01021a3,dab0f1a4,d021a21c,d057f990,) at panic+0x63
mtx_enter(d057f990,,dab0f1b4,d01e98a6,1) at mtx_enter+0x5b
timeout_del(d0957a68,0,dab0f1e4,d01e99f5,dab0f1d8) at timeout_del+0x14
sis_stop(d0957800,dab0f268,dab0f214,d01e9b05) at sis_stop+0x3a
dohooks(d057f960,1,dab0f244,d01e9ba1) at dohooks+0x5e
boot(4804,d04f0caf,dab0f264,0,0) at boot+0x55
db_boot_poweroff_cmd(d0337fd0,0,,dab0f26c,d057dd80) at db_boot_poweroff_cmd
db_command(d057dd80,d057dba0,dab0f374,d01e8b41,b0) at db_command+0xff
db_command_loop(0,dab0f40c,dab0f3b4,d0337e1f,1) at db_command_loop+0x8a
db_trap(1,0,0,0,0) at db_trap+0x86
kdb_trap(1,0,dab0f40c,d057fac4) at kdb_trap+0xab
trap() at trap+0xa9
--- trap (number 1) ---
Debugger(16e2f4,dab0f488,d04462e4,d0957668,d057f960) at De
Re: time warp in -current
On 1/19/06, Wolfgang S. Rupprecht wrote:
> Turns out this was caused by the most recent changes to kern_clock.c
> and kern_time.c. Compiling with these previous versions gave me a
> functional system clock again.

grr
Re: Generating ICMP Redirects
Steven S wrote:
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and
> default gw (10.10.0.1/16) for a LAN . VPN users (10.4.0.0/16) come
> into the LAN from a PIX (10.10.0.254/16) (changing soon to OpenVPN),
> and when the VPN users hit a server return packets are sent to the
> default gw. I was expecting the OpenBSD server to generate an ICMP
> redirect and all would be well. Unfortunately that is not happening.
> Instead the firewall is sending a host unreachable (yet the fw can
> ping the VPN host).
>
> Any pointers would be appreciated.

I know this is not the answer to your question and I'd like to hear how you wind up getting the OpenBSD box to send the redirects you are looking for, but relying on redirects to do your routing for anything length of time is asking for trouble IMHO. You might just be better off, temporarily, putting the PIX behind the OpenBSD box if possible or, if the servers are few, modifying their local route tables until the new VPN solution is in place.
Re: time warp in -current
I wrote:
> A GENERIC amd64 kernel compiled from today's sources is causing my
> Asus k8v-se-d to run fast by approximately 3 seconds per minute.
> (Obviously that was with ntpd not running.) This has never been a
> problem before. Is anyone else seeing this?

Turns out this was caused by the most recent changes to kern_clock.c and kern_time.c. Compiling with these previous versions gave me a functional system clock again.

/* $OpenBSD: kern_clock.c,v 1.56 2006/01/03 18:22:31 miod Exp $*/
/* $OpenBSD: kern_time.c,v 1.52 2005/11/28 00:14:29 jsg Exp $ */

I think I see how this slipped by testing. The problem only exhibited itself after I ran mills/udel ntpd briefly. This appeared to set a persistent and exceedingly large slew rate that never timed out. Ntpd can't clear it and stopping ntpd only freezes the slew at the last value.

The udel ntpd also couldn't control the system clock too well when it was running. It would lose control of the system within minutes as the slew rate passed some magic rate (500ppm???). As the time offset got larger ntpd decided that all the reference clocks were "insane" and didn't even try to sync to them any more. My last tests showed a case with 1.5 second slew over a 10 second span.

The following test showed the constant 1.5 sec/10 sec slew over the course of several hours.

while : ; do ntpdate -d ntp.sonic.net ; sleep 10 ; done

Hope this helps.

-wolfgang
connection to 3.8 box times out
Greetings,

This is my first post. Apologies if not everything is pro forma. I hope someone might help me with this issue.

Ssh session and pinging 3.8 Generic running on Compaq Deskpro SB time out after 800 to 2400 when not actively using the box. You get 'No route to Host' message in ping or ssh session freezes. The box is connected to 4 port Belkin KVM switch on video and keyboard, regular PS2 mouse is plugged in. Re-plugging mouse wakes up the session/ping and it works for a little while. Pressing keys on mouse makes no difference. Unplugging keyboard makes no difference, but connecting to Video and keyboard on KVM and hitting a key on a keyboard does wake up OpenBSD so that it responds again.

Many Thanks!!

dmesg:

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 300 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 268017664 (261736K)
avail mem = 237674496 (232104K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c9) BIOS, date 12/09/98, BIOS32 rev. 0 @ 0xec700
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
apm0: flags 130102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7170/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xe/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443LX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443LX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Mach64 GZ" rev 0x3a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 11, address 00:04:75:fa:30:d0
exphy0 at xl0 phy 24: 3Com internal media interface
pcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 32-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x02 at pci0 dev 20 function 3 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
"ESS ES1869 Plug and Play AudioD, ESS0006, , " at isapnp0 port 0x800/8 not configured
ess0 at isapnp0 "ESS ES1869 Plug and Play AudioD, ESS1869, , " port 0x220/16,0x388/4,0x330/2 irq 5 drq 1,0: ESS Technology ES1869 [version 0x688b]
ess0: audio1 interrupting at irq 5
audio0 at ess0
opl0 at ess0: model OPL3
midi1 at opl0:
biomask ef4d netmask ef4d ttymask ffcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
Re: OpenBSD for Sun Cobalt Qube3
Wolfgang Kess wrote:
> Hi,
>
> can you give me some advice how to install OpenBSD
> on a Sun Cobalt Qube 3, please?
>
> The Cube comes without cdrom or fd and no display
>
> I read about the PXE installation
> http://www.openbsd.org/faq/faq6.html#PXE
>
> What kind of installation method do you recommend?
>
> Regards
> Wolfgang
>
> The Cube outdated Linux dmesg:

I don't think it would work at all as the Cobalt always had their own hardware handling stuff. Plus to load it, you need a restore CD.

If you really want to play with this and see if that can even load, even if I think it would not, you can start by making your restore CD based on the instructions here:

http://netbsd.org/Ports/cobalt/restorecd-howto.html

I did work with Denis and Alex to test it on the Cobalt RaQ 2. So, that's only a start, but you are really on your own.

The thing is that for the Cobalt, after it is loaded, you rlogin in the box to finish the configuration, but that's because the kernel is designed that way for that box. In this case it wouldn't work.

Assuming you can ever get the box to netboot and that it would actually detect the hardware properly, then you would need to build a configuration that would make the box in a working state for you to then access it. Usually you can do this via the console, but again, I don't think it would work out of the box on the console, but the only way to know is to try it.

I loaded NetBSD on plenty of Cobalt RaQ2 box

http://openbsdsupport.org/netbsd/

But that's not going to do much for you in here. The Cobalt RaQ 2 is mips base and the RaQ 3 is i386 base.

Good luck however. Would be nice to have it working in in, but I don't know.
Re: OpenBSD for Sun Cobalt Qube3
Greetings, I'm not sure about this specific model but... the Cobalt stuff, in most cases, has a very unusual boot loader (a Linux kernel that can only boot only certain type binaries IIRC) that would make it impossible to boot a BSD kernel. I do recall seeing where someone was able to boot FreeBSD on a RaQ3 but that was a while back. Wolfgang Kess wrote: Hi, can you give me some advice how to install OpenBSD on a Sun Cobalt Qube 3, please? The Cube comes without cdrom or fd and no display I read about the PXE installation http://www.openbsd.org/faq/faq6.html#PXE What kind of installation method do you recommend? Regards Wolfgang The Cube outdated Linux dmesg: [root /root]# dmesg Linux version 2.2.16C37_III ([EMAIL PROTECTED]) (gcc version egcs-2.91.6 6 19990314/Linux (egcs-1.1.2 release)) #1 Sat Apr 12 14:54:32 PDT 2003 Ignoring bogus EBDA pointer 5D8000 Detected 448219 kHz processor. Pending 0x00 Calibrating delay loop... 894.57 BogoMIPS Memory: 257488k/262144k available (1252k kernel code, 412k reserved, 2928k data, 64k init) Dentry hash table entries: 32768 (order 6, 256k) Buffer cache hash table entries: 262144 (order 8, 1024k) Page cache hash table entries: 65536 (order 6, 256k) VFS: Diskquotas version dquot_6.4.0 initialized CPU: L1 I Cache: 32K L1 D Cache: 32K CPU: L2 Cache: 128K CPU: AMD AMD-K6(tm)-III Processor stepping 04 Checking 386/387 coupling... OK, FPU using exception 16 error reporting. Checking 'hlt' instruction... OK. POSIX conformance testing by UNIFIX PCI: Using configuration type 1 PCI: Probing PCI hardware Linux NET4.0 for Linux 2.2 Based upon Swansea University Computer Society NET3.039 NET4: Unix domain sockets 1.0 for Linux NET4.0. 
NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP, IGMP TCP: Hash tables configured (ehash 262144 bhash 65536) Initializing RT netlink socket Starting kswapd v 1.6 Cobalt watchdog v1.4 enabled Cobalt I2C bus initialized Cobalt temperature sensor v1.4 enabled Serial driver version 4.27 with no serial options enabled ttyS00 at 0x03f8 (irq = 4) is a 16550A ttyS01 at 0x02f8 (irq = 3) is a 16550A pty: 256 Unix98 ptys configured Real Time Clock Driver v1.09 lcd: Cobalt LCD Driver v3.12 keyboard: Timeout - AT keyboard not present? keyboard: Timeout - AT keyboard not present? serialnumber: Version 1.9 initialized. Serial number=4907d6b2a901. Copyright (c)1994-2000 Axent Technologies, Inc. Uniform Multi-Platform E-IDE driver Revision: 6.30 ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx ALI15X3: IDE controller on PCI bus 00 dev 78 ALI15X3: chipset revision 193 ALI15X3: 100% native mode on irq 14 ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:DMA ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:DMA, hdd:DMA hda: ST340810A, SN=5FB2VCEZ, FWREV=3.39, ATA DISK drive ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx ide0 at 0x1f0-0x1f7,0x3f6 on irq 14 hda: ST340810A, 38166MB w/2048kB Cache, CHS=77545/16/63, UDMA(33) md driver 0.90.0 MAX_MD_DEVS=256, MAX_REAL=12 translucent personality registered linear personality registered raid0 personality registered raid1 personality registered raid5 personality registered raid5: measuring checksumming speed raid5: MMX detected, trying high-speed MMX checksum routines pII_mmx : 872.490 MB/sec p5_mmx: 882.777 MB/sec 8regs : 429.387 MB/sec 32regs: 281.940 MB/sec using fastest function: p5_mmx (882.777 MB/sec) sym53c8xx: at PCI bus 0, device 14, function 0 sym53c8xx: 53c875 detected sym53c875-0: rev 0x4 on pci bus 0 device 14 function 0 irq 12 sym53c875-0: ID 7, Fast-20, Parity Checking scsi0 : sym53c8xx-1.7.3a-20010304 scsi : 1 host. scsi : detected total. 
md.c: sizeof(mdp_super_t) = 4096 Partition check: hda: hda1 hda2 < hda5 hda6 > hda3 hda4 autodetecting RAID arrays autorun ... ... autorun DONE. VFS: Mounted root (ext2 filesystem) readonly. Freeing unused kernel memory: 64k freed Warning: unable to open an initial console. Adding Swap: 131532k swap-space (priority -1) dp83815.c:v1.30 National Semiconductor DP83815 PCI Ethernet Driver eth0: National Semiconductor MacPhyter (dp83815) eth0: bus=0 func=128 io=0x6200 irq=11 ver=4.3 eth0: ethernet addr=00:10:e0:05:41:b9 eth1: National Semiconductor MacPhyter (dp83815) eth1: bus=0 func=144 io=0x6300 irq=10 ver=4.3 eth1: ethernet addr=00:10:e0:05:41:b8 eth0: speed=100 duplex=full link=up NET4: AppleTalk 0.18 for Linux NET4.0 klips_debug:pfkey_x_debug_process: debugging not enabled CSLIP: code copyright 1989 Regents of the University of California usb.c: registered new driver usbdevfs usb.c: registered new driver hub usb-ohci.c: USB OHCI at membase 0xd085e000, IRQ 6 usb.c: new USB bus registered, assigned bus number 1 usb.c: USB new device connect, assigned device number 1
Re: Network performance on WRAP boards
at the smallest packet sizes, that sounds about right, if not slightly low

Carlos Valiente [EMAIL PROTECTED] wrote:
> Hi! I have a couple of WRAP.1E boards running OpenBSD 3.8. Using iperf
> I can only get about 4 to 5 Mbit/s between them.
>
> Is that figure reasonable for that kind of systems?
>
> Cheers,
>
> Carlos

--
"Don Rumsfeld has been chewing on my ankles." -- Dick Cheney
Re: OpenBSD for Sun Cobalt Qube3
On Thu, Jan 19, 2006 at 11:03:33PM +0100, Wolfgang Kess wrote:
> Hi,
>
> can you give me some advice how to install OpenBSD
> on a Sun Cobalt Qube 3, please?
>
> The Cube comes without cdrom or fd and no display
>
> I read about the PXE installation
> http://www.openbsd.org/faq/faq6.html#PXE
>
> What kind of installation method do you recommend?

I'm going to go out on a limb and assume the box supports netbooting, which your post suggests. I've never actually used that procedure before - by virtue of lack of suitable hardware in any quantity worth the bother (the quantity is currently 1) - but it's supposed to be very easy, especially when dealing with many systems.

The other options involve either hooking some sort of bootable device up to the box, or preinstalling OpenBSD on the hard disk (you know, take it out, put it in a machine that is already running OpenBSD, copy, return it to the original, all the while hoping it still works...)

If there's already an OS on there, convincing it to either boot bsd.rd or load entirely in RAM (so that you can do the local equivalent of nc -l 23434 > /dev/hd0c) might be easier.

Joachim
windows -> pf -> inet -> pf -> ftpd [not working]
I have a problem that when a Windows client tries to connect to this ftp site, windows explorer returns 'The operation timed out'.

The setup is, windows box behind a openbsd PF (NAT enabled) through the public internet to another openbsd PF (NAT enabled) which has a rdr rule to redirect to another openbsd machine behind it running ftpd.

I'm assuming the problem exists on one of the firewalls, or both.. Is this something that ftp-proxy can fix?

I know the ftp works because I can connect to it from the far end's openbsd box, just seems that I can't go through two NATs of PFs or something like that.

Any help is appreciated.

Thanks!
OpenBSD3.8 + smtp-vilter + spamassassin
Hello,

Apologies if this is slightly OT, but I've been over this with the SA list and they tell me spamassassin is working correctly. Also since smtp-vilter is one of two milters in packages, I thought there must be people on this list with experience with it (And I know the author posts here)

I have been running an OpenBSD (now at 3.8) Sendmail relay in my dmz for a couple years now that forwards to an internal Exchange server. It's nothing fancy and I'm not really a sendmail or unix expert but it's been getting the job done.

So the time has come for taking anti-spam measures. To start I'd just like to mark spam instead of block it (so no OpenBSD's spamd yet), and to that end I've installed SpamAssassin 3.0.4 and smtp-vilter 1.1.9, both from packages.

It 'works' to a certain extent, in that smtp-vilter headers are added to all messages. The problem is, the scores assigned to spam messages are clearly much too low, and the large majority of spam is not marked as such and much of it is actually scored negatively.

However, testing manually on a spam I received...

# spamassassin < testspam.txt

and

# spamc -R < testspam.txt

...the message scores a 14.3. However, when I actually received this message in my mailbox, it was scored -1.6.

So I am thinking that there is a problem somewhere between smtp-vilter and spamassassin, but where? Has anyone seen this behavior or have a suggestion?

smtp-vilter and (spamassassin's) spamd are both running, are writing to maillog, and appear to be 'working' as far as I can tell.

This is how smtp-vilter and spamassassin are called:

From my sendmail.mc:

INPUT_MAIL_FILTER(`smtp-vilter', `S=unix:/var/smtp-vilter/smtp-vilter.sock, F=T, T=S:10m;R:10m;E:10m')dnl

From my /etc/rc.conf.local:

smtp_vilter=yes

From my /etc/rc.local:

# start smtp-vilter
if [ X"${smtp_vilter}" != X"NO" -a \
    -x /usr/local/sbin/smtp-vilter ]; then
        echo -n ' smtp-vilter'
        /usr/local/sbin/smtp-vilter -m -u _vilter -g _vilter
fi

# Start Spamassassin daemon
/usr/local/bin/spamd -u _vilter -d -s mail -x && echo -e "spamd started..."

My entire /etc/smtp-vilter/smtp-vilter.conf: (comments removed)

user=_vilter
group=_vilter
chroot=/var/smtp-vilter
backend=spamd
config-file=spamd:/var/smtp-vilter/etc/spamd.conf
virus-strategy=notify-recipient
recipient-notification=/etc/smtp-vilter/recipient-notification
spam-strategy=mark
spam-subject-prefix="* SPAM *"
unwanted-strategy=mark
error-strategy=tempfail
port=unix:smtp-vilter.sock
tmpdir=/tmp
pidfile=/var/smtp-vilter/smtp-vilter.pid
log-facility=mail
logfile=/var/smtp-vilter/smtp-vilter.log
option=logspam
option=markall

My entire /var/smtp-vilter/etc/spamd.conf: (comments removed)

host=localhost
port=783
tries=3
timeout=600
maxsize=25
option=chroot-scanrealpath

I've read the man pages for smtp-vilter and smtp-vilter.conf, but I must be doing something stupidly wrong. Does anyone have any ideas or suggestions? File permissions? Something with the chrooting of smtp-vilter?

Thanks in advance for any and all help.

Mike Sassaman
OpenBSD for Sun Cobalt Qube3
Hi, can you give me some advice how to install OpenBSD on a Sun Cobalt Qube 3, please? The Cube comes without cdrom or fd and no display I read about the PXE installation http://www.openbsd.org/faq/faq6.html#PXE What kind of installation method do you recommend? Regards Wolfgang The Cube outdated Linux dmesg: [root /root]# dmesg Linux version 2.2.16C37_III ([EMAIL PROTECTED]) (gcc version egcs-2.91.6 6 19990314/Linux (egcs-1.1.2 release)) #1 Sat Apr 12 14:54:32 PDT 2003 Ignoring bogus EBDA pointer 5D8000 Detected 448219 kHz processor. Pending 0x00 Calibrating delay loop... 894.57 BogoMIPS Memory: 257488k/262144k available (1252k kernel code, 412k reserved, 2928k data, 64k init) Dentry hash table entries: 32768 (order 6, 256k) Buffer cache hash table entries: 262144 (order 8, 1024k) Page cache hash table entries: 65536 (order 6, 256k) VFS: Diskquotas version dquot_6.4.0 initialized CPU: L1 I Cache: 32K L1 D Cache: 32K CPU: L2 Cache: 128K CPU: AMD AMD-K6(tm)-III Processor stepping 04 Checking 386/387 coupling... OK, FPU using exception 16 error reporting. Checking 'hlt' instruction... OK. POSIX conformance testing by UNIFIX PCI: Using configuration type 1 PCI: Probing PCI hardware Linux NET4.0 for Linux 2.2 Based upon Swansea University Computer Society NET3.039 NET4: Unix domain sockets 1.0 for Linux NET4.0. NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP, IGMP TCP: Hash tables configured (ehash 262144 bhash 65536) Initializing RT netlink socket Starting kswapd v 1.6 Cobalt watchdog v1.4 enabled Cobalt I2C bus initialized Cobalt temperature sensor v1.4 enabled Serial driver version 4.27 with no serial options enabled ttyS00 at 0x03f8 (irq = 4) is a 16550A ttyS01 at 0x02f8 (irq = 3) is a 16550A pty: 256 Unix98 ptys configured Real Time Clock Driver v1.09 lcd: Cobalt LCD Driver v3.12 keyboard: Timeout - AT keyboard not present? keyboard: Timeout - AT keyboard not present? serialnumber: Version 1.9 initialized. Serial number=4907d6b2a901. 
Copyright (c)1994-2000 Axent Technologies, Inc. Uniform Multi-Platform E-IDE driver Revision: 6.30 ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx ALI15X3: IDE controller on PCI bus 00 dev 78 ALI15X3: chipset revision 193 ALI15X3: 100% native mode on irq 14 ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:DMA ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:DMA, hdd:DMA hda: ST340810A, SN=5FB2VCEZ, FWREV=3.39, ATA DISK drive ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx ide0 at 0x1f0-0x1f7,0x3f6 on irq 14 hda: ST340810A, 38166MB w/2048kB Cache, CHS=77545/16/63, UDMA(33) md driver 0.90.0 MAX_MD_DEVS=256, MAX_REAL=12 translucent personality registered linear personality registered raid0 personality registered raid1 personality registered raid5 personality registered raid5: measuring checksumming speed raid5: MMX detected, trying high-speed MMX checksum routines pII_mmx : 872.490 MB/sec p5_mmx: 882.777 MB/sec 8regs : 429.387 MB/sec 32regs: 281.940 MB/sec using fastest function: p5_mmx (882.777 MB/sec) sym53c8xx: at PCI bus 0, device 14, function 0 sym53c8xx: 53c875 detected sym53c875-0: rev 0x4 on pci bus 0 device 14 function 0 irq 12 sym53c875-0: ID 7, Fast-20, Parity Checking scsi0 : sym53c8xx-1.7.3a-20010304 scsi : 1 host. scsi : detected total. md.c: sizeof(mdp_super_t) = 4096 Partition check: hda: hda1 hda2 < hda5 hda6 > hda3 hda4 autodetecting RAID arrays autorun ... ... autorun DONE. VFS: Mounted root (ext2 filesystem) readonly. Freeing unused kernel memory: 64k freed Warning: unable to open an initial console. 
Adding Swap: 131532k swap-space (priority -1) dp83815.c:v1.30 National Semiconductor DP83815 PCI Ethernet Driver eth0: National Semiconductor MacPhyter (dp83815) eth0: bus=0 func=128 io=0x6200 irq=11 ver=4.3 eth0: ethernet addr=00:10:e0:05:41:b9 eth1: National Semiconductor MacPhyter (dp83815) eth1: bus=0 func=144 io=0x6300 irq=10 ver=4.3 eth1: ethernet addr=00:10:e0:05:41:b8 eth0: speed=100 duplex=full link=up NET4: AppleTalk 0.18 for Linux NET4.0 klips_debug:pfkey_x_debug_process: debugging not enabled CSLIP: code copyright 1989 Regents of the University of California usb.c: registered new driver usbdevfs usb.c: registered new driver hub usb-ohci.c: USB OHCI at membase 0xd085e000, IRQ 6 usb.c: new USB bus registered, assigned bus number 1 usb.c: USB new device connect, assigned device number 1 hub.c: USB hub found hub.c: 2 ports detected usb.c: registered new driver usblp PPP: version 2.3.7 (demand dialling) PPP line discipline registered. PPP MPPE compression module registered --
Re: Need advice about VPN
On Thu, 19 Jan 2006 11:28:31 +, Stuart Henderson wrote:

>On 2006/01/19 10:39, Simon Slaytor wrote:
>> Stuart Henderson wrote:
>> >On 2006/01/19 09:38, Simon Slaytor wrote:
>> >
>> >>When comparing the two vpn solutions for speed, subjectively the OpenVPN
>> >>feels slightly faster
>> >
>> >If you're using compression on OpenVPN but not on IPSEC, that would
>> >probably explain the speed difference.
>>
>> Agreed, any idea on how the cyphers compare i.e. 3DES v Blowfish in
>> regard to CPU overhead?
>
>'openssl speed' will show you on your system, but Blowfish (and AES,
>at least at some block sizes) are something like twice as fast when
>implemented in software on a standard CPU.
>
>> I was not trying to suggest that this was a like for like comparison. I
>> was merely trying to get the point across that OpenVPN is a viable
>> alternative.
>
>There are strengths and weaknesses for each, overhead is only one
>factor (and not such an important one in smaller setups over relatively
>low-speed lines). I use OpenVPN and IPSEC in different situations (and
>will probably start using ssh tun-forwarding for a few places I'd use
>OpenVPN now - though, I'll have to investigate how tcp-wrapped-in-tcp
>works, since it would be most useful for me over wireless networks
>which have a lot of packet loss).
>
>

If you read http://sites.inka.de/sites/bigred/devel/tcp-tcp.html maybe you won't want TCP-over-TCP. At least, if the author is correct, you will consider that it may be worse than TCP-over-UDP in lossy environments. FWIW

Disclaimer : I don't consider myself sufficiently expert to judge the accuracy of the assertions made there. They simply sounded plausible based on the little I know.

From the land "down under": Australia. Do we look from up over?

Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Generating ICMP Redirects
Stuart Henderson wrote:
...
>> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
>> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
>> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
>
> I suspect you will need to allow the packets through in order to get
> the redirects sent. Are you allowing the outbound from 10.10
> to 10.4 to
> pass in another rule that you didn't include? If not, that's likely to
> be the problem. If you're not sure, make sure blocked packets
> are logged,
> then monitor pflog0.

There was nothing in pflog and here are my drop rules. I have 'pass out all keep state' rule at the head of the ruleset (possible issue?). I'll be testing further to find out more later tonight. After some further research I see I'll also need an rdr for the ICMP to source them from the carp interface as opposed to the real ip.

    [EMAIL PROTECTED] pfctl -s rules | grep block
    block drop in quick on ! lo inet from 127.0.0.0/8 to any
    block drop in quick on ! lo inet6 from ::1 to any
    block drop in quick inet from 127.0.0.1 to any
    block drop in quick inet6 from ::1 to any
    block drop in quick on lo0 inet6 from fe80::1 to any
    block drop in quick on ! fxp2 inet from 10.10.0.0/16 to any
    block drop in quick inet from 10.10.0.251 to any
    block drop in quick on fxp2 inet6 from fe80::202:a5ff:fe60:5850 to any
    block drop in log all
    block drop in quick inet from any to 255.255.255.255
    block drop in quick inet from any to 10.255.255.255
    block drop in quick inet from any to 10.10.255.255
    block drop in quick on fxp2 proto tcp from any to any port = epmap
    block drop in quick on fxp2 proto udp from any to any port = epmap
    block drop in quick on fxp2 proto tcp from any to any port = netbios-ns
    block drop in quick on fxp2 proto udp from any to any port = netbios-ns
    block drop in quick on fxp2 proto udp from any to any port = netbios-dgm
    block drop in quick on fxp2 proto tcp from any to any port = netbios-ssn
    block drop in quick on fxp2 proto tcp from any to any port = microsoft-ds
    block drop in quick on fxp2 proto udp from any to any port = ssdp
    block drop in quick on fxp2 proto udp from any to any port = 5000
Release Song License
Are the OpenBSD Release songs also BSD licenced? The lyrics page doesn't specify. I wanted to know if they are "podcast safe".
Re: portmap daemon
> I have been playing around with openbsd portmap. I am confused about
> the fact that if a program is registered above port 1024 any local
> user may remove it, right?

Yes.

> Does it sound good from a security point of view?

It's not that great, but unfortunately there is no solution to this problem. It is a bad design. I've spent a lot of time working on RPC, making it more secure. There are many other restrictions for safety in our RPC and portmap code, but there is no real solution to this.
portmap daemon
I have been playing around with openbsd portmap. I am confused about the fact that if a program is registered above port 1024 any local user may remove it, right? Does it sound good from a security point of view? PS: Sorry if i seem stupid, but it is really strange for me.
Re: Network problem
Sebastian Schucht <[EMAIL PROTECTED]> wrote:
> rl0: flags=8843 mtu 1500
> address: 00:40:f4:63:63:3d
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet XXX.100.40.69 netmask 0xff00 broadcast 141.100.40.255
> inet XXX.100.40.70 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.71 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.72 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.73 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.74 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.75 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.76 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.77 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.78 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.79 netmask 0xff00 broadcast XXX.100.40.255

I think the netmask is wrong here. For aliases on the same subnet the second, third and so on should have a netmask of 255.255.255.255.
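The rule stated in the reply above, written as a check over ifconfig-style output. This is an added example, not part of the original thread: the sample output uses constructed documentation addresses, and the names parse_netmask and check_aliases are made up for illustration.

```python
"""Flag IPv4 aliases that sit inside the subnet of an earlier address on the
same interface but do not carry a 255.255.255.255 netmask."""
import ipaddress
import re

# Constructed sample in the style of OpenBSD ifconfig output (not from the thread).
SAMPLE_IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:00:5e:00:53:01
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.0.2.69 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.70 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.71 netmask 0xffffffff
        inet 192.0.2.72 netmask 0xff00 broadcast 192.0.2.255
        inet 198.51.100.5 netmask 0xffffff00 broadcast 198.51.100.255
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.80 netmask 0xffffff00 broadcast 192.0.2.255
"""

IFACE_RE = re.compile(r"^([a-z]+\d+):\s+flags=")
INET_RE = re.compile(r"^\s+inet\s+(\S+)\s+netmask\s+(\S+)")


def parse_netmask(text):
    """Return the prefix length of a hex (0xffffff00) or dotted-quad netmask.

    Raises ValueError when the mask is not a contiguous run of 1-bits, so a
    damaged value such as 0xff00 is reported instead of being guessed at.
    """
    if text.lower().startswith("0x"):
        value = int(text, 16)
    else:
        value = int(ipaddress.IPv4Address(text))
    if value > 0xFFFFFFFF:
        raise ValueError(f"netmask {text} wider than 32 bits")
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"netmask {text} is not contiguous")
    return bin(value).count("1")


def check_aliases(ifconfig_text):
    """Return a list of (interface, address, kind, detail) findings."""
    findings = []
    networks = {}   # interface -> subnets claimed by earlier addresses
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            networks[iface] = []
            continue
        m = INET_RE.match(line)
        if not m or iface is None:
            continue
        addr_text, mask_text = m.groups()
        try:
            addr = ipaddress.IPv4Address(addr_text)
            prefix = parse_netmask(mask_text)
        except ValueError as exc:
            findings.append((iface, addr_text, "unparsed", str(exc)))
            continue
        covering = [n for n in networks[iface] if addr in n]
        if covering:
            # An alias inside an already-configured subnet: expect a host mask.
            if prefix != 32:
                findings.append((iface, addr_text, "alias-mask",
                                 f"inside {covering[0]}, netmask should be "
                                 "255.255.255.255"))
        elif prefix != 32:
            # First address in this subnet on this interface defines it.
            networks[iface].append(
                ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return findings


if __name__ == "__main__":
    for finding in check_aliases(SAMPLE_IFCONFIG):
        print(*finding, sep="\t")
```
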
Network performance on WRAP boards
Hi! I have a couple of WRAP.1E boards running OpenBSD 3.8. Using iperf I can only get about 4 to 5 Mbit/s between them. Is that figure reasonable for that kind of systems? Cheers, Carlos
ath(4) and 802.11a/h with DFS and TPC
Hi, when using 802.11a devices in Europe it is mandatory that they support Dynamic Frequency Selection DFS and Transmit Power Control TPC (802.11h). Is this supported by the OpenBSD ath(4) driver? Or is it automatically enabled by the hardware? But how do I set the countrycode for ath wifi cards? As far as I know NetBSD has something like 'sysctl -w hw.ath.countrycode=xxx', but I haven't found anything like this for OpenBSD. Thanks, Holger
Re: Generating ICMP Redirects
On 2006/01/19 11:37, ober wrote:
> Isn't "Destination unreachable" icmp a reply to a closed udp port?

Not if it's coming from the firewall rather than the endpoint - but 'block return' to a udp port does give 'destination unreachable' icmp.
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006/01/19 17:54, Joakim Roubert wrote: > On 2006-01-19 17:43, Stuart Henderson wrote: > > > Try looking for a BIOS setting called something like legacy/native, > > and toggle it. By doing that, I got M5289 to function (DMA unsupported, > > but even with onboard disks it still completes 'make build' faster than > > anything else I have, and I think I'll put my ami(4) in that box > > anyway). > > Ok, I won't have the real RAID-H/W as an option, so the question is what > "anything else" you have... :) How slow is the system without DMA? I > would guess it would be horrible, but perhaps it is not? CPU is fast enough that it wasn't horribly slow, but obviously not as good as it could be. "anything else" - in my case, the next fastest is a celeron 2ghz (my asrock board has an opteron 146). I haven't seen any reliability problems with it, but I haven't worked it harder than a few cvs pulls and 'make build's. > Now I have tried some different actions, and FreeBSD 6.0 finds the disks > right away (but not the network, but perhaps it is easier to tinker > with that compared to the disk stuff?). SuSE Linux seems to support the nic about the best. I don't see anything in FreeBSD cvsweb to indicate that their -current would be any more likely to support the nic but it may be worth trying (it took very many clicks to find cvsweb after their website redesign - oops!) > Unfortunately, I am not that much of a home-hacker, so I would like to > fit the most secure and stable minimal UN*X system on this one. What > would you do in my situation? If it can be made to work without DMA somehow, try it and see if it performs acceptably. (I don't know what's involved to make DMA work and haven't had time to look at it yet). If not, I'd probably fit a PCI card, most of the SATA cards are SiI3112 or some other equally supported chip, see pciide(4) for a list. They cost about 10-15 pounds/euros/dollars from the cheaper retailers. 
Many of the cheap 'sata raid' cards will work fine as a plain sata controller. Not very useful to you, but I'll mention it anyway - the newest onchip SATA controllers from ULi and other manufacturers are mostly AHCI SATA2, which is not supported on OpenBSD yet either, but at least you can download the spec, which is a good start...
Re: Generating ICMP Redirects
Isn't "Destination unreachable" icmp a reply to a closed udp port? -Ober Richard Chesler: [Reading a piece of paper] The first rule of Fight Club is you don't talk about Fight Club? Narrator: [Voice-over] I'm half asleep again; I must've left the original in the copy machine. Richard Chesler: The second rule of Fight Club - is this yours? Narrator: Huh? Richard Chesler: Pretend you're me, make a managerial decision: you find this, what would you do? On Thu, 19 Jan 2006, Steven S wrote: Date: Thu, 19 Jan 2006 10:58:44 -0500 From: Steven S <[EMAIL PROTECTED]> To: misc@openbsd.org Subject: Re: Generating ICMP Redirects [EMAIL PROTECTED] wrote: On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote: ... What about sysctl net.inet.ip.forwarding? Is it set to 1? wq Claudio Yep. The firewalls are working perfectly aside from this redirect issue. They are even performing ISP load balancing (when the second ISP says up.) FW1 is acting as primary and FW2 is standby (it's off right now.) [EMAIL PROTECTED] sysctl -a |grep forw net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=0 -Steve S.
Re: openbsd live cd
mh I don't want to build a live cd myself. I was looking for a ready-built one. may you have misunderstood me.

On Jan 19, 2006, at 8:55 AM, Jacob Meuser wrote:

On Thu, Jan 19, 2006 at 08:17:15AM +0100, Karl-Ludwig Reinhard wrote:

hello list, I'm looking for a openbsd live cd for sys admins, but the only thing I've found was the anonym.os. Is there any other live cd based on openbsd?

http://www.onlamp.com/pub/a/bsd/2005/07/14/openbsd_live.html first hit on google for "openbsd live cd". the next two hits have methods as well.

-- <[EMAIL PROTECTED]>

-- Karl-Ludwig Reinhard Im Schafacker 16 79541 Lörrach [EMAIL PROTECTED] +49 7621 55486 Skype me: k4rlludwig
Re: openbsd live cd
On Wed, Jan 18, 2006 at 11:55:15PM -0800, Jacob Meuser wrote:
> On Thu, Jan 19, 2006 at 08:17:15AM +0100, Karl-Ludwig Reinhard wrote:
> > hello list,
> >
> > I'm looking for a openbsd live cd for sys admins, but the only thing
> > I've found was the anonym.os. Is there any other live cd based on
> > openbsd?
> >
>

My personal "man livecd"

If anybody thinks something is wrong with it please tell me, I'm eager to learn :)

Hint this is optimized for vim, tw=80 and syntax highlighting set to "CONF".

# live_cd OpenBSD 2006.01.19

Since there isn't (unfortunately) an official OpenBSD Live CD we will create one:

We need a current system and create a release with source code -> release
# Alternatively you could use OpenBSD stable/release if you have the source code
# available

Create a directory, this will become root '/' on the CD.
# NOTE: If there is not enough free space on '/usr/' you have to choose a
# different directory (of course you can do so anyway) and change the paths in
# all following commands accordingly
"mkdir -p /usr/livecd/backups/dev"

# COMPLICATED way SKIP this! (Life is too short for this kind of stuff!)
#---
#Now the entire root system contained in the release tarballs has to be
#unpacked into the livecd directory:
#"cp baseXX.tgz /usr/livecd/ && cd /usr/livecd/ && tar pxzf baseXX.tgz"
# Repeat this for every part of the system you want!
## IMPORTANT!
#Adjust further files:
#"etc/motd" "etc/mygate" "etc/myname" "etc/sysctl.conf" "etc/rc.conf"
#"etc/defaultdomain"
#
#Keyboard layout:
#"etc/kbdtype"
#
#Provide for network cards:
#"etc/hostname.*" "etc/resolv.conf"
#
#Hosts:
#"etc/hosts"
#
#Timezone:
#"rm etc/localtime && ln -s usr/share/zoneinfo/Europe/Berlin etc/localtime"
#Create users:
## Easiest way:
#Create the user and group on the "host system" and cut/paste these entries
#into "/etc/group" and "/etc/master.passwd".
#-> afterboot
# ssh , etc.
#-> security
#Add packages ?
#---

# Simple way to get this done

Grab an empty hard drive and make a fresh nice and SLIM install of OpenBSD. As said above you need the source code to the version you install!
# HINT: Against all good practices ONLY create an 'a' partition since it will
# make creating the CD much easier than having multiple partitions.

This includes all packages/ports you want to be on the CD. You should configure the system EXACTLY like you want it to be on CD.
# WARNING:
# The settings should be fairly generic, especially /etc/X11/xorg.conf should
# use the vesa driver and a resolution of "1024x768"!

Now mount this partition with another OpenBSD system in order to create a (compressed) tar archive.
# NOTE: Do not forget the 'p' flag!
"cd /mnt/ && tar pczf ~/livecd_root.tar.gz *"

We transfer this archive to our build machine and extract into our livecd directory we created earlier:
"tar pxzf livecd_root.tar.gz -C /usr/livecd/"

We have to copy "/var", "/etc", "/dev", "/root" and "/home" from "/usr/livecd" to "/usr/livecd/backup":
# WARNING: Delete the "shell history", "vim info" and other documents we might
# NOT want to have on our CD:
"cd /usr/livecd && rm -i {root,home/*}/{.history,.viminfo} "
"cp -pR /usr/livecd/{var,etc,root,home} /usr/livecd/backups/"
"cp -pR /usr/livecd/dev/MAKEDEV /usr/livecd/backups/dev/"
# WARNING: Check for permission issues in livecd directory

Since a CD is not huge we will compress the "backup" directories into compressed tar archives:
# NOTE: This is ONE long command line, you could split it into several steps
"cd /usr/livecd/backups && \
 tar pzcf var.tar.gz var && \
 tar pzcf etc.tar.gz etc && \
 tar pzcf dev.tar.gz dev && \
 tar pzcf home.tar.gz home && \
 tar pzcf root.tar.gz root/.[a-z]* && \
 rm -rf /usr/livecd/backups/{var,etc,dev,home,root}"

We have to create virtual partitions in memory (MFS) since we want them to be faster and more importantly writeable. On boot the content of the archives under "/livecd/backups" is extracted into them. We have to modify the "etc/rc" script in order for this to work:

--- /usr/livecd/etc/rc -
# Insert this AFTER
# rm -f /fastboot # XXX (root now writeable)
# Create/mount mfs partitions
echo 'mounting mfs'
mount_mfs -s 51200 -o async,nosuid,nodev,noatime swap /var
mount_mfs -s 6144 -i 4096 -o async,nosuid,nodev,noatime swap /etc
mount_mfs -s 2048 -i 128 -o async,noatime swap /dev
mount_mfs -s 6144 -o async,nosuid,nodev,noatime swap /tmp
mount_mfs -s 8192 -o async,nosuid,nodev,noatime swap /home
mount_mfs -s 8192 -o async,nosuid,nodev,noatime swap /root
# Seems that a short break is necessary here
sleep 2
# Copy over all stuff in
Fwd: How can i send syslogd message to a OPENBSD server ?
thanks, it works. ^_^

> You will need to start syslog on the openbsd server with the -u option
> (see /etc/rc.conf and syslogd man pages) and also make sure you have
> pf.conf
> allowing port 514 udp from your linux host.
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006-01-19 17:43, Stuart Henderson wrote: >>vendor "Acer Labs", unknown product 0x5287 (class mass storage subclass >>SATA, rev 0x02) at pci0 dev 31 function 1 not configured > > Good, it's not hidden behind an unrecognisable pci-pci bridge. Ok, at least that's something! :) > Try looking for a BIOS setting called something like legacy/native, > and toggle it. By doing that, I got M5289 to function (DMA unsupported, > but even with onboard disks it still completes 'make build' faster than > anything else I have, and I think I'll put my ami(4) in that box > anyway). Ok, I won't have the real RAID-H/W as an option, so the question is what "anything else" you have... :) How slow is the system without DMA? I would guess it would be horrible, but perhaps it is not? The system I am to setup is a backup server that is to do pretty much nothing but wait all the time, and each night get the backup from our server. So perhaps the most incredible disk speed is not needed, but disk I/O has to be reliable. Now I have tried some different actions, and FreeBSD 6.0 finds the disks right away (but not the network, but perhaps it is easier to tinker with that compared to the disk stuff?). Unfortunately, I am not that much of a home-hacker, so I would like to fit the most secure and stable minimal UN*X system on this one. What would you do in my situation? Regards, /Joakim -- http://www.df.lth.se/~jokke/
Re: Need advice about VPN
On 1/18/06, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> On Wed, Jan 18, 2006 at 11:20:55AM +0100, Joachim Schipper wrote:
> Forget about openvpn, there's no need to fiddle around with third
> party stuff.

OT: OpenVPN has its purposes, though this particular scenario shouldn't be one of them. On several occasions, I have run into scenarios where connectivity was limited, ALL IPs were behind NAT, endpoint IPs changed often and only specific TCP/UDP ports were permitted. (Many times in an attempt to specifically thwart IPSEC.) OpenVPN has proved robust and reliable in those environments.

> Just make sure to take a look at vpn(8). If ipsec does not suit
> your needs, take a look at tunneling using ssh(1) "-w".

Unfortunately, while I love the flexibility of SSH tunneling, I would still consider it an ad-hoc solution for most, a massive drawback being that it tunnels over TCP.
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006/01/19 17:08, Joakim Roubert wrote:
> On 2006-01-19 15:42, Stuart Henderson wrote:
> > No dmesg, so it's difficult to help you...
>
> Ok, here goes:
> (there might be typos, since I write down what I read on the screen next
> to me...)

well done :)

I have some similar ALi/ULi devices on a different ASRock board here, and have got a little further.

> vendor "Acer Labs", unknown product 0x5287 (class mass storage subclass
> SATA, rev 0x02) at pci0 dev 31 function 1 not configured

Good, it's not hidden behind an unrecognisable pci-pci bridge. Try looking for a BIOS setting called something like legacy/native, and toggle it. By doing that, I got M5289 to function (DMA unsupported, but even with onboard disks it still completes 'make build' faster than anything else I have, and I think I'll put my ami(4) in that box anyway).

> vendor "Acer Labs", unknown product 0x5263 (class network subclass
> ethernet, rev 0x50) at pci0 dev 27 function 0 not configured

that's actually near enough a dc(4), I have got as far as getting it to pick up the right MAC address (the easy bit) but not detect any PHYs (the bit which needs either a datasheet or someone better at reading linux source than I).
Via K8T900 - Questions
Dear misc, Not so long ago Via released a new chipset which sounds very promising performance-wise, compared to the Nvidia solutions, the K8T900. I was wondering whether there was already any interest from dev's for this platform. The reason is simple: a dual-boot machine which can handle OpenBSD with full support, and Windows for the entertainment side (=games) would be great. An OpenBSD-friendly platform. This without losing too much on performance (the Nvidia chipsets behave really well under Windows). Currently, several mags did some tests on a Via reference design mobo, comparing it to the Nforce 4 ones, and it looked good!. Heck, I'm even willing to get the project a mobo as soon as one is available. Kind regards, P
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006-01-19 15:42, Stuart Henderson wrote: > No dmesg, so it's difficult to help you... Ok, here goes: (there might be typos, since I write down what I read on the screen next to me...) = OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 15:58:32 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD cpu0: Intel(R) Celeron(R) CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID real mem = 469012480 (458020K) avail mem = 421904384 (412016K) using 4278 buffers containing 23552000 bytes (23000K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 12/05/05, BIOS32 rev. 0 @ 0xf0010 apm0 at bios0: Power Management spec V1.2 apm0: flags 20102 dobusy 0 doidle 1 pcibios0 at bios0: rev 3.0 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5d60/144 (7 entries) pcibios0: no compatible PCI ICU found: ICU vendor 0x10b9 product 0x1573 pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #2 is the last bus WARNING: can't reserve area for I/O APIC. WARNING: can't reserve area for Local APIC. WARNING: can't reserve area for BIOS PROM. bios0: ROM list: 0xc/0xf000! 
0xcf000/0x5600 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 vendor "ATI", unknown product 0x5a33 rev 0x01 ppb0 at pci0 dev 1 functon 0 "ATI RS480 PCIE" rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200" rev 0x00 wsdisplay0 at vga1 mix 1: console (80x25, vt100 emulation) ppb1 at pci0 dev 25 function 0 vendor "Acer Labs", unknown product 0x5249 rev 0x00 pci2 at ppb1 bus 2 ral0 at pci2 dev 21 function 0 "Ralink RT2560" rev 0x01: irq 5, address 00:14:85:16:b2:2c ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525 vendor "Acer Labs", unknown product 0x5263 (class network subclass ethernet, rev 0x50) at pci0 dev 27 function 0 not configured ohci0 at pci0 dev 28 function 0 "Acer Labs M5237 USB" rev 0x03: irq 10, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1 uhub0: 3 ports with 3 removable, self powered ohci1 at pci0 dev 28 function 1 "Acer Labs M5237 USB" rev 0x03: irq 5, version 1.0, legacy support usb1 at ohci1: USB revision 1.0 uhub1 at usb1 uhub1: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1 uhub1: 3 ports with 3 removable, self powered ohci2 at pci0 dev 28 function 2 "Acer Labs M5237 USB" rev 0x03: irq 5, version 1.0, legacy support usb2 at ohci2: USB revision 1.0 uhub2 at usb2 uhub2: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1 uhub2: 3 ports with 3 removable, self powered ehci0 at pci0 dev 28 function 3 vendor "Acer Labs", unknown product 0x5239 rev 0x01: irq 5 isb3 at ehci0: USB revision 2.0 uhub3 at usb3 uhub3: Acer LAbs EHCI root hub, rev 2.00/1.00, addr 1 uhub3: 8 ports with 8 removable, self powered vendor "Acer Labs", unknown product 0x5455 (class multimedia subclass audio, rev 0x20) at pci0 dev 29 function 0 not configured pcib0 at pci0 dev 30 function 0 vendor "Acer Labs", unknown product 0x1573 rev 0x31 "Acer Labs M7101 Power" rev 0x00 at pci0 dev 30 function 1 not configured pciide0 at pci0 
dev 31 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc7: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 disabled (no drives) vendor "Acer Labs", unknown product 0x5287 (class mass storage subclass SATA, rev 0x02) at pci0 dev 31 function 1 not configured isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550A, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cul, 2 head, 18 sec biomask fed netmask ffed ttymask ffef rd0: fixed, 3800 blocks root on rd0a rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02 = Regards, /Joakim -- http://www.df.lth.se/~jokke/
Re: Generating ICMP Redirects
[EMAIL PROTECTED] wrote: > On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote: ... > > What about sysctl net.inet.ip.forwarding? Is it set to 1? > >> wq Claudio Yep. The firewalls are working perfectly aside from this redirect issue. They are even performing ISP load balancing (when the second ISP says up.) FW1 is acting as primary and FW2 is standby (it's off right now.) [EMAIL PROTECTED] sysctl -a |grep forw net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=0 -Steve S.
Re: Generating ICMP Redirects
On 2006/01/19 10:32, Steven S wrote:
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
> gw (10.10.0.1/16) for a LAN . VPN users (10.4.0.0/16) come into the LAN
> from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
> users hit a server return packets are sent to the default gw. I was
> expecting the OpenBSD server to generate an ICMP redirect and all would be
> well. Unfortunately that is not happening. Instead the firewall is sending
> a host unreachable (yet the fw can ping the VPN host).

Immediate thoughts: firewall rules, net.inet.ip.forwarding setting.

> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16

I suspect you will need to allow the packets through in order to get the redirects sent. Are you allowing the outbound from 10.10 to 10.4 to pass in another rule that you didn't include? If not, that's likely to be the problem. If you're not sure, make sure blocked packets are logged, then monitor pflog0.
Re: Generating ICMP Redirects
On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote:
> Greetings,
>
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
> gw (10.10.0.1/16) for a LAN. VPN users (10.4.0.0/16) come into the LAN
> from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
> users hit a server return packets are sent to the default gw. I was
> expecting the OpenBSD server to generate an ICMP redirect and all would be
> well. Unfortunately that is not happening. Instead the firewall is sending
> a host unreachable (yet the fw can ping the VPN host).
>
> Any pointers would be appreciated. Here's some relevant info:
>
> [EMAIL PROTECTED] tcpdump -nei fxp2 icmp
> 09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable
> 09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable
>
> [EMAIL PROTECTED] ping 10.4.0.67
> PING 10.4.0.67 (10.4.0.67): 56 data bytes
> 64 bytes from 10.4.0.67: icmp_seq=0 ttl=128 time=66.969 ms
>
> [EMAIL PROTECTED] netstat -rn | grep 10.4
> 10.4/16 10.10.0.254 UGS 0 61208 - fxp2
>
> [EMAIL PROTECTED] ifconfig carp2
> carp2: flags=8843 mtu 1500
>   carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 100
>   groups: carp
>   inet 10.10.0.1 netmask 0x broadcast 10.10.255.255
> [EMAIL PROTECTED] ifconfig fxp2
> fxp2: flags=8943 mtu 1500
>   lladdr 00:02:a5:60:58:50
>   media: Ethernet autoselect (100baseTX full-duplex)
>   status: active
>   inet 10.10.0.251 netmask 0x broadcast 10.10.255.255
>   inet6 fe80::202:a5ff:fe60:5850%fxp2 prefixlen 64 scopeid 0x3
>
> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
>
> [EMAIL PROTECTED] sysctl -a |grep redi
> net.inet.ip.redirect=1
> net.inet.icmp.rediraccept=1
> net.inet.icmp.redirtimeout=600
> net.inet6.ip6.redirect=1
> net.inet6.icmp6.rediraccept=1
> net.inet6.icmp6.redirtimeout=600
>

What about sysctl net.inet.ip.forwarding? Is it set to 1?

--
:wq Claudio
Generating ICMP Redirects
Greetings,

I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default gw (10.10.0.1/16) for a LAN. VPN users (10.4.0.0/16) come into the LAN from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN users hit a server return packets are sent to the default gw. I was expecting the OpenBSD server to generate an ICMP redirect and all would be well. Unfortunately that is not happening. Instead the firewall is sending a host unreachable (yet the fw can ping the VPN host).

Any pointers would be appreciated. Here's some relevant info:

[EMAIL PROTECTED] tcpdump -nei fxp2 icmp
09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable
09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 > 10.10.0.11: icmp: host 10.4.0.67 unreachable

[EMAIL PROTECTED] ping 10.4.0.67
PING 10.4.0.67 (10.4.0.67): 56 data bytes
64 bytes from 10.4.0.67: icmp_seq=0 ttl=128 time=66.969 ms

[EMAIL PROTECTED] netstat -rn | grep 10.4
10.4/16 10.10.0.254 UGS 0 61208 - fxp2

[EMAIL PROTECTED] ifconfig carp2
carp2: flags=8843 mtu 1500
  carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 100
  groups: carp
  inet 10.10.0.1 netmask 0x broadcast 10.10.255.255
[EMAIL PROTECTED] ifconfig fxp2
fxp2: flags=8943 mtu 1500
  lladdr 00:02:a5:60:58:50
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active
  inet 10.10.0.251 netmask 0x broadcast 10.10.255.255
  inet6 fe80::202:a5ff:fe60:5850%fxp2 prefixlen 64 scopeid 0x3

[EMAIL PROTECTED] pfctl -s rules |grep 10.4
pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16

[EMAIL PROTECTED] sysctl -a |grep redi
net.inet.ip.redirect=1
net.inet.icmp.rediraccept=1
net.inet.icmp.redirtimeout=600
net.inet6.ip6.redirect=1
net.inet6.icmp6.rediraccept=1
net.inet6.icmp6.redirtimeout=600
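The conditions under which a BSD-style router would be expected to emit the redirect discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of the classic 4.4BSD `ip_forward()` / RFC 1812 redirect test, run on the addresses from the post. The /16 on fxp2 is taken from the post's prose, `Iface`, `Route`, `lookup` and `redirect_decision` are hypothetical names, and the model is not OpenBSD 3.8's source.

```python
"""Simplified model of when a BSD-style router sends an ICMP redirect.

Assumption: follows the classic 4.4BSD ip_forward() test and RFC 1812
section 5.2.7.2; it is not OpenBSD 3.8's actual code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str
    addr: ipaddress.IPv4Interface      # address and netmask


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None = directly connected
    ifname: str
    dynamic: bool = False              # created or modified by a redirect


# Values from the post; the /16 on fxp2 comes from the post's prose.
IFACES = {"fxp2": Iface("fxp2", ipaddress.ip_interface("10.10.0.251/16"))}
ROUTES = [
    Route(ipaddress.ip_network("10.10.0.0/16"), None, "fxp2"),
    Route(ipaddress.ip_network("10.4.0.0/16"),
          ipaddress.ip_address("10.10.0.254"), "fxp2"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns None when nothing covers dst."""
    hits = [r for r in routes if dst in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen) if hits else None


def redirect_decision(forwarding, send_redirects, ifaces, routes,
                      in_if, src, dst):
    """Return (send_redirect, reason, better_next_hop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not forwarding:
        return False, "net.inet.ip.forwarding=0: packet is not forwarded", None
    rt = lookup(routes, dst)
    if rt is None:
        return False, "no route to destination", None
    if rt.ifname != in_if:
        return False, "packet leaves on a different interface", None
    if not send_redirects:
        return False, "net.inet.ip.redirect=0", None
    if rt.dynamic or rt.dest.prefixlen == 0:
        return False, "route is redirect-derived or the default route", None
    if src not in ifaces[in_if].addr.network:
        return False, "sender is not on the receiving interface's subnet", None
    # The sender can reach the next hop directly, so point it there.
    hop = rt.gateway if rt.gateway is not None else dst
    return True, "same-interface forward for an on-link sender", hop


if __name__ == "__main__":
    cases = [
        ("server reply to VPN client", True, "10.10.0.11", "10.4.0.67"),
        ("same packet, forwarding off", False, "10.10.0.11", "10.4.0.67"),
        ("VPN client to server", True, "10.4.0.67", "10.10.0.11"),
    ]
    for label, fwd, src, dst in cases:
        ok, why, hop = redirect_decision(fwd, True, IFACES, ROUTES,
                                         "fxp2", src, dst)
        print(f"{label}: redirect={ok} next_hop={hop} ({why})")
```

The first check in the model is the one the reply asks about: with forwarding off, none of the redirect sysctls listed in the post come into play.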
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006-01-19 15:42, Stuart Henderson wrote: > No dmesg, so it's difficult to help you... Even if all you can do is > boot the install kernel, save a dmesg to a file, and ftp it somewhere, > that's a lot better than nothing. I will see if I can fix that. > ULi want an NDA before releasing documentation, and have now been bought > by nvidia, so finding information to write correct drivers isn't going > to be easy. N! :-( But, on the other hand, when it comes to gfx cards there is, for Linux, support for all cards but one (old), so perhaps they will do the same with these ones. > If you haven't already, try playing with the BIOS settings. You may be > able to get your disks to work (but even if you do, possibly no DMA). Ok! Thanks a lot for your input! Perhaps I will have to go with another OS on this machine (I am about to get us a more critical server too; I will make sure I get a controller OpenBSD really supports on that one, because that one really has to run OBSD.) Best regards, /Joakim -- http://www.df.lth.se/~jokke/
Re: Need advice about VPN
On Thu, Jan 19, 2006 at 11:28:31AM +, Stuart Henderson wrote: > On 2006/01/19 10:39, Simon Slaytor wrote: > > Stuart Henderson wrote: > > >On 2006/01/19 09:38, Simon Slaytor wrote: > > > > > >>When comparing the two vpn solutions for speed, subjectively the OpenVPN > > >>feels slightly faster > > > > > >If you're using compression on OpenVPN but not on IPSEC, that would > > >probably explain the speed difference. > > > > Agreed, any idea on how the cyphers compare i.e. 3DES v Blowfish in > > regard to CPU overhead? > > 'openssl speed' will show you on your system, but Blowfish (and AES, > at least at some block sizes) are something like twice as fast when > implemented in software on a standard CPU. Not to mention the fact that in-kernel software, all else being equal, runs faster due to the lack of context switches and so on. OTOH, OpenVPN uses adaptive compression, which can at times be preferable to the IPsec on/off option. Joachim
Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
On 2006/01/19 14:33, Joakim Roubert wrote:
> I have a computer based on this motherboard (more info here:
> http://www.asrock.com/product/product_775Twins-HDTV.htm), and the
> OpenBSD 3.8 install CD won't find the disks.
>
> The southbridge is an ULi 1573, and since it is not present in the
> OpenBSD chipset support list, the reason 3.8 won't find my disks is
> rather obvious even to me. :)
>
> FreeBSD finds the disks, though, but I would prefer to run OpenBSD on
> the machine. You guys that know everything there is to know about
> OpenBSD, is there support in ULi 1573 to find in the CVS or so?

No dmesg, so it's difficult to help you... Even if all you can do is boot the install kernel, save a dmesg to a file, and ftp it somewhere, that's a lot better than nothing.

ULi want an NDA before releasing documentation, and have now been bought by nvidia, so finding information to write correct drivers isn't going to be easy.

If you haven't already, try playing with the BIOS settings. You may be able to get your disks to work (but even if you do, possibly no DMA).
Re: ntpd is not adjusting time
At 12:59 PM 2/11/05, Henning Brauer wrote:
* Frank Bax <[EMAIL PROTECTED]> [2005-02-11 18:53]:
> At 07:59 AM 2/11/05, Henning Brauer wrote:
> >* Frank Bax <[EMAIL PROTECTED]> [2005-02-11 04:08]:
> >> ntp engine ready
> >> no reply from 192.117.105.69 received in time
> >> no reply from 82.69.129.106 received in time
> >> no reply from 81.7.132.92 received in time
> >> The log file contains *many* of these entries - looks like 15 sites, then
> >> they start over - repeating until I kill the process. What kind of problem
> >> causes this message? This site is using an ADSL connection to internet,
> >> but we have no other sites with the same ISP.
> >
> >you don't receive replies. network issue, maybe firewall.
>
> This machine does not have pf enabled. The site uses the same (D-link
> DI-7404P) router/firewall as other sites where ntp is working
> properly. Router has basic/default config, except I added forwarding of
> incoming port 22 to the "problem" bsd system. I can even ping some of the
> time servers (I've read that not all time servers reply to ping). The only
> variable I can think of is ISP, which is different at each site (not my
> idea, it's a long story). I don't know what commands to use to prove this
> might be an ISP issue.

well, no matter what, you are not receiving replies.

Upgraded to 3.8 yesterday (a bit overdue) and the problem went away.
Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?
Hi!

I have a computer based on this motherboard (more info here: http://www.asrock.com/product/product_775Twins-HDTV.htm), and the OpenBSD 3.8 install CD won't find the disks.

The southbridge is an ULi 1573, and since it is not present in the OpenBSD chipset support list, the reason 3.8 won't find my disks is rather obvious even to me. :)

FreeBSD finds the disks, though, but I would prefer to run OpenBSD on the machine. You guys that know everything there is to know about OpenBSD, is there support in ULi 1573 to find in the CVS or so?

Best regards,
/Joakim
--
http://www.df.lth.se/~jokke/
Re: dup-to
hi, I meant where to put a RULE with dup-to so as not to mess with the others, especially with a RULE using route-to. I would test it myself, but this fw is quite important, so if anyone is using it I would be happy for tips. Anyway, the manpage does not tell how dup-to interacts with rules with route-to, fastroute or reply-to.

regards
Jacek

On 1/18/06, yary <[EMAIL PROTECTED]> wrote:
> dup-to isn't a rule, it's something you add to a "pass" rule
>
> take a look at the pf.conf man page, and study the BNF section at the
> end for syntax.
>
> and search this list/internet at large for examples
Re: Need advice about VPN
On 2006/01/19 10:39, Simon Slaytor wrote: > Stuart Henderson wrote: > >On 2006/01/19 09:38, Simon Slaytor wrote: > > > >>When comparing the two vpn solutions for speed, subjectively the OpenVPN > >>feels slightly faster > > > >If you're using compression on OpenVPN but not on IPSEC, that would > >probably explain the speed difference. > > Agreed, any idea on how the cyphers compare i.e. 3DES v Blowfish in > regard to CPU overhead? 'openssl speed' will show you on your system, but Blowfish (and AES, at least at some block sizes) are something like twice as fast when implemented in software on a standard CPU. > I was not trying to suggest that this was a like for like comparison. I > was merely trying to get the point across that OpenVPN is a viable > alternative. There are strengths and weaknesses for each, overhead is only one factor (and not such an important one in smaller setups over relatively low-speed lines). I use OpenVPN and IPSEC in different situations (and will probably start using ssh tun-forwarding for a few places I'd use OpenVPN now - though, I'll have to investigate how tcp-wrapped-in-tcp works, since it would be most useful for me over wireless networks which have a lot of packet loss).
Re: Need advice about VPN
Stuart Henderson wrote: >On 2006/01/19 09:38, Simon Slaytor wrote: > > >>When comparing the two vpn solutions for speed, subjectively the OpenVPN >>feels slightly faster >> >> > >If you're using compression on OpenVPN but not on IPSEC, that would >probably explain the speed difference. > > > > > Agreed, any idea on how the cyphers compare i.e. 3DES v Blowfish in regard to CPU overhead? I was not trying to suggest that this was a like for like comparison. I was merely trying to get the point across that OpenVPN is a viable alternative.
Re: Need advice about VPN
On 2006/01/19 09:38, Simon Slaytor wrote: > When comparing the two vpn solutions for speed, subjectively the OpenVPN > feels slightly faster If you're using compression on OpenVPN but not on IPSEC, that would probably explain the speed difference.
Re: Need advice about VPN
Going to go against the flow here and say go for OpenVPN. This recommendation is based on the following observations:

- It's easy to implement
- It's secure
- It's stable
- By using the tls-auth option the fact that your firewall is acting as a vpn endpoint becomes invisible to the 'net'
- It easily handles NAT'ing firewalls with no special NAT requirements
- Will easily work with dynamic DNS clients as end points.
- Works well with OpenBSD

In your scenario you could setup a single central OpenVPN/CA server to act as a VPN concentrator; your 2nd site and your two colo servers could then act as 'clients', making admin and setup very straightforward.

With regard to the speed of IPSec v OpenVPN (SSL/TLS), we use IPSec for site to site VPN's (3DES+PFS) where each end has a static IP and OpenVPN (Blowfish) for our 'road warriors'.

The IPSec VPN's terminate onto a 3.8 box with a 450Mhz CPU (K62).
OpenVPN runs on a separate 3.8 box behind the firewall and uses a PII 450Mhz CPU.

When comparing the two vpn solutions for speed, subjectively the OpenVPN feels slightly faster, but there's not much in it and the different encryption schemes may well account for the speed variance. We don't push a lot of traffic through the VPN's, hence I can get away with low power hardware. However, what I'm trying to say is that running OpenVPN doesn't require a large amount of horsepower and is no disadvantage over IPSec.

Regards
Simon
Re: 3.8/64 bits/snmp
> I've seen the same on amd64 (OpenBSD 3.7 and 3.8) running net-snmp 5.x.

Yep, that's it ;-)

> I haven't noticed any issue with interface counters,

On our platform, interface counters are sent back using Counter32 while carrying 64-bit values. It works while the counter is less than 4 GB but our monitor rejects larger values ...

> The problem is with net-snmp. Beyond this I haven't chased it down.

But not on all platforms. Netsnmp 5 works great with OpenBSD i386 or Ubuntu amd64.

BR,
--
Sylvain COUTANT
ADVISEO
http://www.adviseo.fr/
http://www.open-sp.fr/
Re: How can i send syslogd message to a OPENBSD server ?
On Thursday 19 January 2006 01:37 am, Michael Bibby wrote:
> hello ,[EMAIL PROTECTED]
>
> I have a Linux(SUSE ENTERPRISE LINUX 9) system ,and i want to send all
> syslogd messages
> to another system which runs OpenBSD 3.8 release . How can i do with
> OpenBSD ?
>
> well ,i know how to configure it in Linux(suse):
>
> Server (get all messages sent from client,IP:192.168.0.1):
> == /etc/syslogd.conf ==
> *.* -/var/log/messages
>
> == /etc/sysconfig/syslog ==
> SYSLOGD_PARAMS="-r"
>
> Client (send all syslogd messages to Server):
> == /etc/syslogd.conf ==
> *.* @192.168.0.1

You will need to start syslog on the openbsd server with the -u option (see /etc/rc.conf and syslogd man pages) and also make sure you have pf.conf allowing port 514 udp from your linux host.
Re: Anonym.OS - OpenBSD-based live CD
On 1/19/06, Scott Francis <[EMAIL PROTECTED]> wrote: > Surprisingly, nobody else has mentioned this on-list yet (perhaps > because it's been all over the news elsewhere): > http://news.google.com/news?hl=en&ned=us&q=anonym.os&btnG=Search+News It was reported on undeadly.org. > I'm not in the least surprised that OpenBSD was chosen as the base for > a live CD focused on privacy, anonymity and security - in fact, I > can't really imagine doing what they did with any other platform > (certainly not doing it as well). I'm less than impressed with it after mounting the iso and viewing the contents. Their documentation is poor, if not void of content altogether. Call Anonym.OS what it is, a coagulated lump of untrusted packages and scripts conveniently bundled for those who are unwilling or unable to use OpenBSD in its native form. It reeks of a clumsily-staged publicity stunt. I digress; OpenBSD is free.