Re: Port Question

2006-01-29 Thread Joachim Schipper
On Sun, Jan 29, 2006 at 08:19:34PM -0500, Dave Feustel wrote:
> PF works GREAT!
> 
> Here is a list of ports that have had data sent to them today.
> The 2nd number is the number of packets dropped.
> Is there anything in the list that I should pay particular attention to?

No, what a firewall blocks isn't at all interesting, unless 1) you are
being DoSed or 2) something that should be allowed, isn't.

As long as neither applies, the only thing that's interesting is what
the firewall allows - which may be more than you wanted.

Joachim



Re: VLAN Support under OpenBSD 3.8

2006-01-29 Thread Daniel Ouellet

Marco Fretz wrote:
> hello there
>
> short question: what are actually the supported gigabit nics to pull
> out .1q vlans on an openbsd machine?
>
> thanks and best regards
>  marco



http://openbsd.org/i386.html#hardware

under:

Gigabit Ethernet Adapters

For a start.



Re: RAIDframe stability and reliability

2006-01-29 Thread Joachim Schipper
On Sun, Jan 29, 2006 at 03:30:10PM -0700, David Wilk wrote:
> I know RAIDframe is not in GENERIC, but I was wondering if anyone could
> speak to the stability and reliability of RAIDframe in 3.8.  I find myself
> really wanting to use software RAID 1 and haven't had any problems in
> testing thus far.
> 
> Any experiences would be good to hear.

I've used it myself. It works well - the only thing to watch out for is
that a dying drive on an IDE bus is likely to confuse the bus
sufficiently that the other drive on the bus (if there is one) goes down
as well.

The main reason RAIDframe is not in GENERIC, I seem to recall, is that
it makes the kernel quite a bit bigger for no gain in the average case.

Also note that RAIDframe is quite unstable when poked - it works well,
as long as you treat it well; but incorrect configurations tend to cause
panics.

Of course, hardware RAID is likely to be faster.

Joachim



VLAN Support under OpenBSD 3.8

2006-01-29 Thread Marco Fretz
hello there

short question: what are actually the supported gigabit nics to pull
out .1q vlans on an openbsd machine?


thanks and best regards
 marco



Is PF synproxy rule should work on CARP interface?

2006-01-29 Thread Daniel Ouellet
As CARP interfaces are virtual interfaces as opposed to physical ones, does
this mean that they are considered to be, maybe, a bridge type of operation?

So, as the man page explains, synproxy doesn't work on a bridge setup; would
that mean the below is normal?

I am curious and would like to understand why a simple rule like:

pass in on $ext_if proto tcp to carp1 port www flags S/SA keep state

works as well as:

pass in on $ext_if proto tcp to $ext_if port www flags S/SA keep state

but not this one:

pass in on $ext_if proto tcp to carp1 port www flags S/SA synproxy state

Everything else being equal, and your web server runs on the same server as
pf and would answer on both IPs assigned to the physical interface as well
as the virtual CARP interface.

That's the only explanation I was able to come up with so far in my
research.

Thanks for your insight.

Daniel

PS: Tested on both 3.8 GENERIC and 3.9-BETA.



(3.9beta/i386) sensorsd can not start?

2006-01-29 Thread John Wong
After upgrading to 3.9beta/i386, sensorsd cannot start.
When I start sensorsd, it shows the error message:

shell$: /usr/sbin/sensorsd
sensorsd: sysctl: No such file or directory

What file or directory do I need?

shell$: cat /etc/sensorsd.conf

hw.sensors.0:low=4000
hw.sensors.12:high=55C
hw.sensors.13:high=55C
hw.sensors.14:high=80C


shell$: sysctl hw.sensors
---
hw.sensors.0=it0, Fan1, fanrpm, 4821 RPM
hw.sensors.3=it0, VCORE_A, volts_dc, 1.57 V
hw.sensors.4=it0, VCORE_B, volts_dc, 2.50 V
hw.sensors.5=it0, +3.3V, volts_dc, 3.31 V
hw.sensors.6=it0, +5V, volts_dc, 5.13 V
hw.sensors.7=it0, +12V, volts_dc, 12.10 V
hw.sensors.8=it0, Unused, volts_dc, -1.06 V
hw.sensors.9=it0, -12V, volts_dc, -9.99 V
hw.sensors.10=it0, +5VSB, volts_dc, 2.71 V
hw.sensors.11=it0, VBAT, volts_dc, 0.00 V
hw.sensors.12=it0, Temp1, temp, 33.00 degC / 91.40 degF
hw.sensors.13=it0, Temp2, temp, 33.00 degC / 91.40 degF
hw.sensors.14=it0, Temp3, temp, 58.00 degC / 136.40 degF

MP kernels and wd0 errors on AMD64

2006-01-29 Thread Nicholas Young
Hello

When booting with the standard kernel everything works fine and I
can login/use the machine, run stress without any errors.

When booting with the MP kernel it will get to mounting the drive and
freeze, partial boot log below of where the error occurs.

I have tested this with AMD64/i386 of 3.8 and the AMD64 snapshot
24 Jan 2006. 

I had a go at using config to change the flags on the wd* device to
force it to use PIO mode (0xff0). This did not change anything.

The motherboard is an ASUS A8N5X and it has 2 WDB800JD (80GB SATA)
disks.

I have seen similar problems in the archives although none where the
machine freezes after the disk errors.

Is there any other information that would help or any suggestions on
what to try next?

Thanks

Nich



Partial dmesg from MP boot of 3.8:
...
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
wd0(pciide2:0:0): timeout
type: ata
c_bcount: 512
c_skip: 0
wd0(pciide2:0:0): timeout
type: ata
c_bcount: 512
c_skip: 0

Full dmesg from AMD64 3.8:

Re: error on ifconfig, bssid

2006-01-29 Thread Damien Miller
On Mon, 30 Jan 2006, Lucas Reddinger wrote:

> On 1/28/06, Damien Miller <[EMAIL PROTECTED]> wrote:
> 
> > use ipsec if you care about the traffic that goes over such a link
> 
> ipsec protects the traffic, but it doesn't mean that the link won't
> drop. is there any way to protect the actual radio link?

802.11 doesn't offer any means of protecting management traffic at all.
hostapd(8) could help.

-d



Re: error on ifconfig, bssid

2006-01-29 Thread Lucas Reddinger
On 1/28/06, Damien Miller <[EMAIL PROTECTED]> wrote:
> setting a preferred bssid doesn't solve this at all, it just means that
> your attacker has to set her bssid (trivial) before they spoof your
> peer.

i guess you are right.

> use ipsec if you care about the traffic that goes over such a link

ipsec protects the traffic, but it doesn't mean that the link won't
drop. is there any way to protect the actual radio link?

lucas



PF traffic understanding process of keep state setup with flag check.

2006-01-29 Thread Daniel Ouellet
Here is something that I want to make sure I understand properly. I am
99.9% sure, but as I get so many entries in my logs, it makes me want to
verify my understanding a bit. So if someone would kindly correct me
where/if I am wrong, that would be great!


To start with:

scrub in all

as explained in the man page, will eliminate all packets with bad flag
combinations, so keeping some types of bad guys away, or broken TCP
stacks. Great!

I also understand that when you have quick and keep state in your rules,
obviously the rest of the rule set is skipped if a match is found on that
line, so:


pass in quick on bge0 inet proto tcp from any to xx.xx.xx.xx /
port = www flags S/SA keep state (if-bound)

Would create a state when an initial valid connection is coming to your 
web server and no more rules are checked from this point.


Now from the man page, this line above for normal traffic would then
create a state in the state table and then traffic back and forth
between this server and the source would skip any rules in the rule set
regardless of what they might be, or where they might be as well, as only
the state table is checked for this established connection.

Now, if I have the line below past the above state creation and I would
get some sampling below in the log entries that would match this rule:


block drop in log quick on bge0 proto tcp from  to any

Obviously, I believe none of them is a valid entry, but in all cases
they do represent an attempt to do bad things, whatever that might be, to
the web server, right?

Now, if a connection is logged like these, it is either a bad guy, or a
very broken TCP stack, right? None of these can be legal traffic, can it?

I go with my understanding above and the fact that a legit connection
would have to first establish that connection with the S flag set,
so testing S/SA would definitely allow all valid traffic even if the
source of it IS in the badguys table following that rule.

Even a sequence of lost connections or reset connections would need to
re-establish one using the sequence of S/SA flags, etc. and then be in
the state table and all is good, right?

So, in this configuration, it's impossible that any of the sampling
below is any good or valid traffic, right?


Jan 29 11:34:47.917944 rule 16/(match) block in on bge0:
82.233.201.137.3014 > xx.xx.xx.xx.80: F 0:0(0) ack 1 win 63932 op,timestamp 50433 3792622651> (DF) [tos 0x70]

Jan 29 11:35:48.814097 rule 16/(match) block in on bge0: 62.23.142.10.80
> xx.xx.xx.xx.80: . ack 0 win 1400 [tos 0x70]

Jan 29 11:44:41.023136 rule 16/(match) block in on bge0:
82.230.177.22.60232 > xx.xx.xx.xx.80: R 121139167:121139167(0) ack 2331710162 win 0 (DF) [tos 0x70]

Jan 29 12:44:44.269036 rule 16/(match) block in on bge0:
82.189.216.151.46702 > xx.xx.xx.xx.80: FP 1036024437:1036024705(268) ack 3791540179 win 5840  (DF) [tos 0x70]

Jan 29 13:00:21.671963 rule 16/(match) block in on bge0:
212.138.47.23.5943 > xx.xx.xx.xx.80: F 1:1(0) ack 1 win 65535 [tos 0x70]

Jan 29 13:05:11.674058 rule 16/(match) block in on bge0:
212.138.47.23.5943 > xx.xx.xx.xx.80: R 2:2(0) ack 1 win 65535 [tos 0x70]

Jan 29 16:58:09.030643 rule 16/(match) block in on bge0:
200.222.138.173.1450 > xx.xx.xx.xx.80: P 0:193(193) ack 1 win 8576 (DF) [tos 0x70]

Jan 29 18:52:55.017288 rule 16/(match) block in on bge0:
83.77.136.90.49491 > xx.xx.xx.xx.80: RE 3354073858:3354073858(0) win 16896 [tos 0x70]
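
An added example (not part of the original post): a Python parser for pflog lines in the tcpdump layout quoted above, separating packets that could open a new state under `flags S/SA` from packets that can only pass through an existing state entry. The sample log is constructed (documentation addresses, two SYN lines added for contrast), and wrapped lines are assumed to break at a space.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump-style layout of the excerpt above.
# Addresses are documentation ranges; the two SYN lines (to port 22) are
# added for contrast. Wrapped lines are assumed to break at a space.
SAMPLE_LOG = """\
Jan 29 11:34:47.917944 rule 16/(match) block in on bge0:
198.51.100.7.3014 > 192.0.2.10.80: F 0:0(0) ack 1 win 63932 (DF) [tos 0x70]

Jan 29 11:35:48.814097 rule 16/(match) block in on bge0: 198.51.100.8.80
> 192.0.2.10.80: . ack 0 win 1400 [tos 0x70]

Jan 29 11:44:41.023136 rule 16/(match) block in on bge0:
198.51.100.9.60232 > 192.0.2.10.80: R 121139167:121139167(0)
ack 2331710162 win 0 (DF) [tos 0x70]

Jan 29 12:01:02.000001 rule 16/(match) block in on bge0:
198.51.100.9.60233 > 192.0.2.10.22: S 4000:4000(0) win 16384 <mss 1460> (DF)

Jan 29 12:01:03.000001 rule 16/(match) block in on bge0:
198.51.100.9.60234 > 192.0.2.10.22: S 5000:5000(0) ack 1 win 16384

Jan 29 18:52:55.017288 rule 16/(match) block in on bge0:
198.51.100.12.49491 > 192.0.2.10.80: RE 3354073858:3354073858(0) win 16896
[tos 0x70]
"""

# A new log entry starts with "Mon DD HH:MM:SS.usec rule ".
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ rule ")
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) (?P<rest>.*)$"
)


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their log entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def classify(entry):
    """Return the parsed fields plus a 'kind', or None if the line does not parse."""
    m = ENTRY.match(entry)
    if m is None:
        return None
    syn = "S" in m["flags"]
    # This tcpdump layout prints ACK as the keyword "ack N", not as a flag letter.
    ack = re.search(r"\back \d+", m["rest"]) is not None
    if syn and not ack:
        kind = "opens-state"   # SYN set, ACK clear: what "flags S/SA" matches
    elif syn:
        kind = "syn-ack"       # SYN and ACK: not matched by "flags S/SA"
    else:
        kind = "needs-state"   # no SYN: passes only via an existing state entry
    host, _, port = m["src"].rpartition(".")
    return {
        "rule": int(m["rule"]),
        "src": host,
        "sport": int(port),
        "dst": m["dst"],
        "flags": m["flags"].replace(".", "") + ("A" if ack else ""),
        "kind": kind,
    }


def summarize(text):
    """Parse a whole log excerpt; return (rows, Counter of kinds)."""
    rows = [r for r in map(classify, unwrap(text)) if r]
    return rows, Counter(r["kind"] for r in rows)


if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_LOG)
    for r in rows:
        print(f'{r["src"]:>15}:{r["sport"]:<5} -> {r["dst"]:<16} '
              f'{r["flags"] or "-":<3} {r["kind"]}')
    print(dict(counts))
```
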



Re: Port Question

2006-01-29 Thread Daniel Ouellet

Dave Feustel wrote:
> PF works GREAT!
>
> Here is a list of ports that have had data sent to them today.
> The 2nd number is the number of packets dropped.
> Is there anything in the list that I should pay particular attention to?
>
> Thanks,
> Dave Feustel
>
> 23 104 telnet 23/udp Telnet
> 31 3 msg-auth 31/udp MSG Authentication
> 34 4 # 34/udp Unassigned
> 35 3 35/udp any private printer server
> 50 8 re-mail-ck 50/udp Remote Mail Checking Protocol
> 290 12
> 296 12
> 349 18 mftp 349/udp mftp
> 376 3 nip 376/udp Amiga Envoy Network Inquiry Proto
> 377 8 tnETOS 377/udp NEC Corporation
> 380 1 is99s 380/udp TIA/EIA/IS-99 modem server
> 487 5 saft 487/udp saft Simple Asynchronous File Transfer
> 490 2 micom-pfs 490/udp micom-pfs
> 495 2 intecourier 495/udp intecourier
> 496 2 pim-rp-disc 496/udp PIM-RP-DISC
> 525 5 timed 525/udp timeserver
> 900 1 omginitialrefs 900/udp OMG Initial Refs
> 906 8
> 921 5


Hi Dave,

Excuse me for asking it like this, but shouldn't you know the services you
are running on your box and as such allow traffic to these ports, instead
of asking: here are the ports that receive traffic, and what should I do
about them?

The first thing in trying to protect your server(s) with PF is to actually
know what services you run, or want to run on that box, then you allow
traffic to these ports and only these ports...

Maybe I am out of line, but it looks to me that you need to take a hard
look at what you want to run on that box and block the rest, and in the
end, so what if someone scans all the 65K ports on your box and you see
them in your logs; if they are blocked properly and you run nothing on
them, why even care if someone tests them?

If I was paranoid, I would actually look at the traffic I allow in, in
some sensitive ports if I care about it, to see if something that I
should limit more on them should be done. For the rest, why care, they
are blocked and that's the end of them!

If you want to be very paranoid, then not only block incoming ports, but
also all outgoing ports and only allow specific ports that you know
should be allowed out. The reason for this would be that if, for example,
your box, if running php for example, gets compromised on the php side and
then tries to connect to another web server and you know it is not supposed
to, then blocking connections going out to port 80 would reduce your risk
even more on that box and, by doing so, will even reduce the risk of
compromise via php if connection out from your server is not allowed to
port 80.

It is a bit harder to put in place, but again if you have a security plan,
then you know what type of traffic you are supposed to have and the
excuse to say that my traffic is very complex, so blocking outgoing
traffic wouldn't stand, as that's an excuse used many times simply because
one doesn't know their own requirements.

PF allows you amazing control and even limits as well on specific traffic
if you like that, so pushing it to the limits would be interesting, but
it is so flexible that I would be surprised if you ever would reach it!

Anyway, block all, allow what you have services running on, block
outgoing if you like on things that shouldn't be there, and sleep well!

The rest, who cares what someone tries to access from your box if the
filters are well designed!

So, you design them for what you run, right!?

Have fun.

Daniel




Re: Port Question

2006-01-29 Thread David Higgs
Why not use netstat(1) and figure out for yourself if you'd otherwise
be accepting traffic on any of those ports?  Also, if this is
non-essential traffic being dropped (and you aren't being DoS'd)
there's no reason to care about it.

--david

On 1/29/06, Dave Feustel <[EMAIL PROTECTED]> wrote:
> PF works GREAT!
>
> Here is a list of ports that have had data sent to them today.
> The 2nd number is the number of packets dropped.
> Is there anything in the list that I should pay particular attention to?
>
> Thanks,
> Dave Feustel
>
> 23 104 telnet 23/udp Telnet
> 31 3 msg-auth 31/udp MSG Authentication
> 34 4 # 34/udp Unassigned
> 35 3 35/udp any private printer server
> 50 8 re-mail-ck 50/udp Remote Mail Checking Protocol
> 290 12
> 296 12
> 349 18 mftp 349/udp mftp
> 376 3 nip 376/udp Amiga Envoy Network Inquiry Proto
> 377 8 tnETOS 377/udp NEC Corporation
> 380 1 is99s 380/udp TIA/EIA/IS-99 modem server
> 487 5 saft 487/udp saft Simple Asynchronous File Transfer
> 490 2 micom-pfs 490/udp micom-pfs
> 495 2 intecourier 495/udp intecourier
> 496 2 pim-rp-disc 496/udp PIM-RP-DISC
> 525 5 timed 525/udp timeserver
> 900 1 omginitialrefs 900/udp OMG Initial Refs
> 906 8
> 921 5
>
> --
> Lose, v., experience a loss, get rid of, "lose the weight"
> Loose, adj., not tight, let go, free, "loose clothing"
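
The netstat(1) comparison suggested above, as an added example that is not part of the original message: Python that reads Dave's dropped-port list and a constructed `netstat -an` listing, and reports which dropped ports have a non-loopback socket bound behind the filter. The BSD `address.port` layout of the listing is an assumption about the local output, and matching is by port number only, also an assumption, since the list gives counts per port rather than per protocol.

```python
# Dave's list from the thread: port, packets dropped, then a services lookup.
DROPPED_PORTS = """\
23 104 telnet 23/udp Telnet
31 3 msg-auth 31/udp MSG Authentication
34 4 # 34/udp Unassigned
35 3 35/udp any private printer server
50 8 re-mail-ck 50/udp Remote Mail Checking Protocol
290 12
296 12
349 18 mftp 349/udp mftp
376 3 nip 376/udp Amiga Envoy Network Inquiry Proto
377 8 tnETOS 377/udp NEC Corporation
380 1 is99s 380/udp TIA/EIA/IS-99 modem server
487 5 saft 487/udp saft Simple Asynchronous File Transfer
490 2 micom-pfs 490/udp micom-pfs
495 2 intecourier 495/udp intecourier
496 2 pim-rp-disc 496/udp PIM-RP-DISC
525 5 timed 525/udp timeserver
900 1 omginitialrefs 900/udp OMG Initial Refs
906 8
921 5
"""

# Constructed `netstat -an` output (not from the thread), BSD address.port layout.
NETSTAT_AN = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          198.51.100.20.51514    ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.23                   *.*                    LISTEN
udp          0      0  *.514                  *.*
udp          0      0  127.0.0.1.525          *.*
"""


def parse_dropped(text):
    """Map port -> dropped packet count from the 'port count ...' list."""
    dropped = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and fields[1].isdigit():
            dropped[int(fields[0])] = int(fields[1])
    return dropped


def listening_sockets(text):
    """Return (proto, host, port) for TCP listeners and unconnected UDP sockets."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # banner and column header lines
        proto, local, foreign = f[0], f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established or closing connections are not listeners
        if proto.startswith("udp") and foreign != "*.*":
            continue  # connected UDP socket, not a service waiting for traffic
        host, _, port = local.rpartition(".")
        if port.isdigit():
            socks.append((proto, host, int(port)))
    return socks


def is_loopback(host):
    return host.startswith("127.") or host == "::1"


def exposed_if_unfiltered(dropped, socks):
    """Dropped ports that a non-loopback socket would be accepting traffic on."""
    hits = {}
    for proto, host, port in socks:
        if port in dropped and not is_loopback(host):
            count, where = hits.get(port, (dropped[port], []))
            where.append(f"{proto} {host}.{port}")
            hits[port] = (count, where)
    return hits


if __name__ == "__main__":
    dropped = parse_dropped(DROPPED_PORTS)
    hits = exposed_if_unfiltered(dropped, listening_sockets(NETSTAT_AN))
    for port, (count, where) in sorted(hits.items()):
        print(f"port {port}: {count} packets dropped, bound by {', '.join(where)}")
    if not hits:
        print("no dropped port has a listener behind the filter")
```
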



Port Question

2006-01-29 Thread Dave Feustel
PF works GREAT!

Here is a list of ports that have had data sent to them today.
The 2nd number is the number of packets dropped.
Is there anything in the list that I should pay particular attention to?

Thanks,
Dave Feustel

23 104 telnet 23/udp Telnet
31 3 msg-auth 31/udp MSG Authentication
34 4 # 34/udp Unassigned
35 3 35/udp any private printer server
50 8 re-mail-ck 50/udp Remote Mail Checking Protocol
290 12
296 12
349 18 mftp 349/udp mftp
376 3 nip 376/udp Amiga Envoy Network Inquiry Proto
377 8 tnETOS 377/udp NEC Corporation
380 1 is99s 380/udp TIA/EIA/IS-99 modem server
487 5 saft 487/udp saft Simple Asynchronous File Transfer
490 2 micom-pfs 490/udp micom-pfs
495 2 intecourier 495/udp intecourier
496 2 pim-rp-disc 496/udp PIM-RP-DISC
525 5 timed 525/udp timeserver
900 1 omginitialrefs 900/udp OMG Initial Refs
906 8
921 5

-- 
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"



New wafter release.

2006-01-29 Thread ober

Wafter 1.4 is out.
I have added initial OS detection for SYN packets.
Cleaned up the code, fixed some issues with
dropping valid RST packets.
http://www.linbsd.org/wafter.c

Again, this is just experimental code I use to learn.
Understand what it does before putting it on anything you consider 
important.



-Ober

Richard Chesler: [Reading a piece of paper] The first rule of Fight Club is you 
don't talk about Fight Club?
Narrator: [Voice-over] I'm half asleep again; I must've left the original in 
the copy machine.
Richard Chesler: The second rule of Fight Club - is this yours?
Narrator: Huh?
Richard Chesler: Pretend you're me, make a managerial decision: you find this, 
what would you do?



Re: SATA support in 3.8

2006-01-29 Thread Stuart Henderson
On 2006/01/29 17:27, David Wilk wrote:
> I had found the hardware list for pciide, and attempted to match up actual
> product model numbers with the chipset numbers listed, but found very little
> in the way of useful information.

On this type of cheap, generic product, there are uncountable brands
and there's every chance that they'll switch supplier without changing
what's printed on the box, so knowing what's worked for one person
might not help you anyway.

How about buying from somewhere that will tell you or let you see what's
printed on the chips, or somewhere that lets you return if it's no good?
A few minutes with a product search engine (froogle etc) should find at
least some vendors that tell you what they're selling in sufficient
detail.



Re: SATA support in 3.8

2006-01-29 Thread David Wilk
Thanks everyone for the great info.  I'm not, in fact, interested in RAID
support offered by the hardware, just plain-jane SATA.

I had found the hardware list for pciide, and attempted to match up actual
product model numbers with the chipset numbers listed, but found very little
in the way of useful information.  I even contacted promise, but they
haven't been a whole lot of help.

In the absence of some sort of hardware matrix that would match these two
numbers up, I was hoping the OpenBSD community might have some promise SATA
cards that are known to work and would be able to provide the model numbers
of those cards.  I know none of the SATA II cards are supported, but I don't
have any info on the first-gen of promise SATA cards.

If anyone knows any specific model numbers that would really help out a lot,
thanks!

or, if anyone has any specific recommendations for add-on SATA cards
(promise or otherwise) I'd love to hear it.

thanks!

On 1/29/06, Jonathan Gray <[EMAIL PROTECTED]> wrote:
>
> On Sun, Jan 29, 2006 at 04:43:18PM -0600, L. V. Lammert wrote:
> > At 03:28 PM 1/29/2006 -0700, David Wilk wrote:
> > >Howdy all, I was just wondering what SATA support was like in 3.8.
> > >Specifically, are there any promise controller add-in cards (as opposed
> to
> > >built-in to mobo) that anyone would recommend?  Or, are things as they
> were
> > >in May of '05 when Theo was less than enthused with then-current SATA
> > >support:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=111390018104270&w=2
> >
> > A number of MBs support SATA (e.g. ASUS, which we have been using since
> > 3.7), .. however, to my knowledge, Promise has never released anything
> but
> > fake driver-required devices which will not be supported.
>
> In terms of Promise SATA support any card incorporating a
> PDC20318/PDC20319/PDC20371/PDC20375/PDC20376/PDC20377/PDC20378/PDC20379
> chip should work fine.



Re: A small patch to make "input" style in license.template consistent

2006-01-29 Thread Nick Guenther
On 1/29/06, Rod.. Whitworth <[EMAIL PROTECTED]> wrote:
> A legal pedant once informed me that "(c)" is not a valid copyright
> mark. He says that the only valid marks are the C-in-a-circle character
> or "(copr)".
>
> It probably isn't uniform but the Berne Convention may have some rules.
>
> As usual IANAL so do your own checking but I'd hate to see somebody
> doing truly free software losing his/her rights over a tiny detail if
> the message I had was correct.
>

I thought that the Berne convention said that anything you make (or
perhaps just anything you publish? But that's a technicality since
showing a friend your code could count as publishing) is automatically
copyright'd by you. Putting copyright notice is just that: a notice.
It's helpful in enforcing your copyright if the issue comes up, but
it's not required.

-Nick



Re: A small patch to make "input" style in license.template consistent

2006-01-29 Thread Rod.. Whitworth
On Sun, 29 Jan 2006 10:12:28 -0300, Andrés Delfino wrote:

>Maybe it may help someone, :P
>
>--- license.template   Tue Jun  3 19:37:00 2003
>+++ license.template.1  Sun Jan 29 10:00:22 2006
>@@ -5,11 +5,14 @@
> should be separated by a comma, e.g.
> Copyright (c) 2003, 2004
>
>+Note that less than and greater than signs below MUST be removed;
>+they are there for you to enter your own information.
>+
> If you add extra text to the body of the license, be careful not to
> add further restrictions.
>
> /*
>- * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
>+ * Copyright (c)   
>  *
>  * Permission to use, copy, modify, and distribute this softwae for any
>  * purpose with or without fee is hereby granted, provided that the above
>
>
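
Review bot: The added note near the top of the hunk says the less-than and greater-than signs "MUST be removed", but the line being replaced wrote the e-mail address inside angle brackets, which is the usual form in a copyright line, so the note should say which brackets are placeholders and which, if any, stay. The replacement Copyright line as shown here carries nothing after "(c)", so the placeholders the note refers to cannot be checked from this copy. The context line "distribute this softwae for any" also has a typo that could be fixed while the file is being touched.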

A legal pedant once informed me that "(c)" is not a valid copyright
mark. He says that the only valid marks are the C-in-a-circle character
or "(copr)".

It probably isn't uniform but the Berne Convention may have some rules.

As usual IANAL so do your own checking but I'd hate to see somebody
doing truly free software losing his/her rights over a tiny detail if
the message I had was correct.

From the land "down under": Australia.
Do we look  from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: SATA support in 3.8

2006-01-29 Thread Jonathan Gray
On Sun, Jan 29, 2006 at 04:43:18PM -0600, L. V. Lammert wrote:
> At 03:28 PM 1/29/2006 -0700, David Wilk wrote:
> >Howdy all, I was just wondering what SATA support was like in 3.8.
> >Specifically, are there any promise controller add-in cards (as opposed to
> >built-in to mobo) that anyone would recommend?  Or, are things as they were
> >in May of '05 when Theo was less than enthused with then-current SATA
> >support: http://marc.theaimsgroup.com/?l=openbsd-misc&m=111390018104270&w=2
> 
> A number of MBs support SATA (e.g. ASUS, which we have been using since 
> 3.7), .. however, to my knowledge, Promise has never released anything but 
> fake driver-required devices which will not be supported.

In terms of Promise SATA support any card incorporating a
PDC20318/PDC20319/PDC20371/PDC20375/PDC20376/PDC20377/PDC20378/PDC20379
chip should work fine.



Re: SATA support in 3.8

2006-01-29 Thread Stuart Henderson
On 2006/01/29 16:43, L. V. Lammert wrote:
> At 03:28 PM 1/29/2006 -0700, David Wilk wrote:
> >Howdy all, I was just wondering what SATA support was like in 3.8.
> >Specifically, are there any promise controller add-in cards (as opposed to
> >built-in to mobo) that anyone would recommend?  Or, are things as they were
> >in May of '05 when Theo was less than enthused with then-current SATA
> >support: http://marc.theaimsgroup.com/?l=openbsd-misc&m=111390018104270&w=2
> 
> A number of MBs support SATA (e.g. ASUS, which we have been using since 
> 3.7), .. however, to my knowledge, Promise has never released anything but 
> fake driver-required devices which will not be supported.

There are some SATA Promise controllers listed on pciide(4) and the
hardware lists on the platform pages (www.openbsd.org/i386.html etc:
the Promise ones aren't specifically listed as SATA, but a quick
search on the model numbers will confirm that some of them are).
Sometimes you may need to play with BIOS settings to make them work.

The bios-assisted-software-mirroring "RAID" controllers should show
up as plain sata controllers that you can use with ccd or raidframe.

(this doesn't say whether or not they're still finicky and buggy, though).



Re: SATA support in 3.8

2006-01-29 Thread L. V. Lammert

At 03:28 PM 1/29/2006 -0700, David Wilk wrote:
> Howdy all, I was just wondering what SATA support was like in 3.8.
> Specifically, are there any promise controller add-in cards (as opposed to
> built-in to mobo) that anyone would recommend?  Or, are things as they were
> in May of '05 when Theo was less than enthused with then-current SATA
> support: http://marc.theaimsgroup.com/?l=openbsd-misc&m=111390018104270&w=2

A number of MBs support SATA (e.g. ASUS, which we have been using since 
3.7), .. however, to my knowledge, Promise has never released anything but 
fake driver-required devices which will not be supported.


Lee



RAIDframe stability and reliability

2006-01-29 Thread David Wilk
I know RAIDframe is not in GENERIC, but I was wondering if anyone could
speak to the stability and reliability of RAIDframe in 3.8.  I find myself
really wanting to use software RAID 1 and haven't had any problems in
testing thus far.

Any experiences would be good to hear.

thanks!



SATA support in 3.8

2006-01-29 Thread David Wilk
Howdy all, I was just wondering what SATA support was like in 3.8.
Specifically, are there any promise controller add-in cards (as opposed to
built-in to mobo) that anyone would recommend?  Or, are things as they were
in May of '05 when Theo was less than enthused with then-current SATA
support: http://marc.theaimsgroup.com/?l=openbsd-misc&m=111390018104270&w=2

Any pointers would be most welcome.


thanks!



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Alexander Bochmann
...on Sun, Jan 29, 2006 at 07:38:50PM +0100, Alexander Bochmann wrote:

 > The other standard advice is to recompile at least 
 > libssl with -mcpu=supersparc, otherwise you won't 

Sorry, that's crap - the SS1+ doesn't have 
a supersparc CPU.

Alex.



Re: Wireless signal strength/quality on Ralink card?

2006-01-29 Thread Jonathan Gray
On Sun, Jan 29, 2006 at 04:15:22PM +0100, Jonas Fischer wrote:
> How do I see the wireless signal strength/quality on a ral interface in 
> OpenBSD 3.8?
> wicontrol and ancontrol do not support ral interface and ifconfig does 
> not show it. :-(

ifconfig -M ral0 if you are associated to an access point.

tcpdump -i ral0 -y IEEE802_11_RADIO otherwise.



Can't set timezone in KDE - only UTC is shown

2006-01-29 Thread Alexander Farber
Hi,

does anybody please know, why can't I set timezone in KDE?
When I right-click on the clock -> Show timezone -> Configure timezones
then there is only one timezone - UTC. And the KDE clock is off by 1h.

At the same time I think the clock is ok on my laptop:

laptop:afarber {517} grep -i timezone /sys/arch/i386/conf/GENERIC.laptop
option  "TIMEZONE=-60"

laptop:afarber {520} date
Sun Jan 29 19:50:56 CET 2006

laptop:afarber {521} ll /etc/localtime
0 lrwxr-xr-x  1 root  wheel  33 Jan 17 19:57 /etc/localtime ->
/usr/share/zoneinfo/Europe/Berlin

Do I miss some KDE package? Here is what I have installed:

laptop:afarber {515} pkg_info |grep -i kde
kde-i18n-de-3.5.0   de translations for KDE
kde-i18n-ru-3.5.0   ru translations for KDE
kdeartwork-3.5.0p0  K Desktop Environment, additional artwork
kdebase-3.5.0p0 K Desktop Environment, basic applications
kdegames-3.5.0p0K Desktop Environment, games
kdegraphics-3.5.0p0 K Desktop Environment, graphic applications
kdelibs-3.5.0p0 K Desktop Environment, libraries
kdeutils-3.5.0p0K Desktop Environment, utilities
koffice-1.4.2   office suite for KDE
koffice-i18n-de-1.4.2 de translations for KDE
koffice-i18n-ru-1.4.2 ru translations for KDE

The clock in gkrellm shows correct time (same as `date`).

Regards
Alex

OpenBSD 3.9-beta (GENERIC.laptop) #1: Sun Jan 29 10:44:24 CET 2006
[EMAIL PROTECTED]:/sys/arch/i386/compile/GENERIC.laptop
cpu0: Intel(R) Pentium(R) M processor 1600MHz ("GenuineIntel"
686-class) 1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,EST,TM2
cpu0: Enhanced SpeedStep 1600 MHz (1484 mV): speeds: 1600, 1400, 1200,
1000, 800, 600 MHz
real mem  = 53588 (523112K)
avail mem = 481779712 (470488K)
using 4278 buffers containing 26886144 bytes (26256K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(64) BIOS, date 04/19/05, BIOS32 rev. 0 @ 0xfd750
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6e0/0x920
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000
0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82855PE Hub" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82855PE AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M9 Lf" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x81
pci2 at ppb1 bus 2
cbb0 at pci2 dev 0 function 0 "Texas Instruments PCI4520 CardBus" rev
0x01: irq 11
cbb1 at pci2 dev 0 function 1 "Texas Instruments PCI4520 CardBus" rev
0x01: irq 11
em0 at pci2 dev 1 function 0 "Intel PRO/1000MT (82540EP)" rev 0x03:
irq 11, address 00:0d:60:fc:c3:c6
iwi0 at pci2 dev 2 function 0 "Intel PRO/Wireless 2200BG" rev 0x05:
irq 11, address 00:15:00:23:e2:9c
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x01: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x01: irq
11, ICH4 AC97
ac97: codec

Re: fsck_msdos misdetects corruption

2006-01-29 Thread Nick Guenther
> [:430] and [DOSBOOTBLOCKSIZE-6:], skipping the string space.

Er, sorry, I meant 4 bytes.

-Nick



Re: fsck_msdos misdetects corruption

2006-01-29 Thread Nick Guenther
The OpenBSD and NetBSD code is apparently incorrect, from my tests. I modified 
boot.c to dump the blocks to a file, then dissected them with python (yay 
python). What I found, at least in my case, is that the blocks are identical up 
to byte 430. From there to 6 bytes to the end (ie until byte 512-6) they differ 
(well, ignoring the nulls just there for padding). All they contain is error 
messages to display to the user (one is "Remove disks or other 
media.\xFF\r\nDisk  error\xFF\r\nPress any key to restart\r\n" and the other is 
"NTLDR is missing\xFF\r\nDisk error\xFF\r\nPress any key to restart\r\n").

So I submit this patch which hard codes these limits (ick, I know, but other 
parts of the code already hard code locations)  by only checking [:430] and 
[DOSBOOTBLOCKSIZE-6:], skipping the string space.
I might be off by 1 somewhere, so a second pair of eyes doing a quick check 
would be good.

159c159,161
<   if (memcmp(block, backup, DOSBOOTBLOCKSIZE)) {
---
>   if (memcmp(block, backup, 429) ||
> memcmp(block+(DOSBOOTBLOCKSIZE-4), backup+(DOSBOOTBLOCKSIZE-4), 4)) { 
> //used to be: DOSBOOTBLOCKSIZE, changed to accomodate scandisk.exe stashing 
> error messages near the end of the boot block without updating the backup 
> fully
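Review bot: The first memcmp() compares 429 bytes, but the description says the blocks match over [:430], so byte 429 is never checked; this looks like the off-by-one the message asks about, and the length should be 430 if the text is right. Everything between that prefix and the final 4 bytes is now skipped, so a genuine mismatch in that range goes unreported; consider printing a warning for it instead of staying silent. The literals 429 and 4 would be clearer as named constants next to DOSBOOTBLOCKSIZE, and the trailing // comment has wrapped onto several added lines, so only its first line is actually inside the comment; a short /* */ comment above the if would be safer.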



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Alexander Bochmann
...on Sun, Jan 29, 2006 at 02:14:38PM +0200, Gabriel George POPA wrote:

 >   I'm wondering if OpenBSD 3.8 will work on a SPARCSTATION 1+ computer. 
 > Does anyone have a toy like this running OpenBSD?

Not currently, but I had an SS1+ under OpenBSD until 
about 3.2 (I think). Everything should work fine, 
but don't try to use ffs softupdates (see 
http://www.openbsd.org/faq/faq14.html#SoftUpdates).

The other standard advice is to recompile at least 
libssl with -mcpu=supersparc, otherwise you won't 
have much fun with ssh on this box (I rebuilt the 
whole system with that switch, but then that doesn't 
mean it works for anyone else).

Alex.



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread David Coppa

Gabriel George POPA wrote:
> Hello all,

... snip ...

> And another problem: it seems to have AUI ethernet. What kind of adapter 
> (if any) can I find in order to use it's interface (AUI) with
> a common 100BaseT switch?


http://www.dlink.ca/product.php?PID=245

I use this D-Link DE-853 on my VAXstation 4000/90

Bye,
David



Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread Joachim Schipper
On Sun, Jan 29, 2006 at 03:19:31PM +0100, Marco Fretz wrote:
> hello
> 
> thanks again!
> 
> ok, i agree my solution sounds not very simple =)
> 
> i never made something with carp. i will see the manpage and will try to
> find and read some docs.
> 
> what i really don't understand is: how can carp do loadbalancing. if i
> get an arp answer from the first router, the next request for this ip
> will go to the same address. so carp has to do "mac faking"? is carp
> "flooding" the subnet with random mac addresses for the same ip?

My understanding is that the following happens, if we have a CARPed
address $FW:

$CLIENT has a (default?) gateway for IP traffic set to $FW. When the
kernel receives a request to send a packet to a host on the relevant
subnet, a quick routing table lookup yields that this should be sent to
the physical (MAC) address associated with the IP address $FW. So,
$CLIENT tries to look up the MAC associated with $FW, finds nothing, and
sends an ARP query to find out who has $FW.

The hosts $FW1, $FW2, and $FW3, which together handle the CARPed address
$FW, see this query, and notice from which host it comes. Now, all three
perform some calculation, which tells them that, for example, $FW2
should handle requests from this host.

Now, $FW2 answers the ARP query, and all traffic from $CLIENT is
henceforth sent to $FW2.

Of course, this is a simplification, as the above does not fail over. In
fact, each of $FW[1-3] is a CARPed address (but without arpbalance, so
it acts as CARPed addresses typically do - communicating to find out
which is master, and the master then responds to ARP requests for the
CARPed address, as well as packets destined for that address).

Joachim

> On Sunday, 29.01.2006, at 13:59 +, tony sarendal wrote:
> > On 29/01/06, Marco Fretz <[EMAIL PROTECTED]> wrote:
> > > is there something that i can do with carp? or how is a router cluster
> > > to realise? the problem is, i dont want a fail over, i need performance.
> > 
> > 
> > If you expect the traffic pattern to be from many to many directly connected
> > hosts you can let carp handle loadsharing
> > 
> > carp man page:
> >  net.inet.carp.arpbalance    Balance local traffic using ARP.  Disabled
> > by

> > I would keep it simple. Put all boxes on all lans and use carp.
> > IP routing is unidirectional, traffic from A->B doesn't have to go over the
> > same box
> > as traffic B->A. With three boxes you can get speed and be pretty
> > resilient also.
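
The ARP balancing described in the reply above, as an added example that is not part of the thread and is not OpenBSD code: three boxes each see the same ARP query, each does the same calculation, and only the master of the chosen CARP group answers. The box names, advskew values, client addresses and the modulo hash are assumptions made for the illustration, and the election is reduced to "lowest advskew among live boxes wins".

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

VHIDS = [1, 2, 3]                                    # constructed: one CARP group per box
CLIENTS = [f"10.6.0.{n}" for n in range(1, 255)]     # constructed client addresses


@dataclass
class Box:
    name: str
    advskew: dict        # vhid -> advskew for that group
    alive: bool = True


def make_cluster():
    """Three boxes, each preferred master of one group and backup for the other two."""
    return [
        Box("fw1", {1: 0, 2: 100, 3: 200}),
        Box("fw2", {1: 200, 2: 0, 3: 100}),
        Box("fw3", {1: 100, 2: 200, 3: 0}),
    ]


def virtual_mac(vhid):
    # CARP answers with a per-group virtual MAC: 00:00:5e:00:01:<vhid>
    return "00:00:5e:00:01:%02x" % vhid


def pick_vhid(client_ip):
    """The calculation every box performs on its own for an incoming ARP query.

    Assumption: the client address as an integer, modulo the number of groups,
    stands in for whatever hash the kernel really uses. What matters is that
    all boxes get the same answer without talking to each other.
    """
    return VHIDS[int(ipaddress.ip_address(client_ip)) % len(VHIDS)]


def master_of(vhid, boxes):
    """Simplified election: the live box with the lowest advskew is master."""
    live = [b for b in boxes if b.alive]
    return min(live, key=lambda b: b.advskew[vhid]) if live else None


def arp_replies(client_ip, boxes):
    """Every live box sees the broadcast; only the chosen group's master replies."""
    vhid = pick_vhid(client_ip)
    return [(b.name, virtual_mac(vhid)) for b in boxes
            if b.alive and master_of(vhid, boxes) is b]


def load(boxes, clients):
    """Number of clients whose gateway traffic lands on each box."""
    counts = Counter()
    for client in clients:
        for name, _mac in arp_replies(client, boxes):
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    boxes = make_cluster()
    print("all boxes up :", load(boxes, CLIENTS))
    print("10.6.0.3 ->", arp_replies("10.6.0.3", boxes))
    boxes[1].alive = False                           # fw2 goes away
    print("fw2 down     :", load(boxes, CLIENTS))
    # Same virtual MAC as before, so the client's ARP cache entry stays valid.
    print("10.6.0.3 ->", arp_replies("10.6.0.3", boxes))
```

When fw2 fails, its clients keep the MAC they already cached and fw1 starts answering for it, which is the failover half of the description.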



Re: A small patch to make "input" style in license.template consistent

2006-01-29 Thread Andrés Delfino
Should I do that diff then?

On 1/29/06, Jasper Lievisse Adriaanse <[EMAIL PROTECTED]> wrote:
> On Sun, 29 Jan 2006 12:35:56 -0300
> Andrés Delfino <[EMAIL PROTECTED]> wrote:
>
> > Or... somehow I changed that word when sending the message. Anyway,
> > this is the correct diff:
> >
> > --- license.templateTue Jun  3 19:37:00 2003
> > +++ license.template.1  Sun Jan 29 12:33:55 2006
> > @@ -5,11 +5,14 @@
> >  should be separated by a comma, e.g.
> >  Copyright (c) 2003, 2004
> >
> > +Note that less than and greater than signs below must be removed;
> > +they are there for you to enter your own information.
> > +
> >  If you add extra text to the body of the license, be careful not to
> >  add further restrictions.
> >
> >  /*
> > - * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
> > + * Copyright (c)   
> >   *
> >   * Permission to use, copy, modify, and distribute this software for any
> >   * purpose with or without fee is hereby granted, provided that the above
>
> Could you please quote under the message?
>
> anyway, it's much easier to use the "cvs diff" command if you're diffing
> against files that are in a repository.
>
> >
> > On 1/29/06, Jasper Lievisse Adriaanse <[EMAIL PROTECTED]> wrote:
> > > On Sun, 29 Jan 2006 07:17:23 -0800
> > > Andrés Delfino <[EMAIL PROTECTED]> wrote:
> > >
> > > > yes, I haven't that typo in the original file, sorry, :P
> > > Well, how come it didn't show up the diff?
> > > You didn't diff against the original then.
> > >
> > > >
> > > > On 1/29/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > > > On Sun, Jan 29, 2006 at 10:12:28AM -0300, Andrés Delfino wrote:
> > > > > > Maybe it may help someone, :P
> > > > > >
> > > > > > --- license.template   Tue Jun  3 19:37:00 2003
> > > > > > +++ license.template.1  Sun Jan 29 10:00:22 2006
> > > > > > @@ -5,11 +5,14 @@
> > > > > >  should be separated by a comma, e.g.
> > > > > >  Copyright (c) 2003, 2004
> > > > > >
> > > > > > +Note that less than and greater than signs below MUST be removed;
> > > > > > +they are there for you to enter your own information.
> > > > > > +
> > > > > >  If you add extra text to the body of the license, be careful not to
> > > > > >  add further restrictions.
> > > > > >
> > > > > >  /*
> > > > > > - * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
> > > > > > + * Copyright (c)   
> > > > > >   *
> > > > > >   * Permission to use, copy, modify, and distribute this softwae 
> > > > > > for any
> > > > > ^^
> > > > > This typo is not there on my system (3.8-stable); I hope you added it
> > > > > somehow?
> > > > >
> > > > > Joachim
> > > >
> > >
> > >
> > > --
> > > "Security is decided by quality" -- Theo de Raadt
> > >
> > >
> > >
>
>
> --
> "Security is decided by quality" -- Theo de Raadt



Re: A small patch to make "input" style in license.template consistent

2006-01-29 Thread Andrés Delfino
Or... somehow I changed that word when sending the message. Anyway,
this is the correct diff:

--- license.templateTue Jun  3 19:37:00 2003
+++ license.template.1  Sun Jan 29 12:33:55 2006
@@ -5,11 +5,14 @@
 should be separated by a comma, e.g.
 Copyright (c) 2003, 2004

+Note that less than and greater than signs below must be removed;
+they are there for you to enter your own information.
+
 If you add extra text to the body of the license, be careful not to
 add further restrictions.

 /*
- * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
+ * Copyright (c)   
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
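Review bot: The replacement line "+ * Copyright (c)" shows nothing after "(c)" in this copy, so the fields that the new note calls "less than and greater than signs below" cannot be checked here; confirm that the line still carries a year, name and address placeholder before this goes in. The note would also read more clearly if it said that each bracketed field, brackets included, is to be replaced with your own information, since "must be removed" on its own suggests deleting only the signs and leaving the placeholder text.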

On 1/29/06, Jasper Lievisse Adriaanse <[EMAIL PROTECTED]> wrote:
> On Sun, 29 Jan 2006 07:17:23 -0800
> Andrés Delfino <[EMAIL PROTECTED]> wrote:
>
> > yes, I haven't that typo in the original file, sorry, :P
> Well, how come it didn't show up the diff?
> You didn't diff against the original then.
>
> >
> > On 1/29/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > On Sun, Jan 29, 2006 at 10:12:28AM -0300, Andrés Delfino wrote:
> > > > Maybe it may help someone, :P
> > > >
> > > > --- license.template   Tue Jun  3 19:37:00 2003
> > > > +++ license.template.1  Sun Jan 29 10:00:22 2006
> > > > @@ -5,11 +5,14 @@
> > > >  should be separated by a comma, e.g.
> > > >  Copyright (c) 2003, 2004
> > > >
> > > > +Note that less than and greater than signs below MUST be removed;
> > > > +they are there for you to enter your own information.
> > > > +
> > > >  If you add extra text to the body of the license, be careful not to
> > > >  add further restrictions.
> > > >
> > > >  /*
> > > > - * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
> > > > + * Copyright (c)   
> > > >   *
> > > >   * Permission to use, copy, modify, and distribute this softwae for any
> > > ^^
> > > This typo is not there on my system (3.8-stable); I hope you added it
> > > somehow?
> > >
> > > Joachim
> >
>
>
> --
> "Security is decided by quality" -- Theo de Raadt



Re: A small patch to make "input" style in license.template consistent

2006-01-29 Thread Andrés Delfino
yes, I haven't that typo in the original file, sorry, :P

On 1/29/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Sun, Jan 29, 2006 at 10:12:28AM -0300, Andrés Delfino wrote:
> > Maybe it may help someone, :P
> >
> > --- license.template   Tue Jun  3 19:37:00 2003
> > +++ license.template.1  Sun Jan 29 10:00:22 2006
> > @@ -5,11 +5,14 @@
> >  should be separated by a comma, e.g.
> >  Copyright (c) 2003, 2004
> >
> > +Note that less than and greater than signs below MUST be removed;
> > +they are there for you to enter your own information.
> > +
> >  If you add extra text to the body of the license, be careful not to
> >  add further restrictions.
> >
> >  /*
> > - * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
> > + * Copyright (c)   
> >   *
> >   * Permission to use, copy, modify, and distribute this softwae for any
> ^^
> This typo is not there on my system (3.8-stable); I hope you added it
> somehow?
>
>   Joachim



Wireless signal strength/quality on Ralink card?

2006-01-29 Thread Jonas Fischer
How do I see the wireless signal strength/quality on a ral interface in 
OpenBSD 3.8?
wicontrol and ancontrol do not support ral interface and ifconfig does 
not show it. :-(




Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread Marco Fretz
hello and thanks


that sounds cool. atm i'm reading a bit about carp and arp balancing.
but i think, that's my solution. 500 MBit/s would be enough for my
needs. 

so now, i've to get some boxes and do some tests... the lan party i spoke
of is still far away (in early august i think). after this, i will
post some links to cacti network graphs and some test results.

i will start work in a few weeks. if i get some further questions, i
will post them here...

thanks

marco


On Sunday, 29.01.2006, at 09:50 -0500, Jason Dixon wrote:
> On Jan 29, 2006, at 6:22 AM, Marco Fretz wrote:
> 
> > hello there
> >
> > we are planning a medium lan party with about 200 - 300 clients.  
> > it's a
> > normal gamer lan party but there will be a lot of traffic.
> >
> > we will have about 6 subnets (like 10.5.0.0/24, 10.6.0.0/24, and so  
> > on)
> > that we have to route under each other. if we get a good sponsor we  
> > may
> > have some layer 3 cisco switches that can do wirespeed routing.
> >
> > but i  don't think so... i may have to get some 3 GHz Intel P4 Boxes
> > (About 1 GB Memory) and do the VLAN Routing on these openbsd boxes.
> >
> > will i get about 1GBit/s throughput with such a box?
> > is it better to use a gigabit ethernet card for each subnet or  
> > should i
> > get the vlans on one intel card?
> >
> > is it better to route all vlans on one box or should i split up the
> > routing on about 3 boxes?
> 
> I just deployed a similar setup using a pair of OpenBSD/CARP servers  
> on inexpensive servers and a cluster of Cisco 2950s.  Each server is  
> an Iron Systems A320R with a 2.0 GHz Celeron, 256MB memory, 64bit/ 
> 66MHz PCI-X slot, dual onboard Intel 1000BaseT, and onboard CF-to-IDE  
> adapter in place of the original SATA drive.  A 64bit SysKonnect  
> 1000BaseT in the PCI slot and handles pfsync traffic.
> 
> The internal em interfaces are trunked on Cisco 1000BaseT GBICs.   
> Each router handles 10 internal VLANs on carp interfaces.  My iperf  
> tests maxed out at ~500Mbps;  a faster processor and more bus would  
> likely yield much higher throughput.  Still not bad for around $700  
> per server.
> 
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net



Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread Marco Fretz
hello

thanks again!

ok, i agree my solution sounds not very simple =)

i never made something with carp. i will see the manpage and will try to
find and read some docs.

what i really don't understand is: how can carp do loadbalancing. if i
get an arp answer from the first router, the next request for this ip
will go to the same address. so carp has to do "mac faking"? is carp
"flooding" the subnet with random mac addresses for the same ip?

thanks, regards
marco


On Sunday, 29.01.2006, at 13:59 +, tony sarendal wrote:
> On 29/01/06, Marco Fretz <[EMAIL PROTECTED]> wrote:
> 
> > ok thanks
> >
> > i think, 400 Mbit/s throughput should be enough for this usage.
> >
> > another question: does anyone know if there is a network card that can
> > do something like cisco wirespeed routing? or is there anything that can
> > handle software and hardware routing on a normal intel box?
> 
> 
> Cisco wirespeed routing ? Sounds like a marketing term, since I don't
> run into that very often in real life, at least not for internet routing.
> 
> From what I know you wont find any hardware/software combo for openbsd
> which will do the L3 forwarding in the network card hardware.
> 
> 
> > > Since your boxes may have problems if you expect 1Gbps of traffic
> > > load sharing may help the situation a bit.
> > > There are a few ways of doing this depending on environment.
> >
> > is there something that i can do with carp? or how is a router cluster
> > to realise? the problem is, i dont want a fail over, i need performance.
> 
> 
> If you expect the traffic pattern to be from many to many directly connected
> hosts you can let carp handle loadsharing
> 
> carp man page:
>  net.inet.carp.arpbalance    Balance local traffic using ARP.  Disabled
>  by default.
> 
> > what about this:
> > i put 3 intel boxes with 2 Gbit nics in each one in a private subnet with
> > the first card. on the second card i pull out 2 vlans on each machine.
> > now i can do the routing with static routing on these 3 machines.
> >
> > vlan1 and 2 is on machine A
> > vlan3 and 4 is on machine B
> > vlan5 and 6 is on machine C
> >
> > so traffic from 5 to 6 is routed on C only, so i don't have any
> > performance needed on A and B
> >
> > but traffic from e.g. 1 to 3 needs performance on A and B.
> >
> > you think that's a good idea?
> 
> 
> I would keep it simple. Put all boxes on all lans and use carp.
> IP routing is unidirectional, traffic from A->B doesn't have to go over the
> same box
> as traffic B->A. With three boxes you can get speed and be pretty
> resilient also.
> 
> /Tony



Re: A small patch to make "input" style in license.template consistent

2006-01-29 Thread Joachim Schipper
On Sun, Jan 29, 2006 at 10:12:28AM -0300, Andrés Delfino wrote:
> Maybe it may help someone, :P
> 
> --- license.template   Tue Jun  3 19:37:00 2003
> +++ license.template.1  Sun Jan 29 10:00:22 2006
> @@ -5,11 +5,14 @@
>  should be separated by a comma, e.g.
>  Copyright (c) 2003, 2004
> 
> +Note that less than and greater than signs below MUST be removed;
> +they are there for you to enter your own information.
> +
>  If you add extra text to the body of the license, be careful not to
>  add further restrictions.
> 
>  /*
> - * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
> + * Copyright (c)   
>   *
>   * Permission to use, copy, modify, and distribute this softwae for any
^^
This typo is not there on my system (3.8-stable); I hope you added it
somehow?

Joachim



Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread Jason Dixon

On Jan 29, 2006, at 6:22 AM, Marco Fretz wrote:


> hello there
>
> we are planning a medium lan party with about 200 - 300 clients. it's a
> normal gamer lan party but there will be a lot of traffic.
>
> we will have about 6 subnets (like 10.5.0.0/24, 10.6.0.0/24, and so on)
> that we have to route under each other. if we get a good sponsor we may
> have some layer 3 cisco switches that can do wirespeed routing.
>
> but i  don't think so... i may have to get some 3 GHz Intel P4 Boxes
> (About 1 GB Memory) and do the VLAN Routing on these openbsd boxes.
>
> will i get about 1GBit/s throughput with such a box?
> is it better to use a gigabit ethernet card for each subnet or should i
> get the vlans on one intel card?
>
> is it better to route all vlans on one box or should i split up the
> routing on about 3 boxes?


I just deployed a similar setup using a pair of OpenBSD/CARP servers  
on inexpensive servers and a cluster of Cisco 2950s.  Each server is  
an Iron Systems A320R with a 2.0 GHz Celeron, 256MB memory, 64bit/ 
66MHz PCI-X slot, dual onboard Intel 1000BaseT, and onboard CF-to-IDE  
adapter in place of the original SATA drive.  A 64bit SysKonnect  
1000BaseT in the PCI slot and handles pfsync traffic.


The internal em interfaces are trunked on Cisco 1000BaseT GBICs.   
Each router handles 10 internal VLANs on carp interfaces.  My iperf  
tests maxed out at ~500Mbps;  a faster processor and more bus would  
likely yield much higher throughput.  Still not bad for around $700  
per server.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread tony sarendal
On 29/01/06, Marco Fretz <[EMAIL PROTECTED]> wrote:

> ok thanks
>
> i think, 400 Mbit/s throughput should be enough for this usage.
>
> another question: does anyone know if there is a network card that can
> do something like cisco wirespeed routing? or is there anything that can
> handle software and hardware routing on a normal intel box?


Cisco wirespeed routing ? Sounds like a marketing term, since I don't
run into that very often in real life, at least not for internet routing.

From what I know you wont find any hardware/software combo for openbsd
which will do the L3 forwarding in the network card hardware.


> > Since your boxes may have problems if you expect 1Gbps of traffic
> > load sharing may help the situation a bit.
> > There are a few ways of doing this depending on environment.
>
> is there something that i can do with carp? or how is a router cluster
> to realise? the problem is, i dont want a fail over, i need performance.


If you expect the traffic pattern to be from many to many directly connected
hosts you can let carp handle loadsharing

carp man page:
 net.inet.carp.arpbalance    Balance local traffic using ARP.  Disabled
 by default.

> what about this:
> i put 3 intel boxes with 2 Gbit nics in each one in a private subnet with
> the first card. on the second card i pull out 2 vlans on each machine.
> now i can do the routing with static routing on these 3 machines.
>
> vlan1 and 2 is on machine A
> vlan3 and 4 is on machine B
> vlan5 and 6 is on machine C
>
> so traffic from 5 to 6 is routed on C only, so i don't have any
> performance needed on A and B
>
> but traffic from e.g. 1 to 3 needs performance on A and B.
>
> you think that's a good idea?


I would keep it simple. Put all boxes on all lans and use carp.
IP routing is unidirectional, traffic from A->B doesn't have to go over the
same box
as traffic B->A. With three boxes you can get speed and be pretty
resilient also.

/Tony



Request for a questions in FAQ

2006-01-29 Thread Andrés Delfino
I think that a "What is the preferred way to submit contributions?"
(and give the exact diff command with preferred arguments), and "What is
the preferred license when submitting contributions?" would answer the
two most common questions when someone wants to contribute to the
project.

Greetings



Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread Marco Fretz
ok thanks

i think, 400 Mbit/s throughput should be enough for this usage. 

another question: does anyone know if there is a network card that can
do something like cisco wirespeed routing? or is there anything that can
handle software and hardware routing on a normal intel box?

> Since your boxes may have problems if you expect 1Gbps of traffic
> load sharing may help the situation a bit.
> There are a few ways of doing this depending on environment.

is there something that i can do with carp? or how is a router cluster
to realise? the problem is, i don't want a fail over, i need performance.

what about this:
i put 3 intel boxes with 2 Gbit nics in each one in a private subnet with
the first card. on the second card i pull out 2 vlans on each machine.
now i can do the routing with static routing on these 3 machines. 

vlan1 and 2 is on machine A
vlan3 and 4 is on machine B
vlan5 and 6 is on machine C

so traffic from 5 to 6 is routed on C only, so i don't have any
performance needed on A and B

but traffic from e.g. 1 to 3 needs performance on A and B.

you think that's a good idea? 



thanks a lot, kind regards
marco


On Sunday, 29.01.2006, at 12:03 +, tony sarendal wrote:
> On 29/01/06, Marco Fretz <[EMAIL PROTECTED]> wrote:
> 
> > hello there
> >
> > we are planning a medium lan party with about 200 - 300 clients. it's a
> > normal gamer lan party but there will be a lot of traffic.
> >
> > we will have about 6 subnets (like 10.5.0.0/24, 10.6.0.0/24, and so on)
> > that we have to route under each other. if we get a good sponsor we may
> > have some layer 3 cisco switches that can do wirespeed routing.
> >
> > but i  don't think so... i may have to get some 3 GHz Intel P4 Boxes
> > (About 1 GB Memory) and do the VLAN Routing on these openbsd boxes.
> >
> > will i get about 1GBit/s throughput with such a box?
> 
> 
> Probably not. Your box will be limited by the pps it can handle.
> I don't know exactly what pps your hardware can handle, but I guess
> around 100-200kpps shouldn't be totally unrealistic.
> 
> If your average packet size is 300 bytes your box will be able to handle
> a total throughput of 240-480Mbps.
> 
> 
> 
> 
> > is it better to use a gigabit ethernet card for each subnet or should i
> > get the vlans on one intel card?
> 
> 
> I personally like the vlan trunk setup if it's a statically routed
> environment,
> been using it since around -98 or -99 without problems.
> 
> > is it better to route all vlans on one box or should i split up the
> > routing on about 3 boxes?
> 
> 
> Since your boxes may have problems if you expect 1Gbps of traffic
> load sharing may help the situation a bit.
> There are a few ways of doing this depending on environment.
> 
> If you do this on OpenBSD, I would appreciate it if you could give us a
> summary
> afterwards on how things went and what kind of performance you got.
> 
> /Tony
> 
> --
> Tony Sarendal - [EMAIL PROTECTED]
> IP/Unix
>-= The scorpion replied,
>"I couldn't help it, it's my nature" =-



A small patch to make "input" style in license.template consistent

2006-01-29 Thread Andrés Delfino
Maybe it may help someone, :P

--- license.template   Tue Jun  3 19:37:00 2003
+++ license.template.1  Sun Jan 29 10:00:22 2006
@@ -5,11 +5,14 @@
 should be separated by a comma, e.g.
 Copyright (c) 2003, 2004

+Note that less than and greater than signs below MUST be removed;
+they are there for you to enter your own information.
+
 If you add extra text to the body of the license, be careful not to
 add further restrictions.

 /*
- * Copyright (c) CCYY YOUR NAME HERE <[EMAIL PROTECTED]>
+ * Copyright (c)   
  *
  * Permission to use, copy, modify, and distribute this softwae for any
  * purpose with or without fee is hereby granted, provided that the above
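
Review bot: The added note says the less-than and greater-than signs "below" MUST be removed, but the replacement line "+ * Copyright (c)" as posted contains no bracketed placeholders at all, so the note refers to nothing and the template loses the year, name and e-mail prompt that the removed line ("CCYY YOUR NAME HERE" plus a bracketed address) provided. Please resend with the placeholder fields intact, and reword the note to say which brackets are placeholders: the old line kept angle brackets around the e-mail address, and a blanket "MUST be removed" would tell people to strip those as well. The context line "Permission to use, copy, modify, and distribute this softwae" also shows a typo that could be fixed in the same patch if it is present in the file itself.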



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Stuart Henderson
On 2006/01/29 14:14, Gabriel George POPA wrote:
>   I'm wondering if OpenBSD 3.8 will work on a SPARCSTATION 1+ computer. 

It's listed on sparc.html.

> And another problem: it seems to have AUI ethernet. What kind of adapter 
> (if any) can I find in order to use its interface (AUI) with
> a common 100BaseT switch?

AUI to 10baseT adaptor - try ebay.



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Gabriel George POPA
 Thank you very much for your advice. That's what I was looking for.
 Thank you again!

Brett Lymn wrote:

>On Sun, Jan 29, 2006 at 02:14:38PM +0200, Gabriel George POPA wrote:
>
>>And another problem: it seems to have AUI ethernet. What kind of adapter
>>(if any) can I find in order to use its interface (AUI)
>
>The thing you are looking for is called a medium access unit (MAU), it
>converts the AUI into either 10base-2 or 10base-T depending on the
>unit you get.  They may be rare beasties now as most were probably
>thrown out as "old junk" years ago.
>
>>with
>>a common 100BaseT switch?
>
>The network interface in a 1+ is 10Mbit/s only.  Make sure your switch
>can handle that.



Re: Regarding a SPARCSTATION 1+

2006-01-29 Thread Brett Lymn
On Sun, Jan 29, 2006 at 02:14:38PM +0200, Gabriel George POPA wrote:
> 
> And another problem: it seems to have AUI ethernet. What kind of adapter 
> (if any) can I find in order to use its interface (AUI)

The thing you are looking for is called a medium access unit (MAU), it
converts the AUI into either 10base-2 or 10base-T depending on the
unit you get.  They may be rare beasties now as most were probably
thrown out as "old junk" years ago.

>with
> a common 100BaseT switch?
> 

The network interface in a 1+ is 10Mbit/s only.  Make sure your switch
can handle that.

-- 
Brett Lymn



Regarding a SPARCSTATION 1+

2006-01-29 Thread Gabriel George POPA

   Hello all,

  I'm wondering if OpenBSD 3.8 will work on a SPARCSTATION 1+ computer.
Does anyone have a toy like this running OpenBSD?
And another problem: it seems to have AUI ethernet. What kind of adapter
(if any) can I find in order to use its interface (AUI) with
a common 100BaseT switch?
  Thank you.

  Best regards,
Gabriel George POPA




Clustering using OpenBSD

2006-01-29 Thread Gabriel George POPA

   Hello all,

  I'm planning to deploy a small cluster behind my firewall (for test 
purposes). What would be the recommended program
to use for clustering and what can it do? Where should I start? I have 5
workstations (1GHz Intel Celeron)+server 3GHz Intel P4.
I know several ways of "clustering", but I ask you because you might 
know what is the best method to use with OpenBSD.

Oh, and what's with that picture on www.openbsd.org (lower-right corner)?

   
Respectfully yours,

Gabriel George POPA




Re: High Performance VLAN Router with OpenBSD

2006-01-29 Thread tony sarendal
On 29/01/06, Marco Fretz <[EMAIL PROTECTED]> wrote:

> hello there
>
> we are planning a medium lan party with about 200 - 300 clients. it's a
> normal gamer lan party but there will be a lot of traffic.
>
> we will have about 6 subnets (like 10.5.0.0/24, 10.6.0.0/24, and so on)
> that we have to route under each other. if we get a good sponsor we may
> have some layer 3 cisco switches that can do wirespeed routing.
>
> but i don't think so... i may have to get some 3 GHz Intel P4 Boxes
> (About 1 GB Memory) and do the VLAN Routing on these openbsd boxes.
>
> will i get about 1GBit/s throughput with such a box?


Probably not. Your box will be limited by the pps it can handle.
I don't know exactly what pps your hardware can handle, but I guess
around 100-200kpps shouldn't be totally unrealistic.

If your average packet size is 300 bytes your box will be able to handle
a total throughput of 240-480Mbps.




> is it better to use a gigabit ethernet card for each subnet or should i
> get the vlans on one intel card?


I personally like the vlan trunk setup if it's a statically routed
environment,
been using it since around -98 or -99 without problems.

> is it better to route all vlans on one box or should i split up the
> routing on about 3 boxes?


Since your boxes may have problems if you expect 1Gbps of traffic
load sharing may help the situation a bit.
There are a few ways of doing this depending on environment.

If you do this on OpenBSD, I would appreciate it if you could give us a
summary
afterwards on how things went and what kind of performance you got.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   "I couldn't help it, it's my nature" =-



High Performance VLAN Router with OpenBSD

2006-01-29 Thread Marco Fretz
hello there

we are planning a medium lan party with about 200 - 300 clients. it's a
normal gamer lan party but there will be a lot of traffic.

we will have about 6 subnets (like 10.5.0.0/24, 10.6.0.0/24, and so on)
that we have to route under each other. if we get a good sponsor we may
have some layer 3 cisco switches that can do wirespeed routing.

but i don't think so... i may have to get some 3 GHz Intel P4 Boxes
(About 1 GB Memory) and do the VLAN Routing on these openbsd boxes.

will i get about 1GBit/s throughput with such a box?
is it better to use a gigabit ethernet card for each subnet or should i
get the vlans on one intel card?

is it better to route all vlans on one box or should i split up the
routing on about 3 boxes?

may anyone have some nice ideas! thanks a lot...

kind regards
marco



/etc/group: add group to a group

2006-01-29 Thread Antoine Jacoutot

Hi...

I'm sorry to ask such a stupid question, but is there _any_ way to add a 
group to another group (in /etc/group) ?
If it's not possible (which I tend to believe since there's nothing in the 
man page that shows it could be done), do you guys have any tricks on how 
to allow for instance 2 groups to write to a directory without creating a 
3rd group and adding all members of group1 and group2 to it (which, for
this simple example is already a pain to administer) ?


Thanks in advance.
Regards,

--
Antoine