Re: kernel settings for pf default block
On 7/5/06, Lars Hansson [EMAIL PROTECTED] wrote:
> On Thursday 06 July 2006 01:35, c.s.r.c.murthy wrote:
> > block all in pf.conf is ok, but it will go away when the rules are flushed for known/unknown reasons. I feel it is desirable to have a kernel parameter that does default blocking when all rules are flushed.
>
> The developers think otherwise: http://www.benzedrine.cx/pf/msg07442.html

That thread is the result of FreeBSD being lazy in their porting (because /etc/rc wasn't changed to set up a default 'block all' on boot before bringing up the network) so it's not directly applicable to this "rules are flushed" case.

However, why the hell would you ever randomly flush your rules for unknown reasons? You shouldn't be giving people you can't trust not to do that the ability to do that. As for known reasons, it's your own fault if you flush your rules without reloading at least a block all. If you just do something like

# pfctl -F all
# echo block all | pfctl -f -

then the switch over to the new ruleset is pretty snappy and hardly enough time for any malicious packets to get through. It shouldn't even be an issue since you shouldn't be testing rules on a production system anyway, or if you are and you are paranoid then you can simply 1) take down interfaces before working on pf 2) turn off routing.

-Nick
Re: kernel settings for pf default block
c.s.r.c.murthy wrote:
> Hello Matthew,
>
> block all in pf.conf is ok, but it will go away when the rules are flushed for known/unknown reasons. I feel it is desirable to have a kernel parameter that does default blocking when all rules are flushed.

But the default blocking will go away when the kernel parameters are flushed for known/unknown reasons too. Perhaps a setting for the network drivers so that if the pf.conf goes, and the kernel parameters are lost, it can still block packets. But hey, if the setting goes away
Re: X not found
That's what I was asking: can I just install a small set of libs or do I need to entirely install X?

On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote:
> If you have no parts of X installed, then how do you expect to link against it? If you plan to use your OpenBSD machine as a headless X client, then you'll need to install the requisite libs. You'll save yourself a lot of time and headache if you just install the X set.
>
> On 7/4/06, Lawrence Horvath [EMAIL PROTECTED] wrote:
> > I have been getting the following error, and wasn't sure if I have to totally install X or can I just install a minimal lib set to get the error to stop; at this time I do not have any parts of X installed.
> >
> > # make
> > === qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.
> >
> > Thanks
> > --
> > -Lawrence

--
-Lawrence
Chillispot on OpenBSD
Ok, finally got Chillispot to run on OpenBSD, NetBSD and Mac OS X :)

http://www.geeklan.co.uk/?p=72
http://www.geeklan.co.uk/files/chillispot-1.0.patch

Patch chillispot, then run:

make install chilli_LDFLAGS=-lcrypto

Unfortunately I haven't written a sample PF config yet, but if you have a look in the doc sub directory in the chillispot directory, there is a well commented iptables config file which says what needs to be done, or you can grab an IPFW sample config here:

http://www.geeklan.co.uk/files/chillispot-ipfw.conf

Enjoy! :)

Sevan / Venture37
--
The truth, the half-truth, and nothing like the truth. - Mark Brandon Read
Bridge wireless and wired networks.
Hello.

On my laptop I use trunk(4) failover to switch between wired and wireless networks. It works great. But I think my solution for the router is a bit dirty. Is there a better way?

The router has one interface connected to the internet (fxp0) and two interfaces for the internal network (ral0 and fxp1). When I get tired of waiting for a download to complete I wish to switch from wireless to a crossover cable (I'd rather not use a switch) without interruption.

The solution I have:

:; ifconfig
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:2b:b2:89
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::202:b3ff:fe2b:b289%fxp1 prefixlen 64 scopeid 0x2
        inet 192.168.13.2 netmask 0xff00 broadcast 192.168.13.255
ral0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:2e:86:7b:14
        media: IEEE802.11 autoselect hostap
        status: active
        ieee80211: nwid NAH chan 1 bssid 00:0e:2e:86:7b:14 nwkey Nope 100dBm
        inet 192.168.13.1 netmask 0xff00 broadcast 192.168.13.255
        inet6 fe80::20e:2eff:fe86:7b14%ral0 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge

:; brconfig bridge0
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                fxp1 flags=3<LEARNING,DISCOVER>
                        port 2 ifpriority 128 ifcost 55
                ral0 flags=3<LEARNING,DISCOVER>
                        port 3 ifpriority 128 ifcost 55
        Addresses (max cache: 100, timeout: 240):

And then I start dhcpd with '/usr/sbin/dhcpd ral0 fxp1'.

For me it would be beautiful to set the 192.168.13.1 address on bridge0 and have dhcpd listen only on bridge0, or maybe use trunk(4) in some mode for this, but I have been unsuccessful at that.

Suggestions?

Jan J
Re: File Server Advice Required
On 7/4/06, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Tue, Jul 04, 2006 at 11:07:37AM -0700, Ginja_Ninja wrote:
> > 3. Ultra secure remote login away from home on the laptop.
>
> Run it over IPsec, or OpenVPN if you want to be able to pass broken firewalls. (Note - setting up IPsec on OpenBSD is very easy, especially on -current; but setting up IPsec on Windows is, while not impossible, less trivial.)

Getting your hands on a decent client makes the rest relatively simple. Some time ago, an HP sales rep told me that HP supplies 10 licences for the SafeNet SoftRemote client over at http://my.procurve.com/ at a rather nice price: for free. Now it isn't OpenBSD or open source software, but SoftRemote has so far worked quite well for my purposes.

Cheers,
Rogier
--
If you don't know where you're going, any road will get you there.
Re: kernel settings for pf default block
On Wed, Jul 05, 2006 at 02:36:44AM -0400, Nick Guenther wrote:
> # pfctl -F all
> # echo block all | pfctl -f -
>
> then the switch over to the new ruleset is pretty snappy and hardly enough time for any malicious packets to get through.

Flushing the ruleset is totally unnecessary when loading a new ruleset. Simply do:

# pfctl -f /etc/pf.conf

If there is some kind of error in your new ruleset, nothing changes - you're still running with your old ruleset. There is no window with no firewall rules unless you explicitly ask for it.

Even with a default block policy in the kernel, what if you load a "pass all" ruleset for known/unknown reasons? The fact is that if you're root, you can do stupid things. Get used to it, and grant access appropriately.
July 4 Snapshot re interface problem?
Hey folks, just thought I'd UPGRADE to a newer snapshot tonight and now I can't seem to get my re0 network interface to ping (from either the client or from OpenBSD) and/or packet forwarding via PF - although oddly I seem to be able to receive dhcp queries from it and get a MAC address (but then - the client was Windows XP, and since I hadn't rebooted XP after the OpenBSD upgrade and of course XP tends to cache just about everything... for the record I used XP's disable, wait 5 seconds/enable interface and successfully got an IP address as a test).

Anyways, I have an xl card in the OpenBSD box, I switched everything to that and ping/nat-forwarding/internet works! (after a move of the hostname.re0 file and modifications to my original pf.conf file)

And yes, I used an unrestricted separate PF file and it didn't change a thing (example follows). Dmesg @ bottom...

=-=-=-=-=-=-
# cat /etc/pf.open
# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=rl0
int_if=re0

table <spamd> persist
table <spamd-white> persist

set skip on lo

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
    -> 127.0.0.1 port spamd

anchor "ftp-proxy/*"
pass in all keep state
pass out all keep state
=-=-=-=-=-=-

The command I used to test the /etc/pf.open file:

# pfctl -F all;pfctl -f /etc/pf.open

I don't have the pfctl output because it was done in a different terminal at the time.
=-=-=-=-=-=-
# dmesg
OpenBSD 3.9-current (GENERIC) #942: Tue Jul 4 19:31:30 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 722 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 536375296 (523804K)
avail mem = 483475456 (472144K)
using 4256 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(a3) BIOS, date 06/28/00, BIOS32 rev. 0 @ 0xfb380, SMBIOS rev. 2.3 @ 0xf0800 (39 entries)
bios0: http://www.abit.com.tw i440BX-W83977 (BH6)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb808
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Matrox MGA G400/G450 AGP" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST3250823A>
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, DVDRAM GSA-4167B, DL12> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x02: polling
iic0 at piixpm0
iic0: addr 0x2d 00=c4 01=01 02=30 03=0b 04=3f 05=04 06=21 07=81 08=10 09=77 0a=44 0b=d3 0c=aa 0d=18 0e=08 0f=08 10=02 11=09 12=14 13=18 14=6e 15=2f 16=cd 17=e9 18=a1 19=1e 1a=87 1b=a2 1c=81 1d=b4 1e=8a 1f=00 20=68 21=5e 22=cd 23=ba 24=c4 25=db 26=d4 27=2b 2a=90 2b=8a 2c=04 2d=20 2e=20 2f=42 30=8c 31=1a 32=10 33=20 34=00 35=1a 36=23 37=95 38=54 39=82 3a=a0 3b=01 3c=50 3d=ac 3e=5a 3f=28 40=01 41=de 42=07 46=7f 47=58 48=2d 49=c0 4a=00 4b=c0 4c=c0 4d=c0 4e=5a 4f=00 50=01 51=00 52=00 56=7f 57=58 58=2d 59=c0 5a=c0 5b=c0 5c=c0 5d=c0 5e=c0 5f=00 60=68 61=5e 62=cd 63=ba 64=c4 65=db 66=d4 67=2b 6a=90 6b=8a 6c=04 6d=20 6e=20 6f=42 70=8c 71=1a 72=10 73=20 74=00 75=1a 76=23 77=95 78=54 79=82 7a=a0 7b=01 7c=50 7d=ac 7e=5a 7f=28 80=c4 81=01 82=30 83=0b 84=3f 85=04 86=21 87=81 88=10 89=77 8a=44 8b=d3 8c=aa 8d=18 8e=08 8f=08 90=02 91=09 92=14 93=18 94=6e 95=2f 96=cd 97=e9
Re: X not found
On Wed, Jul 05, 2006 at 12:03:35AM -0700, Lawrence Horvath wrote:
> That's what I was asking: can I just install a small set of libs or do I need to entirely install X?

xbase will do for (almost?) all ports.

Joachim
Re: Bridge wireless and wired networks.
Jan Johansson skrev:
> Hello.
>
> On my laptop I use trunk(4) failover to switch between wired and wireless networks. It works great. But I think my solution for the router is a bit dirty. Is there a better way?
>
> The router has one interface connected to the internet (fxp0) and two interfaces for the internal network (ral0 and fxp1). When I get tired of waiting for a download to complete I wish to switch from wireless to a crossover cable (I'd rather not use a switch) without interruption.
>
> The solution I have:
>
> :; ifconfig
> fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:02:b3:2b:b2:89
>         media: Ethernet autoselect (none)
>         status: no carrier
>         inet6 fe80::202:b3ff:fe2b:b289%fxp1 prefixlen 64 scopeid 0x2
>         inet 192.168.13.2 netmask 0xff00 broadcast 192.168.13.255
> ral0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0e:2e:86:7b:14
>         media: IEEE802.11 autoselect hostap
>         status: active
>         ieee80211: nwid NAH chan 1 bssid 00:0e:2e:86:7b:14 nwkey Nope 100dBm
>         inet 192.168.13.1 netmask 0xff00 broadcast 192.168.13.255
>         inet6 fe80::20e:2eff:fe86:7b14%ral0 prefixlen 64 scopeid 0x3
> bridge0: flags=41<UP,RUNNING> mtu 1500
>         groups: bridge
>
> :; brconfig bridge0
> bridge0: flags=41<UP,RUNNING>
>         Configuration:
>                 priority 32768 hellotime 2 fwddelay 15 maxage 20
>         Interfaces:
>                 fxp1 flags=3<LEARNING,DISCOVER>
>                         port 2 ifpriority 128 ifcost 55
>                 ral0 flags=3<LEARNING,DISCOVER>
>                         port 3 ifpriority 128 ifcost 55
>         Addresses (max cache: 100, timeout: 240):
>
> And then I start dhcpd with '/usr/sbin/dhcpd ral0 fxp1'.
>
> For me it would be beautiful to set the 192.168.13.1 address on bridge0 and have dhcpd listen only on bridge0, or maybe use trunk(4) in some mode for this, but I have been unsuccessful at that.

well, it should work. however, you should set an address on either of the interfaces that constitutes the bridge, not the bridge itself. but you don't say exactly where you are unsuccessful...

also, failover trunk ought to work, but i wouldn't know how a bridge pair directly hooked up against let's say a round robin trunk would behave. maybe then the finer options of brconfig(8) would be worth trying.

/kami
Re: Preventing password reuse
On Tue, Jul 04, 2006 at 10:07:53PM -0400, STeve Andre' wrote:
> On Tuesday 04 July 2006 08:45, Joachim Schipper wrote:
> > On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote:
> > > Well, just to play the devil's advocate here ... One of the main functions of any password hygiene program 'should' be to prevent users from changing 'mypassword1' to 'mypassword2' and then 'mypassword3', etc. (Yes, we can force complex passwords, but the idea is the same.)
> >
> > "In conclusion the main thing we did wrong ... was to worry about criminals being clever; we should rather have worried about our customers ... being stupid." -- Ross Anderson, Security Engineering
> >
> > This suggests a rather fascist, and thus very effective approach: deny the users the right to create their own passwords, but institute some scheme that produces strong, but hopefully memorizable passwords.
> > [snip]
>
> Oh Gods. If you do that with normal people, they will put those passwords on PostIts and leave them in safe places like monitors. MOST people have real real REAL problems remembering all but some very few passwords. People hate passwords, and even in secure institutions (like military environs) they circumvent them. Forcing a password on people results in a secure password, but in unsecure storage methods. We computer folks are weird in that we remember many of them.

We computer folks are weird in that we can be made to understand that spending five minutes memorizing a password actually makes sense.

Also, I do not necessarily advocate

dd if=/dev/urandom bs=16 count=1 | b64encode -

- though that is a good method and produces proper passwords - but have you looked at something like the S/KEY scheme for producing text passwords? A slightly modified version could both create sentences that make some sense (for fairly low values of "some"), and if you add a little fuzzing somewhere the passwords are fairly strong.

Consider five lower-case words chosen from 1024 possibilities each, for instance - this has 50 bits of entropy, roughly equivalent to a 10-character password based on natural language [1]; a little fuzzing and use of capitals will make the passwords chosen much more powerful, but a 10-character password based on natural language really isn't that shabby for a lower bound on password complexity. (Plus, with a secret algorithm/wordlist the above is significantly harder to crack; while assuming secrecy of your algorithm is a no-no in crypto, it's still a nice side benefit, and not completely unjustified if the wordlists are rotated regularly...)

Of course, the above will create more complex passwords than people would choose themselves and make it impossible to use mydog1, mydog2, and so on; and yes, some people will be annoyed. However, since the goal was to improve password security (or, rather, getting the auditors to sign off for good password security), *some* increase in the complexity of passwords is inevitable - and communicating this well might lead to more understanding.

The main disadvantage would be that it creates noticeably longer passwords; this is the price paid for an easily-remembered but still strong password. This can be offset by sprinkling more randomness (for instance, arbitrarily capitalize each letter with 50% chance - this adds 1 bit of entropy per character), but that makes the password less rememberable. (Note also that long, but memorizable, passwords will induce bitching but are less likely to make people use Post-its.)

Joachim

[1] Giving a generous 5 bits of entropy for each character; simple natural language has 2 - 4 bits by most counts, but passwords tend to be a little more random.
Re: News From HiFn
On Tue, 4 Jul 2006 18:48:28 +0200, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Tue, Jul 04, 2006 at 12:16:45PM -0400, Nick Guenther wrote:
> > On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote:
> > > On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote:
> > > > I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation:
> > > >
> > > > ftp://ftp.hifn.com
> > > >
> > > > This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. I was told HiFn is still working on their new ftp site, so I'm not sure how complete it is at the moment but at least we know there's a start and they are willing to continue working on it.
> > >
> > > Has anyone tried recently to connect to ftp.hifn.com ? I haven't been able to connect from multiple locations.
> >
> > Doesn't work here either. Curious...
>
> Looks like they're still working on it, as announced; it does not accept connections. Give them some time; this is not entirely unexpected behaviour from a server they just set up.
>
> Joachim

Joachim has a good point. What error messages are you guys getting?

- I'm thinking there would be a limit on the number of anon users the server will accept at any one time. Not only will all the various search engines try to index the site but also I would not be surprised if many individuals tried to make a local mirror of the site contents now that they are open.

- The traffic influx might make a mess out of their IDS.

jcr
--
Free, Open Source CAD, CAM and EDA Tools
http://www.DesignTools.org
Re: Bridge wireless and wired networks.
kami petersen [EMAIL PROTECTED] wrote:
> well, it should work. however, you should set an address on either of the interfaces that constitutes the bridge, not the bridge itself. but you don't say exactly where you are unsuccessful...

It works, I just thought there might be a cleaner solution. For example both ral0 and fxp1 need an IP address or dhcpd just refuses to work on the interface.

> also, failover trunk ought to work,

A failover trunk will work for one laptop. But if a friend and I are sharing the wireless the friend will be cut off when the wired interface goes active.

> but i wouldn't know how a bridge pair directly hooked up against let's say a round robin trunk would behave.

Don't understand this.

> maybe then the finer options of brconfig(8) would be worth trying.

Yes, tuning of 'timeout' might be a good idea.

Thanks.
Re: set skip on interface rule doesn't show up in pfctl -sr
* Giancarlo Razzolini [EMAIL PROTECTED] [2006-07-04 16:07]:
> My question is not only about ftp-proxy, i only used it to exemplify. My question is: if i tag a packet that is entering one interface and in the same rule (rdr pass, for example) i send this packet to an interface which is skipped by pf, I want to know if when this packet gets out of this interface it will still be tagged or not. The only thing that the man page says is that tags are internal markers. So i'm supposing that if i send them to an interface skipped by pf, the tag will not be on the packets getting out of it. Just want to get sure about this, cause all my tests point to this conclusion.

there is no notion of these tags in IP. they are only there as long as the packets are inside the kernel. when they leave the machine (by whatever interface) they're gone, and if they leave kernel space (think userland proxies) they're gone too.

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: [OpenBGPd] Can a nexthop be set on routes announced as my network ?
* Andrea Cocito [EMAIL PROTECTED] [2006-07-04 13:02]:
> Looking at the rationale behind that code I found interesting that it does something very similar to what we do here with a shell script: if the main router has one or more sessions down withdraw its precedence on CARP interfaces. Another difference is that I think CARP interfaces should be demoted when bgpd is.. actually not running!

that is intended to be done soon, but it needs a more generic solution. the whole carp group-based demotion is still very new.

> Perhaps a per-peer config option like promote mask delta which actually promotes the skew of interfaces matching mask of a value delta would be more flexible (so one might boot with carp interfaces at skew say 200 and promote them of 50 for each session which is up).

demotion does not affect advskew. this would add unneeded knobs, adding confusion, solving basically nothing.

> I see that most of the work done in porting openbgpd on FreeBSD is quite non-intrusive, if you agree I might prepare a clean and non-intrusive patch that makes it a bit more platform independent without affecting any feature on OpenBGPd (perhaps for who does not have interface groups we might use masks, like carp*)

OpenBGPD is part of OpenBSD, other operating systems are of secondary interest. That said, we still try to code portable where possible. However, I keep explaining that turning a unix machine into a real BGP-speaking router requires more than just adding a userland BGP process. There are quite some kernel changes in the queue. Of course that leads to bgpd being tighter bound to OpenBSD - not much we can do about that. There'll likely always be a version running on $someotherOS, but it will always be behind the native version. The gap gets bigger, not smaller, over time.

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: kernel settings for pf default block
* c.s.r.c.murthy [EMAIL PROTECTED] [2006-07-05 07:25]: block all in pf.conf is ok, but it will go away when the rules are flushed for known/unknown reasons. I feel it is desirable to have a kernel parameter that does default blocking when all rules are flushed. then certainly you want the patch below, to protect the ruleset beeing replaced by pass all for known/unknown reasons. Index: pf.c === RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.512 diff -u -p -r1.512 pf.c --- pf.c17 May 2006 14:50:47 - 1.512 +++ pf.c5 Jul 2006 11:16:05 - @@ -5847,6 +5847,8 @@ pf_test(int dir, struct ifnet *ifp, stru struct pf_pdesc pd; int off, dirndx, pqid = 0; + return (PF_DROP); + if (!pf_status.running) return (PF_PASS); @@ -6175,6 +6177,8 @@ pf_test6(int dir, struct ifnet *ifp, str struct pf_ruleset *ruleset = NULL; struct pf_pdesc pd; int off, terminal = 0, dirndx; + + return (PF_DROP); if (!pf_status.running) return (PF_PASS); -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
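Review bot: in both hunks the added `return (PF_DROP);` sits before the `if (!pf_status.running) return (PF_PASS);` test, so it is unconditional: every packet is dropped before the running flag or any ruleset is consulted, and the rest of pf_test() and pf_test6() becomes unreachable code (which the compiler will warn about). A real "block when no ruleset is loaded" safety net would have to be conditional on the ruleset being empty, not a bare return at the top of the function. Minor style point: the pf_test hunk puts its blank line after the return, the pf_test6 hunk before it; the two should match.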
Re: Bridge wireless and wired networks.
Jan Johansson skrev:
> kami petersen [EMAIL PROTECTED] wrote:
> > well, it should work. however, you should set an address on either of the interfaces that constitutes the bridge, not the bridge itself. but you don't say exactly where you are unsuccessful...
>
> It works, I just thought there might be a cleaner solution. For example both ral0 and fxp1 need an IP address or dhcpd just refuses to work on the interface.

on the router: assign 192.168.13.1 to fxp1 and none to ral0, put both fxp1 and ral0 in the bridge, putting both ral0 and fxp1 in dhcpd.interfaces. a similar solution is working here. this is basically the same as having only one interface with the above ip on it, that is wired to a switch with an antenna and two ethernet jacks.

> > also, failover trunk ought to work,
>
> A failover trunk will work for one laptop. But if a friend and I are sharing the wireless the friend will be cut off when the wired interface goes active.
>
> > but i wouldn't know how a bridge pair directly hooked up against let's say a round robin trunk would behave.
>
> Don't understand this.

i'm talking about trunking on the clients. if using failover mode, only one interface is used at a time, but in round robin mode all interfaces are used 'simultaneously', with chances of confusing the bridge at the router by creating a loop in the network topology. if this is the case have a look at the spanning tree options of brconfig(8). however, i haven't been there, so this is just where i'd start. plus, i can't see the point of a trunk on the router.

/k
Re: News From HiFn
Ya, that'd be nice if I ever made it to a prompt to enter 'anonymous', but the connection fails well before that point.

$ ping ftp.hifn.com
PING ftp.hifn.com (208.10.194.169): 56 data bytes
64 bytes from 208.10.194.169: icmp_seq=0 ttl=117 time=100.851 ms
64 bytes from 208.10.194.169: icmp_seq=1 ttl=117 time=100.228 ms
^C
--- ftp.hifn.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 100.228/100.540/100.851/0.311 ms
$ ftp ftp.hifn.com
ftp: connect: Connection refused
ftp>

Nice :)

On 7/5/06, J.C. Roberts [EMAIL PROTECTED] wrote:
> On Tue, 4 Jul 2006 18:48:28 +0200, Joachim Schipper [EMAIL PROTECTED] wrote:
> > On Tue, Jul 04, 2006 at 12:16:45PM -0400, Nick Guenther wrote:
> > > On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote:
> > > > On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote:
> > > > > I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation:
> > > > >
> > > > > ftp://ftp.hifn.com
> > > > >
> > > > > This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. I was told HiFn is still working on their new ftp site, so I'm not sure how complete it is at the moment but at least we know there's a start and they are willing to continue working on it.
> > > >
> > > > Has anyone tried recently to connect to ftp.hifn.com ? I haven't been able to connect from multiple locations.
> > >
> > > Doesn't work here either. Curious...
> >
> > Looks like they're still working on it, as announced; it does not accept connections. Give them some time; this is not entirely unexpected behaviour from a server they just set up.
> >
> > Joachim
>
> Joachim has a good point. What error messages are you guys getting?
>
> - I'm thinking there would be a limit on the number of anon users the server will accept at any one time. Not only will all the various search engines try to index the site but also I would not be surprised if many individuals tried to make a local mirror of the site contents now that they are open.
>
> - The traffic influx might make a mess out of their IDS.
>
> jcr
> --
> Free, Open Source CAD, CAM and EDA Tools
> http://www.DesignTools.org
Re: DDOS attack
sonjaya wrote:
> How to block ddos/Flooding/ssh brute attack with pf.

Thanks to (max-src-nodes 20, max-src-states 1) brute forcing just disappeared.

Stephan
Error building ntpd on -current
I just updated from CVS today and cannot do a make build anymore. I successfully installed and booted a GENERIC kernel.

OpenBSD 3.9-current (GENERIC) #3: Wed Jul 5 09:38:20 CEST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 602 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 133722112 (130588K)
avail mem = 115286016 (112584K)

but cannot build userland:

cc -o ntpd ntpd.o buffer.o log.o imsg.o ntp.o ntp_msg.o parse.o config.o server.o client.o sensors.o util.o
ntpd.o(.text+0x9ec): In function `ntpd_adjfreq':
: undefined reference to `adjfreq'
ntpd.o(.text+0xa44): In function `ntpd_adjfreq':
: undefined reference to `adjfreq'
ntpd.o(.text+0xc32): In function `readfreq':
: undefined reference to `adjfreq'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/usr.sbin/ntpd (line 93 of /usr/share/mk/bsd.prog.mk).
*** Error code 1

Stop in /usr/src/usr.sbin.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src (line 73 of Makefile).

Any help is really appreciated.

Thanks.
--
Massimo
Re: Error building ntpd on -current
On Wed, Jul 05, 2006 at 03:35:40PM +0200, Massimo Lusetti wrote:
> I just updated from CVS today and cannot do a make build anymore. I successfully installed and booted a GENERIC kernel.
>
> OpenBSD 3.9-current (GENERIC) #3: Wed Jul 5 09:38:20 CEST 2006
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 602 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
> real mem = 133722112 (130588K)
> avail mem = 115286016 (112584K)
>
> but cannot build userland:
>
> cc -o ntpd ntpd.o buffer.o log.o imsg.o ntp.o ntp_msg.o parse.o config.o server.o client.o sensors.o util.o
> ntpd.o(.text+0x9ec): In function `ntpd_adjfreq':
> : undefined reference to `adjfreq'
> ntpd.o(.text+0xa44): In function `ntpd_adjfreq':
> : undefined reference to `adjfreq'
> ntpd.o(.text+0xc32): In function `readfreq':
> : undefined reference to `adjfreq'
> collect2: ld returned 1 exit status
> *** Error code 1
>
> Stop in /usr/src/usr.sbin/ntpd (line 93 of /usr/share/mk/bsd.prog.mk).
> *** Error code 1
>
> Stop in /usr/src/usr.sbin.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src (line 73 of Makefile).
>
> Any help is really appreciated.
>
> Thanks.

Seems like your kernel is older than your userland; adjfreq is a rather recent addition. Are you *really* certain that your kernel, both the one in /usr/src/sys and the one you are currently running, is from the same snapshot as ntp (and, presumably, the rest of /usr/src)?

Joachim
Re: Preventing password reuse
On Wed, Jul 05, 2006 at 12:24:34PM +0200, Joachim Schipper wrote:
> Consider five lower-case words chosen from 1024 possibilities each, for instance - this has 50 bits of entropy, roughly equivalent to a 10-character password based on natural language [1]; a little fuzzing and use of capitals will make the passwords chosen much more powerful, but a 10-character password based on natural language really isn't that shabby for a lower bound on password complexity.

Diceware[1] is a list of 6^5 short, easy-to-remember words along with instructions on how to generate passwords with a few dice rolls. Five words from their list gives you a little over 64 bits of entropy.

[1] http://world.std.com/~reinhold/diceware.html
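The entropy arithmetic from both posts (Joachim's "five words from 1024 possibilities = 50 bits, about a 10-character natural-language password at 5 bits per character, plus 1 bit per letter for 50% capitalisation" and the Diceware reply's "five words from 6^5 = a little over 64 bits") carried through in code, together with a Diceware-style generator. This is an added example, not code from either poster or from the Diceware project; the 16-word SAMPLE_WORDS list is constructed for the demonstration and stands in for a real word list, and the function names are my own.

```python
"""Passphrase entropy and Diceware-style generation (added example)."""
import math
import secrets

# Constructed sample word list for the demo: 16 lowercase words, NOT the
# Diceware list. Real use would load all 7776 (6^5) Diceware words.
SAMPLE_WORDS = [
    "apple", "brick", "cloud", "delta", "eagle", "flint", "grape", "house",
    "igloo", "jelly", "kite", "lemon", "mango", "north", "olive", "piano",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll


def passphrase_entropy_bits(list_size, n_words, fuzz_bits=0):
    """Entropy of n_words drawn uniformly from list_size words, plus any
    extra bits from 'fuzzing' (e.g. 1 bit per letter for 50% capitalisation,
    as the post describes)."""
    if list_size < 2 or n_words < 1:
        raise ValueError("need at least two words in the list and one word drawn")
    return n_words * math.log2(list_size) + fuzz_bits


def equivalent_natural_language_chars(bits, bits_per_char=5):
    """Length of a natural-language password with the same entropy, using the
    post's generous estimate of 5 bits per character."""
    return bits / bits_per_char


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_index(rolls):
    """Map a five-digit dice string such as '16254' to an index 0..7775 by
    reading the rolls as a base-6 number (this is how Diceware tables are
    laid out: the first word is 11111, the last 66666)."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected exactly five digits in 1..6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice(n=5):
    """n dice rolls from the OS CSPRNG, as a digit string, standing in for
    physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def generate_passphrase(wordlist, n_words, capitalize=False):
    """Choose n_words uniformly from wordlist with a CSPRNG. With
    capitalize=True each letter is upper-cased with probability 1/2, which
    adds one bit of entropy per letter at the cost of memorability."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if capitalize:
        words = ["".join(ch.upper() if secrets.randbelow(2) else ch for ch in w)
                 for w in words]
    return " ".join(words)


if __name__ == "__main__":
    bits = passphrase_entropy_bits(1024, 5)
    chars = equivalent_natural_language_chars(bits)
    print(f"5 words from 1024: {bits:.1f} bits ~ {chars:.0f}-char natural-language password")
    print(f"5 Diceware words: {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 5):.2f} bits")
    print(f"words needed for 64 bits from 1024: {words_needed(1024, 64)}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
    print("with capital fuzzing:", generate_passphrase(SAMPLE_WORDS, 5, capitalize=True))
    rolls = roll_dice()
    print(f"dice {rolls} -> Diceware entry {diceware_index(rolls)}")
```

Run it with no arguments to see the two entropy figures from the thread side by side; `words_needed` shows why the smaller 1024-word list needs seven words to match five Diceware words, and `generate_passphrase(..., capitalize=True)` is the "sprinkle more randomness" trade-off from the first post made concrete.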
Re: Error building ntpd on -current
On Wed, 5 Jul 2006, Joachim Schipper wrote: Seems like your kernel is older than your userland; adjfreq is a rather recent addition. That is not the problem. The problem is that libc is too old. adjfreq() is a new syscall, and as such needs a stub, which is in libc. -Otto Are you *really* certain that your kernel, both the one in /usr/src/sys and the one you are currently running, is from the same snapshot as ntp (and, presumably, the rest of /usr/src)? Joachim
Re: Error building ntpd on -current
On Wed, 2006-07-05 at 16:41 +0200, Otto Moerbeek wrote: You probably did not do a make build, but took a shortcut. Not at all. I've followed precisely the procedure described here: http://www.openbsd.org/faq/faq5.html as I've always done before. I forgot to mention that the machine was a current from 10th June. Now I've upgraded that box to the latest snapshot and will do exactly the same procedure on the following box: OpenBSD 3.9-current (GENERIC) #0: Thu Jun 1 09:43:35 CEST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16 cpu0: unknown Enhanced SpeedStep CPU, msr 0x0f250f25 real mem = 1005088768 (981532K) avail mem = 909152256 (887844K) Just for the record, both machines (the one being reinstalled and the above one) were successfully updated from a snapshot of the 9th April. Thanks for your time. -- Massimo.run();
Virus Warning
** A virus was detected in the mail you sent. Date: 07/05/06 22:18:44 [EMAIL PROTECTED] [EMAIL PROTECTED] Virus name: W32/MyDoom-O Action: deleted ** The virus was detected from the received mail. DATE: 07/05/06 22:18:44 From: misc@openbsd.org To: [EMAIL PROTECTED] Virus: W32/MyDoom-O ** You may receive this mail as a result of sender-address spoofing; if it is unfamiliar to you, please delete it.
pan core dump question
Hello, (using latest current) I'm using pan 0.14.2 (nntp client). When I try to update the cache of my subscribed newsgroups the application crashes with the following message: GLib-ERROR **: gmem.c:135: failed to allocate 86749427 bytes aborting... Abort trap (core dumped) I'm not a programmer; has anyone any idea what could be the problem? How can I solve this? Many thx Didier
Re: Some though and more detail
Firstly, thanks for everyone's thoughts on this. As I say, I am in new waters with this, so getting my head around it all will take some reading and re-reading. For reference though, I intend to run a nano-itx system with a SATA drive. I have given serious consideration to your suggestion of a multidisk setup, but I would like the smallest unit possible. It also means that noise and power usage won't be an issue. I know they don't draw much, but I intend on living in a house that runs purely on solar panels in the near future. I also intend to run the OS off a Compact Flash card / Secure Digital card or something similar, with the / directory on a 500 / 750 HDD. Then I suppose that I set up my users from there, i.e. /home/user1 and /home/user2; then I suppose it's the job of the laptop OS to look at the file server for its files. Hmmm...there is still lots to think about, but I will keep this one brief for now and will reply again soon. The laptop itself (I am hoping) will run Gentoo linux. The computer will run a flavour of Windows (sorry, but it's not mine, I have to, lol). Thanks again, and take care. G_N -- View this message in context: http://www.nabble.com/File-Server-Advice-Required-tf1891201.html#a5183828 Sent from the openbsd user - misc forum at Nabble.com.
Re: Error building ntpd on -current
On Wed, 5 Jul 2006, Massimo Lusetti wrote: On Wed, 2006-07-05 at 16:41 +0200, Otto Moerbeek wrote: You probably did not do a make build, but took a shortcut. No at all. I've followed precisely the procedure described here: http://www.openbsd.org/faq/faq5.html as I've always done before, I forgot to mention that the machine was a current from 10th June. What is the version of your libc? Check ls -l /usr/lib/libc.so.*, newest version should be 39.2. $ nm /usr/lib/libc.so.39.2 | grep adjfreq 000411f0 T _thread_sys_adjfreq 000411f0 W adjfreq If the version is not 39.2, or the above command gives no matches, then you did not do a proper build. -Otto
Re: Reading a file that is been written make the system freeze?
Do you see anything unusual in the dmesg? -p.
Re: Reading a file that is been written make the system freeze?
Federico Giannici wrote: Pedro Martelletto wrote: On Thu, Jun 22, 2006 at 03:25:41PM +0200, Federico Giannici wrote: Yesterday another PC froze! It just crashed again! did it freeze or did it crash? I wrote it into the first email: it freezes with no error at all, no network, only frozen video. can you try breaking into ddb? After a few days of attempts, I was able to make it freeze again, as usual during a dump! Now I can say that I'm NOT able to break into ddb (neither change the tty). And it didn't respond to any network activity. The situation is becoming really embarrassing for me and I don't know what else to try. We have two servers that freeze. They have the same hardware (but I changed all the components of one of them). Both are OpenBSD 3.9 (one -stable and one -current). One is i386 and one amd64. One is MP and the other SM. One is a mail server and one is a web server. Both have quite a high CPU and disk activity. And both freeze! Thank you for any suggestion... Bye. -- Federico Giannici [EMAIL PROTECTED] http://www.neomedia.it
Re: Error building ntpd on -current
On Wed, 2006-07-05 at 17:38 +0200, Otto Moerbeek wrote: What is the version of your libc? Check ls -l /usr/lib/libc.so.*, newest version should be 39.2. $ nm /usr/lib/libc.so.39.2 | grep adjfreq 000411f0 T _thread_sys_adjfreq 000411f0 W adjfreq I'm building right now on the second box but it seems clear that that was the problem, just for the fact are you saying that On the box I'm building on right now I got this: libc.so.39.0 from 9th April and libc.so.39.1 from 1st June And if I understand correctly it's right to have that value before the build, I just have to have 39.2 after a successful build, right? If the version is not 39.2, or the above command gives no matches, then you did not do a proper build. What could have been the problem? -- Massimo.run();
Re: Error building ntpd on -current
On 2006/07/05 18:14, Massimo Lusetti wrote: And if i understand correctly it's right to have that value before the build, i just have to have 39.2 after a successful build, right? No, you get 39.2 from an up-to-date snapshot base39.tgz. sthen:2$ tar tzf ~ftp/pub/OpenBSD/snapshots/i386/base39.tgz ./usr/lib/libc.so* ./usr/lib/libc.so.39.2 Compare file timestamps between your mirror and ftp.openbsd.org; if the mirror you're using is out of date, try another.
Re: Reading a file that is been written make the system freeze?
Pedro Martelletto wrote: Do you see anything unusual in the dmesg? I cannot see anything strange. Anyway, here is the dmesg of the web server. The mail server has the same hardware, but started freezing since we installed an X2 CPU and upgraded to 3.9 (MP). I don't know if the freezes of both servers are correlated in some way. We have another couple of PCs with the same hardware that never freeze, but they have much lower CPU and disk usage. Which OS parameters do you suggest to increase in a busy server with a lot of concurrent processes? Thanks. OpenBSD 3.9-current (GENERIC) #591: Sat Jun 17 00:52:05 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC real mem = 2146758656 (2096444K) avail mem = 1835319296 (1792304K) using 22937 buffers containing 214884352 bytes (209848K) of memory mainbus0 (root) bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0530 (67 entries) bios0: ASUSTeK Computer Inc. A8V cpu0 at mainbus0: (uniprocessor) cpu0: AMD Athlon(tm) 64 Processor 3500+, 2203.26 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative pci0 at mainbus0 bus 0: configuration mode 1 pchb0 at pci0 dev 0 function 0 VIA K8HTB Host rev 0x00 pchb1 at pci0 dev 0 function 1 VIA K8HTB Host rev 0x00 pchb2 at pci0 dev 0 function 2 VIA K8HTB Host rev 0x00 pchb3 at pci0 dev 0 function 3 VIA K8HTB Host rev 0x00 pchb4 at pci0 dev 0 function 4 VIA K8HTB Host rev 0x00 pchb5 at pci0 dev 0 function 7 VIA K8HTB Host rev 0x00 ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) skc0 at pci0 dev 10 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Marvell Yukon Lite (0x9): irq 10 sk0 at skc0 port A, address 00:15:f2:ce:0a:ef eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5 gdt0 at pci0 dev 13 function 0 Intel GDT RAID rev 0x00: irq 5 dpmem eff0 2-bus 1 cache device gdt0: ver 222, cache on, strategy 2, writeback on, blksz 32 gdt0: raw feat 1 cache feat 101 scsibus0 at gdt0: 35 targets sd0 at scsibus0 targ 0 lun 0: ICP, Host drive #00, SCSI2 0/direct fixed sd0: 105661MB, 105661 cyl, 64 head, 32 sec, 512 bytes/sec, 216395550 sec total scsibus1 at gdt0: 16 targets scsibus2 at gdt0: 16 targets pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA pciide0: using irq 10 for native-PCI interrupt pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide1 channel 0 drive 0 scsibus3 at atapiscsi0: 2 targets cd0 at scsibus3 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8163B, 0L23 SCSI0 5/cdrom removable cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide1: channel 1 disabled (no drives) uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 11 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 11 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 10 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 10 usb3 at uhci3: USB revision 1.0 uhub3 at usb3 uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub3: 2 ports with 2 removable, self powered ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: irq 5 usb4 at ehci0: USB revision 2.0 uhub4 at usb4 uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1 uhub4: 8 ports with 8 removable, self powered viapm0 at pci0 dev 17 function 0 VIA VT8237 ISA rev 0x00 iic0 at viapm0 auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x60: irq 5 ac97: codec id 0x414c4790 (Avance Logic ALC850) audio0 at auvia0 pchb6 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00 pchb7 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00 pchb8 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00 pchb9 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lm0 at isa0 port
dovecot from ports or from source
Hi, the dovecot ports pkg is a bit 'old', but would it make sense to install this and then make a second installation from the current source? Does the port package come with any OBSD-specific conf files, or should I go directly with the source? Thanks George
Re: more: NAT through encryption interface
Matthew Closson wrote: In setting up about 30 IPSEC tunnels on an OpenBSD box in the past 6 months I had this issue come up with about 4 of the remote peers. Typically it is one of two problems. 1. They have made a policy level decision somewhere and say they will only route traffic to public IP's or they want to assign you a public IP from their IP space. Typically this is because they don't want to deal with the issue of multiple remote networks sharing the same private IP space. 2. Your IP space conflicts with another existing IP space they are routing to across another tunnel so they need you to NAT and make it look like you are coming from somewhere else. So here is what you can do: 1. Place another box in front of your box doing IPSEC and NAT the traffic before it gets there based on its destination. I got my setup working fine this way. Cheap boxes are easy to come by for simply doing NAT. I don't see how this would work. We can't NAT traffic after it's encapsulated -- so the NAT must be happening before IPsec encryption -- in other words, the extra NAT device goes between the internal network and the IPsec device. What if I have multiple VPNs in the same scenario? The only way I can see this working is if I run a bunch of overlapping subnets between the NAT and IPsec devices... that just sounds insane. I realise I'm probably missing or misunderstanding something here, but I could use the insight. Thanks, -Stephen-
Re: Some though and more detail
On Wed, Jul 05, 2006 at 08:26:45AM -0700, Ginja_Ninja wrote: Firstly thanks for everyone thought on this. As i say, i am in new waters with this, so getting my head around it all will take to reading and re-reading. For reference though, i intend to run a nano-itx system with a SATA drive. I have taken serious consideration to you suggestion of a multidisk setup, but i would like the smallest unit possible. It also means that noise and power usage wont be an issue. I know they dont draw much but i intend on living in a house that runs purely on solar panels in the near future. I also intend to run the OS off a Compact Flash Card / Secure Digital car or something similar, with the / directory on a 500 / 750 HDD. Why the CF? It's slow, and relatively expensive. It's good for embedded systems, but if you already have a huge disk, use that. Then i suppose that i setup up my users from there ie /home/user1 and /home/user2 then i suppose its the job of the laptop OS to look at the file server for its files. Hmmm...there is still lots to think about, but i will keep this one brief for now and will reply again soon. The laptop itself (i am hopeing) will run Gentoo linux. The computer will run a flavour of Windows (sorry but its not mine, i have to, lol) Also consider a backup strategy somewhere. I use tape, which works well, but tape drives are expensive. Using multiple disks also works, to some extent, but you didn't want to do that. Joachim
More Upgrading questions
Hi guys, Any issue with adding X to an upgrade when the original version on the system did not have it? (I listened to way too much bad advice setting this system up with my co-worker, now I have to fix it) --Rob - Eirik Goransson / Rob Baldassano Member, Barony of Endless Hills; House Odlahorde; Viking All around Good Egg ; VROC #5029 (Tigger) come visit http://www.dracowolf.com Want to be your own boss? Learn how on Yahoo! Small Business.
tcpdump on enc0
Does tcpdump work on enc0? -Stephen-
Re: More Upgrading questions
From: [EMAIL PROTECTED] ANy issue with adding X to an upgrade when the original version on the system did not have it? (I listened to way too much bad advice setting this system up with my co-worker, now I have to fix it) No. The only thing it does is unpack a distribution set (a bunch of files) onto the filesystem. Make sure you set the sysctl machdep.allowaperture=1 if you will be running X. DS
Intel PRO/1000 PT
Hi, Is the Intel PRO/1000 PT still non-functional under our favorite OS? I searched around and found a message from Darrian Hale in late April that said he was having kernel panics with this NIC. Has anything changed? I have some Sun X2100s that I want to use as routers and the only missing bit is a good 2-port gigabit NIC that fits in the X2100's single PCI Express (8x) slot. thanks, Chris
Re: Some though and more detail
Joachim Schipper wrote: Why the CF? It's slow, and relatively expensive. It's good for embedded systems, but if you already have a huge disk, use that. I can see your point. It's only a thought at the moment, but the reason I am looking in this direction is: if the OS is separated from the files and I decide to upgrade the storage HDD, I don't have to format and reinstall/set up the OS and the relevant applications. CF is slow, I agree with you, but how much crunching will the OS do? I suppose I won't be able to have a swap file on the CF as it will destroy it quickly. Will have to pack it full of RAM. Thoughts welcome. Regards G_N -- View this message in context: http://www.nabble.com/File-Server-Advice-Required-tf1891201.html#a5186050 Sent from the openbsd user - misc forum at Nabble.com.
Re: tcpdump on enc0
tcpdump -entttv -i enc0 Stephen Bosch wrote: Does tcpdump work on enc0? -Stephen-
Re: tcpdump on enc0
On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: Does tcpdump work on enc0? -Stephen- $ man enc The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been similarly processed, via tcpdump(8). -- Marcus Glocker, [EMAIL PROTECTED], http://www.nazgul.ch -
Re: tcpdump on enc0
Marcus Glocker wrote: On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: Does tcpdump work on enc0? -Stephen- $ man enc The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been similarly processed, via tcpdump(8). I am not seeing any traffic on enc0 when using tcpdump, that is why I asked. Thanks, -Stephen-
Re: tcpdump on enc0
On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? -Otto
Re: tcpdump on enc0
Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? Please don't get me started. I have been working on this problem with precious little assistance from folks like you for over a week now, and I've read enough man pages to bind two volumes. So the answer to your question, Otto, is No. -Stephen-
Re: Intel PRO/1000 PT
Christopher Snell wrote: Hi, Is the Intel PRO/1000 PT still non-functional under our favorite OS? I searched around and found a message from Darrian Hale in late April that said he was having kernel panics with this NIC. Has anything changed? # dmesg OpenBSD 3.9 (GENERIC.MP) #736: Thu Mar 2 04:02:03 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP snip pci7 at ppb6 bus 7 em0 at pci7 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic 5 int 14 (irq 10), address 00:15:17:0b:75:54 em1 at pci7 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic 5 int 14 (irq 10), address 00:15:17:0b:75:55 snip
Re: More Upgrading questions
On Wed, 5 Jul 2006 08:46:52 -0700 (PDT) Rob Baldassano [EMAIL PROTECTED] wrote: Hi guys, Any issue with adding X to an upgrade when the original version on the system did not have it? (I listened to way too much bad advice setting this system up with my co-worker, now I have to fix it) --Rob have you read http://www.openbsd.org/faq/faq4.html#AddFileSet ?
Re: tcpdump on enc0
Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? And for the record -- since some people found that question beyond the pale -- I have been tcpdumping enc0 all morning and I am seeing no traffic, in spite of the fact that I have active SAs up and running. And why? Because the man page doesn't mention that tcpdump ignores the host parameter when used with enc0 (this is something someone else was kind enough to point out, proving that the question wasn't pointless). So -- let's try this -- let's fix the man page, instead of being snarky and blaming the person asking the question. Thank you for your help. -Stephen-
Re: More Upgrading questions
On Wed, Jul 05, 2006 at 10:15:53AM -0700, Spruell, Darren-Perot wrote: From: [EMAIL PROTECTED] ANy issue with adding X to an upgrade when the original version on the system did not have it? (I listened to way too much bad advice setting this system up with my co-worker, now I have to fix it) No. The only thing it does is unpack a distribution set (a bunch of files) onto the filesystem. Make sure you set the sysctl machdep.allowaperture=1 if you will be running X. This question is answered in http://openbsd.rt.fm/faq/faq4.html#AddFileSet In addition, you might need machdep.allowaperture=2, per /etc/X11R6/README.
Re: Error building ntpd on -current
On Wed, 5 Jul 2006, Massimo Lusetti wrote: On Wed, 2006-07-05 at 17:38 +0200, Otto Moerbeek wrote: What is the version of your libc? Check ls -l /usr/lib/libc.so.*, newest version should be 39.2. $ nm /usr/lib/libc.so.39.2 | grep adjfreq 000411f0 T _thread_sys_adjfreq 000411f0 W adjfreq I'm building right now on the second box but it seems clear that that was the problem, just for the fact are you saying that On the box I'm building on right now I got this: libc.so.39.0 from 9th April and libc.so.39.1 from 1st June And if I understand correctly it's right to have that value before the build, I just have to have 39.2 after a successful build, right? If the version is not 39.2, or the above command gives no matches, then you did not do a proper build. What could have been the problem? Hard to tell, your cvs mirror could be out of sync, you could have made a mistake. There's a reason we tell people to upgrade using snapshots: it's by far the most simple method, and as such less error-prone. -Otto
Re: tcpdump on enc0
On Jul 5, 2006, at 1:31 PM, Stephen Bosch wrote: Marcus Glocker wrote: On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: Does tcpdump work on enc0? -Stephen- $ man enc The enc interface allows an administrator to see outgoing packets before they have been processed by ipsec(4), or incoming packets after they have been similarly processed, via tcpdump(8). I am not seeing any traffic on enc0 when using tcpdump, that is why I asked. Don't use any tcpdump filters, they don't work with enc0. A simple tcpdump -ni enc0 should be sufficient to see any packets crossing your tunnel. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: tcpdump on enc0
On Wed, Jul 05, 2006 at 11:10:43AM -0600, Stephen Bosch wrote: Does tcpdump work on enc0? -Stephen- yes: [EMAIL PROTECTED]:1$ sudo tcpdump -n -i enc0 Password: tcpdump: WARNING: enc0: no IPv4 address assigned tcpdump: listening on enc0, link-type ENC 19:32:49.036465 (authentic,confidential): SPI 0x7483bd72: 192.168.3.14.738 192.168.3.28.2049: xid 0x93071cba 112 getattr [|nfs] 19:32:49.037284 (authentic,confidential): SPI 0x97ed55a0: 192.168.3.28.2049 192.168.3.14.738: xid 0x93071cba reply ok 96 getattr DIR 40755 ids 0/0 sz 512 19:32:49.086492 (authentic,confidential): SPI 0x3beb96bd: 192.168.3.14.671 192.168.3.27.2049: xid 0x93071ecc 112 getattr [|nfs] 19:32:49.087405 (authentic,confidential): SPI 0x358880c8: 192.168.3.27.2049 192.168.3.14.671: xid 0x93071ecc reply ok 96 getattr DIR 40755 ids 0/0 sz 512 19:32:54.199148 (authentic,confidential): SPI 0x3beb96bd: 192.168.3.14.788 192.168.3.27.2049: xid 0x7200 40 null 19:32:54.199847 (authentic,confidential): SPI 0x358880c8: 192.168.3.27.2049 192.168.3.14.788: xid 0x7200 reply ok 24 null ^C 6 packets received by filter 0 packets dropped by kernel [EMAIL PROTECTED]:2$
Re: tcpdump on enc0
On Wed, Jul 05, 2006 at 11:30:54AM -0600, Stephen Bosch wrote: I am not seeing any traffic on enc0 when using tcpdump, that is why I asked. Are you sure IPsec is being used? Can you see IPsec-processed traffic on the physical interface?
Re: tcpdump on enc0
On Wed, 5 Jul 2006, Stephen Bosch wrote: Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? And for the record -- since some people found that question beyond the pale -- I have been tcpdumping enc0 all morning and I am seeing no traffic, in spite of the fact that I have active SAs up and running. And why? Because the man page doesn't mention that tcpdump ignores the host parameter when used with enc0 (this is something someone else was kind enough to point out, proving that the question wasn't pointless). So -- let's try this -- let's fix the man page, instead of being snarky and blaming the person asking the question. Thank you for your help. I think that is very clear, after all the src and dst addresses are part of the ipsec encapsulated header, and not of a regular IP header. The host specifier of tcpdump only applies to IP headers. -Otto
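The frame layout the replies above keep circling around, as an added example in Python (not code from the thread and not OpenBSD's tcpdump): on enc0 the inner IP header does not start at offset 0 of the captured frame but behind a 12-byte enc pseudo-header carrying the address family, the SPI and the protection flags, which is what tcpdump turns into the "(authentic,confidential): SPI 0x...:" prefix shown earlier in the thread. The header layout follows OpenBSD's struct enchdr and the M_CONF/M_AUTH bit values are the ones tcpdump's print-enc.c tests; the capture host is assumed to be little-endian, and the frames fed in are constructed, not a real capture.

```python
"""Decode a frame as captured on OpenBSD's enc(4) interface (DLT_ENC).

Added example; not code from the thread or from OpenBSD's tcpdump. The
12-byte pseudo-header is af, spi, flags (32 bits each) as in struct enchdr.
af and flags are in the capture host's byte order (assumed little-endian
here); spi is in network byte order. M_CONF/M_AUTH are the flag values
tcpdump's print-enc.c checks.
"""
import ipaddress
import struct

ENC_HDRLEN = 12
M_CONF = 0x0400      # payload was encrypted
M_AUTH = 0x0800      # payload was authenticated
AF_INET = 2          # BSD address family number for IPv4
HOST_ORDER = "<"     # assumption: capture host is little-endian (i386/amd64)


def parse_enc_header(frame: bytes, host_order: str = HOST_ORDER) -> dict:
    """Split off the enc pseudo-header and decode its protection flags."""
    if len(frame) < ENC_HDRLEN:
        raise ValueError("frame shorter than the enc header")
    (af,) = struct.unpack(host_order + "I", frame[0:4])
    (spi,) = struct.unpack("!I", frame[4:8])            # network byte order
    (flags,) = struct.unpack(host_order + "I", frame[8:12])
    protection = []
    if flags & M_AUTH:
        protection.append("authentic")
    if flags & M_CONF:
        protection.append("confidential")
    return {"af": af, "spi": spi, "flags": flags,
            "protection": protection or ["unprotected"]}


def looks_like_ipv4_at(frame: bytes, offset: int) -> bool:
    """True if an IPv4 header (version nibble 4, IHL >= 5) starts at offset."""
    if len(frame) < offset + 20:
        return False
    vhl = frame[offset]
    return vhl >> 4 == 4 and (vhl & 0x0F) >= 5


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options are ignored)."""
    if not looks_like_ipv4_at(pkt, 0):
        raise ValueError("not an IPv4 header")
    (vhl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ihl": (vhl & 0x0F) * 4}


def decode_enc_frame(frame: bytes, host_order: str = HOST_ORDER) -> dict:
    """enc pseudo-header followed by the inner (already decrypted) IP packet."""
    hdr = parse_enc_header(frame, host_order)
    if hdr["af"] != AF_INET:
        raise ValueError("this example handles AF_INET only")
    return {**hdr, **parse_ipv4(frame[ENC_HDRLEN:])}


def summarize(frame: bytes, host_order: str = HOST_ORDER) -> str:
    """One-line summary in the spirit of tcpdump's enc0 output."""
    d = decode_enc_frame(frame, host_order)
    return "(%s): SPI 0x%08x: %s > %s proto %d" % (
        ",".join(d["protection"]), d["spi"], d["src"], d["dst"], d["proto"])


def build_sample_frame(spi: int, flags: int, src: str, dst: str,
                       proto: int = 17, payload: bytes = b"") -> bytes:
    """Constructed DLT_ENC frame for offline testing (not a real capture)."""
    enc = (struct.pack(HOST_ORDER + "I", AF_INET)
           + struct.pack("!I", spi)
           + struct.pack(HOST_ORDER + "I", flags))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return enc + ip + payload


if __name__ == "__main__":
    frame = build_sample_frame(0x7483bd72, M_AUTH | M_CONF,
                               "192.168.3.14", "192.168.3.28")
    print(summarize(frame))
    # A parser written for plain IP looks at offset 0 and finds no IP header:
    print("IPv4 at offset 0:", looks_like_ipv4_at(frame, 0),
          "| at offset %d:" % ENC_HDRLEN, looks_like_ipv4_at(frame, ENC_HDRLEN))
```

Anything that inspects enc0 frames by hand, a custom BPF program or a script reading a pcap written with -w included, has to skip ENC_HDRLEN bytes before it can match on addresses; the SPI and flag words are what tell you which SA a packet belonged to and whether it was authenticated, encrypted, or both.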
Re: More Upgrading questions
On Wed, Jul 05, 2006 at 01:36:40PM -0400, I wrote: In addition, you might need machdep.allowaperture=2, per /etc/X11R6/README. A fairly obvious typo. It should be per /usr/X11R6/README.
Re: 3.9 + ath....panic fixed in -current and can it run G band yet as well ?
Allie Daneman [EMAIL PROTECTED] wrote: is why I bought this card ;) Should I shutup and upgrade to -current and/or will G band be supported (maybe 4.0) ? ath0 at pci0 dev 15 function 0 Atheros AR5212 rev 0x01: irq 11 ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:37:29:87 Your dmesg shows a 5213 chip. Actually someone recently imported some HAL fixes from the linux atheros free-hal things, which were in turn based on the original openbsd free hal. Maybe this fixes your 5213 problems; try a current snapshot. If not, then there is more reverse engineering to be done, but it's very slow and painstaking work.
Re: tcpdump on enc0
Matthew R. Dempsky wrote: On Wed, Jul 05, 2006 at 11:30:54AM -0600, Stephen Bosch wrote: I am not seeing any traffic on enc0 when using tcpdump, that is why I asked. Are you sure IPsec is being used? Can you see IPsec-processed traffic on the physical interface? Aye, I have other tunnels up that are working. This is part of my effort to get this NAT through IPsec working. The traffic is not going where I expect it to. I'm looking for a place to listen that will give me some insight into the problem. Thanks, -Stephen-
Re: X not found
so how do you install that, I was thinking it would just be # pkg_add /home/music/xbase39.tgz Can't resolve /home/music/xbase39.tgz but that didn't work, how do you install that package? On 7/5/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Wed, Jul 05, 2006 at 12:03:35AM -0700, Lawrence Horvath wrote: thats what i was asking, can i just install a small set of libs or do i need to entirely install X xbase will do for (almost?) all ports. Joachim -- -Lawrence
Re: tcpdump on enc0
Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Otto Moerbeek wrote: On Wed, 5 Jul 2006, Stephen Bosch wrote: Does tcpdump work on enc0? Are you really too lazy to read a manual page? And for the record -- since some people found that question beyond the pale -- I have been tcpdumping enc0 all morning and I am seeing no traffic, in spite of the fact that I have active SAs up and running. And why? Because the man page doesn't mention that tcpdump ignores the host parameter when used with enc0 (this is something someone else was kind enough to point out, proving that the question wasn't pointless). So -- let's try this -- let's fix the man page, instead of being snarky and blaming the person asking the question. Thank you for your help. I think that is very clear, after all the src and dst addresses are part of the ipsec encapsulated header, and not of a regular IP header. The host specifier of tcpdump only applies to IP headers. -Otto Perhaps the lesson learned is: Include the command you are typing with any help request.
Re: tcpdump on enc0
On Wed, Jul 05, 2006 at 12:09:49PM -0600, Stephen Bosch wrote: | Otto Moerbeek wrote: | On Wed, 5 Jul 2006, Stephen Bosch wrote: | | Does tcpdump work on enc0? | | Are you really too lazy to read a manual page? | | And for the record -- since some people found that question beyond the | pale -- I have been tcpdumping enc0 all morning and I am seeing no | traffic, inspite of the fact that I have active SAs up and running. | | And why? | | Because the man page doesn't mention that tcpdump ignores the host | parameter when used with enc0 (this is something someone else was kind | enough to point out, proving that the question wasn't pointless). | | So -- let's try this -- let's fix the man page, instead of being snarky | and blaming the person asking the question. Let's try asking more informed questions then. You asked 'Does tcpdump work on enc0?'. The answer to this question is literally in the manpage. Had you given some context, you might have gotten more in depth responses. Here's an example : Hey everybody, I see in the manpage for enc that tcpdump should work on these pseudo-devices. I'm trying right now with tcpdump enc0 host 1.2.3.4 but I don't see any traffic. I do have active SAs up and running, so what is going on ? Of course I googled it, but I came up empty handed... Any response would be appreciated. Thanks, Stephen Bosch Had you given all the info you're giving us now beforehand in your single lined posting to this mailing list, I bet you would have gotten more useful answers. The only one who seems snarky is you, IMO. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/ [demime 1.01d removed an attachment of type application/pgp-signature]
Re: tcpdump on enc0
On 7/5/06, Stephen Bosch [EMAIL PROTECTED] wrote: Does tcpdump work on enc0? Did you ifconfig enc0 up -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: X not found
On Wed, 2006-07-05 at 11:42:22 -0700, Lawrence Horvath wrote... so how do you install that, i was thinking it would just be # pkg_add /home/music/xbase39.tgz Can't resolve /home/music/xbase39.tgz Get the tarballs from a mirror, then... $ su - root # cd / # tar zxpvf /path/to/xbase39.tgz
Re: 3.9 + ath....panic fixed in -current and can it run G band yet as well ?
On 7/4/06, Allie Daneman [EMAIL PROTECTED] wrote: I've been having the panic problem reported by others on stable and saw a post by Reyk that it's fixed in -current. That's awesome, thanks for the fix...but I also wanted to ask if there's work towards getting G band working in the ath driver, specifically the AR5212 chip. I'm running a Soekris 4521 w/miniPCI and would LOVE to run G band...which is why I bought this card ;) Should I shutup and upgrade to -current and/or will G band be supported (maybe 4.0) ? dmesg ath0 at pci0 dev 15 function 0 Atheros AR5212 rev 0x01: irq 11 ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:37:29:87 CVS commit by reyk File: [OpenBSD] / src / sys / dev / ic / ath.c (download) Revision 1.52, Fri Jun 23 21:53:01 2006 UTC (10 days, 19 hours ago) by reyk Branch: MAIN CVS Tags: HEAD Changes since 1.51: +4 -2 lines set the RSSI Max value in ath(4) and use the new RSSI radiotap header instead of the old db signal header. also allow tcpdump and hostapd to print the new RSSI radiotap header values current/max rssi. ok damien@ jsg@ I'm no longer seeing panics with my AR5211 (as listed in PR 5054) but I still can't connect via 802.11a or 802.11b. This is with the Netgear WAB501, I'm still getting the cardbus errors like these: cbb0: bad Vcc request. sock_ctrl 0x30, sock_status 0x3b20 ath0 at cardbus0 dev 0 function 0 NETGEAR WAB501 802.11a/b Wireless Adapter, 00 , \M^?: irq 11 ath0: AR5211 4.2 phy 3.0 rf5111 1.7 rf2111 2.3, FCC1A, address 00:09:5b:40:7d:3c cbb0: bad Vcc request. sock_ctrl 0x0, sock_status 0x3b69 Greg
Re: X not found
Hey Lawrence, # pkg_add /home/music/xbase39.tgz Can't resolve /home/music/xbase39.tgz but that didn't work, how do you install that package? cd / tar zxpf /home/music/xbase39.tgz Read http://www.openbsd.org/faq/upgrade39.html. HTH... Nico
Re: X not found
Lawrence Horvath wrote: so how do you install that, i was thinking it would just be # pkg_add /home/music/xbase39.tgz Can't resolve /home/music/xbase39.tgz gunzip, tar. -- Adam PAPAI D i g i t a l Influence http://www.digitalinfluence.hu E-mail: [EMAIL PROTECTED] Phone: +36 30 33-55-735 (Hungary) Phone: +49 176-67264167 (Germany)
Re: X not found
The file sets that are used to install OpenBSD are not packages even though they end in the tgz extension. Thus, pkg_add doesn't know what to do with it. Try a command like this instead:

# cd /
# tar -xvpzf /home/music/xbase39.tgz

The -v is optional, but make sure you include -p to preserve permissions. The tar command should be run from the root directory (unless you also use the -C switch). On Wednesday 05 July 2006 13:42, you wrote: so how do you install that, i was thinking it would just be # pkg_add /home/music/xbase39.tgz Can't resolve /home/music/xbase39.tgz but that didnt work, how do you install that package? On 7/5/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Wed, Jul 05, 2006 at 12:03:35AM -0700, Lawrence Horvath wrote: thats what i was asking, can i just install a small set of libs or do i need to entirely install X xbase will do for (almost?) all ports. Joachim -- Dan Ramaley, Dial Center 118, Drake University, Network Programmer/Analyst, 2407 Carpenter Ave, +1 515 271-4540, Des Moines IA 50311 USA
NAT before IPsec: final conclusions? what I want to do can't be done without more equipment
Hi, everybody: First -- thanks to everyone who tried to help me out on this one. It is most appreciated. I apologise if my questions or responses rubbed anyone the wrong way. It wasn't intended. I want to recap the situation because I think that, indeed, what I want to do can't be done. I have a security association between a carp alias address (call it $alias) and a private IP address (call it $remote_private_IP) at the remote end. It is in tunnel mode. The ipsec man page says:

NAT can also be applied to enc# interfaces, but special care should be taken because of the interactions between NAT and the IPsec flow matching, especially on the packet output path. Inside the TCP/IP stack, packets go through the following stages:

UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
UL/R <- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF

With IF being the real interface and UL/R the Upper Layer or Routing code. The [X] stage on the output path represents the point where the packet is matched against the IPsec flow database (SPD) to determine if and how the packet has to be IPsec-processed. If, at this point, it is determined that the packet should be IPsec-processed, it is processed by the PF/NAT code. Unless PF drops the packet, it will then be IPsec-processed, even if the packet has been modified by NAT.

This would explain why, when I ping -I from the carp alias on the IPsec gateway itself to the remote private IP, I get replies. If I add a binat rule in pf.conf:

binat pass log on $enc_if from $internal_host to any -> $alias

Then the ping -I stops working on the IPsec gateway. This is true even if I add a static route, like so:

route add $remote_private_IP $alias

Going by the contents of man 4 ipsec, this just isn't going to work. The IPsec flow matching is happening before NAT, so it has to come from $alias before it even gets processed by pf.
This means that it will be necessary to do the required NAT on other hardware -- this is probably advisable in the long run, anyway, as I anticipate more such requests in the future. Thanks, -Stephen-
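The stage ordering quoted from ipsec(4) above can be modelled directly. The following is an added illustration, not code from the thread or from OpenBSD: it walks constructed packets through the output path (UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF) and the input path, with $alias, $internal_host and $remote_private_IP replaced by made-up addresses and the binat rule from the post; the inbound reverse translation is this model's assumption about why the gateway's own ping broke, not something the post states.

```python
# Added illustration, not from the original thread: a toy model of the
# ipsec(4) output and input paths quoted above. It shows why a binat rule on
# enc0 cannot make $internal_host's packets match a flow whose source is
# $alias, because the SPD match at [X] happens before PF/NAT(enc0) runs.
# Addresses and the SPD entry are constructed for this example.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ALIAS = "192.0.2.10"           # $alias: carp alias on the IPsec gateway (constructed)
INTERNAL_HOST = "10.0.0.5"     # $internal_host behind the gateway (constructed)
REMOTE_PRIVATE = "172.16.0.7"  # $remote_private_IP at the far end (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Flow database (SPD): one tunnel-mode flow, $alias -> $remote_private_IP.
SPD = [(ip_network(ALIAS + "/32"), ip_network(REMOTE_PRIVATE + "/32"))]

# "binat pass on $enc_if from $internal_host to any -> $alias":
# outbound rewrites src; binat is bidirectional, so inbound rewrites dst back.
BINAT_OUT = {INTERNAL_HOST: ALIAS}
BINAT_IN = {ALIAS: INTERNAL_HOST}


def spd_match(pkt):
    """Stage [X]: match against the flow database, before PF/NAT(enc0)."""
    return any(ip_address(pkt.src) in s and ip_address(pkt.dst) in d
               for s, d in SPD)


def output_path(pkt):
    """UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF.

    Returns (source address on the wire, whether IPsec processing happened).
    """
    if not spd_match(pkt):
        # No flow matched at [X]: enc0 is never visited, the packet is
        # routed out IF in the clear with its original source.
        return pkt.src, False
    pkt = replace(pkt, src=BINAT_OUT.get(pkt.src, pkt.src))  # PF/NAT(enc0)
    # Unless PF drops it, it is IPsec-processed even if NAT modified it.
    return pkt.src, True


def input_path(pkt):
    """IF -> PF/NAT(IF) -> IPsec -> PF/NAT(enc0) -> UL/R.

    Returns the local address a decrypted reply is delivered to. The model's
    assumption (not stated in the thread): binat's reverse translation on
    enc0 redirects replies for $alias to $internal_host, so the gateway's
    own ping -I $alias no longer sees them.
    """
    return replace(pkt, dst=BINAT_IN.get(pkt.dst, pkt.dst)).dst


def demo():
    """Outcomes for the cases discussed in the thread."""
    return {
        "ping -I $alias, outbound": output_path(Packet(ALIAS, REMOTE_PRIVATE)),
        "reply to $alias with binat": input_path(Packet(REMOTE_PRIVATE, ALIAS)),
        "from $internal_host, outbound": output_path(Packet(INTERNAL_HOST, REMOTE_PRIVATE)),
    }
```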
Re: X not found
From: [EMAIL PROTECTED] so how do you install that, i was thinking it would just be # pkg_add /home/music/xbase39.tgz Can't resolve /home/music/xbase39.tgz but that didnt work, how do you install that package? You start with the FAQ: http://www.openbsd.org/faq/faq4.html#AddFileSet DS On 7/5/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Wed, Jul 05, 2006 at 12:03:35AM -0700, Lawrence Horvath wrote: thats what i was asking, can i just install a small set of libs or do i need to entirely install X xbase will do for (almost?) all ports.
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
On Tuesday 04 July 2006 11:13, Hannah Schroeter wrote: It *is*. I've done so since a nearly uncountable number of years. Something like this in /etc/fstab helps.

/dev/wd0b /tmp mfs rw,-m0,-s204800 0 0

In the past i've always symlinked /tmp to point to /var/tmp. This has never caused any noticeable problems, but i realize that it isn't the proper way to do things and carries some risk. I have not seen documented how mfs allocates memory, so i just did a quick test. On a machine with 205 MB of RAM free i mounted a 128 MB mfs. Free RAM dropped to 199 MB; only 6 MB used! So OpenBSD must only allocate RAM for sectors that have actually been written to. Since the system is not using any more RAM than it has to, i think i'll switch to using mfs for /tmp as well. -- Dan Ramaley, Dial Center 118, Drake University, Network Programmer/Analyst, 2407 Carpenter Ave, +1 515 271-4540, Des Moines IA 50311 USA
About soft updates
Hi, I've been trying to find out whether to enable soft updates or not, and I have not really seen any reason not to, other than that it is not enabled by default. In order not to spread (or consume) FUD, I would like to know if soft updates are considered reliable and in which situations, if any, soft updates are specifically recommended or not recommended. Thanks, Alexander
Re: ichiic0: errors on MP (Sorry about the no subject post!)
Has anyone seen this? No matter what I do I can't stop this from happening. I am at the point of being forced to use another OS that I DON'T want to use. Any help would be very much appreciated. As a workaround you could disable ichiic in the kernel config. Use man config for hints on how to accomplish this. Presuming you want to have this fixed properly, can you try compiling a GENERIC.MP kernel with option MPVERBOSE in the kernel configuration file and post the full dmesg? Mark
Re: About soft updates
On Wed, Jul 05, 2006 at 11:19:04PM +0200, Alexander Hall wrote: Hi, I've been trying to find out whether to enable soft updates or not, and I have not really seen any reason not to, other than that it is not enabled by default. In order not to spread (or consume) FUD, I would like to know if soft updates are considered reliable and in which situations, if any, soft updates are specifically recommended or not recommended. Was the answer in FAQ 14.5 insufficient? :)
Synaptic touchpad woes:
I am using OpenBSD 3.9 using a Compaq M2105US Laptop with no problems and xorgcfg created a config that supports my touch pad but there is an annoying tap to click issue that I would like to turn off. Thank you for your time.
Re: dovecot from ports or from source
On Wed, Jul 05, 2006 at 06:37:56PM +0200, FTP wrote: Hi, the dovecot ports pkg is a bit 'old' but would it make sense to install this and then make a second installation from the current source? Does the port package come with any specific to OBSD conf files or should I go directly with the source? If you want a more recent version than is found in -stable, try the one from -current (though you get to keep the pieces if it breaks, as usual). If you want an even newer version, yes, you'll have to compile it yourself. Take a good look at the port; usually, using a newer version is fairly easy. Joachim
Re: About soft updates
On 2006/07/05 23:19, Alexander Hall wrote: I have not really seen any reason not to, other than that it is not enabled by default. Here's one reason you might sometimes not want it: space of deleted files isn't recovered until the delayed updates have been written out. This is particularly apparent if you want to upgrade to 3.9 on a system where /usr is barely large enough (-:
Re: Some though and more detail
On Wed, Jul 05, 2006 at 10:23:57AM -0700, Ginja_Ninja wrote: Joachim Schipper wrote: Why the CF? It's slow, and relatively expensive. It's good for embedded systems, but if you already have a huge disk, use that. h I can see your point. It's only a thought at the moment but the reason i am looking in this direction is: If the OS is separated from the files and i decide to upgrade the storage HDD, i don't have to format and reinstall/setup the OS and the relevant applications. CF is slow, i agree with you, but how much crunching will the OS do ? I suppose i won't be able to have a swap file on the CF as it will destroy it quickly. Will have to pack it full of RAM. If you want to put a different HD in, you'll have to copy the data anyway; copying the OS as well is not exactly difficult (the only thing you could reasonably do wrong is forget to re-run installboot(8)). (Note: *NIX is not Windows, just tarring and untarring results in a system that still works fine, if a bootloader is added. This is as true for OpenBSD as it is for, say, Linux - barring a kernel optimized for your specific hardware, of course, which is not recommended for OpenBSD and not usual in the Linux world.) The OS shouldn't use the disk much, but adding CF will make your server more complex, more expensive, and slower. I really don't see the point. RAM is in general a very good idea for a server; this is less true for a fileserver, though - good disks matter. If you have the money, consider a good disk and a good controller. Or, if possible, a RAID array (which is fast, not too expensive if you actually use the I, and more reliable than any single disk). Joachim
Issues with OpenOSPFD in 3.9?
Hi, I'm about to deploy OpenOSPFD in a live environment and my question goes out to those who have used (or are using) OpenOSPFD that shipped with 3.9. It has been running in a lab environment for quite some time with only minor issues. Are there any known issues regarding the version of OpenOSPFD that is included in 3.9? What problems have you seen or experienced? If you for some reason want to reply off list that's ok too. Regards Andreas
Re: About soft updates
Josh Grosse wrote: On Wed, Jul 05, 2006 at 11:19:04PM +0200, Alexander Hall wrote: Hi, I've been trying to find out whether to enable soft updates or not, and I have not really seen any reason not to, other than that it is not enabled by default. In order not to spread (or consume) FUD, I would like to know if soft updates are considered reliable and in which situations, if any, soft updates are specifically recommended or not recommended. Was the answer in FAQ 14.5 insufficient? :) ! Thus, a large performance increase is seen in disk writing performance. - So would mounting async, but I would not use that for any important data. ! Note to sparc users: Do not enable soft updates on sun4 or sun4c machines. /.../ - I'm on i386. Yes, FAQ 14.5 was insufficient.
Re: About soft updates
Stuart Henderson wrote: On 2006/07/05 23:19, Alexander Hall wrote: I have not really seen any reason not to, other than that it is not enabled by default. Here's one reason you might sometimes not want it: space of deleted files isn't recovered until the delayed updates have been written out. This is particularly apparent if you want to upgrade to 3.9 on a system where /usr is barely large enough (-: Been there too. 256MB CF card on soekris 4801. Much trouble also came from upgrading a running system, though, which made the old libs and other binaries, albeit unlinked, occupy a lot of precious disk space. So - unpacking failed, but only after fsck'ing up the login libs. Thank g*d I kept that serial cable and bsd.rd handy. :)
happy upgrade camper
After the heat I took trying to upgrade from 3.7 to 3.8 via source recompile, I took the advice to heart to simply untar some binaries right over the top of my running system, which seemed a lot more scary to me. However, I'm happy to report that my system is now running 3.9 with little if any problems. CGI.pm got downgraded, so my webserver died until I figured that out, but everything else was minor. Thanks y'all for making it just work! -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 merlyn@stonehenge.com URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: Some though and more detail
On 2006/07/06 00:13, Joachim Schipper wrote: The OS shouldn't use the disk much, but adding CF will make your server more complex, more expensive, and slower. I really don't see the point. OTOH, if files on the HD are only accessed infrequently and the disk is spun down the rest of the time, this could reduce power use, heat and noise, and isn't any more complicated than, say, having two hard drives. We are now in the days of being able to make a complete OS install onto a flashcard which costs less than the cheapest hard drive. Or, if possible, a RAID array (which is fast, not too expensive if you actually use the I, and more reliable than any single disk). more reliable than any single disk - not always.
Mikrotik's routerboard 44
Hi I'm in the process of building firewall (Obviously it will run OpenBSD) and I need to put in a quad NIC card. There's Intel Quad card that I had a success with in the past but is expensive as hell. I found a company called Mikrotik that makes a Quad NIC card and I'm looking for success/failure stories of running it in an OpenBSD box ...
Re: happy upgrade camper
Consider using this script the next time: http://www.xs4all.nl/~hanb/software/OpenBSD-binary-upgrade/ # Han
Re: 3.9 + ath....panic fixed in -current and can it run G band yet as well ?
Chris Cappuccio([EMAIL PROTECTED])@Wed, Jul 05, 2006 at 12:03:35PM -0700: Allie Daneman [EMAIL PROTECTED] wrote: is why I bought this card ;) Should I shut up and upgrade to -current and/or will G band be supported (maybe 4.0) ? ath0 at pci0 dev 15 function 0 Atheros AR5212 rev 0x01: irq 11 ath0: AR5213 5.9 phy 4.3 rf5112 3.6, FCC2A*, address 00:0b:6b:37:29:87 your dmesg shows a 5213 chip, actually someone recently imported some HAL fixes from the linux atheros free-hal things which were in turn based on the original openbsd free hal. maybe this fixes your 5213 problems. try a current snapshot Tried it, no difference, no G band still. if not, then there is more reverse engineering to be done, but it's very slow and painstaking work. I bet...you have any recommendations for Soekris/OpenBSD friendly G band MiniPCI cards ? Man I just bought another ath card too...it may be hitting Ebay when it arrives ;) ~Allie
Re: Mikrotik's routerboard 44
Paolo Supino wrote: Hi I'm in the process of building firewall (Obviously it will run OpenBSD) and I need to put in a quad NIC card. There's Intel Quad card that I had a success with in the past but is expensive as hell. I found a company called Mikrotik that makes a Quad NIC card and I'm looking for success/failure stories of running it in an OpenBSD box ... I can't say no for sure, but looking here: http://openbsd.org/i386.html#hardware I don't see it on the list of supported hardware. So, I would guess it is not supported. Maybe you know the chipset they use and then you can go back and look if it is on the list and if so, it might work. As for the Intel expensive one, may be expensive for a reason. It does work.
'route to' question
Hello lists! (sorry if cross-list posting is frowned upon) I'm setting up a BSD/pf machine that will be working as a binat firewall for a number of hosts on two /28 subnets belonging to the same co-location provider. The BSD machine is already live, working hard for one subnet, and I don't have extra hardware to test this out in a lab environment (nice, I know), so I'd just like a little wisdom from the lists before I go live with this pf change: I'm wondering if I can use the route to option with pf in order to force all traffic from subnet A through subnet A's gateway, while subnet B's traffic goes through subnet B's gateway. Right now, subnet B is set up and running with B's gateway as the host for the 0.0.0.0 network. Now, with straight routing, I can't seem to find a way to enable multi-path routing to the 0.0.0.0 network along these lines:

if src is from netA: pass traffic to gwA
if src is from netB: pass traffic to gwB

Now, since I have only one external interface (see diagram at bottom), how can I rearrange the following pf statements (from the pf faq):

pass out on em0 route-to (em0 $ext_gw2) from em0 to any
pass out on em0 route-to (em0 $ext_gw1) from em0 to any

Can I get by by simply aliasing all of the IPs on em0 (external interface) or do I have to vlan the external device to get distinct interface names? Thanks, Pete.

Quick/Dirty Diagram:

204.15.193.0/28  (aliases 204.15.193.2-14)  --+
                                              +-- (em0) BSD (em1) --+ (Tagged VLAN)
204.15.193.16/28 (aliases 204.15.193.18-30) --+                     |
                                                                    +-- VLAN2 (192.168.3/24)
                                                                    +-- VLAN5 (10.10.5/24)
                                                                    +-- VLAN6 (10.10.6/24)
Re: 3.9 + ath....panic fixed in -current and can it run G band yet as well ?
On Wed, 5 Jul 2006 18:35:58 -0700, Allie Daneman wrote: if not, then there is more reverse engineering to be done, but it's very slow and painstaking work. I bet...you have any recommendations for Soekris/OpenBSD friendly G band MiniPCI cards ? Man I just bought another ath card too...it may be hitting Ebay when it arrives ;) MSI makes one using ral. The PCI version seems to work ok. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
problems configuring and making nmap 4.11 on OpenBSD 3.9 stable
I'm running OpenBSD 3.9 stable, arch i386. Also autoconf-2.59. I'd install the nmap package, but it's an older version. When I run ./configure --with-openssl=/usr/sbin/ I get a number of warnings like the following:

configure: WARNING: net/if.h: present but cannot be compiled
configure: WARNING: net/if.h: check for missing prerequisite headers?
configure: WARNING: net/if.h: see the Autoconf documentation
configure: WARNING: net/if.h: section Present But Cannot Be Compiled
configure: WARNING: net/if.h: proceeding with the preprocessor's result
configure: WARNING: net/if.h: in the future, the compiler will take precedence
configure: WARNING: ## -- ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## -- ##

This happens for several files: net/if.h, sys/sysctl.h, net/if_arp.h, net/fpvar.h, net/route.h, and netinet/in_var.h. Then when I run make I get:

Makefile, line 1: Need an operator
Makefile, line 14: Need an operator
Makefile, line 15: Need an operator
Makefile, line 21: Need an operator
Makefile, line 38: Need an operator
Makefile, line 49: Need an operator
Makefile, line 51: Need an operator
Makefile, line 190: Could not find makefile.dep
Fatal errors encountered -- cannot continue

I can provide the contents of my config.log file if necessary. TIA for help.