Re: 4.3 song and lyrics and commentary

2008-04-10 Thread Leonardo Rodrigues
Yeah, that was a long thread. Quite funny too hehe.

It's good to see that the artwork is as good as ever =)
Keep up the good job!



Re: 4.3 song and lyrics and commentary

2008-04-10 Thread Todd Alan Smith
On Fri, Apr 11, 2008 at 12:08 AM, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> Twice a year I get to release the song & lyrics, and write a little
>  commentary on something the project dealt with over the release.
>
>  Hope you guys enjoy.

And that I have! I've already downloaded it and listened to it several
times. Excellent song!

Btw, already that thread was burned into my memory (I was recovering
from back surgery when it took place), but now, with this song, the
thread and the broader issues covered are archived in a different way
for all to remember it by. Good job on the subject selection!

I can't wait for my 4.3 CDs to arrive!



4.3 song and lyrics and commentary

2008-04-10 Thread Theo de Raadt
Twice a year I get to release the song & lyrics, and write a little
commentary on something the project dealt with over the release.

Hope you guys enjoy.

 http://www.openbsd.org/lyrics.html



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-10 Thread Matthew Dempsky
On Thu, Apr 10, 2008 at 2:33 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>  Problem is, a carp interface is not interested in the state of the
>  syncdev, it is interested in the state of its own carpdev (since
>  multiple carp interfaces on a machine are independent). And carpdev
>  usually faces a switch, so it stays up.

I didn't mean it would monitor the state of its own carpdev, but that
you'd be able to set an extra watchdev (or whatever) that it would
watch.



Re: Resampling? [was: "VIA Announces..."]

2008-04-10 Thread Stuart Henderson
On 2008-04-10, Zbigniew Baniewski <[EMAIL PROTECTED]> wrote:
> I would like to ask about the issue to be found under Linux - is it valid for
> OpenBSD's "audio" too?

No, OpenBSD doesn't resample.


> http://www.diyaudio.com/forums/showthread.php?threadid=93315
>
> "The latest versions of ALSA which are included with Ubuntu Edgy, and I
> think Dapper Drake as well, will resample all audio to 48kHz if your
> soundcard does not support hardware mixing. This is also true if the driver
> doesn't support hardware mixing. As far as I can tell, there is absolutely
> no support for hardware mixing with any of the Envy24 chips in Linux. The
> problem with this resampling is that by default ALSA uses a poor resampling
> algorithm to save CPU usage, and destroys the quality of everything played
> back. ALSA uses this software mixing and resampling in order to let more
> than one application play audio at the same time. I have found a solution to
> the audio quality issue however. [..]"



Re: CARP and pfsync weird behaviour

2008-04-10 Thread Jason Dixon

I was implying that you should enable ACPI and try again.

-J.

On Apr 10, 2008, at 7:08 PM, "openbsd firewall" <[EMAIL PROTECTED]> wrote:

> Hello,
>
> It's booting with default behaviour so no ACPI enabled.
> Here's dmesg output for the backup node (master is exactly the same
> hardware).

Re: CARP and pfsync weird behaviour

2008-04-10 Thread openbsd firewall
Hello,

It's booting with default behaviour so no ACPI enabled.
Here's dmesg output for the backup node (master is exactly the same
hardware).

Apr 10 17:40:23 bbq /bsd: OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44
MDT 2007
Apr 10 17:40:23 bbq /bsd: [EMAIL PROTECTED]:
/usr/src/sys/arch/i386/compile/GENERIC
Apr 10 17:40:23 bbq /bsd: cpu0: Dual-Core AMD Opteron(tm) Processor 1210 HE
("AuthenticAMD" 686-class, 1024KB L2 cache) 1.80 GHz
Apr 10 17:40:23 bbq /bsd: cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16
Apr 10 17:40:23 bbq /bsd: real mem  = 2146988032 (2047MB)
Apr 10 17:40:23 bbq /bsd: avail mem = 2068418560 (1972MB)
Apr 10 17:40:23 bbq /bsd: mainbus0 at root
Apr 10 17:40:23 bbq /bsd: bios0 at mainbus0: AT/286+ BIOS, date 02/08/08,
BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xfbb50 (50 entries)
Apr 10 17:40:23 bbq /bsd: bios0: vendor American Megatrends Inc. version
"080011 " date 02/08/2008
Apr 10 17:40:23 bbq /bsd: bios0: Supermicro H8SSL-I2
Apr 10 17:40:23 bbq /bsd: pcibios0 at bios0: rev 2.1 @ 0xf/0x1
Apr 10 17:40:23 bbq /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @
0xf4d40/176 (9 entries)
Apr 10 17:40:23 bbq /bsd: pcibios0: no compatible PCI ICU found: ICU vendor
0x1166 product 0x0205
Apr 10 17:40:23 bbq /bsd: pcibios0: PCI bus #3 is the last bus
Apr 10 17:40:23 bbq /bsd: bios0: ROM list: 0xc/0xb000 0xcb000/0x3000!
0xce000/0x1600 0xcf800/0x1600 0xd1000/0x1000
Apr 10 17:40:23 bbq /bsd: acpi at mainbus0 not configured
Apr 10 17:40:23 bbq /bsd: cpu0 at mainbus0
Apr 10 17:40:23 bbq /bsd: pci0 at mainbus0 bus 0: configuration mode 1 (no
bios)
Apr 10 17:40:23 bbq /bsd: ppb0 at pci0 dev 1 function 0 "ServerWorks HT-1000
PCI" rev 0x00
Apr 10 17:40:23 bbq /bsd: pci1 at ppb0 bus 1
Apr 10 17:40:23 bbq /bsd: ppb1 at pci1 dev 13 function 0 "ServerWorks
HT-1000 PCIX" rev 0xb2
Apr 10 17:40:23 bbq /bsd: pci2 at ppb1 bus 2
Apr 10 17:40:23 bbq /bsd: ppb2 at pci2 dev 1 function 0 "Pericom PI7C21P100
PCIX-PCIX" rev 0x01
Apr 10 17:40:23 bbq /bsd: pci3 at ppb2 bus 3
Apr 10 17:40:23 bbq /bsd: em0 at pci3 dev 4 function 0 "Intel PRO/1000MT QP
(82546GB)" rev 0x03: irq 7, address 00:1b:21:10:16:d0
Apr 10 17:40:23 bbq /bsd: em1 at pci3 dev 4 function 1 "Intel PRO/1000MT QP
(82546GB)" rev 0x03: irq 9, address 00:1b:21:10:16:d1
Apr 10 17:40:23 bbq /bsd: em2 at pci3 dev 6 function 0 "Intel PRO/1000MT QP
(82546GB)" rev 0x03: irq 9, address 00:1b:21:10:16:d2
Apr 10 17:40:23 bbq /bsd: em3 at pci3 dev 6 function 1 "Intel PRO/1000MT QP
(82546GB)" rev 0x03: irq 9, address 00:1b:21:10:16:d3
Apr 10 17:40:23 bbq /bsd: bge0 at pci2 dev 3 function 0 "Broadcom BCM5704C"
rev 0x10, BCM5704 B0 (0x2100): irq 9, address 00:30:48:63:66:70
Apr 10 17:40:23 bbq /bsd: brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT
PHY, rev. 0
Apr 10 17:40:23 bbq /bsd: bge1 at pci2 dev 3 function 1 "Broadcom BCM5704C"
rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:30:48:63:66:71
Apr 10 17:40:23 bbq /bsd: brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT
PHY, rev. 0
Apr 10 17:40:23 bbq /bsd: pciide0 at pci1 dev 14 function 0 "ServerWorks
HT-1000 SATA" rev 0x00: DMA
Apr 10 17:40:23 bbq /bsd: pciide0: using irq 11 for native-PCI interrupt
Apr 10 17:40:23 bbq /bsd: pciide0: port 0: device present, speed: 1.5Gb/s
Apr 10 17:40:23 bbq /bsd: wd0 at pciide0 channel 0 drive 0:

Apr 10 17:40:23 bbq /bsd: wd0: 16-sector PIO, LBA48, 78533MB, 160836480
sectors
Apr 10 17:40:23 bbq /bsd: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode
5
Apr 10 17:40:23 bbq /bsd: pciide0: port 1: PHY offline
Apr 10 17:40:23 bbq /bsd: pciide0: port 2: PHY offline
Apr 10 17:40:23 bbq /bsd: pciide0: port 3: PHY offline
Apr 10 17:40:23 bbq /bsd: pciide1 at pci1 dev 14 function 1 "ServerWorks
HT-1000 SATA" rev 0x00
Apr 10 17:40:23 bbq /bsd: piixpm0 at pci0 dev 2 function 0 "ServerWorks
HT-1000" rev 0x00: polling
Apr 10 17:40:23 bbq /bsd: iic0 at piixpm0

Re: CARP and pfsync weird behaviour

2008-04-10 Thread Jason Dixon

Is ACPI enabled?

-J.

On Apr 10, 2008, at 6:07 PM, "openbsd firewall" <[EMAIL PROTECTED]> wrote:

> Hello,
>
> This got even more interesting. After reading your email I had the idea to
> start turning off the various carp interfaces to see what would be the
> effect.



Re: envy24-based card for OpenBSD [was: "VIA Announces..."]

2008-04-10 Thread Zbigniew Baniewski
Maybe someone will find it useful:

http://www.via.com.tw/en/products/audio/partners/partners_envy24.jsp
-- 
pozdrawiam / regards

Zbigniew Baniewski



Resampling? [was: "VIA Announces..."]

2008-04-10 Thread Zbigniew Baniewski
I would like to ask about the issue to be found under Linux - is it valid for
OpenBSD's "audio" too?

http://www.diyaudio.com/forums/showthread.php?threadid=93315

"The latest versions of ALSA which are included with Ubuntu Edgy, and I
think Dapper Drake as well, will resample all audio to 48kHz if your
soundcard does not support hardware mixing. This is also true if the driver
doesn't support hardware mixing. As far as I can tell, there is absolutely
no support for hardware mixing with any of the Envy24 chips in Linux. The
problem with this resampling is that by default ALSA uses a poor resampling
algorithm to save CPU usage, and destroys the quality of everything played
back. ALSA uses this software mixing and resampling in order to let more
than one application play audio at the same time. I have found a solution to
the audio quality issue however. [..]"
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: CARP and pfsync weird behaviour

2008-04-10 Thread openbsd firewall
Hello,

This got even more interesting. After reading your email I had the idea to
start turning off the various carp interfaces to see what would be the
effect.
I have two onboard "Broadcom BCM5704C" and an "Intel PRO/1000MT QP (82546GB)"
quad nic.
One carp is configured for one onboard nic and two other for the quad nic.
I removed the two carps for the quad nic at backup node and rebooted it a
few times. There are no failures in iperf test (I used a long time to make
sure it was always running between all the tests) which is the same as your
tests and normal expected result.
Removing the onboard carp and activating both or one of the quad nic carps
gives the failures I reported previously. Without pfsync active in the
master node, I get a small failure in iperf tests while the backup node is
coming back. If I activate pfsync, I get the same small failure plus
sometimes a total mess up of iperf connection states.
So it seems the problem is happening with the quad nic. I don't see any
performance problems with the quad nic because I left iperf running for 2
days without any problem. CPU usage in interrupts is around 15% and load
0.20 while doing tests. The firewall is still not in production, so only
traffic is only my test and internet junk being dropped.
Kernel is GENERIC 4.2 without any patches (I don't see any of them relevant
to this problem). I doubt about any hardware problems because the same
happens if I exchange their roles as master and backup.

I can't understand how the backup node can generate these results with a
reboot. While writing this I remembered to do another test. I destroyed the
quad nic carps (with ifconfig carpX destroy) and then brought them back with
sh /etc/netstart. Iperf keeps running smoothly this time... Master node
receives the bulk update requests without any problems. Did this a few times
and nothing happened.
Even more weird now !!! Something is being done while those interfaces got
up for the first time after the reboot!
Any ideas ?

Thanks,
John

On 10/04/2008, Calomel <[EMAIL PROTECTED]> wrote:
>
> John,
>
> I ran a test using iperf on an external openbsd system (client) through a
> carp
> firewall to an internal openbsd system (server). All systems are running
> OpenBSD v4.2 with the latest patches.
>
>   external                     ---> CARP --->   internal
> (iperf -i 1 -t 600 -c carp0)                    (iperf -s)
>
> I did _not_ see any slow down through the MASTER when I rebooted the
> BACKUP
> server. For example, I started the reboot of the BACKUP at 5 seconds and
> the BACKUP finished rebooting at 102 seconds:
>
> [  3]  1.0- 2.0 sec  81.2 MBytes  681 Mbits/sec
> [  3]  2.0- 3.0 sec  82.3 MBytes  690 Mbits/sec
> [  3]  3.0- 4.0 sec  83.8 MBytes  703 Mbits/sec
> [  3]  4.0- 5.0 sec  86.6 MBytes  727 Mbits/sec -- start reboot
> [  3]  5.0- 6.0 sec  86.8 MBytes  728 Mbits/sec
> [  3]  6.0- 7.0 sec  86.3 MBytes  724 Mbits/sec
> [  3]  7.0- 8.0 sec  82.8 MBytes  695 Mbits/sec
> [  3]  8.0- 9.0 sec  86.7 MBytes  728 Mbits/sec
> [  3]  9.0-10.0 sec  85.8 MBytes  720 Mbits/sec
> [  3] 10.0-11.0 sec  86.1 MBytes  722 Mbits/sec
>
> cut
>
> [  3] 96.0-97.0 sec  83.4 MBytes  699 Mbits/sec
> [  3] 97.0-98.0 sec  82.4 MBytes  692 Mbits/sec
> [  3] 98.0-99.0 sec  81.9 MBytes  687 Mbits/sec
> [  3] 99.0-100.0 sec  84.7 MBytes  710 Mbits/sec
> [  3] 100.0-101.0 sec  83.3 MBytes  699 Mbits/sec
> [  3] 101.0-102.0 sec  83.7 MBytes  702 Mbits/sec -- finished reboot
> [  3] 102.0-103.0 sec  83.3 MBytes  699 Mbits/sec
> [  3] 103.0-104.0 sec  83.6 MBytes  701 Mbits/sec
> [  3] 104.0-105.0 sec  85.3 MBytes  716 Mbits/sec
> [  3] 105.0-106.0 sec  83.4 MBytes  699 Mbits/sec
>
> I also did not see any errors in the logs of either system running iperf
> or on the firewalls. The load on the MASTER firewall was around 0.30.
>
> Are the firewalls kernel patched? Are there any hardware failures to
> report? Are the firewalls overloaded?
>
> You are welcome to check out some of the "how to's" I have at
> http://calomel.org if you need to.
>
>
> --
>   Calomel @ http://calomel.org
>   Open Source Research and Reference



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-10 Thread Stuart Henderson
On 2008-04-10, Matthew Dempsky <[EMAIL PROTECTED]> wrote:
> Assuming this is really a problem, could CARP use interface link state
> to speed up fail-over?  E.g., if the common setup is two routers with
> a direct Ethernet cable for pfsync and the common failure scenario is
> power failure (or at least something that brings down the pfsync
> device interface), when one router fails, the other could detect the
> link state change and then try to more aggressively contact the master
> before timing out and taking over.

Problem is, a carp interface is not interested in the state of the
syncdev, it is interested in the state of its own carpdev (since
multiple carp interfaces on a machine are independent). And carpdev
usually faces a switch, so it stays up.



envy24-based card for OpenBSD [was: "VIA Announces..."]

2008-04-10 Thread Zbigniew Baniewski
Found it - looks good, but it's an expensive one  :/  what do you think about
those other chips? Are they supported presently?

http://www.digit-life.com/articles/maudioaudiophile/

* main chip - multichannel PCI controller ENVY24 from IC Ensemble;
* I2S stereo codec AKM AK4528VF with the 24bit/96kHz DAC and ADC;
* CS8427 digital transceiver;

Also: http://www25.big.jp/~jam/audiocard/audiophile/
-- 
pozdrawiam / regards

Zbigniew Baniewski



EUSecWest CFP Closes April 14th (conf May 21/22 2008)

2008-04-10 Thread Dragos Ruiu
(We've moved the conference this year to a club
in Leicester Square in the heart of London and SoHo.
We'll be putting speakers up across the square at the
Radisson Edwardian Hampshire, but there are lots of
hotels in the region there in the center of London
for those who want to attend (the venue is physically
on top of a tube station on Circle line so easy to get to).
Registration is now open and we hope to have the
Dojo registrations on-line by this weekend. The conference
is on Wednesday/Thursday, which leaves Friday to fly
to Berlin for those going to ph-n. cheers, --dr)

EUSecWest CALL FOR PAPERS

   LONDON, U.K. -- The second annual EUSecWest applied technical
   security conference - where the eminent figures in the
   international security industry will get together to share best
   practices and technology - will be held in downtown London at
   the Sound club in Leicester Square on May 21/22 2008. The most
   significant new discoveries about computer network hack attacks
   and defenses, commercial security solutions, and pragmatic real
   world security experience will be presented in a series of
   informative tutorials.

   The EUSecWest meeting provides international researchers a
   relaxed, comfortable environment to learn from informative
   tutorials on key developments in security technology, and
   collaborate and socialize with their peers in one of the
   world's most central cities.

   The EUSecWest conference will also feature the availability of
   the Security Masters Dojo expert network security sensei
   instructors, and their advanced, and intermediate, hands-on
   training courses - featuring small class sizes and practical
   application exercises to maximize information transfer.

   We would like to announce the opportunity to submit papers,
   lightning talk proposals for selection by the EUSecWest
   technical review committee.

   Please make your paper proposal submissions before April 14th,
   2008.

   Some invited papers have been confirmed, but a limited number
   of speaking slots are still available. The conference is
   responsible for travel and accommodations for the speakers. If
   you have a proposal for a tutorial session then please email a
   synopsis of the material and your biography, papers and,
   speaking background to secwest08 [at] eusecwest.com . Only
   slides will be needed for the May paper deadline, full text
   does not have to be submitted - but will be accepted if
   available.

   The EUSecWest 2008 conference consists of tutorials on
   technical details about current issues, innovative techniques
   and best practices in the information security realm. The
   audiences are a multi-national mix of professionals involved on
   a daily basis with security work: security product vendors,
   programmers, security officers, and network administrators. We
   give preference to technical details and new education for a
   technical audience.

   The conference itself is a single track series of presentations
   in a lecture theater environment. The presentations offer
   speakers the opportunity to showcase on-going research and
   collaborate with peers while educating and highlighting
   advancements in security products and techniques. The focus is
   on innovation, tutorials, and education instead of product
   pitches. Some commercial content is tolerated, but it needs to
   be backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or detailing
   significant new technology in the products.

   Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of
   origin/passport) and contact info (e-mail, postal address,
   phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
   experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
   description.
6. Reason why this material is innovative or significant or an
   important tutorial.
7. Optionally, any samples of prepared material or outlines
   ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where
   this material has been or will be published/submitted.

   Please include the plain text version of this information in
   your email as well as any file, pdf, sxw, ppt, or html
   attachments.

   Please forward the above information to secwest08 [at]
   eusecwest.com to be considered for placement on the speaker
   roster, have your lightning talk scheduled.

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   May 21/22 - 2008   http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp



Re: "VIA Announces Strategic Open Source Driver Development Initiative"

2008-04-10 Thread Zbigniew Baniewski
On Thu, Apr 10, 2008 at 10:25:50PM +0200, Alexandre Ratchov wrote:

> well, if both codecs and the digital chip are well documented, how
> they are connected is not too hard to guess. There's an EEPROM that
> gives hints.

You're right: "if".  ;)

But found some more info about the other chips:
http://wiki.hydrogenaudio.org/index.php?title=Chaintech_AV-710

> > > afaik, these cards are based on envy24ht, not envy24.
> > 
> > What do you think about (much cheaper) Chaintech AV-710? There's a version
> > with envy24... perhaps someone's using this under OpenBSD?
> > 
> > http://icrontic.com/articles/chaintech_av710_71_audio_card_review
> > http://techgage.com/article/chaintech_av-710_71_sound_card/
> > http://www.sudhian.com/index.php?/articles/show/654
> >
> 
> according to the second link, it uses envy24HT so it will not work
> with the current envy(4) driver. FYI envy24 is also known as VT1712
> or ICE1712. Esi-julia and AV-710 seem to use the VT1721.

Perhaps I misunderstood that test at "icrontic" - there was a comparison of
the chips, and this was suggesting, that there are four versions of the
card; probably wrong conclusion.

The testers are publishing somewhat contradictory information: e.g. on the
page:  http://techgage.com/article/chaintech_av-710_71_sound_card

First you'll find: "VIA ENVY 24PT", several verses down a remark: "The heart
of the card is the Envy24 HT-S Chipset" - with a photo on the side. A photo
of... ENVY 24PT. Immediately below - image of ENVY 24HT-S.   :-O

What a pity; the card has quite good reviews. OK, must look further...
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: Problems reading audio cdrom on 4.2 sparc64

2008-04-10 Thread Stijn

Jacob Meuser wrote:
> On Thu, Apr 10, 2008 at 04:57:29PM +0200, Hannah Schroeter wrote:
>> Hi!
>>
>> On Wed, Apr 09, 2008 at 05:49:57PM +, Jacob Meuser wrote:
>>> On Wed, Apr 09, 2008 at 06:25:53PM +0200, Hannah Schroeter wrote:
>>>> On Wed, Apr 09, 2008 at 03:47:26PM +, Stuart Henderson wrote:
>>>>> On 2008-04-09, Unix Fan <[EMAIL PROTECTED]> wrote:
>>>>>> If you want to dump the contents into PCM audio, look in the
>>>>>> ports.. install "cdrtools" and use the "cdda2wav" application.
>>>>>
>>>>> No need for 3rd party software for this simple task, take a look
>>>>> at cdio(1). It does a lot more than you probably expect.
>>>>
>>>> Nice, but it can't rip to stdout (for example to encode the data in a
>>>> pipe, e.g. into mp3 or ogg/vorbis, w/o storing the uncompressed audio
>>>> inbetween). cdda2wav/cdparanoia *can* do that. (Frontends like grip,
>>>> can't, again, alas.)
>>>
>>> $ mkfifo track01.wav
>>> $ ffmpeg -i - track01.mp3 < track01.wav &
>>> $ cdio cdrip 1
>>
>> Probably works, but *yuck*.
>
> so put it in a script.  then you don't have to see the yuckiness :)
>
> joking aside, adding the ability to choose the output filenames for
> the cdrip command might well be useful.

Or even better if you could use the file names provided by cddb.



Re: "VIA Announces Strategic Open Source Driver Development Initiative"

2008-04-10 Thread Alexandre Ratchov
On Thu, Apr 10, 2008 at 09:47:37PM +0200, Zbigniew Baniewski wrote:
> On Thu, Apr 10, 2008 at 09:36:51PM +0200, Alexandre Ratchov wrote:
> 
> >  - first, envy24 is a generic digital only chip; it's connected to
> >    up to 4 codecs that do the analog<->digital conversions and that
> >    hold the gain knobs. So to add support for new cards we must
> >    add support for its codecs, and we need to know how these codecs
> >    are wired to the envy24 chip, how gpio pins are used, etc...
> >    (this may require docs from the sound card manufacturer, not
> >    via)
> 
> That's what I was afraid of.
> 

well, if both codecs and the digital chip are well documented, how
they are connected is not too hard to guess. There's an EEPROM that
gives hints.

> > afaik, these cards are based on envy24ht, not envy24.
> 
> What do you think about (much cheaper) Chaintech AV-710? There's a version
> with envy24... perhaps someone's using this under OpenBSD?
> 
> http://icrontic.com/articles/chaintech_av710_71_audio_card_review
> http://techgage.com/article/chaintech_av-710_71_sound_card/
> http://www.sudhian.com/index.php?/articles/show/654
>

according to the second link, it uses envy24HT so it will not work
with the current envy(4) driver. FYI envy24 is also known as VT1712
or ICE1712. Esi-julia and AV-710 seem to use the VT1721.

For a sound card (beside being supported) the most important is the
analog part, that will determine the sound quality, the esi julia
seems quite promising in this respect.

Nevertheless, if one day I get one, I'll happily work on the "HT"
driver ;)

-- Alexandre



Re: constant barrage from rfc 1918 addresses source port 6293

2008-04-10 Thread Lord Sporkton
On 10/04/2008, Chris Smith <[EMAIL PROTECTED]> wrote:
> I block and log rfc 1918 connection attempts and am seeing the following
>  in pflog continuously ad nauseam:
>
>  Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
>  172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
>  172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
>  172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
>  172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
>  172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
>  Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
>  172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
>  Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
>  172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]
>
>  The source IP addresses do repeat (but not in a specific order) and the
>  source port remains constant at 6293.
>
>  As these addresses (AFAIK) aren't generally routed I'm wondering about
>  their source.
>
>  Possibly all spoofed, but as I'm using cable service, they could also be
>  from a system on the local shared subnet. Another thought is that the
>  ISP (Comcast) is using and routing them for their own purposes (VOIP
>  service, etc.). Any ideas?
>
>  Thanks.
>
>  --
>
> Chris
>
>

I would highly doubt that you are seeing internal traffic from your
ISP, whatever it is, it's pointing directly at you, it's not just stray
traffic that's passing on your link. I would suggest contacting your
ISP concerning this, they may be able to track it and/or prevent it.

It is possible that it's not really meant for you, but perhaps your
modem, something along the lines of a modem check-in? Hypothetically
speaking, if your modem was trying to "report home" sourcing from your
public IP but the public was actually assigned on your router, you
could see return traffic from your modem "report home" <-- that is of
course a stretch and highly unlikely. Any ISP that set up something
like that would be retarded beyond the capability of their sales team.

-- 
-Lawrence



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-10 Thread Matthew Dempsky
On Mon, Nov 5, 2007 at 12:26 PM, Brian A Seklecki (Mobile)
<[EMAIL PROTECTED]> wrote:
>  - PIX/ASA has proprietary serial console fail-over (which is marginally
>  faster than waiting for CARP)

Assuming this is really a problem, could CARP use interface link state
to speed up fail-over?  E.g., if the common setup is two routers with
a direct Ethernet cable for pfsync and the common failure scenario is
power failure (or at least something that brings down the pfsync
device interface), when one router fails, the other could detect the
link state change and then try to more aggressively contact the master
before timing out and taking over.



Re: "VIA Announces Strategic Open Source Driver Development Initiative"

2008-04-10 Thread Zbigniew Baniewski
On Thu, Apr 10, 2008 at 09:36:51PM +0200, Alexandre Ratchov wrote:

>  - first, envy24 is a generic digital only chip; it's connected to
>    up to 4 codecs that do the analog<->digital conversions and that
>    hold the gain knobs. So to add support for new cards we must
>    add support for its codecs, and we need to know how these codecs
>    are wired to the envy24 chip, how gpio pins are used, etc...
>    (this may require docs from the sound card manufacturer, not
>    via)

That's what I was afraid of.

> afaik, these cards are based on envy24ht, not envy24.

What do you think about (much cheaper) Chaintech AV-710? There's a version
with envy24... perhaps someone's using this under OpenBSD?

http://icrontic.com/articles/chaintech_av710_71_audio_card_review
http://techgage.com/article/chaintech_av-710_71_sound_card/
http://www.sudhian.com/index.php?/articles/show/654
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: "VIA Announces Strategic Open Source Driver Development Initiative"

2008-04-10 Thread Alexandre Ratchov
On Thu, Apr 10, 2008 at 03:41:54AM +0200, Zbigniew Baniewski wrote:
> On Thu, Apr 10, 2008 at 12:08:26AM +, Jacob Meuser wrote:
> 
> > > Yes, I noticed it's there - but does the driver support all of the 
> > > available
> > > capabilities?
> > 
> > according to BUGS in envy(4), no.  but emu(4) doesn't support all
> > the features of the emu10k1 chips, either.
> 
> I understand - but the mentioned "VIA opening" is suggesting, that perhaps
> completing the envy driver can be much easier, if VIA will release the docs;
> Creative Labs, unfortunately, still doesn't seem to be willing to.
> 

besides the MIDI port and the world clock the envy24 chip support
is quite complete. Unfortunately that doesn't mean that all
envy-based cards are fully usable.

 - first, envy24 is a generic digital only chip; it's connected to
   up to 4 codecs that do the analog<->digital conversions and that
   hold the gain knobs. So to add support for new cards we must
   add support for its codecs, and we need to know how these codecs
   are wired to the envy24 chip, how gpio pins are used, etc... 
   (this may require docs from the sound card manufacturer, not
   via)

 - second, there are limitations in most audio apps and in our
   audio(4) device that makes envy24-based cards hard to use (eg. 
   lack of 24/32-bit encoding or 10/12 channel support). IMO, this
   is the most urgent to solve.

> I'm not sure, nevertheless, if that envy24-related docs is enough; there are
> some other chips on the envy-fitted cards, anyway.
> 
> > > The "VIA opening" won't be of any help in this particular case?
> > 
> > at least some datasheets are/have been available:
> > 
> > http://envy24.svobodno.com/datasheets/
> 
> I think, I'll have to make a comparison with Audigy soon...  ;) as I can
> see, there are even (semi?)professional cards built using Envy; like f.e.
> this one: http://www.ixbt.com/multimedia/[EMAIL PROTECTED]

afaik, these cards are based on envy24ht, not envy24.

-- Alexandre



constant barrage from rfc 1918 addresses source port 6293

2008-04-10 Thread Chris Smith
I block and log rfc 1918 connection attempts and am seeing the following
in pflog continuously ad nauseam:

Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]

The source IP addresses do repeat (but not in a specific order) and the 
source port remains constant at 6293.

As these addresses (AFAIK) aren't generally routed I'm wondering about 
their source.

Possibly all spoofed, but as I'm using cable service, they could also be 
from a system on the local shared subnet. Another thought is that the 
ISP (Comcast) is using and routing them for their own purposes (VOIP 
service, etc.). Any ideas?

Thanks.

-- 
Chris
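
Added example (not part of the original post): a Python triage script that rejoins the mail-wrapped pflog records quoted above and summarizes the fields the poster is reasoning about, namely source network, source port, destination, destination port range and the DF flag. The function names and the use of the IANA dynamic range 49152-65535 as the "ephemeral" test are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# The seven records quoted in the post, line-wrapped as they appear in the mail.
PFLOG_SAMPLE = """\
Apr 10 15:10:21.414289 rule 9/(match) block in on fxp1:
172.21.153.70.6293 > 68.61.77.3.50716: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:22.833822 rule 9/(match) block in on fxp1:
172.21.233.57.6293 > 68.61.77.3.54518: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:23.789209 rule 9/(match) block in on fxp1:
172.21.153.22.6293 > 68.61.77.3.57836: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.256891 rule 9/(match) block in on fxp1:
172.21.97.2.6293 > 68.61.77.3.50417: [|tcp] (DF) [tos 0x20]
Apr 10 15:10:24.821674 rule 9/(match) block in on fxp1:
172.21.225.72.6293 > 68.61.77.3.53965: [|tcp] [tos 0x20]
Apr 10 15:11:28.559238 rule 9/(match) block in on fxp1:
172.21.240.45.6293 > 68.61.77.3.58733: [|tcp] (DF) [tos 0x20]
Apr 10 15:11:29.397925 rule 9/(match) block in on fxp1:
172.21.240.63.6293 > 68.61.77.3.62274: [|tcp] [tos 0x20]
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DYNAMIC_PORTS = range(49152, 65536)  # assumption: IANA dynamic/private range

# A record starts with a syslog-style timestamp; anything else is a continuation.
START_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def join_wrapped(text):
    """Undo mail line-wrapping: glue continuation lines onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_pflog(text):
    """Return one dict per parseable record; unparseable lines are skipped."""
    events = []
    for rec in join_wrapped(text):
        m = RECORD_RE.match(rec)
        if m is None:
            continue
        ev = m.groupdict()
        ev["src"] = ipaddress.ip_address(ev["src"])
        ev["dst"] = ipaddress.ip_address(ev["dst"])
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["df"] = "(DF)" in rec
        events.append(ev)
    return events


def summarize(events):
    """Aggregate the RFC 1918-sourced events by the fields worth comparing."""
    private = [e for e in events if any(e["src"] in net for net in RFC1918)]
    return {
        "total": len(events),
        "rfc1918": len(private),
        "sources": sorted({e["src"] for e in private}),
        "by_net16": Counter(
            str(ipaddress.ip_network(f"{e['src']}/16", strict=False))
            for e in private),
        "src_ports": Counter(e["sport"] for e in private),
        "dst_hosts": Counter(str(e["dst"]) for e in private),
        "dst_ports_dynamic": sum(e["dport"] in DYNAMIC_PORTS for e in private),
        "df_set": sum(e["df"] for e in private),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_pflog(PFLOG_SAMPLE)).items():
        print(f"{key}: {value}")
```

On the quoted sample every record shares one source port and one destination host while the destination port changes per packet, so the next check is whether those destination ports match connections the protected host itself opened.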



Re: Got 'em !

2008-04-10 Thread Kian Mohageri
On Thu, Apr 10, 2008 at 1:29 AM, Paul de Weerd <[EMAIL PROTECTED]> wrote:
> Hi all,
>
>  The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've
>  put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg ..
>  looking very cool yet again ;)
>

Artwork looks great!

Are those the same semi-transparent stickers from 4.2?  I can't tell
from the picture.

-Kian



Re: spamd fake MX

2008-04-10 Thread andrew fresh
On Thu, Apr 10, 2008 at 02:07:43PM +1000, Rod Whitworth wrote:
> Reality check please.
> 
> I see quite a few attempts to access port 25 on boxes that don't have
> externally listening smtpd. They show up in firewall logs.
> 
> It is a possibility to let spamd listen (as usual, redirected from 25
> to 8025, or even on 25 itself) and feed the IP over to my real MX using
> the spamd sync capability?
> 
> I think so but I may just need a cluebat if there is some reason not to.

http://www.hungryhacker.com/articles/misc/spamd

I have been meaning to set this up, and then sync the IPs to my actual
mail servers so they can be blacklisted.  I just haven't had time.

l8rZ,
-- 
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

BOFH excuse of the day: high pressure system failure



Re: CARP and pfsync weird behaviour

2008-04-10 Thread Calomel
John,

I ran a test using iperf on an external openbsd system (client) through a carp
firewall to an internal openbsd system (server). All systems are running
OpenBSD v4.2 with the latest patches.

  external                  ---> CARP --->     internal
(iperf -i 1 -t 600 -c carp0)                  (iperf -s)

I did _not_ see any slow down through the MASTER when I rebooted the BACKUP
server. For example, I started the reboot of the BACKUP at 5 seconds and
the BACKUP finished rebooting at 102 seconds:

[  3]  1.0- 2.0 sec  81.2 MBytes   681 Mbits/sec
[  3]  2.0- 3.0 sec  82.3 MBytes   690 Mbits/sec
[  3]  3.0- 4.0 sec  83.8 MBytes   703 Mbits/sec
[  3]  4.0- 5.0 sec  86.6 MBytes   727 Mbits/sec -- start reboot
[  3]  5.0- 6.0 sec  86.8 MBytes   728 Mbits/sec
[  3]  6.0- 7.0 sec  86.3 MBytes   724 Mbits/sec
[  3]  7.0- 8.0 sec  82.8 MBytes   695 Mbits/sec
[  3]  8.0- 9.0 sec  86.7 MBytes   728 Mbits/sec
[  3]  9.0-10.0 sec  85.8 MBytes   720 Mbits/sec
[  3] 10.0-11.0 sec  86.1 MBytes   722 Mbits/sec

cut

[  3] 96.0-97.0 sec  83.4 MBytes   699 Mbits/sec
[  3] 97.0-98.0 sec  82.4 MBytes   692 Mbits/sec
[  3] 98.0-99.0 sec  81.9 MBytes   687 Mbits/sec
[  3] 99.0-100.0 sec  84.7 MBytes   710 Mbits/sec
[  3] 100.0-101.0 sec  83.3 MBytes   699 Mbits/sec
[  3] 101.0-102.0 sec  83.7 MBytes   702 Mbits/sec -- finished reboot
[  3] 102.0-103.0 sec  83.3 MBytes   699 Mbits/sec
[  3] 103.0-104.0 sec  83.6 MBytes   701 Mbits/sec
[  3] 104.0-105.0 sec  85.3 MBytes   716 Mbits/sec
[  3] 105.0-106.0 sec  83.4 MBytes   699 Mbits/sec

I also did not see any errors in the logs of either system running iperf
or on the firewalls. The load on the MASTER firewall was around 0.30.

Are the firewalls kernel patched? Are there any hardware failures to
report? Are the firewalls overloaded?

You are welcome to check out some of the "how to's" I have at
http://calomel.org if you need to.
 
--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Thu, Apr 10, 2008 at 12:35:17PM +0100, openbsd firewall wrote:
>Hello,
>
>I'm testing an OpenBSD 4.2 firewall with Iperf and I'm experiencing a very
>strange behaviour.
>What happens is that when I reboot the backup node the connection rate drops
>while the backup node is coming back.
>Iperf log:
>[  3] 233.0-234.0 sec  6.62 MBytes  55.5 Mbits/sec
>[  3] 234.0-235.0 sec  6.62 MBytes  55.5 Mbits/sec
>[  3] 235.0-236.0 sec  6.62 MBytes  55.5 Mbits/sec
>[  3] 236.0-237.0 sec  6.70 MBytes  56.2 Mbits/sec
>[  3] 237.0-238.0 sec   288 KBytes  2.36 Mbits/sec
>[  3] 238.0-239.0 sec  3.40 MBytes  28.5 Mbits/sec
>[  3] 239.0-240.0 sec  0.00 Bytes  0.00 bits/sec
>[  3] 240.0-241.0 sec  3.55 MBytes  29.8 Mbits/sec
>[  3] 241.0-242.0 sec  0.00 Bytes  0.00 bits/sec
>[  3] 242.0-243.0 sec  3.49 MBytes  29.3 Mbits/sec
>[  3] 243.0-244.0 sec  0.00 Bytes  0.00 bits/sec
>[  3] 244.0-245.0 sec  3.49 MBytes  29.3 Mbits/sec
>[  3] 245.0-246.0 sec  2.30 MBytes  19.3 Mbits/sec
>[  3] 246.0-247.0 sec  5.23 MBytes  43.9 Mbits/sec
>[  3] 247.0-248.0 sec  2.60 MBytes  21.8 Mbits/sec
>[  3] 248.0-249.0 sec  5.37 MBytes  45.0 Mbits/sec
>[  3] 249.0-250.0 sec  1.28 MBytes  10.7 Mbits/sec
>[  3] 250.0-251.0 sec  4.69 MBytes  39.3 Mbits/sec
>[  3] 251.0-252.0 sec  4.69 MBytes  39.3 Mbits/sec
>[  3] 252.0-253.0 sec  6.62 MBytes  55.5 Mbits/sec
>[  3] 253.0-254.0 sec  6.62 MBytes  55.5 Mbits/sec
>[  3] 254.0-255.0 sec  6.62 MBytes  55.5 Mbits/sec
>
>That drop in connection is when the rebooted node is coming back ! Iperf is
>being tested from one machine behind one firewall interface and another
>machine behind another firewall interface. One machine is running Openbsd
>and the other Linux.
>Is there any reason for this behaviour ? I do not expect the backup node to
>have any influence over the flow on active node.
>
>Related to this is a problem with pfsync. Sometimes I get a bad state after
>the backup firewall comes back and then Iperf gets totally messed up,
>sometimes recovering others not. No difference if pfsync is configured with
>multicast or with syncpeer.
>Log from the active node:
>Apr 10 06:57:03 inferno /bsd: pfsync: received bulk update request
>Apr 10 06:57:04 inferno /bsd: pfsync: bulk update complete
>Apr 10 06:57:04 inferno pflogd[23092]: invalid size 484 (116/116), packet
>dropped
>Apr 10 06:57:11 inferno pflogd[23092]: invalid size 144 (116/116), packet
>dropped
>Apr 10 06:57:16 inferno last message repeated 3 times
>Apr 10 06:57:31 inferno pflogd[23092]: invalid size 484 (116/116), packet
>dropped
>Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001
>xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840
>modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A
>seq=2191798936 (2191798936) ack=911995449 len=1460 ackskew=0
>pkts=1267241:671313 dir=in,fwd
>Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1
>Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001
>xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=219179893

Re: Got 'em !

2008-04-10 Thread Pau
I am itching to put the hands on it!

I hope Barcelona is close enough to central Europe to speed up the process :)

Pau

2008/4/10, Alexander Hall <[EMAIL PROTECTED]>:
> Paul de Weerd wrote:
>
> > Hi all,
> >
> > The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've
> > put up a pic on
> http://www.weirdnet.nl/images/openbsd43set.jpg ..
> > looking very cool yet again ;)
> >
> > Thanks to all the developers for another very cool release.
> >
>
>  Mine arrived today here in Sweden. Wim told me I was #3, so just wait for
> your deliveries folks...
>
>  Now which disc contained the 4.3 song...? :-)
>
>  /Alexander



Re: timezone issue

2008-04-10 Thread Jordi Espasa Clofent

> You probably have no /var/www/etc/localtime

Yes, it was the real problem.

$ ls -l /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Feb 14 17:33 /etc/localtime -> /usr/share/zoneinfo/Europe/Madrid

$ cp /usr/share/zoneinfo/Europe/Madrid /var/www/etc/localtime

Simple, clean and understandable. It was my fault... I use the OpenBSD 
default chrooted Apache, of course.


;)

--
Thanks,
Jordi Espasa Clofent



Re: Problems reading audio cdrom on 4.2 sparc64

2008-04-10 Thread Jacob Meuser
On Thu, Apr 10, 2008 at 04:57:29PM +0200, Hannah Schroeter wrote:
> Hi!
> 
> On Wed, Apr 09, 2008 at 05:49:57PM +, Jacob Meuser wrote:
> >On Wed, Apr 09, 2008 at 06:25:53PM +0200, Hannah Schroeter wrote:
> >> On Wed, Apr 09, 2008 at 03:47:26PM +, Stuart Henderson wrote:
> >> >On 2008-04-09, Unix Fan <[EMAIL PROTECTED]> wrote:
> 
> >> >> If you want to dump the contents into PCM audio, look in the
> >> >> ports.. install "cdrtools" and use the "cdda2wav" application.
> 
> >> >No need for 3rd party software for this simple task, take a look
> >> >at cdio(1). It does a lot more than you probably expect.
> 
> >> Nice, but it can't rip to stdout (for example to encode the data in a
> >> pipe, e.g. into mp3 or ogg/vorbis, w/o storing the uncompressed audio
> >> inbetween). cdda2wav/cdparanoia *can* do that. (Frontends like grip,
> >> can't, again, alas.)
> 
> >$ mkfifo track01.wav
> >$ ffmpeg -i - track01.mp3 < track01.wav &
> >$ cdio cdrip 1
> 
> Probably works, but *yuck*.

so put it in a script.  then you don't have to see the yuckiness :)

joking aside, adding the ability to choose the output filenames for
the cdrip command might well be useful.

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: What's the status of kernel patch supporting Intel I/OAT tech?

2008-04-10 Thread B A
You can check sources

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_em.c?rev=1.181&content-type=text/x-cvsweb-markup

and looks like there is no OAT there.

10.04.08, 16:59, "hu st" <[EMAIL PROTECTED]>:

> Hi,
>
> Intel I/OAT is a good tech for network performance,
> see http://www.intel.com/go/ioat.
>
> Linux e1000 driver has a patch for FreeBSD, see
> http://sourceforge.net/project/platformdownload.php?group_id=42302
>
> What's the status of OpenBSD patch?
>
> Regards
>
> Frank



Re: Got 'em !

2008-04-10 Thread Alexander Hall

Paul de Weerd wrote:
> Hi all,
>
> The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've
> put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg ..
> looking very cool yet again ;)
>
> Thanks to all the developers for another very cool release.

Mine arrived today here in Sweden. Wim told me I was #3, so just wait
for your deliveries folks...

Now which disc contained the 4.3 song...? :-)

/Alexander



Re: Problems reading audio cdrom on 4.2 sparc64

2008-04-10 Thread Hannah Schroeter
Hi!

On Wed, Apr 09, 2008 at 05:49:57PM +, Jacob Meuser wrote:
>On Wed, Apr 09, 2008 at 06:25:53PM +0200, Hannah Schroeter wrote:
>> On Wed, Apr 09, 2008 at 03:47:26PM +, Stuart Henderson wrote:
>> >On 2008-04-09, Unix Fan <[EMAIL PROTECTED]> wrote:

>> >> If you want to dump the contents into PCM audio, look in the
>> >> ports.. install "cdrtools" and use the "cdda2wav" application.

>> >No need for 3rd party software for this simple task, take a look
>> >at cdio(1). It does a lot more than you probably expect.

>> Nice, but it can't rip to stdout (for example to encode the data in a
>> pipe, e.g. into mp3 or ogg/vorbis, w/o storing the uncompressed audio
>> inbetween). cdda2wav/cdparanoia *can* do that. (Frontends like grip,
>> can't, again, alas.)

>$ mkfifo track01.wav
>$ ffmpeg -i - track01.mp3 < track01.wav &
>$ cdio cdrip 1

Probably works, but *yuck*.

Kind regards,

Hannah.



What's the status of kernel patch supporting Intel I/OAT tech?

2008-04-10 Thread hu st
Hi,

Intel I/OAT is a good tech for network performance,
see http://www.intel.com/go/ioat.

Linux e1000 driver has a patch for FreeBSD, see
http://sourceforge.net/project/platformdownload.php?group_id=42302

What's the status of OpenBSD patch?

Regards

Frank



Re: Optimising OpenBSD

2008-04-10 Thread Fabio Almeida
I would like to recommend Secure Architectures With OpenBSD.
It's a great book.

Cheers,
Fabio

On Wed, Apr 9, 2008 at 8:58 PM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> On Wed, Apr 09, 2008 at 07:55:36AM -0500, Ed Ahlsen-Girard wrote:
> > From: Douglas A. Tutty [mailto:[EMAIL PROTECTED]
> >
> > >If you want a book, although its a bit old there's Absolute OpenBSD by
> > >nostarch press.
> >
> > A nice book, but it's out of print.  It is available as a PDF though.
>
> I purchased a copy last year.  I'd like a pdf version; I'll google for
> it unless you have the URL handy.
>
> Doug.



Re: Optimising OpenBSD

2008-04-10 Thread Ed Ahlsen-Girard
http://www.absoluteopenbsd.com

 
--
 
Ed Ahlsen-Girard
Senior Network Engineer
TYBRIN Corporation
tybrin.com
850-337-2830
850-337-2885 (fax)

-Original Message-
From: Douglas A. Tutty [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 09, 2008 6:58 PM
To: misc@openbsd.org
Subject: Re: Optimising OpenBSD

On Wed, Apr 09, 2008 at 07:55:36AM -0500, Ed Ahlsen-Girard wrote:
> From: Douglas A. Tutty [mailto:[EMAIL PROTECTED]
>
> >If you want a book, although its a bit old there's Absolute OpenBSD by
> >nostarch press.
>
> A nice book, but it's out of print.  It is available as a PDF though.

I purchased a copy last year.  I'd like a pdf version; I'll google for
it unless you have the URL handy.

Doug.



Ideal for your promotional offers

2008-04-10 Thread La Vitrine des Bonnes Affaires

  * a description of the product or service you wish to offer,
which may include: photo, name, price, and subject of the promotion
(see examples below)

  * a redirect link to your website address or e-mail address
so that the prospect can make an inquiry or purchase
online

sent by e-mail to the two million people in our file of
professional e-mail addresses (companies, executives, managers and
employees).

La Vitrine des Bonnes Affaires is a weekly newsletter of current
promotional offers, meant to generate immediate revenue for
advertisers and to let prospects take advantage of these
offers instantly.

As the number of offers in the showcase is deliberately limited
to 25 each week, do not wait to reserve your place and be
part of the Hit Parade of promotional offers sent
to the 2 million prospects:

You will get a complementary and effective commercial communication
medium, an additional source of revenue for you!

La Vitrine des Bonnes Affaires - Sarl with capital of 15€
50 rue Henri Prou 78340 Les Clayes sous bois – Siret no. 49793861300013



Re: Use of 'Puffy' Logo *and* weatherproof stickers?

2008-04-10 Thread Mark Mathias
On Wed, Apr 9, 2008 at 11:51 AM, Theo de Raadt <[EMAIL PROTECTED]>
wrote:

> > > Hannah Schroeter wrote:
> > >
> > >  I read there (http://www.openbsd.org/art1.html):
> > > >
> > > >  but do not make profit from them since our own T-shirt sales
> provide
> > > >  funding so that OpenBSD can continue to operate.
> > > >
> > > > Recently it was said on a mailing list, that T-shirt sales do *not*
> > > > provide net funding, only donations and *CD* sales do. Which is
> true?
> > > >
> > >
> > > I was a bit curious about that, too, but just figured it was a page
> left
> > > that still needed editing.
> > >
> > > I also have a question of my own related to Puffy and, rather than
> start a
> > > new thread, I'll go ahead and ask in this one since it's kind of
> on-topic.
> > >
> > > Before I have some weatherproof OpenBSD/Puffy stickers made up for my
> own
> > > personal use, does anyone know *off the top of your head* if there are
> > > already some out there, available for purchase, where proceeds find
> their
> > > way back to the project? I'd rather buy some knowing that some of the
> $$ is
> > > going to make its way back to OpenBSD than to spend the same amount
> and it
> > > all go to a corporate interest.
> > >
> > > By weatherproof, I plan to stick it on my motorcycle luggage where it
> will
> > > be exposed to sun, rain, snow, ice and 120km/h+ winds.
> > >
> > > Thanks!
> > >
> > > kmw
> > >
> > >
> > Have you checked out
> > https://kd85.com/notforsale.html
> > there are a few stickers for cars that should serve your purpose.
>
> Sale of the items on that page do not fund the project.  Sale of those
> items does not even cover the cost that Austin and I paid our artist
> to draw the pictures for those items.
>
> Just keep that in mind please.
>
>
I didn't realize that the money from those sales don't fund the project, and
I will keep that in mind.

-- 
Mark Mathias



Puffy and the Cryptonauts have arrived in...

2008-04-10 Thread Jasper Valentijn
Hoorn, Netherlands.



Thanks devs!!

-- 
"We spend the first twelve months of our children's lives teaching
them to walk and talk and the next twelve telling them to sit down and
shut up."



Re: timezone issue

2008-04-10 Thread Stuart Henderson
On 2008-04-10, Jordi Espasa Clofent <[EMAIL PROTECTED]> wrote:
> The last goal was that symon shows the graphs in CEST (Europe/Madrid), 
> not in UTC.

You probably have no /var/www/etc/localtime



Re: Got 'em !

2008-04-10 Thread Jasper Valentijn
2008/4/10, Paul de Weerd <[EMAIL PROTECTED]>:
> Hi all,
>
>  The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've
>  put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg ..
>  looking very cool yet again ;)

It sure does! I keep looking for that UPS truck...

-- 
"We spend the first twelve months of our children's lives teaching
them to walk and talk and the next twelve telling them to sit down and
shut up."



Re: "VIA Announces Strategic Open Source Driver Development Initiative"

2008-04-10 Thread Hannah Schroeter
Hi!

On Wed, Apr 09, 2008 at 10:12:49PM +0200, frantisek holop wrote:
>hmm, on Wed, Apr 09, 2008 at 03:35:18PM -0400, bofh said that
>> Sun learnt a lot of lessons when it tried to merge sparc and x86 code bases
>> together around the solaris 2.4 time, iirc.  That's why things like zfs are
>> endian neutral.  OpenBSD started in the multi cpu world to begin with.

>i might be wrong, but i thought as of yet, not everything
>is endian neutral in openbsd (carp?)

FFS itself (the on-disk layout). In contrary, ext2 *is*.

>-f

Kind regards,

Hannah.



CARP and pfsync weird behaviour

2008-04-10 Thread openbsd firewall
Hello,

I'm testing an OpenBSD 4.2 firewall with Iperf and I'm experiencing a very
strange behaviour.
What happens is that when I reboot the backup node the connection rate drops
while the backup node is coming back.
Iperf log:
[  3] 233.0-234.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 234.0-235.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 235.0-236.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 236.0-237.0 sec  6.70 MBytes  56.2 Mbits/sec
[  3] 237.0-238.0 sec   288 KBytes  2.36 Mbits/sec
[  3] 238.0-239.0 sec  3.40 MBytes  28.5 Mbits/sec
[  3] 239.0-240.0 sec  0.00 Bytes  0.00 bits/sec
[  3] 240.0-241.0 sec  3.55 MBytes  29.8 Mbits/sec
[  3] 241.0-242.0 sec  0.00 Bytes  0.00 bits/sec
[  3] 242.0-243.0 sec  3.49 MBytes  29.3 Mbits/sec
[  3] 243.0-244.0 sec  0.00 Bytes  0.00 bits/sec
[  3] 244.0-245.0 sec  3.49 MBytes  29.3 Mbits/sec
[  3] 245.0-246.0 sec  2.30 MBytes  19.3 Mbits/sec
[  3] 246.0-247.0 sec  5.23 MBytes  43.9 Mbits/sec
[  3] 247.0-248.0 sec  2.60 MBytes  21.8 Mbits/sec
[  3] 248.0-249.0 sec  5.37 MBytes  45.0 Mbits/sec
[  3] 249.0-250.0 sec  1.28 MBytes  10.7 Mbits/sec
[  3] 250.0-251.0 sec  4.69 MBytes  39.3 Mbits/sec
[  3] 251.0-252.0 sec  4.69 MBytes  39.3 Mbits/sec
[  3] 252.0-253.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 253.0-254.0 sec  6.62 MBytes  55.5 Mbits/sec
[  3] 254.0-255.0 sec  6.62 MBytes  55.5 Mbits/sec

That drop in connection is when the rebooted node is coming back ! Iperf is
being tested from one machine behind one firewall interface and another
machine behind another firewall interface. One machine is running Openbsd
and the other Linux.
Is there any reason for this behaviour ? I do not expect the backup node to
have any influence over the flow on active node.

Related to this is a problem with pfsync. Sometimes I get a bad state after
the backup firewall comes back and then Iperf gets totally messed up,
sometimes recovering others not. No difference if pfsync is configured with
multicast or with syncpeer.
Log from the active node:
Apr 10 06:57:03 inferno /bsd: pfsync: received bulk update request
Apr 10 06:57:04 inferno /bsd: pfsync: bulk update complete
Apr 10 06:57:04 inferno pflogd[23092]: invalid size 484 (116/116), packet
dropped
Apr 10 06:57:11 inferno pflogd[23092]: invalid size 144 (116/116), packet
dropped
Apr 10 06:57:16 inferno last message repeated 3 times
Apr 10 06:57:31 inferno pflogd[23092]: invalid size 484 (116/116), packet
dropped
Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001
xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840
modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A
seq=2191798936 (2191798936) ack=911995449 len=1460 ackskew=0
pkts=1267241:671313 dir=in,fwd
Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1
Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001
xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840
modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A
seq=2191800396 (2191800396) ack=911995449 len=1460 ackskew=0
pkts=1267241:671313 dir=in,fwd
Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1

If I destroy pfsync interface in the master node, this problem doesn't occur
(that's what I expected to happen).

Any clue of what is happening here ?

Thanks,
John



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-10 Thread Rod Whitworth
On Thu, 10 Apr 2008 12:27:32 +0200, Reyk Floeter wrote:

>> - PIX/ASA has some magical black-box inline transparent protocol
>> "fixups"
>

Yeah, they have a magical smtp "f**-up" that is famous for breaking
things.

Have a look at http://www.postfix.org/postconf.5.html and search the
page for pix.

Not too transparent either.

Please don't reply to the sender address of this mail. There is a
reply-to but the list is fine, I read every message.

Thanx,

Rod/

Me...a skeptic?  I trust you have proof.



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-10 Thread Claudio Jeker
On Thu, Apr 10, 2008 at 12:27:32PM +0200, Reyk Floeter wrote:
> > I don't know about ASA, but the 5xx PIX doesn't support IPv6
> > 
> 
> like the lucent boxes and many other systems.  and even if they
> support IPv6, they do it in a very basic way sometimes not even
> statefully.
> 

Or like on the ASA where IPv6 has nice memory leaks that cause the box to
freeze once a week and Cisco just does not care even though a lot of money
is paid for their support.

-- 
:wq Claudio



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-10 Thread Reyk Floeter
hi!

i cannot resist to give a few comments on the PIX/ASA...

but first you should have a look at
http://www.openbsd.org/lyrics.html#35
about the Monopoly of Cizzz-coeee.

On Mon, Nov 05, 2007 at 02:26:48PM -0500, Brian A Seklecki (Mobile) wrote:
> - PIX/ASA is going to get you a default packet "ASA" forwarding based on
> interface weights 

this concept of interface levels is something that is causing
headaches to generations of PIX admins... there are certain
limitations between interfaces of different levels then the PIX
doesn't even support VLANs, you have to use a physical interface per
LAN.

> - PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
> VPN Road-warrior clients

OpenBSD's isakmpd does not support XAUTH yet but the IPsec
configuration on PIX is neither easy nor functional; this concept of
using access lists for phase 2 policies (flows) and all the
dependencies of different types of cli rules for IPsec is just really
bad.

> - PIX has functional object-groups/group-object inheritance

it is not functional, it is an attempt to make the access lists more
useable. OpenBSD's tables, macros, etc. provide a much better
interface.

> - PIX/ASA has proprietary serial console fail-over (which is marginally
> faster than waiting for CARP)

yeah, and you have to run both systems in the same rack, impossible to
put the systems in physically different locations.

> - PIX/ASA has some magical black-box inline transparent protocol
> "fixups"

this should only matter in the NAT case and is provided by our pf
proxies and relayd(8), but they're not magical.  we're working on
supporting more protocols in this case. 

> - PIX has a 4 hour SmartNet support contract option

there are OpenBSD-based appliances with suitable support contracts.

> - PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)
> 

snmpd(8) will support a few more MIBs, but it is still the goal to
keep it small.

> I don't know about ASA, but the 5xx PIX doesn't support IPv6
> 

like the lucent boxes and many other systems.  and even if they
support IPv6, they do it in a very basic way sometimes not even
statefully.

> 
> Otherwise they're both software-based stateful IP packet forwarding
> engines running on i386 with NAT and IPSec and 802.1q support.
> 
> OpenBSD will always scale better because you can run it on the hardware 
> platform of your choice.
> 

and more

- PIX/ASA require additional licenses for more users/cryptos/keystrokes/...

- Newer releases of ASA (8+) are based on Linux 2.6... it turned into
just another Linux UTM box.

reyk

> ~BAS
> 
> > 1. VPN is computationally heavy -- is your hardware fast enough?
> > 
> > 2. Try playing with queueing in PF to handle some types of traffic
> >faster than others. AFAIK, it is normal to find this kind of
> >configuration in commercial, black-box solutions, disguised as buzzy
> >slogans like "Built-in QoS Super-Routing" :-)
> > 
> > Just my two cents.
> > 
> > Martin



Re: timezone issue

2008-04-10 Thread Jordi Espasa Clofent

The computer clock should be set in UTC, which is CEST (Europe/Madrid
summertime) minus 2h.


Yes, it is.


$ env TZ=Europe/Madrid date
Thu Apr 10 11:21:04 CEST 2008
$ env TZ=UTC date
Thu Apr 10 09:21:13 UTC 2008

This is what I would expect.


The same in my system:

[EMAIL PROTECTED] [~] [11:33:23]
$ env TZ=Europe/Madrid date
Thu Apr 10 11:33:49 CEST 2008

[EMAIL PROTECTED] [~] [11:33:49]
$ env TZ=UTC date
Thu Apr 10 09:34:02 UTC 2008

[EMAIL PROTECTED] [~] [11:34:02]
$ date -u
Thu Apr 10 09:34:15 UTC 2008


Why is there a problem with sysmon generating graphs in UTC?


Simple commodity; maybe I've misunderstood the UTC.

The last goal was that symon shows the graphs in CEST (Europe/Madrid), 
not in UTC. But if computer clock _SHOULD_ be UTC... really there's no 
problem after all.


--
Thanks,
Jordi Espasa Clofent



Re: timezone issue

2008-04-10 Thread ttw+bsd
On 10.04-11:06, Jordi Espasa Clofent wrote:
[ ... ]
> [EMAIL PROTECTED] [~] [10:59:59]
> $ date -u
> Thu Apr 10 09:00:01 UTC 2008

presumably the prompt is showing local time which is UTC +2 (+1 for
CET and +1 for summer time).  so all is well.  as for the sysmon output
you'll probably find (but i don't know) that it's deliberately working
in UTC.



timezone issue

2008-04-10 Thread Jordi Espasa Clofent

Hi all,

When I installed my box, I configured Europe/Madrid as a timezone (I 
live in Barcelona).


I use OpenNTPd, so my prompt always shows to me the correct hour; but 
since I've installed symon (an excellent monitoring tool) I note that the 
generated graphs are -2 hours ???


well, I go to BIOS and change the hour... but it seems that always 
change to -2 hours. ?


After a lot of RTFM, I change the kernel timezone:

$ config -ef /bsd
OpenBSD 4.2-stable (GENERIC) #0: Mon Feb 18 13:10:48 CET 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
Enter 'help' for information
ukc> timezone
timezone = -120, dst = 0
ukc> quit
Saving modified kernel.

But when I reboot the box, the -2 hours error is still here:

[EMAIL PROTECTED] [~] [10:59:59]
$ date -u
Thu Apr 10 09:00:01 UTC 2008

(note that the prompt shows the correct time... but the UTC system not...)

?

--
Thanks,
Jordi Espasa Clofent



Got 'em !

2008-04-10 Thread Paul de Weerd
Hi all,

The new 4.3 CD set has just arrived here in Zurich, Switzerland ! I've
put up a pic on http://www.weirdnet.nl/images/openbsd43set.jpg ..
looking very cool yet again ;)

Thanks to all the developers for another very cool release.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: Use of 'Puffy' Logo *and* weatherproof stickers?

2008-04-10 Thread Darren Spiteri
On Wed, Apr 9, 2008 at 11:46 PM, Kevin Wilcox <[EMAIL PROTECTED]> wrote:
> Hannah Schroeter wrote:
>  By weatherproof, I plan to stick it on my motorcycle luggage where it will
> be exposed to sun, rain, snow, ice and 120km/h+ winds.
>

I wouldn't mind one for my bicycle. I was thinking of using the
install packaged stickers and covering them with some clear vinyl.