Re: SOLVED? Re: 4.0 -> 4.1 broke ipsec
On Thu, 27 Sep 2007, Brian A. Seklecki wrote:

> > Ok, it's running now. The cause was not the move from 4.0 -> 4.1, but
> > the move from a diskful to a diskless setup: The machine mounts its root
> > fs via nfs.
>
> WHAT?!?!?! What the heck kind of security-minded sanity check would
> fail based on the underlying VFS?
>
> Did you eventually get a PR open on this?

This has to do with a bug in isakmpd, where scanning a dir could skip files. The bug could only be triggered on nfs mounts.

-Otto

> ~BAS
>
> > This runs just fine, except for isakmpd: It silently does
> > not read any certificates from a NFS mounted directory. After moving
> > /etc/isakmpd to a ramdisk, ipsec runs fine as well.
> >
> > Question: Is this a bug or a feature? If it is a feature, it really
> > should be documented. If it is a bug, I am unable to fix it. I started
> > digging into isakmpd's sources, but failed to further trace things in
> > monitor.c's forking and privilege separation.
> >
> > Regards,
> >
> > Heinrich
Re: SOLVED? Re: 4.0 -> 4.1 broke ipsec
> Ok, it's running now. The cause was not the move from 4.0 -> 4.1, but
> the move from a diskful to a diskless setup: The machine mounts its root
> fs via nfs.

WHAT?!?!?! What the heck kind of security-minded sanity check would fail based on the underlying VFS?

Did you eventually get a PR open on this?

~BAS

> This runs just fine, except for isakmpd: It silently does
> not read any certificates from a NFS mounted directory. After moving
> /etc/isakmpd to a ramdisk, ipsec runs fine as well.
>
> Question: Is this a bug or a feature? If it is a feature, it really
> should be documented. If it is a bug, I am unable to fix it. I started
> digging into isakmpd's sources, but failed to further trace things in
> monitor.c's forking and privilege separation.
>
> Regards,
>
> Heinrich
Re: IDE or SCSI virtual disks for VMWare image?
Any word on the degraded performance of fork operations inside the vmware server guest? Or am I imagining that thread of e-mails?

~BAS

On Sat, 2007-07-07 at 10:04 -0500, Todd Pytel wrote:
> On Sat, 2007-07-07 at 10:44 -0400, Nick Holland wrote:
>
> > There's the answer to your question: For your app, it just won't matter.
> > You've spent more time asking, and others (including myself) have spent
Re: Config problem of Intel 915GM
Safe to ignore - most i810 devices have duplicate PCI bus entries for the internal and external video. Both are driven by the same logical GPU, though.

~BAS

On Sun, 2007-07-01 at 00:21 +0800, Alex Kwan wrote:
> Hello!
>
> When I exit from the X, I got following warning message:
> I810: No matching Device section for instance (BusID PCI:0:2:1) found
>
> I try to edit the BusID PCI:0:2:0 to BUSID PCI:02:0 in Section "Device"
> of xorg.conf,
> but it can't start the X, what is the problem and how to fix it? thanks!
Re: RAID1 powerloss - can parity rewrite be safely backgrounded?
raid(4) hasn't been touched in a while (years), so short answer: No.

NetBSD is still actively committing to it, though, and has functional background parity recalculation.

I understand there is interest in replacing RAIDFrame instead of resynchronizing the subtree.

In the meantime, find a hardware RAID Controller that can be managed by OpenBSD via bio(4) and grab a UPS that works with upsd(8).

~BAS

On Thu, 27 Sep 2007, Rob wrote:

> On 9/25/07, Matt <[EMAIL PROTECTED]> wrote:
> > I'm running a RAID1 mirror on OpenBSD 4.1 (webserver)
> > On a power failure the parity becomes dirty and needs rewriting, which
> > results in > 1.5 hours 'downtime'.
> > Is it safe to background this in /etc/rc or is that a no-no?
> >
> > I found a reference this was possible/safe on-list but it was a) 2003
> > and b) dealt with RAID5.
> > I'd like to make sure I am not doing something dangerous.
>
> I frankly don't know enough to guarantee that this is safe, or not,
> but I had a RAID1 with big disks on an ancient machine that took about
> 26 hours to check parity (! -- this wasn't my idea), and I modified
> its rc to boot up, and then begin performing the parity check in the
> background. The only caveat I would give is that the operating system
> was installed and running on a 3rd, separate disk, and that network
> access to the mirrored drives was disabled until the parity rewrite
> was complete.
>
> - R.
Re: arc0: unable to query firmware for sensor info
On 27/09/2007, at 8:06 PM, Stephan A. Rickauer wrote:

> A new server shipped by a local vendor fails to boot bsd.mp, with and
> without acpi enabled (amd64, 4.2). Without acpi it will reboot directly
> after mounting the root device. With acpi enabled it will hang with
> "arc0: unable to query firmware for sensor info". Uniprocessor kernels
> would boot fine, both acpi and without. Pls. find dmesgs of those as
> well as more info below.

I'm pretty sure that message from arc is a result of interrupts not being hooked up correctly.

also, arc doesn't hang after printing that message, it gives control back to the rest of the kernel. presumably the kernel is hanging while waiting for io on the disk to work, but of course, the disk is on arc and interrupts aren't wired up to it correctly so just blocks.

dlg

> # cat 4.2-bsd-noacpi.dmesg
> OpenBSD 4.2 (GENERIC) #0: Thu Sep 27 12:10:25 CEST 2007
>     [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 3757588480 (3583MB)
> avail mem = 3636060160 (3467MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x99c00 (84 entries)
> bios0: vendor American Megatrends Inc. version "WTF2V028" date 01/24/2007
> acpi at mainbus0 not configured
> ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Dual-Core AMD Opteron(tm) Processor 2212, 2000.24 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
> cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
> pci0 at mainbus0 bus 0: configuration mode 1
> "NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
> pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3
> nviic0 at pci0 dev 1 function 1 "NVIDIA nForce4 SMBus" rev 0xa2
> iic0 at nviic0: disabled to avoid ipmi0 interactions
> iic1 at nviic0: disabled to avoid ipmi0 interactions
> ohci0 at pci0 dev 2 function 0 "NVIDIA nForce4 USB" rev 0xa2: irq 9, version 1.0, legacy support
> ehci0 at pci0 dev 2 function 1 "NVIDIA nForce4 USB" rev 0xa3: irq 11
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
> pciide0 at pci0 dev 6 function 0 "NVIDIA nForce4 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
> atapiscsi0 at pciide0 channel 0 drive 1
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
> cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 disabled (no drives)
> pciide1 at pci0 dev 7 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
> pciide1: using irq 11 for native-PCI interrupt
> pciide2 at pci0 dev 8 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
> pciide2: using irq 10 for native-PCI interrupt
> ppb0 at pci0 dev 9 function 0 "NVIDIA nForce4 PCI-PCI" rev 0xa2
> pci1 at ppb0 bus 7
> vga1 at pci1 dev 6 function 0 "XGI Technology Volari Z7" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> "TI TSB43AB22 FireWire" rev 0x00 at pci1 dev 7 function 0 not configured
> ppb1 at pci0 dev 11 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
> pci2 at ppb1 bus 6
> ppb2 at pci0 dev 12 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
> pci3 at ppb2 bus 5
> bge0 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): irq 7, address 00:d0:68:12:0b:71
> brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
> ppb3 at pci0 dev 13 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
> pci4 at ppb3 bus 4
> bge1 at pci4 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): irq 5, address 00:d0:68:12:0b:70
> brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
> ppb4 at pci0 dev 14 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
> pci5 at ppb4 bus 1
> ppb5 at pci5 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
> pci6 at ppb5 bus 3
> arc0 at pci6 dev 14 function 0 "Areca ARC-1210" rev 0x00: irq 7
> arc0: 4 SATA Ports, 256MB SDRAM, FW Version: V1.43 2007-4-17
> scsibus1 at arc0: 16 targets
> sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed
> sd0: 152587MB, 54253 cyl, 12 head, 480 sec, 512 bytes/sec, 312499712 sec total
> ppb6 at pci5 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
> pci7 at ppb6 bus 2
> pchb0 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
> pchb1 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
> pchb2 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
> pchb3 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
> pchb4 at pci0 dev 25 function 0 "AMD AMD64 HyperTransport" rev 0x00
> pchb5 at pci0 dev 25 function 1 "AMD AMD64 Address Map" rev 0x00
> pchb6 at pci0 dev 25 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
> pchb7 at pci0 dev 25 function 3 "AMD AMD64 Misc Cfg" rev 0x00
> is
Re: X server listing in XDM?
On Thu, Sep 27, 2007 at 05:05:13PM -0400, Hugo Villeneuve wrote:
> On Thu, Sep 27, 2007 at 02:11:53PM +0100, Edd Barrett wrote:
> > Hi there,
> >
> > Is it possible to have a list of X servers to connect to in XDM on
> > OpenBSD, kind of like dtlogin on solaris?
> >
> > Thanks
> >

I agree on part 1 to 4.

> 5. Manually start the X server in indirect (chooser) mode at startup
> in /etc/rc.local:
>
> if [ -x /usr/X11R6/bin/X ]; then
>     /usr/X11R6/bin/X -indirect 127.0.0.1 -from 192.168.45.21 vt05 :0 &
> fi

This I would do differently. The problem with this is that when X gets terminated (for instance when a user hits ) you end up with no X login.

I have a line in /etc/ttys starting X. This will restart X on termination. The line would look with the example values like:

ttyC5 "/usr/X11R6/bin/X -indirect 127.0.0.1 -from 192.168.45.21 vt05 :0" xterm on

My actual line looks as follows:

ttyC8 "/usr/X11R6/bin/Xorg -indirect xdmcp -from alf vt09" xterm on

my C5 has a getty (I have more than the standard number of vt's)
xdmcp is a local host that allows indirect from *
alf is the name of the machine running X.
X is a symlink to Xorg so that is the same
:0 is default and can be left out

> There might be a way to setup cookies properly. You only really
> need one xdm server willing to broadcast for you per network.

This uses cookies fine.

Janjaap van Velthooven
--
/ __/ /_/ __/ /_ __/ __/ /___ / / /_ __/___/_/_ /___ / / __/ /___ / / [EMAIL PROTECTED] /___/_/_/_/_/_/_/___/_/_/
Re: RAID1 powerloss - can parity rewrite be safely backgrounded?
On 9/25/07, Matt <[EMAIL PROTECTED]> wrote:
> I'm running a RAID1 mirror on OpenBSD 4.1 (webserver)
> On a power failure the parity becomes dirty and needs rewriting, which
> results in > 1.5 hours 'downtime'.
> Is it safe to background this in /etc/rc or is that a no-no?
>
> I found a reference this was possible/safe on-list but it was a) 2003
> and b) dealt with RAID5.
> I'd like to make sure I am not doing something dangerous.

I frankly don't know enough to guarantee that this is safe, or not, but I had a RAID1 with big disks on an ancient machine that took about 26 hours to check parity (! -- this wasn't my idea), and I modified its rc to boot up, and then begin performing the parity check in the background. The only caveat I would give is that the operating system was installed and running on a 3rd, separate disk, and that network access to the mirrored drives was disabled until the parity rewrite was complete.

- R.
Re: mounting Sony digital camera in 4.1
On Fri, 28 Sep 2007, Chris wrote:

> I'm trying to mount a Sony DSC-P100. /var/log/messages output -
>
> Sep 27 14:33:23 host /bsd: ugen1: Sony Sony PTP, rev 2.00/2.00, addr 2

"PTP". Switch your camera to USB mass media mode. Then you will see SCSI device appearing that you can mount.

OR

Use software that can handle PTP devices such as digikam. (Haven't tried this with OpenBSD so YMMV)

--
Antti Harri
mounting Sony digital camera in 4.1
I'm trying to mount a Sony DSC-P100. /var/log/messages output -

Sep 27 14:33:23 host /bsd: ugen1: Sony Sony PTP, rev 2.00/2.00, addr 2

But there is no /dev/ugen1 rather /dev/ugen0.00 - 1.15 and I cannot seem to mount it with mount /dev/ugen0.00 or /dev/ugen0.01. I read the ugen(4) manpage but confused as to what would be the device and the endpoint.

Any help would be much appreciated.

Thanks.
Re: X server listing in XDM?
On Thu, Sep 27, 2007 at 02:11:53PM +0100, Edd Barrett wrote:
> Hi there,
>
> Is it possible to have a list of X servers to connect to in XDM on
> OpenBSD, kind of like dtlogin on solaris?
>
> Thanks
>

It's been a while and I haven't tried in a while but it used to go like this:

1. Enable XDMCP listening by xdm by commenting (adding "!" at the front of the line) in /etc/X11/xdm/xdm-config the line:

   !DisplayManager.requestPort: 0

2. Remove the local X server from xdm control by commenting the :0 line in /etc/X11/xdm/Xservers:

   #:0 local /usr/X11R6/bin/X vt05

3. Add your local network IP for indirect (chooser) or direct access in /etc/X11/xdm/Xaccess:

   192.168.45.21 CHOOSER BROADCAST
   192.168.45.21

   or

   * CHOOSER BROADCAST
   *

4. Start xdm at startup in /etc/rc.conf.local:

   xdm_flags=""

5. Manually start the X server in indirect (chooser) mode at startup in /etc/rc.local:

   if [ -x /usr/X11R6/bin/X ]; then
       /usr/X11R6/bin/X -indirect 127.0.0.1 -from 192.168.45.21 vt05 :0 &
   fi

This is from memory, I don't have access to the system I setup like this. You might have to fiddle a bit. Read man pages (Xserver, xdm, etc.). I can't remember if & was necessary or if I did stdout/stderr redirections.

There might be a way to setup cookies properly. You only really need one xdm server willing to broadcast for you per network.

The -from option is added because OpenBSD X's server used to be really bad at selecting a proper local address for indirect/query mode. (It puts 127.0.0.1 by default or something.) I don't know if it now works as expected with the new Xorg. This can make it hard in a DHCP network or for a laptop changing location often.

Hope this helps. Hope I understood the question.

--
Hugo Villeneuve <[EMAIL PROTECTED]>
http://EINTR.net/
Anyone seen the quantis rng available?
It looks pretty interesting and I know support for it has been worked on for OpenBSD. The only problem is that it seems next to impossible to find in the U.S. Their site shows very few distributors and of the three emails that I have sent them over the last year... I have yet to hear from them. Someone did tell me that they are expensive. Anyone know of a source that can get them? What kind of prices are they running?
Re: SMTP flood + spamdb
Bob Beck wrote:
> There is a quasi standard perl script which I have posted and
> is available frequently referenced in the archives of this list, and
> has already been mentioned twice in this thread. it is not "standard"
> with OpenBSD because pieces of it must be customized to be site
> specific, so it's not really a generic solution, but it can do some
> things the generic stuff can't.

And that script works quite well, I can report. Heck, even not using the user validation parts it cuts a lot of crud out. (And by a lot, I mean a lot of what just spamd doesn't grab...).

--Kurt
Re: SMTP flood + spamdb
* Juan Miscaro <[EMAIL PROTECTED]> [2007-09-27 11:36]:
>
> --- Bob Beck <[EMAIL PROTECTED]> wrote:
>
> [snip]
>
> > greylisting does what it does. It delays the initial email
> > for 30 minutes or more. what you do with that 30 minutes will decide
> > on how effective it is for you.
> >
> > In that 30 minutes)
>
> [snip]
>
> > 4) optionally, if you check the greylist against valid local mail
> > addresses, you could trap them if they're mailing to bogus local addresses
> > (we do that here)
>
> Is there a standard way to achieve that or does one just hack a shell
> script together?

Yes, there are some standard ways as documented in spamd(8)- they are relatively new, so if your spamd is old you don't have them. see the /etc/mail/spamd/alloweddomains, etc. etc.

There is a quasi standard perl script which I have posted and is available frequently referenced in the archives of this list, and has already been mentioned twice in this thread. it is not "standard" with OpenBSD because pieces of it must be customized to be site specific, so it's not really a generic solution, but it can do some things the generic stuff can't.

-Bob
Re: SMTP flood + spamdb
--- Bob Beck <[EMAIL PROTECTED]> wrote:

[snip]

> greylisting does what it does. It delays the initial email
> for 30 minutes or more. what you do with that 30 minutes will decide
> on how effective it is for you.
>
> In that 30 minutes)

[snip]

> 4) optionally, if you check the greylist against valid local mail
> addresses, you could trap them if they're mailing to bogus local addresses
> (we do that here)

Is there a standard way to achieve that or does one just hack a shell script together?

// juan
Re: Internet slowdown when pf is enabled? Running on i386 -current
Thanks a lot. I've created a new ruleset for my pf.conf, and it improves so much. :)

On Thu, 27 Sep 2007 06:04:49 +0100, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/09/27 11:51, Reza Muhammad wrote:
>> > On Wed, 26 Sep 2007 11:37:28 -0700, "Can E. Acar" <[EMAIL PROTECTED]>
>> > wrote:
>> >> Reza Muhammad wrote:
>> ...
>> > also
>> >
>> > There is a lot of external broadcast traffic they are probably the cause of
>> > the large number of state insertions/deletions. They are either a badly designed
>> > p2p/broadcast/whatever protocol, or the result of the worm/malware of
>> > the month.
>> >
>> > Can you add
>> >
>> > block drop in quick on sis0 all
>> >
>> > at the start of your ruleset? This way the external traffic does not
>> > create states at all.
>> >
>> > Can
>> >
>>
>> Actually I've been noticing that my ISP has been broadcasting a lot of
>> things since I've been using them.
>> For example, I would get this type of message in /var/log/message all the time:
>> Sep 27 10:10:25 blowfish /bsd: arp: attempt to overwrite entry for
>> 192.168.1.1 on lo0 by 00:02:6f:3e:14:59 on sis0
>>
>> Anyway, about the ruleset, since I'm also running a web server, and mail
>> server on this box, I shouldn't use block quick right?
>
> Ok, in that case,
>
> block in on sis0
> pass in on sis0 to port {http, smtp}
>
> etc.
Re: Greytrapping by destination server IP (Honeypotting?)
* Richard Wilson <[EMAIL PROTECTED]> [2007-09-27 07:49]:
> In recent weeks I have seen a number of spam attempts to servers we host
> that should never see them. More concisely, people are trying to send
> spam by connecting to port 25 on our web servers. These connections die
> on their arse because we don't allow 25 inbound to anything but our mail
> servers, but it strikes me that such connections could be a good source
> of data on who to block in spamd.
>
> I can easily put together a pf table of some servers that should never
> see connections to port 25, and redirect them to our spamd instances,
> but my questions are these:
>
> How should I make spamd recognise that these attempts are phony, and
> instantly blacklist/tarpit them? -b appears to still have to check a
> list, I want something more like greytrapping.
>
> Should I be running a separate spamd instance on a different port for
> this, or can it all be done with cunning configuration of the standard one?
>
> If I run two spamd instances, my standard one and my honeytrap one, and
> they look at and manipulate the same /var/run/spamdb, will it all go
> Horribly Wrong? I suspect not, as spamlogd manipulates it at the same
> time, but I think that might be over a sock, and hence kept safe that way.
>
> Have I missed some reason why this is a Really Dumb Idea(tm)?
>
>
> I think it bears mention that our spamd stuff is currently on a 4.0 box,
> but I'm making plans for when we re-build with 4.2, so answers would be
> best based on 4.2 functionality.
>
> Thanks for any and all responses, even if they're "No! You fool!" :-)
>

Still not sure what you're going to get out of it, but you could get your spamd to 4.2, then use /etc/mail/spamd.alloweddomains - put a nonsensical domain in there and it will trap everything. i.e. "blahblahblah"

However using spamd for this seems like overkill. There are lots of other ways to just make a list of everyone who connects to a port, since I'm assuming you just want to make a list of *everyone* who connects to port 25

-Bob
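
Added example (not part of the thread, and not the posters' or the spamd project's own code): one way to build the list the reply above mentions, by extracting from pf log text every source that sent a SYN to port 25 on a host that must never receive mail, and printing a `spamdb -t -a` command (add as a TRAPPED entry) for each. The host list, the log lines and the assumption that pf logs these blocked connections are all constructed for illustration.

```sh
#!/bin/sh
# Added example: list hosts that probe SMTP on machines which must never
# receive mail, from pf log text. Addresses and log lines are constructed.

# Assumption: the servers that should never see port 25 (e.g. web servers).
NOMAIL_HOSTS="192.0.2.10 192.0.2.11"

# Constructed sample in the style of "tcpdump -n -e -ttt -r /var/log/pflog".
# 192.0.2.25 stands for a real mail server and is not in NOMAIL_HOSTS.
sample_log() {
    cat <<'EOF'
Sep 27 07:41:02.100001 rule 4/(match) block in on em0: 203.0.113.5.41234 > 192.0.2.10.25: S 1:1(0) win 16384 <mss 1460> (DF)
Sep 27 07:41:03.200002 rule 4/(match) block in on em0: 203.0.113.5.41250 > 192.0.2.11.25: S 1:1(0) win 16384 <mss 1460> (DF)
Sep 27 07:42:10.300003 rule 4/(match) block in on em0: 198.51.100.77.3345 > 192.0.2.10.25: S 1:1(0) win 65535 (DF)
Sep 27 07:43:00.400004 rule 4/(match) block in on em0: 198.51.100.9.5555 > 192.0.2.10.80: S 1:1(0) win 16384 (DF)
Sep 27 07:44:00.500005 rule 2/(match) pass in on em0: 203.0.113.200.2222 > 192.0.2.25.25: S 1:1(0) win 16384 (DF)
Sep 27 07:45:00.600006 rule 4/(match) block in on em0: 198.51.100.200.4000 > 192.0.2.11.25: R 1:1(0) win 0
EOF
}

# Read pf log text on stdin; print each distinct IPv4 source that sent a
# TCP SYN to port 25 on one of NOMAIL_HOSTS, in order of first appearance.
smtp_probe_sources() {
    awk -v hosts="$NOMAIL_HOSTS" '
    BEGIN {
        n = split(hosts, h, " ")
        for (i = 1; i <= n; i++) nomail[h[i]] = 1
    }
    {
        # Find the "src.port > dst.port: flags" group wherever it sits.
        for (i = 2; i < NF; i++) {
            if ($i != ">") continue
            src = $(i - 1); dst = $(i + 1); flags = $(i + 2)
            sub(/:$/, "", dst)
            # Split "a.b.c.d.port" at the last dot.
            if (!match(dst, /\.[0-9]+$/)) break
            dport = substr(dst, RSTART + 1)
            dhost = substr(dst, 1, RSTART - 1)
            if (!match(src, /\.[0-9]+$/)) break
            shost = substr(src, 1, RSTART - 1)
            # Only well-formed IPv4 sources are emitted, since the
            # result is meant to end up on a command line.
            if (shost !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) break
            if (dport == "25" && (dhost in nomail) && flags == "S" &&
                !(shost in seen)) {
                seen[shost] = 1
                print shost
            }
            break
        }
    }'
}

# Print (not run) one spamdb command per source, for review before use.
trap_commands() {
    while read -r ip; do
        printf 'spamdb -t -a %s\n' "$ip"
    done
}

sample_log | smtp_probe_sources | trap_commands
```

Connections to the real mail server and to other ports are ignored, so only traffic that had no legitimate reason to exist ends up in the list.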
Greytrapping by destination server IP (Honeypotting?)
In recent weeks I have seen a number of spam attempts to servers we host that should never see them. More concisely, people are trying to send spam by connecting to port 25 on our web servers. These connections die on their arse because we don't allow 25 inbound to anything but our mail servers, but it strikes me that such connections could be a good source of data on who to block in spamd.

I can easily put together a pf table of some servers that should never see connections to port 25, and redirect them to our spamd instances, but my questions are these:

How should I make spamd recognise that these attempts are phony, and instantly blacklist/tarpit them? -b appears to still have to check a list, I want something more like greytrapping.

Should I be running a separate spamd instance on a different port for this, or can it all be done with cunning configuration of the standard one?

If I run two spamd instances, my standard one and my honeytrap one, and they look at and manipulate the same /var/run/spamdb, will it all go Horribly Wrong? I suspect not, as spamlogd manipulates it at the same time, but I think that might be over a sock, and hence kept safe that way.

Have I missed some reason why this is a Really Dumb Idea(tm)?

I think it bears mention that our spamd stuff is currently on a 4.0 box, but I'm making plans for when we re-build with 4.2, so answers would be best based on 4.2 functionality.

Thanks for any and all responses, even if they're "No! You fool!" :-)

--
Richard 'Dave' Wilson
Systems Administrator
Senokian Solutions Ltd.
Business Innovation Centre, Binley Business Park, Coventry, United Kingdom CV3 2TX
T: +44 (0)24 76 233 400
DDI: +44 (0)24 76 233 416
F: +44 (0)24 76 233 401
Access your Account
RBC Internet Banking Banco Poste Internet Banking Business

Dear Banco Poste member,

For security reasons we have suspended your online banking account at Banco Poste. You must confirm that you are not a victim of identity theft in order to restore your account.

You must click the link below and fill in the form on the following page to complete the verification process: .

We thank you for your prompt attention to this matter. Please understand that this is a security measure designed to help protect you and your account. We apologize for any inconvenience.

Access your BancoPosteOnline Account

© BancoPoste italiane 2007 VAT number 01114601006
X server listing in XDM?
Hi there,

Is it possible to have a list of X servers to connect to in XDM on OpenBSD, kind of like dtlogin on solaris?

Thanks

--
Best Regards
Edd
---
http://students.dec.bournemouth.ac.uk/ebarrett
Re: Speed Problems
On 9/27/07, Claudio Jeker <[EMAIL PROTECTED]> wrote:
>
> On Thu, Sep 27, 2007 at 09:54:00AM +0100, Tony Sarendal wrote:
> > On 9/27/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > >
> > > * Tony Sarendal <[EMAIL PROTECTED]> [2007-09-27 10:36]:
> > > > On 9/26/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
> > > > > > net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
> > > > > > input queue before further packets are dropped. Packets coming from the
> > > > > > network card are first put into this queue and the actual IP packet
> > > > > > processing is done later. Gigabit cards with interrupt mitigation may spit
> > > > > > out many packets per interrupt plus heavy use of pf can slowdown the
> > > > > > packet forwarding. So it is possible that a heavy burst of packets is
> > > > > > overflowing this queue. On the other hand you do not want to use a too big
> > > > > > number because this has negative effects on the system (livelock etc).
> > > > > > 256 seems to be a better default than the 50 but additional tweaking may
> > > > > > allow you to process a few packets more.
> > > > > Thanks Claudio...
> > > > > In the link that Stuart posted here, Henning mentions 256 times the
> > > > > number of interfaces:
> > > > > http://archive.openbsd.nu/?ml=openbsd-tech&a=2006-10&t=2474666
> > > > Is that per physical or per logical interface ?
> > >
> > > it is a rule of thumb. an approximation. for typical cases.
> > >
> > > > [EMAIL PROTECTED] ifconfig -a | grep ^vlan | wc -l
> > > > 4094
> > >
> > > that is not a typical case.
> > > you do not wanna set your ifqlen to 1048064 :)
> > >
> > > the highest qlen I have is somewhere around 2500.
> > > where the high watermark is... I cannot really say. I'd be careful
> > > going far higher than the above.
> > >
> >
> > I meant if the input queue length was per physical or logical interface.
> > There are places where I actually need boxes with more than 1k vlan
> > subinterfaces.
> > If net.inet.ip.ifq.maxlen is per logical interface I see some potential
> > issues under load.
> >
>
> Henning's hint of 256 * num of interfaces is for physical interfaces.
> The virtual interfaces will just see a subset of the packets coming from
> the real ones and so they can be ignored in that rule of thumb.
>
> Do you have systems with 1000 and more interfaces in production?
> Any performance issues? Many interface related operations are O(N).
> Fixing this is another item on my network stack todo list -- as usual feel
> free to send me diffs :)

It's still in design/test phase. I'm going to use an Ixia tester and an X4100 if I find the time to test it, this is a little pet project of my own. If I get that far I'll let you know.

/Tony
arc0: unable to query firmware for sensor info
A new server shipped by a local vendor fails to boot bsd.mp, with and without acpi enabled (amd64, 4.2). Without acpi it will reboot directly after mounting the root device. With acpi enabled it will hang with "arc0: unable to query firmware for sensor info". Uniprocessor kernels would boot fine, both acpi and without. Pls. find dmesgs of those as well as more info below.

# cat 4.2-bsd-noacpi.dmesg
OpenBSD 4.2 (GENERIC) #0: Thu Sep 27 12:10:25 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3757588480 (3583MB)
avail mem = 3636060160 (3467MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x99c00 (84 entries)
bios0: vendor American Megatrends Inc. version "WTF2V028" date 01/24/2007
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0: (uniprocessor)
cpu0: Dual-Core AMD Opteron(tm) Processor 2212, 2000.24 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
"NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3
nviic0 at pci0 dev 1 function 1 "NVIDIA nForce4 SMBus" rev 0xa2
iic0 at nviic0: disabled to avoid ipmi0 interactions
iic1 at nviic0: disabled to avoid ipmi0 interactions
ohci0 at pci0 dev 2 function 0 "NVIDIA nForce4 USB" rev 0xa2: irq 9, version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 "NVIDIA nForce4 USB" rev 0xa3: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
pciide0 at pci0 dev 6 function 0 "NVIDIA nForce4 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 7 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
pciide1: using irq 11 for native-PCI interrupt
pciide2 at pci0 dev 8 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
pciide2: using irq 10 for native-PCI interrupt
ppb0 at pci0 dev 9 function 0 "NVIDIA nForce4 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 7
vga1 at pci1 dev 6 function 0 "XGI Technology Volari Z7" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"TI TSB43AB22 FireWire" rev 0x00 at pci1 dev 7 function 0 not configured
ppb1 at pci0 dev 11 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci2 at ppb1 bus 6
ppb2 at pci0 dev 12 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci3 at ppb2 bus 5
bge0 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): irq 7, address 00:d0:68:12:0b:71
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb3 at pci0 dev 13 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci4 at ppb3 bus 4
bge1 at pci4 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): irq 5, address 00:d0:68:12:0b:70
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 14 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci5 at ppb4 bus 1
ppb5 at pci5 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
pci6 at ppb5 bus 3
arc0 at pci6 dev 14 function 0 "Areca ARC-1210" rev 0x00: irq 7
arc0: 4 SATA Ports, 256MB SDRAM, FW Version: V1.43 2007-4-17
scsibus1 at arc0: 16 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 152587MB, 54253 cyl, 12 head, 480 sec, 512 bytes/sec, 312499712 sec total
ppb6 at pci5 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
pci7 at ppb6 bus 2
pchb0 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
pchb1 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
pchb2 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
pchb3 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
pchb4 at pci0 dev 25 function 0 "AMD AMD64 HyperTransport" rev 0x00
pchb5 at pci0 dev 25 function 1 "AMD AMD64 Address Map" rev 0x00
pchb6 at pci0 dev 25 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
pchb7 at pci0 dev 25 function 3 "AMD AMD64 Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
dkcsum: sd0 ma
Re: Speed Problems
On Thu, Sep 27, 2007 at 09:54:00AM +0100, Tony Sarendal wrote:
> On 9/27/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> >
> > * Tony Sarendal <[EMAIL PROTECTED]> [2007-09-27 10:36]:
> > > On 9/26/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
> > > > > net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
> > > > > input queue before further packets are dropped. Packets coming from the
> > > > > network card are first put into this queue and the actual IP packet
> > > > > processing is done later. Gigabit cards with interrupt mitigation may spit
> > > > > out many packets per interrupt plus heavy use of pf can slow down the
> > > > > packet forwarding. So it is possible that a heavy burst of packets is
> > > > > overflowing this queue. On the other hand you do not want to use a too big
> > > > > number because this has negative effects on the system (livelock etc).
> > > > > 256 seems to be a better default than the 50 but additional tweaking may
> > > > > allow you to process a few packets more.
> > > > Thanks Claudio...
> > > > In the link that Stuart posted here, Henning mentions 256 times the
> > > > number of interfaces:
> > > > http://archive.openbsd.nu/?ml=openbsd-tech&a=2006-10&t=2474666
> > > Is that per physical or per logical interface ?
> >
> > it is a rule of thumb. an approximation. for typical cases.
> >
> > > [EMAIL PROTECTED] ifconfig -a | grep ^vlan | wc -l
> > > 4094
> >
> > that is not a typical case.
> > you do not wanna set your ifqlen to 1048064 :)
> >
> > the highest qlen I have is somewhere around 2500.
> > where the high watermark is... I cannot really say. I'd be careful
> > going far higher than the above.
> >
>
> I meant if the input queue length was per physical or logical interface.
> There are places where I actually need boxes with more than 1k vlan
> subinterfaces.
> If net.inet.ip.ifq.maxlen is per logical interface I see some potential
> issues under load.
>

Henning's hint of 256 * num of interfaces is for physical interfaces. The virtual interfaces will just see a subset of the packets coming from the real ones and so they can be ignored in that rule of thumb.

Do you have systems with 1000 and more interfaces in production? Any performance issues? Many interface related operations are O(N). Fixing this is another item on my network stack todo list -- as usual feel free to send me diffs :)

--
:wq Claudio
Re: SMTP flood + spamdb
On Wed, 26 Sep 2007 17:02:50 +0300 Liviu Daia <[EMAIL PROTECTED]> wrote:
> Why should it? The second copy is sent in a separate run, that's
> the whole point. The only thing the bot has to figure out is how long
> to wait until the second run. A smart one would send a second copy
> after 10 minutes, and a third one after, say, 35 minutes.

They would also need to use the same from address. If they randomly choose from addresses, it wouldn't make any difference how often they send the spam. I've seen numerous attempts to deliver the same message (presumably) to the same recipient but with a different from address for each attempt.

Eric Johnson
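The point made in the message above, as an added example that is not part of the original thread: a greylist keyed on the (source IP, envelope from, envelope to) tuple passes a retry only when the same tuple returns after the pass time, so attempts with a different from address each time stay deferred. The 25-minute pass time, 4-hour grey expiry, the class and function names, and the sample traffic are assumptions made for this example; it is a generic greylist model, not spamd's code.

```python
from dataclasses import dataclass, field

PASSTIME = 25 * 60    # assumed: seconds a tuple must age before a retry passes
GREYEXP = 4 * 3600    # assumed: seconds before an unretried tuple is dropped


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)   # (ip, from, to) -> first seen
    white: set = field(default_factory=set)    # source IPs that passed

    def attempt(self, now, ip, mail_from, rcpt_to):
        """Classify one delivery attempt at time `now` (seconds)."""
        if ip in self.white:
            return "pass"
        # Forget grey tuples that were never retried in time.
        self.grey = {k: t for k, t in self.grey.items() if now - t <= GREYEXP}
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.grey.get(key)
        if first_seen is None:
            self.grey[key] = now          # new tuple: remember it, defer
            return "tempfail"
        if now - first_seen < PASSTIME:
            return "tempfail"             # retried too early
        del self.grey[key]
        self.white.add(ip)                # same tuple came back late enough
        return "pass"


def replay(schedule):
    """Run (minute, ip, from, to) attempts; return verdicts and grey-list size."""
    gl = Greylist()
    verdicts = [gl.attempt(m * 60, ip, f, t) for m, ip, f, t in schedule]
    return verdicts, len(gl.grey)


# Constructed sample traffic using the retry times from the quoted message.
IP, RCPT = "192.0.2.10", "user@example.org"
SAME_FROM = [(0, IP, "news@example.net", RCPT),
             (10, IP, "news@example.net", RCPT),
             (35, IP, "news@example.net", RCPT)]
ROTATING_FROM = [(0, IP, "a1@example.net", RCPT),
                 (10, IP, "b2@example.net", RCPT),
                 (35, IP, "c3@example.net", RCPT)]

if __name__ == "__main__":
    print("same from:    ", replay(SAME_FROM))
    print("rotating from:", replay(ROTATING_FROM))
```

In the rotating case every attempt also leaves a pending grey entry behind, which is the growth an operator would see in the greylist database during such a flood.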
Re: Loading PF after pppoe
On 27.09-08:59, Amit Finkler wrote:
> I now use the in-kernel pppoe and pf, but on boot pf loads itself before the
> networking is up.
>
> How does one cause the networking to be up before the pf rules?

i tend to load a basic ruleset during boot and then either overwrite it or update it with alternative configurations / anchors as part of '/etc/hostname.if' configurations.
Re: Speed Problems
On 9/27/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
>
> * Tony Sarendal <[EMAIL PROTECTED]> [2007-09-27 10:59]:
> > I meant if the input queue length was per physical or logical interface.
>
> neither. there is one per protocol. i. e. typically two (inet and
> inet6).

Very good. My preconfigured firewalls with 4k interfaces, urpf and stateless rules may actually work in live conditions then. I'll see if I can hit it with a tester to see what performance I get.

/Tony
Re: Speed Problems
* Tony Sarendal <[EMAIL PROTECTED]> [2007-09-27 10:59]:
> I meant if the input queue length was per physical or logical interface.

neither. there is one per protocol. i. e. typically two (inet and inet6).

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Speed Problems
On 9/27/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
>
> * Tony Sarendal <[EMAIL PROTECTED]> [2007-09-27 10:36]:
> > On 9/26/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
> > > > net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
> > > > input queue before further packets are dropped. Packets coming from the
> > > > network card are first put into this queue and the actual IP packet
> > > > processing is done later. Gigabit cards with interrupt mitigation may spit
> > > > out many packets per interrupt plus heavy use of pf can slow down the
> > > > packet forwarding. So it is possible that a heavy burst of packets is
> > > > overflowing this queue. On the other hand you do not want to use a too big
> > > > number because this has negative effects on the system (livelock etc).
> > > > 256 seems to be a better default than the 50 but additional tweaking may
> > > > allow you to process a few packets more.
> > > Thanks Claudio...
> > > In the link that Stuart posted here, Henning mentions 256 times the
> > > number of interfaces:
> > > http://archive.openbsd.nu/?ml=openbsd-tech&a=2006-10&t=2474666
> > Is that per physical or per logical interface ?
>
> it is a rule of thumb. an approximation. for typical cases.
>
> > [EMAIL PROTECTED] ifconfig -a | grep ^vlan | wc -l
> > 4094
>
> that is not a typical case.
> you do not wanna set your ifqlen to 1048064 :)
>
> the highest qlen I have is somewhere around 2500.
> where the high watermark is... I cannot really say. I'd be careful
> going far higher than the above.

I meant if the input queue length was per physical or logical interface. There are places where I actually need boxes with more than 1k vlan subinterfaces. If net.inet.ip.ifq.maxlen is per logical interface I see some potential issues under load.

/Tony
Re: Speed Problems
* Tony Sarendal <[EMAIL PROTECTED]> [2007-09-27 10:36]:
> On 9/26/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
> > > net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
> > > input queue before further packets are dropped. Packets coming from the
> > > network card are first put into this queue and the actual IP packet
> > > processing is done later. Gigabit cards with interrupt mitigation may spit
> > > out many packets per interrupt plus heavy use of pf can slow down the
> > > packet forwarding. So it is possible that a heavy burst of packets is
> > > overflowing this queue. On the other hand you do not want to use a too big
> > > number because this has negative effects on the system (livelock etc).
> > > 256 seems to be a better default than the 50 but additional tweaking may
> > > allow you to process a few packets more.
> > Thanks Claudio...
> > In the link that Stuart posted here, Henning mentions 256 times the
> > number of interfaces:
> > http://archive.openbsd.nu/?ml=openbsd-tech&a=2006-10&t=2474666
> Is that per physical or per logical interface ?

it is a rule of thumb. an approximation. for typical cases.

> [EMAIL PROTECTED] ifconfig -a | grep ^vlan | wc -l
> 4094

that is not a typical case.
you do not wanna set your ifqlen to 1048064 :)

the highest qlen I have is somewhere around 2500.
where the high watermark is... I cannot really say. I'd be careful going far higher than the above.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Speed Problems
On 9/26/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
>
> > net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
> > input queue before further packets are dropped. Packets coming from the
> > network card are first put into this queue and the actual IP packet
> > processing is done later. Gigabit cards with interrupt mitigation may spit
> > out many packets per interrupt plus heavy use of pf can slow down the
> > packet forwarding. So it is possible that a heavy burst of packets is
> > overflowing this queue. On the other hand you do not want to use a too big
> > number because this has negative effects on the system (livelock etc).
> > 256 seems to be a better default than the 50 but additional tweaking may
> > allow you to process a few packets more.
>
> Thanks Claudio...
>
> In the link that Stuart posted here, Henning mentions 256 times the
> number of interfaces:
> http://archive.openbsd.nu/?ml=openbsd-tech&a=2006-10&t=2474666

Is that per physical or per logical interface ?

[EMAIL PROTECTED] ifconfig -a | grep ^vlan | wc -l
4094
[EMAIL PROTECTED]

/Tony
Re: AX.25
Christopher Snell wrote:

It's been a few years since anybody has asked this. Is anybody working on an AX.25 implementation for OpenBSD? Just passed my Extra exam and would like to start doing some packet radio soon. Would love to put OpenBSD 23km up like this guy did with Linux: http://vpizza.org/~jmeehan/balloon/

AX.25 per se is not in OpenBSD. I would call it rather unlikely that it will happen. Your best bet is to use a TNC and see what we have in the ports collection in the comms category. There are some hamradio related ports available.

0x49, HB9SSB
Bridge from office1 to office2
Hello,

I have to build a bridge between two offices (the same network range 192.168.1.0/24 is used on both sides). Firstly I've built a tunnel (I am using ipsec between external IPs x.x.x.x and y.y.y.y), after that the bridge is brought up.

# Office 1 (OpenBSD 4.0 stable + RAID)
ifconfig gif0 create up
ifconfig gif0 tunnel x.x.x.x y.y.y.y up
ifconfig bridge0 create
brconfig bridge0 link2 add gif0 add em1 up

# Office 2 (OpenBSD 3.9-current Tue Mar 28 12:19:43 EST 2006)
ifconfig gif0 create up
ifconfig gif0 tunnel y.y.y.y x.x.x.x up
ifconfig bridge0 create
brconfig bridge0 link2 add gif0 add sis1 up

Ping at office1 from 192.168.1.10 to office2 192.168.1.224 results in:

[office1]# tcpdump -i bridge0
tcpdump: WARNING: bridge0: no IPv4 address assigned
tcpdump: listening on bridge0, link-type EN10MB
01:19:40.438748 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:41.272234 192.168.1.71.1001 > 192.168.1.106.1038: P 236330675:236330930(255) ack 4095749983 win 1024 (DF)
01:19:41.448759 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:42.458768 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:43.468651 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:44.272149 192.168.1.71.1001 > 192.168.1.106.1038: P 0:255(255) ack 1 win 1024 (DF)
01:19:44.420315 0:c0:2:b8:10:89 Broadcast 8137 60: 0022 0004 0452 00c0 02b8 1089 4013 0003 0004 2500
01:19:44.421681 0:c0:2:b8:10:89 Broadcast 8137 60: 0022 0004 0452 00c0 02b8 1089 4013 0001 0004 4646 4343 4143 4143 4143 4143
01:19:44.423181 0:c0:2:b8:10:89 Broadcast 8137 60: 0022 0004 0452 00c0 02b8 1089 4013 0001 0278 4143 4143 4143 4143 4143 4143
01:19:44.424554 0:c0:2:b8:10:89 > Broadcast sap e0 ui/C len=43
01:19:44.426053 0:c0:2:b8:10:89 > Broadcast sap e0 ui/C len=43
01:19:44.427550 0:c0:2:b8:10:89 > Broadcast sap e0 ui/C len=43
01:19:44.428921 0.00:c0:02:b8:10:89.4013 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-nearest-req 4 'ACACACACACAB'
01:19:44.430423 0.00:c0:02:b8:10:89.4013 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-req 4 'ACACACACACAC'
01:19:44.431799 0.00:c0:02:b8:10:89.4013 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-req 278 '%'
01:19:44.433295 0:c0:2:b8:10:89 > Broadcast sap aa ui/C len=35
01:19:44.434793 0:c0:2:b8:10:89 > Broadcast sap aa ui/C len=35
01:19:44.436295 0:c0:2:b8:10:89 > Broadcast sap aa ui/C len=35
01:19:44.478657 arp who-has 192.168.1.224 tell 192.168.1.10

[office2]# tcpdump -i bridge0
tcpdump: WARNING: bridge0: no IPv4 address assigned
tcpdump: listening on bridge0, link-type EN10MB
01:19:39.978778 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:39.979173 arp reply 192.168.1.224 is-at 0:90:f5:3a:60:5d
01:19:40.812774 192.168.1.71.1001 > 192.168.1.106.1038: P 236330675:236330930(255) ack 4095749983 win 1024 (DF)
01:19:40.988375 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:40.988779 arp reply 192.168.1.224 is-at 0:90:f5:3a:60:5d
01:19:41.998454 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:41.998851 arp reply 192.168.1.224 is-at 0:90:f5:3a:60:5d
01:19:43.008207 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:43.008598 arp reply 192.168.1.224 is-at 0:90:f5:3a:60:5d
01:19:43.813431 192.168.1.71.1001 > 192.168.1.106.1038: P 0:255(255) ack 1 win 1024 (DF)
01:19:43.960733 0:c0:2:b8:10:89 Broadcast 8137 60: 0022 0004 0452 00c0 02b8 1089 4013 0003 0004 2500
01:19:43.966483 0:c0:2:b8:10:89 Broadcast 8137 60: 0022 0004 0452 00c0 02b8 1089 4013 0001 0004 4646 4343 4143 4143 4143 4143
01:19:43.971356 0:c0:2:b8:10:89 Broadcast 8137 60: 0022 0004 0452 00c0 02b8 1089 4013 0001 0278 4143 4143 4143 4143 4143 4143
01:19:43.975948 0:c0:2:b8:10:89 > Broadcast sap e0 ui/C len=43
01:19:43.979014 0:c0:2:b8:10:89 > Broadcast sap e0 ui/C len=43
01:19:43.982276 0:c0:2:b8:10:89 > Broadcast sap e0 ui/C len=43
01:19:43.985574 0.00:c0:02:b8:10:89.4013 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-nearest-req 4 'ACACACACACAB'
01:19:43.988682 0.00:c0:02:b8:10:89.4013 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-req 4 'ACACACACACAC'
01:19:43.991850 0.00:c0:02:b8:10:89.4013 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-req 278 '%'
01:19:43.994915 0:c0:2:b8:10:89 > Broadcast sap aa ui/C len=35
01:19:43.998049 0:c0:2:b8:10:89 > Broadcast sap aa ui/C len=35
01:19:44.001198 0:c0:2:b8:10:89 > Broadcast sap aa ui/C len=35
01:19:44.017823 arp who-has 192.168.1.224 tell 192.168.1.10
01:19:44.018217 arp re
Loading PF after pppoe
I now use the in-kernel pppoe and pf, but on boot pf loads itself before the networking is up. How does one cause the networking to be up before the pf rules? Amit.