Re: Light HTTP servers.

2008-08-22 Thread Toni Mueller
Hi,

On Sun, 20.07.2008 at 21:03:03 +0200, Marc Balmer [EMAIL PROTECTED] wrote:
 * Henning Brauer wrote:
  lighttpd.
 
 can it  do reverse proxying, as needed for zope?

in theory, it can, but I didn't try.

My experience from running some low-traffic sites with both nginx and
lighttpd is that nginx is by far easier to handle, more robust, and
also more flexible in its configuration, and I hope to get rid of
lighttpd asap (eg. my bugs would linger for months, or longer). The
only point where lighttpd imho shines, sort of, is easier launching
of internal FastCGI servers.

Do you have any problems running nginx as a reverse proxy for Zope? We
do it, and it gives us less trouble than the built-in Apache, I must
say (even ignoring the system load).


Kind regards,
--Toni++



Re: ospfd seq num mismatch

2008-08-22 Thread clifford bailey
Mike H wrote:
 Hi All,

 I'm having a problem with ospfd on a 4.3 system (dmesg below) and I'm 
 hoping someone here can suggest something to help me resolve it.

 The problem is that occasionally the system loses all routes learned 
 via OSPF ('netstat -rn' and 'ospfctl show fib' continue to show 
 connected and static routes).  I have not been able to force the 
 problem to occur, nor have I been able to correlate it to any other 
 events.  I am able to restore routing by restarting ospfd.

 When the problem happens, I see these entries in the messages and 
 daemon logs:


 $ grep ospfd /var/log/messages

 Aug  8 15:30:08 psc-wifigw1 ospfd[20751]: recv_db_description: seq num 
 mismatch, bad flags
 Aug  8 16:29:35 psc-wifigw1 ospfd[20751]: recv_db_description: invalid 
 seq num, mine d5e04e66 his d5e04e65
 Aug  8 16:29:35 psc-wifigw1 ospfd[20751]: nbr_fsm: neighbor ID 
 10.222.16.65, event SEQ_NUM_MISMATCH not expected in state EXSTA
 Aug  8 16:29:39 psc-wifigw1 ospfd[20751]: recv_db_description: seq num 
 mismatch, bad flags
 Aug  8 16:40:08 psc-wifigw1 ospfd[20751]: recv_db_description: seq num 
 mismatch, bad flags
 Aug  8 16:49:44 psc-wifigw1 ospfd[20751]: recv_db_description: seq num 
 mismatch, bad flags
 Aug  8 16:50:42 psc-wifigw1 ospfd[20751]: nbr_adj_timer: failed to 
 form adjacency with 10.222.16.33
 Aug  8 16:51:42 psc-wifigw1 ospfd[20751]: nbr_adj_timer: failed to 
 form adjacency with 10.222.16.33
 Aug  8 17:00:42 psc-wifigw1 ospfd[20751]: nbr_adj_timer: failed to 
 form adjacency with 10.222.16.33
 Aug  8 17:01:42 psc-wifigw1 ospfd[20751]: nbr_adj_timer: failed to 
 form adjacency with 10.222.16.33
 Aug  8 18:49:49 psc-wifigw1 ospfd[28802]: lost child: route decision 
 engine exited
 Aug  8 18:49:49 psc-wifigw1 ospfd[20751]: if_leave_group: error 
 IP_DROP_MEMBERSHIP, interface em0 address 224.0.0.6: Can't assign 
 requested address
 Aug  8 19:43:18 psc-wifigw1 ospfd[9675]: nbr_fsm: neighbor ID 
 10.222.16.33, event LOADING_DONE not expected in state EXCHG
 Aug  8 19:43:22 psc-wifigw1 ospfd[9675]: recv_db_description: seq num 
 mismatch, bad flags

 The invalid seq num, mine... his... always seems to show a 
 difference of one.


 Here is my ospfd.conf:

 $ sudo ospfd -nvf /etc/ospfd.conf

 router-id 10.223.32.130
 fib-update yes
 rfc1583compat no
 stub router yes
 redistribute connected
 spf-delay 1
 spf-holdtime 5

 area 0.0.0.50 {
 interface em1:10.223.32.1 {
 hello-interval 10
 metric 10
 retransmit-interval 5
 router-dead-time 40
 router-priority 1
 transmit-delay 1
 auth-type crypt
 auth-md-keyid 2
 auth-md 2 XX
 }
 }

 area 0.0.0.0 {
 interface em0:10.222.0.5 {
 hello-interval 10
 metric 10
 retransmit-interval 5
 router-dead-time 40
 router-priority 1
 transmit-delay 1
 auth-type none
 }
 }


 Here is my dmesg output:

 $ dmesg

 OpenBSD 4.3 (GENERIC.MP) #1582: Wed Mar 12 11:16:45 MDT 2008
 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 2145873920 (2046MB)
 avail mem = 2072150016 (1976MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf (41 entries)
 bios0: vendor Sun Microsystems version 1.0.9 date 03/20/2006
 bios0: Sun Microsystems Sun Fire(TM) X2100
 acpi0 at bios0: rev 0
 acpi0: tables DSDT FACP SSDT SRAT MCFG APIC
 acpi0: wakeup devices HUB0(S5) XVR0(S5) XVR1(S5) XVR2(S5) XVR3(S5) 
 USB0(S3) USB2(S3) MMAC(S5) MMCI(S5) UAR1(S5)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Dual Core AMD Opteron(tm) Processor 175, 2211.58 MHz
 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW

 cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
 64b/line 16-way L2 cache
 cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 cpu0: apic clock running at 201MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Dual Core AMD Opteron(tm) Processor 175, 2211.33 MHz
 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW

 cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
 64b/line 16-way L2 cache
 cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 ioapic0 at mainbus0 apid 2 pa 0xfec0, version 11, 24 pins
 ioapic0: misconfigured as apic 0, remapped to apid 2
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (HUB0)
 

Re: I'm embarassed. (Re: shell not reading login script)

2008-08-22 Thread Philip Guenther
2008/8/21 Joel Rees [EMAIL PROTECTED]:
 On Heisei 20/08/21, at 12:12, Philip Guenther wrote:

 2008/8/20 Joel Rees [EMAIL PROTECTED]:

 export PROFMARKER=.profile

 would you believe I put that in .profile, like the marker said?
...etc

Now that you've said it, yes, I do.  If you think it unreasonable to
not assume that from your first message, then you haven't followed
enough QA exchanges on mailing lists.  People do things that are
completely insane to others and then don't believe it when people say
that was non-obvious.

Part of writing a good question is providing enough information for
the readers to both eliminate the weirder scenarios and to estimate
how likely you are to miss the vital clue.  If you don't set the
scene sufficiently, then answers have to either
a) be excessively general (60 lines to describe what file might
control xterm's startup?)
b) ask for more detail, or
c) make assumptions, stated or not, and risk being completely wrong or
starting the
chase in the wrong direction.


 If you're wondering why the shotgun approach, I couldn't figure out, with my
 login shell set to sh, why the shell was behaving like csh. Still don't get
 it.

sigh  What do you mean by behaving like csh?  The only prominent
reference to csh behavior I see in your previous note is this:

 Except, csh picks up one marker, sh and ksh pick up none. So I'm
 still puzzled

But that seems to be saying that your shell is *not* behaving like
csh!  If you *really* mean that your shell is behaving like csh, then
perhaps xterm is actually running csh.  What's the output of $SHELL
from inside xterm?  How about $XTERM_SHELL?  What shows up in 'ps'?
Are you passing xterm arguments on its command line?  Does your
~/.xsession or ~/.xinitrc set the SHELL environment variable to
/bin/csh?  (You don't mention whether you use xdm or xinit, or
something completely different, so I can't guarantee that there aren't
other possible rcfiles that could be involved.)  Is the involved
startup script written in csh?


...
 Well, I read it and I thought about it and it sounds like what you're saying
 is that fvwm x11 sessions are giving me interactive shells instead of login
 shells? That .profile is not the same as .bash_profile? That it's probably
 not a good idea to have x11 sessions attempt to process the same script that
 starts up your login session when you login at a character terminal?

Yes, yes, and maybe.  The big no-no is putting stuff that requires a
terminal (stty, etc) in rcfiles that are parsed for non-interactive
shells (e.g., .bashrc or .cshrc).


 I'll have to think about that for a while. I mean it sort of makes sense.
 X11 is going to need parameters set that would be at best superfluous in a
 console shell and could well get in the way.

This all gets usage dependent really quickly.  If you often run X
client programs from other machines using ssh, for example, then you
may very well want to have all your X-related environment variables
(e.g. XUSERFILESEARCHPATH) set in your remote terminal logins.  If you
don't ever do that, then setting and exporting that in your .xsession
only is probably the simpler choice.


 But right now I'm having a bit of a hard time imagining why I would want
 environment settings in a console sh shell that I wouldn't want in an x11 sh
 session shell.

In the old days when people logged into the console as a terminal and
used 'xinit' to start X, there was no need for xterm to start a login
shell, as it would inherit environment variables from your console
login shell via xinit and .xinitrc.  With xdm, you don't have that
initial login shell, so you either need to set and export them in your
.xsession or configure xterm to start login shells.


 Okay, it seems like I would want three separate places to specify startup
 parameters -- one file for login parameters that are independent of the
 shell, one set of files for parameters to X11, and one startup file for the
 specific shell.

The first doesn't exist: csh and sh do not support a common syntax for
setting environment variables.  Most people just pick one shell and
make sure everything uses that.  Do you *really* want to actively use
both csh and sh, or is that just a workaround for xterm starting
something that may be csh despite your shell being /bin/sh in the
passwd file?  If the former, well, you'll need to duplicate stuff:
good luck.  If the latter, then let's figure out why it's acting weird
so you can stick to the shell you prefer.

For the second (parameters to X11), that depends on how you run
X.  xinit, xdm, or something else?  Remote sessions?

(One of UNIX's traps is that almost everything is configurable...which
means that almost nothing is guaranteed.  Five ways to start X, with a
dozen possible config files, and others that can be indicated via
environment variables that might have been set in half a dozen
rcfiles...  A completely general answer grows in size exponentially as
the moving parts increases.  Thus the 

Re: Vlan Tag on Vlan Tag (l2tunneling)

2008-08-22 Thread Henning Brauer
* Reyk Floeter [EMAIL PROTECTED] [2008-08-21 21:41]:
 On Thu, Aug 21, 2008 at 04:05:50PM +0200, Claudio Jeker wrote:
   no point in just doing that.
   
   a button to change the ether type would make sense.
   
  
 
 this is not trivial because it would require a change in the Rx path
 where it is currently matching the ethertype in ether_input() before
 calling vlan_input().

true.

 i think it should really only be 0x8100 or 0x88a8.

we might want to settle for that..



Re: Light HTTP servers.

2008-08-22 Thread Frank Denis
On Fri, Aug 22, 2008 at 11:29:42AM +0200, Toni Mueller wrote:
 My experience from running some low-traffic sites with both nginx and
 lighttpd is that nginx is by far easier to handle, more robust, and
 also more flexible in its configuration, and I hope to get rid of
 lighttpd asap (eg. my bugs would linger for months, or longer). The
 only point where lighttpd imho shines, sort of, is easier launching
 of internal FastCGI servers.

  With low-traffic sites, there's not much difference between lighty and
nginx, both are quite stable and they can serve a lot of static content
without any CPU hit, even on a Soekris box.

  When it comes to the configuration, you can achieve the same results with
both, but indeed nginx configuration files are usually cleaner.

  The lighty development status is a bit messy (see the lighty blog), while
nginx development is clear and very active.

  Sure, lighty can start fastcgi servers, but on sites with medium traffic,
php-fpm blows lighty's fastcgi servers. Switching from lighty (1.5) to
nginx + php-fpm with GOTO for the Zend VM reduced the average time to serve
pages of a busy vbulletin board down to a factor of 4. I never went back to
lighty since.

  By the way, is anyone working on adding php-fpm to the php port? The patch
requires some tweaks in order to properly merge and compile, but it's really
worth it especially with nginx.

  


 
 Do you have any problems running nginx as a reverse proxy for Zope? We
 do it, and it gives us less trouble than the built-in Apache, I must
 say (even ignoring the system load).
 
 
 Kind regards,
 --Toni++
 

-- 
Frank Denis - j [at] pureftpd.org - http://00f.net - http://www.cotery.com



Packet Filter: how to keep device names on hardware failure?

2008-08-22 Thread Harald Dunkel

Hi folks,

Question: How can I make sure that em2 doesn't become em0
if my dual-port NIC dies? This would be fatal for my firewall
setup. At least the antispoof rules _must_ be bound to the
network devices.

Of course I could buy different hardware for the external and
internal network interfaces, or use the lowest available
device for the most dangerous connection, but actually I would
consider these just as workarounds.

Any idea would be highly appreciated.


Regards

Harri



Re: Packet Filter: how to keep device names on hardware failure?

2008-08-22 Thread jared r r spiegel
On Fri, Aug 22, 2008 at 04:16:38PM +0200, Harald Dunkel wrote:
 Hi folks,

 Question: How can I make sure that em2 doesn't become em0
 if my dual-port NIC dies? This would be fatal for my firewall
 setup. At least the antispoof rules _must_ be bound to the
 network devices.

  first thing that comes to mind is to create unique interface
  groups for each iface and then write pf based on that.

  you'll still have to deal with the fallout after reboot
  after a failure, but at least if the hardware for whatever
  reason did happen to disappear during operation, you'd
  be insulated against the immediate change (tho maybe pf
  already handles that)

  other than that, assuming the PCI locations or whatever
  stay consistent through reboots (like, put 3 nics in, boot,
  see where they are, pull the middle one, see if 1 and 3 are
  still at the same points in dmesg even tho their ifnums
  will change), you could maybe break apart the 'em* at pci*'
  (or whatever it is) in config(8) and make individual ones
  based on where you want them.  if that doesn't work in
  config(8) you probably have to make your own kernel.
  
  so you could do a little work and get a marginal benefit
  or spend a (potentially *LOT*) lot more time and force
  things specifically.

  barring any better suggestions, of course.

-- 

  jared



Re: ipsec vpn problem

2008-08-22 Thread jared r r spiegel
On Fri, Aug 22, 2008 at 03:11:16PM +0200, Claus Larsen wrote:
 Well I did get a bit further with the problem, it seems it was caused by a
 firewall blocking some of the traffic.
 
 So new problem now.
 Using the Greenbow vpn client.
 
 It says Phase 2 algorithm problem.
 
 From the isakmpd output I get (a larger portion of the output included
 below):
 164658.900458 Default responder_recv_HASH_SA_NONCE: peer proposed invalid
 phase 2 IDs: initiator id d5ade2e5: 213.173.226.229, responder id c0a80102:
 192.168.1.2
 164658.901274 Default dropped message from 213.173.226.229 port 500 due to
 notification type NO_PROPOSAL_CHOSEN
 
 Any idea what's going on?

  when this happens to me, it is a config mismatch between the two peers.

  sometimes the mismatch can be excruciatingly subtle.

  but one wrong little anything will make the flow or sa or whatever it
  is that the wrong peer installs end up completely not matching
  what the other has.

  at times i've resorted to doing line-by-line echo $LINE | md5 to
  help speed the process of finding the mismatch along.

  given that in this case, there's 1918 IP on one side and !1918 on the
  other, the 1918 peer is perhaps using its 1918 IP by default but the
  other peer expects him to be sending his public IP.

  you can also see this type of mismatch with loglines that say
  something like Expected: 3DES, Received: $whatever_you're_trying_to_use
  for the algorithm in question; has always been the same thing 
  for me in that case, (potentially subtle) config mismatch.
  
  /etc/ipsec.conf
  ike passive from any to any \
   main auth hmac-sha1 enc 3des group modp1024 \
   quick auth hmac-sha1 enc 3des group none \
   psk openbsdrules

  hrm; i guess i'd assume 'any' would make it not care, so maybe my
  whole suggestion is shot.  maybe for starters, copy that off to a
  new ike setup and specifically define the stuff that it seems
  the remote peer is sending that your end is complaining about, and
  then work back from there after you get that working.

-- 

  jared



Re: Vlan Tag on Vlan Tag (l2tunneling)

2008-08-22 Thread Insan Praja SW

On Fri, 22 Aug 2008 01:31:00 +0700, Reyk Floeter [EMAIL PROTECTED] wrote:


hi,

On Thu, Aug 21, 2008 at 04:48:02PM +0200, Henning Brauer wrote:

* Claudio Jeker [EMAIL PROTECTED] [2008-08-21 16:11]:
 If we stack vlan interfaces I don't see a real need for such a button.

switch vendors don't agree on the ethertype. it is configurable on all
of them, and the defaults are different between vendors.
as in: button needed.



for example, you can easilly change the default tag-type from 0x88a8
to old-style 0x8100 on hp switches, but it is a global setting:

- on the switch:
ProCurve Switch 5406zl(config)# qinq mixedvlan tag-type 0x8100
- or -
ProCurve Switch 5406zl(config)# qinq svlan tag-type 0x8100
...

ProCurve Switch 5406zl(config)# interface a1-a2 unknown-vlans disable
ProCurve Switch 5406zl(config)# svlan 100 tagged a1,a2

- on the OpenBSD hosts:
a# ifconfig em0 up
a# ifconfig vlan100 vlandev em0
a# ifconfig vlan200 vlandev vlan100 192.168.200.1

b# ifconfig em0 up
b# ifconfig vlan100 vlandev em0
b# ifconfig vlan200 vlandev vlan100 192.168.200.2
b# ping 192.168.200.1

reyk



Geez Guys,
This is beyond expectation, as an openbsd user, I'm blown over since now,  
my so called router/switch is a metro switch.. geez.. I'm patching now, and  
let's see what happens.

Thanks,



Insan
--
insandotpraja(at)gmaildotcom



Any Ideas ? isakmpd loggs: exchange_setup_p1: unknown exchange type QUICK_MODE

2008-08-22 Thread Stefan Sczekalla
... and sends no answer back to xxx.yyy.zzz.uuu

My Host is an OpenBSD 3.8, the other - remote ( xxx.yyy.zzz.uuu ) is a
securepoint using strongswan.

17:11:22.476524 xxx.yyy.zzz.uuu.500 > aaa.bbb.ccc.ddd.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
cookie: 26e5b1720844a0fa-> msgid:  len: 212
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
payload: VENDOR len: 20
payload: VENDOR len: 12
payload: VENDOR len: 20 (supports DPD v1.0)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02\n)
payload: VENDOR len: 20 (supports v1 NAT-T,
draft-ietf-ipsec-nat-t-ike-00) [ttl 0] (id 1, len 240)

Any Ideas why this packet is not answered by my Openbsd-BOX ?

I double-checked my configs twice and have two additional well running
tunnels.

Kind regards,

Stefan
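The following is an added example, not code from this thread or from the isakmpd or tcpdump projects. It serves both jared's point above (a phase-1 mismatch can be a single subtle token, and the fix is to line the two configurations up side by side) and the tcpdump capture in this post: it pulls the phase-1 transform attributes out of tcpdump(8)'s ISAKMP dump, renders them as the ipsec.conf(5) "main" keywords they correspond to, and reports which of auth, enc or group differs from the local "ike" rule. Assumptions: only the attribute values listed in ipsec_keyword are mapped (the names are RFC 2409 identifiers as tcpdump prints them), and SAMPLE_TCPDUMP is the transform block from the capture above reduced to a constructed string.

```sh
#!/bin/sh
# Added example (not from the thread): compare the peer's ISAKMP phase-1
# proposal, as printed by tcpdump, with the local ipsec.conf "main" clause.

# Constructed sample: the TRANSFORM payload from the capture quoted above.
SAMPLE_TCPDUMP='payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024'

# Map one "ATTRIBUTE VALUE" pair to its ipsec.conf keyword; "?" when unmapped.
# Only a handful of RFC 2409 values are covered here (assumption: extend as needed).
ipsec_keyword() {
    case "$1=$2" in
        ENCRYPTION_ALGORITHM=3DES_CBC) echo "enc 3des" ;;
        ENCRYPTION_ALGORITHM=DES_CBC)  echo "enc des" ;;
        HASH_ALGORITHM=MD5)            echo "auth hmac-md5" ;;
        HASH_ALGORITHM=SHA)            echo "auth hmac-sha1" ;;
        GROUP_DESCRIPTION=MODP_1024)   echo "group modp1024" ;;
        *)                             echo "?" ;;
    esac
}

# Value of one attribute ($1) in a tcpdump transform dump ($2).
attr_value() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == "attribute" && $2 == name { print $4 }'
}

# Render the peer's proposal as the ipsec.conf clause it corresponds to.
proposal_to_main() {
    printf 'main %s %s %s\n' \
        "$(ipsec_keyword HASH_ALGORITHM       "$(attr_value HASH_ALGORITHM       "$1")")" \
        "$(ipsec_keyword ENCRYPTION_ALGORITHM "$(attr_value ENCRYPTION_ALGORITHM "$1")")" \
        "$(ipsec_keyword GROUP_DESCRIPTION    "$(attr_value GROUP_DESCRIPTION    "$1")")"
}

# Token that follows keyword $1 in a "main auth X enc Y group Z" clause ($2).
clause_value() {
    printf '%s\n' "$2" | awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# One line per keyword where the peer ($1) and the local rule ($2) disagree;
# prints nothing when the two clauses match.
compare_main() {
    for key in auth enc group; do
        peer=$(clause_value "$key" "$1")
        mine=$(clause_value "$key" "$2")
        [ "$peer" = "$mine" ] || printf '%s: peer %s, local %s\n' "$key" "$peer" "$mine"
    done
}

# Usage: paste the tcpdump transform block and your own "main ..." line.
compare_main "$(proposal_to_main "$SAMPLE_TCPDUMP")" \
             "main auth hmac-sha1 enc 3des group modp1024"
```

The capture above advertises exactly one transform (xforms: 1), so the responder can only accept or refuse it; against jared's sample rule (auth hmac-sha1) the script reports "auth: peer hmac-md5, local hmac-sha1", which is the kind of single-token difference that is hard to spot by eye in two ipsec.conf files.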



Re: Vlan Tag on Vlan Tag (l2tunneling)

2008-08-22 Thread Steve Shockley

Insan Praja SW wrote:

This is beyond expectation, as an openbsd user, I'am blown over since
now, my so called router/switch is a metro switch.. geez.. I patching
now, and let's see what happens.


OT, but what makes a metro switch metro?



Re: Vlan Tag on Vlan Tag (l2tunneling)

2008-08-22 Thread Anathae Townsend
Metro is a model name for cisco.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steve Shockley
Sent: Friday, August 22, 2008 12:08 PM
To: misc@openbsd.org
Subject: Re: Vlan Tag on Vlan Tag (l2tunneling)

Insan Praja SW wrote:
 This is beyond expectation, as an openbsd user, I'am blown over since
 now, my so called router/switch is a metro switch.. geez.. I patching
 now, and let's see what happens.

OT, but what makes a metro switch metro?



Re: PF redirection and pflogging

2008-08-22 Thread Parvinder Bhasin

Thanks Imre!!! That seems to have done the trick for both issues.

Cheers!
-Parvinder Bhasin

On Aug 21, 2008, at 2:28 PM, Imre Oolberg wrote:


Hallo!

My guess is you dont get anything logged since you pass with rdr  
rules. Maybe it is cleaner to keep translation and filtering  
separate, e.g. have translation rules like this


rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80


And then you need to pass not to the external interface's ip address  
but to where is your so to say real server, e.g. rule


pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state

should rather read

pass in on $ext_if proto tcp from any to $webby_server port 80 keep state


And also note that rule like this works when there aint other rules  
what matches the package. Maybe it is more straight-forward at least  
for debugging to add to it 'quick' keyword which makes the rule  
match no matter what follows, like this


pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state



Imre


Parvinder Bhasin wrote:

List,

I am having some issues while redirecting traffic to port 80 on the  
$squid_server.


I have this server serving two purpose:  apache web server and  
squid server. I can definitely get to the PROXY services fine but  
cannot get to the WWW (port 80) on the same server.


Another issue is that when I try to actively look at the pflog by  
running tcpdump -n -e -ttt -i pflog0   , I don't get anything  
even when the traffic is passing and/or getting blocked.


Any help is highly appreciated.

thx.


For this I have the following pf config:


ext_if=sk0
int_if=gem0
pf_log=pflog0
webby
set skip on enc0
set skip on gre0

external_ip=70.40.22.17
external_ips={70.40.22.17 70.40.22.18 70.40.22.19}
external_net={70.40.22.17 70.40.22.18 70.40.22.19}


internal_ip=172.16.10.10
internal_networks={172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}

webby_ip=70.40.22.18
webby_server=172.16.10.11

squid_ip=70.40.22.19
squid_server=172.16.10.12

# block_ip=70.40.22.20
block_server=172.16.10.12

##TABLES
table <bruteforce> persist
table <kiddies> persist

# OPTIONS #
set loginterface $ext_if
set loginterface $int_if
scrub in

# NAT/REDIRECTS #

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80


## FILTERS #
block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log


# pass in quick on $int_if
pass out keep state

pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state

pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state

pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# block in quick on $ext_if




Re: Vlan Tag on Vlan Tag (l2tunneling)

2008-08-22 Thread Claudio Jeker
On Fri, Aug 22, 2008 at 02:08:00PM -0400, Steve Shockley wrote:
 Insan Praja SW wrote:
 This is beyond expectation, as an openbsd user, I'am blown over since
 now, my so called router/switch is a metro switch.. geez.. I patching
 now, and let's see what happens.

 OT, but what makes a metro switch metro?


Normally next to qinq mostly even bigger cams plus a nicer frontplate.
Qinq while making it possible to push different L2 lans over a common
network in a VPN like (the unencrypted form) fashion needs a lot more
storage for all the MAC addrs seen on the core switches. In the end the
core switches need to know all MAC addrs of all clients in all networks.
The 16k entries of most basic manageable switches are way too little for
larger networks.
Oh and just to make stuff even more crazy on L2 there is MAC-in-MAC which
adds to the qinq header an additional ethernet header to keep the MAC
address tables separated per network.

All this was invented because Windows likes to broadcast/multicast
information around and the admins are unable to figure out how routing
works.
-- 
:wq Claudio



Re: From address when using mail command

2008-08-22 Thread Chris Bennett

Thanks,
Actually this was not my problem. My server is mail and web host for 
several small sites.
I will say that the link below would have been really great to have when 
I was setting up sendmail.
I really struggled to find any site with a complete, yet simple 
explanation of how to get things going.
m4 works quite easily once you know how, but I really had to browse for 
hours to get the simple answer how to use it.


Richard Toohey sent me a message suggesting an obvious answer I should 
have thought of, since I use it in cgi scripts anyway.
Just to use sendmail directly, since mail is really just an incomplete 
way of accessing sendmail.


How?

# sendmail -t
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Hello Whirled

Goodbye
.
#
Note that extra return after headers is needed and last line with . 
only to end message


Works perfectly. Problem solved.

Aaron W. Hsu wrote:

Hello Chris,

From [EMAIL PROTECTED] Thu Aug 21 21:28:29 2008
From: Chris Bennett [EMAIL PROTECTED]
Subject: From address when using mail command

Everything with my sendmail and dovecot works great.
But when I occasionally want to send a message using mail command,
The From: address ends up as: [EMAIL PROTECTED]
This is not a good address that someone can reply to.

Sendmail is doing what it is supposed to here. It is sending out mail 
from your machine (b03ls15le.corenetworks.net) which are from user. 


Where does mail obtain the From address?

Sendmail is attempting to send out mail from your machine, and it uses 
the information of your machine to identify itself. Moreover, since you 
are sending from account user, sendmail is also identifying your 
username as the user of the machine sending this mail.


	Reading man pages about /etc/myname file doesn't really make it clear 
	(to me) what other contents it can have.


You should leave those contents the same.

	Can I change it to my main server's address and not have a problem? 
	Would this fix the mail From problem?


If you did a search on this, you probably would have found out a lot more 
about what sendmail does and how it works. You also would have discovered 
some common solutions to this common misunderstanding. 

The reason this problem does not manifest itself when you are using other 
clients is probably because they either use their own smtp client to 
send mail to a SMART HOST, or they are changing the From header of your 
messages to reflect the settings of that client. Mail does not do that, 
but rather feeds a more spartan message to sendmail, which then inserts 
the relevant headers that it can derive from its configuration. 

I believe what you are trying to do is send mail from your machine, where 
your machine is not the main mail machine. In other words, another machine 
is the hosting mail server (not the exactly correct term). Chances are 
you are on a network which is not configured with an IP address which is 
likely to avoid the large Dynamic blacklists that many ISPs place on 
senders, so you don't even want to use your machine as the primary mail 
server. 

What you do want to do is use sendmail as a client to relay its non-local 
messages to another server which is your main mail server. Usually this 
server is provided by your ISP (whether your network or mail provider). 


The steps for this are:

1) Configure a SMART_HOST
2) [Possibly] configure authentication
3) [Possibly] configure username rewriting

(2) is necessary if your SMTP server which you use to relay your mail 
from your machine to the rest of the world requires some kind of 
authentication. This is usually the case if you are using a mail provider 
that is different than your network provider, or if you have a 
separate SMART HOST outside of your network provider's mail server. 

(3) is required if you are going to be using a different username than 
the one that you are currently using. The method you choose to do this 
may depend on whether you need to rewrite just the username, the domain 
only, or both the username and the domain of the sender address. 
If you just need to change the domain, then using MASQUERADING will 
get the job done. If you are just doing username rewriting (you are not 
just doing this) you can get by with some other things. If you are doing 
both, then you will probably want either a combination of both 
MASQUERADING and GENERICS TABLES. 

GENERICS TABLES will allow you to map your local username to an external 
address. MASQUERADING will just change the domain name sendmail uses 
when sending out mail. There are many other options you will want to 
investigate. 

All of this must be done by choosing the right sendmail .mc configuration 
file, editing it appropriately, compiling it through m4 and placing it 
as directed into the correct location, restarting sendmail, and some 
possible (likely) other work. The instructions for conducting such 
interesting 

Re: Packet Filter: how to keep device names on hardware failure?

2008-08-22 Thread list-obsd-misc
 Question: How can I make sure that em2 doesn't become em0
 if my dual-port NIC dies? This would be fatal for my firewall
 setup. At least the antispoof rules _must_ be bound to the
 network devices.

Yep, this is an ugly problem.

You could have a shellscript at boot scan ifconfig output and associate NICs 
with their MAC addresses, adding appropriate macros to pf.conf.
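The following is an added example, not code from this thread: it is one concrete shape of the boot-time script suggested just above, and it also produces the per-interface groups jared proposed earlier in the thread, so it covers both replies. It reads ifconfig(8)-style output, maps each NIC's lladdr to a firewall role (ext, int, dmz), and emits pf.conf macros plus the ifconfig commands that put each NIC into a group named after its role. Assumptions: the role-to-MAC table and the ifconfig output are constructed sample values (the sample shows the card holding the external role having moved to em1); on a real box, pipe live ifconfig output into iface_macs instead.

```sh
#!/bin/sh
# Added example (not from the thread): tie pf macros and interface groups to
# a NIC's MAC address instead of its em0/em1/em2 number, so a dead dual-port
# card that renumbers the survivors cannot move the "external" role onto the
# wrong port.

# role=MAC table (constructed sample values). One role per physical port.
MAC_ROLES='ext=00:11:22:33:44:01
int=00:11:22:33:44:02
dmz=00:11:22:33:44:03'

# Constructed ifconfig-style output: the "ext" card has become em1.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
    groups: lo
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:11:22:33:44:02
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:11:22:33:44:01
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:11:22:33:44:03'

# Read ifconfig output on stdin; print "ifname mac" for each interface
# that carries a link-layer address.
iface_macs() {
    awk '
        /^[a-z]+[0-9]+:/ { ifn = $1; sub(":$", "", ifn) }
        $1 == "lladdr"   { print ifn, $2 }
    '
}

# Role assigned to a MAC; prints nothing for a MAC that is not in the table.
role_for_mac() {
    printf '%s\n' "$MAC_ROLES" | awk -F= -v mac="$1" '$2 == mac { print $1 }'
}

# pf.conf macro lines such as ext_if="em1" for every NIC with a known role.
gen_macros() {
    printf '%s\n' "$1" | iface_macs | while read -r ifn mac; do
        role=$(role_for_mac "$mac")
        if [ -n "$role" ]; then
            printf '%s_if="%s"\n' "$role" "$ifn"
        fi
    done
}

# ifconfig(8) commands that place each NIC in a group named after its role,
# so pf.conf can say e.g. "antispoof for ext" and never mention em*.
gen_group_cmds() {
    printf '%s\n' "$1" | iface_macs | while read -r ifn mac; do
        role=$(role_for_mac "$mac")
        if [ -n "$role" ]; then
            printf 'ifconfig %s group %s\n' "$ifn" "$role"
        fi
    done
}

# Number of roles with no NIC present. Non-zero means a card is missing and
# the ruleset should not be loaded with a half-populated macro set.
missing_roles() {
    found=$(gen_macros "$1" | wc -l)
    total=$(printf '%s\n' "$MAC_ROLES" | wc -l)
    echo $((total - found))
}

# Usage at boot: generate both outputs, refuse to continue if a role is gone.
if [ "$(missing_roles "$SAMPLE_IFCONFIG")" -eq 0 ]; then
    gen_group_cmds "$SAMPLE_IFCONFIG"
    gen_macros "$SAMPLE_IFCONFIG"
fi
```

The macro lines can be handed to pfctl with -D (one -D macro=value per role) before -f /etc/pf.conf, which avoids editing pf.conf itself; the group commands run before the ruleset is loaded. Either way the rule set never names em0 or em2 directly, which is the property the original question asks for.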