disks not detected during install

2006-10-11 Thread Patrick Cummings

Hi misc,

I'm trying to set up a new openbsd 3.9 install on i386. It worked before on 
that computer when I installed quickly to test for compatibility, but I 
needed to finish up some hardware stuff on it and then I wanted to install 
for real but it does not work anymore.


It hangs at the disk: line

Loading /3.9/I386/CDBOOT
probing: pc0 com0 apm mem[639K 382M a20=on]
disk:

and then it stays there forever.

The computer has two storage controllers. One is an ami-compatible raid 
controller. The other is the pciide-compatible sata sil3114 chip. Both 
appear to be working.


If I unplug the scsi drives from the controller and leave the controller in, 
it will work.

Also if I unplug the sata drives and leave the controller in, it will work.

However all appears to be working quite well as I can install win2000 on it 
and all drives work well. Also as I've said openbsd 3.9 worked on it just a 
few days ago, but I can't find what I've changed. I thought it might be a 
bios settings problem so I played with the settings, but nothing seemed to 
help.


Overall I think this makes no sense, what are some of the problems that 
might be happening?




Re: OSPFd, CARP and pfsync

2006-10-11 Thread Claudio Jeker
On Tue, Oct 10, 2006 at 07:59:23PM +0200, Ronnie Garcia wrote:
 Hello,
 
 I have an OSPF enabled backbone and want to insert two firewalls.
 Each firewall will be connected to one different core router.
 
 My idea is to setup OSPFd on the interfaces plugged to the core, and 
 CARP on the interfaces plugged to the other side (servers network). I 
 have no routing protocol inside the servers network.
 
 From the servers side, traffic will go out from the firewall owning the 
 shared IP (the master firewall).
 From the internet side, traffic will go in from both firewalls, 
 whichever is the nearest from the core router.
 
 With this design, a SYN packet can enter thru FW2 and the corresponding 
 ACK packet go back thru FW1.
 
 Will pfsync just handle the split sessions happily ? Will it handle the 
 load for, say, 10k pps ?
 

You normally don't want to do split routing through firewalls. Even though
pfsync may allow it, it will hurt performance because pfsync updates are
done in batches. It is far better to just prefer the active router over
the other. (This is actually what OpenOSPFD does (it announces the network
only on the active router)).

Instead of using direct connections into your two core routers it would be
better to use two interconnected switches to connect all four routers on
one LAN.

-- 
:wq Claudio



Re: OSPFd, CARP and pfsync

2006-10-11 Thread Henning Brauer
* Chris Cappuccio [EMAIL PROTECTED] [2006-10-10 20:56]:
 Ronnie Garcia [EMAIL PROTECTED] wrote:
  
  Will pfsync just handle the split sessions happily ? Will it handle the 
  load for, say, 10k pps ?
  
 
 with a soekris net4501? no
 
 with a 500mhz celeron or higher? yes

uh, careful. pfsync is not realtime, it is only near-realtime, so 
a tcp session coming in through fw A and going out through B _might_ 
be problematic wrt window scaling and friends. Note the might, it 
depends on a number of factors.

and no, it is not feasible to make pfsync realtime.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: WLAN-Sec-Tools for OpenBSD?

2006-10-11 Thread Anton Karpov
 Or is sniffing with kismet and then trying to crack the key with
 bsd-airtools (which doesn't implement the latest algorithms to speed this
 up) the only way on oBSD?

 Kind regards,
 Sebastian

 p.s.
 If somebody has an aircrack-ng port which may compile fine or even just
 supports the stuff it supports on Linux: please let me know... :)


In fact, aircrack itself from aircrack suite compiles well. Try to collect
dumps via Kismet and crack wepkey with aircrack. Sadly, there are no tools
similar to aireplay for BSD, but it's on my TODO list (I'm slowly rewriting
aireplay for BSD. It's so ugly and leeenooks-specific, that it's better to
say I'm writing it from scratch)



Re: OSPFd, CARP and pfsync

2006-10-11 Thread Andreas Östling
On Tuesday 10 October 2006 19:59, Ronnie Garcia wrote:
 I have an OSPF enabled backbone and want to insert two firewalls.
 Each firewall will be connected to one different core router.
...
 With this design, a SYN packet can enter thru FW2 and the
 corresponding ACK packet go back thru FW1.

 Will pfsync just handle the split sessions happily ? Will it handle
 the load for, say, 10k pps ?

I've tried exactly that and it was not reliable. The solution is pretty 
simple though, just make sure only one fw at a time is active. I've 
used Quagga with some ifstated-type hacks to make it work but these 
days OpenOSPFD sounds like your good friend. Or use CARP on both sides 
if that's an alternative.

/Andreas



Re: OLPC

2006-10-11 Thread chefren

On 10/10/06 9:29 PM, ropers wrote:


http://www.thejemreport.com/mambo/content/view/286/


from the above link:
Technically end-users are not Marvell's customers because it neither
makes nor sells the actual hardware that people use. Instead, it makes
chips that OEMs in turn buy and integrate into other components or
finished electronic goods like PC motherboards, handheld devices, and
peripheral cards. Marvell is abstracted from the people who actually
use its products, and in a twisted sort of way, it's entirely possible
that Marvell's actual OEM customers are completely satisfied with its
performance and behavior, even if end-users are not.

Q.F.T.


Yep, this is pure clueless capitalism that has nothing to do with an 
open source project, receiving money over the backs of children that 
need as much as possible of it for better education.


..


http://www.theos.com/deraadt/jg


That archive contains a jpg in base64 format. Here it is in decoded form:

http://ropersonline.com/static/nigerian-classroom.jpg


(Thank you!)

Those kids will get RSI!!!

+++chefren



Re: [OT] US security

2006-10-11 Thread ropers

On 11/10/06, Jan Stary [EMAIL PROTECTED] wrote:

http://www.theonion.com/content/node/53928


Oh, this is SUCH torture!

My common sense very resolutely tells me that these strings are pure
gibberish, but I just can't help myself, trying to treat this as
ciphertext. Is it base64? Apparently not, so what is it? I'm not a
cryptographer, but this urge, really wanting to get at the cleartext
that probably isn't even there, that's torture! Bastards. ;-)

PS: I guess actual cryptographers around the world are feeling even
worse, and the Onion writers know it. Feckin SOBs! ;o)



Re: I just cant see my authpf added rules with pfctl -a authpf/user(pid) -sA

2006-10-11 Thread Otto Moerbeek

Taisto Qvist wrote:

Hi Folks,

I am having the extremely annoying, and probably simple problem of not
being able to list the rules in my authpf anchors, and it's close to
keeping me up all night.

I had this issue when I configured this the first time, but I just can't
remember what kind of simple syntax problem I have, if that's what it is.

The system I have this problem on is a 3.9, just updated from 3.8, and
most config is simply moved, and I might have missed some changes?

First off, I thought that doing pfctl -sA would actually list ALL
the underlying anchors for authpf/*, including the active users,
currently logged in, but all I ever get is authpf.

It would help if it was possible to just simply list all the underlying
anchors underneath authpf/, but that doesn't seem possible??

Any help extremely appreciated!

-
[EMAIL PROTECTED] /etc/authpf/users/cadq # ps ax | grep cadq
10910 p6  Is+ 0:00.01 -authpf: [EMAIL PROTECTED] (authpf)
[EMAIL PROTECTED] /etc/authpf/users/cadq # dl | grep cadq
Oct 11 00:58:25 vpngw authpf[10910]: allowing IP.IP.IP.IP, user cadq
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -sA
  authpf
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a authpf -sA
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a authpf -sA -s r
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a authpf/cadq(10910) -sA
Anchor 'authpf/cadq(10910)' not found.
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a authpf/cadq(10910) -sA -s r
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a authpf/cadq(10910) -sA -s r
pfctl: DIOCGETRULES: Invalid argument
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a 'authpf/cadq(10910)' -sA -s r
pfctl: DIOCGETRULES: Invalid argument
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a 'authpf/cadq(10910)' -s r
pfctl: DIOCGETRULES: Invalid argument
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a 'authpf/cadq' -s r
pfctl: DIOCGETRULES: Invalid argument
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -a authpf/cadq -s r
pfctl: DIOCGETRULES: Invalid argument
[EMAIL PROTECTED] /etc/authpf/users/cadq # pfctl -s r | grep anchor
anchor authpf/* all
--
Regards
Taisto Qvist
IP-Solutions.se



On reasonably -current:

[EMAIL PROTECTED]:44]$ sudo pfctl -s Anchors -a 'authpf' -v
  authpf/ottoauthpf(23035)
[EMAIL PROTECTED]:45]$ sudo pfctl -s rules  -a 'authpf/ottoauthpf(23035)'
pass in quick on fxp0 inet proto tcp from 10.0.1.99 to any keep state
pass in quick on fxp0 inet proto udp from 10.0.1.99 to any keep state
pass in quick on fxp0 inet proto icmp from 10.0.1.99 to any keep state

-Otto



Re: disks not detected during install

2006-10-11 Thread ropers

On 11/10/06, Patrick Cummings [EMAIL PROTECTED] wrote:

Hi misc,

I'm trying to set up a new openbsd 3.9 install on i386. It worked before on
that computer when I installed quickly to test for compatibility, but I
needed to finish up some hardware stuff on it and then I wanted to install
for real but it does not work anymore.

It hangs at the disk: line

Loading /3.9/I386/CDBOOT
probing: pc0 com0 apm mem[639K 382M a20=on]
disk:

and then it stays there forever.

The computer has two storage controllers. One is an ami-compatible raid
controller. The other is the pciide-compatible sata sil3114 chip. Both
appear to be working.

If I unplug the scsi drives from the controller and leave the controller in,
it will work.
Also if I unplug the sata drives and leave the controller in, it will work.

However all appears to be working quite well as I can install win2000 on it
and all drives work well. Also as I've said openbsd 3.9 worked on it just a
few days ago, but I can't find what I've changed. I thought it might be a
bios settings problem so I played with the settings, but nothing seemed to
help.

Overall I think this makes no sense, what are some of the problems that
might be happening?


Can you boot from any of the install boot floppies?
If so, can you provide a dmesg?



Re: Version 4.0 release

2006-10-11 Thread Fergus Wilde
On Monday 09 October 2006 22:44, you wrote:
 I see 4.0 is coming out, and yet, no hardware raid support, no fixes for
 raidframe,
 and still no SMP support, for sparc64 on Ultrasparc II machines.

yadda

Just to give you an idea how lazy the OpenBSD developers are, I got up this 
morning and went downstairs to discover that not one of those idle bastards 
had even begun making breakfast for me. Not even ground the damn coffee 
beans.  These people had better realise that they're not the only free 
breakfast service in town. And they never got my girlfriend a birthday 
present, leaving it up to *me* to do it myself. Unbelievable.

-- 
Fergus Wilde
Chetham's Library
Long Millgate
Manchester
M3 1SB

Tel: 0161 834 7961
Fax: 0161 839 5797

http://www.chethams.org.uk



Re: Would more information for ralink problem be useful?

2006-10-11 Thread alexander
Vic wrote:
 There is already open bug report about this: 5105, and I read some
 about it on misc@ I believe. Anyway, ral card drops me to ddb when
 switching it from 11g mode to 11b, I had that happen to me yesterday
 on a two weeks old snapshot. Would it be of any use providing the
 trace and ps and maybe some other information? I could also try to
 compile kernel with debugging symbols and crash the box with it, if
 that would be of any help. Or is the problem already known well enough
 and all this information would be of no use?

My pamic [SIC] report is still valid AFAIK, although I'm nowadays always
forcing it to 11b mode (not the perfect solution), so I cannot really
tell.

Another ral-related bug report is #4953, which has been closed but also
was very repeatable long after. I have not tried this in at least a month
or so, but I reckon it is also still valid and should be re-opened.

I'm on a tiny vacation and therefore cannot test it right now.

/Alexander



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

On 10/11/06, ropers [EMAIL PROTECTED] wrote:

I've just had another thought:

Why do the IP phones have to have public IPs?

Is this because giving them NATted, private range IPs previously
didn't work so well?


The VoIP phones Patrick is using are probably (my guess) using the
Session Initiation Protocol (SIP) for signalling.

 http://en.wikipedia.org/wiki/Session_Initiation_Protocol

SIP embeds IP information of the host (phone) inside the exchanged
application messages and makes use of the Session Description Protocol
whenever it tries to set up a voice call (using the INVITE
transaction) so that both phones know which kind of voice/video
stream encoding to expect, and on which port and IP it'll be coming
to/from.

 http://en.wikipedia.org/wiki/Session_Description_Protocol

If Patrick puts the phones behind a NAT box then the phones will have
private IPs and will reflect these private IPs in whatever SIP
messages they send out onto the Internet. Unfortunately, if public
phones receive these SIP messages with private IPs they might try to
contact said IPs, which will fail miserably. It's a similar issue to
NAT and FTP, since FTP also embeds IP address inside the control
stream of the FTP session. Hence this is why OpenBSD has ftp-proxy(8).

If Patrick wants to use SIP behind NAT he'll need the added
intelligence of an Application Level Gateway.

 http://en.wikipedia.org/wiki/Application-level_gateway

An ALG tracks SIP sessions and performs all the necessary NATs and
creates all the dynamic firewall rules to allow incoming and outgoing
media traffic for phone calls.

I don't think pf alone will fit the bill for this. That's why if he
has public IPs available for the phones it might be the quickest route
to success.

Still, if you *are* stuck behind a NAT and you have SIP phones and you
don't want to spend a fortune on an ALG there might be open source
solutions (which I have never looked into) that will achieve the same
thing.

A quick search on Google did turn this up:

 http://siproxd.sourceforge.net/index.php?op=overview

Could be interesting...

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan
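
The failure described in the message above, shown on a constructed INVITE (an added example, not part of the original post): it lists every address a phone behind NAT embeds in its SIP headers and SDP body, flags the RFC 1918 ones a remote peer cannot reach, and then applies the address rewrite an ALG would. The sample message, the addresses and all function names are assumptions; the rewrite is a simplified stand-in that keeps ports unchanged and handles only a session-level `c=` line.

```python
import ipaddress
import re

# Constructed sample: the INVITE a phone at 192.168.1.50 would send from behind NAT.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_PATTERNS = [
    ("Via", re.compile(r"Via:\s*SIP/2\.0/\w+\s+" + IPV4 + r"(?::(\d+))?", re.I)),
    ("Contact", re.compile(r"Contact:.*?sips?:(?:[^@>\s]+@)?" + IPV4 + r"(?::(\d+))?", re.I)),
]
SDP_ORIGIN = re.compile(r"o=\S+ \S+ \S+ IN IP4 " + IPV4)
SDP_CONN = re.compile(r"c=IN IP4 " + IPV4)
SDP_MEDIA = re.compile(r"m=(\w+) (\d+) ")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_addresses(raw):
    """Return (where, ip, port) for each IPv4 literal the remote side will act on."""
    head, _, body = raw.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        for where, pattern in HEADER_PATTERNS:
            m = pattern.match(line)
            if m:
                found.append((where, m.group(1), int(m.group(2) or 5060)))
    media_ip = None
    for line in body.split("\r\n"):
        m = SDP_ORIGIN.match(line)
        if m:
            found.append(("SDP o=", m.group(1), None))
        m = SDP_CONN.match(line)
        if m:
            media_ip = m.group(1)                # where the RTP stream is expected
        m = SDP_MEDIA.match(line)
        if m and media_ip:
            found.append((f"SDP media ({m.group(1)})", media_ip, int(m.group(2))))
    return found


def is_rfc1918(ip):
    """True for private-range addresses that are meaningless outside the NAT."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                           # e.g. 999.1.1.1 matched by the regex
        return False
    return any(addr in net for net in RFC1918)


def unroutable(findings):
    """Subset of findings that a peer on the public Internet cannot contact."""
    return [f for f in findings if is_rfc1918(f[1])]


def alg_rewrite(raw, inside_ip, outside_ip):
    """Swap inside_ip for outside_ip in headers and SDP, then fix Content-Length."""
    head, sep, body = raw.partition("\r\n\r\n")
    literal = re.compile(r"(?<![\d.])" + re.escape(inside_ip) + r"(?![\d.])")
    head = literal.sub(outside_ip, head)
    body = literal.sub(outside_ip, body)
    # The body length changes with the address length, so the header must follow.
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + sep + body


if __name__ == "__main__":
    for where, ip, port in unroutable(embedded_addresses(SAMPLE_INVITE)):
        print(f"{where}: {ip}{'' if port is None else ':' + str(port)} is not reachable from outside")
    fixed = alg_rewrite(SAMPLE_INVITE, "192.168.1.50", "203.0.113.7")
    print(len(unroutable(embedded_addresses(fixed))), "private addresses left after rewrite")
```

The packet's IP header is rewritten by plain NAT either way; what this shows is that the four addresses inside the payload stay private unless something that understands SIP also rewrites them and corrects the length header.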



Re: Wireless Kernel Panic

2006-10-11 Thread Chris Mika

On Wed, 11 Oct 2006, Damien Bergamini wrote:


| Here are the appropriate dmesg lines:
| ral0 at pci1 dev 9 function 0 Ralink RT2561S rev 0x00: irq 12, address
| 00:16:b6:98:85:1f
| ral0: MAC/BBP RT2661B, RF RT2527

Another appropriate dmesg line would have been the OS version and
the architecture it runs on ;)


3.9
cpu0: Intel(R) Celeron(R) CPU 1.70GHz (GenuineIntel 686-class) 1.70 GHzB



| If I use /etc/hostname.ral0 (up mediaopt hostap nwid seenothing.org chan
| 11 nwkey foobarfoobarf) to configure at boot or /sbin/ifconfig (using
| the same as above) to configure at runtime the kernel panics with this
| message:
| uvm_fault(0xd6e45dc4, 0x0, 0, 1) - e
| kernel: page fault trap, code=0
| Stopped at i80211_release_node +0x16 movl 0x 01(%esi), %ebx
|
| Is this a bad card? Is this a memory issue with the card itself? Is this
| card not supported in hostap mode (although everything I've read says that
| it is)? Am I configuring it incorrectly? Any help would be appreciated.

More likely a problem in the ral(4) driver itself.
Can you try to modify your /etc/hostname.ral0 like this:

mediaopt hostap nwid seenothing.org chan 11 nwkey foobarfoobarf up


Nope, same thing. Kernel panics and drops to the debugger.



(ie put the up at the end).
Otherwise, the card will be reset about 4 times.

Thanks,
Damien




X and -current

2006-10-11 Thread Steve Shockley
Would one of the developers please rebuild X for -current i386?  The 
10/10 snapshot seems to have cranked the libc revision, but the 10/7 X 
seems to still use the old libc.  (At least, on a fresh install using 
the 10/10 sets and the 10/7 X, it complains that it can't find 
libc.so.39 and .40 exists.)  Thanks.




Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread ropers

On 11/10/06, Martin Gignac [EMAIL PROTECTED] wrote:

On 10/11/06, ropers [EMAIL PROTECTED] wrote:
 I've just had another thought:

 Why do the IP phones have to have public IPs?

 Is this because giving them NATted, private range IPs previously
 didn't work so well?

The VoIP phones Patrick is using are probably (my guess) using the
Session Initiation Protocol (SIP) for signalling.

  http://en.wikipedia.org/wiki/Session_Initiation_Protocol

SIP embeds IP information of the host (phone) inside the exchanged
application messages and makes use of the Session Description Protocol
whenever it tries to set up a voice call (using the INVITE
transaction) so that both phones know which kind of voice/video
stream encoding to expect, and on which port and IP it'll be coming
to/from.

  http://en.wikipedia.org/wiki/Session_Description_Protocol

If Patrick puts the phones behind a NAT box then the phones will have
private IPs and will reflect these private IPs in whatever SIP
messages they send out onto the Internet. Unfortunately, if public
phones receive these SIP messages with private IPs they might try to
contact said IPs, which will fail miserably. It's a similar issue to
NAT and FTP, since FTP also embeds IP address inside the control
stream of the FTP session. Hence this is why OpenBSD has ftp-proxy(8).

If Patrick wants to use SIP behind NAT he'll need the added
intelligence of an Application Level Gateway.

  http://en.wikipedia.org/wiki/Application-level_gateway

An ALG tracks SIP sessions and performs all the necessary NATs and
creates all the dynamic firewall rules to allow incoming and outgoing
media traffic for phone calls.

I don't think pf alone will fit the bill for this. That's why if he
has public IPs available for the phones it might be the quickest route
to success.

Still, if you *are* stuck behind a NAT and you have SIP phones and you
don't want to spend a fortune on an ALG there might be open source
solutions (which I have never looked into) that will achieve the same
thing.

A quick search on Google did turn this up:

  http://siproxd.sourceforge.net/index.php?op=overview


Once again, thanks a whole bunch for your excellent and insightful information.

:)



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Girish Venkatachalam
On Wed, Oct 11, 2006 at 09:32:07AM -0400, Martin Gignac wrote:
 On 10/11/06, ropers [EMAIL PROTECTED] wrote:
 I've just had another thought:
 
 Why do the IP phones have to have public IPs?
 
 Is this because giving them NATted, private range IPs previously
 didn't work so well?
 
 The VoIP phones Patrick is using are probably (my guess) using the
 Session Initiation Protocol (SIP) for signalling.
 
  http://en.wikipedia.org/wiki/Session_Initiation_Protocol
 
 SIP embeds IP information of the host (phone) inside the exchanged
 application messages and makes use of the Session Description Protocol
 whenever it tries to set up a voice call (using the INVITE
 transaction) so that both phones know which kind of voice/video
 stream encoding to expect, and on which port and IP it'll be coming
 to/from.
 
  http://en.wikipedia.org/wiki/Session_Description_Protocol
 
 If Patrick puts the phones behind a NAT box then the phones will have
 private IPs and will reflect these private IPs in whatever SIP
 messages they send out onto the Internet. Unfortunately, if public
 phones receive these SIP messages with private IPs they might try to
 contact said IPs, which will fail miserably. It's a similar issue to
 NAT and FTP, since FTP also embeds IP address inside the control
 stream of the FTP session. Hence this is why OpenBSD has ftp-proxy(8).
 
 If Patrick wants to use SIP behind NAT he'll need the added
 intelligence of an Application Level Gateway.
 
  http://en.wikipedia.org/wiki/Application-level_gateway
 
 An ALG tracks SIP sessions and performs all the necessary NATs and
 creates all the dynamic firewall rules to allow incoming and outgoing
 media traffic for phone calls.
 
 I don't think pf alone will fit the bill for this. That's why if he
 has public IPs available for the phones it might be the quickest route
 to success.
 
 Still, if you *are* stuck behind a NAT and you have SIP phones and you
 don't want to spend a fortune on an ALG there might be open source
 solutions (which I have never looked into) that will achieve the same
 thing.
 
 A quick search on Google did turn this up:
 
  http://siproxd.sourceforge.net/index.php?op=overview
 
 Could be interesting...
 
 -Martin
If my memory serves me right, SIP actually has ALG built into the standard 
itself and www.opensip.org might already give you what you want.

NAT traversal has been a problem for VoIP and there are several strategies. I 
am talking about UDP hole punching in my article. 

But you can do the same thing for TCP too though it might not work as reliably 
as UDP.

http://www.linuxjournal.com/9004

But what I am wondering is since this is a known issue, if there are any better 
and more elegant solutions already...

regards,
Girish



Can't boot the latest snapshot for amd64 with Intel Pro 1000 GT Quad Server

2006-10-11 Thread Vincent Bolinard
Hello,

I can't boot the latest snapshot if the card is plugged. The boot process
stops just after (sometimes before) the starting of the network.

If I boot from bsd.rd or bsd.mp it works fine : the card is detected and
works.
If I boot without the network card : bsd boots.

Here is the dmesg from bsd.rd (latest snapshot):


OpenBSD 4.0-current (RAMDISK_CD) #901: Fri Oct 6 19:11:39 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 536342525 (523772K)
avail mem = 448868352 (438348K)
using 13145 buffers containing 53841920 bytes (52580K) of memory
maisbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Celeron(R) CPU 2.53GHz, 2533.72 MHz
cpu0: FPU, VME, DE, PSE, TSC, MSR, PAE, MCE, CX8, APIC, SEP, MTRR, PGE, MCA,
CMOV, PAT, PSE36, CFLUSH, DS, ACPI, MMX, FXSR, SSE, SSE2, SS, HTT, TM, SBF,
SSE3, NXE, LONG
cpu0: 256KB 64b/line 4-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0x81
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at pbb1 bus 2
ppb2 at pci2 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01
pci3 at ppb2 bus 3
em0 at pci3 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03 : irq
10, address 00:0e:0c:bb:53:08
em1 at pci3 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03 : irq
11, address 00:0e:0c:bb:53:09
em2 at pci3 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03 : irq
15, address 00:0e:0c:bb:53:0a
em3 at pci3 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03 : irq
5, adress 00:0e:0c:bb:53:0b
ppb3 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1
(0x4201) : irq 10, adress 00:17:31:a7:84:ba
brgphy0 at bge0 phy 1 : BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
bge1 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x21, BCM5750 C1
(0x4201) : irq 11, address 00:17:31:a7:84:bb
brgphy1 at bge1 phy 1 : BCM5750 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci6 at ppb5 bus 6
vga1 at pci6 dev 2 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1 : console (80x25, vt100 emulation)
Intel 82801GB LPC rev 0x01 at pci0 dev 31 function 0 not configured
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01 : DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0 : QUANTUM FIREBALLlct15 07
wd0: 16-sector PIO, LBA, 7162MB, 14668290 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0 : PLEXTOR, DVDR PX-716A, 1.08 SCSI0 5/cdrom
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
intr_established: pic pic0 pin 15: can't share type 3 with 2
pciide0: no compatibility interrupt for use by channel 1
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 5 for native-PCI interrupt
Intel 82801GB SMBus rev 0x01 at pci0 dev 31 function 3 not configured
isa0 at mainbus0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 : console keyboard, using wsdisplay0
rd0: fixed, 3584 blocks
dkcsum: wd0 matches BIOS drive 0x80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02


Thank you for your help.
Don't hesitate to ask me questions about the card, I could help you to make
it work.

Bye.



Re: carp(4) debugging

2006-10-11 Thread Brian A. Seklecki

Exciting stuff; totally missed the log sysctl.

The netstat(8) reveals some interesting info about a persistent failover 
condition:


$ netstat -sp carp
carp:
7731906 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
0 discarded for bad authentication
0 discarded for bad vhid
0 discarded because of a bad address list
118961 packets sent (IPv4)
0 packets sent (IPv6)

** 152 send failed due to mbuf memory error


But yet:

$ netstat -m

[...snip...]

290/558/6144 mbuf clusters in use (current/peak/max)
1224 Kbytes allocated to network (53% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

Which is interesting because an identical backup unit does not exhibit 
these errors at all, even when running as MASTER for weeks on end.


MBuf isn't getting exhausted; MRTG does show interfaces getting saturated 
either.  The machine has an absurd amount of RAM for a Router, too.


Also interesting how it is printed out, as well, as if it is under the 
IPv6 statistics; however these systems have a userland and kernel compiled 
without IPv6 support.


But since this is 3.7-era code, it's hard to imagine troubleshooting this 
further.  Certainly a 4x upgrade is in order before I go chasing down an 
mbuf exhaustion problem.


This is most likely related somehow to the absurdly high number of max 
states (set limit states 20, etc.)


~BAS

On Wed, 11 Oct 2006, Ryan McBride wrote:


On Tue, Oct 10, 2006 at 05:50:50PM -0400, Brian A. Seklecki wrote:

Certainly a way to log events (interfaces, etc.) and the resulting actions
taken by the code would be useful in mission critical environments.

Anything beats tcpdump 'proto carp' and making guesses from there.


Nothing new to 4.0, but a few of the things you can do besides using
tcpdump are:

route monitor
- see interface link state change
sysctl net.inet.carp.log=1
- generates primarily protocol error messages
netstat -sp carp
- display a number of relevant counters

If you want to do more complicated things, like run commands when carp
interfaces change state, you can have a look at ifstated.

-Ryan



l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: OLPC

2006-10-11 Thread William Bulley
According to Stuart Henderson [EMAIL PROTECTED]:
 
 http://www.rtos.com/news/detail/?prid=104
 
 Product Category ThreadX Deployments Representative Customers
 Wireless Networking   200,000,000 Broadcom, Intel, Marvell

Even more curious is this at the bottom of that same table/figure:

   Space Probes 2   NASA

Regards,

web...

--
William Bulley Email: [EMAIL PROTECTED]



Re: OLPC

2006-10-11 Thread Jack J. Woehr
On Oct 10, 2006, at 5:38 PM, Shane J Pearson wrote:

 By interesting, you mean one is well meaning, but a little kooky  
 and not always in touch with reality and the other is focused and  
 committed to maintaining some sanity in the world of computing?

No, I didn't mean that. I meant that both gentlemen are personal  
friends of mine
and that the contrast between these two giants of free and open  
source software
could hardly be more striking.

-- 
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

On 10/11/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:


If my memory serves me right, SIP actually has ALG built into the standard 
itself and www.opensip.org might already give you what you want.


Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
number that I could check out concerning this?

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



RMS vs TdR (WAS: Re: OLPC)

2006-10-11 Thread Breen Ouellette

Jack J. Woehr wrote:

On Oct 10, 2006, at 5:38 PM, Shane J Pearson wrote:

  
By interesting, you mean one is well meaning, but a little kooky  
and not always in touch with reality and the other is focused and  
committed to maintaining some sanity in the world of computing?



No, I didn't mean that. I meant that both gentlemen are personal  
friends of mine
and that the contrast between these two giants of free and open  
source software

could hardly be more striking.


Obviously there are elements trying to start an RMS/GNU versus TdR/BSD 
holy war.


If you don't find it interesting that two men could take a stand for 
free and open ideals, and yet interpret those ideals so differently, 
then fine, it isn't interesting to you. Thanks for sharing, I guess. I 
don't find it very interesting myself yet I don't feel the need to tell 
the world, but that's just me. Maybe you've got it all worked out as 
part of your life plan.


If you don't like RMS (or TdR for that matter) or his version of free 
and open ideals, then fine, you have the right to feel that way in most 
locales. I'm not particularly fond of RMS' views and ideas myself.


But when you reply to the original poster's message feigning that you 
don't understand his point, well, then you come across as stupid. An 
inquisitive child could understand the difference between these two 
men's views, and understand that some people might find it interesting.


Really, truly stupid. And willing to share it with the rest of the world 
on a public mailing list, no less! Brilliant!


If you want to start a holy war about the merits of these two positions 
then start a thread, preferably somewhere else, and howl into the wind. 
Nobody cares. We've all made up our minds about which side of the fence 
we are on. You aren't going to change my mind, or anyone else's. You are 
only making yourselves out to be a bunch of idiots.


This sure doesn't help the image of the OpenBSD user base at all. When 
we aren't taken seriously it is, in part, because of childish melodrama 
like this thread.


Breeno

PS - Jack, some friendly advice, you are only encouraging them each time 
you reply. They obviously don't care about why you find interest in this 
subject. They only want to find a way to link you to RMS and then trash you.




Re: RMS vs TdR (WAS: Re: OLPC)

2006-10-11 Thread Jack J. Woehr
On Oct 11, 2006, at 10:58 AM, Breen Ouellette wrote:

 PS - Jack, some friendly advice, you are only encouraging them each  
 time you reply. They obviously don't care about why you find  
 interest in this subject. They only want to find a way to link you  
 to RMS and then trash you.

Thanks, Breen. Having been a brash and testosterone-dizzy young
engineer myself a quarter of a century ago, I don't mind being part of
the humanities education of today's young engineers, as long as it
doesn't take too much time out of my current engineering workday :-)

-- 
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Patrick - South Valley Internet
Yes, I've tried siproxd, but my lack of knowledge has caused me to fail 
to get this working properly.


I'm VERY excited with all the responses you folks gave me.  Now I have 
to take the time to read all them over.  I'll respond to the other posts 
very soon.


Thank you once again for all the help - this mailing list rocks!

Patrick




Martin Gignac wrote:

On 10/11/06, ropers [EMAIL PROTECTED] wrote:

I've just had another thought:

Why do the IP phones have to have public IPs?

Is this because giving them NATted, private range IPs previously
didn't work so well?


The VoIP phones Patrick is using are probably (my guess) using the
Session Initiation Protocol (SIP) for signalling.

 http://en.wikipedia.org/wiki/Session_Initiation_Protocol

SIP embeds IP information of the host (phone) inside the exchanged
application messages and makes use of the Session Description Protocol
whenever it tries to set up a voice call (using the INVITE
transaction) so that both phones know which kind of voice/video
stream encoding to expect, and on which port and IP it'll be coming
to/from.

 http://en.wikipedia.org/wiki/Session_Description_Protocol

If Patrick puts the phones behind a NAT box then the phones will have
private IPs and will reflect these private IPs in whatever SIP
messages they send out onto the Internet. Unfortunately, if public
phones receive these SIP messages with private IPs they might try to
contact said IPs, which will fail miserably. It's a similar issue to
NAT and FTP, since FTP also embeds IP addresses inside the control
stream of the FTP session. Hence this is why OpenBSD has ftp-proxy(8).

If Patrick wants to use SIP behind NAT he'll need the added
intelligence of an Application Level Gateway.

 http://en.wikipedia.org/wiki/Application-level_gateway

An ALG tracks SIP sessions and performs all the necessary NATs and
creates all the dynamic firewall rules to allow incoming and outgoing
media traffic for phone calls.

I don't think pf alone will fit the bill for this. That's why if he
has public IPs available for the phones it might be the quickest route
to success.

Still, if you *are* stuck behind a NAT and you have SIP phones and you
don't want to spend a fortune on an ALG there might be open source
solutions (which I have never looked into) that will achieve the same
thing.

A quick search on Google did turn this up:

 http://siproxd.sourceforge.net/index.php?op=overview

Could be interesting...

-Martin
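
The point made above about SIP carrying the phone's own address inside the message, as an added example that is not part of the original thread: it scans a constructed INVITE for RFC 1918 addresses in the places a remote party uses to reach the phone (Via, Contact, SDP o=/c=) and then applies a simplified address fixup of the kind a SIP-aware NAT must perform. The message, the names and the addresses (192.168.1.50, 203.0.113.7) are invented for illustration, port mapping is ignored, and this is not siproxd's or any ALG's actual code.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ROUTING_HEADERS = ("via", "contact")  # headers a peer uses to reach the phone
SDP_FIELDS = ("o=", "c=")             # SDP origin and connection (media) address

# Constructed SDP offer from a phone at 192.168.1.50 (hypothetical address).
SDP_BODY = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50",
    "s=call",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"

# Constructed INVITE; users, tags and hosts are invented for the example.
INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "Content-Length: %d" % len(SDP_BODY),
]) + "\r\n\r\n" + SDP_BODY


def split_message(raw):
    """Return (start line, header lines, body) of a SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def header_name(line):
    return line.partition(":")[0].strip().lower()


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the loose regex can match strings like 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)


def embedded_addresses(raw):
    """List (location, ip) for addresses a peer would try to contact."""
    _, headers, body = split_message(raw)
    found = []
    for line in headers:
        if header_name(line) in ROUTING_HEADERS:
            name, _, value = line.partition(":")
            found += [(name, ip) for ip in IPV4.findall(value)]
    for line in body.split("\r\n"):
        if line.startswith(SDP_FIELDS):
            found += [("SDP " + line[:2], ip) for ip in IPV4.findall(line)]
    return found


def unreachable_from_internet(raw):
    return [(where, ip) for where, ip in embedded_addresses(raw)
            if is_rfc1918(ip)]


def declared_length(raw):
    for line in split_message(raw)[1]:
        if header_name(line) == "content-length":
            return int(line.partition(":")[2])
    return None


def alg_rewrite(raw, private_ip, public_ip):
    """Swap the private address in Via, Contact and SDP o=/c=, then fix
    Content-Length, which changes when the two addresses differ in length."""
    swap = re.compile(r"\b%s\b" % re.escape(private_ip))
    start, headers, body = split_message(raw)
    new_body = "\r\n".join(
        swap.sub(public_ip, line) if line.startswith(SDP_FIELDS) else line
        for line in body.split("\r\n"))
    new_headers = []
    for line in headers:
        if header_name(line) in ROUTING_HEADERS:
            line = swap.sub(public_ip, line)
        elif header_name(line) == "content-length":
            line = "Content-Length: %d" % len(new_body.encode())
        new_headers.append(line)
    return "\r\n".join([start] + new_headers) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    for where, ip in unreachable_from_internet(INVITE):
        print("private address in %s: %s" % (where, ip))
    fixed = alg_rewrite(INVITE, "192.168.1.50", "203.0.113.7")
    print("after fixup:", unreachable_from_internet(fixed),
          "Content-Length", declared_length(fixed))
```

The Call-ID also contains the private address but is an opaque identifier, so the scan ignores it and the fixup leaves it alone.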




Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

Yes, I've tried siproxd, but my lack of knowledge has caused me to fail
to get this working properly.


Then using your available public IPs should be the ticket.

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Jon Radel
Martin Gignac wrote:
 
 On 10/11/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:
 
 If my memory serves me right, SIP actually has ALG built into the 
 standard itself and www.opensip.org might already give you what you want.
 
 Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
 number that I could check out concerning this?
 
 -Martin
 

The standard?  But SIP has so many.

There are some old, long expired drafts that touch on the topic, e.g., 
http://www1.cs.columbia.edu/sip/drafts/draft-ietf-nat-protocol-complications-00.txt

There's a best current practice document for call flow that mentions SIP 
ALGs: ftp://ftp.rfc-editor.org/in-notes/rfc3665.txt but that's more 
about proxies than about something that untangles NAT.

But the core spec, RFC 3261, http://www.rfc-editor.org/rfc/rfc3261.txt , 
doesn't touch on the topic at all so far as I've ever noticed.

NAT fixup for SIP is a nasty thing and I've seen a number of broken 
implementations and incompatible solutions.  As a hosted IP PBX 
provider, we've had the best luck using session border controllers at 
the edge of our network, which are configured to assume that phones are 
behind NAT.  We tell our customers to not even think about STUN ( 
ftp://ftp.rfc-editor.org/in-notes/rfc3489.txt ), to not even think about 
putting the phones behind a firewall with any ALG functionality turned 
on (one ALG works fine until we issue a reinvite upon changing from 
ringing all the phones in a hunt group to actually establishing RTP 
streams with the phone that picks up, at which point the ALG drops all 
the packets; one mostly works except it plays funny games with port 
numbers sometimes and starts sending registration requests from a single 
phone using multiple port numbers, leading to confusion about where 
we're to send invites, etc., etc.)

Unfortunately, SIP is nowhere near being a standard where you can 
assume interop just because you implement a bunch of RFCs.  Especially 
if you mix NAT in.  See 
http://en.wikipedia.org/wiki/Session_Border_Controller for more, 
including some nice references.

--Jon Radel
[EMAIL PROTECTED]




Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

On 10/11/06, Jon Radel [EMAIL PROTECTED] wrote:


 If my memory serves me right, SIP actually has ALG built into the
 standard itself and www.opensip.org might already give you what you want.

 Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
 number that I could check out concerning this?

 -Martin


The standard?  But SIP has so many.


I was asking because although I'm familiar with the usual SIP RFCs
(3261 and family) I was not aware of the "SIP actually has ALG built
into the standard itself" notion that Girish mentioned and I wanted
to know if there was any actual documentation to support this.


But the core spec, RFC 3261, http://www.rfc-editor.org/rfc/rfc3261.txt ,
doesn't touch on the topic at all so far as I've ever noticed.


Yeah, I've never heard of this in 3261 either.


NAT fixup for SIP is a nasty thing and I've seen a number of broken
implementations and incompatible solutions.  As a hosted IP PBX
provider, we've had the best luck using session border controllers at
the edge of our network, which are configured to assume that phones are
behind NAT.


Yeah, we use SBCs in IMS as well.


Unfortunately, SIP is nowhere near being a standard where you can
assume interop just because you implement a bunch of RFCs.  Especially
if you mix NAT in.


Add to that the 3GPP and OMA additions for IMS and it gets even wilder.

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



Re: Version 4.0 release

2006-10-11 Thread Adam
Girish Venkatachalam [EMAIL PROTECTED] wrote:

 Threads a big PITA. Best avoided. Creates more problems than solves.

 OpenBSD is about neatness, cleanliness and stability. 
 
 Threads don't have any of them. :-)

First of all, threads are a good choice for some tasks.  Just because
openbsd's threading support isn't as good as it could be, doesn't mean
threads are bad.  And even if this were the case, it would still not
change the fact that plenty of software uses threads, and people would
like to run such software on openbsd.

Adam



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Karsten McMinn

On 10/9/06, Patrick - South Valley Internet [EMAIL PROTECTED] wrote:

Hi all,

I have a box I installed OpenBSD 3.9 on.  I'm trying to get this box to
function as our office firewall.  Here's the catch - we have VOIP phones
that contact an external VOIP server outside of our firewall.  I've been
doing some research and found out that VOIP phones don't do NAT very
well, and because of that you need to put them on their own static IPs.
I've tried the sip proxy route, and honestly it was entirely over my
head and I just couldn't understand how to get it to work.


You are really asking for a lot of work to try and do this with
two NICs. Here's how we do it as a service provider: 1 vlan
for data, 1 vlan for voice stuff. One device/router with
essentially three interfaces: one that serves as a wan
connection and two ethernet interfaces, one
for each vlan. Firewall the data vlan however you want, and
give each phone the equivalent of a static address.



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread ropers

On 11/10/06, Martin Gignac [EMAIL PROTECTED] wrote:

 Yes, I've tried siproxd, but my lack of knowledge has caused me to fail
 to get this working properly.

Then using your available public IPs should be the ticket.

-Martin


Yah, it's becoming clearer.  Use whatever is cleaner and easier to implement.

If ALG/siproxd is actually **more** complex than NAT -- use NAT with
VLANs and public IPs for the IP phones, as Martin said.

OTOH, if you do have enough public IPs to play with, I'd still
consider bridging and using only public IPs (then you don't need to do
VLANs or NAT).
And speaking of that, I just re-read your (Patrick's) earlier emails:

Patrick wrote:

Technically, we don't need NAT, but I want to free up some IP addresses
in our company so we can use them elsewhere.  That's why I wanted to put
all the computers behind NAT.

I guess I could assign an entire class C to our office computers, but
IMO that isn't really efficient.


Sorry if I'm asking stupid questions, but you know all about
VLSM/CIDR, right? You know that you don't have to choose between
assigning a whole class C subnet or NAT, right? You know that you can
apportion any number of bits for your subnet, right?

I was just playing with the details you gave earlier (mostly to
practice and teach myself):

Your friend suggested IPs like 216.139.44.142 and a 255.255.255.192 subnet mask:

last octet for IP 216.139.44.142/26:
128  64 | 32  16   8   4   2   1
  1   0 |  0   0   1   1   1   0

From 216.139.44.128/26 (x.y.z.1000) through 216.139.44.191/26
(x.y.z.1011), that's 64 IP addresses in total.

How many hosts do you have, including the IP phones? How much room for
future growth do you need to reserve? If you can steal enough bits off
that last octet, then the easiest way may still be a bridge, which has
the added advantage of being transparent to the end user. And it can
be changed, substituted and removed in the future without so much as
an interruption in service (as long as you have a switch with free
ports both before and behind the firewall).
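
The subnet arithmetic from the message above, carried one step further as an added example that is not part of the original thread: it derives the /26 from the address and mask quoted there, then carves that block into variable-length subnets sized by host count. The group names and host counts (25 computers, 12 phones) are hypothetical, chosen only to show the allocation.

```python
import ipaddress


def describe(host_ip, netmask):
    """Network facts for one address and dotted netmask."""
    iface = ipaddress.ip_interface("%s/%s" % (host_ip, netmask))
    net = iface.network
    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
        "last_octet_bits": format(int(iface.ip) & 0xFF, "08b"),
    }


def prefix_for_hosts(hosts):
    """Longest prefix whose subnet still holds `hosts` usable addresses
    (network and broadcast addresses are reserved)."""
    needed = hosts + 2
    host_bits = max(2, (needed - 1).bit_length())
    return 32 - host_bits


def carve(block, demands):
    """VLSM allocation: serve the largest demand first, always splitting
    the smallest free block that is still big enough."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        want = prefix_for_hosts(hosts)
        candidates = [n for n in free if n.prefixlen <= want]
        if not candidates:
            raise ValueError("no room left for %s (%d hosts)" % (name, hosts))
        chosen = max(candidates, key=lambda n: n.prefixlen)
        free.remove(chosen)
        while chosen.prefixlen < want:
            low, high = chosen.subnets(prefixlen_diff=1)
            free.append(high)   # upper half stays available
            chosen = low
        plan[name] = chosen
    return plan, sorted(free)


if __name__ == "__main__":
    # Address and mask as quoted in the message above.
    info = describe("216.139.44.142", "255.255.255.192")
    print(info)
    # Hypothetical host counts, not taken from the thread.
    plan, spare = carve(info["network"], {"computers": 25, "phones": 12})
    for name, net in plan.items():
        print("%-10s %-20s %d usable" % (name, net, net.num_addresses - 2))
    print("unallocated:", [str(n) for n in spare])
```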



Re: gcc and variable length arrays

2006-10-11 Thread Mark Bucciarelli
On Tue, Oct 10, 2006 at 02:42:12PM -0700, Joe wrote:
 
 By the way, if anyone has any pointers (no pun intended) for a
 CS newbie, any help and recommendations are always appreciated.
 I like the OpenBSD development community and hope to contribute
 some code and patches in the future.

Advanced UNIX Programming, by Stevens.

Very well written and organized.  The code samples are great too.

m



OpenBSD 4.0 as a PostgreSQL Database Server

2006-10-11 Thread Sam Fourman Jr.

For those of you that are knowledgeable, and have the time to respond

does anyone see any troubles with this hardware selection?
I am mostly concerned with the raid Controller selection I am
expecting it to have raid 5 across 16 drives with 1 spare

the intent is to run a PostgreSQL 8.2 Server with OpenBSD 4.0 when
they are both released

MotherBoard      GIGABYTE GA-4MXSV Socket T (LGA 775) Intel E7230 ATX Server
CPU              Intel Pentium D 940 Presler 3.2GHz 2 x 2MB L2 Cache LGA 775 Dual Core
16 Raid Drives   Western Digital 200GB WD2000JS SATA II 7200RPM 8MB - OEM
Raid Card        Areca ARC-1260 16-Port PCI Express x8 SATA 3Gb/s RAID Controller - Retail


Thank you for any Help

Sam Fourman Jr.



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

Hey Jens,

On 10/11/06, ropers [EMAIL PROTECTED] wrote:


OTOH, if you do have enough public IPs to play with, I'd still
consider bridging and using only public IPs (then you don't need to do
VLANs or NAT).


To satisfy my own curiosity, what are the advantages in your view that
bridging offers between the internal and external interface compared
to using typical ip forwarding?

(Note: I've never worked with bridging on an OpenBSD firewall, so I'm
a newbie at it.)

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



the cvs repository doesn't obey the attic criterion

2006-10-11 Thread Paul Stoeber
the cvs info manual says:
But in case you want to know, the rule is that the RCS file
is stored in the attic if and only if the head revision on
the trunk has state `dead'.

counterexamples:
/cvs/src/sbin/swapon/Attic/swapon.8,v
/cvs/src/distrib/vax/ramdisk/dot.commonutils,v
/cvs/src/sys/arch/mvme88k/stand/wrtvid/Makefile,v,v
/cvs/ports/net/rrdtool/patches/patch-config_ltmain_sh,v
/cvs/ports/x11/msttcorefonts/pkg/INSTALL,v



OpenBSD in Lenovo 3000 J105 ???

2006-10-11 Thread Diego Fernando Nieto Moreno
Hello

Does anybody have OpenBSD running on this machine? Does the SATA controller
work, and does it run fine?


Thanks


Diego Fernando Nieto Moreno
---
www.compumundohypermegared.org
Comunidad de Usuarios OpenBSD Colombia



Re: OpenBSD 4.0 as a PostgreSQL Database Server

2006-10-11 Thread Jon Simola

On 10/11/06, Sam Fourman Jr. [EMAIL PROTECTED] wrote:

For those of you that are knowledgeable, and have the time to respond

does anyone see any troubles with this hardware selection?
I am mostly concerned with the raid Controller selection I am
expecting it to have raid 5 across 16 drives with 1 spare


You might want to evaluate a multilayer RAID setup with that many
drives. I've found 0+1 (striped mirrors) and 0+5 to perform as well as
plain RAID 5 but suffer a non-noticeable degradation when a drive
fails. In an odd note, my 0+1 array on an LSI card actually got faster
every time I pulled out a drive.


 16 Raid Drives  Western Digital 200GB WD2000JS SATA II 7200RPM 8MB - OEM


Get the Raid Edition drives from WD. 1.2million hours MTBF at either
80% or 100% duty cycle. Their consumer-grade drives are only spec'd
for 20% duty cycle, and are also less tolerant to temperature (thermal
gradient and max operating temp).


Raid Card   Areca ARC-1260 16-Port PCI Express x8 SATA 3Gb/s RAID
Controller - Retail


Heard nothing but good stuff about the Areca cards.

--
Jon



Re: Sun SMP Hardware [was RE: Version 4.0 release ]

2006-10-11 Thread Patsy
 So far, every reply has been, It's yours if you pay
 to ship it.
 Count me in; I will help pay shipping as well.

Count me in too, I have slightly limited funds but will help as much as I can. 
Please contact me off list if I can be of any use.

Patsy



if_em.c and rev 1.131

2006-10-11 Thread Per-Olov Sjöholm
Hi misc

I am looking at http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_em.c 
and can see the following...
--snip--
revert revision 1.131, the code in question was later found to not ensure
the proper alignment requirement for the VLAN layer on strict alignment
architectures. This would result in Jumbo's working fine as long as VLANs
were not in use. If VLANs were in use and a packet comes in with a size
of 2046 bytes or larger, it would be corrupted as it came up through the
VLAN layer. Also check the hw max frame size, instead of the MTU, so the
alignment fixup is done as appropriate.
--snip--

As I use VLANs a lot I therefore have a question as this is not 100% clear to 
me...

This was reverted in OBSD 3.8 and 3.9 but not in 4.0. As this according to cvs 
was reverted after OpenBSD 4.0 was tagged I therefore wonder if the problem 
exists in the 4.0 release.

Excuse me if I missed something important I can't see...

Thanks in advance
Per-Olov Sjöholm



Re: OpenBSD 4.0 as a PostgreSQL Database Server

2006-10-11 Thread Adam
Sam Fourman Jr. [EMAIL PROTECTED] wrote:

 For those of you that are knowledgeable, and have the time to respond
 
 does anyone see any troubles with this hardware selection?
 I am mostly concerned with the raid Controller selection I am
 expecting it to have raid 5 across 16 drives with 1 spare

I would suggest RAID 10 instead of 5 if you don't need 3TB of storage.
It tolerates multiple drive failures (usually), and doesn't suffer the
performance penalty while degraded that RAID 5 does.

And if performance matters, I'd suggest 15k SCSI drives instead of the
7200 RPM SATA drives.

Adam



ipsecctl parser behavior on OpenBSD 4.0 running generic kernel#1137

2006-10-11 Thread Prabhu Gurumurthy

I wanted to test ipsec.conf before loading it and I noticed this odd behavior.

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [570]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [571]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [572]$ echo $?
0

*This is expected!*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [573]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [574]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 2: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [575]$ echo $?
1

*This is expected*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [576]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [577]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 3: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [578]$ echo $?
1

*This is expected*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [579]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [580]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [581]$ echo $?
0

*Is this expected? I am missing a ending quote on line three and the parser 
thinks this is correct*


pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [582]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [583]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 5: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded


pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [584]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [585]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [586]$ ipsecctl -n -f ipsec.conf
ipsec.conf: 3: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [587]$ echo $?
1

*When I remove the psk string, the parser notices the problem and errors out*

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [588]$ cat ipsec.conf
remote_gw = 192.168.0.1
remote_net = { 10.0.100.0/22, 10.0.2/24 }
local_net = { 172.16.18.0/26 }

ike esp from $local_net to $remote_net peer $remote_gw psk test123
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [589]$ ipsecctl -n -f ipsec.conf
pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [590]$ echo $?
0

pgurumur-vm-openbsd (OpenBSD): [~/working/networking/docs]
10.200.0.46: [591]$ uname -a
OpenBSD pgurumur-vm-openbsd.silverspringnet.com 4.0 GENERIC#1137 i386

dmesg:
OpenBSD 4.0-current (GENERIC) #1137: Wed Oct  4 06:34:08 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS

real mem  = 267939840 (261660K)
avail mem = 236720128 (231172K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(53) BIOS, date 07/29/05, BIOS32 rev. 0 @ 0xfd880, 
SMBIOS rev. 2.31 @ 0xe0010 (45 entries)

bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 

ports question

2006-10-11 Thread Bryan Irvine

Sometimes ports have helpful messages that tell you the proper way to
start it from rc.local or some other set of instructions that should
be your next step etc...

Sometimes these get installed as a dependency of another app though
and so the screen just keeps right on trucking and you don't have time
to read it.  Is there some command or somewhere you can go to see what
the message was?

--Bryan



Re: ports question

2006-10-11 Thread Matthew Weigel
Bryan Irvine wrote:

 Sometimes these get installed as a dependency of another app though
 and so the screen just keeps right on trucking and you don't have time
 to read it.  Is there some command or somewhere you can go to see what
 the message was?

$ man pkg_info

The argument you're looking for is '-M'.
-- 
 Matthew Weigel



Re: ports question

2006-10-11 Thread Will Maier
On Wed, Oct 11, 2006 at 03:28:08PM -0700, Bryan Irvine wrote:
 Sometimes these get installed as a dependency of another app
 though and so the screen just keeps right on trucking and you
 don't have time to read it.  Is there some command or somewhere
 you can go to see what the message was?

$ man pkg_info
$ pkg_info -D python-2.4.3p0
Information for python-2.4.3p0

Install notice:
If you want to use this package as your default system python, create
symbolic links like so:
ln -s /usr/local/bin/python2.4 /usr/local/bin/python
ln -s /usr/local/bin/pydoc2.4  /usr/local/bin/pydoc

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Re: ports question

2006-10-11 Thread Bryan Irvine

On 10/11/06, Matthew Weigel [EMAIL PROTECTED] wrote:

Bryan Irvine wrote:

 Sometimes these get installed as a dependency of another app though
 and so the screen just keeps right on trucking and you don't have time
 to read it.  Is there some command or somewhere you can go to see what
 the message was?

$ man pkg_info

The argument you're looking for is '-M'.



Bingo! thanks!

--Bryan



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread ropers

On 11/10/06, Martin Gignac [EMAIL PROTECTED] wrote:

Hey Jens,

On 10/11/06, ropers [EMAIL PROTECTED] wrote:

 OTOH, if you do have enough public IPs to play with, I'd still
 consider bridging and using only public IPs (then you don't need to do
 VLANs or NAT).

To satisfy my own curiosity, what are the advantages in your view that
bridging offers between the internal and external interface compared
to using typical ip forwarding?

(Note: I've never worked with bridging on an OpenBSD firewall, so I'm
a newbie at it.)


I have limited expertise myself --while I do claim some OpenBSD
experience, that experience has its limits and I can't code. So
here's my understanding, but if I'm wrong anywhere I would be very
happy to get corrected:

Let's assume I have an OpenBSD box with adapters $ext_if and $int_if,
and $ext_if is connected to a switch on a WAN, and $int_if is
connected to a switch that a number of hosts are connected to. Let's
say on the WAN IP subnet 123.0.0.0/8 is being used. Now I somehow want
to provide firewall protection to the hosts on the $int_if side.

I could use NAT and give both the $int_if and $ext_if NICs IP
addresses. That way I would make the part on the $int_if side into a
subnet using eg. 192.168.0.0/16. I could assign 123.1.2.3 to $ext_if
and 192.168.1.2 to $int_if. I would not use bridging and none of the
NICs would be in promiscuous mode.

Or maybe I have gotten a small chunk off of that big fat 123.0.0.0/8
network to play with. So let's say I have been allocated
123.123.123.0/24. I would put the external interface in promiscuous
mode (echo up > /etc/hostname.if) but assign an IP to the internal
one, say 123.123.123.123. This IP would be my default gateway on the
internal hosts. They need to know where the heck to send packets that
aren't for hosts on what's now their own local subnet. Apart from the
fact that I'm using IP addresses of the same type (public in this
case) on both sides of the firewall, and that those IPs have to be
properly assigned to/subnetted by me, I'm still king in my castle --
my 123.123.123.0/24 subnet can be fairly independent.

Finally, I could use bridging. This puts both NICs in promiscuous
mode, even if I assign an IP address to one of them, which is a good
idea to allow remote administration (I could assign IPs to both but
there's prolly no good reason to). Also I could decide to only allow
local/serial console administration, and on purpose don't give IPs to
either NICs. With bridging, both sides are logically on the same
network segment, it's as if the network parts in front and behind the
firewall were just one physical network segment. This is transparent
bridging. Neither host on either side needs to even know that that
bridge is even there. And indeed it would be largely useless (well,
useful for range extension beyond max cabling lengths) as long as it
weren't also filtering. Once you packet filter on the bridge it
becomes a magic cable that's just part of a larger segment, but for
some reason doesn't allow garbage through. Good if you have to share a
subnet with undesirables.

I have a setup where there's a switch that's directly connected to the
Internets, that's outside of my control, and that my Windows Server
2003 Domain Controller has to share with third parties. Yeuch! So I
put that box behind an OpenBSD nanny^Wbridging firewall. Trouble is,
there are all these other hosts outside that firewall who are directly
connected to the switch, and these all need to talk to the DC and
expect it to be on the same subnet. Also, I want to put more hosts
behind the firewall. No problem with bridging.

I hope this makes sense.

What I don't really understand is where bridging actually takes place,
and what happens in case of a filtering bridge. I thought that
bridging per se happened at the data-link layer of the OSI model,
while packet filtering happened at the network layer.
Neither do I understand what really goes on during IP forwarding as
opposed to bridging, or, for that matter, why I needed to enable
net.inet.ip.forwarding=1 in /etc/sysctl.conf for the bridge to work.

Cheers,
--ropers

PS: What was quite interesting to learn about is how to enable DHCP
requests (inclusive DHCPDISCOVER messages) from certain hosts to
traverse this firewall:

pass on $ext_if proto udp from { 0.0.0.0, goodoutsiders } port 68 to $dhcpsrv port 67
pass on $ext_if proto udp from any port 68 to 255.255.255.255 port 67
pass on $ext_if proto udp from $dhcpsrv port 67 to { 255.255.255.255, goodoutsiders } port 68

PPS: OT, but according to MS' official documentation, you can't turn
on the Windows Firewall on a DC (or if you do turn it on, the DC won't
work). But since putting the OpenBSD box in I've also learned that
there are additional solutions to the unprotected Win 2003 DC problem:
Core Force, building your own Windows firewall with IPsec and mmc,
hax0ring the registry of all DCs in the forest to constrain their use
of dynamic ports and then configuring exceptions 

Re: RMS vs TdR (WAS: Re: OLPC)

2006-10-11 Thread shanejp
Breen,

Quoting Breen Ouellette [EMAIL PROTECTED]:

 PS - Jack, some friendly advice, you are only encouraging them each time
 you reply. They obviously don't care about why you find interest in this
 subject. They only want to find a way to link you to RMS and then trash you.

I wasn't trying to start a holy war. I asked the question because interesting 
was placed in quotes, as if it had some greater unspoken meaning...

 I find the contrast between them ... um ... interesting.

RMS being a bit out of touch sometimes is just my opinion. I'm not trying to 
link RMS to anyone or trash Jack.


Shane







Re: ports question

2006-10-11 Thread Brian A. Seklecki

PKG_INFO(1)                OpenBSD Reference Manual

NAME
     pkg_info - a utility for displaying information on software packages

[...]
     -D      Show the install-message file (if any) for each package
             (deprecated option).

     -M      Show the install-message file (if any) for each package.




On Wed, 11 Oct 2006, Bryan Irvine wrote:


Sometimes ports have helpful messages that tell you the proper way to
start it from rc.local or some other set of instructions that should
be your next step etc...

Sometimes these get installed as a dependency of another app though
and so the screen just keeps right on trucking and you don't have time
to read it.  Is there some command or somewhere you can go to see what
the message was?

--Bryan




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Stuart Henderson
On 2006/10/12 01:15, ropers wrote:
 Or maybe I have gotten a small chunk off of that big fat 123.0.0.0/8
 network to play with. So let's say I have been allocated
 123.123.123.0/24.

Normally, you get a separate address _as_well_. Let's say 123.4.5.6/30.
Say you don't run a dynamic routing protocol you would set the default
route to 123.4.5.5. The internal network 123.123.123.0 is yours to play
with and carve up as you like, say you take 123.123.123.1 and tell the
other hosts in the subnet that's their default gateway.

Provider receives packets for 123.123.123.123; their route table has
123.4.5.6 as the destination for 123.123.123/24 and sends the packets
along.

No promiscuous interfaces, this is just plain ordinary IP routing.

 I have a setup where there's a switch that's directly connected to the
 Internets, that's outside of my control, and that my Windows Server
 2003 Domain Controller has to share with third parties. Yeuch! So I
 put that box behind an OpenBSD nanny^Wbridging firewall.

Yes, bridging firewalls are useful where you don't have IP traffic for
the whole subnet forwarded to your router by normal IP routing. The
situation you describe is one. ISPs giving a `managed router' where they
can't be bothered to manage it enough to add routing-table entries for
you is another.

 What I don't really understand is where bridging actually takes place,
 and what happens in case of a filtering bridge. I thought that
 bridging per se happened at the data-link layer of the OSI model,

OSI is just a model (-:

 Neither do I understand what really goes on during IP forwarding as
 opposed to bridging

with forwarding(routing) tcp/ip packets have a destination IP address
which isn't bound to an interface on the router but the MAC address _is_
the address of the routers (destination address is not ARP'd for because
the previous router knows it's not a directly-connected destination).

with bridging, the MAC address is of the final destination, and is
learned by the previous router by ARPing for it (ethernet broadcasts
cross the bridge unaltered).

see tcpdump -e

 or, for that matter, why I needed to enable
 net.inet.ip.forwarding=1 in /etc/sysctl.conf for the bridge to work.

I'm not sure you do, but I think you need it for PF. If it was a
bit more sensible time of day I'd double-check (-:
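
What `tcpdump -e` shows in the two cases described above, as an added example that is not part of the original message: it reads the destination MAC and destination IP of each frame and reports whether the frame is addressed to the final host (direct or bridged) or to a router (forwarded). The IPs follow the thread's address plan; the MAC addresses, the outside source address and both capture lines are constructed, and the line layout is that of current tcpdump.

```python
import re

# Constructed sample data. IPs follow the address plan used in the thread;
# the MAC addresses are made up (documentation range 00:00:5e:00:53:xx).
PROVIDER_MAC = "00:00:5e:00:53:05"  # provider router, 123.4.5.5
ROUTER_MAC = "00:00:5e:00:53:06"    # customer router, 123.4.5.6 on the /30 link
HOST_MAC = "00:00:5e:00:53:7b"      # end host 123.123.123.123

# IP -> MAC bindings the observer already knows (for instance from `arp -a`).
KNOWN = {
    "123.4.5.6": ROUTER_MAC,
    "123.123.123.123": HOST_MAC,
}

# Routed: the frame goes to the router's MAC, the IP destination is the host.
ROUTED_LINE = (
    f"{PROVIDER_MAC} > {ROUTER_MAC}, ethertype IPv4 (0x0800), length 74: "
    "198.51.100.9.40000 > 123.123.123.123.5001: Flags [S]"
)
# Bridged: the previous hop ARPed across the bridge and uses the host's own MAC.
BRIDGED_LINE = (
    f"{PROVIDER_MAC} > {HOST_MAC}, ethertype IPv4 (0x0800), length 74: "
    "198.51.100.9.40000 > 123.123.123.123.5001: Flags [S]"
)

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(
    rf"(?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)


def strip_port(endpoint):
    """tcpdump prints TCP/UDP endpoints as a.b.c.d.port; keep a.b.c.d."""
    return ".".join(endpoint.split(".")[:4])


def classify(line, known=KNOWN):
    """Return (verdict, detail) for one tcpdump -e line, or None if unparsed."""
    m = FRAME_RE.search(line)
    if m is None:
        return None  # not an IPv4 frame in the expected layout (ARP, etc.)
    dst_ip = strip_port(m["dst"])
    dst_mac = m["dmac"]
    if known.get(dst_ip) == dst_mac:
        # Layer-2 destination is the final host: same segment or via a bridge.
        return ("direct-or-bridged", dst_ip)
    for ip, mac in known.items():
        if mac == dst_mac:
            # Layer-2 destination is some other box, which must forward it.
            return ("routed", ip)
    return ("unknown", dst_mac)


if __name__ == "__main__":
    for sample in (ROUTED_LINE, BRIDGED_LINE):
        print(classify(sample), "<-", sample)
```
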



blurb blurb

2006-10-11 Thread Paul Stoeber
I've been thinking about the legal blurbs in the source files, the
most permissive being the one in, for example, src/bin/chio/parse.y

I feel it's a bit silly to bother with them, since they have no
technical significance.  But perhaps it's worthwhile, every once
in a while, to ponder the real world and its constraints.

The motivation for authors to put blurbs in their work must be some
kind of fear.  The nature of this fear can be guessed from the
wording of the blurb.  The authors hope that the blurb affords them
protection.

I wonder if the following language would provide the same level of
protection or better:

We, the authors of this work, are giving it away to you, dear
reader (and to everyone else), as an opportunity, not as a
service.  Do with it whatever you want.  We welcome your
contributions, and we owe you nothing.

I imagine that putting this one in place of the orthodox blurb would
be an inspiring demonstration of resistance to fear.  Surely no
judge could misunderstand its intention.

Please discuss.



Re: blurb blurb

2006-10-11 Thread Theo de Raadt
 I've been thinking about the legal blurbs in the source files, the
 most permissive being the one in, for example, src/bin/chio/parse.y
 
 I feel it's a bit silly to bother with them, since they have no
 technical significance.  But perhaps it's worthwhile, every once
 in a while, to ponder the real world and its constraints.

No.  You are wrong.  That is a legal document that is well understood.

In this case, it is a slightly modified ISC copyright rights granting
statement.

 The motivation for authors to put blurbs in their work must be some
 kind of fear.  The nature of this fear can be guessed from the
 wording of the blurb.  The authors hope that the blurb affords them
 protection.

No.  It is a copyright statement that GRANTS RIGHTS.  If we don't
have that there, then no one gets a collection of grants which they
depend on now.

 I wonder if the following language would provide the same level of
 protection or better:
 
 We, the authors of this work, are giving it away to you, dear
 reader (and to everyone else), as an opportunity, not as a
 service.  Do with it whatever you want.  We welcome your
 contributions, and we owe you nothing.
 
 I imagine that putting this one in place of the orthodox blurb would
 be an inspiring demonstration of resistance to fear.  Surely no
 judge could misunderstand its intention.
 
 Please discuss.

Discuss what?  Only one thing is obvious.  You don't understand the
history of copyright treaties and per-country copyright laws that
implement those treaties on a regional level, nor what we are legally
trying to give people.  How about you just leave this to people who
have been dealing with this for years?

Your blurb does not say let anyone use the software in the way we
intend.

Trust us.  We know what we are doing.



Firefox/Iceweasel in OpenBSD

2006-10-11 Thread David Sampson
Due to the recent flare over the use of the Firefox logo, the GNU camp
has decided to fork the entire project, into IceWeasel.  The idea here
is that they can't use the FF logo freely, so of course they must fork
it.  I just want to know how this is going to affect the OpenBSD camp,
if at all.  

David Sampson



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

Hi again Jens,

On 10/11/06, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2006/10/12 01:15, ropers wrote:
 Or maybe I have gotten a small chunk off of that big fat 123.0.0.0/8
 network to play with. So let's say I have been allocated
 123.123.123.0/24.

Normally, you get a separate address _as_well_. Let's say 123.4.5.6/30.
Say you don't run a dynamic routing protocol you would set the default
route to 123.4.5.5. The internal network 123.123.123.0 is yours to play
with and carve up as you like, say you take 123.123.123.1 and tell the
other hosts in the subnet that's their default gateway.


I think what confused me about your suggestion of using bridging is
because I'm used to having setups like the one Stuart mentioned: that
is, having an ISP assign an IP for the external interface of my
firewall (a /30 one in the case of a point-to-point link) and giving
me a range of public IPs for which the next hop router will be
configured as the IP assigned to the external interface. This info
will be configured in the ISP's router (the default gateway from my
firewall's point of view) and I'll use the range of public IPs on the
internal interface. In these types of cases I wouldn't use bridging;
simply IP forwarding.


Yes, bridging firewalls are useful where you don't have IP traffic for
the whole subnet forwarded to your router by normal IP routing. The
situation you describe is one. ISPs giving a `managed router' where they
can't be bothered to manage it enough to add routing-table entries for
you is another.


I've never had to deal with the cases mentioned in the paragraph
above, which explains why I've never looked into bridging.

Also, I am a bit concerned about having the phones and the office
computers on the same subnet: some of these brands of VoIP phones (at
least the Cisco 7940s) have a TELNET interface on them and can boot
off of a TFTPd server. I think it'd be safer to have the phones on
their own subnets, protected by the OpenBSD firewall, so that some
curious office worker armed with nmap doesn't start trying to figure
out the IPs of all the phones and begin trying to access them just for
the fun of it. Also, by separating the phones from the PCs in two
different subnets you save a bit on broadcast and possible multicast
(if your switch is not IGMP-aware) traffic. Anyway, I guess that's how
I'd do it.

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



open source PLCs?

2006-10-11 Thread Jacob Yocom-Piatt
is there any open source software that allows for use of OTS computers as PLCs
for manufacturing equipment?



Re: open source PLCs?

2006-10-11 Thread L. V. Lammert
On Wed, 11 Oct 2006, Jacob Yocom-Piatt wrote:

 is there any open source software that allows for use of OTS computers as PLCs
 for manufacturing equipment?

6,010,000 hits on Google, .. or did you have a different question?

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Girish Venkatachalam
On Wed, Oct 11, 2006 at 12:22:06PM -0400, Martin Gignac wrote:
 On 10/11/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:
 
 If my memory serves me right, SIP actually has ALG built into the standard 
 itself and www.opensip.org might already give you what you want.
 
 Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
 number that I could check out concerning this?
 
 -Martin
 
You could have easily googled for SIP RFC. That is what one would expect from 
OpenBSD crowd...

Anyway I can certainly provide you with more info. But the problem is, I worked 
on VoIP more than two years ago and I never really worked on SIP. I read the 
RFC, that is all. 

Check out http://www.faqs.org/rfcs/rfc3261.html

Pay particular attention to the various components of the protocol. In 
particular, focus on proxy server and user agent.

SIP I believe is quite popular in the VoIP world and it has a simple text 
protocol very similar to HTTP.

I am sorry, I can't help you any further. 

I wish I had more experience implementing real world VoIP solutions but I don't 
have.

All the best!

regards,
Girish



Re: blurb blurb

2006-10-11 Thread Damien Miller
On Thu, 12 Oct 2006, Paul Stoeber wrote:

 I wonder if the following language would provide the same level of
 protection or better:
 
 We, the authors of this work, are giving it away to you, dear
 reader (and to everyone else), as an opportunity, not as a
 service.  Do with it whatever you want.  We welcome your
 contributions, and we owe you nothing.

This fails to grant the rights explicitly identified in the Berne 
convention[1] and probably doesn't have the legal effect that you
intend. 

 I imagine that putting this one in place of the orthodox blurb would
 be an inspiring demonstration of resistance to fear.  Surely no
 judge could misunderstand its intention.

I think case law proves you wrong here too.

-d

[1] http://www.law.cornell.edu/treaties/berne/overview.html



Re: Firefox/Iceweasel in OpenBSD

2006-10-11 Thread David Sampson
AFAIK, no, but I was hoping to glean that information from the list...

On Wed, 2006-10-11 at 23:31 -0500, Sam Fourman Jr. wrote:
 is someone planning on making a OpenBSD port for IceWeasel?
 
 Sam Fourman Jr.
 
 On 10/11/06, David Sampson [EMAIL PROTECTED] wrote:
  Due to the recent flare over the use of the Firefox logo, the GNU camp
  has decided to fork the entire project, into IceWeasel.  The idea here
  is that they can't use the FF logo freely, so of course they must fork
  it.  I just want to know how this is going to affect the OpenBSD camp,
  if at all.
 
  David Sampson



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Girish Venkatachalam
On Thu, Oct 12, 2006 at 09:26:21AM +0530, Girish Venkatachalam wrote:
 On Wed, Oct 11, 2006 at 12:22:06PM -0400, Martin Gignac wrote:
  On 10/11/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:
  
  If my memory serves me right, SIP actually has ALG built into the standard 
  itself and www.opensip.org might already give you what you want.
  
  Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
  number that I could check out concerning this?
  
  -Martin
  
 You could have easily googled for SIP RFC. That is what one would expect from 
 OpenBSD crowd...
 
Very Sorry Martin. I was not in a good mood this morning and I also got angry 
since I didn't know enough to help you out.

Because VoIP has always fascinated me and even my attempts at hacking Asterisk 
fizzled out. I hope to play with these things soon.

Please don't mind it. I had a dream last night and could not get proper sleep.

Have a nice day! Hope you don't take it to heart.

regards,
Girish



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

On 10/12/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:


Very Sorry Martin. I was not in a good mood this morning and I also got angry 
since I didn't know enough to help you out.



Have a nice day! Hope you don't take it to heart.


No sweat. :-)

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



Re: Firefox/Iceweasel in OpenBSD

2006-10-11 Thread Siju George

On 10/12/06, David Sampson [EMAIL PROTECTED] wrote:

Due to the recent flare over the use of the Firefox logo, the GNU camp
has decided to fork the entire project, into IceWeasel.  The idea here
is that they can't use the FF logo freely, so of course they must fork
it.  I just want to know how this is going to affect the OpenBSD camp,
if at all.



Just going through it in

http://en.wikipedia.org/wiki/Iceweasel

I found

===

1)

The name IceWeasel was coined to refer to Mozilla Firefox during a
long debate within the Debian Project in 2004 and 2005. Mozilla
enforces trademarks vigorously and claims the right to deny the use of
the name Firefox to unofficial builds.

2)

Distributions that do not have this permission must compile the
Firefox source with an option enabled that gives Firefox a generic
name and does not use the official logo or other artwork.

I don't know about 4.0 but in 3.9 it compiles with the name mozilla-firefox.

Is this wrong? or did I miss something?

Thank you so much

Kind Regards

Siju



Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

On 10/11/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:

On Wed, Oct 11, 2006 at 12:22:06PM -0400, Martin Gignac wrote:
 On 10/11/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:

 If my memory serves me right, SIP actually has ALG built into the standard
 itself and www.opensip.org might already give you what you want.

 Hmm, wasn't aware of that. Do you have any specific RFC or 3GPP spec
 number that I could check out concerning this?

 -Martin

You could have easily googled for SIP RFC. That is what one would expect from 
OpenBSD crowd...

Anyway I can certainly provide you with more info. But the problem is, I worked 
on VoIP more than two years ago and I never really worked on SIP. I read the 
RFC, that is all.

Check out http://www.faqs.org/rfcs/rfc3261.html

Pay particular attention to the various components of the protocol. In 
particular, focus on proxy server and user agent.


Yeah, I'm familiar with 3261. However the SIP proxy that 3261 talks
about has a completely different function than what an ALG/SBC does.
Maybe I shouldn't have used the term SIP proxy in my previous
e-mails. My bad.

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan



Re: Firefox/Iceweasel in OpenBSD

2006-10-11 Thread David Sampson
Hrrmpf.  It seems like this goes against OpenBSD philosophy, but there
are many who know far more than I on this subject.  Maybe TDR hasn't
decided/thought about it, I don't know.  I would like to continue to use
firefox under that name, and use the logo too, but it probably isn't as
simple as that.

David Sampson
dbsrolltide_at_bellsouth.net


On Thu, 2006-10-12 at 10:37 +0530, Siju George wrote:
 On 10/12/06, David Sampson [EMAIL PROTECTED] wrote:
  Due to the recent flare over the use of the Firefox logo, the GNU camp
  has decided to fork the entire project, into IceWeasel.  The idea here
  is that they can't use the FF logo freely, so of course they must fork
  it.  I just want to know how this is going to affect the OpenBSD camp,
  if at all.
 
 
 Just going through it in
 
 http://en.wikipedia.org/wiki/Iceweasel
 
 I found
 
 ===
 
 1)
 
 The name IceWeasel was coined to refer to Mozilla Firefox during a
 long debate within the Debian Project in 2004 and 2005. Mozilla
 enforces trademarks vigorously and claims the right to deny the use of
 the name Firefox to unofficial builds.
 
 2)
 
 Distributions that do not have this permission must compile the
 Firefox source with an option enabled that gives Firefox a generic
 name and does not use the official logo or other artwork.
 
 I don't know about 4.0 but in 3.9 it compiles with the name mozilla-firefox.
 
 Is this wrong? or did I miss something?
 
 Thank you so much
 
 Kind Regards
 
 Siju



pf+altq problem

2006-10-11 Thread Reza Muhammad
Dear list,

My pf.conf is not working.
I have pf on a bridge machine with xl2 to the internet firewall and xl1 to the
internal switch. Bridging is ok.

This is my simple pf.conf:

me=172.16.0.228
altq on xl1 bandwidth 100% cbq queue {me,dflt}

queue me    bandwidth 8Kb
queue dflt  bandwidth 16Kb cbq  (default)


block log on {xl1,xl2} all

pass out log on xl1 from $me to any  keep state
pass log on xl2 from $me to any keep state queue (me)


This rule is matched when I try to connect to the iperf server:

# tcpdump -nett -i pflog0 | grep 172.16.0.228
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
1160655756.150048 rule 3/(match) pass in on xl2: 172.16.0.228.44405 128.6.231.102.5001: [|tcp] (DF)
1160655756.150059 rule 2/(match) pass out on xl1: 172.16.0.228.44405 128.6.231.102.5001: [|tcp] (DF)

But iperf tells me that this connection is 24.4 Kbits/sec (more than 8Kbps).

[EMAIL PROTECTED] beastie]# iperf -c lss.rutgers.edu

Client connecting to lss.rutgers.edu, TCP port 5001
TCP window size: 16.0 KByte (default)

[  3] local 172.16.0.228 port 44408 connected with 128.6.231.102 port 5001
[  3]  0.0-16.1 sec  48.0 KBytes  24.4 Kbits/sec


I'm expecting iperf to report a rate equal to the bandwidth that I
assigned to the (me) queue pipe.
Is there anything wrong, or did I miss something here?
Please help me.

regards
Reza



Re: Firefox/Iceweasel in OpenBSD

2006-10-11 Thread Ted Unangst

On 10/11/06, David Sampson [EMAIL PROTECTED] wrote:

AFAIK, no, but I was hoping to glean that information from the list...

On Wed, 2006-10-11 at 23:31 -0500, Sam Fourman Jr. wrote:
 is someone planning on making a OpenBSD port for IceWeasel?


and the point would be?  what makes iceweasel a better browser than firefox?



Re: RMS vs TdR (WAS: Re: OLPC)

2006-10-11 Thread Shane J Pearson

Breen,

I am replying to this in full because I want my intentions known.  
I'll leave it at this.


On 12/10/2006, at 2:58 AM, Breen Ouellette wrote:


Jack J. Woehr wrote:

On Oct 10, 2006, at 5:38 PM, Shane J Pearson wrote:


By interesting, you mean one is well meaning, but a little  
kooky  and not always in touch with reality and the other is  
focused and  committed to maintaining some sanity in the world of  
computing?




No, I didn't mean that. I meant that both gentlemen are personal   
friends of mine
and that the contrast between these two giants of free and open   
source software

could hardly be more striking.


Obviously there are elements trying to start an RMS/GNU versus TdR/BSD
holy war.


If you are referring to me, you are right off the mark. I never  
mentioned GNU or BSD and had no intention of starting anything. It  
was just a throw-away comment in support of the OpenBSD leadership.


If you don't find it interesting that two men could take a stand  
for free and open ideals, and yet interpret those ideals so  
differently, then fine, it isn't interesting to you.


I never said it was not interesting.

If you don't like RMS (or TdR for that matter) or his version of  
free and open ideals, then fine, you have the right to feel that  
way in most locales. I'm not particularly fond of RMS' views and  
ideas myself.


I very much respect both, but lean towards Theo's ideals and line of  
practical thinking, which is always very thought provoking for me.  
But that is just me. I wouldn't waste time trying to start a flame  
war, because this is just my opinion and I don't want to waste misc@  
users time.


I do now see that I probably just should have kept my opinion to  
myself, because it could be misinterpreted and was probably not worth  
mentioning.


But when you reply to the original poster's message feigning that  
you don't understand his point, well, then you come across as  
stupid. An inquisitive child could understand the difference  
between these two mens' views, and understand that some people  
might find it interesting.


Who are you referring to with this? Am I the stupid person for  
finding a vague comment to be vague? If I don't ask, then I can only  
make assumptions with something like:


'...um... interesting'

And my comment was mostly meant in jest.

Really, truly stupid. And willing to share it with the rest of the  
world on a public mailing list, no less! Brilliant!


I, when confronted with a vague comment, ask a question for  
clarification. Which admittedly was meant more of a humorous,  
rhetorical question.


Whereas you, confronted with something also vague (to a lesser  
extent), choose to read a LOT into it and then go on the attack,  
publicly with a tirade against a bunch of incorrect assumptions.


So which is more stupid?

If you want to start a holy war about the merits of these two  
positions then start a thread, preferably somewhere else, and howl  
into the wind. Nobody cares. We've all made up our minds about  
which side of the fence we are on. You aren't going to change my  
mind, or anyone else's. You are only making yourselves out to be a  
bunch of idiots.


I think you have rather made quite the arse of yourself, Breen. I can  
now see the danger of a holy war erupting from my oversight, but  
mostly due to presumptuous people like you, who shoot first then ask  
questions later.


This sure doesn't help the image of the OpenBSD user base at all.  
When we aren't taken seriously it is, in part, because of childish  
melodrama like this thread.


Frankly, I don't much worry about the perception of the OpenBSD user  
base, because I think any negative perceptions towards it as a whole  
would be unfounded. There are idiots in every user camp. However this  
user camp makes up for them and then some, with some really helpful  
decent people on the list.


I just temporarily put them on my twit list. But in the past 7 years  
or so, I've only put ONE person from misc@ in my twit list and I've  
since taken them off, now that they've become more reasonable.


PS - Jack, some friendly advice, you are only encouraging them each  
time you reply. They obviously don't care about why you find  
interest in this subject. They only want to find a way to link you  
to RMS and then trash you.


You find a lot of things obvious for a guy who is so presumptuous.

For the record, I respect the intentions of RMS and I highly respect  
the intentions and practical thinking of Theo, the OpenBSD project,  
the developers and much of the user base. I've been enjoying OpenBSD  
since 2.5 and I try to buy OpenBSD items and donate whenever I am  
financially able. I tried to donate brand new SCSI disks when Theo  
asked for them for the older machines and I purchased a brand new  
SCSI card for an Aussie developer and had it sent to him, while I was  
mostly unemployed with small funds. My intentions are honourable  
here. I messed up by touching 

Re: Setting up a box to do NAT and Static IPs

2006-10-11 Thread Martin Gignac

On 10/12/06, Martin Gignac [EMAIL PROTECTED] wrote:


Yeah, I'm familiar with 3261. However the SIP proxy that 3261 talks
about has a completely different function than what an ALG/SBC does.
Maybe I shouldn't have used the term SIP proxy in my previous
e-mails. My bad.


I don't know if it'll make things any clearer (I doubt it), but you
could compare the SIP proxy in RFC 3261 as a combination HSS/CSCF in
3GPP IMS (IP Multimedia Subsystem) parlance whereas the ALG/SBC
performs the function of an I-BCF/I-BGF (man, who thinks up all of
these acronyms).

 http://en.wikipedia.org/wiki/IP_Multimedia_Subsystem

 http://www.dataconnection.com/sbc/imsarch.htm

-Martin

--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.

  --Bill Vaughan