Re: Does OpenBSD-3.9(-current) support Marvell Yukon 88E8053 Gigabit Ethernet Controller?
Michael Bibby wrote:
> hi all:
> I use the Marvell Yukon 88E8053 Gigabit Ethernet Controller on my laptop, but I can't find a driver for OpenBSD 3.8, so I want to know: are there any other people who use it and have a driver for it?
> thanks.
> Bibby 2006/04/17

I've had that chipset working with OpenBSD 3.8 and 3.9 from 2006-04-06 (I believe that was the date) on an Asus A8N-SLI Deluxe nForce4. I don't have the dmesg for it. I had to return that mobo for other reasons and forgot to archive the dmesg before I reformatted. I do have the newer version of that board, though, and it has the Marvel Yukon 88E1011. Here's the relevant portion from the dmesg:

    skc0 at pci1 dev 12 function 0 "Marvell SKv2" rev 0x13: irq 3
    skc0: Marvell Yukon Lite (0x9)
    sk0 at skc0 port A: address 00:15:f2:1d:21:6a
    eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
    "Nvidia CK804 LAN" rev 0xa3 at pci0 dev 10 function 0 not configured

Based on my experience with the 88E8053 chipset on the other motherboard it seems reasonable to expect it would work with your laptop.

> Are you sure? I installed FreeBSD 6.0 on my laptop; marvell.com provides a driver for FreeBSD (6.0-release, and some other versions). But FreeBSD 6.0 can't find my sound card which shipped on the mainboard. What a pity. :(
>
> Yesterday, I installed NetBSD 3.0 on it; it can't find either the LAN NIC or the wireless, but hasn't drivers for them. :( :(
>
> I haven't tried OpenBSD. I checked the hardware supported list, but it is not on the list. :( :( :( so I asked at [EMAIL PROTECTED]

Have you tried booting with 3.8 shipping or one of the 3.9 snapshots and looked through the dmesg?

> I will try this week. Thanks for your answer. :)

I posted more about this mobo at
http://marc.theaimsgroup.com/?l=openbsd-misc&m=114531096016196&w=2

--Aaron
Re: pppoe
> > Also how do I remove old tunx devices?
> > What the? How do I get rid of the others? tun0 seems to be only in use there.
> >
> > If a connection drops out, I just connect again, but it leaves old tun devices and makes a new one, and sometimes I have to manually delete/add correct routes.
>
> Not sure if this is the correct way, let alone the easiest, but this is how I do it:
>
>     if [ `ifconfig -a | grep -c tun0` -ne 0 ]; then
>         /sbin/ifconfig tun0 destroy
>     fi
>     # start connection here
>
> Where you would do this depends on your setup. In my case I have a specific script that brings the connection up.

That works nicely. Unfortunately I've had to change my gateway from OpenBSD to FreeBSD, and even though destroy is specified in the manpage, it says this...

    ifconfig: SIOCIFDESTROY: Invalid argument
Re: pppoe
On Tue, Apr 18, 2006 at 11:52:47AM +0930, Brendan Grossman wrote:
> Hi everyone
>
> To bring up a pppoe connection, I use
>
>     ppp -ddial provider
>
> But how do I take it down? Also how do I remove old tunx devices?
>
>     # ifconfig
>     tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
>             inet 219.90.xxx.xxx --> 203.2.124.224 netmask 0x
>             Opened by PID 71830
>     tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>     tun2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>             inet 219.90.xxx.xxx --> 219.90.174.215 netmask 0x
>
> What the? How do I get rid of the others? tun0 seems to be only in use there.

You can force ppp(8) to always use the same interface with the '-unit' option (see man page). For instance,

    ppp -ddial -unit0 provider

will always use the tun0 interface. Then, to bring down the connection:

    kill `cat /var/run/tun0.pid`

and wait a few seconds. This will bring down the interface and remove routes.

HTH,
-- Alexandre
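The two replies above describe the leftover-tun problem and a fixed-unit workaround. As an added illustration (not code from either poster), the following Python parses `ifconfig -a` style output of the shape quoted in the thread and reports which tun devices nobody holds open, so an operator can review the cleanup before running it. The sample output is constructed, with RFC 5737 documentation addresses standing in for the poster's masked ones; the "Opened by PID" line is taken as the mark of a live ppp session, as in the quoted output.

```python
"""Find stale tun(4) interfaces in ifconfig output (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of the ifconfig output quoted in the thread,
# with documentation addresses (RFC 5737) in place of the poster's masked ones.
SAMPLE_IFCONFIG = """\
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 192.0.2.10 --> 198.51.100.1 netmask 0xffffffff
        Opened by PID 71830
tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
        inet 192.0.2.11 --> 198.51.100.2 netmask 0xffffffff
"""

HEADER = re.compile(r"^(\w+): flags=[0-9a-fA-F]+<([^>]*)>")
INET = re.compile(r"^\s+inet (\S+) --> (\S+)")
OWNER = re.compile(r"^\s+Opened by PID (\d+)")


@dataclass
class Interface:
    name: str
    flags: Set[str] = field(default_factory=set)
    addresses: List[Tuple[str, str]] = field(default_factory=list)
    owner_pid: Optional[int] = None  # process holding the tun device open, if any


def parse_ifconfig(text: str) -> Dict[str, Interface]:
    """Parse `ifconfig -a` style output into per-interface records."""
    ifaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Interface(m.group(1), set(f for f in m.group(2).split(",") if f))
            ifaces[current.name] = current
            continue
        if current is None:
            continue
        m = INET.match(line)
        if m:
            current.addresses.append((m.group(1), m.group(2)))
            continue
        m = OWNER.match(line)
        if m:
            current.owner_pid = int(m.group(1))
    return ifaces


def stale_tun_interfaces(text: str) -> List[str]:
    """tun devices that no process holds open and that are not RUNNING:
    leftovers of dropped ppp sessions, the tun1/tun2 situation in the thread."""
    return sorted(
        name
        for name, iface in parse_ifconfig(text).items()
        if name.startswith("tun")
        and iface.owner_pid is None
        and "RUNNING" not in iface.flags
    )


def cleanup_commands(text: str) -> List[str]:
    """Commands for an operator to review; nothing is executed here."""
    return [f"ifconfig {name} destroy" for name in stale_tun_interfaces(text)]


if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_IFCONFIG):
        print(cmd)
```

Only the interfaces with neither an owning PID nor the RUNNING flag are listed, so the live tun0 session is never touched even though it matches the same name pattern.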
Re: LZMA and the Install Sets?
On Mon, 17 Apr 2006, Nick Holland wrote: Oh? Where are your numbers? Here's a benchmark about gzip vs lzma vs bzip2: http://tukaani.org/lzma/benchmarks Lasse Collin is also working on a more sane tool for the algorithm but I don't have enough information about that so if someone is interested he/she should contact Lasse directly. -- Antti Harri
Re: WLAN IPsec: flows between two non-AP peers
Damon McMahon wrote:
> Perhaps my understanding of ieee80211(9) and isakmpd(8) is awry?
>
> I have a simple WLAN setup, where there is a combined internet gateway/wireless AP, and several wireless nodes. I want each wireless node to be able to connect to all others for file sharing, etc., and the connection should be over an IPsec layer.
>
> I can think of two ways theoretically to do this:
>
> 1. Configure each host to establish an IPsec tunnel directly with the other - i.e. peer-to-peer at the IP layer, although my understanding of ieee80211(9) is that the connection would still be bridged through the AP at the data-link layer.

yes. the AP will forward traffic between the stations by default. there's currently no button to disable this behavior in openbsd (intra-bss blocking).

> 2. Route these connections through the access point at the IP layer, since they're already being bridged through the AP at the data-link layer.

2a) for example, on the accesspoint:

- set the ap configuration, ip address and the aliases for each interface

    ap# cat /etc/hostname.ath0
    inet 10.0.0.1 255.255.255.252 10.0.0.3 \
        nwid MyAP nwkey ipsecinside \
        media autoselect mode 11b mediaopt hostap
    inet alias 10.0.0.5 255.255.255.252 10.0.0.7
    inet alias 10.0.0.9 255.255.255.252 10.0.0.11

- set the flows for each peer. any direct communication between the peers and the gateway will be bypassed (not encrypted) to allow the ISAKMP key exchange (a more complicated version is possible, i.e. with additional static flows, the proto keyword, ...)
    ap# cat /etc/ipsec.conf
    flow esp out from 10.0.0.1 to 10.0.0.2 type bypass
    ike passive esp from 10.0.0.0/30 to any peer 10.0.0.2 \
        dstid peer1.wlan.local
    flow esp out from 10.0.0.5 to 10.0.0.6 type bypass
    ike passive esp from 10.0.0.4/30 to any peer 10.0.0.5 \
        dstid peer2.wlan.local
    flow esp out from 10.0.0.9 to 10.0.0.10 type bypass
    ike passive esp from 10.0.0.8/30 to any peer 10.0.0.9 \
        dstid peer3.wlan.local

- start isakmpd and load the flows and SAs

    ap# isakmpd -K
    ap# ipsecctl -vf /etc/ipsec.conf

- and the interesting lines in /etc/pf.conf:

    pass in on ath0 inet proto udp to (ath0) port isakmp keep state
    pass in on ath0 inet proto esp to (ath0)
    pass in on ath0 inet proto icmp to (ath0) icmp-type echoreq keep state

2b) ...and on the first wireless station:

- the ip address configuration

    peer1# cat /etc/hostname.ath0
    inet 10.0.0.2 255.255.255.252 10.0.0.3 \
        nwid MyAP nwkey ipsecinside

- two lines of ipsec configuration. i use dynamic mode for wireless nodes to enable DPD (dead peer detection). this improves reconnection if the station lost wireless connectivity to the ap.

    peer1# cat /etc/ipsec.conf
    flow esp out from 10.0.0.2 to 10.0.0.1 type bypass
    ike dynamic esp from 10.0.0.0/30 to any peer 10.0.0.1

- route everything through the ipsec gateway

    peer1# cat /etc/mygate
    10.0.0.1

- exchange public keys, start the daemon and load rules

    peer1# scp /etc/isakmpd/private/local.pub \
        10.0.0.1:/etc/isakmpd/pubkeys/fqdn/$(hostname)
    peer1# scp 10.0.0.1:/etc/isakmpd/private/local.pub \
        /etc/isakmpd/pubkeys/ipv4/10.0.0.1
    peer1# isakmpd -K
    peer1# ipsecctl -vf /etc/ipsec.conf

> I'm not sure how to implement this either way and would appreciate some advice in this regard. I guess routing through the AP makes more sense as it will always be up whereas some of the nodes might be down at any given time?
>
> Any advice will be appreciated.

reyk
Re: WLAN IPsec: flows between two non-AP peers
hi,

some cut'n'paste errors... anyway, it's just an example.

Reyk Floeter wrote:
>     ap# cat /etc/ipsec.conf
>     flow esp out from 10.0.0.1 to 10.0.0.2 type bypass
>     ike passive esp from 10.0.0.0/30 to any peer 10.0.0.2 \
>         dstid peer1.wlan.local
>     flow esp out from 10.0.0.5 to 10.0.0.6 type bypass
>     ike passive esp from 10.0.0.4/30 to any peer 10.0.0.5 \
      ike passive esp from 10.0.0.4/30 to any peer 10.0.0.6 \
>         dstid peer2.wlan.local
>     flow esp out from 10.0.0.9 to 10.0.0.10 type bypass
>     ike passive esp from 10.0.0.8/30 to any peer 10.0.0.9 \
      ike passive esp from 10.0.0.8/30 to any peer 10.0.0.10 \
>         dstid peer3.wlan.local
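The correction above fixes `peer` addresses that pointed at the AP's own aliases instead of the stations. As an added example (not Reyk's code or part of the thread), the following Python reads both versions of the AP-side ipsec.conf from his mails plus the station-side file, and checks the three properties the design depends on: each `ike` peer must be inside its `/30` and must not be one of the AP's own addresses, and every `bypass` flow must have an `ike` rule for the same peer, otherwise the cleartext exception meant for the key exchange would point at a host that never negotiates. It understands only the keywords used in the thread, which is an assumption about the inputs rather than a full ipsec.conf grammar.

```python
"""Sanity-check the ipsec.conf files from the thread (added example, not Reyk's code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The AP configuration as first posted (with the cut'n'paste errors corrected later).
AP_CONF_AS_POSTED = """\
flow esp out from 10.0.0.1 to 10.0.0.2 type bypass
ike passive esp from 10.0.0.0/30 to any peer 10.0.0.2 \\
    dstid peer1.wlan.local
flow esp out from 10.0.0.5 to 10.0.0.6 type bypass
ike passive esp from 10.0.0.4/30 to any peer 10.0.0.5 \\
    dstid peer2.wlan.local
flow esp out from 10.0.0.9 to 10.0.0.10 type bypass
ike passive esp from 10.0.0.8/30 to any peer 10.0.0.9 \\
    dstid peer3.wlan.local
"""

# The same file with the peer addresses from the follow-up mail.
AP_CONF_CORRECTED = (AP_CONF_AS_POSTED
                     .replace("peer 10.0.0.5", "peer 10.0.0.6")
                     .replace("peer 10.0.0.9", "peer 10.0.0.10"))

# Station side, as posted.
STATION_CONF = """\
flow esp out from 10.0.0.2 to 10.0.0.1 type bypass
ike dynamic esp from 10.0.0.0/30 to any peer 10.0.0.1
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop blanks and comments."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def _after(tokens: List[str], keyword: str) -> Optional[str]:
    """Value following a keyword, e.g. _after(tok, "peer") -> "10.0.0.2"."""
    return tokens[tokens.index(keyword) + 1] if keyword in tokens else None


def parse_rules(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Extract flow and ike rules; only the keywords used in the thread are understood."""
    flows, ikes = [], []
    for line in logical_lines(text):
        tok = line.split()
        if tok[0] == "flow":
            flows.append({"src": ipaddress.ip_address(_after(tok, "from")),
                          "dst": ipaddress.ip_address(_after(tok, "to")),
                          "type": _after(tok, "type")})
        elif tok[0] == "ike":
            ikes.append({"net": ipaddress.ip_network(_after(tok, "from")),
                         "peer": ipaddress.ip_address(_after(tok, "peer")),
                         "dstid": _after(tok, "dstid")})
    return flows, ikes


def check_config(text: str) -> List[str]:
    """Findings for the mistakes the thread shows: an ike peer that is one of the
    host's own addresses, a peer outside its /30, or a bypass flow whose target
    has no ike rule (the cleartext exception would point at the wrong host)."""
    flows, ikes = parse_rules(text)
    local = {f["src"] for f in flows if f["type"] == "bypass"}
    bypass_targets = {f["dst"] for f in flows if f["type"] == "bypass"}
    findings: List[str] = []
    for r in ikes:
        if r["peer"] in local:
            findings.append(f"ike peer {r['peer']} is one of this host's own addresses")
        elif r["peer"] not in r["net"]:
            findings.append(f"ike peer {r['peer']} is outside {r['net']}")
    peers = {r["peer"] for r in ikes}
    for target in sorted(bypass_targets - peers):
        findings.append(f"bypass flow to {target} has no ike rule with peer {target}")
    return findings


if __name__ == "__main__":
    for name, conf in [("as posted", AP_CONF_AS_POSTED), ("corrected", AP_CONF_CORRECTED),
                       ("station", STATION_CONF)]:
        print(name, check_config(conf) or "ok")
```

Run against the file as first posted it reports four findings (two peers that are the AP's own aliases, and the two bypass flows toward 10.0.0.6 and 10.0.0.10 left without an ike rule); the corrected file and the station file pass clean.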
Re: Via EPIA boards
> serious question: can one get systems of this class with 'features' like ECC memory?

Not 100% sure, but I do not think so. There's no mention of ECC memory support on VIA's webpages dedicated to the EPIA line. Also, the memory selector tool on crucial.com lists non-ecc memory only.

--Matt
Re: Via EPIA boards
Thus Matt Rowley [EMAIL PROTECTED] spake on Tue, 18 Apr 2006 08:11:17 -0400:
> > serious question: can one get systems of this class with 'features' like ECC memory?
>
> Not 100% sure, but I do not think so. There's no mention of ECC memory support on VIA's webpages dedicated to the EPIA line. Also, the memory selector tool on crucial.com lists non-ecc memory only.

hm. somehow missing ECC et al. keeps me from deploying such systems on a regular basis... even when they're 'only' x86.

timo
Re: WLAN IPsec: flows between two non-AP peers
On 18 apr 2006, at 10.59, Reyk Floeter wrote:
> ...
> - set the flows for each peer. any direct communication between the peers and the gateway will be bypassed (not encrypted) to allow the ISAKMP key exchange (a more complicated version is possible, i.e. with additional static flows, the proto keyword, ...)

This is an RFC requirement, even. When negotiating, isakmpd(8) uses setsockopt(2) to get the key exchange traffic to be transmitted as cleartext, regardless of any flows configured to encrypt peer to peer data. Any other (non-IKE) traffic is handled normally, i.e. may be encrypted.

For the main problem; it may be obvious, but getting two WLAN hosts to do IPsec between each other via one or more gateways requires them to be on different subnets (as in Reyk's example). IPsec is very much an IP protocol; all general IP routing rules apply. For the kernel to encrypt/decrypt a packet is basically a routing decision (not by the same mechanism as IP routing, though). For two hosts on the same subnet, the direct delivery case applies, and if one wants IPsec it has to be set up between the two, directly.

That said, it is probably possible to come up with some crazy design to permit this anyway, but IMO the administrative requirements to keep it working will easily outweigh any operational gain. I'd try to reconsider the intended purpose and use of the WLAN network (why is protected node-node traffic needed? Can we avoid this requirement?) ... or I'd try to find a good(!) L2 tunneling technique.

/H
Re: OpenBGPD HEAD revision questions
* Thomas Bader [EMAIL PROTECTED] [2006-04-17 21:01]:
> Claudio Jeker schrieb:
> > On Mon, Apr 17, 2006 at 04:47:52PM +0200, Thomas Bader wrote:
> > > [announce self is missing]
> > Gosh! That's a fallout from Henning's nexthop self patch. I'll fix it ASAP.
>
> Thanks, that works for me. I have established that I've mistaken the meaning of self. I wanted to use that to prevent routes learned over iBGP getting announced to eBGP peers. They'll get announced though because they are (of course) from the same AS. Probably I need a filter list to get the behaviour I expect. This works well with IPv4, but not with IPv6:
>
>     /etc/bgpd.conf:77: king bula sez: AF_INET only
>
> Whereas line 77 is:
>
>     allow to $peer1 prefix fd:202c::80::/64
>
> Is it planned to implement IPv6 prefixes in the filters?

hmm, I need to check again what is missing, I thought we had the basics all done... either I misremember or I missed sth. definitely planned.

> > 3.8 shipped with basic IPv6 support but there were some bugs hidden in it. 3.9 fixed those issues and added special options to bgpctl to show only a specified address family.
>
> OK. How well is IPv6 tested yet? I have seen some older postings which state that it's not well tested. I plan to use v4 and v6, but I need the latter one for the time being only for testing and development purposes and not for critical applications. Shall I worry about not fully tested v6 support?

if nobody tests it, it won't get tested... my test feed worked well whenever I tested. I do not have any v6 production systems. I would not worry too much. I doubt you'll see any dramatic failures. You might run into things like the above, where parts of the code are v4 only and complain. but that really doesn't affect v4 operation, right :)

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: PCMCIA USB 2.0
Erm, that's not true. I picked up one at Beelzebub Buy and it crashes my openBSD 3.8 machine.

On 4/17/06, David Gwynne [EMAIL PROTECTED] wrote:
> i hope you mean cardbus and not pcmcia. there is such a thing as a pcmcia usb host controller, but it is usb 1 only, and we don't have a driver for it. if someone wants to give me one i might work on that in the future though (i want usb on my sparc).
>
> as for usb2 cardbus controllers, anything you pick up will probably work. try to avoid the cards that do firewire and stuff as well as usb. your best bet is a straight usb card.
>
> dlg
>
> On 18/04/2006, at 5:53 AM, Dan Smythe wrote:
> > Since my laptop only has a USB 1 on it, I was thinking about getting a PCMCIA USB 2.0 adapter. I looked on the hardware list, but couldn't find a list of supported models. Any suggestions?
> >
> > Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

--
Try to do nothing for money that you wouldn't do for free. --Paul Krassner
Re: mysql charset problem
> I switched to MySQL 5.0.19 and now I have some issues with charsets :/
>
> In my config file, my.cnf, I've got such a record:
>
>     character-set-server=latin2
>     collation-server=latin2_general_ci
>
> But when it gets data from the database to the website, then there's the problem, because it doesn't get it in the right charset, I think. I've got a solution to this but it's quite annoying:
>
>     mysql_query("SET NAMES latin2");
>
> Is there any other way to set this up so I don't have to put that code on each page?

Try adding this line to the [mysqld] section:

    character-set-client-handshake=0
Re: Via EPIA boards
On Mon, Apr 17, 2006 at 02:12:03PM -0400, [EMAIL PROTECTED] wrote:
> My home firewall is running on a PD1. Similar to the M1, except with two NICs. NICs are supported. I don't think Xorg supports the VIA graphics chip, but doesn't matter to me.

Both the old X11 and new Xorg work great on the VIA graphics adapter commonly found on EPIA boards.

The vr(4) nics suck quite often for me. I have to power off the box to recover a functional network interface.

--
Olivier Cherrier
Re: BIND forwarding
Check http://groups.google.com/group/comp.protocols.dns.bind

On 4/16/06, Darrin Chandler [EMAIL PROTECTED] wrote:
> On Sun, Apr 16, 2006 at 08:22:27AM +0200, Alexander Farber wrote:
> > On the USENET I've learnt that forwarders shouldn't be used...
>
> Did you also learn why? I'd like to know. I don't use them often, but once in a while they are useful.
Re: BIND forwarding
On Tue, Apr 18, 2006 at 03:54:46PM +0200, Alexander Farber wrote:
> Check http://groups.google.com/group/comp.protocols.dns.bind

That's quite a body of knowledge to catch up with. I'll be busy reading that for many years to come. Thanks for the useful tip!

--
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
Re: LZMA and the Install Sets?
On Mon, Apr 17, 2006 at 11:55:34PM -0400, Nick Holland wrote:
>     ~/comptest $ time lzma e comp39d.tar comp39d.tar.lz
>     7m5.59s real 6m54.79s user 0m0.59s system
>
> (maximum RAM used: around 80M, I think)
>
> Comments:
> rzip and lzma turned in some good numbers (REALLY good numbers),

The lzma package is useless. Although the algorithm is also LZMA, every time I tried, p7zip was better. 2x faster and always with greater compression (both at max compression level).

    448032 comp39.tar
    155904 comp39.tgz
     42912 comp39.tar.lzma
     34272 comp39.tar.7z

    lzma : 403.22s user 0.45s system 87% cpu 7:43.96 total
    7za  : 211.07s user 2.48s system 89% cpu 3:58.25 total

http://p7zip.sourceforge.net/

Sure, LZMA compression needs memory, though.

--
Frank Denis - frank [at] nailbox.fr
Young Nails / Akzentz nail tech
Atlantic Canada's Music Store!
Musicstop is Atlantic Canada's largest music company. We specialize in musical instruments, printed music and everything you need for playing, performing and recording. Our expert staff can help you choose from our extensive selection of the industry's leading brands. We can further accommodate you with rentals, financing, repairs and lessons. Musicstop has been serving Atlantic Canadians for over 35 years with 10 branches to serve you.

Interested in taking up music but not sure where to start? We've put together three exceptional offers to help you reach your goal. Whether you're interested in guitar, keyboards or drums, each package listed below represents excellent value. Owning an instrument from one of the three best known and respected musical instrument manufacturers in the world virtually guarantees your satisfaction.

**Please note that the following very special offers are a result of exceptional, direct from the manufacturer purchases by Musicstop. We do have reasonable quantities available for immediate delivery but they are limited, and rainchecks are not available.

Peavey Stage Pack

Hartley Peavey began building instruments and amplifiers in Mississippi over forty years ago. Today Peavey is renowned as one of the world leaders in musical equipment manufacturing. The Stage Pack is arguably the best introductory guitar package ever offered. Here's what you get:

* Raptor guitar
* Backstage amp
* Digital tuner
* Spare strings
* Strap
* Carry bag
* Picks
* Instructional DVD

The only thing missing is a recording contract! List $449. Regular price $349. Incredible at $249. Peavey Stage Pack $249!

Ludwig Accent 5pc Drum Kit

The Ludwig drum company has been in business for almost 100 years. The superior sound and construction of Ludwig drums has solidly established them as industry leaders. Ludwig achieved household name status in the '60s as Ringo Starr's preferred brand.

This is your opportunity to own a set of the most famous drums in the world at a truly exceptional price. Available in Black, Blue and Wine Red. List $659. Amazing at $399 (price does not include cymbals). Cymbal packs available from $99.00. Ludwig Accent 5 Piece $399!

Yamaha PSR 175

Nobody comes close to Yamaha when it comes to quality, features and value. Portable keyboards used to sit somewhere in between toys and musical instruments. Not anymore. The PSR 175 is a remarkable tool for piano students, featuring digitally sampled piano sound and the Yamaha Education Suite II built-in lesson system. The DJ function provides cool loops and sounds for Pop, Hip Hop, and R&B. Hundreds of additional on-board songs and sounds push the fun potential of this instrument off the charts! List $238. Regular price keyboard: $147.00, adaptor: $19.99. Unheard of at $119 including adaptor. Yamaha PSR-175 Keyboard $119.

Interested in signing up for our Online Newsletter? You will receive specials and information on our products as well as be eligible for our giveaways!

(C)2006 Musicstop http://www.musicstop.com/

Privacy Policy -- Your personal information is completely confidential. Musicstop will not sell, give, or otherwise distribute your email address to anyone. To view our complete privacy policy, please click here.

To Unsubscribe -- To remove yourself from the Musicstop mailing list, just click here.
time is always 10 minutes fast!
Hi there

I've been trying to sync my system time using ntpd. I followed the FAQ on how to do this but it always seems that my time is 10 minutes fast.

my /etc/ntpd.conf:

    # $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
    # sample ntpd configuration file, see ntpd.conf(5)

    # Addresses to listen on (ntpd does not listen by default)
    listen on *

    #sync to a single server
    server 0.north-america.pool.ntp.prg
    server 1.north-america.pool.ntp.org
    server 2.north-america.pool.ntp.org

    # use a random selection of 8 public stratum 2 servers
    # see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
    servers pool.ntp.org

Any hints or pointers much appreciated!!

Thanks,
Jerome
Re: Dual Core
Some of us have had problems with dual core:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113860396723795&w=2

On 4/17/06, Gustavo Rios [EMAIL PROTECTED] wrote:
> Does it make any difference to have a dual core processor or not with openbsd ? Thanks.
Re: time is always 10 minutes fast!
On Tue, Apr 18, 2006 at 11:07:17AM -0400, Jerome Santos wrote:
> Hi there
>
> I've been trying to sync my system time using ntpd. I followed the FAQ on how to do this but it always seems that my time is 10 minutes fast.
>
> my /etc/ntpd.conf:
>
>     # $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
>     # sample ntpd configuration file, see ntpd.conf(5)
>
>     # Addresses to listen on (ntpd does not listen by default)
>     listen on *
>
>     #sync to a single server
>     server 0.north-america.pool.ntp.prg
>     server 1.north-america.pool.ntp.org
>     server 2.north-america.pool.ntp.org
>
>     # use a random selection of 8 public stratum 2 servers
>     # see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
>     servers pool.ntp.org
>
> Any hints or pointers much appreciated!!

You have both server *and* servers active in your config? Hmm. In any case ntpd should be logging to /var/log/daemon by default. Messages there will be a great clue as to what's going on, hopefully. I'd comment out the single server commands and go with

    servers pool.ntp.org

and see what happens.

--
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
Re: time is always 10 minutes fast!
On Tue, Apr 18, 2006 at 08:22:55AM -0700, Darrin Chandler wrote:
> You have both server *and* servers active in your config? Hmm. In any case ntpd should be logging to /var/log/daemon by default. Messages there will be a great clue as to what's going on, hopefully. I'd comment out the single server commands and go with servers pool.ntp.org and see what happens.

Also, if your clock is too far off it'll never sync. In syslog you'll see entries like "Adjusting time by 1000 secs", then "Adjusting time by 1002 secs", etc. It'll continue to creep farther off. I'm not sure where the point is, but if you get your clock within, say, 5 minutes then it will sync fine if everything else is set up properly. You can use the -s flag for ntpd to initially set the time (as opposed to adjusting) if it's off very far.

--
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
Server Compatibility List
I don't know if this has been posted before, but I found a nice openbsd server compatibility list: To ensure availability of appropriate server hardware platforms for Profense, Armorlogic is testing new server models from major manufacturers on an ongoing basis. It is our goal to provide our customers with server hardware platforms that are easily available in major parts of the world. Therefore, we only test/support standard and pre-configured server hardware from HP, Dell, IBM, Sun and Fujitsu-Siemens. http://www.armorlogic.com/openbsd_information_server_compatibility_list.html This list gave the the information I needed to go ahead and order the server for my shiny new 3.9 CDs. -- Will
Re: Dual Core
On Tue, Apr 18, 2006 at 09:19:55AM -0600, Matt Jibson wrote:
> Some of us have had problems with dual core:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=113860396723795&w=2

and where does it have any relation to the dual-core nature of the problem? it's an mpbios problem.

> On 4/17/06, Gustavo Rios [EMAIL PROTECTED] wrote:
> > Does it make any difference to have a dual core processor or not with openbsd ?

one or two cores does not really appear any different to software. on amd64 (numa) there could be considerations wrt os design. still, we are not doing any of that (yet) anyway.

cu
--
paranoic mickey (my employers have changed but, the name has remained)
Re: time is always 10 minutes fast!
On Apr 18, 2006, at 11:07 AM, Jerome Santos wrote:
> Any hints or pointers much appreciated!!

have you tried running ntpd -s once to set the time immediately? If you don't it will only be corrected gradually.

Mike
Re: Dual Core
On Tue, 18 Apr 2006, Matt Jibson wrote:
> Some of us have had problems with dual core:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=113860396723795&w=2

That should be solved now, try a recent snap. I've been running the mentioned A8N5X mb fine with a dual core amd64. That is to say, until it went up in smoke.

-Otto

> On 4/17/06, Gustavo Rios [EMAIL PROTECTED] wrote:
> > Does it make any difference to have a dual core processor or not with openbsd ? Thanks.
Re: time is always 10 minutes fast!
Hi,

On Tue, Apr 18, 2006 at 11:07:17AM -0400, Jerome Santos wrote:
> Hi there
>
> I've been trying to sync my system time using ntpd. I followed the FAQ on how to do this but it always seems that my time is 10 minutes fast.
>
> my /etc/ntpd.conf:
> [...]
>     #sync to a single server
>     server 0.north-america.pool.ntp.prg
                                      ^^^ :)

Could you please provide us the output of 'ls -l /etc/localtime' and the output of rdate? Maybe this can help us to resolve the problem.

Bye
Ollie
--
Oliver Peter, email: [EMAIL PROTECTED], ICQ# 113969174
Worker bees can leave. Even drones can fly away. The Queen is their slave.
User specific resources limits increase live help needed.
I am having a problem with a specific user account that I can't shut down, as I would create data corruption now if I did so, but I also need to increase its resources, as that user account can't log in via ssh because it reaches the limits. I get

    Disconnecting: fork failed: Resource temporarily unavailable

and looking at the system running, I see that it uses all the possible processes available to that account. I tried to change login.conf to allow more, but it doesn't take effect now. Killing the processes of that user, I can't do that now as I would at the same time create data corruption, since these processes are manipulating lots of data now.

So, I am running out of ideas as to what to try to temporarily address this issue now and then later make a permanent fix to it. Is it possible to do so while it is in use, or do I need to kill it? The process in question will continue to run for maybe two more days now and I can't really wait that long as it is creating real problems now.

Any advice on this would be more than welcome. I am still doing research on Google to see what I can do, and I am sure somehow I would find it eventually, but I am a bit in a crunch, so if someone has a good suggestion, I would appreciate it. I am really starting to feel the heat on this. My problem is more of a timely fix than a proper solution at this time.

Thanks
Daniel
Re: Dual Core
Matt Jibson wrote:
> Some of us have had problems with dual core:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=113860396723795&w=2

Many improvements have been done since then. For my particular motherboard (Asus A8N-SLI Premium, rev 1.02), the amd64 MP went from problematic to working very well.

/Sigfred
Re: Default Gateway, PF, BAD State
2006/4/6, Joachim Schipper [EMAIL PROTECTED]:
> On Thu, Apr 06, 2006 at 01:15:53AM +1200, Joshua Sandbrook wrote:
> > Hello There.
> >
> > I've got two openbsd gateways:
> >
> > 192.168.3.253 + 192.168.4.254 - gateway to the 192.168.4.0/24 subnet. This obsd box has a default gateway set to 192.168.3.254, and all hosts on the 192.168.4.0/24 subnet have their gateway set to 192.168.4.254. PF turned OFF.
> >
> > 192.168.3.254 - gateway to the internet, is set as default gateway for hosts on 192.168.3.0/24. This box has a route set for 192.168.4.0/24 to 192.168.3.253.
> >
> > Now then... What happens is when a workstation (192.168.3.0/24 hosts) tries to transfer a file to a host on the 192.168.4.0/24 subnet, it transfers around 60Kb before it hangs and eventually times out or gets reset. This is with pf turned ON on the 192.168.3.254 box. Rules are to pass out and pass in everything.
> >
> > I 'set debug loud' in pf.conf, and in /var/log/messages lots of these types of messages showed up:
> >
> >     Apr 6 17:21:31 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A seq=2515403070 ack=0 len=1460 ackskew=0 pkts=64:0 dir=out,fwd
> >
> > Now, if I turn pf OFF, everything works fine. And if I manually add a route to a workstation for 192.168.4.0/24 then it also works fine, because it then does not use the 192.168.3.254 gateway to get to 192.168.4.0/24.
> >
> > So then... any ideas how to fix this?
>
> No, but the fact that you claim 192.168.3.0/24 can get to 192.168.4.0/24 without going through the router means either one of us is confused or your network is set up in a rather strange way.

Not sure, but I think a Proxy-ARP can do this sort of trick...

Joachim
Re: Default Gateway, PF, BAD State
On 4/6/06, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Thu, Apr 06, 2006 at 01:15:53AM +1200, Joshua Sandbrook wrote:
> > Hello There.
> >
> > I've got two openbsd gateways:
> >
> > 192.168.3.253 + 192.168.4.254 - gateway to the 192.168.4.0/24 subnet. This obsd box has a default gateway set to 192.168.3.254, and all hosts on the 192.168.4.0/24 subnet have their gateway set to 192.168.4.254. PF turned OFF.
> >
> > 192.168.3.254 - gateway to the internet, is set as default gateway for hosts on 192.168.3.0/24. This box has a route set for 192.168.4.0/24 to 192.168.3.253.
> >
> > Now then... What happens is when a workstation (192.168.3.0/24 hosts) tries to transfer a file to a host on the 192.168.4.0/24 subnet, it transfers around 60Kb before it hangs and eventually times out or gets reset. This is with pf turned ON on the 192.168.3.254 box. Rules are to pass out and pass in everything.
> >
> > I 'set debug loud' in pf.conf, and in /var/log/messages lots of these types of messages showed up:
> >
> >     Apr 6 17:21:31 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A seq=2515403070 ack=0 len=1460 ackskew=0 pkts=64:0 dir=out,fwd
> >
> > Now, if I turn pf OFF, everything works fine. And if I manually add a route to a workstation for 192.168.4.0/24 then it also works fine, because it then does not use the 192.168.3.254 gateway to get to 192.168.4.0/24.
> >
> > So then... any ideas how to fix this?
>
> No, but the fact that you claim 192.168.3.0/24 can get to 192.168.4.0/24 without going through the router means either one of us is confused or your network is set up in a rather strange way.

The way I read it is:

    192.168.4.0 -> 192.168.4.254 (router) 192.168.3.253 -> 192.168.3.0 -> 192.168.3.254 (router) public_ip -> Internet

Greg
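The "BAD state" line quoted in this thread carries everything needed to see why pf dropped the segment. As an added example (not code from any of the posters), the following Python parses that exact line and reports the two tell-tale numbers: `pkts=64:0` (pf has seen one direction of the connection only, consistent with replies reaching the workstation without crossing this box) and `seq` sitting past `high` (the sender kept transmitting while pf never saw the ACKs that would have let the window advance). The three address fields are kept as printed; which is lan, gwy or ext is not needed for the diagnosis, and the sequence comparison is done modulo 2^32 so it also holds for wrapped sequence numbers.

```python
"""Parse and diagnose pf 'BAD state' log lines (added example, not the posters' code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The log line quoted in the thread.
SAMPLE_LOG = (
    "Apr 6 17:21:31 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 "
    "192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 "
    "win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A "
    "seq=2515403070 ack=0 len=1460 ackskew=0 pkts=64:0 dir=out,fwd"
)

BAD_STATE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<a1>\S+) (?P<a2>\S+) (?P<a3>\S+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=\d+\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=\d+\] "
    r"(?P<ss>\d+):(?P<ds>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) "
    r"len=(?P<len>\d+) ackskew=(?P<skew>-?\d+) pkts=(?P<p1>\d+):(?P<p2>\d+) "
    r"dir=(?P<dir>\S+)"
)


@dataclass
class BadState:
    proto: str
    endpoints: List[str]      # the three host:port fields exactly as pf printed them
    src_lo: int               # next sequence number pf expects from the sender
    src_hi: int               # end of the window pf will still accept from the sender
    dst_lo: int
    dst_hi: int
    seq: int                  # sequence number of the rejected segment
    ack: int
    length: int
    pkts: Tuple[int, int]     # packets pf has seen in each direction of the state
    direction: str


def parse_bad_state(line: str) -> Optional[BadState]:
    """Return the parsed record, or None for lines that are not BAD state messages."""
    m = BAD_STATE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return BadState(
        proto=g["proto"],
        endpoints=[g["a1"], g["a2"], g["a3"]],
        src_lo=int(g["slo"]), src_hi=int(g["shi"]),
        dst_lo=int(g["dlo"]), dst_hi=int(g["dhi"]),
        seq=int(g["seq"]), ack=int(g["ack"]), length=int(g["len"]),
        pkts=(int(g["p1"]), int(g["p2"])),
        direction=g["dir"],
    )


def seq_ahead_of(seq: int, bound: int) -> int:
    """How far seq lies beyond bound in 32-bit sequence space (0 if not beyond)."""
    delta = (seq - bound) % (1 << 32)
    return delta if 0 < delta < (1 << 31) else 0


def diagnose(state: BadState) -> List[str]:
    """Explain the rejection from the numbers pf printed."""
    findings: List[str] = []
    a, b = state.pkts
    if (a == 0) != (b == 0):
        findings.append(
            f"asymmetric: pf saw {max(a, b)} packets in one direction and none in the "
            f"other, so the reverse traffic is taking a path that bypasses this pf"
        )
    ahead = seq_ahead_of(state.seq, state.src_hi)
    if ahead:
        findings.append(
            f"seq {state.seq} is {ahead} bytes past the window end {state.src_hi}; "
            f"pf never saw the ACKs that would have advanced it"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_bad_state(SAMPLE_LOG)
    if parsed:
        for f in diagnose(parsed):
            print(f)
```

Both findings point at the same cause the thread reaches by experiment: with pf on 192.168.3.254 seeing only the workstation's half of the conversation, its state tracking can never validate the later segments. The poster's own observations (pf off works, a host route that bypasses 192.168.3.254 works) are consistent with that reading.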
Re: time is always 10 minutes fast!
On 2006-04-18 08:22:55 -0700, Darrin Chandler wrote:
> I'd comment out the single server commands and go with servers pool.ntp.org and see what happens.

As pool.ntp.org will assign you timeservers from all over the world, time quality will not be ideal. You get a bit better result if you use the continental zones (for example europe, north-america, oceania or asia.pool.ntp.org), and even better time if you use the country zone (like ch.pool.ntp.org in Switzerland) - for all these zones, you can again use the 0, 1 or 2 prefixes, like 0.ch.pool.ntp.org. Note, however, that the country zone might not exist for your country, or might contain only one or two timeservers. If you know timeservers that are really close to you (measured by network distance, with traceroute or ping), time probably will be even better.

    servers north-america.pool.ntp.org

should provide a better time.

Best
Martin
--
http://www.tm.oneiros.de
how to log rdr rules in PF?
Hi all,

How can I log rdr rules in PF? I've seen my question appear in the archives, but I haven't seen an answer.

These are my rules:

    rdr pass inet proto tcp from <spamd> to any \
        port smtp -> 127.0.0.1 port 8025
    rdr pass inet proto tcp from !<spamd-white> to any \
        port smtp -> 127.0.0.1 port 8025

when I use

    rdr pass log inet...

pfctl -nf pf.conf gives a syntax error:

    pf.conf:35: syntax error

Anyone?

Regards,
Jasper
Re: how to log rdr rules in PF?
Hi, which OpenBSD version do you use? man pf.conf says:
    rdr-rule = [ no ] rdr [ pass [ log [ ( logopts ) ] ] ] [ on ifspec ] [ af ] [ protospec ] hosts [ tag string ] [ tagged string ] [ -> ( redirhost | { redirhost-list } ) [ portspec ] [ pooltype ] ]
On 4/18/06, Jasper Bal [EMAIL PROTECTED] wrote: Hi all, How can I log rdr rules in PF? I've seen my question appear in the archives, but I haven't seen an answer. These are my rules:
    rdr pass inet proto tcp from <spamd> to any \
        port smtp -> 127.0.0.1 port 8025
    rdr pass inet proto tcp from !<spamd-white> to any \
        port smtp -> 127.0.0.1 port 8025
When I use rdr pass log inet... pfctl -nf pf.conf gives a syntax error: pf.conf:35: syntax error Anyone? Regards, Jasper -- Huzeyfe Onal --- First Turkish Qmail book is out! Go check it. Have you heard! Turkey's first Qmail book is out. http://www.acikakademi.com/catalog/qmail/
Re: time is always 10 minutes fast!
**SOLVED** (I think) First I killed ntpd, then did ntpd -s north-america.pool.ntp.org and got: set local clock to Tue Apr 18 13:28:59 EST 2006 (offset -3558.915779s) Except I want DST, so that it should show 2 PM. I can't figure out how to set this. On 4/18/06, Jerome Santos [EMAIL PROTECTED] wrote: Hi there I've been trying to sync my system time using ntpd. I followed the FAQ on how to do this but it always seems that my time is 10 minutes fast. my /etc/ntpd.conf:
    # $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
    # sample ntpd configuration file, see ntpd.conf(5)
    # Addresses to listen on (ntpd does not listen by default)
    listen on *
    #sync to a single server
    server 0.north-america.pool.ntp.prg
    server 1.north-america.pool.ntp.org
    server 2.north-america.pool.ntp.org
    # use a random selection of 8 public stratum 2 servers
    # see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
    servers pool.ntp.org
Any hints or pointers much appreciated!! Thanks, Jerome
Re: time is always 10 minutes fast!
On Tue, Apr 18, 2006 at 02:34:30PM -0400, Jerome Santos wrote: **SOLVED** ( I think) First I killed ntpd, then did ntpd -s north-america.pool.ntp.org and got: set local clock to Tue Apr 18 13:28:59 EST 2006 (offset -3558.915779s) Except I want DST, so that it should show 2 PM. I can't figure out how to set this. Have a look at /etc/localtime - specifically, to what file does it point? Joachim
Re: Server Compatibility List
On Tue, Apr 18, 2006 at 11:47:17AM -0400, Will H. Backman wrote: I don't know if this has been posted before, but I found a nice openbsd server compatibility list: To ensure availability of appropriate server hardware platforms for Profense, Armorlogic is testing new server models from major manufacturers on an ongoing basis. It is our goal to provide our customers with server hardware platforms that are easily available in major parts of the world. Therefore, we only test/support standard and pre-configured server hardware from HP, Dell, IBM, Sun and Fujitsu-Siemens. http://www.armorlogic.com/openbsd_information_server_compatibility_list.html This list gave the information I needed to go ahead and order the server for my shiny new 3.9 CDs. This is known. There is also the OpenBSD Metastore http://www.openbsdmetastore.com/ which does not appear to be all that active lately... Joachim
Re: time is always 10 minutes fast!
On 2006/04/18 14:34, Jerome Santos wrote: Except I want DST, so that it should show 2 PM. I can't figure out how to set this. symlink /etc/localtime to /usr/share/zoneinfo/foo.
Re: time is always 10 minutes fast!
On 2006/04/18 19:37, Martin Schröder wrote: time if you use the country zone (like ch.pool.ntp.org in Switzerland) - for all these zones, you can again use the 0, 1 or ...really crappy for some countries, alas. UK, from a well-connected host:
    round-trip min/avg/max/std-dev = 134.025/134.025/134.025/0.000 ms
    round-trip min/avg/max/std-dev = 16.014/16.014/16.014/0.000 ms
    round-trip min/avg/max/std-dev = 35.583/35.583/35.583/0.000 ms
    round-trip min/avg/max/std-dev = 152.936/152.936/152.936/0.000 ms
    round-trip min/avg/max/std-dev = 28.746/28.746/28.746/0.000 ms
    round-trip min/avg/max/std-dev = 115.822/115.822/115.822/0.000 ms
    round-trip min/avg/max/std-dev = 13.989/13.989/13.989/0.000 ms
    round-trip min/avg/max/std-dev = 9.453/9.453/9.453/0.000 ms
Re: User specific resources limits increase live help needed.
On Tue, Apr 18, 2006 at 11:56:11AM -0400, Daniel Ouellet wrote: I am having a problem with a specific user account that I can't shut down, as I would create data corruption now if I did so, but I also need to increase the resources of it as that user account can't log in via ssh because it reaches the limits. I get Disconnecting: fork failed: Resource temporarily unavailable and looking at the system running, I see that it uses all the possible processes available to that account. I tried to change the login.conf to allow more, but it doesn't take effect now. Killing the processes of that user, I can't do that now as I would at the same time create data corruption, so I can't do it as these processes are manipulating lots of data now. So, I am running out of ideas as to what to try to temporarily address this issue now and then later make a permanent fix to it. Is it possible to do so as it is in use, or do I need to kill it? The processes in question will continue to run for maybe two more days now and I can't really wait that much as it is creating real problems now. Any advice on this would be more than welcome. I am still doing research on Google to see what I can do, and I am sure somehow I would find it eventually, but I am a bit in a crunch, so if someone would have a good suggestion, I would appreciate it. I am really starting to feel the heat on this. My problem is more of a timely fix than a proper solution at this time. It all depends on what is doing the actual constraining. If it is kern.maxproc, that is easily increased. If it's ulimit or login.conf, some smarter stuff might need to be done. gdb or similar could be used to make running processes do what one wants them to do - for example, to make a few system calls to raise the soft limit. Of course, this only helps if the soft limit is lower than the hard limit. On a slightly more hackish note, liberal use of cp (.ssh/authorized_keys) and chmod -R g+rwx might create a more-or-less equivalent account. Joachim
Re: Default Gateway, PF, BAD State
On Tue, Apr 18, 2006 at 10:08:45AM -0700, Greg Thomas wrote: On 4/6/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Thu, Apr 06, 2006 at 01:15:53AM +1200, Joshua Sandbrook wrote: Hello There. I've got two openbsd gateways: 192.168.3.253 + 192.168.4.254 - gateway to the 192.168.4.0/24 subnet. This obsd box has a default gateway set to 192.168.3.254, and all hosts on the 192.168.4.0/24 subnet have their gateway set to 192.168.4.254. PF turned OFF. 192.168.3.254 - gateway to the internet, is set as default gateway for hosts on the 192.168.3.0/24. This box has a route set for 192.168.4.0/24 to 192.168.3.253. Now then... What happens is when a workstation (192.168.3.0/24 hosts) tries to transfer a file to a host on the 192.168.4.0/24 subnet, it transfers around 60Kb before it hangs and eventually times out or gets reset. This is with pf turned ON on the 192.168.3.254 box. Rules are to pass out and pass in everything. I 'set debug loud' in pf.conf, and in /var/log/messages lots of these types of messages showed up: Apr 6 17:21:31 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A seq=2515403070 ack=0 len=1460 ackskew=0 pkts=64:0 dir=out,fwd Now, if I turn pf OFF, everything works fine. And if I manually add a route to a workstation for 192.168.4.0/24 then it also works fine, because it then does not use the 192.168.3.254 gateway to get to 192.168.4.0/24. So then... any ideas how to fix this? No, but the fact that you claim 192.168.3.0/24 can get to 192.168.4.0/24 without going through the router means either one of us is confused or your network is set up in a rather strange way. The way I read it is: 192.168.4.0 - 192.168.4.254(router)192.168.3.253 - 192.168.3.0 - 192.168.3.254(router)public_ip - Internet That makes sense.
Still, the OP doesn't seem in a hurry to get his answers - I'd forgotten about this thread - so he's presumably solved his problem... Plus, I anticipate debugging this will require more information and lots of time. And will likely end up pointing to bad hardware or somesuch. Joachim
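An added example, not from the thread: the quoted "BAD state" line carries per-state packet counters (pkts=64:0, with the reverse window still at lo=0), i.e. pf counted 64 packets out and never saw a reply, which is the signature of return traffic taking a path that bypasses the filter. This script scans a log for flows whose BAD state entries all look like that; it assumes the message format shown above and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: find pf "BAD state" log entries whose
# per-state packet counters ("pkts=fwd:rev") only ever grow in one direction.
# A state that keeps counting forward packets while the reverse counter stays
# at 0 means pf never saw the replies for that flow.

# Constructed sample: the line quoted in the thread, a second entry for the
# same flow, and one two-way flow that must not be reported.
PF_SAMPLE_LOG='Apr  6 17:21:31 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A seq=2515403070 ack=0 len=1460 ackskew=0 pkts=64:0 dir=out,fwd
Apr  6 17:21:33 sidb /bsd: pf: BAD state: TCP 192.168.3.222:33085 192.168.3.222:33085 192.168.4.51:22 [lo=2515403070 high=2515336655 win=49640 modulator=0] [lo=0 high=49640 win=1 modulator=0] 2:0 A seq=2515404530 ack=0 len=1460 ackskew=0 pkts=65:0 dir=out,fwd
Apr  6 17:25:02 sidb /bsd: pf: BAD state: TCP 192.168.3.10:4021 192.168.3.10:4021 192.168.4.7:80 [lo=10000 high=20000 win=5840 modulator=0] [lo=30000 high=40000 win=5840 modulator=0] 4:4 A seq=10005 ack=30001 len=0 ackskew=0 pkts=12:11 dir=out,fwd'

# pf_badstate_oneway [min_pkts]  < /var/log/messages
# Prints "ONE-WAY <proto> <src> -> <dst> (<n> log lines)" for every flow whose
# BAD state entries all show at least min_pkts packets one way and none back.
pf_badstate_oneway() {
    awk -v min="${1:-8}" '
    /pf: BAD state:/ {
        # After "state:" come: proto, lan-side endpoint, gateway-side endpoint, destination.
        for (i = 1; i <= NF; i++) if ($i == "state:") break
        proto = $(i + 1); src = $(i + 2); dst = $(i + 4)
        fwd = -1; rev = -1
        for (j = i + 5; j <= NF; j++)
            if ($j ~ /^pkts=/) { split(substr($j, 6), p, ":"); fwd = p[1] + 0; rev = p[2] + 0 }
        if (fwd < 0) next
        key = proto " " src " -> " dst
        if ((fwd >= min && rev == 0) || (rev >= min && fwd == 0)) { oneway[key]++ } else { twoway[key]++ }
    }
    END {
        for (k in oneway)
            if (!(k in twoway)) printf "ONE-WAY %s (%d log lines)\n", k, oneway[k]
    }' | sort
}

# Demo on the constructed sample; on a live box: pf_badstate_oneway < /var/log/messages
printf '%s\n' "$PF_SAMPLE_LOG" | pf_badstate_oneway 8
```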
Re: time is always 10 minutes fast!
On Tue, 18 Apr 2006, Darrin Chandler wrote: You have both server *and* servers active in your config? Hmm. In any case ntpd should be logging to /var/log/daemon by default. Messages there will be a great clue as to what's going on, hopefully. ntpd allows having multiple server and multiple servers lines. -Otto
Re: User specific resources limits increase live help needed.
Joachim Schipper wrote: It all depends on what is doing the actual constraining. If it is kern.maxproc, that is easily increased. If it's ulimit or login.conf, some smarter stuff might need to be done. Couldn't log in with a specific user that gets: Server sent disconnect message type 2 (SSH_DISCONNECT_PROTOCOL_ERROR): fork failed: Resource temporarily unavailable Looks like all processes were in use and couldn't be killed because it was going to corrupt data and create a lot more work. I searched Google more this morning and spent a few hours trying to find a solution. I thought that increasing the limits inside login.conf would be picked up right away at the next login, but it looks like it didn't, or maybe it doesn't do it as long as the user's account is in use, I don't know. In any case, the problem got so critical that I had to make the choice between giving myself a few days more work at cleaning up the mess of data corruption or not allowing access to change critical information that needed to be changed. It wasn't the best choice obviously, but time was the issue at hand and I had to kill many processes to free resources to allow this. So, I wish I had got something working sooner, or found how to do this properly, but didn't! So, I fixed the issue with some damage to my free time, but all users and processes are doing their thing normally without anything affecting them. Anyway, thanks for your feedback, but I had to make a choice and did it at the expense of a few white nights coming up for me! Like I can sleep already! (: Thanks Daniel
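An added example, not from the thread, for Joachim's "what is doing the actual constraining" question: it resolves the effective maxproc-cur of a login class by walking login.conf's tc= inheritance chain and compares it with a process count. The login.conf fragment, the class names and the counts are constructed; kern.maxproc is a separate system-wide ceiling that this does not check.

```shell
#!/bin/sh
# Added example, not from the thread: find the soft process limit a login
# class grants (following tc= inheritance as login.conf(5) does) and report
# how much headroom a user with a given number of processes still has.

# Constructed login.conf fragment; the real file is /etc/login.conf.
LOGIN_CONF_SAMPLE='# comment lines and blank lines are ignored
default:\
        :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
        :maxproc-max=256:\
        :maxproc-cur=128:\
        :tc=auth-defaults:

staff:\
        :maxproc-max=512:\
        :maxproc-cur=256:\
        :tc=default:
'

# login_limit <class> <capability>  < login.conf
# Prints the capability value, or exits 1 when no class in the chain sets it.
login_limit() {
    awk -v class="$1" -v cap="$2" '
    /^#/ || /^[ \t]*$/ { next }
    {
        line = $0
        cont = sub(/\\[ \t]*$/, "", line)       # trailing backslash continues the record
        rec = rec line
        if (cont) next
        n = split(rec, f, ":")
        m = split(f[1], names, "[|]")            # one record may name several classes
        for (i = 2; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", f[i])
            if (f[i] == "") continue
            eq = index(f[i], "=")
            k = eq ? substr(f[i], 1, eq - 1) : f[i]
            v = eq ? substr(f[i], eq + 1) : "true"
            for (j = 1; j <= m; j++) caps[names[j], k] = v
        }
        rec = ""
    }
    END {
        c = class
        for (depth = 0; depth < 16; depth++) {  # bounded walk up the tc= chain
            if ((c, cap) in caps) { print caps[c, cap]; exit 0 }
            if (!((c, "tc") in caps)) exit 1
            c = caps[c, "tc"]
        }
        exit 1
    }'
}

# proc_headroom <class> <running>  < login.conf
# Reports how many more processes the class soft limit allows; returns 1 when
# the user is already at or over it.  On a live box the count would come from
# something like:  ps -U alice -o pid= | wc -l
proc_headroom() {
    limit=$(login_limit "$1" maxproc-cur) || { echo "$1: no maxproc-cur set" >&2; return 2; }
    left=$((limit - $2))
    echo "$1: $2/$limit processes, $left left"
    [ "$left" -gt 0 ]
}

printf '%s' "$LOGIN_CONF_SAMPLE" | proc_headroom staff 250
```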
Re: how to log rdr rules in PF?
Huzeyfe Onal wrote: Hi, which OpenBSD version do you use? man pf.conf says:
    rdr-rule = [ no ] rdr [ pass [ log [ ( logopts ) ] ] ] [ on ifspec ] [ af ] [ protospec ] hosts [ tag string ] [ tagged string ] [ -> ( redirhost | { redirhost-list } ) [ portspec ] [ pooltype ] ]
Hi Huzeyfe, Thanks for your reply. I'm using OpenBSD 3.6; my man pf.conf says:
    rdr-rule = [ no ] rdr [ pass ] [ on ifspec ] [ af ] [ protospec ] hosts [ tag string ] [ -> ( redirhost | { redirhost-list } ) [ portspec ] [ pooltype ] ]
I guess this answers my question. Although logging would have helped me today, I don't consider it worthy of upgrading. My servers are 400km away... Regards, Jasper
Re: how to log rdr rules in PF?
On 2006/04/18 22:02, Jasper Bal wrote: Thanks for your reply. I'm using OpenBSD 3.6; my man pf.conf says: rdr-rule = [ no ] rdr [ pass ] [ on ifspec ] [ af ] Drop the 'pass' from the rdr, and add explicit pass rules. I guess this answers my question. Although logging would have helped me today, I don't consider it worthy of upgrading. My servers are 400km away... I haven't yet had a time where the "Upgrading without install media" method on e.g. http://www.openbsd.org/faq/upgrade38.html has given any problems. If you want to be doubly sure, arrange things so that somebody close to the server can connect a serial console without trouble (e.g. 'set tty com0' in /etc/boot.conf and enable the relevant port in /etc/ttys).
Re: how to log rdr rules in PF?
Regarding running 3.6: I guess this answers my question. Although logging would have helped me today, I don't consider it worthy of upgrading. My servers are 400km away... If I publically gave all of you 10 reasons why you should not run code that old, would you upgrade?
Re: time is always 10 minutes fast!
That did it! Thanks a lot!!! Jerome On 4/18/06, Stuart Henderson [EMAIL PROTECTED] wrote: On 2006/04/18 14:34, Jerome Santos wrote: Except I want DST, so that it should show 2 PM. I can't figure out how to set this. symlink /etc/localtime to /usr/share/zoneinfo/foo.
Re: how to log rdr rules in PF?
Theo de Raadt wrote: Regarding running 3.6: I guess this answers my question. Although logging would have helped me today, I don't consider it worthy of upgrading. My servers are 400km away... If I publically gave all of you 10 reasons why you should not run code that old, would you upgrade? Maybe...
Re: how to log rdr rules in PF?
Jasper Bal wrote: Theo de Raadt wrote: Regarding running 3.6: I guess this answers my question. Although logging would have helped me today, I don't consider it worthy of upgrading. My servers are 400km away... If I publically gave all of you 10 reasons why you should not run code that old, would you upgrade? Maybe... The first being that it is so easy to do even remotely and I do that all the time now. Follow TO THE LETTER step by step, including the reboot in between steps, and you will be amazed how easy it is! So, first: http://openbsd.org/faq/upgrade37.html then: http://openbsd.org/faq/upgrade38.html and then when it is up, you do the upgrade to 3.9. (: Daniel
Re: how to log rdr rules in PF?
[OpenBSD-3.6] On Tue, Apr 18, 2006 at 02:34:00PM -0600, Theo de Raadt wrote: If I publically gave all of you 10 reasons why you should not run code that old, would you upgrade? Looking at errata*.html, 13 reasons would be closer to reality ;-) Ciao, Kili
Ethical question on misc suggestion
At the risk of being flamed big time, and that's fine, I would however suggest that questions on misc@ follow the same criteria as the support for the OS itself. Meaning, a new release comes out, then support on the oldest is dropped and only the last two are supported. Shouldn't support or questions on misc@ follow the same policy? Over many years, I keep seeing many issues that are simply fixed in a new release, but that many users ask about and don't want to upgrade to the latest one to fix their problem. Just like the ethical thing to do before asking a question on misc@ is to do your homework, isn't it proper to ask the same thing for questions on the OS in use? Makes sense to me. I guess if someone doesn't want to give himself/herself the trouble to upgrade, why should anyone here then try to fix an issue already fixed in a new release? I don't know, maybe I am just too narrow minded, but really upgrading the servers is so easy and Nick does an incredible job at providing the instructions on doing so that I can't see the point of not doing it really. I know many will tell me that their system is so complex and would take so much time to upgrade that I don't understand them or their setup. Great then, if that's the argument used, that I don't understand their so complex setup, why ask for help in that case, as it is so complex that no one would understand it? That's the catch 22 I tell you. If it is so complex that it can't be upgraded by a process so simple, then how can someone justify asking for help on something so complex that no one else could understand, as upgrading is impossible to do, I ask?
I don't know, but I think this would help provide even wider testing for the latest release and if there are real issues with it, they would get fixed sooner and at the same time all users would benefit from something even more stable, if that's even possible, and then the level of questions on misc@ might also diminish, or be about more actual issues that maybe more users might be interested in. I don't know, but that's my take on it. If one can't give himself/herself the pain to upgrade, I sure don't see why anyone else should give themselves the pain to support it either! Regards, Daniel
ethernet-based video server recommendations
Can anyone recommend brands of video servers (for composite video cameras) that can be initialized and used without Java, Javascript, ActiveX, or any windows software? Thanks, Dave Feustel -- Lose, v., experience a loss, get rid of, lose the weight Loose, adj., not tight, let go, free, loose clothing
Re: Ethical question on misc suggestion
On 4/18/06, Daniel Ouellet [EMAIL PROTECTED] wrote: At the risk of been flame big time, and that's fine, I would however suggest that questions on misc@ follow the same criteria as the support for the OS it's self. Meaning, a new release come out, then support on the oldest is drop and only the last two are supported. Shouldn't support or question on misc@ follow the same policy. You know, you really could have left it at that. I stopped reading there and I doubt you had anything important to say in the rest of the message. If you did then it's your loss as not many people are going to read these types of messages to the end. Having said that, I'm sure if developers and users were forced to read misc then they would consider putting a policy such as the above in place. Otherwise, just ignore the older questions. Greg
Multi Firewalls Admin
Hi, I have to remote admin 54 OpenBSD firewalls. What tools can help me for that (Monitoring, Updates or PF broadcasts, getting firewalls logs, automate processes, ...), is there all in one ? Regards, Sacha.
Sun X2100
I'm considering purchasing a Sun X2100 to use as an OpenBSD based firewall. Any hardware issues I should be aware of? What have been people's experiences with these (or similar) machines? -- U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: dhcpclient diff (new options)
On 4/18/06, Joseph C. Bender [EMAIL PROTECTED] wrote: Ted Unangst wrote: another time, somebody should delete all this atom + 1 shit. any computer that runs on electricity should be able to handle the strain. Okay, so I have to ask. Why would anyone do something that lame anyway? Well, if you write something like:
    if (*str == 'c') {
        // in here it's redundant to have strcmp check the first character,
        // since you already know it's a c
        if (strcmp(str + 1, "har") == 0) { // if str == "char" (strcmp returns 0 on a match)
            // eggs...
        }
        // spam...
    }
It just cuts down the number of branches in the code... but it's hardly worth it, it makes it too much more difficult to read. -Nick
Re: Sun X2100
stan wrote: I'm considering purchasing a Sun X2100 to use as an OpenBSD based firewall. Any hardware issues I should be aware of? What have been people's experiences with these (or similar) machines? It worked. Undeadly hosts their site on it, the only issue at the time was the second Ethernet port wasn't supported. I don't know if that changed or not. Search the archive on it, there is information there including dmesg as well.
Re: Multi Firewalls Admin
On 4/17/06, xanadu [EMAIL PROTECTED] wrote: I have to remote admin 54 OpenBSD firewalls. What tools can help me for that (Monitoring, Updates or PF broadcasts, getting firewalls logs, automate processes, ...), is there all in one ? I believe you're looking for Jr Network Admin, still not available as a package yet. If you can't find one (check behind the filing cabinets), you'll want to investigate snmp, syslog, cron, rsync, your favourite scripting language, and perhaps a nice monitoring solution (I've used Cacti, Nagios, and Argus at various times). -- Jon Simola Systems Administrator ABC Communications
Re: Server Compatibility List
On Tue, Apr 18, 2006 at 11:47:17AM -0400, Will H. Backman wrote: I don't know if this has been posted before, but I found a nice openbsd server compatibility list: To ensure availability of appropriate server hardware platforms for Profense, Armorlogic is testing new server models from major manufacturers on an ongoing basis. It is our goal to provide our customers with server hardware platforms that are easily available in major parts of the world. Therefore, we only test/support standard and pre-configured server hardware from HP, Dell, IBM, Sun and Fujitsu-Siemens. http://www.armorlogic.com/openbsd_information_server_compatibility_list.html This list gave the information I needed to go ahead and order the server for my shiny new 3.9 CDs. That is totally out of date for 3.9, everything except the x4200 should be fine.
Re: Sun X2100
stan wrote: I'm considering purchasing a Sun X2100 to use as an OpenBSD based firewall. Any hardware issues I should be aware of? What have been people's experiences with these (or similar) machines? I have been using a couple of the X2100's in testing environments for a few weeks, they run 3.9 well. In 3.8 the second NIC was not usable.
Re: pppoe
On Tue, Apr 18, 2006 at 11:52:47AM +0930, Brendan Grossman wrote: Hi everyone To bring up a pppoe connection, I use ppp -ddial provider But how do I take it down? Also how do I remove old tunx devices?
    # ifconfig
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
            inet 219.90.xxx.xxx --> 203.2.124.224 netmask 0x
            Opened by PID 71830
    tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
    tun2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
            inet 219.90.xxx.xxx --> 219.90.174.215 netmask 0x
What the? How do I get rid of the others? tun0 seems to be the only one in use there. It seems strange to me that you have this problem because I once had a setup similar to yours (under 3.4-3.5-3.6) and never had this problem. Maybe you did not do something right, maybe it's a bug but without showing more info one can only guess. The info required here would be the version you are running, your ppp.conf file (sanitized to remove passwords, of course) and your linkup and linkdown script if they contain anything. On another topic, if you are running 3.7 or higher, you could give the in-kernel pppoe a try, unless, of course, you have already tried and some weird thing your provider is doing prevents it from working. Arnaud -- i think we should rewrite the kernel in java since it has good support for threads. - Ted Unangst
Re: Multi Firewalls Admin
Sasha, Shameless SelfPromotion If you check out http://www.allard.nu/pfw/, it's most likely going to be the closest thing for you. It can do PF broadcasts (installing a ruleset on multiple firewalls at once), examining logs on remote firewalls and do basic monitoring of your firewalls as well. /Shameless SelfPromotion Regards, //johan Hi, I have to remote admin 54 OpenBSD firewalls. What tools can help me for that (Monitoring, Updates or PF broadcasts, getting firewalls logs, automate processes, ...), is there all in one ? Regards, Sacha.
Re: WLAN IPsec: flows between two non-AP peers
Håkan, Thanks for your clarification on Reyk's explanation, and thank you Reyk too. On 18/04/06, Håkan Olsson [EMAIL PROTECTED] wrote: For the main problem; it may be obvious but getting two WLAN hosts to do IPsec between each other via one or more gateways requires them to be on different subnets (as in Reyk's example). Obvious to someone who has a decent understanding of TCP/IP, perhaps ;-) Obviously I am very much a novice! IPsec is very much an IP protocol, all general IP routing rules apply. For the kernel to encrypt/decrypt a packet is basically a routing decision (not by the same mechanism as IP routing, though). This was where I needed some assistance. Your explanation and Reyk's examples have clarified this for me. For two hosts on the same subnet, the direct delivery case applies, and if one wants IPsec it has to be set up between the two, directly. Yes, that makes sense to me now. I guess I was thinking something like a switched LAN, but thinking about that, a conventional switched ethernet LAN is insecure as well. That said, it is probably possible to come up with some crazy design to permit this anyway, but IMO the administrative requirements to keep it working will easily outweigh any operational gain. I'd try to reconsider the intended purpose and use of the WLAN network (why is protected node-node traffic needed? Can we avoid this requirement?) ... or I'd try to find a good(!) L2 tunneling technique. My (perhaps rather naive) requirement is to create something similar to a WEP/WPA protected WLAN but using secure, open source tools instead of the insecure, poorly designed tools that abound. I'm reasonably confident now that I know the correct path to take. Many thanks again, Damon
Re: Sun X2100
On Tue, Apr 18, 2006 at 04:39:44PM -0700, Dag Richards wrote: stan wrote: I'm considering purchasing a Sun X2100 to use as an OpenBSD based firewall. Any hardware issues I should be aware of? What have been people's experiences with these (or similar) machines? I have been using a couple of the X2100's in testing environments for a few weeks, they run 3.9 well. In 3.8 the second NIC was not usable. Thanks, that's important info, as I am planning on using both. Out of curiosity what was the issue? I would assume they are both the same hardware type, no? -- U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
recover raidframe
hi, I have two raids set up, raid0 (boot) and raid1 (a fiberchannel SAN), I need to boot my raid kernel and bring up raid0 (automatically rebuilding parity), but not bring up raid1. I renamed the raid1.conf file in root as temp.raid1.conf hoping that when the kernel booted up it wouldn't construct raid1, but it grabbed it from somewhere (probably from raid0a). raid1 is a 500GB SAN and takes 5 hours to rebuild parity (which isn't working, so I am just going to newfs the drives and start from scratch). so what file do I delete, or command do I give so I get the raid kernel, but omit raid1? I don't mind omitting raid0 either, I can easily rebuild that by copy backing from sd1d, but I can't turn off autoconfig if I don't have the raid kernel booted, but when I 'boot disk0:a bsd.raid' it automatically configures raid1, which I don't want to do. thanks
Re: recover raidframe
so what file do I delete, or command do I give so I get the raid kernel, but omit raid1? I don't mind omitting raid0 either, I can easily rebuild that by copy backing from sd1d, but I can't turn off autoconfig if I don't have the raid kernel booted, but when I 'boot disk0:a bsd.raid' it automatically configures raid1, which I don't want to do. You want to `boot -s` or in your case `boot disk0:a bsd.raid -s` and then something like
    mount /
    ed /etc/rc
    ,s/^raidctl/#raidctl/
    w
    q
    reboot
or
    raidctl -A no raid1
    reboot
(either remove parity rebuild or unconfig raid1 - if the former you will want to also remove any /etc/fstab entry to prevent long fsck) Good luck, -f http://www.blackant.net/
Re: pppoe
On 4/18/06, Han Boetes [EMAIL PROTECTED] wrote: More elegant is: if ! ifconfig -a | grep -q tun0; then Yet another way to write this: (Though not quite as readable?)
    ifconfig tun0 >/dev/null 2>&1 && ifconfig $_ destroy
Re: how to log rdr rules in PF?
Theo de Raadt wrote: Regarding running 3.6: I guess this anwsers my question. Allthough logging would have helped me today, I don't consider it worthy of upgrading. My servers are 400km away... If I publically gave all of you 10 reasons why you should not run code that old, would you upgrade? I think our fearless leader has struck on a way to increase upgrades and CD sales Each new CD release comes with proof of concept code to exploit old releases. :) Eddie
Re: pppoe
NetNeanderthal wrote: On 4/18/06, Han Boetes [EMAIL PROTECTED] wrote: More elegant is: if ! ifconfig -a | grep -q tun0; then Yet another way to write this: (Though not quite as readable?)
    ifconfig tun0 >/dev/null 2>&1 && ifconfig $_ destroy
I thought up the same construction after I posted the previous message. Though I didn't know that $_ means the last argument. Nice trick, though not very readable indeed. :-) The point is the same though: To check the return value instead of the resulting text. # Han
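An added example, not the thread's own script: the one-liners above only test whether tun0 exists, so this version parses ifconfig output and destroys only the tun interfaces that are neither RUNNING nor "Opened by PID" (no ppp process holds them), which is the state of tun1 and tun2 in the listing quoted earlier. The ifconfig output it runs on is constructed to resemble that listing.

```shell
#!/bin/sh
# Added example, not from the thread: destroy only the tun(4) interfaces
# left behind by dead ppp sessions, instead of blindly destroying tun0.

# Constructed ifconfig -a output modelled on the listing quoted in the thread:
# tun0 is live (RUNNING + owning PID), tun1 is bare, tun2 still carries a
# stale address but nobody has it open.
IFCONFIG_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
	inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
	inet 219.90.0.1 --> 203.2.124.224 netmask 0xffffffff
	Opened by PID 71830
tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
	inet 219.90.0.1 --> 219.90.174.215 netmask 0xffffffff'

# stale_tuns  < ifconfig-output
# Prints the names of tun interfaces that have no RUNNING flag and no owning PID.
stale_tuns() {
    awk '
    function flush() { if (name != "" && !running && !opened) print name }
    /^[a-z]/ {                       # unindented line: start of an interface block
        flush()
        name = ""
        if ($1 ~ /^tun[0-9]+:$/) {
            name = substr($1, 1, length($1) - 1)
            running = ($2 ~ /RUNNING/)
            opened = 0
        }
    }
    name != "" && /Opened by PID/ { opened = 1 }
    END { flush() }'
}

# destroy_stale_tuns [-n]  < ifconfig-output
# With -n only reports what would be destroyed.
destroy_stale_tuns() {
    for t in $(stale_tuns); do
        if [ "$1" = "-n" ]; then
            echo "would destroy $t"
        else
            ifconfig "$t" destroy
        fi
    done
}

# Real use:  ifconfig -a | destroy_stale_tuns -n   (drop -n once the list looks right)
printf '%s\n' "$IFCONFIG_SAMPLE" | destroy_stale_tuns -n
```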
fs block-number (soft) error - uncorrectable/corrected?
Hi, This is the second time I've been seeing this type of an error: Mar 27 01:30:47 box /bsd: wd0f: reading fsbn 3967732 of 3967732-3967735 (wd0 bn 9723412; cn 9646 tn 3 sn 55), retrying Mar 27 01:30:48 box /bsd: wd0: soft error (corrected) -- Apr 17 01:30:34 box /bsd: wd0f: uncorrectable data error reading fsbn 3655388 of 3655388-3655391 (wd0 bn 9411068; cn 9336 tn 6 sn 2), retrying Apr 17 01:30:36 box /bsd: wd0: soft error (corrected) wd0f is my /usr partition. How serious is this? Should I start looking into a hard-disk replacement? Obviously I'm making a back-up of data files I would like to keep. This is on OpenBSD 3.7 GENERIC (I'm about to upgrade it to 3.9). I noticed (google/MARC searched) that there is no definitive answer given for this topic. Some suggestions that it might be a drive going bad [1]. Wondering if I should simply wait to replace the drive before upgrading. Thanks in advance, --patrick [1] http://marc.theaimsgroup.com/?l=openbsd-miscm=108121869925371w=2 OpenBSD 3.7-stable (GENERIC) #0: Mon Aug 1 19:32:49 PDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Sempron(tm) Processor 2600+ (AuthenticAMD 686-class) 1.61 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2 real mem = 536387584 (523816K) avail mem = 482521088 (471212K) using 4278 buffers containing 26923008 bytes (26292K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(6b) BIOS, date 04/08/05, BIOS32 rev. 
0 @ 0xfa120 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown pcibios0 at bios0: rev 2.1 @ 0xf/0xc4b4 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc380/288 (16 entries) pcibios0: bad IRQ table checksum pcibios0: PCI BIOS has 17 Interrupt Routing table entries pcibios0: PCI Exclusive IRQs: 3 5 10 11 12 pcibios0: no compatible PCI ICU found pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Nvidia nForce3 250 PCI Host rev 0xa1 pcib0 at pci0 dev 1 function 0 Nvidia nForce3 250 ISA rev 0xa2 Nvidia nForce3 250 SMBus rev 0xa1 at pci0 dev 1 function 1 not configured ohci0 at pci0 dev 2 function 0 Nvidia nForce3 250 USB rev 0xa1: irq 12, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 4 ports with 4 removable, self powered ohci1 at pci0 dev 2 function 1 Nvidia nForce3 250 USB rev 0xa1: irq 10, version 1.0, legacy support usb1 at ohci1: USB revision 1.0 uhub1 at usb1 uhub1: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 4 ports with 4 removable, self powered ehci0 at pci0 dev 2 function 2 Nvidia nForce3 250 USB2 rev 0xa2: irq 11 ehci0: EHCI version 1.0 ehci0: companion controllers, 4 ports each: ohci0 ohci1 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: Nvidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 uhub2: single transaction translator uhub2: 8 ports with 8 removable, self powered Nvidia nForce3 LAN rev 0xa2 at pci0 dev 5 function 0 not configured auich0 at pci0 dev 6 function 0 Nvidia nForce3 250 AC-97 Audio rev 0xa1: irq 3, nForce3 AC97 ac97: codec id 0x414c4780 (Avance Logic ALC658) ac97: codec features 20 bit DAC, 18 bit ADC, No 3D Stereo audio0 at auich0 pciide0 at pci0 dev 8 function 0 Nvidia nForce3 250 IDE rev 0xa2: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: Maxtor 6Y080P0 wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: _NEC, DVD_RW ND-3540A, 1.01 SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 pciide1 at pci0 dev 10 function 0 Nvidia nForce3 250 SATA rev 0xa2: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI pciide1: using irq 11 for native-PCI interrupt pciide1: channel 0 ignored (not responding; disabled or no drives?) pciide1: channel 1 ignored (not responding; disabled or no drives?) ppb0 at pci0 dev 11 function 0 Nvidia nForce3 250 AGP rev 0xa2 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00 wsdisplay0 at vga1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ppb1 at pci0 dev 14 function 0 Nvidia nForce3 250 PCI-PCI rev 0xa2 pci2 at ppb1 bus 2 xl0 at pci2 dev 7 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 10, address 00:01:02:c2:a1:b9 bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6 pchb1 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00 pchb2 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00 pchb3 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00 pchb4 at pci0 dev 24 function
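An added example, not from the thread: a per-drive summary of wd(4) read errors over the two log events quoted above plus a constructed second drive, so the difference between a retried read that was later corrected and an uncorrectable data error is visible at a glance. The verdict thresholds are this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread: summarise wd(4) read errors per drive
# from /var/log/messages.  Retried reads that end in "soft error (corrected)"
# are worth watching; an "uncorrectable data error" means the drive could not
# return the block at all.

# Constructed sample: the two events quoted in the thread plus one retried
# read on a second drive (wd1) that was corrected.
WD_SAMPLE_LOG='Mar 27 01:30:47 box /bsd: wd0f: reading fsbn 3967732 of 3967732-3967735 (wd0 bn 9723412; cn 9646 tn 3 sn 55), retrying
Mar 27 01:30:48 box /bsd: wd0: soft error (corrected)
Apr 17 01:30:34 box /bsd: wd0f: uncorrectable data error reading fsbn 3655388 of 3655388-3655391 (wd0 bn 9411068; cn 9336 tn 6 sn 2), retrying
Apr 17 01:30:36 box /bsd: wd0: soft error (corrected)
Apr 17 02:00:00 box /bsd: wd1a: reading fsbn 1024 of 1024-1027 (wd1 bn 1024; cn 1 tn 0 sn 1), retrying
Apr 17 02:00:01 box /bsd: wd1: soft error (corrected)'

# wd_error_summary  < logfile
# One line per drive: retried reads, distinct blocks involved, uncorrectable and
# corrected counts, and a verdict (REPLACE on any uncorrectable error, WATCH on
# retries only, OK otherwise).
wd_error_summary() {
    awk '
    $5 == "/bsd:" && $6 ~ /^wd[0-9]+[a-p]?:$/ {
        drive = $6
        sub(/:$/, "", drive)
        sub(/[a-p]$/, "", drive)             # wd0f -> wd0 (drop the partition letter)
        seen[drive] = 1
        if (/uncorrectable/) unc[drive]++
        if (/soft error \(corrected\)/) corr[drive]++
        if (/, retrying$/) {
            retry[drive]++
            if (match($0, /fsbn [0-9]+/))
                blocks[drive, substr($0, RSTART + 5, RLENGTH - 5)] = 1
        }
    }
    END {
        for (d in seen) {
            n = 0
            for (b in blocks) { split(b, part, SUBSEP); if (part[1] == d) n++ }
            verdict = ((d in unc) ? "REPLACE" : ((d in retry) ? "WATCH" : "OK"))
            printf "%s: %d retried reads on %d distinct blocks, %d uncorrectable, %d corrected -> %s\n", d, retry[d], n, unc[d], corr[d], verdict
        }
    }' | sort
}

# Demo on the constructed sample; on a live box: wd_error_summary < /var/log/messages
printf '%s\n' "$WD_SAMPLE_LOG" | wd_error_summary
```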
Re: fs block-number (soft) error - uncorrectable/corrected?
definitive answer: replace the disk.

On 19/04/2006, at 1:04 PM, patrick ~ wrote:

Hi,

This is the second time I've been seeing this type of an error:

Mar 27 01:30:47 box /bsd: wd0f: reading fsbn 3967732 of 3967732-3967735 (wd0 bn 9723412; cn 9646 tn 3 sn 55), retrying
Mar 27 01:30:48 box /bsd: wd0: soft error (corrected)
--
Apr 17 01:30:34 box /bsd: wd0f: uncorrectable data error reading fsbn 3655388 of 3655388-3655391 (wd0 bn 9411068; cn 9336 tn 6 sn 2), retrying
Apr 17 01:30:36 box /bsd: wd0: soft error (corrected)

wd0f is my /usr partition. How serious is this? Should I start looking into a hard-disk replacement? Obviously I'm making a back-up of data files I would like to keep.

This is on OpenBSD 3.7 GENERIC (I'm about to upgrade it to 3.9).

I noticed (google/MARC searched) that there is no definitive answer given for this topic. Some suggestions that it might be a drive going bad [1]. Wondering if I should simply wait to replace the drive before upgrading.

Thanks in advance,
--patrick

[1] http://marc.theaimsgroup.com/?l=openbsd-miscm=108121869925371w=2

OpenBSD 3.7-stable (GENERIC) #0: Mon Aug 1 19:32:49 PDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Sempron(tm) Processor 2600+ (AuthenticAMD 686-class) 1.61 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2
real mem = 536387584 (523816K)
avail mem = 482521088 (471212K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(6b) BIOS, date 04/08/05, BIOS32 rev. 0 @ 0xfa120
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xc4b4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc380/288 (16 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 17 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 3 5 10 11 12
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Nvidia nForce3 250 PCI Host rev 0xa1
pcib0 at pci0 dev 1 function 0 Nvidia nForce3 250 ISA rev 0xa2
Nvidia nForce3 250 SMBus rev 0xa1 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 Nvidia nForce3 250 USB rev 0xa1: irq 12, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
ohci1 at pci0 dev 2 function 1 Nvidia nForce3 250 USB rev 0xa1: irq 10, version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
ehci0 at pci0 dev 2 function 2 Nvidia nForce3 250 USB2 rev 0xa2: irq 11
ehci0: EHCI version 1.0
ehci0: companion controllers, 4 ports each: ohci0 ohci1
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Nvidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: single transaction translator
uhub2: 8 ports with 8 removable, self powered
Nvidia nForce3 LAN rev 0xa2 at pci0 dev 5 function 0 not configured
auich0 at pci0 dev 6 function 0 Nvidia nForce3 250 AC-97 Audio rev 0xa1: irq 3, nForce3 AC97
ac97: codec id 0x414c4780 (Avance Logic ALC658)
ac97: codec features 20 bit DAC, 18 bit ADC, No 3D Stereo
audio0 at auich0
pciide0 at pci0 dev 8 function 0 Nvidia nForce3 250 IDE rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6Y080P0
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: _NEC, DVD_RW ND-3540A, 1.01 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 10 function 0 Nvidia nForce3 250 SATA rev 0xa2: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide1: using irq 11 for native-PCI interrupt
pciide1: channel 0 ignored (not responding; disabled or no drives?)
pciide1: channel 1 ignored (not responding; disabled or no drives?)
ppb0 at pci0 dev 11 function 0 Nvidia nForce3 250 AGP rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 14 function 0 Nvidia nForce3 250 PCI-PCI rev 0xa2
pci2 at ppb1 bus 2
xl0 at pci2 dev 7 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 10, address 00:01:02:c2:a1:b9
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
pchb1 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb2 at pci0 dev 24
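As an added example, not code from the thread, here is a small Python parser for the wd(4) messages quoted above: it tallies retries, uncorrectable reads and corrected events per drive and applies a replace-or-monitor rule that is the example's own assumption. The input is the thread's four wd0 lines plus two constructed wd1 lines for comparison.

```python
import re
from collections import defaultdict
# Log lines quoted from the thread (wd0f is /usr) plus two constructed wd1 lines for comparison.
SAMPLE_LOG = """\
Mar 27 01:30:47 box /bsd: wd0f: reading fsbn 3967732 of 3967732-3967735 (wd0 bn 9723412; cn 9646 tn 3 sn 55), retrying
Mar 27 01:30:48 box /bsd: wd0: soft error (corrected)
Apr 17 01:30:34 box /bsd: wd0f: uncorrectable data error reading fsbn 3655388 of 3655388-3655391 (wd0 bn 9411068; cn 9336 tn 6 sn 2), retrying
Apr 17 01:30:36 box /bsd: wd0: soft error (corrected)
Apr 18 02:00:00 box /bsd: wd1a: reading fsbn 100 of 100-103 (wd1 bn 163; cn 0 tn 2 sn 37), retrying
Apr 18 02:00:01 box /bsd: wd1: soft error (corrected)
"""
# "<part>: [uncorrectable data error ]reading fsbn N of LO-HI (<drive> bn B; cn C tn T sn S), retrying"
RETRY_RE = re.compile(
    r"/bsd: (?P<part>wd\d+[a-p]): (?P<kind>uncorrectable data error reading|reading) "
    r"fsbn (?P<fsbn>\d+) of (?P<lo>\d+)-(?P<hi>\d+) "
    r"\((?P<drive>wd\d+) bn (?P<bn>\d+); cn (?P<cn>\d+) tn (?P<tn>\d+) sn (?P<sn>\d+)\), retrying$"
)
# wd(4) logs this once a retried read finally succeeds; it is not a clean bill of health.
SOFT_RE = re.compile(r"/bsd: (?P<drive>wd\d+): soft error \(corrected\)$")

def parse_line(line):
    """Return a dict for a wd(4) retry / corrected-error line, or None for anything else."""
    m = RETRY_RE.search(line)
    if m:
        ev = m.groupdict()
        for key in ("fsbn", "lo", "hi", "bn", "cn", "tn", "sn"):
            ev[key] = int(ev[key])
        ev["event"] = "uncorrectable" if ev["kind"].startswith("uncorrectable") else "retry"
        return ev
    m = SOFT_RE.search(line)
    return {"drive": m.group("drive"), "event": "corrected"} if m else None

def assess(log_text):
    """Per-drive tallies plus a verdict. The verdict rule is this example's own (assumed)
    heuristic: any uncorrectable read, or retries on more than one block, means replace."""
    drives = defaultdict(lambda: {"retries": 0, "uncorrectable": 0, "corrected": 0, "blocks": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        d = drives[ev["drive"]]
        if ev["event"] == "corrected":
            d["corrected"] += 1
            continue
        d["retries"] += 1
        d["blocks"].add(ev["bn"])  # absolute block on the drive, not the partition-relative fsbn
        d["uncorrectable"] += int(ev["event"] == "uncorrectable")
    for d in drives.values():
        d["verdict"] = "replace" if d["uncorrectable"] or len(d["blocks"]) > 1 else "monitor"
    return dict(drives)
```

The "soft error (corrected)" line only says the retry eventually succeeded, so the uncorrectable read on wd0f still puts wd0 on the replace list while wd1, with a single retried block, is only flagged for monitoring.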