Re: Bidirectional translation for DNS and WWW servers

2007-06-06 Thread Greg Thomas

On 6/5/07, Bray Mailloux [EMAIL PROTECTED] wrote:

Misc Users;

I'm having NAT problems; could someone examine my pf file and make some
recommendations?



This is really incomplete.  What are you trying to accomplish?  What
works and what doesn't?  What are the interfaces for your internal,
dmz, and external networks (e.g. ifconfig output)?



PS: My pf.conf file
#Macros

# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24
#DMZ subnet
#Interface
dmz_ip=192.168.1.1
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11
#Normalizing
#scrub in all
table <natclients> { $int_ip, !$scarlett, !$shelly, !$www_ip }

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
nat on rl0 from $scarlett to any -> $pub_scarlett
nat on rl0 from $shelly to any -> $pub_shelly
nat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
#pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
pass out on rl0 proto { tcp, udp, icmp } all modulate state
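The subject line asks for bidirectional translation, but the rules quoted above use nat, which only rewrites traffic leaving the DMZ hosts; nothing in them carries inbound DNS or HTTP for the public addresses back to the servers. What follows is an added illustration, not a ruleset from Bray or from Greg, written with the macros and the rl0 external interface from the post (ext_if is a macro introduced here; the internal and DMZ interface names, which the post does not give, are left for the reader). binat gives each DMZ server a 1:1 mapping that pf translates in both directions, the default block and antispoof lines are left active rather than commented out, and the filter rules are written against the DMZ addresses because pf applies translation before filtering:

```pf
# Added example, not from the original post: 1:1 bidirectional translation
# for the DMZ servers, built on the macros and interface from the post.
ext_if="rl0"
ext_ip="64.142.102.8"
int_block="192.168.0.0/24"
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
www_ip="192.168.1.4"
pub_www="64.142.102.11"

scrub in all

# The internal LAN keeps plain outbound NAT behind the firewall's address.
nat on $ext_if from $int_block to any -> $ext_ip

# Each DMZ server gets a 1:1 mapping. binat translates both directions,
# so inbound packets for a public address are rewritten to the server.
binat on $ext_if from $scarlett to any -> $pub_scarlett
binat on $ext_if from $shelly to any -> $pub_shelly
binat on $ext_if from $www_ip to any -> $pub_www

# Default deny, plus reverse-path check on spoofed sources.
block all
block in quick from urpf-failed

# Translation runs before filtering, so match on the DMZ addresses here.
pass in on $ext_if inet proto { tcp, udp } from any to { $scarlett, $shelly } port domain keep state
pass in on $ext_if inet proto tcp from any to $www_ip port www flags S/SA keep state
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state

# Pass rules on the internal and DMZ interfaces are still required; their
# interface names are not in the post and are omitted here.
```

Check the file with pfctl -nf before loading it; with block all in place, nothing crosses the internal or DMZ interfaces until matching pass rules exist for them.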




Re: php5 missing the money_format() function

2007-06-06 Thread Gordon Stratton

On 6/5/07, Daniel [EMAIL PROTECTED] wrote:

I understand that The function money_format() is only defined if the
system has strfmon capabilities.


Even though you're not using Windows, the documentation says that
the function is only defined if the system has strfmon capabilities.
Looks like the documentation answered your question.

Gentoo Linux -

$ apropos strfmon
strfmon  (3)  - convert monetary value to a string

OpenBSD 4.1 -

$ apropos strfmon
strfmon: nothing appropriate

Gordon




Re: Quad ethernet card

2007-06-06 Thread Marc Balmer
* Stuart Henderson wrote:
 On 2007/06/05 18:10, L. V. Lammert wrote:
  On Tue, 5 Jun 2007, Robert Franklin wrote:
  
   Why not a qfe card from Sun? I've used a quad port Sun PCI card for at
   least a few years in both me Sun AXI servers, and currently I have one
   installed in a dell 1550 that works just fine. You can find the Sun
   quad cards for really cheap off of ebay. I think I picked mine up for
   around $40 USD.
  
  Two problems with that:
  
   qfe is REALLY old
   qfe is for Sparc, .. might not work on Intel (like the Dell)
  
  Might be worth trying, but don't count on it working.
 
 I'm pretty sure hme(4) work ok on i386. Also on the cheaper side,
 znyx (e.g. netapp pulls; *full* length cards) and dfe570tx turn up
 at times.

they do.  I have a sun quad hme(4) pci card in an intel box.

 
 I've had mixed results with Intel quads, ranging from boxes refusing
 to POST (on the older ones) and ports not showing up, to corrupted input
 packets (GT on a certain motherboard using 64/133), to working absolutely
 fine...depends a lot on the motherboard I think.
 
 fwiw I found that RJ45 plugs lock into place much better on the newer
 ones (GT) rather than the older ones (ports are inverted).



Re: openbsd 4.1 install cd hangs at Realtek 8139

2007-06-06 Thread Gordon Ross
 On 05 June 2007 at 15:26, in message
[EMAIL PROTECTED], studio-v [EMAIL PROTECTED] wrote:
 I'm trying to install openbsd 4.1 on a firewall server. I'm using the
 cd41.iso. The problem is that when the computer boots from cd (in order to
 install), it hangs about halfway through. This is the last line:
 
 rl0 at pci2 dev 2 function 0 Realtek 8139 rev 0x10: irq 12

I've seen a similar problem since 3.8
( http://archives.neohapsis.com/archives/openbsd/2006-01/0317.html ). I
never got to the bottom of this. Sometimes the machine would boot, other
times it would just hang after the Realtek driver. One variation is
that the CD would boot fine, but the installed O/S wouldn't, the
opposite of your problem.

GTG



Re: Quad ethernet card

2007-06-06 Thread Henning Brauer
* Fredrik Carlsson [EMAIL PROTECTED] [2007-06-05 21:04]:
 Jason Dixon wrote:
 On Tue, 05 Jun 2007 18:26:19 +0200, Fredrik Carlsson [EMAIL PROTECTED] 
 wrote:
   
 Hi,
 
 I'm planning to set up a new firewall and have a few questions about what
 quad ethernet cards people recommend?
 The server will probably be a Dell PE860 (they seem to be well supported
 by OpenBSD), but what quad cards should I buy? What cards have good
 performance?
 
 
 Do you really need a quad card?  See the archives for similar threads and 
 using vlan(4) instead.
 
   
 Hi,
 
 Thanks for the reply,
 
 Yes I will need a quad card for different reasons, I already use vlan today.
 
 Intel has a quad card that looks interesting, it's quite expensive so it 
 would be nice to know what the performance is ;)
 
 Intel PRO/1000GT Quad PCI-X Adapter (PWLA8494GT)

werks fine.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Quad ethernet card

2007-06-06 Thread Henning Brauer
* nate [EMAIL PROTECTED] [2007-06-05 21:44]:
 I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
 was able to get a peak throughput of about 520Mbps in bridged mode
 (pf disabled) measured using iperf.

the single-stream tcp test iperf uses is pretty meaningless
(unless.. well, that's another story)

 Interrupt cpu time was ~30%, the rest of the cpu was idle.

see... you don't actually test the system

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: pfctl -s labels vs netstat -I interface -b

2007-06-06 Thread Henning Brauer
* Ben Calvert [EMAIL PROTECTED] [2007-06-06 02:04]:
 On Jun 5, 2007, at 8:30 AM, Stefan Castille wrote:
 
 Dear list,
 
 I am trying to setup some bandwidth monitoring based on firewall  
 rules (consolidate
 traffic per project in stead of per ip or interface). However I am  
 unable to get correct
 statistics from pfctl.
 
 
 look for 'log (all)' in
   man pf.conf
 
 and then checkout
   man pflog

wrong answer, what the OP does should work just fine.

now, why it doesn't is a very good question. it DOES work here, I don't 
understand what is going on right now.

to the OP, check with pfctl -vvss that states are created like you expect 
them to, that is the only reason I could think of, your pass at nfe0 rule 
not actually matching because you create state on another interface.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: The tree is broken -- /sbin/ifconfig

2007-06-06 Thread Henning Brauer
* Stephan Andre' [EMAIL PROTECTED] [2007-06-05 23:08]:
I think today's changes to libc broke ifconfig, which still knows
 about ipx stuff...

missed to commit the ifconfig part from my tree, sorry folks

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



NAT / FTP - specific server

2007-06-06 Thread Brendan Grossman
Hi all

I'm having a problem getting through NAT using ftp-proxy to a certain server
using active FTP. 

After analysing packets between this server and others that work, this
server tries to establish a connection on the data port before giving the
200 OK to the PORT command. 

I'm thinking that ftp-proxy waits for this response before setting up rules.
Can anyone confirm? 

If that is the case, does anyone have any ideas to get around it?

Regards
Brendan



Re: NAT / FTP - specific server

2007-06-06 Thread Peter N. M. Hansteen
Brendan Grossman [EMAIL PROTECTED] writes:

 After analysing packets between this server and others that work, this
 server tries to establish a connection on the data port before giving the
 200 OK to the PORT command. 

It would be interesting to know which, if any, ftp-proxy flags you are
using.  The reason I'm saying that is this reminds me vaguely of why I
set up one of ours with -r.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



cvsync borked -- how to fix?

2007-06-06 Thread Martin Schröder

Hi,
my cvsync mirror is broken. How can I fix this? I don't want to nuke
the whole mirror and let it fetch it again...

TIA
  Martin


 Remove ports/cad/Makefile,v
 Remove ports/cad/distinfo,v
 Remove ports/cad/DESCR,v
 Remove ports/cad/PFRAG.shared,v
 Remove ports/cad/PLIST,v
 Remove ports/cad/necpp
Updater(RCS): ADD: /home/ms/obsd/cvsroot/ports/cad/necpp/Makefile,v
Updater: RCS Error
Socket Error: recv: 4 residue 4
Receiver(RESET) Error: recv
Mux(SEND) Error: not running: 0
DirScan: RCS Error
Mux(SEND) Error: not running: 1
FileScan(RCS): ADD 
/home/ms/obsd/cvsroot/ports/comms/minicom/patches/Attic/patch-po_ko_po,v
FileScan: RCS Error
Failed




Re: Quad ethernet card

2007-06-06 Thread Ronnie Garcia

Henning Brauer wrote:

* nate [EMAIL PROTECTED] [2007-06-05 21:44]:

I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
was able to get a peak throughput of about 520Mbps in bridged mode
(pf disabled) measured using iperf.


the single-stream tcp test iperf uses is pretty meaningless
(unless.. well, that's another story)


What other tool would you recommend, then? The idea is to simulate 
legit Internet traffic and/or DDoS traffic.


--
Ronnie Garcia r.garcia at ovea dot com



Re: Quad ethernet card

2007-06-06 Thread Henning Brauer
* Ronnie Garcia [EMAIL PROTECTED] [2007-06-06 13:04]:
 Henning Brauer wrote:
 * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
 I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
 was able to get a peak throughput of about 520Mbps in bridged mode
 (pf disabled) measured using iperf.
 
 the single-stream tcp test iperf uses is pretty meaningless
 (unless.. well, that's another story)
 
 What other tool would you recommend, then?

they all suck.

best simulation is recording your real-world traffic using tcpdump and 
then use tcpreplay. but that is tricky too.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: NAT / FTP - specific server

2007-06-06 Thread Stuart Henderson
On 2007/06/06 18:21, Brendan Grossman wrote:
 I'm having a problem getting through NAT using ftp-proxy to a certain server
 using active FTP. 
 
 After analysing packets between this server and others that work, this
 server tries to establish a connection on the data port before giving the
 200 OK to the PORT command. 
 
 I'm thinking that ftp-proxy waits for this response before setting up rules.
 Can anyone confirm? 

 If that is the case, does anyone have any ideas to get around it?

It looks like it (around line 960 of ftp-proxy.c); RFC 959 isn't
exhaustive and RFC 1123 doesn't clarify this, but I'd say the server
is probably broken here - it seems odd that it should open the data
connection before it's told to (i.e. by STOR/RETR/LIST). I think
changing this in ftp-proxy would require a fair bit of reworking.

Are you able to identify the server software that's in use? Perhaps
an update is available...It wouldn't surprise me if it breaks some
other NAT helpers too.

Since we're on the subject of ftp-proxy, it is over-strict about
parsing 227 replies to PASV - 4.1.2.6 in RFC 1123 warns about the
lack of standardisation for these: "a User-FTP program that interprets
the PASV reply must scan the reply for the first digit of the host
and port numbers" - the one I saw was "227 Passive mode OK
(10,0,0,138,4,8 )" ...typical... the RFC is absolutely clear about
formatting of commands, as far as placing of spaces, but somewhat
lacking in defining response formats, allowing such horrors as this
(and publicfile's directory listing format :-)
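The tolerant 227 parsing that RFC 1123 asks of a client, as an added example in C that is not ftp-proxy's code: skip to the first digit, read six comma-separated fields, and range-check each one, so the reply Stuart quotes (stray space before the closing parenthesis and all) parses, while a malformed reply is rejected rather than turned into an address and port that a proxy would then open a connection to or write into a translation rule. The sample replies in main are constructed for the demonstration; pasv_matches is a small check helper, not an FTP API.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Tolerant parse of a PASV "227" reply in the way RFC 1123 section 4.1.2.6
 * recommends: ignore the free text and any parentheses, scan to the first
 * digit, then read six comma-separated decimal fields h1,h2,h3,h4,p1,p2.
 * Returns 1 and fills host/port on success, 0 on a malformed reply. Every
 * field is range-checked (0..255) so a bogus reply cannot hand an
 * out-of-range address or port to whatever acts on the result.
 */
int
parse_pasv_reply(const char *reply, char *host, size_t hostlen,
    unsigned int *port)
{
	unsigned long v[6];
	const char *p = reply;
	char *end;
	int i;

	/* Only a 227 status line carries a passive-mode address. */
	if (strncmp(p, "227", 3) != 0 || isdigit((unsigned char)p[3]))
		return 0;
	p += 3;

	/* Skip the server's free-form text up to the first digit. */
	while (*p != '\0' && !isdigit((unsigned char)*p))
		p++;

	for (i = 0; i < 6; i++) {
		/* Require a bare digit here: no signs, no embedded blanks. */
		if (!isdigit((unsigned char)*p))
			return 0;
		v[i] = strtoul(p, &end, 10);
		if (v[i] > 255)
			return 0;
		p = end;
		if (i < 5) {
			if (*p != ',')
				return 0;
			p++;
		}
	}

	snprintf(host, hostlen, "%lu.%lu.%lu.%lu", v[0], v[1], v[2], v[3]);
	*port = (unsigned int)(v[4] * 256 + v[5]);
	return 1;
}

/* Check helper: 1 if reply parses to exactly want_host:want_port, else 0. */
int
pasv_matches(const char *reply, const char *want_host, unsigned int want_port)
{
	char host[16];		/* "255.255.255.255" plus NUL */
	unsigned int port;

	if (!parse_pasv_reply(reply, host, sizeof(host), &port))
		return 0;
	return strcmp(host, want_host) == 0 && port == want_port;
}

int
main(void)
{
	/* Constructed samples: the odd reply from the thread, a textbook one,
	 * an out-of-range octet, and a reply that is not a 227 at all. */
	const char *samples[] = {
		"227 Passive mode OK (10,0,0,138,4,8 )",
		"227 Entering Passive Mode (192,168,1,2,195,80)",
		"227 Entering Passive Mode (192,168,1,300,195,80)",
		"200 PORT command successful",
	};
	char host[16];
	unsigned int port;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (parse_pasv_reply(samples[i], host, sizeof(host), &port))
			printf("%-50s -> %s:%u\n", samples[i], host, port);
		else
			printf("%-50s -> rejected\n", samples[i]);
	}
	return 0;
}
```

The port is p1*256+p2, so the reply from the thread yields 10.0.0.138 port 1032; a reply with only five fields, a field above 255, or a non-227 code is rejected before any address is formed.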



Re: Quad ethernet card

2007-06-06 Thread Dave Harrison
Henning Brauer wrote:
 * Ronnie Garcia [EMAIL PROTECTED] [2007-06-06 13:04]:
 Henning Brauer wrote:
 * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
 I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
 was able to get a peak throughput of about 520Mbps in bridged mode
 (pf disabled) measured using iperf.
 the single-stream tcp test iperf uses is pretty meaningless
 (unless.. well, that's another story)
 What other tool would you recommend, then?
 
 they all suck.
 
 best simulation is recording your real-world traffic using tcpdump and 
 then use tcpreplay. but that is tricky too.

Well if you're interested in working out a vaguely real benchmark for
the throughput of your appliance I recommend you choose a type of
traffic and focus on it.  So perhaps that's HTTP, SMTP or some other
obvious protocol.  Pick a diverse corpus of files or emails to handle,
then pass the traffic through the host and see how you go.

If you're just looking for a big number, open a single TCP session and
send a lot of traffic through it so you don't have to continually start
new sessions (sessions are comparatively expensive).

Henning has something in saying that most of the tools aren't great,
in the end all benchmarks are artificial in some measure.  Replaying
traffic is equally artificial as it's only indicative of the traffic
you recorded - which is likely to be biased towards whatever was
happening at the time on your LAN.

When all's said and done, benchmark for the traffic you expect and
work from there.

HTH
Dave



Re: Quad ethernet card

2007-06-06 Thread Matt Rowley
  best simulation is recording your real-world traffic using tcpdump and 
  then use tcpreplay. but that is tricky too.
 
 Henning has something in saying that most of the tools aren't great,
 in the end all benchmarks are artificial in some measure.  Replaying
 traffic is equally artificial as it's only indicative of the traffic
 you recorded - which is likely to be biased towards whatever was
 happening at the time on your LAN.

Also worth noting is that if you're generating traffic from a single host,
you're bound by the interrupt rates that host is capable of.  Generate
traffic from multiple sources if you really want to gauge high load.

--Matt



Re: cvsync borked -- how to fix?

2007-06-06 Thread Martin Reindl
On Wed, Jun 06, 2007 at 11:27:24AM +0200, Martin Schröder wrote:
 Hi,
 my cvsync mirror is broken. How can I fix this? I don't want to nuke
 the whole mirror and let it fetch it again...
 

try the -L option in cvsync



Re: Quad ethernet card

2007-06-06 Thread Dave Harrison
Matt Rowley wrote:
 best simulation is recording your real-world traffic using tcpdump and 
 then use tcpreplay. but that is tricky too.
 Henning has something in saying that most of the tools aren't great,
 in the end all benchmarks are artificial in some measure.  Replaying
 traffic is equally artificial as it's only indicative of the traffic
 you recorded - which is likely to be biased towards whatever was
 happening at the time on your LAN.
 
 Also worth noting is that if you're generating traffic from a single host,
 you're bound by the interrupt rates that host is capable of.  Generate
 traffic from multiple sources if you really want to gauge high load.

Definitely.  My personal experience is that an e1000 tops out at about
~820-850 Mb/s of raw throughput - i.e. on a single TCP session.

Other things that may get in the way of Truly Awesome Throughput (TM)
include things like socket timeouts on either client or server host,
and file descriptors; note that those only come into play when you're
trying to simulate a web server or the like.

However I'm not aware of any tools that handle that kind of
distributed benchmark.. anyone ?



package compile options (courier-imap)

2007-06-06 Thread Juan Miscaro
I have courier-imap installed on OpenBSD 4.0 as a package and I would
like to have the unicode character set included since I serve out non
ASCII characters (French).

I see that 4.1 has some docs in the package contents [1] referring to
this such as

/usr/local/share/doc/courier/README.unicode.txt

This file doesn't exist for 4.0.  :(

Thank you for any guidance in this matter.

Juan

[1] 
http://www.openbsd.org/4.1_packages/sparc64/courier-imap-4.1.1p0.tgz-contents.html





hoststated: fatal: relay_dispatch_pfe: desynchronized,

2007-06-06 Thread Jörg Streckfuß
Hi list,

First, a tribute for the good work to the authors of hoststated.
In the future I plan to use hoststated in production environments
to check the availability of our web services.

But before I set it up on my production machine I would like to do some
testing. I took two tiny Soekrises with OpenBSD 4.1 stable installed,
configured the first one as a load balancer and the second one as a web server
with three IPs on one interface.

Here is the setup in explicit detail:


 --------     --------------     -----------
| client |---| loadbalancer |---| webserver |
 --------     --------------     -----------
192.168.0.10  192.168.0.1   10.0.0.10  10.0.0.1
                                       10.0.0.2
                                       10.0.0.3

my hoststated.conf:

<snip>

#
# Macros
#
public_ip=10.0.0.1
webhost1=10.0.0.1
webhost2=10.0.0.2
webhost3=10.0.0.3

#
# Global Options
#
interval 15
timeout 5000
prefork 1
log all

#
# Each table will be mapped to a pf table.
#
table webhosts {
real port 443
check https /index.html code 200
host $webhost1
host $webhost2
host $webhost3
}


table fallback {
real port 443
check https /index.html code 200
host 127.0.0.1
}

#
# Services will be mapped to a rdr rule.
#
service www {
virtual host $public_ip port 443
table webhosts
backup table fallback
}

</snip>

At first everything seemed to work correctly. But when I tried to disable
one of the webhosts and bring it back after a few seconds, hoststated
crashed with the following messages in /var/log/daemon:

<snip>
Jun  6 11:37:24 loadbalancer hoststated[1333]: fatal: relay_dispatch_pfe:
desynchronized
Jun  6 11:37:24 loadbalancer hoststated[5247]: fatal: pfe_dispatch_relay: pipe
closed
Jun  6 11:37:24 loadbalancer hoststated[24980]: fatal: main_dispatch_relay:
pipe closed
Jun  6 11:37:24 loadbalancer hoststated[12810]: fatal: hce_dispatch_parent:
pipe closed
</snip>

These were the commands which brought hoststated down:

# hoststatectl host disable 1
command succeeded
# hoststatectl host enable 1
command succeeded
# hoststatectl show hosts
hoststatectl: connect: /var/run/hoststated.sock: Connection refused

So I ask myself, is hoststated already stable enough for production
environments or should I wait for the release of 4.2 ?

Cheers!
Joerg

--
Dipl.-Ing. (FH) Joerg Streckfuss, Phone: +49 40 808077-631
PGP RSA/2048, E0D4BD3F, 90 C3 FB 4A CB D3 20 70  6B 04 47 84 B5 3C 28 8C

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737




Re: cvsync borked -- how to fix?

2007-06-06 Thread Martin Schröder

2007/6/6, Martin Reindl [EMAIL PROTECTED]:

On Wed, Jun 06, 2007 at 11:27:24AM +0200, Martin Schröder wrote:
 Hi,
 my cvsync mirror is broken. How can I fix this? I don't want to nuke
 the whole mirror and let it fetch it again...


try the -L option in cvsync


Thanks, but that doesn't really help:


 Remove ports/cad/Makefile,v
 Remove ports/cad/distinfo,v
 Remove ports/cad/DESCR,v
 Remove ports/cad/PFRAG.shared,v
 Remove ports/cad/PLIST,v
 Remove ports/cad/necpp
Updater(RCS): ADD: /home/ms/obsd/cvsroot/ports/cad/necpp/Makefile,v
Updater: RCS Error
Socket Error: recv: 2 residue 2
Receiver(DATA) Error: recv
Mux(SEND) Error: not running: 0
DirScan: RCS Error
Mux(SEND) Error: not running: 1
FileScan(RCS): REMOVE /home/ms/obsd/cvsroot/ports/comms/conserver/pkg/PLIST,v
FileScan: RCS Error
Failed


Best
  Martin



Your account has been suspended

2007-06-06 Thread Poste.it
Dear Poste.it customer,

For security reasons we have suspended your online banking account at
BancoPostaOnline. You must confirm that you are not a victim of identity
theft in order to restore your account.

You must click the link below and fill in the form on the following page
to complete the verification process.

https://bancopostaonline.poste.it/bpol/cartepre/formslogin.asp

We thank you for your prompt attention to this matter. Please understand
that this is a security measure designed to help protect you and your
account. We apologise for any inconvenience. Thank you for your
cooperation,
Poste.it



Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,

2007-06-06 Thread Pierre-Yves Ritschard
On Wed, 6 Jun 2007 14:09:19 +0200
Jörg Streckfuß [EMAIL PROTECTED] wrote:

 Hi list,

 First a tribut for the good work to the authors of hoststated.
 In the future i plan to use hoststated in production environments
 to check for the availability of our webservices.

 But before I set it up on my production machine I would make some
 testing. I took two tiny Soekrises with OpenBSD 4.1 stable installed,
 configured the first one as loadbalancer and the second one as a
 webserver with three IPs on one interface.

 Here ist the setup in explicit detail:


Hi, can you give the output of uname -a please, I'd like to know what
versions of current you are running.



Re: Quad ethernet card

2007-06-06 Thread Henning Brauer
* Dave Harrison [EMAIL PROTECTED] [2007-06-06 13:52]:
 If you're just looking for a big number, open a single TCP session and
 send a lot of traffic through it so you don't have to continually start
 new sessions (sessions are comparatively expensive).

single tcp session benches are completely meaningless and will not max 
out any device faster than a moose fart

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Quad ethernet card

2007-06-06 Thread Jacob Yocom-Piatt

Henning Brauer wrote:
single tcp session benches are completely meaningless and will not max 
out any device faster than a moose fart


  


was unaware that moose farts were slow. you learn something new every day :)



Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,

2007-06-06 Thread Diana Eichert

On Wed, 6 Jun 2007, Pierre-Yves Ritschard wrote:


On Wed, 6 Jun 2007 14:09:19 +0200
Jörg Streckfuß [EMAIL PROTECTED] wrote:


testing. I took two tiny Soekrises with OpenBSD 4.1 stable installed,


Hi, can you give the output of uname -a please, I'd like to know what
versions of current you are running.


looks like he's running 4.1 stable and not the latest and greatest 
-current code.




Re: Quad ethernet card

2007-06-06 Thread Diana Eichert

On Wed, 6 Jun 2007, Jacob Yocom-Piatt wrote:


was unaware that moose farts were slow. you learn something new every day :)


i believe the speed of moose farts varies in relationship to the moose, 
meese?, distance from Calgary.




Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,

2007-06-06 Thread Jörg Streckfuß
Am Wed, 6 Jun 2007 15:53:03 +0200
schrieb Pierre-Yves Ritschard [EMAIL PROTECTED]:

 On Wed, 6 Jun 2007 14:09:19 +0200
 Jörg Streckfuß [EMAIL PROTECTED] wrote:
 
  Hi list,
 
  First a tribut for the good work to the authors of hoststated.
  In the future i plan to use hoststated in production environments
  to check for the availability of our webservices.
 
  But before I set it up on my production machine I would make some
  testing. I took two tiny Soekrises with OpenBSD 4.1 stable installed,
  configured the first one as loadbalancer and the second one as a
  webserver with three IPs on one interface.
 
  Here ist the setup in explicit detail:
 
 
 Hi, can you give the output of uname -a please, I'd like to know what
 versions of current you are running.
 

Sorry, I'm running 4.1 stable.

# uname -a
OpenBSD loadbalancer 4.1 GENERIC#1435 i386


-- 
Dipl.-Ing. (FH) Joerg Streckfuss, Phone: +49 40 808077-631
PGP RSA/2048, E0D4BD3F, 90 C3 FB 4A CB D3 20 70  6B 04 47 84 B5 3C 28 8C

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Job Opening: IT Manager

2007-06-06 Thread Jacob Yocom-Piatt
I am looking for a replacement for my position at Specialty Printing 
Company in Niles, IL, northwest of Chicago.  Here is the job description:


Position Available:  IT Manager

Commercial printer seeking an IT Manager with experience maintaining and 
expanding a network of 10-100 workstations and running various services 
on a handful of servers.


Required Skills:
- BS/MS in computer-related field, CS or related IT concentration preferred
- Linux/Unix administration: Apache, Postfix, BIND, pf, spam filtering, 
IPSec/VPNs, DHCP
- Windows XP workstation administration: MS Office configuration, basic 
networking, antivirus management, reinstalling OS, license management, 
AD experience preferred
- Network configuration: routing, DNS, port mapping, VLANs, switch 
management
- Hardware repair: replacing failed components and upgrading existing 
components


Please send resumes to [EMAIL PROTECTED]

Pay is negotiable based on your skill set and experience.  Please 
refrain from sending your resume if you are not already present in the 
US and able to work.  Filling this position quickly (next 3 weeks) is a 
priority, so consider this when sending your resume.


Cheers,
Jacob Yocom-Piatt



Re: OpenBSD router playing up

2007-06-06 Thread Brian A. Seklecki

pfctl -x loud when the SHTF

pfctl -s and netstat -s

Net-SNMP + MRTG on your interfaces?

Any errors on netstat -i ?

~BAS

On Tue, 5 Jun 2007, Open Phugu wrote:


On 6/5/07, Karl Kopp [EMAIL PROTECTED] wrote:

Hi All,

I have a strange issue. We are using a OpenBSD 3.9 box running on an
AMD64 CPU. Its doing BGP with our upstream provider and has some basic
pf rules.

Occasionally, the network slows to a crawl. I setup some external
monitoring, and while a few simple HTTP checks of boxes on our network
normally take a second or 2 (from 2 separate locations outside our
network), this just went up to over 100 seconds and was only resolved
by restarting the box.

I'm learning this stuff, so am super keen if a) this is normal
behavior (I'm guessing not) and b) how can I work out what is causing
the problems? I've checked messages, and there is nothing strange in
there (just some ftp-proxy 'client reset connection' and 'server
refused connection' messages) and daemon (a few BGP updates not many).
On restart, I get a flood of BGP updates.

Where should I be looking? Should I just restart bgpd next time or
does this seem like something else?? Any advice would be greatly
appreciated!

Post your dmesg, the contents of /etc/pf.conf and your BGP configuration
file. Doing so will not solve your issue but it will give other members of
the list more information about your setup.




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: Quad ethernet card

2007-06-06 Thread nate
Henning Brauer wrote:
 * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
 I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
 was able to get a peak throughput of about 520Mbps in bridged mode
 (pf disabled) measured using iperf.

 the single-stream tcp test iperf uses is pretty meaningless
 (unless.. well, that's another story)

 Interrupt cpu time was ~30%, the rest of the cpu was idle.

hmm, well I would expect this would provide a maximum number for
throughput because there's only 1 connection, no extra processing
vs multiple connections, not that multiple connections should
matter since it was a bridge, and pf was disabled for the test.

It doesn't make sense to me why more connections would increase
throughput, can you (or someone) explain why this would be the
case?

I also would expect that this maximum number likely would not
be achieved once pf is enabled and 'real world' traffic was flowing
through the system keeping track of thousands of states from
the ~400 hosts on both sides of the firewall. But at least it would
give me a number; if I saw the same interrupt cpu% I could reasonably
expect the box to be maxed out. Fortunately normal network
traffic was quite low, the biggest users of bandwidth were file
copies via scp/rsync.

Someone replied to my original post off-list and told me about a
bug that was fixed in 2006 in the Intel GigE network driver that
reduces the amount of pci hits per packet thus increasing throughput
and packets per second, which may have contributed to the performance
issue I experienced (again in mid 2005). Of course at the time I
participated in a thread very similar to this and I don't recall
anyone responding with their openbsd network performance, so I
had nothing to base it on (were the numbers normal? low? high?).
The FAQ says it's dependent on the system, and I purchased the
fastest 32-bit CPU that was on the market at the time (64-bit
was still too new, I think that was (one of) the first releases
to support 64-bit x86, and OpenBSD SMP crashed on all machines
I tested at the time during boot). Even now I think I've gotten
one response (may have been off-list) saying they get less than
500Mbit on their card (forgot which card off hand, not the Intel
one though).

So regardless of the performance I think it was about as fast as
it was going to get, at the time. Short of absurdly low numbers
(under 200Mbit, at which point I would have purchased a fully hardware
firewall; we had just purchased 3000 gigabit switch ports so we
were spending a bit), I was going to stick with OpenBSD because
pf is a great tool, and easy to use, and the hardware was a good
price too with hardware raid, triple redundant power supplies
(each on a separate UPS-backed circuit), hot swap fans etc.

In the end the firewalls seemed to work out well, it's been
2 years since they launched and they haven't had a problem,
fortunately network traffic is fairly low. Two firewalls are
in active use(for different network segments, and are
failover for each other's network segments), with a 3rd
cold standby server.

tcpreplay sounds like an interesting tool, I had not heard
about it until your post.

nate



Re: Quad ethernet card

2007-06-06 Thread Ted Bullock
Dave Harrison wrote:
 However I'm not aware of any tools that handle that kind of
 distributed benchmark.. anyone ?
 

httperf can be run in an array of clients (--client option), although
there is currently no way to automatically aggregate the results.



-- 
Theodore Bullock, [EMAIL PROTECTED], [EMAIL PROTECTED]
B.Sc Software Engineering
Bike Across Canada Adventure http://www.comlore.com/bike



Re: Quad ethernet card

2007-06-06 Thread Henning Brauer
* nate [EMAIL PROTECTED] [2007-06-06 17:52]:
 Henning Brauer wrote:
  * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
  I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
  was able to get a peak throughput of about 520Mbps in bridged mode
  (pf disabled) measured using iperf.
 
  the single-stream tcp test iperf uses is pretty meaningless
  (unless.. well, that's another story)
 
  Interrupt cpu time was ~30%, the rest of the cpu was idle.
 
 hmm, well I would expect this would provide a maximum number for
 throughput because there's only 1 connection, no extra processing
 vs multiple connections, not that multiple connections should
 matter since it was a bridge, and pf was disabled for the test.
 
 It doesn't make sense to me why more connections would increase
 throughput, can you(or someone) explain why this would be the
 case.

please go read up on tcp and the interactions between delay, window 
size, bandwidth etc.

 I tested at the time during boot). Even now I think I've gotten
 one response (may have been off-list) saying they get less than
 500Mbit on their card (forgot which card off hand, not the Intel
 one though).

i have a customer where we route about 800 MBit/s of real world traffic.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: /usr/obj partition AWOL

2007-06-06 Thread Markus Lude
On Tue, Jun 05, 2007 at 07:51:48AM +0200, Otto Moerbeek wrote:
 
 On Tue, 5 Jun 2007, Markus Lude wrote:
 
  On Mon, Jun 04, 2007 at 06:02:59PM -0500, Emilio Perea wrote:
   I follow -current on an i386 at work and an amd64 at home, and rarely
   run into any problem which is not self-inflicted.  So when I had a weird
   experience this weekend, I assumed it was my fault.
   
   What happened was that after the usual sequence of [build kernel;
   reboot; build userland; reboot] the system complained that it could not
   fsck wd1j and dropped into single-user mode.  wd1j is mounted on
   /usr/obj, and I thought that something in the last build had messed it
   up, so I ran newfs wd1j and got 
   
newfs: /dev/rwd1j: Device not configured
   
   disklabel wd1 showed partitions d-i and k-p, but no j.  I added the
   partition, ran newfs, and everything seemed fine.  This afternoon I
   installed the i386 snapshot downloaded this morning (dated Jun 3 19:19)
   on the work pc, and after reboot it was missing the /usr/obj partition
   (sd0g in this case).
   
   Everything seems to be working fine on both computers, but I didn't
   expect the partitions to disappear.  Did nobody else run into this
   problem?  Or did everybody else who saw it thought it was too obvious
   to mention it to the mailing list?
  
  I had a similar problem on sparc64 with a snapshot from jun 2. The
  system was unable to fsck some partitions and dropped to single user
  mode.
  Here the problems were with the /usr, /var, /tmp and /home partitions.
  Some further (and larger partitions) weren't affected.
  
  I installed an older snapshot.
  
  Any suggestions how to get this fixed or what to test/try?
 
 There were some validation checks added to partitions. If a bad
 partition is found, it will be marked unused. The checks were a
 little too strict for some cases. A fix for that went in yesterday, so
 try a new snap.

Thanks for your info.

After rebuilding kernel and userland the problem still exists, but now
the affected partitions are /var, /home and /data. Hmm. Unmounting /data
and doing a manual fsck -f runs without problems.

 If the problem persists, please report with full disklabel output.

$ cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0e /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
/dev/wd0g /home ffs rw,nodev,nosuid 1 2
/dev/wd0h /data ffs rw,nodev,nosuid 1 2
/dev/wd1d /backup ffs rw,nodev,nosuid 1 2

with a current kernel:

$ sudo disklabel wd0
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: ST3120213A  
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 16514064
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

16 partitions:
#        size   offset  fstype [fsize bsize  cpg]
  a:   1024128        0  4.2BSD   2048 16384   16 # Cyl     0 -   1015
  b:   3072384  1024128    swap                   # Cyl  1016 -   4063
  c: 234441648        0  unused      0     0      # Cyl     0 - 232580
  d:   2048256  4096512  4.2BSD   2048 16384   16 # Cyl  4064 -   6095
  e:  20479536  6144768  4.2BSD   2048 16384   16 # Cyl  6096 -  26412
disklabel: partition c: partition extends past end of unit
disklabel: partition e: partition extends past end of unit

older kernel:
$ sudo disklabel wd0
[...]
16 partitions:
#        size   offset  fstype [fsize bsize  cpg]
  a:   1024128        0  4.2BSD      0     0   16 # Cyl     0 -   1015
  b:   3072384  1024128    swap                   # Cyl  1016 -   4063
  c: 234441648        0  unused      0     0      # Cyl     0 - 232580
  d:   2048256  4096512  4.2BSD      0     0   16 # Cyl  4064 -   6095
  e:  20479536  6144768  4.2BSD      0     0   16 # Cyl  6096 -  26412
  f:   4095504 26624304  4.2BSD      0     0   16 # Cyl 26413 -  30475
  g:  20479536 30719808  4.2BSD      0     0   16 # Cyl 30476 -  50792
  h: 183242304 51199344  4.2BSD      0     0   16 # Cyl 50793 - 232580
disklabel: partition c: partition extends past end of unit
disklabel: partition e: partition extends past end of unit
disklabel: partition f: offset past end of unit
disklabel: partition f: partition extends past end of unit
disklabel: partition g: offset past end of unit
disklabel: partition g: partition extends past end of unit
disklabel: partition h: offset past end of unit
disklabel: partition h: partition extends past end of unit

Any hints how to fix this beside repartition and reinstall?

Regards,
Markus



Problem with Intel Pro/1000 PT

2007-06-06 Thread Robert Warning

Hello everybody,
	I've been getting some strange errors with this dual port nic. My  
system is a dual core AMD64 system running 4.1-stable with  
multiprocessor support enabled. The chipset of the card is 82571EB.  
This problem also occurs when I boot into a kernel without MP  
support. em0 works fine, but em1 throws watchdog timeout errors  
frequently, and it is so slow to the point of being unusable. em1 is  
slow even if it happens to not be throwing the watchdog timeout  
errors. I first noticed this when I set both devices to configure via
dhcp. Thinking it might be a broken card, I swapped in another card  
of the same model and chipset, and experienced the same problem. The  
other nic in the system, re0, works fine. I've looked through some  
message boards on the subject but I have not found anything  
conclusive, and I'm at a loss at what the problem could be. I'm  
hoping it's a configuration issue, or a problem at my end. Any advice  
would be greatly appreciated.


Bob

Here is my dmesg:

OpenBSD 4.1 (GENERIC.MP) #0: Sat Jun  2 21:46:21 EST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 468185088 (457212K)
avail mem = 388567040 (379460K)
using 11481 buffers containing 47026176 bytes (45924K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0100 (53 entries)
bios0: Gigabyte Technology Co., Ltd. GA-MA69VM-S2
acpi at mainbus0 not configured
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 3600+, 1904.58 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 3600+, 1904.32 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type ISA
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 21, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 vendor ATI, unknown product 0x7910 rev 0x00
ppb0 at pci0 dev 1 function 0 vendor ATI, unknown product 0x7912 rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 vendor ATI, unknown product 0x791e rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 2 function 0 vendor ATI, unknown product 0x7913 rev 0x00
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x04: apic 2 int 18 (irq 12), address 00:0e:0c:6f:0b:1c
em1 at pci2 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x04: apic 2 int 18 (irq 12), address 00:0e:0c:6f:0b:1d
pciide0 at pci0 dev 18 function 0 ATI IXP600 SATA rev 0x00: DMA (unsupported), channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 2 int 22 (irq 11) for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: WDC WD800JD-75MSA3
wd0: 16-sector PIO, LBA48, 76292MB, 156247887 sectors
pciide0: channel 1 ignored (not responding; disabled or no drives?)
ohci0 at pci0 dev 19 function 0 ATI IXP600 USB rev 0x00: apic 2 int 16 (irq 7), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ATI OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ohci1 at pci0 dev 19 function 1 ATI IXP600 USB rev 0x00: apic 2 int 17 (irq 5), version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: ATI OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ohci2 at pci0 dev 19 function 2 ATI IXP600 USB rev 0x00: apic 2 int 18 (irq 12), version 1.0, legacy support
usb2 at ohci2: USB revision 1.0
uhub2 at usb2
uhub2: ATI OHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ohci3 at pci0 dev 19 function 3 ATI IXP600 USB rev 0x00: apic 2 int 17 (irq 5), version 1.0, legacy support
usb3 at ohci3: USB revision 1.0
uhub3 at usb3
uhub3: ATI OHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ohci4 at pci0 dev 19 function 4 ATI IXP600 USB rev 

Re: Problem with Intel Pro/1000 PT

2007-06-06 Thread Daniel Polak

 Original message from Robert Warning at 6-6-2007 19:16

Hello everybody,
I've been getting some strange errors with this dual port nic. My 
system is a dual core AMD64 system running 4.1-stable with 
multiprocessor support enabled. The chipset of the card is 82571EB. 
This problem also occurs when I boot into a kernel without MP support. 
em0 works fine, but em1 throws watchdog timeout errors frequently, and 
it is so slow to the point of being unusable. em1 is slow even if it 
happens to not be throwing the watchdog timeout errors. I first 
noticed this when I set both devices to configure via dhcp. Thinking 
it might be a broken card, I swapped in another card of the same model 
and chipset, and experienced the same problem. The other nic in the 
system, re0, works fine. I've looked through some message boards on 
the subject but I have not found anything conclusive, and I'm at a 
loss at what the problem could be. I'm hoping it's a configuration 
issue, or a problem at my end. Any advice would be greatly appreciated.

Bob,

I've seen problems and watchdog timeout messages with the Intel em 
driver too. Henning Brauer and Mark Kettenis corrected the em driver and 
the cards now work properly.
The current drivers (in src/sys/dev/pci/if_em*) will probably work with 
4.1 but Henning and Mark are the ones to ask for more details.


Daniel



Kernel MINIROOTSIZE 8192 = No Boot

2007-06-06 Thread Brian A. Seklecki

The 1st stage loader just resets the prom before the kernel load.

Can anyone else confirm this?  You don't even need to elfrdsetroot(8) to 
test.  Just compile bsd.rd with MINIROOTSIZE=16384.  I've been using 32768 
on my 4.0 systems for the bsd-appliance project.


I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan

PS: 
Also, am I imagining this:


  .if !${IDENT:M-DI386_CPU}
CMACHFLAGS= -march=i486
  .else
CMACHFLAGS=
  .endif

Somewhere this logic must be getting short-circuited in my config.  I'm 
seeing -march=i486.




Re: Kernel MINIROOTSIZE 8192 = No Boot

2007-06-06 Thread Theo de Raadt
It can't be that big.  And in our tree, it isn't that big.

You're doing things on your own, hitting constraints that exist in the
code.   You get to fix those things, since you've gone outside OpenBSD
parameters.

Not everything can work, you know.

 The 1st stage loader just resets the prom before the kernel load.
 
 Can anyone else confirm this?  You don't even need to elfrdsetroot(8) to 
 test.  Just compile bsd.rd with MINIROOTSIZE=16384.  I've been using 32768 
 on my 4.0 systems for the bsd-appliance project.
 
 I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.
 
 
 l8*
   -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
  http://www.spiritual-machines.org/
 
  Guilty? Yeah. But he knows it. I mean, you're guilty.
  You just don't know it. So who's really in jail?
  ~James Maynard Keenan
 
 PS: 
 Also, am I imagining this:
 
.if !${IDENT:M-DI386_CPU}
  CMACHFLAGS= -march=i486
.else
  CMACHFLAGS=
.endif
 
 Somewhere this logic must be getting short-circuited in my config.  I'm 
 seeing -march=i486.



Re: Kernel MINIROOTSIZE 8192 = No Boot

2007-06-06 Thread Brian A. Seklecki
I'm hoping to actually go smaller once FreeBSD has a functional 
pivot_root() in the VFS layer (we can steal it from them).  Then I can do a 
512k RD/MD image (init, tar, gzip, mount_mfs(8), sh, etc.), then 
transition to a 64 to 96 meg MFS root.


I'm talking to a consultant tomorrow about some kernel work.  If the 
pivot_root() discussion goes nowhere, I'll bounty it here.


On another system, I can have a full userland (/bin, /sbin) with as little 
as a 8 MB RD/MD (with dynamic linking + crunchgen + some pruning).


It's tougher on OpenBSD, but I want it to work with my bsd-appliance 
framework.


~BAS

On Wed, 6 Jun 2007, Theo de Raadt wrote:


It can't be that big.  And in our tree, it isn't that big.

You're doing things on your own, hitting constraints that exist in the
code.   You get to fix those things, since you've gone outside OpenBSD
parameters.

Not everything can work, you know.


The 1st stage loader just resets the prom before the kernel load.

Can anyone else confirm this?  You don't even need to elfrdsetroot(8) to
test.  Just compile bsd.rd with MINIROOTSIZE=16384.  I've been using 32768
on my 4.0 systems for the bsd-appliance project.

I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

 Guilty? Yeah. But he knows it. I mean, you're guilty.
 You just don't know it. So who's really in jail?
 ~James Maynard Keenan

PS:
Also, am I imagining this:

   .if !${IDENT:M-DI386_CPU}
 CMACHFLAGS= -march=i486
   .else
 CMACHFLAGS=
   .endif

Somewhere this logic must be getting short-circuited in my config.  I'm
seeing -march=i486.






l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~James Maynard Keenan



Re: Quad ethernet card

2007-06-06 Thread Theo de Raadt
 Henning has something in saying that most of the tools aren't great,
 in the end all benchmarks are artificial in some measure.  Replaying
 traffic is equally artificial as it's only indicative of the traffic
 you recorded - which is likely to be biased towards whatever was
 happening at the time on your LAN.

henning is trying to make the network layer and pf -- on balance --
manage all types of traffic faster.

therefore it does not matter if the traffic is artificial or not, as
long as it isn't skewed towards unrealistic.

he's not working in the same area at all as you guys trying to make
your web servers serve a few more pages.



Re: Quad ethernet card

2007-06-06 Thread Darren Spruell

On 6/6/07, Ronnie Garcia [EMAIL PROTECTED] wrote:

Henning Brauer wrote:
 * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
 I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and
 was able to get a peak throughput of about 520Mbps in bridged mode
 (pf disabled) measured using iperf.

 the single-stream tcp test iperf uses is pretty meaningless
 (unless.. well, that's another story)

What other tool would you recommend, then? The idea is to simulate
legit Internet traffic and/or DDoS traffic.


net/netrate (from FreeBSD) was just committed as a port. Might be useful.

http://www.undeadly.org/cgi?action=article&sid=20070603040549&mode=expanded
http://ports.openbsd.nu/net/netrate

DS



Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,

2007-06-06 Thread Paulius Bulotas
Hi,

On 07 06 06, Jörg Streckfuß wrote:
 First a tribute for the good work to the authors of hoststated.
 In the future I plan to use hoststated in production environments
 to check for the availability of our webservices.
 
 But before I set it up on my production machine I want to do some
 testing. I took two tiny Soekrises with OpenBSD 4.1 stable installed,
 configured the first one as loadbalancer and the second one as a webserver
 with three IPs on one interface.
 
 Here is the setup in explicit detail:
 
 
    ----------     ----------------     -------------
    | client |-----|  loadbalancer  |-----| webserver |
    ----------     ----------------     -------------
    192.168.0.10   192.168.0.1  10.0.0.10   10.0.0.1
                                            10.0.0.2
                                            10.0.0.3
 
 my hoststated.conf:
 
 snip
 
 #
 # Macros
 #
 public_ip=10.0.0.1
 webhost1=10.0.0.1
 webhost2=10.0.0.2
 webhost3=10.0.0.3
 
 #
 # Global Options
 #
 interval 15
 timeout 5000
 prefork 1
 log all
 
 #
 # Each table will be mapped to a pf table.
 #
 table webhosts {
 real port 443
 check https /index.html code 200
 host $webhost1
 host $webhost2
 host $webhost3
 }
 
 
 table fallback {
 real port 443
 check https /index.html code 200
 host 127.0.0.1
 }
 
 #
 # Services will be mapped to a rdr rule.
 #
 service www {
 virtual host $public_ip port 443
 table webhosts
   backup table fallback
 }
 
 /snip
 
 At first everything seemed to work correctly. But when I tried to disable
 one of the webhosts and bring him back after a few seconds, hoststated
 crashed with the following messages in /var/log/daemon:
 
 snip
 Jun  6 11:37:24 loadbalancer hoststated[1333]: fatal: relay_dispatch_pfe: desynchronized
 Jun  6 11:37:24 loadbalancer hoststated[5247]: fatal: pfe_dispatch_relay: pipe closed
 Jun  6 11:37:24 loadbalancer hoststated[24980]: fatal: main_dispatch_relay: pipe closed
 Jun  6 11:37:24 loadbalancer hoststated[12810]: fatal: hce_dispatch_parent: pipe closed
 /snip
 
 These were the commands which brought hoststated down:
 
 # hoststatectl host disable 1
 command succeeded
 # hoststatectl host enable 1
 command succeeded
 # hoststatectl show hosts
 hoststatectl: connect: /var/run/hoststated.sock: Connection refused
 
 So I ask myself, is hoststated already stable enough for production
 environments or should I wait for the release of 4.2 ?

well ;)
probably you will have to wait for 4.2, but a fix for a similar problem (try
to disable a table, then enable it ;)
so probably the same applies to host disabling and enabling...
at least, with this patch it works for me.

--- src/usr.sbin/hoststated/relay.c.origWed Mar  7 19:40:32 2007
+++ src/usr.sbin/hoststated/relay.c Sun May 13 18:37:48 2007
@@ -1775,7 +1775,7 @@
fatalx(relay_dispatch_pfe: invalid host id);
if (host-flags  F_DISABLE)
break;
-   if (host-up == st.up) {
+   if (host-up != st.up) {
log_debug(relay_dispatch_pfe: host %d = %d,
host-id, host-up);
fatalx(relay_dispatch_pfe: desynchronized);
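Review bot: flipping the comparison to `if (host-up != st.up)` looks like it masks the real bug rather than fixing it. In this handler the relay compares its own copy of the host state with the state the pfe just reported; with `!=` it now calls fatalx("relay_dispatch_pfe: desynchronized") exactly when the pfe reports a change, which is the one case a status message should normally carry, while a message that merely repeats the current state passes silently. The log above (a fatal from relay_dispatch_pfe, then every other process dying of "pipe closed") says the two processes disagreed about host->up after a disable/enable cycle, so the fix more likely belongs where the relay's host->up is (not) reset when a host is disabled and re-enabled, just above the `F_DISABLE` check, or the handler should resynchronize (log_debug and adopt st.up) instead of taking the whole daemon down on a single mismatch. At minimum the commit message should state why a differing state is the error case here.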


and since you are not using check tcp, you probably won't notice this ;)

--- src/usr.sbin/hoststated/check_tcp.c.origSun May 13 18:36:36 2007
+++ src/usr.sbin/hoststated/check_tcp.c Sun May 13 18:37:07 2007
@@ -219,6 +219,7 @@
 
if (event == EV_TIMEOUT) {
cte-host-up = HOST_DOWN;
+   close(cte-s);
buf_free(cte-buf);
hce_notify_done(cte-host, tcp_read_buf: timeout);
return;
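Review bot: the added `close(cte->s)` on the EV_TIMEOUT path stops a descriptor leak on every timed-out check, but closing a socket that libevent may still have an event registered on is unsafe; make sure the event is removed (event_del) before the close, and set `cte->s = -1` afterwards so a later cleanup or retry cannot close or reuse a stale descriptor number. The same close should also appear on the other exit paths of this read callback (error and completion); otherwise only the timeout case stops leaking.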



Re: Problem with Intel Pro/1000 PT

2007-06-06 Thread Stuart Henderson
On 2007/06/06 13:16, Robert Warning wrote:
   I've been getting some strange errors with this dual port nic. My 
 system is 
 a dual core AMD64 system running 4.1-stable with multiprocessor support 
 enabled. The chipset of the card is 82571EB. This problem also occurs when I 
 boot into a kernel without MP support. em0 works fine, but em1 throws 
 watchdog timeout errors frequently, and it is so slow to the point of being 
 unusable. em1 is slow even if it happens to not be throwing the watchdog 
 timeout errors. I first noticed this when I set both devices to configure 
 via dhcp. Thinking it might be a broken card, I swapped in another card of 
 the same model and chipset, and experienced the same problem. The other nic 
 in the system, re0, works fine. I've looked through some message boards on 
 the subject but I have not found anything conclusive, and I'm at a loss at 
 what the problem could be. I'm hoping it's a configuration issue, or a 
 problem at my end. Any advice would be greatly appreciated.

 Bob

 Here is my dmesg:

 OpenBSD 4.1 (GENERIC.MP) #0: Sat Jun  2 21:46:21 EST 2007
 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 468185088 (457212K)
 avail mem = 388567040 (379460K)
 using 11481 buffers containing 47026176 bytes (45924K) of memory
 mainbus0 (root)
 bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0100 (53 entries)
 bios0: Gigabyte Technology Co., Ltd. GA-MA69VM-S2
 acpi at mainbus0 not configured

try 'enable acpi' at the boot loader; if it helps, you can make it
permanent with config -e



Re: /usr/obj partition AWOL

2007-06-06 Thread Otto Moerbeek
On Wed, 6 Jun 2007, Markus Lude wrote:

 On Tue, Jun 05, 2007 at 07:51:48AM +0200, Otto Moerbeek wrote:
  
  On Tue, 5 Jun 2007, Markus Lude wrote:
  
   On Mon, Jun 04, 2007 at 06:02:59PM -0500, Emilio Perea wrote:
I follow -current on an i386 at work and an amd64 at home, and rarely
run into any problem which is not self-inflicted.  So when I had a weird
experience this weekend, I assumed it was my fault.

What happened was that after the usual sequence of [build kernel;
reboot; build userland; reboot] the system complained that it could not
fsck wd1j and dropped into single-user mode.  wd1j is mounted on
/usr/obj, and I thought that something in the last build had messed it
up, so I ran newfs wd1j and got 

 newfs: /dev/rwd1j: Device not configured

disklabel wd1 showed partitions d-i and k-p, but no j.  I added the
partition, ran newfs, and everything seemed fine.  This afternoon I
installed the i386 snapshot downloaded this morning (dated Jun 3 19:19)
on the work pc, and after reboot it was missing the /usr/obj partition
(sd0g in this case).

Everything seems to be working fine on both computers, but I didn't
expect the partitions to disappear.  Did nobody else run into this
problem?  Or did everybody else who saw it thought it was too obvious
to mention it to the mailing list?
   
   I had a similar problem on sparc64 with a snapshot from jun 2. The
   system was unable to fsck some partitions and dropped to single user
   mode.
   Here the problems were with the /usr, /var, /tmp and /home partitions.
   Some further (and larger partitions) weren't affected.
   
   I installed an older snapshot.
   
   Any suggestions how to get this fixed or what to test/try?
  
  There were some validation checks added to partitions. If a bad
  partition is found, it will be marked unused. The checks were a
  little too strict for some cases. A fix for that went in yesterday, so
  try a new snap.
 
 Thanks for your info.
 
 After rebuilding kernel and userland the problem still exists, but now
 the affected partitions are /var, /home and /data. Hmm. Unmounting /data
 and doing a manual fsck -f runs without problems.
 
  If the problem persists, please report with full disklabel output.
 
 $ cat /etc/fstab
 /dev/wd0a / ffs rw 1 1
 /dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
 /dev/wd0e /usr ffs rw,nodev 1 2
 /dev/wd0f /var ffs rw,nodev,nosuid 1 2
 /dev/wd0g /home ffs rw,nodev,nosuid 1 2
 /dev/wd0h /data ffs rw,nodev,nosuid 1 2
 /dev/wd1d /backup ffs rw,nodev,nosuid 1 2
 
 with a current kernel:
 
 $ sudo disklabel wd0
 # /dev/rwd0c:
 type: ESDI
 disk: ESDI/IDE disk
 label: ST3120213A  
 flags:
 bytes/sector: 512
 sectors/track: 63
 tracks/cylinder: 16
 sectors/cylinder: 1008
 cylinders: 16383
 total sectors: 16514064
^^^

1008 * 16383 = 16514064

 rpm: 3600
 interleave: 1
 trackskew: 0
 cylinderskew: 0
 headswitch: 0   # microseconds
 track-to-track seek: 0  # microseconds
 drivedata: 0 
 
 16 partitions:
 # sizeoffset  fstype [fsize bsize  cpg]
   a:   1024128 0  4.2BSD   2048 16384   16 # Cyl 0 -  
 1015 
   b:   3072384   1024128swap   # Cyl  1016 -  
 4063 
   c: 234441648 0  unused  0 0  # Cyl 0 
 -232580 
^

Your disk size and c partition size do not match. Can you send a
dmesg, to see what the actual size of your disk is? This is really
needed to see what is going on.

Did you at any time edit the disk size by hand?

   d:   2048256   4096512  4.2BSD   2048 16384   16 # Cyl  4064 -  
 6095 
   e:  20479536   6144768  4.2BSD   2048 16384   16 # Cyl  6096 - 
 26412 
 disklabel: partition c: partition extends past end of unit
 disklabel: partition e: partition extends past end of unit
 
 older kernel:
 $ sudo disklabel wd0
 [...]
 16 partitions:
 # sizeoffset  fstype [fsize bsize  cpg]
   a:   1024128 0  4.2BSD  0 0   16 # Cyl 0 -  
 1015 
   b:   3072384   1024128swap   # Cyl  1016 -  
 4063 
   c: 234441648 0  unused  0 0  # Cyl 0 
 -232580 
   d:   2048256   4096512  4.2BSD  0 0   16 # Cyl  4064 -  
 6095 
   e:  20479536   6144768  4.2BSD  0 0   16 # Cyl  6096 - 
 26412 
   f:   4095504  26624304  4.2BSD  0 0   16 # Cyl 26413 - 
 30475 
   g:  20479536  30719808  4.2BSD  0 0   16 # Cyl 30476 - 
 50792 
   h: 183242304  51199344  4.2BSD  0 0   16 # Cyl 50793 
 -232580 
 disklabel: partition c: partition extends past end of unit
 disklabel: partition e: partition extends past end of unit
 disklabel: partition f: offset past end of unit
 disklabel: partition f: partition extends past end of unit
 disklabel: partition g: offset past end of unit
 disklabel: partition g: 
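As an added example (my code, not anything from this thread, from disklabel(8) or from the OpenBSD kernel), the checks Otto is doing by hand above can be reproduced over the label Markus posted: parse the disklabel(8) output, cross-check sectors/cylinder times cylinders against total sectors, flag partitions in the wording disklabel(8) uses, compare the c partition with the unit size, and map the partitions a kernel would drop back to the mount points in fstab. The sample label is the "older kernel" listing from Markus' mail with its normal column spacing restored, and the fstab is the one he posted; the rule that a partition is dropped when its offset lies past the end of the unit is my assumption, inferred from the two listings in the thread (f, g and h vanished, e stayed), not the kernel's actual code.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the "older kernel" label from the thread, with the
# column spacing disklabel(8) normally prints (the mail archive collapsed it).
SAMPLE_LABEL = """\
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: ST3120213A
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 16514064

16 partitions:
#        size   offset  fstype [fsize bsize  cpg]
  a:   1024128        0  4.2BSD      0     0   16 # Cyl     0 -   1015
  b:   3072384  1024128    swap                   # Cyl  1016 -   4063
  c: 234441648        0  unused      0     0      # Cyl     0 - 232580
  d:   2048256  4096512  4.2BSD      0     0   16 # Cyl  4064 -   6095
  e:  20479536  6144768  4.2BSD      0     0   16 # Cyl  6096 -  26412
  f:   4095504 26624304  4.2BSD      0     0   16 # Cyl 26413 -  30475
  g:  20479536 30719808  4.2BSD      0     0   16 # Cyl 30476 -  50792
  h: 183242304 51199344  4.2BSD      0     0   16 # Cyl 50793 - 232580
"""

# Constructed sample input: the fstab posted in the thread.
SAMPLE_FSTAB = """\
/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0e /usr ffs rw,nodev 1 2
/dev/wd0f /var ffs rw,nodev,nosuid 1 2
/dev/wd0g /home ffs rw,nodev,nosuid 1 2
/dev/wd0h /data ffs rw,nodev,nosuid 1 2
/dev/wd1d /backup ffs rw,nodev,nosuid 1 2
"""


@dataclass
class Partition:
    name: str
    size: int      # sectors
    offset: int    # sectors from the start of the unit
    fstype: str


# "  a:   1024128        0  4.2BSD ..." -> name, size, offset, fstype
PART_RE = re.compile(r"^\s*([a-p]):\s*(\d+)\s+(\d+)\s*(\S+)")


def parse_label(text):
    """Return (geometry dict, partition list) from disklabel(8) output."""
    geometry, partitions = {}, []
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            name, size, offset, fstype = m.groups()
            partitions.append(Partition(name, int(size), int(offset), fstype))
        elif ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            if value.strip().isdigit():        # keep only numeric geometry fields
                geometry[key.strip()] = int(value)
    return geometry, partitions


def check_label(geometry, partitions):
    """Warnings in the wording disklabel(8) uses, plus a geometry cross-check."""
    total = geometry["total sectors"]
    warnings = []
    computed = geometry["sectors/cylinder"] * geometry["cylinders"]
    if computed != total:
        warnings.append(f"geometry: {computed} sectors by cylinders, total sectors {total}")
    for p in partitions:
        if p.offset > total:
            warnings.append(f"partition {p.name}: offset past end of unit")
        if p.offset + p.size > total:
            warnings.append(f"partition {p.name}: partition extends past end of unit")
    return warnings


def unit_size_mismatch(geometry, partitions):
    """'c' spans the whole unit; return (c size, total sectors) if they disagree."""
    total = geometry["total sectors"]
    for p in partitions:
        if p.name == "c" and p.size != total:
            return p.size, total
    return None


def dropped_mounts(fstab_text, disk, geometry, partitions):
    """Mount points on `disk` whose partition starts past the end of the unit.
    Assumed drop rule (inferred from the thread, not the kernel's code)."""
    total = geometry["total sectors"]
    dropped = {p.name for p in partitions if p.name != "c" and p.offset > total}
    prefix = "/dev/" + disk
    mounts = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith(prefix):
            if fields[0][len(prefix):] in dropped:
                mounts.append(fields[1])
    return mounts


if __name__ == "__main__":
    geometry, partitions = parse_label(SAMPLE_LABEL)
    for w in check_label(geometry, partitions):
        print("disklabel:", w)
    print("c vs unit:", unit_size_mismatch(geometry, partitions))
    print("mounts lost:", dropped_mounts(SAMPLE_FSTAB, "wd0", geometry, partitions))
```

Run as-is it prints the same eight warnings the older kernel's disklabel output shows, the c/unit mismatch (234441648 vs 16514064, which is what Otto is pointing at), and /var, /home and /data as the mount points that disappear. On a live system, feed it the output of `disklabel wd0` and your own fstab instead of the constructed strings.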

Re: revenge of stupid vlan questions

2007-06-06 Thread Chris Cappuccio
Jon [EMAIL PROTECTED] wrote:
 Incidentally, it was the vlan(4) man page that gave me the idea to
 set the mtu to 1518:
 
 Some Ethernet chips will either discard or truncate Ethernet frames
 that are larger than 1514 bytes.  This causes a problem as 802.1Q
 tagged frames can be up to 1518 bytes.  Most controller chips can be
 told not to discard large frames and/or to increase the allowed frame
 size.  Refer to the hardware manual for your chip to do this.
 
 For some reason I thought that meant it would be a good idea to up
 the mtu to 1518.
 

No, this is not a correct setting.

The interface MTU refers to the higher layer object, while the vlan(4) page
is talking about frames on the wire.  I wrote that into vlan(4) to explain
to people how the added 802.1Q tag affects their network drivers, not 
so users would touch the MTU.



semi transparent spamd-bridge

2007-06-06 Thread Christoph Schneeberger
Hello,

I have found the article 
http://undeadly.org/cgi?action=article&sid=20061108134508 and tried to
setup such a bridge with OpenBSD 4.1.

Now before I go too deep into my setup, I have just one very basic
question which still confuses me, and for me basically explains why my
setup doesn't work.

As far as I understood the article I am setting up a bridge with an ip
assigned [1.1.1.5/24] to the external interface in front of my
mailserver [1.1.1.35/24].
Now given the pf rules from above URL and spamd configured and running,
I see the following problem:

case 1: src host is whitelisted, connection is allowed to 1.1.1.35,
everything works fine.
case 2: src host is grey-/blacklisted and therefore redirected to
127.0.0.1, in this case I get just a timeout when I try to telnet to
port 25 of 1.1.1.35 which as I understand is caused by many reasons,
among them that the src host expects tcp packets only from 1.1.1.35 and
not from 1.1.1.5 which is the only ip from which the bridge's spamd could
use to talk to the src host (sender mta).

I have exhausted google in this matter and I know I must be
doing/thinking something the completely wrong way(tm), but still I am
just stuck in my understanding of how this could/should work and
therefore having a hard time to get my test setup running obviously;-)

Any hint, reading pointer, link etc. would be highly appreciated.

Thanks in advance for any helpful kick in the right direction,
Christoph




-- 


  Quis custodiet ipsos custodes?



postfix timeout

2007-06-06 Thread bdz

Hi list,

I have some problem with my postfix on 4.1 stable. If I do a telnet 
localhost 25, then HELO is OK but after the MAIL FROM: command there is 
no answer. In the maillog there is only a note about the connection 
(connect from localhost[127.0.0.1]), but not any error messages. Got any 
idea what is going wrong?


Thank you,
bdz

postfix-2.4.20070125-mysql for virtual domains with mysql backend.

kozpontiagy# postconf -n
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydestination = localhost localhost.$mydomain $myhostname
mydomain = fokazsir.hu
myhostname = mail.fokazsir.hu
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_banner = $myhostname ESMTP $mail_name
transport_maps = mysql:/etc/postfix/mysql_virtual_transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/mailhome/vhosts
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000



Re: semi transparent spamd-bridge

2007-06-06 Thread Darrin Chandler
On Wed, Jun 06, 2007 at 09:44:30PM +0200, Christoph Schneeberger wrote:
 I have found the article 
 http://undeadly.org/cgi?action=article&sid=20061108134508 and tried to
 setup such a bridge with OpenBSD 4.1.

I also used that article to do this setup, and it worked fine...

 case 1: src host is whitelisted, connection is allowed to 1.1.1.35,
 everything works fine.
 case 2: src host is grey-/blacklisted and therefore redirected to
 127.0.0.1, in this case I get just a timeout when I try to telnet to
 port 25 of 1.1.1.35 which as I understand is caused by many reasons,
 among them that the src host expects tcp packets only from 1.1.1.35 and
 not from 1.1.1.5 which is the only ip from which the bridge's spamd could
 use to talk to the src host (sender mta).

I don't think case 2 is for the reason you point out. At least I never
had that problem.

Do you have the absolutely essential pass ... route-to ... rule correct?

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Bidirectional translation for DNS and WWW servers

2007-06-06 Thread BradenM - Sonoma Computer

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:bf:3a:2e:66
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
   inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:13:46:30:0b:b2
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
   inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:19:5b:3d:12:12
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
   inet6 fe80::219:5bff:fe3d:1212%vr0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536

# cat /etc/pf.conf
#Macros

# 192.168.0.1 subnet
ext_ip=64.142.102.8
int_ip=192.168.0.1
int_block=192.168.0.0/24
#DMZ subnet
#Interface
dmz_ip=192.168.1.1
#DNS 1
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
#DNS 2
shelly=192.168.1.3
pub_shelly=64.142.102.10
#WWW 1
www_ip=192.168.1.4
pub_www=64.142.102.11
#Normalizing
#scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Default block policy
#block all

#Anti-spoofing
#block in quick from urpf-failed

#Traffic passing through
pass in all
pass out all

#External interfaces
#pass in on rl0 inet proto { tcp, udp } all modulate state
#pass out on rl0 proto { tcp, udp, icmp } all modulate state

# dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 931 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 401108992 (391708K)
avail mem = 357941248 (349552K)
using 4278 buffers containing 20180992 bytes (19708K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 10/14/00, BIOS32 rev. 0 @ 0xfd8a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd8a0/0x760
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xa000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810E rev 0x03: rng active, 7Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810E Graphics rev 0x03: aperture at 0xf800, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
rl0 at pci1 dev 11 function 0 Realtek 8139 rev 0x10: irq 5, address 00:50:bf:3a:2e:66
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci1 dev 13 function 0 D-Link Systems 530TX+ rev 0x10: irq 9, address 00:13:46:30:0b:b2
rlphy1 at rl1 phy 0: RTL internal PHY
vr0 at pci1 dev 14 function 0 VIA VT6105 RhineIII rev 0x86: irq 10, address 00:19:5b:3d:12:12
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: WDC WD100EB-11BHF0
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, CD-RW CRX320EE, RYK4 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichiic0 at pci0 dev 31 function 3 Intel 82801AA SMBus rev 0x02: irq 9
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 

Re: Bidirectional translation for DNS and WWW servers

2007-06-06 Thread Matt Rowley
 rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:50:bf:3a:2e:66
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1

 binat on rl0 from $scarlett to any -> $pub_scarlett
 binat on rl0 from $shelly to any -> $pub_shelly
 binat on rl0 from $www_ip to any -> $pub_www

the external addresses you're pointing to in your binat statements, you have
them configured as aliases to your external interface (rl0), right?
(one can't tell from ifconfig output unless you run 'ifconfig rl0' explicitly)

--Matt
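Matt's question can be checked mechanically: parse the macros and nat/binat rules out of pf.conf, parse the addresses out of ifconfig, and flag every translation target that the interface does not actually carry. The script below is an added example written for this thread; it is not the poster's code and not part of pf. It assumes, as on OpenBSD, that an alias appears as an additional "inet" line under its interface in ifconfig output. The ifconfig text and pf.conf fragment inside it are constructed from the values posted above, with a second constructed ifconfig showing the box after the three public addresses were added as aliases.

```python
"""Cross-check pf translation targets against the addresses configured on
the interface.  Added example for this thread, not the poster's code and
not part of pf.  Assumes (true on OpenBSD) that an alias shows up as an
extra "inet" line under its interface in ifconfig output."""
import re
from collections import defaultdict

# Constructed: the poster's ifconfig, rl0 carrying only its primary address.
IFCONFIG_OUTPUT = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   inet 127.0.0.1 netmask 0xff000000
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:bf:3a:2e:66
   inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
   inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
"""

# Constructed: the same box after the three public addresses were aliased onto rl0.
IFCONFIG_WITH_ALIASES = IFCONFIG_OUTPUT.replace(
    "   inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255\n",
    "   inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255\n"
    "   inet 64.142.102.9 netmask 0xffffffff broadcast 64.142.102.9\n"
    "   inet 64.142.102.10 netmask 0xffffffff broadcast 64.142.102.10\n"
    "   inet 64.142.102.11 netmask 0xffffffff broadcast 64.142.102.11\n")

# Constructed: the macros and translation rules from the posted pf.conf.
PF_CONF = """\
ext_ip=64.142.102.8
int_block=192.168.0.0/24
scarlett=192.168.1.2
pub_scarlett=64.142.102.9
shelly=192.168.1.3
pub_shelly=64.142.102.10
www_ip=192.168.1.4
pub_www=64.142.102.11
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\s]+)"?\s*$')
XLATE_RE = re.compile(
    r'^\s*(nat|binat)\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+\S+\s*->\s*(\S+)')
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def parse_ifconfig(text):
    """Map interface name -> set of IPv4 addresses (primary plus aliases)."""
    addrs = defaultdict(set)
    iface = None
    for line in text.splitlines():
        head = re.match(r'^(\S+?):\s+flags=', line)
        if head:
            iface = head.group(1)
            continue
        inet = re.match(r'^\s+inet\s+(\d+\.\d+\.\d+\.\d+)', line)
        if inet and iface:
            addrs[iface].add(inet.group(1))
    return dict(addrs)


def expand(token, macros):
    """Substitute $name macros inside a pf token; unknown macros are left alone."""
    return re.sub(r'\$([A-Za-z_]\w*)',
                  lambda m: macros.get(m.group(1), m.group(0)), token)


def parse_translations(text):
    """Return (kind, iface, src, dst) for every nat/binat rule, macros expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]          # drop comments
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = XLATE_RE.match(line)
        if m:
            kind, iface, src, dst = m.groups()
            rules.append((kind, iface, expand(src, macros), expand(dst, macros)))
    return rules


def missing_aliases(ifconfig_text, pf_text):
    """Translation rules whose target address is not configured on the interface.

    Targets that are not a plain IPv4 literal (e.g. "(rl0)" or a network)
    are skipped: pf resolves those itself."""
    addrs = parse_ifconfig(ifconfig_text)
    return [(kind, iface, src, dst)
            for kind, iface, src, dst in parse_translations(pf_text)
            if IPV4_RE.match(dst) and dst not in addrs.get(iface, set())]


if __name__ == '__main__':
    for kind, iface, src, dst in missing_aliases(IFCONFIG_OUTPUT, PF_CONF):
        print(f"{kind} for {src}: target {dst} is not configured on {iface}")
    print("after adding aliases:", missing_aliases(IFCONFIG_WITH_ALIASES, PF_CONF))
```

On the posted configuration it reports the three binat targets (64.142.102.9, .10 and .11) as missing from rl0 while the nat target 64.142.102.8 passes; on the aliased ifconfig it reports nothing. Feed it the real `ifconfig rl0` output and the real pf.conf to run the same check on a live box.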



Re: semi transparent spamd-bridge

2007-06-06 Thread Christoph Schneeberger
Darrin Chandler wrote:
 On Wed, Jun 06, 2007 at 09:44:30PM +0200, Christoph Schneeberger wrote:
 I have found the article 
 http://undeadly.org/cgi?action=articlesid=20061108134508 and tried to
 setup such a bridge with OpenBSD 4.1.
 
 I also used that article to do this setup, and it worked fine...
 
 case 1: src host is whitelisted, connection is allowed to 1.1.1.35,
 everything works fine.
  case 2: src host is grey-/blacklisted and therefore redirected to
 127.0.0.1, in this case i get just a timeout when i try to telnet to
 port 25 of 1.1.1.35 which as I understand is caused by many reasons,
 among them that the src hosts expects tcp packets only from 1.1.1.35 and
 not from 1.1.1.5 which is the only ip from which the bridges spamd could
 use to talk to the src host (sender mta).
 
 I don't think case 2 is for the reason you point out. At least I never
 had that problem.
 
 Do you have the absolutely essential pass ... route-to ... rule correct?

Thanks for following up.
Yes, I think at least, that's what my pf.conf looks like:

ext_if=fxp0
int_if=xl0
table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
pass in log on $ext_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 8025 keep state


-- 
 ---+
/ Christoph Schneeberger/  SCS TeleMedia AG |
   / GIAC GSEC / Liestalerstrasse 47|
  / [EMAIL PROTECTED]  / [EMAIL PROTECTED]   |
 / 4419 Lupsingen/ http://www.telemedia.ch  |
/ tel +41 61 915 9155   / fax +41 61 911 0714   |
+

This e-mail is confidential and may be privileged. It may
be read, copied and used only by the addressee. If you
have received it in error, please contact us immediately.


  Quis custodiet ipsos custodes?



Re: Bidirectional translation for DNS and WWW servers

2007-06-06 Thread Bray Mailloux

Matt Rowley wrote:

 rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:bf:3a:2e:66
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 64.142.102.8 netmask 0xffffff00 broadcast 64.142.102.255
   inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1

 binat on rl0 from $scarlett to any -> $pub_scarlett
 binat on rl0 from $shelly to any -> $pub_shelly
 binat on rl0 from $www_ip to any -> $pub_www

 the external addresses you're pointing to in your binat statements, you have
 them configured as aliases to your external interface (rl0), right?
 (one can't tell from ifconfig output unless you run 'ifconfig rl0' explicitly)

 --Matt

No, I did not. I removed them in the past for reasons unknown. Thank you
for your help, everyone.




Re: Bidirectional translation for DNS and WWW servers

2007-06-06 Thread Stuart Henderson
On 2007/06/06 14:32, BradenM - Sonoma Computer wrote:
...pretty useful info...

Also useful for any suspected PF problems:

# pfctl -sa
(to check that the ruleset did indeed get loaded, and that PF is
enabled - if you can also have some pings running we'll see how
state tables look too).

# sysctl net.inet.ip.forwarding
(you never know...)

How does traffic from the outside reach this machine? Is whatever
device that's giving it connectivity setup to send traffic for all
the relevant IP addresses to this box?

You should be able to pfctl -d to disable PF and ping each address
from outside. If not there's a more fundamental problem that needs
looking at before examining the PF configuration. Fix then enable
PF again (pfctl -e).

Not relevant to you since you pass all traffic, but other people
are reading this who might not: 'log' on all block rules, reload
PF, and (ifconfig pflog0 up; tcpdump -nettipflog0)



Re: semi transparent spamd-bridge

2007-06-06 Thread Mark Pecaut

On 6/6/07, Christoph Schneeberger [EMAIL PROTECTED] wrote:

 case 1: src host is whitelisted, connection is allowed to 1.1.1.35,
 everything works fine.
 case 2: src host is grey-/blacklisted and therefore redirected to
 127.0.0.1, in this case i get just a timeout when i try to telnet to
 port 25 of 1.1.1.35 which as I understand is caused by many reasons,
 among them that the src hosts expects tcp packets only from 1.1.1.35 and
 not from 1.1.1.5 which is the only ip from which the bridges spamd could
 use to talk to the src host (sender mta).


Try some tcpdump'ing to see where it is failing, for example on lo0 or
$ext_if.  Add some 'log' to your rules.

Can the bridge talk to other internet hosts?  Does it have a default
gateway?  Is spamd actually running?  spamlogd?  Is that the complete
pf.conf?  Give more complete information, including the obvious stuff.

-Mark



Re: mysql4

2007-06-06 Thread Marcos Laufer
I'm not sure that the reason mysql4 isn't in the packages is due to lack of
time or resources..
There must be some other reason, i think this because every time there are
more and more packages, so removing one that so many people use is kind of weird.

I was thinking about upgrading (by making a fresh install) to 4.1 an old 3.4
webserver that also runs mysql4, and i had the intention of installing
mysql4 on the new one so no modification on applications are needed.
I can't upgrade the users applications because this server runs at least
1000 websites, the users won't like to modify their code, and i am not a
programmer neither.
But if it's not in the packages, i guess i should have to compile it myself
then.
I just wanted to know the real reason (maybe there is a security reason) of
why mysql4 isn't included in packages anymore, not just a guess.

- Original Message - 
From: Daniel Ouellet [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Tuesday, June 05, 2007 11:46 PM
Subject: Re: mysql4


Marcos Laufer wrote:
 Hello there,

 I don't know if this has been asked or discussed before,..
  here's no mysql4 packages in OpenBSD 4.1 . Why?

mysql-server-5.0.33.tgz

Is available. They do not have the resources to have every possible
version as packages, nor do they have the equipment to make all of them.
If you want a packages, as an example, 4.1 for i386 have the above ready
to go. I guess just upgrade your applications as you upgrade your OS,
why not.



Re: mysql4

2007-06-06 Thread Daniel Ouellet

Marcos Laufer wrote:

I'm not sure that the reason mysql4 isn't in the packages is due to lack of
time or resources..
There must be some other reason, i think this because every time there are
more and more packages, so removing one that so many people use is kind of weird.


http://openbsd.org/faq/faq15.html#PkgFAQ

And the keep packages in sync with the OS. The version 4 was there a 
long time ago. Plus it's not the policy of the project to keep multiple 
version of a packages. PHP is an exception as an example, but sooner or 
later you can sure expect to see the PHP 4.x be drop all together for 
example.



I was thinking about upgrading (by making a fresh install) to 4.1 an old 3.4
webserver that also runs mysql4, and i had the intention of installing
mysql4 on the new one so no modification on applications are needed.


No change in application would be needed really. Your SQL query are 
still SQL and will work as they are now. New version added new SQL 
functionality, but if you read MySQL, you will see, they didn't drop 
anything. Why would you think it wouldn't work. I see nothing to that 
effect at all. Any specific facts you want to share?



I can't upgrade the users applications because this server runs at least
1000 websites, the users won't like to modify their code, and i am not a
programmer neither.


Nor would you have to. You connect to the database either by sockets or 
TCP connections. As long as your server is setup properly, it does the 
same thing. Again, any facts you want to share to the contrary?



But if it's not in the packages, i guess i should have to compile it myself
then.
I just wanted to know the real reason (maybe there is a security reason) of
why mysql4 isn't included in packages anymore, not just a guess.


Again, all explained here, not a guess:

http://openbsd.org/faq/faq15.html#PkgFAQ

And more specifically, quote "The ports collection is a volunteer 
project. Sometimes the project simply doesn't have the developer 
resources to keep everything up-to-date. Developers pretty much pick up 
what they consider interesting and can test in their environment. Your 
donations can make a difference for testing ports on more platforms."


This statement also works both ways, meaning newer and older version. 
Simply not the resources to keep all possible version, plus it would be 
pretty much useless if you asked me, which I am sure you would disagree 
with anyway.


But no, my first answer wasn't speculations, or guess.

Best,

Daniel



Re: How to run and manage a DNS server.

2007-06-06 Thread Open Phugu

On 6/6/07, Bray Mailloux [EMAIL PROTECTED] wrote:

Hello;

This is my first time managing anything larger than a simple dhcp or pf
box and I'm wondering if there is anyone available on this list who can
answer a few questions I have concerning the creation and management of
DNS servers.

Give us details of what you want to accomplish and your questions.



Re: How to run and manage a DNS server.

2007-06-06 Thread Sam Fourman Jr.
well here is a question, I was wondering if there would be any way to make
OpenBSD based DNS servers have a PostgreSQL backend. (I know there will be a
performance hit)

and does anyone know of a gtk front end for DNS management? or maybe a web
based solution that is just DNS not like a full install of webmin.


Sam Fourman Jr.

On 6/6/07, Open Phugu [EMAIL PROTECTED] wrote:

 On 6/6/07, Bray Mailloux [EMAIL PROTECTED] wrote:
  Hello;
 
  This is my first time managing anything larger than a simple dhcp or pf
  box and I'm wondering if there is anyone available on this list who can
  answer a few questions I have concerning the creation and management of
  DNS servers.
 Give us details of what you want to accomplish and your questions.



Re: How to run and manage a DNS server.

2007-06-06 Thread Karl R Balsmeier
Basically since this is openbsd, my last obsd box came with chrooted 
'named' already present on the machine.


I edited the config files named.conf, dropped in a 'zone file' for 
mydomain.com, with the proper syntax, serial number (today's date with a 
01 as: 2007060601), and restarted named/bind.


-important because named/bind only parses the new changes in the config 
after a restart -maybe i'm wrong here but it's a good practice to get in 
the habit of [assuring daemons re-read config files after changes].


I was then able to use the 'dig' command on the server, as well as 
various linux, unix clients to verify dns was propagating, and with the 
intended results.  Boo ya, there's my web server.  And there's my mail.  
wahoo. 

It's a 5 minute task for a seasoned individual, but sort of a day-by-day 
learning experience for a beginner to graduate to 'knowing it cold' e.g. 
troubleshooting routers, loadbalancers, email, and dns all at once.


I am glad I chose Openbsd to learn all about making DNS servers because 
for one, this project is very modular, it doesn't try to do too much or 
be too many things, and secondly, at its core, it's a really nice 
networking OS.  Thirdly, it's 'secure-by-default', which in your case 
you are in a win-win situation because 'chrooted bind' comes already 
installed and ready for you to configure and deploy.


I left out some technical detail in this response to give you an 
overview.  You edit a few files and restart the daemon, do some dig 
commands, and see if you can reach your intended target servers (maybe 
an apache server or something on another IP).  Maybe you also remove 
some difficulties by making sure your firewalled environment (work or 
home), as well as your nat or routing is in order.  Don't want too 
many of those outside factors impacting your learning experience by way 
of mystery, rather by intent or controlled circumstance.


That said, there are hundreds of brilliant minds who peruse this list 
over a given week, -surely one of them can give you a command by command 
sequence, -perhaps i'll bust out a 4.1 box and send you my command 
history, I could use a 4th dns server around here.  I forget if obsd 
does 64-bit/smp/amd, time to go visit www.openbsd.org and look at the 
FAQ.  A great place to hang.  You'll probably see DNS server info there, 
or type man named and see what you get.


-krb

Bray Mailloux wrote:

Hello;

This is my first time managing anything larger than a simple dhcp or 
pf box and I'm wondering if there is anyone available on this list who 
can answer a few questions I have concerning the creation and 
management of DNS servers.


Thanks;
Bray.




Re: How to run and manage a DNS server.

2007-06-06 Thread Daniel Ouellet

Sam Fourman Jr. wrote:

well here is a question, I was wondering if there would be any way to make
OpenBSD based DNS servers have a PostgreSQL backend. (I know there will be a
performance hit)

and does anyone know of a gtk front end for DNS management? or maybe a web
based solution that is just DNS not like a full install of webmin.


Are you running an ISP setup? If not, it's not like you will have many 
changes in DNS entry to worth that much trouble. Plus if you never did 
DNS setup before, don't you think it would be much safer to start to 
learn what you need and use the setup offer as is first? Or are you 
doing this just to get a Microsoft like GUI interface? The real question 
you should ask yourself first to see if you even need that is how 
often will you change your DNS entry and how many domains will you 
manage? Based on your experience, I would venture to say that you 
wouldn't have many domains and would need many changes, so your request 
is way out of proportion with the problem you try to solve and the 
knowledge you try to get as well. I could be wrong, but it looks like you 
put the carriage before the horses here, no?


KISS is your friend, especially when you try to learn it.

Best,

Daniel.



Re: How to run and manage a DNS server.

2007-06-06 Thread Daniel Ouellet

More for you.

Go here:

http://openbsdsupport.org/

4th one from the top called OpenBSD as a domain name server

Also you can read to get understanding of DNS usage here:

http://cr.yp.to/djbdns.html (that's not bind, but provides good details 
on how things work as well)


Same here:
http://lifewithdjbdns.org/

and then the big bible on bind

http://www.isc.org/index.pl, the specific section on BIND.

And finally there is the man page as well.

But just the first link will definitely get you going for sure.

Best,

Daniel



Re: How to run and manage a DNS server.

2007-06-06 Thread Chris Kuethe

On 6/6/07, Karl R Balsmeier [EMAIL PROTECTED] wrote:

... and restarted named/bind.



-important because named/bind only parses the new changes in the config
after a restart -maybe i'm wrong here but it's a good practice to get in
the habit of [assuring daemons re-read config files after changes].


sudo rndc reload

no need to restart the daemon and interrupt services...


--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: How to run and manage a DNS server.

2007-06-06 Thread Open Phugu

On 6/6/07, Sam Fourman Jr. [EMAIL PROTECTED] wrote:

well here is a question, I was wondering if there would be anyway to make
OpenBSD based DNS
 servers have a PostgreSQL backend. (I know there will be a performance hit)

This (http://home.tiscali.cz:8080/~cz210552/sqldns.html)  might do what you
want, but be warned, it might be *very* slow.
A simpler solution would be to use bind and regularly dump the contents of the
database into the zone files.
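Two things in this thread fit one small tool: Karl's procedure (drop a zone file in with a YYYYMMDDnn serial such as 2007060601, then make named re-read it, which Chris points out is `rndc reload` rather than a restart) and Open Phugu's suggestion of keeping the records in a database and regularly dumping them into zone files. The script below is an added example written for this thread; it is not BIND's code and not anything the posters ran. It uses an in-memory SQLite table of constructed records for mydomain.com (addresses from the 192.0.2.0/24 documentation range) in place of a real database, reads the serial out of the previous zone file, and bumps it in the YYYYMMDDnn style, including the cases of several edits on one day and of an old serial that is already past today's range. Names and types coming out of the database are validated before they are written, so a stray `$INCLUDE` or newline in a record cannot smuggle a directive into the generated file.

```python
"""Regenerate a BIND zone file from a record database and bump the SOA serial.
Added example for this thread: not BIND's code, not the posters' setup.
The SQLite table and its records are constructed for illustration."""
import datetime
import re
import sqlite3

SERIAL_MOD = 2 ** 32            # SOA serials use 32-bit arithmetic (RFC 1982)
ALLOWED_TYPES = {'A', 'AAAA', 'NS', 'MX', 'CNAME', 'TXT'}
NAME_RE = re.compile(r'^(@|[A-Za-z0-9_*][A-Za-z0-9_.-]*)$')
THREAD_DATE = datetime.date(2007, 6, 6)   # the date of this thread, for reproducible runs


def next_serial(current, today=None):
    """Return a serial larger than `current`, preferring today's YYYYMMDDnn.

    Several edits on one day keep bumping nn.  A serial already past today's
    range (an old Unix-timestamp scheme, or YYYYMMDD99) is simply incremented,
    because the only rule secondaries care about is that the serial grows."""
    today = today or datetime.date.today()
    base = int(today.strftime("%Y%m%d")) * 100      # YYYYMMDD00
    if current < base:
        return base + 1
    if current < base + 99:
        return current + 1
    return (current + 1) % SERIAL_MOD


def read_serial(zone_text):
    """Pull the serial out of an existing zone file's SOA record, or None."""
    m = re.search(r'IN\s+SOA\s+\S+\s+\S+\s*\(\s*(\d+)', zone_text)
    return int(m.group(1)) if m else None


def build_zone(conn, origin, serial):
    """Render the zone text for `origin` from the records table.

    Names and types are validated so that a stray '$INCLUDE' or newline in
    the database cannot inject directives into the generated file."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 3600",
        f"@ IN SOA ns1.{origin}. hostmaster.{origin}. (",
        f"        {serial} ; serial",
        "        3600 ; refresh",
        "        900 ; retry",
        "        604800 ; expire",
        "        300 ) ; minimum",
    ]
    rows = conn.execute(
        "SELECT name, type, data FROM records WHERE zone = ? "
        "ORDER BY name, type, data", (origin,))
    for name, rtype, data in rows:
        if rtype not in ALLOWED_TYPES or not NAME_RE.match(name) or '\n' in data:
            raise ValueError(f"refusing to emit record {name!r} {rtype!r} {data!r}")
        lines.append(f"{name} IN {rtype} {data}")
    return "\n".join(lines) + "\n"


def regenerate(conn, origin, old_zone_text=None, today=None):
    """Return (new_zone_text, new_serial), bumping the serial of the old file."""
    old = read_serial(old_zone_text) if old_zone_text else None
    serial = next_serial(old or 0, today)
    return build_zone(conn, origin, serial), serial


def sample_db():
    """Constructed records for mydomain.com, the example domain used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (zone TEXT, name TEXT, type TEXT, data TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", [
        ("mydomain.com", "@", "NS", "ns1.mydomain.com."),
        ("mydomain.com", "@", "MX", "10 mail.mydomain.com."),
        ("mydomain.com", "ns1", "A", "192.0.2.1"),
        ("mydomain.com", "mail", "A", "192.0.2.25"),
        ("mydomain.com", "www", "A", "192.0.2.10"),
    ])
    return conn


if __name__ == '__main__':
    db = sample_db()
    first, serial = regenerate(db, "mydomain.com", today=THREAD_DATE)
    second, serial2 = regenerate(db, "mydomain.com", first, THREAD_DATE)
    print(second)
    print("serials:", serial, "->", serial2)
```

Run on the thread's date, the first generation gets serial 2007060601 and the second, fed the first file, gets 2007060602. Write the result over the zone file named.conf points at, then `rndc reload` as Chris suggests, and check with dig from another host as Karl describes.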



need a machine for an itanium port

2007-06-06 Thread David Gwynne
im getting to the point where there's no challenge left in writing
device drivers, i want to move onto something new. so after i finish
making the pile of controllers on my desk work, the thing i'd like to
do the most is port openbsd to a new architecture, specifically
itanium.

to do that work though i'd need an itanium to hack on. if itanium
support is something you would like to see happen then i'd appreciate
some help getting a system.

the machine would have to come to brisbane, australia, and i would
prefer a rack mountable system (1u or 2u) and something that is nice
to remotely administer.

email me ([EMAIL PROTECTED]) and Theo ([EMAIL PROTECTED]) if you'd
like to help.

thanks,
dlg



Re: How to run and manage a DNS server.

2007-06-06 Thread Tom Van Looy

http://lifewithdjbdns.org (henning@ wrote this ;-)
It's not about bind but it has stuff about mysql and ISP-Environments.

So it may be of your interest.


Sam Fourman Jr. wrote:

well here is a question, I was wondering if there would be any way to make
OpenBSD based DNS servers have a PostgreSQL backend. (I know there will be a
performance hit)

and does anyone know of a gtk front end for DNS management? or maybe a web
based solution that is just DNS not like a full install of webmin.


Sam Fourman Jr.

On 6/6/07, Open Phugu [EMAIL PROTECTED] wrote:

On 6/6/07, Bray Mailloux [EMAIL PROTECTED] wrote:

Hello;

This is my first time managing anything larger than a simple dhcp or pf
box and I'm wondering if there is anyone available on this list who can
answer a few questions I have concerning the creation and management of
DNS servers.

Give us details of what you want to accomplish and your questions.