Re: Packet overload?
On Mon, Jun 19, 2006 at 08:39:05PM -0700, Peter Bako wrote:
>
> However I've noticed that if more than one or two people are getting email
> from their ISP (standard pop3), then the third person to try to get email
> will get an error that the server could not be reached.

- tcpdump on the soekris' internal and external ifaces for tcp and
  port 110 ?

- can you duplicate this with any NAT stream ( put a biggish file
  up on an apache somewhere you control, have everyone in the office
  try to get it at the same time ), or after testing, is the pop3 thing
  the only way to see the issue?

- you could try a stupid simple pf.conf, eg, one line that just says
  'nat on $ext -> $ext' or so.

- if two people are d/ling mail, what about just trying to telnet to
  ISP's pop3 server right from soekris.

- could try pfctl -x misc or loud. don't be surprised if loud is
  very loud tho. that might be a pain over serial console.

> Anyone have any idea as to the cause and a solution for this? I've thought
> it might be that the Soekris box is underpowered, but the processor is
> basically a PII/266 with 128M of RAM, which should be enough for such a
> small site.

for just simple NAT, i would imagine you won't run into underpower
issues in the context of this ~5person business. as long as you don't
try to get "wirespeed" on them, or make them think about a ton of
crypto, the soekris usually gets by fine with his little CPU

--
jared

[ openbsd 3.9-current GENERIC ( may 1 ) // i386 ]
256 color support for terminals under X
Hello misc@,

I stumbled across a problem with all X terminal emulators in OpenBSD
(that is xterm and aterm, eterm and rxvt from ports). None of the above
seems to support 256 colors. I tried various combinations of $TERM
(xterm, xterm-color, xterm-xfree86, xterm-256color) with all the
terminals, running and not running screen.

I need the 256 color support for the superb vim colorscheme (actually it
is more than just colors) xterm16[0], and no gvim is not an option
because I don't like GUIs that much.

I googled for about 3 hours last night, but without a definite answer
whether OpenBSD supports 256colors in terminal under X. The argument I
read (sorry can't seem to find the link anymore) was that the 256color
support had some issues and was removed.

Does OpenBSD support 256colors?

BTW. I'm running amd64 STABLE, but I can reproduce the same behavior on
i386 current (1 month old).

Regards,
ahb

[0] http://vim.sourceforge.net/scripts/script.php?script_id=795
Re: Packet overload?
Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of mine
> that runs a small business (about 5 employees). The ruleset is quite
> simple in that he does not run any internal servers, so I pretty much
> block all inbound traffic and allow all traffic back out. For inbound
> traffic I have the scrub command enabled and for outbound traffic (tcp
> and udp) I have keep state flag on.
>
> However I've noticed that if more than one or two people are getting
> email from their ISP (standard pop3), then the third person to try to get
> email will get an error that the server could not be reached. Until
> recently they have not received enough email for the email check and
> subsequent downloads to take long, so whenever anyone got this error they
> would just wait a few seconds and try again. However lately they have
> been getting a larger volume of email (expected due to an upturn in
> business), so this problem is getting much more noticed and annoying.
>
> Anyone have any idea as to the cause and a solution for this? I've
> thought it might be that the Soekris box is underpowered, but the
> processor is basically a PII/266 with 128M of RAM, which should be enough
> for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that
you describe, my bet is that it is not the firewall that is causing the
problem. Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the
situation you describe, unless it is en/de-crypting stuff that passes
through it. Even so, it would just make stuff go slower - not block
stuff.

/Alexander
Packet overload?
I have a Soekris net4801 box running as a firewall for a friend of mine
that runs a small business (about 5 employees). The ruleset is quite
simple in that he does not run any internal servers, so I pretty much
block all inbound traffic and allow all traffic back out. For inbound
traffic I have the scrub command enabled and for outbound traffic (tcp
and udp) I have keep state flag on.

However I've noticed that if more than one or two people are getting
email from their ISP (standard pop3), then the third person to try to get
email will get an error that the server could not be reached. Until
recently they have not received enough email for the email check and
subsequent downloads to take long, so whenever anyone got this error they
would just wait a few seconds and try again. However lately they have
been getting a larger volume of email (expected due to an upturn in
business), so this problem is getting much more noticed and annoying.

Anyone have any idea as to the cause and a solution for this? I've
thought it might be that the Soekris box is underpowered, but the
processor is basically a PII/266 with 128M of RAM, which should be enough
for such a small site.

Thanks,
Peter
Re: How do I add a new sysctl varible?
On 6/15/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have tried to follow the source code and have been unable to add a
> variable. Is there a step by step guide any where?
>
> I want to have a counter (int) and an array[1000] of bytes.

you probably want two sysctls. one using sysctl_rdint and one using
sysctl_rdstruct (works on arrays too). just pick some nice names and
create defines in sys/sysctl.h and add a case in a convenient switch in
kern_sysctl.c. there are couple things to change in sysctl.h (add new
define, increase maxid, add the name to the right list).
Re: latest sendmail patch
Monah Baki wrote:
> Hi all,
>
> I'm trying to apply the latest patch for sendmail and on my "make", I
> get the following error:
>
> cc -O2 -pipe -DSTARTTLS -DMILTER -DFAST_PID_RECYCLE -D_FFR_USE_SETLOGIN -DSM_OMIT_BOGUS_WARNINGS -DNEWDB -DMAP_REGEX -DNETINET6 -DNEEDSGETIPNODE -DSM_CONF_SHM -DNIS -DTCPWRAPPERS -I/usr/src/gnu/usr.sbin/sendmail/sendmail/../sendmail -I/usr/src/gnu/usr.sbin/sendmail/sendmail/../include -c /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c
> /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c: In function `deliver':
> /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3269: error: syntax error before '<<' token
> /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3286: error: syntax error before '==' token
> /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3294: error: syntax error before '>>' token
> /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3430: confused by earlier errors, bailing out
> *** Error code 1
>
> Stop in /usr/src/gnu/usr.sbin/sendmail/sendmail.
> *** Error code 1
>
> Stop in /usr/src/gnu/usr.sbin/sendmail.

The patch did not apply cleanly. Reinstall the 3_9_BASE sources from cvs
or cd and patch it again.

Did you apply the first sendmail patch before? If not, and they affect
the same places in the same file(s), you might get conflicts like this.
Dunno about these patches, though.

/Alexander
latest sendmail patch
Hi all,

I'm trying to apply the latest patch for sendmail and on my "make", I
get the following error:

cc -O2 -pipe -DSTARTTLS -DMILTER -DFAST_PID_RECYCLE -D_FFR_USE_SETLOGIN -DSM_OMIT_BOGUS_WARNINGS -DNEWDB -DMAP_REGEX -DNETINET6 -DNEEDSGETIPNODE -DSM_CONF_SHM -DNIS -DTCPWRAPPERS -I/usr/src/gnu/usr.sbin/sendmail/sendmail/../sendmail -I/usr/src/gnu/usr.sbin/sendmail/sendmail/../include -c /usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c
/usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c: In function `deliver':
/usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3269: error: syntax error before '<<' token
/usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3286: error: syntax error before '==' token
/usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3294: error: syntax error before '>>' token
/usr/src/gnu/usr.sbin/sendmail/sendmail/deliver.c:3430: confused by earlier errors, bailing out
*** Error code 1

Stop in /usr/src/gnu/usr.sbin/sendmail/sendmail.
*** Error code 1

Stop in /usr/src/gnu/usr.sbin/sendmail.

Partial dmesg

OpenBSD 3.9-current (GENERIC) #685: Mon Apr 10 14:00:41 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 536444928 (523872K)
avail mem = 482459648 (471152K)

Thank you

BSD Networking, Microsoft Notworking
Sendmail patch 001
I was wondering if anyone knew why there had been two versions of 001_sendmail.patch for 3.9. When the patch was first released, I downloaded it and updated some of my systems. This was the patch I downloaded: http://erdelynet.com/downloads/3.9/001_sendmail.patch-ver1 The file from when 001 was first released and the one at ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch differs by (wrapping will probably break the diff): --- 001_sendmail.patch-ver1 Mon Jun 19 19:11:08 2006 +++ 001_sendmail.patch-ver2 Mon Jun 19 19:11:17 2006 @@ -2982,16 +2982,3 @@ (void) sm_snprintf(h, l, "%03o", (unsigned int)((unsigned char) c)); -Index: gnu/usr.sbin/sendmail/sendmail/version.c -=== -RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/version.c,v -retrieving revision 1.24 -diff -u -p -r1.24 version.c gnu/usr.sbin/sendmail/sendmail/version.c 8 Apr 2005 16:00:52 - 1.24 -+++ gnu/usr.sbin/sendmail/sendmail/version.c 25 Mar 2006 04:21:17 - -@@ -15,4 +15,4 @@ - - SM_RCSID("@(#)$Sendmail: version.c,v 8.145 2005/03/25 18:44:44 ca Exp $") - --char Version[] = "8.13.4"; -+char Version[] = "8.13.5.20060308"; -- Support OpenBSD: http://www.openbsd.org/orders.html
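Review bot: the 13 lines dropped at "@@ -2982,16 +2982,3 @@" are the whole version.c hunk, so a tree patched with ver2 keeps Version[] = "8.13.4" while a tree patched with ver1 reports "8.13.5.20060308". With ver2 the version string can no longer be used to tell a patched sendmail from an unpatched one. Suggest stating in the patch header that the version bump was withdrawn, so administrators who applied ver1 know why their systems report a different version and do not rely on the string to confirm the patch is in place.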
Trouble with ural (Cisco-Linksys Wireless-G ProtableUSB)
Hi,

I have some troubles with a Cisco-Linksys Wireless-G ProtableUSB Adapter,
rev 2.00/0.04, addr 2, MAC/BBP RT2571 (rev 0x03), RF RT2526

After some hours the card goes down or the computer crashes (kernel panic)

- In dmesg I have this if I don't use the card:

ehci_sync_hc: tsleep() = 35
ehci_sync_hc: tsleep() = 35
ehci_sync_hc: tsleep() = 35
ural0 detached
ehci_sync_hc: tsleep() = 35

- If I make some traffic on the card I get a kernel panic

My motherboard is a VIA Nehemiah, see dmesg.

Is it possible the problem comes from the USB controller?

Thank you for help

Romain
Re: mounting two times
Okay, everything works like a charm.

I chrooted mysql using chroot(8), then created pseudo file, and 2 vnode
disks. Then mount {vnode disk} /{chroot path}/var/run/mysql && mount -f
{vnode2 disk} /var/www/var/run/mysql.
Re: mounting two times
On 6/19/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> On Monday 19 June 2006 19:09, knitti wrote:
> > protocol attacks on the application which talks to mysql?
>
> Uhm, and using a domain socket is different how?

ouch, snafu. sorry, I misunderstood. I don't think there's any practical
security difference between running chrooted with a domain socket vs.
a local tcp socket

--knitti
Re: pkg_add -ui - Using Ports except or real Packages?
On Mon, Jun 19, 2006 at 05:10:21PM +0200, [EMAIL PROTECTED] wrote:
> Or, the other solution, would be enable pkg_add -ui (maybe with another
> argument to use Ports) using the Port-system to update.

The interface will use PKG_PATH. After all, using ports is just another
kind of url, similar to ftp/scp.

Unfortunately, this needs an almost complete rewrite/redesign of the way
package lookups and package repositories are handled in the current
tools.

If you want, you can look at what's going on yourself, look in the
package tools, around the PackageLocator.pm file and the
PackageRepository stuff. You'll notice finding packages is not as generic
as it should be (there should be a generic `search object', so that you
can locate packages by stem, or by package path, or some other
combinations), and the current way to look up packages does things the
wrong way (looks in every repository instead of stopping at the first one
that holds reasonable candidates)... and there's even some completely
non-functional scaffolding to go build packages from the ports tree.

Hey, if it was 4 hours of work, it would already be in the ports tree.

The other way around (FETCH_PACKAGES) has been functional since the last
ports hackathon thanks to nikolay, and there were already quite a few
minor issues to solve to make it work correctly (partial downloads did
tend to stick around in the package cache).

As far as building and replacing in source goes, we do know we actually
need to replace libtool with something that works, and doesn't go looking
in /usr/local all the time (obnoxious twit), but again, this is not a
4 hours endeavor...
Re: What is the problem with sticky-address and round-robin?
Berk D. Demir wrote:
> Because source tracking entries lives with state entries. As soon as the
> state between the peers expire, your source tracking entry also
> disappears by default.
> Setting the time out "src.track" to any value other than zero (0) (which
> is the default value) will tell the kernel to keep this tracking
> entry after the expiration of last related state.

Ok. I will refine my question. Why one machine with a source track entry
and with its states not expired, suddenly get the packets redirected to
the other gateway? (Note, that the machine lose the internet
connectivity)

> I can not comment on this since I don't know the topology and your exact
> config but sure, round-robin load balancing with sticky addresses works
> perfectly in enterprise environments with huge loads (like 500K states).
>
> "pfctl -k" (with lower k) will kill the states. Not source tracking. I
> explain above how these src-track entries disappear after state
> expiration (or kill).
>

I know that pfctl -k kill only the states of one specific host. But,
correct me if I'm wrong. If the src.track is on its default of 0s, and i
kill the states, then the src.track entry will expire, and will be
removed right?

>
> Ok. It's becoming funnier. You don't even read the replies to you with
> enough care. I've pasted you an excerpt from the man page.
>
>"increase the global options with set timeout source-track"
>
> ...What do you think this very particular line means?
>
> BTW. "set timeout source-track" is not valid in current pf
> configuration. This line on man page may be changed with
> s/source-track/src.track/
>
> But following the man page will lead you to the related line
> "src.track Length of time to retain a source tracking entry after
> the last state expires."
>
> Sorry but man pages are not like HOWTOs in Linux world. They won't
> generally give you "copy & paste to make it work" guidance.
>
> bdd
>
>

Yes, i read with much care what you wrote. I've read the pf.conf man page
from top-down and from bottom-up many times. Again, correct me if i'm
wrong, but let's say that I'm using the sticky-address with the src.track
within its default value. If i open a connection from a machine, one
state will be created and, because of the sticky-address, one source
track entry will be created. If the connection is passing packets, the
state will not expire and, consequently, the source track entry will not
expire, right? Then, if i close my connection, let's say a TCP
connection, it will enter in the FIN_WAIT state. Normally, after 2
minutes, this state expire. And then the source track enter in the expire
time stage, right? In this case, the expire time is 0, so the source
track entry is deleted, right? If i open another connection before the
FIN_WAIT state is deleted, then the source track entry will have another
state, and another connection, so it will not enter in the expire time
stage.

Then, i played with the src.track timeout and put 320 seconds, or 5,3...
minutes. When there were no more states, the source track entry started
to countdown from 00:05:33, to 00:00:00. If no state were created within
this time, only then the source track were deleted. I tested it in my
test firewall, and things remained the same: working. But when i
replicated the sticky-address and the src.track 320 timeout to my main
firewall, then the same weird behavior started: some machines, some
times got to the internet, some times not.

I am starting to look to other things. I do have 5 ethernet cards in my
firewall. One fxp(4) and 4 rl(4). But all the rl(4) are in the same IRQ
Address. I already had some problems with these cards, but the kernel
showed watchdog timeouts and other things in the logs. But i'm not
getting any of these in my logs. Both in the test firewall nor in my main
firewall.

I know that howto and man pages are not the "de facto" word about
something. If you want real documentation, look at the sources. I only
said it because it's true. I'm very well familiarized with the linux
howto and guides, and know that many of them are just what you said, copy
& paste, or "cake recipe" as we call them here. You don't need to be
angry or impatient for answering my e-mails because trust me: i searched
the man pages, the faq, google, google/bsd, and many other sources before
asking in this list.

And thanks for the help, anyway.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
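The source-tracking lifetime discussed in this exchange, as a small Python model added here (it is not pf code and not from either poster). It assumes a two-gateway round-robin pool with sticky-address; the class names, addresses, gateway labels and state lifetimes are constructed for the illustration, and only the src.track rule ("retain a source tracking entry after the last state expires") comes from the thread.

```python
"""Toy model of pf source tracking for a round-robin pool with sticky-address.

Added illustration, not pf source code. State lifetimes are passed in by the
caller; real pf derives them from per-protocol timeouts.
"""


class SrcNode:
    """One source-tracking entry: the gateway a source address is pinned to."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.states = 0          # live states that reference this entry
        self.last_state_end = 0  # when the most recent state expired


class StickyPool:
    def __init__(self, gateways, src_track=0):
        self.gateways = list(gateways)
        self.src_track = src_track  # seconds to keep an entry after its last state
        self.next_idx = 0           # round-robin cursor
        self.nodes = {}             # source address -> SrcNode
        self.states = []            # (source address, expiry time)

    def _purge(self, now):
        """Expire states, then drop entries whose retention time has run out."""
        live = []
        for src, end in self.states:
            if end > now:
                live.append((src, end))
                continue
            node = self.nodes[src]
            node.states -= 1
            node.last_state_end = max(node.last_state_end, end)
        self.states = live
        for src, node in list(self.nodes.items()):
            if node.states == 0 and node.last_state_end + self.src_track <= now:
                del self.nodes[src]

    def connect(self, src, now, lifetime):
        """Create a state for src at time now; return the gateway it is sent to."""
        self._purge(now)
        node = self.nodes.get(src)
        if node is None:
            # No tracking entry: the pool hands out the next gateway in turn.
            node = SrcNode(self.gateways[self.next_idx])
            self.next_idx = (self.next_idx + 1) % len(self.gateways)
            self.nodes[src] = node
        node.states += 1
        self.states.append((src, now + lifetime))
        return node.gateway


# Constructed timeline: (time in seconds, source address, state lifetime).
TIMELINE = [
    (0, "10.0.0.11", 60),
    (10, "10.0.0.12", 60),
    (30, "10.0.0.11", 60),   # first state still live: the entry is reused
    (200, "10.0.0.12", 60),  # every earlier state has expired by now
    (201, "10.0.0.11", 60),
]


def run(src_track):
    """Replay TIMELINE and return the (source, gateway) chosen for each connect."""
    pool = StickyPool(["gw1", "gw2"], src_track=src_track)
    return [(src, pool.connect(src, t, life)) for t, src, life in TIMELINE]


if __name__ == "__main__":
    for timeout in (0, 320):
        print("src.track", timeout, run(timeout))
```

With src.track at 0 both hosts swap gateways after the idle gap; with 320 they keep the gateway they were first given. The model only covers entry lifetime and does not reproduce a gateway change while states are still live.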
EuroBSDCon 2006 - Milan, Italy Nov. 10th-12th Call For Papers
Dear all,

Historically, Berkeley Software Distribution (BSD) was one of the first
reimplementation of the UNIX AT&T platform and it later became one of the
key components of the Open Source movement.

BSD has been the base for many different operating systems, most notably
FreeBSD, NetBSD, OpenBSD, Darwin, and DragonFlyBSD, which are extensively
used in many different areas like embedded applications, workstations and
large Internet servers.

The 5th European BSD conference is the 2006 event held in European
continent where developers can meet, share new ideas and show off the
progress of their work. It is also a great place for business players to
get in touch with the BSD products and the people behind them.

The conference comprises one day (Nov 10th) dedicated to tutorials and
two days (Nov 11-12th) for technical sessions.

*** Call For Tutorials ***

In the first day different tutorial sessions will be held focusing on
real-world scenarios and problem-solving. Tutorials will be conducted by
speakers with a significative experience in their topics.

If you're interested in presenting a tutorial, please contact the Program
Committee at [EMAIL PROTECTED]

*** Call For Papers ***

The subsequent days will be dedicated to technical speeches about BSD
related topics. Authors are invited to submit original and innovative
papers about the applications, architecture, implementation, performance
and security of BSD-derived operating systems.

Topics of interests include but are not limited to:

- Deployment and development of embedded BSD applications
- System architecture and engineering
- Network related development
- Secure and safe coding techniques
- Performance scalability issues
- Porting to new/unsupported platforms
- Operational and economical aspects

Abstracts should be sent to [EMAIL PROTECTED] before Midnight CET on
July 31st, 2006. Abstracts should be at most 10 lines long in simple text
format, with a small bio of the author(s) attached.

Accepted proposals should send complete papers before October 15th, 2006
and give the organizers the permission to publish them in the proceedings
of the conference. Final papers should be around 12 pages long, and may
include pictures and diagrams.

*** Schedule ***

- July 31st: Proposals due by midnight, CET.
- August 15th: Accepted authors are informed.
- August 20th: Schedule is out, registration is open
- October 15th: Camera-ready papers due

For more info on the event, visit http://www.eurobsdcon.org

Thanks

--
Massimiliano Stucchi
Re: pkg_add -ui - Using Ports except or real Packages?
Will Maier [2006-06-19, 11:04:00]:
> Yes, they are. Packages are built for stable, too, if security
> updates are backported to the stable ports tree. What's the problem
> here?

note that due to lack of resources, updated -stable packages are only
built for the i386 platform. you can build your own packages from a
-stable ports tree, though. the out-of-date script will even give you a
list that you can feed into the ports Makefile...

--
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Re: pkg_add -ui - Using Ports except or real Packages?
Sebastian: you screwed up the attributions. That makes things (more)
confusing. Fix your MUA.

On Mon, Jun 19, 2006 at 05:10:21PM +0200, [EMAIL PROTECTED] wrote:
> > You can do this the other way round, and make ports use packages
> > where possible; see FETCH_PACKAGES in bsd.port.mk(5).
>
> Bad idea because the packages at $ANY_OFFICIAL_FTP are not
> updated.

Yes, they are. Packages are built for stable, too, if security updates
are backported to the stable ports tree. What's the problem here?

> That's not what I meant as I said up2date. up2date for stables
> means all Patches available for stable. So if you use Stable but
> curl *.1 except of *.3 you're not up2date. :) That's how I meant
> it.

What? I have no clue what you meant by this. Updated packages are built
for stable when updates are backported. Period. Look at the updates[0]
available for 3.9-stable. What's the problem here?

> > Or if you have enough systems using the same arch for it to be
> > worthwhile, you can build your own packages and point PKG_PATH
> > there.
>
> Well at home 1 AMD64 and 3 i386 (even just 2 of 3 use OpenBSD). I
> just wanted to point out that with pkg_add -ui there's a VERY GOOD
> solution but even the best solution is useless if the packages
> don't get updated. Maybe that can get solved with a Script *looks
> to the dev-Team* to update the packages on the FTP if a update is
> available via Ports.

This happens already[0].

> Or, the other solution, would be enable pkg_add -ui (maybe with
> another argument to use Ports) using the Port-system to update.
> It's not so easy to update all machines using the ports Easy
> == like pkg_add -ui :-/

So, assuming there's no package available, just make the package
(ports(7)) and install it on other machines with the same arch (like
Stuart suggested). Or add your build machine to your other machines'
PKG_PATH. It's easy.

But chances are, there's an updated package available. Don't expect new
features if you're running -stable.

> That's all I wanted to point out. Why not using this neat
> update-tool (pkg_add -ui) because for now the dev-team limits it
> to a "upgrade"-tool (from one release to another) except an
> update-tool. And that's kind of sad in my opinion.

Again, this is unclear. But pkg_add handles upgrades _and_ updates. If
you're running -stable, you might not notice many package updates, since
that'll only happen when a new package is built to address a security
problem.

If you want more packages to be built faster, submit diffs to update the
ports you're concerned with, donate resources for a larger build
infrastructure, or build your own packages.

[0] http://www.openbsd.org/pkg-stable.html

--
o--{ Will Maier }--o
| jabber:[EMAIL PROTECTED] | [EMAIL PROTECTED] |
| freenode:..lt_kije | freenode:#madlug,#wilug |
*--[ BSD Unix: Live Free or Die ]--*
Re: turning on PF
Hello!

On Mon, Jun 19, 2006 at 08:54:22AM -0700, Lawrence Horvath wrote:
>[...]
>$ sudo pfctl -ef /etc/pf.conf
>Password:
>/etc/pf.conf:39: syntax error
>/etc/pf.conf:41: syntax error
>/etc/pf.conf:43: syntax error
>pfctl: Syntax error in config file: pf rules not loaded
>$
>39: altq on tl0 cbq bandwidth 100Kb queue {all}
>40:
>41: queue all bandwidth 100% (default)
>42:
>43: pass out on tl0 from any to any queue all
>44: pass in on tl0 from any to any

"all" is a reserved word. Use a different name for the queue.

Kind regards,

Hannah.
Re: mounting two times
On Mon, 19 Jun 2006 15:04:06 +0300 (EEST) "Martynas Venckus" <[EMAIL PROTECTED]> wrote:
> > I'm still not clear on exactly why a domain socket is more secure than a
> > localhost tcp socket. Faster? Sure, but probably not by an amount that
> > matters. More secure? I really don't see how in this case.
>
> Okay, why we should it listen to unneded port? Somebody could insensibly
> redirect packets. It's not the way it is supposed to be.
>
> You need to read the file for example, would you read it, or create a
> socket, wait for connections from the script and then read it? The more
> operations it performs, the more insecure the daemon is.

Using a TCP socket instead of a unix domain socket is not performing more operations. You will probably have fewer problems if you stop creating problems for yourself.

Adam
Re: turning on PF
On 6/19/06, Alexander Hall <[EMAIL PROTECTED]> wrote: Lawrence Horvath wrote: > Im having alittle trouble with my queues in PF i have the following in > my pf.conf > > > altq on tl0 cbq bandwidth 100Kb queue {all} > queue all bandwidth 100% {default} > pass out on tl0 from any to any queue all > pass in on tl0 from any to any > > > however i get the following: > > $ sudo pfctl -e > pfctl: pf already enabled > $ sudo pfctl -A > $ sudo pfctl -R > $ sudo pfctl -s queue > No queue in use Sorry for asking, but you have, at some point, run "pfctl -ef /etc/pf.conf", right? ^^ (And made damn sure that the file exists at that place, too?) /alexander > > This is on 3.9 Generic, > > thanks $ sudo pfctl -ef /etc/pf.conf Password: /etc/pf.conf:39: syntax error /etc/pf.conf:41: syntax error /etc/pf.conf:43: syntax error pfctl: Syntax error in config file: pf rules not loaded $ 39: altq on tl0 cbq bandwidth 100Kb queue {all} 40: 41: queue all bandwidth 100% (default) 42: 43: pass out on tl0 from any to any queue all 44: pass in on tl0 from any to any -- -Lawrence
Re: pkg_add -ui - Using Ports except or real Packages?
> It`s not so easy to update all machines using the ports > Easy == like pkg_add -ui :-/ I love the OpenBSD package/ports system. 3 developments that I discovered recently: 1. pkg_add -ui, but it has deficiencies (such as no -stable packages for sparc64) 2. /usr/ports/infrastructure/build/out-of-date -- this tells you what needs updated 3. make update in ports -- this builds the new package, does pkg_add -r on the old one, and puts the new one in place. seamless, awesome. So get a ports tree on a fast system with disk (relatively speaking; i use a duron 700 instead of trying to build on my mini-itx firewall with only 512MB CF). Update the ports tree to stable, then run out-of-date. Out-of-date tells you what ports need updated, so either pkg_add -ui or run make update on unsupported-by-stable-packages-archs or if you need it faster than what shows up on the i386 FTP. If you have multiple systems of the same arch, you can "make package" and then distribute to your own systems via FTP/HTTP/etc. I do this on my sparcs -- make package on one, then use the pkg_add to install on it and the rest. I have no complaints about the package/ports updating system. This is light years ahead of where it was even 2 releases ago (or is it 3?). Marc Espie & all involved are my heroes. In general, I think a lot of people would be better served to watch the commit mailers or general announcements like plus.html and read documentation instead of complaining about how bad things are. Note this isn't a personal attack on you, sebastian, just an observation in general. Package management has come a long way, and I hope more people realize it and be thankful. - Seth > That`s all I wanted to point out. Why not using this neat update-tool > (pkg_add -ui) because for now the dev-team limits it to a "upgrade"-tool > (from one release to another) except an update-tool. And that`s kind of > sad in my oppinion. > > Kind regards, > Sebastian
Re: What is the problem with sticky-address and round-robin?
> Then you might tell me why, even with a source track entry set directing
> traffic from one internal ip to one specific gateway, the packets
> sometimes are redirected to the other gateway?

Because source tracking entries live with state entries. As soon as the state between the peers expires, your source tracking entry also disappears by default. Setting the timeout "src.track" to any value other than zero (0) (which is the default value) will tell the kernel to keep this tracking entry after the expiration of the last related state.

> And something very weird happened in my test firewall. I putted 3
> machines behind it, and one of them, with a source track of more than
> one hour, suddenly started to get it's packets redirected to the other
> gateway, and lost it's internet connectivity. I had to do a pfctl -k to
> kill the source track entry of the machine.

I can not comment on this since I don't know the topology and your exact config but sure, round-robin load balancing with sticky addresses works perfectly in enterprise environments with huge loads (like 500K states).

"pfctl -k" (with lower k) will kill the states. Not source tracking. I explain above how these src-track entries disappear after state expiration (or kill).

> I'll try to play with this timeout, and i read the man page. But nor the
> FAQ, nor the man page said that you must set the src.track timeout. That
> was the reason why i didn't messed with it.

Ok. It's becoming funnier. You don't even read the replies to you with enough care. I've pasted you an excerpt from the man page.

"increase the global options with set timeout source-track"

...What do you think this very particular line means?

BTW. "set timeout source-track" is not valid in current pf configuration. This line on man page may be changed with s/source-track/src.track/

But following the man page will lead you to the related line

"src.track Length of time to retain a source tracking entry after the last state expires."

Sorry but man pages are not like HOWTOs in Linux world. They won't generally give you "copy & paste to make it work" guidance.

bdd
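The behaviour described in the reply above (a source-tracking entry disappears with its last state unless src.track is non-zero) can be replayed with a small model. This is an added example, not pf's code and not part of the original message: the structures, function names, table size and timings are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NGW      2      /* gateways in the round-robin pool */
#define MAXNODES 8      /* size of the source-tracking table in this model */

struct src_node {
    int      used;
    unsigned src;       /* internal host, reduced to a number here */
    int      gw;        /* gateway this source is stuck to */
    int      states;    /* live states that refer to this node */
    long     expire;    /* meaningful only once states == 0 */
};

struct pool {
    struct src_node node[MAXNODES];
    unsigned next_gw;   /* round-robin cursor */
    long src_track;     /* seconds a node outlives its last state; 0 is the default */
};

void pool_init(struct pool *p, long src_track)
{
    memset(p, 0, sizeof(*p));
    p->src_track = src_track;
}

/* Drop nodes whose last state is gone and whose retention time has run out. */
static void purge(struct pool *p, long now)
{
    int i;

    for (i = 0; i < MAXNODES; i++)
        if (p->node[i].used && p->node[i].states == 0 && now >= p->node[i].expire)
            p->node[i].used = 0;
}

static struct src_node *find(struct pool *p, unsigned src)
{
    int i;

    for (i = 0; i < MAXNODES; i++)
        if (p->node[i].used && p->node[i].src == src)
            return &p->node[i];
    return NULL;
}

/* New connection from src at time now. Returns the gateway index it is sent
 * to, or -1 if the table is full. */
int new_state(struct pool *p, unsigned src, long now)
{
    struct src_node *n;
    int i;

    purge(p, now);
    if ((n = find(p, src)) == NULL) {
        for (i = 0; i < MAXNODES && n == NULL; i++)
            if (!p->node[i].used)
                n = &p->node[i];
        if (n == NULL)
            return -1;
        memset(n, 0, sizeof(*n));
        n->used = 1;
        n->src = src;
        n->gw = (int)(p->next_gw++ % NGW);   /* no entry: plain round-robin */
    }
    n->states++;
    return n->gw;                            /* entry present: sticky */
}

/* One state of src has timed out or was killed at time now. */
void state_expired(struct pool *p, unsigned src, long now)
{
    struct src_node *n = find(p, src);

    if (n != NULL && n->states > 0 && --n->states == 0)
        n->expire = now + p->src_track;
}

/* The ping test from the thread: ping, stop, wait `gap` seconds, ping again.
 * Returns the gateway used by the second ping (the first always gets 0).
 * The state lifetime of 30 seconds is a constructed value. */
int second_gateway(long src_track, long gap)
{
    struct pool p;

    pool_init(&p, src_track);
    new_state(&p, 1, 0);
    state_expired(&p, 1, 30);
    return new_state(&p, 1, 30 + gap);
}

int main(void)
{
    printf("src.track=0,   retry after 10s  -> gateway %d\n", second_gateway(0, 10));
    printf("src.track=320, retry after 10s  -> gateway %d\n", second_gateway(320, 10));
    printf("src.track=320, retry after 400s -> gateway %d\n", second_gateway(320, 400));
    return 0;
}
```

With the default of zero the second ping leaves through the other link, which is the symptom reported at the start of the thread; with a non-zero value it stays on the first link until the retention time has passed.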
Re: pkg_add -ui - Using Ports except or real Packages?
> On 2006/06/19 13:55, [EMAIL PROTECTED] wrote: >> Tec-Note: OpenBSD-3.9 STABLE on amd64 >> >> The -ui Switch for pkg_add is a realy "wonderfull" development but it >> needs updated Packages at the FTP. >> >> Just some examples from Software updated using Ports: >> Candidates for updating clamav-0.88.2 -> clamav-0.88 >> Candidates for updating cups-1.1.23p8 -> cups-1.1.23p8 <- ? >> Candidates for updating curl-7.15.3 -> curl-7.15.1 >> >> Would it maybe possible to add a "use the damn ports"-Switch to pkg_add? >> So that it uses the Ports except of the Packages (Somethign like -uip). > > You can do this the other way round, and make ports use packages > where possible; see FETCH_PACKAGES in bsd.port.mk(5). Bad idea because the packages at $ANY_OFFICIAL_FTP are not updated. >> For now pkg_add -ui is kind of useless to keep a System up2date. > > If you want a really up-to-date system, you can always run > -current, the snapshot packages are built quite often and by > doing this and providing good reports of problems you'll > help make the next version better. That`s not what I ment as I said up2date. up2date for stables means all Patches avaiable for stable. So if you use Stable but curl *.1 except of *.3 you`re not up2date. :) That`s how I ment it. > Or if you have enough systems using the same arch for it > to be worthwhile, you can build your own packages and point > PKG_PATH there. Well at home 1 AMD64 and 3 i386 (even just 2 of 3 use OpenBSD). I just wanted to point out that with pkg_add -ui there`s a VERY GOOD solution but even the best solution is useless if the packages don`t get updated. Maybe that can get solved with a Script *looks to the dev-Team* to update the packages on the FTP if a update is avaiable via Ports. Or, the other solution, would be enable pkg_add -ui (maybe with another argument to use Ports) using the Port-system to update. 
It`s not so easy to update all machines using the ports Easy == like pkg_add -ui :-/ That`s all I wanted to point out. Why not using this neat update-tool (pkg_add -ui) because for now the dev-team limits it to a "upgrade"-tool (from one release to another) except an update-tool. And that`s kind of sad in my oppinion. Kind regards, Sebastian -- Don't buy anything from YeongYang. Their Computercases are expensiv, they WTX-powersuplies start burning and their support refuse any RMA even there's still some warenty.
Re: What is the problem with sticky-address and round-robin?
Berk D. Demir wrote: > Giancarlo Razzolini <[EMAIL PROTECTED]> wrote: >> Hi all, >> [.. cut ..] >> Then, when i putted the sticky-address in the main firewall, strange >> things happened. The source-tracking states were created, but the >> machines, sometimes, were directed to the other link, not the one in the >> source-track. For example, when pinging an external address from an >> internal machine, the initial source track directed it to one of the >> links. The packets went right. Then, if i stopped the ping, and tried it >> again, the packets were directed to the other link. I confirmed this >> with tcpdump in the firewall's interfaces. >> [.. cut ..] > > Did you try to read the man page pf.conf(5)? > > I'm pasting the related paragraph below. > > Additionally, the sticky-address option can be specified to help ensure > that multiple connections from the same source are mapped to the same > redirection address. This option can be used with the random and > round-robin pool options. Note that by default these associations are > destroyed as soon as there are no longer states which refer to them; in > order to make the mappings last beyond the lifetime of the states, > increase the global options with set timeout source-track > See STATEFUL TRACKING OPTIONS for more ways to control the source > tracking. > > So setting "src.track" timeout to sane values (say 320 or 640 seconds) > will make things work as expected. > > Reading man pages from head-to-toe will sharpen your skills and decrease > your mail traffic. > > bdd > Then you might tell me why, even with a source track entry set directing traffic from one internal ip to one specific gateway, the packets sometimes are redirected to the other gateway? And something very weird happened in my test firewall. I putted 3 machines behind it, and one of them, with a source track of more than one hour, suddenly started to get it's packets redirected to the other gateway, and lost it's internet connectivity. 
I had to do a pfctl -k to kill the source track entry of the machine. I'll try to play with this timeout, and i read the man page. But nor the FAQ, nor the man page said that you must set the src.track timeout. That was the reason why i didn't messed with it. Anyway, thanks for the fast reply. Will tell if it works. My regards, -- Giancarlo Razzolini Linux User 172199 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: What is the problem with sticky-address and round-robin?
Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
> Hi all,
> [.. cut ..]
> Then, when i putted the sticky-address in the main firewall, strange
> things happened. The source-tracking states were created, but the
> machines, sometimes, were directed to the other link, not the one in the
> source-track. For example, when pinging an external address from an
> internal machine, the initial source track directed it to one of the
> links. The packets went right. Then, if i stopped the ping, and tried it
> again, the packets were directed to the other link. I confirmed this
> with tcpdump in the firewall's interfaces.
> [.. cut ..]

Did you try to read the man page pf.conf(5)?

I'm pasting the related paragraph below.

  Additionally, the sticky-address option can be specified to help ensure
  that multiple connections from the same source are mapped to the same
  redirection address. This option can be used with the random and
  round-robin pool options. Note that by default these associations are
  destroyed as soon as there are no longer states which refer to them; in
  order to make the mappings last beyond the lifetime of the states,
  increase the global options with set timeout source-track
  See STATEFUL TRACKING OPTIONS for more ways to control the source
  tracking.

So setting "src.track" timeout to sane values (say 320 or 640 seconds) will make things work as expected.

Reading man pages from head-to-toe will sharpen your skills and decrease your mail traffic.

bdd
Re: pkg_add -ui - Using Ports except or real Packages?
On 2006/06/19 13:55, [EMAIL PROTECTED] wrote: > Tec-Note: OpenBSD-3.9 STABLE on amd64 > > The -ui Switch for pkg_add is a realy "wonderfull" development but it > needs updated Packages at the FTP. > > Just some examples from Software updated using Ports: > Candidates for updating clamav-0.88.2 -> clamav-0.88 > Candidates for updating cups-1.1.23p8 -> cups-1.1.23p8 <- ? > Candidates for updating curl-7.15.3 -> curl-7.15.1 > > Would it maybe possible to add a "use the damn ports"-Switch to pkg_add? > So that it uses the Ports except of the Packages (Somethign like -uip). You can do this the other way round, and make ports use packages where possible; see FETCH_PACKAGES in bsd.port.mk(5). > For now pkg_add -ui is kind of useless to keep a System up2date. If you want a really up-to-date system, you can always run -current, the snapshot packages are built quite often and by doing this and providing good reports of problems you'll help make the next version better. Or if you have enough systems using the same arch for it to be worthwhile, you can build your own packages and point PKG_PATH there.
What is the problem with sticky-address and round-robin?
Hi all, I've been having a headache using the round-robin with the sticky-address option. I do have two exit links, and I'm doing load balancing with the round-robin on the outgoing packets from the internal net and from my other 2 dmz's. This setup works perfectly with some exceptions. There are some buggy web applications that use ip address in the sessions, and i do have to put their ip address in a table and use normal routing in this case. I want to use sticky-address, to make one machine that initially go out through one link, keeps going out through this one, until there are no more states or connections. I did some tests using a virtual openbsd machine with vmware, and putted one machine behind it, and the virtual machine was doing load balancing, with the same rules i use in my main firewall (only changed ip address and interfaces on the macros). This test worked nicely, without problems. Then, when i putted the sticky-address in the main firewall, strange things happened. The source-tracking states were created, but the machines, sometimes, were directed to the other link, not the one in the source-track. For example, when pinging an external address from an internal machine, the initial source track directed it to one of the links. The packets went right. Then, if i stopped the ping, and tried it again, the packets were directed to the other link. I confirmed this with tcpdump in the firewall's interfaces. Then, today i managed to get a switch, and putted more machines behind my test firewall. The sticky-address is working flawlessly. I don't know where to look. Both the main firewall and the test machine were mainly idle and with free memory, during the tests. There is some kind of limit with sticky-address? I read the man page, and saw that i can limit the number of source-tracks and/or states, etc. But i think that this isn't the right solution. Someone have a clue? 
Thanks in advance, -- Giancarlo Razzolini Linux User 172199 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: dmesg warning, "ahc0: Illegal cable configuration!!"
Nick, I think you may be correct in your assumption that the HP Kayak implementation of the AIC 7880 is a bit flaky. I enabled drive-powered termination and even swapped the drive out for another of a different type, but the problem remained. There are no additional terminators in the chain apart from the end-of-cable lump and whatever is or isn't enabled on the drive itself. It doesn't apparently affect performance, so I'll leave it be. Thanks for your analysis. Regards, Dan. --- Nick Holland <[EMAIL PROTECTED]> wrote: > Daniel Hammett wrote: > ...> > > "ahc0: Illegal cable configuration!!. Only two connectors on the adapter > may be > > used at a time!" > > > > [Full dmesg posted below] > > yay! :) > > > This isn't unique to OpenBSD: I've seen similar reports in the dmesg from > SuSE > > Linux using the 2.4.xx series kernels and also from FreeBSD version 6. > > > > It doesn't appear to affect the machine in anyway that I can tell, e.g. > there > > are no unexpected hangs, slowdowns, disk problems, etc. > > > > The AIC-7880 wide SCSI is connnected to a single disk but there are > multiple > > (unused) connectors on the ribbon cable which end in a terminator block. > > > > The AIC-7860 narrow SCSI is connected to a single CD-RW drive. Again, there > are > > multiple (unused) connectors on the ribbon cable and this, too, ends in a > > terminator block. > > this isn't the issue, as that's ahc1 according to the dmesg. > > > I have used multiple drives in the system and the same message appears. > > > > It occurs to me that there might be some issue with the disk drive itself > > providing SCSI termination, or some other jumper configuration error. > > > > Alternatively, doe this message imply that I can only use either the > AIC-7860 > > or the AIC-7880 but not both? I might try unplugging the CD-RW before > booting > > this evening. > > nope, again, ahc0 and ahc1 are two different devices, if it is whining > about X, the problem is with X. Probably. 
:) > > As I recall, there are some variants of the Adaptec cards that use the > ahc(4) driver that are kinda...curious. I think it is the 29160 (or > some variant) which has both LVD U160 and a single-ended U2, plus a 50 > pin connector...and the rule is, you can use two of the three > connectors, but not all three at the same time. I may be misremembering > this...it might involve the external connector on the spine of the card, > rather than the 50 pin connector. But the rule was..only two of the > connectors. And note: it's the connectors in use, not the number of > devices attached. > > As I recall, all it can do is look for terminators. If it finds more > terminators than it expects, it apparently sets a "whine" flag that the > driver looks for. Are there any extra terminators on the system? You > indicate the cable has a terminator...could the drive also be > terminated? Also make sure any unused SCSI connectors are just left > unconnected. > > Otherwise...if everything is correct, and performance is appropriate, > don't worry about it...probably a "quirk" in implementation on this > machine. I don't recall ever seeing any ability to see messages like > this under Windows, so I suspect HP may have been a little sloppy about > how they implemented things. > > Nick. > > > > --- dmesg included ---> > > > > OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar 2 02:37:06 MST 2006 > > [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP > > cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 300 MHz > > cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,MMX > > real mem = 536453120 (523880K) > > avail mem = 482435072 (471128K) > > using 4278 buffers containing 26927104 bytes (26296K) of memory > > mainbus0 (root) > > bios0 at mainbus0: AT/286+(a1) BIOS, date 10/28/98, BIOS32 rev. 
0 @ 0xfd77d > > apm0 at bios0: Power Management spec V1.2 > > apm0: AC on, battery charge unknown > > apm0: flags 30102 dobusy 0 doidle 1 > > pcibios0 at bios0: rev 2.1 @ 0xfd710/0x8f0 > > pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/192 (10 entries) > > pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00) > > pcibios0: PCI bus #1 is the last bus > > bios0: ROM list: 0xc/0x8000 0xc8000/0x4800 > > mainbus0: Intel MP Specification (Version 1.4) (HP XU/XW ) > > cpu0 at mainbus0: apid 1 (boot processor) > > cpu0: apic clock running at 66 MHz > > cpu1 at mainbus0: apid 0 (application processor) > > cpu1: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 300 MHz > > cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,MMX > > mainbus0: bus 0 is type PCI > > mainbus0: bus 1 is type PCI > > mainbus0: bus 2 is type ISA > > ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins > > pci0 at mainbus0 bus 0: configuration mode 1 (no bios) > > pchb0 at pci0 dev 0 function 0 "Intel 82443LX AGP" rev 0x03 > > ppb0 at pci0 dev 1 function 0 "
SOLVED - caching DNS server, pf, dhcp, tinyproxy
Dear All,

Everything is working now: caching DNS server, pf, dhcp, and tinyproxy. For the record, these really were my friends:

1. pfctl -g -s rules | grep '^@'
2. tinyproxy compiled with --enable-debug
3. this list (awe shucks!)

Tinyproxy.conf ended up being the culprit but not without a little help from me! :^)

The first was blindly following directions to set 'User root' and 'Group root' in tinyproxy.conf. However, there is no group 'root.' I'm not sure what the implications of setting 'User root' are yet. But it works.

The second was a typo in tinyproxy.conf. Based on my dhcp settings, 'Allow 192.168.0.0/25' should have been 'Allow 192.168.0.0/24'

Kudos to everyone and their suggestions.

Kind Regards,
Allen
Re: mounting two times
On Mon, 19 Jun 2006 15:06:53 +0300 (EEST) "Martynas Venckus" <[EMAIL PROTECTED]> wrote:
> > I am not sure as I have not tried it, but I think mySQL creates its unix
> > socket *before* it calls chroot() [or can be very easily fixed anyways].
>
> No it can't create socket before chroot(), then how it would access mysql
> data?
>

These are two completely unrelated issues ... The mysql server does not need the socket to access its data, the socket is there so that *clients* can communicate with the server.

Please, read about chroot and unix sockets, as having a server that creates a unix socket then chroots "away" is a very common practice.

-- veins
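The practice named in the message above (create the unix socket, then chroot "away") looks like this in outline. This is an added example, not MySQL's code and not part of the original message: the function names, the temporary paths and the 0660 socket mode are assumptions, and when it is not run as root the chroot() call is refused and the program reports that instead.

```c
#define _DEFAULT_SOURCE  /* glibc: expose chroot() and mkdtemp() */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fill sa with path and open an AF_UNIX stream socket; -1 on failure. */
static int unix_sock(struct sockaddr_un *sa, const char *path)
{
    if (strlen(path) >= sizeof(sa->sun_path))
        return -1;                       /* path would be truncated */
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);          /* length checked above */
    return socket(AF_UNIX, SOCK_STREAM, 0);
}

/* Bind and listen at sock_path. The umask is tightened around bind() so the
 * socket file is never created with permissions looser than mode. */
int listen_unix(const char *sock_path, mode_t mode)
{
    struct sockaddr_un sa;
    int rc, fd = unix_sock(&sa, sock_path);
    mode_t old;

    if (fd == -1)
        return -1;
    unlink(sock_path);                   /* stale socket from an earlier run */
    old = umask(~mode & 0777);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    umask(old);
    if (rc == -1 || listen(fd, 5) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Client side: connect to the socket by its path. */
int connect_unix(const char *sock_path)
{
    struct sockaddr_un sa;
    int fd = unix_sock(&sa, sock_path);

    if (fd != -1 && connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Bind first, chroot second, then serve one client on the descriptor that is
 * already open. Returns 'J' if the reply came from a jailed server, 'U' if
 * chroot() was refused (not root), -1 on error. */
int demo(const char *sock_path, const char *jail)
{
    char reply = 0;
    int cfd, lfd = listen_unix(sock_path, 0660);
    pid_t pid;

    if (lfd == -1)
        return -1;
    if ((pid = fork()) == 0) {           /* server process */
        /* Needs root. A real daemon would also drop to an unprivileged uid. */
        char tag = (chroot(jail) == 0 && chdir("/") == 0) ? 'J' : 'U';
        int c = accept(lfd, NULL, NULL); /* lfd was opened before the jail */
        _exit(c != -1 && write(c, &tag, 1) == 1 ? 0 : 1);
    }
    close(lfd);                          /* client process from here on */
    if (pid == -1)
        return -1;
    if ((cfd = connect_unix(sock_path)) == -1) {
        kill(pid, SIGKILL);              /* no client will ever arrive */
    } else {
        if (read(cfd, &reply, 1) != 1)
            reply = 0;
        close(cfd);
    }
    waitpid(pid, NULL, 0);
    return reply ? reply : -1;
}

int main(void)
{
    char dir[] = "/tmp/sockdemoXXXXXX", sock[64], jail[64];
    int r;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(sock, sizeof(sock), "%s/www.sock", dir);  /* stands in for a path inside httpd's chroot */
    snprintf(jail, sizeof(jail), "%s/data", dir);      /* stands in for /var/mysql */
    if (mkdir(jail, 0700) == -1 || (r = demo(sock, jail)) == -1)
        return 1;
    puts(r == 'J' ? "reply came from the jailed server" : "reply came, chroot was refused");
    return 0;
}
```

The server never needs to resolve the socket path again after bind(), which is why the socket can live in a directory the jailed process can no longer name.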
Re: cruxports for OpenBSD
On 6/18/06, Han Boetes <[EMAIL PROTECTED]> wrote: Nick Guenther wrote: > You are angry, understandably. Why do you assume I am angry? I am not. Don't you know how uncivil it is to make assumptions on other peoples emotions? > You've put a lot of work into your system and now you're being > told it's useless. I don't care if he thinks that. > On the other hand, realize that no one asked you in the first > place, you provided your list voluntarily (without even being > prompted by a single 'so?'). No one "asked you to defend" your > opinion. False, he just asked me to explain again what I just had explained. > Anyway, you should care why Joachim doesn't like it because he > is a developer so probably has good insights about > OpenBSD-related things. If he says what you're making is missing > things that pkg_* already has then he is probably correct. Thanks for telling what I should care about, I really appreciate it. I don't care if he likes pkg_* better for his usage, that's entirely up to him. I just showed people what I use and like, to offer them an alternative. Anyone is free to take it or leave it. > Joachim was very civil in his message, and gave each of your > points a fair evaluation. He was not civil, he asked me to explain again what I had already explained. And his personal evaluation is personal yet he makes it look like he speaks for the rest of the world, which is also not civil. > What if he had taken your completely new ports system as an > insult to all the work that has been done on pkg_*? Anybody can take anything as an insult. That's their business. I bet for instance you take my reply as an insult, while in reality I merely point out how uncivil it is what you wrote. Lack of uncivil words do not make something civilized. > You should realize this. Thank you for telling me what to realize. I really appreciate it. # Han you're an ass.
Re: mounting two times
On Mon, 19 Jun 2006 13:12:20 +0300 (EEST) "Martynas Venckus" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot),
> but web applications could access mysql server only by network, which is
> not the most secure and fast way. Chrooting it to /var/www/mysql would not
> be secure too.
>
> The problem could be solved creating pseudo device for /var/mysql/tmp --
> mysql socket would be there, and mount it two times (/var/mysql/tmp,
> /var/www/somewhere). Is it possible?
>
> Also it could be done using mount --bind, but openbsd does not support it,
> right?
>
> And also, i have seperate partitions to /var/www and /var/mysql, so i can
> not hard link the socket cross over partition.
>
> Thanks.
>

I am not sure as I have not tried it, but I think mySQL creates its unix socket *before* it calls chroot() [or can be very easily fixed anyways].

In that case, you simply have to setup mySQL so that it creates the unix socket within httpd's chroot, it does not have to be within mySQL's.

-- veins
Re: mounting two times
Martynas Venckus wrote:
> > I am not sure as I have not tried it, but I think mySQL creates its unix
> > socket *before* it calls chroot() [or can be very easily fixed anyways].
>
> No it can't create socket before chroot(), then how it would access mysql
> data?

Can you elaborate on this? I don't get it. Unchrooted it creates a socket (e.g. /var/run/mysql.sock) and then chroots itself to /var/mysql, where the data exists. What is (or would be) wrong with that?

/Alexander
Re: mounting two times
On Mon, 19 Jun 2006 13:09:20 +0200 knitti <[EMAIL PROTECTED]> wrote:
> On 6/19/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > On Monday 19 June 2006 18:12, Martynas Venckus wrote:
> > > I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot),
> > > but web applications could access mysql server only by network, which is
> > > not the most secure and fast way.
> >
> > What's not secure about binding to localhost only?
>
> protocol attacks on the application which talks to mysql?
> if you use some php stuff (any php sutff ;) and talk to mysql, you can
> manipulate the db by sql injection. if _then_ mysql has e.g. a hole
> which allows it to be manipulated or broken out into a shell, a chroot
> would help al lot ;)
>
> --knitti
>

SQL injection is unrelated to the way mySQL is accessed or to the fact that it runs chrooted. A badly written PHP application may cause SQL injection attacks to be possible even with a chrooted mySQL server.

Not to mention that a script may also open a Unix socket just as it could connect to the tcp socket, and it is very doubtful that an issue would affect the tiny portion of code that does the handling of connections.

-- veins
Re: mounting two times
> I am not sure as I have not tried it, but I think mySQL creates its unix > socket *before* it calls chroot() [or can be very easily fixed anyways]. No it can't create socket before chroot(), then how it would access mysql data?
pkg_add -ui - Using Ports except or real Packages?
Hello everybody, Tec-Note: OpenBSD-3.9 STABLE on amd64 The -ui Switch for pkg_add is a realy "wonderfull" development but it needs updated Packages at the FTP. Just some examples from Software updated using Ports: Candidates for updating clamav-0.88.2 -> clamav-0.88 Candidates for updating cups-1.1.23p8 -> cups-1.1.23p8 <- ? Candidates for updating curl-7.15.3 -> curl-7.15.1 Would it maybe possible to add a "use the damn ports"-Switch to pkg_add? So that it uses the Ports except of the Packages (Somethign like -uip). Why? 1. Ports are mostly more up2date then the Packages - Efficent and less work for the Maintainer 2. Peoples who wanna update don`t have to wait until somebody build a package - I mean such neat automatic-update (pkg_add -ui) - Creating Packages needs time (many Archs...) 3. Maybe even less traffic for the main-FTP - CVS-Updates should be made anyway As I already wrote in another mail. For now pkg_add -ui is kind of useless to keep a System up2date. It`s more like a "upgrade"-Tool if you switch from 3.8 to 3.9 or from 3.9 to current. But it`s not helping to keep the 3rd-Party-Software updated so nearly any Admin (well imagine somebody has Workstations with OpenBSD ;-) ) has to use the Ports anyway. That`s just my idea how to (maybe..?) solve that problem. And the problem is not a technical one... it`s more the time needed for somebody (don`t know who it is) to create the Packages. And if this guy simply has no time (well he spends his spare-time I guess) there`s no update and so using Ports is the only way anyway. Kind regards, Sebastian
Re: mounting two times
> I'm still not clear on exactly why a domain socket is more secure than a > localhost tcp socket. Faster? Sure, but probably not by an amount that > matters. More secure? I really don't see how in this case. Okay, why we should it listen to unneded port? Somebody could insensibly redirect packets. It's not the way it is supposed to be. You need to read the file for example, would you read it, or create a socket, wait for connections from the script and then read it? The more operations it performs, the more insecure the daemon is.
Re: Dynamically Increase IPC on OpenBSD ?
> On Behalf Of Marc Espie > On Mon, Jun 19, 2006 at 09:43:59AM +0200, Vincent Blondel wrote: > > Hello all, > > > > I would like to increase some IPC values on my OpenBSD 3.9 > box. These > > parameters need to be changed for Squid. > > > > When I look at the current values I receive next result > > > > [EMAIL PROTECTED] [/etc/squid] # ipcs -Q > > msginfo: > > msgmax: 16384 (max characters in a message) > > msgmni: 40 (# of message queues) > > msgmnb: 2048 (max characters in a message queue) > > msgtql: 40 (max # of messages in system) > > msgssz: 8 (size of a message segment) > > msgseg: 2048 (# of message segments in system) > > > > and would like to set these new ones. > > > > options MSGMNB=8192 > > options MSGMNI=40 > > options MSGSEG=512 > > options MSGSSZ=64 > > options MSGTQL=2048 > > > > but I still haven't found how I could increase dynamically > these settings > > and I don't find them in sysctl proposals. > > That's kern.seminfo and kern.shminfo Those are semaphores and shared memory. The OP needs message queues. I also needed to increase those values for squid's diskd but I compiled a new kernel, as I couldn't find the appropriate sysctls.
Re: mounting two times
On Monday 19 June 2006 19:09, knitti wrote:
> protocol attacks on the application which talks to mysql?

Uhm, and using a domain socket is different how?

> if you use some php stuff (any php stuff ;) and talk to mysql, you can
> manipulate the db by sql injection.

And? This has nothing to do with what kind of socket is used. SQL injection problems don't magically go away if you use a domain socket.

> if _then_ mysql has e.g. a hole
> which allows it to be manipulated or broken out into a shell, a chroot
> would help a lot ;)

Uh, yes. it's in a chroot so you'll talk to it using tcp to localhost. I'm still not clear on exactly why a domain socket is more secure than a localhost tcp socket. Faster? Sure, but probably not by an amount that matters. More secure? I really don't see how in this case.

---
Lars Hansson
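The distinction argued over in this thread, as an added example that is not part of any poster's message: what the kernel tells a server about a local client on a Unix domain socket versus a 127.0.0.1 TCP listener. It assumes a Linux host (`SO_PEERCRED` with the `struct ucred` layout pid, uid, gid); the socket name `db.sock` and the helper names are made up for the illustration. On OpenBSD the C call for the same check is getpeereid(3).

```python
import os
import shutil
import socket
import stat
import struct
import tempfile


def peer_identity(conn):
    """Return what the kernel tells a server about the connected peer."""
    if conn.family == socket.AF_UNIX:
        # Assumption: Linux, where struct ucred is laid out as pid, uid, gid.
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize("3i"))
        pid, uid, gid = struct.unpack("3i", raw)
        return {"transport": "unix", "pid": pid, "uid": uid, "gid": gid}
    # TCP: only an address and port; every local uid looks the same.
    host, port = conn.getpeername()
    return {"transport": "tcp", "host": host, "port": port}


def probe(listener, address):
    """Connect once and report the server-side view of that client."""
    with socket.socket(listener.family, socket.SOCK_STREAM) as client:
        client.connect(address)
        conn, _ = listener.accept()
        with conn:
            return peer_identity(conn)


def compare():
    """Open both kinds of listener and describe the same local client."""
    workdir = tempfile.mkdtemp(prefix="sockdemo-")  # mkdtemp uses mode 0700
    path = os.path.join(workdir, "db.sock")         # hypothetical socket name
    unix_srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        unix_srv.bind(path)
        os.chmod(path, 0o660)           # owner and group only
        unix_srv.listen(1)
        tcp_srv.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
        tcp_srv.listen(1)
        return {
            "socket_mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
            "unix": probe(unix_srv, path),
            "tcp": probe(tcp_srv, tcp_srv.getsockname()),
        }
    finally:
        unix_srv.close()
        tcp_srv.close()
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(compare())
```

The TCP result carries only an address and port, so any access decision has to come from the application protocol; the Unix result carries a kernel-supplied uid that the server can compare against an allow-list, on top of the directory and socket file modes.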
Re: Dynamically Increase IPC on OpenBSD ?
Ok, I also saw these values but which one corresponds to those I want ?

Vincent.

[EMAIL PROTECTED] [/root] # sysctl -a |egrep 'seminfo'
kern.seminfo.semmni=10
kern.seminfo.semmns=60
kern.seminfo.semmnu=30
kern.seminfo.semmsl=60
kern.seminfo.semopm=100
kern.seminfo.semume=10
kern.seminfo.semusz=100
kern.seminfo.semvmx=32767
kern.seminfo.semaem=16384

> On Mon, Jun 19, 2006 at 09:43:59AM +0200, Vincent Blondel wrote:
>> Hello all,
>>
>> I would like to increase some IPC values on my OpenBSD 3.9 box. These
>> parameters need to be changed for Squid.
>>
>> When I look at the current values I receive next result
>>
>> [EMAIL PROTECTED] [/etc/squid] # ipcs -Q
>> msginfo:
>> msgmax: 16384 (max characters in a message)
>> msgmni: 40 (# of message queues)
>> msgmnb: 2048 (max characters in a message queue)
>> msgtql: 40 (max # of messages in system)
>> msgssz: 8 (size of a message segment)
>> msgseg: 2048 (# of message segments in system)
>>
>> and would like to set these new ones.
>>
>> options MSGMNB=8192
>> options MSGMNI=40
>> options MSGSEG=512
>> options MSGSSZ=64
>> options MSGTQL=2048
>>
>> but I still haven't found how I could increase dynamically these
>> settings
>> and I don't find them in sysctl proposals.
>
> That's kern.seminfo and kern.shminfo
Re: mounting two times
On 6/19/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
On Monday 19 June 2006 18:12, Martynas Venckus wrote:
> I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot),
> but web applications could access mysql server only by network, which is
> not the most secure and fast way.
What's not secure about binding to localhost only?

protocol attacks on the application which talks to mysql? if you use some php stuff (any php stuff ;) and talk to mysql, you can manipulate the db by sql injection. if _then_ mysql has e.g. a hole which allows it to be manipulated or broken out into a shell, a chroot would help a lot ;)

--knitti
Re: package dependencies
On 2006/06/19 11:34, Joachim Schipper wrote:
> This has been covered over and over in the archives, but some
> highlights:
>
> fvwm  the default, in base: this is not the newest version, as
> fvwm switched to GPL. It's quite usable.

It's also lighter on system resources than some people might think (if you change WM just because you want to use fewer resources, check you're actually improving things; some WM regarded as `lightweight' are heavier than fvwm).
Re: mounting two times
On Monday 19 June 2006 18:12, Martynas Venckus wrote: > I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot), > but web applications could access mysql server only by network, which is > not the most secure and fast way. What's not secure about binding to localhost only? --- Lars Hansson
mounting two times
Hello, I want to chroot mysql. So i chrooted it in /var/mysql (mysqld --chroot), but web applications could access mysql server only by network, which is not the most secure and fast way. Chrooting it to /var/www/mysql would not be secure too. The problem could be solved creating pseudo device for /var/mysql/tmp -- mysql socket would be there, and mount it two times (/var/mysql/tmp, /var/www/somewhere). Is it possible? Also it could be done using mount --bind, but openbsd does not support it, right? And also, i have separate partitions to /var/www and /var/mysql, so i can not hard link the socket cross over partition. Thanks.
Re: 3.9 release 1st boot: kernel: stopped at scan_smbios
On Mon, Jun 19, 2006 at 10:29:06AM +0100, Craig Skinner wrote: > On Mon, Jun 19, 2006 at 10:43:10AM +0200, mickey wrote: > > On Sat, Jun 17, 2006 at 01:41:27AM +, Travers Buda wrote: > > > Looks like a crappy bios (pardon the redundancy,) try > > > > > > boot> boot -c > > > > > > UKC > disable pcibios > > > UKC > quit > > > > this obviously has nothing to do w/ pcibios. > > disable ipmi would be a better solution. > > i think this was fixed in -current that you should try as well plz. > > > > Thanks for the idea, but no difference. > > I have other boxes that this is not a problem for, so I'll use them > until the next release. oh right. me bad. ipmi is one of those drivers that is broken and does probe all the time that cannot be disabled... you can compile a kernel w/ removed ipmi i suppose. (or patch it w/ gdb and put "xorl %eax, %eax; ret" in ipmi_probe ;) cu -- paranoic mickey (my employers have changed but, the name has remained)
Re: cruxports for OpenBSD
On Sun, Jun 18, 2006 at 08:49:09PM -0400, Nick Guenther wrote: > On the other hand, realize that no one asked you in the first place, > you provided your list voluntarily (without even being prompted by a > single 'so?'). No one "asked you to defend" your opinion. Anyway, you > should care why Joachim doesn't like it because he is a developer so > probably has good insights about OpenBSD-related things. If he says > what you're making is missing things that pkg_* already has then he is > probably correct. > > Joachim was very civil in his message, and gave each of your points a > fair evaluation. What if he had taken your completely new ports system > as an insult to all the work that has been done on pkg_*? You should > realize this. Well, two smallish points: 1. I am only a developer in the sense that I wrote a couple of random scripts and some C code to calculate stuff, only one piece of which ever made it onto misc@ (much less into the tree - I'm not much of a coder, really, though I'm trying to improve); 2. Han is, arguably, right - I don't care for his work, and don't really believe his points for proposing it are worth the bother, but I could have phrased that quite a bit more constructively. For instance, mentioning that the 'merge /etc' part could, when done right (which is not easy), be interesting. Which I did, in a roundabout way, but... Joachim
Re: package dependencies
On Sun, Jun 18, 2006 at 09:24:24PM +0100, poncenby wrote:
> On 17 Jun 2006, at 11:24, Joachim Schipper wrote:
>
> >On Thu, Jun 15, 2006 at 10:47:40PM +0100, poncenby wrote:
> >>quick one for you knowledgeable chaps/chapesses...
> >>
> >>If one does not have OpenBSD installed how would one obtain a list of
> >>the dependencies of a certain package, say gnome-desktop for
> >>arguments sake?
> >>
> >>Many thanks
> >>
> >>poncenby
> >>
> >>p.s. this question comes from the need to know the exact packages to
> >>download and burn to CD in order to get a reasonably usable desktop
> >>system running gnome, when said system has no connection to the
> >>interweb
> >
> >All other, quite good, replies aside... you are aware that GNOME
> >is, to
> >put it lightly, not working optimally on OpenBSD?
> >
>
> so what desktop environment is working optimally on OpenBSD 3.9?

This has been covered over and over in the archives, but some highlights:

fvwm  the default, in base: this is not the newest version, as fvwm switched to GPL. It's quite usable.
ion   liked by many people, but very unlike traditional window managers (also see ratpoison)
kde   is pretty usable; it's not perfect, and something like Ubuntu will give you a 'more complete desktop experience', but it works

There are also tens of lightweight window managers in ports; pick one you like.

Joachim
Re: 3.9 release 1st boot: kernel: stopped at scan_smbios
On Mon, Jun 19, 2006 at 10:43:10AM +0200, mickey wrote: > On Sat, Jun 17, 2006 at 01:41:27AM +, Travers Buda wrote: > > Looks like a crappy bios (pardon the redundancy,) try > > > > boot> boot -c > > > > UKC > disable pcibios > > UKC > quit > > this obviously has nothing to do w/ pcibios. > disable ipmi would be a better solution. > i think this was fixed in -current that you should try as well plz. > Thanks for the idea, but no difference. I have other boxes that this is not a problem for, so I'll use them until the next release.
Re: turning on PF
Lawrence Horvath wrote:
I'm having a little trouble with my queues in PF i have the following in my pf.conf

altq on tl0 cbq bandwidth 100Kb queue {all}
queue all bandwidth 100% {default}
pass out on tl0 from any to any queue all
pass in on tl0 from any to any

however i get the following:

$ sudo pfctl -e
pfctl: pf already enabled
$ sudo pfctl -A
$ sudo pfctl -R
$ sudo pfctl -s queue
No queue in use

Sorry for asking, but you have, at some point, run "pfctl -ef /etc/pf.conf", right? ^^ (And made damn sure that the file exists at that place, too?)

/alexander

This is on 3.9 Generic, thanks
Re: 3.9 release 1st boot: kernel: stopped at scan_smbios
On Sat, Jun 17, 2006 at 01:41:27AM +, Travers Buda wrote:
> Looks like a crappy bios (pardon the redundancy,) try
>
> boot> boot -c
>
> UKC > disable pcibios
> UKC > quit

this obviously has nothing to do w/ pcibios.
disable ipmi would be a better solution.
i think this was fixed in -current that you should try as well plz.

cu

> On Sat, 17 Jun 2006 00:45:29 +0100
> Craig Skinner <[EMAIL PROTECTED]> wrote:
>
> > Hi List,
> >
> > I've just installed 3.9 RELEASE on an i386 and got a kernel page
> > fault.
> >
> > Booted the box from the floppy39.fs, sliced the disk, installed some
> > sets & rebooted, as per normal.
> >
> > I don't use this box very often and the last release I had on it was
> > 3.6, which worked fine.
> >
> > Where do I go from here? 3.8?
> >
> > I piped the boot output from tip into a file:
> >
> > connected
> > >> OpenBSD/i386 BOOT 2.10
> > booting hd0a:/bsd: 4966344+867848 [52+255872+237161]=0x608d64 entry point at 0x100120
> >
> > [ using 493460 bytes of bsd ELF symbol table ]
> > Copyright (c) 1982, 1986, 1989, 1991, 1993
> > The Regents of the University of California. All rights
> > reserved. Copyright (c) 1995-2006 OpenBSD. All rights reserved.
> > http://www.OpenBSD.org
> >
> > OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
> > [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> > cpu0: Intel Pentium III ("GenuineIntel" 686-class, 128KB L2 cache)
> > 635 MHz cpu0:
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 199729152 (195048K)
> > avail mem = 175271936 (171164K)
> > using 2463 buffers containing 10088448 bytes (9852K) of memory
> > mainbus0 (root)
> > bios0 at mainbus0: AT/286+(00) BIOS, date 01/15/99, BIOS32 rev. 0 @
> > 0xfdb70 apm0 at bios0: Power Management spec V1.2
> > apm0: AC on, battery charge unknown
> > apm0: flags 30102 dobusy 0 doidle 1
> > pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> > pcibios0: PCI BIOS has 9 Interrupt Routing table entries
> > pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801AA LPC" rev
> > 0x00) pcibios0: PCI bus #1 is the last bus
> > bios0: ROM list: 0xc/0x8000
> > uvm_fault(0xd05c2f60, 0xdeeb8000, 0, 1) -> e
> > kernel: page fault trap, code=0
> > Stopped at scan_smbios+0xb9: cmpb$0,0(%ebx)
> > ddb>
>

-- paranoic mickey (my employers have changed but, the name has remained)
Re: Dynamically Increase IPC on OpenBSD ?
On Mon, Jun 19, 2006 at 09:43:59AM +0200, Vincent Blondel wrote:
> Hello all,
>
> I would like to increase some IPC values on my OpenBSD 3.9 box. These
> parameters need to be changed for Squid.
>
> When I look at the current values I receive next result
>
> [EMAIL PROTECTED] [/etc/squid] # ipcs -Q
> msginfo:
> msgmax: 16384 (max characters in a message)
> msgmni: 40 (# of message queues)
> msgmnb: 2048 (max characters in a message queue)
> msgtql: 40 (max # of messages in system)
> msgssz: 8 (size of a message segment)
> msgseg: 2048 (# of message segments in system)
>
> and would like to set these new ones.
>
> options MSGMNB=8192
> options MSGMNI=40
> options MSGSEG=512
> options MSGSSZ=64
> options MSGTQL=2048
>
> but I still haven't found how I could increase dynamically these settings
> and I don't find them in sysctl proposals.

That's kern.seminfo and kern.shminfo
Dynamically Increase IPC on OpenBSD ?
Hello all,

I would like to increase some IPC values on my OpenBSD 3.9 box. These parameters need to be changed for Squid.

When I look at the current values I receive next result

[EMAIL PROTECTED] [/etc/squid] # ipcs -Q
msginfo:
msgmax: 16384 (max characters in a message)
msgmni: 40 (# of message queues)
msgmnb: 2048 (max characters in a message queue)
msgtql: 40 (max # of messages in system)
msgssz: 8 (size of a message segment)
msgseg: 2048 (# of message segments in system)

and would like to set these new ones.

options MSGMNB=8192
options MSGMNI=40
options MSGSEG=512
options MSGSSZ=64
options MSGTQL=2048

but I still haven't found how I could increase dynamically these settings and I don't find them in sysctl proposals. So is there a way to do this or is the only way to do it to compile a new kernel ?

Regards
Vincent