Re: Apache 1.3 in base or 2.2.8 from ports ?

2008-11-08 Thread Pereresus ne Vlezaet Buggy
On Saturday 08 November 2008 08:40:55 Francisco Valladolid Hdez. wrote:
 Hi folks.

 I need a recommendation for using one or the other web server for shared
 web hosting for a small company.

 I always prefer using Apache from base, although I see that Apache 2
 has better performance than 1.3 (included in base), and a better
 reverse proxy for dynamic web sites.

 Which would be the best choice for a web hosting company having web 2.0,
 mod_perl and rails apps?

mod_perl = Apache 1.x
mod_perl2 = Apache 2.x

No choice.

-- 
  WBR,
Pereresus ne Vlezaet Buggy



Re: Apache 1.3 in base or 2.2.8 from ports ?

2008-11-08 Thread Marc Balmer
* Francisco Valladolid Hdez. wrote:
 Hi folks.
 
 I need a recommendation for using one or the other web server for shared web 
 hosting for a small company.
 
 I always prefer using Apache from base, although I see that Apache 2 has 
 better performance than 1.3 (included in base), and a better reverse proxy 
 for dynamic web sites.
 
 Which would be the best choice for a web hosting company having web 2.0, 
 mod_perl and rails apps?

Keep in mind that the Webserver in base has seen a lot of security and other
improvements like chroot() by default etc.  It is not a stock 1.3 Apache,
it is only based on Apache 1.3.

Apache 2 in ports was only imported to make it possible to test certain
things.

If you care for security, go with the one in base.  Huge and highly loaded
websites are served with it.

 
 Regards.
 
 
 --- 
 
 ---
 ficovh - http://bsdguy.net
 In the beginning God created the heavens and the earth. Gen. 1:1
 
-- 
Marc Balmer, Micro Systems, Wiesendamm 2a, Postfach, CH-4019 Basel, Switzerland
http://www.msys.ch/ http://www.vnode.ch/   In God we trust, in C we code.



Re: Apache 1.3 in base or 2.2.8 from ports ?

2008-11-08 Thread raven

Francisco Valladolid Hdez. wrote:

Hi folks.

I need a recommendation for using one or the other web server for shared web 
hosting for a small company.

I always prefer using Apache from base, although I see that Apache 2 has 
better performance than 1.3 (included in base), and a better reverse proxy for 
dynamic web sites.

Which would be the best choice for a web hosting company having web 2.0, mod_perl 
and rails apps?

Regards.

  


mod_perl -> Apache 1.x, so 1.3 is ok
rails -> use *nginx* as reverse proxy for mongrel_clusters and to spawn 
static content.

web 2.0 does mean all or nothing.


Francesco



Re: Oddly high load average

2008-11-08 Thread William Boshuck
On Fri, Nov 07, 2008 at 10:09:08PM -0700, Theo de Raadt wrote:
  You're right Theo, but isn't better an answer like: RTFC ? Just 4 char.
 
 There is no point in telling people who can't read the code, to go
 read the code.  It won't change a thing.  They really will keep coming
 back to misc showing their false expectations.

If he reads "_learn_ the code" as "stare blankly at the code for
fifteen minutes and then ask another question", then I've done
the list a disservice.  But I don't think it's ridiculous to
emphasize that OpenBSD is a rational and well documented system
that can be learned gradually by someone who is willing to take
the time.  Maybe you're right that it won't sink in, though.



Re: HP DL180 hangs on boot

2008-11-08 Thread Alexander Hall

Boris Goldberg wrote:

Hello Alexander,

Thursday, November 6, 2008, 7:44:16 AM, you wrote:

AH OpenBSD 4.4-current (RAMDISK_CD) #203: Sun Nov  2 13:41:35 MST 2008
AH [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD

  You might want to try i386.


Good idea. Of course I'd prefer to run it with amd64 if possible, but at 
the very least it would be informative if it worked. Will try after the 
weekend.



AH uhid at uhidev1 not configured
AH ...
AH uhid at uhidev3 reportid 2 not configured
AH uhid at uhidev3 reportid 3 not configured
AH uhid at uhidev3 reportid 4 not configured
AH uhid at uhidev3 reportid 16 not configured
AH uhid at uhidev3 reportid 17 not configured

  Try to disable uhid in the kernel.


I've been disabling all kinds of stuff in the kernel, including usb, 
which AFAIK would imply the above, to no avail. Well, disabling isa and 
pci helped, but... well it was not the most usable machine. :)



AH softraid0 at root

  Is there a way to boot without a softraid (just to make sure it's not
causing the problem)?


Not that I am using it in any way but I guess I could disable softraid 
too...


/Alexander



Re: SATA card = total freeze

2008-11-08 Thread Joseph A Borg
thanks for the reply. I guess I'll go for a PCI card with a Silicon
Image chip then


On Nov 7, 2008, at 22:48, Anathae Townsend wrote:

I have had varied success with this card under OpenBSD. It would nearly
always cause a hang with a timeout error to the primary console when
installed on an HP Vectra 400 machine. I currently have it running in an
ASUS P4S800D-X with two 500 GB drives with no problems, however, if I add
one or two additional drives, I start getting the freezing and the time out
errors.
Promise Technology has a history of being... tight with its intellectual
property and as such, you're not likely to get any work done on getting
buggy implementations fixed under OpenBSD.
There was some work done to attempt to work around the bugs in the hardware
under FreeBSD, however, I suspect that someone other than primary OpenBSD
developers would have to port any fixes to OpenBSD.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joseph A Borg
Sent: Friday, November 07, 2008 2:36 AM
To: misc@openbsd.org
Subject: SATA card = total freeze

sorry to ask again:
some weeks ago I installed a Promise 300sata TX4 pci card onto an
Asrock motherboard running OpenBSD 4.3
tried to copy a 31Gb file to stress test. The machine hung up after a
while and could only be switched off and re-started.

can anybody confirm that this pci card works properly with OpenBSD?
There are some year-old posts on kerneltrap regarding some strange
behaviour with this card on freebsd.

regards




Re: Oddly high load average

2008-11-08 Thread raven

Theo de Raadt wrote:

You're right Theo, but isn't better an answer like: RTFC ? Just 4 char.



There is no point in telling people who can't read the code, to go
read the code.  It won't change a thing.  They really will keep coming
back to misc showing their false expectations.

  
I think that if the code is written well it is self-explanatory. And AFAIK 
OpenBSD code is so.
Whether he understands or not isn't our business... Maybe he can ask why it's 
different but... who cares about it.



I think the mailing lists would be better if it wasn't always full of
people asking stupid questions, and then being answered by people with
ridiculous or uneducated answers.

Not that I want to be here providing the correct answers.  Why bother?
They won't be understood, and it isn't worth our time to explain things
properly.

But it also isn't worth anyone's time to see stupid questions answered
with stupid answers, is it.
  

There are no stupid questions, only stupid people! (South Park quote)
I agree with you Theo, sometimes misc@ is a dumb cove, just because 
people don't search enough and just ask others...




Multiple ssl servers on one external IP by using internal addresses?

2008-11-08 Thread Jeff Ross

Hi all,

I've got a problem with my web server and ssl that I'm having a hard
time figuring out.  This might take a while to explain so bail now or
bear with me ;-)

I'm on Qwest DSL with one static IP.  The dsl modem is set to port
forward all ports (putting the web server in the modem's DMZ is a
guaranteed modem lockup within 24 hours, if there is anyone else out
there using a  Qwest Actiontec modem.)

Here's an ASCII diagram:

          | External IP Address
          |
  +---------------+
  |  Qwest Modem  |
  +---------------+
          |
          |  10.20.30.1 -- Qwest internal IP
          |
          |  10.20.30.2 -- OpenBSD external IP (em0)
  +---------------+
  |    OpenBSD    |
  +---------------+
  fxp0 172.16.0.1 |   | fxp1 10.30.50.1 - 10.30.50.19 (as aliases)
          |
    Internal LAN

All of my normal non-ssl virtual hosts are on 10.20.30.2.
mail.openvistas.net is my webmail address, it automatically redirects
everything to mail.openvistas.net:443.  This has a cert that I bought
from GoDaddy, and it is working fine.

My ssl hosts work.openvistas.net and cvs.work.openvistas.net resolve to
the same IP address as everything else from the internet, but to
different internal IP addresses beginning at 10.30.50.1 with a split
horizon DNS setup.  These two use two different self-signed certs, each
with the correct server name in the cert.

So, if my understanding about how all this works was correct, I'd think
that everything should Just Work.  I have one ssl host on the same IP
with all of the non-ssl hosts, and then the other two are each on their
own internal IP address.

And it does work just great--from my tibook inside the lan.  There I get
re-directed just fine to the different 10.30.50.x IP address, and get
the warning from Camino about not being able to verify the self-signed
certs, while connecting to mail.openvistas.net over https also works
and uses the correct, verified cert.

Outside the lan is a different story.  There any https url ends up at
the web mail page.  It appears that as far as apache is concerned
everything is on 10.20.30.2, including the two work related pages, which
is the only way I can make any sense of this excerpt from the ssl-engine
log:

[07/Nov/2008 20:26:13 18274] [info]  Init: Configuring server
cvs.work.openvistas.net:443 for SSL protocol
[07/Nov/2008 20:26:13 18274] [info]  Init: Configuring server
mail.openvistas.net:443 for SSL protocol
[07/Nov/2008 20:26:13 18274] [warn]  Init: SSL server IP/port conflict:
mail.openvistas.net:443 (/var/www/conf/httpd.conf:1731) vs.
cvs.work.openvistas.net:443 (/var/www/conf/httpd.conf:2242)
[07/Nov/2008 20:26:13 18274] [warn]  Init: You should not use name-based
virtual hosts in conjunction with SSL!!

That is also what tcpdump shows when I try from outside the lan to go to
https://cvs.work.openvistas.net:

07:43:58.854640 samsara.wykids.org.53050 > 10.20.30.2.https: S
606206889:606206889(0) win 65535 mss 1400,nop,nop,sackOK
  : 4500 0030 2136  7106 288e 4590 925e  E..0!6..q.(.E..^
  0010: 0a14 1e02 cf3a 01bb 2421 fba9    ?:.?$!??
  0020: 7002  9296  0204 0578 0101 0402  p.??...x

07:43:58.854807 10.20.30.2.https > samsara.wykids.org.53050: S
3336382975:3336382975(0) ack 606206890 win 16384 mss 1400,nop,nop,sackOK
  : 4500 0030 12f8  4006 67cc 0a14 1e02  [EMAIL PROTECTED]
  0010: 4590 925e 01bb cf3a c6dd 29ff 2421 fbaa  E..^.??:??)?$!??
  0020: 7012 4000 61a8  0204 0578 0101 0402  [EMAIL PROTECTED]

From inside the lan it works just fine:

07:49:43.860277 172.16.0.15.56642 > 10.30.50.2.https: P
1204992021:1204992058(37) ack 1899480006 win 65535 nop,nop,timestamp
4251713075 3416398380 (DF)
  : 4500 0059 7079 4000 4006 e1e6 ac10 000f  [EMAIL PROTECTED]@.??...
  0010: 0a1e 3202 dd42 01bb 47d2 b815 7137 c3c6  ..2.?B.?GR8.q7??
  0020: 8018  0a12  0101 080a fd6b fe33  ..???k?3
  0030: cba2 1a2c 1503 0100 2029 176f 03c7 f2c2  K., ).o.???
  0040: e160 ad02 1a23 0647 0103 1a52 6e17 3d15  ?`?..#.G...Rn.=.
  0050: a815 4701 3a57 d208 da   ?.G.:W?.?

07:49:43.860288 172.16.0.15.56642 > 10.30.50.2.https: F 37:37(0) ack 1
win 65535 nop,nop,timestamp 4251713075 3416398380 (DF)
  : 4500 0034 707a 4000 4006 e20a ac10 000f  [EMAIL PROTECTED]@.?.?...
  0010: 0a1e 3202 dd42 01bb 47d2 b83a 7137 c3c6  ..2.?B.?GR8:q7??
  0020: 8011  9905  0101 080a fd6b fe33  ..???k?3
  0030: cba2 1a2cK.,


Even though the split horizon dns appears to be working, I 

Re: Oddly high load average

2008-11-08 Thread Christoph Leser
 I think the mailing lists would be better if it wasn't always full of
 people asking stupid questions, and then being answered by people with
 ridiculous or uneducated answers.

 Not that I want to be here providing the correct answers.  Why bother?
 They won't be understood, and it isn't worth our time to explain things
 properly.

 But it also isn't worth anyone's time to see stupid questions answered
 with stupid answers, is it.

I confess that I have asked stupid questions here too. Nevertheless the
replies I got sometimes helped me out. So I even dared to answer to a few
messages, although I may well be considered uneducated or even ridiculous.

Sorry for this. I promise to keep my mouth shut in the future :-)



Re: Packet Filter: how to keep device names on hardware failure?

2008-11-08 Thread Dave Anderson
On Fri, 7 Nov 2008, johan beisser wrote:

On Nov 7, 2008, at 9:44 AM, Dave Anderson wrote:

 Perhaps most of these issues could be dealt with by changing the
 network
 configuration procedure to have a hierarchy of interface-configuration
 files rather than just hostname.interface-name.  If hostname.mac
 were used if the hardware MAC matches, then hostname.interface-name,
 then (say) hostname.only if there's only one NIC found, the sysadmin
 could assign interfaces to groups and use those group names
 everywhere,
 and so not need to use the actual interface names at all.

 This appears to be a fairly simple change.  Does it sound reasonable
 to
 people with more knowledge of OpenBSD networking?

It's not a simple change.

Having now looked at /etc/netstart, it's clearly not as simple as I'd
hoped -- but it doesn't look all that difficult.  The only issue I don't
(yet) see a solution for is how to get the original hardware MAC address
for an interface (rather than the current MAC address, which appears to
be what ifconfig reports).  I could parse the dmesg from the most recent
boot, but that feels wrong -- especially since I'm not certain that that
information will always be available, complete and unaltered.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



Re: Multiple ssl servers on one external IP by using internal addresses?

2008-11-08 Thread Chris Miller

And then maybe I'm completely mis-understanding how to run multiple
internal ssl servers on one external IP address and that it can't be
done without more external IPs from Qwest.


I think this can be done with a proxy server that decrypts the SSL  
connection then passes it on to the web server. That's how it's done  
on Windows using Microsoft IAS, and I would say you could do  
something along the same lines. I don't think Apache has support for  
virtual hosts under SSL. Everything I have seen assumes there is one  
IP address per SSL host.


Thanks,

Chris Miller
ServerMotion
www.servermotion.com



Re: Packet Filter: how to keep device names on hardware failure?

2008-11-08 Thread Denis Doroshenko
On Fri, Nov 7, 2008 at 1:30 PM, Harald Dunkel [EMAIL PROTECTED] wrote:

 In the bad configuration the NIC with 00:30:48:d2:9a:06 is
 called em2, in the good one it is called em4. Maybe you
 can imagine how PF screws up, if this NIC would have been
 physically connected to the Internet.

 Surely it is unusual that a NIC disappears somehow. Maybe
 there is something wrong with my hardware, but this can always
 happen. I would like to have a secure setup even if there is a
 hardware failure.

what keeps you from writing a script that would be called
from the end of /etc/netstart; the script would check whether the
initialized network interfaces match those described by a
predefined table? in case of failure it would react somehow...
you could also put in a NIC of some other type that would always
be named the same (e.g. xl0) that would be an interface used for
reporting the failure with those emX?



cdrecord dvd support

2008-11-08 Thread Jesus Sanchez

Hi, using stable 4.3.

Does the cdrecord port support DVD? I have a few
problems with pipelines and growisofs and cdrecord
seems to allow them well.

thanks for all
-Jesus.



Re: Apache 1.3 in base or 2.2.8 from ports ?

2008-11-08 Thread Hannah Schroeter
Hi!

On Sat, Nov 08, 2008 at 09:17:53AM +0100, Marc Balmer wrote:
Keep in mind that the Webserver in base has seen a lot of security and other
improvements like chroot() by default etc.  It is not a stock 1.3 Apache,
it is only based on Apache 1.3.

Apache 2 in ports was only imported to make it possible to test certain
things.

Also, some applications work only with Apache 2 IIRC, like the
Subversion via http service. (However, svnserve works without any httpd,
but that requires a different account/password management/database IIRC,
and you can also do subversion via ssh.) Other webdav stuff, too, IIRC.

[...]

Kind regards,

Hannah.



Re: Intel D201GLY2 install failure, OpenBSD 4.4

2008-11-08 Thread LÉVAI Dániel
On Thursday 06 November 2008 22.24.49 Ted Unangst wrote:
 On Thu, Nov 6, 2008 at 11:49 AM, Jamie Cuesta [EMAIL PROTECTED] 
wrote:
  I was hoping to include a dmesg via serial port capture (my box
  does not include a floppy), but

 Use ftp.

On Friday 07 November 2008 17.24.52 Ted Unangst wrote:
 Ok, you are having serious interrupt issues.  The only thing I can
 think of to try is disabling acpi (via boot -c), but that's a long
 shot.

I have the same board, and can confirm that without disabling 
acpi, -current OpenBSD can not recognize the network device, the hard 
drive nor the attached usb devices (disk, keyboard etc...).
However, after disabling acpi, -current fires up, and recognizes the 
hard drives and the network card. That's how I could manage to get a 
dmesg. So here it is, and also sent to dmesg@:

OpenBSD 4.4-current (RAMDISK_CD) #964: Fri Nov  7 03:25:28 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Celeron(R) CPU 220 @ 1.20GHz (GenuineIntel 686-class) 
1.21 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
real mem  = 1033404416 (985MB)
avail mem = 992567296 (946MB)
User Kernel Config
UKC disable acpi
241 acpi0 disabled
UKC quit
Continuing...
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/04/08, SMBIOS rev. 2.4 @ 
0xe4da0 (23 entries)
bios0: vendor Intel Corp. version LY66210M.86A.0137.2008.0104.1540 
date 01/04/2008
bios0: Intel Corporation D201GLY
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 SiS 662 PCI rev 0x01
ppb0 at pci0 dev 1 function 0 SiS 648FX AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 SiS 6330 VGA rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 SiS 964 ISA rev 0x36
pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x01: 964: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4120B, A111 ATAPI 
5/cdrom removable
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
SiS 7012 AC97 rev 0xa0 at pci0 dev 2 function 7 not configured
ohci0 at pci0 dev 3 function 0 SiS 5597/5598 USB rev 0x0f: irq 11, 
version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 SiS 5597/5598 USB rev 0x0f: irq 10, 
version 1.0, legacy support
ohci2 at pci0 dev 3 function 2 SiS 5597/5598 USB rev 0x0f: irq 11, 
version 1.0, legacy support
ehci0 at pci0 dev 3 function 3 SiS 7002 USB rev 0x00: irq 10
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 SiS EHCI root hub rev 2.00/1.00 addr 1
sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91: irq 11, 
address 00:1c:c0:41:23:6b
ukphy0 at sis0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 
0x0050ef, model 0x0007
pciide1 at pci0 dev 5 function 0 SiS 181 SATA rev 0x01: DMA
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: FUJITSU MHW2060BH
wd0: 16-sector PIO, LBA48, 57226MB, 117199616 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
rl0 at pci0 dev 6 function 0 Realtek 8139 rev 0x10: irq 10, address 
00:30:4f:19:3e:fd
rlphy0 at rl0 phy 0: RTL internal PHY
ppb1 at pci0 dev 31 function 0 SiS PCI-PCI rev 0x00
pci2 at ppb1 bus 2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 SiS OHCI root hub rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 SiS OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci2: USB revision 1.0
uhub3 at usb3 SiS OHCI root hub rev 1.00/1.00 addr 1
biomask fffd netmask fffd ttymask 
rd0: fixed, 3800 blocks
uhidev0 at uhub1 port 2 configuration 1 interface 0 Logitech Logitech 
USB Keyboard rev 1.10/15.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 2 configuration 1 interface 1 Logitech Logitech 
USB Keyboard rev 1.10/15.00 addr 2
uhidev1: iclass 3/0, 3 report ids
uhid at uhidev1 reportid 1 not configured
uhid at uhidev1 reportid 2 not configured
uhid at uhidev1 reportid 3 not configured
softraid0 at root
root on rd0a swap on rd0b dump on rd0b

Daniel

-- 
LEVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: Packet Filter: how to keep device names on hardware failure?

2008-11-08 Thread Peter N. M. Hansteen
Denis Doroshenko [EMAIL PROTECTED] writes:

 what keeps you from writing a script that would be called
 from the end of /etc/netstart; the script would check whether the
 initialized network interfaces match those described by a
 predefined table? in case of failure it would react somehow...

Then again, given the 'failure is not an option' scenario, any sane
network design would mean you most likely have a multiply redundant
CARP'd setup in place, so a hardware failure like the one described on
one box would simply mean the machine would take itself out of the
running, one of the backups would take over and your friendly robot
helper would be paging you to replace the failed hardware at your
earliest opportunity.

By all means nothing stops you from writing script magic, but the
tools already in your OpenBSD base system let you solve these
situations quite admirably and in several different ways already.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Apache 1.3 in base or 2.2.8 from ports ?

2008-11-08 Thread Francisco Valladolid Hdez.
--- On Sat, 11/8/08, Marc Balmer [EMAIL PROTECTED] wrote:

 From: Marc Balmer [EMAIL PROTECTED]
 Subject: Re: Apache 1.3 in base or 2.2.8 from ports ?
 To: Francisco Valladolid Hdez. [EMAIL PROTECTED]
 Cc: misc@openbsd.org
 Date: Saturday, November 8, 2008, 8:17 AM
 * Francisco Valladolid Hdez. wrote:
  Hi folks.
  
  I need a recommendation for using one or the other web
 server for shared web hosting for a small company.
  
  I always prefer using Apache from base, although I see
 that Apache 2 has better performance than 1.3
 (included in base), and a better reverse proxy for dynamic web
 sites.
  
  Which would be the best choice for a web hosting company 
 having web 2.0, mod_perl and rails apps?
 
 Keep in mind that the Webserver in base has seen a lot of
 security and other
 improvements like chroot() by default etc.  It is not a
 stock 1.3 Apache,
 it is only based on Apache 1.3.

Thanks for this suggestion!

 
 Apache 2 in ports was only imported to make it possible to
 test certain
 things.
 
Ok

 If you care for security, go with the one in base.  Huge
 and highly loaded
 websites are served with it.

I think one should use the fewest possible programs from third parties (aka ports), 
and only the necessary ones; most from base.

 
  
  Regards.
  
  
  --- 
  
  ---
  ficovh - http://bsdguy.net
  In the beginning God created the heavens and the
 earth. Gen. 1:1
  
 -- 
 Marc Balmer, Micro Systems, Wiesendamm 2a, Postfach,
 CH-4019 Basel, Switzerland
 http://www.msys.ch/ http://www.vnode.ch/   In God
 we trust, in C we code.



Re: Packet Filter: how to keep device names on hardware failure?

2008-11-08 Thread Dag Richards

Peter N. M. Hansteen wrote:

Denis Doroshenko [EMAIL PROTECTED] writes:


what keeps you from writing a script that would be called
from the end of /etc/netstart; the script would check whether the
initialized network interfaces match those described by a
predefined table? in case of failure it would react somehow...


Then again, given the 'failure is not an option' scenario, any sane
network design would mean you most likely have a multiply redundant
CARP'd setup in place, so a hardware failure like the one described on
one box would simply mean the machine would take itself out of the
running, one of the backups would take over and your friendly robot
helper would be paging you to replace the failed hardware at your
earliest opportunity.

By all means nothing stops you from writing script magic, but the
tools already in your OpenBSD base system let you solve these
situations quite admirably and in several different ways already.




If you actually require fault tolerance, this is the best advice so far.
Your devices are ordered as you expect them to be, your rule base is in 
a known good state.  The system uses supported features making upgrades
simple, as well as leaving off the sort of site specific quirks that can 
make inheriting a site so challenging.




Re: Packet Filter: how to keep device names on hardware failure?

2008-11-08 Thread Nick Holland
Rod Whitworth wrote:
...
 Let's look at this a little more analytically:
 My firewall is a Soekris 4801 with sis0, sis1 and sis2.
 sis0 is the 0utside (ADSL)
 sis1 is the 1nside (LAN)
 sis2 is the 2erver LAN

heh.  I gotta remember that naming/numbering convention, I like it!

 If 0 fails the other two move up the table. Risk = zero.
 If 1 fails the users holler "No service!" and the servers won't be
 compromised because they will now be connected to sis2 promoted to be
 sis1 and their default route won't be available and incoming traffic
 can't get to them either.
 
 Now, what was the problem again? With all the interfaces below the
 failure moving up the table there will be address mismatches = no
 traffic.
 
 I see no reason to panic. Maybe I'm too tired after being up really
 late replacing a faulty modem and I forgot to turn off NAT in the new
 one so my sleepy eyes missed the fact that I needed to test more than
 browsing from the LAN to make sure my servers were reachable. 8-((
 
 8< snip rest of story.

Yeah, maybe I'm missing something too, but I'm not really thinking
of a situation where this would really be a risk of anything other
than downtime.  And if chunks of your firewall aren't working,
that's downtime.

Usually, if you plug the wrong things into the wrong port, it just
doesn't work.  Different ports are usually on different subnets.

If you really have a situation where this is a real risk and not just
a silly panic over nothing, a solution is simple:

* your /etc/pf.conf file just contains a "block in all", and a "pass
  out" all from just the firewall to the outside networks.

* in rc.local, you stick a script which tests things however you
  want them to be.  Maybe you count the NICs, maybe you compare
  their MAC addresses to what you expect them to be, etc.
  Whatever makes you happy or is appropriate for your configuration.

* IF you are happy, you do a "pfctl -f /etc/prodpf.conf" or
  similar, and put your production rules in there.  Maybe even only
  activate forwarding if the test passes.  IF the system is missing
  pieces, maybe you load up an "ssh in only" ruleset so someone can
  get to the box to look at what went wrong, but the firewall stays
  otherwise inert.  Document the heck out of it, including in
  pf.conf saying, "real production rules are over THERE..."

Note that this requires modifying no system files, so your upgrade
process remains simple.

I think that would be a lot saner for what seems to be a very special
case than any of the "let's follow Linux or Solaris's lead" crap.
I've used those, I'm completely unimpressed.  The primary reason they
suck is complexity; the people who claim they understand Linux and
Solaris don't seem to be able to explain why they do what they do or
fix it when they do it wrong, forget mere mortals.  They just work
around oddities.  OpenBSD's rules for NIC naming are quite simple.
There are cases where they will annoy the heck out of you, but it is
easy to see WHY they are doing funny things, and easy to fix when
they do.


When my firewall blows out when I'm on vacation, I want to be able to
tell someone over the phone, "unplug the production machine, keeping
careful track of what cable comes out of which port, plug them into
the same port on the spare machine.  Pull the disk out of the
old machine, plug it into the spare machine.  Turn it on, see you when
I get back."  Start strapping ports to physical addresses, you create
a management nightmare, and something that probably only you will
ever be able to maintain.  Not good.

Nick.

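The rc.local check Nick describes above (and the post-netstart script Denis suggested earlier in the thread), written out as an added example; this is not code from either of them or from OpenBSD. It assumes the layout from his message: /etc/pf.conf holds only the inert rules, the production ruleset lives in a separate file (his hypothetical /etc/prodpf.conf), and a second, assumed file /etc/pf.ssh-only.conf holds a ruleset that admits nothing but ssh. The interface table and its MAC addresses are constructed for illustration; on a real box you would paste in the output of observed_nics from a known-good boot.

```shell
#!/bin/sh
# Added example, not from the thread: load the production pf ruleset only
# when every NIC carries the MAC address we expect, otherwise fall back to
# an ssh-only ruleset and leave forwarding off.  Table, MACs and the
# ssh-only path are constructed/assumed for illustration.

# Expected layout, one "interface mac" pair per line (made-up MACs).
EXPECTED='sis0 00:00:24:c1:11:01
sis1 00:00:24:c1:11:02
sis2 00:00:24:c1:11:03'

PROD_RULES=/etc/prodpf.conf         # Nick's hypothetical production file
SAFE_RULES=/etc/pf.ssh-only.conf    # assumed: ssh in + firewall egress only

# observed_nics: "interface lladdr" pairs from the running kernel.
# ifconfig prints "em0: flags=..." then an indented "lladdr xx:xx:..." line.
observed_nics() {
    ifconfig | awk '/^[a-z]/ { sub(":", "", $1); ifc = $1 }
                    /lladdr/ { print ifc, $2 }'
}

# check_nics EXPECTED OBSERVED: prints "ok" or "mismatch: <detail>" and
# returns 0 / 1.  Every expected pair must be present with the right MAC;
# a card that vanished and shifted the numbering shows up as a wrong or
# missing pair.
check_nics() {
    expected=$1
    observed=$2
    status=0
    detail=""
    for line in $(printf '%s\n' "$expected" | tr ' ' '='); do
        ifc=${line%%=*}
        want=${line#*=}
        got=$(printf '%s\n' "$observed" | awk -v i="$ifc" '$1 == i { print $2 }')
        if [ "$got" != "$want" ]; then
            status=1
            detail="$detail $ifc=${got:-missing}"
        fi
    done
    if [ $status -eq 0 ]; then
        echo ok
    else
        echo "mismatch:$detail"
    fi
    return $status
}

# load_rules OBSERVED: pick the ruleset and hand it to pfctl.  With
# PF_DRY_RUN=1 it only prints the file it would load, so the decision can
# be exercised without touching pf.
load_rules() {
    if check_nics "$EXPECTED" "$1" >/dev/null; then
        rules=$PROD_RULES
        forwarding=1
    else
        rules=$SAFE_RULES
        forwarding=0
    fi
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        echo "$rules"
        return 0
    fi
    logger -t nicscheck "loading $rules"
    pfctl -f "$rules"
    sysctl net.inet.ip.forwarding=$forwarding
}

# From rc.local:  load_rules "$(observed_nics)"
```

Because the fallback ruleset is selected by the same code path, a half-working box is reachable over ssh for diagnosis but forwards nothing, which is the behaviour Nick asks for; the script touches no system file, so upgrades stay simple.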


Re: Multiple ssl servers on one external IP by using internal addresses?

2008-11-08 Thread Jeff Ross

On Sat, 8 Nov 2008, Chris Miller wrote:


And then maybe I'm completely mis-understanding how to run multiple
internal ssl servers on one external IP address and that it can't be
done without more external IPs from Qwest.


I think this can be done with a proxy server that decrypts the SSL connection 
then passes it on to the web server. That's how it's done on Windows using 
Microsoft IAS, and I would say you could do something along the same lines. I 
don't think Apache has support for virtual hosts under SSL. Everything I have 
seen assumes there is one IP address per SSL host.


I'm assuming you mean by using relayd which so far today has 
been more fun than I need on a day off--Me: "What do you mean, your e-mail 
is down?"  Them: $%#(*((^%

and so on...

And do you mean one *external, resolvable from the internet* IP address 
per SSL host, because I've seen an awful lot of stuff that shows an 
address of 10.X that would at least imply otherwise.




Thanks,

Chris Miller
ServerMotion
www.servermotion.com



Jeff



Gateway setup

2008-11-08 Thread Alfredo Perez
Hi

I have the following configuration

router/firewall --- OPENBSD BOX - Wireless switch

Openbsd box has two NICs 

rl0 connects OPENBSD BOX to router/firewall
dc0 connects Wireless switch to OPENBSD BOX

nat.conf shows
nat on rl0 from dc0/24 to any -> rl0

sysctl.conf shows:
net.inet.ip.forwarding=1

hostname.dc0 shows:
inet 192.168.1.0 255.255.255.0 192.168.255.0

hostname.rl0 shows:
dhcp NONE NONE NONE

OPENBSD IP is 192.168.0.15 which is given by the router/firewall

I connect my laptop to the wireless switch
successfully but I can't go out to the internet.

Can I get some suggestions on how to solve this problem?

Thanks

Alfredo



Re: Gateway setup

2008-11-08 Thread johan beisser

On Nov 8, 2008, at 4:21 PM, Alfredo Perez wrote:


On Sat, Nov 08, 2008 at 04:00:23PM -0800, johan beisser wrote:


On Nov 8, 2008, at 3:34 PM, Alfredo Perez wrote:


Hi

I have the following configuration

router/firewall --- OPENBSD BOX - Wireless switch


I'm confused. Why isn't the OpenBSD box the router/firewall?


That openbsd box is sometimes my file server and sometimes
I would like to have my wireless go through it.


Why?



Don't I need a nat configuration file?


configured in pf. Syntax is right, but unless your pf_rules='' line  
points directly to that file, it'll be ignored.



Don't I need to give nic dc0 an IP address. What should I do instead?


Create a bridge between the two interfaces, then just permit the  
traffic to flow from the WAP to the network. You'll no longer need to  
NAT between the interfaces, but from this point forward the traffic  
will be much like the OpenBSD box isn't there.


Laptop connects to wireless switch using WEP. I connect to it  
successfully

I tried to ping the OPENBSD box 192.168.0.15 and I don't get a response.


Unsurprising.


I try to ping the outside ex www.yahoo.com no response.
I try to ping the router/firewall no response either.


also unsurprising.



Re: Gateway setup

2008-11-08 Thread johan beisser

On Nov 8, 2008, at 3:34 PM, Alfredo Perez wrote:


Hi

I have the following configuration

router/firewall --- OPENBSD BOX - Wireless switch


I'm confused. Why isn't the OpenBSD box the router/firewall?


nat.conf shows
nat on rl0 from dc0/24 to any -> rl0


nat.conf? Do you mean pf.conf?


hostname.dc0 shows:
inet 192.168.1.0 255.255.255.0 192.168.255.0


problem #1 is you can't really use a network address (192.168.1.0) for  
an IP.



hostname.rl0 shows:
dhcp NONE NONE NONE

OPENBSD IP is 192.168.0.15 which is given by the router/firewall



I connect my laptop to the wireless switch
successfully but I can't go out to the internet.


We need more information. Sorry.


Can I get some suggestions on how to solve this problem?


I could give you a dozen, but they may not help you at all without  
more context.
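
Taking johan's observations in the two replies above together (the rules sit in a file pf does not read, the interface has been given its network address as its IP, and the broadcast address is not in the configured subnet), here is an added example, not from this thread and not an OpenBSD tool, that checks such a configuration offline. POSTED_CONFIG is constructed from the files quoted in the original post; FIXED_CONFIG is a hypothetical corrected version that gives dc0 the host address 192.168.1.1/24, moves the NAT rule to /etc/pf.conf and uses dc0:network as its source. The laptop would additionally need an address in 192.168.1.0/24 with 192.168.1.1 as its gateway, from dhcpd(8) on the OpenBSD box or set by hand; the checker does not cover that.

```python
"""Offline sanity checks for a two-interface OpenBSD NAT gateway.

Flags the three things raised in the thread: pf only loads /etc/pf.conf
(unless pf_rules in rc.conf.local says otherwise), an interface cannot use
its network address as its IP, and the broadcast must belong to the subnet.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed from the files quoted in the original post.
POSTED_CONFIG = {
    "/etc/nat.conf": "nat on rl0 from dc0/24 to any -> rl0\n",
    "/etc/sysctl.conf": "net.inet.ip.forwarding=1\n",
    "/etc/hostname.dc0": "inet 192.168.1.0 255.255.255.0 192.168.255.0\n",
    "/etc/hostname.rl0": "dhcp NONE NONE NONE\n",
}

# Hypothetical corrected version (assumption, not from the thread).
FIXED_CONFIG = {
    "/etc/pf.conf": "nat on rl0 from dc0:network to any -> (rl0)\n",
    "/etc/sysctl.conf": "net.inet.ip.forwarding=1\n",
    "/etc/hostname.dc0": "inet 192.168.1.1 255.255.255.0 192.168.1.255\n",
    "/etc/hostname.rl0": "dhcp NONE NONE NONE\n",
}

# Matches the pre-4.7 pf nat syntax: nat on EXT from SRC to any -> (EXT)
NAT_RULE = re.compile(
    r"^nat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+any\s+->\s+\(?([^\s()]+)\)?\s*$"
)


def check_hostname_if(ifname: str, text: str) -> List[str]:
    """Check one hostname.if(5) file; 'dhcp ...' lines are accepted as-is."""
    problems = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "dhcp":
            continue
        if fields[0] != "inet" or len(fields) < 3:
            problems.append(f"{ifname}: unrecognised line {line!r}")
            continue
        try:
            iface = ipaddress.IPv4Interface(f"{fields[1]}/{fields[2]}")
        except ValueError as exc:
            problems.append(f"{ifname}: {exc}")
            continue
        net = iface.network
        if net.prefixlen < 31 and iface.ip == net.network_address:
            problems.append(f"{ifname}: {iface.ip} is the network address of "
                            f"{net}; use a host address such as {net[1]}")
        if len(fields) > 3 and fields[3] != "NONE":
            bcast = ipaddress.IPv4Address(fields[3])
            if bcast != net.broadcast_address:
                problems.append(f"{ifname}: broadcast {bcast} is not in {net} "
                                f"(expected {net.broadcast_address})")
    return problems


def check_gateway(files: Dict[str, str], ext_if: str, int_if: str) -> List[str]:
    """Return a list of problems; an empty list means nothing obvious is wrong."""
    problems = []
    if "/etc/pf.conf" not in files:
        others = [n for n in files if "nat" in n or "pf" in n]
        problems.append("pf.conf: pf loads /etc/pf.conf (or pf_rules in rc.conf.local); "
                        f"rules in {', '.join(others) or 'other files'} are ignored")
    if "net.inet.ip.forwarding=1" not in files.get("/etc/sysctl.conf", ""):
        problems.append("sysctl.conf: net.inet.ip.forwarding=1 is needed to route")
    for name, text in files.items():
        if name.startswith("/etc/hostname."):
            problems += check_hostname_if(name.split(".", 1)[1], text)
    nat_rules = [line for text in files.values()
                 for line in text.splitlines() if line.startswith("nat ")]
    if not nat_rules:
        problems.append("no nat rule found")
    for rule in nat_rules:
        m = NAT_RULE.match(rule)
        if not m:
            problems.append(f"nat rule not understood: {rule!r}")
            continue
        on_if, src, to_if = m.groups()
        if on_if != ext_if or to_if != ext_if:
            problems.append(f"nat rule should be 'on {ext_if} ... -> ({ext_if})': {rule!r}")
        if not src.startswith(int_if):
            problems.append(f"nat source should be {int_if}:network, got {src!r}")
    return problems
```

Run check_gateway(POSTED_CONFIG, "rl0", "dc0") to see the three findings, and the same call on FIXED_CONFIG to confirm it comes back clean; the real files would be read from /etc on the gateway and passed in as the same name-to-contents mapping.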




Setting up OpenBSD as a PPPoE router

2008-11-08 Thread Parvinder Bhasin

Hi,

I have STATIC dsl - with 5 static ips.  I don't use the Netopia router  
that came with it, instead used OpenBSD as the router/firewall.  So  
for this I setup openbsd on a box with pppoe and pf.  The setup works  
totally fine.  People can reach my webservers fine which are BEHIND my  
openbsd firewall.  I have setup one to one NAT translation (binat) for  
this.


Here comes the dilemma:
For setting up a high interaction honeynet,  I would like to setup a  
box with the one of the 5 ips given to me on that DSL connection and  
have that box sit OUTSIDE of the openbsd firewall, is there a way to  
do this?  Any help is highly appreciated.


Basically what I am saying here is I take another box (honeypot  
server) and give public IP to that box and point its gateway to the  
OPENBSD box.  How can I do this?  This is sort of making this Honeypot  
server sit right NEXT to the OpenBSD firewall, using Openbsd as just a  
ROUTER for the Honeypot server.


Thanks in advance.  Any help is highly appreciated.

-Parvinder Bhasin






Re: Intel D201GLY2 install failure, OpenBSD 4.4

2008-11-08 Thread Jamie Cuesta
Thanks to LEVAI Daniel for providing his dmesg.  To add mere confirmation, I 
too was able to boot 4.4 release with NIC interface active/recognized after 
'boot -c' + 'disable acpi', however I was unable to muster the skill to 
accomplish the ftp transfer.  Is Daniel's dmesg sufficient for debug, or would 
a capture of a default-config dmesg (with all its error messages) be 
beneficial?  If the latter, I will endeavor to connect a floppy drive...

Jaime

--- On Fri, 11/7/08, Ted Unangst [EMAIL PROTECTED] wrote:

 From: Ted Unangst [EMAIL PROTECTED]
 Subject: Re: Intel D201GLY2 install failure, OpenBSD 4.4
 To: [EMAIL PROTECTED]
 Cc: misc@openbsd.org
 Date: Friday, November 7, 2008, 9:24 AM
 On Fri, Nov 7, 2008 at 8:54 AM, Jamie Cuesta
 [EMAIL PROTECTED] wrote:
  It seems that in order to use the ftp option, I need a
 functioning network interface(?).  However when I boot using
 the install CD and choose (s)hell, here's
 what I see:
 
  # ifconfig
  lo0: flags=8008<LOOPBACK,MULTICAST> mtu 33204
          groups: lo
  #
 
  Note that one of the boot messages in my first post
 seemed to indicate that the on-Mobo NIC was among the
 devices affected by a bad interrupt problem:
 
  sis0 at pci0 dev 4 function 0 "SiS 900 10/100BaseTX" rev 0x91pci_intr_map: bad interrupt line 19
  : couldn't map interrupt
 
 Ok, you are having serious interrupt issues.  The only
 thing I can
 think of to try is disabling acpi (via boot -c), but
 that's a long
 shot.



nfe0: no link...sleeping

2008-11-08 Thread Steven

Please advise how I can wake up my MCP55 on board network interface.
During installation of AMD64 OpenBSD 4.4 or i386 OpenBSD 4.3 the 
network interface does not respond: no link...sleeping.

The ethernet card is on board NVIDIA MCP55.
After reboot, I tried to manually configure the card, but I get same 
response.

I am very new to OpenBSD.

Thank you.