OpenBSD 3.8, fxp, device timeout

2006-01-19 Thread Sven Wolf

Hello,

I have a server at the German hosting provider Strato and I am trying to install OpenBSD 
3.8 on this machine. But I always get a device timeout on the Intel NIC 
(because of a wrong IRQ assignment?)  :( 


Here is the dmesg output:

OpenBSD 3.8 (RAMDISK) #9: Tue Jan  17 18:24:51 CET 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
cpu0: Intel(R) Celeron(R) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

real mem  = 536387584 (523816K)
avail mem = 485179392 (473808K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
acpi0 at mainbus0: revision 0 attached
acpitimer at acpi0 not configured
acpi device at acpi0 from table DSDT not configured
acpi device at acpi0 from table FACP not configured
bios0 at mainbus0: AT/286+(c0) BIOS, date 05/27/03, BIOS32 rev. 0 @ 0xfb330
apm0 at bios0: Power Management spec V1.2
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845 Host" rev 0x04
ppb0 at pci0 dev 1 function 0 "Intel 82845 AGP" rev 0x04
pci1 at ppb0 bus 1
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x05
pci2 at ppb1 bus 2
fxp0 at pci2 dev 6 function 0 "Intel 82557" rev 0x08, i82559: irq 12, address 00:30:48:52:c9:fc

inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 "Intel 82557" rev 0x08, i82559: irq 12, address 00:30:48:52:c9:fd

inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
vga1 at pci2 dev 8 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x05: failed to map I/O space
pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x05: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 58644MB, 120103200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
"Intel 82801BA SMBus" rev 0x05 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ede5 netmask fde5 ttymask ffe7
rd0: fixed, 3800 blocks
dkcsum: wd0 matches BIOS drive 0x80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02

I've created my own boot floppy because with the default OpenBSD 3.8 
boot floppy I get the same error. I've played (enabled/disabled) with the 
following kernel options without luck:


option PCIBIOS_INTR_FIXUP_FORCE
option PCI_INTR_FIXUP (as for the netbsd kernel)
option USER_PCICONF     # user-space PCI configuration
option BOOT_CONFIG      # boot-time kernel config
pcibios0 at bios0 flags 0x0008 (set to 0x0004, 0x0008, 0x0030)
acpi0 at mainbus?
#acpitimer* at acpi?
#hpet* at acpi?
option ACPIVERBOSE
option ACPI_ENABLE

Does anyone have any idea how I can assign an IRQ other than 12 to fxp? In 
my opinion this is the problem  :( 


Thanks and best regards,
Sven
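The question above comes down to interrupt assignment, so here is an added example (mine, not Sven's kernel config or any OpenBSD code) that pulls the `irq N` assignments out of a dmesg and lists which devices end up on the same line. The embedded SAMPLE_DMESG is an excerpt copied from the dmesg above, deliberately kept with the line wrapping the mail gave it, so the script also has to re-join wrapped lines before it parses them. It knows nothing about the hardware and makes no judgement about whether sharing is a problem; it only reports what the kernel printed.

```python
"""List the interrupt lines an OpenBSD dmesg(8) reports and which devices share them."""
import re
from collections import defaultdict
from typing import Dict, List

# Excerpt copied from the dmesg in the post above (constructed sample input,
# kept with the line wrapping it had in the mail).
SAMPLE_DMESG = """
pcibios0: PCI Exclusive IRQs: 5 10 11 12
fxp0 at pci2 dev 6 function 0 "Intel 82557" rev 0x08, i82559: irq 12,
address 00:30:48:52:c9:fc
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 "Intel 82557" rev 0x08, i82559: irq 12,
address 00:30:48:52:c9:fd
vga1 at pci2 dev 8 function 0 "ATI Rage XL" rev 0x27
"Intel 82801BA SMBus" rev 0x05 at pci0 dev 31 function 3 not configured
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
"""

DEV_RE = re.compile(r"^([a-z]+\d+)\b")    # driver instance at line start, e.g. fxp0
IRQ_RE = re.compile(r"\birq (\d+)\b")     # lower-case "irq N" only; "PCI Exclusive IRQs:" is not an assignment
SLOT_RE = re.compile(r"for (\w+ slot)")   # pckbc0: using irq N for kbd/aux slot


def logical_lines(dmesg: str) -> List[str]:
    """Re-join lines a mail client wrapped: a physical line that does not begin
    with a driver instance or a quoted vendor string continues the previous one."""
    out: List[str] = []
    for raw in dmesg.strip().splitlines():
        line = raw.rstrip()
        if out and not (DEV_RE.match(line) or line.startswith('"')):
            out[-1] += " " + line.lstrip()
        else:
            out.append(line)
    return out


def irq_map(dmesg: str) -> Dict[int, List[str]]:
    """IRQ number -> devices reported on it, in dmesg order, without duplicates."""
    table: Dict[int, List[str]] = defaultdict(list)
    for line in logical_lines(dmesg):
        dev = DEV_RE.match(line)
        if not dev:
            continue  # unconfigured devices are listed by vendor string only
        name = dev.group(1)
        slot = SLOT_RE.search(line)
        if slot:  # pckbc0 reports one IRQ per slot; keep the two apart
            name = f"{name} ({slot.group(1)})"
        for irq in IRQ_RE.findall(line):
            if name not in table[int(irq)]:
                table[int(irq)].append(name)
    return dict(table)


def shared_irqs(dmesg: str) -> Dict[int, List[str]]:
    """Only the lines that more than one device sits on."""
    return {irq: devs for irq, devs in irq_map(dmesg).items() if len(devs) > 1}


if __name__ == "__main__":
    for irq, devs in sorted(irq_map(SAMPLE_DMESG).items()):
        flag = "  <-- shared" if len(devs) > 1 else ""
        print(f"irq {irq:2d}: {', '.join(devs)}{flag}")
```

On the excerpt above this reports irq 12 as shared by fxp0 and fxp1 and every other line as single-occupant; the pcibios "PCI Exclusive IRQs" list is matched case-sensitively so it is not mistaken for an assignment. Feed it a whole dmesg (for instance by reading it from standard input instead of the constant) before drawing conclusions, since IRQ lines for ISA devices and for the pckbc slots appear much later in the output than the PCI ones.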



rexx on openbsd

2006-01-19 Thread Stephen Nelson
I have some rexx scripts that I would like to run on OpenBSD.

Does anyone have any experience with running rexx on openbsd? I have 
tried brexx, regina, and oorexx so far.
Regina and oorexx fail to compile, and brexx doesn't seem to be feature 
complete (it doesn't seem to be able to propagate variables between 
functions properly).

I haven't been able to find anything about rexx in openbsd except a perl 
wrapper in an obscure OS/2 directory in the openbsd source.

Thanks,

Stephen



Re: Generating ICMP Redirects

2006-01-19 Thread Steven S
...
> I know this is not the answer to your question and I'd like
> to hear how
> you wind up getting the OpenBSD box to send the redirects you are
> looking for, but relying on redirects to do your routing for anything
> length of time is asking for trouble IMHO.  You might just be better
> off, temporarily, putting the PIX behind the OpenBSD box if
> possible or,
> if the servers are few, modifying their local route tables
> until the new
> VPN solution is in place.

We did in fact add static routes to the servers for now (yuck.)  I did some
more testing on my home fw and it seems that carp interfaces don't like
generating ICMP redirects (for me anyhow.)  Here is my test,

My WS (XP)           - 192.168.83.51
My FW (OBSD 3.8)     - 192.168.83.1
My server (OBSD 3.8) - 192.168.83.47

My WS normally has a default gw of the FW.  My rules to/from the inside LAN
to the FW are loose,
  #
  pass  in    quick on $int_if from any to any
  pass  out   quick on $int_if from any to any
  #

So I create a route:
  [EMAIL PROTECTED] sudo route add -net 192.168.80 192.168.83.47
  add net 192.168.80: gateway 192.168.83.47

And I pinged 192.168.80.2 from my WS,  the FW did the "right thing"
   [EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
   tcpdump: listening on fxp1, link-type EN10MB
   20:54:17.738121 0:11:43:39:e1:59 0:d0:b7:23:c0:e7 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
   20:54:17.738340 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
   20:54:17.738434 0:d0:b7:23:c0:e7 0:11:43:39:e1:59 0800 70: 192.168.83.1 > 192.168.83.51: icmp: redirect 192.168.80.1 to host 192.168.83.47

Next I created a carp interface on the inside and created a route on my
workstation:
  [EMAIL PROTECTED] sudo ifconfig carp1 create
  [EMAIL PROTECTED] sudo ifconfig carp1 vhid 1 advskew 100 pass internal 192.168.83.2 netmask 255.255.255.0

  [EMAIL PROTECTED] route add 192.168.80.0 mask 255.255.255.0 192.168.83.2

And tried the ping again,
  [EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
  21:04:52.711456 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
  21:04:52.711577 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
  21:04:58.043062 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
  21:04:58.043217 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request

Odd, since PF allows traffic on fxp1, not carp1.  So let's add carp1 to
pf...
  [EMAIL PROTECTED] sudo grep carp /etc/pf.conf
  pass  in    quick on carp1 from any to any
  pass  out   quick on carp1 from any to any

And once again the FW happily routes the packet instead of sending an ICMP
redirect.
  [EMAIL PROTECTED] sudo tcpdump -nei fxp1 net 192.168.80 or icmp
  tcpdump: listening on fxp1, link-type EN10MB
  21:21:21.026831 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
  21:21:21.026954 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request

I disabled pf and have the same results.  I've hit my knowledge limit so
delving into the source would be fruitless and annoying to the rest of you.
Should I create a bug report?

-Steve S.

P.S.  I'm not sure why the other box sent "host unreachables"; if I find
out more I'll update the archive.
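As an added example (not part of Steve's post and not OpenBSD code), here is the forwarding-versus-redirect check he did by eye, written in Python over the same `tcpdump -nei fxp1` output. A packet that arrives on the LAN interface addressed to the router's MAC and leaves again from the router's MAC on that same interface is a hairpin, the case in which RFC 1812 (section 5.2.7.2) says the router should send the original sender a redirect. The MAC and IP constants are taken from the captures above (the CARP virtual MAC 00:00:5e:00:01:01 for vhid 1 appears as `0:0:5e:0:1:1` in tcpdump's short form, and the carp1 address 192.168.83.2 is included as a possible redirect source); the capture strings are the post's own lines, unwrapped, used as constructed sample input.

```python
"""Audit a `tcpdump -nei <if>` capture from a router's LAN interface: find packets
the router hairpinned (received and forwarded on the same interface) and check
whether an ICMP redirect to the original sender followed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# tcpdump -e line shape used in the post:
#   HH:MM:SS.usec srcMAC dstMAC 0800 len: srcIP > dstIP: icmp: <message>
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) "
    r"0800 \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<msg>.*)$"
)
REDIRECT_RE = re.compile(r"^redirect (?P<target>[\d.]+) to host (?P<gw>[\d.]+)$")

# From the post: the firewall's fxp1 MAC and address, plus its carp1 virtual
# MAC (vhid 1) and carp1 address. Assumed to be the only router-owned ones.
ROUTER_MACS = {"0:d0:b7:23:c0:e7", "0:0:5e:0:1:1"}
ROUTER_IPS = {"192.168.83.1", "192.168.83.2"}

# Capture lines copied from the post, unwrapped (constructed sample input).
CAPTURE_VIA_FXP1 = """
20:54:17.738121 0:11:43:39:e1:59 0:d0:b7:23:c0:e7 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738340 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.1: icmp: echo request
20:54:17.738434 0:d0:b7:23:c0:e7 0:11:43:39:e1:59 0800 70: 192.168.83.1 > 192.168.83.51: icmp: redirect 192.168.80.1 to host 192.168.83.47
"""
CAPTURE_VIA_CARP1 = """
tcpdump: listening on fxp1, link-type EN10MB
21:04:52.711456 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:52.711577 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043062 0:11:43:39:e1:59 0:0:5e:0:1:1 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
21:04:58.043217 0:d0:b7:23:c0:e7 0:90:27:42:d4:cc 0800 74: 192.168.83.51 > 192.168.80.2: icmp: echo request
"""


@dataclass
class Frame:
    ts: float
    smac: str
    dmac: str
    src: str
    dst: str
    msg: str


def _seconds(hms: str) -> float:
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> List[Frame]:
    """Keep only IPv4 ICMP frames; the tcpdump banner and anything else is skipped."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(_seconds(m["ts"]), m["smac"], m["dmac"],
                                m["src"], m["dst"], m["msg"]))
    return frames


def _redirect_for(frame: Frame, ingress: Frame, router_ips: Set[str]) -> Optional[str]:
    """New gateway if `frame` is a redirect from the router answering `ingress`."""
    if frame.src not in router_ips or frame.dst != ingress.src:
        return None
    m = REDIRECT_RE.match(frame.msg)
    return m["gw"] if m and m["target"] == ingress.dst else None


def audit_redirects(text: str, router_macs: Set[str], router_ips: Set[str],
                    window: float = 1.0) -> List[Dict]:
    """One finding per hairpinned packet: was the sender redirected within `window` s?"""
    frames = parse_capture(text)
    findings = []
    for i, ingress in enumerate(frames):
        # Ingress: a host hands the router (physical or CARP MAC) a packet that
        # is not addressed to the router itself.
        if ingress.dmac not in router_macs or ingress.dst in router_ips:
            continue
        later = [f for f in frames[i + 1:] if f.ts - ingress.ts <= window]
        # Hairpin: the same src/dst packet leaves from the router's MAC on this
        # same interface, so RFC 1812 5.2.7.2 expects a redirect to the sender.
        if not any(f.smac in router_macs and f.dmac not in router_macs
                   and (f.src, f.dst) == (ingress.src, ingress.dst) for f in later):
            continue
        gw = None
        for f in later:
            gw = _redirect_for(f, ingress, router_ips)
            if gw:
                break
        findings.append({"src": ingress.src, "dst": ingress.dst,
                         "ingress_mac": ingress.dmac,
                         "redirected": gw is not None, "new_gw": gw})
    return findings


if __name__ == "__main__":
    for name, cap in (("fxp1 gateway", CAPTURE_VIA_FXP1), ("carp1 gateway", CAPTURE_VIA_CARP1)):
        for f in audit_redirects(cap, ROUTER_MACS, ROUTER_IPS):
            print(f"{name}: {f['src']} -> {f['dst']} via {f['ingress_mac']}: "
                  f"redirected={f['redirected']} new_gw={f['new_gw']}")
```

Run on the two captures it reports one hairpin with a redirect to 192.168.83.47 when the workstation used the fxp1 address as gateway, and two hairpins with no redirect at all when it used the carp1 address, which is exactly the difference Steve observed. Two caveats for anyone using this beyond the post: on OpenBSD the sysctls net.inet.ip.redirect (whether the router sends redirects) and net.inet.icmp.rediraccept (whether a host honours them) govern the two sides, so check both before blaming carp; and because any host on the LAN can forge a redirect and make itself the next hop, a network that depends on redirects for correctness is also one that is easy to man-in-the-middle, which is one more reason to prefer the static routes Daniel suggested.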



Re: ffs panic on i386 3.8/stable

2006-01-19 Thread Ted Unangst
On 1/19/06, Tamas TEVESZ <[EMAIL PROTECTED]> wrote:
> barghest:/etc/ppp# chmod 06panic: ffs_read: type 0

can you perform some mem / hw testing?  this smells like disk corruption.

> as a strange addition, it seems that the board can pretty
> reliably be panicked with the following:
>
>
> barghest:~# sysctl ddb.console=1
> ddb.console: 0 -> 1 # then send a break
> barghest:~# Stopped at  Debugger+0x4:   leave
> ddb> boot
> synccrash   dumphaltreboot  poweroff
> ddb> boot sync
> syncing disks... panic: tsleep
> it seems always to give this same response to the same sequence of
> actions.
>
> granted, i'm not very frequent at intentionally dropping boxes to ddb
> then trying to screw them, but it isn't really supposed to work that
> way, is it?

the problem is, once you're in ddb, interrupts and the scheduler are
forcibly stopped, and sometimes they don't like coming back to life. 
spend less time in ddb, you'll be happier. :)



Re: windows -> pf -> inet -> pf -> ftpd [not working]

2006-01-19 Thread Clint M. Sand
To even begin to get help on this, you'd need to submit the pf rules on
those obsd boxen. 


On Thu, Jan 19, 2006 at 05:36:02PM -0500, Price, Joe wrote:
> I have a problem that when a Windows client tries to connect to this ftp
> site, windows explorer returns 'The operation timed out'.
> 
> The setup is, windows box behind an openbsd PF (NAT enabled) through the
> public internet to another openbsd PF (NAT enabled) which has a rdr rule
> to redirect to another openbsd machine behind it running ftpd.
> 
> I'm assuming the problem exists on one of the firewalls, or both.. Is
> this something that ftp-proxy can fix?
> 
> I know the ftp works because I can connect to it from the far end's
> openbsd box, just seems that I can't go through two NATs of PFs or
> something like that.
> 
> Any help is appreciated.
> 
> Thanks!



ffs panic on i386 3.8/stable

2006-01-19 Thread Tamas TEVESZ
hello,

i was setting up my wrap.1e board when the following happened. this is 
not the first actual installation of 3.8 on this very hardware, but i 
never got around to actually start configuring the box (i was playing 
with the etherboot upgrade mentioned earlier).

everything is via wrap's serial console, 57600 8n1; -stable sans 
today's pf_norm fix.

barghest:/etc/ppp# uudecode
[demime removed a uuencoded section named ppp.conf which was 2 lines]
barghest:/etc/ppp# ls -l ppp.
ls: ppp.: No such file or directory
barghest:/etc/ppp# ls -l ppp.conf
-rw-r--r--  1 root  wheel  660 Jan 14 03:30 ppp.conf
barghest:/etc/ppp# chmod 06panic: ffs_read: type 0
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(0,4003,0,400,d3b712a4) at Debugger+0x4
panic(d0509aed,d0509ae4,0,,0) at panic+0x63
ffs_read(dab0fe18,cfc0,dab0fe40,d0242974,d0580540) at ffs_read+0x36d
VOP_READ(d3b712a4,dab0fe98,0,d3bf3230,d01021e1) at VOP_READ+0x34
vn_read(d3bdadb0,d3bdadcc,dab0fe98,d3bf3230) at vn_read+0x72
dofileread(d3ba9a44,5,d3bdadb0,87979000,400) at dofileread+0x6c
sys_read(d3ba9a44,dab0ff68,dab0ff58,1000,8bb) at sys_read+0x47
syscall() at syscall+0x2ee
--- syscall (number 3) ---
0x9bb6581:
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
*16387   4580    260      0  7      0x4004             perl
  5086    260    260      0  3      0x4084  piperd     mail
    10    260    260      0  3      0x4084  piperd     tee
  4580    260    260      0  3      0x4084  pause      sh
   260  25521    260      0  3      0x4084  pause      sh
 25521   4174   4174      0  3        0x84  piperd     cron
 22204      1  22204      0  3      0x4086  ttyin      ksh
  4174      1   4174      0  3        0x84  select     cron
 12542      1  12542      0  3     0x40184  select     sendmail
 24235      1  24235      0  3        0x84  select     sshd
  2516      1   2516      0  3       0x184  select     inetd
   317   2344   2344     83  3       0x184  poll       ntpd
  2344      1   2344      0  3        0x84  poll       ntpd
  5611  20614  20614     73  3       0x184  poll       syslogd
 20614      1  20614      0  3        0x84  netio      syslogd
 11063      1  11063     77  3       0x184  poll       dhclient
 18491      1   7301      0  3        0x86  poll       dhclient
     9      0      0      0  3    0x100204  crypto_wa  crypto
     8      0      0      0  3    0x100204  aiodoned   aiodoned
     7      0      0      0  3    0x100204  syncer     update
     6      0      0      0  3    0x100204  cleaner    cleaner
     5      0      0      0  3    0x100204  reaper     reaper
     4      0      0      0  3    0x100204  pgdaemon   pagedaemon
     3      0      0      0  3    0x100204  pftm       pfpurge
     2      0      0      0  3    0x100204  kmalloc    kmthread
     1      0      1      0  3      0x4084  wait       init
     0     -1      0      0  3     0x80204  scheduler  swapper
ddb> show panic
ffs_read: type 0
ddb> boot reboot
panic: mtx_enter: locking against myself
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(16e2f4,dab0eea0,d04462e4,d0957e68,d057f960) at Debugger+0x4
panic(d01021a3,dab0eeb0,d021a21c,d057f990,d0587d70) at panic+0x63
mtx_enter(d057f990,d0587d70,dab0eec0,d01e98a6,1) at mtx_enter+0x5b
timeout_del(d0957e68,0,dab0eef0,d01e99f5,dab0eee4) at timeout_del+0x14
sis_stop(d0957c00,dab0ef74,dab0ef20,d01e9b05) at sis_stop+0x3a
dohooks(d057f960,1,dab0ef50,d01e9ba1) at dohooks+0x5e
boot(4804,b0,dab0ef70,0,0) at boot+0x55
db_boot_poweroff_cmd(d0337fd0,0,,dab0ef78,d057dd80) at 
db_boot_poweroff_cmd
db_command(d057dd80,d057dba0,dab0f080,d01e8b41,b0) at db_command+0xff
db_command_loop(0,dab0f118,dab0f0c0,d0337e1f,1) at db_command_loop+0x8a
db_trap(1,0,0,0,0) at db_trap+0x86
kdb_trap(1,0,dab0f118,d057fac4) at kdb_trap+0xab
trap() at trap+0xa9
--- trap (number 1) ---
Debugger(16e2f4,dab0f194,dab0f230,d0957a68,d057f960) at Debugger+0x4
panic(d01021a3,dab0f1a4,d021a21c,d057f990,) at panic+0x63
mtx_enter(d057f990,,dab0f1b4,d01e98a6,1) at mtx_enter+0x5b
timeout_del(d0957a68,0,dab0f1e4,d01e99f5,dab0f1d8) at timeout_del+0x14
sis_stop(d0957800,dab0f268,dab0f214,d01e9b05) at sis_stop+0x3a
dohooks(d057f960,1,dab0f244,d01e9ba1) at dohooks+0x5e
boot(4804,d04f0caf,dab0f264,0,0) at boot+0x55
db_boot_poweroff_cmd(d0337fd0,0,,dab0f26c,d057dd80) at 
db_boot_poweroff_cmd
db_command(d057dd80,d057dba0,dab0f374,d01e8b41,b0) at db_command+0xff
db_command_loop(0,dab0f40c,dab0f3b4,d0337e1f,1) at db_command_loop+0x8a
db_trap(1,0,0,0,0) at db_trap+0x86
kdb_trap(1,0,dab0f40c,d057fac4) at kdb_trap+0xab
trap() at trap+0xa9
--- trap (number 1) ---
Debugger(16e2f4,dab0f488,d04462e4,d0957668,d057f960) at De

Re: time warp in -current

2006-01-19 Thread Ted Unangst
On 1/19/06, Wolfgang S. Rupprecht
> Turns out this was caused by the most recent changes to kern_clock.c
> and kern_time.c.  Compiling with these previous versions gave me a
> functional system clock again.

grr



Re: Generating ICMP Redirects

2006-01-19 Thread Melameth, Daniel D.
Steven S wrote:
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and
> default gw (10.10.0.1/16) for a LAN .  VPN users (10.4.0.0/16) come
> into the LAN from a PIX (10.10.0.254/16) (changing soon to OpenVPN),
> and when the VPN users hit a server return packets are sent to the
> default gw.  I was expecting the OpenBSD server to generate an ICMP
> redirect and all would be well.  Unfortunately that is not happening.
> Instead the firewall is sending a host unreachable (yet the fw can
> ping the VPN host). 
> 
> Any pointers would be appreciated.

I know this is not the answer to your question and I'd like to hear how
you wind up getting the OpenBSD box to send the redirects you are
looking for, but relying on redirects to do your routing for anything
length of time is asking for trouble IMHO.  You might just be better
off, temporarily, putting the PIX behind the OpenBSD box if possible or,
if the servers are few, modifying their local route tables until the new
VPN solution is in place.



Re: time warp in -current

2006-01-19 Thread Wolfgang S. Rupprecht
I wrote:
> A GENERIC amd64 kernel compiled from today's sources is causing my
> Asus k8v-se-d to run fast by approximately 3 seconds per minute.
> (Obviously that was with ntpd not running.)  This has never been a
> problem before.  Is anyone else seeing this?

Turns out this was caused by the most recent changes to kern_clock.c
and kern_time.c.  Compiling with these previous versions gave me a
functional system clock again.

/*  $OpenBSD: kern_clock.c,v 1.56 2006/01/03 18:22:31 miod Exp $*/

/*  $OpenBSD: kern_time.c,v 1.52 2005/11/28 00:14:29 jsg Exp $  */

I think I see how this slipped by testing.  The problem only exhibited
itself after I ran mills/udel ntpd briefly.  This appeared to set a
persistent and exceedingly large slew rate that never timed out.  Ntpd
can't clear it and stopping ntpd only freezes the slew at the last
value.

The udel ntpd also couldn't control the system clock too well when it
was running.  It would lose control of the system within minutes as
the slew rate passed some magic rate (500ppm???).  As the time offset
got larger ntpd decided that all the reference clocks were "insane"
and didn't even try to sync to them any more.

My last tests showed a case with 1.5 second slew over a 10 second
span.  The following test showed the constant 1.5 sec/10 sec slew over
the course of several hours.

   while : ; do ntpdate -d ntp.sonic.net ; sleep 10 ; done

Hope this helps.

-wolfgang



connection to 3.8 box times out

2006-01-19 Thread Igor Vilensky
Greetings,

This is my first post. Apologies if not everything is pro forma.

I hope someone might help me with this issue.
SSH sessions to, and pings of, a 3.8 GENERIC box running on a Compaq Deskpro SB time out
after 800 to 2400 when the box is not actively in use.
You get a 'No route to host' message in ping, or the ssh session freezes.
The box is connected to a 4-port Belkin KVM switch for video and keyboard;
a regular PS/2 mouse is plugged in.
Re-plugging the mouse wakes up the session/ping and it works for a little
while.  Pressing buttons on the mouse makes no difference.
Unplugging the keyboard makes no difference, but connecting to video and
keyboard on the KVM and hitting a key on the keyboard
does wake up OpenBSD so that it responds again.

Many Thanks!!

dmesg:

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 300 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 268017664 (261736K)
avail mem = 237674496 (232104K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c9) BIOS, date 12/09/98, BIOS32 rev. 0 @ 0xec700
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
apm0: flags 130102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7170/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x800 0xe0000/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443LX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443LX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Mach64 GZ" rev 0x3a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 11, address 00:04:75:fa:30:d0
exphy0 at xl0 phy 24: 3Com internal media interface
pcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 32-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x02 at pci0 dev 20 function 3 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
"ESS ES1869 Plug and Play AudioD, ESS0006, , " at isapnp0 port 0x800/8 not configured
ess0 at isapnp0 "ESS ES1869 Plug and Play AudioD, ESS1869, , " port 0x220/16,0x388/4,0x330/2 irq 5 drq 1,0: ESS Technology ES1869 [version 0x688b]
ess0: audio1 interrupting at irq 5
audio0 at ess0
opl0 at ess0: model OPL3
midi1 at opl0: 
biomask ef4d netmask ef4d ttymask ffcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: OpenBSD for Sun Cobalt Qube3

2006-01-19 Thread Daniel Ouellet

Wolfgang Kess wrote:

Hi,

can you give me some advice how to install OpenBSD 
on a Sun Cobalt Qube 3, please?


The Qube comes without cdrom or fd and no display

I read about the PXE installation 
http://www.openbsd.org/faq/faq6.html#PXE 



What kind of installation method do you recommend?


Regards
Wolfgang

The Qube's outdated Linux dmesg:


I don't think it would work at all, as the Cobalt always had its own 
hardware handling stuff. Plus, to load it, you need a restore CD.


If you really want to play with this and see if it can even load, even 
if I think it would not, you can start by making your restore CD based 
on the instructions here:


http://netbsd.org/Ports/cobalt/restorecd-howto.html

I did work with Denis and Alex to test it on the Cobalt RaQ 2. So, 
that's only a start, but you are really on your own.


The thing is that for the Cobalt, after it is loaded, you rlogin into the 
box to finish the configuration, but that's because the kernel is designed 
that way for that box. In this case it wouldn't work. Assuming you can 
ever get the box to netboot and that it would actually detect the 
hardware properly, then you would need to build a configuration that 
would put the box in a working state for you to then access it. Usually 
you can do this via the console, but again, I don't think it would work 
out of the box on the console, but the only way to know is to try it.


I loaded NetBSD on plenty of Cobalt RaQ2 boxes:

http://openbsdsupport.org/netbsd/

But that's not going to do much for you here. The Cobalt RaQ 2 is 
MIPS based and the RaQ 3 is i386 based.


Good luck however. Would be nice to have it working, but I don't know.



Re: OpenBSD for Sun Cobalt Qube3

2006-01-19 Thread Matthew S Elmore

Greetings,

I'm not sure about this specific model but...

the Cobalt stuff, in most cases, has a very unusual boot loader (a Linux 
kernel that can only boot certain types of binaries IIRC) that would 
make it impossible to boot a BSD kernel.


I do recall seeing where someone was able to boot FreeBSD on a RaQ3 but 
that was a while back.


Wolfgang Kess wrote:

Hi,

can you give me some advice how to install OpenBSD 
on a Sun Cobalt Qube 3, please?


The Qube comes without cdrom or fd and no display

I read about the PXE installation 
http://www.openbsd.org/faq/faq6.html#PXE 



What kind of installation method do you recommend?


Regards
Wolfgang

The Qube's outdated Linux dmesg:


[root /root]# dmesg
Linux version 2.2.16C37_III ([EMAIL PROTECTED]) (gcc version egcs-2.91.6
  6 
19990314/Linux (egcs-1.1.2 release)) #1 Sat Apr 12 14:54:32 PDT 2003
Ignoring bogus EBDA pointer 5D8000
Detected 448219 kHz processor.
Pending 0x00
Calibrating delay loop... 894.57 BogoMIPS
Memory: 257488k/262144k available (1252k kernel code, 412k reserved, 2928k 
data,   
64k init)
Dentry hash table entries: 32768 (order 6, 256k)
Buffer cache hash table entries: 262144 (order 8, 1024k)
Page cache hash table entries: 65536 (order 6, 256k)
VFS: Diskquotas version dquot_6.4.0 initialized
CPU: L1 I Cache: 32K  L1 D Cache: 32K
CPU: L2 Cache: 128K
CPU: AMD AMD-K6(tm)-III Processor stepping 04
Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
PCI: Using configuration type 1
PCI: Probing PCI hardware
Linux NET4.0 for Linux 2.2
Based upon Swansea University Computer Society NET3.039
NET4: Unix domain sockets 1.0 for Linux NET4.0.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
TCP: Hash tables configured (ehash 262144 bhash 65536)
Initializing RT netlink socket
Starting kswapd v 1.6
Cobalt watchdog v1.4 enabled
Cobalt I2C bus initialized
Cobalt temperature sensor v1.4 enabled
Serial driver version 4.27 with no serial options enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
pty: 256 Unix98 ptys configured
Real Time Clock Driver v1.09
lcd: Cobalt LCD Driver v3.12
keyboard: Timeout - AT keyboard not present?
keyboard: Timeout - AT keyboard not present?
serialnumber: Version 1.9 initialized. Serial number=4907d6b2a901.
Copyright (c)1994-2000 Axent Technologies, Inc.
Uniform Multi-Platform E-IDE driver Revision: 6.30
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ALI15X3: IDE controller on PCI bus 00 dev 78
ALI15X3: chipset revision 193
ALI15X3: 100% native mode on irq 14
ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:DMA
ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:DMA, hdd:DMA
hda: ST340810A, SN=5FB2VCEZ, FWREV=3.39, ATA DISK drive
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: ST340810A, 38166MB w/2048kB Cache, CHS=77545/16/63, UDMA(33)
md driver 0.90.0 MAX_MD_DEVS=256, MAX_REAL=12
translucent personality registered
linear personality registered
raid0 personality registered
raid1 personality registered
raid5 personality registered
raid5: measuring checksumming speed
raid5: MMX detected, trying high-speed MMX checksum routines
   pII_mmx   :   872.490 MB/sec
   p5_mmx:   882.777 MB/sec
   8regs :   429.387 MB/sec
   32regs:   281.940 MB/sec
using fastest function: p5_mmx (882.777 MB/sec)
sym53c8xx: at PCI bus 0, device 14, function 0
sym53c8xx: 53c875 detected
sym53c875-0: rev 0x4 on pci bus 0 device 14 function 0 irq 12
sym53c875-0: ID 7, Fast-20, Parity Checking
scsi0 : sym53c8xx-1.7.3a-20010304
scsi : 1 host.
scsi : detected total.
md.c: sizeof(mdp_super_t) = 4096
Partition check:
 hda: hda1 hda2 < hda5 hda6 > hda3 hda4
autodetecting RAID arrays
autorun ...
... autorun DONE.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
Warning: unable to open an initial console.
Adding Swap: 131532k swap-space (priority -1)
dp83815.c:v1.30 National Semiconductor DP83815 PCI Ethernet Driver
eth0: National Semiconductor MacPhyter (dp83815)
eth0:   bus=0 func=128 io=0x6200 irq=11 ver=4.3
eth0:   ethernet addr=00:10:e0:05:41:b9
eth1: National Semiconductor MacPhyter (dp83815)
eth1:   bus=0 func=144 io=0x6300 irq=10 ver=4.3
eth1:   ethernet addr=00:10:e0:05:41:b8
eth0: speed=100 duplex=full link=up
NET4: AppleTalk 0.18 for Linux NET4.0
klips_debug:pfkey_x_debug_process: debugging not enabled
CSLIP: code copyright 1989 Regents of the University of California
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-ohci.c: USB OHCI at membase 0xd085e000, IRQ 6
usb.c: new USB bus registered, assigned bus number 1
usb.c: USB new device connect, assigned device number 1

Re: Network performance on WRAP boards

2006-01-19 Thread Chris Cappuccio
at the smallest packet sizes, that sounds about right, if not slightly
low

Carlos Valiente [EMAIL PROTECTED] wrote:
> Hi! I have a couple of WRAP.1E boards running OpenBSD 3.8. Using iperf
> I can only get about 4 to 5 Mbit/s between them.
> 
> Is that figure reasonable for that kind of systems?
> 
> Cheers,
> 
> Carlos

-- 
"Don Rumsfeld has been chewing on my ankles." -- Dick Cheney



Re: OpenBSD for Sun Cobalt Qube3

2006-01-19 Thread Joachim Schipper
On Thu, Jan 19, 2006 at 11:03:33PM +0100, Wolfgang Kess wrote:
> Hi,
> 
> can you give me some advice how to install OpenBSD 
> on a Sun Cobalt Qube 3, please?
> 
> The Cube comes without cdrom or fd and no display
> 
> I read about the PXE installation 
> http://www.openbsd.org/faq/faq6.html#PXE 
> 
> 
> What kind of installation method do you recommend?

I'm going to go out on a limb and assume the box supports netbooting,
which your post suggests.

I've never actually used that procedure before - by virtue of lack of
suitable hardware in any quantity worth the bother (the quantity is
currently 1) - but it's supposed to be very easy, especially when
dealing with many systems.

The other options involve either hooking some sort of bootable device up
to the box, or preinstalling OpenBSD on the hard disk (you know, take it
out, put it in a machine that is already running OpenBSD, copy, return
it to the original, all the while hoping it still works...)

If there's already an OS on there, convincing it to either boot bsd.rd
or load entirely in RAM (so that you can do the local equivalent of nc
-l 23434 > /dev/hd0c) might be easier.

Joachim



windows -> pf -> inet -> pf -> ftpd [not working]

2006-01-19 Thread Price, Joe
I have a problem that when a Windows client tries to connect to this ftp
site, windows explorer returns 'The operation timed out'.

The setup is, windows box behind an openbsd PF (NAT enabled) through the
public internet to another openbsd PF (NAT enabled) which has a rdr rule
to redirect to another openbsd machine behind it running ftpd.

I'm assuming the problem exists on one of the firewalls, or both.. Is
this something that ftp-proxy can fix?

I know the ftp works because I can connect to it from the far end's
openbsd box, just seems that I can't go through two NATs of PFs or
something like that.

Any help is appreciated.

Thanks!



OpenBSD3.8 + smtp-vilter + spamassassin

2006-01-19 Thread Mike_OpenBSDlistalias
Hello,

Apologies if this is slightly OT, but I've been over this with the SA list
and they tell me SpamAssassin is working correctly.  Also, since smtp-vilter
is one of two milters in packages, I thought there must be people on this
list with experience with it (and I know the author posts here).

I have been running an OpenBSD (now at 3.8) Sendmail relay in my dmz for a
couple years now that forwards to an internal Exchange server.  It's nothing
fancy and I'm not really a sendmail or unix expert but it's been getting the
job done.

So the time has come for taking anti-spam measures.  To start I'd just like
to mark spam instead of block it (so no OpenBSD's spamd yet), and to that
end I've installed SpamAssassin 3.0.4 and smtp-vilter 1.1.9, both from
packages.  

It 'works' to a certain extent, in that smtp-vilter headers are added to all
messages.  The problem is, the scores assigned to spam messages are clearly
much too low, and the large majority of spam is not marked as such and much
of it is actually scored negatively.  

However, testing manually on a spam I received...

# spamassassin < testspam.txt
and
# spamc -R < testspam.txt

...the message scores a 14.3.  However, when I actually received this
message in my mailbox, it was scored -1.6.

So I am thinking that there is a problem somewhere between smtp-vilter and
spamassassin, but where?  Has anyone seen this behavior or have a
suggestion?  smtp-vilter and (spamassassin's) spamd are both running, are
writing to maillog, and appear to be 'working' as far as I can tell.

This is how smtp-vilter and spamassassin are called:

From my sendmail.mc:
INPUT_MAIL_FILTER(`smtp-vilter', `S=unix:/var/smtp-vilter/smtp-vilter.sock,
F=T, T=S:10m;R:10m;E:10m')dnl

From my /etc/rc.conf.local:
smtp_vilter=yes

From my /etc/rc.local:
# start smtp-vilter 

  if [ X"${smtp_vilter}" != X"NO" -a \
  -x /usr/local/sbin/smtp-vilter ]; then
  echo -n ' smtp-vilter'
  /usr/local/sbin/smtp-vilter -m -u _vilter -g _vilter
  fi

# Start Spamassassin daemon
/usr/local/bin/spamd -u _vilter -d -s mail -x && echo -e "spamd started..."

My entire /etc/smtp-vilter/smtp-vilter.conf: (comments removed)
user=_vilter
group=_vilter
chroot=/var/smtp-vilter
backend=spamd
config-file=spamd:/var/smtp-vilter/etc/spamd.conf
virus-strategy=notify-recipient
recipient-notification=/etc/smtp-vilter/recipient-notification
spam-strategy=mark
spam-subject-prefix="* SPAM *"
unwanted-strategy=mark
error-strategy=tempfail
port=unix:smtp-vilter.sock
tmpdir=/tmp
pidfile=/var/smtp-vilter/smtp-vilter.pid
log-facility=mail
logfile=/var/smtp-vilter/smtp-vilter.log
option=logspam
option=markall

My entire /var/smtp-vilter/etc/spamd.conf: (comments removed)
host=localhost
port=783
tries=3
timeout=600
maxsize=25
option=chroot-scanrealpath

I've read the man pages for smtp-vilter and smtp-vilter.conf, but I must be
doing something stupidly wrong.  Does anyone have any ideas or suggestions?
File permissions?  Something with the chrooting of smtp-vilter?

Thanks in advance for any and all help.

Mike Sassaman



OpenBSD for Sun Cobalt Qube3

2006-01-19 Thread Wolfgang Kess
Hi,

can you give me some advice on how to install OpenBSD 
on a Sun Cobalt Qube 3, please?

The Qube comes without cdrom or fd and no display

I read about the PXE installation 
http://www.openbsd.org/faq/faq6.html#PXE 


What kind of installation method do you recommend?


Regards
Wolfgang

The Qube's outdated Linux dmesg:


[root /root]# dmesg
Linux version 2.2.16C37_III ([EMAIL PROTECTED]) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #1 Sat Apr 12 14:54:32 PDT 2003
Ignoring bogus EBDA pointer 5D8000
Detected 448219 kHz processor.
Pending 0x00
Calibrating delay loop... 894.57 BogoMIPS
Memory: 257488k/262144k available (1252k kernel code, 412k reserved, 2928k data, 64k init)
Dentry hash table entries: 32768 (order 6, 256k)
Buffer cache hash table entries: 262144 (order 8, 1024k)
Page cache hash table entries: 65536 (order 6, 256k)
VFS: Diskquotas version dquot_6.4.0 initialized
CPU: L1 I Cache: 32K  L1 D Cache: 32K
CPU: L2 Cache: 128K
CPU: AMD AMD-K6(tm)-III Processor stepping 04
Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
PCI: Using configuration type 1
PCI: Probing PCI hardware
Linux NET4.0 for Linux 2.2
Based upon Swansea University Computer Society NET3.039
NET4: Unix domain sockets 1.0 for Linux NET4.0.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
TCP: Hash tables configured (ehash 262144 bhash 65536)
Initializing RT netlink socket
Starting kswapd v 1.6
Cobalt watchdog v1.4 enabled
Cobalt I2C bus initialized
Cobalt temperature sensor v1.4 enabled
Serial driver version 4.27 with no serial options enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
pty: 256 Unix98 ptys configured
Real Time Clock Driver v1.09
lcd: Cobalt LCD Driver v3.12
keyboard: Timeout - AT keyboard not present?
keyboard: Timeout - AT keyboard not present?
serialnumber: Version 1.9 initialized. Serial number=4907d6b2a901.
Copyright (c)1994-2000 Axent Technologies, Inc.
Uniform Multi-Platform E-IDE driver Revision: 6.30
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ALI15X3: IDE controller on PCI bus 00 dev 78
ALI15X3: chipset revision 193
ALI15X3: 100% native mode on irq 14
ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:DMA
ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:DMA, hdd:DMA
hda: ST340810A, SN=5FB2VCEZ, FWREV=3.39, ATA DISK drive
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: ST340810A, 38166MB w/2048kB Cache, CHS=77545/16/63, UDMA(33)
md driver 0.90.0 MAX_MD_DEVS=256, MAX_REAL=12
translucent personality registered
linear personality registered
raid0 personality registered
raid1 personality registered
raid5 personality registered
raid5: measuring checksumming speed
raid5: MMX detected, trying high-speed MMX checksum routines
   pII_mmx   :   872.490 MB/sec
   p5_mmx:   882.777 MB/sec
   8regs :   429.387 MB/sec
   32regs:   281.940 MB/sec
using fastest function: p5_mmx (882.777 MB/sec)
sym53c8xx: at PCI bus 0, device 14, function 0
sym53c8xx: 53c875 detected
sym53c875-0: rev 0x4 on pci bus 0 device 14 function 0 irq 12
sym53c875-0: ID 7, Fast-20, Parity Checking
scsi0 : sym53c8xx-1.7.3a-20010304
scsi : 1 host.
scsi : detected total.
md.c: sizeof(mdp_super_t) = 4096
Partition check:
 hda: hda1 hda2 < hda5 hda6 > hda3 hda4
autodetecting RAID arrays
autorun ...
... autorun DONE.
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
Warning: unable to open an initial console.
Adding Swap: 131532k swap-space (priority -1)
dp83815.c:v1.30 National Semiconductor DP83815 PCI Ethernet Driver
eth0: National Semiconductor MacPhyter (dp83815)
eth0:   bus=0 func=128 io=0x6200 irq=11 ver=4.3
eth0:   ethernet addr=00:10:e0:05:41:b9
eth1: National Semiconductor MacPhyter (dp83815)
eth1:   bus=0 func=144 io=0x6300 irq=10 ver=4.3
eth1:   ethernet addr=00:10:e0:05:41:b8
eth0: speed=100 duplex=full link=up
NET4: AppleTalk 0.18 for Linux NET4.0
klips_debug:pfkey_x_debug_process: debugging not enabled
CSLIP: code copyright 1989 Regents of the University of California
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-ohci.c: USB OHCI at membase 0xd085e000, IRQ 6
usb.c: new USB bus registered, assigned bus number 1
usb.c: USB new device connect, assigned device number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver usblp
PPP: version 2.3.7 (demand dialling)
PPP line discipline registered.
PPP MPPE compression module registered





Re: Need advice about VPN

2006-01-19 Thread Rod.. Whitworth
On Thu, 19 Jan 2006 11:28:31 +, Stuart Henderson wrote:

>On 2006/01/19 10:39, Simon Slaytor wrote:
>> Stuart Henderson wrote:
>> >On 2006/01/19 09:38, Simon Slaytor wrote:
>> >
>> >>When comparing the two vpn solutions for speed, subjectively the OpenVPN 
>> >>feels slightly faster
>> >
>> >If you're using compression on OpenVPN but not on IPSEC, that would
>> >probably explain the speed difference.
>>
>> Agreed, any idea on how the cyphers compare  i.e. 3DES v Blowfish  in 
>> regard to CPU overhead?
>
>'openssl speed' will show you on your system, but Blowfish (and AES,
>at least at some block sizes) are something like twice as fast when
>implemented in software on a standard CPU.
>
>> I was not trying to suggest that this was a like for like comparison. I 
>> was merely trying to get the point across that OpenVPN is a viable 
>> alternative.
>
>There are strengths and weaknesses for each, overhead is only one
>factor (and not such an important one in smaller setups over relatively
>low-speed lines). I use OpenVPN and IPSEC in different situations (and
>will probably start using ssh tun-forwarding for a few places I'd use
>OpenVPN now - though, I'll have to investigate how tcp-wrapped-in-tcp
>works, since it would be most useful for me over wireless networks
>which have a lot of packet loss).
>
>

If you read http://sites.inka.de/sites/bigred/devel/tcp-tcp.html maybe
you won't want TCP-over-TCP. At least, if the author is correct, you
will consider that it may be worse than TCP-over-UDP in lossy
environments.

FWIW

Disclaimer : I don't consider myself sufficiently expert to judge the
accuracy of the assertions made there. They simply sounded plausible
based on the little I know.

From the land "down under": Australia.
Do we look from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Generating ICMP Redirects

2006-01-19 Thread Steven S
Stuart Henderson wrote:
...
>> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
>> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
>> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
> 
> I suspect you will need to allow the packets through in order to get
> the redirects sent. Are you allowing the outbound from 10.10 to 10.4 to
> pass in another rule that you didn't include? If not, that's likely to
> be the problem. If you're not sure, make sure blocked packets are logged,
> then monitor pflog0.

There was nothing in pflog and here are my drop rules.  I have a 'pass out all
keep state' rule at the head of the ruleset (possible issue?).  I'll be
testing further to find out more later tonight.  After some further research
I see I'll also need an rdr for the ICMP to source them from the carp
interface as opposed to the real IP.

[EMAIL PROTECTED] pfctl -s rules | grep block
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! fxp2 inet from 10.10.0.0/16 to any
block drop in quick inet from 10.10.0.251 to any
block drop in quick on fxp2 inet6 from fe80::202:a5ff:fe60:5850 to any
block drop in log all
block drop in quick inet from any to 255.255.255.255
block drop in quick inet from any to 10.255.255.255
block drop in quick inet from any to 10.10.255.255
block drop in quick on fxp2 proto tcp from any to any port = epmap
block drop in quick on fxp2 proto udp from any to any port = epmap
block drop in quick on fxp2 proto tcp from any to any port = netbios-ns
block drop in quick on fxp2 proto udp from any to any port = netbios-ns
block drop in quick on fxp2 proto udp from any to any port = netbios-dgm
block drop in quick on fxp2 proto tcp from any to any port = netbios-ssn
block drop in quick on fxp2 proto tcp from any to any port = microsoft-ds
block drop in quick on fxp2 proto udp from any to any port = ssdp
block drop in quick on fxp2 proto udp from any to any port = 5000



Release Song License

2006-01-19 Thread Will H. Backman
Are the OpenBSD Release songs also BSD licenced?  The lyrics page 
doesn't specify.

I wanted to know if they are "podcast safe".



Re: portmap daemon

2006-01-19 Thread Theo de Raadt
> I have been playing around with openbsd portmap. I am confused about
> the fact that if a program is registered above port 1024 any local
> user may remove it, right?

Yes.

> Does it sound good from a security point of view?

It's not that great, but unfortunately there is no solution to this
problem.  It is a bad design.

I've spent a lot of time working on RPC, making it more secure.  There
are many other restrictions for safety in our RPC and portmap code,
but there is no real solution to this.



portmap daemon

2006-01-19 Thread Gustavo Rios
I have been playing around with openbsd portmap. I am confused about
the fact that if a program is registered above port 1024 any local
user may remove it, right?

Does it sound good from a security point of view?

PS: Sorry if I seem stupid, but it is really strange for me.



Re: Network problem

2006-01-19 Thread Jan Johansson
Sebastian Schucht <[EMAIL PROTECTED]> wrote:
> rl0: flags=8843 mtu 1500
> address: 00:40:f4:63:63:3d
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet XXX.100.40.69 netmask 0xff00 broadcast 141.100.40.255
> inet XXX.100.40.70 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.71 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.72 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.73 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.74 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.75 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.76 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.77 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.78 netmask 0xff00 broadcast XXX.100.40.255
> inet XXX.100.40.79 netmask 0xff00 broadcast XXX.100.40.255

I think the netmask is wrong here. For aliases on the same subnet
the second, third and so on should have a netmask of
255.255.255.255.
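As an added check illustrating the point in the reply above (this script is not part of the thread), the following POSIX sh reads ifconfig(8)-style output and flags every secondary address that sits in the primary address's subnet but does not carry a host netmask (0xffffffff). The interface listing is a constructed sample using documentation addresses (192.0.2.0/24 and 198.51.100.0/24), not the original poster's addresses.

```shell
#!/bin/sh
# Added example: detect aliases that share the primary address's subnet
# without a 255.255.255.255 (0xffffffff) netmask.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Read ifconfig output on stdin. The first "inet" line defines the subnet;
# every later "inet" line in that subnet must use a host mask. Prints one
# line per offending alias: "<address> <current mask> -> 0xffffffff".
check_alias_masks() {
    first_net=""
    while read -r kw addr nm mask rest; do
        [ "$kw" = "inet" ] && [ "$nm" = "netmask" ] || continue
        ip=$(ip2int "$addr")
        m=$(( $mask ))            # hex mask exactly as ifconfig prints it
        net=$(( ip & m ))
        if [ -z "$first_net" ]; then
            first_net=$net        # primary address: keep its real mask
            continue
        fi
        if [ "$net" -eq "$first_net" ] && [ "$m" -ne $(( 0xffffffff )) ]; then
            echo "$addr $mask -> 0xffffffff"
        fi
    done
}

# Constructed sample (documentation addresses); 192.0.2.70 is the mistake,
# 192.0.2.71 is already correct, 198.51.100.5 is a different subnet.
SAMPLE='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.69 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.70 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.71 netmask 0xffffffff broadcast 192.0.2.71
        inet 198.51.100.5 netmask 0xffffff00 broadcast 198.51.100.255'

printf '%s\n' "$SAMPLE" | check_alias_masks
```

For each reported address the fix on OpenBSD is to re-add it as an alias with a host mask, e.g. `ifconfig rl0 inet 192.0.2.70 netmask 255.255.255.255 alias` (see ifconfig(8)), and to put the same mask in the interface's hostname.if file so it survives a reboot.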



Network performance on WRAP boards

2006-01-19 Thread Carlos Valiente
Hi! I have a couple of WRAP.1E boards running OpenBSD 3.8. Using iperf
I can only get about 4 to 5 Mbit/s between them.

Is that figure reasonable for that kind of system?

Cheers,

Carlos



ath(4) and 802.11a/h with DFS and TPC

2006-01-19 Thread Holger Mauermann
Hi,

when using 802.11a devices in Europe it is mandatory that they support
Dynamic Frequency Selection DFS and Transmit Power Control TPC
(802.11h). Is this supported by the OpenBSD ath(4) driver? Or is it
automatically enabled by the hardware?

But how do I set the countrycode for ath wifi cards? As far as I know
NetBSD has something like 'sysctl -w hw.ath.countrycode=xxx', but I
haven't found anything like this for OpenBSD.

Thanks, Holger



Re: Generating ICMP Redirects

2006-01-19 Thread Stuart Henderson
On 2006/01/19 11:37, ober wrote:
> Isn't "Destination unreachable" icmp a reply to a closed udp port?

Not if it's coming from the firewall rather than the endpoint -
but 'block return' to a udp port does give 'destination unreachable'
icmp.



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Stuart Henderson
On 2006/01/19 17:54, Joakim Roubert wrote:
> On 2006-01-19 17:43, Stuart Henderson wrote:
> 
> > Try looking for a BIOS setting called something like legacy/native,
> > and toggle it. By doing that, I got M5289 to function (DMA unsupported,
> > but even with onboard disks it still completes 'make build' faster than
> > anything else I have, and I think I'll put my ami(4) in that box
> > anyway).
> 
> Ok, I won't have the real RAID-H/W as an option, so the question is what
> "anything else" you have... :) How slow is the system without DMA? I
> would guess it would be horrible, but perhaps it is not?

CPU is fast enough that it wasn't horribly slow, but obviously not as
good as it could be.  "anything else" - in my case, the next fastest
is a celeron 2ghz (my asrock board has an opteron 146). I haven't seen
any reliability problems with it, but I haven't worked it harder than
a few cvs pulls and 'make build's.

> Now I have tried some different actions, and FreeBSD 6.0 finds the disks
>  right away (but not the network, but perhaps it is easier to tinker
> with that compared to the disk stuff?).

SuSE Linux seems to support the nic about the best. I don't see anything
in FreeBSD cvsweb to indicate that their -current would be any more likely
to support the nic but it may be worth trying (it took very many clicks
to find cvsweb after their website redesign - oops!)

> Unfortunately, I am not that much of a home-hacker, so I would like to
> fit the most secure and stable minimal UN*X system on this one. What
> would you do in my situation?

If it can be made to work without DMA somehow, try it and see if it
performs acceptably. (I don't know what's involved to make DMA work
and haven't had time to look at it yet). If not, I'd probably fit a
PCI card, most of the SATA cards are SiI3112 or some other equally
supported chip, see pciide(4) for a list. They cost about 10-15
pounds/euros/dollars from the cheaper retailers. Many of the cheap
'sata raid' cards will work fine as a plain sata controller.

Not very useful to you, but I'll mention it anyway - the newest
onchip SATA controllers from ULi and other manufacturers are mostly
AHCI SATA2, which is not supported on OpenBSD yet either, but at
least you can download the spec, which is a good start...



Re: Generating ICMP Redirects

2006-01-19 Thread ober

Isn't "Destination unreachable" icmp a reply to a closed udp port?


-Ober

Richard Chesler: [Reading a piece of paper] The first rule of Fight Club is you 
don't talk about Fight Club?
Narrator: [Voice-over] I'm half asleep again; I must've left the original in 
the copy machine.
Richard Chesler: The second rule of Fight Club - is this yours?
Narrator: Huh?
Richard Chesler: Pretend you're me, make a managerial decision: you find this, 
what would you do?

On Thu, 19 Jan 2006, Steven S wrote:


Date: Thu, 19 Jan 2006 10:58:44 -0500
From: Steven S <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: Generating ICMP Redirects

[EMAIL PROTECTED] wrote:

On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote:

...


What about sysctl net.inet.ip.forwarding? Is it set to 1?


wq Claudio


Yep.  The firewalls are working perfectly aside from this redirect issue.
They are even performing ISP load balancing (when the second ISP stays up.)
FW1 is acting as primary and FW2 is standby (it's off right now.)

[EMAIL PROTECTED] sysctl -a |grep forw
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0

-Steve S.




Re: openbsd live cd

2006-01-19 Thread Karl-Ludwig Reinhard
mh I don't want to build a live cd myself. I was looking for a ready-
built one. maybe you have misunderstood me.

On Jan 19, 2006, at 8:55 AM, Jacob Meuser wrote:


On Thu, Jan 19, 2006 at 08:17:15AM +0100, Karl-Ludwig Reinhard wrote:

hello list,

I'm looking for a openbsd live cd for sys admins, but the only thing
I've found was the anonym.os. Is there any other live cd based on
openbsd?



http://www.onlamp.com/pub/a/bsd/2005/07/14/openbsd_live.html

first hit on google for "openbsd live cd".

the next two hits have methods as well.

--
<[EMAIL PROTECTED]>



--
Karl-Ludwig Reinhard
Im Schafacker 16
79541 Lörrach

[EMAIL PROTECTED]
+49 7621 55486
Skype me: k4rlludwig



Re: openbsd live cd

2006-01-19 Thread Bihlmaier Andreas
On Wed, Jan 18, 2006 at 11:55:15PM -0800, Jacob Meuser wrote:
> On Thu, Jan 19, 2006 at 08:17:15AM +0100, Karl-Ludwig Reinhard wrote:
> > hello list,
> > 
> > I'm looking for a openbsd live cd for sys admins, but the only thing  
> > I've found was the anonym.os. Is there any other live cd based on  
> > openbsd?
> > 
> 

My personal "man livecd"
If anybody thinks something is wrong with it please tell me, I'm eager
to learn :)

Hint: this is optimized for vim, tw=80 and syntax highlighting set to "CONF".

#   live_cd OpenBSD 2006.01.19

Since there isn't (unfortunately) an official OpenBSD Live CD we will create
one:

We need a current system and create a release with source code
-> release

# Alternatively you could use OpenBSD stable/release if you have the source code
# available

Create a directory, this will become root '/' on the CD.
# NOTE: If there is not enough free space on '/usr/' you have to choose a
# different directory (of course you can do so anyway) and change the paths in
# all following commands accordingly
"mkdir -p /usr/livecd/backups/dev"

# COMPLICATED way SKIP this! (Life is too short for this kind of stuff!)
#---
#Now the entire root system contained in the release tarballs has to be
#extracted into the livecd directory:
#"cp baseXX.tgz /usr/livecd/ && cd /usr/livecd/ && tar pxzf baseXX.tgz"
 # Repeat this for all desired parts of the system!

## IMPORTANT!
#Adjust further files:
#"etc/motd" "etc/mygate""etc/myname""etc/sysctl.conf"   "etc/rc.conf"
#"etc/defaultdomain"
#
#Keyboard layout:
#"etc/kbdtype"
#
#Provide for network cards:
#"etc/hostname.*"   "etc/resolv.conf"
#
#Hosts:
#"etc/hosts"
#
#Timezone:
#"rm etc/localtime && ln -s usr/share/zoneinfo/Europe/Berlin etc/localtime"

#Create users:
## Easiest way:
#Create the user and group on the "host system" and insert these entries via
#cut/paste into "/etc/group" and "/etc/master.passwd".

#-> afterboot   # ssh , etc.

#-> security

#Add packages?
#---


# Simple way to get this done
Grab an empty hard drive and make a fresh nice and SLIM install of OpenBSD. As
said above you need the source code to the version you install!
# HINT: Against all good practices ONLY create an 'a' partition since it will
# make creating the CD much easier than having multiple partitions.
This includes all packages/ports you want to be on the CD.
You should configure the system EXACTLY like you want it to be on CD.
# WARNING:
# The settings should be fairly generic, especially /etc/X11/xorg.conf should
# use the vesa driver and a resolution of "1024x768"!


Now mount this partition with another OpenBSD system in order to create a
(compressed) tar archive.
# NOTE: Do not forget the 'p' flag!
"cd /mnt/ && tar pczf ~/livecd_root.tar.gz *"

We transfer this archive to our build machine and extract into our livecd
directory we created earlier:
"tar pxzf livecd_root.tar.gz -C /usr/livecd/"

We have to copy "/var", "/etc", "/dev", "/root" and "/home" from "/usr/livecd"
to "/usr/livecd/backup":
# WARNING: Delete the "shell history", "vim info" and other documents we might
# NOT want to have on our CD:
"cd /usr/livecd && rm -i {root,home/*}/{.history,.viminfo} "
"cp -pR /usr/livecd/{var,etc,root,home} /usr/livecd/backups/"
"cp -pR /usr/livecd/dev/MAKEDEV /usr/livecd/backups/dev/"
# WARNING: Check for permission issues in livecd directory

Since a CD is not huge we will compress the "backup" directories into compressed
tar archives:
# NOTE: This is ONE long command line, you could split it into several steps
"cd /usr/livecd/backups && \
tar pzcf var.tar.gz var && \
tar pzcf etc.tar.gz etc && \
tar pzcf dev.tar.gz dev && \
tar pzcf home.tar.gz home && \
tar pzcf root.tar.gz root/.[a-z]* && \
rm -rf /usr/livecd/backups/{var,etc,dev,home,root}"

We have to create virtual partitions in memory (MFS) since we want them to be
faster and more importantly writeable. On boot the content of the archives
under "/livecd/backups" is extracted into them.

We have to modify the "etc/rc" script in order for this to work:
--- /usr/livecd/etc/rc -
# Insert this AFTER
# rm -f /fastboot # XXX (root now writeable)

# Create/mount mfs partitions
echo 'mounting mfs'
mount_mfs -s 51200 -o async,nosuid,nodev,noatime swap /var
mount_mfs -s 6144 -i 4096 -o async,nosuid,nodev,noatime swap /etc
mount_mfs -s 2048 -i 128 -o async,noatime swap /dev
mount_mfs -s 6144 -o async,nosuid,nodev,noatime swap /tmp
mount_mfs -s 8192 -o async,nosuid,nodev,noatime swap /home
mount_mfs -s 8192 -o async,nosuid,nodev,noatime swap /root

# Seems that a short break is necessary here
sleep 2

# Copy over all stuff in 
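An added example, not the poster's code, covering the archive step above ("compress the backup directories into tar archives") together with the restore step that the modified etc/rc would perform right after the mount_mfs lines: two sh functions plus a self-test that runs the round trip in a temporary directory, so it needs neither root nor mount_mfs. The directory names and the scratch layout are assumptions; the poster's handling of dev/MAKEDEV and root's dotfiles is left out.

```shell
#!/bin/sh
# Added example: pack writable directories into compressed archives for the
# CD, and restore them into (freshly mounted, writable) mfs filesystems.

# livecd_pack <cdroot> <backups-dir> <dir>...
# Archive each named top-level directory of the CD root into
# <backups-dir>/<dir>.tar.gz and, like the poster's final "rm -rf", remove
# the original so only the compressed copy ships on the CD.
livecd_pack() {
    root=$1; backups=$2; shift 2
    mkdir -p "$backups" || return 1
    for d in "$@"; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
        (cd "$root" && tar -czf "$backups/$d.tar.gz" "$d") || return 1
        rm -rf "$root/$d"
    done
}

# livecd_restore <backups-dir> <target-root>
# Extract every archive into the target root; -p keeps the recorded modes
# and ownership, which matters for /etc and /var on the running system.
livecd_restore() {
    backups=$1; target=$2
    for f in "$backups"/*.tar.gz; do
        [ -f "$f" ] || { echo "no archives in $backups" >&2; return 1; }
        tar -pxzf "$f" -C "$target" || return 1
    done
}

# Self-test: build a tiny fake CD root (constructed content), pack etc and
# var, restore them elsewhere, and confirm the files came back intact.
# Returns 0 on success, 1 on any failure.
livecd_selftest() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cdroot/etc" "$tmp/cdroot/var/log" "$tmp/cdroot/usr"
    echo "livecd.example" > "$tmp/cdroot/etc/myname"    # constructed
    : > "$tmp/cdroot/var/log/messages"
    livecd_pack "$tmp/cdroot" "$tmp/cdroot/backups" etc var || return 1
    [ ! -d "$tmp/cdroot/etc" ] || return 1               # originals removed
    [ -f "$tmp/cdroot/backups/etc.tar.gz" ] || return 1
    mkdir -p "$tmp/mfs" || return 1
    livecd_restore "$tmp/cdroot/backups" "$tmp/mfs" || return 1
    [ "$(cat "$tmp/mfs/etc/myname")" = "livecd.example" ] || return 1
    [ -f "$tmp/mfs/var/log/messages" ] || return 1
    rm -rf "$tmp"
    return 0
}

livecd_selftest && echo "livecd pack/restore round trip ok"
```

On the real CD, livecd_restore would be called from etc/rc with "/backups" and "/" as arguments once the mfs filesystems are mounted; because the restored /etc is recreated from the archive on every boot, anything changed on the running live system is lost at shutdown, which is exactly the property the poster wants from a live CD.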

Fwd: How can i send syslogd message to a OPENBSD server ?

2006-01-19 Thread Michael Bibby
thanks ,it works .
^_^

> You will need to start syslog on the openbsd server with the -u option
> (see /etc/rc.conf and syslogd man pages) and also make sure you have pf.conf
> allowing port 514 udp from your linux host.



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Joakim Roubert
On 2006-01-19 17:43, Stuart Henderson wrote:

>>vendor "Acer Labs", unknown product 0x5287 (class mass storage subclass
>>SATA, rev 0x02) at pci0 dev 31 function 1 not configured
> 
> Good, it's not hidden behind an unrecognisable pci-pci bridge.

Ok, at least that's something! :)

> Try looking for a BIOS setting called something like legacy/native,
> and toggle it. By doing that, I got M5289 to function (DMA unsupported,
> but even with onboard disks it still completes 'make build' faster than
> anything else I have, and I think I'll put my ami(4) in that box
> anyway).

Ok, I won't have the real RAID-H/W as an option, so the question is what
"anything else" you have... :) How slow is the system without DMA? I
would guess it would be horrible, but perhaps it is not?

The system I am to set up is a backup server that is to do pretty much
nothing but wait all the time, and each night get the backup from our
server. So perhaps the most incredible disk speed is not needed, but
disk I/O has to be reliable.

Now I have tried some different actions, and FreeBSD 6.0 finds the disks
 right away (but not the network, but perhaps it is easier to tinker
with that compared to the disk stuff?).

Unfortunately, I am not that much of a home-hacker, so I would like to
fit the most secure and stable minimal UN*X system on this one. What
would you do in my situation?

Regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/



Re: Need advice about VPN

2006-01-19 Thread NetNeanderthal
On 1/18/06, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> On Wed, Jan 18, 2006 at 11:20:55AM +0100, Joachim Schipper wrote:
> Forget about openvpn, there's no need to fiddle around with third
> party stuff.
OT: OpenVPN has its purposes, though this particular scenario
shouldn't be one of them.  On several occasions, I have run into
scenarios where connectivity was limited, ALL IPs were behind NAT,
endpoint IPs changed often and only specific TCP/UDP ports were
permitted.  (Many times in an attempt to specifically thwart IPSEC.) 
OpenVPN has proved robust and reliable in those environments.

> Just make sure to take a look at vpn(8).  If ipsec does not suit
> your needs, take a look at tunneling using ssh(1) "-w".
Unfortunately, while I love the flexibility of SSH tunneling, I would
still consider it an ad-hoc solution for most, a massive drawback
being that it tunnels over TCP.



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Stuart Henderson
On 2006/01/19 17:08, Joakim Roubert wrote:
> On 2006-01-19 15:42, Stuart Henderson wrote:
> > No dmesg, so it's difficult to help you...
> 
> Ok, here goes:
> (there might be typos, since I write down what I read on the screen next
> to me...)

well done :)

I have some similar ALi/ULi devices on a different ASRock board here,
and have got a little further.

> vendor "Acer Labs", unknown product 0x5287 (class mass storage subclass
> SATA, rev 0x02) at pci0 dev 31 function 1 not configured

Good, it's not hidden behind an unrecognisable pci-pci bridge.
Try looking for a BIOS setting called something like legacy/native,
and toggle it. By doing that, I got M5289 to function (DMA unsupported,
but even with onboard disks it still completes 'make build' faster than
anything else I have, and I think I'll put my ami(4) in that box
anyway).

> vendor "Acer Labs", unknown product 0x5263 (class network subclass
> ethernet, rev 0x50) at pci0 dev 27 function 0 not configured

that's actually near enough a dc(4), I have got as far as getting it
to pick up the right MAC address (the easy bit) but not detect any PHYs
(the bit which needs either a datasheet or someone better at reading
linux source than I).



Via K8T900 - Questions

2006-01-19 Thread Paulo Rodriguez

Dear misc,

Not so long ago Via released a new chipset which sounds very promising 
performance-wise, compared to the Nvidia solutions, the K8T900.
I was wondering whether there was already any interest from dev's for 
this platform.
The reason is simple: a dual-boot machine which can handle OpenBSD with 
full support, and Windows for the entertainment side (=games) would be 
great. An OpenBSD-friendly platform.
This without losing too much on performance (the Nvidia chipsets behave 
really well under Windows).
Currently, several mags did some tests on a Via reference design mobo, 
comparing it to the Nforce 4 ones, and it looked good! Heck, I'm even 
willing to get the project a mobo as soon as one is available.

Kind regards,

P



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Joakim Roubert
On 2006-01-19 15:42, Stuart Henderson wrote:

> No dmesg, so it's difficult to help you...

Ok, here goes:
(there might be typos, since I write down what I read on the screen next
to me...)

=

OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 15:58:32 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Celeron(R) CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
real mem  = 469012480 (458020K)
avail mem = 421904384 (412016K)
using 4278 buffers containing 23552000 bytes (23000K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/05/05, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: flags 20102 dobusy 0 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5d60/144 (7 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x10b9 product 0x1573
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
WARNING: can't reserve area for I/O APIC.
WARNING: can't reserve area for Local APIC.
WARNING: can't reserve area for BIOS PROM.
bios0: ROM list: 0xc/0xf000! 0xcf000/0x5600
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor "ATI", unknown product 0x5a33 rev 0x01
ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb1 at pci0 dev 25 function 0 vendor "Acer Labs", unknown product
0x5249 rev 0x00
pci2 at ppb1 bus 2
ral0 at pci2 dev 21 function 0 "Ralink RT2560" rev 0x01: irq 5, address
00:14:85:16:b2:2c
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
vendor "Acer Labs", unknown product 0x5263 (class network subclass
ethernet, rev 0x50) at pci0 dev 27 function 0 not configured
ohci0 at pci0 dev 28 function 0 "Acer Labs M5237 USB" rev 0x03: irq 10,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 28 function 1 "Acer Labs M5237 USB" rev 0x03: irq 5,
version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ohci2 at pci0 dev 28 function 2 "Acer Labs M5237 USB" rev 0x03: irq 5,
version 1.0, legacy support
usb2 at ohci2: USB revision 1.0
uhub2 at usb2
uhub2: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1
uhub2: 3 ports with 3 removable, self powered
ehci0 at pci0 dev 28 function 3 vendor "Acer Labs", unknown product
0x5239 rev 0x01: irq 5
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Acer Labs EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 8 ports with 8 removable, self powered
vendor "Acer Labs", unknown product 0x5455 (class multimedia subclass
audio, rev 0x20) at pci0 dev 29 function 0 not configured
pcib0 at pci0 dev 30 function 0 vendor "Acer Labs", unknown product
0x1573 rev 0x31
"Acer Labs M7101 Power" rev 0x00 at pci0 dev 30 function 1 not configured
pciide0 at pci0 dev 31 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc7:
DMA, channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
vendor "Acer Labs", unknown product 0x5287 (class mass storage subclass
SATA, rev 0x02) at pci0 dev 31 function 1 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550A, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fed netmask ffed ttymask ffef
rd0: fixed, 3800 blocks
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02

=

Regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/



Re: Generating ICMP Redirects

2006-01-19 Thread Steven S
[EMAIL PROTECTED] wrote:
> On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote:
...
> 
> What about sysctl net.inet.ip.forwarding? Is it set to 1?
> 
>> wq Claudio

Yep.  The firewalls are working perfectly aside from this redirect issue.
They are even performing ISP load balancing (when the second ISP stays up.)
FW1 is acting as primary and FW2 is standby (it's off right now.)

[EMAIL PROTECTED] sysctl -a |grep forw
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0

-Steve S.



Re: Generating ICMP Redirects

2006-01-19 Thread Stuart Henderson
On 2006/01/19 10:32, Steven S wrote:
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
> gw (10.10.0.1/16) for a LAN .  VPN users (10.4.0.0/16) come into the LAN
> from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
> users hit a server return packets are sent to the default gw.  I was
> expecting the OpenBSD server to generate an ICMP redirect and all would be
> well.  Unfortunately that is not happening.  Instead the firewall is sending
> a host unreachable (yet the fw can ping the VPN host).

Immediate thoughts: firewall rules, net.inet.ip.forwarding setting.

> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16

I suspect you will need to allow the packets through in order to get
the redirects sent. Are you allowing the outbound from 10.10 to 10.4 to
pass in another rule that you didn't include? If not, that's likely to
be the problem. If you're not sure, make sure blocked packets are logged,
then monitor pflog0.
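One way to apply this advice to the setup in the original post, as an added pf.conf fragment that is not from the thread (the macro names are mine; the interface, networks and the PIX address are the ones Steven posted, and the rules stay stateless like his):

```pf
# Added example, not from the thread: pf.conf fragment for fxp2 (LAN side,
# 10.10.0.0/16) with VPN users (10.4.0.0/16) reached via the PIX at
# 10.10.0.254. Stateless rules as in the original ruleset, so every
# direction a forwarded packet crosses needs its own rule.
lan_if  = "fxp2"
lan_net = "10.10.0.0/16"
vpn_net = "10.4.0.0/16"

# Log what is dropped so a missing rule shows up on pflog0 instead of
# being guessed at.
block log all

# LAN host -> VPN user: the packet enters on fxp2 ...
pass in  quick on $lan_if inet from $lan_net to $vpn_net
# ... and, because the route to 10.4/16 points back through fxp2, it
# leaves on fxp2 again. This is the direction the posted ruleset lacked.
pass out quick on $lan_if inet from $lan_net to $vpn_net

# VPN user -> LAN host: the reverse path, in from the PIX and out to the
# server, both on fxp2.
pass in  quick on $lan_if inet from $vpn_net to $lan_net
pass out quick on $lan_if inet from $vpn_net to $lan_net

# The redirect the kernel generates is a locally originated packet and is
# filtered on the way out like any other; let it reach the LAN hosts.
pass out quick on $lan_if inet proto icmp from ($lan_if) to $lan_net icmp-type redir
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; afterwards `tcpdump -n -e -ttt -i pflog0` shows exactly which packets the `block log` rule is still dropping.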



Re: Generating ICMP Redirects

2006-01-19 Thread Claudio Jeker
On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote:
> Greetings,
> 
> I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
> gw (10.10.0.1/16) for a LAN .  VPN users (10.4.0.0/16) come into the LAN
> from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
> users hit a server return packets are sent to the default gw.  I was
> expecting the OpenBSD server to generate an ICMP redirect and all would be
> well.  Unfortunately that is not happening.  Instead the firewall is sending
> a host unreachable (yet the fw can ping the VPN host).
> 
> Any pointers would be appreciated.  Here's some relevant info:
> 
> [EMAIL PROTECTED] tcpdump -nei fxp2 icmp
> 09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 >
> 10.10.0.11: icmp: host 10.4.0.67 unreachable
> 09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 >
> 10.10.0.11: icmp: host 10.4.0.67 unreachable
> 
> [EMAIL PROTECTED] ping 10.4.0.67
> PING 10.4.0.67 (10.4.0.67): 56 data bytes
> 64 bytes from 10.4.0.67: icmp_seq=0 ttl=128 time=66.969 ms
> 
> [EMAIL PROTECTED] netstat -rn | grep 10.4
> 10.4/16            10.10.0.254        UGS         0    61208  -   fxp2
> 
> [EMAIL PROTECTED] ifconfig carp2
> carp2: flags=8843 mtu 1500
> carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 100
> groups: carp
> inet 10.10.0.1 netmask 0x broadcast 10.10.255.255
> [EMAIL PROTECTED] ifconfig fxp2
> fxp2: flags=8943 mtu 1500
> lladdr 00:02:a5:60:58:50
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 10.10.0.251 netmask 0x broadcast 10.10.255.255
> inet6 fe80::202:a5ff:fe60:5850%fxp2 prefixlen 64 scopeid 0x3 
> 
> [EMAIL PROTECTED] pfctl -s rules |grep 10.4
> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16
> 
> [EMAIL PROTECTED] sysctl -a |grep redi
> net.inet.ip.redirect=1
> net.inet.icmp.rediraccept=1
> net.inet.icmp.redirtimeout=600
> net.inet6.ip6.redirect=1
> net.inet6.icmp6.rediraccept=1
> net.inet6.icmp6.redirtimeout=600
> 

What about sysctl net.inet.ip.forwarding? Is it set to 1?

-- 
:wq Claudio



Generating ICMP Redirects

2006-01-19 Thread Steven S
Greetings,

I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default
gw (10.10.0.1/16) for a LAN .  VPN users (10.4.0.0/16) come into the LAN
from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN
users hit a server return packets are sent to the default gw.  I was
expecting the OpenBSD server to generate an ICMP redirect and all would be
well.  Unfortunately that is not happening.  Instead the firewall is sending
a host unreachable (yet the fw can ping the VPN host).

Any pointers would be appreciated.  Here's some relevant info:

[EMAIL PROTECTED] tcpdump -nei fxp2 icmp
09:57:26.797397 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 >
10.10.0.11: icmp: host 10.4.0.67 unreachable
09:57:28.984736 0:2:a5:60:58:50 0:8:2:ce:99:65 0800 70: 10.10.0.251 >
10.10.0.11: icmp: host 10.4.0.67 unreachable

[EMAIL PROTECTED] ping 10.4.0.67
PING 10.4.0.67 (10.4.0.67): 56 data bytes
64 bytes from 10.4.0.67: icmp_seq=0 ttl=128 time=66.969 ms

[EMAIL PROTECTED] netstat -rn | grep 10.4
10.4/16            10.10.0.254        UGS         0    61208  -   fxp2

[EMAIL PROTECTED] ifconfig carp2
carp2: flags=8843 mtu 1500
carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 100
groups: carp
inet 10.10.0.1 netmask 0x broadcast 10.10.255.255
[EMAIL PROTECTED] ifconfig fxp2
fxp2: flags=8943 mtu 1500
lladdr 00:02:a5:60:58:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.10.0.251 netmask 0x broadcast 10.10.255.255
inet6 fe80::202:a5ff:fe60:5850%fxp2 prefixlen 64 scopeid 0x3 

[EMAIL PROTECTED] pfctl -s rules |grep 10.4
pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16
pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16

[EMAIL PROTECTED] sysctl -a |grep redi
net.inet.ip.redirect=1
net.inet.icmp.rediraccept=1
net.inet.icmp.redirtimeout=600
net.inet6.ip6.redirect=1
net.inet6.icmp6.rediraccept=1
net.inet6.icmp6.redirtimeout=600



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Joakim Roubert
On 2006-01-19 15:42, Stuart Henderson wrote:

> No dmesg, so it's difficult to help you... Even if all you can do is
> boot the install kernel, save a dmesg to a file, and ftp it somewhere,
> that's a lot better than nothing.

I will see if I can fix that.

> ULi want an NDA before releasing documentation, and have now been bought
> by nvidia, so finding information to write correct drivers isn't going
> to be easy.

N! :-( But, on the other hand, when it comes to gfx cards there is,
for Linux, support for all cards but one (old), so perhaps they will do
the same with these ones.

> If you haven't already, try playing with the BIOS settings. You may be
> able to get your disks to work (but even if you do, possibly no DMA).

Ok! Thanks a lot for your input! Perhaps I will have to go with another
OS on this machine (I am about to get us a more critical server too; I
will make sure I get a controller OpenBSD really supports on that one,
because that one really has to run OBSD.)

Best regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/





Re: Need advice about VPN

2006-01-19 Thread Joachim Schipper
On Thu, Jan 19, 2006 at 11:28:31AM +, Stuart Henderson wrote:
> On 2006/01/19 10:39, Simon Slaytor wrote:
> > Stuart Henderson wrote:
> > >On 2006/01/19 09:38, Simon Slaytor wrote:
> > >
> > >>When comparing the two vpn solutions for speed, subjectively the OpenVPN 
> > >>feels slightly faster
> > >
> > >If you're using compression on OpenVPN but not on IPSEC, that would
> > >probably explain the speed difference.
> >
> > Agreed, any idea on how the ciphers compare  i.e. 3DES v Blowfish  in 
> > regard to CPU overhead?
> 
> 'openssl speed' will show you on your system, but Blowfish (and AES,
> at least at some block sizes) are something like twice as fast when
> implemented in software on a standard CPU.

Not to mention the fact that in-kernel software, all else being equal,
runs faster due to the lack of context switches and so on.

OTOH, OpenVPN uses adaptive compression, which can at times be
preferable to the IPsec on/off option.

Joachim



Re: Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Stuart Henderson
On 2006/01/19 14:33, Joakim Roubert wrote:
> I have a computer based on this motherboard (more info here:
> http://www.asrock.com/product/product_775Twins-HDTV.htm), and the
> OpenBSD 3.8 install CD won't find the disks.
> 
> The southbridge is a ULi 1573, and since it is not present in the
> OpenBSD chipset support list, the reason 3.8 won't find my disks is
> rather obvious even to me. :)
> 
> FreeBSD finds the disks, though, but I would prefer to run OpenBSD on
> the machine. You guys that know everything there is to know about
> OpenBSD, is there support in ULi 1573 to find in the CVS or so?

No dmesg, so it's difficult to help you... Even if all you can do is
boot the install kernel, save a dmesg to a file, and ftp it somewhere,
that's a lot better than nothing.

ULi want an NDA before releasing documentation, and have now been bought
by nvidia, so finding information to write correct drivers isn't going
to be easy.

If you haven't already, try playing with the BIOS settings. You may be
able to get your disks to work (but even if you do, possibly no DMA).



Re: ntpd is not adjusting time

2006-01-19 Thread Frank Bax

At 12:59 PM 2/11/05, Henning Brauer wrote:


* Frank Bax <[EMAIL PROTECTED]> [2005-02-11 18:53]:
> At 07:59 AM 2/11/05, Henning Brauer wrote:
> >* Frank Bax <[EMAIL PROTECTED]> [2005-02-11 04:08]:
> >> ntp engine ready
> >> no reply from 192.117.105.69 received in time
> >> no reply from 82.69.129.106 received in time
> >> no reply from 81.7.132.92 received in time
> >> The log file contains *many* of these entries - looks like 15 sites, then
> >> they start over - repeating until I kill the process.  What kind of problem
> >> causes this message?  This site is using an ADSL connection to internet,
> >> but we have no other sites with the same ISP.
> >
> >you don't receive replies. network issue, maybe firewall.
> >
> This machine does not have pf enabled.  The site uses the same (D-link
> DI-7404P) router/firewall as other sites where ntp is working
> properly.  Router has basic/default config, except I added forwarding of
> incoming port 22 to the "problem" bsd system.  I can even ping some of the
> time servers (I've read that not all time servers reply to ping).  The only
> variable I can think of is ISP, which is different at each site (not my
> idea, it's a long story).  I don't know what commands to use to prove this
> might be an ISP issue.

well, no matter what, you are not receiving replies.


Upgraded to 3.8 yesterday (a bit overdue) and the problem went away.



Is it possible to run OpenBSD on ASRock 775TWINS-HDTV S775?

2006-01-19 Thread Joakim Roubert
Hi!

I have a computer based on this motherboard (more info here:
http://www.asrock.com/product/product_775Twins-HDTV.htm), and the
OpenBSD 3.8 install CD won't find the disks.

The southbridge is a ULi 1573, and since it is not present in the
OpenBSD chipset support list, the reason 3.8 won't find my disks is
rather obvious even to me. :)

FreeBSD finds the disks, though, but I would prefer to run OpenBSD on
the machine. You guys that know everything there is to know about
OpenBSD, is there support in ULi 1573 to find in the CVS or so?

Best regards,

/Joakim
-- 
 http://www.df.lth.se/~jokke/



Re: dup-to

2006-01-19 Thread john gotti
hi, I meant where to put a RULE with dup-to so as not to mess with others,
especially with a RULE using route-to. I would test it myself but this fw is
quite important, so if anyone is using it I would be happy for tips. Anyway,
the manpage does not tell how dup-to interacts with rules with route-to,
fastroute or reply-to.

On 1/19/06, john gotti <[EMAIL PROTECTED]> wrote:
>
> hi, I meant where to put a RULE with dup-to so as not to mess with others,
> especially with a RULE using route-to. I would test it myself but this fw is
> quite important, so if anyone is using it I would be happy for tips. Anyway,
> the manpage does not tell how dup-to interacts with rules with route-to,
> fastroute or reply-to.
>
> On 1/19/06, john gotti <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> > On 1/19/06, john gotti < [EMAIL PROTECTED]> wrote:
> > >
> > > hi, I meant where to put a RULE with dup-to so as not to mess with others,
> > > especially with a RULE using route-to. I would test it myself but this fw is
> > > quite important, so if anyone is using it I would be happy for tips. Anyway,
> > > the manpage does not tell how dup-to interacts with rules with route-to,
> > > fastroute or reply-to.
> > >
> > > regards
> > > Jacek
> > >
> > > On 1/18/06, yary < [EMAIL PROTECTED]> wrote:
> > > >
> > > > dup-to isn't a rule, it's something you add to a "pass" rule
> > > >
> > > > take a look at the pf.conf man page, and study the BNF section at the
> > > > end for syntax.
> > > >
> > > > and search this list/internet at large for examples



Re: dup-to

2006-01-19 Thread john gotti
hi, I meant where to put a RULE with dup-to so as not to mess with others,
especially with a RULE using route-to. I would test it myself but this fw is
quite important, so if anyone is using it I would be happy for tips. Anyway,
the manpage does not tell how dup-to interacts with rules with route-to,
fastroute or reply-to.

On 1/19/06, john gotti <[EMAIL PROTECTED]> wrote:
>
>
>
> On 1/19/06, john gotti <[EMAIL PROTECTED]> wrote:
> >
> > hi, I meant where to put a RULE with dup-to so as not to mess with others,
> > especially with a RULE using route-to. I would test it myself but this fw is
> > quite important, so if anyone is using it I would be happy for tips. Anyway,
> > the manpage does not tell how dup-to interacts with rules with route-to,
> > fastroute or reply-to.
> >
> > regards
> > Jacek
> >
> > On 1/18/06, yary < [EMAIL PROTECTED]> wrote:
> > >
> > > dup-to isn't a rule, it's something you add to a "pass" rule
> > >
> > > take a look at the pf.conf man page, and study the BNF section at the
> > > end for syntax.
> > >
> > > and search this list/internet at large for examples



Re: dup-to

2006-01-19 Thread john gotti
On 1/19/06, john gotti <[EMAIL PROTECTED]> wrote:
>
> hi, I meant where to put a RULE with dup-to so as not to mess with others,
> especially with a RULE using route-to. I would test it myself but this fw is
> quite important, so if anyone is using it I would be happy for tips. Anyway,
> the manpage does not tell how dup-to interacts with rules with route-to,
> fastroute or reply-to.
>
> regards
> Jacek
>
> On 1/18/06, yary <[EMAIL PROTECTED]> wrote:
> >
> > dup-to isn't a rule, it's something you add to a "pass" rule
> >
> > take a look at the pf.conf man page, and study the BNF section at the
> > end for syntax.
> >
> > and search this list/internet at large for examples





Re: Need advice about VPN

2006-01-19 Thread Stuart Henderson
On 2006/01/19 10:39, Simon Slaytor wrote:
> Stuart Henderson wrote:
> >On 2006/01/19 09:38, Simon Slaytor wrote:
> >
> >>When comparing the two vpn solutions for speed, subjectively the OpenVPN 
> >>feels slightly faster
> >
> >If you're using compression on OpenVPN but not on IPSEC, that would
> >probably explain the speed difference.
>
> Agreed, any idea on how the ciphers compare  i.e. 3DES v Blowfish  in 
> regard to CPU overhead?

'openssl speed' will show you on your system, but Blowfish (and AES,
at least at some block sizes) are something like twice as fast when
implemented in software on a standard CPU.

> I was not trying to suggest that this was a like for like comparison. I 
> was merely trying to get the point across that OpenVPN is a viable 
> alternative.

There are strengths and weaknesses for each, overhead is only one
factor (and not such an important one in smaller setups over relatively
low-speed lines). I use OpenVPN and IPSEC in different situations (and
will probably start using ssh tun-forwarding for a few places I'd use
OpenVPN now - though, I'll have to investigate how tcp-wrapped-in-tcp
works, since it would be most useful for me over wireless networks
which have a lot of packet loss).



Re: Need advice about VPN

2006-01-19 Thread Simon Slaytor
Stuart Henderson wrote:

>On 2006/01/19 09:38, Simon Slaytor wrote:
>  
>
>>When comparing the two vpn solutions for speed, subjectively the OpenVPN 
>>feels slightly faster
>>
>>
>
>If you're using compression on OpenVPN but not on IPSEC, that would
>probably explain the speed difference.
>
>
>
>  
>
Agreed, any idea on how the ciphers compare  i.e. 3DES v Blowfish  in 
regard to CPU overhead?

I was not trying to suggest that this was a like for like comparison. I 
was merely trying to get the point across that OpenVPN is a viable 
alternative.



Re: Need advice about VPN

2006-01-19 Thread Stuart Henderson
On 2006/01/19 09:38, Simon Slaytor wrote:
> When comparing the two vpn solutions for speed, subjectively the OpenVPN 
> feels slightly faster

If you're using compression on OpenVPN but not on IPSEC, that would
probably explain the speed difference.



Re: Need advice about VPN

2006-01-19 Thread Simon Slaytor

Going to go against the flow here and say go for OpenVPN.

This recommendation is based on the following observations:

It's easy to implement
It's secure
It's stable
By using the tls-auth option the fact that your firewall is acting as a 
vpn endpoint becomes invisible to the 'net'

It easily handles NAT'ing firewalls with no special NAT requirements
Will easily work with dynamic DNS clients as end points.
Works well with OpenBSD

In your scenario you could setup a single central OpenVPN/CA server to 
act as a VPN concentrator your 2nd site and your two colo servers could 
then act as 'clients' making admin and setup very straight forward.


With regard to the speed of IPSec v OpenVPN (SSL/TLS), we use IPSec for 
site to site VPNs (3DES+PFS) where each end has a static IP and OpenVPN 
(Blowfish) for our 'road warriors'.


The IPSec VPNs terminate onto a 3.8 box with a 450MHz CPU (K62).
OpenVPN runs on a separate 3.8 box behind the firewall and uses a PII 
450MHz CPU.


When comparing the two vpn solutions for speed, subjectively the OpenVPN 
feels slightly faster, but there's not much in it and the different 
encryption schemes may well account for the speed variance. We don't push 
a lot of traffic through the VPNs, hence I can get away with low power 
hardware. However, what I'm trying to say is that running OpenVPN doesn't 
require a large amount of horsepower and is no disadvantage over IPSec.


Regards

Simon



Re: 3.8/64 bits/snmp

2006-01-19 Thread Sylvain Coutant
> I've seen the same on amd64 (OpenBSD 3.7 and 3.8) running net-snmp 5.x.

Yep, that's it ;-)


> I haven't noticed any issue with interface counters,

On our platform, interface counters are sent back using Counter32 while 
carrying 64 bits values. It works while the counter is less than 4 GB but our 
monitor rejects larger values ...


> The problem is with net-snmp. Beyond this I haven't chased it down.

But not on all platforms. Netsnmp 5 works great with OpenBSD i386 or Ubuntu 
amd64.

BR,
--
Sylvain COUTANT

ADVISEO
http://www.adviseo.fr/
http://www.open-sp.fr/



Re: How can i send syslogd message to a OPENBSD server ?

2006-01-19 Thread Justin Krejci
On Thursday 19 January 2006 01:37 am, Michael Bibby wrote:
> hello ,[EMAIL PROTECTED]
>
> I have a Linux(SUSE ENTERPRISE LINUX 9) system ,and i want to send all
> syslogd messages
> to another system which runs OpenBSD 3.8 release . How can i do with
> OpenBSD ?
>
> well ,i know how to configure it in Linux(suse):
>
> Server (get all messages sent from client,IP:192.168.0.1):
> == /etc/syslogd.conf ==
> *.* -/var/log/messages
>
> == /etc/sysconfig/syslog ==
> SYSLOGD_PARAMS="-r"
>
> Client (send all syslogd messages to Server):
> == /etc/syslogd.conf ==
> *.* @192.168.0.1


You will need to start syslog on the openbsd server with the -u option 
(see /etc/rc.conf and syslogd man pages) and also make sure you have pf.conf 
allowing port 514 udp from your linux host.
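The pf side of that answer, as an added pf.conf fragment that is not from the thread: the collector address 192.168.0.1 is the one in Michael's config, while the interface name and the client address are assumptions (placeholders) of mine.

```pf
# Added example, not from the thread: receiving side on the OpenBSD 3.8
# syslog collector. Only the pf part is shown; syslogd itself still has to
# be started with -u to listen on 514/udp.
int_if     = "fxp0"          # assumption: interface facing the SUSE client
collector  = "192.168.0.1"   # the server address from the original post
log_client = "192.168.0.2"   # placeholder: the SUSE client's address

# Default deny, logged, so unexpected senders show up on pflog0.
block log all

# Admit syslog datagrams only from the known client to the collector
# address; leaving "from any" here would expose syslogd to every host
# that can reach the interface.
pass in quick on $int_if inet proto udp from $log_client to $collector port 514
```

Pair this with `syslogd_flags="-u"` in /etc/rc.conf and restart syslogd; without `-u` the port is never opened, whatever pf allows.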



Re: Anonym.OS - OpenBSD-based live CD

2006-01-19 Thread NetNeanderthal
On 1/19/06, Scott Francis <[EMAIL PROTECTED]> wrote:
> Surprisingly, nobody else has mentioned this on-list yet (perhaps
> because it's been all over the news elsewhere):
> http://news.google.com/news?hl=en&ned=us&q=anonym.os&btnG=Search+News

It was reported on undeadly.org.

> I'm not in the least surprised that OpenBSD was chosen as the base for
> a live CD focused on privacy, anonymity and security - in fact, I
> can't really imagine doing what they did with any other platform
> (certainly not doing it as well).

I'm less than impressed with it after mounting the iso and viewing the
contents.  Their documentation is poor, if not void of content
altogether.

Call Anonym.OS what it is, a coagulated lump of untrusted packages and
scripts conveniently bundled for those who are unwilling or unable to
use OpenBSD in its native form.  It reeks of a clumsily-staged
publicity stunt.

I digress; OpenBSD is free.