Re: OBSD hacks at ruxcon

2008-03-05 Thread steve szmidt
On Wednesday 05 March 2008, Ted Unangst wrote:
> On 3/5/08, steve szmidt <[EMAIL PROTECTED]> wrote:
> > Looks like the malloc is addressed. Anything on the other attack vectors?
>
> Do you have a particular concern or are you asking for a 53 slide
> response presentation?

25 would be enough. :)

I know that there is a lot of ongoing work and I figured that you would be 
quite familiar with what Hawkes said, and would be able to say Oh yes, 
we closed those doors three releases ago, or some such. 

All the firewalls I build use OBSD, I tell my clients to buy it etc. Naturally 
if there was some particular scenario which he discovered that had not been 
resolved it's in my best interest to know about it. (I'm not concerned about 
things that require physical access.)

Not being able to keep up with all that goes on I try to chase down those that 
I do run into. Thus my question. 

The only things I use on these are pf and ssh, so I'm not concerned over some 
third party app with whatever holes in the app. However it is still not a 
default config. 
-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety 
deserve neither liberty nor safety."
Benjamin Franklin



Re: OBSD hacks at ruxcon

2008-03-05 Thread Stuart Henderson
On 2008-03-05, steve szmidt <[EMAIL PROTECTED]> wrote:
> The only things I use on these are pf and ssh, so I'm not concerned over some 
> third party app with whatever holes in the app. However it is still not a 
> default config. 

You might like to note this from OpenSSH 3.9 (several years before the paper)
which means that some of the techniques mentioned don't apply to sshd.

* Make sshd(8) re-execute itself on accepting a new connection. This security
  measure ensures that all execute-time randomisations are reapplied for each 
  connection rather than once, for the master process' lifetime. This includes
  mmap and malloc mappings, shared library addressing, shared library mapping 
  order, ProPolice and StackGhost cookies on systems that support such things
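
The effect of the re-exec measure quoted above, shown as an added example (not part of the original thread and not OpenSSH code): a child that is only forked inherits the parent's address-space layout, while a child that re-executes the binary gets freshly randomised mappings. The names `struct layout`, `capture_layout`, `child_layout`, `regions_moved` and the `--report` flag are made up for this sketch, and using the value of `stdout` as an address inside libc assumes a glibc-style C library.

```c
/* Added example: compare the address-space layout seen by a forked child
 * with that of a forked-and-re-executed child. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* One representative address per region that exec-time randomisation moves. */
struct layout {
    uintptr_t text;   /* a function in the main binary (moves only if built as PIE) */
    uintptr_t stack;  /* initial stack: where the kernel placed the envp array */
    uintptr_t libc;   /* an object inside the shared C library (assumption: glibc-style stdout) */
    uintptr_t heap;   /* the first chunk malloc hands out */
};

void capture_layout(struct layout *l)
{
    void *p = malloc(64);
    l->text  = (uintptr_t)&capture_layout;
    l->stack = (uintptr_t)environ;
    l->libc  = (uintptr_t)stdout;
    l->heap  = (uintptr_t)p;
    free(p);
}

/* Start a child and read back the layout it reports over a pipe.
 * self == NULL: plain fork(), like a daemon that only forks per connection.
 * self != NULL: fork() then execv(self, "--report"), like a daemon that
 *               re-executes itself for every connection. */
int child_layout(const char *self, struct layout *out)
{
    int fds[2], status;
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        close(fds[0]);
        if (self != NULL) {
            char *args[] = { (char *)self, "--report", NULL };
            dup2(fds[1], STDOUT_FILENO);
            execv(self, args);
            _exit(127);                 /* exec failed */
        }
        struct layout l;
        capture_layout(&l);
        ssize_t w = write(fds[1], &l, sizeof l);
        _exit(w == (ssize_t)sizeof l ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (n != (ssize_t)sizeof *out || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return 0;
}

/* Number of regions (0..4) whose address differs between two processes. */
int regions_moved(const struct layout *a, const struct layout *b)
{
    return (a->text != b->text) + (a->stack != b->stack) +
           (a->libc != b->libc) + (a->heap != b->heap);
}

int main(int argc, char **argv)
{
    struct layout me, forked, reexeced;
    capture_layout(&me);

    /* Re-executed child: report our own layout on stdout (the pipe) and exit. */
    if (argc > 1 && strcmp(argv[1], "--report") == 0)
        return write(STDOUT_FILENO, &me, sizeof me) == (ssize_t)sizeof me ? 0 : 1;

    /* argv[0] must be a path execv() can open, e.g. ./a.out */
    if (child_layout(NULL, &forked) != 0 || child_layout(argv[0], &reexeced) != 0) {
        fprintf(stderr, "could not start child\n");
        return 1;
    }
    /* A forked child shares text, stack and libc addresses with its parent;
     * a system that randomises every malloc may still move the heap probe.
     * With exec-time randomisation active, the re-executed child moves. */
    printf("fork only   : %d of 4 regions moved\n", regions_moved(&me, &forked));
    printf("fork + exec : %d of 4 regions moved\n", regions_moved(&me, &reexeced));
    return 0;
}
```

If the second line also reports 0, exec-time address randomisation is not active on the machine where it was run.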



pf - routing

2008-03-05 Thread Almir Karic
this is the deal, i am designing the network and i have some
questions, regarding route (OBSD 4.2) setup. the relevant interfaces
are $dmz_if (uplink for the servers in DMZ) and $ext_if the router
uplink.

the idea is to save one external IP by NOT assigning an external IP to
the $dmz_if, is it possible?

so the $dmz_if would be 10.0.0.1, and the servers would have external
IP as their 'primary' IP and an alias to somewhere in 10.0.0/24

so far i come up with:

pass in on $pub_if route-to $dmz_if from any to $ip

($pub_if is there as i am testing FROM $pub_if, i will change it to
something like ''{ $ext_if $pub_if $int_if }'' once i am done testing)

but that doesn't work, the ping doesn't get through, which if i add an
alias in the same subnet as the external IP's the ping from
$pub_if:network to my $ip gets through just fine.

any pointers/links/suggestions on how to achieve that?

-- 
error: one bad user found in front of screen



Re: floppy.fs

2008-03-05 Thread Edd
On Tue, Mar 04, 2008 at 11:22:11PM -0700, Paul Greidanus wrote:
> I'm just wondering how many people out there are using the floppy.fs 
> installer still?  I'm wondering if it would be a worthwhile thought to 
> expand past the 1.44Mb limit for the CD and .rd install options if there 
> are features that can be added to the installer.

What features do you have in mind?

Some arches do not have cdboot do they? This could be a problem.

-- 

Best Regards
Edd

http://students.dec.bmth.ac.uk/ebarrett



Panic: semop can-t undo undos

2008-03-05 Thread klemen


I'm getting an error every few days:

panic: semop - can't undo undos

Because I have just remote access to server I can't give you trace or ps 
of an error.

I got a "solution" for the problem on some other site but it doesn't help.

/(your system is running out of semaphore undo data structures. Try
increasing at least kern.seminfo.semmnu. Other semaphore related
sysctl's might need an increase as well)/

I increased kern.semiinfo.semmnu to 60 but it seems like I get the errors even 
more frequently.
*So I probably have to increase other related sysctl's and here is the 
question: which?*


Thanks for help.
klemen



Re: Panic: semop can-t undo undos

2008-03-05 Thread Otto Moerbeek
On Wed, Mar 05, 2008 at 09:38:01AM +0100, klemen wrote:

> 
> I'm getting an error every few days:
>
> panic: semop - can't undo undos
>
> Because I have just remote access to server I can't give you trace or ps of 
> an error.
> I got a "solution" for the problem on some other site but it doesn't help.
>
> /(your system is running out of semaphore undo data structures. Try
> increasing at least kern.seminfo.semmnu. Other semaphore related
> sysctl's might need an increase as well)/
>
> I increased kern.semiinfo.semmnu to 60 but it seems like I get the errors even 
> more frequently.
> *So I probably have to increase other related sysctl's and here is the 
> question: which?*
>
> Thanks for help.
> klemen

See

man 3 sysctl 

and
sysctl -a | grep seminfo

-Otto



Re: pf - routing

2008-03-05 Thread Stuart Henderson
On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
> this is the deal, i am designing the network and i have some
> questions, regarding route (OBSD 4.2) setup. the relevant interfaces
> are $dmz_if (uplink for the servers in DMZ) and $ext_if the router
> uplink.
>
> the idea is to save one external IP by NOT assigning an external IP to
> the $dmz_if, is it possible?

You say you're *designing* the network, so you're not trying to hack an
extra address out of an existing too-small setup. The correct approach is
to ask your ISP or LIR for a block of addresses the right size to fit
the machines you need. This is perfectly justified.

If you're desperate to save IP addresses, put the internal hosts on
private addresses and rdr the whole lot. Then because you don't need to
put the public addresses on an interface at all, you can also use the
all-0 and all-1 host addresses too.



Re: pf - routing

2008-03-05 Thread Almir Karic
On Wed, Mar 5, 2008 at 11:04 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
>  > this is the deal, i am designing the network and i have some
>  > questions, regarding route (OBSD 4.2) setup. the relevant interfaces
>  > are $dmz_if (uplink for the servers in DMZ) and $ext_if the router
>  > uplink.
>  >
>  > the idea is to save one external IP by NOT assigning an external IP to
>  > the $dmz_if, is it possible?
>
>  You say you're *designing* the network, so you're not trying to hack an
>  extra address out of an existing too-small setup. The correct approach is
>  to ask your ISP or LIR for a block of addresses the right size to fit
>  the machines you need. This is perfectly justified.

the situation is the following, right now we have a linux router
which has 3 IF's: uplink, dmz and lan, we don't like the way it does
nat for both lan (which is OK) and DMZ, which has proven not to be too
good, i am trying to replace that old linux router with OBSD router,
and would like to take the opportunity to get rid of nat, while still
not wasting the additional external ip. so no, i'm *not* trying to
hack additional address out of existing setup :-)


>  If you're desperate to save IP addresses, put the internal hosts on
>  private addresses and rdr the whole lot. Then because you don't need to
>  put the public addresses on an interface at all, you can also use the
>  all-0 and all-1 host addresses too.
>

nat is what i am trying to get rid of in the first place (at least in DMZ).


-- 
error: one bad user found in front of screen



Re: floppy.fs

2008-03-05 Thread Christopher Linn
hi paul,

On Tue, Mar 04, 2008 at 11:22:11PM -0700, Paul Greidanus wrote:
> Hi All
>
> I'm just wondering how many people out there are using the floppy.fs 
> installer still?  I'm wondering if it would be a worthwhile thought to 
> expand past the 1.44Mb limit for the CD and .rd install options if there 
> are features that can be added to the installer.  No, I'm not thinking a 
> gui/menu based installer as the main reason, but there might be benefits to 
> something like that.
>
> Paul


i have five P-90 systems in production as firewalls. well, i overclock 
them to 100MHz.  anyways, floppy.fs are install media.  what do you 
need in the install media that isn't there?  thing is about systems 
this old, back then the HW was built a lot better, so by gosh they're 
still around and they still run. ok they're noisier, 100 times bigger
and far less powerful than e.g. soekris, but hey. the floppy drives 
work.


cel


OpenBSD 4.3-beta (GENERIC) #675: Wed Feb 27 12:32:17 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium (P54C) ("GenuineIntel" 586-class) 100 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8
cpu0: F00F bug workaround installed
real mem  = 33124352 (31MB)
avail mem = 22425600 (21MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/20/96, BIOS32 rev. 0 @ 0xfd8d0
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI BIOS has 5 Interrupt Routing table entries
pcibios0: no compatible PCI ICU found
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xcc000/0x1000 0xed000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 2 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82434LX/NX PCI/Cache/DRAM" rev 0x11
"PC Technology RZ1000" rev 0x01 at pci0 dev 1 function 0 not configured
pcib0 at pci0 dev 2 function 0 "Intel 82378IB ISA" rev 0x43
vga1 at pci0 dev 3 function 0 "ATI Mach64 GX" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 12 function 0 "Intel 8255x" rev 0x08, i82559: irq 9, address 00:90:27:91:94:ec
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 1033MB, 2116800 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fdfd netmask fffd ttymask 
softraid0 at root
root on wd0a swap on wd0b dump on wd0b


-- 
Christopher Linn   | By no means shall either the CEC
System Administrator II   | or MTU be held in any way liable
  Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.



Re: Pre-release tests

2008-03-05 Thread Antti Harri

On Tue, 4 Mar 2008, Theo de Raadt wrote:

> If you are able to, please submit a dmesglog of the running machine to
> [EMAIL PROTECTED] -- with the Subject: set to the type of your machine
> (ie. SunFire V215, or IBM eServer 325 or such) -- and PLEASE avoid the
> use of MIME, but instead send your messages without any special
> encoding since it lets our developers grep easily through the logs
> looking for specific machines when they are fixing bugs.  Recently, I
> have had to start deleting the MIME submissions with the SPAM.

Hi.

Is this working for mail systems that are behind NAT/hidden otherwise?
Or would I have to "proxy" my dmesgs through a "real" server rather than
using the default sendmail setup on the test machines?

At least I recall it previously worked so that it seemed to accept the 
message for delivery but silently just dropped it. This was with the bug 
reporting system, I have no idea what has happened to the dmesgs I've
previously sent.

Thanks.

--
Antti Harri



Re: pf - routing

2008-03-05 Thread Stuart Henderson
On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 5, 2008 at 11:04 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>> On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
>>  > this is the deal, i am designing the network and i have some
>>  > questions, regarding route (OBSD 4.2) setup. the relevant interfaces
>>  > are $dmz_if (uplink for the servers in DMZ) and $ext_if the router
>>  > uplink.
>>  >
>>  > the idea is to save one external IP by NOT assigning an external IP to
>>  > the $dmz_if, is it possible?
>>
>>  You say you're *designing* the network, so you're not trying to hack an
>>  extra address out of an existing too-small setup. The correct approach is
>>  to ask your ISP or LIR for a block of addresses the right size to fit
>>  the machines you need. This is perfectly justified.
>
> the situation is the following, right now we have a linux router
> which has 3 IF's: uplink, dmz and lan, we don't like the way it does
> nat for both lan (which is OK) and DMZ, which has proven not to be too
> good, i am trying to replace that old linux router with OBSD router,
> and would like to take the opportunity to get rid of nat, while still
> not wasting the additional external ip.

Well, you need an IP address that the DMZ hosts can use as their gateway,
and it needs to get in their ARP table somehow...

There are ways, but they're hacks, and harder to get right than NAT or
asking for another address. (And if you're already using NAT, you'll be
renumbering the end hosts anyway, so moving block shouldn't be all that
painful).

If you're as clever as you (or people on a mailing list) can be when
configuring things, fixing any breakages can be a bit of a problem.



Re: Pre-release tests

2008-03-05 Thread Stuart Henderson
On 2008-03-05, Antti Harri <[EMAIL PROTECTED]> wrote:
> On Tue, 4 Mar 2008, Theo de Raadt wrote:
>
>> If you are able to, please submit a dmesglog of the running machine to
>> [EMAIL PROTECTED] -- with the Subject: set to the type of your machine
>> (ie. SunFire V215, or IBM eServer 325 or such) -- and PLEASE avoid the
>> use of MIME, but instead send your messages without any special
>> encoding since it lets our developers grep easily through the logs
>> looking for specific machines when they are fixing bugs.  Recently, I
>> have had to start deleting the MIME submissions with the SPAM.
>
> Is this working for mail systems that are behind NAT/hidden otherwise?
> Or would I have to "proxy" my dmesgs through a "real" server rather than
> using the default sendmail setup on the test machines?

It's always a good idea to make sure they're sent from an address which
works, so people can get back to you if they have questions. I usually
mail them to myself and then forward them (plaintext, inline, cutting out
the "Forwarded from ..." junk) to [EMAIL PROTECTED] This has another advantage
that they're then in a local Sent folder if I need to find them again later.



spamd topology

2008-03-05 Thread Jeff Santos
Hi,

Looking at some setups used in the past for spamd, I noticed that
many prefer to use a separate internal NIC to connect to each MX
instead of using the internal spamd  NIC connected to a switch,
where all MXs would be, including possibly other sub-domain MXs.

Is there anything wrong or inadequate with this second approach?

Thanks.

Regards,

Jeff.




Re: pf - routing

2008-03-05 Thread Jussi Peltola
On Wed, Mar 05, 2008 at 11:28:16AM +, Stuart Henderson wrote:
> There are ways, but they're hacks, and harder to get right than NAT or
> asking for another address. (And if you're already using NAT, you'll be
> renumbering the end hosts anyway, so moving block shouldn't be all that
> painful).
 
Couldn't you bridge the DMZ? Not as simple, but not a hack either.

> If you're as clever as you (or people on a mailing list) can be when
> configuring things, fixing any breakages can be a bit of a problem.
 
Agreed :)

-- 
Jussi Peltola



Re: Pre-release tests

2008-03-05 Thread Antti Harri

Hi Stuart.

On Wed, 5 Mar 2008, Stuart Henderson wrote:

> On 2008-03-05, Antti Harri <[EMAIL PROTECTED]> wrote:
>> On Tue, 4 Mar 2008, Theo de Raadt wrote:
>>
>>> If you are able to, please submit a dmesglog of the running machine to
>>> [EMAIL PROTECTED] -- with the Subject: set to the type of your machine
>>> (ie. SunFire V215, or IBM eServer 325 or such) -- and PLEASE avoid the
>>> use of MIME, but instead send your messages without any special
>>> encoding since it lets our developers grep easily through the logs
>>> looking for specific machines when they are fixing bugs.  Recently, I
>>> have had to start deleting the MIME submissions with the SPAM.
>>
>> Is this working for mail systems that are behind NAT/hidden otherwise?
>> Or would I have to "proxy" my dmesgs through a "real" server rather than
>> using the default sendmail setup on the test machines?
>
> It's always a good idea to make sure they're sent from an address which
> works, so people can get back to you if they have questions.

One can always change the From and/or Reply-To headers to show the 
receiver where to point replies.

Isn't it also against the RFC just to silently drop messages and give
sender the accepted for delivery code?

> I usually
> mail them to myself and then forward them (plaintext, inline, cutting out
> the "Forwarded from ..." junk) to [EMAIL PROTECTED] This has another advantage
> that they're then in a local Sent folder if I need to find them again later.


Yes that's probably easier than scp + ssh + MUA.

--
Antti Harri



The Dilbert Problem...

2008-03-05 Thread Mayuresh Kathe
Hi,

There's a strange incident that's repeatable on my system (4.2).

Open up Firefox, make it load "www.dilbert.com", then open another tab
and visit any other website, then do the same for 2~3 more tabs.

The first (dilbert) tab takes a long time to load during which the
other tabs too show nothing, they get stuck at "Looking up..."

Is it a Firefox problem or something to do with the system?

Best,

~Mayuresh



Re: pf - routing

2008-03-05 Thread Stuart Henderson
On 2008-03-05, Jussi Peltola <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 05, 2008 at 11:28:16AM +, Stuart Henderson wrote:
>> There are ways, but they're hacks, and harder to get right than NAT or
>> asking for another address. (And if you're already using NAT, you'll be
>> renumbering the end hosts anyway, so moving block shouldn't be all that
>> painful).
>  
> Couldn't you bridge the DMZ? Not as simple, but not a hack either.

Ah, how could I forget about that! (probably repressed from trying
to combine it with rdr before and getting very confused :-)



Re: floppy.fs

2008-03-05 Thread Maxim Belooussov
Hi,

>  The main reason I asked is that I have not seen a floppy disk, or drive
>  in the past 5 years, so it's interesting to know if others are actually
>  using floppies still for this?
>

The last time I used floppy.fs (2 months ago) was to dd it to
CompactFlash media for a thin client. There was no other (easier) way
to install, as the box doesn't have a floppy drive/cdrom.

Max



Re: Pre-release tests

2008-03-05 Thread Stuart Henderson
On 2008/03/05 13:57, Antti Harri wrote:
>
> Hi Stuart.
>
> On Wed, 5 Mar 2008, Stuart Henderson wrote:
>
>> On 2008-03-05, Antti Harri <[EMAIL PROTECTED]> wrote:
>>> On Tue, 4 Mar 2008, Theo de Raadt wrote:
>>>
>>>> If you are able to, please submit a dmesglog of the running machine to
>>>> [EMAIL PROTECTED] -- with the Subject: set to the type of your machine
>>>> (ie. SunFire V215, or IBM eServer 325 or such) -- and PLEASE avoid the
>>>> use of MIME, but instead send your messages without any special
>>>> encoding since it lets our developers grep easily through the logs
>>>> looking for specific machines when they are fixing bugs.  Recently, I
>>>> have had to start deleting the MIME submissions with the SPAM.
>>>
>>> Is this working for mail systems that are behind NAT/hidden otherwise?
>>> Or would I have to "proxy" my dmesgs through a "real" server rather than
>>> using the default sendmail setup on the test machines?
>>
>> It's always a good idea to make sure they're sent from an address which
>> works, so people can get back to you if they have questions.
>
> One can always change the From and/or Reply-To headers to show the receiver 
> where to point replies.
>
> Isn't it also against the RFC just to silently drop messages and give
> sender the accepted for delivery code?

Something can be accepted for delivery, and then fail later on. If the
envelope address you sent a message from is invalid (which could well be
the case if it's a hidden system), there's no way that the mail servers
involved can let you know about this.



Re: The Dilbert Problem...

2008-03-05 Thread Karl Sjodahl - dunceor
On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe
<[EMAIL PROTECTED]> wrote:
> Hi,
>
>  There's a strange incident that's repeatable on my system (4.2).
>
>  Open up Firefox, make it load "www.dilbert.com", then open another tab
>  and visit any other website, then do the same for 2~3 more tabs.
>
>  The first (dilbert) tab takes a long time to load during which the
>  other tabs too show nothing, they get stuck at "Looking up..."
>
>  Is it a Firefox problem or something to do with the system?
>
>  Best,
>
>  ~Mayuresh
>
>

I have seen this on both Windows and OpenBSD. The later firefox
releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
with having more tabs open.
I used to have a lot of tabs but now I have restricted myself to 3-4
or firefox is not useable.

BR
Dunceor



Re: pf - routing

2008-03-05 Thread Almir Karic
On Wed, Mar 5, 2008 at 12:43 PM, Jussi Peltola <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 05, 2008 at 11:28:16AM +, Stuart Henderson wrote:
>  > There are ways, but they're hacks, and harder to get right than NAT or
>  > asking for another address. (And if you're already using NAT, you'll be
>  > renumbering the end hosts anyway, so moving block shouldn't be all that
>  > painful).
>
>  Couldn't you bridge the DMZ? Not as simple, but not a hack either.


now here is an idea :-)

thanks will have a look at it and come back when i have more questions.

-- 
error: one bad user found in front of screen



Re: The Dilbert Problem...

2008-03-05 Thread Mayuresh Kathe
On Wed, Mar 5, 2008 at 5:46 PM, Karl Sjodahl - dunceor
<[EMAIL PROTECTED]> wrote:
>
> On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe
>  <[EMAIL PROTECTED]> wrote:
>  > Hi,
>  >
>  >  There's a strange incident that's repeatable on my system (4.2).
>  >
>  >  Open up Firefox, make it load "www.dilbert.com", then open another tab
>  >  and visit any other website, then do the same for 2~3 more tabs.
>  >
>  >  The first (dilbert) tab takes a long time to load during which the
>  >  other tabs too show nothing, they get stuck at "Looking up..."
>  >
>  >  Is it a Firefox problem or something to do with the system?
>  >
>  >  Best,
>  >
>  >  ~Mayuresh
>  >
>  >
>
>  I have seen this on both Windows and OpenBSD. The later firefox
>  releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
>  with having more tabs open.
>  I used to have a lot of tabs but now I have restricted myself to 3-4
>  or firefox is not useable.

I forgot to mention, my Firefox version is 2.0.0.6
Also I've only got a total of 3~4 tabs open while performing the Dilbert test.
Taking your cue, I tried an experiment, I opened up 10 tabs, but
without the Dilbert site and all of them opened up in parallel.



Re: The Dilbert Problem...

2008-03-05 Thread Peter N. M. Hansteen
"Mayuresh Kathe" <[EMAIL PROTECTED]> writes:

> The first (dilbert) tab takes a long time to load during which the
> other tabs too show nothing, they get stuck at "Looking up..."

another data point - here the dilbert site loads very slowly in a
firefox with about 15 tabs open already (lots of graphics it seems)
but other sites opened after it in separate tabs load normally.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: The Dilbert Problem...

2008-03-05 Thread Landry Breuil
On Wed, Mar 5, 2008 at 1:18 PM, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
>
> On Wed, Mar 5, 2008 at 5:46 PM, Karl Sjodahl - dunceor
>  <[EMAIL PROTECTED]> wrote:
>  >
>  > On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe
>  >  <[EMAIL PROTECTED]> wrote:
>  >  > Hi,
>  >  >
>  >  >  There's a strange incident that's repeatable on my system (4.2).
>  >  >
>  >  >  Open up Firefox, make it load "www.dilbert.com", then open another tab
>  >  >  and visit any other website, then do the same for 2~3 more tabs.
>  >  >
>  >  >  The first (dilbert) tab takes a long time to load during which the
>  >  >  other tabs too show nothing, they get stuck at "Looking up..."
>  >  >
>  >  >  Is it a Firefox problem or something to do with the system?
>  >  >
>  >  >  Best,
>  >  >
>  >  >  ~Mayuresh
>  >  >
>  >  >
>  >
>  >  I have seen this on both Windows and OpenBSD. The later firefox
>  >  releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
>  >  with having more tabs open.
>  >  I used to have a lot of tabs but now I have restricted myself to 3-4
>  >  or firefox is not useable.
>
>  I forgot to mention, my Firefox version is 2.0.0.6
>  Also I've only got a total of 3~4 tabs open while performing the Dilbert 
> test.
>  Taking your cue, I tried an experiment, I opened up 10 tabs, but
>  without the Dilbert site and all of them opened up in parallel.

Seems like an ipv6-dns-resolution problem to me.

My 2c.



Re: The Dilbert Problem...

2008-03-05 Thread Boudewijn Dijkstra
On Wed, 05 Mar 2008 13:42:48 +0100, Peter N. M. Hansteen
<[EMAIL PROTECTED]> wrote:
> "Mayuresh Kathe" <[EMAIL PROTECTED]> writes:
>
>> The first (dilbert) tab takes a long time to load during which the
>> other tabs too show nothing, they get stuck at "Looking up..."
>
> another data point - here the dilbert site loads very slowly in a
> firefox with about 15 tabs open already (lots of graphics it seems)
> but other sites opened after it in separate tabs load normally.

The delay is most likely caused by the DNS requests for all the different
advert sites.  My guess is that Firefox handles the DNS requests in order,
using the same execution context for all tabs, waiting for each one before
proceeding to the next.  Requesting an AAAA record that does not exist (or
trying to connect to the first four bytes of an IPv6-address) might very
well cause an additional slowdown.




--
Boudewijn Dijkstra
Indes - IDS B.V.
+31 345 545 535



Re: The Dilbert Problem...

2008-03-05 Thread Florin Iamandi
Mayuresh Kathe dixit (2008-03-05, 13:10:45):

> Hi,
> 
> There's a strange incident that's repeatable on my system (4.2).
> 
> Open up Firefox, make it load "www.dilbert.com", then open another tab
> and visit any other website, then do the same for 2~3 more tabs.
> 
> The first (dilbert) tab takes a long time to load during which the
> other tabs too show nothing, they get stuck at "Looking up..."
> 
> Is it a Firefox problem or something to do with the system?

What you describe might actually be a DNS related problem. 

If dilbert.com doesn't resolve well using your current NS/resolver
library combination, some applications might wait to receive an answer
or a time out for the previous queried addresses before processing the
next request(s).

This behaviour can be avoided using an asynchronous resolver
implementation - in this case the application wouldn't wait for a reply
before performing the next queries. 

AFAIK the OpenBSD resolver library is not asynchronous, someone please
correct me if I'm wrong here.

However, if you can reproduce the behaviour using another browser, Opera
comes to mind, then you can exclude Firefox from your list of suspects
and the next step would be changing the NS you are using at this moment.

-- 
Digitally yours,
Florin Iamandi (Slippery)
Reason is the first victim of emotion. -- Scytale, Dune Messiah




Re: The Dilbert Problem...

2008-03-05 Thread Otto Moerbeek
On Wed, Mar 05, 2008 at 01:47:23PM +0100, Landry Breuil wrote:

> On Wed, Mar 5, 2008 at 1:18 PM, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, Mar 5, 2008 at 5:46 PM, Karl Sjodahl - dunceor
> >  <[EMAIL PROTECTED]> wrote:
> >  >
> >  > On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe
> >  >  <[EMAIL PROTECTED]> wrote:
> >  >  > Hi,
> >  >  >
> >  >  >  There's a strange incident that's repeatable on my system (4.2).
> >  >  >
> >  >  >  Open up Firefox, make it load "www.dilbert.com", then open another 
> > tab
> >  >  >  and visit any other website, then do the same for 2~3 more tabs.
> >  >  >
> >  >  >  The first (dilbert) tab takes a long time to load during which the
> >  >  >  other tabs too show nothing, they get stuck at "Looking up..."
> >  >  >
> >  >  >  Is it a Firefox problem or something to do with the system?
> >  >  >
> >  >  >  Best,
> >  >  >
> >  >  >  ~Mayuresh
> >  >  >
> >  >  >
> >  >
> >  >  I have seen this on both Windows and OpenBSD. The later firefox
> >  >  releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
> >  >  with having more tabs open.
> >  >  I used to have a lot of tabs but now I have restricted myself to 3-4
> >  >  or firefox is not useable.
> >
> >  I forgot to mention, my Firefox version is 2.0.0.6
> >  Also I've only got a total of 3~4 tabs open while performing the Dilbert 
> > test.
> >  Taking your cue, I tried an experiment, I opened up 10 tabs, but
> >  without the Dilbert site and all of them opened up in parallel.
> 
> Seems like an ipv6-dns-resolution problem to me.
> 
> My 2c.

If that's the case, setting network.dns.disableIPv6 to true in
about:config should do the trick.

-Otto



Re: The Dilbert Problem...

2008-03-05 Thread Paul de Weerd
On Wed, Mar 05, 2008 at 01:47:23PM +0100, Landry Breuil wrote:
| On Wed, Mar 5, 2008 at 1:18 PM, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
| >
| > On Wed, Mar 5, 2008 at 5:46 PM, Karl Sjodahl - dunceor
| >  <[EMAIL PROTECTED]> wrote:
| >  >
| >  > On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe
| >  >  <[EMAIL PROTECTED]> wrote:
| >  >  > Hi,
| >  >  >
| >  >  >  There's a strange incident that's repeatable on my system (4.2).
| >  >  >
| >  >  >  Open up Firefox, make it load "www.dilbert.com", then open another tab
| >  >  >  and visit any other website, then do the same for 2~3 more tabs.
| >  >  >
| >  >  >  The first (dilbert) tab takes a long time to load during which the
| >  >  >  other tabs too show nothing, they get stuck at "Looking up..."
| >  >  >
| >  >  >  Is it a Firefox problem or something to do with the system?
| >  >  >
| >  >  >  Best,
| >  >  >
| >  >  >  ~Mayuresh
| >  >  >
| >  >  >
| >  >
| >  >  I have seen this on both Windows and OpenBSD. The later firefox
| >  >  releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
| >  >  with having more tabs open.
| >  >  I used to have a lot of tabs but now I have restricted myself to 3-4
| >  >  or firefox is not useable.
| >
| >  I forgot to mention, my Firefox version is 2.0.0.6
| >  Also I've only got a total of 3~4 tabs open while performing the Dilbert test.
| >  Taking your cue, I tried an experiment, I opened up 10 tabs, but
| >  without the Dilbert site and all of them opened up in parallel.
| 
| Seems like an ipv6-dns-resolution problem to me.

A bit of background here :

Firefox can do  lookups (for IPv6 addresses) by default for
websites you visit. Some DNS servers don't like this sort of query
and, in stead of saying "hey, I dont understand what you want", they
ignore you in the hope that you go away. Things time out on your end,
your system will do a A lookup and from there you can continue
browsing the website.

In the case of the dilbert site, this doesn't seem to be the case.
Apparently, one of the NS'en is not responding to queries at all (nor
ICMP Echo Requests - it's probably down or disconnected from the net
temporarily). Your caching NS may be trying to contact this one
nameserver. It'll wait for the timeout and then try one of the other
NS'en. The problem is exacerbated by the fact that www.dilbert.com has
a TTL of 300 seconds, so your caching NS doesn't keep this record in
memory too long.

The problem is that the resolver in OpenBSD isn't reentrant. If it's
doing name resolution, it'll not do another one in parallel. So while
you wait for www.dilbert.com to get resolved (which takes long because
of this timeout), you open a new tab, enter an address and your
machine will have to resolve that too, which gets queued up (doesn't
get handled in parallel), so the other tab also waits on
www.dilbert.com to get resolved.

You can test this hypothesis by going to a website by its IP address.
Try visiting http://129.128.5.191/ (http://www.openbsd.org/) while
you're waiting for www.dilbert.com to load. Visiting by IP should work
(as it doesn't require a DNS lookup).

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: The Dilbert Problem...

2008-03-05 Thread Mayuresh Kathe
On Wed, Mar 5, 2008 at 6:50 PM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
>
> On Wed, Mar 05, 2008 at 01:47:23PM +0100, Landry Breuil wrote:
>  | On Wed, Mar 5, 2008 at 1:18 PM, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
>  | >
>  | > On Wed, Mar 5, 2008 at 5:46 PM, Karl Sjodahl - dunceor
>  | >  <[EMAIL PROTECTED]> wrote:
>  | >  >
>  | >  > On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe
>  | >  >  <[EMAIL PROTECTED]> wrote:
>  | >  >  > Hi,
>  | >  >  >
>  | >  >  >  There's a strange incident that's repeatable on my system (4.2).
>  | >  >  >
>  | >  >  >  Open up Firefox, make it load "www.dilbert.com", then open another tab
>  | >  >  >  and visit any other website, then do the same for 2~3 more tabs.
>  | >  >  >
>  | >  >  >  The first (dilbert) tab takes a long time to load during which the
>  | >  >  >  other tabs too show nothing, they get stuck at "Looking up..."
>  | >  >  >
>  | >  >  >  Is it a Firefox problem or something to do with the system?
>  | >  >  >
>  | >  >  >  Best,
>  | >  >  >
>  | >  >  >  ~Mayuresh
>  | >  >  >
>  | >  >  >
>  | >  >
>  | >  >  I have seen this on both Windows and OpenBSD. The later firefox
>  | >  >  releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
>  | >  >  with having more tabs open.
>  | >  >  I used to have a lot of tabs but now I have restricted myself to 3-4
>  | >  >  or firefox is not useable.
>  | >
>  | >  I forgot to mention, my Firefox version is 2.0.0.6
>  | >  Also I've only got a total of 3~4 tabs open while performing the Dilbert test.
>  | >  Taking your cue, I tried an experiment, I opened up 10 tabs, but
>  | >  without the Dilbert site and all of them opened up in parallel.
>  |
>  | Seems like an ipv6-dns-resolution problem to me.
>
>  A bit of background here:
>
>  Firefox can do AAAA lookups (for IPv6 addresses) by default for
>  websites you visit. Some DNS servers don't like this sort of query
>  and, instead of saying "hey, I don't understand what you want", they
>  ignore you in the hope that you go away. Things time out on your end,
>  your system will do an A lookup and from there you can continue
>  browsing the website.
>
>  In the case of the dilbert site, this doesn't seem to be the case.
>  Apparently, one of the NS'en is not responding to queries at all (nor
>  ICMP Echo Requests - it's probably down or disconnected from the net
>  temporarily). Your caching NS may be trying to contact this one
>  nameserver. It'll wait for the timeout and then try one of the other
>  NS'en. The problem is exacerbated by the fact that www.dilbert.com has
>  a TTL of 300 seconds, so your caching NS doesn't keep this record in
>  memory too long.
>
>  The problem is that the resolver in OpenBSD isn't reentrant. If it's
>  doing name resolution, it'll not do another one in parallel. So while
>  you wait for www.dilbert.com to get resolved (which takes long because
>  of this timeout), you open a new tab, enter an address and your
>  machine will have to resolve that too, which gets queued up (doesn't
>  get handled in parallel), so the other tab also waits on
>  www.dilbert.com to get resolved.
>
>  You can test this hypothesis by going to a website by its IP address.
>  Try visiting http://129.128.5.191/ (http://www.openbsd.org/) while
>  you're waiting for www.dilbert.com to load. Visiting by IP should work
>  (as it doesn't require a DNS lookup).

Paul, I tried your idea of starting up www.dilbert.com and then
visiting http://129.128.5.191/ (the openbsd website).
It worked as you'd predicted.
So I guess it's the problem with the OpenBSD resolver.



Sendbug

2008-03-05 Thread Lewis, Rob
X-sendbug-version: 4.2

Submitter-Id:  net
Originator:    Charlie Root
Organization:
        net
Synopsis:      NFS file locking not working
Severity:      critical
Priority:      high
Category:      NFS
Class:         support
Release:       4.3
Environment:
        NEC
        System  : OpenBSD 4.2
        Details : OpenBSD 4.2-current (GENERIC) #652: Mon Jan 28 14:04:36 MST 2008
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

        Architecture: OpenBSD.i386
        Machine : i386

Description:
        We are having problems getting NFS file locking working
        correctly. We have tried both NFS version 2 and 3 using both UDP and TCP
        transport mechanisms. When two users access the same file; both have the
        ability to write to that file. Open Office also exhibits this behaviour.

How-To-Repeat:
        Mount a shared file system to two different machines. Login as
        two different users and access a single file from both machines. We are
        using NIS for the user database. This can be replicated on all of our
        installations.

Fix:
        None


Re: OBSD hacks at ruxcon

2008-03-05 Thread Ted Unangst
On 3/5/08, steve szmidt <[EMAIL PROTECTED]> wrote:
>  I know that there is a lot of ongoing work and I figured that you would be
>  quite familiar with what Hawkes said, and would be able to say Oh yes,
>  we closed those doors three releases ago, or some such.

We've mostly done what we can.  Also, the presentation didn't really
deal with exploiting openbsd itself; a more accurate title would have
been "Circumventing OpenBSD's Exploit Mitigation."  With that in mind,
even if nothing had been addressed, OpenBSD would be no less secure
than an OS without these features.



Re: floppy.fs

2008-03-05 Thread Giancarlo Razzolini
Paul Greidanus wrote:
> Hi All
>
> I'm just wondering how many people out there are using the floppy.fs
> installer still?  I'm wondering if it would be a worthwhile thought to
> expand past the 1.44Mb limit for the CD and .rd install options if there
> are features that can be added to the installer.  No, I'm not thinking a
> gui/menu based installer as the main reason, but there might be benefits
> to something like that.
>
> Paul
>
>
One thing that I miss a lot on floppy.fs is the dhcp client. I do have a
local openbsd mirror, with all the packages, ports, etc. And the system
installation too. I do the installation using a pen drive, not a floppy,
so it would be nice if there was another image, suited for a pen drive
or other things bigger than floppy. I know some archs don't have the
ability to boot from cd, or usb pen drives, and the only option left is
floppy or pxeboot. But, anyway, it would be nice to have another image
with more things in it, this image could even work as a rescue image.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: OBSD hacks at ruxcon

2008-03-05 Thread Alexander Hall

Ted Unangst wrote:
> On 3/5/08, steve szmidt <[EMAIL PROTECTED]> wrote:
> >  I know that there is a lot of ongoing work and I figured that you would be
> >  quite familiar with what Hawkes said, and would be able to say Oh yes,
> >  we closed those doors three releases ago, or some such.
>
> We've mostly done what we can.  Also, the presentation didn't really
> deal with exploiting openbsd itself; a more accurate title would have
> been "Circumventing OpenBSD's Exploit Mitigation."  With that in mind,
> even if nothing had been addressed, OpenBSD would be no less secure
> than an OS without these features.


I agree.

I do not consider these features of OpenBSD something that makes crappy 
programs run safer, but rather something that makes crappy programs 
crash, forcing them to be fixed or replaced.


/Alexander



Re: Sendbug

2008-03-05 Thread Otto Moerbeek
On Wed, Mar 05, 2008 at 01:44:07PM -, Lewis, Rob wrote:

> Description:
> 
> We are having problems getting NFS file locking working
> correctly. We have tried both NFS version 2 and 3 using both UDP and TCP
> transport mechanisms. When two users access the same file; both have the
> ability to write to that file. Open Office also exhibits this behaviour.
> 
> 
> 
> How-To-Repeat:
> 
> Mount a shared file system to two different machines. Login as
> two different users and access a single file from both machines. We are
> using NIS for the user database. This can be replicated on all of our
> installations.

You do not say if you are using OpenBSD as a client or a server, but
start with reading man rpc.lockd, especially the BUGS section.

-Otto



ksh set -o pipefail

2008-03-05 Thread Piotrek Kapczuk
$ uname -r
4.2

$ set -o pipefail
/bin/ksh: set: pipefail: bad option
$ echo $KSH_VERSION
@(#)PD KSH v5.2.14 99/07/13.2

$ echo $0
/bin/ksh

$ (exit 2)
$ echo $?
2
$ (exit 2) |tee aa.txt
$ echo $?
0


Is there another way to get what I want?
Are there any plans to implement this option?

-- 
Regards
Piotrek Kapczuk
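
One way to get the failing status without pipefail, as an added example that is not part of the original post: the function below uses only POSIX sh constructs to run a two-stage pipeline and return the rightmost non-zero exit status, which is what `set -o pipefail` would report. The name pipefail2 and the use of file descriptors 3 and 4 are choices made for this example.

```shell
#!/bin/sh
# pipefail2 LEFT RIGHT  (hypothetical helper name, added example)
# Runs `LEFT | RIGHT` (each a command string passed to eval) and returns the
# rightmost non-zero exit status of the two, or 0 if both succeeded.
# Only pass command strings you wrote yourself: eval executes them as-is.
pipefail2() {
    _pf_left=$1
    _pf_right=$2
    _pf_left_status=
    _pf_right_status=0
    {
        # fd 4 = the caller's stdout, so RIGHT's output still reaches it.
        # fd 3 = side channel that carries LEFT's status back into $(...).
        _pf_left_status=$(
            {
                {
                    _pf_s=0
                    eval "$_pf_left" || _pf_s=$?
                    echo "$_pf_s" >&3
                } | eval "$_pf_right" >&4 3>&-
            } 3>&1
        ) || _pf_right_status=$?
    } 4>&1

    # The command substitution's own status is RIGHT's exit status.
    if [ "$_pf_right_status" -ne 0 ]; then
        return "$_pf_right_status"
    fi
    # Empty means the side channel was never written; treat that as failure.
    return "${_pf_left_status:-1}"
}

# Same pipeline as in the post, with the output file replaced by /dev/null.
pipefail2 '(exit 2)' 'tee /dev/null' || echo "pipeline failed with status $?"
```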



Re: Sendbug

2008-03-05 Thread Otto Moerbeek
On Wed, Mar 05, 2008 at 03:22:30PM -, Lewis, Rob wrote:

> 
> I am using OpenBSD as both client and server. We are running rpc.lockd
> on both client and server sides.

But did you read the manual page? It seems you did not.
OpenBSD NFS clients do not support locking.

-Otto

> Regards
> Robert
> 
> Petro-Canada UK Limited,
> 1 London Bridge,
> London,
> SE1 9BG
> Tel: +44 (0) 20 7105 6200
> Fax: +44 (0) 20 7105 6202
> Direct Line: +44 (0) 20 7105 6724
> mobile: +44 (0) 7802 651986
> email: [EMAIL PROTECTED]
> 
> 
> -Original Message-
> From: Otto Moerbeek [mailto:[EMAIL PROTECTED]
> Sent: 05 March 2008 15:20
> To: Lewis, Rob
> Cc: [EMAIL PROTECTED]; misc@openbsd.org; Buckley, Nadine; Hughes,
> Adrian; Le Monde, Paul
> Subject: Re: Sendbug
> 
> On Wed, Mar 05, 2008 at 01:44:07PM -, Lewis, Rob wrote:
> 
> > Description:
> >
> > We are having problems getting NFS file locking working
> > correctly. We have tried both NFS version 2 and 3 using both UDP and TCP
> > transport mechanisms. When two users access the same file; both have the
> > ability to write to that file. Open Office also exhibits this behaviour.
> >
> > How-To-Repeat:
> >
> > Mount a shared file system to two different machines. Login as
> > two different users and access a single file from both machines. We are
> > using NIS for the user database. This can be replicated on all of our
> > installations.
> 
> You do not say if you are using OpenBSD as a client or a server, but
> start with reading man rpc.lockd, especially the BUGS section.
> 
>   -Otto
> 
> 
> 
> ***
> 
> This email communication is intended as a private communication for the sole 
> use of the primary addressee and those individuals listed for copies in the 
> original message. The information contained in this email is private and 
> confidential and if you are not an intended recipient you are hereby notified 
> that copying, forwarding or other dissemination or distribution of this 
> communication by any means is prohibited.  If you are not specifically 
> authorized to receive this email and if you believe that you received it in 
> error please notify the original sender immediately.  We honour similar 
> requests relating to the privacy of email communications.



Re: floppy.fs

2008-03-05 Thread Michael Small
On Tue, Mar 04, 2008 at 11:22:11PM -0700, Paul Greidanus wrote:
> Hi All
>
> I'm just wondering how many people out there are using the floppy.fs 
> installer still?  I'm wondering if it would be a worthwhile thought to 
> expand past the 1.44Mb limit for the CD and .rd install options if there 
> are features that can be added to the installer.  No, I'm not thinking a 
> gui/menu based installer as the main reason, but there might be benefits to 
> something like that.
>
> Paul
>

I've used it on my laptop, which lacks a working cdrom drive.  I
think the machine supports pxeboot, so I could manage without it I
think, but it's what I would use now if I did a fresh install instead
of an upgrade.

-- 
Mike Small
[EMAIL PROTECTED]



Re: The Dilbert Problem...

2008-03-05 Thread ropers
>  >  | >  > On Wed, Mar 5, 2008 at 12:59 PM, Mayuresh Kathe wrote:
>  >  | >  >  >
>  >  | >  >  > Hi,
>  >  | >  >  >
>  >  | >  >  >  There's a strange incident that's repeatable on my system (4.2).
>  >  | >  >  >
>  >  | >  >  >  Open up Firefox, make it load "www.dilbert.com", then open another tab
>  >  | >  >  >  and visit any other website, then do the same for 2~3 more tabs.
>  >  | >  >  >
>  >  | >  >  >  The first (dilbert) tab takes a long time to load during which the
>  >  | >  >  >  other tabs too show nothing, they get stuck at "Looking up..."
>  >  | >  >  >
>  >  | >  >  >  Is it a Firefox problem or something to do with the system?

>  >  | > On Wed, Mar 5, 2008 at 5:46 PM, Karl Sjodahl - dunceor wrote:
>  >  | >  >
>  >  | >  >  I have seen this on both Windows and OpenBSD. The later firefox
>  >  | >  >  releases (like from 2.0.0.3-2.0.0.5 something) I have seen problems
>  >  | >  >  with having more tabs open.
>  >  | >  >  I used to have a lot of tabs but now I have restricted myself to 3-4
>  >  | >  >  or firefox is not useable.

>  >  | On Wed, Mar 5, 2008 at 1:18 PM, Mayuresh Kathe wrote:
>  >  | >
>  >  | >  I forgot to mention, my Firefox version is 2.0.0.6
>  >  | >  Also I've only got a total of 3~4 tabs open while performing the Dilbert test.
>  >  | >  Taking your cue, I tried an experiment, I opened up 10 tabs, but
>  >  | >  without the Dilbert site and all of them opened up in parallel.

>  > On Wed, Mar 05, 2008 at 01:47:23PM +0100, Landry Breuil wrote:
>  >  |
>  >  | Seems like an ipv6-dns-resolution problem to me.

> On Wed, Mar 5, 2008 at 6:50 PM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
>  >
>  >
>  >  A bit of background here:
>  >
>  >  Firefox can do AAAA lookups (for IPv6 addresses) by default for
>  >  websites you visit. Some DNS servers don't like this sort of query
>  >  and, instead of saying "hey, I don't understand what you want", they
>  >  ignore you in the hope that you go away. Things time out on your end,
>  >  your system will do an A lookup and from there you can continue
>  >  browsing the website.
>  >
>  >  In the case of the dilbert site, this doesn't seem to be the case.
>  >  Apparently, one of the NS'en is not responding to queries at all (nor
>  >  ICMP Echo Requests - it's probably down or disconnected from the net
>  >  temporarily). Your caching NS may be trying to contact this one
>  >  nameserver. It'll wait for the timeout and then try one of the other
>  >  NS'en. The problem is exacerbated by the fact that www.dilbert.com has
>  >  a TTL of 300 seconds, so your caching NS doesn't keep this record in
>  >  memory too long.
>  >
>  >  The problem is that the resolver in OpenBSD isn't reentrant. If it's
>  >  doing name resolution, it'll not do another one in parallel. So while
>  >  you wait for www.dilbert.com to get resolved (which takes long because
>  >  of this timeout), you open a new tab, enter an address and your
>  >  machine will have to resolve that too, which gets queued up (doesn't
>  >  get handled in parallel), so the other tab also waits on
>  >  www.dilbert.com to get resolved.
>  >
>  >  You can test this hypothesis by going to a website by its IP address.
>  >  Try visiting http://129.128.5.191/ (http://www.openbsd.org/) while
>  >  you're waiting for www.dilbert.com to load. Visiting by IP should work
>  >  (as it doesn't require a DNS lookup).

On 05/03/2008, Mayuresh Kathe <[EMAIL PROTECTED]> wrote:
>
> Paul, I tried your idea of starting up www.dilbert.com and then
>  visiting http://129.128.5.191/ (the openbsd website).
>  It worked as you'd predicted.
>  So I guess it's the problem with the OpenBSD resolver.

If you're not able to code a parallel/reentrant DNS resolver for
OpenBSD (I'm not), then here's a possible partial workaround:

The Dilbert site carries heavy advertising. You can use the Ad Block
Plus Firefox Add-On to disable the ads. You may wonder how blocking
Ablobe Flush ads helps with a DNS resolution problem. Well, the reason
this works is that most ads these days are included from advertisement
agencies **which use their own domains**. So blocking these domains
not only saves you all that Flash garbage (which also incidentally
eats up clock cycles like candy), it also saves you from having to
look up the agencies' domain names in the first place. When I visit
Dilbert with ABP enabled, the following filters are actively blocking
flashvertisements:

*.247realmedia.com/RealMedia/ads/*
*.advertising.com/*
*.adsonar.com/*

So in case of dilbert.com, with an appropriate blocklist,
247realmedia.com, advertising.com and adsonar.com are never resolved =
no attempted IPv6 lookup attempt for them = less slowdown.

NB: As for the number of open tabs, Firefox 2.0.0.x is a real sieve
when it comes to memory. It leaks and leaks and leaks... The upcoming
Firefox 3 is reportedly going to be a major step forward, but I
haven't tried it yet.

The desktop machine I'm currently using runs Ubuntu

carp startup timing issues

2008-03-05 Thread Clifford Bailey
Hi,

I have a puzzling issue with carp which I wondered whether anyone knew
the answer to. I have two carp + pf + pfsync (on openbsd 4.2) boxes in
a standard failover configuration (master and backup designated by
advskew values). When the master is brought down the failover works
nicely. When the master comes back up though, it takes control
straight away, but doesn't respond to anything for between 5 and 20
seconds. I have found a workaround for this issue by enabling portfast
on the port switches that the firewall is connected to, but it doesn't
make any sense to me why the firewall acts in this way when portfast
is disabled.

Looking at the sequence of events when the master comes up I have:

1. Network interface comes up.
2. Switch port cycles through listening, learning, and finally moves
to forwarding state.
3. At the precise moment that the port enters the forwarding state
packets come to and from the firewall, so it wins the election and
becomes the master again as one would expect.
4. HOWEVER, although the master now originates and receives traffic,
it doesn't respond to any traffic, ie it won't send an echo reply to a
request or ack any tcp traffic.This stays like this for between 5 and
20 seconds,
5. 5-20seconds later, the machine starts responding to messages.

If I turn off portfast on the switch ports, the sequence is exactly
the same, except that the 5 to 20 second delay isn't there.

I have looked at the pf logs, and pf seems to have initialised
correctly and is passing in the echo requests, but I don't see
anything after this. So I have ruled out pf from my investigation.

I wondered if anyone had come across anything similar in the past, or
whether anyone has any advice on what to try to track down the issue?
Although I can fix it by turning off portfast (which is easy to do)
I'd like to understand why it is doing this to better understand the
system as a whole, so if anyone has any hints I'd really appreciate
hearing them.
Thanks!



Re: Sendbug

2008-03-05 Thread Lewis, Rob
Many Thanks for your help Otto

Petro-Canada UK Limited,
1 London Bridge,
London,
SE1 9BG
Tel: +44 (0) 20 7105 6200
Fax: +44 (0) 20 7105 6202
Direct Line: +44 (0) 20 7105 6724
mobile: +44 (0) 7802 651986
email: [EMAIL PROTECTED]


-Original Message-
From: Otto Moerbeek [mailto:[EMAIL PROTECTED]
Sent: 05 March 2008 15:25
To: Lewis, Rob
Cc: [EMAIL PROTECTED]; misc@openbsd.org; Buckley, Nadine; Hughes,
Adrian; Le Monde, Paul
Subject: Re: Sendbug

On Wed, Mar 05, 2008 at 03:22:30PM -, Lewis, Rob wrote:

>
> I am using OpenBSD as both client and server. We are running rpc.lockd
> on both client and server sides.

But did you read the manual page? It seems you did not.
OpenBSD NFS clients do not support locking.

-Otto

> Regards
> Robert
>
> Petro-Canada UK Limited,
> 1 London Bridge,
> London,
> SE1 9BG
> Tel: +44 (0) 20 7105 6200
> Fax: +44 (0) 20 7105 6202
> Direct Line: +44 (0) 20 7105 6724
> mobile: +44 (0) 7802 651986
> email: [EMAIL PROTECTED]
>
>
> -Original Message-
> From: Otto Moerbeek [mailto:[EMAIL PROTECTED]
> Sent: 05 March 2008 15:20
> To: Lewis, Rob
> Cc: [EMAIL PROTECTED]; misc@openbsd.org; Buckley, Nadine; Hughes,
> Adrian; Le Monde, Paul
> Subject: Re: Sendbug
>
> On Wed, Mar 05, 2008 at 01:44:07PM -, Lewis, Rob wrote:
>
> > Description:
> >
> > We are having problems getting NFS file locking working
> > correctly. We have tried both NFS version 2 and 3 using both UDP and TCP
> > transport mechanisms. When two users access the same file; both have the
> > ability to write to that file. Open Office also exhibits this behaviour.
> >
> > How-To-Repeat:
> >
> > Mount a shared file system to two different machines. Login as
> > two different users and access a single file from both machines. We are
> > using NIS for the user database. This can be replicated on all of our
> > installations.
>
> You do not say if you are using OpenBSD as a client or a server, but
> start with reading man rpc.lockd, especially the BUGS section.
>
>   -Otto



Re: floppy.fs

2008-03-05 Thread Douglas A. Tutty
On Tue, Mar 04, 2008 at 11:22:11PM -0700, Paul Greidanus wrote:
> I'm just wondering how many people out there are using the floppy.fs 
> installer still?  I'm wondering if it would be a worthwhile thought to 
> expand past the 1.44Mb limit for the CD and .rd install options if there 
> are features that can be added to the installer.  No, I'm not thinking a 
> gui/menu based installer as the main reason, but there might be benefits 
> to something like that.

If the ability to boot floppy was removed, it would be a show stopper
for me and I guess I'd have to switch to NetBSD (assuming that they still
do floppy initial boot).  My old boxes have CDs but they can only boot
from floppy or hard disk.

I wouldn't see a problem if you want to allow an initial boot from
floppy then run an enhanced installer from CD or some other source as an
option.  Just please don't get rid of floppy boot or increase the
minimum memory requirements.

Not that I have any say, but you asked.  

Doug.



Re: Sendbug

2008-03-05 Thread Lewis, Rob
I am using OpenBSD as both client and server. We are running rpc.lockd
on both client and server sides.
Regards
Robert

Petro-Canada UK Limited,
1 London Bridge,
London,
SE1 9BG
Tel: +44 (0) 20 7105 6200
Fax: +44 (0) 20 7105 6202
Direct Line: +44 (0) 20 7105 6724
mobile: +44 (0) 7802 651986
email: [EMAIL PROTECTED]


-Original Message-
From: Otto Moerbeek [mailto:[EMAIL PROTECTED]
Sent: 05 March 2008 15:20
To: Lewis, Rob
Cc: [EMAIL PROTECTED]; misc@openbsd.org; Buckley, Nadine; Hughes,
Adrian; Le Monde, Paul
Subject: Re: Sendbug

On Wed, Mar 05, 2008 at 01:44:07PM -, Lewis, Rob wrote:

> Description:
>
> We are having problems getting NFS file locking working
> correctly. We have tried both NFS version 2 and 3 using both UDP and TCP
> transport mechanisms. When two users access the same file; both have the
> ability to write to that file. Open Office also exhibits this behaviour.
>
> How-To-Repeat:
>
> Mount a shared file system to two different machines. Login as
> two different users and access a single file from both machines. We are
> using NIS for the user database. This can be replicated on all of our
> installations.

You do not say if you are using OpenBSD as a client or a server, but
start with reading man rpc.lockd, especially the BUGS section.

-Otto






Re: floppy.fs

2008-03-05 Thread Stuart Henderson
On 2008-03-05, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
>   I do the installation using a pen drive, not a floppy,
> so it would be nice if there was another image, suited for a pen drive
> or other things bigger than floppy.

Just do an OS installation to the pen drive then you can boot from it
and run bsd.rd. You can also copy the installation tgz files to it,
if you would like to install on machines without a working network.

I pretty much exclusively use netboot of some kind these days though,
pxeboot(8) is super easy on OpenBSD...



Re: floppy.fs

2008-03-05 Thread Theo de Raadt
> Paul Greidanus wrote:
> > Hi All
> >
> > I'm just wondering how many people out there are using the floppy.fs
> > installer still?  I'm wondering if it would be a worthwhile thought to
> > expand past the 1.44Mb limit for the CD and .rd install options if there
> > are features that can be added to the installer.  No, I'm not thinking a
> > gui/menu based installer as the main reason, but there might be benefits
> > to something like that.
> >
> > Paul
> >
> >
> One thing that I miss a lot on floppy.fs is the dhcp client.

All the i386 floppies contain dhclient, so I don't know what you are
referring to.

> I do the installation using a pen drive, not a floppy,
> so it would be nice if there was another image, suited for a pen drive
> or other things bigger than floppy.

This is harder than it looks, and is on the long term list of things
to do to the bootblocks, to further solve the handling between CHS and
LBA issues.  Right now you cannot simply dd a floppy or larger to a
USB drive, and expect it to work.  The i386/amd64 boot code can't handle
it perfectly. 

> I know some archs don't have the
> ability to boot from cd, or usb pen drives, and the only option left is
> floppy or pxeboot. But, anyway, it would be nice to have another image
> with more things in it, this image could even work as a rescue image.

We've got a ton of boot options for each architecture.  If we could do more,
we would.



Re: The Dilbert Problem...

2008-03-05 Thread Unix Fan
I've been noticing a similar problem with Firefox on OpenBSD...

Try going to http://www.blahsfkfefe.non-existant/ and then trying a known site 
like http://www.google.ca/ .. It just locks up..

If this is an issue with OpenBSD's resolver, why don't the developers fix it?

-Nix Fan.




Re: openbsd router hardware

2008-03-05 Thread Joe

On Mar 1, 2008, at 5:32 PM, Brian A. Seklecki (Mobile) wrote:


On Mon, 2007-12-24 at 13:29 +0100, Joerg Zinke wrote:

Hi,

I'm looking for hardware to install an openbsd based dsl-router.
I already searched the list archives and looked at WRAP and Soekris,
but it seems that they do not match my requirements:

- fanless
- as small as possible


- Soekris
- Routerboard
- Axiomtek
- ARInfotek
- Nexcom
- Advantech
- Acrosser
- Win Enterprises

I think that we can agree that you really want to avoid VIA-anything.
You really get what you pay for.  Some set top models I've looked at:



Are you sure you know what you're talking about? VIA works great.

I have read nothing but good things about VIA cpu's from the  
developers on this list.


Perhaps you got a bad board in your past?



Re: openbsd router hardware

2008-03-05 Thread Steven Rosenberg

Joe wrote:

On Mar 1, 2008, at 5:32 PM, Brian A. Seklecki (Mobile) wrote:


On Mon, 2007-12-24 at 13:29 +0100, Joerg Zinke wrote:

Hi,

I'm looking for hardware to install an openbsd based dsl-router.
I already searched the list archives and looked at WRAP and Soekris,
but it seems that they do not match my requirements:

- fanless
- as small as possible


- Soekris
- Routerboard
- Axiomtek
- ARInfotek
- Nexcom
- Advantech
- Acrosser
- Win Enterprises

I think that we can agree that you really want to avoid VIA-anything.
You really get what you pay for.  Some set top models I've looked at:



Are you sure you know what you're talking about? VIA works great.

I have read nothing but good things about VIA cpu's from the developers 
on this list.


Perhaps you got a bad board in your past?



I have a thin client with an ECS motherboard and VIA C3 Samuel -- the 
earlier version of the CPU -- and OpenBSD 4.2 runs great on it.




Re: floppy.fs

2008-03-05 Thread Richard Daemon
On Wed, Mar 5, 2008 at 11:58 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-03-05, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
>  >   I do the installation using a pen drive, not a floppy,
>  > so it would be nice if there was another image, suited for a pen drive
>  > or other things bigger than floppy.
>
>  Just do an OS installation to the pen drive then you can boot from it
>  and run bsd.rd. You can also copy the installation tgz files to it,
>  if you would like to install on machines without a working network.
>
>  I pretty much exclusively use netboot of some kind these days though,
>  pxeboot(8) is super easy on OpenBSD...

Speaking of which, is there a way or any plans to add the option to
install from a tftpd itself rather than pxebooting - pull down the
pxeboot and bsd.rd files over tftp then install from ftp, http, etc.?

Just curious.



[off] Apache OpenBSD's project

2008-03-05 Thread Saulo Bozzi
*What can be said about Apache OpenBSD's project?*
*Is it continuous? Is it working?*
*Is there a web site?*
*What kind of version is used?

Regards...bye.
*



Re: floppy.fs

2008-03-05 Thread Paul Greidanus

Douglas A. Tutty wrote:
> On Tue, Mar 04, 2008 at 11:22:11PM -0700, Paul Greidanus wrote:
> > I'm just wondering how many people out there are using the floppy.fs
> > installer still?  I'm wondering if it would be a worthwhile thought to
> > expand past the 1.44Mb limit for the CD and .rd install options if there
> > are features that can be added to the installer.  No, I'm not thinking a
> > gui/menu based installer as the main reason, but there might be benefits
> > to something like that.
>
> If the ability to boot floppy was removed, it would be a show stopper
> for me and I guess I'd have to switch to NetBSD (assuming that they still
> do floppy initial boot).  My old boxes have CDs but they can only boot
> from floppy or hard disk.
>
> I wouldn't see a problem if you want to allow an initial boot from
> floppy then run an enhanced installer from CD or some other source as an
> option.  Just please don't get rid of floppy boot or increase the
> minimum memory requirements.
>
> Not that I have any say, but you asked.

It sounds like there's a huge amount of the community still using 
floppies on a near daily basis.. way more than I'd have thought. 

Of course, the only place I can remove the floppy images is from a 
personal mirror, so there's no risk.  And even if I could, with the 
response I got, there's no way that I'd even want to get rid of them.


Thanks everyone for the feedback!

Paul



Re: floppy.fs

2008-03-05 Thread Theo de Raadt
There is one thing that some people out there could work on.  No one
in our group is currently working on it, and it would be nice.

- A very carefully designed improvement/replacement to disklabel -E
  that can sub-partition more automatically.

- Might be nice if it can handle multiple disks correctly, and if it was
  more aware of the consequences of partitions mounted inside each
  other.

- No existing features that disklabel -E has may be deleted.  People
  use them.

It is not easy to do right, but bad hacks won't qualify for this.



Re: openbsd router hardware

2008-03-05 Thread Jay Hart
> Joe wrote:
>> On Mar 1, 2008, at 5:32 PM, Brian A. Seklecki (Mobile) wrote:
>>
>>> On Mon, 2007-12-24 at 13:29 +0100, Joerg Zinke wrote:
 Hi,



>> Are you sure you know what you're talking about? VIA works great.
>>
>> I have read nothing but good things about VIA cpu's from the developers
>> on this list.
>>
>> Perhaps you got a bad board in your past?
>>
>
> I have a thin client with an ECS motherboard and VIA C3 Samuel -- the
> earlier version of the CPU -- and OpenBSD 4.2 runs great on it.
>
>
I second that, I have a VIA C7 running 4.2, and works fine.

Jay



Re: write pf rules for acces concentrator server (pppoe)

2008-03-05 Thread Siju George
On Mon, Mar 3, 2008 at 6:34 PM, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Fratiman Vladut <[EMAIL PROTECTED]> [2008-03-01 23:16]:
>
>
>  since there is no ng interface on OpenBSD I assume you use some other
>  OS. which probably means you are doomed. On OpenBSD, you use interface
>  groups for that, and clonable interfaces by default are in a group
>  named by the interface base name, i. e. "ppp" for ppp0, ppp1, .. pppN.
>  I don't know if and to which extent other OSs that ported pf have
>  picked up interface groups.
>
>  --
>  Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
>  BS Web Services, http://bsws.de
>  Full-Service ISP - Secure Hosting, Mail and DNS Services
>  Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>

FreeBSD has "ng" interface.

http://www.freebsdonline.com/content/view/452/468/

--Siju



HPLIP detection problem

2008-03-05 Thread Predrag Punosevac

Dear All,

I was wondering if I could get some help on HPLIP drivers.
I am trying to install a Photosmart C5250 all-in-one and unlock its full
functionality using HPLIP on 4.3 Beta.
After disabling the ulpt and umass drivers the scanner sees the printer as
a ugen device, which is necessary for the HPLIP drivers to work. If you
wonder why I had to disable the umass driver, that is because I noticed
that the printer gets detected as a umass device when I only disable ulpt.

I start the hpssd daemon before cupsd as necessary.  Since I use this
machine for testing, pf is disabled and permissions on the device nodes are
0777. I also changed the group on the device nodes to _cupsd. I am in the
groups _cupsd and _saned. /etc/sane.d/dll.conf is edited and I added the
hpaio line to be able to use the scanner.  /etc/hp/hp.conf is unedited.

The hp-setup utility exits with the error that it is unable to communicate
with the printer.

The printer works like a charm if I leave the ulpt driver in the kernel and
use the ppd from the foomatic-db (essentially if I use hpias). I installed
Ubuntu 7.10 to see if HPLIP has problems with the particular model but the
printer and scanner are fully functional. I do know that the ugen driver is
capable of handling scanners but I am really curious if anybody got HPLIP
fully functional.

The all-in-one is directly connected. No USB hubs.
Here is additional information such as dmesg, the hp-check.log file,
sane-find-scanner and similar.




# /usr/local/libexec/cups/backend/hp
direct hp "Unknown" HP printer (HPLIP)

#hp-info is
error no device found

#tail -f /var/log/messages
oko python2.5: hp-info[11445]error: No device found
oko python2.5: hp-info[11445]error:error occurred during interactive mode
error -Error occured during interactive mode

#hp-check -t

hp-check[22108]: info: :
Initializing. Please wait...
scheduler is running

1.2.7

OpenBSD oko.bagdala.net 4.3 GENERIC#675 i386

hp-check[22108]: info: :
hp-check[22108]: info: :---
hp-check[22108]: info: :| SYSTEM INFO |
hp-check[22108]: info: :---
hp-check[22108]: info: :
hp-check[22108]: info: :Basic system information:
hp-check[22108]: info: :OpenBSD oko.bagdala.net 4.3 GENERIC#675 i386
hp-check[22108]: info: :
hp-check[22108]: info: :Distribution:
hp-check[22108]: info: :unknown 0.0
hp-check[22108]: info: :
HPOJ running?
hp-check[22108]: info: :No, HPOJ is not running (OK).
hp-check[22108]: info: :
hp-check[22108]: info: :Checking Python version...
hp-check[22108]: info: :OK, version 2.5.2 installed
hp-check[22108]: info: :
hp-check[22108]: info: :Checking PyQt version...
error: NOT FOUND OR FAILED TO LOAD!
hp-check[22108]: info: :
hp-check[22108]: info: :Checking SIP version...
error: SIP not installed or version not found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for CUPS...
hp-check[22108]: info: :Status: scheduler is running
hp-check[22108]: info: :Version: 1.2.7
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for Reportlab...
hp-check[22108]: info: :OK, version >= 2.0
hp-check[22108]: info: :
hp-check[22108]: info: :
hp-check[22108]: info: :| DEPENDENCIES |
hp-check[22108]: info: :
hp-check[22108]: info: :
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: cups - Common Unix 
Printing System...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: cups-devel- Common Unix 
Printing System development files...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: gcc - GNU Project C and 
C++ Compiler...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: GhostScript - 
PostScript and PDF language interpreter and previewer...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: libcrypto - OpenSSL 
cryptographic library...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: libjpeg - JPEG library...
hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: libnetsnmp-devel - SNMP 
networking library development files...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: libpthread - POSIX 
threads library...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: libtool - Library 
building support services...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: libusb - USB library...
hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: make - GNU make utility 
to maintain groups of programs...

hp-check[22108]: info: :OK, found.
hp-check[22108]: info: :
hp-check[22108]: info: :Checking for dependency: PIL - Py

Re: The Dilbert Problem...

2008-03-05 Thread STeve Andre'
On Wednesday 05 March 2008 12:51:09 Unix Fan wrote:
> I've been noticing a similar problem with Firefox on OpenBSD...
>
>
>
> Try going to http://www.blahsfkfefe.non-existant/ and then trying a known
> site like http://www.google.ca/ .. It just locks up..
>
>
>
> If this is an issue with OpenBSD's resolver, why don't the developers fix
> it?

Well, I certainly haven't seen this, using the examples you gave.  I don't
know what the problem is, but regardless of what it is (or is not), the
developers have to hear of a problem before they can fix it...

--STeve Andre'



Re: floppy.fs

2008-03-05 Thread Paul de Weerd
On Wed, Mar 05, 2008 at 01:09:28PM -0500, Richard Daemon wrote:
| >  I pretty much exclusively use netboot of some kind these days though,
| >  pxeboot(8) is super easy on OpenBSD...
| 
| Speaking of which, is there a way or any plans to add the option to
| install from a tftpd itself rather than pxebooting - pull down the
| pxeboot and bsd.rd files over tftp then install from ftp, http, etc.?

What's the use ? If you can configure a tftp server, setting up an ftp
server isn't that much more work, is it ? I see hardly any benefit in
adding this (actually, none), why would you want it ?

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: The Dilbert Problem...

2008-03-05 Thread Paul de Weerd
On Wed, Mar 05, 2008 at 09:51:09AM -0800, Unix Fan wrote:
| I've been noticing a similar problem with Firefox on OpenBSD...
| 
| Try going to http://www.blahsfkfefe.non-existant/ and then trying a known
| site like http://www.google.ca/ .. It just locks up..
| 
| If this is an issue with OpenBSD's resolver, why don't the developers fix it?

Lemme think :

o It's not easy to solve properly
o It's not that big a deal
o It's something that takes time to do (right)
o No one cares enough to fix it / other priorities

If this is a big deal to you, your patches will be welcomed on [EMAIL PROTECTED]
I'd even be happy to test 'em for you ;)

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



umsm(4) device attaches to ugen(4) instead

2008-03-05 Thread Aaron Glenn
Greets,

I've got a 2623DDU IBM Thinkpad T60p with a built in Sierra Wireless
MC5720 EVDO card and can't get it to recognize properly. Below is the
relevant dmesg snippet; after reading all relevant man pages (twice,
no less) I'm still at a loss. I'd appreciate a cluebat hit. I'm about
to fire up a 4.3 snapshot to test out snmpd -- here's to hoping it
automagically works :)

Thanks,
Aaron

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Genuine Intel(R) CPU T2500 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
real mem  = 2145873920 (2046MB)
avail mem = 2067337216 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/24/06, BIOS32 rev. 0 @
0xfd6b0, SMBIOS rev. 2.4 @ 0xe0010 (68 entries)
bios0: vendor LENOVO version "79ET61WW (1.06 )" date 05/24/2006
bios0: LENOVO 2623DDU
pcibios0 at bios0: rev 2.1 @ 0xfd640/0x9c0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #22 is the last bus
bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000
0xdc000/0x4000! 0xe/0x1
acpi at mainbus0 not configured
cpu0 at mainbus0
cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130c2c06000613
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 2000, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GM MCH" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82945GM PCIE" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 vendor "ATI", unknown product 0x71c4 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: irq 11
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: Analog Devices AD1981HD (rev. 2.0), HDA version 1.0
azalia0: codec: Conexant/0x2bfa (rev. 0.0), HDA version 0.9
azalia0: codec[1]: No support for modem function groups
azalia0: codec[1]: No audio function groups
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: irq
11, address 00:16:41:56:8f:37
ppb2 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02
pci3 at ppb2 bus 3
wpi0 at pci3 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02:
irq 11, MoW1, address 00:13:02:4a:20:23
ppb3 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02
pci5 at ppb4 bus 12
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: irq 11
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: irq 11
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb5 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2
pci6 at ppb5 bus 21
cbb0 at pci6 dev 0 function 0 "TI PCI1510 CardBus" rev 0x00: irq 11
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 "Intel 82801GBM AHCI SATA" rev 0x02:
irq 11, AHCI 1.1
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 95396MB, 12161 cyl, 255 head, 63 sec, 512 bytes/sec, 195371568 sec total
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: irq 11
iic0 at ichiic0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 a

Re: floppy.fs

2008-03-05 Thread Paul Greidanus

Richard Daemon wrote:
> On Wed, Mar 5, 2008 at 11:58 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2008-03-05, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
> >  >   I do the installation using a pen drive, not a floppy,
> >  > so it would be nice if there was another image, suited for a pen drive
> >  > or other things bigger than floppy.
> >
> >  Just do an OS installation to the pen drive then you can boot from it
> >  and run bsd.rd. You can also copy the installation tgz files to it,
> >  if you would like to install on machines without a working network.
> >
> >  I pretty much exclusively use netboot of some kind these days though,
> >  pxeboot(8) is super easy on OpenBSD...
>
> Speaking of which, is there a way or any plans to add the option to
> install from a tftpd itself rather than pxebooting - pull down the
> pxeboot and bsd.rd files over tftp then install from ftp, http, etc.?

I'm confused.. pxeboot/bsd.rd requires a tftp server, so you are booting 
from tftp already.  Do you want to install the system from tftpboot, 
i.e. base.tgz?  tftp is error prone, and bad for large files, so you 
almost need http/ftp to do large files.  And it's easy to setup ftp.




Re: The Dilbert Problem...

2008-03-05 Thread Matthew Szudzik
> I've been noticing a similar problem with Firefox on OpenBSD...

I've also experienced this problem, but was never able to reproduce it.
It would happen maybe once every month or two during normal web browsing
(which in my case means 5 or more tabs simultaneously open in Firefox).



Re: The Dilbert Problem...

2008-03-05 Thread bofh
On Wed, Mar 5, 2008 at 10:25 AM, ropers <[EMAIL PROTECTED]> wrote:

> NB: As for the number of open tabs, Firefox 2.0.0.x is a real sieve
> when it comes to memory. It leaks and leaks and leaks... The upcoming
> Firefox 3 is reportedly going to be a major step forward, but I
> haven't tried it yet.


It seems to be better, at least on osx.  I have a number of add-ons enabled,
and after a while, things slow down - I keep 15-30 tabs open at any one
time.  Using the nightlies I don't have as many issues as the 2.x series,
from a performance point of view.

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Compile bind on 4.2 fails -> no acceptable grep in path

2008-03-05 Thread Tom Van Looy
The source is the src.tar.gz from CD's, I didn't update/patch it yet.

[EMAIL PROTECTED] ~]
# sysctl kern.version
kern.version=OpenBSD 4.2-stable (GENERIC) #0: Mon Mar  3 23:45:54 CET 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

[EMAIL PROTECTED] ~]
# cd /usr/src/usr.sbin/bind

[EMAIL PROTECTED] /usr/src/usr.sbin/bind]
# make -f Makefile.bsd-wrapper clean
rm -f

[EMAIL PROTECTED] /usr/src/usr.sbin/bind]
# make -f Makefile.bsd-wrapper obj
/usr/src/usr.sbin/bind/obj -> /usr/obj/usr.sbin/bind

[EMAIL PROTECTED] /usr/src/usr.sbin/bind]
# make -f Makefile.bsd-wrapper
PATH="/bin:/usr/bin:/sbin:/usr/sbin"  CC="cc" CFLAGS="-O2 -pipe  " LDFLAGS=""
INSTALL_PROGRAM="install -c -s"  sh /usr/src/usr.sbin/bind/configure
--prefix=/usr  --localstatedir=/var  --sysconfdir=/etc  --disable-shared
--disable-threads
checking build system type... i386-unknown-openbsd4.2
checking host system type... i386-unknown-openbsd4.2
checking whether make sets $(MAKE)... yes
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for ar... /usr/bin/ar
checking for etags... no
checking for emacs-etags... no
checking for perl5... no
checking for perl... /usr/bin/perl
checking for gcc... cc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking how to run the C preprocessor... cc -E
checking for grep that handles long lines and -e... configure: error: no
acceptable grep could be found in /bin:/usr/bin:/sbin:/usr/sbin:/usr/xpg4/bin
*** Error code 1

Stop in /usr/src/usr.sbin/bind (line 69 of
/usr/src/usr.sbin/bind/Makefile.bsd-wrapper).

[EMAIL PROTECTED] /usr/src/usr.sbin/bind]
which grep
/usr/bin/grep

This also occurs when I try to install acroread from ports.
The same error when compiling /usr/ports/archivers/gcpio as dependency.

I guess it must be my fault because I searched the list and didn't find
anything. But I don't see what I'm doing wrong ...

Kind regards,

Tom Van Looy



Re: problems with hoststated and relayd

2008-03-05 Thread Reyk Floeter
btw., did you test it with the latest code from -current?

On Mon, Mar 03, 2008 at 07:37:53PM +0100, Sebastian Reitenbach wrote:
> Reyk Floeter <[EMAIL PROTECTED]> wrote: 
> > hi!
> > 
> > i tested your config and it works fine without problems, there is no
> > bug in relayd here...
> > 
> > ...you seem to make a common mistake:
> > 
> > > forward to  port http mode hash \
> > > check http "/" code 200
> > 
> > you expect that the webservers always return the HTTP error code 200
> > OK.  this is not how HTTP works.  your webserver may return another
> > error based on the site, state, or configuration (moved, not allowed,
> > not found, server error, ...).
> > 
> > please test the following:
> > 
> > $ lynx -head http://10.0.0.121/
> This was done on the host running relayd:
> HTTP/1.1 200 OK
> Date: Mon, 03 Mar 2008 18:22:37 GMT
> Server: Apache
> Last-Modified: Tue, 28 Aug 2007 16:00:16 GMT
> ETag: "fccbb0109d4b4b44b551e2fe7cc156404b93a785"
> Accept-Ranges: bytes
> Content-Length: 2216
> Connection: close
> Content-Type: text/html
> 
> On the 4.2 host, this check works also well with hoststated, there it's
> embedded in the table definition, see last configuration snippet. But with
>  hoststated, I have the other problem mentioned below.
> The / on the apache instances is just serving the apache index page. 
> The application itself sits behind a location, but I think checking just the
> apache availability, and then assuming the application is there too, is fine
> for testing.
> 
> > 
> > and you will see the HTTP header.  for example, the following header
> > would require you to change your check to 'check http "/" code 302'
> > (or even 'check http "/oxid/" code 200'):
> > 
> > HTTP/1.1 302 Found
> > Date: Mon, 03 Mar 2008 17:24:10 GMT
> > Server: Apache
> > Location: /oxid/
> > Connection: close
> > Content-Type: text/html
> > 
> > i normally use a special monitor script to check the state on the
> > webservers, for example the Zend platform provides the following
> > self-test:
> > 
> > check http '/ZendPlatform/client/getPing.php' code 200
> 
> there is unfortunately no such thing in the app I want to use, at least not 
> that I am aware of, but I think the ordinary http check is ok for now.
> 
> Sebastian
> 
> > 
> > reyk
> > 
> > On Mon, Mar 03, 2008 at 07:45:00AM +0100, Sebastian Reitenbach wrote:
> > > Hi,
> > > 
> > > this is the first time I play around with hoststated/relayd.
> > > I have a stateful web application, and try to use hoststated/relayd in
> > > front of it. Because the application is stateful, the client has to be
> > > redirected to the same instance for the session lifetime. The session id
> > > is encoded as GET parameter "wosid". Further I have the problem that many
> > > of the users are either sitting behind a proxy or a NAT'ed IP address, so
> > > these should not be redirected to the same application instance.
> > > I tried with hoststated on OpenBSD 4.2 i386 and with relayd on
> > > OpenBSD -snapshot sparc64 from beginning of February 08.
> > > 
> > > I'm not sure, whether I see the same problems, as described here in that
> > > thread:
> > > 
> > > http://www.nabble.com/relayd-http-check-connection-failures--hoststated-operates-correctly-to15646508.html
> > > 
> > > Well, I do not fiddle around with carp interfaces, and I also tried the
> > > patch with the timeout, that did not fix my problem.
> > > 
> > > First I tried to use relayd, until I came across above mentioned thread,
> > > however, first I tried to setup a ssl accelerator as in the example:
> > > 
> > > ext_addr="10.0.0.24"
> > > ogo1="10.0.0.121"
> > > ogo2="10.0.0.122"
> > > ogo3="10.0.0.123"
> > > ogo4="10.0.0.124"
> > > ogo5="10.0.0.125"
> > > 
> > > timeout 
> > > 
> > > table  { $ogo1 $ogo2 $ogo3 $ogo4 $ogo5 }
> > > 
> > > http protocol httpssl {
> > > header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > > header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
> > > header change "Connection" to "close"
> > > cookie hash "wosid"
> > > url hash "wosid"
> > > url log "wosid"
> > > 
> > > # Various TCP performance options
> > > #   tcp { nodelay, sack, socket buffer 65536, backlog 128 }
> > > 
> > > #   ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
> > > #   ssl session cache disable
> > > }
> > > 
> > > relay wwwssl {
> > > # Run as a SSL accelerator
> > > listen on $ext_addr port 443 ssl
> > > protocol httpssl
> > > 
> > > # Forward to hosts in the webhosts table using a src/dst hash
> > > forward to  port http mode hash \
> > > check http "/" code 200
> > > }
> > > 
> > > # relayd -d -vv -f /etc/relayd.conf
> > > startup
> > > init_filter: filter init done
> > > init_tables: created 0 tables
> > > relay_privinit: adding relay wwwssl
> > > protocol 0: name httpssl
> > > flags: 0x0004
> > > type: http
> > >

Re: The Dilbert Problem...

2008-03-05 Thread Travers Buda
* Unix Fan <[EMAIL PROTECTED]> [2008-03-05 09:51:09]:

> I've been noticing a similar problem with Firefox on OpenBSD...
> 
> 
> 
> Try going to http://www.blahsfkfefe.non-existant/ and then trying a known 
> site like http://www.google.ca/ .. It just locks up..
> 
> 
> 
> If this is an issue with OpenBSD's resolver, why don't the developers fix it?
> 
> 
> 
> 
> 
> 
> 
> -Nix Fan.
> 
> 
> 

I can't duplicate your problem on amd64-beta and version 2.0.0.12.


However, I have seen behavior similar to what you describe.  I don't
think it's an issue with the stub resolver, since I've not seen
this with any other application that is or runs on OpenBSD.  It is
very likely this is a bug in the firefox/mozilla code which I have
suspected before is DNS-related but could be so many other things
as well.


-- 
Travers Buda



Re: [off] Apache OpenBSD's project

2008-03-05 Thread Saulo Bozzi Daleprane
Saulo Bozzi Daleprane wrote:
> Siju George wrote:
>> On Thu, Mar 6, 2008 at 12:05 AM, Saulo Bozzi <[EMAIL PROTECTED]> wrote:
>>   
>>> *What can be said about Apache OpenBSD's project?*
>>>
>>> 
>>
>> I hope you are referring to the apache distributed in the base system.
>>
>>   
> (Yes, I'm).
>>> *Is it continuous? Is it working?*
>>>
>>> 
>>
>> it is working more securely with the chrooted environment.
>>
>> I run PHP websites and backuppc Web based GUI using it on OpenBSD.
>>
>> If you asked if the development is continuous then I think yes.
>> because it is in the base system it is taken care of well, as henning
>> told me a year or so back that it has about 4,000 lines of difference
>> in code compared to the one released by the apache foundation.
>>
>>
>>
>>   
> Cool. Very good.
>>> *Is there a web site?*
>>>
>>> 
>>
>> http://www.openbsd.org/faq/faq10.html#httpdchroot
>>
>>   
This web site is about chroot in the apache of OpenBSD and not about 
apache OpenBSD's project (modified by the project).
Is there a web site about the patches applied which talks about apache itself? 
It should have.
>
>>> *What kind of version is used?
>>>
>>> Regards...bye.
>>> *
>>>
>>>
>>> 
>>
>> It was forked off from the Apache Foundation project and does not
>> follow its version number hence.
>>
>> --siju
>>
>>   
>
>
> -- 
>
> *Saulo Bozzi Daleprane*
>
> Equipe de TI - Head Office
>
> Brazshipping Marítima LTDA
>
> Phone: 55 27 2121-6806
>
> mailto: [EMAIL PROTECTED] 
>
>  
>
> /"Truly great madness cannot be achieved without significant 
> intelligence"./
>


-- 

*Saulo Bozzi Daleprane*

Equipe de TI - Head Office

Brazshipping Marítima LTDA

Phone: 55 27 2121-6806

mailto: [EMAIL PROTECTED] 

 

/"Truly great madness cannot be achieved without significant intelligence"./



Re: umsm(4) device attaches to ugen(4) instead

2008-03-05 Thread Travers Buda
* Aaron Glenn <[EMAIL PROTECTED]> [2008-03-05 12:24:24]:

> Greets,
> 
> I've got a 2623DDU IBM Thinkpad T60p with a built in Sierra Wireless
> MC5720 EVDO card and can't get it to recognize properly. Below is the
> relevant dmesg snippet; after reading all relevant man pages (twice,
> no less) I'm still at a loss. I'd appreciate a cluebat hit. I'm about
> to fire up a 4.3 snapshot to test out snmpd -- here's to hoping it
> automagically works :)
> 
> Thanks,
> Aaron
> 
> OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Genuine Intel(R) CPU T2500 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
> cpu0: 
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
> real mem  = 2145873920 (2046MB)
> avail mem = 2067337216 (1971MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 05/24/06, BIOS32 rev. 0 @
> 0xfd6b0, SMBIOS rev. 2.4 @ 0xe0010 (68 entries)
> bios0: vendor LENOVO version "79ET61WW (1.06 )" date 05/24/2006
> bios0: LENOVO 2623DDU
> pcibios0 at bios0: rev 2.1 @ 0xfd640/0x9c0
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #22 is the last bus
> bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000
> 0xdc000/0x4000! 0xe/0x1
> acpi at mainbus0 not configured
> cpu0 at mainbus0
> cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130c2c06000613
> cpu0: using only highest and lowest power states
> cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 2000, 1000 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82945GM MCH" rev 0x03
> ppb0 at pci0 dev 1 function 0 "Intel 82945GM PCIE" rev 0x03
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 vendor "ATI", unknown product 0x71c4 rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: irq 11
> azalia0: host: High Definition Audio rev. 1.0
> azalia0: codec: Analog Devices AD1981HD (rev. 2.0), HDA version 1.0
> azalia0: codec: Conexant/0x2bfa (rev. 0.0), HDA version 0.9
> azalia0: codec[1]: No support for modem function groups
> azalia0: codec[1]: No audio function groups
> audio0 at azalia0
> ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02
> pci2 at ppb1 bus 2
> em0 at pci2 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: irq
> 11, address 00:16:41:56:8f:37
> ppb2 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02
> pci3 at ppb2 bus 3
> wpi0 at pci3 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02:
> irq 11, MoW1, address 00:13:02:4a:20:23
> ppb3 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02
> pci4 at ppb3 bus 4
> ppb4 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02
> pci5 at ppb4 bus 12
> uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: irq 11
> uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: irq 11
> uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: irq 11
> uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: irq 11
> ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: irq 11
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
> ppb5 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2
> pci6 at ppb5 bus 21
> cbb0 at pci6 dev 0 function 0 "TI PCI1510 CardBus" rev 0x00: irq 11
> cardslot0 at cbb0 slot 0 flags 0
> cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
> pcmcia0 at cardslot0
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02: PM disabled
> pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x02: DMA,
> channel 0 configured to compatibility, channel 1 configured to
> compatibility
> atapiscsi0 at pciide0 channel 0 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0:  SCSI0
> 5/cdrom removable
> cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ahci0 at pci0 dev 31 function 2 "Intel 82801GBM AHCI SATA" rev 0x02:
> irq 11, AHCI 1.1
> scsibus1 at ahci0: 32 targets
> sd0 at scsibus1 targ 0 lun 0:  SCSI2 0/direct 
> fixed
> sd0: 95396MB, 12161 cyl, 255 head, 63 sec, 512 bytes/sec, 195371568 sec total
> ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: irq 11
> iic0 at ichiic0
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
> usb2 at uhci1: USB revision 1.0
> uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
> usb3 at uhci2: USB revision 1.0
> uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
> usb4 at uhci3: USB revision 1.0
> uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> pckbc0 at

Re: umsm(4) device attaches to ugen(4) instead

2008-03-05 Thread Aaron Glenn
On Wed, Mar 5, 2008 at 1:55 PM, Travers Buda <[EMAIL PROTECTED]> wrote:
>  And did you see this in the man page?
>
>  CAVEATS
>  For Verizon Wireless (and possibly other services), cards require a one-
>  time activation before they will work; umsm does not currently support
>  this.

yes. what does that have to do with anything? the card has been
activated and used for a year+. activated or not, it's useless as a
ugen device (-:



Re: umsm(4) device attaches to ugen(4) instead

2008-03-05 Thread Aaron Glenn
On Wed, Mar 5, 2008 at 1:48 PM, Travers Buda <[EMAIL PROTECTED]> wrote:
>
>  Please send the output of usbdevs -v.
>

Theo emailed me privately stating this was a new device. It's not; but
it has a different ID as listed in usbdevs.h. My card shows 0x0218
whereas usbdevs.h has it at 0x0018. now to cvs -current, edit
usbdevs.h, and test test test



Re: ksh set -o pipefail

2008-03-05 Thread Vinicius Vianna

Hi,

I don't see pipefail on the ksh man page, maybe you should ask some 
developer to add it to the OpenBSD source, or compile/install another shell to 
use this, maybe even ksh.

Anyone else?

Piotrek Kapczuk wrote:

> $ set -o pipefail
> /bin/ksh: set: pipefail: bad option
> $ echo $KSH_VERSION
> @(#)PD KSH v5.2.14 99/07/13.2
>
> Is there another way to get what I want ?
> Are there any plans to implement this option 




4.3 release testing for amd64.mp on Sun X4100

2008-03-05 Thread Daniel Ouellet
Following Theo's request for testing, I did the same test as previously 
reported a few times on misc@ as well as tech@ and the 4.3 release using 
the multi code on amd64 still crashes at will by just doing a simple:

dd if=/dev/zero of=/var/test bs=1m count=1000

Doesn't do it using the single amd64 kernel, nor does it do it using 
either the i386 single kernel, or multi core one.

Only with the amd64.mp and is reproducible at will.

Also, this doesn't happen only on the Sun server, but a few others were 
reported, however, way more prominent on the Sun one.

Marco@ is aware of it and was also able to reproduce the problem as well 
on his X4100 too.

http://marc.info/?l=openbsd-tech&m=120122281409313&w=2

Any chance that might be fixed for the final release of 4.3?

Best,

Daniel



Re: The Dilbert Problem...

2008-03-05 Thread ropers
On 05/03/2008, Matthew Szudzik <[EMAIL PROTECTED]> wrote:
> > I've been noticing a similar problem with Firefox on OpenBSD...
>
>
> I've also experienced this problem, but was never able to reproduce it.
>  It would happen maybe once every month or two during normal web browsing
>  (which in my case means 5 or more tabs simultaneously open in Firefox).

Could this be because of local caching and few new resolve attempts?



Re: umsm(4) device attaches to ugen(4) instead

2008-03-05 Thread Travers Buda
* Aaron Glenn <[EMAIL PROTECTED]> [2008-03-05 14:25:19]:

> On Wed, Mar 5, 2008 at 1:55 PM, Travers Buda <[EMAIL PROTECTED]> wrote:
> >  And did you see this in the man page?
> >
> >  CAVEATS
> >  For Verizon Wireless (and possibly other services), cards require a 
> > one-
> >  time activation before they will work; umsm does not currently support
> >  this.
> 
> yes. what does that have to do with anything? the card has been
> activated and used for a year+. activated or not, it's useless as a
> ugen device (-:
> 

I suspected that it may attach to umsm if it was not activated.
Anyhow, good luck with the usbdevs, I can crank you out a kernel
if you need it.

-- 
Travers Buda



select outgoing route depending on source interface (net)

2008-03-05 Thread Jon Rubio
Hello,

I'm quite a newbie on OpenBSD and need some help with routing dependent on
the source network.

This is the diagram of the scenario: (public IPs aren't the real ones)

          (ISP1)                       (ISP2)
        ADSL-DHCP               SHDSL:80.25.145.193
            |                            |
            |                            |
 -----------------------   -----------------------------
 | Ext IP: DHCP        |   | Ext IP : 80.25.145.193    |
 | Int IP: 192.168.0.1 |   | Int IPs: 80.25.145.192/29 |
 -----------------------   -----------------------------
            |                            |
            |                            |
 |-----------------------------------------------------|
 | bge0: 192.168.0.254             bge1: 80.25.145.194 |
 |                                                     |
 | OpenBSD 4.2 FIREWALL                                |
 | Default gateway: 192.168.0.1                        |
 |                                                     |
 | bge2: 172.16.0.254               bge3: 172.31.0.254 |
 |-----------------------------------------------------|
            |                            |
            |                            |
            |                            |
   -------------------       -------------------------
  /        LAN        \     /           DMZ           \
 /    172.16.0.0/24    \   /       172.31.0.0/24       \
 |                     |   |                           |
 |  gw: 172.16.0.254   |   |                           |
 |                     |   |   WEB_SRV: 172.31.0.21    |
 \                     /   \                           /
  \                   /     \                         /
   -------------------       -------------------------

The expected behavior:

1.) Workstations on LAN net (172.16.0.0/24) must reach Internet through ISP1
(172.16.0.X --> 172.16.0.254 --> 192.168.0.10 --> 192.168.0.1 --> ISP1).
2.) Servers on DMZ net (172.31.0.0/24) must reach Internet through ISP2
(172.31.0.X --> 172.31.0.254 --> 80.25.145.194 --> 80.25.145.193 --> ISP2).
3.) Web server on DMZ net must be reachable from Internet through ISP2 (ISP2
--> 80.25.145.194 --> 172.31.0.254 --> 172.31.0.21).
4.) Responses to incoming Web server (DMZ net) must be sent back through ISP2
(172.31.0.21 --> 172.31.0.254 --> 80.25.145.194 --> 80.25.145.193 --> ISP2).

I've been testing many configurations without any success:
a) With/without multipathing.
b) With/without "route-to" and "reply-to" filter rules.
...

Can anyone please help me?

Below is my pf.conf file, I've removed the "routing outgoing traffic to
ISP2" part to avoid confusion with my wrongly built rules.

##
##  $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
##
## See pf.conf(5) and /usr/share/pf for syntax and examples.
## Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
## in /etc/sysctl.conf if packets are to be forwarded between interfaces.
##

##
##  CONF: Local interfaces
##

## ISP1
isp1_if = "bge0"
isp1_ip = "192.168.0.254"
isp1_gw = "192.168.0.1"
isp1_net = "192.168.0.0/24"

## ISP2
isp2_if = "bge1"
isp2_ip = "80.25.145.194"
isp2_gw = "80.25.145.193"
isp2_net = "80.25.145.192/29"

## LAN
lan_if = "bge2"
lan_ip = "172.16.0.254"
lan_net = "172.16.0.0/24"

## DMZ
dmz_if = "bge3"
dmz_ip = "172.31.0.254"
dmz_net = "172.31.0.0/24"

##
##  CONF: Local servers/services
##

## WEB Server
srv_web_001 = "172.31.0.21"

##
##  CONF: Extended Security
##

private_networks  = "{10.0.0.0/8 172.16.0.0/12}"
pseudo_private_networks  = "{192.168.0.0/16}"
public_interfaces = "{" $isp1_if $isp2_if "}"

##
##  CONF: Loopback interface
##

set skip on lo

##
##  SCRUB
##

Re: pf - routing

2008-03-05 Thread Stuart Henderson
On 2008-03-05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-03-05, Jussi Peltola <[EMAIL PROTECTED]> wrote:
>> On Wed, Mar 05, 2008 at 11:28:16AM +, Stuart Henderson wrote:
>>> There are ways, but they're hacks, and harder to get right than NAT or
>>> asking for another address. (And if you're already using NAT, you'll be
>>> renumbering the end hosts anyway, so moving block shouldn't be all that
>>> painful).
>>  
>> Couldn't you bridge the DMZ? Not as simple, but not a hack either.
>
> Ah, how could I forget about that! (probably repressed from trying
> to combine it with rdr before and getting very confused :-)

Oh, hang on. But then the IP address you were giving the firewall has
to be given to the router instead, so this doesn't gain you anything.



Re: floppy.fs

2008-03-05 Thread Giancarlo Razzolini
Stuart Henderson wrote:
> On 2008-03-05, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
>>   I do the installation using a pen drive, not a floppy,
>> so it would be nice if there was another image, suited for a pen drive
>> or other things bigger than floppy.
>
> Just do an OS installation to the pen drive then you can boot from it
> and run bsd.rd. You can also copy the installation tgz files to it,
> if you would like to install on machines without a working network.
>
> I pretty much exclusively use netboot of some kind these days though,
> pxeboot(8) is super easy on OpenBSD...
>
>
I do use the pen drive to make the installation of other systems also,
so I do overwrite it every time I make an installation. As replied to
Theo down there, I'm not complaining at all, will even take a look at
boot code to see if it's possible to make bigger images.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: floppy.fs

2008-03-05 Thread Giancarlo Razzolini
Theo de Raadt wrote:
>> Paul Greidanus wrote:
>>> Hi All
>>>
>>> I'm just wondering how many people out there are using the floppy.fs
>>> installer still?  I'm wondering if it would be a worthwhile thought to
>>> expand past the 1.44Mb limit for the CD and .rd install options if there
>>> are features that can be added to the installer.  No, I'm not thinking a
>>> gui/menu based installer as the main reason, but there might be benefits
>>> to something like that.
>>>
>>> Paul
>>>
>>>
>> One thing that i miss a lot on floppy.fs is the dhcp client.
>
> All the i386 floppies contain dhclient, so I don't know what you are
> referring to.
>
I do most of my installs using amd64. I don't see it much as an
inconvenience, but every time I have to search for a free ip in my
network to install.
>> I do the installation using a pen drive, not a floppy,
>> so it would be nice if there was another image, suited for a pen drive
>> or other things bigger than floppy.
>
> This is harder than it looks, and is on the long term list of things
> to do to the bootblocks, to further solve the handling between CHS and
> LBA issues.  Right now you cannot simply dd a floppy or larger to a
> USB drive, and expect it to work.  The i386/amd64 boot code can't handle
> it perfectly.
I didn't know about this limitation.
>
>> I know some archs doesn't have the
>> ability to boot from cd, or usb pen drives, and the only option left is
>> floppy or pxeboot. But, anyway, it would be nice to have another image
>> with more things in it, this image could even work as a rescue image.
>
> We've got a ton of boot options for each architecture.  If we could do more,
> we would.
>
I'm not complaining at all. OpenBSD is great and having to put an ip on
hand to install it, never stopped me from installing it. :). I'll take a
look at the boot code from openbsd. I'm not a C master, but will see if
something can be done. Any relevant changes (if something works at all),
I'll post to the list. Thanks for the reply.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




ipsec config old vs new

2008-03-05 Thread Lord Sporkton
I'm having a bit of trouble understanding how the new ipsec should
work, I'm not sure if isakmpd is no longer needed or if just its config
has been moved to ipsec.conf

so do I need ipsec.conf and isakmpd
or do I just need ipsec.conf

-- 
-Lawrence
-Student ID 1028219



Re: floppy.fs

2008-03-05 Thread Richard Daemon
On Wed, Mar 5, 2008 at 3:44 PM, Paul Greidanus
<[EMAIL PROTECTED]> wrote:
>
> Richard Daemon wrote:
>  > On Wed, Mar 5, 2008 at 11:58 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>  >
>  >> On 2008-03-05, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
>  >>  >   I do the installation using a pen drive, not a floppy,
>  >>  > so it would be nice if there was another image, suited for a pen drive
>  >>  > or other things bigger than floppy.
>  >>
>  >>  Just do an OS installation to the pen drive then you can boot from it
>  >>  and run bsd.rd. You can also copy the installation tgz files to it,
>  >>  if you would like to install on machines without a working network.
>  >>
>  >>  I pretty much exclusively use netboot of some kind these days though,
>  >>  pxeboot(8) is super easy on OpenBSD...
>  >>
>  >
>  > Speaking of which, is there a way or any plans to add the option to
>  > install from a tftpd itself rather than pxebooting - pull down the
>  > pxeboot and bsd.rd files over tftp then install from ftp, http, etc.?
>  >
>  >
>  I'm confused.. pxeboot/bsd.rd requires a tftp server, so you are booting
>  from tftp already.  Do you want to install the system from tftpboot,
>  i.e. base.tgz?  tftp is error prone, and bad for large files, so you
>  almost need http/ftp to do large files.  And it's easy to setup ftp.

That's exactly what I was curious on.
I assume it's error prone because it does it over UDP only?

I agree, it's very easy to set up ftp and what not, was just curious.
I've installed from pxeboot'ing a few times on various systems like
Soekris, WRAP, ALIX and others.
That's why I was thinking if there would be such an option for those
times when you need to pxeboot to install but don't run http/ftp on
the install server.
No big deal and I know there's many other ways to install on such systems...

Thanks for the responses.



Re: select outgoing route depending on source interface (net)

2008-03-05 Thread Giancarlo Razzolini
Jon Rubio wrote:
> Hello,
>
> I'm quite a newbie on OpenBSD and need some help with routing dependent on
> the source network.
>
> This is the diagram of the scenario: (public IPs aren't the real ones)
>
>           (ISP1)                       (ISP2)
>         ADSL-DHCP               SHDSL:80.25.145.193
>             |                            |
>             |                            |
>  -----------------------   -----------------------------
>  | Ext IP: DHCP        |   | Ext IP : 80.25.145.193    |
>  | Int IP: 192.168.0.1 |   | Int IPs: 80.25.145.192/29 |
>  -----------------------   -----------------------------
>             |                            |
>             |                            |
>  |-----------------------------------------------------|
>  | bge0: 192.168.0.254             bge1: 80.25.145.194 |
>  |                                                     |
>  | OpenBSD 4.2 FIREWALL                                |
>  | Default gateway: 192.168.0.1                        |
>  |                                                     |
>  | bge2: 172.16.0.254               bge3: 172.31.0.254 |
>  |-----------------------------------------------------|
>             |                            |
>             |                            |
>             |                            |
>    -------------------       -------------------------
>   /        LAN        \     /           DMZ           \
>  /    172.16.0.0/24    \   /       172.31.0.0/24       \
>  |                     |   |                           |
>  |  gw: 172.16.0.254   |   |                           |
>  |                     |   |   WEB_SRV: 172.31.0.21    |
>  \                     /   \                           /
>   \                   /     \                         /
>    -------------------       -------------------------
>
.
.
.
snip

Selective routing uses the route-to directive from pf. It's quite simple
to use and, to achieve what you want, a simple rule like this should
solve it (the macros are wrong, I was too lazy to look them up every time :):

pass in on $dmz_if route-to ($isp2_iface $isp2_gw) from $dmz_net to any

$dmz_if = dmz interface
$isp2_iface = interface which is attached to isp2 link
$isp2_gw = next hop (host to reach the net on isp2)
$dmz_net = dmz network

route-to directives are quite powerful. I developed a solution using pf
+ ifstated + snmp + ping and some clever (almost) shell scripts to
automatically change the rules depending on the availability of the link.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: ipsec config old vs new

2008-03-05 Thread Lord Sporkton
nvm, archives, found my answer

On 05/03/2008, Lord Sporkton <[EMAIL PROTECTED]> wrote:
> I'm having a bit of trouble understanding how the new ipsec should
>  work, I'm not sure if isakmpd is no longer needed or if just its config
>  has been moved to ipsec.conf
>
>  so do I need ipsec.conf and isakmpd
>  or do I just need ipsec.conf
>
>
>  --
>  -Lawrence
>  -Student ID 1028219
>


-- 
-Lawrence
-Student ID 1028219



pppoe(4) fails to include relay-session-id in PADR

2008-03-05 Thread Zach Wilkinson
I got a tcpdump trace on the init and nego exchange
for both the kernel driver and the userspace driver,
and there's a difference.

(see http://en.wikipedia.org/wiki/Pppoe for background
info)

Both kernel and userspace start with sending a PADI.
ISP sends back a PADO with the AC-name and a
relay-session-id.
Both kernel and userspace respond with a PADR,
however the userspace sends back the relay-session-id
where the kernel driver does not.
The userspace continues the nego successfully. The
kernel driver simply re-tries the PADR again unchanged
after no response from ISP.

Is there a way to get the pppoe(4) to include the
relay-session-id in the PADR packet?

Thanks,
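
The difference between the two traces described above can be checked mechanically. This is an added example, not OpenBSD's pppoe(4) or userland code: a bounds-checked RFC 2516 tag walker that reports which tags from a PADO a PADR failed to echo. The packets are constructed samples, the function names are illustrative, and the AC-Cookie check goes beyond the post (RFC 2516 requires that tag to be returned in the PADR as well).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 2516 discovery codes and tag types. */
#define PPPOE_CODE_PADO     0x07
#define PPPOE_CODE_PADR     0x19
#define PPPOE_TAG_EOL       0x0000
#define PPPOE_TAG_AC_COOKIE 0x0104
#define PPPOE_TAG_RELAY_SID 0x0110
#define PPPOE_HDRLEN        6   /* ver/type, code, session id, length */

/* Bits returned by padr_missing_echo(). */
#define MISSING_RELAY_SID   0x1
#define MISSING_AC_COOKIE   0x2

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Find `tag` in a discovery packet that starts at the PPPoE header (Ethernet
 * header already stripped). Returns a pointer to the tag value and stores its
 * length in *vlen, or NULL if the tag is absent or a length field points
 * outside the buffer.
 */
const uint8_t *pppoe_find_tag(const uint8_t *pkt, size_t pktlen,
                              uint16_t tag, uint16_t *vlen)
{
    if (pktlen < PPPOE_HDRLEN || pkt[0] != 0x11)   /* version 1, type 1 */
        return NULL;
    size_t plen = be16(pkt + 4);
    if (plen > pktlen - PPPOE_HDRLEN)              /* header length lies */
        return NULL;
    const uint8_t *p = pkt + PPPOE_HDRLEN, *end = p + plen;
    while ((size_t)(end - p) >= 4) {
        uint16_t t = be16(p), l = be16(p + 2);
        p += 4;
        if (l > (size_t)(end - p))                 /* value overruns payload */
            return NULL;
        if (t == PPPOE_TAG_EOL)
            break;
        if (t == tag) {
            *vlen = l;
            return p;
        }
        p += l;
    }
    return NULL;
}

/* 1 if the PADO lacks `tag` (nothing to echo) or the PADR carries it unmodified. */
static int tag_echoed(const uint8_t *pado, size_t padolen,
                      const uint8_t *padr, size_t padrlen, uint16_t tag)
{
    uint16_t want_len = 0, got_len = 0;
    const uint8_t *want = pppoe_find_tag(pado, padolen, tag, &want_len);
    if (want == NULL)
        return 1;
    const uint8_t *got = pppoe_find_tag(padr, padrlen, tag, &got_len);
    return got != NULL && got_len == want_len && memcmp(got, want, want_len) == 0;
}

/* Bitmask of tags the PADR should have echoed but did not; -1 on wrong codes. */
int padr_missing_echo(const uint8_t *pado, size_t padolen,
                      const uint8_t *padr, size_t padrlen)
{
    if (padolen < PPPOE_HDRLEN || padrlen < PPPOE_HDRLEN ||
        pado[1] != PPPOE_CODE_PADO || padr[1] != PPPOE_CODE_PADR)
        return -1;
    int missing = 0;
    if (!tag_echoed(pado, padolen, padr, padrlen, PPPOE_TAG_RELAY_SID))
        missing |= MISSING_RELAY_SID;
    if (!tag_echoed(pado, padolen, padr, padrlen, PPPOE_TAG_AC_COOKIE))
        missing |= MISSING_AC_COOKIE;
    return missing;
}

/* Constructed sample packets (not taken from the trace in the post). */
static const uint8_t sample_pado[] = {
    0x11, PPPOE_CODE_PADO, 0x00, 0x00, 0x00, 0x16,
    0x01, 0x01, 0x00, 0x00,                                /* Service-Name, empty */
    0x01, 0x02, 0x00, 0x06, 'i', 's', 'p', '-', 'a', 'c',  /* AC-Name */
    0x01, 0x10, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef         /* Relay-Session-Id */
};
static const uint8_t sample_padr_no_relay[] = {            /* as the kernel trace is described */
    0x11, PPPOE_CODE_PADR, 0x00, 0x00, 0x00, 0x04,
    0x01, 0x01, 0x00, 0x00
};
static const uint8_t sample_padr_with_relay[] = {          /* as the userland trace is described */
    0x11, PPPOE_CODE_PADR, 0x00, 0x00, 0x00, 0x0c,
    0x01, 0x01, 0x00, 0x00,
    0x01, 0x10, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef
};

int main(void)
{
    printf("PADR without relay tag: missing mask %d\n",
           padr_missing_echo(sample_pado, sizeof sample_pado,
                             sample_padr_no_relay, sizeof sample_padr_no_relay));
    printf("PADR with relay tag:    missing mask %d\n",
           padr_missing_echo(sample_pado, sizeof sample_pado,
                             sample_padr_with_relay, sizeof sample_padr_with_relay));
    return 0;
}
```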


  




Re: openbsd router hardware

2008-03-05 Thread Brian A. Seklecki
On Wed, 2008-03-05 at 09:55 -0800, Joe wrote:
> Perhaps you got a bad board in your past?

I've had 10 years of bad VIA chipsets (pciide(4), etc.)

Anyone who has been on the lists for a few years knows the same old
story.  "Results 1-10 of about 3,170 for bsd VIA ATA dma error"

~BAS



Why use fixed RELXDIR ?

2008-03-05 Thread Dongsheng Song
Why use fixed RELXDIR ?

snippet from /usr/src/distrib/*/iso/Makefile:

.include "${TOP}/Makefile.inc"

CDROM=  install${REV}.iso
RELXDIR=/home/relx-${MACHINE}
RELDIR?=/home/rel-${MACHINE}

Is it a typo, or advisement?
Can we move CDROM, RELXDIR, and RELDIR to '${TOP}/Makefile.inc'?

Dongsheng




Re: pf tag goes missing post sshd tcp decapsulization

2008-03-05 Thread Konrad
Hi everybody,

> I like henning's idea to use something like a setsockopt(2) option to
>  assign a pf tag to a running session.  I was thinking about this
>  before to use it with some weird magic in relayd... but this is way
>  off at the moment.

I liked the idea, too. So here is what I've done so far. It works so far
for tcp but it should be no problem to do it for udp also. (Or to
do it generally for ip)

To set the sockopt you have to write it this way:
 setsockopt( create_socket, SOL_SOCKET, SO_PFTAG, tag, strlen(tag) + 1);
 getsockopt( create_socket, SOL_SOCKET, SO_PFTAG, bla, &a);

Bye
Konrad

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of sockopt.diff]



Re: pf tag goes missing post sshd tcp decapsulization

2008-03-05 Thread Theo de Raadt
> Hi everybody,
> 
> > I like henning's idea to use something like a setsockopt(2) option to
> >  assign a pf tag to a running session.  I was thinking about this
> >  before to use it with some weird magic in relayd... but this is way
> >  off at the moment.
> 
> I liked the idea, too. So here is what I've done so far. It works so far
> for tcp but it should be no problem to do it for udp also. (Or to
> do it generally for ip)
> 
> To set the sockopt you have to write it this way:
>  setsockopt( create_socket, SOL_SOCKET, SO_PFTAG, tag, strlen(tag) + 1);
>  getsockopt( create_socket, SOL_SOCKET, SO_PFTAG, bla, &a);
> 
> Bye
> Konrad
> 
> [demime 1.01d removed an attachment of type application/octet-stream which 
> had a name of sockopt.diff]

When will people learn that our mailing lists don't permit such MIME
attachments???



Re: Why use fixed RELXDIR ?

2008-03-05 Thread Theo de Raadt
> Why use fixed RELXDIR ?
> 
> snippet from /usr/src/distrib/*/iso/Makefile:
> 
> .include "${TOP}/Makefile.inc"
> 
> CDROM=  install${REV}.iso
> RELXDIR=/home/relx-${MACHINE}
> RELDIR?=/home/rel-${MACHINE}
> 
> Is it a typo, or advisement?
> Can we move CDROM, RELXDIR, and RELDIR to '${TOP}/Makefile.inc'?

No.  It is what we use behind the scene to build snapshots, since the
X and src trees are still rather disjoint.

And everyone wants us to continue to build snapshots.



Re: floppy.fs

2008-03-05 Thread Paul Greidanus

Theo de Raadt wrote:

> There is one thing that some people out there could work on.  No one
> in our group is currently working on it, and it would be nice.
>
> - A very carefully designed improvement/replacement to disklabel -E
>   that can sub-partition more automatically.

Something like:
disklabel sd0 -p labelletter,start,end,mountpoint
disklabel sd0 -p a,0,5G,/

Or are you talking about something completely different with sub-partitions?

Another thought I've had on this thread is to give the user a 
default/sane partitioning option?  Although, the definition of what is 
sane default partitioning is a topic that can be debated until the 
universe grows cold.

> - Might be nice if it can handle multiple disks correctly, and if it was
>   more aware of the consequences of partitions mounted inside each
>   other.

I've gotta play with this to understand the problem better.

> - No existing features that disklabel -E has may be deleted.  People
>   use them.
>
> It is not easy to do right, but bad hacks won't qualify for this.

Do bad hacks qualify anywhere? :)