Re: keep state for http connections

2007-01-24 Thread Otto Moerbeek
On Thu, 25 Jan 2007, Travers Buda wrote:

> On Wed, 24 Jan 2007 14:20:46 -0800
> "Kian Mohageri" <[EMAIL PROTECTED]> wrote:
> 
> > On 1/24/07, Travers Buda <[EMAIL PROTECTED]> wrote:
> > 
> > > Last time I checked though, clients only talk with the web server on
> > > port 80. So, the only reason you would want to keep state would be if
> > > you have a ruleset like block out all (which is generally only useful
> > > if you don't trust the users of said machine.) So, just unconditionally
> > > pass port 80 traffic in both directions.
> > 
> > 
> > 
> > That was really bad advice.  Stateful filtering is much more efficient, and
> > that is very important for a firewall handling thousands of connections.
> > The default state limit of 10,000 is pretty reasonable and you can change it
> > easily.  I usually have around 100,000 states on my firewall.  You can also
> > put limits on the number of states each client can create to prevent Denial
> > of Service.  In my opinion, it is best to keep state unless you have a
> > reason NOT to.
> > 
> > Keeping state will soon be the default behavior in pf...that says something
> > about it.
> > 
> > Also see the three articles Daniel Hartmeier wrote:
> > 
> > http://undeadly.org/cgi?action=article&sid=20060927091645
> > 
> > -- 
> > Kian Mohageri
> > 
> 
> That is a good point that state table lookups are cheaper. You're
> right, keep state should be faster.
> 
> On the other hand, if you are in dire need of more ram, one could put 
> pass in quick proto tcp from any to any port 80
> at the top of their filtering rules (but below blacklisted IP's =)).
> Note the "quick" option. This would help mitigate the speed loss.
> 
> Alec, would you mind doing a brief benchmark of the two techniques?
> Just for kicks. 

Don't forget that keep state does more than speeding up things, it
also checks to see if the packets "fit into the state" of the
connection.  Just passing packets won't. 

-Otto
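An added pf.conf fragment, not from any message in this thread, that puts the stateless rule Travers suggests beside the stateful rule Kian and Otto argue for, with the state limit and per-client limits the thread mentions (4.0-era syntax; the interface name, server address, table name and limit values are assumed):

```pf
# Added example: the interface, address, table and limit values are assumed.
ext_if = "fxp0"
www    = "192.0.2.10"
table <abusers> persist

# Kian's point: the default of 10,000 states is easy to raise.
set limit states 100000

# Stateless variant from the thread. Every packet is evaluated against the
# ruleset, nothing checks that flags or sequence numbers belong to a real
# connection, and any TCP packet aimed at port 80 is let through.
# pass in quick on $ext_if proto tcp from any to $www port 80

# Stateful variant. Only an initial SYN (flags S/SA) can create a state; the
# reply and every later packet are matched against that state entry and must
# fit its sequence windows, which is the check Otto describes. The state
# options cap how many states one client may hold and how fast it may open
# new connections, and move offenders into the <abusers> table.
block in on $ext_if
block in quick on $ext_if from <abusers>
pass in on $ext_if proto tcp from any to $www port 80 \
    flags S/SA keep state \
    (max-src-states 100, max-src-conn-rate 15/5, overload <abusers> flush)
```

`pfctl -sr` shows the parsed rules and `pfctl -si` the current state count against the configured limit.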



Re: compiling SMP kernel (how?)

2007-01-24 Thread Daniel Ouellet

Peter Matulis wrote:
I'm looking for instructions on compiling a kernel to run on my SMP 
system.  I've installed 4.0 and I can run bsd.mp but now I want to 
update my sources and recompile a new GENERIC kernel.


All is fully documented on the site.

Use the patch process only for the security advisory you need:
http://openbsd.org/faq/faq10.html#Patches

Or go the full way via CVS, if you pick that way:
http://openbsd.org/anoncvs.html

More details here:
http://openbsd.org/faq/faq5.html#BldGetSrc

Build your kernel:
http://openbsd.org/faq/faq5.html#BldKernel

Build your userland:
http://openbsd.org/faq/faq5.html#BldUserland

In short, all is there for you to do as you see fit.

Get yourself familiar with the process. All you need is above.

Best,

Daniel



Re: bcw Driver won't attach

2007-01-24 Thread Sam Fourman Jr.

ahh so I have to build a custom kernel.

ok Thank you

Sam Fourman Jr.

On 1/24/07, Jonathan Gray <[EMAIL PROTECTED]> wrote:

On Wed, Jan 24, 2007 at 11:03:04PM -0600, Sam Fourman Jr. wrote:
> Below is a dmesg and my Broadcom 4318 won't attach even after
> installing the firmware
>
> does anyone have a patch laying around out of tree?

It does not attach because the driver is not included
in GENERIC; this is because it is not yet finished.




Re: keep state for http connections

2007-01-24 Thread Travers Buda
On Wed, 24 Jan 2007 14:20:46 -0800
"Kian Mohageri" <[EMAIL PROTECTED]> wrote:

> On 1/24/07, Travers Buda <[EMAIL PROTECTED]> wrote:
> 
> > Last time I checked though, clients only talk with the web server on
> > port 80. So, the only reason you would want to keep state would be if
> > you have a ruleset like block out all (which is generally only useful
> > if you don't trust the users of said machine.) So, just unconditionally
> > pass port 80 traffic in both directions.
> 
> 
> 
> That was really bad advice.  Stateful filtering is much more efficient, and
> that is very important for a firewall handling thousands of connections.
> The default state limit of 10,000 is pretty reasonable and you can change it
> easily.  I usually have around 100,000 states on my firewall.  You can also
> put limits on the number of states each client can create to prevent Denial
> of Service.  In my opinion, it is best to keep state unless you have a
> reason NOT to.
> 
> Keeping state will soon be the default behavior in pf...that says something
> about it.
> 
> Also see the three articles Daniel Hartmeier wrote:
> 
> http://undeadly.org/cgi?action=article&sid=20060927091645
> 
> -- 
> Kian Mohageri
> 

That is a good point that state table lookups are cheaper. You're
right, keep state should be faster.

On the other hand, if you are in dire need of more ram, one could put 
pass in quick proto tcp from any to any port 80
at the top of their filtering rules (but below blacklisted IP's =)).
Note the "quick" option. This would help mitigate the speed loss.

Alec, would you mind doing a brief benchmark of the two techniques?
Just for kicks. 

Travers Buda



rdr woes (3.9) transparent bridge pf

2007-01-24 Thread patrick keshishian

Greetings,

I have a transparent bridged pf serving my home network.
It has been running fairly nicely for some time now.

I have a web server behind it which I'm trying to move
to another server, same network, different IP.

I thought it might be a simple thing to just use a rdr
rule to point traffic intended for web server one (www1)
to web server two (www2) until the DNS changes take place.

But it doesn't seem to be working as expected.  Just to
test this out before committing to it, I added the following
to my pf.conf

   rdr proto tcp to $www1 port 8080 -> $www2 port www

I fire up a browser and type in the URL:

   http://www1:8080/

But it just sits there trying to load.  Client shows SYN_SENT
state.  www2 shows no states.  `pfctl -ss -v' shows:


all tcp www2:80 <- www1:8080 <- client:49639   CLOSED:SYN_SENT
all tcp client:49639 -> www2:80   SYN_SENT:CLOSED



Is there something I'm missing?

Anything else I should be keeping an eye on?


Note that client can connect to either web server directly,
that is there are no filter rules blocking client from
connecting to www[12]:80.


The only thing I can think of that may be putting a kink in
this picture is that the pf server is bridging the
interfaces transparently, and I'm using tags to base my
filtering policies on.  Reading pf.conf(5) I don't see any
particular thing that could cause problems with this
set up.


Any help would be appreciated.

--patrick



Re: compiling SMP kernel (how?)

2007-01-24 Thread djgoku

On 1/24/07, Peter Matulis <[EMAIL PROTECTED]> wrote:

I'm looking for instructions on compiling a kernel to run on my SMP
system.  I've installed 4.0 and I can run bsd.mp but now I want to
update my sources and recompile a new GENERIC kernel.


Read this: http://openbsd.org/stable.html



Re: compiling SMP kernel (how?)

2007-01-24 Thread Marco Peereboom
Why don't you use a snapshot instead?

If you need more instructions than provided in the FAQ you might not be
ready for kernel compiles and should rely on the kernels that are
provided to you.

On Wed, Jan 24, 2007 at 11:52:07PM -0500, Peter Matulis wrote:
> I'm looking for instructions on compiling a kernel to run on my SMP 
> system.  I've installed 4.0 and I can run bsd.mp but now I want to 
> update my sources and recompile a new GENERIC kernel.
> 
> Peter



Re: bcw Driver won't attach

2007-01-24 Thread Jonathan Gray
On Wed, Jan 24, 2007 at 11:03:04PM -0600, Sam Fourman Jr. wrote:
> Below is a dmesg and my Broadcom 4318 won't attach even after
> installing the firmware
> 
> does anyone have a patch laying around out of tree?

It does not attach because the driver is not included
in GENERIC; this is because it is not yet finished.



Re: A PHP management interface for OpenBSD ?

2007-01-24 Thread David Bryan
I really like the concept, but something you must remember when
developing any web app: input validation.

Ideally you would have a MySQL database or file that just enables or
disables something (literally a 1 or a 0, or true/false), then a
secondary program that creates config files from that with very little
that is used as input, maybe an IP address or small flags. Again,
limiting the input so as to remove the possibility for command
injection. If done well, this could be great! Done poorly, anyone
could own your box via SQL or command injection.

Check out OWASP for PHP filters and other programming nuggets.

chefren wrote:
> On 1/25/07 1:34 AM, Passeur wrote:
>> We are in the process of developing a PHP framework with a web
>> frontend to
>> manage the OpenBSD settings through a web browser.
>
> It should be handy, I presume =all= configs, logins, groups, passwords
> and for example the settings for Apache and PHP itself included?
>
>> A friend advised me not to do that because of all the security holes
>> I will
>> introduce on OpenBSD.
> >> He advised me, rather than using PHP, to use CGI/Perl.
>>
>> What is your opinion ?
>
> "Let's punch through all carefully designed security layers of OpenBSD
> with a 'program' based on the most insecure language of the planet."
>
>
> Clueless
>
> +++chefren



bcw Driver won't attach

2007-01-24 Thread Sam Fourman Jr.

Below is a dmesg and my Broadcom 4318 won't attach even after
installing the firmware

does anyone have a patch laying around out of tree?

Sam Fourman Jr.

OpenBSD 4.0-current (GENERIC) #1350: Fri Jan 19 16:42:39 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M processor 1.50GHz ("GenuineIntel"
686-class) 1.50 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF
real mem  = 526872576 (514524K)
avail mem = 472514560 (461440K)
using 4256 buffers containing 26468352 bytes (25848K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 09/12/05, BIOS32 rev. 0 @
0xfd710, SMBIOS rev. 2.31 @ 0xdf010 (19 entries)
bios0: Hewlett-Packard HP Pavilion dv1000 (EH443UA#ABA)
pcibios0 at bios0: rev 2.1 @ 0xfd710/0x8f0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xf200! 0xcf800/0x1000 0xdf000/0x800! 0xe/0x4000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915GM/PM/GMS Host" rev 0x03
vga1 at pci0 dev 2 function 0 "Intel 82915GM/GMS Video" rev 0x03:
aperture at 0xb008, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Intel 82915GM/GMS Video" rev 0x03 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 3
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 3
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 4
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 3
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb0 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd3
pci1 at ppb0 bus 1
rl0 at pci1 dev 0 function 0 "Realtek 8139" rev 0x10: irq 10, address
00:c0:9f:f7:71:b3
rlphy0 at rl0 phy 0: RTL internal PHY
"Broadcom BCM4318" rev 0x02 at pci1 dev 6 function 0 not configured
cbb0 at pci1 dev 9 function 0 "TI PCI7XX1 CardBus" rev
0x00pci_intr_map: no mapping for pin A
: couldn't map interrupt
"TI PCI7XX1 FireWire" rev 0x00 at pci1 dev 9 function 2 not configured
"TI PCI7XX1 Flash" rev 0x00 at pci1 dev 9 function 3 not configured
sdhc0 at pci1 dev 9 function 4 "TI PCI7XX1 Secure Data" rev 0x00: irq 11
sdmmc0 at sdhc0
sdmmc1 at sdhc0
sdmmc2 at sdhc0
auich0 at pci0 dev 30 function 2 "Intel 82801FB AC97" rev 0x03: irq 5, ICH6 AC97
ac97: codec id 0x43585430 (Conexant CX?)
ac97: codec features reserved, headphone, 18 bit DAC, 18 bit ADC, No 3D Stereo
audio0 at auich0
"Intel 82801FB Modem" rev 0x03 at pci0 dev 30 function 3 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FBM LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x03: irq 3
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask efdd netmask efdd ttymask ffdf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



compiling SMP kernel (how?)

2007-01-24 Thread Peter Matulis
I'm looking for instructions on compiling a kernel to run on my SMP 
system.  I've installed 4.0 and I can run bsd.mp but now I want to 
update my sources and recompile a new GENERIC kernel.

Peter



Re: ipcomp

2007-01-24 Thread Richard Thornton

Thanks Jason,

Can someone tell me whether ipcomp is working? If so, how do I use it, and does
it support deflate?

Cheers
Richard

On 23/01/07, Jason McIntyre <[EMAIL PROTECTED]> wrote:

On Tue, Jan 23, 2007 at 01:04:51PM +1100, Richard Thornton wrote:
>
> Just trying to ascertain if ipcomp(4) is fully integrated with
> ipsecctl(8), if it is can someone detail the ipsec.conf(5) config to
> use it, also does it support RFC2394 IP Payload Compression Using
> DEFLATE?
>

i believe it is not, and if it is some kind ipsec developer will correct
me.

jmc




Re: A PHP management interface for OpenBSD ?

2007-01-24 Thread Darren Spruell

On 1/24/07, chefren <[EMAIL PROTECTED]> wrote:

On 1/25/07 1:34 AM, Passeur wrote:
> We are in the process of developing a PHP framework with a web frontend to
> manage the OpenBSD settings through a web browser.
> A friend advised me not to do that because of all the security holes I will
> introduce on OpenBSD.
> He advised me, rather than using PHP, to use CGI/Perl.
>
> What is your opinion ?


There's a perfectly good remote management interface for OpenBSD.

sshd(8).

DS



Re: Performance Statistics: -current

2007-01-24 Thread Umnada Tyrolla
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On Behalf Of Brian Candler
> Sent: Friday, January 19, 2007 7:07 AM
> To: Vijay Sankar
> Cc: Marc Balmer; Claudio Jeker; misc@openbsd.org
> Subject: Re: Performance Statistics: -current
> 
> On Thu, Jan 18, 2007 at 12:03:05PM -0600, Vijay Sankar wrote:
> > > if top shows ~20% system load, even when idle, try 
> disabling iic and ichiic
> > > in UKC.  sth we have to do here with an ASUS server.
> > 
> > Thank you very much for your reply.
> > 
> > I did not notice the system load to be very high (it was 
> 3.5% or so when 
> > building
> 
> Are you sure you saw only 3.5% CPU utilisation while building 
> the OpenBSD
> base system? That means the CPU was idle almost all of the time.
> 
> If true, it means the system was spending most of its time waiting for
> something else before it could continue - probably the disk.
> 
> Try looking at the output of "iostat -w2" while building. 
> Particularly of
> interest is the t/s (transfers per second) column.
> 
> When compiling code, most transfers will be small. A single hard drive
> spinning at 7200rpm is in theory capable of 240 transfers per second
> (assuming each transaction requires the platter to rotate on 
> average by half
> a turn), 

That doesn't seem like correct analysis.

> so values in the range 200-300 are to be expected.
> 

I think you're a phenomenologist. Me too, though. I saw this store
worker unloading a shopping cart starting with the boxes on top, so I'm
pretty sure workers put lowest priority boxes on the bottom of the cart.

> If you are seeing much less than this, then maybe your disk 
> subsystem has a
> problem - a badly setup RAID? No DMA? A faulty drive which is 
> doing retries?
> A bad IDE cable? (Check for warnings in /var/log/messages)
> 

Make sure there's no dust on the motherboard. I usually scrape some of
the dust crud off the leading edges of the fans, too.

>
> If it looks like disk I/O is slow, then using a disk 
> benchmark program might
> help you more systematically investigate and tweak. For 
> example, you will
> find bonnie and bonnie++ in packages.
> 
> If you post the full output of "dmesg", "mount" and "df -k", plus a
> description of your disk subsystem, people might have some 
> more suggestions.
> 

I suggest you buy an AMD opteron.

> HTH,
> 
> Brian.



Re: OT:

2007-01-24 Thread Steve Shockley

Tautvydas wrote:

A little off topic, but I need some help. For a week I've been working in a
small company (~250 workstations). By 2008 there will be 400-600
workstations. So, they are planning to buy something for spam/mail
filtering (http://www.barracudanetworks.com/ns/products/spam_overview.php).
I think the best would be to use openbsd+pf+spamd (with carp if
necessary). But I have a quite stupid CEO and I need many arguments
why a black box for many $$$ is bad (from a corporate view).
Please help me with these arguments.


We use a pair of Barracuda devices at work.  I admin them now, but I 
wasn't involved with the purchase.  They do function reasonably well, we 
get around 430k spam emails per day recently on ~40k valid messages into 
3000 mailboxes.


Users love it.  They like being able to manage their own level of spam 
and release their own messages from quarantine.


Our first boxes were the "400" models; like someone else said, they're 
just cheap clones inside a 1U box.  We had lots of problems with the 
hardware, a bunch of boxes died or would crash.  (Oddly, it was only one 
box that would die, the other one was fine.)  The 400s wouldn't handle 
our mail volume, so we eventually made them replace them with the "600" 
model at no cost.  The 600 seems like a mid-level clone 1U box, it's a 
dual-proc with two SATA hotswap drives.  We've had no hardware problems 
with these machines.  Even with the 400s, Barracuda was always good 
about sending out a new box overnight.


The software is somewhat buggy, but they're quick with patches.

Our current big problem is that we get such a volume of spam that we can 
only keep 3 days of quarantine, which annoys the users.  The next 
version of the software (currently in beta) is supposed to fix that. 
I've proposed putting a spamd greylisting firewall in front of the boxes 
to take off most of the load.  (There, now this isn't completely off-topic!)


For the most part, the Barracudas have taken up little of my time, 
except for driving to our offsite location to replace bad hardware...


I'm working on implementing Maia Mailguard at home 
(http://www.maiamailguard.com), but that seems somewhat difficult to 
configure.


For a more negative view on the Barracuda setup, see 
http://packetstormsecurity.nl/papers/evaluation/Barracuda_Evil.txt. 
They seem to have resolved their GPL problems, but the rest of it seems 
to be true.  It also contains instructions on how to get root access 
with physical access to the box.


In all, the devices require very little maintenance and mostly solve the 
spam problem, but they have the usual problems "black boxes" have.




Re: A PHP management interface for OpenBSD ?

2007-01-24 Thread chefren

On 1/25/07 1:34 AM, Passeur wrote:

We are in the process of developing a PHP framework with a web frontend to
manage the OpenBSD settings through a web browser.


It should be handy, I presume =all= configs, logins, groups, passwords 
and for example the settings for Apache and PHP itself included?



A friend advised me not to do that because of all the security holes I will
introduce on OpenBSD.
He advised me, rather than using PHP, to use CGI/Perl.

What is your opinion ?


"Let's punch through all carefully designed security layers of OpenBSD 
with a 'program' based on the most insecure language of the planet."



Clueless

+++chefren



Re: Memory and pmap

2007-01-24 Thread Jonathan Gray
On Wed, Jan 24, 2007 at 08:06:06PM +0100, Markus Ritzer wrote:
> Hello!
> 
> I am trying to port OpenBSD to the Microsoft Xbox (the old one). My OpenBSD kernel 
> boots until it crashes while handling memory related things. FreeBSD, which 
> is already ported, has this code:
> 
> arch_i386_is_xbox tells if it is an Xbox and
> arch_i386_xbox_memsize is set to 64 or 128, depending on how much memory you have.
> 
> 
> #ifdef XBOX
>     if (arch_i386_is_xbox) {
>         /*
>          * We queried the memory size before, so chop off 4MB for
>          * the framebuffer and inform the OS of this.
>          */
>         physmap[0] = 0;
>         physmap[1] = (arch_i386_xbox_memsize * 1024 * 1024) -
>             XBOX_FB_SIZE;
>         physmap_idx = 0;
>         goto physmap_done;
>     }
> #endif
> 
> 
> It sets up the physmap. I looked for hours on the code of OpenBSD, but I 
> cannot really find out how this is done here. The code belongs to the 
> function init386() in machdep.c.
> 
> Is there an equivalent struct in OpenBSD to FreeBSD's physmap ?
> 
> 
> Thank you in advance,
> 
> Markus Ritzer

You are better off looking at the NetBSD changes such as

http://mail-index.netbsd.org/source-changes/2007/01/04/0019.html
http://mail-index.netbsd.org/source-changes/2007/01/05/0040.html

and all the additional drivers they have added.

Seems they match on the PCI bridge and hard code sizes which
is rather gross:

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/arch/i386/i386/machdep.c.diff?r1=1.586&r2=1.587&f=h



umass0: Phase Error, residue = 0

2007-01-24 Thread frantisek holop
hi there,

this is 4.0 release.  i have plugged in an iriver
player and a usb hdd.

when i umounted the iriver i got the residue messages.
i haven't seen this before, could someone comment on it please?

umass0 at uhub3 port 5 configuration 1 interface 0
umass0: iriver Limited iriver MP3 T10, rev 2.00/1.00, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0:  SCSI2 0/direct removable
sd0: 1950MB, 1950 cyl, 64 head, 32 sec, 512 bytes/sec, 3993600 sec total
umass1 at uhub3 port 4 configuration 1 interface 0
umass1: Western Digital External HDD, rev 2.00/1.02, addr 3
umass1: using SCSI over Bulk-Only
scsibus2 at umass1: 2 targets
sd1 at scsibus2 targ 1 lun 0:  SCSI0 0/direct fixed
sd1: 152627MB, 152627 cyl, 64 head, 32 sec, 512 bytes/sec, 312581808 sec total
umass0: Phase Error, residue = 0
umass0: Phase Error, residue = 0
umass0: Phase Error, residue = 0
umass0: Phase Error, residue = 0
umass0: Phase Error, residue = 0
sd0: WARNING: cache synchronization failed

-f
-- 
love sometimes expresses itself in sacrifice.



Re: keep state for http connections

2007-01-24 Thread Kian Mohageri
On 1/24/07, Travers Buda <[EMAIL PROTECTED]> wrote:

> Last time I checked though, clients only talk with the web server on
> port 80. So, the only reason you would want to keep state would be if
> you have a ruleset like block out all (which is generally only useful
> if you don't trust the users of said machine.) So, just unconditionally
> pass port 80 traffic in both directions.



That was really bad advice.  Stateful filtering is much more efficient, and
that is very important for a firewall handling thousands of connections.
The default state limit of 10,000 is pretty reasonable and you can change it
easily.  I usually have around 100,000 states on my firewall.  You can also
put limits on the number of states each client can create to prevent Denial
of Service.  In my opinion, it is best to keep state unless you have a
reason NOT to.

Keeping state will soon be the default behavior in pf...that says something
about it.

Also see the three articles Daniel Hartmeier wrote:

http://undeadly.org/cgi?action=article&sid=20060927091645

-- 
Kian Mohageri



Re: multi queu

2007-01-24 Thread Joachim Schipper
On Wed, Jan 24, 2007 at 07:44:01AM -0800, Lawrence Horvath wrote:
> On 1/24/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> >On 2007/01/24 06:45, Lawrence Horvath wrote:
> >> usually it's only possible to queue once going out an interface, as far
> >> as i know, is it possible to use a loopback interface to run traffic
> >> through multiple queues?
> >
> >what are you trying to achieve?
>
> Processing my multiple queues, I would like to run it through 2 queue
> sets, one for capping and individual ip bandwidth management, and the
> second is a master cap, because you can't oversell queues
> 
> I have 10 megs at my disposal, and I need to allot 12 people 1 meg
> each, the math won't work on only one queue, and I don't want to have to
> set up multiple firewalls, I'd rather have everything in one nice
> pf.conf, I'm gonna do carp later

It's entirely possible I'm being stupid, but is there a good reason why
you couldn't just give each 1/12 of 10Mbps and then allow them to
borrow?

Joachim



Re: Using old thin clients as a BGP testbed

2007-01-24 Thread Joachim Schipper
On Wed, Jan 24, 2007 at 01:47:28PM +, Richard Wilson wrote:
> I work for a small hosting company, and the boss says he wants to start
> doing BGP for our upstream connection. This means I've got to learn BGP.
> At least I've managed to persuade him to buy me an O'Reilly book :-)
> However, the other thing I demanded was a test network of some kind. BGP
> is one of the few things where, if I get it wrong, I could mess up other
> people's stuff as well as my own. He said fine, here's a few pennies to
> do it with. Not nearly enough to buy even a couple of crap machines off
> ebay.
> 
> Then, an idea occurred to me. We have half a dozen old HP t5125[0] thin
> clients, which have been unused since we upgraded our desktops to proper
> boxes. The plan: get half a dozen 512MB USB sticks, install 4.0 on them,
> boot off them, and bing! One test network. They're only 400MHz machines
> with 128MB of RAM, but I think they'll do for playing with routing, BGP
> et al, given what you can achieve with a Soekris.
> 
> My questions: Am I on a hiding to nothing here? Am I missing anything
> obvious? I plan to use the vlan driver to pretend to have more than one
> ethernet interface, with them all plugged in to a cheapo 8 port switch.
> Am I right in thinking that the dumb switch will just pass vlan tagged
> packets through without poking them, or am I going to encounter issues?
> 
> I don't mind poking at things and playing round till it works, but given
> the possibility of vlans not working over dumb switches, I figured I'd
> ask if I was on a hiding to nothing before I started.
> 
> Also, if anyone has any suggestions or comments, I'm all ears :-)

No, provided that OpenBSD actually works on those machines, which is
likely but not guaranteed, what you plan sounds good. They will
certainly have plenty of power.

I'd normally recommend setting up a NFS server in such a situation, but
your network is most likely not going to be that stable... ;-)

Joachim



Re: multi queu

2007-01-24 Thread Lawrence Horvath

Like I said, overselling: I'm setting the ethernet interface queue to linkshare or
realtime (I'm having trouble finding the practical difference) to 1Mb,
then leaving no upper limit, so they can burst, but the
realtime|linkshare will protect other customers. I'm considering
setting all 12 people to 1Mb, and then setting the loopback queue to
10Mb, so I control the max bandwidth of the link. I'm also going to use
the loopback queue to prioritize certain traffic.

I really doubt that more than 10 people will try to use more than a
meg at a time; that's why I'm overselling, so the linkshare|realtime
will still work ok, and the loopback queue will still keep anyone from
going over the 10 meg link, and allow certain overall prioritization.

It's kinda strange, I know, but I think it will work.

On 1/24/07, Bill Marquette <[EMAIL PROTECTED]> wrote:

On 1/24/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
> Processing my multiple queues, I would like to run it through 2 queue
> sets, one for capping and individual ip bandwidth management, and the
> second is a master cap, because you can't oversell queues
>
> I have 10 megs at my disposal, and I need to allot 12 people 1 meg
> each, the math won't work on only one queue, and I don't want to have to
> set up multiple firewalls, I'd rather have everything in one nice
> pf.conf, I'm gonna do carp later

What's your guaranteed rate?  Obviously you aren't guaranteeing each
person 1mbit.

I think you'll need HFSC to do this, put your guaranteed rate as the
realtime limit and the 1mbit rate as the upperlimit for each queue.

--Bill




--
-Lawrence
-Student ID 1028219
-CCNA
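An added illustration, not from any message in this thread: an HFSC setup in 4.0-era ALTQ syntax that follows Bill's advice (the guaranteed rate as realtime, 1Mb as upperlimit) and Joachim's (a fair share of the 10Mb link with borrowing) on a single interface, with no second queue set on loopback. The interface name, customer addresses and the 500Kb guarantee are assumed.

```pf
# Added example: interface, customer addresses and the guaranteed rate are assumed.
int_if = "fxp1"

# One HFSC scheduler on the customer-facing interface. The 10Mb root is the
# master cap, so the second (loopback) queue set is not needed.
altq on $int_if hfsc bandwidth 10Mb queue { c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 other }

# Per customer: 500Kb guaranteed (realtime), an 800Kb share of the link when
# it is busy (bandwidth acts as linkshare, and idle shares can be borrowed),
# and a 1Mb ceiling (upperlimit). 12 x 800Kb + 400Kb = 10Mb, so the shares
# add up to the root and pfctl will accept them; the realtime guarantees
# sum to 6Mb, well under the link.
queue c1    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c2    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c3    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c4    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c5    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c6    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c7    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c8    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c9    bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c10   bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c11   bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
queue c12   bandwidth 800Kb hfsc(realtime 500Kb, upperlimit 1Mb)
# Everything not assigned to a customer; pf requires exactly one default queue.
queue other bandwidth 400Kb hfsc(default)

# Traffic heading down to each customer is placed in that customer's queue.
pass out on $int_if to 192.0.2.1  queue c1
pass out on $int_if to 192.0.2.2  queue c2
pass out on $int_if to 192.0.2.3  queue c3
pass out on $int_if to 192.0.2.4  queue c4
pass out on $int_if to 192.0.2.5  queue c5
pass out on $int_if to 192.0.2.6  queue c6
pass out on $int_if to 192.0.2.7  queue c7
pass out on $int_if to 192.0.2.8  queue c8
pass out on $int_if to 192.0.2.9  queue c9
pass out on $int_if to 192.0.2.10 queue c10
pass out on $int_if to 192.0.2.11 queue c11
pass out on $int_if to 192.0.2.12 queue c12
```

`pfctl -sq -v` shows the queue definitions together with live byte and packet counters per queue, which is the quickest way to confirm traffic is landing where intended.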



Re: OpenBSD on software raid

2007-01-24 Thread doc Hyde
On 1/24/07, Thomas Alexander Frederiksen <[EMAIL PROTECTED]> wrote:
>
> doc Hyde skrev:
> 
> > Still "component0" and still haven't inserted my /dev/sd0d hdd.
> >
> > > As I mentioned earlier I did some heavy reading before asking you guys
> > the question.
> > I had already tested those commands as they are on several tutorials.
> >
> > Any suggestions?
>
> Sorry, I've been stuck at the same place on a Sparc64, but that turned
> out to be a platform-related issue (RaidFrame is not officially
> supported on Sparc64). No ideas for this issue on i386.
>
> /Thomas
>
> - --
> We're sysadmins. To us, data is protocol overhead.
>

I am a bit disappointed as my server used to be on Linux and never had any
issues adding a spare hdd after a failure.
I have reinstalled the OpenBSD system 3 times retrying the creation of the
raid0 and I get the same problem every time.
It's really too bad as OpenBSD runs with less CPU/RAM than Linux and
certainly does the job much faster and securely.
I guess I'll have to find myself a RAID card.

Thanks anyway for your answers and advice.

Alban



Re: keep state for http connections

2007-01-24 Thread Darren Spruell

On 1/24/07, Travers Buda <[EMAIL PROTECTED]> wrote:

Last time I checked though, clients only talk with the web server on
port 80. So, the only reason you would want to keep state would be if
you have a ruleset like block out all (which is generally only useful
if you don't trust the users of said machine.) So, just unconditionally
pass port 80 traffic in both directions.

Now I don't think that HTTP uses multiple ports on the server side to
send data to clients. A quick tcpdump on my end seems to confirm this.

[snip]

See? Google is only talking to me on port 80. And it does not look like
rfc2616 mentions any other ports besides 80.


Of course, like any other properly designed network app it uses the
existing socket for full duplex communication. You send a request to
port 80 so the response comes from port 80.

FTP and others that don't play like that are in the minority.

DS



Re: fan noise, speedstep

2007-01-24 Thread Marco Peereboom
There isn't much you can do.  Your BIOS is spinning the fans not
OpenBSD.

ACPI will in the future take over that functionality and the fans then
will be throttled more intelligently.

On Wed, Jan 24, 2007 at 08:57:54PM +0100, Vim Visual wrote:
> Hi,
> 
> I am using an ibm t43p and have realised that the fans are spinning
> *all* the time. When I was using the same laptop with a debian flavour
> I scarcely could hear them spinning.
> 
> In dmesg I see
> 
> cpu0: unknown Enhanced SpeedStep CPU, msr 0x0612112b0600112b
> cpu0: Enhanced SpeedStep 2267 MHz (1388 mV): speeds: 2267, 800 MHz
> 
> This "unknown" must be the problem... ?? in any case, I have tried
> playing around with sysctl this way
> 
> tuffstein| sysctl -a hw.cpuspeed
> hw.cpuspeed=2262
> tuffstein| sudo sysctl -w hw.setperf=50
> hw.setperf: 100 -> 50
> tuffstein| sysctl -a hw.cpuspeed
> hw.cpuspeed=2267
> tuffstein| sudo sysctl -w hw.setperf=0
> hw.setperf: 50 -> 0
> tuffstein| sysctl -a hw.cpuspeed
> hw.cpuspeed=800
> 
> 
> But this doesn't help at all... the fans spin still all the time...
> 
> Even after suspending the laptop (zzz) and "waking it up" two hours
> later, so that the laptop is very cold, after some 20 sec the fan
> starts spinning again... and the laptop is cool, some 15 degrees C
> 
> How do I reduce, if not totally eliminate this noise?
> 
> Before you ask, yes, I have googled around but I must be very bad at
> it because I found nothing but this
> 
> http://www.cse.unsw.edu.au/~dons/x31.html
> 
> and he's doing the same as I am
> 
> If you're curious, here you are my dmesg
> 
> It says "using only highest and lowest power states"... maybe that's the 
> reason
> 
> --
> OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
>   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Pentium(R) M processor 2.26GHz ("GenuineIntel"
> 686-class) 2.27 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
> cpu0: unknown Enhanced SpeedStep CPU, msr 0x0612112b0600112b
> cpu0: using only highest and lowest power states
> cpu0: Enhanced SpeedStep 2267 MHz (1388 mV): speeds: 2267, 800 MHz
> real mem  = 2145873920 (2095580K)
> avail mem = 1949347840 (1903660K)
> using 4256 buffers containing 107397120 bytes (104880K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(e5) BIOS, date 05/18/06, BIOS32 rev. 0 @
> 0xfd760, SMBIOS rev. 2.33 @ 0xe0010 (64 entries)
> bios0: IBM 2668Q1G
> apm0 at bios0: Power Management spec V1.2
> apm0: battery life expectancy 98%
> apm0: AC on, battery charge high
> apm0: flags 30102 dobusy 0 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xfd6f0/0x910
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/256 (14 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #12 is the last bus
> bios0: ROM list: 0xc/0x1 0xd/0x1600 0xd1800/0x1000
> 0xdc000/0x4000! 0xe/0x1
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82915GM/PM/GMS Host" rev 0x03
> ppb0 at pci0 dev 1 function 0 "Intel 82915PM/GM PCIE" rev 0x03
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "ATI FireGL V3200" rev 0x80
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb1 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03
> pci2 at ppb1 bus 2
> bge0 at pci2 dev 0 function 0 "Broadcom BCM5751M" rev 0x11, BCM5750 B1
> (0x4101): irq 11, address 00:16:41:58:cd:b0
> brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
> ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x03
> pci3 at ppb2 bus 3
> uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 11
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 11
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1
> uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub1: 2 ports with 2 removable, self powered
> uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 11
> usb2 at uhci2: USB revision 1.0
> uhub2 at usb2
> uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub2: 2 ports with 2 removable, self powered
> uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 11
> usb3 at uhci3: USB revision 1.0
> uhub3 at usb3
> uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub3: 2 ports with 2 removable, self powered
> ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 11
> usb4 at ehci0: USB revision 2.0
> uhub4 at usb4
> uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
> uhub4: 8 ports with 8 removable, self powered
> ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd3
> pci4 at ppb3 bus 11
> cbb0 at pci4 dev 0 

Re: keep state for http connections

2007-01-24 Thread Travers Buda
On Wed, 24 Jan 2007 08:26:11 -0800
Alexander Lind <[EMAIL PROTECTED]> wrote:

> If I have a busy http server or cluster (by busy I mean one that gets 
> hundreds of thousands of visitors per day), and I use an openbsd 
> firewall, should I keep state for all incoming http connections, or 
> should I just pass them all in without state and then pass them all out 
> without state instead of using states?
> 
> I'm afraid the state table will get filled up.
> 
> This is on openbsd 3.9
> 
> Alec
> 

Well, if you want to keep state, and are having trouble with memory,
try  

set optimization aggressive
    Aggressively expire connections.  This can greatly reduce the memory
    usage of the firewall at the cost of dropping idle connections early.

Don't forget to raise the limits with pfctl.

Or, add more ram, or get a server pool going.

Last time I checked though, clients only talk with the web server on
port 80. So, the only reason you would want to keep state would be if
you have a ruleset like block out all (which is generally only useful
if you don't trust the users of said machine.) So, just unconditionally
pass port 80 traffic in both directions.

Now I don't think that HTTP uses multiple ports on the server side to
send data to clients. A quick tcpdump on my end seems to confirm this.

tcpdump -n -i fxp0 not broadcast and not arp and not port 53
14:33:47.298032 128.255.167.160.21463 > 72.14.207.99.80: S 1157700480:1157700480(0) win 16384 (DF)
14:33:47.329927 64.233.187.99.80 > 128.255.167.160.19807: . ack 1 win 8190
14:33:47.337278 72.14.207.99.80 > 128.255.167.160.21463: S 3340868886:3340868886(0) ack 1157700481 win 8190
14:33:47.337345 128.255.167.160.21463 > 72.14.207.99.80: . ack 1 win 16384 (DF)
14:33:47.337444 128.255.167.160.21463 > 72.14.207.99.80: P 1:479(478) ack 1 win 16384 (DF)

See? Google is only talking to me on port 80. And it does not look like
rfc2616 mentions any other ports besides 80.

Travers Buda



Re: keep state for http connections

2007-01-24 Thread Rosen Iliev
I have OpenBSD 3.9 doing load balancing to a farm of web servers (11 web 
servers). In the peak hours the traffic jumps over 32Mbits and around 
15,000 entries in the states table.

You can check my graph at: http://www.ilievi.net/15days.jpg
The firewall is running on:
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE

real mem  = 534290432 (521768K)
avail mem = 480735232 (469468K)

load averages:  0.92,  0.88,  0.83 13:58:18
27 processes:  26 idle, 1 on processor
CPU states:  2.2% user,  0.0% nice,  5.9% system, 12.5% interrupt, 79.4% idle

Memory: Real: 31M/99M act/tot  Free: 398M  Swap: 0K/1024M used/tot

My current limit
set limit states 3



Alexander Lind wrote:
If I have a busy http server or cluster (by busy I mean one that gets 
hundreds of thousands of visitors per day), and I use an openbsd 
firewall, should I keep state for all incoming http connections, or 
should I just pass them all in without state and then pass them all 
out without state instead of using states?


I'm afraid the state table will get filled up.

This is on openbsd 3.9

Alec




fan noise, speedstep

2007-01-24 Thread Vim Visual

Hi,

I am using an ibm t43p and have realised that the fans are spinning
*all* the time. When I was using the same laptop with a debian flavour
I scarcely could hear them spinning.

In dmesg I see

cpu0: unknown Enhanced SpeedStep CPU, msr 0x0612112b0600112b
cpu0: Enhanced SpeedStep 2267 MHz (1388 mV): speeds: 2267, 800 MHz

This "unknown" must be the problem... ?? in any case, I have tried
playing around with sysctl this way

tuffstein| sysctl -a hw.cpuspeed
hw.cpuspeed=2262
tuffstein| sudo sysctl -w hw.setperf=50
hw.setperf: 100 -> 50
tuffstein| sysctl -a hw.cpuspeed
hw.cpuspeed=2267
tuffstein| sudo sysctl -w hw.setperf=0
hw.setperf: 50 -> 0
tuffstein| sysctl -a hw.cpuspeed
hw.cpuspeed=800


But this doesn't help at all... the fans spin still all the time...

Even after suspending the laptop (zzz) and "waking it up" two hours
later, so that the laptop is very cold, after some 20 sec the fan
starts spinning again... and the laptop is cool, some 15 degrees C

How do I reduce, if not totally eliminate this noise?

Before you ask, yes, I have googled around but I must be very bad at
it because I found nothing but this

http://www.cse.unsw.edu.au/~dons/x31.html

and he's doing the same as I am

If you're curious, here you are my dmesg

It says "using only highest and lowest power states"... maybe that's the reason

--
OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 2.26GHz ("GenuineIntel"
686-class) 2.27 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0612112b0600112b
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 2267 MHz (1388 mV): speeds: 2267, 800 MHz
real mem  = 2145873920 (2095580K)
avail mem = 1949347840 (1903660K)
using 4256 buffers containing 107397120 bytes (104880K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(e5) BIOS, date 05/18/06, BIOS32 rev. 0 @
0xfd760, SMBIOS rev. 2.33 @ 0xe0010 (64 entries)
bios0: IBM 2668Q1G
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 98%
apm0: AC on, battery charge high
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6f0/0x910
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #12 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x1600 0xd1800/0x1000
0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915GM/PM/GMS Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82915PM/GM PCIE" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI FireGL V3200" rev 0x80
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5751M" rev 0x11, BCM5750 B1
(0x4101): irq 11, address 00:16:41:58:cd:b0
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x03
pci3 at ppb2 bus 3
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 11
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd3
pci4 at ppb3 bus 11
cbb0 at pci4 dev 0 function 0 "Ricoh 5C476 CardBus" rev 0x8d: irq 11
iwi0 at pci4 dev 2 function 0 "Intel PRO/Wireless 2200BG" rev 0x05:
irq 11, address 00:16:6f:a4:62:d7
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 12 device 0 cacheline 0x0, lattimer 0xb0
pcmcia0 at cardslot0
auich0 at pci0 dev 30 function 2 "Intel 82801FB AC97" rev 0x03: irq
11, ICH6 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at aui

Re: [OT] Old books to good home

2007-01-24 Thread Jason Dixon
Thanks to everyone who responded.  All of the books have found good  
warm homes with families to care for them.  *sniff*


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Will Maier
On Wed, Jan 24, 2007 at 08:02:01AM -0800, Lawrence Horvath wrote:
> I tried looking for source but was unable, vmware is a closed
> source as far as I can tell (please correct me if I'm wrong, as I
> like to get hold of the source) when I was looking for it online
> you have to download the binaries, and you have to email in for a
> serial number to use it, they also have higher up pay-for
> versions, with more features

VMware is closed source.

http://www.vmware.com/download/eula/workstation.html

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*



Memory and pmap

2007-01-24 Thread Markus Ritzer
Hello!

I try to port OpenBSD to the Microsoft Xbox (the old one). My OpenBSD Kernel 
boots until it crashes while handling memory related things. FreeBSD, which 
is already ported, has this code:

arch_i386_is_xbox tells if it is an Xbox and
arch_i386_xbox_memsize is set to 64 or 128, depending on how much memory you have.


#ifdef XBOX
	if (arch_i386_is_xbox) {
		/*
		 * We queried the memory size before, so chop off 4MB for
		 * the framebuffer and inform the OS of this.
		 */
		physmap[0] = 0;
		physmap[1] = (arch_i386_xbox_memsize * 1024 * 1024) -
		    XBOX_FB_SIZE;
		physmap_idx = 0;
		goto physmap_done;
	}
#endif


It sets up the physmap. I looked for hours on the code of OpenBSD, but I 
cannot really find out how this is done here. The code belongs to the 
function init386() in machdep.c.

Is there an equivalent struct in OpenBSD to FreeBSD's physmap ?


Thank you in advance,

Markus Ritzer



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Lawrence Horvath

I tried looking for source but was unable, vmware is a closed source
as far as I can tell (please correct me if I'm wrong, as I like to get
hold of the source) when I was looking for it online you have to
download the binaries, and you have to email in for a serial number to
use it, they also have higher up pay-for versions, with more features

On 1/24/07, Lachlan Gunn <[EMAIL PROTECTED]> wrote:

> vmware could run on OpenBSD if you have linux compatibility turned on I think

It uses a number of kernel modules, so I doubt it.  However, the
source may be available, so someone could probably try to implement
similar functionality.

--
Lachlan




--
-Lawrence
-Student ID 1028219
-CCNA



Re: Compiling OpenBSD Kernel With Generic SMP

2007-01-24 Thread Ted Unangst

On 1/24/07, Demuel I. Bendano, R.E.E <[EMAIL PROTECTED]> wrote:

Hi,

The GENERIC.MP kernel contains the following:

#   $OpenBSD: GENERIC.MP,v 1.6 2006/11/27 18:50:59 marco Exp $
#
#   GENERIC.MP - sample multiprocessor kernel
#

include "arch/i386/conf/GENERIC"


guess what this line does...



Re: Compiling OpenBSD Kernel With Generic SMP

2007-01-24 Thread Woodchuck
On Wed, 24 Jan 2007, Demuel I. Bendano, R.E.E wrote:

> Hi,
> 
> As you can see, there are only few entries in the GENERIC.MP and if it
> compiles indeed how about the device drivers usually found in the GENERIC?
> Would it be included when GENERIC.MP compiles?

YES.  That's what the "include" at the top of GENERIC.MP is all about.

as root:

cd /usr/src/sys/arch/i386/conf
config GENERIC.MP
cd ../compile/GENERIC.MP
make clean && make depend && make


Now the MP kernel is in the file "bsd" in the current directory.
You can install it however you want.

If you say "make install", it will be installed on the current machine
as /bsd, the default kernel.  The previous kernel will be in /obsd

Dave



Multiple IPs with PPPoE

2007-01-24 Thread Justin Blackmore
Hey Everyone,

Ok here is what I got:

[dsl modem] ←→ [Linksys] ←→ [openbsd firewall running pf]

I would like to remove the Linksys from the equation. The Linksys does the 
pppoe auth to my provider and provides routing for my bundle of IP addresses 
("/28"). The Linksys does not do any NAT or port forwarding; it's in "router mode" 
and only routes IP space.

[pppoe](gateway 216.196.xxx.xxx) <>  [Linksys](public 209.193.xxx.xxx/28) 
---> Openbsd firewall using PF

Does this make sense at all?

Thanks :-)

Justin



Re: keep state for http connections

2007-01-24 Thread Darren Spruell

On 1/24/07, Alexander Lind <[EMAIL PROTECTED]> wrote:

If I have a busy http server or cluster (by busy I mean one that gets
hundreds of thousands of visitors per day), and I use an openbsd
firewall, should I keep state for all incoming http connections, or
should I just pass them all in without state and then pass them all out
without state instead of using states?


My advice: stateful filtering without a doubt. If you've got concerns
with your state tables, you can increase the limits as needed, and if
you've got a firewall able to support the traffic you shouldn't have a
resource issue doing so (increased memory utilization, although not
like it's a RAM hog.)

DS
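The following pf.conf fragment is an added example that puts the thread's advice together in one place: keep state, size the state table for the load instead of leaving the default, and bound what a single client can do to it. It is editorial example code, not a configuration posted by anyone in the thread, and the interface name, server address, table name and every number in it are assumptions chosen for illustration. The syntax is the pre-4.1 form in which "keep state" must be written out, matching the OpenBSD 3.9 the original poster is running.

```pf
# Assumed names and values (not from the thread): the external interface,
# the web server behind the firewall (documentation-range address) and a
# table that collects clients which exceed the per-source caps.
ext_if  = "em0"
web_srv = "192.0.2.10"
table <abusers> persist

# Size the state table for the expected load rather than keeping the
# 10,000 default. Each entry costs a little kernel memory and nothing
# else; pfctl -si reports the current count against this limit.
set limit states 100000

# If memory really is short, expire idle states sooner. This is the
# option quoted earlier in the thread; the cost is that idle keep-alive
# connections get dropped early and the client has to reconnect.
set optimization aggressive

# Sources that tripped the caps below lose access until the table entry
# is removed; this rule must sit before the pass rule because of "quick".
block in quick on $ext_if from <abusers>

# Stateful rule. "flags S/SA" means only an initial SYN can create a
# state, so every later packet of the connection has to fit into the
# state that SYN created (sequence windows, direction, flags), and the
# server's replies are passed by the same entry without a separate
# outbound rule. The per-source options cap how many states one client
# may hold at once and how fast it may open new ones; a client that
# exceeds either goes into <abusers> and its existing states are flushed.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state \
    (source-track rule, max-src-states 200, max-src-conn-rate 100/10, \
     overload <abusers> flush)

# The stateless alternative discussed in the thread, for comparison and
# left disabled. It passes any packet that carries port 80 on either
# side, with no handshake or sequence checking at all, and needs one rule
# per direction because nothing ties the two halves of a connection
# together.
#pass in  quick on $ext_if proto tcp from any to $web_srv port 80
#pass out quick on $ext_if proto tcp from $web_srv port 80 to any
```

Check the file with pfctl -nf /etc/pf.conf before loading it. Once loaded, pfctl -si shows the number of states in use against the limit, pfctl -vsr shows per-rule state counters, and pfctl -t abusers -T show lists the sources that hit the overload; the last of those is the one to watch, because on a busy site a cap set too low will list legitimate clients sitting behind large NATs.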



keep state for http connections

2007-01-24 Thread Alexander Lind
If I have a busy http server or cluster (by busy I mean one that gets 
hundreds of thousands of visitors per day), and I use an openbsd 
firewall, should I keep state for all incoming http connections, or 
should I just pass them all in without state and then pass them all out 
without state instead of using states?


I'm afraid the state table will get filled up.

This is on openbsd 3.9

Alec



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Lachlan Gunn

I tried looking for source but was unable, vmware is a closed source
as far as I can tell (please correct me if I'm wrong, as I like to get
hold of the source) when I was looking for it online you have to
download the binaries, and you have to email in for a serial number to
use it, they also have higher up pay-for versions, with more features


It is closed-source, however source to the kernel modules is
distributed with the binaries, even if not with a free licence.  I
imagine that this would help with reverse engineering the driver,
although I'm not sure whether the use of this as an aid to
reverse-engineering the driver would be allowable under project
policies.

--
Lachlan



Re: Virtualisation on OpenBSD?

2007-01-24 Thread L. V. Lammert
On Thu, 25 Jan 2007, Lachlan Gunn wrote:

> Sorry, accidentally sent that to the wrong address.
>
> > vmware could run on OpenBSD if you have linux compatibility turned on I think
>
> It uses a number of kernel modules, so I doubt it.  However, the
> source may be available, so someone could probably try to implement
> similar functionality.
>
Much better to wait on the Xen implementation, which is in the works.
Possibly at the Hackathon?

Lee



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Darren Spruell

On 1/24/07, Jeroen Massar <[EMAIL PROTECTED]> wrote:

>> vmware could run on OpenBSD if you have linux compatibility turned on
>> I think
>
> It uses a number of kernel modules, so I doubt it.  However, the
> source may be available, so someone could probably try to implement
> similar functionality.

google(vmware openbsd) results:

Hit #1:
http://www.monkey.org/~marius/pages/?page=VMWare_for_OpenBSD
8<---
VMWare workstation is a virtual machine for x86 processors. One of its
supported host architectures is Linux. With the help of OpenBSD's Linux
emulation, and a kernel module, it is possible to run VMWare on OpenBSD.
->8


Note that this is getting fairly out of date - vmware 3 supported
mostly, vmware 4 not working but progressing (no updates on this since
late 2003). No mention of VMware 5...

DS



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Jeroen Massar
Lachlan Gunn wrote:
> Sorry, accidentally sent that to the wrong address.
>
>> vmware could run on OpenBSD if you have linux compatibility turned on
>> I think
>
> It uses a number of kernel modules, so I doubt it.  However, the
> source may be available, so someone could probably try to implement
> similar functionality.

google(vmware openbsd) results:

Hit #1:
http://www.monkey.org/~marius/pages/?page=VMWare_for_OpenBSD
8<---
VMWare workstation is a virtual machine for x86 processors. One of its
supported host architectures is Linux. With the help of OpenBSD's Linux
emulation, and a kernel module, it is possible to run VMWare on OpenBSD.
->8

Greets,
 Jeroen




Re: Compiling OpenBSD Kernel With Generic SMP

2007-01-24 Thread Demuel I. Bendano, R.E.E
Hi,

The GENERIC.MP kernel contains the following:

#   $OpenBSD: GENERIC.MP,v 1.6 2006/11/27 18:50:59 marco Exp $
#
#   GENERIC.MP - sample multiprocessor kernel
#

include "arch/i386/conf/GENERIC"

option  MULTIPROCESSOR  # Multiple processor support

cpu*        at mainbus?
ioapic*     at mainbus?
acpimadt*   at acpi?

Whereas, the GENERIC kernel contains:


#   $OpenBSD: GENERIC,v 1.546 2007/01/22 19:54:24 mk Exp $
#
# For further information on compiling OpenBSD kernels, see the config(8)
# man page.
#
# For further information on hardware support for this architecture, see
# the intro(4) man page.  For further information about kernel options
# for this architecture, see the options(4) man page.  For an explanation
# of each device driver in this file see the section 4 man page for the
# device.

machine     i386
include     "../../../conf/GENERIC"
maxusers    32              # estimated number of users

option      I386_CPU        # CPU classes; at least one is REQUIRED
option      I486_CPU
option      I586_CPU
option      I686_CPU

option      USER_PCICONF    # user-space PCI configuration

#option     VM86            # Virtual 8086 emulation
option      KVM86           # Kernel Virtual 8086 emulation
option      USER_LDT        # user-settable LDT; see i386_set_ldt(2)
option      APERTURE        # in-kernel aperture driver for XFree86

#option     KGDB            # Remote debugger support; exclusive of DDB
#option     "KGDB_DEVNAME=\"pccom\"",KGDBADDR=0x2f8,KGDBRATE=9600

option      COMPAT_SVR4     # binary compatibility with SVR4
option      COMPAT_IBCS2    # binary compatibility with SCO and ISC
option      COMPAT_LINUX    # binary compatibility with Linux
option      COMPAT_FREEBSD  # binary compatibility with FreeBSD
option      COMPAT_BSDOS    # binary compatibility with BSD/OS
option      COMPAT_AOUT     # a.out binaries are emulated

option      PROCFS          # /proc
#option     NTFS            # Experimental NTFS support

# or use root on nfs swap on nfs
config      bsd swap generic

mainbus0 at root

cpu0        at mainbus?
bios0       at mainbus0
apm0        at bios0 flags 0x       # flags 0x0101 to force protocol version 1.1
pcibios0    at bios0 flags 0x       # use 0x30 for a total verbose
ipmi0       at mainbus?             # IPMI
esm0        at mainbus?             # Dell Embedded Server Management

isa0        at mainbus0
isa0        at pcib?
isa0        at ichpcib?
isa0        at gscpcib?
eisa0       at mainbus0
pci*        at mainbus0

#option     ACPIVERBOSE
#option     ACPI_ENABLE

acpi0       at mainbus? disable
#acpitimer* at acpi?
#acpihpet*  at acpi?
#acpiac*    at acpi?
#acpibat*   at acpi?
#acpibtn*   at acpi?
#acpicpu*   at acpi?
#acpidock*  at acpi?
acpiec*     at acpi? disable
acpiprt*    at acpi?
#acpitz*    at acpi?

option      PCIVERBOSE
option      EISAVERBOSE
option      USBVERBOSE

pchb*       at pci?         # PCI-Host bridges
ppb*        at pci?         # PCI-PCI bridges
pci*        at ppb?
pci*        at pchb?
pcib*       at pci?         # PCI-ISA bridge
ichpcib*    at pci?         # Intel ICHx/ICHx-M LPC bridges
gscpcib*    at pci?         # NS Geode SC1100 PCI-ISA bridge
gpio*       at gscpcib?

# power management and other environmental stuff
elansc*     at pci?         # AMD Elan SC520 System Controller
gpio*       at elansc?
geodesc*    at pci?         # Geode SC1100/SCx200 IAOC
#gscpm*     at pci?         # NS Geode SC1100 SMI/ACPI module
#ichwdt*    at pci?         # Intel 6300ESB ICH watchdog timer
wdt0        at pci?         # Ind Computer Source PCI-WDT50x driver
pwdog0      at pci?         # Quancom PWDOG1 watchdog timer

# National Semiconductor LM7[89] and compatible hardware monitors
lm0         at isa? port 0x290
#lm1        at isa? port 0x280
#lm2        at isa? port 0x310
nsclpcsio*  at isa? port 0x2e   # NS PC87366 LPC Super I/O
nsclpcsio*  at isa? port 0x4e
gpio*       at nsclpcsio?
gscsio*     at isa? port 0x2e   # NS Geode SC1100 Super I/O
gscsio*     at isa? port 0x15c
iic*        at gscsio?          # ACCESS.bus 1 & 2
piixpm*     at pci?             # Intel PIIX power management
iic*        at piixpm?
alipm*      at pci?             # Acer Labs M7101 power management
iic*        at alipm?
ichiic*     at pci?             # Intel ICH SMBus controller
iic*        at ichiic?
viapm*      at pci?             # VIA VT8237 power management
iic*        at viapm?
amdiic*     at pci?             # AMD-8111 SMBus controller
iic*        at amdiic?
nviic*      at pci?             # NVIDIA nForce2/3/4 SMBus controller
iic*        at nviic?
amdpm*      at pci?             # AMD-7xx/8111 and NForce SMBus controller
iic*        at amdpm?

it0         at isa? port 0x290  # IT8705F, IT8712F and SiS970 hardware

Re: High Load - t/s

2007-01-24 Thread Brian Candler
On Tue, Jan 23, 2007 at 02:03:42PM +0100, Jonas Thambert wrote:
> The problem is the t/s on the sd1 device where I have the
> email-storage. Have less than 10 accounts and clients on a
> Xeon 3.0 Ghz server with 1 Gb RAM. I have tried to see why I have so
> many t/s on the disk but I can not figure it out. The disks
> are SCSI-disks 15 000 rpm.

OK, so apart from possibly the disk subsystem topping out at 140tps (see
previous response), there's the question of whether it's reasonable to
expect this many tps from just 10 clients. This will be a function of:

(1) the client software (the profile of commands it issues)
(2) the server software (e.g. how well it caches and indexes internally)
(3) the O/S's filesystem (e.g. how well it copes with large numbers of files
in one directory)

These problems can be exacerbated if you have users with thousands of
messages in their mailboxes.

So you can investigate this, by for example capturing the IMAP sessions
between the clients and the server, and discovering what sequences of
commands are being issued. If the client is being stupid, try another client

(e.g. a stupid client, when it opens a mailbox containing 1,000 messages it
has already seen, still issues 1,000 more IMAP commands to open them)

You can capture using tcpdump on port 143, or in the case of courier set
IMAPDEBUGFILE=log.txt in the imapd config file, and all client requests and
responses will be stored in file "log.txt" inside the user's Maildir.

If you know the profile of commands issued by a client, you can try issuing
them manually to a server to see how it handles them in terms of file I/O
operations, e.g. with strace. If it is poor, then try a different server.

Regards,

Brian.



Re: Compiling OpenBSD Kernel With Generic SMP

2007-01-24 Thread Demuel I. Bendano, R.E.E
Hi,

As you can see, there are only few entries in the GENERIC.MP and if it
compiles indeed how about the device drivers usually found in the GENERIC?
Would it be included when GENERIC.MP compiles?


Regards,
Demuel

>Josh Grosse
> On Wed, Jan 24, 2007 at 10:24:17PM +0800, Demuel I. Bendano, R.E.E wrote:
>
>> ...I have a machine, Dell 1855, that has one SATA hard disk drive but
>> with
>> two Pentium Xeon 2.0Ghz processor. Now, I have both the stable/current
>> source code both for the kernel and the userland. I suppose that the
>> GENERIC kernel supports only one processor whereas the GENERIC.SMP
>> supports multiple processor. The FAQ deals with the GENERIC processor
>> and
>> I cannot get anything under it that tells what to do if one will compile
>> from the source code with a GENERIC.SMP kernel.
>
> It's "GENERIC.MP" -- to create a -stable version of that kernel, make
> three
> changes to the step-by-step instructions in FAQ 5:
>
> 1) use "config GENERIC.MP" instead of "config GENERIC"
> 2) cd to "../compile/GENERIC.MP" instead of "../compile/GENERIC"
> 3) when copying the "bsd" kernel to your root partition, either copy it to
>"/bsd" or "/bsd.mp" depending on how you manage your -release bsd.mp
> kernel.



Re: multi queue

2007-01-24 Thread Stuart Henderson
On 2007/01/24 07:44, Lawrence Horvath wrote:
> Processing my multiple queues, i would like to run it through 2 queue
> sets, one for capping and individual ip bandwidth management, and the
> second is a master cap, because you can't oversell queues
> 
> i have 10 megs at my disposal, and i need to allot 12 people 1 meg
> each, the math won't work on only one queue, and i don't want to have to
> set up multiple firewalls, i'd rather have everything in one nice
> pf.conf, i'm gonna do carp later

ok, just checking you weren't trying to work out how to do queuing in+out
since that's 'queue XX on outside' and 'queue XX on inside' (two separate
queues but with the same name so you can assign by a single PF rule).

in that case ...

> >> usually it's only possible to queue once going out an interface, as far
> >> as i know, is it possible to use a loopback interface to run traffic
> >> through multiple queues?

don't know, why not try it and add to the pool of knowledge (:



Re: Compiling OpenBSD Kernel With Generic SMP

2007-01-24 Thread Jack J. Woehr
On Jan 24, 2007, at 7:24 AM, Demuel I. Bendano, R.E.E wrote:

>  The FAQ deals with the GENERIC processor and
> I cannot get anything under it that tells what to do if one will  
> compile
> from the source code with a GENERIC.SMP kernel.

$ sudo su -
# mkdir /usr/local/kernel
# cd /usr/local/kernel
# cp /usr/src/sys/arch/i386/conf/GENERIC.MP .
# config -s /usr/src/sys -b . GENERIC.MP
# make depend
# make
# make install
# reboot

Good luck!

-- 
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Virtualisation on OpenBSD?

2007-01-24 Thread Lachlan Gunn

Sorry, accidentally sent that to the wrong address.


vmware could run on OpenBSD if you have linux compatibility turned on I think


It uses a number of kernel modules, so I doubt it.  However, the
source may be available, so someone could probably try to implement
similar functionality.

--
Lachlan



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Tobias Weisserth

Hi there,

On Jan 24, 2007, at 1:49 PM, John Tate wrote:

Is there any software that supports OpenBSD that can do full virtualisation?

I don't think VMware would be supported on OpenBSD.


I don't think there is anything that really fits what you're looking  
for. The NetBSD project has neat Xen integration both for running  
NetBSD as host or guest system.


If you're looking for something like vmware then check out  
www.virtualbox.de. They GPL'ed the software recently and I've got it  
running on openSUSE. It runs a lot of guest systems including OpenBSD  
and it's much faster than qemu. There's a Linux kernel module  
included. I guess it does the same as the closed-source qemu module,  
so maybe this is sufficient for you. Hope this helps somehow.


regards,
Tobias



Using old thin clients as a BGP testbed

2007-01-24 Thread Richard Wilson
I work for a small hosting company, and the boss says he wants to start
doing BGP for our upstream connection. This means I've got to learn BGP.
At least I've managed to persuade him to buy me an O'Reilly book :-)
However, the other thing I demanded was a test network of some kind. BGP
is one of the few things where, if I get it wrong, I could mess up other
people's stuff as well as my own. He said fine, here's a few pennies to
do it with. Not nearly enough to buy even a couple of crap machines off
ebay.

Then, an idea occurred to me. We have half a dozen old HP t5125[0] thin
clients, which have been unused since we upgraded our desktops to proper
boxes. The plan: get half a dozen 512MB USB sticks, install 4.0 on them,
boot off them, and bing! One test network. They're only 400MHz machines
with 128MB of RAM, but I think they'll do for playing with routing, BGP
et al, given what you can achieve with a Soekris.

My questions: Am I on a hiding to nothing here? Am I missing anything
obvious? I plan to use the vlan driver to pretend to have more than one
ethernet interface, with them all plugged in to a cheapo 8 port switch.
Am I right in thinking that the dumb switch will just pass vlan tagged
packets through without poking them, or am I going to encounter issues?

I don't mind poking at things and playing round till it works, but given
the possibility of vlans not working over dumb switches, I figured I'd
ask if I was on a hiding to nothing before I started.

Also, if anyone has any suggestions or comments, I'm all ears :-)


[0]
http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/12454-321959-89307-338927-89307-472257.html
-- 

Richard 'Dave' Wilson
Systems Administrator

Senokian Solutions Ltd.
Business Innovation Centre,
Binley Business Park, Coventry,
United Kingdom
CV3 2TX
T: +44 (0)24 76 233 400
DDI: +44 (0)24 76 233 416
F: +44 (0)24 76 233 401



Re: High Load - t/s

2007-01-24 Thread Brian Candler
On Tue, Jan 23, 2007 at 01:35:35PM +0100, Jonas Thambert wrote:
> I'm using a Adaptec 2010S SCSI RAID card. I have tried
> and tweaked the courier imap server the best I can
> without any luck.
...
> The sd1 disk has 140 t/s. CPU-load is nothing.

And "sd1" is actually a RAID array of some sort, rather than a single disk?

My guess is that 140 tps is a fundamental limit of your RAID array,
especially if you are running RAID 5. Try turning off your IMAP server and
running a benchmark like bonnie++ (in ports) to establish this.

An IMAP server generates lots of random file reads and writes, with a
relatively high proportion of file creations, writes and deletions.

Many people don't seem to realise that a RAID 5 array has far *worse* write
performance than a single disk. In a basic RAID 5 array, a single 'write
block' operation actually takes 4 disk transactions across 2 disks:

1a. read the old data block
1b. read the old parity block
2. calculate the new parity (= old parity ^ old data ^ new data)
3a. write the new data block
3b. write the new parity block

1a and 1b can take place concurrently on the two disks, but step 2 can't be
done until both 1a and 1b are complete. Steps 3a and 3b can be sped up by
writing via a battery-backed cache, but the rest is laws-of-physics stuff.

Some solutions you can consider are:

(1) Use mirroring (RAID 1) instead of RAID 5, since disks are cheap.

With RAID 1, a write operation simply has to write the same data block to
both disks, which happens concurrently. You also get double the number of
read operations per second, since you have two copies of the data, so one
client can be searching for a block while a second client searches for
another block on the other disk.

(2) Use a filesystem which intrinsically coalesces writes. The best example
I can cite is the Network Appliance WAFL filesystem. NetApps give extremely
good performance but are very expensive (although worth it IMO).

Sun's ZFS looks to be an upcoming contender in this space; building a
fileserver using OpenSolaris + ZFS + NFS is an option, or the FreeBSD port
of ZFS is nearing completion. No option for OpenBSD that I'm aware of though
:-(

(3) Divide your users' mail directories across multiple disks or RAID sets,
either with a database, or even symlinks (e.g. /var/mail/0-7 are symlinked
to one disk, /var/mail/8-f are symlinked to another)

This is better than striping IMO. For example, if you have six disks, I'd
recommend three mirrored pairs mounted on /mail1, /mail2 and /mail3, rather
than striping-over-mirroring or vice versa. Then if you lose a pair of
disks, at least 2/3rd of your mail is unaffected.

(4) Off-load other disk operations to another disk.

Now, you don't say much about your IMAP cluster, but presumably it receives
incoming mail using SMTP or LMTP. This means you have an MTA (e.g. sendmail,
postfix, exim etc) which accepts the mail.

This MTA will need its own spool directory where it stores a copy of each
incoming message until it has been successfully delivered into its final
place. Put this on a different disk to speed things up (you can get away
with a single disk, if you are prepared to accept the small risk of a
handful of messages being lost if this disk fails). The spool directory is
often a heavy offender because for each incoming message there will be a 
  create - write - sync - read - delete
sequence of operations.

For additional performance, Exim has the ability to split its spool
directory across a number of subdirectories, which you can symlink to
multiple disks.

Putting the MTA spool directory on a battery-backed RAM disk is best of all.

At very least, separating things out this way will make it clear in the tps
figures how much is due to the MTA spooling and how much due to operations
in the users' mailstores.

HTH,

Brian.
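A small model of the read-modify-write cycle described above, added here as an example and not code from the post: it performs one block write on a RAID 5 layout and on a mirrored pair, counts the disk transactions each costs, and checks that the parity update (old parity ^ old data ^ new data) still lets a failed disk's block be rebuilt. Disk contents and the sample payload are constructed in memory.

```python
"""Model of the RAID 5 small-write penalty described in the post above.

Added example, not code from the post or from any RAID implementation.
Disks are in-memory byte arrays and parity lives on one dedicated disk;
real RAID 5 rotates the parity disk, which spreads load but does not
change the number of transactions per write. Caches are left out.
"""
import os
from typing import Dict, List, Tuple

Transaction = Tuple[str, int, int]  # (op, disk index, block number)


def xor_blocks(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length blocks."""
    if len(a) != len(b):
        raise ValueError("block size mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class Raid5:
    """n_data data disks plus one parity disk; every disk access is logged."""

    def __init__(self, n_data: int, blocks: int, block_size: int = 512) -> None:
        self.block_size = block_size
        self.disks: List[bytearray] = [bytearray(blocks * block_size)
                                       for _ in range(n_data + 1)]
        self.parity = n_data               # index of the parity disk
        self.log: List[Transaction] = []   # every transaction issued so far

    def _slice(self, blk: int) -> slice:
        return slice(blk * self.block_size, (blk + 1) * self.block_size)

    def _read(self, disk: int, blk: int) -> bytes:
        self.log.append(("read", disk, blk))
        return bytes(self.disks[disk][self._slice(blk)])

    def _write(self, disk: int, blk: int, data: bytes) -> None:
        self.log.append(("write", disk, blk))
        self.disks[disk][self._slice(blk)] = data

    def write_block(self, disk: int, blk: int, data: bytes) -> int:
        """One small write as steps 1a, 1b, 2, 3a, 3b; returns transactions used."""
        before = len(self.log)
        old_data = self._read(disk, blk)                                 # 1a
        old_parity = self._read(self.parity, blk)                        # 1b
        new_parity = xor_blocks(xor_blocks(old_parity, old_data), data)  # 2
        self._write(disk, blk, data)                                     # 3a
        self._write(self.parity, blk, new_parity)                        # 3b
        return len(self.log) - before

    def rebuild(self, failed: int, blk: int) -> bytes:
        """Recover one block of a failed disk by XOR-ing all the other disks."""
        acc = bytes(self.block_size)
        for i, d in enumerate(self.disks):
            if i != failed:
                acc = xor_blocks(acc, bytes(d[self._slice(blk)]))
        return acc

    def parity_ok(self, blk: int) -> bool:
        """True if the stored parity still equals the XOR of the data blocks."""
        stored = bytes(self.disks[self.parity][self._slice(blk)])
        return self.rebuild(self.parity, blk) == stored


class Raid1:
    """Two mirrored disks: a write goes to both, a read can come from either."""

    def __init__(self, blocks: int, block_size: int = 512) -> None:
        self.block_size = block_size
        self.disks = [bytearray(blocks * block_size) for _ in range(2)]
        self.log: List[Transaction] = []

    def write_block(self, blk: int, data: bytes) -> int:
        before = len(self.log)
        for i, d in enumerate(self.disks):
            self.log.append(("write", i, blk))
            d[blk * self.block_size:(blk + 1) * self.block_size] = data
        return len(self.log) - before


def small_write_cost() -> Dict[str, object]:
    """Issue one 512-byte write to each layout and report what it cost."""
    r5 = Raid5(n_data=3, blocks=8)
    r1 = Raid1(blocks=8)
    payload = os.urandom(512)           # constructed sample data
    cost5 = r5.write_block(disk=1, blk=3, data=payload)
    cost1 = r1.write_block(blk=3, data=payload)
    return {
        "raid5_transactions": cost5,
        "raid5_disks_touched": len({d for _, d, _ in r5.log}),
        "raid5_reads": sum(op == "read" for op, _, _ in r5.log),
        "raid5_parity_ok": r5.parity_ok(3),
        "raid5_rebuild_ok": r5.rebuild(1, 3) == payload,
        "raid1_transactions": cost1,
        "raid1_reads": sum(op == "read" for op, _, _ in r1.log),
    }


if __name__ == "__main__":
    for name, value in small_write_cost().items():
        print(f"{name}: {value}")
```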



Re: multi queu

2007-01-24 Thread Lawrence Horvath

Processing my multiple queues, i would like to run it through 2 queue
sets, one for capping and individual ip bandwidth management, and the
second is a master cap, because you cant oversell queues

i have 10 megs at my disposal, and i need to allot 12 people 1 meg
each, the math wont work on only one queue, and i dont want to have to
set up multiple firewalls, id rather have everything in one nice
pf.conf, im gonna do carp later

On 1/24/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:

> On 2007/01/24 06:45, Lawrence Horvath wrote:
> > usually its only possible to queue once going out an interface, as far
> > as i know, is it possible to use a loopback interface to run traffic
> > through multiple queues?
>
> what are you trying to achieve?





--
-Lawrence
-Student ID 1028219
-CCNA



Compiling OpenBSD Kernel With Generic SMP

2007-01-24 Thread Demuel I. Bendano, R.E.E
All,

I have a machine, a Dell 1855, that has one SATA hard disk drive but two
Pentium Xeon 2.0Ghz processors. Now, I have the stable/current source
code for both the kernel and the userland. I suppose that the GENERIC
kernel supports only one processor whereas the GENERIC.SMP supports
multiple processors. The FAQ deals with the GENERIC processor and I
cannot get anything under it that tells what to do if one will compile
from the source code with a GENERIC.SMP kernel.

Any tips and side comments are welcome.


Regards,
Demuel



Re: multi queu

2007-01-24 Thread Stuart Henderson
On 2007/01/24 06:45, Lawrence Horvath wrote:
> usually its only possible to queue once going out an interface, as far
> as i know, is it possible to use a loopback interface to run traffic
> through multiple queues?

what are you trying to achieve?



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Adam Douglas
I have OpenBSD v3.7 and v3.8 running just fine in VMWare Server. I however
haven't fixed the VMWare Tools issue as of yet but apparently there is a
work around to have VMWare Tools work for OpenBSD as well. I have a
bunch of OpenBSD on VMWare bookmarks if you want me to post.

> Is there any software that supports OpenBSD that can do full 
> virtualisation?
> I don't think VMware would be supported on OpenBSD.



Re: atactl smartstatus to email other than cron user

2007-01-24 Thread Han Boetes
Paul de Weerd wrote:
> > You just sent _all_ output to /dev/null
>
> Please learn how the shell redirects output :
>
>   $ (ls fiets; ls auto) > /dev/null
>   ls: fiets: No such file or directory
>   $ (ls fiets; ls auto) 2> /dev/null
>   auto
>   $ (ls fiets; ls auto) 2>&1 > /dev/null
>   ls: fiets: No such file or directory
>   $ (ls fiets; ls auto) > /dev/null 2>&1
>   $ 

Ah ok. Thanks for pointing this out.



# Han



multi queu

2007-01-24 Thread Lawrence Horvath

usually its only possible to queue once going out an interface, as far
as i know, is it possible to use a loopback interface to run traffic
through multiple queues?


internet--->em0 (queue)--->lo2 (queue)->em1--->lan

--
-Lawrence
-Student ID 1028219
-CCNA



Re: JOB OFFER

2007-01-24 Thread Luca Corti
On Wed, 2007-01-24 at 05:51 -0800, Lawrence Horvath wrote:
> classify them as spam or if i should just delete them, i was concerned

If they use bayesian filters for classification only the message body
should be passed to the filter. Blacklisting (if done by gmail
automatically when you report spam) should apply to the sender, so this
should be safe too.

I am not familiar with gmail though, so can't tell for sure.

ciao

Luca



Re: atactl smartstatus to email other than cron user

2007-01-24 Thread Paul de Weerd
On Wed, Jan 24, 2007 at 03:08:50PM +0059, Han Boetes wrote:
| Joachim Schipper wrote:
| > You'd need to use
| >
| > 0 * * * * /sbin/atactl /dev/wd0c smartstatus 2>&1 >/dev/null | \
| > mail -s "wd0 ERRORS on serverXYZ" [EMAIL PROTECTED]
| 
| You just sent _all_ output to /dev/null

Please learn how the shell redirects output :

$ (ls fiets; ls auto) > /dev/null
ls: fiets: No such file or directory
$ (ls fiets; ls auto) 2> /dev/null
auto
$ (ls fiets; ls auto) 2>&1 > /dev/null
ls: fiets: No such file or directory
$ (ls fiets; ls auto) > /dev/null 2>&1
$ 

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: atactl smartstatus to email other than cron user

2007-01-24 Thread Matthew R. Dempsky
On Wed, Jan 24, 2007 at 03:08:50PM +0059, Han Boetes wrote:
> Joachim Schipper wrote:
> > You'd need to use
> >
> > 0 * * * * /sbin/atactl /dev/wd0c smartstatus 2>&1 >/dev/null | \
> > mail -s "wd0 ERRORS on serverXYZ" [EMAIL PROTECTED]
> 
> You just sent _all_ output to /dev/null

No he didn't.



Re: USB printer not working

2007-01-24 Thread Heinrich Rebehn

Heinrich Rebehn wrote:

> Hi all,
>
> i just received a Soekris 4801 which i want to use as a file and print
> server. However, i cannot get the printer to work. For testing purposes
> i am using an HP Deskjet 600 connected via a USB/Parallel cable.
>
> When i connect the printer it shows up as:
>
> ulpt0 at uhub0 port 1 configuration 1 interface 0
> ulpt0: Prolific Technology Inc. IEEE-1284 Controller, rev 1.00/2.02,
> addr 2, iclass 7/1
> ulpt0: using bi-directional mode
>
> Trying to access the printer:
>
> # echo "Hello World" > /dev/ulpt0
> -bash: /dev/ulpt0: Resource temporarily unavailable
> # echo "Hello World" > /dev/ulpt0
> -bash: /dev/ulpt0: Device busy
>
> Further attempts always yield "Device busy".
>
> The printer is working fine on another machine under Windows and Linux.
> The soekris' USB port seems to be ok too, since i can access a USB stick.
>
> Browsing the web only showed some old posts saying that this used to
> work with 2.8 :-(. The FAQ says nothing about printing at all.
>
> Am i missing something? Anything to configure?
>
> dmesg is attached. Thanks for any help :-)

For the record: connecting the USB/Parallel adapter cable via a USB hub
works. So does using a "real" USB printer. So it seemed to be a USB
power problem.


--Heinrich



Re: atactl smartstatus to email other than cron user

2007-01-24 Thread Han Boetes
Joachim Schipper wrote:
> You'd need to use
>
> 0 * * * * /sbin/atactl /dev/wd0c smartstatus 2>&1 >/dev/null | \
>   mail -s "wd0 ERRORS on serverXYZ" [EMAIL PROTECTED]

You just sent _all_ output to /dev/null


# Han



Re: JOB OFFER

2007-01-24 Thread Lawrence Horvath

I get a number of spams that make it through the misc list, not many
but at least a few, i use gmail and wasn't sure if its safe to
classify them as spam or if i should just delete them, i was concerned
that in classifying them as spam it could count negative toward the
list server?

thanks

On 1/24/07, Raymond Limited <[EMAIL PROTECTED]> wrote:

Good Day,

Are you looking for a lucrative job? The job takes only 3-5 hours a
week , And it a chance for you to make over $3,000 extra per month
depending on how usefull you are to the company.

Also you do not need to resume at any office to get started ,Its a work from 
home and you do not pay any fee to get started . Try now without risking your 
current job.

Do get back to me if interested

Thanks
Tanya





--
-Lawrence
-Student ID 1028219
-CCNA



Re: apache security

2007-01-24 Thread Alexander Farber

Joachim, could you share your config files for that?

On 1/23/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:

> The simple solution is to not allow the web server to write anywhere but /tmp.



Regards
Alex

--
http://preferans.de



Re: Virtualisation on OpenBSD?

2007-01-24 Thread Lawrence Horvath

qemu is your best bet, its not quite as fast as vmware but it runs on
OpenBSD, and supports several archs, it has a nice pkg and everything

vmware could run on OpenBSD if you have linux compatibility turned on i think



On 1/24/07, John Tate <[EMAIL PROTECTED]> wrote:

> Is there any software that supports OpenBSD that can do full virtualisation?
> I don't think VMware would be supported on OpenBSD.
>
> --
> Faced with the fact that Intelligent Design doesn't meet the criteria for a
> scientific theory, leading proponent redefines what a scientific theory is.
> Result: Astrology now a scientific theory.





--
-Lawrence
-Student ID 1028219
-CCNA



Re: The OACK Project

2007-01-24 Thread Per-Erik Persson

This rings a bell to me.
I don't know if it still is true but "a while ago" tftpd was binding to
the network card it found first.
Try to run it on a machine that only has one network card and see if it
works better.

If you look at older postings you will probably find the exact problem.
However what you describe might be another problem, but I spent a lot
of time trying to get an old mac to boot via tftp and never succeeded
until I accidentally hooked the client up on the other network card.


Jonathan Eifrig wrote:

> Rogier Krieger wrote:
>
> > On 1/24/07, Jonathan Eifrig <[EMAIL PROTECTED]> wrote:
> >
> > > tftpd[]: oack: Permission denied
> >
> > That may have something to do with *file* permissions. Quoting tftpd(8):
> >
> > "The use of tftp(1) does not require an account or password on the remote
> > system.  Due to the lack of authentication information, tftpd will allow
> > only publicly readable files to be accessed."
> >
> > Are the files you're trying to serve world-readable?
>
> Yes.  :-)
>
> As I said, the problem is client-specific: a tftp client running on
> the same machine as the server can retrieve files with no problem.
> Clients on remote machines timeout.
>
> It's as if the tftpd process is not allowed to use eth0 or some such.




Re: isakmpd + carp + sasyncd failover problems

2007-01-24 Thread Kai Mosebach
We are running productive already, hence an update to -current is too 
good at the moment. Please let me know if it brings some enhancements. I 
will setup another test scenario then.


cheers Kai


> On Thu, Jan 18 2007 at 14:16, Kai Mosebach wrote:
> > we are using 3 Soekris firewall pairs in our company's setup to provide
> > failover IPSec connections between 3 sites using OpenBSD 4.0 RELEASE.
> > The big picture looks like this :
> >
> > A -> B (passive)
> > A -> C (passive)
> > B -> C (passive)
> >
> > By now its basically working fine, but with the IPSec failover we have
> > several problems which i cannot come by after several days of testing.
> >
> > The main problem is, that if MASTER is rebooted, the SLAVE takes over,
> > fine.
> > Once the MASTER comes up again, it takes over the SAs of the SLAVE but
> > as soon as its carp interfaces get demoted (and he becomes an isakmpd
> > master) he acquires new SAs which leads to a failure in the IPSec
> > tunnel, as there are twice as many SAs in the SA-DB as before and
> > (supposedly) the newly created SAs of the MASTER are used which leads to
> > an "invalid cookie" on the remote site. I tweaked the /etc/rc script to
> > do the demotion later (or i do it manually) and its directly related to
> > the point where the isakmpd is becoming master again.
>
> I have a smaller setup (1 carp cluster and a single box at the other
> end) and also noted the duplicate SAs. I updated to current
> in order to see a resolution of this problem with no luck.
>
> I didn't see the "invalid Cookie" message in log files.
>
> Claer




Re: The OACK Project

2007-01-24 Thread Jonathan Eifrig

Rogier Krieger wrote:

> On 1/24/07, Jonathan Eifrig <[EMAIL PROTECTED]> wrote:
>
> > tftpd[]: oack: Permission denied
>
> That may have something to do with *file* permissions. Quoting tftpd(8):
>
> "The use of tftp(1) does not require an account or password on the remote
> system.  Due to the lack of authentication information, tftpd will allow
> only publicly readable files to be accessed."
>
> Are the files you're trying to serve world-readable?


Yes.  :-)

As I said, the problem is client-specific: a tftp client running on the 
same machine as the server can retrieve files with no problem.  Clients 
on remote machines timeout.


It's as if the tftpd process is not allowed to use eth0 or some such.



Virtualisation on OpenBSD?

2007-01-24 Thread John Tate
Is there any software that supports OpenBSD that can do full virtualisation?
I don't think VMware would be supported on OpenBSD.

-- 
Faced with the fact that Intelligent Design doesn't meet the criteria for a
scientific theory, leading proponent redefines what a scientific theory is.
Result: Astrology now a scientific theory.



Re: The OACK Project

2007-01-24 Thread Jason Dixon

On Jan 24, 2007, at 6:18 AM, Jonathan Eifrig wrote:

> I'm trying to get a Soekris box to boot from an OpenBSD tftp server.
> I've gotten my DHCP server working, but I'm having trouble with my tftpd
> configuration. (I guess it's not so Trivial as I thought! :-))
>
> When the client attempts to retrieve pxeboot from the tftp server, the
> client times out and on the server I get the following (unhelpful)
> message dumped to the syslog:
>
> tftpd[]: oack: Permission denied
> ...
> tftpd[]: nak: Permission denied
>
> This happens with any remote client. Interestingly, if I attempt to tftp
> from the server locally, it works fine: only remote clients have a problem.
>
> My tftp daemon is started from inetd (which I guess technically makes it
> not a daemon at all); I just uncommented the tftpd lines in the
> distributed inetd.conf file.
>
> Obviously, there's some sort of network permissions configuration layer
> I'm missing. Any ideas of where to look?


What are the perms on /tftpboot/*?  The tftpd daemon is privsep.  The  
code snippets that generate those errors (src/libexec/tftpd/tftpd.c)  
would indeed suggest a network permissions problem as you mention,  
but it can't hurt to check.



--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: The OACK Project

2007-01-24 Thread Rogier Krieger

On 1/24/07, Jonathan Eifrig <[EMAIL PROTECTED]> wrote:

> tftpd[]: oack: Permission denied


That may have something to do with *file* permissions. Quoting tftpd(8):

"The use of tftp(1) does not require an account or password on the remote
system.  Due to the lack of authentication information, tftpd will allow
only publicly readable files to be accessed."

Are the files you're trying to serve world-readable?

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



ipsec.conf question

2007-01-24 Thread stan
I've got some basic tunneling working using ipsec, and I'm trying to make it
a bit more robust. Here's what works:

Machine A:

ike esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to XX.92.176.37

Machine B:

ike esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike esp from XX.92.176.37 to XX.92.176.33

Now both machines are in active mode, which seems a bit of an issue, and
machine B has a dynamic IP (with fixed name), so I changed these to:

Machine A:

ike passive esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to XX.92.176.37

Machine B:

ike dynamic esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike dynamic esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike dynamic esp from XX.92.176.37 to XX.92.176.33

But now machine "A" can't ping the interface to the internal net on "B"
"B" CAN ping the internal interface on "A"

Can anyone explain what mistake I'm making here, please?



-- 
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



The OACK Project

2007-01-24 Thread Jonathan Eifrig

I'm trying to get a Soekris box to boot from an OpenBSD tftp server.
I've gotten my DHCP server working, but I'm having trouble with my tftpd
configuration. (I guess it's not so Trivial as I thought! :-))

When the client attempts to retrieve pxeboot from the tftp server, the
client times out and on the server I get the following (unhelpful)
message dumped to the syslog:

tftpd[]: oack: Permission denied
...
tftpd[]: nak: Permission denied

This happens with any remote client. Interestingly, if I attempt to tftp
from the server locally, it works fine: only remote clients have a problem.

My tftp daemon is started from inetd (which I guess technically makes it
not a daemon at all); I just uncommented the tftpd lines in the
distributed inetd.conf file.

Obviously, there's some sort of network permissions configuration layer
I'm missing. Any ideas of where to look?



Re: uvm_fault

2007-01-24 Thread mickey
On Tue, Jan 23, 2007 at 03:40:11PM -0500, test wrote:
> I have a similar problem.  I would suspect it's my hdd or possible RAM,
> because this only happens when I am trying to recompile the kernel, or install
> something from the ports tree.  It panics with this error.

this problem is there from about 3.6 at least.
in a nutshell pmap leaks pv_entry structs and
those contain pointers that become invalid and
dereferenced. in your case it's the page directory
pointer that gets busted.

cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: OpenBGPD in ISP-Planet's article

2007-01-24 Thread Lars Hansson
Claudio Jeker wrote:
> We don't do the Cisco CLI and route-map thing -- which is in my opinion a
> very good thing.

Ah. I wasn't aware that those are in the standard though ;)

---
Lars



Re: OT: Getting a premade box or doing it yourself

2007-01-24 Thread Toni Mueller
Hi,

On Sun, 21.01.2007 at 13:53:22 +, Jeroen Massar <[EMAIL PROTECTED]> wrote:
> others, I would actually suggest that Barracuda does it, as they have
> their arguments, you don't ;)

they have a professional sales department which can cook up any story
you want (probably), and the original poster hasn't, and they also had
more time to actually do it.

> Same reason why Windows Servers are a good thing to give to
> organizations that have stupid people, they won't be able to understand
> OpenBSD either, but clicking is something that almost everybody can do.

Of course, randomly clicking here and there in an easy-to-use Active
Directory tree just does the job nicely. *veg*

> Thing that would make any *BSD/Linux etc great: clickability & wizards.
> also known as the K.I.S.S. principle.

Right. We instantly need to revive SMIT & friends which I thought would
already have wandered off into oblivion...

Please don't mistake having a GUI with being easy. You still need some
understanding of the task you want to do. I know serious people who
sell Windows support to big companies who actually say that you can't
really do your job unless you "resort" to write (and use) the Windows
equivalent of Unix shell scripts because the GUI doesn't let you do
things you just need to do.

But if you really think you need such stuff, I recommend that you look
at the (Debian centered) GOsa2 or UCS packages. From the outside, they
look like webmin on steroids, and they actually might do the trick for
you.  It should be possible to adapt them to the requirements of
working on, and with, OpenBSD instead of Debian.

I'm sure there are other packages out there that do a similar job.



Best,
--Toni++



Re: OpenBGPD in ISP-Planet's article

2007-01-24 Thread Stuart Henderson
On 2007/01/24 17:46, Lars Hansson wrote:
> Cool, but...
> Alexey Suslikov wrote:
> >> Non-standard of BGP functionality (modeled after PF).
> What does that even mean? What is non-standard?

I think they mean "it isn't an IOS clone"...



Re: 2 gateway in OBSD 4.0

2007-01-24 Thread Reza Muhammad
--- Greg Thomas <[EMAIL PROTECTED]> wrote:

> On 1/23/07, sonjaya <[EMAIL PROTECTED]> wrote:
> > Dear All
> >
> > Any posible way to using 2 gateway in n out
> without  using routed
> > protcol such as bgp/osf
> > Because i have two connection to Internet
> > basic  diagram
> >   |-gw01---|
> >  internet   | obsd 4.0 |---Lan
> >   |---gw02--|
> >
> > - 2 Ip public
> > - 1 server obsd  4.0 with 3 Networkcard
> >  - 2 box gw
> >
> > I plan obsd 4.0 for :
> >
> > 1. ns server who have 2 ip public from 2 isp
> >
> > question  iwant ask , how to set 2 gw without 
> have bgp/osf  access ?
> >
> 
> I'm surprised no one has asked this question before.
>  Oh, wait, <checks the archives>, oh, yeah, someone just
> discussed that scenario
> this week.
> 
> http://www.openbsd.org/faq/pf/pools.html#outgoing
> 
> Greg
> 

What about -mpath in route(8) ??
is it doing ok now in 4.0 ?


regards
Reza



 




Re: OpenBGPD in ISP-Planet's article

2007-01-24 Thread Ronnie Garcia

Alexey Suslikov wrote:

> OpenBGPD/OpenBSD: Free OpenBSD-based EGP/IGP routing platform.
> Solid, secure, free, and very scalable. Again, you're operating without
> vendor support. Non-standard of BGP functionality (modeled after PF).
> Awesome integration with CARP and PF, makes for great firewalls, routers
> and route servers. If you are system administrator and appreciate Unix,
> you will fall in love with OpenBGPD. If you are a Linux admin, you will be
> surprised at the lack of learning curve involved. Community support is
> actually pretty good.
>
> http://www.isp-planet.com/equipment/2007/routers_bol.html


While you are at it, and because i did not see it mentioned in this
list, there is a very good prez made by claudio@ :


Routing with OpenBSD using OpenOSPFD and OpenBGPD
http://www.openbsd.org/papers/linuxtag06-network.pdf

--
Ronnie Garcia 



vnconfig -K only with a saltfile

2007-01-24 Thread Michael

Hi,

I wonder how secure it would be to hardcode a password and just use the 
saltfile to decrypt a partition? The saltfile would be located on a USB
stick and the partition could automatically be mounted when the stick 
gets plugged in, using hotplugd.


I used an md5sum as password example here.
See example diff below.

--- usr.sbin/vnconfig/vnconfig.c.orig Wed Jan 24 10:50:09 2007
+++ usr.sbin/vnconfig/vnconfig.c  Wed Jan 24 10:56:25 2007
@@ -143,7 +143,8 @@
rounds = strtonum(arg, 1000, INT_MAX, &errstr);
if (errstr)
err(1, "rounds: %s", errstr);
-   key = getpass("Encryption key: ");
+// key = getpass("Encryption key: ");
+   key = "e715ae86932cf0cc5cafdf353c0426ac";
if (!key || strlen(key) == 0)
errx(1, "Need an encryption key");
strncpy(keybuf, key, sizeof(keybuf));
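Review bot: the `+   key = "e715ae...";` line compiles the encryption key into every copy of vnconfig, so anyone who can read the binary (or this message) has it, and the partition is then protected by possession of the saltfile alone; the `if (!key || strlen(key) == 0)` check that follows is dead code for a non-empty literal. If the aim is unattended mounting from hotplugd, reading the key material from a file on the same USB stick at run time keeps the secret out of the executable and keeps that check meaningful. Style-wise, delete the getpass() line rather than leaving it behind a `//` comment.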

Also, I am wondering, what is the best value for ROUNDS to use, is there 
any good documentation about that somewhere?



 - Michael



Re: OpenBGPD in ISP-Planet's article

2007-01-24 Thread Claudio Jeker
On Wed, Jan 24, 2007 at 05:46:44PM +0800, Lars Hansson wrote:
> Cool, but...
> Alexey Suslikov wrote:
> >> Non-standard of BGP functionality (modeled after PF).
> What does that even mean? What is non-standard?
> 

We don't do the Cisco CLI and route-map thing -- which is in my opinion a
very good thing.

-- 
:wq Claudio



Re: set obsd 3.9 as dns server

2007-01-24 Thread RedShift

Craig Skinner wrote:

On Wed, Jan 24, 2007 at 09:25:13AM +0700, sonjaya wrote:

Dear all

i have obsd 3.9 , i want setup as dns name for my ip public and
mydomain , i try follow step in
openbsdsupport.org , but until now always get error lame server and
etc , so where i get good tutorial about setup obsd as name server for
my public ip and my domain .



http://www.oreilly.com/catalog/dnsbindckbk/
http://www.oreilly.com/catalog/dns4/
http://sicute.blogspot.com/2007/01/dns-fundamentalsbind.html


-sonjaya-
http://sicute.blogspot.com





www.dnsstuff.com Very useful site with all sorts of DNS/ip testing. It 
will not only tell you you have lame name resolving, but will also tell 
you what it is and therefore how to solve it




Re: OpenBGPD in ISP-Planet's article

2007-01-24 Thread Luca Corti
On Wed, 2007-01-24 at 17:46 +0800, Lars Hansson wrote:
> What does that even mean? What is non-standard?

I think the article refers to the fact that OpenBGPd is integrated with
OpenBSD specific features like PF/CARP.

ciao

Luca



Re: OpenBGPD in ISP-Planet's article

2007-01-24 Thread Lars Hansson
Cool, but...
Alexey Suslikov wrote:
>> Non-standard of BGP functionality (modeled after PF).
What does that even mean? What is non-standard?


---
Lars Hansson



Re: atactl smartstatus to email other than cron user

2007-01-24 Thread Joachim Schipper
On Wed, Jan 24, 2007 at 02:51:50AM +, Paul Pruett wrote:
> Using cron and atactl to email smartstatus errors
> to an email address other than cron user:
> -
> 
> 
> I was playing with the suggestion in the man
> page for atactl and smart status. After using rc.local
> to make sure smart is enabled, something like
>  echo -n 'wd0: '
>  /sbin/atactl wd0 smartenable
>  /sbin/atactl wd0 smartstatus
> 
> Now to put something in crontab to hourly check for errors,
> per suggestion of man page for atactl I could use:
> 0 * * * * /sbin/atactl /dev/wd0c smartstatus >/dev/null
> 
> And the error will email to root, or if the variable
> [EMAIL PROTECTED]
> Then all error messages from cron will go there :(
> 
> I can see where I might want some tasks to email
> standard error messages to other than the cron user or MAILTO,
> like sending an email to a pager or other alert email box.
> Thus the question, how to edit cron task to send normal output to null
> but email error messages...  Handling outputs if I remember
> and a quick google found a page that seems to confirm,
> http://ibmdocs.ncep.noaa.gov/userman/cron.html
> suggests 1> should be standard and 2> should be errors
> so we should be able to do something like
> 
> 0 * * * * /sbin/atactl /dev/wd0c smartstatus 1>/dev/null 2>mail -s "wd0 
> ERRORS on serverXYZ" [EMAIL PROTECTED]
> 
> 
> Other than using up your pager allotment, does anyone see
> a problem doing it this way, please correct.
> 
> 
> If a server is not raid, and using cheaper ide/sata drives,
> this might be a useful way to be urgently notified of
> a hard drive that may fail.

You'd need to use

0 * * * * /sbin/atactl /dev/wd0c smartstatus 2>&1 >/dev/null | \
mail -s "wd0 ERRORS on serverXYZ" [EMAIL PROTECTED]

but aside from that, it sounds okay. Of course, Damien's solution is
superior if atactl is halfway sane software.

(Note the pipe; you need to do something like that to get the data to
the mail command, and this is the most portable. Also note that 1 in 1>
is not necessary, as that's the default, and that 2>&1 redirects stderr
to stdout.)

You'll most probably end up writing a script anyway, if you want this to
work on several servers.

Joachim
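To make the redirection order concrete, here is an added example that is not part of the thread. A constructed shell function stands in for /sbin/atactl (one status line on stdout, one error line on stderr), so the script runs anywhere; in a real cron job you would call atactl in its place.

```shell
#!/bin/sh
# Added example, not from the thread: shows why "2>&1 >/dev/null | mail"
# works and why "1>/dev/null 2>mail" does not.

# Constructed stand-in for /sbin/atactl: one status line on stdout, one
# error line on stderr (real atactl output will differ).
fake_atactl() {
    echo "wd0: SMART supported, SMART enabled"
    echo "wd0: offline self-test failed" >&2
}

# Joachim's ordering. Redirections apply left to right: first stderr is
# duplicated onto the current stdout (the pipe), then stdout alone is
# pointed at /dev/null. Only the error line reaches the pipe.
stderr_to_pipe() {
    fake_atactl 2>&1 >/dev/null | cat
}

# Reversed ordering. stdout goes to /dev/null first, then stderr is
# duplicated onto that already-discarded stdout: nothing reaches the pipe.
reversed_order() {
    fake_atactl >/dev/null 2>&1 | cat
}

# The form from the question, "1>/dev/null 2>mail -s ...", is a redirect
# to a FILE named "mail" (the remaining words "-s ..." become extra
# arguments to atactl), not a pipe. Shown here with a temp file standing
# in for the file named "mail".
stderr_to_file() {
    tmp=$(mktemp) || return 1
    fake_atactl 1>/dev/null 2>"$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

# What the cron job should do: capture stderr only, and hand it to the
# mailer (the command given as arguments) only if it is non-empty, so a
# clean hourly run sends nothing at all.
mail_if_errors() {
    errs=$(fake_atactl 2>&1 >/dev/null)
    if [ -n "$errs" ]; then
        printf '%s\n' "$errs" | "$@"
        return 0
    fi
    return 1   # nothing to report
}

# Crontab usage (hourly), with the script saved as smartcheck.sh and
# fake_atactl replaced by the real /sbin/atactl invocation:
#   0 * * * * /path/to/smartcheck.sh mail -s "wd0 ERRORS on serverXYZ" root
```

The `mail_if_errors` wrapper is the part worth keeping: with the bare crontab line, an hourly mail is sent whenever atactl writes anything to stderr, and an empty message is still a message to a pager.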



Re: isakmpd + carp + sasyncd failover problems

2007-01-24 Thread Claer
On Thu, Jan 18 2007 at 14:16, Kai Mosebach wrote:
> we are using 3 Soekris firewall pairs in our company's setup to provide 
> failover IPSec connections between 3 sites using OpenBSD 4.0 RELEASE. 
> The big picture looks like this :
> 
> A -> B (passive)
> A -> C (passive)
> B -> C (passive)
> 
> By now it's basically working fine, but with the IPSec failover we have 
> several problems which I cannot come by after several days of testing.
> 
> The main problem is, that if MASTER is rebooted, the SLAVE takes over, 
> fine.
> Once the MASTER comes up again, it takes over the SAs of the SLAVE but 
> as soon as its carp interfaces get demoted (and he becomes an isakmpd 
> master) he acquires new SAs which leads to a failure in the IPSec 
> tunnel, as there are twice as many SAs in the SA-DB than before and 
> (supposedly) the newly created SAs of the MASTER are used which leads to 
> an "invalid cookie" on the remote site. I tweaked the /etc/rc script to 
> do the demotion later (or I do it manually) and it's directly related to 
> the point where the isakmpd is becoming master again.

I have a smaller setup (1 carp cluster and a single box at the other
end) and also noted the duplicate SAs. I updated to current
in order to see a resolution of this problem with no luck. 

I didn't see the "invalid Cookie" message in log files.


Claer



OpenBGPD in ISP-Planet's article

2007-01-24 Thread Alexey Suslikov

OpenBGPD/OpenBSD: Free OpenBSD-based EGP/IGP routing platform.
Solid, secure, free, and very scalable. Again, you're operating without
vendor support. Non-standard of BGP functionality (modeled after PF).
Awesome integration with CARP and PF, makes for great firewalls, routers
and route servers. If you are a system administrator and appreciate Unix,
you will fall in love with OpenBGPD. If you are a Linux admin, you will be
surprised at the lack of learning curve involved. Community support is
actually pretty good.


http://www.isp-planet.com/equipment/2007/routers_bol.html



Re: 2 gateway in OBSD 4.0

2007-01-24 Thread Unnikrishnan P
> Any possible way to use 2 gateways in and out without using a
> routing protocol such as bgp/ospf? Because I have two connections
> to the Internet. Basic diagram:
>   |-gw01---|
>  internet   | obsd 4.0 |---Lan
>   |---gw02--|
> 
> - 2 public IPs
> - 1 server obsd 4.0 with 3 network cards
>  - 2 gw boxes
> 
> I plan obsd 4.0 for :
> 
> 1. ns server which has 2 public IPs from 2 ISPs
> 
> Question I want to ask: how to set 2 gw without having bgp/ospf access?

Use multipath routing.

http://www.openbsd.org/papers/opencon06-network/mgp7.html
http://www.openbsd.org/papers/opencon06-network/mgp8.html
http://www.openbsd.org/papers/opencon06-network/mgp9.html


Unni
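As an added example that is not part of the thread or the linked slides: the multipath route setup Unni refers to, plus a small gateway liveness check so a dead ISP link is taken out of the route set. The gateway addresses are constructed placeholders; the script prints the commands unless run with DRY_RUN=0 as root. The `route delete -mpath default GW` form for removing a single entry and `ping -w` are from my reading of route(8) and ping(8) and should be checked against the release in use.

```shell
#!/bin/sh
# Added example, not from the thread: two default gateways with OpenBSD
# multipath routing, plus a liveness check that drops a dead ISP link
# from the route set. Gateway addresses are constructed placeholders.

GW01=${GW01:-203.0.113.1}     # constructed: ISP 1 gateway
GW02=${GW02:-198.51.100.1}    # constructed: ISP 2 gateway
DRY_RUN=${DRY_RUN:-1}         # 1 = print commands; 0 = run them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup: enable multipath and install one default route per
# gateway. With -mpath both routes coexist instead of the second
# replacing the first.
setup_multipath() {
    run sysctl net.inet.ip.multipath=1
    run route add -mpath default "$GW01"
    run route add -mpath default "$GW02"
}

# Liveness probe for a gateway: one echo request, one second wait.
# Redefine gw_alive to exercise the logic without a network.
gw_alive() {
    ping -c 1 -w 1 "$1" >/dev/null 2>&1
}

# Periodic reconcile (e.g. from cron every minute): keep only live
# gateways in the multipath set. Re-adding a route that already exists
# fails harmlessly; deleting with the gateway named removes just that
# entry (assumed from route(8), verify on your release).
reconcile() {
    for gw in "$GW01" "$GW02"; do
        if gw_alive "$gw"; then
            run route add -mpath default "$gw"
        else
            run route delete -mpath default "$gw"
        fi
    done
}

# Number of gateways currently considered live, for monitoring.
live_count() {
    n=0
    for gw in "$GW01" "$GW02"; do
        gw_alive "$gw" && n=$((n + 1))
    done
    echo "$n"
}
```

Multipath only spreads outbound flows across the two gateways; replies to connections that arrived through gw02 are not automatically sent back the same way, so for the ns server case pf's reply-to on the inbound pass rules is still needed to keep each ISP's traffic symmetric.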



Re: set obsd 3.9 as dns server

2007-01-24 Thread Craig Skinner
On Wed, Jan 24, 2007 at 09:25:13AM +0700, sonjaya wrote:
> Dear all
> 
> I have obsd 3.9, and I want to set it up as a DNS server for my public IP and
> my domain. I tried to follow the steps on
> openbsdsupport.org, but until now I always get "lame server" errors and
> so on, so where can I get a good tutorial about setting up obsd as a name server for
> my public IP and my domain?
> 

http://www.oreilly.com/catalog/dnsbindckbk/
http://www.oreilly.com/catalog/dns4/
http://sicute.blogspot.com/2007/01/dns-fundamentalsbind.html

> -sonjaya-
> http://sicute.blogspot.com
> 

-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]