Re: OpenBSD with pf on a mini-ITX?
On Tue, Mar 11, 2008 at 06:57:41PM +0100, Jordi Prats wrote:
> Hi all,
> Has anyone tried to run OpenBSD with pf on a Jetway J7F2 (or similar) motherboard to act as a firewall and do NAT? Any inputs will be welcome!
> Thanks,
> -- Jordi

I'm using exactly this board (see dmesg below), a couple of things to note:
- no sensors
- if you use one of the addon gigabit ethernet boards, you'll need to apply the patch found in PR#5759, it seems that it will not make it into 4.3 thus re is busted for gigabit in 4.3-release.
- no hw.setperf
- AES performance is great :)

Regards
ahb

OpenBSD 4.2-current (GENERIC) #5: Sun Mar 9 10:26:16 CET 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: VIA Esther processor 1500MHz (CentaurHauls 686-class) 1.51 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3 cpu0: RNG AES AES-CTR SHA1 SHA256 RSA real mem = 1005023232 (958MB) avail mem = 963772416 (919MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 05/18/07, BIOS32 rev. 0 @ 0xfa0a0, SMBIOS rev. 
2.3 @ 0xf (34 entries) bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 05/18/2007 apm0 at bios0: Power Management spec V1.2 (slowidle) apm0: AC on, battery charge unknown acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @ 0xf/0xc904 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc830/208 (11 entries) pcibios0: bad IRQ table checksum pcibios0: PCI BIOS has 11 Interrupt Routing table entries pcibios0: PCI Exclusive IRQs: 5 10 11 pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x1 0xd/0x800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA CN700 Host rev 0x00 agp0 at pchb0: v3, aperture at 0xe800, size 0x1000 pchb1 at pci0 dev 0 function 1 VIA CN700 Host rev 0x00 pchb2 at pci0 dev 0 function 2 VIA CN700 Host rev 0x00 pchb3 at pci0 dev 0 function 3 VIA PT890 Host rev 0x00 pchb4 at pci0 dev 0 function 4 VIA CN700 Host rev 0x00 pchb5 at pci0 dev 0 function 7 VIA CN700 Host rev 0x00 ppb0 at pci0 dev 1 function 0 VIA VT8377 AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 VIA S3 Unichrome PRO IGP rev 0x01 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) xl0 at pci0 dev 8 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 11, address 00:04:76:a1:cc:d1 bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6 VIA VT6306 FireWire rev 0x80 at pci0 dev 10 function 0 not configured re0 at pci0 dev 11 function 0 Realtek 8169 rev 0x10: RTL8169/8110SCd (0x1800), irq 5, address 00:30:18:a8:0f:cc rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 
2 pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA pciide0: using irq 11 for native-PCI interrupt wd0 at pciide0 channel 0 drive 0: SanDisk SDCFX3-2048 wd0: 4-sector PIO, LBA, 1953MB, 4001760 sectors wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility wd1 at pciide1 channel 0 drive 1: SanDisk SDCFX3-2048 wd1: 4-sector PIO, LBA, 1953MB, 4001760 sectors wd1(pciide1:0:1): using PIO mode 4, DMA mode 2 atapiscsi0 at pciide1 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: LITEON, CD-ROM LTN526D, YSR5 SCSI0 5/cdrom removable cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 2 uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 10 uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 10 uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 11 uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 11 ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: irq 11 ehci0: timed out waiting for BIOS usb0 at ehci0: USB revision 2.0 uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr 1 viapm0 at pci0 dev 17 function 0 VIA VT8237 ISA rev 0x00 iic0 at viapm0 spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5 auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x60: irq 11 ac97: codec id 0x56494170 (VIA Technologies 70) ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D audio0 at auvia0 vr0 at pci0 dev 18 function 0 VIA RhineII-2 rev 0x78: irq 10, address 00:30:18:b0:58:fa ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 
10: OUI 0x004063, model 0x0032 usb1 at uhci0: USB revision 1.0 uhub1 at usb1 VIA UHCI root hub rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 VIA UHCI root hub rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 VIA UHCI root hub rev 1.00/1.00 addr 1 usb4 at uhci3: USB revision 1.0 uhub4 at usb4 VIA UHCI root hub rev 1.00/1.00 addr 1 isa0 at mainbus0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for
Hardware to give away Sun Sparc II / Ultra 5/ DEC Alpha Workstation-II (Duisburg/Germany)
Hi,

I cleaned up my attic and found some kind of hardware I do not need any more. I'm not at home at the moment, but AFAIR there is a Sun Sparc 2 and a Sun Ultra 5. Perhaps there is a DEC Alpha Workstation II, too.

Can be picked up in Duisburg / Germany. If you like you can spend some money for a local charitable youth- and cultural association - you're welcome.

Regards,
Falk
zombies
How are zombies best dealt with, correctively?

My OBSD 4.2 x86 machine is showing memory and CPU utilization are a negligible fraction of the total capacity. Yet, it is getting maxed out in regards to number of processes, apparently due to the zombies. kill -KILL seems to have no effect.

Some interaction between Apache2 and perl is creating zombies. After several months, this number has crept up to close to a thousand and with kern.maxproc=1024, problems are starting.

For example, ps says:
...
_apache297 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
_apache2 19083 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
_apache2 24147 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
_apache2 30821 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
_apache2 6995 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
_apache2 26059 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
_apache2 31087 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
...

So again, what corrective measures can be taken to rid the machine of zombie processes? And, is there a generic way to prevent them? The cause is a perl CGI called by apache2.

Regards,
-Lars
Re: zombies - solved
Thanks.

Paul de Weerd wrote:
> ...
> Zombies are part of unix, you *need* them in cases. Leaving them dangling (for too long) is not good of course, clean-up is required.

That's what's happening. I see that one work-around would be to have cron periodically send a kill signal to the parent. But it pains me to even mention such a lame and problematic hack.

> ... This is the job of the parent process so the 'generic way' to *solve* these issues is by fixing the parent process.

Easier said than done given the original state of my concentration / coding skills and the subsequent deterioration from that state.

> ... You may want to investigate alternative options or fix the code if you can...

Where is it that the problem most likely lies? Apache2, perl or the heinous 'apt-cacher' script called by Apache2?

/usr/bin/perl /usr/sbin/apt-cacher -d -p /var/run/apt-cacher.pid

Looking ahead, what is the timeline for moving to Apache2? Or what are the major reasons 4.3 is going to still use 1.3x?

Regards,
-Lars
Re: zombies - solved
On Wed, Mar 12, 2008 at 2:18 AM, Lars Noodin [EMAIL PROTECTED] wrote:
> Or what are the major reasons 4.3 is going to still use 1.3x?

Licensing.
Re: zombies
On Wed, Mar 12, 2008 at 10:36:23AM +0200, Lars Noodén wrote:
> How are zombies best dealt with, correctively?
>
> My OBSD 4.2 x86 machine is showing memory and CPU utilization are a negligable fraction of the total capacity. Yet, it is getting maxed out in regards to number of processes, apparently due to the zombies. kill -KILL seems to have no effect.

zombie processes are already dead, you cannot kill them.

> Some interaction between Apache2 and perl is creating zombies. After several months, this number has crept up to close to a thousand and with kern.maxproc=1024, problems are starting
>
> For example, ps says :
> ...
> _apache297 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> _apache2 19083 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> _apache2 24147 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> _apache2 30821 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> _apache2 6995 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> _apache2 26059 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> _apache2 31087 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
> ...
>
> So again, what corrective measures can be taken to rid the machine of zombie processes? And, is there a generic way to prevent them? The cause is a perl CGI called by apache2

zombie state happens if a child process exits, but its parent did not execute a wait(2) system call (or one of its alternatives) for the process (yet). So this seems a bug in the handling of CGIs.

-Otto

> Regards,
> -Lars
Re: zombies - solved
> Looking ahead, what is the timeline for moving to Apache2?

Likely never, unless they decide to change their license.

> Or what are the major reasons 4.3 is going to still use 1.3x?

apache2 is not free enough.
Re: zombies - half solved
> How are zombies best dealt with, correctively?

Sorry to answer my own question. The solution was to find the parent process and kill it.

But the second question still stands, is there a generic way to prevent the formation of zombies? The cause in this specific case is a perl-based CGI script called by apache2.

Regards,
-Lars
Re: zombies
On Wed, Mar 12, 2008 at 10:36:23AM +0200, Lars Noodén wrote:
| How are zombies best dealt with, correctively?

By fixing the bugs in the parent.

| My OBSD 4.2 x86 machine is showing memory and CPU utilization are a
| negligable fraction of the total capacity. Yet, it is getting maxed out
| in regards to number of processes, apparently due to the zombies.

Zombies don't consume any (or, nearly any) resources apart from the one pid.

| kill -KILL seems to have no effect.

Nope. Read up on 'em to find out why. Hint : you can't kill what's already dead.

| Some interaction between Apache2 and perl is creating zombies. After
| several months, this number has crept up to close to a thousand and with
| kern.maxproc=1024, problems are starting
|
| For example, ps says :
| ...
| _apache297 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| _apache2 19083 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| _apache2 24147 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| _apache2 30821 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| _apache2 6995 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| _apache2 26059 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| _apache2 31087 0.0 0.0 0 0 ?? Z - 0:00.00 (perl)
| ...
|
| So again, what corrective measures can be taken to rid the machine of
| zombie processes?

Find the parent process and restart it. This process is buggy. You may want to investigate alternative options or fix the code if you can.

| And, is there a generic way to prevent them? The cause is a perl CGI
| called by apache2

Zombies are part of unix, you *need* them in cases. Leaving them dangling (for too long) is not good of course, clean-up is required. This is the job of the parent process so the 'generic way' to *solve* these issues is by fixing the parent process.

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/
Re: zombies
On 12 March 2008, Lars Noodén [EMAIL PROTECTED] wrote:
[...]
> And, is there a generic way to prevent them? The cause is a perl CGI called by apache2

Depending on what you're doing, make the parent wait(2) for the processes or setsid(3).

Regards,

Liviu Daia
--
Dr. Liviu Daia http://www.imar.ro/~daia
IP header compression status on OpenBSD
Hi,

Does anyone know the status of IPHC over PPP as per RFC2507 and RFC3508 (TCP compression as described in RFC2507 is though not needed) on OpenBSD?

Thanks in advance.
Mehdi
Re: zombies - solved
* Theo de Raadt [EMAIL PROTECTED] [2008-03-12 10:36]:
> > Looking ahead, what is the timeline for moving to Apache2?
>
> Likely never, unless they decide to change their license.

even then... I don't see any advantages in apache2, but lots of disadvantages and a gigantic design fault. No, not one, multiple.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: softraid as hot replacement for raidframe
On Wed, Mar 12, 2008 at 1:13 AM, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2008-03-11, nicodache [EMAIL PROTECTED] wrote:
> > Now, the question is : is there any way to remotely (my box is in a remote securized datacenter with double code) jump from raidframe to softraid, as I've understood softraid was the future for OpenBSD ?
>
> not without foreign metadata support in softraid.
>
> as of 4.3, softraid is coming along nicely, but it doesn't have scrub/rebuild, it's not a full replacement for raidframe yet. at the moment, there are definitely situations where raidframe would just be able to reboot, where softraid would need manual intervention at the console (serial or otherwise).

So, you advise me to stay with RaidFrame as long as softraid is not made the default raid driver, supporting automatic rebuild, nested raid, and all the things that make a raid driver sexy and pointless at some level ? ^^

Thank you for your answer.
Re: zombies
Hi!

On Wed, Mar 12, 2008 at 12:05:29PM +0200, Liviu Daia wrote:
> On 12 March 2008, Lars Noodén [EMAIL PROTECTED] wrote:
> [...]
> > And, is there a generic way to prevent them? The cause is a perl CGI called by apache2

> Depending on what you're doing, make the parent wait(2) for the processes or setsid(3).

setsid(2) (yes, it's section 2 on OpenBSD) doesn't make the child lose the connection to the parent. See the source of daemon(3) for how to use setsid in connection with fork and exit (in fact _exit) to make a process disconnect from its parent and its controlling terminal etc.

Kind regards,

Hannah.
Re: softraid as hot replacement for raidframe
On 2008-03-12, nicodache [EMAIL PROTECTED] wrote:
> On Wed, Mar 12, 2008 at 1:13 AM, Stuart Henderson [EMAIL PROTECTED] wrote:
> > On 2008-03-11, nicodache [EMAIL PROTECTED] wrote:
> > > Now, the question is : is there any way to remotely (my box is in a remote securized datacenter with double code) jump from raidframe to softraid, as I've understood softraid was the future for OpenBSD ?
> >
> > not without foreign metadata support in softraid.
> >
> > as of 4.3, softraid is coming along nicely, but it doesn't have scrub/rebuild, it's not a full replacement for raidframe yet. at the moment, there are definitely situations where raidframe would just be able to reboot, where softraid would need manual intervention at the console (serial or otherwise).
>
> So, you advice me to stay with RaidFrame as long as softraid is not made the default raid driver, supporting automatic rebuild, nested raid, and all the things that make a raid driver sexy and pointless at some level ? ^^
>
> Thank you for your answer.

It's not exactly advice, just pointing out some things you need to know so you can make your own decision.

Personally I used ccd rather than raidframe before (since using a non-GENERIC kernel wasn't very appealing) and I'm using softraid instead of that now, working fine for me but there have been times I've been glad I have a console server. :-)
Initio 162X SATA controller up for grabs
Hi all,

I bought a PCI SATA controller off the shelf at a local store last week. It was so cheap I didn't bother checking the chipset on it. It's a rebranded Sunix card:
http://www.sunix.com.tw/it/en/Product_Detail.php?cate=2class_a_id=34sid=447

When I plugged it in I realised it uses an Initio chip, not supported by OpenBSD:

vendor Initio, unknown product 0x1622 (class mass storage subclass SATA, rev 0x02) at pci0 dev 7 function 0 not configured

(Full dmesg below)

This is what 'lspci -vvx' has to say about the card:

00:07.0 SATA controller: Initio Corporation Unknown device 1622 (rev 02) (prog-if 00 [Vendor specific])
        Subsystem: Initio Corporation Unknown device 1622
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium TAbort- TAbort- MAbort- SERR- PERR-
        Latency: 32, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 5
        Region 0: I/O ports at e400
        Region 1: I/O ports at e000
        Region 2: I/O ports at dc00
        Region 3: I/O ports at d800
        Region 4: I/O ports at d400
        Region 5: Memory at fe123000 (32-bit, non-prefetchable)
        Expansion ROM at fe00 [disabled]
        Capabilities: [dc] Power Management version 2
                Flags: PMEClk+ DSI- D1+ D2+ AuxCurrent=0mA PME(D0-,D1+,D2+,D3hot+,D3cold-)
                Status: D0 PME-Enable- DSel=0 DScale=0 PME-
00: 01 11 22 16 17 01 b8 02 02 00 06 01 10 20 00 00
10: 01 e4 00 00 01 e0 00 00 01 dc 00 00 01 d8 00 00
20: 01 d4 00 00 00 30 12 fe 00 00 00 00 01 11 22 16
30: 00 00 00 fe dc 00 00 00 00 00 00 00 05 01 00 00

Looks like Linux got support last year:
http://marc.info/?l=linux-idem=116781318032241w=2

I'll ship this card off to a developer in Europe willing to give an OpenBSD driver a go. After reading the comments from the linux developer about the chip, I understand if you're hesitant. :)

/Johan

OpenBSD 4.3 (GENERIC) #696: Thu Mar 6 05:09:01 MST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) CPU 1.80GHz (GenuineIntel 686-class) 1.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM real mem = 804814848 (767MB) avail mem = 769646592 (733MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 10/19/04, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfadf0 (78 entries) bios0: vendor Dell Computer Corporation version A09 date 10/19/2004 bios0: Dell Computer Corporation PowerEdge 600SC acpi0 at bios0: rev 0 acpi0: tables DSDT FACP APIC SPCR acpi0: wakeup devices RTC_(S5) NIC_(S5) PCI0(S5) acpitimer0 at acpi0: 3579545 Hz, 32 bits acpiprt0 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x8000 0xd1000/0x1000 0xd2000/0x800 0xe3000/0x7800! 0xec000/0x4000! cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 ServerWorks GCNB-LE Host rev 0x32 pchb1 at pci0 dev 0 function 1 ServerWorks GCNB-LE Host rev 0x00 em0 at pci0 dev 2 function 0 Intel PRO/1000MT (82540EM) rev 0x02: irq 10, address 00:c0:9f:21:b8:7a puc0 at pci0 dev 3 function 0 Sunix 40XX rev 0x01: ports: 2 com, 1 lpt pccom3 at puc0 port 0 irq 5: ti16750, 64 byte fifo pccom3: probed fifo depth: 32 bytes pccom4 at puc0 port 1 irq 5: ti16750, 64 byte fifo pccom4: probed fifo depth: 32 bytes lpt3 at puc0 port 2: interrupting at irq 5 puc1 at pci0 dev 4 function 0 Sunix 40XX rev 0x01: ports: 2 com, 1 lpt pccom5 at puc1 port 0 irq 3: ti16750, 64 byte fifo pccom5: probed fifo depth: 32 bytes pccom6 at puc1 port 1 irq 3: ti16750, 64 byte fifo pccom6: probed fifo depth: 32 bytes lpt4 at puc1 port 2: interrupting at irq 3 xl0 at pci0 dev 5 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 10, address 00:01:02:9e:d4:e6 bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 
6 vendor Initio, unknown product 0x1622 (class mass storage subclass SATA, rev 0x02) at pci0 dev 7 function 0 not configured vga1 at pci0 dev 8 function 0 ATI Rage XL rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) piixpm0 at pci0 dev 15 function 0 ServerWorks CSB6 rev 0xa0: SMBus disabled pciide0 at pci0 dev 15 function 1 ServerWorks CSB6 RAID/IDE rev 0xa0: DMA wd0 at pciide0 channel 0 drive 0: ST340016A wd0: 16-sector PIO, LBA, 38146MB, 78125000 sectors wd1 at pciide0 channel 0 drive 1: ST380021A wd1: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 wd1(pciide0:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 wd2 at pciide0 channel 1 drive 0: ST3200822A wd2: 16-sector PIO, LBA48, 190782MB, 390721968 sectors wd2(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 pcib0 at pci0 dev 15 function 3 ServerWorks GCLE-2 Host rev 0x00 isa0 at pcib0 isadma0 at isa0
ftp-proxy and carp
Hey chaps,

I have a pair of OpenBSD firewalls running CARP

$ uname -a
OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386

They both have internal and external addresses and an internal carp and external carp address shared.

Now, they are protecting an FTP server that I want to allow access to. Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work.

Is this possible, or do I have to bind it to the real address and let inbound ftp fail in the event of a failover?

-- joe.

Have you seen the syrup on that bloke? Unreal.
Re: zombies
On 12 March 2008, Hannah Schroeter [EMAIL PROTECTED] wrote:
> Hi!
>
> On Wed, Mar 12, 2008 at 12:05:29PM +0200, Liviu Daia wrote:
> > On 12 March 2008, Lars Noodén [EMAIL PROTECTED] wrote:
> > [...]
> > > And, is there a generic way to prevent them? The cause is a perl CGI called by apache2
>
> > Depending on what you're doing, make the parent wait(2) for the processes or setsid(3).
>
> setsid(2) (yes, it's section 2 on OpenBSD)

Yes, sorry.

> doesn't make the child lose the connection to the parent.

No, it actually makes the calling process a session leader.

> See the source of daemon(3) for how to use setsid in connection with fork and exit (in fact _exit) to make a process disconnect from its parent and its controlling terminal etc.

Actually, there's a bunch of other things to take care of, like signals and pipes. A more complete answer would be something like: read a book about UNIX process management; I was trying to provide a hint in the right direction, not abstract a book in a sentence. :)

Regards,

Liviu Daia
--
Dr. Liviu Daia http://www.imar.ro/~daia
Re: zombies - solved
On 3/12/08, Lars Noodén [EMAIL PROTECTED] wrote:
> Looking ahead, what is the timeline for moving to Apache2? Or what are the major reasons 4.3 is going to still use 1.3x?

Take a look at http://nginx.net/

BSD license, seems to work, but I don't know about its security profile. I'm sure it's not as secure as the OBSD Apache, but it might be ok compared with apache2.
Re: zombies
"Otto" == Otto Moerbeek [EMAIL PROTECTED] writes:

Otto> zombie state happend if a child process exits, but its parent did not
Otto> execute a wait(2) system call (or one if its alternatives) for the
Otto> process (yet). So this seem a bug in the handling of CGIs.

Most likely a bug in a Perl script that forks but doesn't wait for its kid. I generally *don't* see zombies in well-written Perl programs.

Was this FastCGI by any chance? I know there's unique problems related to that for naive code that creates a child, because the parent never goes away (since it's shared by the next series of CGI hits). But again, with proper care, even a FastCGI script can be written properly.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: zombies - solved
On Wed, Mar 12, 2008 at 08:39:07AM -0500, Gregg Reynolds wrote:
> On 3/12/08, Lars Noodén [EMAIL PROTECTED] wrote:
> > Looking ahead, what is the timeline for moving to Apache2? Or what are the major reasons 4.3 is going to still use 1.3x?
>
> Take a look at http://nginx.net/
>
> BSD license, seems to work, but I don't know about its security profile. I'm sure it's not as secure as the OBSD Apache, but it might be ok compared with apache2.

There's also a port of nginx as of 4.2-current. The port is of the stable version, not the development version.

--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: zombies
On Wed, Mar 12, 2008 at 09:57:16AM +0100, Otto Moerbeek wrote:
> zombie state happend if a child process exits, but its parent did not execute a wait(2) system call (or one if its alternatives) for the process (yet). So this seem a bug in the handling of CGIs.

I'd like to add a bit to the above and to Paul de Weerd's comments:

Zombie processes are there to maintain a little info in case the parent process calls wait() later to retrieve it. Some program designs catch SIGCHLD or have a thread block on wait*, and in those cases the zombie lasts such a short time you'll probably never see it in top or ps. Other designs use non-blocking forms and zombies may stick around long enough to notice, but then disappear later when the parent makes a pass. If the parent dies before calling wait, then the zombie is inherited by init which will take care of it.

So, zombies happen, but the only time they stay around for a long time is a negligent/misdesigned parent that is still alive but not calling wait* on the children. The OS can't make a badly written program into a well written program. So as admin you are stuck restarting the parent periodically, switching to something else, or bugging the developers to fix the problem.

--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: ftp-proxy and carp
On 12.03.2008 at 13:28, Joe Warren-Meeks wrote:
> Hey chaps,

Hey,

> Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work.

I set up a local IP address via interface lo1 and redirect all incoming ftp requests to ftp-proxy listening on this local address. Done this on both firewalls and configured pfsync between them, and everything is fine.

> -- joe.

Falk
Re: ftp-proxy and carp
Joe,

You can bind your reverse ftp-proxy to the carp addresses.

BTW, a problem you might eventually see is when the firewalls fail over. Current connections to the ftp server will die when the backup firewall takes over because it does not have ftp-proxy anchors from the first firewall. The anchors are not pfsync states and thus are not transferred to the backup firewall through pfsync. But, if the users issue a reconnect to your ftp server after the firewall fail over they will connect without issue.

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Wed, Mar 12, 2008 at 12:28:00PM +, Joe Warren-Meeks wrote:
> Hey chaps,
>
> I have a pair of OpenBSD firewalls running CARP
>
> $ uname -a
> OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386
>
> They both have internal and external addresses and an internal carp and external carp address shared.
>
> Now, they are protecting an FTP server that I want to allow access to. Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work.
>
> Is this possible, or do I have to bind it to the real address and let inbound ftp fail in the event of a failover?
>
> -- joe.
>
> Have you seen the syrup on that bloke? Unreal.
Re: zombies - solved
Theo de Raadt wrote:
> apache2 is not free enough.

Ok. There were some additional reasons mentioned, but licensing is enough on its own. I found the old announcement now that I know what to look for:
http://archives.neohapsis.com/archives/openbsd/2004-06/0448.html

Apache 1.3.29 is decent enough and has the functionality, name brand recognition and familiarity needed. But without updates, it seems a dead end and not a good idea for new activities. I'm also not finding reference to IPv6 in the documentation for Apache 1.3.x either online or in the man pages and that was my main reason for even looking at Apache2. A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series.

Gregg proposed nginx ( http://nginx.net/ ), which seems to be just getting started. It's under a 'BSD-like' license. It might work, but seems new.

I see Lighttpd already in the 'packages' and it is under an appropriate license. In the last year, it has gained a lot in both visibility and user-base. In a lot of cases, perhaps most, new setups could be steered towards Lighttpd, if it were mentioned in the documentation here and there. I probably would have chosen it over grabbing Apache2 from the ports tree had it been mentioned. Apache2 and Lighttpd both required some adjustment and I would rather future-proof my activities, just in case they have to be supported that long.

The mention of it can be small and does not need to affect how things are currently done. But as more use it, it will be easier later to drop Apache when (if) the time comes. Would something like this be appropriate at the tail end of the httpd man page for v 1.3.29?

Due to licensing changes, the version of Apache shipped with OpenBSD will stay at version 1.3.29. Bugfixes will be provided, but no further updates. Alternatively, Lighttpd is available via OpenBSD's packages.

Regards,
-Lars
Re: zombies
Randal L. Schwartz wrote:
> Most likely a bug in a Perl script that forks but doesn't wait for its kid. I generally *don't* see zombies in well-written Perl programs.

;)

> Was this FastCGI by any chance?

No. I think it's the perl script, but now that gets added to my list of things to do. The hints about setsid(2) and wait(2) give an idea of what to look for.

regards,
-Lars
Re: What is WPA status in OpenBSD
IPSEC works well if you blissfully ignore the hassle of setting up IPSEC on every possible client you want to support in your network. OS X's native configuration panels do not deal with IPSEC, but it comes with Racoon so that one can take the trouble to set it up without having to compile additional software. Windows doesn't deal with IPSEC easily either, and once one has taken the painstaking hassle to set it up they quickly find that the crypto supported isn't much to cheer over.

I'm personally also waiting for the day WPA/2 capability finally shows up in OpenBSD, but, in the meanwhile, sure, unencrypted or WEP'd WiFi with IPSEC *works* - just not easily :)

The best tip I can give to you, Dominik, is to go with OpenVPN for now. It's a much more convenient solution, especially since competent and intuitive client tools are freely available under both Windows, OS X, and BSD/Linux.

-SD

On Wed, Mar 12, 2008 at 4:28 AM, Luis Guillermo Coronado Chacon [EMAIL PROTECTED] wrote:
> Dominik, the short answer is: no, no WPA in OpenBSD.
>
> The long answer lies on many, many, many posts on this list (http://marc.info for more details), but for a preview of all that: it is not going to happen anytime soon because no one actually provides code for it and so far not a single developer wants/needs it in the kernel. The reasons for this are very well explained. Just asking for features is not the right way to approach this community unless they come with some code attached :-d
>
> Believe me WEP+IPSEC (or WEP+ssh for that matter) works very well.
>
> Luis
Re: zombies - solved
> Ok. There were some additional reasons mentioned, but licensing is enough on its own. I found the old announcement now that I know what to look for:
> http://archives.neohapsis.com/archives/openbsd/2004-06/0448.html
>
> Apache 1.3.29 is decent enough and has the functionality, name brand recognition and familiarity needed. But without updates, it seems a dead end and not a good idea for new activities.

That is one person's opinion, and I think you will find yourself isolated. It's just a bloody web server. It's easy.

> I'm also not finding reference to IPv6 in the documentation for Apache 1.3.x either online or in the man pages and that was my main reason for even looking at Apache2.

There are diffs coming that add v6 support. There have been reasons not to add it in the past.

> A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series.

When we started work on OpenSSH, there were people just like you saying that it did not seem like a good return on investment.

Investment. Who are you to tell us how we should spend our time, and what we should do? If you don't LIKE IT, then do whatever you want.

> Gregg proposed, nginx ( http://nginx.net/ ), which seems to be just getting started. It's under a 'BSD-like' license. It might work, but seems new.

Huh? We've already GOT a completely working fixed one in our tree. It's fine. And we have zero interest in swapping to some other piece of shit when this piece of shit will do.

> Would something like this be appropriate at the tail end of the httpd man page for v 1.3.29?
>
> Due to licensing changes, the version of Apache shipped with OpenBSD will stay at version 1.3.29. Bugfixes will be provided, but no further updates. Alternatively, Lighttpd is available via OpenBSD's packages.

No.
Re: zombies - solved
If you want to serve http content via IPv6, then perhaps you can run httpd on your (IPv4) loopback interface, and have relayd listen on your public IPv6 interface, and forward requests over IPv4 to it ? /Pete On 12 Mar 2008, at 4:22 PM, Lars Noodin wrote: Theo de Raadt wrote: apache2 is not free enough. Ok. There were some additional reasons mentioned, but licensing is enough on its own. I found the old announcement now that I know what to look for: http://archives.neohapsis.com/archives/openbsd/2004-06/0448.html Apache 1.3.29 is decent enough and has the functionality, name brand recognition and familiarity needed. But without updates, it seems a dead end and not a good idea for new activities. I'm also not finding reference to IPv6 in the documentation for Apache 1.3.x either online or in the man pages and that was my main reason for even looking at Apache2. A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series. Gregg proposed, nginx ( http://nginx.net/ ), which seems to be just getting started. It's under a 'BSD-like' license. It might work, but seems new. I see Lighttpd already in the 'packages' and it is under an appropriate license. In the last year, it has gained a lot in both visibility and user-base. In a lot of cases, perhaps most, new setups could be steered towards Lighttpd, if it were mentioned in the documentation here and there. I probably would have chosen it over grabbing Apache2 from the ports tree had it been mentioned. Apache2 and Lighttpd both required some adjustment and I would rather future-proof my activities, just in case they have to be supported that long. The mention of it can be small and does not need to affect how things are currently done. But as more use it, it will be easier later to drop Apache when (if) the time comes. Would something like this be appropriate at the tail end of the httpd man page for v 1.3.29? 
Due to licensing changes, the version of Apache shipped with OpenBSD will stay at version 1.3.29. Bugfixes will be provided, but no further updates. Alternatively, Lighttpd is available via OpenBSD's packages. Regards, -Lars
Re: zombies - solved
On Wed, 12 Mar 2008 17:05:01 +0100, Pete Vickers [EMAIL PROTECTED] wrote: If you want to serve http content via IPv6, then perhaps you can run httpd on your (IPv4) loopback interface, and have relayd listen on your public IPv6 interface, and forward requests over IPv4 to it ? And then what if the HTTP request reads something like GET [::1] ? -- Boudewijn Dijkstra Indes - IDS B.V. +31 345 545 535
Re: zombies - solved
Lars Noodén wrote: Would something like this be appropriate at the tail end of the httpd man page for v 1.3.29? Due to licensing changes, the version of Apache shipped with OpenBSD will stay at version 1.3.29. Bugfixes will be provided, but no further updates. Alternatively, Lighttpd is available via OpenBSD's packages. Why do some people think Apache needs to be replaced? Moreover, if the developers are satisfied with Apache 1.3, why would they recommend another product in the documentation?
Re: zombies - solved
On Wed, Mar 12, 2008 at 11:58 AM, Theo de Raadt [EMAIL PROTECTED] wrote: A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series. I'm just curious what is in 2.x that you need, that is unavailable in 1.3? When we started work on OpenSSH, there were people just like you saying that it did not seem like a good return on investment. Investment. Who are you to tell us how we should spend our time, and what we should do? If you don't LIKE IT, then do whatever you want. Well, obviously we want an upgrade to Apache 2, and an upgrade to Apache 3 when that comes out. If only you are not so selfish as to go on mountain climbing hikes, and satay eating binges, then you'll definitely have time to invest in upgrading to Apache v3! :) -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Re: zombies - solved
On 2008-03-12, Pete Vickers [EMAIL PROTECTED] wrote: If you want to serve http content via IPv6, then perhaps you can run httpd on your (IPv4) loopback interface, and have relayd listen on your public IPv6 interface, and forward requests over IPv4 to it ? Here's a better way: test the diffs at http://mini.vnode.ch/ and provide feedback.
Re: zombies - solved
bofh wrote: On Wed, Mar 12, 2008 at 11:58 AM, Theo de Raadt [EMAIL PROTECTED] wrote: A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series. I'm just curious what is in 2.x that you need, that is unavailable in 1.3? mod_proxy_balancer Jonathan -- Jonathan Weiss http://blog.innerewut.de
Re: OpenBSD with pf on a mini-ITX?
On Wed, Mar 12, 2008 at 07:52:15AM +0100, Andreas Bihlmaier wrote: On Tue, Mar 11, 2008 at 06:57:41PM +0100, Jordi Prats wrote: Hi all, Have anyone tried to run OpenBSD with pf on a Jetway J7F2 (or similar) motherboard to act as a firewall and do NAT? Any inputs will be welcome! Thanks, -- Jordi I'm using exactly this board (see dmesg below), a couple of things to note: - no sensors - if you use one of the addon gigabit ethernet boards, you'll need to apply the patch found in PR#5759, it seems that it will not make it into 4.3 thus re is busted for gigabit in 4.3-release. It looks like this fix was just committed and tagged as OPENBSD_4_3. It may not be on the cd but it should show up in -stable. -- Mark
Re: zombies - solved
Quoting Jonathan Weiss [EMAIL PROTECTED]: bofh wrote: On Wed, Mar 12, 2008 at 11:58 AM, Theo de Raadt [EMAIL PROTECTED] wrote: A fork does not seem like a good return on investment, so v 1.3.29 will probably go away sooner than later once the Apache Foundation drops maintenance on the 1.3 series. I'm just curious what is in 2.x that you need, that is unavailable in 1.3? mod_proxy_balancer Ok, you have a need for Apache 2.x. That does not mean that the Apache server in the base install needs to be updated. http://www.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd/ -- Tim Donahue This message was sent using IMP, the Internet Messaging Program.
IPv6 web servers (was Re: zombies - solved)
Markus Lude wrote: mbalmer@ posted a diff for IPv6 support for the base apache back last december: see http://mini.vnode.ch/ Excellent. What, in general, are the plans? (Any answer is fine.) Knowing more reduces the unnecessary questions, experiments and speculations that get in the way. My interest in this is having an IPv6 web server on OpenBSD so I can try an in-house IPv6 pilot sometime this year. The timeline for that is probably May or August. In general, it's preferable for me to follow -STABLE because the less I have to tweak the less likely I am to break something and the less custom documentation I need to provide to pass it on to others. I plan to rebuild for OBSD 4.3 in May, I'll try the IPv6 patch (or however it happens to be available) for 1.3 then. Going back to 1.3 will actually save me work and it's what I'm most familiar with already. Apache 2.2.x is in ports if you really need it. Some ports have an -ap2 flavor for that newer version. That's what I grabbed last autumn, but aside from IPv6 there's nothing needed that was/is specific to Apache 2. regards, -Lars
Re: What is WPA status in OpenBSD
I still have plans to continue the WPA work in the near future. No estimated time of arrival though, especially as I tend to become lazy as I get older. Damien | Dear All, | | I would love to use OpenBSD on my laptop but the problems is that most of | my work places use WPA encrypted wireless networks | | So what is a status of WPA support in OpenBSD? I know that a lot of people | ask about this. | | Last cvs commit I found with some work done with WPA is from 2007/08/22 | | http://marc.info/?l=openbsd-cvsm=118781535213730w=2 | | No active work with WPA in OpenBSD 4.3 or -current? | | P.S. I'm not waiting for a kind of reply like: WPA is bad - use VPN | tunnels ;) | | Thank you, | | - | Dominik Zalewski | System Administrator | OpenCraft | t- +2 02 3336 0003 | w- http://www.open-craft.com
sftp: Umlauts and Spaces in filenames
Hi, I need to transfer files via sftp (ssh ftp) from a Windows machine. These files may contain umlauts (öäü) and spaces. I made several tests and got stuck with the following: sftp [EMAIL PROTECTED]:'/file-withöüä.txt' works, but sftp [EMAIL PROTECTED]:'/file with spaces.txt' doesn't work. If I use the interactive sftp shell it's different: sftp [EMAIL PROTECTED] Connecting to windowsmachine.com [EMAIL PROTECTED]'s password: sftp get '/file with spaces.txt' works, but I am unable to enter umlauts in the interactive mode and when I copy and paste them they disappear. I need to create a script and because of the spaces problem I used expect.pm to trigger the interactive mode. Is there a way to make it work with latin1 characters (using FreeBSD, but I guess that shouldn't matter)? I can enter umlauts perfectly in the shell (bash here) and I've set LANG=de_DE.ISO8859-15 export LANG Am I missing something? Is there a chance to get this working? Best Regards, Benny
Re: sftp: Umlauts and Spaces in filenames
Apparently the umlauts in my mail got mangled by majordomo; I meant German latin1 characters, sometimes rewritten as 'ae', 'oe' and 'ue'. benny Hi, I need to transfer files via sftp (ssh ftp) from a Windows machine. These files may contain umlauts (öäü) and spaces. I made several tests and got stuck with the following: sftp [EMAIL PROTECTED]:'/file-withöüä.txt' works, but sftp [EMAIL PROTECTED]:'/file with spaces.txt' doesn't work. If I use the interactive sftp shell it's different: sftp [EMAIL PROTECTED] Connecting to windowsmachine.com [EMAIL PROTECTED]'s password: sftp get '/file with spaces.txt' works, but I am unable to enter umlauts in the interactive mode and when I copy and paste them they disappear. I need to create a script and because of the spaces problem I used expect.pm to trigger the interactive mode. Is there a way to make it work with latin1 characters (using FreeBSD, but I guess that shouldn't matter)? I can enter umlauts perfectly in the shell (bash here) and I've set LANG=de_DE.ISO8859-15 export LANG Am I missing something? Is there a chance to get this working? Best Regards, Benny
Re: zombies - solved
On Wed, Mar 12, 2008 at 12:19:18PM -0400, bofh wrote: | A fork does not seem like a good return on investment, so v 1.3.29 will | probably go away sooner than later once the Apache Foundation drops | maintenance on the 1.3 series. | | | I'm just curious what is in 2.x that you need, that is unavailable in 1.3? The only reason I run Apache 2 on my OpenBSD machine is IPv6. There's patches for 1.3, but for now we chose Apache 2. I know there's people working on integrating the v6 patches in OpenBSD and I hope those make it for 4.4, but we'll see how it goes. Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: sftp: Umlauts and Spaces in filenames
I ran a few tests, and OpenBSD seems perfectly capable of using those extended characters. Have you tried using double quotes? sftp [EMAIL PROTECTED]:"file with spaces and Umlauts.txt" That should work.. but, spaces and extended characters are so unclean in the Unix world, it was never designed to use them. -Nix Fan.
Re: Sensors support on proliant DL380 G2
So, SMBus. I've made a few attempts to get it to work, with precious little success... but that isn't really surprising seeing as I have no idea how to go about doing such a thing. I've fiddled with the BIOS settings with no appreciable effect, and I've tried using UKC to pass different flags to pcibios on the off chance that the bios itself isn't working correctly. Still no joy. I've tried looking at the piixpm source. The 'SM Bus disabled' message is displayed when the SMB host controller enabled bit isn't set in the device's PCI configuration registers, which seems kinda obvious. However, I have no idea where this configuration bit might be set. Would I be right in thinking it should be set by the BIOS? This would seem to imply that I'm kinda stuffed here. On Sun, Mar 9, 2008 at 2:41 AM, Constantine A. Murenin [EMAIL PROTECTED] wrote: On 08/03/2008, Ruan Kendall [EMAIL PROTECTED] wrote: So, I've tried both 4.2 and 4.3 snapshot on this slightly aged proliant I've obtained, and most things have worked very well but for the total absence of any sensor information. Is this because a) I've not done something terribly important that would enable it for me, b) because all the sensor stuff is hidden behind something like ACPI which isn't working on this machine or c) because there is no driver for the bit of hardware that handles all the sensor data? The various bits of server firmware and the bios have been updated to the most recent version, and the BIOS has been set up to boot as 'linux'. It currently looks like my only hope is to give up and use something like Centos 4 instead, but I'd rather not have to. I totally agree that sensors is the most important part of the OS, upon which OS selection should be made! Dmesg for a recent 4.3 snapshot. I also have MP and 4.2 dmesgs if they're likely to prove useful, which I assume they won't. 
-- OpenBSD 4.3 (GENERIC) #695: Tue Mar 4 14:28:56 MST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) III CPU - S 1400MHz (GenuineIntel 686-class) 1.40 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 1341730816 (1279MB) avail mem = 1287774208 (1228MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (38 entries) bios0: vendor Compaq version P24 date 05/01/2004 bios0: Compaq ProLiant DL380 G2 acpi0 at bios0: rev 0, can't enable ACPI bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xcc000/0x1800 0xee000/0x2000! cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 ServerWorks CNB20HE Host rev 0x23 pci1 at pchb0 bus 1 ppb0 at pci1 dev 3 function 0 Intel S21152BB PCI-PCI rev 0x00 pci2 at ppb0 bus 2 vga1 at pci2 dev 0 function 0 ATI Rage XL rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Compaq Netelligent ASMC rev 0x00 at pci2 dev 1 function 0 not configured vendor Compaq, unknown product 0x005a (class memory subclass miscellaneous, rev 0x00) at pci2 dev 2 function 0 not configured vendor Compaq, unknown product 0x00b1 (class memory subclass miscellaneous, rev 0x01) at pci2 dev 4 function 0 not configured pchb1 at pci0 dev 0 function 1 ServerWorks CNB20HE Host rev 0x01 pchb2 at pci0 dev 0 function 2 ServerWorks CNB20HE Host rev 0x01 pchb3 at pci0 dev 0 function 3 ServerWorks CNB20HE Host rev 0x01 pci3 at pchb3 bus 7 Compaq PCI Hotplug rev 0x12 at pci3 dev 7 function 0 not configured ciss0 at pci0 dev 1 function 0 Compaq Smart Array 5i/532 rev.2 rev 0x01: irq 3 ciss0: 1 LD, HW rev 1, FW 2.62/2.62 scsibus0 at ciss0: 1 targets sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.62 SCSI0 0/direct fixed sd0: 34719MB, 4426 cyl, 255 head, 63 sec, 512 bytes/sec, 71106240 sec total fxp0 at pci0 dev 2 
function 0 Intel 8255x rev 0x08, i82559: irq 5, address 00:08:02:58:58:9c inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4 fxp1 at pci0 dev 4 function 0 Intel 8255x rev 0x08, i82559: irq 7, address 00:08:02:58:58:9b inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4 Compaq Netelligent ASMC rev 0x00 at pci0 dev 6 function 0 not configured piixpm0 at pci0 dev 15 function 0 ServerWorks OSB4 rev 0x51: SMBus disabled It looks like SMBus is disabled on your box. If you can find a way to enable it, you'll have a somewhat higher chance of finding some sensors. Cheers, Constantine. pciide0 at pci0 dev 15 function 1 ServerWorks OSB4 IDE rev 0x00: DMA atapiscsi0 at pciide0 channel 0 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: COMPAQ, CD-ROM SN-124, N104 SCSI0 5/cdrom
Re: What is WPA status in OpenBSD
Hello, Is there a way to support this as a non-developer? Unfortunately I'm not a developer so I can't help with code, but if I can do something else let me know. Regards Hagen Volpers -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Damien Bergamini Sent: Wednesday, 12 March 2008 19:49 To: Dominik Zalewski Cc: misc@openbsd.org Subject: Re: What is WPA status in OpenBSD I still have plans to continue the WPA work in the near future. No estimated time of arrival though, especially as I tend to become lazy as I get older. Damien | Dear All, | | I would love to use OpenBSD on my laptop but the problems is that most of | my work places use WPA encrypted wireless networks | | So what is a status of WPA support in OpenBSD? I know that a lot of people | ask about this. | | Last cvs commit I found with some work done with WPA is from 2007/08/22 | | http://marc.info/?l=openbsd-cvsm=118781535213730w=2 | | No active work with WPA in OpenBSD 4.3 or -current? | | P.S. I'm not waiting for a kind of reply like: WPA is bad - use VPN | tunnels ;) | | Thank you, | | - | Dominik Zalewski | System Administrator | OpenCraft | t- +2 02 3336 0003 | w- http://www.open-craft.com
USB PCI card to buy: Belkin F5U220?
I have a new-to-me dual P-133 Tyan board with 4 PCI slots and some ISA slots. (see my low-MHz server thread) I'll be wanting to add USB to it. Checking Belkin's website, their current card is part# F5U220v1, Hi-Speed USB 2.0 5-Port PCI Card. I don't see it listed in the 4.2 install.i386. Which card would be recommended; would a different brand be recommended? Thanks, Doug.
Re: USB PCI card to buy: Belkin F5U220?
Depends on the chip. As far as I can tell from that photo, it's an NEC usb controller. The last add-on usb card I bought had an NEC controller and it worked well enough... On Wed, Mar 12, 2008 at 1:52 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote: I have a new-to-me dual P-133 Tyan board with 4 PCI slots and some ISA slots. (see my low-MHz server thread) I'll be wanting to add USB to it. Checking Belkin's website, their current card is part# F5U220v1, Hi-Speed USB 2.0 5-Port PCI Card. I don't see it listed in the 4.2 install.i386. Which card would be recommended; would a different brand be recommended? Thanks, Doug. -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: sftp: Umlauts and Spaces in filenames
Marc Rene Arns wrote: Hi, I need to transfer files via sftp (ssh ftp) from a Windows machine. These files may contain umlauts (öäü) and spaces. I made several tests and got stuck with the following: sftp [EMAIL PROTECTED]:'/file-withöüä.txt' works, but sftp [EMAIL PROTECTED]:'/file with spaces.txt' doesn't work. If I use the interactive sftp shell it's different: sftp [EMAIL PROTECTED] Connecting to windowsmachine.com [EMAIL PROTECTED]'s password: sftp get '/file with spaces.txt' works, but I am unable to enter umlauts in the interactive mode and when I copy and paste them they disappear. I need to create a script and because of the spaces problem I used expect.pm to trigger the interactive mode. Is there a way to make it work with latin1 characters (using FreeBSD, but I guess that shouldn't matter)? I can enter umlauts perfectly in the shell (bash here) and I've set LANG=de_DE.ISO8859-15 export LANG Am I missing something? Is there a chance to get this working? Best Regards, Benny It is up to the application to make the necessary translations. Formerly there were the DOS2Unix and such filters. WinXP, Linux and to a certain extent FreeBSD translate encodings with more or less success. Since I see you use Perl, have a look at man utf8(3p) Then, now part of the X distribution, there is the luit filter man luit(1) Not easy in a hybrid environment; for my part, I am blocked with tcl and NFSv3 complaining about incompatible character sets.
Credit temporarily blocked
Latest from Poste Italiane: Dear Customer, we have received notice of a credit of EUR 270 from UFFICIO POSTALE ROMA 12. The credit has been temporarily blocked because of an inconsistency in your details; you can now verify your details, after which the amount will be credited to your postal account. Log in to Poste.it: access the Poste.it online credits service and verify your details. Did you know that from today we offer twice as many services? We offer only secure, high-quality services. Kind regards, Poste Italiane. Group companies: Please do not reply to this e-mail message, as it will not be taken into consideration.
FIPS 140-2
Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable?
sftp logging using chroot internal-sftp in -current
Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does. The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp? Any help is appreciated. Thanks for your time. http://calomel.org/sftp_chroot.html

## /etc/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem sftp internal-sftp
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /ftp_jail

http://calomel.org/sftp_chroot.html -- Calomel @ http://calomel.org Open Source Research and Reference
Re: Sensors support on proliant DL380 G2
I did a search around and found something called SmartStart. Apparently it's a bootable configuration utility for your system that configures various settings in NVRAM. http://www.umpquanet.com/support/freebsd_setup.html --FreeBSD article related to your system... ftp://ftp.compaq.com/pub/products/Servers/supportsoftware/ZIP/ --Search for smartstart. http://people.freebsd.org/~jcagle/ --Random FreeBSD management utilities.. (Perhaps can be ported?). I also noticed a Linux diff related to ACPI... apparently ACPI was forced or something. -Nix Fan.
Re: zombies - half solved
Lars wrote: But the second question still stands, is there a generic way to prevent the formation of zombies? The cause in this specific case is a perl-based CGI script called by apache2. The easiest way might be to let perl auto-reap the children for you. It's as simple as prepending this line within the block that spawns the child processes: local $SIG{CHLD} = 'IGNORE'; # straight outa perlipc(1) One thing to watch out for though is that you may get weird side effects if you set this and then use system() in the same scope. If so, just use wait/waitpid instead (it's only a few more lines of code). -- Stephen Takacs [EMAIL PROTECTED] http://perlguru.net/ 4149 FD56 D078 C988 9027 1EB4 04CC F80F 72CB 09DA
Re: sftp: Umlauts and Spaces in filenames
So it must be a FreeBSD issue, sorry for the noise. I ran a few tests, and OpenBSD seems perfectly capable of using those extended characters. Have you tried using double quotes? I tried *everything* (backslash, double quotes, single quotes,...) BTW my ssh version is OpenSSH_4.5p1 FreeBSD-20061110 but I tried also openssh-portable-4.7.p1_1,1 from FreeBSD ports. sftp [EMAIL PROTECTED]:"file with spaces and Umlauts.txt" That should work.. but, spaces and extended characters are so unclean in the Unix world, it was never designed to use them. Yes, but we are not in the 70's of the last century anymore ;-) -Nix Fan.
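The scripting problem from this thread (spaces and umlauts in names fetched non-interactively), as an added example that is not code from any of the posters. Instead of driving the interactive prompt with expect, write the commands to a batch file and run `sftp -b FILE user@host`. sftp(1) parses each batch line with its own tokenizer, in which a double-quoted word may contain spaces and a backslash escapes a quote or backslash inside it (assumed to match current sftp; names containing a newline are not supported). The function names and the /var/incoming path are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build an sftp(1) batch file whose
# file names may contain spaces, quotes and non-ASCII bytes.

# sftp_quote NAME
# Print NAME as one double-quoted sftp word, escaping embedded " and \
# so sftp's tokenizer keeps the whole name together.
sftp_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# sftp_batch_get BATCHFILE LOCALDIR NAME...
# Write a batch file that changes into LOCALDIR and fetches each NAME.
# The bytes of NAME go to the server unchanged (the SFTP protocol carries
# raw bytes and OpenSSH does no conversion), so the batch file must be
# written in the encoding the server expects; LANG only affects your
# terminal, not the transfer.  An existing BATCHFILE is overwritten.
sftp_batch_get() {
    batch=$1
    dest=$2
    shift 2
    printf 'lcd %s\n' "$(sftp_quote "$dest")" > "$batch"
    for name in "$@"; do
        printf 'get %s\n' "$(sftp_quote "$name")" >> "$batch"
    done
}

# Example (assumed host and names):
#   sftp_batch_get /tmp/batch.txt /var/incoming \
#       'file with spaces.txt' 'Änderungen.txt'
#   sftp -b /tmp/batch.txt user@windowsmachine.com
```

Batch mode refuses to prompt, so it has to be used with key-based authentication; that is also the reason to prefer it over an expect script, which would have to carry the password in clear text.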
Is there a tool or a deamon that documented a change in the /etc directory?
The problem is clear, I think. But a simple example: You are an operator for, e.g., an OBSD firewall. Yesterday everything was ok. Today a person phoned me and wants me to open a tcp port for him. Ok, I open it. Tomorrow I notice problems that I never had before. But I have forgotten the newly opened port. Now it is nice to have a ChangeLog, because it is faster than restoring a backup.
Re: Is there a tool or a deamon that documented a change in the /etc directory?
On Thu, Mar 13, 2008 at 12:37:55AM +0100, Stephan Andreas wrote: The problem is clear, I think. But a simple example: You are an operator for e.g. a OBSD Firewall. Yesterday everything was ok, Today a person phoned me and want that I open a tcp port for him. Ok I open. Tomorrow, I notice problems that I never have had before. But I have forgotten the new open port. Now it is nice to have a ChangeLog. Because it is faster than restore an Backup. You have a good idea there, and you are lucky that a solution exists. Put your config files in cvs (or hg or svn). Last time this came up someone said they had a cron job to push the latest committed configs out to the machines periodically, which eventually helps you remember to check in your changes. ;-) -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: Is there a tool or a deamon that documented a change in the /etc directory?
On Thu, Mar 13, 2008 at 12:37:55AM +0100, Stephan Andreas wrote: The problem is clear, I think. But a simple example: You are an operator for e.g. a OBSD Firewall. Yesterday everything was ok, Today a person phoned me and want that I open a tcp port for him. Ok I open. Tomorrow, I notice problems that I never have had before. But I have forgotten the new open port. Now it is nice to have a ChangeLog. Because it is faster than restore an Backup. there was fairly recently a discussion about using rcs/cvs for configuration files in /etc. check the archives. -- [EMAIL PROTECTED] SDF Public Access UNIX System - http://sdf.lonestar.org
Re: Is there a tool or a deamon that documented a change in the /etc directory?
Stephan Andreas wrote: The problem is clear, I think. But a simple example: You are an operator for e.g. a OBSD Firewall. Yesterday everything was ok, Today a person phoned me and want that I open a tcp port for him. Ok I open. Tomorrow, I notice problems that I never have had before. But I have forgotten the new open port. Now it is nice to have a ChangeLog. Because it is faster than restore an Backup. ...and more productive, as you may be able to see what is wrong, rather than simply roll back to what was... This functionality is built into and turned on by default in OpenBSD. If you set up the root user's e-mail to forward or otherwise be delivered to your inbox every morning, you will find this is already being done for you. If you didn't do this, you have a pile of these things waiting for you to read through in /var/mail/root. Every night, as part of the /etc/daily script, it looks for changes to the files listed in /etc/changelist, and stores a backup of those files. If it finds a change, it mails you a diff of that file in an insecurity report. If you keep those, you have a very good record of the history of changes on your machine. Ta-da! Just what you asked for, by simply creating a /root/.forward with just your e-mail address in it. :) Within a few days, you will be reinventing this on every Unix machine you work with. That being said... I'm also fond of this little entry in my /etc/daily.local file: TGZFILE=/backup/`date +backup%Y-%m-%d`.tgz cd / tar czf $TGZFILE etc var On firewalls and DNS servers I have done this with, you get many YEARS of these backup files on the spare space on a 40G drive. Another trick that works well for firewalls is to have a script which you use to synchronize the pf.conf (and other) files between machines. 
I wrote one which: * did a diff -u against the other machine * Recorded that diff into a file, tossed the user into an editor to both review and explain/document the diff * Saved that file to /bkup/history * copy the compared files AND the change log file to the other machine and install them * run pfctl -f on that other machine. (this was all done in shell script and base tools, no packages were added to the machine) Yes, you could say I reinvented cvs for this, but I liked this specialized script over a general CMS for a few reasons, including the fact it stuffed the diff in your face and had it there while you were making the change message, and I found the dated change files much easier to grep through when looking for when something changed and why. Nick.
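The two mechanisms described in the post above, the nightly changelist check (keep a copy of each listed file, report a diff when it changes) and the "show the diff, record it with a message" step of the pf.conf sync script, as one added example in plain sh. This is not OpenBSD's /etc/security and not Nick's script; the list file, backup directory and log file are whatever you pass in, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal changelist-style tracker
# that doubles as the ChangeLog the original question asks for.

# track_changes LISTFILE BACKUPDIR LOGFILE [MESSAGE]
# LISTFILE names one file per line (blank lines and "#" comments are
# ignored), like /etc/changelist.  BACKUPDIR holds the last-seen copy of
# each file, mirroring its path.  Every new or changed file is appended to
# LOGFILE as a dated entry with a unified diff and MESSAGE.
# Returns 0 if nothing changed, 1 if at least one file was new or changed.
track_changes() {
    list=$1
    backup=$2
    log=$3
    msg=${4:-"(no message)"}
    changed=0
    stamp=$(date +%Y-%m-%dT%H:%M:%S)
    while IFS= read -r f; do
        case $f in ''|\#*) continue ;; esac
        [ -e "$f" ] || continue            # like /etc/security: skip missing files
        old="$backup/$f"
        if [ ! -e "$old" ]; then
            # First time we see this file: keep a copy and record that.
            mkdir -p "$(dirname "$old")"
            cp -p "$f" "$old"
            printf '==== %s NEW %s: %s\n' "$stamp" "$f" "$msg" >> "$log"
            changed=1
        elif ! cmp -s "$old" "$f"; then
            # Changed since the last run: log the diff, then refresh the copy.
            {
                printf '==== %s CHANGED %s: %s\n' "$stamp" "$f" "$msg"
                diff -u "$old" "$f"
            } >> "$log"
            cp -p "$f" "$old"
            changed=1
        fi
    done < "$list"
    return $changed
}

# Typical use (assumed paths).  Nightly, from /etc/daily.local:
#   track_changes /etc/changelist /var/backups/track /var/log/etc-changes.log
# Or right after editing a rule set, with the reason you will otherwise
# have forgotten by tomorrow:
#   track_changes /etc/changelist /var/backups/track /var/log/etc-changes.log \
#       "open tcp/8080 for Bob's test box" && echo "no changes recorded"
```

The log file answers "what changed, when, and why" with a single grep, which is the point Nick makes about preferring the dated diff files to a general version control system; the nightly run still catches edits made without a message, since those show up as an entry with "(no message)".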
jetway board sensors (Fintek F71805F)
Mr. Bihlmaier mentioned that there is no support for the sensors on the Jetway J7F2 boards. I have written a driver for the Fintek F71805F found on some of those boards. It is a modification of the LM78 driver (lm78.c), here: http://www.oat.com/fintek Several people have used it in 4.2. Since lm78.c hasn't changed for 4.3, this shouldn't need to either. I do not assert that the code is in a format acceptable to the OpenBSD team. It appears to work and have no significant failings beyond those already present in lm78.c
Re: jetway board sensors (Fintek F71805F)
On Wed, Mar 12, 2008 at 8:45 PM, Geoff Steckel [EMAIL PROTECTED] wrote: Mr. Bihlmaier mentioned that there is no support for the sensors on the Jetway J7F2 boards. I have written a driver for the Fintek F71805F found on some of those boards. It is a modification of the LM78 driver (lm78.c), here: http://www.oat.com/fintek Several people have used it in 4.2. Since lm78.c hasn't changed for 4.3, this shouldn't need to either. I do not assert that the code is in a format acceptable to the OpenBSD team. It appears to work and have no significant failings beyond those already present in lm78.c It's hard to look at codes that are 404 compliant... :) -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Re: What is WPA status in OpenBSD
On Wed, Mar 12, 2008 at 09:32:45PM +0100, openbsd misc wrote: Hello, I there a way to support as non-developer ... Unfortunally I'm not a developer so I can't help code, but if I can do something else let me know. you could always offer to pay damien for his development time. -- Mathieu Sauve-Frankel
Re: FIPS 140-2
On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote: Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable? No. Furthermore, there are no FIPS 140-2 certified bits - it is an entire package that is certified, you don't get to pick and choose. -d
Re: sftp logging using chroot internal-sftp in -current
On Wed, 12 Mar 2008, Calomel wrote: Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does. The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp? Yes. You should be able to have syslogd(8) listen on /dev/log inside the chroot to make messages from the internal sftp-server visible. -d
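What the reply above describes, as an added example in sh (not code from the thread or from OpenSSH): the two things that usually go wrong with a chrooted internal-sftp are the ChrootDirectory ownership and permission rules, which sshd enforces on every component of the path, and the missing /dev/log inside the jail. The path /ftp_jail comes from the question and the `syslogd -a socket` flag from OpenBSD's syslogd(8); the function names, the rc.conf.local line and the wheel group are my assumptions. Current OpenSSH also accepts a log level on the subsystem line (`Subsystem sftp internal-sftp -l INFO`); whether the March 2008 -current build did is exactly what the question asks, so the example does not rely on it.

```shell
#!/bin/sh
# Added example, not from the thread: check a ChrootDirectory path the way
# sshd does, and give a chrooted internal-sftp a /dev/log to talk to.

# check_chroot_component PATH [UID]
# One component of a ChrootDirectory path must be owned by UID (default 0,
# root) and must not be writable by group or others, or sshd refuses the
# login with "bad ownership or modes for chroot directory".  ls -ldn is
# used because its output is the same on OpenBSD and Linux.
check_chroot_component() {
    p=$1
    want=${2:-0}
    info=$(ls -ldn "$p" 2>/dev/null) || { echo "$p: cannot stat"; return 1; }
    set -- $info
    mode=$1
    uid=$3
    if [ "$uid" != "$want" ]; then
        echo "$p: owned by uid $uid, must be uid $want"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)          # group write bit or other write bit set
            echo "$p: mode $mode is group- or world-writable"
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [UID]
# Walk every component below "/" (the root directory itself is assumed to
# be root-owned and mode 755).  Reports every bad component, not just the
# first, and returns 1 if any is wrong.
check_chroot_path() {
    dir=$1
    want=${2:-0}
    case $dir in /*) ;; *) dir=$PWD/$dir ;; esac
    cur=""
    status=0
    oldifs=$IFS
    IFS=/
    set -- $dir
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_chroot_component "$cur" "$want" || status=1
    done
    return $status
}

# enable_chroot_syslog JAIL
# Create JAIL/dev and tell syslogd to open an extra socket at JAIL/dev/log
# (syslogd -a, see syslogd(8)).  Must run as root.  The socket only appears
# once syslogd is restarted with the new flags (kill it and start it again,
# or "rcctl restart syslogd" on current OpenBSD).  Assumes rc.conf.local has
# no syslogd_flags line yet; merge by hand if it does.
enable_chroot_syslog() {
    jail=$1
    mkdir -p "$jail/dev"
    chown root:wheel "$jail/dev"
    chmod 755 "$jail/dev"
    if ! grep -q "syslogd_flags=.*-a $jail/dev/log" /etc/rc.conf.local 2>/dev/null; then
        echo "syslogd_flags=\"-a $jail/dev/log\"" >> /etc/rc.conf.local
    fi
    echo "restart syslogd to create $jail/dev/log"
}

if [ $# -ge 1 ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

Run the script with the jail path as its only argument to check it before touching sshd_config; once syslogd owns a socket inside the jail, sftp-server's syslog(3) calls from inside the chroot reach the same log as everything else, which is what makes the transfer and directory activity visible.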
Re: FIPS 140-2
On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
> > Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable?
>
> No. Furthermore, there are no FIPS 140-2 certified bits - it is an entire
> package that is certified, you don't get to pick and choose.

However, if you can find a FIPS 140-2 certified cryptographic accelerator
that OpenSSL will use (and most of those supported by OpenBSD will fall into
this category), OpenSSH will be using it as well, and you can then
presumably put FIPS 140-2* on your product materials or audit questionnaire
or what have you.

-Ryan

* With some fine print disclaimer to ensure that nobody accuses you of
claiming FIPS compliance for the whole system, of course.
Re: jetway board sensors (Fintek F71805F)
bofh wrote:
> On Wed, Mar 12, 2008 at 8:45 PM, Geoff Steckel [EMAIL PROTECTED] wrote:
> > Mr. Bihlmaier mentioned that there is no support for the sensors on the
> > Jetway J7F2 boards. I have written a driver for the Fintek F71805F found
> > on some of those boards. It is a modification of the LM78 driver
> > (lm78.c), available here: http://www.oat.com/fintek
> > Several people have used it in 4.2. Since lm78.c hasn't changed for 4.3,
> > this shouldn't need to either. I do not assert that the code is in a
> > format acceptable to the OpenBSD team. It appears to work and have no
> > significant failings beyond those already present in lm78.c
>
> It's hard to look at codes that are 404 compliant... :)

Hmmm... that's true :-(

try http://www.oat.com/ot/fintek/ instead. That might get something in the
200s.
Re: FIPS 140-2
Ryan,

You're right about the entire package needing to be FIPS 140-2 certified.
Also, the other key component here is what algorithms/components the system
is FIPS 140-2 certified for, such as 3DES, TLS, SSL, RNG, or AES.

However, if you're attempting to do CA on a system, keep in mind that the
other important issue is interfacing components. What good is an OpenBSD
system running with a FIPS 140-2 certified cryptographic component handling
SSL and SSH (using AES-256) if the interfacing systems aren't also
well-protected, and your applications running on the system don't have
safeguards against malicious usage? It's a nice check box for most auditors,
but it doesn't make your entire system more secure, and never will :).

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan McBride
Sent: Wednesday, March 12, 2008 10:04 PM
To: misc@openbsd.org
Subject: Re: FIPS 140-2

On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
> > Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable?
>
> No. Furthermore, there are no FIPS 140-2 certified bits - it is an entire
> package that is certified, you don't get to pick and choose.

However, if you can find a FIPS 140-2 certified cryptographic accelerator
that OpenSSL will use (and most of those supported by OpenBSD will fall into
this category), OpenSSH will be using it as well, and you can then
presumably put FIPS 140-2* on your product materials or audit questionnaire
or what have you.

-Ryan

* With some fine print disclaimer to ensure that nobody accuses you of
claiming FIPS compliance for the whole system, of course.
Re: FIPS 140-2
> What good is an OpenBSD system running with a FIPS 140-2 certified
> cryptographic component handling SSL and SSH (using AES-256) if the
> interfacing systems aren't also well-protected, and your applications
> running on the system don't have safeguards against malicious usage?

You're right -- better go back to Windows running FIPS 140-2 certified
components

I'm very very cynical about FIPS.