Re: ntpd use dhclient ntp-servers
On Thu, 3 May 2007, Tom Van Looy wrote:

> Hi,
>
> I wanted to let my ntp client use the servers it receives from the dhcp
> server (3.0 from packages). I made it working like this:
>
> I added "ntp-servers" to /etc/dhclient.conf, and the following function to
> the /sbin/dhclient-script script:
>
> add_new_ntp() {
>     if [ -n "$new_ntp_servers" ]; then
>         sed '/^server/d' /etc/ntpd.conf > /etc/ntpd.conf.new
>         for address in $new_ntp_servers; do
>             echo "server $address" >> /etc/ntpd.conf.new
>         done
>         mv /etc/ntpd.conf.new /etc/ntpd.conf
>         pkill -KILL ntpd
>         ntpd
>     fi
> }
>
> I use "add_new_ntp" after "add_new_routes" in "BOUND|RENEW|REBIND|REBOOT)".
>
> Is this the right way to let ntp use dhclient? And, is what I did in
> add_new_ntp() the best way to do it?
>
> It seems that the script works. After executing "/bin/sh /etc/netstart bce0"
> I see the following in /var/log/daemon:
>
> May 2 22:35:51 kaat dhclient[30663]: DHCPREQUEST on bce0 to 255.255.255.255 port 67
> May 2 22:35:51 kaat dhclient[30663]: DHCPACK from 127.0.0.1
> May 2 22:35:51 kaat ntpd[2737]: Lost child: child terminated; signal 9 (Killed)
> May 2 22:35:51 kaat ntpd[27146]: ntp engine ready
> May 2 22:35:51 kaat dhclient[30663]: bound to 192.168.1.80 -- renewal in 7200 seconds.
> May 2 22:36:11 kaat ntpd[27146]: peer 192.168.1.7 now valid
> May 2 22:36:14 kaat ntpd[27146]: peer 192.168.1.6 now valid
> May 2 22:38:13 kaat ntpd[27146]: clock is now synced
> May 2 22:52:39 kaat ntpd[12672]: adjusting clock frequency by -12.976140 to -12.976140ppm
>
> But I have two additional questions about this:
>
> 1) my dhcpd runs at 192.168.1.5 (remote), so why "DHCPACK from 127.0.0.1"?

No idea on this one.

> 2) "adjusting clock frequency by -12.976140 to -12.976140ppm". These values
> are the same, what just happened?

The previous freq adjustment was 0. The new value will be persistent, the next
time you reboot it'll start with the previously stored value.

	-Otto
Re: ntpd use dhclient ntp-servers
On Thursday, May 3, 2007 at 00:23:00 +0200, Tom Van Looy wrote:
> Hi,
>
> I wanted to let my ntp client use the servers it receives from the dhcp
> server (3.0 from packages). I made it working like this:
>
> I added "ntp-servers" to /etc/dhclient.conf, and the following function to
> the /sbin/dhclient-script script:
>
> add_new_ntp() {
>     if [ -n "$new_ntp_servers" ]; then
>         sed '/^server/d' /etc/ntpd.conf > /etc/ntpd.conf.new
>         for address in $new_ntp_servers; do
>             echo "server $address" >> /etc/ntpd.conf.new
>         done
>         mv /etc/ntpd.conf.new /etc/ntpd.conf
>         pkill -KILL ntpd
>         ntpd
>     fi
> }
>
> I use "add_new_ntp" after "add_new_routes" in "BOUND|RENEW|REBIND|REBOOT)".
>
> Is this the right way to let ntp use dhclient? And, is what I did in
> add_new_ntp() the best way to do it?

I'm not sure if it is wise to restart ntpd each time your dhcp lease is
renewed. ntpd needs some time to settle and this will interrupt this process
again and again.

Maurice
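A hardened variant of the add_new_ntp() hook from the two posts above, added here as an example and not code from the thread: it only admits plain IPv4 addresses from the DHCP-supplied list into ntpd.conf (dhclient passes on whatever the DHCP server sent), and it rewrites the file and restarts ntpd only when the server set actually changed, which is Maurice's objection to restarting a settling ntpd on every renewal. The helper names (is_ipv4, valid_ntp_servers, ntp_conf_needs_update, write_ntpd_conf) and the NTPD_CONF override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original thread: a safer add_new_ntp()
# for /sbin/dhclient-script. Helper names and NTPD_CONF are assumptions.
# Assumes ntpd.conf carries one "server <addr>" line per server.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
# $new_ntp_servers is whatever the DHCP server sent, so anything that is
# not a plain address (e.g. "1.2.3.4 listen on *") is rejected instead of
# being written into ntpd.conf where it would be read as a directive.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for _o in "$@"; do
            [ -n "$_o" ] && [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# ntp_servers_from_conf FILE: print the address of every "server" line.
ntp_servers_from_conf() {
    sed -n 's/^server[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# valid_ntp_servers LIST: print the valid addresses of the space-separated
# LIST one per line, duplicates removed; bogus entries are logged to stderr.
valid_ntp_servers() {
    (
        set -f   # no pathname expansion while the list is word-split
        for _a in $1; do
            if is_ipv4 "$_a"; then
                printf '%s\n' "$_a"
            else
                printf 'add_new_ntp: ignoring bogus ntp-server "%s"\n' "$_a" >&2
            fi
        done
    ) | awk '!seen[$0]++'
}

# ntp_conf_needs_update CONF LIST: succeed if the server set in CONF
# differs from the validated LIST (order is irrelevant).
ntp_conf_needs_update() {
    _want=$(valid_ntp_servers "$2" 2>/dev/null | sort)
    _have=$(ntp_servers_from_conf "$1" | sort)
    [ "$_want" != "$_have" ]
}

# write_ntpd_conf CONF LIST: replace the "server" lines of CONF with the
# validated LIST, keep every other line, and install the result by rename
# so ntpd never sees a half-written file.
write_ntpd_conf() {
    _tmp=$(mktemp "$1.XXXXXXXXXX") || return 1
    {
        sed '/^server/d' "$1"
        valid_ntp_servers "$2" | sed 's/^/server /'
    } > "$_tmp" && mv "$_tmp" "$1"
}

# add_new_ntp: drop-in replacement for the hook from the thread, called from
# the BOUND|RENEW|REBIND|REBOOT case of dhclient-script. A renewal that
# brings the same servers again leaves the running (synced) ntpd alone.
add_new_ntp() {
    _conf=${NTPD_CONF:-/etc/ntpd.conf}
    [ -n "$new_ntp_servers" ] || return 0
    # Nothing survived validation: keep the existing configuration.
    [ -n "$(valid_ntp_servers "$new_ntp_servers" 2>/dev/null)" ] || return 0
    ntp_conf_needs_update "$_conf" "$new_ntp_servers" || return 0
    write_ntpd_conf "$_conf" "$new_ntp_servers" || return 1
    pkill -TERM ntpd     # TERM rather than KILL lets ntpd exit cleanly
    sleep 1
    ntpd
}
```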
Re: Redundant Firewalls, CARP + IPSEC + SASYNCD
[EMAIL PROTECTED] wrote:
> I have a redundant firewall setup with carp interfaces on both sides of the
> firewall. I have a mirror of this setup in a 2nd location. Now I'm a little
> confused on how to set up the VPN. Do I use 1) the physical interfaces
> between the peers or 2) do I use the carp interface as the peers or 3) do I
> use both the physical and carp interfaces as the peers. When trying to set
> up sasyncd in this sort of environment I can't get the slave firewall to
> establish an IKE session because of the IPs of the peers. Can anyone give
> me any insight into this?

What I have been doing is setting up the VPNs between the sites using the carp
addrs. sasync follows the state of the carp interface so you should get

box a --\                    /-- box y --\
         carp0 ---vpn--- carp0            carp1 -- internal nets
box c --/                    \-- box z --/

A "netstat -rnf encap" run on a and c should look the same and y and z should
as well. Packets will only be forwarded down the tunnel by the machine who is
carp master of either end. You will probably want to have internal carp ifaces
as well, as seen on boxes y and z.
Re: authpf: real world uses of $user_id ?
Bob Beck wrote:
> * Matthias Bertschy [EMAIL PROTECTED] [2007-05-02 11:26]:
>> I think this would only make sense if authpf could stand multiple
>> connections from same host... Unfortunately, it is not possible:
>> http://www.mail-archive.com/[EMAIL PROTECTED]/msg08318.html
>> So, I still wonder why such a feature exists...
>
> Oh for god's sake. It matters when you play with tagging. You can tag in the
> authpf rule based on $user_id and then have rules which reference the tagged
> packet. I.e. packets tagged with "beck" get different treatment from
> everyone else.
>
> ...
> block out on $ext_if
> pass out quick on $ext_if tagged beck
> pass out quick on $ext_if tagged ckuethe
> pass out on $ext_if proto tcp to any port { 80, 443, 22 }
> ...
>
> And yes it's useful, in some situations. if you can't think of it, probably
> not yours.
>
> -Bob

Now it is clear, thank you Bob!

Matthias
Re: LACP
hi!

On Wed, May 02, 2007 at 05:56:53PM -0700, Tom Bombadil wrote:
> is there any support for LACP on openbsd? Or any plan to have it working?

lacp will be added as an additional protocol for trunk(4) very soon.

> A quick read on trunk(4) doesn't look very promising, but I read an
> interview on onlamp a while ago saying it would be available sometime.
>
> Thanks!
Re: : Serial console on OpenBSD 4.1 on HP ProLiant DL145 G3
Aah, here we go again. I still haven't figured out how to use the iLO remote
console.

I have tried ssh towards the iLO IP address and get no connection.

I have tried telnet towards the iLO IP address and get a weird "/./-" prompt.
Can I do anything useful with it?

I have tried http towards the iLO IP address and get the server virtual power
controls, etc, rather flashy, can remote power on, watch temperature sensors.
Cool. But no console.

You (or someone) just briefly mentioned Esc-Q. Where is it used?

On Thu, May 03, 2007 at 01:41:32AM +0200, Reyk Floeter wrote:
> On Wed, May 02, 2007 at 05:41:49PM +0200, Raimo Niskanen wrote:
>> I have now spent the entire afternoon on it, but I can not get the serial
>> console to work. "boot> set tty com0" gives no prompt anywhere. I have
>> tried many BIOS settings (but probably not all). Has anyone got it to work?
>
> yes, but i'm using it for the iLO remote console, not for the physical
> serial interface. it might conflict with the iLO interface, i think there
> are some related buttons in the BIOS IPMI/BCM section.
>
> # sysctl hw.product
> hw.product=ProLiant DL145 G3
> # grep tty /etc/boot.conf
> set tty com0
> # uname -m
> amd64
>
> reyk

-- 
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: OSPF + BGP + emX watchdog timeout - box freezes
Henning Brauer wrote:
> there is some weird unresolved bug in (or rather, with) em. only seems to
> happen with multiport ems.

Maybe I can insert a delay before starting ospfd/bgpd; manually starting after
boot works fine. I run this setup on two Dell Poweredge 1650 boxes with two
em-interfaces which should be implemented as multiport nics.

Regards,
Falk
Re: Hardware Compatibility: Sun Ultra 20 or better suggestion
Hi Shane,

On 5/3/07, Shane Harbour [EMAIL PROTECTED] wrote:
> I'm running -current on one of the older Ultra 20's and it works well for
> me. It's been a while since I've actually sat down and played with it, but
> most stuff is supported out of the box. I did have to put a different NIC
> in mine though. The built in nfe kept locking up during long transfers
> (like cvs updates) and I haven't had time to track down the issue. Here's
> the dmesg from my machine:

Superb! I don't mind putting another NIC in, but I would hope that this is
resolved in newer models.

Thanks very much for this.

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett/
Re: dmesg output Sun Fire 4200
Marco Peereboom wrote:
> I am running an X4100 with -current and I see no issues at all.

If I may ask, how does the Sun Integrated Lights Out Manager (ILOM) on this
X4100 box compare to the regular LOM of the Sparc 64 series? Power cycle and
possible to do full remote install via console as well like the regular Sun?
I know the X2100 is far from the usual LOM I am used to.

Thanks for your time!

Best,

Daniel
Using a DVD-RAM drive with OpenBSD
hi,

i have a nice DVD-RAM drive in my Power Mac, which i'd like to put in my
(amd64) home server for doing backups on this very nice medium. however, i
wonder what's the best way to use it running OpenBSD; use it like a hard disc,
or is there a way to use UDF (like the Mac does, and is the preferred format
for DVD-RAM media)?

[0] says that OpenBSD 3.8 supports read access to UDF; has there been progress
on this (read: read + write)?

thanks,

timo schoeler

-- 
The best cure for insomnia is to get a lot of sleep.
-- W. C. Fields
Re: Using a DVD-RAM drive with OpenBSD
[adding footnote]

> [...]
>
> [0] says that OpenBSD 3.8 supports read access to UDF; has there been
> progress on this (read: read + write)?

[0] -- http://en.wikipedia.org/wiki/Universal_Disk_Format
Re: OpenBSD 4.1 Torrents
If you participate on this list, buy the cds. This isn't your flavor of the
week linux distro.

On 5/2/07, Matiss Miglans [EMAIL PROTECTED] wrote:
> I think there is checksums only for base system, without X, source, ports,
> packages, etc. Or, I don't know where they find.
>
> Open Phugu wrote:
>> On 5/2/07, Mike Erdely [EMAIL PROTECTED] wrote:
>>> On Wed, May 02, 2007 at 08:07:10PM -0400, Clint M. Sand wrote:
>>>> On Tue, May 01, 2007 at 02:33:50PM -0700, andrew fresh wrote:
>>>>> http://openbsd.somedomain.net/index.php?version=4.1
>>>>
>>>> Just out of curiosity... Is it logical to use an OS for the intense
>>>> focus on security and correctness, yet download the binaries from a
>>>> random person on a mailing list instead of any official source with
>>>> reasonable file integrity checking process in place? Seems odd that
>>>> people would use OpenBSD because they trust the code, yet download the
>>>> binaries from random torrents on the internet.
>>>
>>> man 1 cksum
>>> ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.1/i386/CKSUM
>>
>> Seems odd that people would use OpenBSD because they trust the code, yet
>> use a CRC32 to verify the integrity of said operating system.
>>
>> Speaking of this, when will the OpenBSD project begin to post SHA256
>> hashes to the ftp sites? MD5 is dead: these two files are different and
>> yet have the same MD5 hash.
>> http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
>> http://www.cits.rub.de/imperia/md/content/magnus/order.ps
Re: dmesg output Sun Fire 4200
On 5/3/07, Daniel Ouellet [EMAIL PROTECTED] wrote:
> If I may ask, how does the Sun Integrated Lights Out Manager (ILOM) on this
> X4100 box compare to the regular LOM of the Sparc 64 series? Power cycle
> and possible to do full remote install via console as well like the regular
> Sun?

I don't know how LOM works on USIII boxes, but those on X4200 allow you
complete control. You can (via Java based remote console) gain full control of
the box. Ie. reboot, shutdown, access OpenBSD's console, install remotely, even
mount an ISO image locally on your PC and install OpenBSD on it. Pretty much
anything you ever wanted. And ILOM is on a dedicated network interface. Not
like the X2100 shared crap.
Re: : Serial console on OpenBSD 4.1 on HP ProLiant DL145 G3
hi!

On Thu, May 03, 2007 at 12:19:01PM +0200, Raimo Niskanen wrote:
> Aah, here we go again. I still haven't figured out how to use the iLO
> remote console.
>
> I have tried ssh towards the iLO IP address and get no connection.
>
> I have tried telnet towards the iLO IP address and get a weird "/./-"
> prompt. Can I do anything useful with it?

RTFM ;)

/./- cd system1
/./system1/- show
/./system1
  Targets
    log1
  Properties
    name=Hewlett-Packard
    enabledstate=enabled
  Verbs
    cd
    version
    exit
    show
    reset
    start
    stop
    help
/./system1/- stop
System1 stopped.
/./system1/- start
System1 started.

> I have tried http towards the iLO IP address and get the server virtual
> power controls, etc, rather flashy, can remote power on, watch temperature
> sensors. Cool. But no console.
>
> You (or someone) just briefly mentioned Esc-Q. Where is it used?

just press ESC-q anywhere at the prompt

/./- ESC-q

and you'll get the system console. leave it with ESC-(

> On Thu, May 03, 2007 at 01:41:32AM +0200, Reyk Floeter wrote:
>> On Wed, May 02, 2007 at 05:41:49PM +0200, Raimo Niskanen wrote:
>>> I have now spent the entire afternoon on it, but I can not get the
>>> serial console to work. "boot> set tty com0" gives no prompt anywhere. I
>>> have tried many BIOS settings (but probably not all). Has anyone got it
>>> to work?
>>
>> yes, but i'm using it for the iLO remote console, not for the physical
>> serial interface. it might conflict with the iLO interface, i think there
>> are some related buttons in the BIOS IPMI/BCM section.
>>
>> # sysctl hw.product
>> hw.product=ProLiant DL145 G3
>> # grep tty /etc/boot.conf
>> set tty com0
>> # uname -m
>> amd64
>>
>> reyk
>
> -- 
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: : : Serial console on OpenBSD 4.1 on HP ProLiant DL145 G3
Beautiful! Thanks a lot!

But, which FM should I R? I have searched high and low, alas apparently not
right.

On Thu, May 03, 2007 at 03:25:20PM +0200, Reyk Floeter wrote:
> hi!
>
> On Thu, May 03, 2007 at 12:19:01PM +0200, Raimo Niskanen wrote:
>> Aah, here we go again. I still haven't figured out how to use the iLO
>> remote console.
>>
>> [...]
>>
>> I have tried telnet towards the iLO IP address and get a weird "/./-"
>> prompt. Can I do anything useful with it?
>
> RTFM ;)
>
> [...]
>
>> You (or someone) just briefly mentioned Esc-Q. Where is it used?
>
> just press ESC-q anywhere at the prompt
>
> /./- ESC-q
>
> and you'll get the system console. leave it with ESC-(
>
> [...]

-- 
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: Hardware Compatibility: Sun Ultra 20 or better suggestion
On 5/3/07, Edd Barrett [EMAIL PROTECTED] wrote:
> Hi Shane,
>
> Superb! I don't mind putting another NIC in, but I would hope that this is
> resolved in newer models.

Oh, the other thing was, these usually ship with ATI/Nvidia graphics cards. I
couldn't care less for 3d acceleration, as long as I can run X reasonably
well. Are you running X?

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett/
Re: Hardware Compatibility: Sun Ultra 20 or better suggestion
Edd Barrett wrote:
> On 5/3/07, Edd Barrett [EMAIL PROTECTED] wrote:
>> Hi Shane,
>>
>> Superb! I don't mind putting another NIC in, but I would hope that this
>> is resolved in newer models.
>
> Oh, the other thing was, these usually ship with ATI/Nvidia graphics cards.
> I couldn't care less for 3d acceleration, as long as I can run X reasonably
> well. Are you running X?

Yes I am. I did have it set up with the on-board graphics and it worked great
even with 8MB of video RAM. However, I did put an NVIDIA PCI Express card in
later since it was free :)
4.1-stable compile fails
Did a "cvs up -rOPENBSD_4_1" against rt.fm, started a build and got the error
below. Anyone else seeing this or did I mess up my source tree? editor.c does
not exist in the reference directory, but the Makefile refers to it.
Re-running a "cvs up -rOPENBSD_4_1" doesn't add the file.

And in case it helps, here's my .cvsrc:

===
cvs -q [EMAIL PROTECTED]:/cvs update -Pd
===

Thanks,
-Jason

===> sbin/ccdconfig
mkdep -a /usr/src/sbin/ccdconfig/ccdconfig.c
===> sbin/disklabel
make: don't know how to make editor.c. Stop in /usr/src/sbin/disklabel.
*** Error code 2

Stop in /usr/src/sbin.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src (line 73 of Makefile).
Re: : : Serial console on OpenBSD 4.1 on HP ProLiant DL145 G3
So did anyone get the web console (which basically uses a VNC-ish java applet)
working?

BTW, ssh worked for me, it just took a long time to login.

- mdf

On 5/3/07, Raimo Niskanen [EMAIL PROTECTED] wrote:
> Beautiful! Thanks a lot!
>
> But, which FM should I R? I have searched high and low, alas apparently not
> right.
>
> [...]
>
> -- 
> / Raimo Niskanen, Erlang/OTP, Ericsson AB

-- 
Matthew Franz
http://www.threatmind.net/
Re: 4.1-stable compile fails
Some people mailed about it as "4.1 disklable compile issues"

-- 
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Haag
Sent: Thursday, May 03, 2007 5:16 PM
To: misc@openbsd.org
Subject: 4.1-stable compile fails

Did a "cvs up -rOPENBSD_4_1" against rt.fm, started a build and got the error
below. Anyone else seeing this or did I mess up my source tree? editor.c does
not exist in the reference directory, but the Makefile refers to it.
Re-running a "cvs up -rOPENBSD_4_1" doesn't add the file.

[...]
Re: 4.1-stable compile fails
On 5/3/07, Jason Haag [EMAIL PROTECTED] wrote:
> Did a "cvs up -rOPENBSD_4_1" against rt.fm, started a build and got the
> error below. Anyone else seeing this or did I mess up my source tree?
> editor.c does not exist in the reference directory, but the Makefile refers
> to it. Re-running a "cvs up -rOPENBSD_4_1" doesn't add the file.
>
> [...]
>
> ===> sbin/disklabel
> make: don't know how to make editor.c. Stop in /usr/src/sbin/disklabel.
> *** Error code 2
>
> [...]

I have been getting exactly the same error trying to track 4.1 STABLE and 4.0
STABLE on my amd64 machine. I have tried several different mirrors with no
luck. I don't know how to fix the problem, but you are not alone.

-- 
Sean Malloy
Registered GNU/Linux User #417855
www.catgrepsort.com
Re: : : HP ProLiant DL140 G3 problems
Hello Raimo,

Wednesday, May 2, 2007, 9:52:40 AM, you wrote:

RN> Sorry, I can't make it work. For a DL140 G3 (or rather now a DL145 G3).
RN> I remember seeing something like that on a DL380, though.
RN> telnet machine gives a weird prompt /./ that has no help and only
RN> responds with command errors. There is also a HTTP server running
RN> at the address. But not ssh.

RN> On Sat, Apr 28, 2007 at 10:46:45PM -0400, Steve Shockley wrote:
>> Darth Lists wrote:
>>> Honestly, it blows big-time compared to a real serial console since it
>>> has a more or less useless scroll-back buffer.
>>
>> You can ssh in to the ILO IP address and get console redirection. You
>> can even redirect the serial console to the ILO ssh after POST if you
>> want.

I believe you need at least iLO Select license to activate ssh and ssl, and
DL100/DL300 are coming by default with just iLO Standard.

BTW, why don't you call HP and ask them these questions?

-- 
Best regards,
 Boris                            mailto:[EMAIL PROTECTED]
Re: 4.1-stable compile fails
> I have been getting exactly the same error trying to track 4.1 STABLE and
> 4.0 STABLE on my amd64 machine. I have tried several different mirrors
> with no luck. I don't know how to fix the problem, but you are not alone.

I have been pointed to a thread on -tech:

http://marc.info/?l=openbsd-tech&m=117816265602086&w=2

According to the linked post above, using anoncvs.usa.openbsd.org will work.
Haven't tried it yet, though.

-Jason
Re: 4.1-stable compile fails
On Thu, May 03, 2007 at 10:41:32AM -0500, Sean Malloy wrote:
> I have been getting exactly the same error trying to track 4.1 STABLE and
> 4.0 STABLE on my amd64 machine. I have tried several different mirrors
> with no luck. I don't know how to fix the problem, but you are not alone.
>
> -- 
> Sean Malloy
> Registered GNU/Linux User #417855
> www.catgrepsort.com

I had the same issue yesterday. I was able to use anoncvs.usa.openbsd.org to
restore editor.c. Also there is my posting on tech@, where someone posted some
links where you might be able to get the files from cvsweb. Might be worth
checking out.
Re: pf - drop or return - is stealth mode overrated?
* Kian Mohageri [EMAIL PROTECTED] [2007-05-02 21:52]:
> Henning Brauer wrote:
>> * Chris Smith [EMAIL PROTECTED] [2007-04-25 00:42]:
>>> Using openbsd as a firewall in several cases - a few small businesses,
>>> and also for home use. Some websites, such as grc.com, stress that
>>> "stealth mode" (which openbsd handles with ease) is the safest. But I've
>>> also read that using 'return' instead of 'drop' is good netizenship. So
>>> I'm wondering how others are handling this and what recommendations you
>>> might have.
>>
>> stealth mode is totally overrated.
>
> For my clarification, are we talking about "stealth mode" as in dropping
> everything (including pings) from untrusted hosts, or the default
> block-policy (drop vs. return)?

the latter, drop. the former is not overrated. it is incredibly stupid.

> Based on this discussion, I'm trying to decide if I want to change our
> firewall block-policy to 'return' even though we already allow ping and
> 'return' traffic to the firewalls themselves so things like traceroute can
> work.

being a nice net citizen you return an RST/icmp when you block sth.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: 4.1-stable compile fails
Using the mirror anoncvs.usa.openbsd.org fixed the problem. Thanks.
4.1 Packages Page
http://www.openbsd.org/4.1_packages/

Gets a 404 error.

http://www.openbsd.org/4.0_packages/

Works fine.

Link found on: http://openbsd.org/faq/faq15.html
Re: CARP, carpdemote and kernel routing table
Hi,

I have a very similar issue and I'm working on a solution with the ifstated
daemon. You have to remove the route from the routing table when a carp
interface goes init or backup. Like that, the OSPF daemon will be able to add
its route to the routing table. When a CARP interface comes back as Master, the
new route from CARP is automatically added to the routing table and replaces
the old OSPF route.

Right now my script works well if I start everything in the good order ;) I
have to add some tests/verification in it to make it more stable. I will post
my script on this mailing list when I have time to finish it (probably in a
few days).

François Rousseau

2007/5/2, Falk Brockerhoff [EMAIL PROTECTED]:
> Claudio Jeker wrote:
>> Most people use carp on both sides of the firewall and then preemption
>> will take care of making the backup system invisible to the network. If
>> you are using carp with ospfd you need at the moment dedicated carp boxes
>> that connect to your ospf cloud. The carp backup router will not announce
>> the network and so no traffic will flow in his direction. This is not
>> optimal I know.
>
> Ah ok, thank you for your explanation!
>
>> I hope we can finally fix this at the upcoming c2k7
>
> On the website there aren't any information about the upcoming c2k7 - can
> you tell me a spotted month? In another posting you wrote "A spare brain,
> lot of beer, drugs and time." - let me know where to deliver a box of your
> favorite beer ;-)
>
> Regards,
> Falk
Dual-port Gigabit SX NICs?
I have a need to set up a sniffer based off NetOptics Fiber tap, collecting
data from two different segments (so four interfaces total), with a total of
around 800Mbps receive traffic, zero transmit.

This would be our first foray into Fiber NICs on OpenBSD, looking for
recommendations for an affordable, reliable dual 1000baseSX NICs with good
OpenBSD support.

Reading Mark Kettenis's O'Reilly interview for 4.0, I see that
Marvell/SysKonnect is uncooperative and buggy.

We mostly use Intel's Pro/1000 Quad cards for copper GigE, so I could go with
the very expensive Intel PWLA8492MF, but at $750/each, the Intel card doesn't
meet the affordable part of my criteria.

Thanks,
Kevin
Re: Redundant Firewalls, CARP + IPSEC + SASYNCD
Ok that setup is similar to what I have and I do have carp interfaces on both
sides of the firewall. I was able to configure sasyncd but when running
"netstat -rnf encap" I was not able to see any of the flows on the slave
machine, but then I realized or thought that it was because the ISAKMPD
session was not established on the slave machine.

If you're trying to establish the ISAKMPD session from the slave box which
does not have control of the active carp interface, how is the ISAKMPD/IPSEC
connection established? Doesn't it need to be established for sasyncd to know
about the SAs? Or upon failover does the session then get established on the
fly?

Do you use isakmpd.conf or ipsec.conf to control your flows?

Thanks.

On 5/2/07, Dag Richards [EMAIL PROTECTED] wrote:
> [...]
>
> What I have been doing is setting up the VPNs between the sites using the
> carp addrs. sasync follows the state of the carp interface so you should
> get
>
> [...]
>
> A "netstat -rnf encap" run on a and c should look the same and y and z
> should as well. Packets will only be forwarded down the tunnel by the
> machine who is carp master of either end. You will probably want to have
> internal carp ifaces as well, as seen on boxes y and z.
Re: vmware vmxnet driver (vic) error
On Thu, May 03, 2007 at 08:01:53PM +0200, Bert Koelewijn wrote:
> Is anybody successfully using the vmxnet network driver (vic)?

yes, i was using it with esx and the freeware vmware server. time to test it
again...

> With various VMWare Server 1.0+ versions and host operating systems I'm
> experiencing the following problem:
>
> vm_fault(0xd5fd9298, 0x0, 0, 3) -> e
> kernel: page fault trap, code=0
> Stopped at _bus_dmamap_load_mbuf+0xf: movl $0,0x18(%esi)

yuck

do you get the ddb> prompt to enter a 'trace' command?

> -Bert
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet 127.0.0.1 netmask 0xff00
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:0c:29:07:b9:ae
>         groups: egress
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.2.30 netmask 0xff00 broadcast 192.168.2.255
>         inet6 fe80::20c:29ff:fe07:b9ae%vic0 prefixlen 64 scopeid 0x1
> pflog0: flags=0<> mtu 33224
> enc0: flags=0<> mtu 1536
>
> OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
> [...]
Re: Redundant Firewalls, CARP + IPSEC + SASYNCD
[EMAIL PROTECTED] wrote:
> Ok that setup is similar to what I have and I do have carp interfaces on both sides of the firewall. I was able to configure sasyncd but when running netstat -rnf encap was not able to see any of the flows on the slave machine, but then I realized or thought that it was because the ISAKMPD session was not established on the slave machine.

I do not understand your terms here, "ISAKMPD session".

> If you're trying to establish the ISAKMPD session from the slave box which does not have control of the active carp interface, how is the ISAKMPD/IPSEC connection established? Doesn't it need to be established for sasyncd to know about the SA's? or upon failover does the session then get established on the fly? Do you use isakmpd.conf or ipsec.conf to control your flows?

I use isakmpd.conf, though it seems to be deprecated and so really should be moving over to ipsec.conf.

I have a dedicated NIC on each machine with a x-over cable to carry the sasync and pfsync traffic, you can use an ipsec tunnel for this though I found it to fail occasionally.

Run isakmpd on both hosts with the listen addr being that of the carp iface and you should see SPI's propagated from the active server to the second.

off to lunch now, if this does not clear things up sufficiently you should consider posting ifconfigs, sasyncd.conf, isakmpd.conf and maybe some dumps ... maybe one of the smart people will help us then.

> Thanks.
>
> On 5/2/07, Dag Richards wrote:
>> [EMAIL PROTECTED] wrote:
>>> I have a redundant firewall setup with carp interfaces on both sides of the firewall. I have a mirror of this setup in a 2nd location. Now I'm a little confused on how to set up the VPN. Do I use 1) the physical interfaces between the peers or 2) do I use the carp interface as the peers or 3) do I use both the physical and carp interfaces as the peers.
>>>
>>> When trying to setup sasyncd in this sort of environment I can't get the slave firewall to establish an IKE session because of the ips of the peers. Can anyone give me any insight into this?
>>
>> What I have been doing is setting up the VPNs between the sites using the carp addrs. sasync follows the state of the carp interface so you should get
>>
>>     box a ---                      --- box y ---
>>              \                    /\             \
>>               carp0 --- vpn --- carp0             carp1 --- internal nets
>>              /                    \/             /
>>     box c ---                      --- box z ---
>>
>> a netstat -rnf encap run on a and c should look the same and y and z should as well. Packets will only be forwarded down the tunnel by the machine who is carp master of either end. You will probably want to have internal carp ifaces as well, as seen on boxes y and z.
BGP + Multiple Providers + Redundant Firewalls
Any recommendations on running BGP on redundant firewalls to multiple providers advertising the same network thru both links, and talking iBGP with the other firewall? Just asking because I ran into a problem with this scenario when traffic would enter 1 host, traverse the iBGP crossover link and then exit the 2nd host, and return traffic would come back in thru the 1st host. There was a mismatch of the states that seemed to cause my problems. Here's how I was set up.

Problem Scenario:

            box-a ------ Provider-A
           /  |
      carp0   |
           \  |
            box-b ------ Provider-B

Solution:

Box-A and Box-B are my redundant firewalls running pfsync between the dedicated link. Box-C and Box-D are just T1 routers running BGP. The routers route to carp1 on the firewalls and the firewalls route to carp0 on the routers. Box-C and Box-D run iBGP between their dedicated link to share routes to external networks. The multiple providers are for both redundancy and aggregate bandwidth. Running BGP in an active/backup scenario based on who has the carp0 interface isn't an option because of the necessity of the aggregate bandwidth. This solution works fine for us but we really wanted to run on two boxes. I believe the only problem we have now is with BGP Convergence. If anyone has any tips on how to minimize this when I reboot box-c or box-d that would be great. If anyone has comments, recommendations, adjustments, tips on our setup please do share.

            box-a ---- switch ---- box-c ---- Provider-A
           /  |\         |        /|
      carp0   | carp1    |   carp0 |
           \  |/         |        \|
            box-b ---- switch ---- box-d ---- Provider-B
anyone working on packages for landisk?
Hello list,

Is anyone working on packages for the landisk platform? If so, what packages are on your priority list?

There was this quote from Diana which leads me to think this is not just a matter of building them for this arch:

===quoth Diana===
In my opinion the only thing needed to make the landisk platform really versatile is shared lib support, which is required for a lot of packages.

/Jason
Re: anyone working on packages for landisk?
> Is anyone working on packages for the landisk platform? If so, what packages are on your priority list?

They are there in 4.1/packages/sh/

    autobook-1.5.tgz                 libltdl-1.5.22p1.tgz
    autoconf-2.13p0.tgz              libogg-1.1.3.tgz
    autoconf-2.52p1.tgz              libtheora-1.0alpha7.tgz
    autoconf-2.57p0.tgz              libtool-1.5.22p8.tgz
    autoconf-2.59p1.tgz              libungif-4.1.4p0.tgz
    automake-1.4.6.tgz               links+-2.1pre26-no_x11.tgz
    automake-1.8.5p1.tgz             mergemaster-1.46p2.tgz
    automake-1.9.6p1.tgz             metaauto-0.7.tgz
    bash-3.2.tgz                     mutt-1.4.2.2i.tgz
    bsd-airtools-0.2p2.tgz           openmotif-2.1.30.5p2.tgz
    bzip2-1.0.4.tgz                  openmotif-debuglibs-2.1.30.5p0.tgz
    cdparanoia-3.a9.8p0.tgz          openmotif-demos-2.1.30.5p0.tgz
    curl-7.16.0.tgz                  png-1.2.14p0.tgz
    epic4-2.4.tgz                    procmail-3.22p1.tgz
    expat-2.0.0.tgz                  rsync-2.6.9.tgz
    fetchmail-6.3.6.tgz              rtunes-0.6p0.tgz
    gettext-0.14.6.tgz               screen-4.0.3p0.tgz
    gmake-3.80p1.tgz                 speex-1.0.5p0.tgz
    gnupg-1.4.6.tgz                  stunnel-4.20.tgz
    gtar-1.16.1.tgz                  t1lib-5.1.0p0.tgz
    help2man-1.29.tgz                tcpflow-0.21p0.tgz
    hping-2.0.0rc3p0.tgz             tcsh-6.14.00p1.tgz
    id-utils-3.2dp0.tgz              unzip-5.52.tgz
    index.txt                        vim-7.0.178-no_x11.tgz
    ircII-20040820.tgz               vim-lang-7.0.178-no_x11.tgz
    jpeg-6bp3.tgz                    zsh-4.2.6p2.tgz
    libiconv-1.9.2p3.tgz

Not very many, but maybe more next release. 'sh' is of course the cpu architecture for the landisk.
Re: Redundant Firewalls, CARP + IPSEC + SASYNCD
I mean Phase 1 of the IPSEC connection by ISAKMPD session. Hmm sounds like I'm on the right track but I'm definitely missing something. Maybe I had some misconfigurations somewhere. I'll have to try again and see how it goes. If I still have problems I will post the configs. Thanks for the help.

On 5/3/07, Dag Richards wrote:
> I do not understand your terms here, "ISAKMPD session".
> [...]
> Run isakmpd on both hosts with the listen addr being that of the carp iface and you should see SPI's propagated from the active server to the second.
Re: ntpd use dhclient ntp-servers
Maurice Janssen wrote:
> On Thursday, May 3, 2007 at 00:23:00 +0200, Tom Van Looy wrote:
>> Hi,
>>
>> I wanted to let my ntp client use the servers it receives from the dhcp server (3.0 from packages). I made it working like this: I added ntp-servers to /etc/dhclient.conf, and the following function to the /sbin/dhclient-script script:
>>
>>     add_new_ntp() {
>>         if [ -n "$new_ntp_servers" ]; then
>>             sed '/^server/d' /etc/ntpd.conf > /etc/ntpd.conf.new
>>             for address in $new_ntp_servers; do
>>                 echo "server $address" >> /etc/ntpd.conf.new
>>             done
>>             mv /etc/ntpd.conf.new /etc/ntpd.conf
>>             pkill -KILL ntpd
>>             ntpd
>>         fi
>>     }
>>
>> I use add_new_ntp after add_new_routes in BOUND|RENEW|REBIND|REBOOT)
>>
>> Is this the right way to do let ntp use dhclient? And, is what I did in add_new_ntp() the best way to do it?
>
> I'm not sure if it is wise to restart ntpd each time your dhcp lease is renewed. ntpd needs some time to settle and this will interrupt this process again and again.
>
> Maurice

You could be right. I changed it to only do it on REBOOT now.

Any idea about the DHCPACK from 127.0.0.1? That's still strange.
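A hardened variant of the add_new_ntp() hook quoted above, added here as an example (it is not Tom's code and not part of the thread): it validates the DHCP-supplied tokens before writing them into a root-owned config, replaces the file atomically, and reports whether the server set changed so that ntpd is restarted only then, which also covers Maurice's point about renewals. NTP_CONF, restart_ntpd and the return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the code from the thread: a safer add_new_ntp() for
# /sbin/dhclient-script.  $new_ntp_servers is what dhclient exports for the
# ntp-servers option (DHCP option 42, a list of IPv4 addresses).

# valid_ntp_server TOKEN -> 0 if TOKEN looks like a dotted-quad or a plain
# hostname.  Anything with shell or config metacharacters is rejected: the
# DHCP server is untrusted input, and the result ends up in a config file
# parsed by a privileged daemon.
valid_ntp_server() {
    case "$1" in
        "")               return 1 ;;   # empty
        *[!A-Za-z0-9.-]*) return 1 ;;   # only hostname/IPv4 characters
        -*|.*|*.)         return 1 ;;   # no leading dash, no leading/trailing dot
    esac
    return 0
}

# rewrite_ntp_servers CONF "SERVER ..." -> rewrites CONF so that its
# "server" lines are exactly the given servers; every other line (listen on,
# servers <pool>, sensors, ...) is kept.  Returns 0 when CONF changed,
# 3 when it already listed the same servers, 1 on a rejected token.
rewrite_ntp_servers() {
    conf=$1
    servers=$2
    for s in $servers; do
        valid_ntp_server "$s" || {
            echo "add_new_ntp: rejecting ntp server token '$s'" >&2
            return 1
        }
    done
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    {
        # drop old "server x" lines only; "servers pool" lines survive
        grep -v '^[[:space:]]*server[[:space:]]' "$conf" 2>/dev/null || true
        for s in $servers; do
            echo "server $s"
        done
    } > "$tmp"
    if [ -f "$conf" ] && cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        return 3
    fi
    chmod 0644 "$tmp"   # mktemp creates 0600; ntpd.conf is normally world-readable
    mv "$tmp" "$conf"   # atomic replace: ntpd never reads a half-written file
    return 0
}

# restart_ntpd: plain SIGTERM, not SIGKILL, so ntpd can exit cleanly.
restart_ntpd() {
    pkill ntpd
    ntpd
}

# add_new_ntp: the hook itself.  Call it from the BOUND|RENEW|REBIND|REBOOT
# case after add_new_routes, as in the post; NTP_CONF defaults to
# /etc/ntpd.conf and is only overridden for testing.
add_new_ntp() {
    [ -n "$new_ntp_servers" ] || return 0     # quoted test; the posted one was not
    rc=0
    rewrite_ntp_servers "${NTP_CONF:-/etc/ntpd.conf}" "$new_ntp_servers" || rc=$?
    case $rc in
        0) restart_ntpd ;;   # server set changed: a restart is warranted
        3) ;;                # same servers as before: leave ntpd settling
        *) return 1 ;;       # bad input: keep the old config, no restart
    esac
    return 0
}
```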
pf weird effect
Hi,

Now it's time to play with pf. I got some weird trouble on pass ssh connections.. here is my pf.conf

    # NICs
    ext_if="rl1"
    int_if="rl2"
    pf_if="rl0"

    allow_ports_out="{ 80, 110, 143 }"
    allow_proto_out="{ tcp, udp, icmp }"
    allow_proto_in="{ tcp, udp }"

    table <blocked_ips> persist file "/etc/blocked.conf"
    table <lan_hosts> persist file "/etc/lan.conf"

    scrub out on $ext_if all random-id

    rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $ssh_ext_m2 -> 192.168.0.2 port $ssh_int_m2
    rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $http_ext_2 -> 192.168.0.2 port $http_int_2
    rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $http_ext_m2 -> 192.168.0.3 port $http_int_m2

    nat on $ext_if from <lan_hosts> to any -> ($ext_if)

    pass out on $pf_if proto carp keep state
    pass on $pf_if proto pfsync

    block drop in quick on $ext_if from <blocked_ips>

    antispoof for $ext_if
    antispoof for $int_if

    #block in on $ext_if all
    block in all

    pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state
    pass out on $ext_if proto tcp from <lan_hosts> to any flags S/SA modulate state
    pass out on $ext_if proto udp from <lan_hosts> to any keep state

It's a very simple pf.conf.. only for play.

My trouble comes when I try to connect via ssh through int_if (my lan). If I use the "block in all" rule and

    pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port $ssh_mer flags S/SA modulate state

I can't connect to ssh. If I change "block in all" to "block in on $ext_if all" then I can connect to the host. With "block in all" and if I take off port 22 from the previous rule (so the rule will be: pass in on $int_if proto tcp from <lan_hosts> to ($int_if) flags S/SA modulate state) then again I can connect from the lan to the host via ssh.

More schematic:

I can't connect:

    block in all
    pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state

I can connect:

    block in on $ext_if all
    pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state

I can connect:

    block in on $ext_if all
    pass in on $int_if proto tcp from <lan_hosts> to ($int_if) flags S/SA modulate state

I can't find why, any help? What am I doing bad?

Thanks once again you all,
Tang
Wap browser
Hi list,

Is there any wap browser for openbsd?? Because I'm trying to use the Openwave emulator using WINE, however I get this error:

    $ wine Openwave_SDK_622.exe
    fixme:win32:PE_LoadImage Need to relocate F:\OPEN~EPB.EXE, but no relocation records present (stripped during link).
    wine: can't exec 'Openwave_SDK_622.exe': error=0
    wine: no executable file found.

Any help??? I don't care if I have to use wine, or one browser or any other tool, I just need to see the result of my developments in XHTML.

Thanks to all
Re: Wap browser
Maybe you could try wApua, written in Perl.

Br,
./nelson -murilo

On Thu, May 03, 2007 at 03:21:45PM -0500, Rafael Morales wrote:
> Hi list,
> Is there any wap browser for openbsd??
Re: 4.1-stable build fails for sparc64
On Monday, April 30, 2007 at 11:45:05 +0200, Maurice Janssen wrote:
> Hi,
>
> I'm trying to build a release(8) of 4.1-stable for a couple of architectures. I installed 4.1-release from the CD on i386, sparc and sparc64. I untarred the src.tar.gz from the CD on an NFS server (also running 4.1-release) and updated the cvs tree through anoncvs (cvs -qd [EMAIL PROTECTED]:/cvs up -rOPENBSD_4_1 -Pd). So far so good.
>
> The updated /usr/src is mounted as nfs mount on the three systems that I'm building the release on. Compiling the kernel worked fine for all three systems. 'make build' failed on sparc64, but it worked fine for i386. sparc is still compiling, but it passed the point where sparc64 failed.
>
> The build for sparc64 failed somewhere in gnu/usr.bin/binutils (see below, dmesg also below). Any ideas what's going wrong?

In my original attempt, /usr/obj was also an NFS mount. Today I tried again with /usr/obj on a local filesystem and the build finished without a problem. Very strange. Builds for sparc and i386 work fine when /usr/obj is NFS mounted.

Should /usr/obj always be on a local filesystem or is something else going on?

Maurice
Re: Wap browser
You should try the firefox wml browser extension. wap 2.0 is just xhtml so any browser should work fine... Always test on your mobile device ;p :)

hope this helps.

On 5/3/07, Rafael Morales wrote:
> Hi list,
> Is there any wap browser for openbsd?? Because I'm trying to use the Openwave emulator using WINE, however I get this error:
> [...]
Re: openbsd 4.0 server, new setup, getting panics
> The symptoms you describe sound like classic hardware problems, however, I see a couple things worthy of note in your dmesg:
>
>> OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
>>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>> cpu0: AMD Duron(tm) Processor ("AuthenticAMD" 686-class, 64KB L2 cache) 1.61 GHz
>> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
>
> No idea why, but I've seen a number of AMD systems of that vintage which were temperamental about their RAM. Wasn't that the RAM was bad...but the system bus timing was off in some way. Curiously, these machines had more-than-usual amounts of clock speed control, and they seemed to settle down by cranking down the clock speed a tad. You won't miss it, really.

I have set the front side bus to be 200, instead of 266 and am re-running the memory tests. I was still getting errors after decreasing the fsb speed. I modified the bios as follows:

- sdram timing by spd enabled
- auto detect pci clock enabled
- clk spread spectrum enabled

I retested the memory, ran it overnight using memtest86+. No errors. I don't know which of the above fixed the problem. However, it is not causing any memory errors now.

Thanks so much for the pointers.

JohnM

-- 
john mendenhall
[EMAIL PROTECTED]
surf utopia
internet services
new openbsd 4.0 server, panic on ufsdirhash
I am attempting to get the source copied from the cd to /usr/src. I ran the tar command to extract the source from the cd. The system panicked after a minute or two. After this, I rebooted. When it came up, I went to the src dir to see what was there. I tried removing the partial set of files. It panicked after just a short time.

The dmesg is at the bottom. Does this indicate I have a bad drive? Or, does it just need fsck run on it? I just installed openbsd 4.0 on this box a few days ago. It rebuilt the file systems from scratch. Do I need to redo everything? Or, do I need to start looking at hardware problems with the drive or the motherboard?

Please let me know the next step to run that will help me get to a stable system.

Thanks!

JohnM

- panic #1: -

    panic: kernel diagnostic assertion "(dirblock < dh->dh_nblk && dh->dh_blkfree[dirblock] >= (((slotneeded) + ((4) - 1)) / (4)))" failed: file "/usr/src/sys/ufs/ufs/ufs_dirhash.c", line 510
    Stopped at      Debugger+0x4:   leave
    RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
    DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
    ddb>
    Debugger(40,e9e27b88,e9e27b70,3,d6a8d690) at Debugger+0x4
    panic(d0660c40,d06305f7,d0675ea0,d0675e20,1fe) at panic+0x63
    tablefull(d06305f7,d0675e20,1fe,d0675ea0,d07172c0) at tablefull
    ufsdirhash_findfree(d6a8d690,18,e9e27c3c,e9e27e3c) at ufsdirhash_findfree+0x94
    ufs_lookup(e9e27c68,e9e27e3c,e9e27c80,d035162e,d0717180) at ufs_lookup+0x18e
    VOP_LOOKUP(d6a8c444,e9e27e28,e9e27e3c,20) at VOP_LOOKUP+0x2e
    lookup(e9e27e18,d6c02c00,400,e9e27e30) at lookup+0x1d0
    namei(e9e27e18,d1167310,e9e27d60,1e4940) at namei+0x180
    vn_open(e9e27e18,e02,1a4,d6b2bcb0) at vn_open+0x7b
    sys_open(d6b2bcb0,e9e27f68,e9e27f58,0,0) at sys_open+0xdb
    syscall() at syscall+0x2ea
    --- syscall (number 5) ---
    0x1c00e3e1:
    ddb>
       PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
     30524  14560  14560      0  3      0x4086  pipewr     gzip
    *14560  16456  14560      0  7      0x4006             tar
     16456  14200  16456   1000  3      0x4086  pause      csh
     14200  14618  14618   1000  3       0x184  select     sshd
     14618  19009  14618      0  3      0x4084  netio      sshd
      4633      1   4633      0  3      0x4086  ttyin      getty
     11447      1  11447      0  3      0x4086  ttyin      getty
     18246      1  18246      0  3      0x4086  ttyin      getty
     22102      1  22102      0  3      0x4086  ttyin      getty
     11015      1  11015      0  3      0x4086  ttyin      getty
     27803      1  27803      0  3        0x84  select     cron
     26298      1  26298      0  3     0x40184  select     sendmail
     19009      1  19009      0  3        0x84  select     sshd
     12832      1  12832      0  3       0x184  select     inetd
     10395  26437  26437     83  3       0x184  poll       ntpd
     26437      1  26437      0  3        0x84  poll       ntpd
      1666   2020   2020     73  3       0x184  poll       syslogd
      2020      1   2020      0  3        0x8c  netio      syslogd
        13      0      0      0  3    0x100204  crypto_wa  crypto
        12      0      0      0  3    0x100204  aiodoned   aiodoned
        11      0      0      0  3    0x100204  syncer     update
        10      0      0      0  3    0x100204  cleaner    cleaner
         9      0      0      0  3    0x100204  reaper     reaper
         8      0      0      0  3    0x100204  pgdaemon   pagedaemon
         7      0      0      0  3    0x100204  pftm       pfpurge
         6      0      0      0  3    0x100204  wait       wskbd_hotkey
         5      0      0      0  3    0x100204  usbtsk     usbtask
         4      0      0      0  3    0x100204  usbevt     usb0
         3      0      0      0  3    0x100204  apmev      apm0
         2      0      0      0  3    0x100204  kmalloc    kmthread
         1      0      1      0  3      0x4084  wait       init
         0     -1      0      0  3     0x80204  scheduler  swapper

- panic #2: -

    WARNING: / was not properly unmounted
    panic: ufsdirhash_findslot: 'crash66.C' not found
    Stopped at      Debugger+0x4:   leave
    RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
    DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
    ddb>
    Debugger(d6c53118,0,2000,d12e4220,400) at Debugger+0x4
    panic(d0676280,9,ddafa748,d12e4220,7ff) at panic+0x63
    ufsdirhash_delslot(d12e5c00,ddafa748,9,740,d6b99b38) at ufsdirhash_delslot
    ufsdirhash_remove(d6b99d30,ddafa740,740,d12e5c00) at ufsdirhash_remove+0x3c
    ufs_dirremove(d6b9f1d4,d6b99b38,800c,0) at ufs_dirremove+0x6b
    ufs_remove(e9e27e88,d6b9f30c,d6b309e0,d6c141e0,d0717580) at ufs_remove+0x9b
    VOP_REMOVE(d6b9f1d4,d6b9f30c,e9e27edc,2) at VOP_REMOVE+0x2e
    sys_unlink(d6b309e0,e9e27f68,e9e27f58,b,252) at sys_unlink+0x80
    syscall() at syscall+0x2ea
    --- syscall (number 10) ---
    0x1c007f95:
    ddb>
    syncing disks... 31 28 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 giving up
    rebooting...

- dmesg: -

    OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: AMD
DJBDNS woes
So, I recently installed daemontools, ucspi and djbdns. But, to my demise, after compiling the source and configuring the system, I've found that the directory /service/tinydns/root does not exist! Has anyone experienced a similar problem?
Re: DJBDNS woes
You need to read the directions a bit closer, like this part:
http://cr.yp.to/djbdns/run-server.html

Bray Mailloux ([EMAIL PROTECTED]) @ Thu, May 03, 2007 at 05:33:25PM -0700:
> So, I recently installed daemontools, ucspi and djbdns. But, to my demise, after compiling the source and configuring the system, I've found that the directory /service/tinydns/root does not exist! Has anyone experienced a similar problem?

-- 
~Allie D.
Sex is a natural bodily process, like a stroke.
Spamd Q
I've just upgraded my firewall to 4.1. The firewall runs spamd, and redirects connections (that don't go to spamd) to a server behind the firewall. I modified my pf.conf per the sample in the spamd(8) man page. It's a couple of days later, and suddenly I realize that I'm only getting mail that's explicitly in my whitelist, from this rule:

    rdr on $ext_cable proto tcp from <spamd-mywhite> to port smtp -> $mail port 25

I'm thinking my problem is the "no rdr" rule, maybe that's preventing the smtp connections from getting redirected. Here's all my smtp-related rdr rules:

    rdr on $ext_cable proto tcp from <spamd-mywhite> to port smtp -> $mail port 25
    no rdr on $ext_cable proto tcp from <spamd-white> to any port smtp
    rdr pass on $ext_cable proto tcp from any to any port smtp -> 127.0.0.1 port spamd
    # Send smtp to mail server
    rdr on $ext_cable inet proto tcp from any to any port 25 -> $mail port 25

So, what's my best solution? Would changing the "no rdr" to a "rdr -> $mail" do what I want, or would I be better off moving spamd to my mail server?
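The rdr evaluation order this question turns on, as an added example (not from the thread): a small shell walk of the four posted rules in pf's first-match translation order, run once for the posted ruleset and once for the change the poster is weighing. The value of $mail, the firewall's external address, the table contents and the sender addresses are constructed; the table names are the ones in the rules.

```shell
#!/bin/sh
# Added example, not from the thread: walks the four smtp rdr rules from the
# post in the order pf evaluates translation rules, which is first-match
# (the first rule whose selector fits the connection wins; a matching
# "no rdr" means "leave the destination as it is").  Addresses, the value
# of $mail and the table contents are constructed for the demo.

MAIL=192.168.1.25                               # stands in for $mail
FW_EXT=192.0.2.1                                # the firewall's own $ext_cable address
TABLE_SPAMD_MYWHITE="203.0.113.10"              # <spamd-mywhite>, maintained by hand
TABLE_SPAMD_WHITE="198.51.100.7 198.51.100.8"   # <spamd-white>, filled by spamd greylisting

# Rulesets: one rule per line, "SELECTOR ACTION TARGET".  SELECTOR is a
# table name or any; ACTION is rdr or no-rdr ("rdr pass" translates exactly
# like rdr; the pass only skips the filter rules afterwards).
RULES_POSTED="
spamd-mywhite rdr    $MAIL:25
spamd-white   no-rdr -
any           rdr    127.0.0.1:spamd
any           rdr    $MAIL:25
"
# The change the poster is considering: "no rdr" becomes "rdr -> \$mail".
RULES_PROPOSED="
spamd-mywhite rdr    $MAIL:25
spamd-white   rdr    $MAIL:25
any           rdr    127.0.0.1:spamd
any           rdr    $MAIL:25
"

# in_table ADDR "LIST" -> 0 if ADDR is one of the words in LIST
in_table() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# selector_matches SELECTOR SRC -> 0 if a port-25 connection from SRC fits
selector_matches() {
    case $1 in
        any)           return 0 ;;
        spamd-mywhite) in_table "$2" "$TABLE_SPAMD_MYWHITE" ;;
        spamd-white)   in_table "$2" "$TABLE_SPAMD_WHITE" ;;
        *)             return 1 ;;
    esac
}

# smtp_destination SRC RULESET -> prints where an inbound smtp connection
# from SRC is delivered under RULESET: the rdr target, or the firewall's own
# port 25 when a "no rdr" rule matched first (or when nothing matched).
smtp_destination() {
    src=$1
    while read -r sel action target; do
        [ -n "$sel" ] || continue                 # skip blank lines
        selector_matches "$sel" "$src" || continue
        if [ "$action" = no-rdr ]; then
            echo "$FW_EXT:25 (untranslated)"
        else
            echo "$target"
        fi
        return 0                                  # first match decides
    done <<EOF
$2
EOF
    echo "$FW_EXT:25 (untranslated)"
}

# Walk a few constructed senders through both rulesets: one from
# <spamd-mywhite>, one that spamd has auto-whitelisted, one unknown host.
demo() {
    for src in 203.0.113.10 198.51.100.7 192.0.2.200; do
        printf '%-15s posted: %-30s proposed: %s\n' "$src" \
            "$(smtp_destination "$src" "$RULES_POSTED")" \
            "$(smtp_destination "$src" "$RULES_PROPOSED")"
    done
}
demo
```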
Re: another dumb vlan question
On 5/2/07, Matiss Miglans wrote:
> Hi
>
> Scenario 1 will be right. Don't mix there normal ethernet with vlan's.
>
> Jonathan Whiteman wrote:
>> Lets say I'm setting up vlan devices so that 4 completely separate subnets' gateways can share the same ethernet port on the router. Is it more appropriate to give the physical device itself an ip address and then create 3 vlan devices, or to give the physical device no ip address at all and create 4 vlan devices? Or? The basic functionality of vlan devices seems straightforward enough. I imagined starting with one of the following two configurations but the man pages referenced from the openbsd faq did not clarify this point for me. Any advice is appreciated,
>>
>> ~jon
>>
>> -- scenario 1 --
>> hostname.dc0:   up
>> hostname.vlan0: inet 172.17.1.1 255.255.255.0 172.17.1.255 vlan 512 vlandev dc0 vlanprio 1
>> hostname.vlan1: inet 172.17.2.1 255.255.255.0 172.17.2.255 vlan 513 vlandev dc0 vlanprio 2
>> hostname.vlan2: inet 172.17.3.1 255.255.255.0 172.17.3.255 vlan 514 vlandev dc0 vlanprio 3
>> hostname.vlan3: inet 172.17.4.1 255.255.255.0 172.17.4.255 vlan 515 vlandev dc0 vlanprio 4
>>
>> -- scenario 2 --
>> hostname.dc0:   inet 172.17.1.1 255.255.255.0 172.17.1.255 vlan 512 vlandev dc0 vlanprio 1
>> hostname.vlan0: inet 172.17.2.1 255.255.255.0 172.17.2.255 vlan 513 vlandev dc0 vlanprio 2
>> hostname.vlan1: inet 172.17.3.1 255.255.255.0 172.17.3.255 vlan 514 vlandev dc0 vlanprio 3
>> hostname.vlan2: inet 172.17.4.1 255.255.255.0 172.17.4.255 vlan 515 vlandev dc0 vlanprio 4

Scenario 1 is the right way. This is my setup, which has 5 physical interfaces, with 4 vlans, using trunk to aggregate the interfaces with round-robin. What I don't understand is why ipv6 addresses are assigned to each physical iface (lack of knowledge on my part I'm sure).
    # ifconfig -a
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
            groups: lo
            inet 127.0.0.1 netmask 0xff00
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
    gem0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
    hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc4%hme0 prefixlen 64 scopeid 0x2
    hme1: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
    hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
    hme3: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc7%hme3 prefixlen 64 scopeid 0x5
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
    pfsync0: flags=0<> mtu 1460
            groups: carp
    enc0: flags=0<> mtu 1536
    trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkproto roundrobin
                    trunkport hme0 active
                    trunkport hme1 active
                    trunkport hme3 active
                    trunkport hme2 active
                    trunkport gem0 master,active
            groups: trunk
            media: Ethernet autoselect
            status: active
            inet6 fe80::203:baff:fe04:b21d%trunk0 prefixlen 64 scopeid 0xa
    vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 10 priority: 0 parent interface: trunk0
            groups: vlan
            inet6 fe80::203:baff:fe04:b21d%vlan10 prefixlen 64 scopeid 0xb
            inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
    vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 2 priority: 0 parent interface: trunk0
            groups: vlan
            inet6 fe80::203:baff:fe04:b21d%vlan2 prefixlen 64 scopeid 0xc
            inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
    vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 3 priority: 0 parent interface: trunk0
            groups:
malo driver
According to http://openbsd.org/i386.html#hardware the Netgear WG511v2 Wireless PC card should work, using the malo driver:

    Marvell Libertas IEEE 802.11b/g CardBus adapters (malo), including:
    (G) Netgear WG511v2

But on a laptop with OpenBSD 4.1, the card was not (apparently) recognized, nor did the malo driver seem to load. This same system recognizes a Netgear MA111 v1 usb wireless adapter, automatically loading the wi driver, and the whole system was installed by network that way, with no wired ethernet connection needed.

So, does the malo driver need to be loaded manually, and is it even on the OpenBSD 4.1 network install cd (from cd41.iso)?
Re: 4.1 Packages Page
On 5/3/07, djgoku wrote:
> http://www.openbsd.org/4.1_packages/
>
> Gets a 404 error.
>
> http://www.openbsd.org/4.0_packages/
>
> Works fine.
>
> Link found on: http://openbsd.org/faq/faq15.html

http://www.openbsd.org/cgi-bin/cvsweb/

Am also having issues with cvsweb. Anyone else?
Re: 4.1 Packages Page
No problems with cvsweb here, but the packages page isn't available.

On 5/4/07, djgoku wrote:
> http://www.openbsd.org/cgi-bin/cvsweb/
>
> Am also having issues with cvsweb. Anyone else?
wpi firmware on amd64 platform
I installed OpenBSD-current on my laptop and downloaded the wpi firmware from http://damien.bergamini.free.fr/packages/openbsd/wpi-firmware-1.13.tgz following the wpi manual. After running pkg_add -v wpi-firmware-1.13.tgz, pkg_add says that the tarball is incompatible. I thought the firmware was not platform-relative, so I ran pkg_add -A i386 -v wpi-firmware-1.13.tgz, and it was ok. When I ran dhclient wpi0, the result was below:

    wpi0: timeout waiting for thermal sensors calibration
    wpi0: timeout waiting for thermal sensors calibration
    wpi0: fatal firmware error

Is there something that I missed? Thanks for any tips!
about spam
Hi, all. My name is tuyosi, a Japanese.

There is little information about spamd, so I barely run spamd in my own fashion. But I do not see whether my way is good or not, so I make questions.

My doing is next:

1) in /etc/services, I add next line

    spamd-sync      8025/udp

2) in /etc/pf.conf, according to 'man pf.conf', I add next lines

    rdr on $ext_if inet proto tcp from <spammers> to port smtp \
        tag SPAMD -> 127.0.0.1 port spamd
    block in on $ext_if
    pass in on $ext_if inet proto tcp tagged SPAMD

3) in /etc/rc.local, I add next lines

    if [ -x /usr/local/bin/spamd ]; then
        echo -n ' ---spamd--- '; /usr/local/bin/spamd -d
    fi

4) in /etc/rc.conf.local

    #spamd_flags=""            # NO  # for normal use: "" and see spamd-setup(8)
    spamd_grey=YES             # NO  # use spamd greylisting if YES
    spamlogd_flags="-i pppoe0" # use eg. "-i interface" and see spamlogd(8)

namely spamd_flags="" has no effect.

and restart openbsd,

    # ps -ax | grep spam
    13425 ??  Is     0:19.82 perl: /usr/local/bin/spamd -d (perl)
    23460 ??  I      0:00.06 perl: spamd child (perl)
     6975 ??  I      0:00.10 perl: spamd child (perl)
     5950 p0  I+     0:00.02 grep spam

where do I see orthodox practice of spamd?
Re: another dumb vlan question
Axton wrote:
> On 5/2/07, Matiss Miglans wrote:
>> Hi
>>
>> Scenario 1 will be right. Don't mix there normal ethernet with vlan's.
>>
>> Jonathan Whiteman wrote:
>>> Lets say I'm setting up vlan devices so that 4 completely separate subnets' gateways can share the same ethernet port on the router. Is it more appropriate to give the physical device itself an ip address and then create 3 vlan devices, or to give the physical device no ip address at all and create 4 vlan devices? Or?

I have a hypothetical question regarding security concerning this setup. Would it be more secure to have 4 physically different interfaces each connected to a single VLAN? I am kind of new to VLANs and I am trying to discern the security issues involved. I was thinking about doing something similar to the OP.

-pachl