Re: Bioctl ciss controller status

2007-07-20 Thread Stephan A. Rickauer
On Fri, 20 Jul 2007 12:35:53 +0200 (CEST)
Markus Hennecke <[EMAIL PROTECTED]> wrote:

> > # bioctl ciss0
> > bioctl: Can't locate ciss0 device via /dev/bio
> 
> The cause is that the ciss_inquiry struct returned by the firmware
> has the member buswidth set to 0 (zero). So the physical drives do
> not get probed by the driver. If you set this to some other value
> (the original value in the last firmware versions was 16) the
> "Identify Drive" commands will fail. If you change the addressing
> mode from the "Big Bit" method to the old scheme the drives can be
> queried. I hacked up a small patch that made it "work" for the
> servers used in our project (DL 380 G5). I attach it here, but beware
> that it has some problems:
> 
> 1. Drives that are identified by the scsi id 0:0.0 do not display the 
> right status. We do not have a drive there, so I did not look into
> that for longer (no time for "beauty work").
> 
> 2. I had to check the drive present bit and would add only those
> drives that were present on driver initialisation. Else the bioctl
> would show all drives as "Invalid" (with exception to the one that
> would get the id 0:0.0).
> 
> Overall it is only a quick and dirty hack to make it work. I try to
> look into that because I will have the servers here available a
> little bit longer, but I can't promise that. The other parts of the
> overall project are eating up all my time...
> 
> So this is the hack, I checked the functionality by removing one of
> the drives and reinserting it. All seems to work ok with the
> exceptions mentioned above. You can even mark a drive via bioctl. The
> patch is against 4.1-stable, dmesg and bioctl output follows below.
> There is a similar system with 5 HDs in a RAID 5 that works too. Use
> this at your own risk:


This is good news, thanks a lot. I will test it next week.

However, if there is a developer interested in getting this quick
fix more beautiful, I could enable remote login on one of our
machines for testing and developing. Please contact me off list.

Thanks,

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 Zurich            Web  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: Hack OpenBSD and improve fitness at the same time

2007-07-20 Thread Mark Mathias
exactly, you just open a "gym" and people will pay you money to power the
servers

On 7/20/07, bofh <[EMAIL PROTECTED] > wrote:
>
> Well, there's the obvious solution, right?  OUTSOURCE IT!!!  Just
> stick the sweaty person on the outside!
>
>
> On 7/20/07, Steve Shockley <[EMAIL PROTECTED]> wrote:
> > Stefan Olsson wrote:
> > > -Apart from health this could be used to generate electricity for
> > > Theo's servers!
> >
> > You're not looking at the big picture; if you've got some sweaty person
> > running the generator, that increases the cooling load in Theo's
> > datacenter.
> >
> >
>
>
> --
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
>
>


-- 
Mark Mathias



Re: dd if=/dev/audio of=/tmp/raw reads 0 bytes using azalia on 4.1-Release

2007-07-20 Thread Deanna Phillips
> I'm trying to record audio samples using azalia and
> 4.1-Release I can monitor the audio but cannot record it.

This is fixed in -current.



dd if=/dev/audio of=/tmp/raw reads 0 bytes using azalia on 4.1-Release

2007-07-20 Thread Jamex Reynolds
Hi

I'm trying to record audio samples using azalia and 4.1-Release
I can monitor the audio but cannot record it. dd fails to read anything from 
/dev/audio or /dev/sound eg. $ dd if=/dev/sound of=/tmp/raw
reads 0 bytes. The manual page for azalia(4) doesn't mention recording via 
line-in or mic being broken.

My dmesg and output of mixerctl -av and audioctl -a follow.



OpenBSD 4.1 (GENERIC) #874: Sat Mar 10 19:09:51 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1005121536 (981564K)
avail mem = 848392192 (828508K)
using 22937 buffers containing 100720640 bytes (98360K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf (36 entries)
bios0: MICRO-STAR INTERNATIONAL CO., LTD MS-7253
acpi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3200+, 2000.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "VIA K8M890 Host" rev 0x00
pchb1 at pci0 dev 0 function 1 "VIA K8M890 Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA K8M890 Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA K8M890 Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA K8M890 Host" rev 0x00
"VIA K8M890 IOAPIC" rev 0x00 at pci0 dev 0 function 5 not configured
pchb5 at pci0 dev 0 function 7 "VIA K8M890 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA K8HTB AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA DeltaChrome Video" rev 0x11
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 2 function 0 "VIA K8T890 PCI-PCI" rev 0x00
pci2 at ppb1 bus 2
ppb2 at pci0 dev 3 function 0 "VIA K8T890 PCI-PCI" rev 0x00
pci3 at ppb2 bus 3
pciide0 at pci0 dev 15 function 0 "VIA VT8237A SATA" rev 0x80: DMA
pciide0: using irq 11 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x07: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom 
removable
cd0(pciide1:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0xa0: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0xa0: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0xa0: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0xa0: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 11
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib0 at pci0 dev 17 function 0 "VIA VT8237A ISA" rev 0x00
pchb6 at pci0 dev 17 function 7 "VIA VT8251 VLINK" rev 0x00
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x7c: irq 10, address 00:16:17:dd:14:1f
rlphy0 at vr0 phy 1: RTL8201L 10/100 PHY, rev. 1
ppb3 at pci0 dev 19 function 0 "VIA VT8237A PCI-PCI" rev 0x00
pci4 at ppb3 bus 4
azalia0 at pci4 dev 1 function 0 "VIA HD Audio" rev 0x10: irq 11
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: 0x04x/0x10ec (rev. 0.2), HDA version 1.0
audio0 at azalia0
ppb4 at pci0 dev 19 function 1 "VIA VT8237A PCI-PCI" rev 0x00
pci5 at ppb4 bus 5
pchb7 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
pchb8 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
pchb9 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
pchb10 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port

Re: Hack OpenBSD and improve fitness at the same time

2007-07-20 Thread bofh

Well, there's the obvious solution, right?  OUTSOURCE IT!!!  Just
stick the sweaty person on the outside!


On 7/20/07, Steve Shockley <[EMAIL PROTECTED]> wrote:

> Stefan Olsson wrote:
> > -Apart from health this could be used to generate electricity for Theo's
> > servers!
>
> You're not looking at the big picture; if you've got some sweaty person
> running the generator, that increases the cooling load in Theo's datacenter.





--
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.



Re: ypserv problem

2007-07-20 Thread Edd Barrett

On 20/07/07, Mark Leisher <[EMAIL PROTECTED]> wrote:

> % cd /var/yp ; make
>
> Everything builds OK (/var/yp//*.db and /etc/*.db) and I am
> not running a slave.


Now as far as I know, yp uses the normal linux/unix passwd format (not
master.passwd). Did you forget pwd_mkdb -p /etc/master.passwd (if you
used a custom DIR in makefile, then see the -d switch. I hope you did
or you are exporting a root password!!!).

Hope this helps.

In fact I plan to write a doc for my own benefit, as I forget this a
lot. I can forward it your way, if and when I do.

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett
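
The concern raised in the reply above, as an added example that is not part of the original post: a POSIX sh function that flags accounts whose password field still holds a hash in a passwd-format file before YP maps are built from it. The function names, sample file names and hash strings are constructed for illustration; the field counts follow passwd(5) and master.passwd(5).

```shell
#!/bin/sh
# Added example (not from the thread): report accounts whose password field
# carries a hash in a passwd-format file, e.g. the file YP maps are built from.

# yp_hash_exposure FILE
#   prints "<user> <format> password-field-populated" for every leaking entry
#   returns 0 if none, 1 if at least one, 2 if FILE is unreadable
yp_hash_exposure() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk -F: '
        /^[ \t]*(#|$)/ { next }      # comments and blank lines
        /^[+-]/        { next }      # YP compat "+"/"-" entries carry no local hash
        {
            # master.passwd(5) has 10 fields, passwd(5) has 7
            fmt = (NF == 10) ? "master.passwd" : (NF == 7) ? "passwd" : "malformed"
            pw = $2
            # "", "x" and anything starting with "*" or "!" is a placeholder
            # or a locked account, not a usable hash
            if (pw == "" || pw == "x" || pw ~ /^[*!]/) next
            print $1, fmt, "password-field-populated"
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# write_samples DIR
#   writes two constructed sample files; the hash strings are fake
write_samples() {
    cat > "$1/master.passwd.sample" <<'EOF'
root:$2a$08$CONSTRUCTED.SAMPLE.HASH.NOT.REAL:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:$2a$08$ANOTHER.CONSTRUCTED.SAMPLE:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
EOF
    cat > "$1/passwd.sample" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
EOF
}

# Demo: the master.passwd-format sample is flagged, the 7-field sample is clean.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
yp_hash_exposure "$demo_dir/master.passwd.sample" || echo "-> hashes present, do not export this file"
yp_hash_exposure "$demo_dir/passwd.sample" && echo "-> no hashes found"
rm -rf "$demo_dir"
```

Run it against whatever file the YP Makefile is configured to read; a non-zero exit status means at least one account would have its hash published in the map.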



Re: Non critical but weird pf and openvpn problem

2007-07-20 Thread a666
On Fri, 20 Jul 2007 09:46:41 -0700 Mark Rolen <[EMAIL PROTECTED]> wrote:
>Using the "pass quick on tun0" rule somewhere at the top of your rules
>should work for you, let me know if not.
>

I made the following two changes to my pf.conf and this fixed the 
problem.

#set skip on { lo, tun0 }
pass quick on { lo, tun0 }

Does this mean that "set skip on { lo, tun0 }" doesn't work for the 
tun interface?  Should I report it as a bug in sendbug or is it 
just some misunderstanding on my part?



Re: Hack OpenBSD and improve fitness at the same time

2007-07-20 Thread Steve Shockley

Stefan Olsson wrote:
> -Apart from health this could be used to generate electricity for Theo's
> servers!


You're not looking at the big picture; if you've got some sweaty person 
running the generator, that increases the cooling load in Theo's datacenter.




Re: OT: serial console through S-Video 7-pin locking "dub" connector?

2007-07-20 Thread K K

On 7/20/07, Rob Schmersel <[EMAIL PROTECTED]> wrote:

> That looks like an old Mac modem cable (RS-422 <> RS-232), different
> beast. S-video does not even have the correct signals.

The Macintosh (and some old Sun hardware) serial port uses a 8-pin
Mini-DIN, a different pinout than other more common Mini-DIN
connectors (S-Video, PS/2 keyboard, etc).

More information and better pictures of Mac/Sun serial cables:
http://www.cablestogo.com/product.asp?cat%5fid=206&sku=02996
http://www.sunhelp.org/unix-serial-port-resources/serial-pinouts/

If you're digging through old Sun gear and want to get an IPX or CP1500
working, you'll need one of these.

Kevin



Re: Compaq 6710b

2007-07-20 Thread Fred Crowson

Rafał Brodewicz wrote:
> Fred Crowson wrote:
> > Have you tried boot -c and enabling acpi?
>
> After "enable acpi" and "enable acpiec"
> http://brodewicz.pl/boot_acpi.jpg
>
> Sorry for image, but this laptop doesn't have serial port to drop dmesg
> output.
>
> Regards.

I'm not sure if that's progress - but I'm copying it to the list, in
case someone more knowledgeable than me can advise you how the:

panic: aml_die aml_setbufint: 983

can be resolved.

Fred
--
http://www.crowsons.com/puters/x41.htm



Re: Allocate more memory than 512 MB with squid

2007-07-20 Thread Patrick Hemmen
Hi,

yesterday I ran the little C program as the user root and it works.

Here is the source code of the program.

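 #include <stdio.h>
 #include <stdlib.h>

 int main(void) {
     /* try one allocation of 936870912 bytes, i.e. more than 512 MB */
     size_t size = 936870912;
     char *a = malloc(size);
     if (a)
         printf("yes");
     else
         perror("no");
     free(a);
     return 0;
 }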

Do I start squid correctly with the entry in /etc/rc.local?

Thanks.
Patrick


 > Patrick Hemmen wrote:
 > I start squid with the following entry in /etc/rc.local.
 >
 >  if [ -x /usr/local/sbin/squid ]; then
 >  echo -n ' squid';   /usr/local/sbin/squid
 >  fi
 >
 > Best regards.
 > Patrick




Re: OT: serial console through S-Video 7-pin locking "dub" connector?

2007-07-20 Thread Rob Schmersel

vladas wrote:

> Hi all,
>
> Is it possible to connect to server's serial console through the
> S-Video 7-pin locking "dub" connector - RS-232C cable [1]
> directly without using Video/S-Video to VGA/Component Video
> Converter?
>
> I need to connect to OpenBSD (RC-232C side) from windoze
> (S-Video side).
>
> [1] The pic is small/hopeless, but:
> http://www.sanyo-lcdp.com/option/images/poa-ca-vgas.jpg
> One end is RC-232C, other - S-Video (7 pins).
>
> Would be grateful for any pointers.



Nope,

That looks like an old Mac modem cable (RS-422 <> RS-232), different 
beast. S-video does not even have the correct signals.


/Rob



external storage system

2007-07-20 Thread Gustavo Rios

Dear gentleman,

i would like to know openbsd system administrator with the Dell/EMC
CX3-20 storage enginee! Is anybody using such with openbsd server?

What is your report on such matter?

Thanks in advance.

best regards.



Re: OT: seeking advice on how to address closed-source-only websites

2007-07-20 Thread Joris Van Herzele
My sincere gratitude to all those who were willing to spare both their 
time and experience and offer me some advice both inside this thread as 
by email sent directly to me.




A brief update for those interested :


1st : I did get an XML-based open-source copy of the form in question 
from my country's federal department for Economic Affairs. A polite 
request was sufficient for them to convert the MS Word document on my 
behalf. That is something which pleasantly surprised me although I was 
already hoping for it.



2nd : After informing my savings-bank that I regretted this situation 
but felt they left me with no other option than to register a complaint 
with both my country's federal department for Economic Affairs and -I'll 
attempt a translation here- the Commission for the Supervision of the 
Banking Industry, they suddenly did decide to remove the incorrect 
information that was visible on browsers without Adobe Flash Player.


This is a situation I find acceptable. As I stated in my very first mail 
to them I would obviously prefer having the correct information visible 
to all users but essential was not being confronted with incorrect 
interest-rates if you choose not to use Flash Player. (rather no info 
than false info)



So thank you all once again in helping me convince them to address this 
issue.




Kind Regards,


Joris Van Herzele



Re: fsck Segmentation fault on 4.1

2007-07-20 Thread Otto Moerbeek
On Fri, 20 Jul 2007, Marcos Laufer wrote:

> Will this be moved to -stable, or is it an uncommon thing ?

It's not very common, but the impact is pretty high. So once some more
test reports are coming in, we'll consider it. 

-Otto

> 
> - Original Message - 
> From: "Otto Moerbeek" <[EMAIL PROTECTED]>
> To: "Marcos Laufer" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Thursday, July 19, 2007 3:09 PM
> Subject: Re: fsck Segmentation fault on 4.1
> 
> 
> On Fri, 13 Jul 2007, Otto Moerbeek wrote:
> 
> > On Fri, 13 Jul 2007, Marcos Laufer wrote:
> > 
> > > Otto ,
> > > 
> > > This is the error i get:
> > > It starts booting , and it starts fsck , it fails with /dev/rwd0e and 
> > > rwd0h,
> > > 
> > > (i could see once that when it finished it says:)
> > > fsck_ffs in free():  error: free_page: pointer to wrong page
> > > fsck: /dev/rwd0h: Abort trap
> > > 
> > > I reboot it again many times and that did not show again
> > > 
> > > 
> > > i try to fsck manually like this as you say and i get:
> > > 
> > > # ulimit -d unlimited
> > > # fsck -y /dev/rwd0e
> > > 
> > > INCONSISTENT CGSIZE=16384
> > > 
> > > FIX? yes
> > > 
> > > * * Last mounted on /usr
> > > * * Phase 1- Check Blocks and Sizes
> > > * * Phase 2 - Check pathnames
> > > * * Phase 3 - Check Conectivity
> > > * * Phase 4 - Check Reference Counts
> > > * * Phase 5 - Check Cyl Groups
> > > 
> > > CANNOT READ: BLK 64
> > > 
> > > CONTINUE? yes
> > > 
> > > fsck: /dev/rwd0e: Segmentation Fault
> > 
> > This is not an out of memory situation.
> > 
> > It looks like fsck_ffs has problems getting data from your disk,
> > probably because of hardware failure or bad cabling.  Sometimes it
> > detects it cannot read the data (the CANNOT READ: BLK 64 case), but it
> > is possible it gets corrupted data in other cases. 
> > 
> > Sadly, this can cause fsck_ffs to do the wrong thing and access wrong
> > memory and corrupt its internal data. During the last year I've fixed
> > some stuff in this area, but there still remains cases that can go
> > wrong.
> 
> I misdiagnosed the problem. In the meantime I got another report with
> a dd of the partition which enabled me to diagnose the problem and
> make a fix for 4.1. Please test and report back. I'll be on vacation
> from Saturday, so it would be nice if you can answer before that. 
> 
> Anybody else seeing INCONSISTENT CGSIZE messages should try this as well.
> 
> NOTE: this diff only applies to 4.1. Current does not have the
> problem, due to a corrected CGSIZE macro.
> 
> -Otto
> 
> Index: setup.c
> ===
> RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
> retrieving revision 1.29
> diff -u -p -r1.29 setup.c
> --- setup.c 16 Feb 2007 08:34:29 - 1.29
> +++ setup.c 19 Jul 2007 18:02:36 -
> @@ -336,6 +336,7 @@ setup(char *dev)
>   sbdirty();
>   dirty(&asblk);
>   }
> +#if 0
>   if (sblock.fs_cgsize != fragroundup(&sblock, CGSIZE(&sblock))) {
>   pwarn("INCONSISTENT CGSIZE=%d\n", sblock.fs_cgsize);
>   sblock.fs_cgsize = fragroundup(&sblock, CGSIZE(&sblock));
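
Review bot: The #if 0 placed directly above "if (sblock.fs_cgsize != fragroundup(&sblock, CGSIZE(&sblock)))" removes the cgsize validation completely instead of correcting what it compares against. The message says -current avoids the problem through a corrected CGSIZE macro, so backporting that macro to 4.1 would stop the false INCONSISTENT CGSIZE report while still catching a superblock whose fs_cgsize really is wrong.
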
> @@ -346,6 +347,7 @@ setup(char *dev)
>   dirty(&asblk);
>   }
>   }
> +#endif
>   if (INOPB(&sblock) != sblock.fs_bsize / sizeof(struct ufs1_dinode)) {
>   pwarn("INCONSISTENT INOPB=%d\n", INOPB(&sblock));
>   sblock.fs_inopb = sblock.fs_bsize / sizeof(struct ufs1_dinode);
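
Review bot: The #endif added just before the INOPB check closes a region opened in the previous hunk, and neither directive says why the code is compiled out. A short comment at the #if 0 (the 4.1 CGSIZE macro makes this comparison misfire) and a matching /* CGSIZE check */ on the #endif would keep the block from lingering as unexplained dead code once the macro is fixed.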



Re: ypserv problem

2007-07-20 Thread Mark Leisher

Edd Barrett wrote:
> Hi,
>
> On 20/07/07, Mark Leisher <[EMAIL PROTECTED]> wrote:
> > I didn't see anything related in the archives, so apologies if it was
> > there and I missed it.
> >
> > When I add a new user and rebuild the YP files, the new user is not
> > visible on client machines until I kill ypserv and start it again. What
> > am I missing?
>
> What is your method for rebuilding the maps?

% cd /var/yp ; make

Everything builds OK (/var/yp//*.db and /etc/*.db) and I am 
not running a slave.
--
Mark Leisher



Re: ypserv problem

2007-07-20 Thread Edd Barrett

Hi,

On 20/07/07, Mark Leisher <[EMAIL PROTECTED]> wrote:

> I didn't see anything related in the archives, so apologies if it was
> there and I missed it.
>
> When I add a new user and rebuild the YP files, the new user is not
> visible on client machines until I kill ypserv and start it again. What
> am I missing?


What is your method for rebuilding the maps?

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



ypserv problem

2007-07-20 Thread Mark Leisher
I didn't see anything related in the archives, so apologies if it was 
there and I missed it.


When I add a new user and rebuild the YP files, the new user is not 
visible on client machines until I kill ypserv and start it again. What 
am I missing?

--
Mark Leisher



Re: Use certificate subject/ASN1 in ipsec.conf ?

2007-07-20 Thread Hans-Joerg Hoexer
Hi,

the Subject Alternative Name of your certificate will be used as phase 2
IDs, i.e. that's what is sent.  If you want to use the Subject Canonical
Name, you have to additionally provide an isakmpd.policy file and you have
to run isakmpd without the "-K" option.  See isakmpd.policy(5).

On Fri, Jul 20, 2007 at 07:09:18PM +0200, Markus Wernig wrote:
> Hi all
> 
> I'm setting up a OBSD 4.1 ipsec gateway, against which users will 
> authenticate using x509 certificates. They all use personal certificates 
> (key usage: digSig), which contains their user name and Email in the 
> subject. I need to authenticate them by the whole subject, but can't 
> seem to find out how.
> 
> I can authenticate them (i.e. it works) if I just use the email address 
> from the certificate as a filter in ipsec.conf along the lines:
> 
> ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain 
> dstid [EMAIL PROTECTED]
> ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain 
> dstid [EMAIL PROTECTED]
> 
> But what I need would look something like:
> 
> ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain 
> dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
> ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain 
> dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
> 
> When I configure this, with all possible variations of quoting and 
> backslashes, isakmpd tells me in the log file:
> 
> Jul 20 18:52:15 gate isakmpd[8707]: ipsec_validate_id_information: 
> dubious ID information accepted
> Jul 20 18:52:15 gate isakmpd[8707]: ike_phase_1_recv_ID: received remote 
> ID other than expected /C=CH/CN=John
> 
> Apropos the subjectAltName: openssl tells me about the certificate:
> 
> [...]
> X509v3 Subject Alternative Name:
> email:[EMAIL PROTECTED]
> [...]
> 
> Is there a way to see what is getting sent? isakmpd does not seem to 
> like the spaces in the /CN, is there a way to quote this for him?
> Is this possible at all?
> 
> thx for any hint
> 
> /markus



Use certificate subject/ASN1 in ipsec.conf ?

2007-07-20 Thread Markus Wernig

Hi all

I'm setting up a OBSD 4.1 ipsec gateway, against which users will 
authenticate using x509 certificates. They all use personal certificates 
(key usage: digSig), which contains their user name and Email in the 
subject. I need to authenticate them by the whole subject, but can't 
seem to find out how.


I can authenticate them (i.e. it works) if I just use the email address 
from the certificate as a filter in ipsec.conf along the lines:


ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain 
dstid [EMAIL PROTECTED]
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain 
dstid [EMAIL PROTECTED]


But what I need would look something like:

ike passive esp tunnel from any to 192.168.0/24 srcid gate.my.domain 
dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"
ike passive esp tunnel from 192.168.0/24 to any srcid gate.my.domain 
dstid "/C=CH/CN=John Doe/[EMAIL PROTECTED]/O=My Org"


When I configure this, with all possible variations of quoting and 
backslashes, isakmpd tells me in the log file:


Jul 20 18:52:15 gate isakmpd[8707]: ipsec_validate_id_information: 
dubious ID information accepted
Jul 20 18:52:15 gate isakmpd[8707]: ike_phase_1_recv_ID: received remote 
ID other than expected /C=CH/CN=John


Apropos the subjectAltName: openssl tells me about the certificate:

[...]
X509v3 Subject Alternative Name:
email:[EMAIL PROTECTED]
[...]

Is there a way to see what is getting sent? isakmpd does not seem to 
like the spaces in the /CN, is there a way to quote this for him?

Is this possible at all?

thx for any hint

/markus



Re: Non critical but weird pf and openvpn problem

2007-07-20 Thread Mark Rolen

[EMAIL PROTECTED] wrote:
> Does this point to a problem with "set skip on { lo, tun0 }"?  I 
> will try your suggestion to see if it works (pass quick on { tun0 
> tun1 }), but I dislike using "quick" in my rules.
>
> I added "up" to my /etc/hostname.tun0 to see if that worked based 
> on one of the suggestions but the startup problem still exist?  I 
> have since removed "up" since in the past I have never needed to 
> use it and I read somewhere that "touch /etc/hostname.tun0" was all 
> that I needed.
  
Your experience matches mine.  Having "up" in /etc/hostname.tun0 wasn't 
enough, openvpn traffic was still blocked on the tun interface.  Using 
the "pass quick on tun0" rule somewhere at the top of your rules should 
work for you, let me know if not.


For completeness, here's my pf.conf as well so you can compare...


ext_if="fxp2"
int_if="fxp1"
wifi_if="fxp0"

voip="192.168.10.2"

high_pri_tcp="22, 6667"
med_pri_tcp="21, 25, 80, 110, 443, 995, 1723"
high_pri_udp="53"
med_pri_udp="123"

table  persist

set skip on lo
set loginterface $ext_if
set ruleset-optimization basic
set block-policy return

scrub in

altq on $ext_if cbq bandwidth 495Kb queue { q_low, q_med, q_high, q_max }
queue q_low  bandwidth 63% priority 0 cbq(default)
queue q_med  bandwidth 15% priority 2 cbq(borrow)
queue q_high bandwidth 15% priority 4 cbq(borrow)
queue q_max bandwidth 7% priority 6 cbq(borrow)

nat-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

antispoof quick for { lo $int_if $wifi_if }
block drop quick from 
block in log
pass out

pass quick on { tun0 tun1 }

pass quick on $int_if from $voip to any no state tag PHONE
pass quick on $int_if inet proto udp from any port 27960 no state tag Q3
pass quick on $int_if no state

pass in quick on $wifi_if inet proto tcp to ($wifi_if) port ssh
pass in quick on $wifi_if inet proto udp from any port bootpc to any port bootps

pass in quick on $wifi_if inet proto udp to ($wifi_if) port 1194
pass in quick on $wifi_if inet proto icmp to ($wifi_if)
## only used when an open AP needed, e.g. guests over
##pass in quick on $wifi_if
block in on $wifi_if

block in quick on $ext_if inet6 all
pass in on $ext_if inet proto icmp
pass in on $ext_if inet proto tcp to ($ext_if) port ssh flags S/SA \
keep state (source-track rule, max-src-conn-rate 5/60, overload \
 flush global) queue q_high
pass out on $ext_if inet to any queue (q_low,q_med)
pass out quick on $ext_if inet to any tagged PHONE queue q_max
pass out quick on $ext_if inet to any tagged Q3 queue q_high
pass out quick on $ext_if inet proto tcp to any port { $high_pri_tcp } queue q_high
pass out quick on $ext_if inet proto tcp to any port { $med_pri_tcp } queue (q_med,q_high)
pass out quick on $ext_if inet proto udp to any port { $high_pri_udp } queue q_high
pass out quick on $ext_if inet proto udp to any port { $med_pri_udp } queue q_med

pass out quick on $ext_if inet proto icmp queue q_high


HTH,
Mark



Re: Non critical but weird pf and openvpn problem

2007-07-20 Thread a666
Mark Rolen <[EMAIL PROTECTED]> wrote:

>I had the same symptom, where I'd have to manually reload my pf rules
>after a reboot to get OpenVPN traffic to flow.  Using tcpdump showed
>that pf was blocking all the traffic on my tun interfaces although I had
>a "set skip" rule for them.

Here are my pf rules:

ext_if="fxp0"
int_if="ath0"

set skip on { lo, tun0 }
set block-policy return

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
block in

antispoof quick for { lo, $int_if, tun0 }

pass in on $int_if proto tcp from 10.1.1.2 to 10.1.1.1 port ssh
pass in proto icmp
pass in on $int_if from 10.8.0.0/24 to any
pass in on $int_if proto udp from 10.1.1.2 to 10.1.1.1 port 1194
pass out

Note, this problem is occurring even though I too have "set skip on 
{ lo, tun0 }".  I stated before that I had another question I would 
post.  Since you brought this up, I'll post it.  About two or 
three months ago, I posted a question about how come my openvpn 
wireless connection was not working with the above pf rules with 
one exception.  I did not have this line in there:

pass in on $int_if from 10.8.0.0/24 to any

I still had to run pfctl -f /etc/pf.conf after bootup.  Even after 
running pfctl -f /etc/pf.conf, it would not work.  By adding this 
line it worked just fine.  So now I'm confused.  I thought the way 
this worked was that when I connect to openvpn, pf allows it on 
port 1194 which it then sends to tun0.  Since tun0 is not blocked 
from the "set skip on { lo, tun0 }" it should pass through tun0.  
By adding the line above, proves that this is not so.  So is there 
a bug, especially with the tun device, or am I not understanding 
something?  If I'm not understanding something, please enlighten me 
(it will be appreciated).

>Anyhow, I don't have the issue any longer because I just added this
>rule:
>
>pass quick on { tun0 tun1 }
>
>That seems to be effective regardless of whether or not the interfaces
>exist when pf loads, so my OpenVPN tunnels work after reboots without
>intervention.

Does this point to a problem with "set skip on { lo, tun0 }"?  I 
will try your suggestion to see if it works (pass quick on { tun0 
tun1 }), but I dislike using "quick" in my rules.

I added "up" to my /etc/hostname.tun0 to see if that worked based 
on one of the suggestions but the startup problem still exist?  I 
have since removed "up" since in the past I have never needed to 
use it and I read somewhere that "touch /etc/hostname.tun0" was all 
that I needed.



Re: fsck Segmentation fault on 4.1

2007-07-20 Thread Marcos Laufer
Will this be moved to -stable, or is it an uncommon thing ?

- Original Message - 
From: "Otto Moerbeek" <[EMAIL PROTECTED]>
To: "Marcos Laufer" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, July 19, 2007 3:09 PM
Subject: Re: fsck Segmentation fault on 4.1


On Fri, 13 Jul 2007, Otto Moerbeek wrote:

> On Fri, 13 Jul 2007, Marcos Laufer wrote:
> 
> > Otto ,
> > 
> > This is the error i get:
> > It starts booting , and it starts fsck , it fails with /dev/rwd0e and rwd0h,
> > 
> > (i could see once that when it finished it says:)
> > fsck_ffs in free():  error: free_page: pointer to wrong page
> > fsck: /dev/rwd0h: Abort trap
> > 
> > I reboot it again many times and that did not show again
> > 
> > 
> > i try to fsck manually like this as you say and i get:
> > 
> > # ulimit -d unlimited
> > # fsck -y /dev/rwd0e
> > 
> > INCONSISTENT CGSIZE=16384
> > 
> > FIX? yes
> > 
> > * * Last mounted on /usr
> > * * Phase 1- Check Blocks and Sizes
> > * * Phase 2 - Check pathnames
> > * * Phase 3 - Check Conectivity
> > * * Phase 4 - Check Reference Counts
> > * * Phase 5 - Check Cyl Groups
> > 
> > CANNOT READ: BLK 64
> > 
> > CONTINUE? yes
> > 
> > fsck: /dev/rwd0e: Segmentation Fault
> 
> This is not an out of memory situation.
> 
> It looks like fsck_ffs has problems getting data from your disk,
> probably because of hardware failure or bad cabling.  Sometimes it
> detects it cannot read the data (the CANNOT READ: BLK 64 case), but it
> is possible it gets corrupted data in other cases. 
> 
> Sadly, this can cause fsck_ffs to do the wrong thing and access wrong
> memory and corrupt its internal data. During the last year I've fixed
> some stuff in this area, but there still remains cases that can go
> wrong.

I misdiagnosed the problem. In the meantime I got another report with
a dd of the partition which enabled me to diagnose the problem and
make a fix for 4.1. Please test and report back. I'll be on vacation
from Saturday, so it would be nice if you can answer before that. 

Anybody else seeing INCONSISTENT CGSIZE messages should try this as well.

NOTE: this diff only applies to 4.1. Current does not have the
problem, due to a corrected CGSIZE macro.

-Otto

Index: setup.c
===
RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
retrieving revision 1.29
diff -u -p -r1.29 setup.c
--- setup.c 16 Feb 2007 08:34:29 - 1.29
+++ setup.c 19 Jul 2007 18:02:36 -
@@ -336,6 +336,7 @@ setup(char *dev)
  sbdirty();
  dirty(&asblk);
  }
+#if 0
  if (sblock.fs_cgsize != fragroundup(&sblock, CGSIZE(&sblock))) {
  pwarn("INCONSISTENT CGSIZE=%d\n", sblock.fs_cgsize);
  sblock.fs_cgsize = fragroundup(&sblock, CGSIZE(&sblock));
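Review bot: the `#if 0` placed in front of the `sblock.fs_cgsize != fragroundup(&sblock, CGSIZE(&sblock))` comparison has no comment saying why the check is compiled out. The message attributes the problem to the CGSIZE macro in 4.1, so say that in a comment directly above the `#if 0`, or correct the macro as -current did so the check can stay enabled.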
@@ -346,6 +347,7 @@ setup(char *dev)
  dirty(&asblk);
  }
  }
+#endif
  if (INOPB(&sblock) != sblock.fs_bsize / sizeof(struct ufs1_dinode)) {
  pwarn("INCONSISTENT INOPB=%d\n", INOPB(&sblock));
  sblock.fs_inopb = sblock.fs_bsize / sizeof(struct ufs1_dinode);
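Review bot: with the `#endif` here the whole CGSIZE block is skipped, so a superblock whose `fs_cgsize` really is corrupt is now accepted without a warning or a repair, while the INOPB check just below still repairs its field. Consider keeping some sanity check on `fs_cgsize` rather than dropping validation of the field entirely.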



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread carlopmart

Stuart Henderson wrote:
> On 2007/07/20 13:20, carlopmart wrote:
>> Stuart Henderson wrote:
>>> On 2007/07/20 11:02, carlopmart wrote:
>>>>  This is my third post about problems with OpenBSD 4.1 during last two
>>>> months ...
>>> Yes, and someone replied with a PR (5508) they'd opened about it.
>>> It's fixed already - src/sys/net/if_pfsync.c 1.83.
>>> Maybe the question to ask is "can this be imported to -stable"...
>> Sorry but it isn't the same bug. Bug 5508 it is about pfsync bug, and this
>> crash doesn't it ...
>
> hmm, ok, but you said it's the third post, which (at least to me)
> implies that it's the third post about the same problem...

Yes sorry, second post about this problem ... I write another post about
bug 5508, total: three ... With OpenBSD 4.0 on the same servers all
works ok ... I don't understand it...


--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: OT: serial console through S-Video 7-pin locking 'dub' connector?

2007-07-20 Thread vladas

On 7/20/07, vladas wrote:
> Eric,
>
> On 7/20/07, Eric Huiban wrote:
> > 9 pins DB plug to fit with a 15 pins DB plug.
>
> Did you actually read my question?


List,

Sorry for the noise, user error.



Re: OT: serial console through S-Video 7-pin locking 'dub' connector?

2007-07-20 Thread Eric Huiban
On Fri 20 Jul 2007 16:06:56 CEST, vladas wrote:
>Eric,
>
>
>
>On 7/20/07, Eric Huiban <[EMAIL PROTECTED]> wrote:
>> 9 pins DB plug to fit with a 15 pins DB plug.
>
>
>
>Did you actually read my question?

Yes : how to connect PC S-video plug (output connector only, separate
chrominance and luminance signals, around 0 to 0.75Volts linear electrical
signal, around 6MHz signals, video format) to a RS232 server system serial
console  plug (input and output connector, input and output asynchronous
serial lines with handshaking, -30V<--> -3V and +3V <--> +30V discrete
electrical signal, around 250kHz signals, UART format) using dumb
video cables ? This was confirmed by google after looking for "poa-ca-vgas"
which is only a classical Video to VGA adapter (et vice-versa) and not a
proprietary video+serial combo cable

The other point was the possibility to use a video to vga/composite video
smart converter. But there is no VGA signal in the configuration you seemed
to refer to.

Regards,
Eric.



Re: hardware problem?! strangely ssh error - SOLVED

2007-07-20 Thread openbsd misc
> -Original Message-
> From: Stuart Henderson [mailto:[EMAIL PROTECTED]
> Sent: Friday, 20 July 2007 01:22
> To: openbsd misc
> Subject: Re: hardware problem?! strangely ssh error
>
> On 2007/07/20 00:02, Stuart Henderson wrote:
> > If there might be crypto hardware onboard, try sysctl
> kern.usercrypto=0
>
> The chip is detected as supporting AES, which gets used for
> ssh with default ciphers. Definitely try this sysctl (takes effect
> straight away) and if it helps please report back on misc@, if
> AES is detected incorrectly it would be useful to work out a
> way to identify and disable it..
>
>

Thanks a lot, that solved the problem.

Regards
  Hagen Volpers



Re: OT: serial console through S-Video 7-pin locking 'dub' connector?

2007-07-20 Thread vladas

Eric,

On 7/20/07, Eric Huiban <[EMAIL PROTECTED]> wrote:

> 9 pins DB plug to fit with a 15 pins DB plug.


Did you actually read my question?



Re: OT: serial console through S-Video 7-pin locking 'dub' connector?

2007-07-20 Thread Eric Huiban
On Fri 20 Jul 2007 14:59:17 CEST, vladas wrote:

>Is it possible to connect to server's serial console through the
>S-Video 7-pin locking "dub" connector - RS-232C cable [1]
>directly

The answer is simple as possible : No.

> without using Video/S-Video to VGA/Component Video
>Converterconverter?

"With..." or "Without..." :  No.

RS232 and video signals have nothing in common... except
perhaps their respective ground connexion.

>I need to connect to OpenBSD (RC-232C side) from windoze
> (S-Video side).

You will have better result playing with USB-Serial adapter
when trying to fiddle with RS232 on Windows(tm) side...

Note : take care of  USB-Serial adapter capability to send BREAK
signal if you really need it...

>[1] The pic is small/hopeless, but:
>
>http://www.sanyo-lcdp.com/option/images/poa-ca-vgas.jpg
>One end is RC-232C, other - S-Video (7 pins).

This is VGA-to-SVideo (dumb) adapter. In no case you can connect
RS232 to VGA with this kind of cable excepted if you're using a
hammer to convince a 9 pins DB plug to fit with a 15 pins DB plug.
(Even in this case, i'm not sure that the concept is functionally
correct).

Eric.



Re: GENERIC: #option MTRR

2007-07-20 Thread Timo Schoeler
Thus "Die Gestalt" <[EMAIL PROTECTED]> spake on Fri, 20 Jul 2007
15:21:52 +0200:

> Everytime you use the option MTRR a kitten dies.

Bad Pentium Pro-Charma?
 
> On 7/19/07, Timo Schoeler <[EMAIL PROTECTED]> wrote:
> > Hi misc@,
> >
> > just out of curiosity: What's the reason for MTRR being disabled by
> > default?
> >
> > Thanks for enlightenment,
> >
> > Timo :)



Re: GENERIC: #option MTRR

2007-07-20 Thread Die Gestalt

Everytime you use the option MTRR a kitten dies.

On 7/19/07, Timo Schoeler <[EMAIL PROTECTED]> wrote:
> Hi misc@,
>
> just out of curiosity: What's the reason for MTRR being disabled by default?
>
> Thanks for enlightenment,
>
> Timo :)




OT: serial console through S-Video 7-pin locking "dub" connector?

2007-07-20 Thread vladas

Hi all,

Is it possible to connect to server's serial console through the
S-Video 7-pin locking "dub" connector - RS-232C cable [1]
directly without using Video/S-Video to VGA/Component Video
Converterconverter?

I need to connect to OpenBSD (RC-232C side) from windoze
(S-Video side).


[1] The pic is small/hopeless, but:
http://www.sanyo-lcdp.com/option/images/poa-ca-vgas.jpg
One end is RC-232C, other - S-Video (7 pins).


Would be grateful for any pointers.



Re: hardware problem?! strangely ssh error

2007-07-20 Thread Maxim Belooussov

Hi Hagen,

> Hope that helps ...
>
> Regards
>   Hagen Volpers



Is your sshd-config different/modified? If your ssh client can't talk
to your own ssh daemon, might indicate they don't understand each
other and using different crypto.

Maxim



Re: Areca-1210 rd0 hang during install of 4.1 on amd64

2007-07-20 Thread Nick Humphrey
David Gwynne wrote:
> can you try a snapshot bsd.rd?
> 

David,

Below is dmesg from latest 4.1 amd64 snapshot of 2007-07-19 with acpi
enabled. Still hangs at same point.

Kind regards,

Nick

--


booting cd0a:/4.1/amd64/bsd.rd: 2193904+454704+2539776+0+331440
[80+226488+140163]=0x99da3c
entry point at 0x1001e0 [7205c766, 3404, 24448b12,
d840a304]*Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 4.1-current (RAMDISK_CD) #1209: Thu Jul 19 15:26:32 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 2079911936 (1983MB)
avail mem = 2009829376 (1916MB)
User Kernel Config
UKC> enable acpi
141 acpi0 enabled
UKC> quit
Continuing...
mainbus0 at root
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP SSDT HPET MCFG APIC
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+, 2612.30 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
"NVIDIA MCP61 Memory" rev 0xa1 at pci0 dev 0 function 0 not configured
"NVIDIA MCP61 ISA" rev 0xa2 at pci0 dev 1 function 0 not configured
"NVIDIA MCP61 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured
"NVIDIA MCP61 Memory" rev 0xa2 at pci0 dev 1 function 2 not configured
ohci0 at pci0 dev 2 function 0 "NVIDIA MCP61 USB" rev 0xa2: irq 10,
version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 "NVIDIA MPC61 USB" rev 0xa2: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
ppb0 at pci0 dev 4 function 0 "NVIDIA MCP61" rev 0xa1
pci1 at ppb0 bus 1
skc0 at pci1 dev 7 function 0 "D-Link Systems DGE-530T B1" rev 0x11,
Yukon Lite (0x9): irq 10
sk0 at skc0 port A: address 00:15:e9:aa:d3:34
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
pciide0 at pci0 dev 6 function 0 "NVIDIA MCP61 IDE" rev 0xa2: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <_NEC, DVD_RW ND-2510A, 2.16> SCSI0
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ppb1 at pci0 dev 9 function 0 "NVIDIA MCP61 PCIE" rev 0xa2
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 "Intel IOP332 PCIE-PCIX" rev 0x07
pci3 at ppb2 bus 3
arc0 at pci3 dev 14 function 0 "Areca ARC-1210" rev 0x00: irq 11
arc0: 4 SATA Ports, 256MB SDRAM, FW Version: V1.43 2007-4-17
scsibus1 at arc0: 16 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3
0/direct fixed
sd0: 381469MB, 58128 cyl, 28 head, 480 sec, 512 bytes/sec, 781249536 sec
total
ppb3 at pci2 dev 0 function 2 "Intel IOP332 PCIE-PCIX" rev 0x07
pci4 at ppb3 bus 4
vga1 at pci0 dev 13 function 0 "NVIDIA GeForce 6100 nForce 430" rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
pchb0 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
pchb1 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
pchb2 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
pchb3 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
rd0: fixed, 4096 blocks


-


End.



Re: Hack OpenBSD and improve fitness at the same time

2007-07-20 Thread Karel Kulhavy
On Fri, Jul 20, 2007 at 12:09:53PM +0100, Stefan Olsson wrote:

> -Apart from health this could be used to generate electricity for Theo's 
> servers! Then you could put in a section on the Donations page to come over 
> and do a few hours on the bike and help keeping the electricity bill down. 
> On the hackathons developers could be put on bikes while developing or 

One could make a hackathon on some attractive, naturally beautiful place
without electricity. Someone would come with a large car and bring these
machines. Then the hackers could happily hack and intersperse their hacking
with enjoying the nature. You often get the key idea when you leave the
computer for a short time.

The hackathon could also move to enjoy multiple places.

CL<



Re: Hack OpenBSD and improve fitness at the same time

2007-07-20 Thread Stefan Olsson
- Original Message -
From: "Karel Kulhavy" <[EMAIL PROTECTED]>
> Add an everyday job to this and you get a shortage of time. Therefore I have
> developed a special open source fitness machine for computer hackers which
> allows exercising while sitting at the keyboard.
>
> Twibright Exciter: http://ronja.twibright.com/exciter/


-Apart from health this could be used to generate electricity for Theo's 
servers! Then you could put in a section on the Donations page to come over 
and do a few hours on the bike and help keeping the electricity bill down. 
On the hackathons developers could be put on bikes while developing or there 
could be separate bikeathons for people who want to donate some physical 
effort to the project.



*yes, this is a joke*



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread Stuart Henderson
On 2007/07/20 13:20, carlopmart wrote:
> Stuart Henderson wrote:
>> On 2007/07/20 11:02, carlopmart wrote:
>>>  This is my third post about problems with OpenBSD 4.1 during last two 
>>> months ...
>> Yes, and someone replied with a PR (5508) they'd opened about it.
>> It's fixed already - src/sys/net/if_pfsync.c 1.83.
>> Maybe the question to ask is "can this be imported to -stable"...
>
> Sorry but it isn't the same bug. Bug 5508 it is about pfsync bug, and this 
> crash doesn't it ...

hmm, ok, but you said it's the third post, which (at least to me)
implies that it's the third post about the same problem...



Re: OpenBSD Berlin?

2007-07-20 Thread Dirk Fohrenkamm
>>>>> change president with "mild dictator", if you please
>>>> Forget it.
>>> ok, that makes it: hard dictator
>> ... in this case I will look for a nice wall and a AK47 ;-)
>
> i recently watched four documentaries on atomic and hydrogen bombs...
> errr. ooops.
... :>  ...

>>>>> "WHO'S INTERESTED?" - he screamed
>> I do
>>
>>>> So, there is not OpenBSD user group in berlin yet?
>> there has been a Berlin Unix User Group a while ago ...
>
> what i got from several forums (archives) it died in 2004
well rest in peace...

>>> it seems we're two of us...
>> three ... at least
>
> (it's even more in the meantime :)
(already noticed :)

>>> If there was a group in Berlin they'd read these emails, wouldn't they
>>>
>>>> I admit: I don't like the german 'Pils' either; wine is fine,
>>>> especially portuguese wine.
>>> wrong: especially _Spanish_ wine
>> :)
>
> freedom of choice is a nice thing, as long as we still have it :/

at least we have (yet) the freedom of choice which alcohol we use to blow
our brains away...

>>> So this is the last call:
>>>
>>>   ---> anybody interested? <---
>>
>> yes, obviously
>>
>>> If so, please email Timo and me, so that we do not "overwhelm" this
>>> mailing list with our messages
>
> [there were much worse threads than this ;) ]
>
>>> Cheers,
>>>
>>> Pau
>>>
>> greez from Prenzlauer Berg ...
>
> timo, near virchow

ok, to write something not that "OT": time? date? location? (as you know I
have quite a lot bars and restaurants around)

Dirk, sitting bored in a MCSE - course (sic!)



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread carlopmart

Stuart Henderson wrote:
> On 2007/07/20 11:02, carlopmart wrote:
>>  This is my third post about problems with OpenBSD 4.1 during last two
>> months ...
>
> Yes, and someone replied with a PR (5508) they'd opened about it.
> It's fixed already - src/sys/net/if_pfsync.c 1.83.
>
> Maybe the question to ask is "can this be imported to -stable"...

Sorry but it isn't the same bug. Bug 5508 it is about pfsync bug, and
this crash doesn't it ...

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: 4.1 !

2007-07-20 Thread Frank Brodbeck
Hi,

Karel Kulhavy has spoken, thus:
> I wonder whether getting the graphics somehow and asking a local shop to burn
> it on a hoodie for personal use would be fair use. I'm almost sure it would.

if you would make a substitutional donation for not buying the hoodie, I
would say so, too ;)

Have a nice day,
Frank.

-- 
What can you use used tampons for?  Tea bags for vampires.
openBSD - Can't fight the Systemagic. Über tragic.
Frank Brodbeck <[EMAIL PROTECTED]>
Politicians do it to everyone.



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread Stuart Henderson
On 2007/07/20 11:02, carlopmart wrote:
>  This is my third post about problems with OpenBSD 4.1 during last two 
> months ...

Yes, and someone replied with a PR (5508) they'd opened about it.
It's fixed already - src/sys/net/if_pfsync.c 1.83.

Maybe the question to ask is "can this be imported to -stable"...



Re: Bioctl ciss controller status

2007-07-20 Thread Markus Hennecke

On Fri, 20 Jul 2007, Stephan A. Rickauer wrote:

> On Fri, 20 Jul 2007 00:49:03 -0600
> Joel Knight <[EMAIL PROTECTED]> wrote:
>
>> --- Quoting Doros Eracledes on 2007/07/19 at 10:42 +0100:
>>
>>> I have a proliant DL360-G5 and loaded 4.1-stable on it, all
>>> hardware is detected fine.
>>>
>>> I want see if I can get the raid controller status with bioctl.
>>>
>>> Controller initially came with firmware 1.20 so I upgraded it to the
>>> latest (1.66) version but still can't get the raid controller status
>>> using bioctl.
>>> Here is what I get:
>>> #bioctl sd0
>>> bioctl: BIOCINQ: Inappropriate ioctl for device
>>
>> Known issue, no fix.
>>
>> mickey@ told me he found the issue but I'm not sure what happened to
>> the code. FYI, this issue doesn't seem to happen on the DL380.
>
> I do have the same issue with 4.1 on a DL385, though. Only one volume
> configured, controller firmware 2.08.
>
> # bioctl ciss0
> bioctl: Can't locate ciss0 device via /dev/bio

The cause is that the ciss_inquiry struct returned by the firmware has the 
member buswidth set to 0 (zero). So the physical drives do not get probed 
by the driver. If you set this to some other value (the original value in 
the last firmware versions was 16) the "Identify Drive" commands will 
fail. If you change the addressing mode from the "Big Bit" method to the 
old scheme the drives can be queried. I hacked up a small patch that made 
it "work" for the servers used in our project (DL 380 G5). I attach it 
here, but beware that it has some problems:


1. Drives that are identified by the scsi id 0:0.0 do not display the 
right status. We do not have a drive there, so I did not look into that 
for longer (no time for "beauty work").


2. I had to check the drive present bit and would add only those drives 
that were present on driver initialisation. Else the bioctl would show all 
drives as "Invalid" (with exception to the one that would get the id 
0:0.0).


Overall it is only a quick and dirty hack to make it work. I try to look 
into that because I will have the servers here available a little bit 
longer, but I can't promise that. The other parts of the overall project 
are eating up all my time...


So this is the hack, I checked the functionality by removing one of the 
drives and reinserting it. All seems to work ok with the exceptions 
mentioned above. You can even mark a drive via bioctl. The patch is 
against 4.1-stable, dmesg and bioctl output follows below. There is a 
similar system with 5 HDs in a RAID 5 that works too. Use this at your 
own risk:


Index: ciss.c
===
RCS file: /cvs/src/sys/dev/ic/ciss.c,v
retrieving revision 1.24
diff -u -p -r1.24 ciss.c
--- ciss.c  18 Jan 2007 14:46:24 -  1.24
+++ ciss.c  20 Jul 2007 10:21:41 -
@@ -330,6 +330,14 @@ ciss_attach(struct ciss_softc *sc)
sc->maxunits = inq->numld;
sc->nbus = inq->nscsi_bus;
sc->ndrives = inq->buswidth;
+
+   if (sc->ndrives == 0) {
+   /* Handle the new firmware */
+
+   sc->sc_flags |= CISS_NOBIGBIT;
+   sc->ndrives = 16;
+   }
+
printf(": %d LD%s, HW rev %d, FW %4.4s/%4.4s\n",
inq->numld, inq->numld == 1? "" : "s",
inq->hw_rev, inq->fw_running, inq->fw_stored);
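Review bot: in the new `sc->ndrives == 0` branch the fallback `sc->ndrives = 16` is a bare magic number and the comment "Handle the new firmware" does not say what is being handled. Give the value a named constant and state in the comment that the firmware reports `buswidth` as 0 and that `CISS_NOBIGBIT` switches target addressing to the old scheme. The definition of `CISS_NOBIGBIT` is also not in the hunks shown, so the header change has to be part of the patch.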
@@ -1152,11 +1160,19 @@ ciss_ioctl(struct device *dev, u_long cm
if (!ldp)
continue;
for (pd = 0; pd < ldp->ndrives; pd++)
-   if (ldp->tgts[pd] == (CISS_BIGBIT +
-   bb->bb_channel * sc->ndrives +
-   bb->bb_target))
-   error = ciss_blink(sc, ld, pd,
-   bb->bb_status, blink);
+   if (sc->sc_flags & CISS_NOBIGBIT) {
+   if (ldp->tgts[pd] == (
+   bb->bb_channel * sc->ndrives +
+   bb->bb_target))
+   error = ciss_blink(sc, ld, pd,
+   bb->bb_status, blink);
+   } else {
+   if (ldp->tgts[pd] == (CISS_BIGBIT +
+   bb->bb_channel * sc->ndrives +
+   bb->bb_target))
+   error = ciss_blink(sc, ld, pd,
+   bb->bb_status, blink);
+   }
}
break;
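Review bot: the two branches added inside the `for (pd ...)` loop differ only in whether `CISS_BIGBIT` is added, yet the comparison and the `ciss_blink()` call are written out twice. Compute the base once before the loop (0 when `sc->sc_flags & CISS_NOBIGBIT` is set, `CISS_BIGBIT` otherwise) and keep the single original `if`; the same base can then be used for the `drv` calculation in `ciss_pdscan()` so the two places cannot drift apart.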

@@ -1318,9 +1334,14 @@ ciss_pdscan(struct ciss_softc *sc, int l
pdid = sc->scratch;
for (i = 0; i < sc->nbus; i++)
for (j = 0; j < sc->ndrives; j++) {
-   drv = CISS_BIGBIT + i * sc->ndrives + j;
-   if (!ciss_pdid(sc, drv, pd

Re: PF Config problem

2007-07-20 Thread Stuart Henderson
On 2007/07/20 10:46, Gordon Ross wrote:
> Going off on a tangent here: Why is it that I've just picked this up and
> no-one else has ?

I think because you had no rules (pass or block) affecting outgoing
packets - it's quite common to start things off with just 'block'
(without specifying the direction) or 'block log' which would give
more clues about what's going wrong when you tcpdump -netti pflog0.

It's possibly also connected with the change to defaulting to
'flags S/SA' (done to avoid sequence number problems with TCP
window-scaling without requiring people to change rulesets) -
though I didn't work through your rules to check that.

> I haven't tried your diff - let me know if you want me to.

It just changes the implicit rule to keep state so shouldn't
affect things for you now you've added specific rules; I was more
throwing it out for discussion. Actually looking at it again,
flags probably need to be addressed too, maybe with

pf_default_rule.flags = 1; /* SYN */
pf_default_rule.flagset = 18; /* SYN+ACK */

but I'm not so sure about that.



Re: OpenBSD Berlin?

2007-07-20 Thread Timo Schoeler

>>>> change president with "mild dictator", if you please
>>> Forget it.
>> ok, that makes it: hard dictator
> ... in this case I will look for a nice wall and a AK47 ;-)

i recently watched four documentaries on atomic and hydrogen bombs...
errr. ooops.

>>>> "WHO'S INTERESTED?" - he screamed
> I do
>
>>> So, there is not OpenBSD user group in berlin yet?
> there has been a Berlin Unix User Group a while ago ...

what i got from several forums (archives) it died in 2004

>> it seems we're two of us...
> three ... at least

(it's even more in the meantime :)

>> If there was a group in Berlin they'd read these emails, wouldn't they
>>
>>> I admit: I don't like the german 'Pils' either; wine is fine,
>>> especially portuguese wine.
>> wrong: especially _Spanish_ wine
> :)

freedom of choice is a nice thing, as long as we still have it :/

>> So this is the last call:
>>
>>   ---> anybody interested? <---
>
> yes, obviously
>
>> If so, please email Timo and me, so that we do not "overwhelm" this
>> mailing list with our messages

[there were much worse threads than this ;) ]

>> Cheers,
>>
>> Pau
>>
> greez from Prenzlauer Berg ...

timo, near virchow



Re: OpenBSD Berlin?

2007-07-20 Thread Dirk Fohrenkamm
>> > change president with "mild dictator", if you please
>>
>> Forget it.
>
> ok, that makes it: hard dictator
... in this case I will look for a nice wall and a AK47 ;-)

>> > "WHO'S INTERESTED?" - he screamed
I do

>> So, there is not OpenBSD user group in berlin yet?
there has been a Berlin Unix User Group a while ago ...

> it seems we're two of us...
three ... at least

> If there was a group in Berlin they'd read these emails, wouldn't they
>
>> I admit: I don't like the german 'Pils' either; wine is fine,
>> especially portuguese wine.
> wrong: especially _Spanish_ wine
:)

> So this is the last call:
>
>   ---> anybody interested? <---

yes, obviously

> If so, please email Timo and me, so that we do not "overwhelm" this
> mailing list with our messages
>
> Cheers,
>
> Pau
>
greez from Prenzlauer Berg ...



Re: PF Config problem

2007-07-20 Thread Gordon Ross
>>> On 20 July 2007 at 10:04, in message
<[EMAIL PROTECTED]>, Stuart Henderson
<[EMAIL PROTECTED]> wrote:
> On 2007/07/20 08:45, Gordon Ross wrote:
>> > Might be below the minimum; there's no explicit "pass out".
>>
>> No, the packets get out the "other side" of the OBSD box to the destination,
>> it's the return packets that get blocked.
>
> Yes, exactly. Your implicit 'pass out' will allow the outbound
> packets but it looks like this isn't stateful so it won't permit
> the return packets (current behaviour doesn't match pf.conf(5)
> docs; the diff below should address this).

Phew ! I thought my brain had gone the same way as my hair... ;-)

> Can you try just adding 'pass out' to the top of the ruleset
> please?

I did:

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state
pass out on $out_if

and that worked.

> I guess it will help, you could then refine it by tagging
> incoming packets and 'pass out on XX tagged FOO' which is much
> easier than doing each rule individually.

I then did:

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 tag TEST_TAG keep state
pass out on $out_if tagged TEST_TAG

and that worked as well - and (I believe) is tighter than just a "pass out".
(Certainly solves my paranoid problem in my previous posting)

Going off on a tangent here: Why is it that I've just picked this up and
no-one else has ? Is it because I'm running in full paranoia mode and blocking
*everything* unless explicitly allowed ?

I haven't tried your diff - let me know if you want me to.

Thanks for your help, much appreciated.

GTG



Re: Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread Nick Guenther

On 7/20/07, carlopmart <[EMAIL PROTECTED]> wrote:
> Hi all,
>
>   This is my third post about problems with OpenBSD 4.1 during last two
> months ...
>
>   Crash report from console:
>
>   How can I fix this?? I can find any bug report about this on OpenBSD's
> site
>
>   Please it is very urgent ...
>
>   Many thanks.


How is this urgent? Is this *repeatable*? If it's not happening
regularly, how can it be urgent?



Please it is urgent: new OpenBSD 4.1 crash

2007-07-20 Thread carlopmart

Hi all,

 This is my third post about problems with OpenBSD 4.1 during last two 
months ...


 Crash report from console:

 ddb> kernel:  page fault trap, code=0
Stopped at_bus_dmamap_load_mbuf +0xf:   movl   $0,0x18 (%esi)

ddb> show panic
the kernel did not panic

ddb> trace
_bus_dmamap_load_mbuf(d07457e0,0,da3c1100,1) at _bus_dmamap_load_mbuf+0xf
em_get_buf(d294b800,99,b0,1) at em_get_buf+0x107
em_rxeof(d294b800,fffe,d08ace1c,d05a3864,0) at em_rxeof+0x384
em_intr(d294b800) at em_intr+0xbb
Xrecurse_legacy3() at Xrecurse_legacy3+0xad
---Interrupt---
apm_cpu_idle(b0,d07751e0,d0775040,7fff,d0337c5f) at apm_cpu_idle+0x42
idle_loop(58,10,0,0,8aa000) at idle_loop+0x5
bpendtsleep(d0775040,4,d06937ac,0,0,d042ecc3,8,286) at bpendtsleep
uvm_scheduler(d077503c,3,0,d064afd0,2) at uvm_scheduler+0x20
check_console (0,0,0,0,0) at check_console

 I am using GENERIC kernel with latest patches:

OpenBSD 4.1 (GENERIC) #0: Wed Jun 20 08:11:12 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.21 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR

real mem  = 2146795520 (2096480K)
avail mem = 1952096256 (1906344K)
using 4278 buffers containing 107462656 bytes (104944K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/02/04, BIOS32 rev. 0 @ 0xffe90, 
SMBIOS rev. 2.3 @ 0xfb030 (83 entries)

bios0: Dell Computer Corporation PowerEdge 750
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc570/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x5600 
0xce800/0x1000 0xec000/0x4000!

acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 
3, address 00:c0:9f:3d:0e:b5

ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci2 at ppb1 bus 2
ppb2 at pci2 dev 1 function 0 "IBM 133 PCIX-PCIX" rev 0x02
pci3 at ppb2 bus 3
em1 at pci3 dev 4 function 0 "Intel PRO/1000MT QP (82546EB)" rev 0x01: 
irq 11, address 00:04:23:b8:4c:bc
em2 at pci3 dev 4 function 1 "Intel PRO/1000MT QP (82546EB)" rev 0x01: 
irq 11, address 00:04:23:b8:4c:bd
em3 at pci3 dev 6 function 0 "Intel PRO/1000MT QP (82546EB)" rev 0x01: 
irq 11, address 00:04:23:b8:4c:be
em4 at pci3 dev 6 function 1 "Intel PRO/1000MT QP (82546EB)" rev 0x01: 
irq 11, address 00:04:23:b8:4c:bf

uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 7
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb3 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
pci4 at ppb3 bus 4
em5 at pci4 dev 2 function 0 "Intel PRO/1000MT (82541GI)" rev 0x00: irq 
10, address 00:c0:9f:3d:0e:b6

ahc0 at pci4 dev 3 function 0 "Adaptec AHA-3960D U160" rev 0x01: irq 11
scsibus0 at ahc0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct 
fixed

sd0: 34732MB, 49855 cyl, 2 head, 713 sec, 512 bytes/sec, 71132959 sec total
ahc1 at pci4 dev 3 function 1 "Adaptec AHA-3960D U160" rev 0x01: irq 10
scsibus1 at ahc1: 16 targets
vga1 at pci4 dev 14 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 6300ESB SMBus" rev 0x02: SMBus 
disabled

isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0

Re: PF Config problem

2007-07-20 Thread Stuart Henderson
On 2007/07/20 08:45, Gordon Ross wrote:
> > Might be below the minimum; there's no explicit "pass out".
> 
> No, the packets get out the "other side" of the OBSD box to the destination,
> it's the return packets that get blocked.

Yes, exactly. Your implicit 'pass out' will allow the outbound
packets but it looks like this isn't stateful so it won't permit
the return packets (current behaviour doesn't match pf.conf(5)
docs; the diff below should address this).

Can you try just adding 'pass out' to the top of the ruleset
please? I guess it will help, you could then refine it by tagging
incoming packets and 'pass out on XX tagged FOO' which is much
easier than doing each rule individually.

Index: pf_ioctl.c
===
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.182
diff -u -p -r1.182 pf_ioctl.c
--- pf_ioctl.c  24 Jun 2007 11:17:13 -  1.182
+++ pf_ioctl.c  20 Jul 2007 08:56:32 -
@@ -177,6 +177,7 @@ pfattach(int num)
/* default rule should never be garbage collected */
pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
pf_default_rule.action = PF_PASS;
+   pf_default_rule.keep_state = PF_STATE_NORMAL;
pf_default_rule.nr = -1;
pf_default_rule.rtableid = -1;
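
Review bot: The new "pf_default_rule.keep_state = PF_STATE_NORMAL;" assignment in pfattach() changes how the implicit default pass behaves for every ruleset that relies on it, and nothing in the hunk records why. A short comment above the assignment would help, for example one saying that the default rule keeps state so that it behaves as pf.conf(5) describes. The visible lines also set no TCP flags match on the default rule, so please confirm whether state can now be created from a non-SYN packet that falls through to the default rule, and whether that is intended.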



Re: PF Config problem

2007-07-20 Thread Gordon Ross
>>> On 19 July 2007 at 23:52, in message
<[EMAIL PROTECTED]>, Stuart Henderson
<[EMAIL PROTECTED]> wrote:
> On 2007/07/19 15:38, Gordon Ross wrote:
>> Cutting down the pf ruleset to the bare minimum, I have:
>
> Might be below the minimum; there's no explicit "pass out".
> There's an implicit one, but I suspect it might not be keeping
> state (though the default as of 4.1 is to keep state, I suspect
> this _may_ apply only to rules configured by pfctl and not implicit
> ones). And if that's the case it won't permit the return traffic.

Made a little bit of progress..

If I change

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

to:

pass proto tcp from 172.16.2.34 to 192.168.249.3 keep state

Then that works fine. Now I can half see why this does work: I've not
specified a direction or interface for the rule. For a simple two-interface
firewall, that should be OK. My thoughts turn to when I have a firewall with
more than two interfaces: What would happen to a spoofed packet appearing on a
"wrong" interface ? As the rule no longer specifies interfaces, I could see
that PF would allow the packet through... Would the solution be to create
rules that only allow "valid" addresses to come in to interfaces ? Or am I
being paranoid ?

GTG
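
One way to keep the interface binding that the direction-less rule gives up, following the tagging suggestion made earlier in the thread. This is an added example, not part of the original messages; the interface names, the $dmz_if macro and the INT_TO_SRV tag are assumptions.

```pf
# Assumed macros; em0/em1 are placeholders for the real interfaces.
int_if = "em0"   # network where 172.16.2.34 lives (assumed directly attached)
dmz_if = "em1"   # hypothetical interface facing 192.168.249.3

# Default deny, logged to pflog0 so drops show up in
#   tcpdump -n -e -ttt -i pflog0
block log all

# Drop packets whose source address belongs to a directly attached
# network but which arrive on a different interface.
antispoof log quick for { $int_if $dmz_if }

# Weak form from the thread: matches on any interface, in either direction,
# so a packet claiming to be 172.16.2.34 is accepted wherever it shows up.
# pass proto tcp from 172.16.2.34 to 192.168.249.3 keep state

# Bound form: accept the connection only where it may legitimately enter,
# and tag it.
pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 \
    tag INT_TO_SRV keep state

# Let only tagged traffic leave towards the server. The states created
# by these two rules carry the return packets back through both interfaces.
pass out on $dmz_if tagged INT_TO_SRV keep state
```

With more interfaces, each additional path gets its own "pass in on ... tag" rule, while the "pass out ... tagged" rules stay per egress interface.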



Re: Non critical but weird pf and openvpn problem

2007-07-20 Thread Henning Brauer
* jean-philippe luiggi <[EMAIL PROTECTED]> [2007-07-20 03:04]:
> I'm perhaps wrong but I think the interface must exist before loading
> any rules which use it. 

yes, you are almost wrong.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Non critical but weird pf and openvpn problem

2007-07-20 Thread a666
I do have an /etc/hostname.tun0 file that I created manually with 
touch.  

What is the theory of openvpn being the problem source?  Obviously 
openvpn started up correctly or I would have to do more to fix the 
problem than merely running pfctl -f /etc/pf.conf. :-)  Thanks for 
the pfctl -sr suggestion.  Though I use this often, I never 
thought to run this before doing pfctl -f /etc/pf.conf after 
booting up, duh. :-)

On Thu, 19 Jul 2007 16:47:58 -0700 Tim Kuhlman 
<[EMAIL PROTECTED]> wrote:
>On Thu July 19 2007 5:12:58 pm Bill wrote:
>> On Thu, 19 Jul 2007 15:06:55 -0700
>>
>> <[EMAIL PROTECTED]> spake:
>> > I have the same problem.  I was going to post this question too
>> > along with another question.
>> >
>> > When I first boot up my OpenBSD 4.1 server, I can not access my
>> > OpenVPN wireless connection.  I can access ssh wirelessly though.
>> > So what I do is login via ssh and run pfctl -f /etc/pf.conf.  Now
>> > my OpenVPN connection works just fine.  I too have my startup
>> > script in /etc/rc.local but it is much simpler:
>> >
>> > /usr/local/sbin/openvpn /var/openvpn/server.conf
>> >
>> > I am curious to know why pf requires a command line start for it to
>> > work.
>>
>> I have a few OpenVPN installations running and do not have this problem
>> with any of them.  I start my PF normally through the rc.conf.local
>>
>
>Same here I have few installations which are very reliable and problem free.
>
>> Do you have a hostname.tun0 file in /etc?
>>
>> I forget if OpenVPN will create the tun0, but it could be why PF needs
>> to be run after in your instance.  I have simply:
>>
>> UP
>
>my hostname.tun0 is set to
>inet 0.0.0.0 0.0.0.0 NONE
>
>Either way probably works fine.
>
>Have you checked out your log files? Openvpn does a good job logging in my
>experience. If the logs are empty I would try turning up the verbosity or
>running openvpn by hand before doing a reload of the pf rules. It would also
>be interesting to run pfctl -sr before reloading to see if they even loaded
>properly.
>
>-- 
>Tim Kuhlman
>Network Administrator
>ColoradoVnet.com



Re: Bioctl ciss controller status

2007-07-20 Thread Stephan A. Rickauer
On Fri, 20 Jul 2007 00:49:03 -0600
Joel Knight <[EMAIL PROTECTED]> wrote:

> --- Quoting Doros Eracledes on 2007/07/19 at 10:42 +0100:
> 
> > I have a proliant DL360-G5 and loaded 4.1-stable on it, all
> > hardware is detected fine.
> > 
> > I want see if I can get the raid controller status with bioctl.
> > 
> > Controller initially came with firmware 1.20 so I upgraded it to the
> > latest (1.66) version but still can't get the raid controller status
> > using bioctl.
> > Here is what I get:
> > #bioctl sd0
> > bioctl: BIOCINQ: Inappropriate ioctl for device
> 
> 
> Known issue, no fix.
> 
> mickey@ told me he found the issue but I'm not sure what happened to
> the code. FYI, this issue doesn't seem to happen on the DL380.

I do have the same issue with 4.1 on a DL385, though. Only one volume
configured, controller firmware 2.08.

# bioctl ciss0
bioctl: Can't locate ciss0 device via /dev/bio

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWeb  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: GPL is free for forcing people to free code when they publish, not free as in free to do what you want, which is actually what free as in BSD, and real freedom ends at the tip of my nose

2007-07-20 Thread Karel Kulhavy
On Fri, Apr 13, 2007 at 08:25:43AM -0400, Umnada Tyrolla wrote:
> Why isn't there some zealot out there who recodes gpl stuff into 
> bsd licensed code? That would be a service to developers, at least.

Because preaching takes much less energy than sitting for long hours at a
computer and figuring out why a piece of code is refusing to work.

I myself coded some GPL software and released it, the biggest one is 25% of the
Links browser which is included in the OpenBSD packages. It's not clear to me
what's better, GPL or BSD. I don't care. Personally I always choose GPL for
software projects and GFDL for hardware projects. 

Due to law, hardware is de facto always released under a BSD style licence.  I
didn't have any problem with the fact that my hardware is under BSD. Neither
had I problem with my software being released under GPL.

CL<



Just found: "Insights into a migration project at INI"

2007-07-20 Thread Wild Karl-Heinz
sounds nice :)

http://www.ini.unizh.ch/~stephan/talks/LinuxTag07.pdf

or in html

http://209.85.129.104/search?q=cache:Mp4bVfAMVmYJ:www.ini.unizh.ch/~stephan/talks/LinuxTag07.pdf+Stephan+A.+Rickauer+Institute+of+Neuroinformatics+(INI)+at+ETH&hl=de&ct=clnk&cd=4&gl=li&client=firefox-a

Karl-Heinz



Re: 4.1 !

2007-07-20 Thread Karel Kulhavy
On Fri, Apr 13, 2007 at 11:10:26AM +0200, Paul de Weerd wrote:
> It's in ! It looks very very very cool ;)
> 
> Thanks Wim for such an incredibly speedy delivery !

In my last case Wim delivered very slowly. I wanted to buy an obsd hoodie as a
christmas 2006 present.  Wim assured me it shouldn't be a problem to pay and
deliver it before christmas, and then the e-mail invoice (payment details) came
as late as after christmas! 

So I didn't even pay him and told him it's of no use for me anymore because
I had to buy a different gift instead of it.

I wonder whether getting the graphics somehow and asking a local shop to burn
it on a hoodie for personal use would be fair use. I'm almost sure it would.

CL<

> 
> Now, on to upgrade my machine ;)
> 
> Paul
> 
> PS: apologies in advance for the noise this will no doubt generate...
> 
> -- 
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>  http://www.weirdnet.nl/ 



Re: PF Config problem

2007-07-20 Thread Gordon Ross
>>> On 19 July 2007 at 18:55, in message <[EMAIL PROTECTED]>,
Dag Richards <[EMAIL PROTECTED]> wrote:
> Gordon Ross wrote:
>> So why is this different to what I put ?
>>
>> #These three lines allow the failover mechanisms to work
>> pass on { $int_if } proto carp keep state
>> pass on { $adsl_if } proto carp keep state
>> pass quick on { $pfsync_if} proto pfsync
[snip]
> The difference is you were paying attention.

;-)

> I really thought I saw pass out not just pass on your lines.
>
> When you do
>
> tcpdump -n -e -ttt -i pflog0
>
> with rules enabled do you see inbound carp being blocked?

No CARP packets are being blocked.

GTG



Re: PF Config problem

2007-07-20 Thread Gordon Ross
>>> On 19 July 2007 at 23:52, in message
<[EMAIL PROTECTED]>, Stuart Henderson
<[EMAIL PROTECTED]> wrote:
> On 2007/07/19 15:38, Gordon Ross wrote:
>> Cutting down the pf ruleset to the bare minimum, I have:
>
> Might be below the minimum; there's no explicit "pass out".

No, the packets get out the "other side" of the OBSD box to the destination,
it's the return packets that get blocked.

> There's an implicit one, but I suspect it might not be keeping
> state (though the default as of 4.1 is to keep state, I suspect
> this _may_ apply only to rules configured by pfctl and not implicit
> ones). And if that's the case it won't permit the return traffic.

This is my problem - the return traffic is not being allowed back in.

Surely I don't need to write explicit "pass in" rules for the return packets ?
Or have I missed something really silly/obvious ?

> I would have a look at http://www.openbsd.org/faq/pf/tagging.html
> before you start writing much more.

Noted. However, it's not going to help me right now :-(

Thanks,

GTG



Intel SRCSAS144E

2007-07-20 Thread Stephan A. Rickauer
Anyone having first-hand experience with Intel's SRCSAS144E RAID
controller? According to mfi(4) it is not only supported but also
registers nicely with bio(4).

A bioctl output would be highly appreciated, too.

Thanks,

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWeb  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: Zurich OpenBSD

2007-07-20 Thread Karel Kulhavy
On Wed, Jul 18, 2007 at 01:27:28PM +0400, Anton Karpov wrote:
> > RFC, anyone? :)
> >
> > > My coffee had just run out, so no keyboard harmed.
> >
> > Timo
> >
> >
> 
> I like the idea of T-shirts and stickers "It's an OpenBSD thing. You
> wouldn't understand" ;-)

I have the big white Puffy sticker on my black snowboard. It looks quite cool
even without knowledge that it's about OpenBSD. So that all the people queuing
for the lift and watching other peoples' boring Volcom, Burton and Santa Cruz
stickers know I am using OpenBSD ;-)

CL<



Hack OpenBSD and improve fitness at the same time

2007-07-20 Thread Karel Kulhavy
I understand that hacking OpenBSD code requires a lot of time commitment
sitting in front of a computer but that people possibly also have concerns
about their health which needs regular exercise.

Add an everyday job to this and you get a shortage of time. Therefore I have
developed a special open source fitness machine for computer hackers which
allows exercising while sitting at the keyboard.

Twibright Exciter: http://ronja.twibright.com/exciter/

Happy hacking and no worries about your health anymore!

CL<



Re: stty -echo not working

2007-07-20 Thread Otto Moerbeek
On Fri, 20 Jul 2007, Chris Mason wrote:

> Hi,
> 
> I know I am doing something wrong as opposed to a problem with OpenBSD, but I
> can't get the stty command working correctly.
> I have searched on Google but I am unable to find any reference to it not
> working.. everyone suggests this method.
> On any other system I can do "stty -echo" to turn the terminal echo off, but
> on OpenBSD 4.0/4.1 it doesn't have any effect:
> 
> mail:/root# stty -echo
> mail:/root# stty -e
> speed 38400 baud; 24 rows; 80 columns;
> lflags: icanon isig iexten -echo echoe -echok echoke -echonl echoctl
>   -echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
>   -extproc -xcase
> iflags: -istrip icrnl -inlcr -igncr -iuclc ixon -ixoff ixany imaxbel
>   -ignbrk brkint -inpck -ignpar -parmrk
> oflags: opost onlcr -ocrnl -onocr -onlret -olcuc oxtabs -onoeot
> cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -mdmbuf
> discard dsusp   eof eol eol2erase   intrkilllnext
> ^O  ^Y  ^D^?  ^C  ^U  ^V
> min quitreprint start   status  stopsusptimewerase
> 1   ^\  ^R  ^Q   ^S  ^Z  0   ^W
> 
> Does anyone have any idea what I am doing wrong?

In interactive editing mode, ksh itself echoes the chars. Try this:

set +o emacs
stty -echo

Note that applies only to command line mode, if a script interacts
with the terminal, it will work as expected.

-Otto



Re: Since location mails seem to be the thing for the past couple of days....

2007-07-20 Thread Andreas Andersson

Joshua Smith wrote:

Anyone in or around Morgantown, WV USA?

Thanks,
Josh



Or in Trollhättan, Sweden?
/ Andreas