current state of bioctl with the ciss driver?
Hello List, can someone tell me what the current state of bioctl support is for the ciss driver? I've got a ProLiant Dl380 G2 with a Compaq Smart Array 5i running vanilla 3.9 and there seems to be no support for bioctl. thanks, Robert Urban
Re: How to implement PF tables
So, may I get your words for:

    table <xxx> { any !x.b.c/24 }

Thanks.

On 7/30/06, Jason Dixon [EMAIL PROTECTED] wrote:
> On Jul 30, 2006, at 3:50 AM, Gustavo Rios wrote:
>> Hey folks,
>>
>> I am structuring my first firewall server. I am having a hard time with the following: building a table that holds every IPv4 address but excludes a given range. My initial idea was:
>>
>>     table <xxx> { 0/0 !x.b.c/24 }
>>
>> But it is not acceptable. How would you handle that?
>
> By default, any rule will match 0/0 by just using the any or all keywords. Think about it.
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
Re: How to implement PF tables
>>> I am structuring my first firewall server. I am having a hard time with the following: building a table that holds every IPv4 address but excludes a given range. My initial idea was:
>>>
>>>     table <xxx> { 0/0 !x.b.c/24 }
>>>
>>> But it is not acceptable. How would you handle that?
>>
>> By default, any rule will match 0/0 by just using the any or all keywords. Think about it.
>
> So, may I get your words for:
>
>     table <xxx> { any !x.b.c/24 }

No. Step back and think about this for a second. By default, any filter rule will match *everything*. Example:

    block in on $ext_if from any to any

(or)

    block in on $ext_if all

Stop trying to shoehorn the entire internet into a table. You don't need to. Use negation to block the bad stuff. Example:

    table <bad_hosts> { 1.2.3.4 }
    pass in on $ext_if from ! <bad_hosts> to $webserver port 80

Translated, this is the same as saying "pass in on my external interface, any host *except* 1.2.3.4 to my webserver's port 80".

HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
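Added example, not part of the original thread or of pf itself: a small Python model of why the reply above negates a table rather than listing negated addresses in braces. It goes beyond the single-host case in the post by also modelling a negated entry inside a table (most specific entry wins) and pfctl's expansion of a `{ list }` into one rule per element. The ruleset shape (`block in all` followed by pass rules), the function names and every address except 1.2.3.4 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data: 1.2.3.4 is the host from the post; the other
# addresses are documentation ranges chosen for this example.
TABLES = {
    "bad_hosts": ["1.2.3.4", "198.51.100.0/24", "!198.51.100.7"],
}

def table_match(entries, addr):
    """Table lookup: the most specific entry containing addr decides.
    A negated entry ("!net") carves that range back out of the table."""
    ip = ipaddress.ip_address(addr)
    best = None  # (prefixlen, negated)
    for entry in entries:
        net = ipaddress.ip_network(entry.lstrip("!"))
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry.startswith("!"))
    return best is not None and not best[1]

def source_match(spec, addr, tables):
    """Evaluate one rule's 'from' part: any, a network, or <table>,
    each optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("! ")
    if spec == "any":
        hit = True
    elif spec.startswith("<"):
        hit = table_match(tables[spec.strip("<>")], addr)
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return hit != negate

def passes(sources, addr, tables=TABLES):
    """Assumed ruleset: 'block in all', then one 'pass in ... from X' rule
    per element of sources (pfctl expands a { list } into one rule each)."""
    return any(source_match(s, addr, tables) for s in sources)

if __name__ == "__main__":
    for src in ("1.2.3.4", "198.51.100.20", "198.51.100.7", "203.0.113.9"):
        print(src,
              "table:", passes(["! <bad_hosts>"], src),
              "list:", passes(["!1.2.3.4", "!198.51.100.0/24"], src))
```

In this model the braces form admits every source, including 1.2.3.4, because each expanded rule matches what the other one excludes; the negated table admits only hosts outside the table.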
Re: current state of bioctl with the ciss driver?
On Jul 30, 2006, at 10:58 AM, Srebrenko Sehic wrote:
> ciss(4) has no bio(4) support, but marco@ might be working on it. Donate a ciss(4) compatible controller to speed things up.
>
> On 7/30/06, Robert Urban [EMAIL PROTECTED] wrote:
>> Hello List, can someone tell me what the current state of bioctl support is for the ciss driver? I've got a ProLiant Dl380 G2 with a Compaq Smart Array 5i running vanilla 3.9 and there seems to be no support for bioctl.

Indeed. According to want.html:

    ciss(4) and gdt(4) RAID cards for bio and bioctl development needed in Austin, Texas, USA. Contact [EMAIL PROTECTED]

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
pf issue with Soekris net4801
I have just used the flashdist script to install OpenBSD 3.9 to a Soekris net4801. Everything works great on it aside from pf. Whenever I try to load a ruleset it errors out with

    pfctl: DIOCCLRIFFLAG: Operation not supported by device

I have tried this with my standard ruleset and a simplified "pass in all, pass out all" ruleset. Both of the network interfaces that I have configured function properly and I can ping both the LAN and WAN. If I try to do anything with pf it generates the error listed above, i.e. pfctl -ef /etc/pf.conf, or pfctl -sn. If I run pfctl without any arguments it displays the help for pfctl, so it seems the binary loads O.K.

Any ideas?
Re: pf issue with Soekris net4801
On Jul 30, 2006, at 2:59 PM, drkfiber wrote:
> I have just used the flashdist script to install OpenBSD 3.9 to a Soekris net4801. Everything works great on it aside from pf. Whenever I try to load a ruleset it errors out with
>
>     pfctl: DIOCCLRIFFLAG: Operation not supported by device
>
> I have tried this with my standard ruleset and a simplified "pass in all, pass out all" ruleset. Both of the network interfaces that I have configured function properly and I can ping both the LAN and WAN. If I try to do anything with pf it generates the error listed above, i.e. pfctl -ef /etc/pf.conf, or pfctl -sn. If I run pfctl without any arguments it displays the help for pfctl, so it seems the binary loads O.K.
>
> Any ideas?

We can't help until you provide the necessary information (pf.conf and dmesg).

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: pf issue with Soekris net4801
Thanks. I found the issue. I neglected to copy over the new source for 3.9. So the kernel I was compiling was actually 3.7. So userland was 3.9 but kernel 3.7.

On 7/30/06, Jason Dixon [EMAIL PROTECTED] wrote:
> On Jul 30, 2006, at 2:59 PM, drkfiber wrote:
>> I have just used the flashdist script to install OpenBSD 3.9 to a Soekris net4801. Everything works great on it aside from pf. Whenever I try to load a ruleset it errors out with
>>
>>     pfctl: DIOCCLRIFFLAG: Operation not supported by device
>>
>> I have tried this with my standard ruleset and a simplified "pass in all, pass out all" ruleset. Both of the network interfaces that I have configured function properly and I can ping both the LAN and WAN. If I try to do anything with pf it generates the error listed above, i.e. pfctl -ef /etc/pf.conf, or pfctl -sn. If I run pfctl without any arguments it displays the help for pfctl, so it seems the binary loads O.K.
>>
>> Any ideas?
>
> We can't help until you provide the necessary information (pf.conf and dmesg).
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
USB sound device recommendations?
Hi, has anyone tested the Creative SoundBlaster Live! 24Bit USB on OpenBSD or can recommend a similar (or better) device? And for that Creative thing: is the wave table synthesizer really onboard, or is it just some bogus thing supported by windows drivers only? TIA Ciao, Kili, tired of el-cheapo onboard-sound.
pfr_detach_table
I am starting to see a lot of these in 'dmesg' and am wondering what they mean and how to troubleshoot. The network appears to be functioning fine though. I am running 3.8-stable with a generic kernel.

    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
    pfr_detach_table: refcount = 0.
pf: state insert failed: tree_lan_ext
Hi,

With the ruleset:

    nat on sis0 from !(sis0) -> (sis0)
    rdr on sis0 inet proto udp from any to any port = 12560 -> 192.168.1.10 port 1
    rdr on sis0 inet proto udp from any to any port = 12561 -> 192.168.1.10 port 10001

(and pass quick on all if, no keep state)

I get these errors when running debug misc:

    pf: state insert failed: tree_lan_ext lan: 192.168.1.10:1 gwy: xx.xxx.xxx.xx:12560 ext: uu.uu.uu.uu:18358

The udp-stream from 192.168.1.10 gets passed OK, but the incoming stream from uu.uu.uu.uu triggers the above error.

Anyone has any idea on why this does occur and if there is any way that I can get it working.

Thanks,
Rickard.
Re: current state of bioctl with the ciss driver?
Jason Dixon wrote:
> On Jul 30, 2006, at 10:58 AM, Srebrenko Sehic wrote:
>> ciss(4) has no bio(4) support, but marco@ might be working on it. Donate a ciss(4) compatible controller to speed things up.
>>
>> On 7/30/06, Robert Urban [EMAIL PROTECTED] wrote:
>>> Hello List, can someone tell me what the current state of bioctl support is for the ciss driver? I've got a ProLiant Dl380 G2 with a Compaq Smart Array 5i running vanilla 3.9 and there seems to be no support for bioctl.
>
> Indeed. According to want.html:
>
>     ciss(4) and gdt(4) RAID cards for bio and bioctl development needed in Austin, Texas, USA. Contact [EMAIL PROTECTED]

I promised mickey@ some money in return for some ciss logging a while ago. I have no idea on progress, but there might be something going on there as well.

Rickard.
Re: pf: state insert failed: tree_lan_ext
On Sun, Jul 30, 2006 at 11:11:17PM +0200, Rickard Dahlstrand wrote:
> Hi,
>
> With the ruleset:
>
>     nat on sis0 from !(sis0) -> (sis0)
>     rdr on sis0 inet proto udp from any to any port = 12560 -> 192.168.1.10 port 1
>     rdr on sis0 inet proto udp from any to any port = 12561 -> 192.168.1.10 port 10001
>
> (and pass quick on all if, no keep state)
>
> I get these errors when running debug misc:
>
>     pf: state insert failed: tree_lan_ext lan: 192.168.1.10:1 gwy: xx.xxx.xxx.xx:12560 ext: uu.uu.uu.uu:18358
>
> The udp-stream from 192.168.1.10 gets passed OK, but the incoming stream from uu.uu.uu.uu triggers the above error.
>
> Anyone has any idea on why this does occur and if there is any way that I can get it working.
>
> Thanks,
> Rickard.

Have you tried using nonat to exclude your rdr ports?

--
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
Re: USB sound device recommendations?
On Sun, Jul 30, 2006 at 10:04:32PM +0200, Matthias Kilian wrote:
> Hi,
>
> has anyone tested the Creative SoundBlaster Live! 24Bit USB on OpenBSD or can recommend a similar (or better) device?

I'm using the Creative Audigy 2 NX (USB) and the sound quality is great. You have to compile a custom kernel with option UAUDIO_MULTIPLE_ENDPOINTS.

> And for that Creative thing: is the wave table synthesizer really onboard, or is it just some bogus thing supported by windows drivers only?
>
> TIA
>
> Ciao,
> Kili, tired of el-cheapo onboard-sound.

Yeah most of the onboard sound is crap, at least to my ears ;)

Regards,
ahb
Re: SATA DVD Support?
On Sun, Jul 30, 2006 at 12:56:21AM +0200, the unit calling itself Rogier Krieger wrote:
>> I guess that squelches plans for a SATA HDD as well :(
>
> If by that you mean you expect OpenBSD to not support SATA HDDs, I can happily assure you you're wrong. OpenBSD supports various SATA controllers (such as your SiI 3112, the SiI 3114, etc.). I yet have to encounter a SATA HDD it does not support.

OK, thanks - that's good news!

> Regarding SATA DVD drives, I have no experience with those (as in: I have yet to encounter them) so I cannot tell you whether they should work or not. Judging from Jacob's dmesg segment earlier in this thread, it appears they do not work (at least not the Plextor units).

Danke,
J
OpenBSD's own compiler
Hi

I am currently studying the Ada programming language and I read about the different safety demands, which have been made a standard, upon compilers. I read about how Ada is being used in all areas where safety is of great issue, and about how it's being used in rockets, Boeing airplanes and so on because of its high level of safety.

What I understood from it is that the demand and control upon compilers, rather than on the source code, eliminates the possibility of a lot of errors in the source code (the compiler will not compile the program), and since Ada is being used in a lot of places where lives depend upon the software, it has to be very safe.

I was wondering, would it be a stupid and bad idea for the OpenBSD team to develop an OpenBSD C compiler based upon the OpenBSD security knowledge and internal standards regarding the language? Making it impossible for the compiler to accept and compile programs with all the known errors which cause problems. The OpenBSD way of programming has clearly made it clear what security and quality is all about.

Now I know all the rules about, no talk, just develop, and what else is here. I am not a developer. This is not an attempt to do anything other than ask a question. Seeing how OpenBSD's OpenSSH has been implemented worldwide, the thought about a compiler made me wanna ask the question and learn from the answers.

If you are one of those persons who just need to let off steam or just need an excuse to flame someone, or if you in general think that my question is about the most stupid question you have ever read, then please, do something else with your time, don't answer this email, just ignore it - especially if you aren't a developer yourself. And if you can't help yourself, just mail me off-list.

The best and kind regards.
Rico
Re: OpenBSD's own compiler
An OpenBSD C compiler from scratch, AFAIK, is not an idea of the project. Today, I read about Theo's interest in Plan 9's C compiler. But, there are license problems, so, that is not possible; at least, right now.

A source tree in Ada, I think, would be safer. But maybe it is not as portable/well-known as C.

I'm not a developer nor an Ada programmer.

Greetings

On 7/30/06, Rico Secada [EMAIL PROTECTED] wrote:
> Hi
>
> I am currently studying the Ada programming language and I read about the different safety demands, which have been made a standard, upon compilers. I read about how Ada is being used in all areas where safety is of great issue, and about how it's being used in rockets, Boeing airplanes and so on because of its high level of safety.
>
> What I understood from it is that the demand and control upon compilers, rather than on the source code, eliminates the possibility of a lot of errors in the source code (the compiler will not compile the program), and since Ada is being used in a lot of places where lives depend upon the software, it has to be very safe.
>
> I was wondering, would it be a stupid and bad idea for the OpenBSD team to develop an OpenBSD C compiler based upon the OpenBSD security knowledge and internal standards regarding the language? Making it impossible for the compiler to accept and compile programs with all the known errors which cause problems. The OpenBSD way of programming has clearly made it clear what security and quality is all about.
>
> Now I know all the rules about, no talk, just develop, and what else is here. I am not a developer. This is not an attempt to do anything other than ask a question. Seeing how OpenBSD's OpenSSH has been implemented worldwide, the thought about a compiler made me wanna ask the question and learn from the answers.
>
> If you are one of those persons who just need to let off steam or just need an excuse to flame someone, or if you in general think that my question is about the most stupid question you have ever read, then please, do something else with your time, don't answer this email, just ignore it - especially if you aren't a developer yourself. And if you can't help yourself, just mail me off-list.
>
> The best and kind regards.
> Rico

--
Andrés Delfino
bufcachepercent samba
I am setting up a Samba fileserver on obsd 3.9-stable. I noticed that up until obsd 3.3, in section 11 of the faq, it recommended increasing bufcachepercent for fileservers with lots of free memory. Now there is no section 11 at all in the faq.

For a box that is basically only going to do Samba, is it still ok to increase bufcachepercent to speed things up, and if so, are there any limits I should be aware of? Obviously I wouldn't set it to 95% but with 1 gb of RAM, is 50% ok?

Thanks,
Craig.
Re: How to implement PF tables
>     tableaddr-list = tableaddr-list [ , ] tableaddr-spec | tableaddr-spec
>
> you need to separate with , to make that rule work.

just to touch base on that, the brackets signify the comma is optional. ( not the first time i've seen a suggestion that someone needed to add/remove a comma for pf.conf ).

anywhere you can put a comma, you can also leave it out; pfctl(8) parses the rule the same.

--
jared
[ openbsd 3.9-current GENERIC ( jun 22 ) // i386 ]
Re: How to implement PF tables
On 7/30/06, jared r r spiegel [EMAIL PROTECTED] wrote:
> anywhere you can put a comma, you can also leave it out; pfctl(8) parses the rule the same.

I had commas give me problems around 3.7. But you're right, it shouldn't give problems anymore.