Re: Performance problem with CF card on AMD CS5536 IDE

2007-11-20 Thread Stefan Klein
What I don't understand is why most cards perform very well on FreeBSD, but 
fail to perform on OpenBSD...


- Original Message - 
From: "Stuart Henderson" <[EMAIL PROTECTED]>

To: 
Sent: Friday, November 16, 2007 8:52 PM
Subject: Re: Performance problem with CF card on AMD CS5536 IDE



My sandisks are quite fast (8MB/s or more, though I just
had to throw a fairly new SDCFJ-1024 out with read errors?!)
- I have a newish kingston which is slow (1.5MB/s "elite
pro cf/1GB-S 50x") - and a bunch of assorted old 32-64MB
cards, the majority of which are reasonably quick
(fujifilm, sandisk and pqi come to mind)




Running cwm and fvwm at the same time?

2007-11-20 Thread Alexander Hall

Hi!

I'm just curious how come it is possible to start (and run) cwm at the 
same time as running fvwm (from base). AFAIK a window manager normally 
cannot (or refuses to) run if another window manager is already in use. 
Is this only a courtesy from the second window manager? I thought there 
were limitations in X that forced this behaviour.


Anyway, I'd expect cwm to behave that way, too, but please feel free to 
explain to me why I'm wrong.


I also meant to ask about key bindings, but after finding a new part in 
the man pages, I realize I have to test a few things first. (Yes, it was 
quite a while since I last had a look at cwm) :-)


/Alexander



Re: mount_cd9660 options

2007-11-20 Thread frantisek holop
hmm, on Mon, Nov 19, 2007 at 06:10:27PM +, Jason McIntyre said that
> On Mon, Nov 19, 2007 at 05:46:59PM +0100, frantisek holop wrote:
> > 
> > there are sub-headings in some man pages (e.g. ksh(1)), perhaps
> > that could be doable, somewhere lower in DESCRIPTION, e.g.
> > 
> >A fitting subtitle
> > Certain filesystems acquire flags based on their type and
> > content which are not always controlled by flags passed to their
> > respective mount command and so on, and so on.
> > 
> > mount_cd9660
> > norrip  No Rockridge extension
> > 
> > mount_XXX
> > flagdescription
> > 
> > 
> > or as Otto suggested, have it in the respective mount_XXX page.
> 
> yeah. i am waiting for all those kernel janitors to mail me diffs...

well, i can try coming up with something; but my experience
is that few documentation patches go in which are not
almost-totally-rewritten...

-f
-- 
i promise not to let it happen again - until next time.



Re: Running cwm and fvwm at the same time?

2007-11-20 Thread Jan Stary
On Nov 20 10:26:22, Alexander Hall wrote:
> I'm just curious how come it is possible to start (and run) cwm at the 
> same time as running fvwm (from base).

How exactly does that happen on your box?

> AFAIK a window manager normally 
> cannot (or refuses to) run if another window manager is already in use. 
> Is this only a courtesy from the second window manager? I thought there 
> were limitations in X that forced this behaviour.

A window manager needs its own $DISPLAY,
but that's IMHO the only limitation.

tty00$ startx
tty01$ startx -- :1

Jan



Re: ftp-proxy not working properly

2007-11-20 Thread Raja Subramanian
On 11/20/07, Jake Conk <[EMAIL PROTECTED]> wrote:
> # Pass ftp-proxy stuff
> pass in on $ext_if inet proto tcp to $ext_carp_ip port 21 \
>flags S/SA
> pass out on $int_if inet proto tcp to $ftp_server port 21 \
>user proxy flags S/SA
> anchor "ftp-proxy/*"

The explicit pass rules are not required for ftp-proxy.  Have
you tried without them?  The man page specifies exactly what
you need.

Please run ftp-proxy with the "-d -D7 -v" flags, connect to
ftp.openbsd.org, and post ftp-proxy and your pf log output.

- Raja



acpiac

2007-11-20 Thread giovanni
hello,

any reason for evaluating  _STA before _PSR for getting AC status?

if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_STA", 0, NULL, NULL)) {
	dnprintf(10, "%s: no _STA\n", DEVNAME(sc));
}

if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_PSR", 0, NULL, &res)) {
	dnprintf(10, "%s: no _PSR\n", DEVNAME(sc));
	return (1);
}

-- 
see ya,
giovanni



Re: Running cwm and fvwm at the same time?

2007-11-20 Thread Alexander Hall

Jan Stary wrote:
> On Nov 20 10:26:22, Alexander Hall wrote:
>> I'm just curious how come it is possible to start (and run) cwm at the
>> same time as running fvwm (from base).
>
> How exactly does that happen on your box?

Well, using fvwm as window manager, I simply run cwm from a shell. I did 
not expect it to run, but it does.

Strange things happen though, as one might expect. After killing cwm 
(ctrl+c), I need to restart fvwm to restore the window placement etc.

>> AFAIK a window manager normally
>> cannot (or refuses to) run if another window manager is already in use.
>> Is this only a courtesy from the second window manager? I thought there
>> were limitations in X that forced this behaviour.
>
> A window manager needs its own $DISPLAY,
> but that's IMHO the only limitation.
>
> tty00$ startx
> tty01$ startx -- :1

Well, these seem to run quite well on a single one. :-) Can anyone 
confirm this?


/Alexander



Re: Redirect Syntax Errors

2007-11-20 Thread RW
On Mon, 19 Nov 2007 22:05:02 -0700, Shane Harbour wrote:

>For the last few hours I've been knocking my head against my desk.  I'm
>trying to setup spamd for the first time and keep receiving syntax
>errors on my redirect statements.  My redirect statements are:
>
>nat-anchor "ftp-proxy/*"
>rdr-anchor "ftp-proxy/*"
>rdr on {$int_if, $wifi_if} proto tcp from any to any port 21 -> 127.0.0
>.1 port 8021
>
># spamd #
>rdr on $ext_if inet proto tcp from  to $mail_svcs port smtp
>-> $mail_svcs port smtp
>rdr on $ext_if inet proto tcp from  to $mail_svcs port smtp
>-> 127.0.0.1 port spamd
>rdr on $ext_if inet proto tcp from  to $mail_svcs port smtp ->
>127.0.0.1 port spamd
>rdr on $ext_if inet proto tcp from  to $mail_svcs port smtp
>-> $mail_svcs port smtp
>rdr on $ext_if inet proto tcp from ! to $mail_svcs port
>smtp -> 127.0.0.1 port spamd
>#
>
>My redirect for ftp-proxy works just fine.  Every thing I've read (man
>pages, google, etc) says my syntax is right.  I've tried making it
>identical to the statement in the pf.conf(5) and still got the same
>error so I figured I'd turn to more knowledgeable folks.  I am using
>binat for my mail server and $mail_svcs contains my server IPs.
>
>I'm using 4.2-stable.  Any help/info/pointers are very much appreciated.
>

Have a look at the default pf.conf that comes with 4.2, or at least the
rdr section as it applies to spamd. Notice anything outstandingly
different?

e.g. where is the table  in the original? That is just for
openers.

You mention binat. I don't see it anywhere.

Now for the prime question:
Why do you not run spamd on the mailserver?

Do the redirects or binats (very simply) on the firewall and let a very
simple pf.conf handle the mail server.
Life gets much easier ;-)

Oh, and if you come back, please include the entire pf.conf. We ain't
mindreaders.

BTW no need to copy me in reply, I'm on the list. Ta.



Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: Running cwm and fvwm at the same time?

2007-11-20 Thread Girish Venkatachalam
On 10:26:22 Nov 20, Alexander Hall wrote:
> Hi!
> 
> I'm just curious how come it is possible to start (and run) cwm at the 
> same time as running fvwm (from base). AFAIK a window manager normally 
> cannot (or refuses to) run if another window manager is already in use. 

Correct.

> Is this only a courtesy from the second window manager? I thought there 
> were limitations in X that forced this behaviour.

It works at the X level. Only one program can take control of the root
window and decide window placements, receive events etc.

That X client has special status and is called as window manager.

> 
> Anyway, I'd expect cwm to behave that way, too, but please feel free to 
> explain to me why I'm wrong.

I dunno about cwm (never used it) but if you use the Xnest program you
can run any number of X servers and consequently run a different window
manager in each.

$ export DISPLAY=host:display:screen

In the case of Xnest, it is yet another X client but it also acts as a X
server. So it runs as a normal X client inside which you can run any
window manager of your choice.

The other method is running Xserver on different virtual terminals as
mentioned in the reply to this post.

# X :n

or even 

$ startx -- :n

> 
> I also meant to ask about key bindings, but after finding a new part in 
> the man pages, I realize I have to test a few things first. (Yes, it was 
> quite a while since I last had a look at cwm) :-)

You can use a tool called XBindKeys.

http://hocwp.free.fr/xbindkeys/xbindkeys.html

I faintly remember that it compiled and worked fine for OpenBSD.

Best,
Girish



Re: mount_cd9660 options

2007-11-20 Thread Jason McIntyre
On Tue, Nov 20, 2007 at 10:12:58AM +0100, frantisek holop wrote:
> > > 
> > > or as Otto suggested, have it in the respective mount_XXX page.
> > 
> > yeah. i am waiting for all those kernel janitors to mail me diffs...
> 
> well, i can try coming up with something; but my experience
> is that few documentation patches go in which are not
> almost-totally-rewritten...
> 

i was just being sarcastic. the comment was not pointed at you (or
anyone specifically).

i often have to rewrite stuff to make it fit in with how i see things,
but that doesn't mean that the legwork cannot be done by others (it
can), or that it's not worth it (it is), or unappreciated (it is).

and quite a few doc diffs do go in unaltered or with only minor
modification.

jmc



Binary emulation removed from OpenBSD 4.2?

2007-11-20 Thread João Salvatti
Hi all,

Was the sysctl which was used to activate binary emulation from rc.conf
removed in OpenBSD 4.2?

Thanks.

--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: max. length of public key

2007-11-20 Thread Michael Kreikenbaum

Hi,

Am 15.11.2007 um 13:56 schrieb MohanKumar Shah - TLS , Chennai:


Is maximum length defined for a public key? If yes, what is the limit.

from ssh-keygen(1)
     -b bits
             Specifies the number of bits in the key to create.  For RSA keys,
             the minimum size is 768 bits and the default is 2048 bits.
             Generally, 2048 bits is considered sufficient.  DSA keys must be
             exactly 1024 bits as specified by FIPS 186-2.


Thanks in advance,

HTH, you're welcome
Michael

--
And after all he never had any real hope in the affair from the  
beginning;

but being a cheerful hobbit he had not needed hope,
as long as despair could be postponed.
-- John Ronald Reuel Tolkien, ''The Lord of The Rings'', Book 4
   The Black Gate is Closed
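The quoted -b text gives the size of the RSA modulus (or the DSA prime p). A public key file does not state that number anywhere; it follows from the length of the mpint inside the base64 blob. As an added example, not code from the thread or from OpenSSH, here is a parser for the OpenSSH one-line public key format that returns the key type and that size, plus a minimum-size check. encode_pubkey_line exists only to construct sample input offline; the 2048-bit floor in check_min_bits is my choice, not the man page's 768-bit minimum. ssh-keygen -l -f key.pub reports the same figure for a real key file.

```python
"""Parse an OpenSSH public-key line and report the key size in bits.

Added example, not code from the thread or from OpenSSH. The blob after the
key type is a sequence of RFC 4253 length-prefixed fields: a string holding
the key type again, then mpints (e, n for ssh-rsa; p, q, g, y for ssh-dss).
The "size" of the key is the bit length of n or of p.
"""
import base64
import struct


def _mpint(n):
    """RFC 4253 mpint: length-prefixed big-endian magnitude with a leading
    zero byte when the high bit is set (two's complement, positive)."""
    if n == 0:
        body = b""
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if body[0] & 0x80:
            body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def _string(b):
    return struct.pack(">I", len(b)) + b


def encode_pubkey_line(keytype, *ints, comment="constructed"):
    """Build a one-line OpenSSH public key from integer components. Used
    here only to construct sample input; real keys come from ssh-keygen."""
    blob = _string(keytype.encode()) + b"".join(_mpint(i) for i in ints)
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


def _read_string(blob, off):
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated field")
    return blob[off:off + length], off + length


def parse_pubkey_line(line):
    """Return (keytype, bits): modulus size for ssh-rsa, size of p for
    ssh-dss. Raises ValueError on anything that is not a well-formed key."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype = fields[0]
    blob = base64.b64decode(fields[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type mismatch: %s vs %r" % (keytype, wire_type))
    ints = []
    while off < len(blob):
        raw, off = _read_string(blob, off)
        ints.append(int.from_bytes(raw, "big"))
    if keytype == "ssh-rsa":
        if len(ints) != 2:
            raise ValueError("ssh-rsa needs exactly e and n")
        return keytype, ints[1].bit_length()
    if keytype == "ssh-dss":
        if len(ints) != 4:
            raise ValueError("ssh-dss needs exactly p, q, g, y")
        return keytype, ints[0].bit_length()
    raise ValueError("unsupported key type %s" % keytype)


def check_min_bits(line, minimum=2048):
    """True if the key meets the floor; 2048 is this example's policy."""
    _, bits = parse_pubkey_line(line)
    return bits >= minimum


if __name__ == "__main__":
    # Constructed moduli: the values are not real RSA keys, only the
    # right bit length for the parser to measure.
    for n in ((1 << 2047) | 1, (1 << 767) | 1):
        line = encode_pubkey_line("ssh-rsa", 65537, n)
        print(parse_pubkey_line(line), check_min_bits(line))
```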



Re: multiple pptp pass-through PF

2007-11-20 Thread Beavis
lars,

  thanks for the reply. as for the pptp implementation, I just wanted
to make PF do this (pass-through) like what other packet filtering
(iptables, even PIX) can do. I know how unsafe this implementation is,
but the site where we are currently getting this pptp connection to,
is an old branch office and i don't manage their network. they are
moving to the new facility where i have my pf firewalls in place, they
need this pptp pass-through during transition as soon as everybody is
moved here we can easily let this pptp go. on the other side of things
it would be nice to make PF do this pptp pass through, it makes pf
more of an over-all packet filter that can basically do "anything"

and personally .. it may sound like a joke here but .. with all of
pf's features .. i kinda envy crappy routers like LINKSYS that can do
PPTP pass-through and our beloved pf(4) can't


-b

On Nov 20, 2007 12:51 AM, Lars Noodin <[EMAIL PROTECTED]> wrote:
> Beavis wrote:
> > ... I'm trying to run multiple pptp
> > connections behind my 2 PF/carp firewalls. ...
>
> You should not be using PPTP.  You have your choice, IPsec with
> encryption or SSL with encryption:
> http://www.vpnc.org/vpn-standards.html
>
> Allowing PPTP inside your LAN is to encourage use of insecure methods
> and technologies that *cannot* be secured.
>
> You've got to move to IPsec sometime, why not now?
>
> If you are dealing with Apple, it may be helpful to reference earlier
> bug reports regarding that serious security flaw.  I myself filed
> problem ID #5517198, but that is marked as a duplicate of #4316417.
>
> We'll see if they can be assed to fix the gaping holes in the system.
>
> Regards,
> -Lars



load balancing FTP traffic with ftp-proxy and pf on two internet connections having same gateway.

2007-11-20 Thread Siju George
Hi,

I got my second Internet connection yesterday.
It is from the same provider and I have 2 static IPs now with the same gateway.

I plan to use

http://www.openbsd.org/faq/pf/pools.html#outgoing

to load balance outgoing traffic from the LAN to the Internet.

How do I configure ftp-proxy so that FTP traffic is also load balanced?
Can't make it out from the ftp-proxy man page.

Thank you so much

Kind Regards

Siju



Re: Binary emulation removed from OpenBSD 4.2?

2007-11-20 Thread Peter N. M. Hansteen
[EMAIL PROTECTED] (Peter N. M. Hansteen) writes:

> there are six kern.sysct.* lines in /etc/sysctl.conf on the OpenBSD

er, kern.emul.* lines.


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Binary emulation removed from OpenBSD 4.2?

2007-11-20 Thread Peter N. M. Hansteen
"João Salvatti" <[EMAIL PROTECTED]> writes:

> Was the sysctl which was used to activate binary emulation from rc.conf
> removed in OpenBSD 4.2?

there are six kern.sysct.* lines in /etc/sysctl.conf on the OpenBSD
machine I'm using at the moment.  I don't think those sysctls were
ever twiddled from rc.conf on OpenBSD.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: max. length of public key

2007-11-20 Thread MohanKumar Shah - TLS , Chennai
Thanks michael,

That would address the issue.


Regards,
Manny.
-Original Message-
From: Michael Kreikenbaum [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 20, 2007 7:08 PM
To: MohanKumar Shah - TLS , Chennai
Cc: misc@openbsd.org
Subject: Re: max. length of public key

Hi,

Am 15.11.2007 um 13:56 schrieb MohanKumar Shah - TLS , Chennai:

> Is maximum length defined for a public key? If yes, what is the limit.
from ssh-keygen(1)
   -b bits
           Specifies the number of bits in the key to create.  For RSA keys,
           the minimum size is 768 bits and the default is 2048 bits.
           Generally, 2048 bits is considered sufficient.  DSA keys must be
           exactly 1024 bits as specified by FIPS 186-2.

> Thanks in advance,
HTH, you're welcome
Michael

--
And after all he never had any real hope in the affair from the
beginning;
but being a cheerful hobbit he had not needed hope,
as long as despair could be postponed.
-- John Ronald Reuel Tolkien, ''The Lord of The Rings'',
Book 4
   The Black Gate is Closed






MAC multicast address

2007-11-20 Thread Frédéric Plé
Hello,

Is there a way to control which multicast MAC address an ethernet interface
should handle ?

I have a problem with a server running OpenBSD 4.1-rel (A) with a pcn and carp
interface.
On the same Ethernet network, there is another server (B) and a
high-availability cluster of firewalls (commercial product) (F, composed of F1
and F2) reached via a unicast IP address (IPADDR{F}) over a multicast MAC
address (MAC{F}).

When B wants to communicate with a service behind F (the IP route is known via
IPADDR{FW}) this happens:
- B sends an ARP request to ff:ff:ff:ff:ff:ff from MAC{B}: "Who has IPADDR{FW}?
tell IPADDR{B}"
- B receives an ARP response from MAC{F1} to MAC{B}: "IPADDR{FW} is at MAC{F}"
- B receives an ARP response from MAC{F2} to MAC{B}: "IPADDR{FW} is at MAC{F}"
- B sends an ethernet frame to F from MAC{B} IPADDR{B} to MAC{F} IPADDR{F}
- A receives this ethernet frame
- A sends a new frame from MAC{A} IPADDR{B} to MAC{?} (this MAC is a
multicast MAC that is not used by any of my OpenBSD servers)

This means the one initial frame is duplicated and, by cascade, a huge number
of ethernet frames are transmitted.

This behaviour makes the performance of the firewall decrease.


Ethernet frames sent by another server (SERVER2) to a multicast MAC address
that is handled by a cluster of firewalls (commercial product) are received
and resent to another multicast MAC address.


Thanks for help,

Fred
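The trace above hinges on one detail: both cluster members answer the ARP request with a multicast MAC as the hardware address for a unicast IP, and OpenBSD host A then re-emits the frame. As an added example, not code from the post, the check below parses raw Ethernet/ARP frames and reports every ARP reply whose sender hardware address has the I/G bit set, together with the real source MAC of the frame that carried it; two different frame sources advertising the same IP/multicast-MAC pair is exactly the cluster pattern Fred describes. The frames in SAMPLE_FRAMES and every address in them are constructed for this example; real input would be the bytes of each packet from a tcpdump/pcap capture.

```python
"""Flag ARP replies that bind an IP address to a multicast MAC address.

Added example, not code from the original post. Parses Ethernet II +
ARP (hardware type Ethernet, protocol IPv4) frames and reports replies
whose sender hardware address is multicast (least significant bit of the
first octet set). All sample addresses below are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def is_multicast_mac(mac):
    """I/G bit: set for multicast and for the broadcast address."""
    return bool(mac[0] & 0x01)


def fmt_mac(mac):
    return ":".join("%02x" % b for b in mac)


def fmt_ip(ip):
    return ".".join(str(b) for b in ip)


def build_arp_reply(frame_src, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by an ARP reply; used to construct the
    sample capture offline."""
    eth = target_mac + frame_src + struct.pack(">H", ETHERTYPE_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return a dict for an Ethernet/ARP(IPv4) frame, None for anything else."""
    if len(frame) < 14 + 28:
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack(">H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack(">HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "eth_src": eth_src,
        "op": op,
        "sender_mac": body[0:6],
        "sender_ip": body[6:10],
        "target_mac": body[10:16],
        "target_ip": body[16:20],
    }


def find_multicast_bindings(frames):
    """One (ip, advertised_mac, frame_source_mac) tuple per ARP reply whose
    sender hardware address is multicast, in capture order."""
    hits = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        if is_multicast_mac(arp["sender_mac"]):
            hits.append((fmt_ip(arp["sender_ip"]),
                         fmt_mac(arp["sender_mac"]),
                         fmt_mac(arp["eth_src"])))
    return hits


# Constructed sample: two cluster members (F1, F2) answer for 192.0.2.1
# with the multicast MAC 01:00:5e:00:01:01; a third, ordinary unicast reply
# from host C serves as a control.
MAC_F = bytes.fromhex("01005e000101")
MAC_F1 = bytes.fromhex("001122334401")
MAC_F2 = bytes.fromhex("001122334402")
MAC_B = bytes.fromhex("00aabbccddee")
MAC_C = bytes.fromhex("001122334460")
IP_FW = bytes([192, 0, 2, 1])
IP_B = bytes([192, 0, 2, 50])
IP_C = bytes([192, 0, 2, 60])
SAMPLE_FRAMES = [
    build_arp_reply(MAC_F1, MAC_F, IP_FW, MAC_B, IP_B),
    build_arp_reply(MAC_F2, MAC_F, IP_FW, MAC_B, IP_B),
    build_arp_reply(MAC_C, MAC_C, IP_C, MAC_B, IP_B),
]

if __name__ == "__main__":
    for ip, mac, src in find_multicast_bindings(SAMPLE_FRAMES):
        print("%s is at multicast %s (reply sent by %s)" % (ip, mac, src))
```

On a live network the same check can be run over `tcpdump -n -e arp` output, but the point of parsing the raw frame is to keep the frame's own source MAC, which is what tells the two cluster members apart.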



Re: multiple pptp pass-through PF

2007-11-20 Thread Girish Venkatachalam
On 07:28:05 Nov 20, Beavis wrote:
> lars,
> 
>   thanks for the reply. as for the pptp implementation, I just wanted
> to make PF do this (pass-through) like what other packet filtering
> (iptables, even PIX) can do. I know how unsafe this implementation is,
> but the site where we are currently getting this pptp connection to,
> is an old branch office and i don't manage their network. they are
> moving to the new facility where i have my pf firewalls in place, they
> need this pptp pass-through during transition as soon as everybody is
> moved here we can easily let this pptp go. on the other side of things
> it would be nice to make PF do this pptp pass through, it makes pf
> more of an over-all packet filter that can basically do "anything"
> 
> and personally .. it may sound like a joke here but .. with all of
> pf's features .. i kinda envy crappy routers like LINKSYS that can do
> PPTP pass-through and our beloved pf(4) can't
> 

pf(4) can do this. I have a diff with me but if I send it in the present
state, then Theo will catch my neck. :)

I should be able to submit a diff soon. I need to modify it to meet the
high standards of OpenBSD...

Please hang on.

Appreciate your patience.

Thanks.

regards,
Girish



Re: Ideas about bidirectional traffic shaping

2007-11-20 Thread NetOne - Doichin Dokov

Ivo Chutkin wrote:
> Hello to all here,
> I would be grateful if you share your ideas and experience with me.
> The problem is not related to OpenBSD as I do not use it yet in
> production environment, but I plan to go over it as soon as I finish
> my tests and feel comfortable with it. :-)
> Actually the developers have done a great job, thanks and keep up the good
> work.
>
> I work for a small ISP with clients over metro links.
> The problem is that I could not get outgoing traffic (from my clients
> to the Internet) shaped the correct way. I have 4 bgp sessions with
> different transit providers on 4 different interfaces, so sometimes I
> see outgoing traffic loads by a single client over all 4 links which is
> 4 times what this client should get :-(
> Is there a way to shape the outgoing traffic, for example, to a total of
> 5Mbps to a single client no matter which interface he uses to exit?
> Something like a combined queue... not 5Mbps per interface.
>
> I was thinking about creating a loopback interface for each client,
> putting queues on it and redirecting all traffic through it.
>
> Is there a point doing this?
> Currently it is a single router setup.
>
> I hope I made it somehow clear. If you need additional info just let
> me know.
>
> Thanks for your time,
> Ivo


This is how we do it:
* all external links go over ONE physical interface, and each BGP 
session to each provider is on a different VLAN, but on the very same 
physical interface
* as ALTQ works on physical interfaces, not vlans, we assign the queues 
on the physical interface that all VLANs to our carriers are configured on

* all VLANs are assigned to group "uplinks" (or whatever you choose)
* traffic is fed into queues from pf with rules like these : pass out on 
$ext_group_name from $client_ip to any queue $client_queue_out , where 
$ext_group_name is "uplinks" or whatever you've chosen, and 
$client_queue_out is a queue configured with altq on the physical interface

* voila, it works!

You should, though, keep in mind that states are kept on the 
establishment of the connection (flags S/SA), so you effectively need 4 
rules (yes, four) to match all of the clients' inbound/outbound traffic. 
Something like this:

pass in on $ext_group_name from any to $client_ip queue $client_queue_out
pass out on $ext_group_name from $client_ip to any queue $client_queue_out
pass in on $int_if from $client_ip to any queue $client_queue_in
pass out on $int_if from any to $client_ip queue $client_queue_in

That's because each state can shape effectively only one direction of 
the connection, thus we need states created on both interfaces.


If you need further help, don't hesitate to contact me.

Regards,
Doichin



Ideas about bidirectional traffic shaping

2007-11-20 Thread Ivo Chutkin

Hello to all here,
I would be grateful if you share your ideas and experience with me.
The problem is not related to OpenBSD as I do not use it yet in 
production environment, but I plan to go over it as soon as I finish my 
tests and feel comfortable with it. :-)

Actually the developers have done a great job, thanks and keep up the good work.
I work for a small ISP with clients over metro links.
The problem is that I could not get outgoing traffic (from my clients to 
the Internet) shaped the correct way. I have 4 bgp sessions with 
different transit providers on 4 different interfaces, so sometimes I 
see outgoing traffic loads by a single client over all 4 links which is 4 
times what this client should get :-(
Is there a way to shape the outgoing traffic, for example, to a total of 
5Mbps to a single client no matter which interface he uses to exit? 
Something like a combined queue... not 5Mbps per interface.


I was thinking about creating loopback interface for each client and put 
queues and redirect all traffic through it.

Is there a point doing this?
Currently it is single router setup.

I hope I made it somehow clear. If you need additional info just let me 
know.


Thanks for your time,
Ivo



Re: acpiac

2007-11-20 Thread Marco Peereboom
yeah the spec tells us to.  Why?

On Tue, Nov 20, 2007 at 11:52:33AM +0100, giovanni wrote:
> hello,
> 
> any reason for evaluating  _STA before _PSR for getting AC status?
> 
> if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_STA", 0, NULL, NULL)) {
> 	dnprintf(10, "%s: no _STA\n", DEVNAME(sc));
> }
> 
> if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_PSR", 0, NULL, &res)) {
> 	dnprintf(10, "%s: no _PSR\n", DEVNAME(sc));
> 	return (1);
> }
> 
> -- 
> see ya,
> giovanni



Re: Softraid Experimentation

2007-11-20 Thread Marco Peereboom
You cant write past the coerced size.  The driver makes sure of that.

On Fri, Nov 16, 2007 at 01:34:57PM -0500, Nick Guenther wrote:
> On 11/16/07, Marco Peereboom <[EMAIL PROTECTED]> wrote:
> > On Fri, Nov 16, 2007 at 11:01:13AM -0500, Nick Guenther wrote:
> > >
> > > Hijacking the thread a bit: Do all your disks need to be the same size
> > > to use softraid? softraid(4) and bioctl(8) do not mention anything
> > > about that.
> >
> > No you don't.  Softraid will complain about asymmetric disks on creation
> > time but it does not limit the user in any way.
> >
> 
> So what happens in that case? If data is written to the end of the
> larger disk, is it just silently not mirrored on the smaller?
> 
> -Nick



Re: Ideas about bidirectional traffic shaping

2007-11-20 Thread NetOne - Doichin Dokov

Stuart Henderson wrote:
> On 2007/11/20 18:30, NetOne - Doichin Dokov wrote:
>> pass in on $ext_group_name from any to $client_ip queue $client_queue_out
>> pass out on $ext_group_name from $client_ip to any queue $client_queue_out
>> pass in on $int_if from $client_ip to any queue $client_queue_in
>> pass out on $int_if from any to $client_ip queue $client_queue_in
>
> queues on different interfaces can have the same name; this simplifies
> your ruleset considerably.

Dunno if they can, but - if they do - I don't see how it would help in 
this case. Maybe I'm just dumb, would appreciate it if you shed some 
light on this.


Regards,
Doichin



Re: Ideas about bidirectional traffic shaping

2007-11-20 Thread Stuart Henderson
On 2007/11/20 18:30, NetOne - Doichin Dokov wrote:
> pass in on $ext_group_name from any to $client_ip queue $client_queue_out
> pass out on $ext_group_name from $client_ip to any queue $client_queue_out
> pass in on $int_if from $client_ip to any queue $client_queue_in
> pass out on $int_if from any to $client_ip queue $client_queue_in

queues on different interfaces can have the same name; this simplifies
your ruleset considerably.
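A ruleset putting Doichin's recipe (queues on the physical uplink interface, rules on an interface group holding the provider VLANs) together with Stuart's same-name simplification, as an added example that is not from either post. The interface names (em0 carrying the provider VLANs, em1 for the LAN), the `uplinks` group, the client address 192.0.2.10, the bandwidth figures and the cbq scheduler are assumptions; the syntax is the OpenBSD 4.2-era ALTQ/pf syntax the thread uses. The two-rule form rests on two things I take from the thread rather than verify here: pfctl giving same-named queues on different interfaces the same queue id, and the default floating state policy letting a state created on one interface match the packet as it leaves by the other.

```pf
# Added example, not from the thread. Assumed names: em0 is the physical
# interface the provider VLANs (vlan10, vlan20, ...) sit on, em1 the LAN,
# 192.0.2.10 one client capped at 5Mb in each direction.
ext_phys = "em0"
int_if   = "em1"
client_a = "192.0.2.10"

# Every provider VLAN is put into one interface group, e.g. with
# "ifconfig vlan10 group uplinks", so rules can say "on uplinks".

# ALTQ attaches to physical interfaces: the queue for traffic leaving
# towards any carrier is defined on em0, not on the individual VLANs.
altq on $ext_phys cbq bandwidth 100Mb queue { std, client_a }
queue std      bandwidth 90Mb cbq(default)
queue client_a bandwidth 5Mb  cbq

# Same queue name on the LAN side. A state records one queue name, and the
# queue is applied when a packet leaves by an interface that has a queue of
# that name; with "client_a" on both em0 and em1 the recorded queue is
# valid whichever way the packet exits.
altq on $int_if cbq bandwidth 100Mb queue { std, client_a }
queue std      bandwidth 90Mb cbq(default)
queue client_a bandwidth 5Mb  cbq

# With distinct names (client_a_out on em0, client_a_in on em1) a state
# created on one interface names a queue the other interface lacks, which
# is why the four-rule form above needs a state per interface and
# direction. With one name, one state-creating rule per direction of
# connection setup is enough (default flags S/SA keep state, floating
# state policy).
pass in on uplinks from any       to $client_a queue client_a
pass in on $int_if from $client_a to any       queue client_a
```

Check the result with `pfctl -vvs queue` on a live box: the per-interface counters show whether a given client's bytes land in its queue on both em0 and em1.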



mt rewoffl freezes server

2007-11-20 Thread Jeff Ross

Hi all,

I brought my servers up to current last Friday and have been plagued 
with instability ever since.  I don't yet have serial consoles set up so 
I'm not reporting the panics I've received, other than to say they've 
been primarily page faults.


However, one thing I can report is that every time I run mt rewoffl on 
my server with the tape drive attached, the server immediately locks up 
hard.  No keyboard, no ssh, no reply to pings, and no panic at first, 
although that must appear eventually.  I've had the page fault panic on 
the monitor every time I've ridden back into work to reboot the frozen 
server.


I'll have serial consoles on everything as soon as the parts get here, 
and can provide proper reports then.  My hope is that some developer can 
read this and have a "light bulb" moment.  We already know you devs can 
read minds, run faster than speeding hard disk platters, and leap tall 
server racks with a single bound  ;-)


The following dmesg is from a GENERIC.MP kernel that has had acpi 
disabled with config.  That doesn't seem to have made a difference in 
this case, though, since I just locked everything up again. I can 
provide a dmesg of the kernel before I disabled acpi after all the users 
go home tonight if needed.


Thanks,

Jeff Ross

OpenBSD 4.2-current (GENERIC.MP) #30: Fri Nov 16 17:58:26 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR

real mem  = 2146988032 (2047MB)
avail mem = 2068156416 (1972MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/09/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf82a0 (48 entries)

bios0: vendor American Megatrends Inc. version "080008" date 02/09/2005
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf2ff0/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801CA LPC" rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x2200
acpi at mainbus0 not configured
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133 MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR

mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type PCI
mainbus0: bus 6 is type ISA
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 9 pa 0xfec8, version 20, 24 pins
ioapic2 at mainbus0: apid 10 pa 0xfec80400, version 20, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7501 MCH Host" rev 0x01
ppb0 at pci0 dev 2 function 0 "Intel E7500 MCH" rev 0x01
pci1 at ppb0 bus 2
"Intel 82870P2 IOxAPIC" rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 "Intel 82870P2 PCIX-PCIX" rev 0x04
pci2 at ppb1 bus 5
"Intel 82870P2 IOxAPIC" rev 0x04 at pci1 dev 30 function 0 not configured
ppb2 at pci1 dev 31 function 0 "Intel 82870P2 PCIX-PCIX" rev 0x04
pci3 at ppb2 bus 3
ppb3 at pci3 dev 3 function 0 "IBM 133 PCIX-PCIX" rev 0x03
pci_intr_map: bus 3 dev 3 func 0 pin 1; line 10
pci_intr_map: no MP mapping found
pci_intr_map: bus 3 dev 3 func 0 pin 2; line 10
pci_intr_map: no MP mapping found
pci_intr_map: bus 3 dev 3 func 0 pin 3; line 10
pci_intr_map: no MP mapping found
pci_intr_map: bus 3 dev 3 func 0 pin 4; line 10
pci_intr_map: no MP mapping found
pci4 at ppb3 bus 4
ami0 at pci4 dev 0 function 0 "Symbios Logic MegaRAID 320" rev 0x02: apic 9 int 0 (irq 10)

ami0: LSI 532, 32b, FW 414C, BIOS vH429, 128MB RAM
ami0: 2 channels, 0 FC loops, 3 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 69618MB, 8875 cyl, 255 head, 63 sec, 512 bytes/sec, 142577664 sec total
sd1 at scsibus0 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 69618MB, 8875 cyl, 255 head, 63 sec, 512 bytes/sec, 142577664 sec total
sd2 at scsibus0 targ 2 lun 0:  SCSI2 0/direct fixed
sd2: 69618MB, 8875 cyl, 255 head, 63 sec, 512 bytes/sec, 142577664 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0:  SCSI2 3/processor fixed
scsibus2 at ami0: 16 targets
safte1 at scsibus2 targ 6 lun 0:  SCSI2 3/processor fixed
ahc0 at pci3 dev 6 function 0 "Adaptec AHA-29160 U160" rev 0x02: apic 9 int 4 (irq 10)

scsibus3 at ahc0: 16 targets
st0 at scsibus3 targ 6 lun 0:  SCSI3 1/sequential removable
uhci0 at pci0 dev 29 function 0 "Intel 82801CA/CAM USB" rev 0x02: apic 8 int 16 (irq 10)

ppb4 at pci0 dev 30 function 0 "Intel 82801BA 

Re: load balancing FTP traffic with ftp-proxy and pf on two internet connections having same gateway.

2007-11-20 Thread Steven Surdock
Siju George wrote:
> Hi,
>
> I got my second Internet connection yesterday.
> It is from the same provider and I have 2 static IPs now with the
> same gateway.
>
> I plan to use
>
> http://www.openbsd.org/faq/pf/pools.html#outgoing
>
> to load balance outgoing traffic from the LAN to the Internet.
>
> How do I configure ftp-proxy so that FTP traffic is also load
> balanced? Can't make it out from the ftp-proxy man page.
>
Check the archives. I do not believe it is possible with 'route-to'.  In
fact, that URL says:  "The route-to option is used on traffic coming in
on the internal interface to specify the outgoing network interfaces..."
Which is not what is going on with ftp-proxy.  Check into multipath
routing (man 8 route) and let us know how it works for you.

-Steve S.



Re: Running cwm and fvwm at the same time?

2007-11-20 Thread Matthias Kilian
On Tue, Nov 20, 2007 at 11:36:26AM +0100, Alexander Hall wrote:
> Well, these seems to run quite well on a single one. :-) Can anyone 
> confirm this?

Yes, I can reproduce this (launching cwm in a session already having
fvwm running, i.e. on the same display). I need a beer now.

Ciao,
Kili



Re: can't change password with passwd comand

2007-11-20 Thread Todd C. Miller
In message <[EMAIL PROTECTED]>
so spake Jumping Mouse (kafriki):

> When I try to change a user password I get an error.
> I do this:
> 
> #  passwd  username
> enter a new password and get:
> pwd_mkdb: corrupted entry
> pwd_mkdb: at line #24
> pwd_mkdb: /etc/ptmp: Inappropriate file type or format
> passwd: /etc/master.passwd unchanged
> 
> how can I fix this?

This indicates that your /etc/master.passwd file has some errors
unrelated to your attempt to change the password.

You should run the vipw command as root to fix the problem on line
24.  It sounds like that line is missing at least one field.

 - todd



Problems with Lynx (?) and Nmh

2007-11-20 Thread Aaron Hsu
Hey all,

I am having some trouble with nmh and lynx in 4.2. For some reason, I cannot 
seem to use Lynx successfully as a pager for text/html parts. I have the 
following in my .mh_profile:

mhshow-show-text/html: %plynx '%F' 

And it tries to do its things, but then it fails. The error seems like it 
might be coming from Lynx:

/tmp//lynx-bHgkw13916/: No such directory
exit 1

Now, if I s/lynx/firefox/ in the profile, everything works fine. 
Additionally, everything works fine if I use less instead of lynx. 

I have been working on this for some time on an MH newsgroup, but apparently, 
the consensus is that this is a Lynx problem. I am not sure what to make 
of it. Does anyone know what is going on?

-- 
((name "Aaron Hsu")
 (email/xmpp "[EMAIL PROTECTED]")
 (site "http://www.aaronhsu.com"))



Re: Running cwm and fvwm at the same time?

2007-11-20 Thread Owain Ainsworth
> > quite a while since I last had a look at cwm) :-)
> 
> You can use a tool called XBindKeys.
> 
> http://hocwp.free.fr/xbindkeys/xbindkeys.html

It's in ports... x11/xbindkeys.

However, the cwm keybinding support works fine. Since I documented it
and added some extra features it should be better (check the commit that
occurred in the last few days). If there are any problems with it, let me
know.

-0-
-- 
When someone says "I want a programming language in which I need only
say what I wish done," give him a lollipop.



fxp changes between 4.2 and earlier releases causing stability problems?

2007-11-20 Thread Josh

Hello,

I am having large stability problems since running 4.2 as firewalls. I 
have 1x fxp and 2x dual box fxp cards, and after a while the boxes 
freeze up. This was the last log of vmstat on the master machine:


procs   memorypagedisks traps cpu
r b wavmfre   flt  re  pi  po  fr  sr wd0 fd0  int   sys   cs 
us sy id
021 0  47364724   196   0   1   0   0   4   3   0  562   355   14  
0  2 97


And on the secondary ( also frozen ):

procs   memorypagedisks traps cpu
r b wavmfre   flt  re  pi  po  fr  sr wd0 fd0  int   sys   cs 
us sy id
0 6 0  13900676   195   0   1   0   0   4   3   0  376   331   12  
0  2 97



I went into ddb on the backup machine ( it was otherwise unresponsive ) 
and I saw a bunch of processes in the netio state.


So basically, I'm trying to figure out what the problem is, as I would 
rather fix it than move back to obsd 4.1 or something else. At the 
moment I am guessing that it has something to do with the fxp driver 
(from plus42.html: "For fxp(4), nudge the interrupt coalescing timeout 
to 128 ms. Lessens the interrupt load on busy fxp(4) cards a lot.")


But I could be barking up the wrong tree.

Any suggestions/ideas?


Thanks,
   Josh

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron ("GenuineIntel" 686-class, 128KB L2 cache) 399 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR

real mem  = 268005376 (255MB)
avail mem = 251502592 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/24/98, BIOS32 rev. 0 @ 0xec700, 
SMBIOS rev. 2.1 @ 0xf1941 (48 entries)

bios0: vendor Compaq version "686T5" date 11/24/98
bios0: Compaq Deskpro EN Series SFF
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf74f0/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" 
rev 0x00)

pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x8000 0xe/0x8000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 10 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, 
address 00:04:54:1e:7d:04

inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
ppb1 at pci0 dev 13 function 0 "DEC 21152 PCI-PCI" rev 0x03
pci2 at ppb1 bus 2
fxp1 at pci2 dev 4 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, 
address 00:50:8b:68:74:b8

inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 0
fxp2 at pci2 dev 5 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, 
address 00:50:8b:68:74:b9

inphy2 at fxp2 phy 1: i82555 10/100 PHY, rev. 0
ppb2 at pci0 dev 14 function 0 "DEC 21152 PCI-PCI" rev 0x03
pci3 at ppb2 bus 3
fxp3 at pci3 dev 4 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, 
address 00:50:8b:66:7a:74

inphy3 at fxp3 phy 1: i82555 10/100 PHY, rev. 0
fxp4 at pci3 dev 5 function 0 "Intel 8255x" rev 0x05, i82558: irq 11, 
address 00:09:54:1e:3d:07

inphy4 at fxp4 phy 1: i82555 10/100 PHY, rev. 0
piixpcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 20 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
admtemp0 at iic0 addr 0x4c: adm1021
isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: Intel UHCI root hub, rev 1.00/1.00, addr 1
biomask fffd netmask fffd ttymask 
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b



Re: need help with softraid

2007-11-20 Thread Christopher Linn
i'm wondering if i missed something that should be obvious...

On Thu, Nov 15, 2007 at 11:55:27AM -0600, Marco Peereboom wrote:
[...]
> 2. Boot with softraid enabled with RAID partitions without any
>filesystem on the softraid volume.
>   - Here is an example of creating a sofraid volume:
>   . disklabel wd0 and wd1 and create a RAID partition on
> wd0a and wd1a
>   . bioctl -c 1 -l /dev/wd0a,/dev/wd1a softraid0
>   - Reboot and save the dmesg
[...]

machine: UltraSPARC-III (dmesg at end)

the machine has 1 internal disk and 3 external disks. due to that great 
SMI wonkiness in scsibus ordering, the external disks end up being 
sd0, sd1 and sd2, and the internal (system) disk is sd3.

sources are from approx 11:00 or so on mon 19 nov (cvsync'd at that time).

i built the kernel by uncommenting the softraid lines in 
/sys/conf/GENERIC.

i tried using sd1 and sd2 as the RAID component physical disks:

# disklabel sd1
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: JIM'S 18 Gbyte C
flags: vendor
bytes/sector: 512
sectors/track: 236
tracks/cylinder: 20
sectors/cylinder: 4720
cylinders: 7518
total sectors: 35566480
rpm: 7200
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

16 partitions:
#                size   offset  fstype [fsize bsize  cpg]
  c:         35480240        0  unused      0     0
  d:         35475520        0    RAID

# disklabel sd2
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: SEAGATE-ST118273
flags: vendor
bytes/sector: 512
sectors/track: 237
tracks/cylinder: 20
sectors/cylinder: 4740
cylinders: 7499
total sectors: 35566480
rpm: 7177
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

16 partitions:
#                size   offset  fstype [fsize bsize  cpg]
  c:         35545260        0  unused      0     0
  d:         35540520        0    RAID




when i used bioctl to create the raid:

# bioctl -c 1 -l /dev/sd1d,/dev/sd2d softraid0
bioctl: BIOCCREATERAID: Invalid argument

and on the console:
softraid0: not yet partial bringup


i noticed that when i used disklabel -E defaults on the disks the 
first time, the defaulted sizes were larger than the physical 
disks, and at first i thought that might have caused the problem.
however i re-did the disklabels as above with no change in the 
bioctl output or the console msg.


dmesg is the boot before any disklabeling or bioctl actions,
with enabled softraid.



cel

dmesg: ---
console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.2-current (GENERIC) #1: Tue Nov 20 12:36:47 EST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 1073741824 (1024MB)
avail mem = 1026752512 (979MB)
mainbus0 at root: SUNW,Sun-Blade-1000 (UltraSPARC-III) 
cpu0 at mainbus0: SUNW,UltraSPARC-III (rev 5.4) @ 750 MHz
cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 8192K external (512 
b/l)
"memory-controller" at mainbus0 not configured
schizo0 at mainbus0: "Schizo", version 5, ign 200, bus B 0 to 0
schizo0: dvma map c000-, iotdb 1cfc000-1dfc000
pci0 at schizo0
ebus0 at pci0 dev 5 function 0 "Sun RIO EBus" rev 0x01
"flashprom" at ebus0 addr 0-1f not configured
bbc0 at ebus0 addr 0-f
ppm0 at ebus0 addr e-28, 728000-728003, 30002e-30002f, 300600-300607
pcfiic0 at ebus0 addr 2e-2f, 2d-2d ipl 35
iic0 at pcfiic0
pcfiic1 at ebus0 addr 30-31 ipl 35
iic1 at pcfiic1
admtemp0 at iic1 addr 0x18: max1617
"tda8444" at iic1 addr 0x24 not configured
"scm001" at iic1 addr 0x20 not configured
"firei" at iic1 addr 0x30 not configured
"beep" at ebus0 addr 32-37 not configured
rtc0 at ebus0 addr 300070-300071 ipl 36: ds1287
"gpio" at ebus0 addr 300600-300607 not configured
pmc0 at ebus0 addr 300700-300701
"floppy" at ebus0 addr 3023f0-3023f7, 706000-70600f, 72-720003 ipl 37 not 
configured
lpt0 at ebus0 addr 300278-300287, 30002e-30002f, 70-7f ipl 28: polled
sab0 at ebus0 addr 40-40007f ipl 34: rev 3.2
sabtty0 at sab0 port 0
sabtty1 at sab0 port 1
gem0 at pci0 dev 5 function 1 "Sun ERI Ether" rev 0x01: ivec 0x21d, address 
00:03:ba:14:95:03
luphy0 at gem0 phy 1: LU6612 10/100 PHY, rev. 1
"Sun FireWire" rev 0x01 at pci0 dev 5 function 2 not configured
ohci0 at pci0 dev 5 function 3 "Sun USB" rev 0x01: ivec 0x21f, version 1.0, 
legacy support
siop0 at pci0 dev 6 function 0 "Symbios Logic 53c875" rev 0x37: ivec 0x218, 
using 4K of on-board RAM
scsibus0 at siop0: 16 targets
cd0 at scsibus0 targ 6 lun 0:  SCSI2 5/cdrom 
removable
siop1 at pci0 dev 6 function 1 "Symbi

Re: can't change password with passwd command

2007-11-20 Thread Jumping Mouse
Hi Clint and others,

I tried:

> # rm spwd* pwd* passwd* ptmp
> # pwd_mkdb /etc/master.passwd

then
#passwd username

but I am still getting: (for all users)

pwd_mkdb: corrupted entry
pwd_mkdb: at line #24
pwd_mkdb: /etc/ptmp: Inappropriate file type or format
passwd: /etc/master.passwd: unchanged

I have searched the faqs but have not been able to find a good solution to
this issue.  Does anyone have any thoughts?



> Date: Mon, 19 Nov 2007 19:33:06 -0700
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: misc@openbsd.org
> Subject: Re: can't change password with passwd command
> 
> Jumping Mouse wrote:
> > When I try to change a user password I get an error.
> > I do this:
> >
> > # passwd username
> > enter a new password and get:
> > pwd_mkdb: corrupted entry
> > pwd_mkdb: at line #24
> > pwd_mkdb: /etc/ptmp: Inappropriate file type or format
> > passwd: etc/master.passwd unchanged
> >
> > how can I fix this?
> 
> # cd /etc
> # cp -p spwd.db pwd.db passwd /root/ # backup
> # rm spwd* pwd* passwd* ptmp
> # pwd_mkdb /etc/master.passwd
> # passwd  # try again



Re: need help with softraid

2007-11-20 Thread Marco Peereboom
You didn't use -C force or dd the metadata area first.

On Tue, Nov 20, 2007 at 04:18:09PM -0500, Christopher Linn wrote:
> [...]

restore hanging on an "unusual" file name

2007-11-20 Thread Jeff Ross

Hi,

I'm trying to restore from a level 0 dump file taken from our samba 
server, so the file in question was created by windows.


The dump file is made with the following command:

/sbin/dump -0au -f - /dev/rsd1d | gzip | ssh nirvana.internal 'cd 
/backup/dukkha/full/; dd of=shared.gz'


restore is hanging on a file name with some weird characters.

restore > cd Jawnie/SC2007
restore > verbose
verbose mode on
restore > ls
./Jawnie/SC2007:
1834258 ./
1834112 ../
1834490 4582_photo_22200523428PM_Zablocki_Craignewweb.jpg
1834450 April2007.qxp
1834487 Bio.doc
1834480 Carlie07_grey.jpg
1834488 Document Scrap 'C/

Once it prints that last character, restore is frozen.  ctrl-c will 
bring it back to the restore> prompt from a hung ls, but during extract 
I have to kill the xterm itself and then log back in.

ktrace run on the restore pid yields a little more of the filename:



   "
 11609 restore  RET   write 27/0x1b
 11609 restore  CALL  write(0x2,0x80147000,0x34)
 11609 restore  GIO   fd 2 wrote 52 bytes
   "1834488 Document Scrap '\M-o\M^C\M^X Journal Entrie...'.shs
   "

On a console (not xterm) the file name appears to be

Document Scrap 'C/ Journal Entrie...'.shs

(that's a lower case "i" with two dots over it.)

After the ctrl-c, I stop ktrace and this is the last of the kdump.

 11609 restore  RET   write 1
 11609 restore  CALL  sigprocmask(0x1,0)
 11609 restore  RET   sigprocmask 0
 11609 restore  CALL  write(0x2,0x80147000,0xa)
 11609 restore  GIO   fd 2 wrote 10 bytes
   "restore > "
 11609 restore  RET   write 10/0xa
 11609 restore  CALL  read(0,0x8ba15000,0x1)
 11609 restore  PSIG  SIGINT caught handler=0x1c002044 mask=0x0
 11609 restore  RET   read RESTART
 11609 restore  CALL  sigprocmask(0x3,0)
 11609 restore  RET   sigprocmask 2
 11609 restore  CALL  write(0x2,0x80147000,0xa)
 11609 restore  GIO   fd 2 wrote 10 bytes
   "restore > "
 11609 restore  RET   write 10/0xa
 11609 restore  CALL  read(0,0x8ba15000,0x1)

This file is of no consequence other than restore can't proceed beyond 
it.  In order to continue I added all the files, then used delete Docu* 
to remove it from the extract list.


I tried to extract it by the directory and by the inode and restore 
hangs either way.


The dump file itself is 15.1 GB uncompressed and 12 GB compressed so I'm 
attaching it to this e-mail...just kidding!  But I can make it available 
if someone needs it--contact me off list.


Thanks,

Jeff Ross



Re: can't change password with passwd command

2007-11-20 Thread Clint Pachl

Jumping Mouse wrote:

> Hi Clint and others,
> 
> I tried:
> 
> > # rm spwd* pwd* passwd* ptmp
> > # pwd_mkdb /etc/master.passwd
> 
> then
> #passwd username
> 
> but I am still getting: (for all users)
> 
> pwd_mkdb: corrupted entry
> pwd_mkdb: at line #24
> pwd_mkdb: /etc/ptmp: Inappropriate file type or format
> passwd: /etc/master.passwd: unchanged
> 
> I have searched the faqs but have not been able to find a good solution to
> this issue.  Does anyone have any thoughts?


Does line #24 have a subtle error? Check the format against passwd(5).

BTW, are you the guy that inherited an OpenBSD system without a root 
account?




Re: restore hanging on an "unusual" file name

2007-11-20 Thread Jeff Ross

Jeff Ross wrote:

> Hi,
> 
> 
>    "
>  11609 restore  RET   write 27/0x1b
>  11609 restore  CALL  write(0x2,0x80147000,0x34)
>  11609 restore  GIO   fd 2 wrote 52 bytes
>    "1834488 Document Scrap '\M-o\M^C\M^X Journal Entrie...'.shs
>    "
> 
> On a console (not xterm) the file name appears to be
> 
> Document Scrap 'C/ Journal Entrie...'.shs
> 
> (that's a lower case "i" with two dots over it.)


My original e-mail did get mangled a little.

The C/ above is really the lowercase i with two dots over it.

Jeff
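To see what the escaped run in the kdump output above actually is, here is an added example (not from either post) that reverses the vis(3) notation kdump uses for non-printable bytes and shows how a Latin-1 console and a UTF-8 decoder each interpret the result; the kdump line is copied from the post, the helper names and everything else are constructed.

```python
# Added example, not from the thread: kdump(1) prints non-printable bytes in the
# vis(3) meta/control notation, so '\M-o\M^C\M^X' in the ktrace output above is
# three raw bytes. unvis() reverses that notation; describe_non_ascii() shows how
# a Latin-1 console and a UTF-8 decoder each interpret such a run.
import unicodedata

# Copied from the kdump output quoted in the post; everything else is constructed.
KDUMP_GIO_LINE = r'''   "1834488 Document Scrap '\M-o\M^C\M^X Journal Entrie...'.shs'''

# C-style escapes vis(3) emits with VIS_CSTYLE, plus \s (space) and \" .
_C_ESCAPES = {"n": 0x0A, "t": 0x09, "r": 0x0D, "b": 0x08, "a": 0x07,
              "v": 0x0B, "f": 0x0C, "s": 0x20, "\\": 0x5C, '"': 0x22}


def unvis(text: str) -> bytes:
    """Reverse vis(3) encoding: \\M-c (bit 7 set), \\M^c (control + bit 7),
    \\^c (control), \\NNN (octal) and the C-style escapes above."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))                     # plain ASCII passes through
            i += 1
            continue
        nxt = text[i + 1:i + 2]
        if nxt == "M":                              # \M-c or \M^c
            kind, base = text[i + 2], ord(text[i + 3])
            if kind == "^":
                base ^= 0x40                        # control character first...
            elif kind != "-":
                raise ValueError("bad meta escape at offset %d" % i)
            out.append(base | 0x80)                 # ...then the high bit
            i += 4
        elif nxt == "^":                            # \^c: control character
            out.append(ord(text[i + 2]) ^ 0x40)
            i += 3
        elif nxt and nxt in "01234567":             # \NNN: up to three octal digits
            j = i + 1
            while j < len(text) and j < i + 4 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))       # > 0xFF raises, vis never emits it
            i = j
        elif nxt in _C_ESCAPES:
            out.append(_C_ESCAPES[nxt])
            i += 2
        else:
            raise ValueError("unknown escape at offset %d: %r" % (i, text[i:i + 2]))
    return bytes(out)


def kdump_gio_string(line: str) -> str:
    """Strip the indentation and the quotes kdump wraps around a GIO data line."""
    body = line.strip()
    if body.startswith('"'):
        body = body[1:]
    if body.endswith('"'):
        body = body[:-1]
    return body


def describe_non_ascii(raw: bytes) -> list:
    """For each maximal run of bytes >= 0x80: its hex, what a Latin-1 console shows
    (one glyph per byte, C1 bytes invisible) and its UTF-8 decoding with Unicode
    categories (utf8 is None when the run is not valid UTF-8)."""
    runs, current = [], bytearray()
    for b in raw + b"\x00":                         # sentinel flushes a trailing run
        if b >= 0x80:
            current.append(b)
            continue
        if current:
            info = {"hex": current.hex(" "), "latin1": current.decode("latin-1")}
            try:
                text = current.decode("utf-8")
                info["utf8"] = text
                info["categories"] = [unicodedata.category(c) for c in text]
            except UnicodeDecodeError:
                info["utf8"], info["categories"] = None, []
            runs.append(info)
            current = bytearray()
    return runs


def main() -> None:
    name = unvis(kdump_gio_string(KDUMP_GIO_LINE))
    print("decoded name:", name)
    for d in describe_non_ascii(name):
        print("raw bytes   :", d["hex"])
        print("as Latin-1  :", repr(d["latin1"]), "(the console's rendering)")
        print("as UTF-8    :", repr(d["utf8"]), d["categories"])


if __name__ == "__main__":
    main()
```

The three bytes decode to one private-use code point under UTF-8, while a Latin-1 console shows the first byte as the "i with two dots" and the other two as invisible C1 control bytes, which matches what the post describes seeing.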



Re: Hoststated and randomly dropped connections

2007-11-20 Thread Preston Norvell
After some research on sysctl values for other loadbalancers, I borrowed
some best practices values and set kern.maxfiles and kern.somaxconn to
higher values and it seems to have largely helped the issue.  With 181458
sessions we've seen 257 errors (from any source, may not be the specific
issue we were having before), which is about two orders of magnitude fewer
than before.  I'll be researching these remaining errors, but we're
hammering a single server enough (due to a load balancer algo issue) that it
may simply be a little too much for the app server itself.

These are the values I am using now:
kern.maxfiles=32768
kern.somaxconn=256

I have also increased the soft limit for files to 512 daemon.

Between these settings, I appear to be in pretty good shape now.

Thanks everyone for the help.

;P mn

On 2007/11/19 2:26 PM, "Preston Norvell"
<[EMAIL PROTECTED]> muttered eloquently:

> Thanks much, 
> 
> I'll start digging into the sysctls.  I'm reasonably certain it isn't
> something with the app servers, because in the tcpdump output I can see the
> conversation between the load balancer and the app server complete
> successfully (all aspects of the request/response even), it's just from the
> load balancer to the client machines that gets tetchy.  I will try the retry
> value though; it certainly wouldn't hurt and sounds like a good idea.
> 
> Thanks again,
> 
> ;P mn
> 
> 
> On 2007/11/19 2:20 AM, "Reyk Floeter" <[EMAIL PROTECTED]> muttered
> eloquently:
> 
>> hi!
>> 
>> are you sure that the apaches are not dropping the connections when
>> you reach a specific limit of max connections? i've seen problems like
>> this with apache2+linux webservers.
>> 
>> - make sure that you tuned some sysctls for hoststated. for example
>> kern.maxfiles, kern.somaxconn, kern.maxclusters,
>> net.inet.ip.ifq.maxlen. you have to be very careful when tuning the
>> sysctls, but you mostly always have to bump them up for L7 load
>> balancing.
>> 
>> - try out the "retry" option in the table configuration. this is a
>> work-around for buggy backends. i experienced that the _backend_
>> servers sometimes drop the inbound connection attempts, so i added
>> this option to immediatly retry it... which works very well.
>> 
>> table foo {
>> real port 80
>> check http '/ZendPlatform/client/getPing.php' code 200
>> 
>> host $www01 retry 2
>> host $www02 retry 2
>> host $www03 retry 2
>> ...
>> 
>> demote carp
>> }
>> 
>> reyk
>> 
>> On Mon, Nov 19, 2007 at 12:14:18AM -0800, Preston Norvell wrote:
>>> We have been trying to migrate from an Apache proxy balancer to hoststated
>>> and have run into a couple issues, one of which I have asked about and the I
>>> write about now.
>>> 
>>> We are using 4.2-stable:
>>> OpenBSD mesh1 4.2 GENERIC.MP#1378 amd64
>>> 
>>> This particular issue is rather odd, such that I'm afraid my description may
>>> be somewhat confusing, but here goes...
>>> 
>>> We are doing layer 7 http load balancing for an application hosted on 8+
>>> machines behind the hoststated box for clients on the Internet.  In our
>>> testing, we seem to have an issue with hoststated somewhat randomly dropping
>>> inbound connections to a resource behind it.  It is not exactly
>>> deterministic, in that we cannot seem to generate a specific packet to make
>>> the connection fail, but it's just about statistically guaranteed to fail.
>>> The failure rate goes up as the traffic increases, though even a sequential
>>> run of 1000 single connections is likely to fail once or twice.
>>> 
>>> From a tcpdump standpoint, I see the connection established through the load
>>> balancer.  The GET request is issued from the client machine, which is
>>> delivered by hoststated to the server, which dutifully considers the request
>>> and returns a valid response.  Oddly though, on the client-facing side of
>>> the load balancer,  immediately after the GET request is received, a FIN is
>>> sent from the load balancer itself.
>>> 
>>> As stated, the likelihood of this occurring goes up with more traffic, even
>>> with low-bandwidth request/response sequences.  The only message of any
>>> import in any log I've looked in is the following from /var/log/daemon:
>>> 
>>> Nov 18 17:17:02 mesh1 hoststated[1945]: relay appx, session 2948 (50
>>> active), a.b.c.d -> 10.100.0.208:8080, session failed
>>> 
>>> There are no blocks in pf, and no errors as far as the app server is
>>> concerned.  The connections work fine through a similarly configured OpenBSD
>>> firewall without hoststated in the loop.
>>> 
>>> I'm not sure where to start looking next to narrow down the issue farther,
>>> does anyone have any suggestions?
>>> 
>>> Thanks much,
>>> 
>>> ;P mn
>>> 
>>> --
>>> Preston M Norvell <[EMAIL PROTECTED]>
>>> Systems/Network Administrator
>>> Serials Solutions 
>>> Phone:  (866) SERIALS (737-4257) ext 1094
>>> 
> 
> --
> Preston M Norvell <[EMAIL PROTECTED]>
> Systems/Network Administrator
> Serials Solutio

Re: Hoststated and randomly dropped connections

2007-11-20 Thread Stuart Henderson
On 2007/11/20 14:46, Preston Norvell wrote:
> kern.maxfiles=32768

32k seems excessive ..

> > On 2007/11/19 2:20 AM, "Reyk Floeter" <[EMAIL PROTECTED]> muttered
> > eloquently:
> > 
> >> net.inet.ip.ifq.maxlen

did you look at this?

if you see >0 in net.inet.ip.ifq.drops, you quite likely need
to bump it.



Re: Hoststated and randomly dropped connections

2007-11-20 Thread Preston Norvell
On 2007/11/20 3:49 PM, "Stuart Henderson" <[EMAIL PROTECTED]> muttered
eloquently:

> On 2007/11/20 14:46, Preston Norvell wrote:
>> kern.maxfiles=32768
> 
> 32k seems excessive ..
> 

It may be.  As I said I pulled it from a balancer config for *BSD for a
commercial balancer.  As we continue testing I will likely back it down to
see what effect it has and as I try to determine what causes the remaining
failed connections (we're up to 318 out of 288199 now).  It will also be
interesting when we bump up the number of different relays the load balancer is
handling.


>>> On 2007/11/19 2:20 AM, "Reyk Floeter" <[EMAIL PROTECTED]> muttered
>>> eloquently:
>>> 
>>>> net.inet.ip.ifq.maxlen
> 
> did you look at this?
> 
> if you see >0 in net.inet.ip.ifq.drops, you quite likely need
> to bump it.
> 

Yeah.  It has been sitting at zero since we started this phase of testing,
without any reboots so I took it to mean things were probably ok there.

;P mn

--
Preston M Norvell <[EMAIL PROTECTED]>
Systems/Network Administrator
Serials Solutions 
Phone:  (866) SERIALS (737-4257) ext 1094



Re: can't change password with passwd command

2007-11-20 Thread Jumping Mouse
Hi Clint,  Yes I am the one.   as for changing the password this seems to
happen to any user except for the root account, I am able to use passwd to
change the root account password.  Here is line 24: (I removed the password
and real username)

username::1000:0::0:0:username:/home/username:/bin/ksh

I don't know if this matters but there is no ptmp file in the /etc directory
(none was there before I followed your earlier instructions)

> Date: Tue, 20 Nov 2007 15:59:52 -0700
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: misc@openbsd.org
> Subject: Re: can't change password with passwd command
> 
> Jumping Mouse wrote:
> > Hi Clint and others,
> >
> > I tried:
> >
> > > # rm spwd* pwd* passwd* ptmp
> > > # pwd_mkdb /etc/master.passwd
> >
> > then
> > #passwd username
> >
> > but I am still getting: (for all users)
> >
> > pwd_mkdb: corrupted entry
> > pwd_mkdb: at line #24
> > pwd_mkdb: /etc/ptmp: Inappropriate file type or format
> > passwd: /etc/master.passwd: unchanged
> >
> > I have searched the faqs but have not been able to find a good solution to
> > this issue. Does anyone have any thoughts?
> 
> Does line #24 have a subtle error? Check the format against passwd(5).
> 
> BTW, are you the guy that inherited an OpenBSD system without a root
> account?



Re: can't change password with passwd command

2007-11-20 Thread Jumping Mouse
One more follow up:

I added a new user.
then tried to change the users password with the passwd command and I get the
same results:

pwd_mkdb: corrupted entry
pwd_mkdb: at line #25
pwd_mkdb: /etc/ptmp: Inappropriate file type or format
passwd: /etc/master.passwd: unchanged

> [...]



Re: Compromising a host with pf enabled?

2007-11-20 Thread Luca Corti
On Mon, 2007-11-19 at 22:53 -0700, Clint Pachl wrote:
> In my DMZ research, some sources state that all services need to be 
> replicated in each DMZ. Following that advice, I would have to setup 
> Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like 
> a lot of work. What do you guys think?

That you are basically bypassing your own firewall. Just create a third
subnet for your management services and allow only the lan and dmzs to
access it through the firewall. Not perfect but IMHO better than
establishing a direct path between a dmz and a lan and adding complexity
to monitor traffic on that path.

ciao

Luca



Formal verification as another tool for ensuring OpenBSD quality

2007-11-20 Thread Andrés
Hi, I have read about formal verification, and it sounds like a
perfect tool to outreach the project goals. I'm pretty sure developers
know about it, so I'd like to read comments or opinions.

http://en.wikipedia.org/wiki/Formal_verification

Greetings.



Re: can't change password with passwd command

2007-11-20 Thread Clint Pachl

Jumping Mouse wrote:

> One more follow up:
> 
> I added a new user.
> then tried to change the users password with the passwd command and I get the
> same results:
> 
> pwd_mkdb: corrupted entry
> pwd_mkdb: at line #25
> pwd_mkdb: /etc/ptmp: Inappropriate file type or format
> passwd: /etc/master.passwd: unchanged



That's interesting. The line with the error moved from #24 to #25. Make 
sure there are no empty lines anywhere in the file (check the last line) 
and no trailing spaces after any entry.


Also, the formatting of your replies is really messed up and is 
difficult to read. Are you sending in plain text?




Re: can't change password with passwd command

2007-11-20 Thread Clint Pachl

Jumping Mouse wrote:
> Hi Clint,  Yes I am the one.   As for changing the password, this seems to
> happen to any user except for the root account; I am able to use passwd to
> change the root account password.  Here is line 24: (I removed the password
> and real username)
>
> username::1000:0::0:0:username:/home/username:/bin/ksh


I was going to say, don't remove the username or password because the 
problem could be embedded in either one of those fields. Anyway, check 
to make sure that there is no whitespace adjacent to any colons.

> I don't know if this matters but there is no ptmp file in the /etc directory
> (nor was there one before I followed your earlier instructions).


Doesn't matter. Just wanted to make sure it wasn't causing any problems 
when running passwd, which uses that file name as its temp file.




OT - SSHD

2007-11-20 Thread yance
Hi All,

Not specifically about OpenBSD; it is about SSHD.

What causes sshd not to respond? Attached is sshd -v -v.

I tried to connect to the box remotely; it seems like sshd is asleep somehow.


Kind regards,


Yance
ssh -v -v -l yance 192.168.1.3
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
debug1: Connection established.
debug1: identity file /home/yance/.ssh/identity type -1
debug1: identity file /home/yance/.ssh/id_rsa type -1
debug1: identity file /home/yance/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 125/256
debug2: bits set: 517/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.3' is known and matches the DSA host key.
debug1: Found key in /home/yance/.ssh/known_hosts:10
debug2: bits set: 537/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/yance/.ssh/identity (0x0)
debug2: key: /home/yance/.ssh/id_rsa (0x0)
debug2: key: /home/yance/.ssh/id_dsa (0x0)



Re: can't change password with passwd command

2007-11-20 Thread Nick Holland
Jumping Mouse wrote:
> Hi Clint and others,
> 
> I tried:
> 
> # rm spwd* pwd* passwd* ptmp
> # pwd_mkdb /etc/master.passwd

pointless.

> then
> #passwd username
> 
> but I am still getting: (for all users)
> 
> pwd_mkdb: corrupted entry
> pwd_mkdb: at line #24
> pwd_mkdb: /etc/ptmp: Inappropriate file type or format
> passwd: /etc/master.passwd: unchanged

right.  If the file is corrupted, the file is corrupted, it isn't going
to spend a lot of time trying to push a change in and maybe make it
worse.  It is curious that it does let you change root's PW, but that's
nice, it does let you get back in and fix the rest.

> I have searched the faqs but have not been able to find a good solution to
> this issue.  Does anyone have any thoughts?

EXACTLY what it says.  Something around line 24 is wrong.

A FEW ideas:
* Line break at col 80 that you are assuming is a wrap, but it isn't.
* Trailing spaces.
* Blank lines (including an extra newline at end-of-file)

Those are some of the errors I've made.  I've probably repressed the
really funny ones.  You are free to make your own. :)

You can add and delete users all you want, there's something wrong with
the master.passwd file.  When you call up vipw or passwd, it makes a copy
of that file to /etc/ptmp, you edit that file, then it does a sanity check
and if it passes the sanity check, it rolls that file back to
master.passwd, and makes the rest of the files (not necessarily in that
order).  Yours doesn't pass the sanity check.

Before you run vipw/passwd/whatever there is no /etc/ptmp file unless
someone killed an edit inappropriately.  If that's the case, it doesn't
let you edit the file in the first place.

Your file is corrupted.  You need to fix it.  Don't edit the file
and then expect us to spot the error unless it is really blatant, and
at this point, don't bother trying to convey much info at all over that
mailer you are using. :)

Worst case, assuming you are the only one (or one of few) on the system,
grab the /etc/master.passwd from the etcXX.tgz file of the appropriate
version of OpenBSD you are running, stick it in /etc, run vipw, make a
trivial change (or run mkwhateveritis), exit, change root's PW, and
re-populate the file one user at a time.

You already know unpleasant things happened to your passwd file.
You have a regular "user" at line 24...that's been a while since a
regular user popped up that early in the file.  You probably have got
lots of problems there.  Fortunately, it is pretty easy to rebuild.
Just save a copy of your current version, and after the dust settles,
copy over the individual users you need (and watch for wraps!).
And ONLY those users...

Nick.
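As an added illustration of the checks Clint and Nick describe above (not code from the thread or from OpenBSD), the following Python script walks a master.passwd file and reports, with pwd_mkdb-style 1-based line numbers, the mistakes named in this thread: a line wrapped at column 80 (wrong field count), trailing whitespace, blank lines or an extra newline at end-of-file, whitespace next to a colon, and non-numeric uid/gid/change/expire fields. The ten-field layout is the one documented in master.passwd(5); the sample file embedded in the script is constructed for the example and is not anyone's real password file.

```python
"""Format checker for an OpenBSD-style master.passwd file.

Added example, not part of the thread. It does not replace pwd_mkdb; it only
localises the kinds of mistakes discussed above (a line wrapped at column 80,
trailing spaces, blank lines or an extra newline at end-of-file, whitespace
next to a colon, non-numeric uid/gid fields) and reports them with the same
1-based line numbers pwd_mkdb prints in "at line #N".
"""
import re
import sys

# master.passwd(5): ten colon-separated fields per entry.
FIELDS = ("name", "password", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")
NUMERIC = {"uid", "gid", "change", "expire"}


def check_entry(lineno, line):
    """Return a list of (lineno, message) for one line (newline stripped)."""
    if line.strip() == "":
        return [(lineno, "blank line")]
    problems = []
    if line != line.rstrip():
        problems.append((lineno, "trailing whitespace"))
    if re.search(r"\s:|:\s", line):
        problems.append((lineno, "whitespace adjacent to a colon"))
    fields = line.split(":")
    if len(fields) != len(FIELDS):
        problems.append((lineno, "expected %d fields, found %d (wrapped or "
                         "truncated line?)" % (len(FIELDS), len(fields))))
        return problems          # field positions are meaningless from here on
    if not fields[0]:
        problems.append((lineno, "empty user name"))
    for name, value in zip(FIELDS, fields):
        if name in NUMERIC and not value.isdigit():
            problems.append((lineno, "field %s is not numeric: %r" % (name, value)))
    return problems


def check_master_passwd(text):
    """Check a whole file given as a string; return all (lineno, message)."""
    lines = text.split("\n")
    # A final "\n" is the normal terminator, not an empty entry; drop the
    # empty element it produces so only genuinely blank lines are reported.
    if lines and lines[-1] == "":
        lines.pop()
    problems = []
    for lineno, line in enumerate(lines, 1):
        problems.extend(check_entry(lineno, line))
    return problems


# Constructed sample: two good entries, then the classic mistakes.
SAMPLE = (
    "root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n"
    "daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin\n"
    "username::1000:0::0:0:username:/home/username:/bin/ksh \n"      # trailing space
    "longname::1001:0::0:0:A gecos field long enough to be wrapped by a mailer:/home/\n"
    "longname:/bin/ksh\n"                                           # second half of the wrap
    "\n"                                                            # stray blank line at EOF
)


def main(argv):
    """Check the file named in argv[1], or the constructed SAMPLE if none."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    problems = check_master_passwd(text)
    for lineno, msg in problems:
        print("line %d: %s" % (lineno, msg))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root against a copy of the file (`python3 check_passwd.py /etc/master.passwd.bak`); a clean file produces no output and exit status 0. On the constructed sample it flags lines 3 to 6, which is exactly the kind of pointer pwd_mkdb's "at line #24" gives you, with the reason attached.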



Is this load balancing Idea for squid ok while using route-to or is there a better one?

2007-11-20 Thread Siju George
Hi,

I have two internet connections connected to my firewall now.
Both are from the same ISP, with IP addresses "IP1" and "IP2".
Both have the same gateway "GWIP"

ext_if = "IP1"
ext_if2 = "IP2"
gateway = "GWIP"

Now to load balance squid what I am doing is to tag half of the
packets coming to squid using the rules

===
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
    keep state tag squid probability 50% label squid

pass in quick on $int_if inet proto tcp from $int_if:network to any \
    port { 21, 8080 } keep state

pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway) } round-robin \
    from $int_if:network to any keep state

===

This gets half of the traffic that comes to squid tagged and labeled as 'squid'

then I have the following NAT rule for the $ext_if which is the
default route to  NAT the tagged rules ( i.e half of squid traffic )
to "IP2" on $ext_if2

=

nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)

nat on $ext_if from $int_if:network to any -> ($ext_if)

nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

=

and finally for the filter rules to route the tagged packets through
the second interface.

==

pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
all modulate state flags S/SA tagged squid

pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
all modulate state flags S/SA

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
all modulate state flags S/SA

pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp } \
    all keep state

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp } \
    all keep state

===

I derived this idea from

http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html

after searching the archives.

Just wondering if there is a better way to do it :-)

Thank you so much especially Danny for the post :-)))

Kind Regards

Siju



OT: travel to opencon from berlin

2007-11-20 Thread Sebastian Reitenbach
Hi,

I'd like to take the train to opencon in venice, starting from somewhere 
near berlin. In case there is someone else going by train, let me know, 
maybe we can take the same. I haven't booked anything yet, but want to do 
so this week. 
Let me know either here or offlist.

thanks
Sebastian



Re: OT - SSHD

2007-11-20 Thread Girish Venkatachalam
On 11:58:03 Nov 21, [EMAIL PROTECTED] wrote:
> Hi All,
> 
> Not specifically about OpenBSD; it is about SSHD.
> 
> What causes sshd not to respond? Attached is sshd -v -v.
> 
> I tried to connect to the box remotely; it seems like sshd is asleep somehow.
> 
> 
> Kind regards,
> 
> 
> Yance
> ssh -v -v -l yance 192.168.1.3
> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> debug1: Connection established.
> debug1: identity file /home/yance/.ssh/identity type -1
> debug1: identity file /home/yance/.ssh/id_rsa type -1
> debug1: identity file /home/yance/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
> debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 FreeBSD-20040419
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED]
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 125/256
> debug2: bits set: 517/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '192.168.1.3' is known and matches the DSA host key.
> debug1: Found key in /home/yance/.ssh/known_hosts:10
> debug2: bits set: 537/1024
> debug1: ssh_dss_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/yance/.ssh/identity (0x0)
> debug2: key: /home/yance/.ssh/id_rsa (0x0)
> debug2: key: /home/yance/.ssh/id_dsa (0x0)

Not sure if it is the same problem you are facing.

But FreeBSD used to have problems with the OpenSSL library causing this.

Just go to 

/usr/ports/security/openssl on your FreeBSD *server* box

and

# make deinstall
# make clean
# make reinstall

This should fix it.

Best of luck!

Check the FreeBSD archives. 

Thanks.

regards,
Girish