Re: best hardware platform for openbsd
I meant more CPU processing cycles per a given constant amount of money! That's it.

On 10/7/06, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2006/10/07 19:29, Gustavo Rios wrote:
> > I am evaluating processor hardware for using with openbsd. Two options of course: Intel and AMD.
>
> There are more options than just those. macppc and sparc64 are amongst the faster arch's too (and if you don't need out-and-out speed there are more to choose from). Motherboard chipsets also make a *HUGE* difference, of course.
>
> > For the 64 bit version, which delivers the best relation price/benefits?
>
> Nobody can say that unless they know what you think is beneficial. You have to first define what you want, then go looking for something suitable.
Re: Letter to OLPC
Jeroen Massar wrote:
> Daniel Ouellet wrote:
> > What strikes me, among many things wrong and unreal here, is this specific part as well:
> >
> > "Marvell is not in a position to open their wireless firmware as it is currently dependent on the third party operating system kernel that they do not own. A GPL Linux device driver for the Marvell wireless chip, the Libertas driver, still under development but also fully functional can be found in our GIT tree."
>
> Everything is always under development ;) Claiming that they are dependent on third party stuff and that they can't release their firmware because of that though, now that is the odd part in here.
>
> > But we could read this sentence differently and conclude that the GPL code writers have the power to demand that they release the firmware. Everyone that defends the GPL code should again look at themselves and realize that it is part of the license to make public the code and make it free for others to use when it is based on GPL. Well, my English may not be so good, but as I understand this as a non-native English speaker, it is: "We use GPL code, but we can't and will not release it."
>
> I am pretty sure that Marvell didn't GPL their firmware. The rest though (the driver) is in GIT (Linux kernel source revision crap system), which does thus mean that it is publicly available, license most likely GPL. The issue this is all about, and also the part where Intel is being banged on, is that the redistribution of the firmware is not allowed. Second point is that documentation to write one's own driver isn't available either.
>
> > Well, sorry, I am not and never have been a fan of GPL licensed code, but one thing I know about it is that if you use any part of it, you are forced to release your code as well, like it or not!
>
> Not exactly. If you make a piece of code, thus your own original work, and tag it with GPL you don't actually have to release the code. You can even ask cash for it and other weird constructs:
> http://www.gnu.org/licenses/gpl-faq.html#DoesTheGPLAllowDownloadFee
> http://www.gnu.org/licenses/gpl-faq.html#TOCDoesTheGPLRequireAvailabilityToPublic
> http://www.gnu.org/philosophy/selling.html
>
> nProbe (see www.ntop.org) for instance does this, as from http://pkgsrc.se/net/nprobe :
> "nProbe is licensed under the GPL, but is not currently available for public download. (You will need to know the appropriate username and password to download the distribution file for this package.) Please see the nProbe Availability section of ntop.org for more information."
>
> Thus yes, you can have GPL code that you don't have to distribute. Fun part though is that anyone that buys your GPL code can release and distribute it freely anyway because that is a 'freedom' they have from the GPL.
>
> The other side: if one takes from another author some GPL'd code and extends it, one HAS to release it, as you are not the original copyright owner. The BSD license thus is more free than the GPL in that respect, as it gives the user/extender of the code the option to spread it or not, while the GPL restricts you and forces you to release it. This is also the reason why for instance iRiver's PMP-100 code had to be released, as they were re-using cadenux, which contained GPL'd code.
>
> I personally usually prefer the BSD license for projects: everybody can do whatever they want with it. I do tend to add a clause that I would like to get a note saying "yes I am happily using your code", simply because I like to know that people are actually using it. The 'thank you' factor is of importance there. (A 'your code sucks' is also welcome as long as people specify why so that I can improve on it and they can say 'thank you' anyway ;)
>
> On the subject of licenses though, no single commercial company will be able to use any GPL'd or BSD'd code anyway, for the simple reason that the author of the code might have (accidentally) coded some nice routine into it that is covered by some silly patent somewhere on this planet. The patent holder could find out that company X is using code based on project Y and then sue them because the code provided by Y has code that is covered by patent Z. As this can cost company X a lot of money, company X will never use anything BSD or GPL'd, unless they have somebody do a lot of patent checks. But take a guess how many folks on this planet know and understand every single patent out there next to being able to analyze code and match them up with all those patents. The patent on the GIF format is a nice example to start out with ;)
>
> Greets,
>  Jeroen

Men, I must be pretty darn stupid I have to say. My point wasn't about the damn licenses or comparing GPL to BSD for crying out loud! I included it here just as it was one small part of a stupid action where some take children hostage for self profit and forget their own origin, and at the same time have the power to make a change and choose not to do so, again for self-serving reasons, and hide themselves behind false pretenses! Why is it that everyone always
Re: best hardware platform for openbsd
Gustavo Rios wrote:
> I meant more CPU processing cycles per a given constant amount of money! That's it.

Then go for AMD, they have more instructions than Intel, who are now trying to catch up to them! So, call it more machine instructions per dollar if you like that!
can not compile the new kernel
Hi!

I've applied the patches from the errata page, and now I'm trying to recompile the kernel.

/usr/src/sys/arch/i386/conf $ config GENERIC
Don't forget to run "make depend"
/usr/src/sys/arch/i386/conf $ cd ../compile/GENERIC
/usr/src/sys/arch/i386/compile/GENERIC $ make clean depend
Makefile, line 65: Could not find c /usr/src/sys/arch/i386/compile/GENERIC/../../../../lib/libkern/Makefile.inc
Makefile, line 73: Could not find c /usr/src/sys/arch/i386/compile/GENERIC/../../../../compat/common/Makefile.inc
Fatal errors encountered -- cannot continue

Would someone help me with this?

Thanks!

Daniel
-- 
LeVA
Re: X not working with NVIDIA GeForce 7800 GS on amd64
On Sat, Oct 07, 2006 at 12:11:53AM +0200, Andreas Maus wrote:
> Hi.
>
> I recently replaced my ATI X800 with a new NVIDIA GeForce 7800 GS. Checking the nv(4) man page, it states that it supports:
> [... snip ...]
> GeForce 7XXX
> [... snip ...]
<snip>

I have the same problem with a GeForce 7300GT. The problem is these chips are only supported by X.org 7.x (which is not yet in OpenBSD). After reading:

http://www.undeadly.org/cgi?action=article&sid=2006071016

I hope 7.x will be in OpenBSD soon. I already mailed matthieu@, but I didn't receive an answer. Since I'm the one asking for a favor and he is the one doing the work I didn't bother him further and will use the vesa driver until 7.x hits the tree. At that time I'll be a happy -current tester :)

Regards,

ahb

p.s. This xorg.conf section might be of interest to you.

Section "Device"
        Identifier  "Card0"
        Driver      "vesa"
        #Driver     "nv"
        VendorName  "nVidia Corporation"
        BoardName   "Unknown Board"
        BusID       "PCI:2:0:0"
EndSection
Re: Loading pf rules at boot with '-o' flag to pfctl...
On 08/10/06, Martin Gignac [EMAIL PROTECTED] wrote:
> Hi,
>
> While playing around with pf I've gotten used to passing the '-o' flag to pfctl to optimize my rulesets when loading them. However, I've noticed that /etc/rc does not pass the '-o' flag when loading the ruleset with pfctl during boot. Moreover, I couldn't find any apparent variable in the /etc/rc.conf file I could use to tell /etc/rc to pass the '-o' flag during boot up. So whenever I reboot my machine I lose the optimization I get when loading them manually while specifying '-o'.
>
> Is there any plan to add a variable in /etc/rc.conf to achieve this, or is using '-o' during boot considered a bad thing?
>
> Thanks,
> -Martin

You are supposed to use the -o option to optimise your ruleset, then correct the ruleset in /etc/pf.conf so there should be no need to load the ruleset with -o every time.

Cheers

z0mbix
Re: graphviz rendering of installed ports dependencies
Now, with colors:

#!/bin/sh

TOP_COLOR=greenyellow
BOTTOM_COLOR=firebrick

echo "digraph pkg_dep"
echo "{"
for PKG in $(pkg_info | cut -d' ' -f1) ; do
        # package comment, used as the second label line
        PKG_INFO=$(pkg_info -c "$PKG" | tail -n+4 | tr -s '\n')
        echo "\t\"$PKG\" [label=\"$PKG\\n$PKG_INFO\"];"
        REQ_BY=""
        # one edge from every package that requires this one
        for REQ_BY in $(pkg_info -R "$PKG" | tail -n+4 | tr -s '\n') ; do
                echo "\t\"$REQ_BY\" -> \"$PKG\";"
        done
        # packages this one depends on
        REQ=$(pkg_info -f "$PKG" | grep '@depend' | cut -d' ' -f2 | cut -d':' -f3)
        if [ -z "$REQ_BY" ] ; then
                # nothing requires it: top-level package
                echo "\t\"$PKG\" [color=\"$TOP_COLOR\", style=\"filled\"];"
        elif [ -z "$REQ" ] ; then
                # it requires nothing: leaf package
                echo "\t\"$PKG\" [color=\"$BOTTOM_COLOR\", style=\"filled\"];"
        fi
done
echo "}"

2006/10/8, Bruno Carnazzi [EMAIL PROTECTED]:
> First blood:
>
> #!/bin/sh
>
> echo "digraph pkg_dep"
> echo "{"
> for PKG in $(pkg_info | cut -d' ' -f1)
> do
>         PKG_INFO=$(pkg_info -c "$PKG" | tail -n+4 | tr -s '\n')
>         echo "\t\"$PKG\" [label=\"$PKG\\n$PKG_INFO\"];"
>         for REQ_BY in $(pkg_info -R "$PKG" | tail -n+4 | tr -s '\n')
>         do
>                 echo "\t\"$REQ_BY\" -> \"$PKG\";"
>         done
> done
> echo "}"
>
> But for my big packages set, it does not produce a beautiful graph. Does someone know how to beautify it?
>
> Thank you,
>
> Bruno.
>
> Attached, my generated dot file (gosh! gdm is really a pig!):
> [SNIP]
>
> 2006/10/7, Matthias Kilian [EMAIL PROTECTED]:
> > On Sat, Oct 07, 2006 at 10:32:21PM +0400, Bruno Carnazzi wrote:
> > > Does someone know if this kind of stuff already exists?
> >
> > I just found this one (old, untested, and after all *not* supported, since it seems to directly access /var/db/pkg):
> > http://vgai.de/gpkgview.sh
> >
> > Ciao,
> >         Kili
Re: best hardware platform for openbsd
On 08/10/06, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2006/10/07 18:08, Brian wrote:
> > > There are more options than just those. macppc and sparc64 are amongst the faster arch's too (and if you don't need out-and-out speed there are more to choose from). Motherboard chipsets also make a *HUGE* difference, of course.
> >
> > I am looking at upgrading my motherboard and processor. It looks like NVIDIA is still not open source friendly. I saw some blobs on their site for FreeBSD with very restrictive licenses. I am seeing some VIA, SIS, and ATI motherboards that support AM2 sockets as alternatives to NVIDIA. I am looking at upgrading to a dual core amd64 X2 processor. Will this work with bsd.mp?
>
> Depends on the motherboard/chipset/bios. Also results may vary depending on which OpenBSD arch you use (e.g. I tried an AMD 8111/8131 based 2U server, running i386 MP kernel it hangs occasionally but has been rock-solid under amd64).
>
> > And what chipset vendor is the most open with documentation?
>
> For the processors using hypertransport (I was going to say AMD processors, but it's used on some PowerPC boxes too) the most open chipset vendor is probably AMD themselves, but they aren't exactly used on desktop motherboards (or even much on server boards these days). Just by searching for the part numbers (e.g. 8111) you quickly find datasheets and information on revisions; any vendor should be making that type of information openly available.
>
> http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_9004,00.html
>
> As you see from my example, open docs don't guarantee that everything works, but they make the job of making it work at all a lot easier (and I'm happy enough to have this particular box running the 64-bit kernel).
>
> > I am leaning towards ATI. I want to support the open vendors with my cash.
>
> afaik, they're not particularly open. It may change with the AMD merger, who knows...
>
> I have a small pile of motherboards from when I was upgrading my desktop box that didn't really work well enough (I was trying to avoid nvidia of course), in the end I decided to buy whatever I could locally so that I'd return it if there was a problem. All I could find was nvidia, which I wasn't terribly happy about buying, but it worked, size of pile stopped increasing... don't get me wrong, this is not advice to buy from nvidia, it's advice to buy from somewhere where you can easily return the board for a refund if you don't like it :-)

How about VIA chipsets, any opinion about boards having those? Say, Asus M2V (Via K8T890)?

> (and, I don't know about the AM2 socket/retention mechanism, but if it's anything like S939 be damn careful removing the CPU if you do have to move it between boards...bye bye one 146, thanks for the glue-like thermal compound AMD..!)

-- 
viq
Re: Problems with traffic shaping
On 07/10/06, S t i n g r a y [EMAIL PROTECTED] wrote:
> it is asymmetric

What bandwidth have you configured the shaper for?

Some technologies like PPPoA or PPPoE over DSL will give you an overhead of 165% for empty ACKs, meaning that your shaper won't kick in since it doesn't consider the line to be full even if in reality it is getting caned. Since I'm stuck with PPP over DSL I have to modify the token bucket regulator for the shaping to work well.

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Problems with traffic shaping
> On 08/10/06, tony sarendal [EMAIL PROTECTED] wrote:
> > On 07/10/06, S t i n g r a y [EMAIL PROTECTED] wrote:
> > > it is asymmetric
> >
> > What bandwidth have you configured the shaper for?
>
> Doh!
>
> altq on $extif cbq bandwidth 500Kb queue { def, msn, www, https, smtp, ssh, ftp }

What kind of link do you actually have? DSL? If so, what does it run over DSL? RFC1483 bridging? PPPoA?

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
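Tony's 165% figure for empty ACKs can be checked by counting ATM cells. The shell script below is an added example, not part of the thread and not Tony's regulator change. It assumes per-packet encapsulation overheads of 2 bytes for PPPoA with VC multiplexing (the PPP protocol field) and 32 bytes for PPPoE over LLC/SNAP-bridged RFC 1483 (Ethernet 14 + PPPoE 6 + PPP 2 + LLC/SNAP bridging header 10, no Ethernet FCS), an 8-byte AAL5 trailer and 53-byte cells carrying 48 bytes of payload; the real per-packet overhead depends on the ISP's encapsulation. With those assumptions a 40-byte TCP ACK occupies 2 cells = 106 bytes on the wire under either encapsulation, i.e. 165% overhead, and a 500Kb line completely full of such ACKs carries only about 188Kb of IP traffic, which is why a shaper configured at 500Kb never sees the line as full.

```shell
#!/bin/sh
# Added example: how much of a DSL line an IP packet really occupies once it
# is segmented into ATM cells, and what that does to a shaper configured at
# the nominal IP-level rate. Overhead values below are assumptions.

CELL=53          # bytes per ATM cell on the wire
CELL_PAYLOAD=48  # usable payload bytes per cell
AAL5_TRAILER=8   # AAL5 trailer (pad length, CPI, UU, CRC-32)

# Bytes added to every IP packet before AAL5 segmentation (assumed values):
#   pppoa-vcmux : PPP protocol field only
#   pppoe-llc   : Ethernet 14 + PPPoE 6 + PPP 2 + LLC/SNAP bridging 10
encap_overhead() {
    case "$1" in
        pppoa-vcmux) echo 2 ;;
        pppoe-llc)   echo 32 ;;
        *) echo "unknown encapsulation: $1" >&2; return 1 ;;
    esac
}

# Number of ATM cells needed for an IP packet of $1 bytes with encapsulation $2.
atm_cells() {
    oh=$(encap_overhead "$2") || return 1
    aal5=$(( $1 + oh + AAL5_TRAILER ))
    echo $(( (aal5 + CELL_PAYLOAD - 1) / CELL_PAYLOAD ))   # round up
}

# Bytes actually transmitted on the line for that packet.
wire_bytes() {
    echo $(( $(atm_cells "$1" "$2") * CELL ))
}

# Overhead in percent relative to the IP packet size (truncated to an integer).
overhead_pct() {
    echo $(( ( $(wire_bytes "$1" "$2") * 100 ) / $1 - 100 ))
}

# IP-level rate in kbit/s at which packets of $1 bytes fill a line of $3 kbit/s.
# A shaper that only counts IP bytes must be set at or below this figure for
# that packet size if it is to regard the line as full.
ip_rate_at_saturation() {
    echo $(( $3 * $1 / $(wire_bytes "$1" "$2") ))
}

if [ "${1:-}" = "--demo" ]; then
    for size in 40 576 1500; do
        printf '%5d-byte packet: %3d cells, %4d wire bytes, %3d%% overhead\n' \
            "$size" "$(atm_cells "$size" pppoe-llc)" \
            "$(wire_bytes "$size" pppoe-llc)" "$(overhead_pct "$size" pppoe-llc)"
    done
    echo "500 kbit/s line full of 40-byte ACKs carries $(ip_rate_at_saturation 40 pppoe-llc 500) kbit/s of IP"
fi
```

Run it with `--demo` for the table, or source it and call the functions. The practical consequence is the one Tony describes: an ACK-heavy upstream on an asymmetric line saturates long before the shaper's byte count says so, so either set the altq bandwidth well below the nominal line rate for the packet mix you actually carry, or account for the per-packet overhead in the regulator itself.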
Re: Letter to OLPC
Theo de Raadt wrote on Sat, Oct 07, 2006 at 02:55:22PM -0600:
> Adriaan [EMAIL PROTECTED] wrote:
> > See Jim Gettys defense at http://www.gettysfamily.org/wordpress/?p=27
> [...]
> > You can't say anything bad about the children, can you?
>
> Just as your rhetorical question suggests, indeed you can.

I still hoped OLPC might at least focus on an appropriate auditorium. For example, here in Germany we do have millions of (relatively!!) disadvantaged children who might profit from free laptops (though i suspect the same money spent on teacher salaries to have more basic language training or even spent on better public toothcare might help them better).

But the following paragraph by Jim Gettys flabbergasted me:

|| Many or most children in the world do not have electric
|| power, nor do they have computer networking. Without
|| power being available, even if access points cost nothing,
|| you have no network. So we are deploying mesh networking,
|| to allow a child's laptop to forward packets for their
|| friend or neighbor's laptop; each laptop becomes, in
|| effect, a battery powered access point for the others.

So those children will get laptops before their families have electricity? Had they any choice, how many of them would choose that way? Given the effort and money used for the OLPC project - on what would those people like to spend it? Or, to ask the question in a polemical way, would they choose Marvell, and why?

The criticism voiced by Siju and others does not only apply to several situations in general, but it does indeed appear to apply to this particular project. :-( Small wonder the project exhibits other flaws, too, when even this central aspect has been screwed up...

-- 
Ingo Schwarze [EMAIL PROTECTED]
Freedom is about choice. Unless all have equal opportunities to choose, it's incomplete.
Re: Letter to OLPC
On Sun, Oct 08, 2006 at 02:22:35PM +0200, Ingo Schwarze wrote:
> So those children will get laptops before their families have electricity? Had they any choice, how many of them would choose that way? Given the effort and money used for the OLPC project - on what would those people like to spend it? Or, to ask the question in a polemical way, would they choose Marvell, and why?
>
> The criticism voiced by Siju and others does not only apply to several situations in general, but it does indeed appear to apply to this particular project. :-( Small wonder the project exhibits other flaws, too, when even this central aspect has been screwed up...

These matters are complex, and it's difficult to gauge all the effects.

Months ago I heard a radio news story about one of the countries with many poor people (can't remember which) where many did not have good clothing. Charities in the US and other Western countries collected and donated huge amounts of clothing over a long period of time. Sounds nice? The country in question had a small but growing economy including a healthy textile industry. The influx of clothing effectively killed the textile industry there and put many people out of work, thus increasing the number of poor.

The people donating clothing, and the charities collecting and distributing the clothing, had nothing but the best intentions, and it would be difficult to find *any* but the most noble motives. Still, interfering on a large scale is tricky and has unforeseen consequences. This can't be improved much if there are other motives involved.

I've been staying out of this and I probably shouldn't have posted this, seeing that this is not germane to the issues of open/free. But the door's been opened, and the above is worth considering. To those wishing references, I don't have them. I heard it on NPR, and that's about all I remember.

-- 
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
Re: graphviz rendering of installed ports dependencies
Now, with colored nodes, colored dependencies, and options handling:

#!/bin/sh

PROGNAME=$(basename "$0")
NODE_COLOR=0
DEP_COLOR=0
TOP_COL=greenyellow
BOTTOM_COL=firebrick
DEP_COL=lightgrey
TOP_PKGS=""

# Print the transitive closure of the dependencies of package $1,
# one package name per word.
get_fulldepends()
{
        FULLDEP=""
        STEP=$(pkg_info -f "$1" | grep '@depend' | cut -d':' -f3 | tr '\n' ' ')
        until [ -z "$STEP" ] ; do
                DEP=$(echo $STEP | cut -d' ' -f1)
                # only expand a dependency the first time it is seen
                echo "$FULLDEP" | grep "$DEP" > /dev/null
                if [ $? -ne 0 ] ; then
                        FULLDEP="$FULLDEP $DEP"
                        STEP="$STEP $(pkg_info -f "$DEP" | grep '@depend' | cut -d':' -f3 | tr '\n' ' ')"
                fi
                STEP=$(echo $STEP | cut -s -d' ' -f2- | tr -d '\n')
        done
        echo $FULLDEP
}

ARGS=$(getopt nDb:d:t: $*)
if [ $? -ne 0 ] ; then
        echo "$PROGNAME [-nD] [-b color] [-d color] [-t color]"
        exit 2
fi
set -- $ARGS
for i
do
        case "$i" in
        -n)     NODE_COLOR=1
                shift;;
        -D)     DEP_COLOR=1
                shift;;
        -b)     NODE_COLOR=1
                BOTTOM_COL=$2; shift; shift;;
        -d)     DEP_COLOR=1
                DEP_COL=$2; shift; shift;;
        -t)     NODE_COLOR=1
                TOP_COL=$2; shift; shift;;
        --)     shift; break;;
        esac
done

echo "digraph pkg_dep"
echo "{"
for PKG in $(pkg_info | cut -d' ' -f1) ; do
        PKG_INFO=$(pkg_info -c "$PKG" | tail -n+4 | tr -s '\n')
        echo "\t\"$PKG\" [label=\"$PKG\\n$PKG_INFO\"];"
        REQ_BY=""
        for REQ_BY in $(pkg_info -R "$PKG" | tail -n+4 | tr -s '\n') ; do
                echo "\t\"$REQ_BY\" -> \"$PKG\";"
        done
        if [ -z "$REQ_BY" ] ; then
                # nothing requires it: remember it as a top-level package
                TOP_PKGS="$TOP_PKGS $PKG"
        fi
        if [ $NODE_COLOR -eq 1 ] ; then
                REQ=$(pkg_info -f "$PKG" | grep '@depend' | cut -d':' -f3)
                if [ -z "$REQ_BY" ] ; then
                        echo "\t\"$PKG\" [color=\"$TOP_COL\", style=\"filled\"];"
                elif [ -z "$REQ" ] ; then
                        echo "\t\"$PKG\" [color=\"$BOTTOM_COL\", style=\"filled\"];"
                fi
        fi
done
if [ $DEP_COLOR -eq 1 ] ; then
        # one filled cluster per top-level package, holding everything it pulls in
        for PKG in $TOP_PKGS ; do
                echo
                echo "\tsubgraph \"cluster_$PKG\""
                echo "\t{"
                echo "\t\tstyle=filled;"
                echo "\t\tcolor=$DEP_COL;"
                echo "\t\tlabel=\"all-$PKG\";"
                echo "\t\t\"$PKG\";"
                for P in $(get_fulldepends "$PKG") ; do
                        echo "\t\t\"$P\";"
                done
                echo "\t}"
        done
fi
echo "}"
exit 0

2006/10/8, Bruno Carnazzi [EMAIL PROTECTED]:
> Now, with colors:
> [SNIP]
>
> 2006/10/8, Bruno Carnazzi [EMAIL PROTECTED]:
> > First blood:
> > [SNIP]
> >
> > But for my big packages set, it does not produce a beautiful graph. Does someone know how to beautify it?
> >
> > Thank you,
> >
> > Bruno.
> >
> > Attached, my generated dot file (gosh! gdm is really a pig!):
> > [SNIP]
> >
> > 2006/10/7, Matthias Kilian [EMAIL PROTECTED]:
> > > On Sat, Oct 07, 2006 at 10:32:21PM +0400, Bruno Carnazzi wrote:
> > > > Does someone know if this kind of stuff already exists?
> > >
> > > I just found this one (old, untested, and after all *not* supported, since it seems to directly access /var/db/pkg):
> > > http://vgai.de/gpkgview.sh
> > >
> > > Ciao,
> > >         Kili
Re: best hardware platform for openbsd
On Sun, 8 Oct 2006, Gustavo Rios wrote:
> I meant more CPU processing cycles per a given constant amount of money! That's it.

Hmmm, before I answer that question I'd like to know what the intended uses are. For example, for a DNS server I would seriously consider some of the platforms recently added, armish for one.

diana
Re: Loading pf rules at boot with '-o' flag to pfctl...
On 10/8/06, z0mbix [EMAIL PROTECTED] wrote:
> You are supposed to use the -o option to optimise your ruleset, then correct the ruleset in /etc/pf.conf so there should be no need to load the ruleset with -o every time.

Ok, thanks, my bad. I originally thought the intent of the flag was to permit a user to keep a pf.conf ruleset organized in a way that made sense to him/her, yet have pfctl optimize it for better runtime performance when loading.

-Martin
Re: graphviz rendering of installed ports dependencies
Note there is a problem when graphing application dependencies (-D option). Graphviz can not draw nodes that are shared in multiple subgraphs (i.e. a shared library used by multiple applications). So, this functionality only works for simple installations.

Explanation: https://mailman.research.att.com/pipermail/graphviz-interest/2006q1/003421.html

Best regards,

Bruno.

2006/10/8, Bruno Carnazzi [EMAIL PROTECTED]:
> Now, with colored nodes, colored dependencies, and options handling:
> [SNIP]
>
> 2006/10/8, Bruno Carnazzi [EMAIL PROTECTED]:
> > Now, with colors:
> > [SNIP]
> >
> > 2006/10/8, Bruno Carnazzi [EMAIL PROTECTED]:
> > > First blood:
> > > [SNIP]
> > >
> > > But for my big packages set, it does not produce a beautiful graph. Does someone know how to beautify it?
> > >
> > > Thank you,
> > >
> > > Bruno.
> > >
> > > Attached, my generated dot file (gosh! gdm is really a pig!):
> > > [SNIP]
> > >
> > > 2006/10/7, Matthias Kilian [EMAIL PROTECTED]:
> > > > On Sat, Oct 07, 2006 at 10:32:21PM +0400, Bruno Carnazzi wrote:
> > > > > Does someone know if this kind of stuff already exists?
> > > >
> > > > I just found this one (old, untested, and after all *not* supported, since it seems to directly access /var/db/pkg):
> > > > http://vgai.de/gpkgview.sh
> > > >
> > > > Ciao,
> > > >         Kili
IPv6 over PPPoE
Hi all

With the help of my ISP I'm trying to get native IPv6 over ADSL (PPPoE). This isn't a regular offer and I'm the first customer who tries it out.

My ISP has set me the following two RADIUS attributes:

Framed-IPv6-Prefix = 2001:x:3000::1
Framed-IPv6-Route = 2001:x:4000::/48 2001:x:3000::1 1

To debug everything I used userspace ppp with the following ppp.conf:

--
default:
 set log Phase Chat IPCP IPV6CP CCP tun command
 set redial 15 0
 set reconnect 15 0

pppoe:
 set device "!/usr/sbin/pppoe -i sis1"
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1454
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname username
 set authkey password
 add! default HISADDR
 add! default HISADDR6
 disable dns
 enable mssfixup
 enable ipv6
 enable ipv6cp
--

I'm unable to receive any IPv6 traffic over the wire:

--
PPP ON clockwork> show ipv6cp
IPV6CP [Opened]
 His side: fe80::ff1c:1402
 My side:  fe80::2fe9:29b9
 Queued packets: 0
Defaults:
 FSM retry = 3s, max 5 Config REQs, 5 Term REQs
 Connect time: 0:04:04
 0 octets in, 4472 octets out
 0 packets in, 77 packets out
 overall 18 bytes/sec
 currently 0 bytes/sec in, 56 bytes/sec out (over the last 5 secs)
 peak 280 bytes/sec on Sun Oct  8 16:46:09 2006
PPP ON clockwork>
--

Some packets out, but no packets in. If I run tcpdump on my sis1 interface I see that the icmp echo-requests are actually sent encapsulated in PPPoE. But I never get an answer. I tried to reach fe80::ff1c:1402 and some other IPv6-enabled sites (like mirror.switch.ch). Wasn't successful.

I'm not really sure if I'm making a mistake in my configuration. Has anyone of you any comments about my configuration or even a sample ppp.conf for using IPv6? I haven't found any IPv6-capable sample configuration with Google.

Besides that there are two things which I worry about:

- Both sides of the connection have link-local addresses assigned (fe80::). Is this the expected behaviour?

- According to the manual page the Framed-IPv6-Prefix can be used in commands through the IPV6PREFIX variable. Does that mean that I manually need to set the non link-local address on the device? How? I tried out with

ifconfig tun0 inet6 2001:x:3000::1

This resulted in the icmp echo-requests being sent with src address 2001:x:3000::1 - but there was still no answer.

According to the log files on my system everything looks fine. Has anyone advice about how to further debug that issue?

Regards,
Thomas.
Re: Letter to OLPC
On Sun, Oct 08, 2006 at 02:22:35PM +0200, Ingo Schwarze wrote:
> Theo de Raadt wrote on Sat, Oct 07, 2006 at 02:55:22PM -0600:
> > Adriaan [EMAIL PROTECTED] wrote:
> > > See Jim Gettys defense at http://www.gettysfamily.org/wordpress/?p=27
> > [...]
> > > You can't say anything bad about the children, can you?
> >
> > Just as your rhetorical question suggests, indeed you can.
>
> I still hoped OLPC might at least focus on an appropriate auditorium. For example, here in Germany we do have millions of (relatively!!) disadvantaged children who might profit from free laptops (though i suspect the same money spent on teacher salaries to have more basic language training or even spent on better public toothcare might help them better).
>
> But the following paragraph by Jim Gettys flabbergasted me:
>
> || Many or most children in the world do not have electric
> || power, nor do they have computer networking. Without
> || power being available, even if access points cost nothing,
> || you have no network. So we are deploying mesh networking,
> || to allow a child's laptop to forward packets for their
> || friend or neighbor's laptop; each laptop becomes, in
> || effect, a battery powered access point for the others.
>
> So those children will get laptops before their families have electricity? Had they any choice, how many of them would choose that way? Given the effort and money used for the OLPC project - on what would those people like to spend it? Or, to ask the question in a polemical way, would they choose Marvell, and why?
>
> The criticism voiced by Siju and others does not only apply to several situations in general, but it does indeed appear to apply to this particular project. :-( Small wonder the project exhibits other flaws, too, when even this central aspect has been screwed up...

Just to add some numbers, and because it's a neat tool (even if the 'export to Excel' button is evil [1]):

http://jschipper.dynalias.net/~joachim/posts/20061008/hdr_report.html

The source should be rather obvious. This page is on my home server, which is turned off when I feel like it (i.e. not often, but not never either), so might be unreliable. Play around on hdr.undp.org if so inclined.

Joachim

[1] Any reason why 'export to CSV' is not in there?
OpenBSD IPSec/ipsecctl + setkey
Hello misc

I'm trying to set up IPSec between my OpenBSD wireless access point and a Linux client using setkey. I have managed to get IPSec working fine between the other OpenBSD servers on my network using ipsecctl, almost seemed too easy. Below are my ipsec.conf from the OpenBSD box and the ipsec.conf from the Linux box. I've made sure to allow all esp/ah traffic through pf and I'm not getting any errors in pflog.

OpenBSD ipsec.conf:

flow esp from 192.168.3.1 to 192.168.3.100

esp from 192.168.3.1 to 192.168.3.100 spi 0xdeadbeef:0xbeefdead \
        auth hmac-md5 \
        enc 3des-cbc \
        authkey 0x360b3821897eb61dfc332e139e14fd62:0x360b3821897eb61dfc332e139e14fd62 \
        enckey 0x49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf:0x61272157401bf304177fa8ac0c38de4095992d06c0499cf7

Linux ipsec.conf:

#!/usr/sbin/setkey -f
flush;
spdflush;

add 192.168.3.100 192.168.3.1 esp 0xbeefdead -E 3des-cbc 0x61272157401bf304177fa8ac0c38de4095992d06c0499cf7;
add 192.168.3.1 192.168.3.100 esp 0xdeadbeef -E 3des-cbc 0x49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf;
add 192.168.3.100 192.168.3.1 ah 0xbeefdead -A hmac-md5 0x360b3821897eb61dfc332e139e14fd62;
add 192.168.3.1 192.168.3.100 ah 0xdeadbeef -A hmac-md5 0x360b3821897eb61dfc332e139e14fd62;

spdadd 192.168.3.100 192.168.3.1 any -P out ipsec esp/transport//use ah/transport//use;
spdadd 192.168.3.1 192.168.3.100 any -P in ipsec esp/transport//use ah/transport//use;

I hope this is all the information someone requires to help.

Thanks

Tom
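For reference, here is an added example of a manually keyed pair in which both ends describe the same thing; it is not Tom's configuration and not from the thread. Two points are worth checking against the posted files. First, the OpenBSD line `esp ... auth hmac-md5 enc 3des-cbc` defines one ESP SA per direction with the HMAC carried inside ESP, whereas the setkey side defines an encryption-only ESP SA plus a separate AH SA per direction, so the two hosts are not configured with the same protocol stack. Second, the Linux `use` policies allow traffic to fall back to cleartext when no matching SA exists, which hides exactly this kind of mismatch, whereas `require` drops it. The example below uses ESP with integrated authentication in transport mode on both sides, `require` policies, and the same SPI and keys per direction on both hosts (in ipsec.conf(5) the value before the colon belongs to the 192.168.3.1 to 192.168.3.100 direction, the value after it to the reverse). AES-128-CBC with HMAC-SHA1 is used because both implementations agree on the key lengths (16 and 20 bytes); the posted 3des-cbc/hmac-md5 pair would interoperate the same way. The keys and SPIs are patterned placeholders of the correct length; generate real ones with `openssl rand -hex 16` and `openssl rand -hex 20`.

```conf
# --- OpenBSD side (192.168.3.1): /etc/ipsec.conf ---
# Policy: everything between the two hosts must be protected by ESP.
flow esp transport from 192.168.3.1 to 192.168.3.100 type require

# One SA per direction, keyed by hand. Before the colon: 192.168.3.1 -> 192.168.3.100,
# after it: 192.168.3.100 -> 192.168.3.1. Keys are placeholders (16-byte AES key,
# 20-byte HMAC-SHA1 key); replace them with output of openssl rand -hex 16 / -hex 20.
esp transport from 192.168.3.1 to 192.168.3.100 spi 0x1000a001:0x1000a002 \
        auth hmac-sha1 enc aes \
        authkey 0x0102030405060708090a0b0c0d0e0f1011121314:0x1415161718191a1b1c1d1e1f2021222324252627 \
        enckey 0x000102030405060708090a0b0c0d0e0f:0x101112131415161718191a1b1c1d1e1f

# --- Linux side (192.168.3.100): setkey script, e.g. /etc/ipsec.conf ---
#!/usr/sbin/setkey -f
flush;
spdflush;

# 192.168.3.1 -> 192.168.3.100: SPI 0x1000a001 with the first key of each pair above
add 192.168.3.1 192.168.3.100 esp 0x1000a001 -m transport
        -E aes-cbc   0x000102030405060708090a0b0c0d0e0f
        -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;

# 192.168.3.100 -> 192.168.3.1: SPI 0x1000a002 with the second key of each pair
add 192.168.3.100 192.168.3.1 esp 0x1000a002 -m transport
        -E aes-cbc   0x101112131415161718191a1b1c1d1e1f
        -A hmac-sha1 0x1415161718191a1b1c1d1e1f2021222324252627;

# require, not use: never fall back to cleartext if the SA is missing or wrong
spdadd 192.168.3.100 192.168.3.1 any -P out ipsec esp/transport//require;
spdadd 192.168.3.1 192.168.3.100 any -P in  ipsec esp/transport//require;
```

After loading with `ipsecctl -f /etc/ipsec.conf` on OpenBSD and `setkey -f /etc/ipsec.conf` on Linux, compare `ipsecctl -s all` with `setkey -D` (SAs) and `setkey -DP` (policies): SPIs, algorithms and directions must line up pairwise. With `require` in place a remaining mismatch shows up as dropped traffic rather than as silently unencrypted packets, and `tcpdump -ni <interface> esp` on either host confirms that what leaves the wire is ESP. If pf sits in the path, only protocol esp (IP protocol 50) needs to pass between the two hosts now, since AH is no longer used.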
Re: IPv6 over PPPoE
On Sun, Oct 08, 2006 at 05:41:33PM +0200, Thomas Bader wrote:
> Hi all
>
> With the help of my ISP I'm trying to get native IPv6 over ADSL (PPPoE). This isn't a regular offer and I'm the first customer who tries it out.
>
> My ISP has set me the following two RADIUS attributes:
>
> Framed-IPv6-Prefix = 2001:x:3000::1
> Framed-IPv6-Route = 2001:x:4000::/48 2001:x:3000::1 1
>
> To debug everything I used userspace ppp with the following ppp.conf:
>
> --
> default:
>  set log Phase Chat IPCP IPV6CP CCP tun command
>  set redial 15 0
>  set reconnect 15 0
>
> pppoe:
>  set device "!/usr/sbin/pppoe -i sis1"
>  disable acfcomp protocomp
>  deny acfcomp
>  set mtu max 1454
>  set speed sync
>  enable lqr
>  set lqrperiod 5
>  set cd 5
>  set dial
>  set login
>  set timeout 0
>  set authname username
>  set authkey password
>  add! default HISADDR
>  add! default HISADDR6
>  disable dns
>  enable mssfixup
>  enable ipv6
>  enable ipv6cp
> --
>
> I'm unable to receive any IPv6 traffic over the wire:
>
> --
> PPP ON clockwork> show ipv6cp
> IPV6CP [Opened]
>  His side: fe80::ff1c:1402
>  My side:  fe80::2fe9:29b9
>  Queued packets: 0
> Defaults:
>  FSM retry = 3s, max 5 Config REQs, 5 Term REQs
>  Connect time: 0:04:04
>  0 octets in, 4472 octets out
>  0 packets in, 77 packets out
>  overall 18 bytes/sec
>  currently 0 bytes/sec in, 56 bytes/sec out (over the last 5 secs)
>  peak 280 bytes/sec on Sun Oct  8 16:46:09 2006
> PPP ON clockwork>
> --
>
> Some packets out, but no packets in. If I run tcpdump on my sis1 interface I see that the icmp echo-requests are actually sent encapsulated in PPPoE. But I never get an answer. I tried to reach fe80::ff1c:1402 and some other IPv6-enabled sites (like mirror.switch.ch). Wasn't successful.
>
> I'm not really sure if I'm making a mistake in my configuration. Has anyone of you any comments about my configuration or even a sample ppp.conf for using IPv6? I haven't found any IPv6-capable sample configuration with Google.

hi,

i don't see anything bad with your config, currently i'm using something quite similar:

/etc/hostname.xl0:
inet 10.0.0.4 255.255.255.0 NONE
inet6 alias 2001:x:4da3::1

/etc/hostname.tun0:
!/usr/sbin/ppp -ddial -unit0 myisp

/etc/ppp/ppp.conf:
default:
 set log tun phase

myisp:
 set log phase
 set redial 15 0
 set device "!/usr/sbin/pppoe -i ep1"
 set speed sync
 set authname mylogin
 set authkey mypasswd
 set mtu max 1492
 set mru max 1492
 disable mssfixup acfcomp protocomp
 deny acfcomp protocomp
 enable lqr

/etc/ppp/ppp.linkup:
myisp:
 add! MYADDR 127.0.0.1
 add! default HISADDR
 add! MYADDR6 ::1
 add! default HISADDR6

> Besides that there are two things which I worry about:
>
> - Both sides of the connection have link-local addresses assigned (fe80::). Is this the expected behaviour?

afaik yes; that's what ifconfig(8) gives for my tun(4) device:

$ ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        groups: tun egress
        inet6 fe80::2e0:29ff:fe00:2e0d%tun0 -> prefixlen 64 scopeid 0x8
        inet x.x.x.x --> y.y.y.y netmask 0x

> - According to the manual page the Framed-IPv6-Prefix can be used in commands through the IPV6PREFIX variable. Does that mean that I manually need to set the non link-local address on the device? How? I tried out with
>
> ifconfig tun0 inet6 2001:x:3000::1
>
> This resulted in the icmp echo-requests being sent with src address 2001:x:3000::1 - but there was still no answer.

hmm.. this may overwrite your link-local address. Try to make an alias with your static IPv6 address:

ifconfig tun0 inet6 alias 2001:x:3000:1

hth,
-- 
Alexandre
OpenBSD PF firewall and Cisco VPN client
I am new to setting up VPNs. Is the following possible using OpenBSD pf for firewalling? The internal network is made up of Windows servers and workstations, and the external laptop/workstation is running Windows as well as having Cisco VPN client software. Would this external machine running Windows and the Cisco client be able to connect into the network remotely over the VPN through an OpenBSD based firewall? If this is possible I would appreciate if someone could point me in the right direction of where to read the appropriate documentation or guides. Thanks.

Phusion
Re: Letter to OLPC
Jeroen Massar wrote:
> Daniel Ouellet wrote:
>> [.. a part that you didn't want to make a 'point' about anyway..]
>>
>> Man, I must be pretty darn stupid I have to say. My point wasn't about the damn licenses or comparing GPL to BSD for crying out loud!
>
> Then don't mention it. Also learn how to reply to email: http://en.wikipedia.org/wiki/Posting_styles#Inline_replying
>
>> I quote an extract of their own answer, on which you pick up only.
>
> From which you should know that I didn't comment on the rest of your comment as I didn't have any (important) comments on that part; the part I did comment on I did have a big comment on ;) Trying to tell me not to make a comment about something you wrote is IMHO 'darn stupid'. But hey, I don't have to say that to somebody who already writes that that is the case ;) <insert No offense and other such thingies>

Let me put it better then. I use their GPL part here ONLY to show how much more ridiculous the answer was and, opposed to what you say, they wrote, and I quote, "A GPL Linux device driver for the Marvell wireless chip..." and then at the same time they say they can't release anything. Then you go saying it's possible to keep secret code that is GPL. All just doesn't fit, sorry!

What got me going was that you turn the stupidity of their answer into a GPL/BSD issue that frankly has nothing to do with the essence of the problem, where they refuse to release documentation and allow redistribution of FIRMWARE, but at the same time USE GPL, which by itself, if GPL ZEALOTS should go all over their own convictions, should make them say "hey, you can't do that", and they don't. So, in the end it's all talk and nothing more. But I didn't make it a GPL issue, I use the GPL to show how untrue they really are, based on the principle of the license that all GPL defenders say it's good for.

You are right in the fact that I maybe shouldn't have included it in the reply, but reading it, it was just too obvious that they were doing plenty in bad faith here, including screwing up with the GPL license that is supposed to stop them from doing that exact same thing! And it was just way too obvious that they were not respecting the spirit of their own roots in terms of code used either.

Maybe my hopes, obviously wrong here, were to put the spotlight on this part of the issue as well and include even the same Linux guys, if you want to put pressure on OLPC and Marvell for taking and not giving back, and they are supposed to do so based on the same Linux (GPL) point of view. To me that's a very good example of testing their own convictions. They always said their license is very good, but it has never been tested. Maybe with the size of this issue here it's time they test it, no? They should request to have open documentation and if they can't, they can always use the GPL they love so much to force it open, and pressure the OLPC to do the right thing. But it looks like it will never happen.

Best,

Daniel
Re: Problems with traffic shaping
I don't see anything wrong here, perhaps tired eyes.

If you run PPPoE, and the DSL line is then ATM AAL5 with LLC/SNAP encapsulation, altq isn't going to be very effective in cases where you have lots of ACKs going upstream. When altq sees an ACK it calculates 40 bytes, but that ACK is 106 bytes (2 ATM cells) on your DSL line.

I modified the token bucket regulator in the kernel to adjust to what actually happens on the DSL line and after that the shaper worked as expected. I was planning to implement it properly so one could configure it from pf.conf with some option like "tbradapt PPPoE-ATM-AAL5-LLCSNAP" per queue, so I could support other types of links also, but I can never find the time to actually do it.

Time to try to get the kids to sleep.

/Tony

On 08/10/06, S t i n g r a y [EMAIL PROTECTED] wrote:
> Well it's PPPoE over DSL here .. also i ran the command pfctl -vvsq and got the following result, can you tell me what's wrong? looks fishy
>
> bash-3.1# pfctl -vvsq
> queue root_fxp0 bandwidth 500Kb priority 0 cbq( wrr root ) {www, msn, https, def, smtp}
>   [ pkts:       7735  bytes:    1320956  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
> queue www bandwidth 150Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
> queue msn bandwidth 75Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
> queue https bandwidth 125Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
> queue def bandwidth 125Kb cbq( red borrow default )
>   [ pkts:       7735  bytes:    1320956  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:   2229  suspends:      0 ]
> queue smtp bandwidth 25Kb
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>
> queue root_fxp0 bandwidth 500Kb priority 0 cbq( wrr root ) {www, msn, https, def, smtp}
>   [ pkts:       8105  bytes:    1381772  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:    74.0 packets/s, 97.31Kb/s ]
> queue www bandwidth 150Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue msn bandwidth 75Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue https bandwidth 125Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue def bandwidth 125Kb cbq( red borrow default )
>   [ pkts:       8105  bytes:    1381772  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:   2296  suspends:      0 ]
>   [ measured:    74.0 packets/s, 97.31Kb/s ]
> queue smtp bandwidth 25Kb
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
>
> queue root_fxp0 bandwidth 500Kb priority 0 cbq( wrr root ) {www, msn, https, def, smtp}
>   [ pkts:       8496  bytes:    1444388  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:    76.1 packets/s, 98.75Kb/s ]
> queue www bandwidth 150Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue msn bandwidth 75Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue https bandwidth 125Kb cbq( red borrow )
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue def bandwidth 125Kb cbq( red borrow default )
>   [ pkts:       8496  bytes:    1444388  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:   2384  suspends:      0 ]
>   [ measured:    76.1 packets/s, 98.75Kb/s ]
> queue smtp bandwidth 25Kb
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
>
> Stingray
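Tony's "40 bytes in altq, 106 bytes on the line" figure follows from the cell maths of the encapsulation he names. The calculator below is an added example (not Tony's kernel patch, and not part of pf or altq); it models PPPoE on Ethernet, bridged over AAL5 with RFC 2684 LLC/SNAP, with the Ethernet FCS assumed stripped, which is the usual bridged-mode setting but is an assumption here. It shows what an ATM-aware token bucket regulator would have to charge per packet, and how far an IP-byte shaper is off for each packet size.

```python
import math

# Encapsulation stack assumed (PPPoE on Ethernet, bridged over ATM AAL5
# with RFC 2684 LLC/SNAP). All sizes are in bytes.
ATM_CELL = 53            # bytes per cell on the line (5 header + 48 payload)
ATM_PAYLOAD = 48         # usable payload per cell
AAL5_TRAILER = 8         # UU, CPI, length, CRC-32; padding before it fills the last cell
LLC_SNAP_BRIDGED = 10    # LLC/SNAP header for bridged Ethernet, including the 2-byte pad
ETHERNET_HDR = 14        # dst, src, ethertype; FCS assumed stripped (assumption)
PPPOE_HDR = 6            # PPPoE session header
PPP_PROTO = 2            # PPP protocol field


def atm_cells(ip_len):
    """Cells needed on the line for one IP datagram of ip_len bytes."""
    sdu = (ip_len + PPP_PROTO + PPPOE_HDR + ETHERNET_HDR
           + LLC_SNAP_BRIDGED + AAL5_TRAILER)
    return math.ceil(sdu / ATM_PAYLOAD)


def atm_wire_bytes(ip_len):
    """Bytes the DSL line actually carries for one IP datagram."""
    return atm_cells(ip_len) * ATM_CELL


def shaper_undercount(ip_len):
    """Factor by which the line load exceeds what an IP-level token bucket charges."""
    return atm_wire_bytes(ip_len) / ip_len


def wire_bytes_for(ip_lens):
    """Line bytes for a sequence of datagram sizes: what an ATM-aware token
    bucket regulator should charge instead of sum(ip_lens)."""
    return sum(atm_wire_bytes(n) for n in ip_lens)


if __name__ == "__main__":
    # Constructed sample burst: two bare ACKs, one full-size segment, one ACK with options.
    sample = [40, 40, 1500, 52]
    print(f"{'ip':>6} {'cells':>5} {'wire':>6} {'x':>5}")
    for n in (40, 52, 576, 1492, 1500):
        print(f"{n:6d} {atm_cells(n):5d} {atm_wire_bytes(n):6d} {shaper_undercount(n):5.2f}")
    print("sample burst: altq counts", sum(sample),
          "bytes, the line carries", wire_bytes_for(sample))
```

Two things fall out of the table: a bare ACK costs 2.65 times what altq charges for it, so an ACK-heavy upstream blows through a queue limit set at the sync rate, and a 1500-byte datagram needs 33 cells where a 1492-byte one fits in 32, so the PPPoE MTU is also the cell-efficient size. The constants change if the ISP uses VC-mux instead of LLC/SNAP or routed instead of bridged encapsulation, so measure your own line before relying on the numbers.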
Vlans using a trunk device
While working with the trunk and vlan features of OpenBSD, I ran into one thing that I do not understand. In order to use a trunk device for multiple vlans, the trunk device must have an ip address assigned. Let me illustrate my configuration (vlan ids do not match, but it's not relevant, see ifconfig for exact info):

[ASCII diagram in the original: router, modem and servers attached to a switch; the switch carries vlan2 (inet), vlan3 (lan) and vlan4 (dmz) over the trunk; workstations hang off the switch too.]

ifconfig reads like this:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
gem0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        trunk: trunkdev trunk0
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        trunk: trunkdev trunk0
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 fe80::a00:20ff:feca:7dc4%hme0 prefixlen 64 scopeid 0x2
hme1: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        trunk: trunkdev trunk0
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        trunk: trunkdev trunk0
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
hme3: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        trunk: trunkdev trunk0
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 fe80::a00:20ff:feca:7dc7%hme3 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        trunk: trunkproto roundrobin
                trunkport hme0 active
                trunkport hme1 active
                trunkport hme3 active
                trunkport hme2 active
                trunkport gem0 master,active
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet 10.1.1.1 netmask 0xff00 broadcast 10.1.1.255
        inet6 fe80::203:baff:fe04:b21d%trunk0 prefixlen 64 scopeid 0xa
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        vlan: 10 priority: 0 parent interface: trunk0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan10 prefixlen 64 scopeid 0xb
        inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        vlan: 2 priority: 0 parent interface: trunk0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan2 prefixlen 64 scopeid 0xc
        inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        vlan: 3 priority: 0 parent interface: trunk0
        groups: vlan egress
        inet6 stripped%vlan3 prefixlen 64 scopeid 0xd
        inet x.x.x.x netmask 0x broadcast z.z.z.z
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:03:ba:04:b2:1d
        vlan: 30 priority: 0 parent interface: trunk0
        groups: vlan
        inet6 fe80::203:baff:fe04:b21d%vlan30 prefixlen 64 scopeid 0xe
        inet 10.180.17.1 netmask 0xff00 broadcast 10.180.17.255

The switch is configured such that the ports for the nodes are untagged and every vlan sends tagged packets to the trunk.

When the trunk interface does not have an ip address assigned, no traffic moves through the vlans. This is what I am not understanding. I assigned 10.1.1.1 to the trunk interface since I am not using that subnet. How should I handle this subnet in my pf rules?

The route tables show 10.1.1/24 as a routable subnet because it is assigned to the trunk interface:

# route -n show
(Routing tables scrubbed to not wrap, and removed nodes)
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            x.x.x.x            UGS        0   725698     -  vlan3
10.1.1/24          link#10            UC         0        0     -  trunk0
10.107.208/24      link#12            UC         0        0
Re: lightweight openbsd
> I am trying to make [OpenBSD] smaller by deleting unuseful files. I read man and then decide whether I need it or not. After deleting a dozen files I received different errors during startup.

Don't do that then.

> I want to install it to 128mb CF.

Unless you really WANT to find yourself totally out on a limb, ridiculed, laughed at and ignored, you need at least 587MB disk space. Why, you ask? Well, because. See http://tinyurl.com/qwm87 .

That said, I will now give you some information that is probably going to make ME a legitimate target for the very same ridicule. Not because I wish to disrupt this list, but because I believe that if in doubt, disclose:

A 256MB CF card should do the trick.

I have an old PC that I could either bin or put to use. I chose to put it to use by squeezing OpenBSD onto it. That PC has a 210MB HDD. I installed only the following:

  [X] bsd
  [ ] bsd.rd
  [ ] bsd.mp
  [X] base39.tgz
  [X] etc39.tgz
  [ ] misc39.tgz
  [ ] comp39.tgz
  [X] man39.tgz
  [X] game39.tgz
  [ ] xbase39.tgz
  [ ] xetc39.tgz
  [ ] xshare39.tgz
  [ ] xfont39.tgz
  [ ] xserv39.tgz

You could probably leave out man and game, but it won't win you much.

You're probably now going to ask how I partitioned my HDD. This is where it gets really fugly. I was lazy, risky, naughty, etc. and used a 5MB swap partition (the machine has 40MB RAM) and only a **single** '/' partition (occupying the rest of the disk) for everything.

!!! You should never do this. !!!

Using a single '/' partition for everything is a very ugly, dangerous and desperate measure. There are reasons why the OpenBSD FAQ tells you to create separate partitions. Just as an example: where this is not done, it might be possible for a program that has the right to write to /tmp to fill up the entire disk, as there is no separation between /tmp and /. This is really bad and might lead to all kinds of unforeseeable problems.

!!! Do as I say, not as I do. !!!

Using du(1) and friends to figure out precisely what's taking up how much disk space on the 210MB system in question, I can see this:

# du -hPs /usr
144M    /usr
# du -hPs /var
6.4M    /var
# du -hPs /tmp
2.0K    /tmp
# df
Filesystem  512-blocks      Used     Avail Capacity  Mounted on
/dev/wd0a       396444    355856     20768    94%    /
# disklabel wd0
# Inside MBR partition 3: type A6 start 38 size 416442
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: Conner Periphera
flags:
bytes/sector: 512
sectors/track: 38
tracks/cylinder: 16
sectors/cylinder: 608
cylinders: 685
total sectors: 416480
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:        406144         10336  4.2BSD   2048 16384  503 # Cyl    17 -   684
  b:         10298            38    swap                   # Cyl     0*-   16
  c:        416480             0  unused      0     0      # Cyl     0 -   684

So you probably could partition a 256MB CF like this:

  /       60MB  (root)
  /usr   160MB  (no X)
  /var    15MB
  /tmp    15MB
  swap     6MB

Doing so may not spare you ridicule on this list, because people could legitimately ask you what part of "These are minimum values." @ http://tinyurl.com/qwm87 you don't understand. However, using such separate partitions would be less naughty than doing what --I'm ashamed to say-- I've done.

Also, be aware that the above does not include comp39.tgz -- if you want to compile something, you'll need a separate box to do that. Plus, your options for installing any software at all on that PC are severely curtailed. What I'm doing with that box is running pf(4), playing wump(6) or tetris(6) via serial console and/or ssh, and that's pretty much it.

In summary:

- 128MB HDD -- fuggeddaboutit!
- 256MB HDD -- technically possible (cf. above), but might earn you public ridicule.
- 512MB HDD -- still below the FAQ minimum, but you might just get away with it.
- 1GB HDD -- go play.

Thanks and regards,
Jens
Re: lightweight openbsd
* ropers wrote:
>> I am trying to make [OpenBSD] smaller by deleting unuseful files. I read man and then decide whether I need it or not. After deleting a dozen files I received different errors during startup.

OpenBSD, with samba, cups and everything to make a nice embedded server, can be packed in a file of less than 8 MB (we call that firmware). Of course, that needs a bit of engineering. We even put a nice command line interface on top of it, so you can configure your system with a simple command set (this system, of course, is no longer OpenBSD per se, although it is based on OpenBSD and uses the OpenBSD kernel).

- mb
Re: FTP Account Lockout
Also, you could do the following:

1) Limit the scope of the PCI certification by placing all CC storing or processing systems on a DMZ behind an appropriately configured firewall; AND
2) make sure that your FTP server is outside of this DMZ.

This assumes that the FTP server does not contain or process credit card data, and does not have access to the new credit card processing environment. "Appropriately configured firewall" of course means configured according to the principle of least privilege, and in accordance with the rest of the PCI DSS requirements.

Mark Maxey wrote:
> You can approach this a couple of ways:
>
> 1. eliminate plaintext ftp altogether. SSHv2 is an excellent free replacement here, or you can use FTP-SSL
> 2. restrict access to this service in your firewall by ip
> 3. put the ftp behind vpn
>
> I'm a visa QDSP and these are a couple of things you could do.
>
> Joachim Schipper said:
>> On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:
>>> Hello list,
>>>
>>> The company I work for is required to get PCI (Payment Card something-or-other) certified in order to keep doing some of the things that we are doing with credit card payments. When I started working here it was an all MS shop, including the FTP server. In order to help secure things (at all), I talked the boss into letting me set up an OpenBSD server as the FTP server instead of windows2003. Since then, I have also set up firewalls, mail server, IDS etc. all based upon OpenBSD (and loving every minute of it).
>>>
>>> However, now that we need this cert, one of the few things still standing in the way is the requirement that we set up the FTP server to lock out (for 30min.) any account that fails to login 3 times in a row. I haven't been able to find any ftp software that does that. The FTP server that ships with OpenBSD uses system accounts, and I haven't figured out how to do that there either.
>>>
>>> If I don't get this figured out soon, the boss will lose patience and I will be right back to MS hell trying to secure a win2003 ftp server just because it will lock out an account that fails login 3 times in a row. (and then probably figure out how to set up a win2003 firewall, IDS, exchange server, etc etc etc... you get the pic)
>>>
>>> If anyone has any suggestions, please let me know.
>>
>> How about writing a login_* program for /usr/libexec/auth? It would be sufficient to check if there have been too many login attempts recently, and if not, call /usr/libexec/auth/login_passwd (or similar), and pass the response.
>>
>> There is quite a bit of information in login.conf(5). You'll also need to modify this file, so it's a good place to start.
>>
>> Joachim
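The decision logic Joachim's login_* wrapper would need, written out as an added example (it is neither his code nor anything shipped with OpenBSD): three consecutive failures lock the account for 30 minutes, a successful login resets the run, and while locked the real authenticator is not consulted at all. The `check` callable stands in for running /usr/libexec/auth/login_passwd; the `now` parameter injects the clock so the policy can be exercised without waiting. In a real wrapper the per-user state has to live in a root-owned file rather than in memory, because every login runs a fresh process.

```python
"""Consecutive-failure lockout policy for a BSD-auth style login wrapper.

Added example. The wrapper itself (reading the username, talking the
back-channel protocol, invoking login_passwd) is left to the reader; this
is only the part that decides whether an attempt may proceed.
"""
from dataclasses import dataclass, field
import time

MAX_FAILURES = 3             # failures in a row that trigger a lockout (from the thread)
LOCKOUT_SECONDS = 30 * 60    # 30 minutes (from the thread)


@dataclass
class _UserState:
    failures: int = 0        # consecutive failures since the last success/lockout
    locked_until: float = 0  # absolute time; 0 means not locked


@dataclass
class LockoutPolicy:
    max_failures: int = MAX_FAILURES
    lockout_seconds: int = LOCKOUT_SECONDS
    _users: dict = field(default_factory=dict)   # in-memory stand-in for a state file

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        st = self._users.get(user)
        return st is not None and now < st.locked_until

    def record_failure(self, user, now=None):
        """Count one failed attempt; returns True if the account is now locked."""
        now = time.time() if now is None else now
        st = self._users.setdefault(user, _UserState())
        if now < st.locked_until:
            return True                      # still inside an existing lockout
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0                  # the run starts over once the lockout expires
            return True
        return False

    def record_success(self, user):
        """A successful login ends the run of consecutive failures."""
        self._users.pop(user, None)


def authenticate(policy, user, check, now=None):
    """One login attempt. Returns the BSD-auth style verdict string.

    `check` is a zero-argument callable returning True when the password is
    right; in the real wrapper it would run login_passwd. It is deliberately
    not called while the account is locked, so a locked account leaks
    nothing about whether the supplied password was correct.
    """
    if policy.is_locked(user, now):
        return "reject"
    if check():
        policy.record_success(user)
        return "authorize"
    policy.record_failure(user, now)
    return "reject"


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords, then the right one while locked.
    p = LockoutPolicy()
    for t in (0, 10, 20):
        print(t, authenticate(p, "alice", lambda: False, now=t))
    print(100, authenticate(p, "alice", lambda: True, now=100), "(locked)")
    print(20 + LOCKOUT_SECONDS, authenticate(p, "alice", lambda: True, now=20 + LOCKOUT_SECONDS))
```

One property worth keeping when this is turned into a real wrapper: anyone who knows a username can lock that account by failing three times, so the counter file should be root-owned and the lockouts logged, and the administrator needs a way to clear one without waiting half an hour.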
Re: Vlans using a trunk device
On 2006/10/08 15:31, Axton Grams wrote:
> While working with the trunk and vlan features of OpenBSD, I ran into one thing that I do not understand. In order to use a trunk device for multiple vlans, the trunk device must have an ip address assigned.

Your ifconfig output is from when it's working, isn't it? Start from not-working and diff the two (ifconfig > /tmp/broken; ifconfig trunk0 10.1.1.1; ifconfig | diff -u /tmp/broken -) and see what changed. You'll probably see that before you added the address it wasn't configured UP. If that's the case, you just need to add the word "up" on a line in /etc/hostname.trunk0

> Read some postings about changing mtu on vlan devices, but don't know enough to know what to do.

If changing mtu makes a difference to vlans, you're probably better off searching for better NICs.
Re: Vlans using a trunk device
Stuart Henderson wrote:
> On 2006/10/08 15:31, Axton Grams wrote:
>> While working with the trunk and vlan features of OpenBSD, I ran into one thing that I do not understand. In order to use a trunk device for multiple vlans, the trunk device must have an ip address assigned.
>
> Your ifconfig output is from when it's working, isn't it? Start from not-working and diff the two (ifconfig > /tmp/broken; ifconfig trunk0 10.1.1.1; ifconfig | diff -u /tmp/broken -) and see what changed. You'll probably see that before you added the address it wasn't configured UP. If that's the case, you just need to add the word "up" on a line in /etc/hostname.trunk0
>
>> Read some postings about changing mtu on vlan devices, but don't know enough to know what to do.
>
> If changing mtu makes a difference to vlans, you're probably better off searching for better NICs.

Stuart,

Thanks for the info. It must have been some other config problem that I misinterpreted as the trunk interface needing an ip. Altered the hostname.trunk0 with the appropriate parameters (no ip, just up and trunkdevs) and all is well. Started this this morning and changed a lot in that time frame. Works like a charm.

Axton Grams
Thanks (USB umass device)
I plugged in my Attaché USB drive today, and it worked.

scsibus2 at umass1: 2 targets
sd4 at scsibus2 targ 1 lun 0: <PNY, Attache 2.0, 4.70> SCSI0 0/direct removable
sd4: 117MB, 117 cyl, 64 head, 32 sec, 512 bytes/sec, 239872 sec total

Thanks for fixing this issue. I had posted about it not working well over a year ago.

Thanks,
Brian
Re: IPv6 over PPPoE
On 2006/10/08 17:41, Thomas Bader wrote:
> I tried to reach fe80::ff1c:1402

link-local needs the network interface to be specified; you would need fe80::ff1c:1402%tun0 here.

> - According to the manual page the Framed-IPv6-Prefix can be used in commands through the IPV6PREFIX variable.

that's for when you've got ppp(8) at the central site handling connections from clients (authenticating them against a radius server of your own); I may have parsed your message incorrectly but it doesn't sound like that's what you're doing.

> Framed-IPv6-Prefix = 2001:x:3000::1
>
> Both sides of the connection have link-local addresses assigned (fe80::). Is this the expected behaviour?

I don't _think_ so ... I haven't configured it myself but it looks like it probably needs the prefixlen too, e.g.

  Framed-IPv6-Prefix = 2001:x:3000::/64

btw - has anyone in .uk got ppp(8) to connect to BT-provided ADSL by pppoe? (I'd like to try ipv6-over-ppp too but BT keep breaking off LCP and I haven't been able to work out why ... pppoe(4) works nicely but hasn't been taught about ipv6 yet)
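Stuart's two diagnoses, the missing interface suffix on a link-local target and the missing prefix length on Framed-IPv6-Prefix, as small checks one can run over the RADIUS attribute strings before blaming ppp.conf. This is an added example, not code from the thread or from ppp(8); the sample values use the 2001:db8::/32 documentation prefix in place of Thomas's redacted 2001:x:: addresses, parse_framed_route follows the "prefix gateway metric" string form of RFC 3162, and the on-link test for the route's gateway is my own addition.

```python
"""Sanity checks for the IPv6 pieces of a PPPoE/RADIUS setup (added example)."""
import ipaddress


def scoped_target(addr, ifname):
    """Return addr with a %ifname zone suffix when it is link-local and has
    none; anything else (global addresses, already-scoped literals) is
    returned unchanged."""
    if "%" in addr:
        return addr
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.is_link_local:
        return f"{addr}%{ifname}"
    return addr


def check_framed_prefix(value):
    """Validate a Framed-IPv6-Prefix value. Returns (ok, message)."""
    if "/" not in value:
        return False, f"{value}: no prefix length given (expected e.g. .../64)"
    try:
        net = ipaddress.IPv6Network(value, strict=False)
    except ValueError as exc:
        return False, f"{value}: {exc}"
    return True, f"{net}: ok"


def parse_framed_route(value):
    """Parse a Framed-IPv6-Route string: '<prefix> <gateway> <metric>'."""
    parts = value.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'prefix gateway metric', got {value!r}")
    net = ipaddress.IPv6Network(parts[0], strict=False)
    gw = ipaddress.IPv6Address(parts[1])
    return net, gw, int(parts[2])


def gateway_on_link(prefix_value, gateway):
    """True when the route's gateway lies inside the Framed-IPv6-Prefix, i.e.
    the kernel would have a directly connected route to reach it."""
    ok, _ = check_framed_prefix(prefix_value)
    if not ok:
        return False
    return gateway in ipaddress.IPv6Network(prefix_value, strict=False)


if __name__ == "__main__":
    # Constructed attribute values mirroring the thread, with 2001:db8:: in place of 2001:x::
    prefix_as_set = "2001:db8:3000::1"
    prefix_fixed = "2001:db8:3000::/64"
    route = "2001:db8:4000::/48 2001:db8:3000::1 1"
    print(scoped_target("fe80::ff1c:1402", "tun0"))
    print(check_framed_prefix(prefix_as_set))
    print(check_framed_prefix(prefix_fixed))
    net, gw, metric = parse_framed_route(route)
    print(net, gw, metric, gateway_on_link(prefix_fixed, gw))
```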
benefits of older versions
why are older versions of openbsd (or linux or whatever os) kept around? is it because some of the older versions may work better with older machines? for instance, i recall that our 486 and p120 did really well with slackware 8. we're going to get some 486s going again - should i use an older version of openbsd? also, do some people like to stick with what is tried and true? our home servers (p800) are running openbsd 3.9 beautifully. i want to try openbsd 4.0 on my personal machine and wonder whether i should change to 4 on the servers just to stay current. -- In friendship, prad ... with you on your journey Towards Freedom http://www.towardsfreedom.com (website) Information, Inspiration, Imagination - truly a site for soaring I's
Re: Vlans using a trunk device
Two ideas come to mind: Either use one interface for each VLAN, or create VLAN interfaces on each ethernet interface and then trunk all the VLAN interfaces assigned to the same VLAN.

Dustin Lundquist

Axton Grams wrote:
> While working with the trunk and vlan features of OpenBSD, I ran into one thing that I do not understand. In order to use a trunk device for multiple vlans, the trunk device must have an ip address assigned. Let me illustrate my configuration (vlan ids do not match, but it's not relevant, see ifconfig for exact info):
>
> [...]
>
> The switch is configured such that the ports for the nodes are untagged and every vlan sends tagged packets to the trunk.
>
> When the trunk interface does not have an ip address assigned, no traffic moves through the vlans. This is what I am not understanding. I assigned 10.1.1.1 to the trunk interface since I am not using that subnet. How should I handle this subnet in my pf rules?
>
> The route tables show 10.1.1/24 as a routable subnet because it is assigned to the trunk interface:
>
> [...]
Re: benefits of older versions
On Sun, Oct 08, 2006 at 05:39:58PM -0700, prad wrote:
> why are older versions of openbsd (or linux or whatever os) kept around? is it because some of the older versions may work better with older machines? for instance, i recall that our 486 and p120 did really well with slackware 8. we're going to get some 486s going again - should i use an older version of openbsd?
>
> also, do some people like to stick with what is tried and true? our home servers (p800) are running openbsd 3.9 beautifully. i want to try openbsd 4.0 on my personal machine and wonder whether i should change to 4 on the servers just to stay current.

In some situations it may be difficult to upgrade to the latest release. For that, it's good to have critical patches available for a period of time.

If you have any good way of upgrading, then you should do it. If you are unsure of the upgrade and have a spare computer available then try it there first.

If you have problems, your best chance of getting help is when you run the current version. That's what the developers have been working on, and that's what everyone else is using.

--
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
Re: best hardware plataform for openbsd
I would use them for an X server. It will serve about 128 X clients.

On 10/8/06, Diana Eichert [EMAIL PROTECTED] wrote:
> On Sun, 8 Oct 2006, Gustavo Rios wrote:
>> I meant more CPU processing cycles per a given constant amount of money! That's it.
>
> Hmmm, before I answer that question I'd like to know what are the intended uses? For example, for a DNS server I would seriously consider some of the platforms recently added, armish for one.
>
> diana
Re: benefits of older versions
prad wrote:
> why are older versions of openbsd (or linux or whatever os) kept around?

Not sure what you are referring to.. I'm guessing you are referring to things you saw on some FTP servers and for sale on the website...

If so, the answer is, much the same reason libraries don't throw away books or magazines when newer editions come out. Or why I keep books that cover electronic tube pinouts and specs, and why I have a WWII vintage book of trig tables and a 1930's vintage Comptometer at my desk at work.

Ok, that really doesn't answer the question very well, let's try this: Because they are way cool bits of history, (btw: I do use the Comptometer from time to time... there hasn't been something invented that adds numbers better (and it's fun to watch people stare when I do)),

> is it because some of the older versions may work better with older machines? for instance, i recall that our 486 and p120 did really well with slackware 8. we're going to get some 486s going again - should i use an older version of openbsd?

General answer: NO.

Slightly more specific: From time to time, the developers have to drop support for a platform for various reasons, usually because no one cares to or is able to maintain it. HOWEVER, it may happen that you desire to revive one of these platforms, let us say, Amiga. In that case, you would probably want to start by bringing your development machine up on OpenBSD 3.2 (the last Amiga-supported version) and move forward from there. Or maybe you just want to see SOMETHING running on your PMAX or Sun3 system... in which case, fine, run an old version of OpenBSD, but keep it protected from the evil outside world.

However, if you are wishing to run a supported platform, run the current release. That isn't to say it is always the easiest thing to do. OpenBSD/i386 3.0 ran pretty well on 16M of RAM for very simple applications. OpenBSD 4.0/i386 will probably want at least 24M, if not 32M for comparable utility.

HOWEVER, five years ago, 16M was a reasonable surplus machine. Now, my office throws away 400MHz machines with 128M of RAM (ok, many start with more than 128M RAM, but I strip them down to 128M before they leave :). So, I'd really have difficulty imagining why you would want to run on such restricted hardware, when minor upgrades would make your life so much easier.

If I were running OpenBSD on a 486 I expected to do a lot of work on, I'd reduce the SSH key size to what it was a couple releases ago, as the new, bigger keys take forever to generate, and a long time to log in. I'd try to have at least 32M of RAM. But, I'd run 4.0.

It isn't like in the last five years, the requirements of OpenBSD have gone from 486 to P4. They have basically gone from 486 to.. uh.. 486. 16M of RAM to 32M. That's really not bad. This isn't the growth rate that most other OSs have shown in the same time period. This is not a valid reason to run an obsolete version. This isn't like my Comptometer, the new versions really are better. :)

> also, do some people like to stick with what is tried and true? our home servers (p800) are running openbsd 3.9 beautifully. i want to try openbsd 4.0 on my personal machine and wonder whether i should change to 4 on the servers just to stay current.

Lots of people don't upgrade when they should. Lots of people do lots of stupid things, that's not justification for you doing so.

Keep your system current. There are lots of reasons to do that, few good reasons not to.

While I hate the expression, "all software has bugs" (both because it denies the possibility of writing correct software, and it is also used as an excuse to not bother doing what is known can be done to write better software), OpenBSD developers work on the assumption that there are still bugs to be found and eliminated from OpenBSD.

Fixes of critical issues are only pushed back to the previous release of OpenBSD (i.e., at the moment, critical issues are only fixed in 3.8 and 3.9, soon to be 3.9 and 4.0). So, if you are running 3.6 and a security problem is found, you will have to do an emergency upgrade. It is much better to just have the upgrade process part of your life.

It is tempting to look at OpenBSD's security record and assume you can just put it in place and forget it. Unfortunately, that is not a good plan. I'd also advise keeping up with each release, don't sit back and wait for your system to go out of support, then upgrade two releases at a time.

Nick.
Re: benefits of older versions
On Sun, 08 Oct 2006 22:36:47 -0400 Nick Holland [EMAIL PROTECTED] wrote:

> Keep your system current. There are lots of reasons to do that, few good reasons not to.

nick you have answered my questions totally! even those i had difficulty in figuring out how to ask (and therefore didn't). i appreciate your suggestions too darrin.

the key idea seems to be that there is a reason that these versions come about - they are better than what came before and pretty well on any machine. i like doodling with old stuff (still have the slackware 7 cd) and that is fine for doodling, but for stuff other than that, your comments make it clear to keep moving with openbsd even if things work well with a particular version. like you say, "It is much better to just have the upgrade process part of your life" ... after all, the developers do!

thank you!

--
In friendship,
prad
... with you on your journey Towards Freedom
http://www.towardsfreedom.com (website)
Information, Inspiration, Imagination - truly a site for soaring I's
Re: Loading pf rules at boot with '-o' flag to pfctl...
On Sun, Oct 08, 2006 at 01:53:42AM -0400, Martin Gignac wrote:

> Is there any plan to add a variable in /etc/rc.conf to achieve this, or is using '-o' during boot considered a bad thing?

The plan is to make it possible to specify the optimization level directly in the pf.conf file (which one could override on the command line). Unfortunately it's not a trivial change - the way the parser is set up right now, you have to know whether to apply optimization before you start reading the pf.conf file, so reading it from the file is not currently an option.
